Time-aware scan-free searchable public key encryption method and system
By employing bilinear paired ciphertext and threshold secret sharing techniques, the problems of time awareness and authorized user authentication in EHRs scenarios are solved, enabling efficient search and result verification, and making it suitable for secure access to EHRs in cloud computing.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HUAIYIN INSTITUTE OF TECHNOLOGY
- Filing Date
- 2023-07-26
- Publication Date
- 2026-06-05
AI Technical Summary
Existing searchable public key encryption schemes cannot achieve time-aware timed publishing and authorized user identity verification in EHRs scenarios, and their search efficiency is low, making it impossible to effectively verify search results.
Employing bilinear paired ciphertext and threshold secret sharing techniques, this system enables time-aware encrypted document search and effective verification of search results by establishing an index with implicit links to the same keywords. This includes the design of modules for key generation, encryption, index generation, trapdoor generation, and verification.
It enables efficient searching of encrypted documents and effective verification of search results in EHRs scenarios, and is suitable for secure access and privacy protection of EHRs in cloud computing environments.
Smart Images

Figure CN116962046B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to searchable public key encryption schemes, specifically to a time-aware, scan-free searchable public key encryption method and system. Background Technology
[0002] Searchable encryption (SE) is divided into symmetric searchable encryption (SSE) and asymmetric searchable symmetric encryption (ASE), the latter also known as public key encryption with keyword search (PEKS), depending on the cryptographic scheme. PEKS uses a trapdoor to search for documents containing a specific keyword, and other participants cannot know any other information besides the trapdoor.
[0003] On the other hand, Electronic Health Records (EHRs) involve patient privacy and are typically stored encrypted on cloud servers. However, for medical treatment and scientific research purposes, they may be made accessible to legitimate users such as doctors and medical institutions for a certain period. This necessitates that the encryption scheme possess time-awareness, scheduled release capabilities, and the ability to verify the identity of authorized users—features that existing PEKS encryption schemes lack. Furthermore, most existing PEKS encryption schemes require scanning the index corresponding to each keyword in all documents during the search process and matching it against trapdoors, resulting in low search efficiency; and existing PEKS encryption schemes do not implement effective verification of search results. Summary of the Invention
[0004] Objectives of this invention: The first objective of this invention is to provide a time-aware, scan-free, searchable public-key encryption method suitable for EHRs (Enterprise Resource Planning) scenarios. This searchable public-key encryption method utilizes bilinear paired ciphertext to verify the data publication time (time awareness) and the identity of authorized users, while simultaneously achieving efficient searching of encrypted documents and effective verification of search results by establishing an index with implicit links to the same keywords. The second objective of this invention is to provide a time-aware, scan-free, searchable public-key encryption system.
[0005] Technical solution: The time-aware, scan-free, searchable public-key encryption method of the present invention includes:
[0006] (1) Configure security parameter λ, generate system master key S and system master public key P, and cloud service provider public key pk. s and private key sk sData owner DO i public key y i and private key (K) i ,x i ), data user DU j public key and private key j and the common parameter pp;
[0007] (2) According to document d j Data owner DO i private key (K) i ,x i ), public parameter pp, keyword set W, identity IDs of all users, and public key pk of the cloud service provider. s And at a specific time t, generate an encrypted document e. j and the corresponding search index I;
[0008] (3) The system master key S is recovered based on the TSS algorithm, and the trapdoor T and data user DU are generated using the system master key S. j key k j Based on the public parameter pp and the cloud service provider's public key pk s Keyword set W, Data user DU j key k j And the trapdoor T in the search part, and the trapdoor T in the generation and verification part. w Trapdoor T is obtained z ={T,T w};
[0009] (4) Based on search index I and the cloud service provider's private key sk s Current time t′ and trapdoor T z Perform verification of the user's identity at a specific time. If the verification is successful, the user's identity is valid and within the allowed query time range, and step (5) is executed; otherwise, output ⊥.
[0010] (5) According to the trapdoor T z Public parameters pp, data owner DO i public key y i And search index I, generate result set RST and corresponding proof;
[0011] (6) Verify the correctness of the ciphertext based on the public parameter pp, the result set RST and the corresponding proof. If the verification is successful, the result is correct; otherwise, the result is incorrect and the search is repeated.
[0012] (7) When deleting a document, the public parameter pp and the data owner DO are used as parameters. ipublic key y i Keyword set W and document d j Generate a deletion token del, find the corresponding document by searching for keywords and delete it; when adding a document, execute step (2) to generate an encrypted document and the corresponding index.
[0013] Further, step (1) includes:
[0014] (1.1) Choose a prime number q, a multiplicative cyclic group G of order q, and Gq. T The generator g of group G, and the bilinear mapping e: G×G→G T ;
[0015] Select system master key Z represents q The set of all modularly invertible elements in Z. q Let Z / qZ denote the residue class ring modulo q, where Z represents the set of all integers;
[0016] System master public key P = g S ;
[0017] (1.2) Select five hash functions: H1:{0,1} * →{0,1} logq H2:G T →{0,1} logq H3:{0,1} * →G, H5:G T →{0,1} n ;where {0,1} * Represents a bit string of arbitrary length, {0,1} logq A bit string representing the length of logq; {0,1} λ Represents a bit string of length λ, where λ is a security parameter; {0,1} n Represents a bit string of length n, where n is the number of authorized users;
[0018] (1.3) Choose μ∈G;
[0019] Random selection sk, as a cloud service provider s ;
[0020] Public key PK of cloud service providers s =(pk s,1 ,pk s,2 )=(g ζ ,μ 1ζ );
[0021] Randomly select a key K from H1. i Choose a key x from {2,3,…,q-2} i Obtain data from DO (Domain) i private key (K) i ,x i ); Data owner DO i public key
[0022] According to data user DU j Identity ID j Generate its public key
[0023] The system master key S is divided into n+l parts, i.e., {s1, s2, ..., sn}. n ,s n+1 ,…,s n+l}, of which n portions are secretly distributed to data user DU j That is, data user DU j The private key is s j , 1≤j≤n; l is the number of backup keys;
[0024] (1.4) Common parameters pp={G,G T ,g,q,e,P,y1,y2,…,y m ,H1,H2,H3,H4,H5}, where m is the number of data owners.
[0025] Furthermore, step (2) includes:
[0026] (2.1) Data Owner (DO) i Provide a keyword space W for a collection of documents i And store a dictionary σ consisting of key-value pairs locally; for the key space W i Each keyword w in k There exists a key-value pair (w) k ID(d)) represents the keyword w k Document d;
[0027] (2.2) Assume the data owner is DO i To provide document d j Create an index, W(d) j ) for document d j The set of keywords; using symmetric encryption methods to encrypt the document d j Encryption is used to encrypt documents. j ;
[0028] (2.3) Randomly select from the keyword set W(d) jSelect a keyword w from ) k If σ[w k If empty, it indicates that the keyword w k It has not been encrypted. Calculate F = H1(K) i ,w k ||ID(d j ));
[0029] Random selection Data owner DO i private key (K) i ,x i x in ) i For document d j Keyword w k Create Index I k =(A,(B,C,D));
[0030]
[0031]
[0032] mod is the modulo operation, modq means the remainder when divided by q;
[0033]
[0034] Document d j The identifier is assigned to σ[w k ], that is, σ[w k ] = ID(d j );
[0035] (2.4) Random selection
[0036] calculate
[0037] Cipher
[0038] Search index I = {I k ,ψ}.
[0039] Furthermore, in step (2.3), if the keyword w k If it has already been encrypted, then access σ[w] k Obtain the corresponding identifier;
[0040] Calculate the two values F = H1(K) i ,w k ||σ[w k ]), F′=H1(K i ,w k ||ID(dj ));
[0041] Choose one For document d j Keyword w k Create Index I k =(A,(B,C,D));
[0042] A = F;
[0043]
[0044]
[0045]
[0046] By ID(d) j Assign the value to σ[w] k To update the dictionary σ.
[0047] Furthermore, step (3) includes:
[0048] (3.1) Random selection Calculate H3(w) k ) a ;
[0049] Random selection Calculate H3(w) k ) ab ;
[0050] (3.2) Recover the system master key based on the TSS algorithm. Where s i =(u i ,f(u i )) is data user DU j The private key; the equation can be written as ∑f(u)g(u);
[0051] Using partial private keys {s1,s2,…,s} of the other θ-1 assistant users θ-1} to obtain different (H3(w k ) ab ) f(u)g(u) value;
[0052] Calculate ∏(H3(w) k ) ab ) f(u)g(u) =(H3(w k ) ab ) ∑f(u)g(u) Thus, we obtain H3(w) k ) ab·S ;
[0053] calculate The trapdoor T = H3(w) is obtained. k ) b·S ;
[0054] Data user DU is generated based on the system master key S. j A key k j =S·H4(ID) j );
[0055] (3.3) Random selection
[0056] Trapdoors in the computational verification section
[0057] Trapdoor T z ={T,T w}
[0058] Further, in step (4), the calculation is performed. Verify the equation Check if the equation is true. If it is true, the verification is successful.
[0059] Further, step (5) includes:
[0060] (5.1) Through calculation From the trapdoor T=H3(w in the search section) k ) b·S From this, we obtain T′=H3(w k ) S ;
[0061] (5.2) Generate two empty lists L i (p) and L i (e) to store the proof and the result set RST;
[0062] Calculate tag = H2(e(T′,y) i )), and compare it with I in the search index I. k For matching, if a value A matches the tag, then the corresponding (C,D) and the encrypted document are added to L respectively. i (p) and L i (e) in;
[0063] (5.3) After successfully locating the data owner DO i After the first entry is constructed, a new tag is calculated. Then check if there is another A that matches the new tag. If so, add the new corresponding (C,D) and the new encrypted document to L respectively. i (p) and L i (e) in;
[0064] Repeat step (5.3) until the new label cannot find a matching A in the index;
[0065] (5.4) Send the result set RST and the corresponding proof to the data user DU. j .
[0066] Further, step (6) includes: data user DU j Receive 2m lists, L1(p), L2(p), ..., L m (p) and L1(e), L2(e), ..., L m (e); Assuming it is stored in L i (p) contains v i right Stored in L i (e) contains v i An encrypted document Verify the equation If the statement is true, the verification is successful, indicating that the result is correct; otherwise, the result is incorrect, and the search is repeated.
[0067] Further, step (7) includes:
[0068] (7.1) When a document is deleted, a deletion token is generated: del = H1(K i ,w k ||ID), where w k `ID` is the keyword and identifier for the document to be deleted; search for the keyword to be deleted. k There must be a key A in the index that matches the delete token, and that key A will be marked, but instead of deleting the document with the marked value, the document preceding it will be deleted;
[0069] (7.2) When adding a document, execute step (2) to generate an encrypted document e. j and the corresponding index I = {I k ,ψ}.
[0070] The time-aware, scan-free, searchable public-key encryption system of the present invention includes:
[0071] The system parameter setting module is used to configure security parameters λ and generate the system master key S, the system master public key P, and the cloud service provider's public key pk. s and private key sk s Data owner DO i public key y i and private key (K) i ,x i ), data user DU j public key and private key jAnd the common parameter pp; send the common parameter pp to the index generation module, trapdoor generation module, ciphertext generation module and update module;
[0072] The ciphertext generation module is used to generate ciphertext from document d. j Encryption is used to encrypt documents. j ; encrypt the document e j Send to the search module;
[0073] The index generation module is used to generate an index based on document d. j Data owner DO i private key (K) i ,x i ), public parameter pp, keyword set W, identity IDs of all users, and public key pk of the cloud service provider. s And at a specific time t, generate an encrypted document e. j The search index I; will encrypt the document e j The search index I is sent to the verification module and the search module;
[0074] The trapdoor generation module is used to recover the system master key S based on the TSS algorithm, and to generate the trapdoor T and data user DU for the search part using the system master key S. j key k j Based on the public parameter pp and the cloud service provider's public key pk s Keyword set W, Data user DU j key k j And the trapdoor T in the search part, and the trapdoor T in the generation and verification part. w Trapdoor T is obtained z ={T,T w};The trap door T z Send to the verification module and the search module;
[0075] The search module is used to search based on the trapdoor T. z Public parameters pp, data owner DO i public key y i And search index I, generate result set RST and corresponding proof; send result set RST and corresponding proof to verification module;
[0076] The verification module is used to verify the search index I and the cloud service provider's private key sk. s Current time t′ and trapdoor T z It performs verification of specific times and authorized user identities; and is used to verify the correctness of ciphertext based on the public parameter pp, the result set RST, and the corresponding proof.
[0077] And, an update module for deleting documents, based on the public parameter pp and the data owner DO. i public key y i Keyword set W and document d j It generates a deletion token `del`, finds and deletes the corresponding document using the search keyword; and it adds a document by calling the index generation module and the ciphertext generation module to generate an encrypted document `e`. j And the corresponding search index I.
[0078] Beneficial effects: Compared with the prior art, the present invention has the following significant advantages: The present invention achieves time awareness and authorized user identity verification based on bilinear paired ciphertext containing specific time and authorized user identity identifiers, while realizing efficient search of encrypted documents and effective verification of search results by establishing an index with implicit links of the same keywords, thus making it suitable for EHRs scenarios. Attached Figure Description
[0079] Figure 1 This is a schematic diagram of the structure of a time-aware, scan-free, searchable public key encryption system provided in an embodiment of this application;
[0080] Figure 2 This is a schematic diagram illustrating the user status of a time-aware, scan-free, searchable public key encryption system provided in an embodiment of this application. Detailed Implementation
[0081] The invention will now be further described with reference to the accompanying drawings.
[0082] This application provides a time-aware, scan-free, searchable public key encryption method, which specifically includes the following steps.
[0083] (1) Configure security parameter λ to generate system master key S, system master public key P, and cloud service provider (CSP) public key pk. s and private key sk s Data owner DO i public key y i and private key (K) i ,x i ), data user DU j public key and private key j and the common parameter pp;
[0084] Step (1) specifically includes:
[0085] (1.1) Input the security parameter λ into the key generation center KGC, and KGC generates the public parameter pp′=(G,G TGiven G(g,q,e), where q is a prime number, and G and G(e) are given. T There are two multiplicative cyclic groups of order q, g is a generator of group G, and e is a bilinear mapping e: G × G → G T ;
[0086] Select system master key Z represents q The set of all modularly invertible elements in Z. q Let Z / qZ denote the residue class ring modulo q, where Z represents the set of all integers;
[0087] System master public key P = g S ;
[0088] (1.2) KGC selects five hash functions: H1:{0,1} * →{0,1} logq H2:G T →{0,1} logq H3:{0,1} * →G, H5:G T →{0,1} n ;where {0,1} * Represents a bit string of arbitrary length, {0,1} logq A bit string representing the length of logq; {0,1} λ Represents a bit string of length λ, where λ is a security parameter; {0,1} n Represents a bit string of length n, where n is the number of authorized users;
[0089] (1.3) Choose μ∈G;
[0090] CSP randomly selects sk, as a cloud service provider s ;
[0091] Public key PK of cloud service providers s =(pk s,1 ,pk s,2 )=(g ζ ,μ 1ζ );
[0092] Data owner DO i Randomly select a key K from H1. i Choose a key x from {2,3,…,q-2} i Obtain data from DO (Domain) i private key (K) i ,x i ); Data owner DOi public key
[0093] Data user DU j Based on their identity ID j Generate your own public key
[0094] The system master key S is divided into n+l parts, i.e., {s1, s2, ..., sn}. n ,s n+1 ,…,s n+l}, of which n copies are secretly distributed to data user DU j That is, data user DU j The private key is s j , 1≤j≤n; l is the number of backup keys;
[0095] (1.4) KGC updates the public parameter pp′ and publishes the final public parameter pp={G,G T ,g,q,e,P,y1,y2,…,y m ,H1,H2,H3,H4,H5}, where m is the number of data owners.
[0096] (2) According to document d j Data owner DO i private key (K) i ,x i ), public parameter pp, keyword set W, identity IDs of all users, and public key pk of the cloud service provider. s And at a specific time t, generate an encrypted document e. j and the corresponding search index I;
[0097] Step (2) specifically includes:
[0098] (2.1) Data Owner (DO) i Provide a keyword space W for a collection of documents i And store a dictionary σ consisting of key-value pairs locally; for the key space W i Each keyword w in k There exists a key-value pair (w) k ,ID(d)), (w k ID(d) represents the keyword w k Document d;
[0099] (2.2) Assume the data owner is DO i To provide document d j Create an index, W(d) j ) for document d jThe set of keywords; data owner DO i Use a symmetric encryption method, such as AES encryption, to encrypt the document d. j Encryption is used to encrypt documents. j ;
[0100] (2.3) Data Owner (DO) i Randomly select from the key set W(d) j Select a keyword w from ) k If σ[w k If empty, it indicates that the keyword w k Unencrypted, data owner DO i For the keyword w k Calculate F = H1(K) i ,w k ||ID(d j ));
[0101] Data owner DO i Random selection Use its private key (K) i ,x i x in ) i For document d j Keyword w k Create Index I k =(A,(B,C,D));
[0102]
[0103]
[0104] mod is the modulo operation, mod q means the remainder when divided by q;
[0105]
[0106] Subsequently, the data owner DO i Document d j The identifier is assigned to σ[w k ], that is, σ[w k ] = ID(d j ).
[0107] As a supplement, if the data owner DO i Selected keyword w k If it has already been encrypted, then access σ[w] k Obtain the corresponding identifier;
[0108] Afterwards, the data owner DO i Calculate the two values F = H1(K) i ,wk ||σ[w k ]), F′=H1(K i ,w k ||ID(d j ));
[0109] Then, choose one For document d j Keyword w k Create Index I k =(A,(B,C,D));
[0110] A = F;
[0111]
[0112]
[0113]
[0114] Finally, the data owner DO i By ID(d) j Assign the value to σ[w] k To update the dictionary σ.
[0115] (2.4) Enter the public key pk of the cloud service provider s Data user DU j public key Keyword set W and a specific time t are randomly selected. Data owner DO i calculate
[0116] Output ciphertext
[0117] Search index I = {I k ,ψ};
[0118] Data owner DO i Encrypted document e j and the generated search index I = {I k ,ψ} is sent to the cloud service provider CSP.
[0119] (3) The system master key S is recovered based on the TSS algorithm, and the trapdoor T and data user DU are generated using the system master key S. j key k j Based on the public parameter pp and the cloud service provider's public key pk s Keyword set W, Data user DU j key k j And the trapdoor T in the search part, and the trapdoor T in the generation and verification part.w , obtain the trap door T z ={T,T w};
[0120] Step (3) specifically includes:
[0121] (3.1) Input common parameter pp, data user DU j Random selection Calculate H3(w) k ) a Then it is sent to the cloud service provider CSP; when the CSP receives H3(w k ) a Then, CSP randomly selects And calculate H3(w) k ) ab Then return it to the data user DU j ;
[0122] (3.2) Recover the system master key based on the TSS algorithm. Where s i =(u i ,f(u i )) is data user DU j A portion of the private key; for simplicity, the equation is denoted as ∑f(u)g(u);
[0123] Data user DU j Using partial private keys {s1,s2,…,s} of the other θ-1 assistant users θ-1} Obtain different (H3(wk)) ab ) f(u)g(u) The value is used to calculate Π(H3(w) k ) ab ) f(u)g(u) =(H3(w k ) ab ) ∑f(u)g(u) Thus, we obtain H3(w) k ) ab·S ;
[0124] Data user DU j Through calculation The trapdoor T = H3(w) is obtained. k ) b·S ;
[0125] Data user DU j A key k is generated based on the system master key S. j =S·H4(ID) j );
[0126] (3.3) Input public parameters pp and server public key pks Keyword set W and data user DU j key k j Data user DU j Random selection Trapdoors in the computational verification section
[0127] Finally, data user DU j Trapdoor T z ={T,T w Send to CSP.
[0128] The TSS (Threshold Secret Sharing) algorithm described in step (3): (θ,n)-TSS is a method for sharing secrets proposed by Shamir in 1979. Specifically, a secret message is divided into n parts (called shares) and distributed to different parties. The property of the TSS scheme is that any party holding a share of θ (called the threshold) or more can recover the secret message, while any party holding a share of θ-1 or less cannot recover the secret message. The TSS scheme includes two algorithms: (1) Sharing: by inputting a secret message The algorithm outputs n shares {s1,s2,…,s}. n}, where q is a prime number greater than n; (2) Recovery: by inputting {s1,s2,…,s n For any θ share in}, the algorithm outputs secret information S.
[0129] (4) Based on search index I and the cloud service provider's private key sk s Current time t′ and trapdoor T z CSP verifies the identity of the user at a specific time and the user authorized. If the verification passes, it outputs true, indicating that the user's identity is valid and within the allowed query time range, and steps (5) are executed; otherwise, the test fails and ⊥ is output.
[0130] Step (4) specifically includes:
[0131] Enter search index I and CSP private key sk s Current time t′ and trapdoor T z CSP first calculates Verify the equation If the equation is true, output true, indicating that the querying user is legitimate and within the allowed query time range, and the next search operation can continue; otherwise, output ⊥.
[0132] (5) According to the trapdoor T z Public parameters pp, data owner DO ipublic key y i And search index I, generate result set RST and corresponding proof;
[0133] Step (5) specifically includes:
[0134] (5.1) Input trapdoor T z The trapdoor in the search section is T = H3(w k ) b·S CSP calculates From the trapdoor T=H3(w in the search section) k ) b·S From this, we obtain T′=H3(w k ) S ;
[0135] (5.2) Input common parameters pp and data owner DO i public key y i Given T′ and search index I, CSP first generates two empty lists L. i (p) and L i (e) to store the proof and the result set RST;
[0136] Then, CSP calculates tag = H2(e(T′,y) i )), and compare it with I in the search index I. k For matching, if a value A matches the tag, then the corresponding (C, D) and the encrypted document will be added to L respectively. i (p) and L i (e) in;
[0137] (5.3) After successfully locating the data owner DO i After the first entry is constructed, CSP calculates a new tag. Then check if there is another A that matches the new tag. If so, add the new corresponding (C,D) and the new encrypted document to L respectively. i (p) and L i (e) in;
[0138] CSP repeats step (5.3) until the new label cannot find a matching A in the index;
[0139] (5.4) The CSP sends the result set RST and the corresponding proof to the data user DU. j .
[0140] (6) Verify the correctness of the ciphertext based on the public parameter pp, the result set RST and the corresponding proof. If the verification is successful, the result is correct; otherwise, the result is incorrect and the search is repeated.
[0141] Step (6) specifically includes:
[0142] Data user DU j Receive 2m lists, L1(p), L2(p), ..., L m (p) and L1(e), L2(e), ..., L m (e); Assuming it is stored in L i (p) contains v i right Stored in L i (e) contains v i An encrypted document Verify the equation If the statement is true, the verification is successful, indicating that the result is correct; otherwise, the result is incorrect, and the search is repeated.
[0143] (7) When deleting a document, the public parameter pp and the data owner DO are used as parameters. i public key y i Keyword set W and document d j Generate a deletion token del, find the corresponding document by searching for keywords and delete it; when adding a document, execute step (2) to generate an encrypted document and the corresponding index.
[0144] Step (7) specifically includes:
[0145] (7.1) When a document is deleted, the data owner DO i Generate a deletion token del = H1(K) i ,w k ||ID) send it to CSP, where w k The `ID` is the keyword and identifier of the document to be deleted; the CSP searches for the keyword `w` to be deleted. k There must be a key A in the index that matches the delete token, and that key A will be marked, but instead of deleting the document with the marked value, the document preceding it will be deleted;
[0146] (7.2) When a document is added, the data owner DO i Call step (2) to generate the encrypted document e j and the corresponding index I = {I k ,ψ}, will encrypt document e j and the corresponding index I = {I k ,ψ} is sent to CSP.
[0147] like Figure 1 As shown in the embodiments of this application, a time-aware, scan-free, searchable public-key encryption system is also provided, specifically including the following functional modules:
[0148] The system parameter setting module is used to configure security parameters λ and generate the system master key S, the system master public key P, and the cloud service provider's public key pk. s and private key sk s Data owner DO i public key y i and private key (K) i ,x i ), data user DU j public key and private key j And the common parameter pp; send the common parameter pp to the index generation module, trapdoor generation module, ciphertext generation module and update module;
[0149] The ciphertext generation module is used to generate ciphertext from document d. j Encryption is used to encrypt documents. j ; encrypt the document e j Send to the search module;
[0150] The index generation module is used to generate an index based on document d. j Data owner DO i private key (K) i ,x i ), public parameter pp, keyword set W, identity IDs of all users, and public key pk of the cloud service provider. s And at a specific time t, generate an encrypted document e. j The search index I; will encrypt the document e j The search index I is sent to the verification module and the search module;
[0151] The trapdoor generation module is used to recover the system master key S based on the TSS algorithm, and to generate the trapdoor T and data user DU for the search part using the system master key S. j key k j Based on the public parameter pp and the cloud service provider's public key pk s Keyword set W, Data user DU j key k j And the trapdoor T in the search part, and the trapdoor T in the generation and verification part. w Trapdoor T is obtained z ={T,T w};The trap door T z Send to the verification module and the search module;
[0152] The search module is used to search based on the trapdoor T. z Public parameters pp, data owner DO i public key y iAnd search index I, generate result set RST and corresponding proof; send result set RST and corresponding proof to verification module;
[0153] The verification module is used to verify the search index I and the cloud service provider's private key sk. s Current time t′ and trapdoor T z It performs verification of specific time and authorized user identity. If the verification is successful, it proceeds to the next search operation. It also verifies the correctness of the ciphertext based on the public parameter pp, the result set RST, and the corresponding proof. If the verification is successful, the proof result is correct; otherwise, the result is incorrect, and the search is repeated.
[0154] And, an update module for deleting documents, based on the public parameter pp and the data owner DO. i public key y i Keyword set W and document d j It generates a deletion token `del`, finds and deletes the corresponding document using the search keyword; and it adds a document by calling the index generation module and the ciphertext generation module to generate an encrypted document `e`. j And the corresponding search index I.
[0155] Figure 2 The diagram shown is a user usage status illustration of a time-aware, scan-free, searchable public key encryption system provided in an embodiment of this application. It involves four types of entities, including the key generation center KGC, the cloud server CSP, the data owner DOs (clients), and the data user DUs (clients).
[0156] Key Generation Center (KGC): As the system administrator, it generates the system's master, public, and private keys and public parameters. Additionally, a subset of the key, separated from the master key, is secretly distributed to different DUs.
[0157] Data owner: Generates their own public and private keys, encrypts the document, generates a corresponding index, and uploads it to the cloud server.
[0158] Data user: Receives a partial key from KGC as their private key and generates their own public key. When performing a keyword search, a data user DU... j A trapdoor needs to be generated with the help of a certain number of other assistant users. DUs can also verify the correctness and completeness of the results.
[0159] Cloud servers: responsible for storing encrypted documents and corresponding indexes outsourced from different DOS. When from DU jWhen a trapdoor is received, the CSP first verifies the user's identity and time point. If the verification is successful, it matches the user with the search index and returns the corresponding result and proof.
[0160] The following describes the application of a time-aware, scan-free, searchable public key encryption method and system, as described in the application embodiments, to EHRs scenarios in cloud computing.
[0161] Suppose a hospital stores patients' Emergency Records (EHRs) on a cloud server for use by various doctors or third-party institutions. However, not all patients' medical records have the same privacy requirements. While some EHRs are currently confidential and subject to strict usage restrictions, they may be accessed by legitimate users such as doctors or medical institutions at some point in the future. When dealing with large volumes of data, search efficiency becomes particularly important. Therefore, this invention proposes a method using implicitly linked indexes with the same keywords to improve retrieval efficiency. First, patients' EHRs are encrypted and stored on the server. The hospital decides which doctors or third-party institutions can access these medical records. When an EHR is within a searchable timeframe and the search user is legitimate, the authorized doctor or third-party institution can recover the master key with the assistance of a group of other legitimate users. Efficient searching of encrypted documents is achieved through implicitly linked indexes with the same keywords and trapdoor matching, without revealing any patient privacy information. When a target medical record is found, the doctor or third-party institution can also verify the correctness and completeness of the search results.
Claims
1. A time-aware, scan-free, searchable public-key encryption method, characterized in that, include: (1) Configure security parameter λ, generate system master key S and system master public key P, and cloud service provider public key pk. s and private key sk s Data owner DO i public key y i and private key (K) i ,x i ), data user DU j public key and private key j and the common parameter pp; (2) According to document d j Data owner DO i private key (K) i ,x i ), public parameter pp, keyword set W, identity IDs of all users, and public key pk of the cloud service provider. s And at a specific time t, generate an encrypted document e. j and the corresponding search index I; (3) The system master key S is recovered based on the TSS algorithm, and the trapdoor T and data user DU are generated using the system master key S. j key k j Based on the public parameter pp and the cloud service provider's public key pk s Keyword set W, Data user DU j key k j And the trapdoor T in the search part, and the trapdoor T in the generation and verification part. w , obtain the trap door T z ={T,T w }; (4) Based on search index I and the cloud service provider's private key sk s Current time t′ and trapdoor T z Perform verification of the user's identity at a specific time. If the verification is successful, the user's identity is valid and within the allowed query time range, and step (5) is executed; otherwise, output ⊥. (5) According to the trapdoor T z Public parameters pp, data owner DO i public key y i And search index I, generate result set RST and corresponding proof; (6) Verify the correctness of the ciphertext based on the public parameter pp, the result set RST and the corresponding proof. If the verification is successful, the result is correct; otherwise, the result is incorrect and the search is repeated. (7) When deleting a document, the public parameter pp and the data owner DO are used as parameters. i public key y i Keyword set W and document d j Generate a deletion token del, find the corresponding document by searching for keywords and delete it; when adding a document, execute step (2) to generate an encrypted document and the corresponding index.
2. The time-aware, scan-free, searchable public-key encryption method according to claim 1, characterized in that, Step (1) includes: (1.1) Choose a prime number q, a multiplicative cyclic group G of order q, and Gq. T The generator g of group G, and the bilinear mapping e: G×G→G T ; Select system master key Z represents q The set of all modularly invertible elements in Z. q Let Z / qZ denote the residue class ring modulo q, where Z represents the set of all integers; System master public key P = g S ; (1.2) Select five hash functions: H1:{0,1} * →{0,1} logq H2:G T →{0,1} logq H3:{0,1} * →G,H4: H5:G T →{0,1} n ;where {0,1} * Represents a bit string of arbitrary length, {0,1} logq A bit string representing the length of logq; {0,1} λ Represents a bit string of length λ, where λ is a security parameter; {0,1} n Represents a bit string of length n, where n is the number of authorized users; (1.3) Choose μ∈G; Random selection sk, as a cloud service provider s ; Public key PK of cloud service providers s =(pk s,1 ,pk s,2 )=(g ζ ,μ 1 / ζ ); Randomly select a key K from H1. i Choose a key x from {2,3,…,q-2} i Obtain data from DO (Domain) i private key (K) i ,x i ); Data owner DO i public key According to data user DU j Identity ID j Generate its public key The system master key S is divided into n+l parts, i.e., {s1, s2, ..., sn}. n ,s n+1 ,…,s n+l }, of which n portions are secretly distributed to data user DU j That is, data user DU j The private key is s j , 1≤j≤n; l is the number of backup keys; (1.4) Common parameters pp={G,G T ,g,q,e,P,y1,y2,…,y m ,H1,H2,H3,H4,H5}, where m is the number of data owners.
3. The time-aware, scan-free, searchable public-key encryption method according to claim 2, characterized in that, Step (2) includes: (2.1) Data Owner (DO) i Provide a keyword space W for a collection of documents i And store a dictionary σ consisting of key-value pairs locally; for the key space W i Each keyword w in k There exists a key-value pair (w) k ID(d)) represents the keyword w k Document d; (2.2) Assume the data owner is DO i To provide document d j Create an index, W(d) j ) for document d j The set of keywords; using symmetric encryption methods to encrypt the document d j Encryption is used to encrypt documents. j ; (2.3) Randomly select from the keyword set W(d) j Select a keyword w from ) k If σ[w k If empty, it indicates that the keyword w k It has not been encrypted. Calculate F = H1(K) i ,w k ||ID(d j )); Random selection Data owner DO i private key (K) i ,x i x in ) i For document d j Keyword w k Create Index I k =(A,(B,C,D)); mod is the modulo operation, modq means the remainder when divided by q; Document d j The identifier is assigned to σ[w k ], that is, σ[w k ] = ID(d j ); (2.4) Random selection calculate Cipher Search index I={I k ,ψ}.
4. The time-aware, scan-free, searchable public-key encryption method according to claim 3, characterized in that, In step (2.3), if the keyword w k If it has already been encrypted, then access σ[w] k Obtain the corresponding identifier; Calculate the two values F = H1(K) i ,w k ||σ[w k ]), F′=H1(K i ,w k ||ID(d j )); Choose one For document d j Keyword w k Create Index I k =(A,(B,C,D)); A = F; By ID(d) j Assign the value to σ[w] k To update the dictionary σ.
5. The time-aware, scan-free, searchable public-key encryption method according to claim 3 or 4, characterized in that, Step (3) includes: (3.1) Random selection Calculate H3(w) k ) a ; Random selection Calculate H3(w) k ) ab ; (3.2) Recover the system master key based on the TSS algorithm. Where s i =(u i ,f(u i )) is data user DU j The private key; the equation can be written as ∑f(u)g(u); Using partial private keys {s1,s2,…,s} of the other θ-1 assistant users θ-1 } to obtain different (H3(w k ) ab ) f(u)g(u) value; Calculate Π(H3(w) k ) ab ) f(u)g(u) =(H3(w k ) ab )∑ f(u)g(u) Thus, we obtain H3(w) k ) ab·S ; calculate The trapdoor T = H3(w) is obtained. k ) b·S ; Data user DU is generated based on the system master key S. j A key k j =S·H4(ID) j ); (3.3) Random selection Trapdoors in the computational verification section Trapdoor T z ={T,T w } 6. The time-aware, scan-free, searchable public-key encryption method according to claim 5, characterized in that, In step (4), calculate Verify the equation Check if the equation is true. If it is true, the verification is successful.
7. The time-aware, scan-free, searchable public-key encryption method according to claim 6, characterized in that, Step (5) includes: (5.1) Through calculation From the trapdoor T=H3(w in the search section) k ) b·S From this, we obtain T′=H3(w k ) S ; (5.2) Generate two empty lists L i (p) and L i (e) to store the proof and the result set RST; Calculate tag = H2(e(T′,y) i )), and compare it with I in the search index I. k For matching, if a value A matches the tag, then the corresponding (C,D) and the encrypted document are added to L respectively. i (p) and L i (e) in; (5.3) After successfully locating the data owner DO i After the first entry is constructed, a new tag is calculated. Then check if there is another A that matches the new tag. If so, add the new corresponding (C,D) and the new encrypted document to L respectively. i (p) and L i (e) in; Repeat step (5.3) until the new label cannot find a matching A in the index; (5.4) Send the result set RST and the corresponding proof to the data user DU. j .
8. The time-aware, scan-free, searchable public-key encryption method according to claim 7, characterized in that, Step (6) includes: Data user DU j Receive 2m lists, L1(p), L2(p), ..., L m (p) and L1(e), L2(e), ..., L m (e); Assuming it is stored in L i (p) contains v i right Stored in L i (e) contains v i An encrypted document Verify the equation If the statement is true, the verification is successful, indicating that the result is correct; otherwise, the result is incorrect, and the search is repeated.
9. The time-aware, scan-free, searchable public-key encryption method according to claim 8, characterized in that, Step (7) includes: (7.1) When a document is deleted, a deletion token is generated: del = H1(K i ,w k ||ID), where w k `ID` is the keyword and identifier for the document to be deleted; search for the keyword to be deleted. k There must be a key A in the index that matches the delete token, and that key A will be marked, but instead of deleting the document with the marked value, the document preceding it will be deleted; (7.2) When adding a document, execute step (2) to generate an encrypted document e. j and the corresponding index I = {I k ,ψ}.
10. A time-aware, scan-free, searchable public-key encryption system, characterized in that, include: The system parameter setting module is used to configure security parameters λ and generate the system master key S, the system master public key P, and the cloud service provider's public key pk. s and private key sk s Data owner DO i public key y i and private key (K) i ,x i ), data user DU j public key and private key j And the common parameter pp; send the common parameter pp to the index generation module, trapdoor generation module, ciphertext generation module and update module; The ciphertext generation module is used to generate ciphertext from document d. j Encryption is used to encrypt documents. j ; encrypt the document e j Send to the search module; The index generation module is used to generate an index based on document d. j Data owner DO i private key (K) i ,x i ), public parameter pp, keyword set W, identity IDs of all users, and public key pk of the cloud service provider. s And at a specific time t, generate an encrypted document e. j The search index I; will encrypt the document e j The search index I is sent to the verification module and the search module; The trapdoor generation module is used to recover the system master key S based on the TSS algorithm, and to generate the trapdoor T and data user DU for the search part using the system master key S. j key k j Based on the public parameter pp and the cloud service provider's public key pk s Keyword set W, Data user DU j key k j And the trapdoor T in the search part, and the trapdoor T in the generation and verification part. w Trapdoor T is obtained z ={T,T w };The trap door T z Send to the verification module and the search module; The search module is used to search based on the trapdoor T. z Public parameters pp, data owner DO i public key y i And search index I, generate result set RST and corresponding proof; send result set RST and corresponding proof to verification module; The verification module is used to verify the search index I and the cloud service provider's private key sk. s Current time t′ and trapdoor T z It performs verification of specific times and authorized user identities; and is used to verify the correctness of ciphertext based on the public parameter pp, the result set RST, and the corresponding proof. And, an update module for deleting documents, based on the public parameter pp and the data owner DO. i public key y i Keyword set W and document d j It generates a deletion token `del`, finds and deletes the corresponding document using the search keyword; and it adds a document by calling the index generation module and the ciphertext generation module to generate an encrypted document `e`. j And the corresponding search index I.