A cloud attribute-based multi-party privacy set intersection method and system

By employing a linear secret sharing scheme to represent the access structure in a cloud computing environment, and utilizing aggregation tokens and cryptographic Bloom filters, the problems of low flexibility and high expansion costs in access policy structures are solved, enabling efficient intersection computation and flexible access control for multi-party privacy datasets.

CN118694521B | Active | Publication Date: 2026-06-19 | XIDIAN UNIV

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: XIDIAN UNIV
Filing Date: 2024-06-11
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

In existing technologies, privacy protection set intersection protocols in cloud computing environments have low flexibility in access policy structure and high cost for both parties to extend, making them difficult to adapt to scenarios involving multiple parties.

Method used

The access structure is represented by a linear secret sharing scheme, which is embedded into the ciphertext set of the cloud server. The cloud server generates an aggregation token and a cryptographic Bloom filter to realize the intersection calculation of the privacy datasets of multiple parties.

Benefits of technology

It improves the flexibility and computational efficiency of the access structure, is suitable for multi-party intersection scenarios, reduces user resource requirements, supports dynamic adjustment of access strategies, and ensures data privacy and security.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention provides a method and system for finding the intersection of multiple privacy datasets based on attribute bases in the cloud, relating to the field of information security technology. The method includes: each data owner generating ciphertext based on public parameters, access structure, and their own privacy datasets, and sending the ciphertext to a cloud server; the access structure is represented by a linear secret sharing scheme; the cloud server generating an aggregation token and a cryptographic Bloom filter based on the public parameters, request token, and ciphertext, and sending the aggregation token and cryptographic Bloom filter to the data user; and the data user determining the intersection based on the public parameters, aggregation token, and cryptographic Bloom filter. Embedding the access structure into the ciphertext set using a linear secret sharing scheme provides high flexibility; it can find the intersection of the privacy datasets of multiple data owners and data users, making it suitable for multi-party intersection scenarios; and generating the aggregation token and cryptographic Bloom filter through the cloud server improves the efficiency of finding the intersection of multiple parties.

Description

Technical Field

[0001] This invention relates to the field of information security technology, and in particular to a method and system for finding the intersection of multiple privacy sets based on cloud attributes.

Background Technology

[0002] With the popularization and development of cloud computing, the design of privacy-preserving set intersection protocols has moved towards cloud computing environments to meet the needs of large-scale data processing more efficiently and securely. Many organizations, enterprises, and individuals outsource data to the cloud to enjoy high-quality data storage services and computing resources provided on demand, which has driven the development of cloud-assisted privacy-preserving set intersection protocols. This allows participants to perform necessary processing on the input set, after which the cloud server manages and computes the data. In this way, the cloud server undertakes a large amount of encrypted data storage and computation, significantly reducing the storage and computing costs for participants and improving system efficiency. The widespread application and development of cloud computing inevitably brings the risk of data access abuse, making ensuring the compliance of data users a pressing security issue. Therefore, building an efficient authorization management method has become an important task in ensuring data security, and designing privacy-preserving set intersection protocols with more flexible access control for different scenarios has broad research value.

[0003] Currently, the specific method for implementing privacy-preserving set intersection protocols is to achieve access control over outsourced datasets by data owners through attribute-based encryption, thereby enabling privacy-preserving set intersection computation in a cloud environment. However, the attribute access structure in the protocol implementation uses an access tree representation, which results in low flexibility in the access policy structure. This approach is only suitable for scenarios involving two parties. If extended to multiple parties, significant modifications to both parties' protocols are required, leading to high costs for expansion.

Summary of the Invention

[0004] The purpose of this invention is to provide a method and system for finding the intersection of multiple privacy sets based on attribute bases in the cloud, thereby addressing the problems of low flexibility in access policy structure and high cost of extending both parties.

[0005] To address the aforementioned technical problems, the embodiments of the present invention provide the following technical solutions:

[0006] The first aspect of this invention provides a method for finding the intersection of multiple privacy sets based on attribute bases in the cloud, the method comprising:

[0007] Trusted institutions determine public parameters and master keys based on security parameters and a set of attributes of the trusted institution.

[0008] The trusted institution generates a private key for the data user based on public parameters, the master key, and the data user's attribute set, and then sends the private key to the data user.

[0009] Each data owner generates ciphertext based on public parameters, access structure, and their own private datasets, and sends the ciphertext to the cloud server. The access structure is represented by a linear secret sharing scheme.

[0010] The data user calculates a request token based on the private key and the first element in the finite field, and sends the request token to the cloud server;

[0011] The cloud server generates an aggregation token and a cryptographic Bloom filter based on public parameters, request token, and ciphertext, and sends the aggregation token and cryptographic Bloom filter to the data user.

[0012] Data users determine the intersection based on public parameters, aggregation tokens, and cryptographic Bloom filters. The intersection is the intersection of the privacy datasets of each data owner and data user.

[0013] A second aspect of this application provides a cloud-based attribute-based multi-party privacy set intersection system, the system comprising:

[0014] The trusted authority is used to determine the public parameters and master key based on the security parameters and the attribute set of the trusted authority; based on the public parameters, master key and the attribute set of the data user, it generates the private key of the data user and sends the private key to the data user;

[0015] Each data owner generates ciphertext based on public parameters, access structure, and their own privacy datasets, and sends the ciphertext to the cloud server. The access structure is represented by a linear secret sharing scheme.

[0016] The cloud server is used to receive request tokens sent by data users, generate an aggregation token and a cryptographic Bloom filter based on public parameters, request tokens and ciphertext, and send the aggregation token and cryptographic Bloom filter to the data users.

[0017] Data users are used to calculate a request token based on their private key and the first element in the finite field, and send the request token to the cloud server; based on public parameters, aggregate tokens, and cryptographic Bloom filters, they determine the intersection, which is the intersection of the privacy datasets of each data owner and data user.

[0018] Compared to existing technologies, the present invention provides a method and system for finding the intersection of multiple privacy datasets based on attribute bases in the cloud. This method embeds the access structure into the ciphertext set to be uploaded to the cloud server using a linear secret sharing scheme, resulting in greater flexibility in the access structure. It can find the intersection of privacy datasets of multiple data owners and data users, making it suitable for scenarios involving multiple intersections. It can generate aggregation tokens and encrypted Bloom filters through the cloud server, reducing user resource requirements and improving the efficiency of finding the intersection of multiple datasets.

Attached Figure Description

[0019] The above and other objects, features, and advantages of exemplary embodiments of the present invention will become readily apparent upon reading the following detailed description with reference to the accompanying drawings. In the drawings, several embodiments of the invention are illustrated by way of example and not limitation, with the same or corresponding reference numerals denoting the same or corresponding parts, wherein:

[0020] Figure 1 schematically illustrates the flowchart of the cloud-based attribute-based multi-party privacy set intersection method;

[0021] Figure 2 schematically illustrates the flowchart of the cloud-based attribute-based multi-party privacy set intersection method.

Detailed Implementation

[0022] Exemplary embodiments of the invention will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided to enable a more thorough understanding of the invention and to fully convey the scope of the invention to those skilled in the art.

[0023] It should be noted that, unless otherwise stated, the technical or scientific terms used in this invention should have the ordinary meaning as understood by one of ordinary skill in the art.

[0024] The methods described in the embodiments of the present invention will be explained in detail below.

[0025] Figure 1 shows a flowchart of the cloud-based attribute-based multi-party privacy set intersection method in an embodiment of the present invention. As shown in Figure 1, the method may include:

[0026] S101. The trusted organization determines the public parameters and master key based on the security parameters and the set of attributes of the trusted organization.

[0027] The trusted institution generates a public parameter par for all entities participating in the protocol computation (i.e., n data owners DO, 1 data user DU, and the cloud server) based on the security parameter λ and the attribute set U of the trusted institution. It provides the master key msk for the data user DU and secretly provides relevant parameters for the data owner DO.

[0028] S102. The trusted institution generates the data user's private key based on the public parameters, master key, and data user's attribute set, and sends the private key to the data user.

[0029] Specifically, the trusted institution generates the data user's private key SK based on the public parameter par, the master key msk, and the data user's attribute set S, and then sends the private key SK to the data user.

[0030] S103. Each data owner generates ciphertext based on public parameters, access structure, and their own privacy dataset, and sends the ciphertext to the cloud server.

[0031] Among them, access structure Represented by a linear secret sharing scheme as Let ρ be a linear shared matrix, and let ρ be a mapping.

[0032] Specifically, each data owner, based on the public parameters, the access structure, and its own privacy dataset $X_i$ (i∈[1,n]), generates the ciphertext $CT_i$ and sends the ciphertext $CT_i$ to the cloud server, where i denotes any data owner.

[0033] S104. The data user calculates a request token based on the private key and the first element in the finite field, and sends the request token to the cloud server.

[0034] Specifically, the data user DU receives the private key SK sent by the trusted institution, calculates the request token Tk1 based on its own private key SK associated with the attribute and the first element z in the finite field, and sends the request token Tk1 to the cloud server.

[0035] The first element in a finite field is a randomly selected element within the finite field.

[0036] S105: The cloud server generates an aggregation token and a cryptographic Bloom filter based on public parameters, request token, and ciphertext, and sends the aggregation token and cryptographic Bloom filter to the data user.

[0037] Specifically, the cloud server receives the ciphertext $CT_i$ sent by each data owner and the request token Tk1 sent by the data user. Based on the public parameter par, the request token Tk1, and the ciphertext $CT_i$, it generates the aggregation token Tk2 and the cryptographic Bloom filter $Enc(BF_X)$, and sends the aggregation token Tk2 and the cryptographic Bloom filter $Enc(BF_X)$ to the data user.

[0038] S106. Data users determine the intersection based on public parameters, aggregation tokens, and cryptographic Bloom filters.

[0039] The intersection is the intersection of the privacy datasets of each data owner and the data user.

[0040] Specifically, the data user receives the aggregation token Tk2 and the cryptographic Bloom filter $Enc(BF_X)$ sent by the cloud server and, based on the public parameter par, the aggregation token Tk2, and the cryptographic Bloom filter $Enc(BF_X)$, determines the intersection.

[0041] Based on the above Figure 1 As can be seen from the implementation method, in this embodiment of the invention, the trusted institution determines the public parameters and master key based on the security parameters and the attribute set of the trusted institution; the trusted institution generates the private key of the data user based on the public parameters, master key, and attribute set of the data user, and sends the private key to the data user; each data owner generates ciphertext based on the public parameters, access structure, and privacy dataset of each data owner, and sends the ciphertext to the cloud server, the access structure being represented by a linear secret sharing scheme; the data user calculates a request token based on the private key and the first element in the finite field, and sends the request token to the cloud server; the cloud server generates an aggregation token and a cryptographic Bloom filter based on the public parameters, request token, and ciphertext, and sends the aggregation token and cryptographic Bloom filter to the data user; the data user determines the intersection based on the public parameters, aggregation token, and cryptographic Bloom filter, the intersection being the intersection of the privacy datasets of each data owner and the data user. In this way, the access structure is embedded into the ciphertext set to be uploaded to the cloud server in the form of a linear secret sharing scheme, which makes the access structure highly flexible. It can find the intersection of the privacy datasets of multiple data owners and data users, which is suitable for multi-party intersection scenarios. It can generate aggregation tokens and encrypted Bloom filters through the cloud server, reducing the user resource requirements and making multi-party intersection calculation more efficient.

[0042] As a refinement and extension of the above embodiments, Figure 2 shows a flowchart of a cloud-based attribute-based multi-party privacy set intersection method in an embodiment of the present invention. As shown in Figure 2, the cloud-based attribute-based multi-party privacy set intersection method may include:

[0043] S201. The trusted authority determines the public parameters and master key based on the security parameters and the set of attributes of the trusted authority.

[0044] The trusted institution generates a public parameter par for all entities participating in the protocol computation (i.e., n data owners DO, 1 data user DU, and the cloud server) based on the security parameter λ and the attribute set U of the trusted institution. It provides the master key msk for the data user DU and secretly provides relevant parameters for the data owner DO.

[0045] Specifically, the trusted authority determines the public parameters and master key based on security parameters and the trusted authority's attribute set, including:

[0046] Step A1: The trusted organization performs a bilinear group function with the security parameter λ as input, generating relevant parameters. Randomly select q-order cyclic group The first element f, the second element h, and the third element α in the finite field.

[0047] q is a prime number. It is a q-order cyclic group. It is a bilinear mapping. It is a group The generator is randomly selected. Random selection Calculate e(g,g) based on e and g. α . It represents a symbol that is randomly selected.

[0048] Step A2: The trusted organization randomly selects a q-order cyclic group. The first parameter.

[0049] Specifically, the trusted organization randomly selects a q-order cyclic group. The first parameter It is associated with the set of properties U of the trusted institution, a q-order cyclic group. The number of the first parameters is the same as the number of attributes U of the trusted institution.

[0050] Step A3: The trusted institution randomly selects the fifth element $s_i$ in the finite field and the sixth element $s'_i$ in the finite field.

[0051] Specifically, random selection and calculate and s i and s′ i All data is securely sent to the corresponding data owner, DO. i (i = 1, ..., n). s is s i The sum of the additions, i∈[1,n], s′ is s′ i The sum is given, where n is the number of data owners.

[0052] Step A4: The trusted institution determines a hash function and calculates $H(e(g,g)^{\alpha s})$.

[0053] α is the third element in the finite field, g is the generator of the q-order cyclic group, e is a bilinear mapping, and υ is the length of the string mapped by the hash function, chosen as any positive integer.

[0054] Step A5: The trusted institution generates the required Bloom filter parameters BF.par based on the dataset sizes $v_i$ used by all data owners in the protocol intersection, the determined false positive rate, and the number k of hash functions selected for the Bloom filter.

[0055] Specifically, all data owners $DO_i$ (i = 1, 2, ..., n) publicly disclose the size $v_i$ of the dataset they use in the protocol intersection. The trusted institution obtains the maximum value $v_{max}$ by comparing these sizes. Using a pre-defined false positive rate, the optimal number of hash functions can be calculated. The length m of the bit array in the Bloom filter is then calculated:

[0056]

[0057] Among them, symbols This represents the rounding operation on the element.

[0058] Based on the length m of the bit array in the Bloom filter, the hash functions $h_l$ are obtained:

[0059] $h_l : \{0,1\}^* \to \{1, 2, \dots, m\}$;

[0060] Where k represents the number of hash functions selected by the Bloom filter, with l = 1, 2, ..., k, to obtain the Bloom filter and generate the required parameters $BF.par = \{k, m, \{h_l\}_{l=1,2,\dots,k}\}$, where l is the total number of rows of vectors in the linear shared matrix.

[0061] Step A6: Set the public key par for the trusted institution's public parameters, and make the public key par public, while keeping the master key msk private.

[0062] Specifically, the public key 'par' of the trusted organization is set as follows:

[0063]

[0064] Set the system's master key msk to:

[0065] $msk = g^{\alpha}$;

[0066] Where g is the generator of the q-order cyclic group, and α is the third element in the finite field.

[0067] S202. The trusted authority generates the data user's private key based on the public parameters, master key, and data user's attribute set, and sends the private key to the data user.

[0068] Here, the public parameters include the generator of the q-order cyclic group, the first element of the q-order cyclic group, the second element of the q-order cyclic group, and the first parameter of the q-order cyclic group.

[0069] Specifically, the trusted institution generates the data user's private key based on public parameters, the master key, and a set of attributes of the data user, including:

[0070] The trusted institution generates the data user's private key from the generator of the q-order cyclic group, the first element of the q-order cyclic group, the second element of the q-order cyclic group, the first parameter of the q-order cyclic group, the master key, and the data user's attribute set, using the following first formula and the second element in the finite field:

[0071] $SK = (K, K_1, \{K_x\}_{x \in S})$;

[0072] Where $K = g^{\alpha} \cdot f^{r}$, $K_1 = g^{r}$, and $K_x = (g_x h)^{r}$. SK is the private key of the data user, K is the first parameter of the private key, $K_1$ is the second parameter of the private key, $K_x$ is the third parameter of the private key, x is an element in the attribute set of the data user, S is the attribute set of the data user, $g^{\alpha}$ is the master key, g is the generator of the q-order cyclic group, α is the third element in the finite field, f is the first element of the q-order cyclic group, r is the second element in the finite field, $g_x$ is the first element of the first parameter of the q-order cyclic group, and h is the second element of the q-order cyclic group.

[0073] The second element *r* in a finite field is a randomly selected element within the finite field, and can be represented as:

[0074] S203. Each data owner generates ciphertext based on public parameters, access structure, and their own privacy dataset, and sends the ciphertext to the cloud server.

[0075] The access structure is represented by a linear secret sharing scheme as follows: Let ρ be a linear sharing matrix, and ρ be a mapping, specifically... A mapping that associates rows with attributes. Common parameters include the parameters of the Bloom filter and the q-order cyclic group. Generator, fifth element in finite field, q-order cyclic group First element, q-order cyclic group The second element and the q-order cyclic group The first parameter.

[0076] Specifically, each data owner generates ciphertext based on public parameters, access structure, and their own privacy datasets, including:

[0077] Step B1: Each data owner determines a preset encrypted Bloom filter based on the parameters of the Bloom filter, their own privacy dataset, and the encryption operation.

[0078] Specifically, the data owner determines each preset encrypted Bloom filter based on the parameters of the Bloom filter, the data owner's private dataset, and encryption operations, including:

[0079] Step B11: Each data owner constructs an empty Bloom filter based on the parameters of the Bloom filter and the data owner's private dataset, and sets the value of each position in each empty Bloom filter to a first preset value.

[0080] The first preset value is 1.

[0081] Specifically, each data owner uses the Bloom filter parameter BF.par from the public parameters and its own privacy dataset $X_i$ (i∈[1,n]) to construct an empty Bloom filter, and sets the value of each position in each empty Bloom filter to 1, where i is any data owner and n is the number of data owners.

[0082] Step B12: Each data owner uses multiple hash functions of each empty Bloom filter to perform hash operations on each element in the data owner's privacy dataset, obtains the index of each element, and modifies the first preset value corresponding to each index to the second preset value, generating each preset Bloom filter corresponding to the privacy dataset. Each preset Bloom filter includes the target value corresponding to each position, and the second preset value is different from the first preset value.

[0083] There can be k hash functions. The second preset value is different from the first preset value; the second preset value is 0.

[0084] Specifically, each data owner uses k hash functions from each empty Bloom filter to process their private dataset X. i Each element x in i Perform a hash operation to calculate the index of each element:

[0085] $\{h_1(x_1), h_2(x_2), \dots, h_k(x_n)\}$;

[0086] Where n is the size of the data owner's privacy dataset $X_i$, and $h_k(x_n)$ is the index of the n-th element.

[0087] Change the 1 value corresponding to each index to 0. If the value at a certain position is already set to 0, no change is needed. Ensure that the 1 values corresponding to all indices are changed to 0, generating the preset Bloom filter corresponding to the privacy dataset $X_i$:

[0088]

[0089] Where m is the length of the bit array in the Bloom filter.

[0090] Step B13: Each data owner performs encryption operations on the target value to generate preset encrypted Bloom filters corresponding to the privacy dataset.

[0091] Each preset Bloom filter includes a target value (0 or 1) corresponding to each position.

[0092] Each data owner performs an encryption operation on the target value (0 or 1) to generate a pre-defined encrypted Bloom filter C corresponding to the privacy dataset. i :

[0093]

[0094] in, For each preset encrypted Bloom filter, i represents any data owner. This indicates the preset encrypted Bloom filters. The value at the j-th position, e is a bilinear mapping, and g is a cyclic group of order q. The generators are q, α, and s. i Let be the fifth element in the finite field.

[0095] Step B2: Each data owner applies their preset encrypted Bloom filter and q-order cyclic group. Generator, fifth element in finite field, q-order cyclic group First element, q-order cyclic group Given the second element and access structure, the ciphertext is generated using the following second formula, the secret share corresponding to the attribute, and the fourth element in the finite field:

[0096]

[0097] in, CT i It is a ciphertext. For accessing the structure, Represented as Let ρ be a linear sharing matrix, and let ρ be a mapping. For each preset encrypted Bloom filter, X i Let i be the privacy dataset of each data owner, i∈[1,n], n be the number of data owners, i be any data owner, C′ be the third parameter of the ciphertext, and g be a cyclic group of order q. generator, s i C is the fifth element in the finite field. τ The fourth parameter of the ciphertext is τ, where τ is the number of any row in the vector of the linear shared matrix, and f is the q-order cyclic group. The first element, λ τ For the secret share corresponding to the attribute, g ρ(τ) It is a q-order cyclic group The second element of the first parameter, ρ(τ), is an attribute, and h is a cyclic group of order q. The second element, t τ D is the fourth element in the finite field. τ Let v be the fifth parameter of the ciphertext, and v be a random vector in a finite field. For linear shared matrices The vector in row τ, where l is the total number of rows of vectors in the linear shared matrix.

[0098] As an n-order matrix, v is a random vector in a finite field, specifically... These values ​​are generated for the purpose of sharing secret shares of the encrypted dataset. i For τ∈[1,l], calculate The fourth element t in a finite field τ In a finite field The element randomly selected from the data, i.e., the random selection.

[0099] S204. The data user calculates a request token based on the private key and the first element in the finite field, and sends the request token to the cloud server.

[0100] Specifically, the data user calculates a request token based on the private key and the first element in the finite field, including:

[0101] The data user calculates the request token using the following third formula, based on the first parameter, the second parameter, and the third parameter of the private key, and the first element of the finite field:

[0102]

[0103] Where Tk1 is the request token, K′ is the first parameter of the request token, $K'_1$ is the second parameter of the request token, $K'_x$ is the third parameter of the request token, x is an element in the data user's attribute set, S is the data user's attribute set, K is the first parameter of the private key, $K_1$ is the second parameter of the private key, $K_x$ is the third parameter of the private key, and z is the first element in the finite field.

[0104] The fifth element z in a finite field is in the finite field The element is randomly selected from the data, that is, an element is randomly chosen.

[0105] Steps S205-S207 below describe the specific operations of the cloud server generating an aggregation token and a cryptographic Bloom filter based on public parameters, request tokens, and ciphertext, and then sending the aggregation token and cryptographic Bloom filter to the data user.

[0106] S205. The cloud server generates multiple intersection tokens based on the common parameters, the request token, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext.

[0107] The ciphertext includes each preset encrypted Bloom filter, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext. The common parameters include a bilinear mapping, and the request token includes the first parameter of the request token, the second parameter of the request token, and the third parameter of the request token.

[0108] Specifically, the cloud server generates multiple intersection tokens based on the public parameters, the request token, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext, including:

[0109] Assume that the attribute set S of the data user satisfies the access structure, and let I be defined as $I = \{\tau : \rho(\tau) \in S\}$. Then let $\{\omega_\tau \in Z_q\}_{\tau \in I}$ be constants such that the valid shares $\{\lambda_\tau\}_{\tau \in I}$ satisfy $\sum_{\tau \in I} \omega_\tau \lambda_\tau = s_i$.

[0110] The cloud server generates multiple intersection tokens based on a bilinear mapping, the first parameter of the request token, the second parameter of the request token, the third parameter of the request token, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext, using the following fourth formula:

[0111]

[0112] Where $Tk_{2,i}$ are the multiple intersection tokens, e is a bilinear mapping, C′ is the third parameter of the ciphertext, $C_\tau$ is the fourth parameter of the ciphertext, τ is the row number of any vector in the linear shared matrix, $D_\tau$ is the fifth parameter of the ciphertext, K′ is the first parameter of the request token, $K'_1$ is the second parameter of the request token, $K'_{\rho(\tau)}$ is the entry for ρ(τ) in the third parameter of the request token, ρ(τ) is an attribute, I is a subset of the set from 1 to l, l is the total number of rows of vectors in the linear shared matrix, $\omega_\tau$ is a constant, g is the generator of the q-order cyclic group, α is the third element in the finite field, z is the first element in the finite field, and $s_i$ is the fifth element in the finite field.

[0113] S206. The cloud server performs multiplication on multiple intersection tokens to obtain an aggregate token, and then sends the aggregate token to the data user.

[0114] After the token Tk_{2,i} has been obtained for each data owner DO_i, all Tk_{2,i} are multiplied together. Because the shared secret values combine through addition, the selected secret value s is reconstructed, giving the aggregate token Tk2:

[0115] Tk2 = e(g,g)^{zαs};

[0116] where e is the bilinear mapping, g is a generator of the cyclic group of order q, q is a prime number, α is the third element in the finite field, s is the sum of the s_i, and s_i is the third element of the cyclic group of order q.

[0117] S207. The cloud server multiplies the positions corresponding to each preset encrypted Bloom filter to obtain the encrypted Bloom filter, and sends the encrypted Bloom filter to the data user.

[0118] The cloud server receives the ciphertext CT_i from every data owner. Taking the component of each ciphertext that holds the preset encrypted Bloom filter, it multiplies the corresponding positions of the preset encrypted Bloom filters to obtain the encrypted Bloom filter Enc(BF_X):

[0119] Enc(BF_X) = (C_1, C_2, …, C_m);

[0120] where C_j is the value at the j-th position of the encrypted Bloom filter Enc(BF_X), i is any data owner, e is the bilinear mapping, g is a generator of the cyclic group of order q, q is a prime number, α is the third element in the finite field, s is the sum of the s_i, s′_i is the sixth element in the finite field, i ∈ [1, n], and s′ is the sum of all s′_i.

[0121] Steps S208-S210 below are specific operations for data users to determine the intersection based on public parameters, aggregation tokens, and cryptographic Bloom filters. The intersection is the intersection of the privacy datasets of the data owner and the data user.

[0122] S208. The data user determines the intermediate parameter and its hash value based on the aggregation token and the fifth element in the finite field.

[0123] The public parameters include comparison parameters.

[0124] Specifically, based on the aggregation token Tk2 and the fifth element z in the finite field selected during the query request, the data user determines the intermediate parameter Tmp and the hash value H(Tmp) of the intermediate parameter.

[0125] S209. The data user determines whether the hash value of the intermediate parameter is equal to the comparison parameter. If so, the user takes the ratio of the value corresponding to each position in the encrypted Bloom filter to the intermediate parameter to obtain a new Bloom filter.

[0126] Specifically, the data user compares the hash value H(Tmp) of the intermediate parameter with the comparison parameter H(e(g,g)^{αs}). If the values are equal, this proves that the data user's own attribute set conforms to the access policy of all data owners, and the ratio of the value at each position in the encrypted Bloom filter to the intermediate parameter is taken to obtain a new Bloom filter; otherwise, the process is terminated.
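The share reconstruction in [0109], the token aggregation in [0114]-[0116] and the comparison in [0124]-[0126] can be followed with small numbers. The following Python code is an added example, not code from the patent: it stands in for the pairing value e(g,g) with a generator of a prime-order subgroup of Z_P* (constructed parameters), uses a constructed policy "(A AND B) OR C", and assumes the unblinding Tmp = Tk2^{1/z}, which the comparison parameter implies but the page does not show. All function names are illustrative.

```python
import hashlib
import secrets

# Constructed parameters: P = 2Q + 1 with P and Q prime; GT generates the
# order-Q subgroup of Z_P*. GT stands in for e(g, g) (assumption: no pairing here).
Q, P, GT = 1019, 2039, 4

# Constructed LSSS policy "(A AND B) OR C": row t of M is labelled with attribute RHO[t].
M = [[1, 1], [0, -1], [1, 0]]
RHO = ["A", "B", "C"]


def solve_mod(A, b, q):
    """Return one solution x of A x = b over Z_q (q prime), or None if none exists."""
    rows, cols = len(A), len(A[0])
    aug = [[x % q for x in row] + [bi % q] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        p = next((i for i in range(r, rows) if aug[i][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, q)
        aug[r] = [x * inv % q for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % q for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    # A zero coefficient row with a non-zero right-hand side means no solution.
    if any(not any(row[:-1]) and row[-1] for row in aug):
        return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][-1]
    return x


def make_shares(secret, q=Q):
    """Standard LSSS sharing: lambda_t = M_t . v with v = (secret, random, ...)."""
    v = [secret] + [secrets.randbelow(q) for _ in M[0][1:]]
    return [sum(m * x for m, x in zip(row, v)) % q for row in M]


def reconstruction_constants(attrs, q=Q):
    """Constants {t: w_t} over I = {t : rho(t) in attrs} with sum w_t * lambda_t = secret."""
    I = [t for t, a in enumerate(RHO) if a in attrs]
    if not I:
        return None
    # Solve sum_t w_t * M_t = (1, 0, ..., 0), one equation per matrix column.
    A = [[M[t][j] for t in I] for j in range(len(M[0]))]
    w = solve_mod(A, [1] + [0] * (len(M[0]) - 1), q)
    return None if w is None else dict(zip(I, w))


def intersection_token(shares, attrs, z, alpha):
    """Model of Tk_{2,i} = e(g,g)^(z*alpha*s_i), combined from the shares in the exponent."""
    w = reconstruction_constants(attrs)
    if w is None:
        return None  # attribute set does not satisfy the access structure
    tok = 1
    for t, wt in w.items():
        row = pow(GT, z * alpha * shares[t] % Q, P)  # stand-in for the row-t pairing value
        tok = tok * pow(row, wt, P) % P
    return tok


def H(x):
    return hashlib.sha256(str(x).encode()).hexdigest()


def run_protocol(attrs, n_owners=3):
    """Return True if the data user's Tmp matches the public comparison parameter."""
    alpha = 1 + secrets.randbelow(Q - 1)                 # exponent of the master key g^alpha
    s = [secrets.randbelow(Q) for _ in range(n_owners)]  # one s_i per data owner
    comparison = H(pow(GT, alpha * sum(s) % Q, P))       # public H(e(g,g)^(alpha*s))
    z = 1 + secrets.randbelow(Q - 1)                     # data user's z, invertible mod Q
    tokens = [intersection_token(make_shares(si), attrs, z, alpha) for si in s]
    if any(t is None for t in tokens):
        return False
    tk2 = 1
    for t in tokens:                                     # Tk2 = prod Tk_{2,i} = e(g,g)^(z*alpha*s)
        tk2 = tk2 * t % P
    tmp = pow(tk2, pow(z, -1, Q), P)                     # assumed unblinding: Tmp = Tk2^(1/z)
    return H(tmp) == comparison
```

With attributes {A} or {B} alone no constants ω_τ exist, so no intersection token can be formed and the data user never reaches the Bloom filter step.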

[0127] Specifically, by taking the ratio of the values at each position in the encrypted Bloom filter to the intermediate parameters, a new Bloom filter is obtained, including:

[0128] The new Bloom filter BF_res is obtained by taking the ratio of the value at each position in the encrypted Bloom filter to the intermediate parameter Tmp. The values at each position in the new Bloom filter are as follows:

[0129]

[0130] where μ_j is the value at each position in the new Bloom filter, C_j is the value at each position in the encrypted Bloom filter, Tmp is the intermediate parameter, i is any data owner, e is the bilinear mapping, g is a generator of the cyclic group of order q, q is a prime number, α is the third element in the finite field, s is the sum of the s_i, j is the position of the corresponding value in the encrypted Bloom filter, and m is the length of the bit array in the Bloom filter.

[0131] S210. According to the element detection rules, the data user queries the data user's dataset for intersection elements in the new Bloom filter, and determines the set of intersection elements as the intersection.

[0132] Specifically, based on the element detection rules, the data user queries the new Bloom filter for intersection elements existing in the data user's dataset, and determines the set of intersection elements as the intersection, including:

[0133] Step C1: The data user calculates multiple target indices corresponding to each target element in the data user's dataset.

[0134] Specifically, the data user calculates, for each target element y_i in the data user's dataset Y, the corresponding multiple target indices:

[0135] {h_1(y_i), h_2(y_i), …, h_l(y_i)};

[0136] where l is the total number of rows of the vectors in the linear shared matrix, and h_l(y_i) is the index of the l-th element.

[0137] Step C2: In the new Bloom filter, the data user queries whether the values corresponding to all target indices for each target element are the first preset values.

[0138] The first preset value is 1. In the new Bloom filter, we query whether the values corresponding to all target indices for each target element are all 1, that is, whether BF_X[h_l(y_i)] = 1 is satisfied for every l = 1, 2, ..., k.

[0139] In the new Bloom filter, check whether the values corresponding to all target indices for each target element are the first preset values. If yes, proceed to step C3; otherwise, proceed to step C4.

[0140] Step C3: Determine each target element as an intersection element, and determine the set of intersection elements as the intersection.

[0141] In the new Bloom filter, we query whether the values corresponding to all target indices for each target element are all 1. If BF_X[h_l(y_i)] = 1 is satisfied for every l = 1, 2, ..., k, then the element y_i is an element of the intersection and is added to the intersection Res, where k represents the number of hash functions selected by the Bloom filter.

[0142] Step C4: The target elements are not intersecting elements.

[0143] In the new Bloom filter, we query whether the values corresponding to all target indices for each target element are all 1. If BF_X[h_l(y_i)] = 1 is not satisfied for every l = 1, 2, ..., k, then the element y_i is not an intersection element.

[0144] This invention provides a method applicable to authorization management to prevent data misuse. For scenarios with multiple participants, it utilizes attribute-based encryption to achieve fine-grained access control for data owners, realizing a multi-party attribute-based privacy-preserving set intersection protocol for outsourced datasets. The attribute access structure employs a linear secret-sharing scheme, which is matrix-based, capable of representing more complex access policies, offering better scalability to support new attributes and rules, more efficient management in response to changing needs, and higher computational efficiency—a more flexible structure than access trees. For multi-party participation, the protocol design embeds the privacy access policy into the encrypted set to be uploaded to the cloud server in the form of a linear secret-sharing scheme. This structure is considered more flexible than access trees, and the protocol ensures the security of the access policy and the privacy of the original set elements. Furthermore, the protocol allows data owners to operate offline, and their access policies can be dynamically adjusted.

[0145] Based on the same inventive concept, as an implementation of the above-mentioned method for finding the intersection of cloud-based attribute-based multi-party privacy sets, this embodiment of the invention also provides a cloud-based attribute-based multi-party privacy set intersection system, which may include:

[0146] The trusted authority is used to determine the public parameters and master key based on the security parameters and the attribute set of the trusted authority; based on the public parameters, master key and the attribute set of the data user, it generates the private key of the data user and sends the private key to the data user;

[0147] Each data owner generates ciphertext based on public parameters, access structure, and their own privacy datasets, and sends the ciphertext to the cloud server. The access structure is represented by a linear secret sharing scheme.

[0148] The cloud server is used to receive request tokens sent by data users, generate an aggregation token and a cryptographic Bloom filter based on public parameters, request tokens and ciphertext, and send the aggregation token and cryptographic Bloom filter to the data users.

[0149] Data users are used to calculate a request token based on their private key and the first element in the finite field, and send the request token to the cloud server; based on public parameters, aggregate tokens, and cryptographic Bloom filters, they determine the intersection, which is the intersection of the privacy datasets of each data owner and data user.

[0150] The trusted institution generating a private key for the data user based on the public parameters, the master key, and the attribute set of the data user includes: based on the generator of the cyclic group of order q, the first element of the cyclic group of order q, the second element of the cyclic group of order q, the first parameter of the cyclic group of order q, the master key, and the data user's attribute set, generating the data user's private key using the following first formula and the second element in the finite field:

[0151] SK = (K, K1, {K_x}_{x∈S});

[0152] where K = g^α · f^r, K1 = g^r, K_x = (g_x h)^r, SK is the private key of the data user, K is the first parameter of the private key, K1 is the second parameter of the private key, K_x is the third parameter of the private key, x is an element in the attribute set of the data user, S is the attribute set of the data user, g^α is the master key, g is a generator of the cyclic group of order q, q is a prime number, α is the third element in the finite field, f is the first element of the cyclic group of order q, r is the second element in the finite field, g_x is the first element in the first parameter of the cyclic group of order q, and h is the second element of the cyclic group of order q; the public parameters include the generator of the cyclic group of order q, the first element of the cyclic group of order q, the second element of the cyclic group of order q, and the first parameter of the cyclic group of order q.

[0153] Each data owner is specifically used to determine a preset encrypted Bloom filter based on the parameters of the Bloom filter, its own privacy dataset, and encryption operations; and, based on each preset encrypted Bloom filter, the generator of the cyclic group of order q, the fifth element in the finite field, the first element of the cyclic group G of order q, the second element of the cyclic group of order q, and the access structure, to generate the ciphertext using the following second formula, the secret share corresponding to the attribute, and the fourth element in the finite field:

[0154]

[0155] where CT_i is the ciphertext; the access structure is represented by a linear shared matrix together with a mapping ρ; the ciphertext contains each preset encrypted Bloom filter; X_i is the privacy dataset of each data owner, i ∈ [1, n], n is the number of data owners, i is any data owner, C′ is the third parameter of the ciphertext, g is a generator of the cyclic group of order q, s_i is the fifth element in the finite field, C_τ is the fourth parameter of the ciphertext, τ is the row number of any vector in the linear shared matrix, f is the first element of the cyclic group of order q, λ_τ is the secret share corresponding to the attribute, g_{ρ(τ)} is the second element in the first parameter of the cyclic group of order q, ρ(τ) is an attribute, h is the second element of the cyclic group of order q, t_τ is the fourth element in the finite field, D_τ is the fifth parameter of the ciphertext, v is a random vector in the finite field, the row vector in the formula is the vector in row τ of the linear shared matrix, and l is the total number of rows in the linear shared matrix; the public parameters include the parameters of the Bloom filter, the generator of the cyclic group of order q, the fifth element in the finite field, the first element of the cyclic group of order q, the second element of the cyclic group of order q, and the first parameter of the cyclic group of order q.

[0156] Each data owner determines a preset encrypted Bloom filter based on the parameters of the Bloom filter, their private dataset, and encryption operations. This includes: constructing an empty Bloom filter for each data owner based on the parameters of the Bloom filter and their private dataset, and setting the value at each position in each empty Bloom filter to a first preset value; performing hash operations on each element in the data owner's private dataset using multiple hash functions of each empty Bloom filter to obtain the index of each element, and modifying the first preset value corresponding to each index to a second preset value to generate a preset Bloom filter corresponding to the private dataset. Each preset Bloom filter includes a target value corresponding to each position, and the second preset value is different from the first preset value; and performing encryption operations on the target value to generate a preset encrypted Bloom filter corresponding to the private dataset.

[0157] The data user calculates the request token based on the private key and the first element of the finite field, including: the data user calculates the request token using the following third formula based on the first parameter, the second parameter, the third parameter of the private key, and the first element of the finite field:

[0158]

[0159] where Tk1 is the request token, K′ is the first parameter of the request token, K′1 is the second parameter of the request token, K′_x is the third parameter of the request token, x is an element in the data user's attribute set, S is the data user's attribute set, K is the first parameter of the private key, K1 is the second parameter of the private key, K_x is the third parameter of the private key, and z is the first element in the finite field.

[0160] The cloud server is specifically used to generate multiple intersection tokens based on public parameters, request tokens, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext; perform multiplication operations on the multiple intersection tokens to obtain an aggregate token; multiply the corresponding positions of each preset encrypted Bloom filter to obtain an encrypted Bloom filter; the ciphertext includes each preset encrypted Bloom filter, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext.

[0161] The cloud server generates multiple intersection tokens based on common parameters, request tokens, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext. This includes generating multiple intersection tokens using the following fourth formula based on a bilinear mapping, the first parameter of the request token, the second parameter of the request token, the third parameter of the request token, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext:

[0162]

[0163] where Tk_{2,i} denotes the multiple intersection tokens, e is the bilinear mapping, C′ is the third parameter of the ciphertext, C_τ is the fourth parameter of the ciphertext, τ is the row number of any vector in the linear shared matrix, D_τ is the fifth parameter of the ciphertext, K′ is the first parameter of the request token, K′1 is the second parameter of the request token, K′_{ρ(τ)} is the information in the third parameter of the request token, ρ(τ) is an attribute, I is a subset of the set from 1 to l, l is the total number of rows of the vectors in the linear shared matrix, ω_τ is a constant, g is a generator of the cyclic group of order q, q is a prime number, α is the third element in the finite field, z is the first element in the finite field, and s_i is the fifth element in the finite field; the public parameters include a bilinear mapping, and the request token includes the first parameter, the second parameter, and the third parameter of the request token.

[0164] Data users determine the intersection based on public parameters, aggregation tokens, and cryptographic Bloom filters. This includes: determining the intermediate parameter and its hash value based on the aggregation token and the fifth element in the finite field; determining whether the hash value of the intermediate parameter is equal to the comparison parameter; if so, taking the ratio of the value at each position in the cryptographic Bloom filter to the intermediate parameter to obtain a new Bloom filter; and, according to element detection rules, querying the new Bloom filter for intersection elements found in the data user's dataset and defining the set of intersection elements as the intersection. Public parameters include comparison parameters.

[0165] According to the element detection rules, the data user queries the new Bloom filter for intersection elements in the data user's dataset and determines the set of intersection elements as the intersection. This includes: calculating multiple target indices corresponding to each target element in the data user's dataset; querying the new Bloom filter to see if the values corresponding to all target indices of each target element are all the first preset values; if so, then each target element is determined as an intersection element, and the set of intersection elements is determined as the intersection; otherwise, the target elements are not intersection elements.

[0166] It should be noted that the above description of the cloud-based attribute-based multi-party privacy set intersection system is similar to the description of the above method embodiments, and has similar beneficial effects. For technical details not disclosed in the embodiments of the cloud-based attribute-based multi-party privacy set intersection system of this invention, please refer to the description of the method embodiments of this invention for understanding.

[0167] The above are merely specific embodiments of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A method for finding the intersection of multiple privacy sets based on attribute bases in the cloud, characterized in that, The cloud-based attribute-based multi-party privacy set intersection method includes: Trusted institutions determine public parameters and master keys based on security parameters and the set of attributes of the trusted institution; The trusted institution generates the data user's private key based on the public parameters, the master key, and the data user's attribute set, and sends the private key to the data user. Each data owner generates ciphertext based on the public parameters, access structure, and their own privacy datasets, and sends the ciphertext to the cloud server. The access structure is represented by a linear secret sharing scheme. The data user calculates a request token based on the private key and the first element in the finite field, and sends the request token to the cloud server; The cloud server generates an aggregation token and a cryptographic Bloom filter based on the public parameters, the request token, and the ciphertext, and sends the aggregation token and the cryptographic Bloom filter to the data user. The data user determines the intersection based on the public parameters, the aggregation token, and the cryptographic Bloom filter. The intersection is the intersection of the privacy datasets of each data owner and the data user.

2. The cloud-based attribute-based multi-party privacy set intersection method according to claim 1, characterized in that, The common parameters include Cyclic group generator, Cyclic group The first element Cyclic group The second element and Cyclic group The first parameter, wherein the trusted institution generates the private key of the data user based on the public parameters, the master key, and the data user's attribute set, includes: The trusted institution, according to the Cyclic group The generator, the Cyclic group The first element, the Cyclic group The second element and the Cyclic group The first parameter, the master key, and the set of attributes of the data user are used to generate the private key of the data user using the following first formula and the second element in the finite field: ; in, , The private key of the data user. The first parameter of the private key. The second parameter of the private key. The third parameter of the private key. For the elements in the attribute set of the data user, The set of attributes of the data user. The master key, For the Cyclic group generator, It is a prime number. The third element in the finite field. For the Cyclic group The first element, The second element in the finite field. For the Cyclic group The first element in the first parameter, For the Cyclic group The second element.

3. The cloud-based attribute-based multi-party privacy set intersection method according to claim 1, characterized in that, The common parameters include the parameters of the Bloom filter. Cyclic group Generator, fifth element in finite field, Cyclic group The first element Cyclic group The second element and Cyclic group The first parameter, generated by each data owner based on the public parameter, access structure, and the privacy dataset of each data owner, includes: Each data owner determines a preset encrypted Bloom filter based on the parameters of the Bloom filter, the privacy dataset of each data owner, and the encryption operation. Each data owner, according to the preset encrypted Bloom filters, ... Cyclic group The generator, the fifth element in the finite field, and the Cyclic group The first element, the Cyclic group Given the second element and access structure, the ciphertext is generated using the following second formula, the secret share corresponding to the attribute, and the fourth element in the finite field: ; in, , , The ciphertext, This refers to the access structure. Represented as , For linear shared matrices, As a mapping, For each of the preset encrypted Bloom filters, This is a privacy dataset for each of the data owners. , The number of data owners. For any data owner, The third parameter of the ciphertext. For the Cyclic group generator, The fifth element in the finite field. The fourth parameter of the ciphertext. Let be the row number of any vector in the linear shared matrix. For the Cyclic group The first element, The secret share corresponding to the attribute. For the Cyclic group The second element in the first parameter, For the attribute, For the Cyclic group The second element, Let be the fourth element in the finite field. The fifth parameter of the ciphertext. For a random vector in a finite field, For linear shared matrices No. 
The vector of rows, This represents the total number of rows of vectors in the linear shared matrix.

4. The cloud-based attribute-based multi-party privacy set intersection method according to claim 3, characterized in that, Each data owner determines a preset encrypted Bloom filter based on the parameters of the Bloom filter, the data owner's private dataset, and encryption operations, including: Each data owner constructs an empty Bloom filter based on the parameters of the Bloom filter and the data owner's privacy dataset, and sets the value at each position in each empty Bloom filter to a first preset value; Each data owner uses multiple hash functions of each empty Bloom filter to perform hash operations on each element in the data owner's privacy dataset to obtain the index of each element, and modifies the first preset value corresponding to each index to a second preset value to generate each preset Bloom filter corresponding to the privacy dataset. Each preset Bloom filter includes a target value corresponding to each position, and the second preset value is different from the first preset value. Each data owner performs encryption operations on the target value to generate the preset encrypted Bloom filters corresponding to the privacy dataset.

5. The cloud-based attribute-based multi-party privacy set intersection method according to claim 2, characterized in that, The data user calculates a request token based on the private key and the first element in the finite field, including: The data user calculates the request token using the following third formula based on the first parameter of the private key, the second parameter of the private key, the third parameter of the private key, and the first element in the finite field: ; in, For the request token, The first parameter of the request token. The second parameter of the request token. The third parameter of the request token. For the elements in the attribute set of the data user, The set of attributes of the data user. The first parameter of the private key. The second parameter of the private key. The third parameter of the private key. Let be the first element in the finite field.

6. The cloud-based attribute-based multi-party privacy set intersection method according to claim 1, characterized in that, The ciphertext includes preset encrypted Bloom filters, a third parameter of the ciphertext, a fourth parameter of the ciphertext, and a fifth parameter of the ciphertext. The cloud server generates an aggregate token and encrypted Bloom filters based on the common parameters, the request token, and the ciphertext, including: The cloud server generates multiple intersection tokens based on the public parameters, the request token, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext. The cloud server performs a multiplication operation on the multiple intersection tokens to obtain the aggregate token; The cloud server multiplies the positions corresponding to each preset encrypted Bloom filter to obtain the encrypted Bloom filter.

7. The cloud-based attribute-based multi-party privacy set intersection method according to claim 6, characterized in that, The public parameters include a bilinear mapping, and the request token includes a first parameter, a second parameter, and a third parameter. The cloud server generates multiple intersection tokens based on the public parameters, the request token, the third parameter, the fourth parameter, and the fifth parameter of the ciphertext, including: The cloud server generates the plurality of intersection tokens using the following fourth formula, based on the bilinear mapping, the first parameter of the request token, the second parameter of the request token, the third parameter of the request token, the third parameter of the ciphertext, the fourth parameter of the ciphertext, and the fifth parameter of the ciphertext: ; in, For the multiple intersection tokens, For the aforementioned bilinear mapping, The third parameter of the ciphertext. The fourth parameter of the ciphertext. Let be the row number of any vector in the linear shared matrix. The fifth parameter of the ciphertext. The first parameter of the request token. The second parameter of the request token. The information in the third parameter of the request token. As an attribute, From 1 to A subset of a set This represents the total number of rows of vectors in a linearly shared matrix. It is a constant. for Cyclic group generator, It is a prime number. The third element in the finite field. Let be the first element in the finite field. Let be the fifth element in the finite field.

8. The cloud-based attribute-based multi-party privacy set intersection method according to claim 7, characterized in that, The public parameters include comparison parameters. The data user determines the intersection based on the public parameters, the aggregation token, and the cryptographic Bloom filter, including: The data user determines the intermediate parameters and the hash value of the intermediate parameters based on the aggregated token and the fifth element in the finite field. The data user determines whether the hash value of the intermediate parameter is equal to the comparison parameter. If so, the user takes the ratio of the value corresponding to each position in the encrypted Bloom filter to the intermediate parameter to obtain a new Bloom filter. According to the element detection rules, the data user queries the new Bloom filter for the intersection elements that exist in the data user's dataset, and determines the set of the intersection elements as the intersection.

9. The cloud-based attribute-based multi-party privacy set intersection method according to claim 8, characterized in that, The data user, according to the element detection rules, queries the new Bloom filter for intersection elements existing in the user's dataset, and determines the set of intersection elements as the intersection, including: The data user calculates multiple target indices corresponding to each target element in the data user's dataset; The data user queries the new Bloom filter to see if the values corresponding to all target indices of each target element are all the first preset values. If so, then each target element is determined as the intersection element, and the set of the intersection elements is determined as the intersection; If not, then the target elements are not the intersection elements.

10. A cloud-based attribute-based multi-party privacy set intersection system, characterized in that, The cloud-based attribute-based multi-party privacy set intersection system includes: A trusted institution is used to determine public parameters and a master key based on security parameters and a set of attributes of the trusted institution; and to generate a private key for the data user based on the public parameters, the master key, and a set of attributes of the data user, and to send the private key to the data user. Each data owner is responsible for generating ciphertext based on the public parameters, access structure, and the privacy dataset of each data owner, and sending the ciphertext to the cloud server. The access structure is represented by a linear secret sharing scheme. The cloud server is configured to receive a request token sent by the data user, generate an aggregation token and a cryptographic Bloom filter based on the public parameters, the request token, and the ciphertext, and send the aggregation token and the cryptographic Bloom filter to the data user. The data user is configured to calculate a request token based on the private key and a first element in the finite field, and send the request token to the cloud server; and determine an intersection based on the public parameters, the aggregate token, and the cryptographic Bloom filter, wherein the intersection is the intersection of the privacy datasets of each data owner and the data user.