A method for supporting time-constrained data security controllable flow in a cloud-edge environment
By issuing encryption keys that bind access structures and time intervals to the sender, and combining them with a zero-knowledge proof system, edge nodes perform purification verification, solving the sender write control and time constraint problems in the cloud-edge computing environment of CP-ABE. This achieves fine-grained write control and efficient data flow control, preventing data leakage.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING UNIV OF POSTS & TELECOMM
- Filing Date
- 2026-01-27
- Publication Date
- 2026-07-03
Smart Images

Figure CN121907585B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of mobile edge cloud computing, specifically a method for time-constrained, secure, and controllable data flow in a cloud-edge environment. Background Technology
[0002] With the rapid development of mobile edge cloud computing, the demand for data sharing among mobile users is growing. Edge cloud computing effectively reduces response time and improves efficiency by deploying storage and processing resources at the network edge. However, cloud storage is often managed by semi-trusted service providers, which raises serious data privacy issues.
[0003] In practical applications, especially in cross-institutional collaboration scenarios (such as medical data sharing and enterprise collaborative work), it is necessary to control not only "who can read the data," but also "who can send the data" and "when the data can be sent." For example, in cross-institutional clinical research, medical staff can only share collected medical data with associated researchers during designated trial phases (e.g., October 1 to October 31, 2025). This time-sensitive data sharing scenario requires: fine-grained write control to prevent malicious senders from leaking sensitive data; time constraints to ensure senders can only send data within authorized time windows; and efficient edge node cleanup to block illegal data flows.
[0004] Attribute-Based Encryption (ABE) is an encryption technology that supports fine-grained access control and is widely used for data protection in cloud storage. ABE is mainly divided into two categories: Key Policy ABE (KP-ABE) and Ciphertext Policy ABE (CP-ABE). The former embeds the access structure in the decryption key, while the latter embeds the access structure in the ciphertext.
[0005] Traditional ABE schemes primarily focus on "read control," ensuring that only authorized users who meet the policy requirements can decrypt data through access structures. To enhance access flexibility in dynamic environments, researchers have proposed various ABE variants, including revocable ABE that supports user reversal and puncturable ABE that enables fine-grained reversal. However, these schemes are still essentially "receiver-centric," assuming that the sender will honestly perform the encryption process. They cannot prevent malicious senders from deliberately encrypting and uploading data beyond their authorized scope or time window, leading to policy violations and privacy breaches.
[0006] Existing CP-ABE technology can achieve access control for encrypted data in cloud storage, involving entities such as trusted authorization authorities, cloud servers, senders, and receivers; however, using CP-ABE technology to implement data flow control in a cloud-edge computing environment has the following key drawbacks:
[0007] 1) Lack of sender-side write control: The CP-ABE scheme is entirely "receiver-centric," focusing only on who can decrypt data (read control) and not on who can generate valid ciphertext (write control). Any entity that obtains the public key can generate ciphertext for any access policy, making it impossible to verify whether the sender has permission to send data to a specific recipient. This allows malicious or compromised senders to arbitrarily encrypt sensitive data and distribute it to unauthorized recipients, leading to data leaks and policy violations. In application scenarios requiring strict control over data flow (such as internal enterprise document sharing and medical data sharing), this deficiency can result in serious security vulnerabilities.
[0008] 2) Lack of Time-Constrained Sending Mechanism: The CP-ABE solution does not support time-constrained encryption permissions for senders. Once a sender obtains encryption capabilities, these capabilities are permanently valid. It cannot restrict senders to generating ciphertext only within specific time periods, nor can it prevent expired or departed senders from continuing to encrypt and upload data. In time-sensitive data sharing scenarios, such as clinical trial data only allowing sharing by researchers during the trial, project documents only allowing uploads by team members within the project cycle, and temporary collaborators only allowing data submission within the collaboration period, CP-ABE's inability to provide time-granular sending permission control leads to the potential misuse of expired credentials and the possibility of departed personnel leaking sensitive information, increasing the risk of data breaches and compliance issues.
[0009] 3) Lack of ciphertext verification at edge nodes: Once ciphertext is generated in CP-ABE, no intermediate node (such as an edge node) can verify its legitimacy and source credibility without decryption. Edge nodes cannot determine whether ciphertext was generated within the valid scope by an authorized sender; they can only passively store and forward all ciphertext. This prevents edge nodes from acting as security gateways to filter illegal data streams and from detecting and intercepting expired or forged ciphertext to prevent data leakage by malicious senders. Summary of the Invention
[0010] To address the shortcomings of existing CP-ABE technologies, this invention proposes a time-constrained, controllable data flow method in a cloud-edge environment to meet the requirements for secure and controllable data flow in such environments.
[0011] The specific steps are as follows:
[0012] Step 1: Establish a communication scenario that includes the sending authorization agency, the receiving authorization agency, the sending party, edge nodes, cloud servers, and the receiving party;
[0013] The receiving authorized agency is responsible for initializing the system's public parameters, generating its master public key and master private key, and issuing decryption keys to recipients within the domain.
[0014] The authorizing authority of the sender uses public parameters to generate its master public key and master private key, and issues encryption keys to senders within the domain.
[0015] The sender obtains its time-limited encryption key from its authorized agency and transmits the original ciphertext to the edge node. The edge node cleans up all the original ciphertext and determines whether the sender is allowed to transmit data to the recipient specified in the ciphertext and whether the data has expired within the current time period. If so, the edge node transmits the re-randomized ciphertext to the recipient; otherwise, it discards the original ciphertext.
[0016] The receiver obtains the cleaned ciphertext from the edge node and decrypts it using its decryption key. If the set of attributes in the decryption key satisfies the access policy in the cleaned ciphertext, the receiver can recover the plaintext data.
[0017] The cloud server provides ample storage space for cleaned ciphertext from edge nodes and sends frequently accessed ciphertext to edge nodes for caching.
[0018] Step 2: Specify security parameters The receiving authorized agency runs the global initialization algorithm. Output common parameters .
[0019] Common parameters Choose the asymmetric bilinear group to describe ,in It is a bilinear mapping. and The prime order is respectively Cyclic group and Generators in.
[0020] Step 3: The receiving authorized agency runs the initialization algorithm. Input common parameters Output the domain public key of the authorized agency of the recipient. and domain private key .
[0021] Domain public key , ;
[0022] Domain private key , ;
[0023] To randomly select parameters, This is a hash function.
[0024] Represents the prime number of the module Integer field; This represents a bilinear pairing, used to group elements. and Mapping to cyclic group An element on;
[0025] Step 4: The sending authorized agency uses public parameters domain public key of the recipient's authorized agency Run the initialization algorithm Output the domain public key of the sending authority. and domain private key ;
[0026] First, define the time tolerance threshold between encryption and sanitization timestamps. .
[0027] Then, run Generate signature key and verification key pair ;
[0028] in Representing groups respectively The maximum number of elements that can be processed in a given time.
[0029] Specifically, parameters are selected randomly. Output the signature key and verification key ;
[0030] ;
[0031] .
[0032] Next, the non-interactive zero-knowledge proof system initialization algorithm is run. Generate public reference string .
[0033] For the relationship The defined language.
[0034] Finally, the sending authority outputs the domain public key. and retain the domain private key .
[0035] Step 5: For each sender, the sender's authorizing authority assigns it an access structure. and an effective time interval By running the algorithm Generate encryption key .
[0036] in Encoded as Integers in the range.
[0037] Specifically:
[0038] First, given the access structure And define its effective payload as .
[0039] Indicates the access structure corresponding to OK Column matrix; It is a mapping function that maps a matrix. The A row is mapped to a property; Represents attributes The attribute name; Represents attributes The attribute value;
[0040] Then, set the random parameters. and vectors and set Compute aggregate access structure ;
[0041]
[0042] For each ,make ; ,as well as . It is the access structure number The corresponding secret shared component is used to store the secret value. Bind to the rows of the access matrix; Used to transfer attributes With secret value and Bind to the group element;
[0043] Next, construct the message vector. .right The elements within are classified according to their bilinear group: Let [element name missing] for Belongs to the group The elements, namely , ;remember for Belongs to the group The elements, namely Then, based on the time interval Running the structure-preserving signature algorithm Randomly select parameters Output signature .
[0044] Finally, the encryption key is transmitted through a secure channel. Returned to the sender.
[0045] Step Six: For each recipient, the recipient's authorizing body assigns a set of attributes. And run the decryption key generation algorithm. Generate the corresponding decryption key .
[0046] Specifically, attribute set Each attribute Includes name Sum ,Right now and define the payload. .
[0047] The key generation algorithm randomly selects parameters. Then calculate and At the same time, for each attribute ,calculate and .
[0048] Finally, the decryption key is transmitted through a secure channel. Return it to the recipient.
[0049] Step 7: Given plaintext data and encrypted timestamps The sender runs the encryption algorithm Output the original ciphertext To the edge node;
[0050] Specifically, first, given a plaintext message and aggregate access structure Random selection , And calculate the original ciphertext.
[0051] The ciphertext components are as follows: , , , , ; , ,as well as , , .
[0052] Then, set the parameters according to the effective time window. ;composition ;
[0053] Among them, random numbers .
[0054] Then, calculate the sub-relations separately. and The combination is a complex relationship. ;
[0055] , and construct a relation Zero-knowledge proofs. This represents the verification key for the signature scheme.
[0056] , The sender proves the relationship. It is valid if and only if the following conditions are met: .in, and These are the start and end times of the system's lifecycle, respectively.
[0057] Based on non-interactive zero-knowledge proofs The combined construction method allows the sender to send the original ciphertext. Securely transmitted to edge nodes. For public reference strings; For public statements that need to be proven; It is private evidence held by the witness.
[0058] Step 8: Running the algorithm at the edge nodes For each received original ciphertext The purified ciphertext was then processed. It is passed to the cloud server.
[0059] To clean up the timestamp, the edge nodes determine if the original ciphertext... Legal, output the purified ciphertext Otherwise, output the cutoff character. .
[0060] The specific process is as follows:
[0061] First, check the timestamp when the ciphertext was generated. Does it meet the requirements?
[0062] It is the time tolerance threshold set by the authorizing agency of the sender.
[0063] If the conditions are met, then further verify the proof related to the time range. The validity of the condition; that is, whether the condition is met: If so, output and discard Otherwise, output the ciphertext. .
[0064] Purified ciphertext .
[0065] ,in Randomly select parameters,
[0066] ,
[0067] , .
[0068] Step 9: Run the decryption algorithm on the cloud server. Enter the decryption key and the purified ciphertext Output message or .
[0069] If the decryption key Attribute collection in Satisfy ciphertext If the associated access structure is available, the receiver can correctly recover the plaintext.
[0070] Specifically, given a private key and purification cipher The decryption algorithm first checks whether a subset of attributes exists. , making Able to match the effective load in the access structure If no subset satisfies the condition, return 0. Otherwise, the algorithm searches for a set of constants. , making And using this subset, perform the following bilinear pairing computation to reconstruct the message:
[0071] .
[0072] If the current subset cannot correctly recover the plaintext, try other matching subsets and repeat the calculation. If all possible subsets fail to decrypt, return [the previous value]. The final output is a plaintext message. .
[0073] The advantages of this invention are:
[0074] 1) Implemented fine-grained write control functionality that supports time constraints.
[0075] This invention implements dual constraints on the sender's encryption permissions by issuing encryption keys that bind access structures and time intervals. Only senders holding legitimate encryption keys can generate verifiable ciphertext, and only within authorized time windows can they generate valid ciphertext. Edge nodes can verify and reject ciphertext generated by unauthorized senders or outside authorized time intervals. This fundamentally solves the problem in traditional CP-ABE schemes where anyone can generate ciphertext with permanently valid encryption capabilities. It enables the system to control data flow at the source, preventing malicious or compromised senders from leaking data to unauthorized receivers, while effectively preventing expired or resigned personnel from uploading data, thus meeting the security requirements of time-sensitive data sharing scenarios.
[0076] 2) Implemented efficient time-aware purification verification function for edge nodes.
[0077] This invention enables edge nodes to verify the legitimacy of ciphertext, compliance with access control policies, and validity of encryption time in a single step using a combined zero-knowledge proof system, without possessing the secret key or decrypting the ciphertext. Compared to existing solutions that require individual verification of each attribute, this invention achieves overall verification of the access structure and time interval by maintaining the signature through a tag-based structure, significantly reducing verification overhead. Edge nodes can act as security gateways, efficiently filtering illegal data streams, automatically intercepting ciphertexts that do not meet requirements, and forwarding legitimate ciphertexts after re-randomization. This solves the problem in traditional CP-ABE schemes where edge nodes can only passively forward all ciphertexts and cannot perform security audits, significantly improving the system's security protection capabilities and data flow control efficiency. Attached Figure Description
[0078] Figure 1 This is a flowchart of a time-constrained, controllable data flow method for cloud-edge environments according to the present invention.
[0079] Figure 2 This is a schematic diagram of a communication scenario built according to the present invention, including a sending authorization agency, a receiving authorization agency, a sending party, an edge node, a cloud server, and a receiving party. Detailed Implementation
[0080] To facilitate understanding and implementation of the present invention by those skilled in the art, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. Obviously, the described embodiments are merely some, not all, embodiments of the present invention. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort should fall within the scope of protection of the present invention.
[0081] To address the lack of sender write control and time constraints in CP-ABE, a mechanism needs to be designed so that the sender's encryption permissions are constrained not only by the access structure but also by a time interval. This mechanism should be able to jointly bind the access structure and time interval to the sender's encryption key, ensuring that the sender can only generate valid ciphertext for recipients satisfying the access structure within the authorized time window. The key technical challenges are: how to use a signature mechanism to jointly authenticate the access structure and time interval; and how to design a zero-knowledge proof system that allows the sender to prove that its encryption behavior conforms to the authorized access structure and time interval without revealing this sensitive information.
[0082] Meanwhile, to address the issue that CP-ABE cannot perform ciphertext verification at edge nodes, an efficient sanitization mechanism needs to be designed to enable edge nodes to verify the legitimacy of ciphertext without decryption. This mechanism should allow edge nodes to simultaneously verify the authorization legitimacy of the access structure and time interval, rather than verifying each attribute individually; check whether the encrypted timestamp falls within the authorized time interval; and verify whether the ciphertext was correctly generated by the sender holding a valid encryption key. The key technical challenges are: how to reduce the number of pairing operations to achieve overall verification of the access structure and time interval; and how to verify the validity of the timestamp without revealing the specific value of the time interval.
[0083] To address the above problems, this invention proposes a time-constrained, secure, and controllable data flow method in a cloud-edge computing environment, such as... Figure 1 As shown, the specific steps are as follows:
[0084] Step 1: Establish a communication scenario that includes the sending authorization agency, the receiving authorization agency, the sending party, edge nodes, cloud servers, and the receiving party;
[0085] All network communication between the sender and the cloud server is controlled by the purifier, and data access is controlled by the sender's access control policy.
[0086] like Figure 2 As shown, the authorized institution of the receiving party is responsible for initializing the system's public parameters, generating its master public key and master private key, and issuing decryption keys to data recipients within the domain. This institution is assumed to be completely trustworthy and cannot be compromised or collude with other entities.
[0087] The sending authority generates its master public and private keys using public parameters and issues encryption keys to senders within the domain. To ensure the effectiveness of the time constraint mechanism, the sending authority is equipped with a dedicated time server to maintain global clock synchronization and provide a reliable time reference for the system. The sending authority is also assumed to be completely trustworthy.
[0088] The sender obtains a time-limited encryption key from its authorized agency to encrypt shared data and transmits the original ciphertext to the edge node. The sender does not share the encryption key with others, but may intentionally disclose sensitive information to unauthorized recipients.
[0089] Edge nodes cleanse all original ciphertext sent by the sender and determine whether the sender is authorized to transmit data to the recipient specified in the ciphertext and whether the data has not expired within the current time period. If so, the edge node delivers the re-randomized ciphertext to the recipient; otherwise, it discards the original ciphertext. Edge nodes are considered semi-trusted entities; they honestly perform ciphertext cleansing operations and do not collude with other entities, but may be interested in transmitted sensitive information. The integrity of their timestamps is guaranteed by the signature of a trusted time server.
[0090] Cloud servers provide ample storage for sanitized ciphertext from edge nodes and send frequently accessed ciphertext to edge nodes for caching to enable fast access. Cloud servers are considered semi-trusted entities; they correctly store ciphertext according to the protocol but may become curious about the content of the stored encrypted data.
[0091] The receiver obtains the cleaned ciphertext from the edge node and decrypts it using its decryption key. If the set of attributes in the decryption key satisfies the access policy in the cleaned ciphertext, the receiver can recover the plaintext data. The receiver does not share the decryption key with others, but may attempt to recover unauthorized sensitive data.
[0092] Step 2: Specify security parameters The receiving authorized agency runs the global initialization algorithm. Output common parameters .
[0093] Given security parameters The receiving party's authorized agency operates To initialize the system's common parameters, choose an asymmetric bilinear group description. ,in It is a bilinear mapping. and The prime order is respectively Cyclic group and The generators in the dataset. Finally, the common parameters are output. .
[0094] Step 3: The receiving authorized agency runs the initialization algorithm. Input common parameters Output the domain public key of the authorized agency of the recipient. and domain private key .
[0095] Random selection and select a hash function. .
[0096] The system master private key is set to The master public key is Then, publish the domain public key. And retain the domain private key .
[0097] Represents the prime number of the module Integer field; This represents a bilinear pairing, used to group elements. and Mapping to cyclic group An element on;
[0098] Step 4: The sending authorization agency runs the initialization algorithm. Input common parameters domain public key of the recipient's authorized agency Output the domain public key of the sending authority. and domain private key ;
[0099] in Includes time tolerance threshold between encryption and sanitization operations .
[0100] First, define the time tolerance threshold between encryption and decryption timestamps within the system. .
[0101] Then, run Generate signature key and verification key pair ,in Representing groups respectively The maximum number of elements that can be processed in a given time.
[0102] Specifically, random selection Output the signature key and verification key Then, let's assume... For the relationship Defined language, running the initialization algorithm of a non-interactive zero-knowledge proof system. Generate public reference string .
[0103] Finally, the sending authority outputs the domain public key. and retain the domain private key .
[0104] Step 5: For each sender, the sender's authorizing authority assigns it an access structure. and an effective time interval By running the algorithm Generate encryption key .
[0105] in Encoded as Integers in the range.
[0106] Encryption key generation algorithm ,enter Access structure and time interval Output encryption key .
[0107] Specifically, for a given access structure Each attribute Represented as name Sum The combination
[0108] Right now And define its effective payload as Random selection and vectors and set .
[0109] Then calculate sequentially: for each ,make Simultaneous calculation ,as well as .
[0110] The final output aggregate access structure Then, construct the message vector. , And based on time interval Running the structure-preserving signature algorithm Random selection and output signature Finally, the encryption key is transmitted through a secure channel. Returned to the sender.
[0111] Step Six: For each recipient, the recipient's authorizing body assigns a set of attributes. and run the algorithm Generate the corresponding decryption key .
[0112] Decryption key generation algorithm Input and attribute set Output the decryption key .
[0113] Specifically, given the master key and attribute set Each attribute Includes name Sum ,Right now and define the payload. .
[0114] The key generation algorithm is randomly selected. Then calculate and At the same time, for each attribute ,calculate and .
[0115] Finally, the decryption key is transmitted through a secure channel. Return it to the recipient.
[0116] Step 7: Given plaintext data The sender runs the encryption algorithm Enter the encryption key. Encrypted timestamps and messages Output the original ciphertext .
[0117] Specifically, first, the encryption key is parsed. ,in Indicates a time window.
[0118] Given plaintext message and aggregate access structure Random selection , And calculate the ciphertext components in sequence: Set For each calculate Simultaneously calculate , , In the second part, calculations are performed. For each calculate ,as well as , , The final output is the original ciphertext. .
[0119] In order to commit to a valid time window, the sender... and Generate Pedersen commitments: , where random number .
[0120] make ,set up For statements,
[0121] To witness, and to define the following basic equation
[0122]
[0123] Then, the sender has the following relationship. Computational non-interactive zero-knowledge proofs . , Time-sharing refers to the start and end times of a system's lifecycle.
[0124]
[0125] More specifically, the proof This is achieved through the following components:
[0126] • Encryption Key and Ciphertext Verification: First, the sender provides a Sigma protocol and converts it into a non-interactive form using the Fiat-Shamir transformation to prove that it has knowledge of the aggregate structure. and time interval Valid SPS signature and use and secret value Ciphertext obtained through encryption The correctness of the statement.
[0127] Let the statement be ,witness and construct a relation Zero-knowledge proofs if and only if The equation in the equation holds true.
[0128] • Time range verification: Secondly, due to timestamps Since it is publicly available information, the sender further utilizes Bulletproof range proofs to demonstrate the promised time value. and satisfy without leaking and The specific value.
[0129] Let the statement be Witness as The sender proves the relationship. It is valid if and only if the following conditions are met:
[0130]
[0131] In other words, the Sigma protocol is used to construct proofs to verify signature validity and ciphertext correctness, while range proofs are used to ensure the timeliness of encryption. Based on the combinatorial construction method of non-interactive zero-knowledge proofs, the two sub-relations are... and The combination is a complex relationship. It is possible to construct proofs that satisfy correctness, reliability, knowledge extractability, and zero-knowledge property. .
[0132] Finally, the sender will send the original ciphertext. Securely transmit to edge nodes.
[0133] Step 8: For each received original ciphertext Edge node running algorithm Purification treatment is carried out.
[0134] Cleanup Algorithm Enter the original ciphertext. and purification timestamp ,like Legal, output the purified ciphertext Otherwise output .
[0135] First, check the timestamp when the ciphertext was generated. Does it meet the requirements? ,in It is the timestamp of the purification process. It is the time tolerance threshold set by the authorizing agency of the sender.
[0136] If the conditions are met, then further verify the proof related to the time range. The validity. If Then output and discard Otherwise, output the ciphertext. .
[0137] Specifically, given the original ciphertext The purification algorithm first randomly selects... The purified ciphertext components are calculated as follows: [Settings] For each ,calculate
[0138] ,
[0139] Simultaneously calculate:
[0140] , .
[0141] The final output is the purified ciphertext. Finally, if The edge nodes will clean up the ciphertext. It is passed to the cloud server.
[0142] Step 9: Decryption Algorithm Enter the decryption key. and the purified ciphertext Output message or .
[0143] For the purified ciphertext received from the cloud server The receiver runs the algorithm Perform decryption. If the decryption key... Attribute collection in Satisfy ciphertext If the associated access structure is available, the receiver can correctly recover the plaintext.
[0144] Specifically, given a private key and purification cipher The decryption algorithm first checks whether a subset of attributes exists. , making Able to match the effective load in the access structure If no subset satisfies the condition, return 0. Otherwise, the algorithm searches for a set of constants. , making And using this subset, perform the following bilinear pairing computation to reconstruct the message:
[0145] .
[0146] If the current subset cannot correctly recover the plaintext, try other matching subsets and repeat the calculation. If all possible subsets fail to decrypt, return [the previous value]. The final output is a plaintext message. .
[0147] This application proposes a mechanism for jointly binding a time interval and access structure to the sender's encryption key, and a time-aware sanitization verification method for edge nodes based on this mechanism. Specifically, this invention protects the use of tag-based structure-preserving signature technology to jointly sign the access structure and time interval output by a sanitizable attribute-based encryption scheme, generating an encryption key that simultaneously contains access control policies and time constraints. This achieves a time-aware access control policy, meaning that the sender is only authorized to transmit data when the receiver's attributes satisfy the access structure and the encryption time falls within the authorized time interval. Simultaneously, this method protects a design method for a combined zero-knowledge proof system, which combines the Sigma protocol based on the Fiat-Shamir heuristic transformation with Bulletproof range proofs. The former is used to prove the validity of the tag-based structure-preserving signature and the well-formedness of the ciphertext, while the latter is used to prove that the encrypted timestamp falls within the authorized interval. By using Pedersen commitments to hide the specific start and end times of the time interval, edge nodes can simultaneously confirm in a single verification that the ciphertext was generated by an authorized sender holding a valid encryption key, that the ciphertext complies with access control policy requirements, and that the encryption time is within the authorized interval, without needing to know sensitive time interval information and access policy details. This achieves efficient time-aware sanitization verification for privacy protection.
Claims
1. A method for time-constrained, secure, and controllable data flow in a cloud-edge environment, characterized in that, The specific steps are as follows: Step 1: Establish a communication scenario that includes the sending authorization agency, the receiving authorization agency, the sending party, edge nodes, cloud servers, and the receiving party; Step 2: Specify safety parameters The receiving authorized agency runs the global initialization algorithm. Output common parameters ; Common parameters Choose the asymmetric bilinear group to describe ,in It is a bilinear mapping. and The prime order is respectively Cyclic group and Generators in; Step 3: The receiving authorized agency runs the initialization algorithm. Input common parameters Output the domain public key of the authorized agency of the recipient. and domain private key ; Step 4: The sending authorized agency uses public parameters domain public key of the recipient's authorized agency Run the initialization algorithm Output the domain public key of the sending authority. and domain private key ; Step 5: For each sender, the sender's authorizing authority assigns it an access structure. and an effective time interval By running the algorithm Generate encryption key ; in Encoded as Integers in the encryption key , It is an aggregate access structure; For time interval The running structure preserves the signature obtained by the signature algorithm; Step Six: For each recipient, the recipient's authorizing body assigns a set of attributes. And run the decryption key generation algorithm. Generate the corresponding decryption key ; Step 7: Given plaintext data and encrypted timestamps The sender runs the encryption algorithm Output the original ciphertext To the edge node; Specifically, first, given a plaintext message and aggregate access structure Random selection , And calculate the original ciphertext. ; Then, set the parameters according to the effective time window. ;in Random numbers ; Next, calculate the composite relation. ,in and They are sub-relationships; , and construct a relation Zero-knowledge proof; Represents the verification key for the signature scheme; , The sender proves the relationship. It is valid if and only if the following conditions are met: in, and These are the start and end times of the system's lifecycle, respectively. Based on non-interactive zero-knowledge proofs The combined construction method allows the sender to send the original ciphertext. Securely transmit to edge nodes; For public reference strings; For public statements that need to be proven; It is private evidence held by the witness; Step 8: Running the algorithm at the edge nodes For each received original ciphertext The purified ciphertext was then processed. Passed to the cloud server; To clean up the timestamp, the edge nodes determine if the original ciphertext... Legal, output the purified ciphertext Otherwise, output the cutoff symbol. ; Step 9: Run the decryption algorithm on the cloud server. Enter the decryption key and the purified ciphertext Output message or ; If the decryption key Attribute collection in Satisfy ciphertext If the associated access structure is available, the receiver can correctly recover the plaintext.
2. The method as described in claim 1, characterized in that, In step one, the authorized agency of the receiving party is responsible for initializing the system's public parameters, generating its master public key and master private key, and issuing decryption keys to the receiving parties within the domain. The sending authority uses public parameters to generate its master public key and master private key, and issues encryption keys to senders within the domain. The sender obtains its time-limited encryption key from the sender's authorized agency and transmits the original ciphertext to the edge node; the edge node cleans up all the original ciphertext and determines whether the sender is allowed to transmit data to the recipient specified in the ciphertext and whether it has expired within the current time period. If so, the edge node will transmit the rerandomized ciphertext to the receiver; otherwise, the original ciphertext will be discarded. The receiver obtains the cleaned ciphertext from the edge node and uses its decryption key to decrypt the ciphertext; If the set of attributes in the decryption key satisfies the access policy in the cleansed ciphertext, the receiver can recover the plaintext data; The cloud server provides ample storage space for cleaned ciphertext from edge nodes and sends frequently accessed ciphertext to edge nodes for caching.
3. The method as described in claim 1, characterized in that, In step three Domain public key , ; Domain private key , ; To randomly select parameters, For hash functions; Represents the prime number of the module Integer field; This represents a bilinear pairing, used to group elements. and Mapping to cyclic group An element on.
4. The method as described in claim 1, characterized in that, In step four: First, define the time tolerance threshold between encryption and sanitization timestamps. ; Then, run Generate signature key and verification key pair ; in Representing groups respectively The maximum number of elements that can be processed in the medium; Specifically, parameters are selected randomly. Output the signature key and verification key ; ; ; Next, the non-interactive zero-knowledge proof system initialization algorithm is run. Generate public reference string ; For the relationship Defined language; Finally, the sending authority outputs the domain public key. and retain the domain private key .
5. The method as described in claim 4, characterized in that, Step five specifically involves: Given access structure And define its effective payload as ; Indicates the access structure corresponding to OK Column matrix; It is a mapping function that maps a matrix. The A row is mapped to a property; Representing attributes The attribute name; Represents attributes The attribute value; Representation matrix The OK; Then, set the random parameters. and vectors and set Compute aggregate access structure ; For each ,make ; ,as well as ; It is the access structure number The corresponding secret shared component is used to store the secret value. Bind to the rows of the access matrix; Used to set attributes With secret value and Bind to the group element; Next, construct the message vector. ;right The elements within are classified according to their bilinear group: Let [element name missing] for Belongs to the group The elements, namely , ;remember for Belongs to the group The elements, namely ; Based on time interval Running the signature algorithm Randomly select parameters Output signature ; Finally, the encryption key is transmitted through a secure channel. Returned to the sender.
6. The method as described in claim 3, characterized in that, Step six specifically involves: Attribute Collection Each attribute Includes name Sum ,Right now and define the payload. ; The key generation algorithm randomly selects parameters. Then calculate and At the same time, for each attribute ,calculate and ; Finally, the decryption key is transmitted through a secure channel. Return it to the recipient.
7. The method as described in claim 5, characterized in that, In step seven, each ciphertext component is: , , , , ; , ,as well as , , .
8. The method as described in claim 7, characterized in that, The specific process of step eight is as follows: First, check the timestamp when the ciphertext was generated. Does it meet the requirements? If the conditions are met, then further verify the proof related to the time range. The validity of the condition; that is, whether the condition is met: If so, output and discard ; Otherwise, output ciphertext. ; Purified ciphertext , ,in Randomly select parameters, , , 。 9. The method as described in claim 6, characterized in that, The specific process of step nine is as follows: Given a private key and purification cipher The decryption algorithm first checks whether a subset of attributes exists. This makes the attribute set effective payload Able to match the effective load in the access structure ; If no subset satisfies the condition, return 0. ; Otherwise, find a set of constants , making And using this subset, perform the following bilinear pairing computation to reconstruct the message: ; If the current subset cannot correctly recover the plaintext, try other matching subsets and repeat the calculation; if all possible subsets fail to decrypt, return. Finally, plaintext messages are output. .