A public key searchable encryption method and system against internal keyword guessing attacks
By introducing a binding design between the retrieval random value K and the keyword in the public-key searchable encryption scheme, and combining it with bilinear pairing operations, the contradiction between lightweight design and attack resistance and retrieval efficiency in existing schemes is resolved, and secure and efficient retrieval without the sender's key is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NANJING UNIV OF POSTS & TELECOMM
- Filing Date
- 2026-05-26
- Publication Date
- 2026-07-03
AI Technical Summary
Existing public-key searchable encryption schemes struggle to balance lightweight design with resistance to internal key guessing attacks, and also suffer from heavy key management burdens and low cloud retrieval efficiency.
In the encryption phase, a random value K is introduced and bound together with the keyword to be encrypted to generate keyword ciphertext. This ciphertext is then securely encapsulated in the ciphertext through bilinear pairing operations. Only the receiver can decapsulate and restore the random value to generate a trapdoor, thus blocking internal attack paths. The system consists of a sender, a receiver, and a cloud server, and does not require the sender's key.
It effectively resists internal keyword guessing attacks without increasing computational complexity, simplifies key management, reduces deployment and maintenance costs, improves cloud retrieval efficiency, and is suitable for large-scale, high-concurrency scenarios.
Smart Images

Figure CN122339840A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of information security and cloud storage data privacy protection, specifically to a public-key searchable encryption method and system that resists internal keyword guessing attacks. Background Technology
[0002] With the widespread adoption of cloud computing and cloud storage technologies, the low cost, high elasticity, and easy sharing characteristics of outsourced data storage have made it the mainstream data hosting model in fields such as government affairs, finance, healthcare, and the Internet of Things. To prevent data leakage in the cloud, data owners typically encrypt sensitive information before uploading it. This leads to the inherent contradiction that encrypted data cannot be retrieved: if users need to retrieve target data, they must download all the encrypted data to their local machine, decrypt it, and then perform the search operation, resulting in serious waste of network bandwidth and increased computing pressure on the terminal, making it difficult to adapt to large-scale, high-concurrency, and lightweight real-world application scenarios.
[0003] Boneh et al. first proposed the Searchable Public-Key Encryption (PEKS) method in 2004. PEKS allows the data sender to encrypt a keyword using the recipient's public key to generate keyword ciphertext. The data recipient then uses their private key to generate a keyword trapdoor and submits it to a cloud server. The cloud performs matching and verification between the ciphertext and the trapdoor, achieving accurate ciphertext retrieval without decryption, effectively balancing data privacy and usability requirements. However, after long-term development, existing searchable encryption schemes still have many security and structural flaws in balancing security and practicality, mainly in the following aspects:
[0004] 1. Lightweight design and resistance to internal attacks cannot be simultaneously achieved, leaving a gap in core technologies.
[0005] Traditional PEKS schemes maintain a lightweight architecture where only the recipient holds the key. However, the key space is typically a finite set. Malicious cloud services can use the recipient's public key to offline enumerate all possible keywords, forge candidate keyword ciphertext, and compare it with a search trapdoor to carry out an efficient internal keyword guessing attack, directly leaking user search privacy. While the subsequently proposed Public Key Authentication Searchable Encryption (PAEKS) scheme can effectively resist internal keyword guessing attacks (IKGA), it comes at the cost of introducing the sender's public and private keys and sacrificing lightweight architecture. Currently, the industry has not yet formed a unified technical approach: to resist internal keyword guessing attacks from the cryptographic level without relying on any sender key and while maintaining a lightweight architecture. This is a key technological gap in the field of public key searchable encryption.
[0006] 2. The sender's key management burden is too heavy, and the scalability in multi-user scenarios is poor.
[0007] To defend against internal keyword guessing attacks, mainstream improvement schemes generally adopt public-key authenticated searchable encryption structures, mandating that the data sender use its own private key for signature authentication during the encryption phase, and the receiver must also rely on the sender's public key when generating a trapdoor. While such schemes improve security, they introduce heavy key management overhead: the system needs to independently generate, distribute, maintain, and revoke public-private key pairs and digital certificates for each data sender. Key complexity increases almost linearly with the number of users, losing the lightweight advantage of traditional PEKS where only the receiver needs to hold the key, making it difficult to deploy in IoT and mobile internet scenarios where terminal resources are limited.
[0008] 3. Cloud-based retrieval efficiency has bottlenecks, making it difficult to support large-scale encrypted text retrieval.
[0009] Existing PEKS improvement schemes with attack resistance capabilities, such as PAEKS, generally require two or more bilinear pairing operations during cloud matching testing. Bilinear pairing is the most computationally expensive basic operation in public-key cryptography. In scenarios involving high-concurrency retrieval of massive amounts of ciphertext, multiple bilinear pairing operations significantly increase cloud computing latency, reduce retrieval response speed, and fail to meet real-time retrieval requirements.
[0010] In view of this, this invention proposes a public-key searchable encryption method resistant to internal keyword guessing attacks. The method changes the design architecture of traditional PEKS schemes and creatively introduces the concepts of retrieving random values and retrieving encapsulated ciphertext. A retrieval random value K is introduced during the keyword encryption stage. This parameter is bound together with the keyword to be encrypted to generate the keyword ciphertext. Simultaneously, the retrieval random value is securely encapsulated in the retrieval encapsulated ciphertext through bilinear pairing operations. During the retrieval stage, the receiver must first use its own private key to recover the retrieval random value K from the retrieval encapsulated ciphertext in order to generate a valid retrieval trapdoor. Because a malicious server does not possess the receiver's private key, it cannot recover the retrieval random value and therefore cannot offline enumerate keywords to forge legitimate ciphertext. Thus, while maintaining the lightweight architecture of traditional PEKS where only the receiver holds the key, it effectively resists internal keyword guessing attacks.
[0011] Regarding existing technologies for resisting internal key guessing attacks in the field of public-key searchable encryption, there are currently patents CN114884700B "Searchable Public-Key Encryption Batch Processing Method and System Resistant to Keyword Guessing Attacks" and CN114928440A "Authentication Searchable Encryption Method and System Based on SM9". The technical differences between this invention and these two patents are as follows:
[0012] 1. Technical comparison between this application and Chinese Patent CN114884700B "Searchable Public Key Encryption Batch Processing Method and System Resistant to Keyword Guessing Attacks":
[0013] (1) CN114884700B belongs to the trusted sender mode, which requires the receiver to distribute a group private key to each sender. The sender must hold the group private key to generate valid ciphertext. In contrast, this application does not require the sender to configure any key. The sender only needs to know the receiver's public key to encrypt. It achieves the same anti-attack capability through the joint binding mechanism of the retrieved random value K and the key. The sender's key management burden is zero. The two applications have fundamental differences in key management architecture.
[0014] (2) CN114884700B requires maintaining group relationships and key distribution processes, resulting in a complex system architecture. In contrast, this application generates public and private key pairs independently by the recipient, and the system consists of only three parties: the sender, the recipient, and the cloud server. Furthermore, for each encrypted keyword to be matched, cloud matching only requires one bilinear pairing operation, resulting in better retrieval efficiency.
[0015] 2. Technical comparison between this application and Chinese Patent CN114928440A "Authentication Searchable Encryption Method and System Based on SM9":
[0016] (1) CN114928440A belongs to Authentication Searchable Encryption (PAEKS), which requires the public and private keys of both the sender and receiver to participate in the generation of the index and trapdoor. This application, however, belongs to the PEKS category. The sender does not need any public / private key pair; it only needs to know the receiver's public key to encrypt. This application, through the binding design of the retrieved encapsulated ciphertext and the retrieved random value K, ensures that trapdoor generation depends on K recovered from the retrieved encapsulated ciphertext, thus achieving resistance to internal keyword guessing attacks without relying on the sender's key. The two applications differ fundamentally in their key management architecture and anti-attack mechanisms.
[0017] (2) CN114928440A is based on the SM9 identifier cryptosystem and requires the deployment of a key generation center to generate and distribute private keys for system users. However, this application is based on bilinear mapping, and the public and private key pairs are generated independently by the recipient without the participation of any third-party key generation center. The system architecture is simpler and the deployment cost is lower. Moreover, for each ciphertext of the keyword to be matched, cloud matching only requires one bilinear pairing operation, resulting in better retrieval efficiency.
[0018] While domestic research has made some progress in areas such as encrypted retrieval efficiency, multi-keyword retrieval, and attribute encryption, there are still significant shortcomings in achieving the core objective of resisting internal keyword guessing attacks without the sender's key involvement. This invention, based on bilinear mapping, allows the data receiver to independently generate public-private key pairs without the need for any third-party key generation center. By using a joint binding mechanism between a random value K and the keyword, it blocks internal keyword guessing attacks at the cryptographic primitive level, providing a new technical path for lightweight and secure deployment of PEKS.
[0019] Therefore, designing a public-key searchable encryption scheme that does not require the sender's key, can resist internal keyword guessing attacks, and requires only one bilinear pairing in the cloud can resolve the contradiction between security, lightweight and efficiency in existing schemes, and has important theoretical research value and practical application significance. Summary of the Invention
[0020] To address the problems of heavy sender key management burden, low cloud retrieval efficiency, and difficulty in balancing resistance to internal keyword guessing attacks and lightweight design in existing public-key searchable encryption schemes, this invention provides a public-key searchable encryption method and system that resists internal keyword guessing attacks, thereby fully resolving the problems existing in the aforementioned background technology.
[0021] The core design concept of this invention lies in introducing a random retrieval value K during the encryption phase. A hash function is used to jointly map the random retrieval value K and the keyword kw to be encrypted into a group element, establishing a strong binding relationship between this group element and the keyword. This is then used to generate the keyword ciphertext. Simultaneously, the random retrieval value K is encapsulated in the retrieval encapsulation ciphertext through bilinear pairing operations, forming a secure encapsulation that only a legitimate recipient can decrypt. During the retrieval phase, the data recipient must first recover the random retrieval value K from the retrieval encapsulation ciphertext using their own private key to generate a valid retrieval trapdoor. Since a malicious cloud server does not possess the recipient's private key and cannot recover the random retrieval value K from the retrieval encapsulation ciphertext, it cannot construct a legitimate keyword-binding parameter joint mapping value through offline keyword enumeration. This effectively blocks the implementation path of internal keyword guessing attacks from a cryptographic mechanism perspective. Throughout the encryption process, the data sender only needs to know the recipient's public key and does not need to configure any independent public-private key pairs, fully preserving the lightweight key management logic of traditional public-key searchable encryption. The technical solution provided by this invention is as follows:
[0022] In a first aspect, the present invention proposes a public-key searchable encryption method resistant to internal key guessing attacks, comprising the following steps:
[0023] S1 generates system public parameters based on bilinear mapping; the data receiver generates its own public-private key pair under the system public parameters, publishes the public key, and stores the private key locally securely;
[0024] S2, the data sender obtains the system public parameters and the public key of the data receiver, generates a search random value for the keyword to be encrypted, calculates the search encapsulation ciphertext to hide the search random value, and uses the search random value and the keyword to be encrypted to generate keyword ciphertext, and uploads the keyword ciphertext, the search encapsulation ciphertext and the business data ciphertext together to the cloud server.
[0025] S3, the data receiver sends a search request to the cloud server to obtain the search encapsulated ciphertext corresponding to the ciphertext set to be searched, uses its own private key to decapsulate the search encapsulated ciphertext to recover the search random value, and generates a search trapdoor through a trapdoor generation algorithm based on the recovered search random value and the keyword to be searched, and sends the search trapdoor to the cloud server.
[0026] S4 uses bilinear pairing operations to match and verify the search trap sent by the data receiver with the encrypted keyword uploaded by the data sender. If the verification is successful, the corresponding encrypted data is returned to the data receiver.
[0027] Preferably, the system generates system common parameters based on bilinear mapping, and the process by which the data receiver generates its own public-private key pair under the system common parameters is as follows:
[0028] S11, Set the safety parameter λ, and select the multiplicative cyclic group of prime order q. and and bilinear mapping e: → , where q is greater than Large prime numbers, g is a group The generators of the bilinear mapping e satisfy bilinearity, nondegeneracy, and computability;
[0029] S12, Set the first password hash function It is used to map bit strings of arbitrary length to cyclic groups. Elements in; set the second password hash function Used to group The elements in H1 are mapped to strings of length l bits, where l is the preset bit length of the retrieved random value; in this embodiment, H1 is instantiated using the hash-to-curve standard technique defined in IETF RFC9380. Constructed based on the national cryptographic SM3 algorithm, with l taking 256 bits;
[0030] S13, the data receiver receives the integer multiplication group modulo q. Randomly select x as the private key Calculate the public key The data recipient will use the public key. Released to the public through public channels, along with the private key. Stored securely on the local machine.
[0031] At this point, the system's common parameters can be summarized into a set. This set of public parameters is available to all entities.
[0032] Preferably, the process by which the data sender generates the retrieval encapsulated ciphertext and the keyword ciphertext is as follows:
[0033] S21, the data sender obtains the system's public parameter Param and the data receiver's public key from publicly available sources. The keyword to be encrypted is determined to be kw;
[0034] S22, the data sender from A bit string K is uniformly and randomly selected from the space as the random value for this encryption retrieval, and then... A uniformly random integer r is selected as a temporary random number.
[0035] S23, Calculate and retrieve the first part of the encapsulated ciphertext. Due to the discrete logarithm problem, no adversary can derive a random number r from U;
[0036] S24, Calculate and retrieve the second part of the encapsulated ciphertext. , where ⊕ represents the XOR operation. According to the properties of bilinear mappings, Only the data recipient holding the corresponding private key x can recover the same data from U. The value is then used to recover the random value K.
[0037] S25, Calculate the ciphertext of the key. The data sender first concatenates the retrieved random value K with the key to be encrypted kw to obtain the bit string K∥kw (the symbol "∥" indicates sequential concatenation of the bit strings). Then, the first cryptographic hash function is called. Map the cascade result to a group elements in Finally, the receiver's public key is used. Calculate the key ciphertext :
[0038]
[0039] S26, The data sender will retrieve the encapsulated ciphertext. and keyword ciphertext Along with the encrypted business data using a symmetric encryption algorithm, the encrypted data was uploaded to the cloud server. The cloud server then stored the keyword ciphertext. The encrypted data is associated with the encrypted business data for subsequent retrieval.
[0040] Preferably, the process by which the data receiver unblocks and restores the retrieval random value and generates the retrieval trapdoor is as follows:
[0041] S31, when the data receiver wants to retrieve data containing a certain keyword When retrieving encrypted data, a retrieval request is first sent to the cloud server. The cloud server then encapsulates the stored retrieval data into encrypted form based on the request scope. Returned to the data receiver;
[0042] S32, the data receiver uses its own private key Perform the decapsulation operation to restore the retrieved random value:
[0043]
[0044] The basis for restoring correctness here is: This value is consistent with the value in encryption phase S24. The input is completely identical. Therefore, if the retrieval encapsulated ciphertext has not been tampered with during transmission and storage, then... It must equal the original search random value K;
[0045] S33, based on the keyword to be searched and the recovered random values The data receiver calls the first cryptographic hash function to calculate... and using its own private key Perform an exponentiation operation on it to generate a keyword trapdoor uniquely bound to this search:
[0046]
[0047] S34, the data receiver sends the generated search trap Tw to the cloud server and waits for the matching test results;
[0048] Preferably, the process of the cloud server performing a bilinear pairing test is as follows:
[0049] S41, after receiving the retrieval trapdoor Tw, the cloud server iterates through its stored list of ciphertext keywords related to the recipient. For each ciphertext keyword... Perform the following verification operation;
[0050] S42, the cloud server uses the generator g from the system's public parameters to calculate the bilinear pairing value. ;
[0051] S43, Cloud Server Verification Equation Does it hold true? If the equation holds true, it indicates the keyword used to generate the trapdoor. If the keyword 'kw' used to generate the ciphertext is completely identical, the cloud server will return the ciphertext of the business data associated with that keyword to the data recipient. If the equation does not hold true, it indicates a keyword mismatch, and the cloud server will continue to verify the next keyword ciphertext until all ciphertexts have been traversed. If all ciphertexts do not match, a search failure result will be returned to the data recipient.
[0052] Secondly, the present invention also provides a public-key searchable encryption system resistant to internal key guessing attacks, comprising the following modules:
[0053] The system parameter generation module is used to generate common system parameters based on bilinear mapping;
[0054] The data sender module is used to obtain system public parameters and data receiver public keys, generate a search random value for the keyword to be encrypted, calculate the search encapsulation ciphertext to hide the search random value, and use the search random value and the keyword to be encrypted to generate keyword ciphertext. The keyword ciphertext, search encapsulation ciphertext and business data ciphertext are uploaded to the cloud server together. The sender module does not need to be configured with any independent public and private key pairs.
[0055] The data receiver module is used to generate its own public-private key pair under the system's public parameters, publicly disclose the public key, and securely store the private key locally; it is also used to send a retrieval request to the cloud server to obtain the retrieval encapsulated ciphertext, use its own private key to recover the retrieval random value and generate a retrieval trapdoor, and send the retrieval trapdoor to the cloud server; it is also used to receive encrypted data returned by the cloud server and decrypt it to obtain the original data.
[0056] The cloud server module is used to store the encrypted business data, keyword encrypted text, and retrieval encapsulation encrypted text uploaded by the data sender, and to associate and store them with the data receiver; it receives the retrieval trap sent by the data receiver, verifies the matching between the retrieval trap and the keyword encrypted text through a preset matching algorithm, and returns the corresponding encrypted data to the data receiver when the match is successful.
[0057] Compared with the prior art, the beneficial effects achieved by the present invention are:
[0058] This invention completely eliminates the need for a sender's key. The data sender only needs to know the receiver's public key to encrypt the data. The entire encryption process requires no third-party key generation center. The system consists of only the sender, receiver, and cloud server, greatly simplifying key management logic. This effectively avoids the operational burden of certificate distribution, storage, updates, and revocation caused by the existing PAEKS solution, which forces the sender to hold the key. It significantly reduces deployment costs and system maintenance complexity in multi-user scenarios. By binding random values to keywords, trapdoor generation relies on the retrieval encapsulated ciphertext Cip in the corresponding ciphertext. Malicious servers, lacking the receiver's private key, cannot recover this parameter and therefore cannot offline enumerate keywords to forge legitimate keyword ciphertexts for comparison with the trapdoor. This effectively defends against internal keyword guessing attacks at the cryptographic primitive level, ensuring the long-term security of user retrieval privacy. Attached Figure Description
[0059] The accompanying drawings form part of this specification and are used to further illustrate the technical solutions of this invention in conjunction with specific embodiments, but are not intended to limit the scope of protection of this invention in any way. In the drawings:
[0060] Figure 1 is a schematic diagram of the module interaction of the system of the present invention;
[0061] Figure 2 is a flowchart of the module interaction of the system of the present invention;
[0062] Figure 3 is a flowchart of the algorithm of the present invention. Detailed Implementation
[0063] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0064] Example 1:
[0065] A public-key searchable encryption method resistant to internal key guessing attacks, such as... Figure 2 , 3 As shown, it includes the following steps:
[0066] S1, generate system public parameters based on bilinear mapping; the data receiver generates its own public-private key pair under the system public parameters, publishes the public key, and stores the private key locally securely.
[0067] This step is used to establish the public parameters required for system operation and the receiver's public-private key pair. The system public parameters are generated by the system initialization algorithm, and the receiver's public-private key pair is independently generated by the data receiver based on the system public parameters. Specifically:
[0068] S11, Set safety parameters The cryptographic system is required to have a security strength of 128 bits. Let... and It is a cyclic group of prime order q. Bilinear mapping e: → This mapping satisfies the following three core properties:
[0069] (1) Bilinear: for any and , satisfying e( , )= ;
[0070] (2) Non-degeneracy: exists The generator g such that yes Generators;
[0071] (3) Computability: There exists an efficient algorithm for any input. They can all be calculated The value of .
[0072] In this embodiment, the bilinear mapping can be implemented using paired, friendly elliptic curves that meet a preset security level. These paired, friendly elliptic curves include the BN curve family, the BLS curve family, or other elliptic curves that support efficient bilinear pairing operations. The bilinear mapping can be implemented using Tate pairing or its equivalent pairing algorithm. The generator is denoted as g. Those skilled in the art can implement the above group operations and bilinear mapping operations using bilinear pairing operation libraries (such as the PBC library).
[0073] S12, Instantiate the cryptographic hash function. Select two cryptographic hash functions, one for each of the different mapping stages:
[0074] First cryptographic hash function It is used to map bit strings of arbitrary length to cyclic groups. In this embodiment, Instantiation is performed using the hash-to-curve standard technique defined in IETF RFC 9380, ensuring that the output is a group. The legal elements in.
[0075] Second cryptographic hash function Used to group The elements in the array are mapped to 256-bit hash values. In this embodiment, The SM3 cryptographic hash algorithm released by the State Cryptography Administration of my country is instantiated, and the SM3 hash calculation can be completed using the GmSSL tool.
[0076] To ensure the two hash functions are independent, different field separation labels are pre-set as input prefixes before each hash function is called. The system's common parameters then include: Where l=256 is the random value for retrieval and The length of the output bits.
[0077] S13, the data receiver receives the integer multiplication group modulo q. Randomly select a secret value x as its private key, denoted as . Then, the corresponding public key is calculated. The data recipient will use the public key. Released to the public through public channels, along with the private key. Encrypted storage on local secure storage media ensures confidentiality.
[0078] Therefore, the system's common parameters can be summarized as follows: This public parameter is available to all entities.
[0079] S2, the data sender obtains the system public parameters and the public key of the data receiver, generates a search random value for the keyword to be encrypted, calculates the search encapsulated ciphertext to hide the search random value, and uses the search random value and the keyword to be encrypted to generate keyword ciphertext, and uploads the keyword ciphertext and the search encapsulated ciphertext together with the business data ciphertext to the cloud server.
[0080] This step, performed by the data sender, encrypts the keywords associated with the data to be uploaded into a searchable ciphertext format, specifically as follows:
[0081] S21, the data sender obtains the system's public parameter Param and the data receiver's public key from publicly available sources. The keyword to be encrypted is determined as kw, where kw is a bit string of arbitrary length.
[0082] S22, the data sender performs two independent random samplings using a cryptographically secure random number generator: from A bit string K is uniformly and randomly selected from the space as the random value for this encryption retrieval; from A uniformly random integer r is selected as a temporary random number.
[0083] S23, calculate the first part U of the retrieved encapsulated ciphertext. This part is used to encapsulate the public information of the temporary random number r, and is calculated as follows: Due to the discrete logarithm problem, no adversary can derive a random number r from U. The data receiver holding the recipient's private key x can use U, combined with their own private key, to recover the intermediate value used for subsequent decryption and retrieval of the random value K through bilinear pairing operations. .
[0084] S24, calculate the second part V of the retrieval encapsulated ciphertext. This part is used to securely encapsulate the retrieval random value K. First, calculate the median value of the bilinear pairing. Based on the bilinear property of bilinear mappings, this value can be derived as follows: Subsequently, the intermediate value is mapped to a 256-bit mask using the second cryptographic hash function H2, and then XORed with the retrieved random value K, i.e.:
[0085]
[0086] Only the data recipient holding the corresponding private key x can recover the same data from U. The value is then used to remove the XOR mask and restore the retrieved random value K.
[0087] S25, Calculate the ciphertext of the key. The data sender first concatenates the retrieved random value K with the key to be encrypted kw, obtaining the bit string K∥kw (the symbol "∥" indicates sequential concatenation of the bit strings). Then, the first cryptographic hash function is called. Map the cascade result to a group elements in Finally, the receiver's public key is used. Calculate the key ciphertext :
[0088]
[0089] S26, The data sender encapsulates the calculated retrieval into ciphertext. The keyword ciphertext The encrypted business data, encrypted using a symmetric encryption algorithm, is uploaded to the cloud server; the cloud server then encapsulates the retrieval data into ciphertext. Keyword ciphertext The encrypted business data is stored in association with the encrypted data so that the data recipient can subsequently obtain the retrieval encapsulated encrypted data and perform encrypted retrieval.
[0090] In this embodiment, all steps involving elliptic curve dot product, bilinear pairing, and hash operations can be implemented using cryptographic tools such as bilinear pairing libraries (e.g., PBC library) and national cryptographic algorithm toolkits (e.g., GmSSL). The data sender uploads the generated retrieval encapsulated ciphertext and keyword ciphertext to the cloud server.
[0091] S3, the data receiver sends a search request to the cloud server to obtain the search encapsulated ciphertext corresponding to the ciphertext set to be searched, uses its own private key to decapsulate the search encapsulated ciphertext to recover the search random value, and generates a search trapdoor through a trapdoor generation algorithm based on the recovered search random value and the keyword to be searched, and sends the search trapdoor to the cloud server.
[0092] This step, performed by the data recipient, is used to generate a trapdoor for submission to the cloud server targeting specific keywords to be searched. Specifically:
[0093] S31, when the data receiver wants to retrieve data containing a certain keyword When retrieving encrypted data, a retrieval request is first sent to the cloud server. The cloud server then encapsulates the stored retrieval data into encrypted form based on the request scope. Return it to the data recipient.
[0094] S32, the data receiver uses its own private key Perform the decapsulation operation to restore the retrieved random value K'. The calculation formula is:
[0095]
[0096] The basis for restoring correctness here is the bilinear property of bilinear mappings. This value is consistent with the value in encryption phase S24. The input is completely identical. Therefore, if the retrieval encapsulated ciphertext has not been tampered with during transmission and storage, then... It must be equal to the original search random value K.
[0097] S33, based on the keyword to be searched and the recovered random values The data receiver calls the first cryptographic hash function to calculate... and using its own private key Perform an exponentiation operation on it to generate a search trapdoor uniquely bound to this search:
[0098]
[0099] S34, the data receiver sends the generated search trap Tw to the cloud server and waits for the matching test results.
[0100] In this embodiment, the relevant cryptographic tools used by those skilled in the art are largely the same as those used in step S2.
[0101] S4, the cloud server uses bilinear pairing operations to match and verify the search trap sent by the data receiver with the encrypted keyword uploaded by the data sender. If the verification is successful, the matching is determined to be successful, and the corresponding encrypted data is returned to the data receiver.
[0102] This stage is executed by the cloud server and is used to determine whether the retrieval trapdoor and the keyword ciphertext correspond to the same keyword. Specifically:
[0103] S41, after receiving the retrieval trapdoor Tw, the cloud server iterates through its stored list of ciphertext keywords related to the recipient. For each ciphertext keyword... Perform the following verification operation.
[0104] S42, the cloud server uses the generator g from the system's public parameters to calculate the bilinear pairing value. .
[0105] S43, Cloud Server Verification Equation Does it hold true? If the equation holds true, it indicates the keyword used to generate the trapdoor. If the keyword 'kw' used to generate the ciphertext is completely identical, the cloud server will return the ciphertext of the business data associated with that keyword to the data recipient. If the equation does not hold true, it indicates a keyword mismatch, and the cloud server will continue to verify the next keyword ciphertext until all ciphertexts have been traversed. If all ciphertexts do not match, a search failure result will be returned to the data recipient.
[0106] In this embodiment, bilinear pairing operations can be implemented using the PBC bilinear pairing operation library, which can efficiently implement bilinear pairing e: → The mapping operation and the exponentiation operation within the group are used to ensure the efficiency and accuracy of the matching verification process.
[0107] Verification of the correctness of the matching algorithm:
[0108] Correctness depends on the bilinear property of bilinear pairs: for any and , satisfying e( , )= The parameters involved in the matching algorithm in this method are calculated as follows:
[0109] Let the key used for encryption be kw, the random value for retrieval be K, and the key entered during retrieval be... Furthermore, the encrypted CIP file was found to be unaltered.
[0110] The first step is to verify the correctness of the retrieved random value recovery. From the bilinear property of bilinear mappings, we can obtain:
[0111]
[0112] In encryption phase S24, The input is The two inputs are exactly the same, therefore The outputs are the same, and the XOR operation correctly restores the correct output. .
[0113] The second step is to verify the correctness of the matching test. Substitute the retrieval trapdoor Tw into the bilinear pairing calculation:
[0114]
[0115] If and only if At that time, due to Therefore .at this time:
[0116]
[0117] The equation is true, and the match is successful. If Or, due to a mismatch between the retrieved and encapsulated ciphertext. Then it is determined by the cryptographic hash function. From the collision resistance and the non-degeneracy of the bilinear mapping e, it can be seen that... The probability of it being true is negligible. The correctness of the scheme is thus proven.
[0118] Example 2:
[0119] A public-key searchable cryptosystem resistant to internal key guessing attacks, such as Figure 1 As shown, it includes the following modules:
[0120] The system parameter generation module is used to generate common system parameters based on bilinear mapping;
[0121] The data sender module is used to obtain system public parameters and data receiver public keys, generate a search random value for the keyword to be encrypted, calculate the search encapsulation ciphertext to hide the search random value, and use the search random value and the keyword to be encrypted to generate keyword ciphertext. The keyword ciphertext, search encapsulation ciphertext and business data ciphertext are uploaded to the cloud server together. The sender module does not need to be configured with any independent public and private key pairs.
[0122] The data receiver module is used to generate its own public-private key pair under the system's public parameters, publicly disclose the public key, and securely store the private key locally; it is also used to send a retrieval request to the cloud server to obtain the retrieval encapsulated ciphertext, use its own private key to recover the retrieval random value and generate a retrieval trapdoor, and send the retrieval trapdoor to the cloud server; it is also used to receive encrypted data returned by the cloud server and decrypt it to obtain the original data.
[0123] The cloud server module is used to store the encrypted business data, keyword encrypted text, and retrieval encapsulation encrypted text uploaded by the data sender, and to associate and store them with the data receiver; it receives the retrieval trap sent by the data receiver, verifies the matching between the retrieval trap and the keyword encrypted text through a preset matching algorithm, and returns the corresponding encrypted data to the data receiver when the match is successful.
[0124] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device to execute the methods described in the various embodiments or some parts of the embodiments.
[0125] The above embodiments are only used to illustrate the technical solutions of the present invention, and are not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A public key searchable encryption method against an internal keyword guessing attack, characterized by, Includes the following steps: S1 generates system public parameters based on bilinear mapping; the data receiver generates its own public-private key pair under the system public parameters, publishes the public key, and stores the private key locally securely; S2, the data sender obtains the system public parameters and the public key of the data receiver, generates a search random value for the keyword to be encrypted, calculates the search encapsulated ciphertext to hide the search random value, and uses the search random value and the keyword to be encrypted to generate keyword ciphertext, and uploads the keyword ciphertext and the search encapsulated ciphertext together with the business data ciphertext to the cloud server. S3, the data receiver sends a search request to the cloud server to obtain the search encapsulated ciphertext corresponding to the ciphertext set to be searched, uses its own private key to decapsulate the search encapsulated ciphertext to recover the search random value, and generates a search trapdoor through a trapdoor generation algorithm based on the recovered search random value and the keyword to be searched, and sends the search trapdoor to the cloud server. S4 uses bilinear pairing operations to match and verify the search trap sent by the data receiver with the encrypted keyword uploaded by the data sender. If the verification is successful, the corresponding encrypted data is returned to the data receiver.
2. The public-key searchable encryption method for resisting internal key guessing attacks according to claim 1, characterized in that, Step S1 specifically involves: S11, Set the safety parameter λ, and select the multiplicative cyclic group of prime order q. and and bilinear mapping e: → , where q is greater than For large prime numbers, g is a generator of group G, and bilinear mapping e satisfies bilinearity, nondegeneracy, and computability. S12, select two cryptographic hash functions, namely: First cryptographic hash function It is used to map bit strings of arbitrary length to cyclic groups. middle; Second cryptographic hash function Based on the national cryptographic SM3 algorithm, it is used to group The elements in the array are mapped to strings of length l bits, where l is the preset bit length of the retrieved random value; ; The system's common parameters include: ; S13, the data receiver receives the integer multiplication group modulo q. Randomly select a secret value x as your private key Calculate the public key The data recipient will use the public key. Publicly available, private key Stored securely on the local machine.
3. The public-key searchable encryption method for resisting internal key guessing attacks according to claim 2, characterized in that, In step S2, the process of generating the retrieval-encapsulated ciphertext and the keyword ciphertext is as follows: S21, The data sender obtains system common parameters. and the recipient's public key To determine the keyword to be encrypted, kw, first from... A bit string K is uniformly and randomly selected from the space as the random value for this encryption retrieval; S22, the data sender from A temporary random number r is uniformly and randomly selected from the given data. The following operation is used to generate the retrieval encapsulated ciphertext. =(U,V) is used to hide the retrieved random value: ; Where ⊕ represents the XOR operation, and e is the bilinear mapping operation; S23, Combining the keyword and the retrieved random value, the data sender generates the keyword ciphertext through the following operation. : ; Where "∥" represents the concatenation of bit strings; S24, The data sender encapsulates the calculated retrieval into ciphertext. The keyword ciphertext The encrypted business data, encrypted using a symmetric encryption algorithm, is also uploaded to the cloud server. The cloud server encapsulates the retrieval into encrypted text. Keyword ciphertext The encrypted business data is stored in association with the encrypted data so that the data recipient can subsequently obtain the retrieval encapsulated encrypted data and perform encrypted retrieval.
4. The public-key searchable encryption method for resisting internal key guessing attacks according to claim 3, characterized in that, In step S3, the generation process of the keyword trapdoor is as follows: S31, The data receiver obtains the system's public parameters and its own private key. For the selected keywords to be searched A retrieval request is sent to the cloud server, and the cloud server returns the retrieval encapsulated ciphertext corresponding to the data recipient. After obtaining the CIP, the data receiver recovers the retrieved random value using the following operation. : ; S32, the data receiver uses the recovered retrieval random value K' to generate a retrieval trapdoor Tw through the following operation: ; S33, the data receiver uploads the retrieval trap Tw to the cloud server.
5. A public-key searchable encryption method resistant to internal key guessing attacks according to claim 4, characterized in that, In step S4, the cloud server verifies the match between the retrieval trapdoor and the encrypted keyword, specifically as follows: Cloud server retrieves encrypted keyword data uploaded by the data sender. Using the retrieval trapdoor Tw sent by the data receiver, and employing bilinear operations on e, the following verification is performed: ; If the above equation is true, the trapdoor and the keyword ciphertext are considered to be successfully matched, and the cloud server sends the corresponding business data ciphertext to the data recipient; if the equation is not true, the matching is considered to have failed, and the search failure result is returned.
6. A public-key searchable encryption system resistant to internal key guessing attacks, said system implementing the method according to any one of claims 1-5, characterized in that, Includes the following modules: The system parameter generation module is used to generate common system parameters based on bilinear mapping; The data sender module is used to obtain system public parameters and data receiver public keys, generate a search random value for the keyword to be encrypted, calculate the search encapsulation ciphertext to hide the search random value, and use the search random value and the keyword to be encrypted to generate keyword ciphertext. The keyword ciphertext, search encapsulation ciphertext and business data ciphertext are uploaded to the cloud server together. The sender module does not need to be configured with any independent public and private key pairs. The data receiver module is used to generate its own public-private key pair under the system's public parameters, publicly disclose the public key, and securely store the private key locally; it is also used to send a retrieval request to the cloud server to obtain the retrieval encapsulated ciphertext, use its own private key to recover the retrieval random value and generate a retrieval trapdoor, and send the retrieval trapdoor to the cloud server; it is also used to receive encrypted data returned by the cloud server and decrypt it to obtain the original data. The cloud server module is used to store the encrypted business data, keyword encrypted text, and retrieval encapsulation encrypted text uploaded by the data sender, and to associate and store them with the data receiver; it receives the retrieval trap sent by the data receiver, verifies the matching between the retrieval trap and the keyword encrypted text through a preset matching algorithm, and returns the corresponding encrypted data to the data receiver when the match is successful.