Privacy-preserving decentralized and traceable inner product function encryption method
By adopting a system model that independently issues key shares by multiple authorities and collaboratively tracks the threshold tracking committee, the centralization problem of existing inner product function encryption schemes is solved, achieving decentralization, privacy protection and distributed tracking, and providing a secure and efficient solution for data sharing and inner product calculation.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUIZHOU UNIV
- Filing Date
- 2026-06-15
- Publication Date
- 2026-07-14
AI Technical Summary
Existing inner product function encryption schemes struggle to simultaneously achieve decentralized multi-authority key issuance, distributed tracking of leaked keys, and user privacy protection.
The system adopts a multi-party entity interaction model, including global initialization, authoritative initialization, user registration, privacy key generation, data encryption, and distributed tracking. It protects user privacy by issuing key shares independently by multiple authorities and completing tracking collaboratively by a threshold tracking committee, combined with Pedersen commitments and zero-knowledge proof mechanisms.
It achieves decentralized key issuance and tracking, eliminates single-point trust bottlenecks, protects user privacy and provides an effective accountability mechanism, reduces the computational overhead of online encryption and decryption, and has good scalability and robustness.
Smart Images

Figure CN122394974A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the technical fields of privacy protection, distributed key issuance, and encryption algorithms, and specifically to a privacy-preserving, decentralized, and traceable inner product function encryption method. Background Technology
[0002] With the rapid development of cloud computing, the Internet of Things, and data-driven intelligent services, secure and fine-grained data sharing has become a fundamental requirement in modern distributed systems. In many practical scenarios, data owners are unwilling to disclose the original data to external entities, while authorized users only need to obtain a specific function value on the encrypted data, rather than the entire plaintext. Function cryptography (FE) provides a promising cryptographic paradigm for such applications because it allows the decryptor to recover only the specified function value on the encrypted message. Among various FE primitives, inner product function cryptography (FE-IP) has received particular attention due to its wide applicability in privacy-preserving search, secure machine learning, access control, and statistical analysis.
[0003] While FE-IPs possess strong expressive power, traditional constructs typically rely on a centralized key generation authority. This design introduces strong trust assumptions and creates a single point of failure. Once the central authority is compromised, the confidentiality of user keys and even the entire system can be threatened. To address this issue, recent research has begun exploring decentralized or multi-authority FE-IP schemes, where multiple independent authorities collaboratively support key issuance without relying on a single trusted entity. This research direction significantly reduces the concentration of trust in a single issuer and improves robustness in distributed environments. Furthermore, privacy-preserving decentralized key generation protocols further prevent authorities from directly obtaining the user's global identity during the key issuance process. However, existing decentralized FE-IP schemes primarily focus on confidentiality, anti-collusion, and privacy-preserving key issuance; they do not provide effective accountability mechanisms should a secret key be compromised.
[0004] On the other hand, traceable FE-IP schemes have been introduced to provide accountability for secret key leaks. In these schemes, leaked function secret keys can be traced back to the user who initially obtained the key. More importantly, privacy-preserving traceable FE-IP further prevents the issuer from knowing the user's true identity during key generation, while still allowing a designated tracer to restore identity in the event of a key leak. This design achieves an ideal balance between privacy and accountability. Nevertheless, existing privacy-preserving traceable FE-IP schemes are still largely built around a single issuer or a single tracer entity. Therefore, they do not adequately address the need for decentralized trust in multi-party environments, and their system architecture remains vulnerable to centralized bottlenecks in key issuance and traceability.
[0005] Therefore, a natural and important question arises: can a FE-IP scheme be constructed that simultaneously supports decentralized multi-authority key issuance, distributed tracking, and identity concealment consistency? This question is not trivial for at least three reasons. First, in a multi-authority setting, different authorities must issue key shares to the same user without knowing the user's true identity. Second, even if no single authority knows the user's identity independently, the leaked aggregated key must still remain traceable. Third, the tracking process itself should avoid becoming another centralized trust bottleneck. In particular, when tracking is distributed among multiple trackers, the system must ensure that only an authorized tracking committee can recover the embedded identity information, and that no strictly subset of trackers can obtain useful information about the user's identity. More fundamentally, once privacy-preserving issuance and distributed tracking are introduced simultaneously, cross-authority identity concealment consistency must be guaranteed; that is, all authorities must issue their shares for the same hidden identity, rather than issuing them separately for different hidden identities maliciously chosen by the user. Summary of the Invention
[0006] Based on the shortcomings of existing technologies, the main technical problem that this invention aims to solve is that existing inner product function encryption schemes are unable to simultaneously achieve decentralized multi-authority key issuance, distributed tracking of leaked keys, and user privacy protection.
[0007] Based on the first major aspect of the present invention, a privacy-preserving, decentralized, and traceable inner product function encryption method is provided. This method is based on a multi-party entity interaction system model, which includes the following entities: authorities, users, data owners, cloud servers, and a tracking committee. The method includes the following steps performed by a computer system:
[0008] The global initializer performs global initialization, establishes common parameters, and generates tracking key shares and a common tracking key for multiple trackers in the tracking committee.
[0009] Each authority independently performs authority initialization, generating its own public and private keys;
[0010] Users register based on their real identities and generate a hidden identity scalar, which in turn generates a commitment, a tracking tag, and a tracking ciphertext. The tracking tag is associated with the real identity and stored in the registry. The commitment and the tracking ciphertext are published as a public registration tuple.
[0011] The privacy key generation is performed by the user interacting with at least one authority, including: the user sending the public registration tuple, proof information and function vector to the authority; the authority verifying the proof and generating a key share based on its authority private key and signing and returning it.
[0012] The user will aggregate and verify the signatures of multiple key shares received from multiple authorities to obtain the aggregated secret key;
[0013] The data owner encrypts the message vector using an inner product function based on a selected authoritative public key to generate ciphertext;
[0014] The user uses the aggregated secret key, the ciphertext, and the hidden identity scalar to decrypt the message vector and obtain the inner product of the function vector;
[0015] The tracking committee performs distributed tracking, including: when a leaked aggregate key is obtained, at least a threshold number of trackers each use their own tracking key share to partially decrypt the tracking ciphertext contained therein, collaboratively recover the tracking tag, and query the corresponding real identity according to the registry.
[0016] Optionally, during the process of generating the privacy key, the proof information generated by the user includes a first interaction parameter and a second interaction parameter, as well as a zero-knowledge proof for proving that the commitment, the tracking ciphertext, and the first interaction parameter are bound to the same hidden identity scalar;
[0017] The key share generated by the authority includes the first share component, the second share component, and the digital signature of the issued share.
[0018] Optionally, during the generation of the privacy key, the authoritative calculation of the first share component and the second share component is performed as follows:
[0019] authority Choosing a finite field random numbers in Calculate the first intermediate variable:
[0020]
[0021] Calculate the second intermediate variable:
[0022]
[0023] in, These are generators in the common parameters; It is a function vector; The first interaction parameter sent to the user; For authoritative public key components; The random number generated by the authority for this interaction; For authority The private key components; For authority The private key vector;
[0024] The user will use the first intermediate variable As the first share and the second interaction parameter generated by the user With the second intermediate value Multiply to obtain the second share component ;
[0025] The authority uses its signing private key to digitally sign the commitment, tracking ciphertext, function vector, first share component, and second share component, generating a digital signature of the issued share. .
[0026] Further preferably, during the global initialization process of establishing common parameters, set , and It is a prime number. The cyclic group, in which, For the first group, For the second group, For the target group, It is a bilinear mapping; let Generates the common parameters and defines them. Generators in ;
[0027] During the key aggregation process, after verifying the validity of the digital signature of each key share, the user further verifies that the key share satisfies the following relationship:
[0028] The first product is obtained by multiplying each component of the authoritative public key by raising it to the power of the corresponding component of the function vector.
[0029] Calculate generators in common parameters The second product is obtained by bilinear mapping of the second share component of the key share;
[0030] Calculate generators in common parameters The result of the exponentiation operation with the hidden identity scalar is then bilinearly mapped to the authoritative public key component to obtain the third product;
[0031] Multiply the first product, the second product, and the third product together to get the value on the right.
[0032] The first share component of the key share is calculated in relation to the generator in the common parameters. The bilinear mapping yields the left-hand side value;
[0033] Finally, it was verified that the values on the left and right sides are equal.
[0034] Optionally, the data owner may encrypt the message vector using an inner product function based on a selected authoritative public key, specifically including:
[0035] Select an encrypted random number;
[0036] For each component of the message vector, multiply the corresponding dimension public key component of each selected authority, then exponentiate by the encrypted random number, and finally multiply by the target group. generator The ciphertext of the message component is obtained by raising the value of the message component to the power of ... message component.
[0037] Calculate the generators in the common parameters respectively The encrypted random number raised to the power of ... The encryption random number is raised to a power of 1 to obtain three auxiliary ciphertext components;
[0038] Combine all message ciphertext components, three auxiliary ciphertext components, and the selected set of authoritative information into a complete ciphertext.
[0039] Optionally, in the decryption step, the user uses the aggregated secret key, ciphertext, and hidden identity scalar to decrypt, and the inner product is calculated as follows:
[0040] Each ciphertext component of the message is raised to the power of the corresponding component of the function vector, and then multiplied together to obtain the first numerator.
[0041] The generator in the computation ciphertext The second numerator is obtained by bilinear mapping of the auxiliary ciphertext component, which is composed of the encryption random number power, and the product of the second share component of all authorities in the aggregate key;
[0042] Calculate generators in common parameters The bilinear mapping of the aggregated component with the authoritative public key in the ciphertext is then performed with the hidden identity scalar as the exponent to obtain the third numerator;
[0043] Multiply the first numerator, the second numerator, and the third numerator together to get the numerator;
[0044] Calculate the product of the first share components of all authorities in the aggregate key and the product of the generators in the ciphertext. The bilinear mapping of the auxiliary ciphertext components, which are formed by powers of the encrypted random number, yields the denominator;
[0045] Dividing the numerator by the denominator yields an intermediate result, which is equal to the target group. generator The inner product power;
[0046] Finally, the inner product value is obtained by solving the discrete logarithm.
[0047] Optionally, in the distributed tracing step, the specific method by which at least a threshold number of trackers collaborate to recover the tracking tag is as follows:
[0048] The first and second components of the tracking ciphertext were extracted from the leaked aggregate key;
[0049] Each tracker participating in the tracking uses their own tracking key share to exponentiate the first component of the tracking ciphertext to obtain a partial decryption result;
[0050] The tracking committee used the Lagrange interpolation method to calculate the interpolation coefficients based on a subset of trackers participating in the tracking. They then multiplied all the partial decryption results by exponentiation of the corresponding interpolation coefficients and reconstructed the master secret power of the first component of the tracking ciphertext.
[0051] Divide the second component of the tracking ciphertext by the reconstruction result to recover the tracking label;
[0052] The registry was queried using the recovered tracking tags as keys to obtain the corresponding real identity.
[0053] Based on a second key aspect of the present invention, a privacy-preserving, decentralized, and traceable inner product function encryption system for implementing the aforementioned method is provided, the system comprising:
[0054] Initialize the entity to perform global initialization, establish common parameters, and generate tracking key shares and a common tracking key for multiple trackers in the tracking committee;
[0055] Multiple authorities, each of which independently performs authority initialization to generate its own authority public and private keys, and interacts with users to perform privacy key generation to issue key shares;
[0056] The tracking committee, consisting of multiple trackers, holds a share of the tracking key generated through global initialization and collaborates to perform distributed tracking.
[0057] The user terminal is used to perform user registration to generate a hidden identity scalar, commitment and tracking ciphertext, perform privacy key generation and authoritative interaction to obtain key shares, aggregate key shares, and decrypt ciphertext;
[0058] The data owner terminal is used to encrypt the message vector using an inner product function based on the public key of a selected set of authorities, generating and uploading ciphertext.
[0059] Based on a third key aspect of the present invention, an electronic device is provided, comprising one or more processors;
[0060] Storage device for storing one or more programs;
[0061] When one or more programs are executed by one or more processors, the one or more processors implement the aforementioned privacy-preserving, decentralized, and traceable inner product function encryption method.
[0062] Based on a fourth key aspect of the present invention, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed, implements the aforementioned privacy-preserving, decentralized, and traceable inner product function encryption method.
[0063] Compared with existing technologies, the privacy-preserving, decentralized, and traceable inner product function encryption scheme proposed in this invention has the following advantages:
[0064] First, this invention achieves decentralized key issuance and tracking, eliminating single-point trust bottlenecks. Existing solutions either rely on a single authority to generate keys or on a single tracker to recover identities, which can easily create system vulnerabilities. This invention, through multiple authorities independently issuing key shares and having a threshold tracking committee collaboratively complete the tracking, ensures that no single authority or tracker can independently compromise system security or leak user privacy, thus improving the system's robustness and security.
[0065] Secondly, this invention achieves effective accountability for leaked keys while protecting user privacy. The user's real identity is hashed into a hidden identity scalar, and through Pedersen commitments, tracking ciphertext, and zero-knowledge proof mechanisms, it is ensured that all authorities can issue key shares for the same hidden identity without knowing the user's true identity. When a key leak is discovered, only a minimum threshold of trackers can collaborate to recover the tracking tag from the tracking ciphertext and trace back to the real user. Any trackers fewer than the threshold cannot obtain any identity information, thus achieving an ideal balance between privacy protection and traceability.
[0066] Third, it reduces the computational overhead of online encryption and decryption. Experimental results show that the encryption time of the proposed scheme is comparable to that of efficient existing decentralized schemes, while the decryption time is far lower than that of similar traceable schemes. This is because the tracking components and identity consistency verification are mainly integrated in the registration and key issuance stages, and the encryption and decryption processes only require a small number of bilinear mappings and exponentiation operations, making it suitable for use on cloud servers and terminal devices with limited computing resources.
[0067] Fourth, the threshold tracking mechanism in this invention exhibits good scalability and controllable overhead. Tracking time increases linearly with the threshold value rather than exponentially, and the tracking process only requires each participant to perform a single exponentiation and Lagrange interpolation, avoiding the communication and computational explosion problems caused by repeated tests in black-box tracking. Simultaneously, each authority signs the key share, ensuring verifiability of the share's origin and resistance to framing, preventing malicious authorities or attackers from forging shares.
[0068] In summary, this invention, with moderate additional overhead, simultaneously achieves decentralization, privacy protection, distributed tracing, and accountability, providing a complete and practical cryptographic solution for secure data sharing and inner product computation in cloud environments. Attached Figure Description
[0069] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, obtaining other drawings based on these drawings without creative effort still falls within the scope of the present invention.
[0070] Figure 1 The following is a flowchart illustrating the execution of a privacy-preserving, decentralized, and traceable inner product function encryption method according to one embodiment of the present invention.
[0071] Figure 2 A schematic diagram of a PPDTFE-IP system model for implementing the method of the present invention is shown in one embodiment of the present invention. Detailed Implementation
[0072] The preferred embodiments of the present invention will be described in detail below to provide a clearer understanding of the purpose, features, and advantages of the invention. It should be understood that the following embodiments are not intended to limit the scope of the invention, but are merely illustrative of the essential spirit of the technical solution of the invention.
[0073] like Figure 1 As shown, in one embodiment, the present invention provides a privacy-preserving, decentralized, and traceable inner product function encryption method. This method is based on a multi-party entity interaction system model, which includes the following entities: authority, user, data owner, cloud server, and tracking committee. The method includes the following steps S100-S800 executed by a computer system:
[0074] Step S100: The global initializer performs global initialization, establishes common parameters, and generates tracking key shares and common tracking keys for multiple trackers in the tracking committee;
[0075] Step S200: Each authority independently performs authority initialization, generating the authority's public key and private key;
[0076] In step S300, the user registers based on their real identity and generates a hidden identity scalar, which in turn generates a commitment, a tracking tag, and a tracking ciphertext. The tracking tag is associated with the real identity and stored in the registry, and the commitment and the tracking ciphertext are published as a public registration tuple.
[0077] Step S400 involves the user interacting with at least one authority to generate a privacy key, including: the user sending the public registration tuple, proof information, and function vector to the authority; the authority verifying the proof and generating a key share based on its authority private key, then signing and returning the share.
[0078] In step S500, the user aggregates and verifies the signatures of multiple key shares received from multiple authorities to obtain the aggregated secret key;
[0079] Step S600: The data owner encrypts the message vector using an inner product function based on the selected authoritative public key to generate ciphertext;
[0080] Step S700: The user uses the aggregated secret key, the ciphertext, and the hidden identity scalar to decrypt the message vector and the function vector to obtain the inner product of the message vector and the function vector.
[0081] Step S800: The tracking committee performs distributed tracking, including: when the leaked aggregation key is obtained, at least a threshold number of trackers each use their own tracking key share to partially decrypt the tracking ciphertext contained therein, collaboratively recover the tracking tag, and query the corresponding real identity according to the registry.
[0082] In this invention, the global initializer should be understood as a logical entity that performs one-time initialization work at system startup, rather than a persistent system role parallel to "user" or "authority." Its most direct materialized form is a temporary, trusted system deployment role, such as a system architect, deployment script, or a node with administrative privileges. Therefore, the global initializer is not considered a constituent entity of the system model in the following description of the system model framework.
[0083] In one embodiment, a system model framework for implementing the method of the present invention is as follows: Figure 2 As shown, the system model is named PPDTFE-IP, and its main entity descriptions are as follows:
[0084] Authority: Exists in the system Each is an independent authority. Generate your own key pair independently In this invention, a key share is issued to the user through a privacy-preserving key generation protocol. All of these represent index numbers.
[0085] User: User Holding a real identity To protect privacy, users never... Send directly to any authority. Instead, users derive hidden identity scalars. It is used to generate commitment and tracking ciphertext. This is a cryptographic hash function.
[0086] Data owner: The data owner in the selected set of authorities Public key encrypted message vector .in, For authoritative quantity, These are the components of the plaintext vector input by the data owner. For a finite field, It is the vector dimension.
[0087] Cloud server: The cloud server stores the encrypted data and returns it to the authorized user.
[0088] Tracking Committee: The system contains... A tracker Set a fixed tracking threshold. No single tracker can recover a user's identity on their own. Only those who meet the following conditions can recover the user's identity. Tracking subset Only then can the tracking tags embedded in the leaked aggregation key be recovered collaboratively. Furthermore, the tracking committee securely maintains the registry. The registry maps each registered tracking tag to a corresponding real identity. The number of trackers in the tracking committee. For tracking tags.
[0089] Based on the above system model, in one embodiment, the overall workflow of the computer executing this method can be described as follows:
[0090] (1) The global initializer executes the global initialization algorithm. and publish public parameters .
[0091] (2) Each authority Independent execution of authoritative initialization algorithm and publish its public key .
[0092] (3) User Execute user registration algorithm Generate publicly registered tuples and secret registration status .Depend on Derived tracking tags Securely logged in the registry middle. For Pedersen's commitment, In order to track the ciphertext, To conceal the identity scalar, To commit to random numbers, To track random numbers in the ciphertext.
[0093] (4) To obtain the function vector The function key, generated by the user through a privacy key generation algorithm. With authority Interact and receive key share set .
[0094] (5) The user aggregates these shares into an aggregated secret key using the KeyAgg key aggregation algorithm. .
[0095] (6) The data owner in the selected set of authorities Encryption vector The encrypted text is then uploaded to the cloud server CS.
[0096] (7) If Users can decrypt and recover the inner product. . For function vectors, This is for encrypted message vectors. This represents the dot product operation of vectors.
[0097] (8) If a leaked aggregate key is discovered, the tracking committee will jointly execute a tracking algorithm. Reconstruct tracking tags and access the registry. Retrieve the corresponding identity.
[0098] The above schemes may involve the following algorithms, defined below: global initialization algorithm Setup, authoritative initialization algorithm ASetup, user registration algorithm UserReg, privacy key generation algorithm PPKeyGen, key aggregation algorithm KeyAgg, encryption algorithm Encrypt, decryption algorithm Decrypt, and tracing algorithm Trace. The specific implementation methods of these algorithms are described below.
[0099] (1) The global initialization algorithm uses safety parameters Number of authoritative figures Number of trackers Tracking threshold and vector dimension As input, output common parameters and secret tracking share .
[0100] (2) The authoritative initialization algorithm uses common parameters and authority index As input, output private key-public key pair .
[0101] (3) User registration algorithm uses common parameters and users true identity As input, output secret registration status and publicly registered tuples .
[0102] (4) Privacy key generation algorithms in authoritative and users Execute between these steps. If successful, the user receives the function vector. Key share In this invention, Indicating authoritative institutions It does not obtain a valid output after the protocol ends; that is, it only participates in generating key shares, but ultimately does not obtain the user's functional key share. This indicates that the agreement has failed or has been terminated.
[0103] (5) Key aggregation algorithms use common parameters Publicly registered tuples Function vectors and key share set As input, the aggregated secret key is output. .
[0104] (6) Encryption algorithms use public parameters Selected set of authorities public key set and message vectors As input, output ciphertext .
[0105] (7) The decryption algorithm uses common parameters Aggregate secret key ciphertext and hidden identity scalar As input, output inner product or .
[0106] (8) The tracking algorithm uses common parameters ,satisfy Tracking subset Tracking share and leaked aggregation key As input, first restore the tracking tags, then query the registry. and output the tracked identity. or .
[0107] In the above embodiments, the solution of the present invention integrates two layers of decentralization. First, the issuance of function secret keys is distributed among multiple independent authorities. Second, the recovery of leaked user identities is distributed among a tracker committee, ensuring that no single tracker entity can recover an identity independently.
[0108] In the above embodiments, the scheme proposed in this invention uses triples of a digital signature scheme. This is used to authenticate each authoritative key share and bind it to the corresponding commitment, trace ciphertext, and function vector. Indicates the key generation algorithm, Indicates the signature algorithm, This indicates the verification algorithm.
[0109] To protect privacy, user identities are never directly exposed to authorities. Instead, users compute hidden identity scalars. Pedersen promise and tracking tags . To commit to random numbers.
[0110] in, and yes The generators in the group are publicly published as part of the common parameters in the Setup algorithm, serving as the base values of the Pedersen commitment. yes One generator in the group is publicly published as part of the public parameters in the Setup algorithm, specifically for generating tracking tags.
[0111] The specific operation steps of each algorithm are described in the following embodiments.
[0112] (1) Global initialization algorithm .
[0113] make For a Type-III bilinear group generator, input security parameters Output the bilinear group parameters. , and It is a prime number. The cyclic group, referred to in this invention as... For the first group, For the second group, For the target group, It is a bilinear mapping.
[0114] make Generates the common parameters and defines them. Generators in .make This is a cryptographic hash function used to map a real identity to a hidden identity scalar. It is a finite field.
[0115] To initialize the tracking committee, choose a random secret. And construct the number of times random polynomials:
[0116]
[0117] For each tracker index Define tracking share The public tracking key is Common parameters are The tracking committee privately holds a share of the tracking key. .in, To track threshold values. , etc. represent the random coefficients of a polynomial. is the independent variable in the polynomial.
[0118] (2) Authoritative initialization algorithm ASetup.
[0119] Every authority Independent choice , And generate a signature key pair:
[0120]
[0121] Subsequently each authority calculate:
[0122]
[0123]
[0124] For authority The private key components are randomly selected from a finite field. ; For authority The private key vector, each component Randomly selected from a finite field . It represents Random. For authoritative signing key pairs, For signing private key, This is the public key for signing. For safety parameters. For authority The public key component. For authority Public key components (corresponding dimensions) ). for The generators in the group are publicly published as part of the public parameters in the Setup algorithm. It means "for all", used to express that a statement is true for every element in a set. It is a discrete logarithmic relation, which guarantees that from Unable to calculate in reverse . The first of the authoritative private key vectors Each component.
[0125] authority The private key-public key pair is
[0126]
[0127]
[0128] in, For authority private key, For authority The public key.
[0129] (3) User registration algorithm UserReg.
[0130] For the real identity is users Calculate the hidden identity scalar Choose a random value and calculate commitments . To commit to random numbers, To track random numbers in the ciphertext.
[0131] Define tracking tags:
[0132] ;
[0133] Then construct the tracking ciphertext:
[0134]
[0135] in, For complete tracking of ciphertext tuples, To trace the first component of the ciphertext, To trace the second component of the ciphertext.
[0136] The user's secret status is The publicly registered tuple is To support subsequent tracing, the tracing service security logs are mapped as follows:
[0137]
[0138] (4) Encryption algorithm.
[0139] In the encryption step, the data owner encrypts the message vector using an inner product function based on a selected authoritative public key. This specifically includes:
[0140] Select an encrypted random number;
[0141] For each component of the message vector, multiply the corresponding dimension public key component of each selected authority, then exponentiate by the encrypted random number, and finally multiply by the target group. generator The ciphertext of the message component is obtained by raising the value of the message component to the power of ... message component.
[0142] Calculate the generators in the common parameters respectively The encrypted random number raised to the power of ... The encryption random number is raised to a power of 1 to obtain three auxiliary ciphertext components;
[0143] Combine all message ciphertext components, three auxiliary ciphertext components, and the selected set of authoritative information into a complete ciphertext.
[0144] Specifically, in one embodiment, given a message vector Data owners first select an authoritative set. , and select . To generate an encrypted random number. Then calculate:
[0145] ;
[0146]
[0147] The ciphertext is .
[0148] in, For authority Public key components (corresponding dimensions) ), The first of the ciphertext Each component corresponds to a message component. . This is the first auxiliary ciphertext component, used for pairing during decryption; For the second auxiliary ciphertext component, aggregate the authoritative public key; The third auxiliary ciphertext component is located at .
[0149] (5) Privacy key generation algorithm PPKeyGen
[0150] In the privacy key generation process, the user-generated proof information includes a first interaction parameter and a second interaction parameter, as well as a zero-knowledge proof used to prove that the commitment, the tracking ciphertext, and the first interaction parameter are bound to the same hidden identity scalar.
[0151] Let the function vector be
[0152] User side: User parses user registration status Select interactive random number and calculate
[0153]
[0154] in, As the first interaction parameter, This is the second interaction parameter;
[0155] The user then generates a zero-knowledge proof:
[0156]
[0157] Users will submit key share request packets with proof in ordered tuples. Send to the authority .in, It is a zero-knowledge proof protocol.
[0158] In the following embodiments, the key share generated by the authority includes a first share component, a second share component, and a digital signature of the issued share.
[0159] Authority side: After receiving the above values, the authority... Verifying zero-knowledge proofs If the zero-knowledge proof is invalid, then abort. Otherwise, choose... And calculate:
[0160]
[0161]
[0162] and These are two intermediate variables; The random number generated by the authority for this interaction.
[0163] Subsequently, authority Proof generation:
[0164]
[0165] Authority will order tuples Send to the user.
[0166] User output: User authentication If the verification is valid, then define... . Random numbers aggregated for users.
[0167] The user then calculated:
[0168]
[0169]
[0170] in, This is the first share of the quantity; This is the second share component.
[0171] The authorities sign off on the issued shares:
[0172]
[0173] Digital signatures for issued shares;
[0174] Therefore, the final key share is
[0175]
[0176] During the key aggregation process, after verifying the validity of the digital signature of each key share, the user further verifies that the key share satisfies the following relationship:
[0177] The first product is obtained by multiplying each component of the authoritative public key by raising it to the power of the corresponding component of the function vector.
[0178] Calculate generators in common parameters The second product is obtained by bilinear mapping of the second share component of the key share;
[0179] Calculate generators in common parameters The result of the exponentiation operation with the hidden identity scalar is then bilinearly mapped to the authoritative public key component to obtain the third product;
[0180] Multiply the first product, the second product, and the third product together to get the value on the right.
[0181] The first share component of the key share is calculated in relation to the generator in the common parameters. The bilinear mapping yields the left-hand side value;
[0182] Finally, it was verified that the values on the left and right sides are equal.
[0183] In one embodiment, the following share verification is performed: User verification:
[0184]
[0185] as well as
[0186]
[0187] The bilinear mapping involved and generator All are common parameters. Represents the first product. Indicates the second product. This represents the third product. "" indicates whether the equality sign is true or false. To verify the signature algorithm.
[0188] (6) Key aggregation algorithm KeyAgg.
[0189] From Once the authority in the group gains a share, users aggregate it into:
[0190]
[0191] in, To aggregate secret keys.
[0192] (7) Decrypt algorithm.
[0193] In the decryption steps of the following embodiments, the user performs decryption using the aggregated secret key, ciphertext, and hidden identity scalar. The inner product is calculated as follows:
[0194] Each ciphertext component of the message is raised to the power of the corresponding component of the function vector, and then multiplied together to obtain the first numerator.
[0195] The generator in the computation ciphertext The second numerator is obtained by bilinear mapping of the auxiliary ciphertext component, which is composed of the encryption random number power, and the product of the second share component of all authorities in the aggregate key;
[0196] Calculate generators in common parameters The bilinear mapping of the aggregated component with the authoritative public key in the ciphertext is then performed with the hidden identity scalar as the exponent to obtain the third numerator;
[0197] Multiply the first numerator, the second numerator, and the third numerator together to get the numerator;
[0198] Calculate the product of the first share components of all authorities in the aggregate key and the product of the generators in the ciphertext. The bilinear mapping of the auxiliary ciphertext components, which are formed by powers of the encrypted random number, yields the denominator;
[0199] Dividing the numerator by the denominator yields an intermediate result, which is equal to the target group. generator The inner product power;
[0200] Finally, the inner product value is obtained by solving the discrete logarithm.
[0201] The following provides a specific implementation method.
[0202] Given ciphertext as well as .like Output Otherwise, the user must first verify all... Digital signature If all are valid, then calculate:
[0203]
[0204] From the correctness, we can conclude that:
[0205]
[0206] Finally, user calculation Regarding the base The discrete logarithm of the expression is given, and the output is given. .in, This is an intermediate result. The first part of the ciphertext Each component is Element, corresponding message component . yes The exponentiation operation, where is Integer exponent.
[0207] (7) Trace algorithm.
[0208] In the distributed tracing process, the specific method by which at least a threshold number of trackers collaborate to recover the tracking tag is as follows:
[0209] The first and second components of the tracking ciphertext were extracted from the leaked aggregate key;
[0210] Each tracker participating in the tracking uses their own tracking key share to exponentiate the first component of the tracking ciphertext to obtain a partial decryption result;
[0211] The tracking committee used the Lagrange interpolation method to calculate the interpolation coefficients based on a subset of trackers participating in the tracking. They then multiplied all the partial decryption results by exponentiation of the corresponding interpolation coefficients and reconstructed the master secret power of the first component of the tracking ciphertext.
[0212] Divide the second component of the tracking ciphertext by the reconstruction result to recover the tracking label;
[0213] The registry was queried using the recovered tracking tags as keys to obtain the corresponding real identity.
[0214] Given the leaked aggregation key The tracking committee first verified all signatures:
[0215]
[0216] If any validation fails, output: .
[0217] make:
[0218]
[0219] For any satisfying subset of Each tracker calculate
[0220]
[0221] make For corresponding The Lagrange interpolation coefficients. The tracking committee then reconstructed:
[0222]
[0223] Therefore, it restores the tracking label:
[0224]
[0225] Finally, the committee output:
[0226]
[0227] If no matching entry is found, the tracking algorithm outputs... .
[0228] in, For the leaked aggregation key, To disclose the promise in the key, To leak the tracking ciphertext in the key, To trace the first component of the ciphertext, To trace the second component of the ciphertext, The function vector corresponding to the leaked key. To reveal the share of each authority in the key, For the signatures of various authorities, The authority to award these shares, For trackers The secret share, for No. Partial decryption results calculated by a tracker For the recovery of tracking tags, To track down the true identity of the user.
[0229] It should be understood that the program code used to implement the methods of the present invention can be written in any combination of one or more programming languages. This program code can be provided to a processor or controller of a general-purpose computer, special-purpose computer, or other programmable data processing device, such that when executed by the processor or controller, the program code causes the functions / operations specified in the flowcharts and / or block diagrams to be implemented. The program code can be executed entirely on the machine, partially on the machine, as a standalone software package partially on the machine and partially on a remote machine, or entirely on a remote machine or server.
[0230] The acquisition, storage, and application of user personal information involved in the technical solution of this invention all comply with the provisions of relevant laws and regulations and do not violate public order and good morals.
[0231] It should be understood that the various forms of processes shown above can be used to reorder, add, or delete steps. For example, the steps described in this invention can be executed in parallel, sequentially, or in different orders, as long as the desired result of the technical solution of this invention can be achieved, and this invention does not impose any limitations on them.
[0232] The technical terms, principles, or means related to the technical solutions of the present invention mentioned in the above embodiments, which are not described in detail above, are all well-known technologies or common practices that are known to those skilled in the art.
[0233] The foregoing has shown and described the basic principles, main features, and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the above embodiments. The embodiments and descriptions in the specification are merely illustrative of the principles of the invention. Various changes and modifications can be made to the invention without departing from its spirit and scope, and all such changes and modifications fall within the scope of the present invention as claimed. The scope of protection of this invention is defined by the appended claims and their equivalents.
Claims
1. A privacy-preserving, decentralized, and traceable encryption method for inner product functions, characterized in that, This method is based on a multi-entity interaction system model, which includes the following entities: authorities, users, data owners, cloud servers, and tracking committees; the method includes the following steps performed by a computer system: The global initializer performs global initialization, establishes common parameters, and generates tracking key shares and a common tracking key for multiple trackers in the tracking committee. Each authority independently performs authority initialization, generating its own public and private keys; Users register based on their real identities and generate a hidden identity scalar, which in turn generates a commitment, a tracking tag, and a tracking ciphertext. The tracking tag is associated with the real identity and stored in the registry. The commitment and the tracking ciphertext are published as a public registration tuple. The privacy key generation is performed by the user interacting with at least one authority, including: the user sending the public registration tuple, proof information and function vector to the authority; the authority verifying the proof and generating a key share based on its authority private key and signing and returning it. The user will aggregate and verify the signatures of multiple key shares received from multiple authorities to obtain the aggregated secret key; The data owner encrypts the message vector using an inner product function based on a selected authoritative public key to generate ciphertext; The user uses the aggregated secret key, the ciphertext, and the hidden identity scalar to decrypt the message vector and obtain the inner product of the function vector; The tracking committee performs distributed tracking, including: when a leaked aggregate key is obtained, at least a threshold number of trackers each use their own tracking key share to partially decrypt the tracking ciphertext contained therein, collaboratively recover the tracking tag, and query the corresponding real identity according to the registry.
2. The privacy-preserving, decentralized, and traceable inner product function encryption method according to claim 1, characterized in that, During the process of generating the privacy key, the proof information generated by the user includes a first interaction parameter and a second interaction parameter, as well as a zero-knowledge proof used to prove that the commitment, the tracking ciphertext, and the first interaction parameter are bound to the same hidden identity scalar. The key share generated by the authority includes the first share component, the second share component, and the digital signature of the issued share.
3. The privacy-preserving, decentralized, and traceable inner product function encryption method according to claim 2, characterized in that, During the generation of the privacy key, the authoritative calculation of the first share component and the second share component is as follows: authority Choosing a finite field random numbers in Calculate the first intermediate variable: Calculate the second intermediate variable: in, These are generators in the common parameters; It is a function vector; The first interaction parameter sent to the user; For authoritative public key components; The random number generated by the authority for this interaction; For authority The private key components; For authority The private key vector; The user will use the first intermediate variable As the first share and the second interaction parameter generated by the user With the second intermediate value Multiply to obtain the second share component ; The authority uses its signing private key to digitally sign the commitment, tracking ciphertext, function vector, first share component, and second share component, generating a digital signature of the issued share. .
4. The privacy-preserving, decentralized, and traceable inner product function encryption method according to claim 3, characterized in that, During the global initialization process of establishing common parameters, set , and It is a prime number. The cyclic group, in which, For the first group, For the second group, For the target group, It is a bilinear mapping; let Generates the common parameters and defines them. Generators in ; During the key aggregation process, after verifying the validity of the digital signature of each key share, the user further verifies that the key share satisfies the following relationship: The first product is obtained by multiplying each component of the authoritative public key by raising it to the power of the corresponding component of the function vector. Calculate generators in common parameters The second product is obtained by bilinear mapping of the second share component of the key share; Calculate generators in common parameters The result of the exponentiation operation with the hidden identity scalar is then bilinearly mapped to the authoritative public key component to obtain the third product; Multiply the first product, the second product, and the third product together to get the value on the right. The first share component of the key share is calculated in relation to the generator in the common parameters. The bilinear mapping yields the left-hand side value; Finally, it was verified that the values on the left and right sides are equal.
5. The privacy-preserving, decentralized, and traceable inner product function encryption method according to claim 4, characterized in that, The data owner encrypts the message vector using an inner product function based on a selected authoritative public key, specifically including: Select an encrypted random number; For each component of the message vector, multiply the corresponding dimension public key component of each selected authority, then exponentiate by the encrypted random number, and finally multiply by the target group. generator The ciphertext of a component is obtained by raising the message component to the power of its value. Calculate the generators in the common parameters respectively The encrypted random number raised to the power of ... The encryption random number is raised to a power of 1 to obtain three auxiliary ciphertext components; Combine all message ciphertext components, three auxiliary ciphertext components, and the selected set of authoritative information into a complete ciphertext.
6. The privacy-preserving, decentralized, and traceable inner product function encryption method according to claim 4, characterized in that, In the decryption step, the user uses the aggregated secret key, ciphertext, and hidden identity scalar to decrypt the data. The inner product is calculated as follows: Each ciphertext component of the message is raised to the power of the corresponding component of the function vector, and then multiplied together to obtain the first numerator. The generator in the computation ciphertext The second numerator is obtained by bilinear mapping of the auxiliary ciphertext component, which is composed of the encryption random number power, and the product of the second share component of all authorities in the aggregate key; Calculate generators in common parameters The bilinear mapping of the aggregated component with the authoritative public key in the ciphertext is then performed with the hidden identity scalar as the exponent to obtain the third numerator; Multiply the first numerator, the second numerator, and the third numerator together to get the numerator; Calculate the product of the first share components of all authorities in the aggregate key and the product of the generators in the ciphertext. The bilinear mapping of the auxiliary ciphertext components, which are formed by powers of the encrypted random number, yields the denominator; Dividing the numerator by the denominator yields an intermediate result, which is equal to the target group. generator The inner product power; Finally, the inner product value is obtained by solving the discrete logarithm.
7. The privacy-preserving, decentralized, and traceable inner product function encryption method according to claim 4, characterized in that, In the distributed tracing process, the specific method by which at least a threshold number of trackers collaborate to recover the tracking tag is as follows: The first and second components of the tracking ciphertext were extracted from the leaked aggregate key; Each tracker participating in the tracking uses their own tracking key share to exponentiate the first component of the tracking ciphertext to obtain a partial decryption result; The tracking committee used the Lagrange interpolation method to calculate the interpolation coefficients based on a subset of trackers participating in the tracking. They then multiplied all the partial decryption results by exponentiation of the corresponding interpolation coefficients and reconstructed the master secret power of the first component of the tracking ciphertext. Divide the second component of the tracking ciphertext by the reconstruction result to recover the tracking label; The registry was queried using the recovered tracking tags as keys to obtain the corresponding real identity.
8. A privacy-preserving, decentralized, and traceable inner product function encryption system for implementing the method of any one of claims 1-7, characterized in that, The system includes: Initialize the entity to perform global initialization, establish common parameters, and generate tracking key shares and a common tracking key for multiple trackers in the tracking committee; Multiple authorities, each of which independently performs authority initialization to generate its own authority public and private keys, and interacts with users to perform privacy key generation to issue key shares; The tracking committee, consisting of multiple trackers, holds a share of the tracking key generated through global initialization and collaborates to perform distributed tracking. The user terminal is used to perform user registration to generate a hidden identity scalar, commitment and tracking ciphertext, perform privacy key generation and authoritative interaction to obtain key shares, aggregate key shares, and decrypt ciphertext; The data owner terminal is used to encrypt the message vector using an inner product function based on the public key of a selected set of authorities, generating and uploading ciphertext.
9. An electronic device, characterized in that, Includes one or more processors; Storage device for storing one or more programs; When one or more programs are executed by one or more processors, the one or more processors implement the privacy-preserving, decentralized, and traceable inner product function encryption method as described in any one of claims 1-7.
10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When executed, the computer program implements the privacy-preserving, decentralized, and traceable inner product function encryption method of any one of claims 1-7.