Research on Attribute-Based Searchable Encryption Protocols

Published: 2018-04-19 10:44

Topic: storage security + attribute-based encryption; Reference: Shandong University, doctoral dissertation, 2015


[Abstract]: With the rapid development of Internet technology and the explosive growth of user data, users increasingly tend to store personal data online. Although this brings flexible storage capacity and low storage cost, it also means users can no longer maintain their data as they would in local storage; they lose physical protection of the data, and the data is at great risk of leakage. Users can protect online data with encryption, but this also deprives them of the ability to operate on the data directly online: they can no longer directly access, search or compute over it. Search is one of the most frequent operations users perform on the Internet. How to protect the privacy of both the user and the storage provider while the user retrieves data, that is, how to search ciphertext data, has become a hot topic in secure storage research in recent years; this is the problem that searchable encryption addresses. Searchable encryption protocols are divided into those in the public-key setting (searchable public-key encryption) and those in the private-key setting (searchable private-key encryption). The first searchable encryption protocol, "Practical techniques for searches on encrypted data" by Song et al., is a searchable private-key encryption protocol. It follows the idea of a stream cipher: a pseudorandom generator produces random keys that are XORed with the data file to produce the ciphertext, and the search decides through an XOR operation whether decryption succeeds. Later searchable encryption protocols mostly implement search by building a secure index. By the nature of private-key encryption, in searchable private-key encryption the index ciphertext of a data file and the keyword to be searched are processed with the same key. Searchable private-key encryption is therefore mostly used in services such as personal storage, although combined with key distribution and similar techniques it can also serve multi-user retrieval scenarios. Searchable public-key encryption was first proposed by Boneh, Crescenzo, Ostrovsky and Persiano at Eurocrypt 2004. Its main application scenario is an e-mail system: the sender encrypts the mail and its keywords with the receiver's public key, the receiver generates a search request with its own private key, and the mail server performs the computation and returns the mails containing a given keyword to the receiver. The protocol guarantees that neither the user nor the storage server leaks its private information during the search. By the nature of public-key encryption, the secure index and the searched keyword in searchable public-key encryption are encrypted under different keys, so a user can encrypt data and then let a third party, or several parties, perform searches. This capability greatly extends the applicability of searchable encryption and fits data-sharing scenarios well. Before studying searchable encryption, we first study a newer public-key encryption system, attribute-based encryption. Attribute-based encryption was first proposed by Sahai and Waters in 2005 as an extension of identity-based encryption. It splits a user's identity into a set of attributes, so that each user holds an attribute set that identifies them; this makes the definition of identity more flexible and introduces access structures into the encryption protocol, giving it flexible decryption capability. Beyond the advantages of identity-based encryption, the distinctive access-control structure and attribute sets of attribute-based encryption let the encryptor determine the identities of the decryptors more flexibly. Attribute-based encryption is divided into ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In KP-ABE the access-control policy lives in the key and the attribute set in the ciphertext; in CP-ABE it is the reverse: the key carries the attribute set and the ciphertext carries the access-control policy. Comparing the two, as a cryptographic protocol CP-ABE clearly has better properties than KP-ABE: in CP-ABE the encryptor defines the access policy in the ciphertext, and the decryptor uses the private key generated from its own attributes to check whether the policy is satisfied and thus whether decryption succeeds. For an encryption protocol this is obviously better suited to the usual encryption scenario. In KP-ABE, by contrast, the access policy is defined by the decryptor, so the encryptor cannot fully control the decryption process, which does not suit the encryption scenario; this property, however, enables confidential access control, outsourced computation and ciphertext retrieval in networks. Since this thesis focuses on searchable encryption, we mainly study KP-ABE. To keep the encryptor's identity confidential, anonymity is also an important property of public-key systems. Anonymity of attribute-based encryption guarantees that an attacker cannot distinguish the attributes used for encryption and thus effectively protects user privacy. Previous ABE protocols did not address this important property. In this thesis we study and improve key-policy ABE, proposing an ABE protocol with attribute hiding that is fully secure. We use the idea of dual system encryption and use composite-order bilinear groups to provide sufficient security for the protocol. The order of the bilinear group is the product of four primes, that is, the group is composed of four prime-order subgroups: the first subgroup is used for normal encryption and decryption, the second is the semi-functional space used in the proof, the third guarantees the randomness of keys, and the fourth protects the confidentiality of user attributes. Attribute hiding is a weakened form of anonymity; our attribute hiding partially solves the anonymity of ABE. Although this property cannot fully guarantee the security of user attributes, it suffices to provide keyword confidentiality when we construct searchable encryption later. To construct a secure public-key searchable encryption protocol, we propose a general method for building attribute-based searchable encryption from an ABE protocol, and prove that the consistency and security of the searchable encryption protocol reduce respectively to the security and the attribute hiding of the ABE protocol. Following this method, we use the above ABE protocol to construct a secure searchable attribute-based encryption protocol. The keyword guessing attack is an effective attack against searchable encryption, and resisting it is a hot topic in the field. The keyword guessing attack arises because the entropy of valid keywords in the plaintext space is too low. Providing some randomness for the keyword index is an effective countermeasure, so that an attacker cannot guess valid keywords to attack the protocol. First, inspired by the function-private identity-based encryption of Boneh, Raghunathan and Segev, we construct an ABE protocol with function privacy, a property that prevents an attacker from distinguishing private keys generated from user attributes and thus keeps user identities confidential. We use a three-step "generate-append-compose" method to improve the original ABE protocol: in the generate step a random number is added to strengthen the randomness of the private key; in the append step the decryption algorithm is modified; the changes are then composed so that the protocol still decrypts correctly while guaranteeing function privacy. Using the general construction method above, we build a searchable encryption protocol on this ABE protocol and prove that its resistance to keyword guessing attacks reduces to the function privacy of the ABE, so that our protocol resists keyword guessing attacks.
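As an added example (not code from the thesis or from Song et al.), the following Python sketches the stream-cipher style search test the abstract describes for the first searchable private-key scheme: each word is pre-encrypted deterministically, XORed with a pseudorandom block <S_i, F_{k_i}(S_i)>, and the server tests a word by XORing the trapdoor into the ciphertext and checking whether the right half is the PRF of the left half. The keys, the HMAC-SHA256 instantiation of the PRF, the 32-byte block size and the sample document are constructed assumptions; the invertible block cipher Song et al. use for the pre-encryption is replaced by a PRF here, so the owner recovers the pre-encrypted blocks rather than plaintext words.

```python
import hmac
import hashlib

# Constructed parameters: the block size equals the HMAC-SHA256 output length.
BLOCK = 32
HALF = BLOCK // 2

# Constructed sample keys and document (not from the thesis).
K_ENC = b"constructed-pre-encryption-key"
K_PRF = b"constructed-prf-key"
SEED = b"constructed-stream-seed"
DOC = ["attribute", "based", "searchable", "encryption", "attribute"]


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudorandom function F_k, instantiated with HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pre_encrypt(k_enc: bytes, word: str) -> bytes:
    """Deterministic word encryption X_i = E_k(W_i), later split into L_i || R_i."""
    return prf(k_enc, word.encode())[:BLOCK]


def stream_block(seed: bytes, i: int) -> bytes:
    """S_i: the i-th output of the owner's pseudorandom generator."""
    return prf(seed, i.to_bytes(4, "big"))[:HALF]


def encrypt_document(k_enc: bytes, k_prf: bytes, seed: bytes, words: list) -> list:
    """C_i = X_i XOR <S_i, F_{k_i}(S_i)> with the word-dependent key k_i = f_{k_prf}(L_i)."""
    cts = []
    for i, w in enumerate(words):
        x = pre_encrypt(k_enc, w)
        left = x[:HALF]
        s = stream_block(seed, i)
        k_i = prf(k_prf, left)[:HALF]
        t = s + prf(k_i, s)[:HALF]
        cts.append(xor(x, t))
    return cts


def trapdoor(k_enc: bytes, k_prf: bytes, word: str) -> tuple:
    """Search token handed to the server: X_w and the word-dependent key k_w."""
    x = pre_encrypt(k_enc, word)
    return x, prf(k_prf, x[:HALF])[:HALF]


def search(cts: list, td: tuple) -> list:
    """Server side: XOR the trapdoor in, then test whether the right half equals F_{k_w}(left half)."""
    x, k_w = td
    hits = []
    for i, c in enumerate(cts):
        t = xor(c, x)
        s, tag = t[:HALF], t[HALF:]
        if hmac.compare_digest(prf(k_w, s)[:HALF], tag):
            hits.append(i)
    return hits


def recover_pre_encrypted(k_prf: bytes, seed: bytes, cts: list) -> list:
    """Owner side: regenerate S_i, recover L_i, derive k_i, then recover R_i."""
    out = []
    for i, c in enumerate(cts):
        s = stream_block(seed, i)
        left = xor(c[:HALF], s)
        k_i = prf(k_prf, left)[:HALF]
        right = xor(c[HALF:], prf(k_i, s)[:HALF])
        out.append(left + right)
    return out


def demo() -> dict:
    cts = encrypt_document(K_ENC, K_PRF, SEED, DOC)
    return {
        "hits_attribute": search(cts, trapdoor(K_ENC, K_PRF, "attribute")),
        "hits_absent": search(cts, trapdoor(K_ENC, K_PRF, "absent")),
        "distinct_ciphertexts": len(set(cts)),
        "recovered": recover_pre_encrypted(K_PRF, SEED, cts) == [pre_encrypt(K_ENC, w) for w in DOC],
    }


if __name__ == "__main__":
    print(demo())
```

The XOR structure is what lets the server test membership without holding the pre-encryption key, and the per-position stream block S_i is why two occurrences of the same word produce different ciphertexts. Because X_i is deterministic, however, once a trapdoor has been searched the server learns which positions share that word; this search-pattern leakage is inherent to the scheme, which is one reason later work moved to secure indexes, as the abstract notes.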
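As an added example, not code from the thesis, the following Python makes the CP-ABE/KP-ABE distinction in the abstract concrete with a threshold-gate access structure: one evaluator is called with the policy taken from the ciphertext (CP-ABE) or from the key (KP-ABE). The last function illustrates why the abstract says the KP-ABE orientation suits ciphertext retrieval: if each index entry carries keyword attributes and each search token is a key carrying a policy, then "the token decrypts the entry" is exactly "the entry matches the query". The attribute names, the `kw:` encoding and the sample index are constructed assumptions and not the thesis's own construction; no pairing-based cryptography is involved.

```python
from dataclasses import dataclass
from typing import Tuple, Union

Node = Union[str, "Gate"]


@dataclass(frozen=True)
class Gate:
    """Threshold gate: satisfied when at least k of its children are satisfied."""
    k: int
    children: Tuple[Node, ...]


def AND(*children: Node) -> Gate:
    return Gate(len(children), tuple(children))


def OR(*children: Node) -> Gate:
    return Gate(1, tuple(children))


def satisfies(node: Node, attrs: set) -> bool:
    """Evaluate an access tree (threshold gates over attribute leaves) against an attribute set."""
    if isinstance(node, str):
        return node in attrs
    met = sum(1 for child in node.children if satisfies(child, attrs))
    return met >= node.k


def cp_abe_decrypts(ciphertext_policy: Node, key_attributes: set) -> bool:
    """CP-ABE: the encryptor fixed the policy in the ciphertext; the key holds attributes."""
    return satisfies(ciphertext_policy, key_attributes)


def kp_abe_decrypts(key_policy: Node, ciphertext_attributes: set) -> bool:
    """KP-ABE: the key issued to the decryptor holds the policy; the ciphertext holds attributes."""
    return satisfies(key_policy, ciphertext_attributes)


def kp_search(index: dict, token_policy: Node) -> list:
    """Constructed illustration of retrieval with the KP-ABE orientation: index entries are
    keyword-attribute sets (the 'ciphertexts'); a search token is a key whose policy ranges
    over keyword attributes. Returns the documents the token 'decrypts'."""
    return sorted(doc for doc, kws in index.items() if kp_abe_decrypts(token_policy, kws))


# Constructed sample data (assumed attribute vocabulary, not from the thesis).
SHARE_POLICY = AND(
    "dept:security",
    OR("role:lead", Gate(2, ("clearance:high", "training:done", "mfa:enrolled"))),
)
INDEX = {
    "doc1": {"kw:attribute", "kw:encryption"},
    "doc2": {"kw:searchable", "kw:encryption"},
    "doc3": {"kw:attribute", "kw:searchable", "kw:encryption"},
}


def demo() -> dict:
    return {
        "cp_lead": cp_abe_decrypts(SHARE_POLICY, {"dept:security", "role:lead"}),
        "cp_two_of_three": cp_abe_decrypts(SHARE_POLICY, {"dept:security", "clearance:high", "mfa:enrolled"}),
        "cp_one_of_three": cp_abe_decrypts(SHARE_POLICY, {"dept:security", "clearance:high"}),
        # Same evaluator, but here the policy is the decryptor's key and the set is the ciphertext's.
        "kp_same_predicate": kp_abe_decrypts(SHARE_POLICY, {"dept:security", "role:lead"}),
        "search_and": kp_search(INDEX, AND("kw:attribute", "kw:searchable")),
        "search_or": kp_search(INDEX, OR("kw:attribute", "kw:searchable")),
    }


if __name__ == "__main__":
    print(demo())
```

The evaluator is shared; the two variants differ only in which party fixes the policy. That asymmetry is what the abstract builds on: in KP-ABE the query side rather than the encryptor decides the predicate, so a search token can express a keyword condition over an index that was written before the query existed.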

[Degree-granting institution]: Shandong University
[Degree level]: Doctor
[Year degree granted]: 2015
[Classification number]: TN918.4;TP393.04

[Related literature]

Related journal articles (top 10)

1 张颖; Structure and implementation of a communication-authorization encryption protocol [J]; 湖北工学院学报; 1997(02)

2 ; An expert's guide to preventing illegal attacks on wireless networks [J]; 计算机与网络; 2011(01)

3 蒋德荣; 陶冬霞; 史小宏; A mobile Agent protection mechanism based on triple encryption [J]; 电脑知识与技术(学术交流); 2007(17)

4 桑田, 黄连生, 张磊; An improved formal verification model and algorithm for encryption protocols [J]; 清华大学学报(自然科学版); 2002(01)

5 张建中; Research on link-layer encryption protocols [J]; 通信保密; 1993(02)

6 杨致伟; A new model for security audit technology [J]; 信息安全与通信保密; 2008(02)

7 肖德琴, 周权, 张焕国, 刘才兴; Analysis of encryption protocols based on temporal logic [J]; 计算机学报; 2002(10)

8 陆超; 周颢; 陈波; 赵保华; Formal verification of the Kao Chow encryption protocol based on strand spaces [J]; 中国科学技术大学学报; 2007(12)

9 丁一强; Analysis of encryption protocols based on CCS [J]; 软件学报; 1999(10)

10 曾克彬; Security analysis of the WEP wired equivalent privacy protocol [J]; 网络安全技术与应用; 2006(09)

Related major newspaper articles (top 1)

1 边韵; Notes on security auditing [N]; 网络世界; 2006

Related doctoral dissertations (top 1)

1 韩斐; Research on Attribute-Based Searchable Encryption Protocols [D]; Shandong University; 2015

Related master's theses (top 3)

1 吕晓冬; An analysis method for encryption protocols [D]; Zhengzhou University; 2001

2 朱志军; Research on vulnerability discovery methods for encryption protocols based on fuzz testing [D]; Huazhong University of Science and Technology; 2012

3 吴杰; A mutually non-repudiable small-public-key RSA encryption protocol and its applications [D]; Jinan University; 2005



Document number: 1772767


Link to this document: https://www.wllwen.com/shoufeilunwen/xxkjbs/1772767.html

