ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2020, Vol. 57 ›› Issue (5): 1057-1069.doi: 10.7544/issn1000-1239.2020.20190254

• 信息安全 • 上一篇    下一篇

支持用户权限动态变更的可更新属性加密方案

严新成1,陈越1,巴阳1,贾洪勇2,王仲辉3   

  1. 1( 战略支援部队信息工程大学 郑州 450001);2( 郑州大学软件与应用科技学院 郑州 450001);3( 西部战区陆军参谋部附属单位 兰州 730030) (imtodshine@163.com)
  • 出版日期: 2020-05-01
  • 基金资助: 
    国家自然科学基金项目(61702549);河南省科技攻关计划项目(172102210017)

Updatable Attribute-Based Encryption Scheme Supporting Dynamic Change of User Rights

Yan Xincheng1, Chen Yue1, Ba Yang1, Jia Hongyong2, Wang Zhonghui3   

  1. 1( Strategic Support Force Information Engineering University, Zhengzhou 450001);2( School of Software and Applied Technology, Zhengzhou University, Zhengzhou 450001);3( Subordinate Unit of the Army Staff, Western Theater Command, Lanzhou 730030)
  • Online: 2020-05-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61702549) and the Science and Technology Program of Henan Province (172102210017).

摘要: 属性加密在实现云数据细粒度安全共享方面具有较大优势.由于云存储中用户访问权限动态变化,当属性或用户私钥撤销时,数据重加密是保证密文前向安全性的有效方法,但相应的计算开销及数据上传下载的通信开销过大.针对上述问题,提出一种支持用户权限动态变更的可更新属性加密方案(updatable attribute-based encryption scheme supporting dynamic change of user rights, SDCUR-UABE).通过在密文策略属性加密中构造属性及用户版本密钥,在撤销用户属性时只需更新用户私钥对应的转换密钥构件;撤销系统属性时需要更新属性版本密钥来实现对密文密钥部分构件的可替换更新;撤销用户私钥时只需更新用户版本密钥.由此避免了基于数据重加密实现密文更新带来的巨大计算开销及通信开销.此外,在方案构造中利用密钥分割实现数据解密外包来降低用户的解密开销.理论分析及实验验证表明:在保证密文前向安全性的前提下,该方案能够有效解决云存储系统中用户权限动态变更时密文更新的计算效率与通信开销问题,同时减轻了用户解密的计算量.

关键词: 云存储, 属性加密, 解密外包, 属性撤销, 私钥撤销

Abstract: Attribute-based encryption has great advantages in achieving fine-grained secure sharing for cloud data. Due to the dynamic changes of user access rights in cloud storage, data re-encryption is an effective method to ensure the forward security of ciphertext when the attribute or user private key is revoked, but the corresponding computation overhead and communication overhead of data uploading and downloading are too large. To address these issues, an updatable attribute-based encryption scheme is proposed to support dynamic changes of user rights (SDCUR-UABE). By constructing the attribute version key and user version key in ciphertext-policy attribute-based encryption, only the corresponding components of transformation key in user’s private key need to be updated when the user attribute is revoked. Similarly, when a system attribute is revoked, the corresponding attribute version key needs to be updated to implement replaceable update of part components for the ciphertext and key. Next, only the user version key needs to be updated when the user private key is revoked. Therefore the expensive computation and communication overhead caused by ciphertext update based on data re-encryption can be avoided. Besides, key segmentation is used to realize data decryption outsourcing to reduce the user’s decryption overhead in the construction of the scheme. Theoretical analysis and experimental verification show that the proposed scheme can effectively solve the computing efficiency and communication overhead of ciphertext update when the user rights are dynamically changed in the cloud storage system, and greatly reduce the computational complexity of user decryption under the premise of guaranteeing forward security for ciphertext.

Key words: cloud storage, attribute-based encryption, decryption outsourcing, attribute revocation, private key revocation

中图分类号: