Block chain privacy protection method based on online offline attribute encryption
Technical Field
The invention relates to the technical field of blockchains, in particular to a blockchain privacy protection method based on online and offline attribute encryption.
Background
Blockchains are a trusted distributed data storage technology implemented based on P2P networks and cryptography, and are becoming popular and widely used in various scenarios based on their non-repudiation, consensus and transparency, and non-tampering, etc., as a decentralized distributed accounting system. However, the conventional blockchain achieves transparency and traceability of data, and meanwhile, the privacy security of a user is threatened to a certain extent. How to protect user privacy security while achieving the advantage of transparent traceability of blockchain has become a research hotspot.
Aiming at the problem of traceability of blockchain data and user privacy leakage, in order to protect user privacy security, reference 1 ("outsourced attribute-based encryption scheme with keyword search for self-adaptive security", guo Lifeng, wang Qianli, computer application, 2021, 41 (11): 3266-3273) and reference 2 ("CP-WABE scheme supporting offline/online encryption and verifiable outsource decryption", li Hang, feng Chaosheng, liu Shuaina, liu Bin, zhao Kaijiang, e-newspaper, 2020, 48 (11): 2146-2153) are searched to outsource partial encryption calculation and partial decryption calculation to offline institutions in an online/offline manner, and although the calculation cost of data owners and data users is reduced, the method is not well applicable to blockchain. Reference 3 ("blockchain manageable privacy protection scheme based on group signature and attribute encryption", li Li, du Huina, li Tao, computer engineering: 1-9[2022-01-04]. DOI: 10.19678/j.issn.1000-3428.0062464) proposes a blockchain privacy protection scheme of double-chain structure, which effectively protects private information of users through a group signature technique and an attribute encryption technique. However, the scheme has only one verifier, cannot effectively prevent collusion between the verifier and the user, cannot effectively ensure reality and transparency of information, and cannot be well applied to equipment with limited computing resources. Reference 4 ("blocking chain privacy protection scheme based on SM9 algorithm to prove security", yang Yatao, cai Juliang, zhangwei, yuan Zheng, software report, 2019, 30 (06): 1692-1704.DOI: 10.13328/j.cnki.jos.005745) proposes a privacy protection scheme mainly applied to federated chains, and by setting of a verifier population (i.e. federated chains), privacy information of users is effectively protected. However, the scheme is mainly applied to the alliance chain, cannot be well applied to the double-chain structure, and cannot be well applied to equipment with limited computing resources.
In combination with the features of references 1 to 4, in order to be suitable for devices with limited computing resources, fine-grained user privacy protection is realized, meanwhile, responsibility can be added to the owners and signers of data, and the security of the data is improved, so that a protection scheme based on online offline attributes is provided.
Disclosure of Invention
Aiming at the problems in the background technology, the invention provides a privacy protection method for protecting the privacy safety of users, which reduces the calculation cost of the users through an online offline attribute encryption algorithm, realizes fine-granularity user access control, and realizes bidirectional traceability of the users and verifiers through double-chain design and group signature verification so as to improve the safety of data, in particular to a blockchain privacy protection method based on online offline attribute encryption.
In order to solve the technical problems, the invention adopts the following technical scheme: the block chain privacy protection method based on online offline attribute encryption relates to a block chain system and a plurality of entity modules, wherein the entity modules comprise a data owner DO, a data user DU, a group manager GM, an offline encryption mechanism OEA, an offline decryption mechanism ODE, a alliance chain AC and a sharing chain EST; the block chain system is used for providing a distributed and trusted data storage cloud server system for the entity module, and the implementation mode of the block chain system comprises a system initialization stage, a user registration stage, an encryption stage, a group signature authentication stage, a data user decryption stage and a responsibility tracking stage.
Furthermore, the protection method based on online offline attribute encryption utilizes a blockchain to combine an offline encryption mechanism and an offline decryption mechanism through an online offline attribute encryption algorithm, so that fine-granularity user access control is realized while the calculation cost of a user is reduced, single-point fault problems are prevented, collusion is prevented between the user and a verifier through double-chain control of a shared chain and a alliance chain, and meanwhile, bidirectional traceability of a data owner and the verifier is realized through group signature verification, and the numerical control safety is improved; the data owner DO sends an access structure to an offline encryption mechanism ODE, the offline encryption mechanism calculates an intermediate ciphertext based on a time period tree and the access structure and returns the intermediate ciphertext to the data owner DO, and the data owner DO encrypts data by using the intermediate ciphertext and sends the ciphertext to a cloud server system in a blockchain system; the data user searches keywords through the cloud server system and obtains matched ciphertext; the data user DU sends the ciphertext to an offline decryption mechanism ODE, the offline decryption mechanism ODE carries out partial decryption on the ciphertext based on the attribute and the secret key of the data user DO to obtain a converted ciphertext, and the converted ciphertext is returned to the data user DO; the data user DO decrypts the transformed ciphertext using the transformed key to obtain the data.
Further, the blockchain privacy protection method based on online offline attribute encryption, disclosed by the invention, comprises the following specific implementation modes of the system initialization stage:
(1) In the system initialization stage, determining the related attribute of system initialization: data owner running System setup algorithm Systemsetup (1 λ ) -PK, MSK), i.e. inputting a security factor λ, the system generates a public key PK, saidMSK=(α,a,γ);
Wherein G1 and G2 are prime number p-order cyclic groups, and G is a generator of G1; e is bilinear map: g1×g1→g2; random numbers alpha, a, beta E Z p The method comprises the steps of carrying out a first treatment on the surface of the j represents the number of attributes; selecting j random numbers h j ∈G 1 The method comprises the steps of carrying out a first treatment on the surface of the Hash function H0: {0,1} → G1, H1: {0,1} → G2, H2: {0,1} → G2;
(2) Group administrator GM initialization: the group manager runs a system building algorithm GMSitup (PK) → (GMKey, GMPK, GMSK), inputs a public key PK, and generates a key GMKey, a group public key GMPK and a group tracking key GMSK of each group manager GM;
GMKey=γ i ,GMSK=(δ 1 ,δ 2 ),
wherein i represents the number of group administrators; gamma ray i Representing i random numbers; g1 is a generator of G1; random number delta 1 ,δ 2 ∈Z p ;u,v∈G 1 ;
(3) Alliance chain AC initialization: actetup (PK, id) → (sign mk, sign PK), inputting public key PK, the system generating a federation chain signature master key sign mk and each node signature private key sign PK; in the alliance chain, the alliance chain is divided into a main node and a secondary node, wherein the main node is responsible for maintenance work of the blockchain and distributes id and signature private keys for newly added blocks;
T=H 1 (id||hid,N)+ks;
wherein k represents the number of key generation centers AAk in the alliance chain; ks, kek is a random number of the key generation center, and ks, ke k ∈[1,N-1]Kek are respectively held by k key generating centers, and N is a finite field; p2 is a generator of G2, and P1 is a generator of G1; id is the unique identifier of each secondary node in the alliance chain, and is a string of random numbers issued for the primary node; the hide indicates concealment.
Further, the blockchain privacy protection method based on online offline attribute encryption, disclosed by the invention, comprises the following specific implementation modes of the user registration stage:
(1) The user obtains a user private key fragment UKey i: GMKeyGen (PK) → ukyi; the user puts forward a registration application Apply to the group manager GM, if the group manager GM agrees, the i group managers respectively generate corresponding user private key fragments UKey i for the user, and send the user private key fragments UKey i to the user; while in the blockchain, users may be subdivided into data owners DO and data consumers DU;
wherein, the random number x epsilon Z p ;
(2) User calculation: GMKeyGen (PK, S, ukyi) → (UKey, IDU, cpa_sk); the user calculates a user private key UKey and a user identifier IDU of the user through an algorithm, and submits a user attribute set AS= { a1, a2, & gt, aj } to a group administrator to obtain an attribute encryption key CPA_SK and an offline verification key VK;
CPA_SK=(g α h d ,z,TK),VK=(g 1/(β+μ) ,μ);
wherein vj is the weight value of each attribute in the user attribute set AS; TK is a ciphertext conversion key of attribute encryption; d, Z is a random number, and d, Z, μ ε Z p 。
Further, the blockchain privacy protection method based on online offline attribute encryption disclosed by the invention comprises the following specific implementation modes of the encryption stage:
(1) The offline encryption mechanism OEA performs offline encryption: OEA_Enc (PK) →IC, and the data owner DO selects a secret value s to be transmitted to the off-line encryption mechanism; the offline encryption mechanism calculates an intermediate ciphertext IC through a secret value s and sends the intermediate ciphertext IC to a data owner DO;
wherein the secret value s epsilon Z p The method comprises the steps of carrying out a first treatment on the surface of the Random number epsilon, y epsilon Z p ;
(2) The data owner DO encrypts: DO_Enc (PK, IC, VK, message) →CT. The data owner DO finally encrypts the plaintext Message through an access structure AC and an intermediate ciphertext IC to obtain an attribute encrypted ciphertext CT;
C 1 =g μ/(β+μ) ,g β ·g μ ,H 1 (e(g,g) μ ,R·H 1 (Message),
wherein,for the mapping of the attribute aj in the access structure ac= (M, ρ (x)), θ is the secret share of aj in the mapping function ρ (x); r is a random ciphertext parameter, and R epsilon G 2 The method comprises the steps of carrying out a first treatment on the surface of the M is a mapping matrix, and each row in M corresponds to an attribute.
Further, the blockchain privacy protection method based on online offline attribute encryption, disclosed by the invention, comprises the following specific implementation modes of the group signature authentication stage:
(1) The alliance chain AC secondary node a signs the ciphertext CT: AC_Sign (CT, signMK, signPK) → (SignCT, DO_Verify). The method comprises the steps that a secondary node A of a alliance chain signs a ciphertext CT, so that the secondary node A in the alliance chain carries out signature operation through a signature master key SignMK and a signature private key SignPK of the secondary node A, and a group signature SignCT and a source verification value DO_Verify of the secondary node in the alliance chain to the ciphertext CT are obtained.
Wherein the random number r 1 ,r 2 ∈[1,N-1]The method comprises the steps of carrying out a first treatment on the surface of the idA represents the id identification of the secondary node a; τ, χ is a random number, and τ, χ ε Z p The method comprises the steps of carrying out a first treatment on the surface of the Selecting a random blinding factor b 1 ,b 2 ,b 3 ,b 4 ,b 5 ∈Z p 。
(2) Alliance chain AC verification phase: AC Verify (SignCT) →1/0. The alliance chain receives the ciphertext CT and the corresponding group signature SignCT, and verifies the group signature through an algorithm. If it is proved that the signature is generated by a certain node in the alliance chain, outputting 1 and; otherwise, outputting 0 and discarding the ciphertext CT;
and (3) calculating: u (U) 1 =e(SS·SignAG),U 2 =e(SS·SignPK A );
Verification U 1 =U 2 If the two types of data are equal, performing next verification; if not, discarding the ciphertext CT;
from the received SignCT calculation:
the verification is performed such that,if the CT is equal, the CT is sent to a sharing chain for sharing; otherwise, discarding the ciphertext CT; the ciphertext CT can be proved to pass the alliance chain signature verification through verification;
(3) And (3) a step of uplink: the method comprises the steps that a UTXO mode is adopted for uplink, a secondary node A sends a Number of a last transaction, a hash value HLast of the last transaction and a group signature SignCT of the current transaction to a alliance chain master node V, the master node V generates a New block and verifies information in the block, if the verification is passed, the New block is integrated into a shared chain, otherwise, the block is discarded;
in the alliance chain AC verification stage, each node in the alliance chain searches the last transaction information associated with the new block in the shared chain, compares whether the input of the new block is the same with the output value of the last transaction, and if the new block is agreed by most nodes in the alliance chain, the main node merges the new block into the shared chain, otherwise, discards the new block.
Further, the blockchain privacy protection method based on online offline attribute encryption of the present invention, wherein the specific implementation manner of the data user decryption stage is as follows:
(1) The offline decryption mechanism ODA performs partial decryption: ODA_Dec (AC, CT, TK) →PC, and data user DU transmits ciphertext CT and ciphertext conversion key TK to offline decryption mechanism ODA; the offline encryption mechanism ODA firstly checks whether the attribute set AS of the data user meets the requirement of the access structure AC, if so, carries out partial decryption on the ciphertext CT and sends the partial decrypted ciphertext PC to the data user DU; otherwise, outputting 0;
PC=(AC,MM,R·e(g,g) αs ,g s ,e(g,g) daθ/z ,C 1 );
(2) The data user DU decrypts: DU_Dec (PC, CPA_SK) →R; the data user DU decrypts the partial decryption ciphertext PC through the attribute encryption key CPA_SK to obtain a random ciphertext parameter R;
R=R·e(g,g) αs /(e(g s ,g α h d )/e(g,g) das );
further, the blockchain privacy protection method based on online offline attribute encryption, disclosed by the invention, comprises the following specific implementation modes of the responsibility following stage:
(1) The responsibilities data owner DO: DO_Account (GMSK) →idDO. If the group administrator votes to pass through the requirement of the data owner, the id of the data owner can be calculated and obtained through the source verification value DO_verity and the group tracking key GMSK;
is known to beThen->
(2) Responsibility-pursuing signer a: a_accountability (sign ct, sign pk) →ida; in the uplink process, if a group administrator votes through a request for a responsibility-following data owner by adopting a group signature verification method and a UTXO uplink mode, a master node can find a first address to carry out responsibility-following through a chain-by-chain source tracing mode for the transaction; through the group signature SignCT and the signature private key SignP, the idA hash value HID of the signer A is extracted, and the host node can find the idA of the signer by comparing the HID values corresponding to the ids of the child nodes one by one.
Compared with the prior art, the blockchain privacy protection method based on online and offline attribute encryption has the beneficial effects that: the block chain is utilized to combine the offline encryption mechanism and the offline decryption mechanism through the online offline attribute encryption algorithm, so that the computing expense of a user is reduced, fine-granularity user access control is realized, the method is applicable to equipment with limited computing resources, single-point fault problems are prevented, collusion between the user and a verifier is prevented through double-chain control of a shared chain and a alliance chain, and meanwhile, bidirectional traceability of a data owner and the verifier is realized through group signature verification, and the numerical control safety is improved.
Drawings
The invention is described in further detail below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of the corresponding structure of an access structure control tree and LSSS matrix according to the present invention;
FIG. 2 is a schematic diagram of a structural model of the entity module according to the present invention;
fig. 3 is a schematic block diagram of a protection method according to the present invention.
Detailed Description
In order to further illustrate the inventive concept, embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following detailed description of the embodiments and the accompanying drawings are provided to illustrate the principles of the invention and are not intended to limit the scope of the invention, i.e., the invention is not limited to the embodiments described.
The invention discloses a blockchain privacy protection method based on online and offline attribute encryption, which is characterized in that an application scene is designed firstly, a doctor-patient communication platform based on a cloud service platform is assumed to exist, a user B is a patient registered on the internet and wants to consult doctors on the cloud service platform and acquire treatment suggestions, but the user B hopes that the doctor can acquire a diagnosis and treatment list without revealing own diagnosis and treatment information at the same time, and a promise can be provided for ensuring that the diagnosis and treatment list comes from a regular registered doctor and can follow up to a doctor and a verifier of diagnosis and treatment in the later medical accident. The scheme is suitable for equipment with limited computing resources, and can be used for carrying out responsibility-pursuing on owners and signers of data while achieving fine-grained user privacy protection. Meanwhile, in order to facilitate understanding of the technical scheme of the present invention, related knowledge of the access structure and bilinear map is involved, and the following description is made on the access structure and bilinear map:
access structure: assume there is a non-empty user attribute set a, a= { A1, A2,..an }; there is one non-empty access control set S, s= { S1, S2,..sk }; if A and S satisfyThen set a is referred to as the authorization set under access control S; otherwise, set a is referred to as an unauthorized set under access control S. In CP-ABE, if a is an authorization set, there is a matrix AA, and there is a function ρ (x), so that each row in the matrix AA can be mapped with the attributes in S one by one, then the matrix AA is called LSSS matrix, and the number of rows of the LSSS matrix is equal to the number of leaf nodes on the access control tree, i.e. the number of attributes. The access structure control tree and LSSS matrix map as shown in fig. 1.
Bilinear mapping: setting G1, G2 and G3 as prime number p-order cyclic groups; there is a mapping relationship e: g1×g2→g3, if e is a bilinear pair, then:
A. bilinear: any a, b E Zp, all have
B. Non-degradability: there is one G1, G2, such that e (G1, G2) noteq1;
C. calculability: there is an efficient algorithm to calculate e (G1, G2).
Aiming at the application scene, fine-granularity user privacy protection is realized, meanwhile, responsibility can be pursued for the owner and the signer of the data, bidirectional traceability is realized for the user and the verifier, and the safety of the data is improved, so that a blockchain privacy protection method based on online offline attribute encryption is provided, and the detailed design scheme of the protection method is as follows:
a block chain privacy protection method based on online offline attribute encryption relates to a block chain system and a plurality of entity modules, wherein the structure model of the block chain privacy protection method is shown in figure 2, and the entity modules comprise a data owner DO, a data user DU, a group manager GM, an offline encryption mechanism OEA, an offline decryption mechanism ODE, a alliance chain AC and a sharing chain EST; the block chain system is used for providing a distributed and credible data storage cloud server system for the entity module, and the implementation mode of the block chain system comprises a system initialization stage, a user registration stage, an encryption stage, a group signature authentication stage, a data user decryption stage and a responsibility tracking stage; the specific operation flow is shown in fig. 3, and specifically includes the following steps that the data owner DO sends an access structure to an offline encryption mechanism ODE, the offline encryption mechanism calculates an intermediate ciphertext based on a time period tree and the access structure and returns the intermediate ciphertext to the data owner DO, and the data owner DO encrypts data by using the intermediate ciphertext and sends the ciphertext to a cloud server system in the blockchain system; the data user searches keywords through the cloud server system and obtains matched ciphertext; the data user DU sends the ciphertext to an offline decryption mechanism ODE, the offline decryption mechanism ODE carries out partial decryption on the ciphertext based on the attribute and the secret key of the data user DO to obtain a converted ciphertext, and the converted ciphertext is returned to the data user DO; the data user DO decrypts the transformed ciphertext using the transformed key to obtain the data.
1. System initialization phase:
(1) First, the system initialization related attribute is to be determined: data owner running System setup algorithm Systemsetup (1 λ ) -PK, MSK), i.e. inputting a security factor λ, the system generates a public key PK, saidMSK=(α,a,γ);
Wherein G1 and G2 are prime number p-order cyclic groups, and G is a generator of G1; e is bilinear map: g1×g1→g2; random numbers alpha, a, beta E Z p The method comprises the steps of carrying out a first treatment on the surface of the j represents the number of attributes; selecting j random numbers h j ∈G 1 The method comprises the steps of carrying out a first treatment on the surface of the Hash function H0: {0,1} → G1, H1: {0,1} → G2, H2: {0,1} → G2;
(2) Secondly, initializing a group manager GM: the group manager runs a system building algorithm GMSitup (PK) → (GMKey, GMPK, GMSK), inputs a public key PK, and generates a key GMKey, a group public key GMPK and a group tracking key GMSK of each group manager GM;
GMKey=γ i ,GMSK=(δ 1 ,δ 2 ),
wherein i represents the number of group administrators; gamma ray i Representing i random numbers; g1 is a generator of G1; random number delta 1 ,δ 2 ∈Z p ;u,v∈G 1 ;
(3) Finally, alliance chain AC initialization: actetup (PK, id) → (sign mk, sign PK), inputting public key PK, the system generating a federation chain signature master key sign mk and each node signature private key sign PK; in the alliance chain, the alliance chain is divided into a main node and a secondary node, wherein the main node is responsible for maintenance work of the blockchain and distributes id and signature private keys for newly added blocks;
T=H 1 (id||hid,N)+ks;
wherein k represents the number of key generation centers AAk in the alliance chain; ks, kek is a random number of the key generation center, and ks, ke k ∈[1,N-1]Kek are respectively held by k key generating centers, and N is a finite field; p2 is a generator of G2, and P1 is a generator of G1; id is the unique identifier of each secondary node in the alliance chain, and is a string of random numbers issued for the primary node; the hide indicates concealment.
2. A user registration stage:
(1) The user obtains a user private key fragment UKey i: GMKeyGen (PK) → ukyi; the user puts forward a registration application Apply to the group manager GM, if the group manager GM agrees, the i group managers respectively generate corresponding user private key fragments UKey i for the user, and send the user private key fragments UKey i to the user; while in the blockchain, users may be subdivided into data owners DO and data consumers DU;
wherein, the random number x epsilon Z p ;
(2) User calculation: GMKeyGen (PK, S, ukyi) → (UKey, IDU, cpa_sk); the user calculates a user private key UKey and a user identifier IDU of the user through an algorithm, and submits a user attribute set AS= { a1, a2, & gt, aj } to a group administrator to obtain an attribute encryption key CPA_SK and an offline verification key VK;
CPA_SK=(g α h d ,z,TK),
VK=(g 1/(β+μ) ,μ);
wherein vj is the weight value of each attribute in the user attribute set AS; TK is a ciphertext conversion key of attribute encryption; d, Z is a random number, and d, Z, μ ε Z p 。
3. Encryption stage:
(1) The offline encryption mechanism OEA performs offline encryption: OEA_Enc (PK) →IC, and the data owner DO selects a secret value s to be transmitted to the off-line encryption mechanism; the offline encryption mechanism calculates an intermediate ciphertext IC through a secret value s and sends the intermediate ciphertext IC to a data owner DO;
wherein the secret value s epsilon Z p The method comprises the steps of carrying out a first treatment on the surface of the Random number epsilon, y epsilon Z p ;
(2) The data owner DO encrypts: DO_Enc (PK, IC, VK, message) →CT. The data owner DO finally encrypts the plaintext Message through an access structure AC and an intermediate ciphertext IC to obtain an attribute encrypted ciphertext CT;
C 1 =g μ/(β+μ) ,g β ·g μ ,H 1 (e(g,g) μ ,R·H 1 (Message),MM=H 1 (Message)⊕H 1 (R);
wherein,for the mapping of the attribute aj in the access structure ac= (M, ρ (x)), θ is the secret share of aj in the mapping function ρ (x); r is a random ciphertext parameter, and R epsilon G 2 The method comprises the steps of carrying out a first treatment on the surface of the M is a mapping matrix, and each row in M corresponds to an attribute.
4. Group signature authentication phase:
(1) The alliance chain AC secondary node a signs the ciphertext CT: AC_Sign (CT, signMK, signPK) → (SignCT, DO_Verify). The method comprises the steps that a secondary node A of a alliance chain signs a ciphertext CT, so that the secondary node A in the alliance chain carries out signature operation through a signature master key SignMK and a signature private key SignPK of the secondary node A, and a group signature SignCT and a source verification value DO_Verify of the secondary node in the alliance chain to the ciphertext CT are obtained.
Wherein the random number r 1 ,r 2 ∈[1,N-1]The method comprises the steps of carrying out a first treatment on the surface of the idA represents the id identification of the secondary node a; τ, χ is a random number, and τ, χ ε Z p The method comprises the steps of carrying out a first treatment on the surface of the Selecting a random blinding factor b 1 ,b 2 ,b 3 ,b 4 ,b 5 ∈Z p 。
(2) Alliance chain AC verification phase: AC Verify (SignCT) →1/0. The alliance chain receives the ciphertext CT and the corresponding group signature SignCT, and verifies the group signature through an algorithm. If it is proved that the signature is generated by a certain node in the alliance chain, outputting 1 and; otherwise, outputting 0 and discarding the ciphertext CT;
and (3) calculating: u (U) 1 =e(SS·SignAG),U 2 =e(SS·SignPK A );
Verification U 1 =U 2 If equal, thenPerforming next verification; if not, discarding the ciphertext CT;
from the received SignCT calculation:
the verification is performed such that,if the CT is equal, the CT is sent to a sharing chain for sharing; otherwise, discarding the ciphertext CT; the ciphertext CT can be proved to pass the alliance chain signature verification through verification;
(3) And (3) a step of uplink: the method comprises the steps that a UTXO mode is adopted for uplink, a secondary node A sends a Number of a last transaction, a hash value HLast of the last transaction and a group signature SignCT of the current transaction to a alliance chain master node V, the master node V generates a New block and verifies information in the block, if the verification is passed, the New block is integrated into a shared chain, otherwise, the block is discarded;
in the alliance chain AC verification stage, each node in the alliance chain searches the last transaction information associated with the new block in the shared chain, compares whether the input of the new block is the same with the output value of the last transaction, and if the new block is agreed by most nodes in the alliance chain, the main node merges the new block into the shared chain, otherwise, discards the new block.
5. Data user decryption stage:
(1) The offline decryption mechanism ODA performs partial decryption: ODA_Dec (AC, CT, TK) →PC, and data user DU transmits ciphertext CT and ciphertext conversion key TK to offline decryption mechanism ODA; the offline encryption mechanism ODA firstly checks whether the attribute set AS of the data user meets the requirement of the access structure AC, if so, carries out partial decryption on the ciphertext CT and sends the partial decrypted ciphertext PC to the data user DU; otherwise, outputting 0;
PC=(AC,MM,R·e(g,g) αs ,g s ,e(g,g) daθ/z ,C 1 );
(2) The data user DU decrypts: DU_Dec (PC, CPA_SK) →R; the data user DU decrypts the partial decryption ciphertext PC through the attribute encryption key CPA_SK to obtain a random ciphertext parameter R;
R=R·e(g,g) αs /(e(g s ,g α h d )/e(g,g) das );
6. and (4) a responsibility following stage:
(1) The responsibilities data owner DO: DO_Account (GMSK) →idDO. If the group administrator votes to pass through the requirement of the data owner, the id of the data owner can be calculated and obtained through the source verification value DO_verity and the group tracking key GMSK;
is known to beThen->
(2) Responsibility-pursuing signer a: a_accountability (sign ct, sign pk) →ida; in the uplink process, if a group administrator votes through a request for a responsibility-following data owner by adopting a group signature verification method and a UTXO uplink mode, a master node can find a first address to carry out responsibility-following through a chain-by-chain source tracing mode for the transaction; through the group signature SignCT and the signature private key SignP, the idA hash value HID of the signer A is extracted, and the host node can find the idA of the signer by comparing the HID values corresponding to the ids of the child nodes one by one.
By adopting the blockchain privacy protection method, the blockchain is utilized to combine the offline encryption mechanism and the offline decryption mechanism through the online offline attribute encryption algorithm, so that the computing expense of a user is reduced, the fine-granularity user access control is realized, the blockchain privacy protection method is suitable for equipment with limited computing resources, the single-point fault problem is prevented, collusion is prevented between the user and a verifier through double-chain control of a shared chain and a alliance chain, and meanwhile, the bidirectional traceability of a data owner and the verifier is realized through group signature verification, and the security of numerical control is increased.
The above description is only of the preferred embodiments of the present invention, and it should be understood that various changes and modifications can be made by those skilled in the art, and any modifications, equivalents, improvements and the like made by the present invention should be included in the scope of the present invention.