CN104468535A - Ciphertext storage and connecting query system and method suitable for cloud environment - Google Patents

Abstract

The invention discloses a ciphertext storage and connecting query system and method suitable for a cloud environment. The system comprises a first processor arranged on a client side, and a second processor arranged on a database server side, wherein the first processor comprises an encryption module, a decryption module and a query agent module, and the second processor comprises a query executing module. The method includes an encryption process, a decryption process and a query executing process. According to the system and method, an adopted algorithm is simple, implementation is convenient, and the system and method can be widely applied to ciphertext storage and connecting query in the cloud environment and have crucial effects on implementation of pushing an outsourcing database in the cloud environment.

Description

The ciphertext being applicable to cloud environment stores and connection query system and method

Technical field

The present invention relates to a kind of ciphertext to store and connection query system and method, especially a kind of ciphertext of applicable cloud environment stores and connection query system and method.Belong to information security field.

Background technology

Along with developing rapidly of cloud computing, its conveniently characteristic and flexibly charge method make increasing user by the Data Migration of this locality to cloud server end, save local data management expense and system maintenance spending with this.Departed from the control range of user because data are stored in high in the clouds, Cloud Server manager and disabled user can attempt attempting to obtain the information that comprises of data by visit data, and this may cause the leakage of data message and privacy of user.In recent years because hacker attacks causes the leakage that result in a large number of users data and private data of the cloud security accident caused with the improper operation of Cloud Server keeper; such as Sony company is in 2011 due to hacker attacks cause more than one hundred million subscriber data to leak Gmail large-scale consumer data leak event etc. that accident and Google company occurred in 2011, and the problems the such as whether fail safe of high in the clouds data and the individual privacy of oneself can be effectively protected are left in the consideration that these cloud accidents frequently occurred make user more careful in.

Cryptographic technique is a kind of important instrument realizing data-privacy protection under cloud computing environment.In order to ensure the confidentiality of data, user can select to be encrypted private data.After traditional data base management system is deployed in high in the clouds, the data of ciphertext form can be stored in cloud database by user.But the relational operation realized in ciphertext in traditional database will become the new difficult problem realizing cloud data base management system.A kind of the simplest method all encrypt datas is downloaded to this locality be decrypted, then on plaintext, relational operation is carried out, but this operation not only needs to expend huge network overhead, and user also needs because deciphering and search operation pay huge computing cost.Another extreme way is that key and query manipulation are issued cloud database server, allow cloud database server decrypting ciphertext data, and the relational operation carried out expressly, but this way can allow again Cloud Server again know the clear data of user, the safety of serious threat to data and the individual privacy of user.

In order to support the search in ciphertext, some cryptographic algorithm propose thus, and to obtain extensive research and the concern of researcher in recent years, wherein most of cryptographic algorithm is for keyword search, Connection inquiring is a kind of important relational operation in database, a kind ofly supports that the method for ciphertext Connection inquiring plays vital effect to promoting the realization of outsourcing database under cloud environment.

Summary of the invention

The object of the invention is the defect in order to solve above-mentioned prior art, a kind of ciphertext of applicable cloud environment is provided to store and connection query system, this system has that fail safe is high, algorithm is simple, implement feature easily, and the ciphertext that can be widely used in cloud environment stores and Connection inquiring.

Another object of the present invention is to provide a kind of ciphertext of applicable cloud environment to store and Connection inquiring method.

Object of the present invention can reach by taking following technical scheme:

The ciphertext being applicable to cloud environment stores and connection query system, it is characterized in that: comprise the first processor being arranged on client and the second processor being arranged on database server side, described first processor comprises encrypting module, deciphering module and inquiry proxy module, described second processor comprises query execution module, wherein:

Described encrypting module, is encrypted for the plaintext attribute column to be encrypted to user, forms ciphertext, completes encryption, and the ciphertext of generation be sent in ciphertext database and store;

Described deciphering module, is decrypted process for the ciphertext sent ciphertext database or query execution module, is formed expressly, completes deciphering, and verify ciphertext, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error;

Described inquiry proxy module, being encrypted for assisting, deciphering and query execution;

Described query execution module, ciphertext Connection inquiring for submitting to user performs on ciphertext database, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, utilize the inquiry limit door of inquiry proxy CMOS macro cell, call Bilinear map parts and mould exponentiation parts judge that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext is transferred to deciphering module, transmits expressly Connection inquiring result by deciphering module to user; Otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

Preferably, described encrypting module is specific as follows:

For receiving user's plaintext attribute column to be encrypted, call generating random number parts, mould exponentiation parts and Hash parts, according to the PKI of the secret value in this attribute column that inquiry proxy module passes over and user, expressly calculating generating ciphertext is carried out to each in this plaintext attribute column, and the ciphertext of generation is sent in ciphertext database stores.

Preferably, described deciphering module is specific as follows:

For receiving the ciphertext that ciphertext database or query execution module are sent, call mould exponentiation parts and Hash parts, calculate expressly according to the private key of user, and the secret value in this ciphertext place attribute column utilizing inquiry proxy module to pass over, ciphertext is verified, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error.

Preferably, described query execution module is specific as follows:

For receiving the ciphertext Connection inquiring that user submits to, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, utilize the inquiry limit door of inquiry proxy CMOS macro cell, calling Bilinear map parts and mould exponentiation calculates, judging that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext is transferred to deciphering module, transmits expressly Connection inquiring result by deciphering module to user; Otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

Another object of the present invention can reach by taking following technical scheme:

The ciphertext being applicable to cloud environment stores and Connection inquiring method, it is characterized in that described method comprises:

Ciphering process: encrypting module is encrypted the plaintext attribute column that user is to be encrypted, forms ciphertext, completes encryption, and the ciphertext of generation be sent in ciphertext database and store;

Decrypting process: deciphering module is decrypted process to the ciphertext that ciphertext database or query execution module are sent, is formed expressly, completes deciphering, and verify ciphertext, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error;

Query execution process: query execution module performs on ciphertext database the ciphertext Connection inquiring that user submits to, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, utilize the inquiry limit door of inquiry proxy CMOS macro cell, call bilinearity parts and mould exponentiation parts judge that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext is transferred to deciphering module, transmits expressly Connection inquiring result by deciphering module to user; Otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

Preferably, described ciphering process is specific as follows:

Encrypting module receives user's plaintext attribute column to be encrypted, call generating random number parts, mould exponentiation parts and Hash parts, according to the PKI of the secret value in this plaintext attribute column that inquiry proxy module passes over and user, expressly calculating generating ciphertext is carried out to each in this plaintext attribute column, and the ciphertext of generation is sent in ciphertext database stores.

Preferably, described decrypting process is specific as follows:

The ciphertext that deciphering module reception ciphertext database or query execution module are sent, call mould exponentiation parts and Hash parts, calculate expressly according to the private key of user, and the secret value in this ciphertext place attribute column utilizing inquiry proxy module to pass over, ciphertext is verified, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error.

Preferably, described query execution process is specific as follows:

The ciphertext Connection inquiring that query execution module receives user is submitted to, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, utilize the inquiry limit door of inquiry proxy CMOS macro cell, call Bilinear map parts and mould exponentiation parts calculate, judge that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext is transferred to deciphering module, transmits expressly Connection inquiring result by deciphering module to user; Otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

Preferably, described method specifically comprises the following steps:

1) ciphering process

1.1), after the plaintext attribute column A of user relation R to be encrypted is transferred to encrypting module, encrypting module calls the secret value (α on inquiry proxy module acquisition plaintext attribute column A _a, β _a);

1.2) encrypting module obtains the PKI X=g of user ^x, call generating random number parts and obtain random number r ₁, r ₂, r ₃, then call mould exponentiation parts and Hash parts, by following formula, each on plaintext attribute column A expressly calculated, generating ciphertext:

$C_1=g^{r_1},C_2=g^{r_1/{\mathrm{\α}}_A},C_3=g^{r_2},C_4={m_1}^{r_1/{\mathrm{\α}}_A}{g}^{r_2{\mathrm{\β}}_A},$

$C_5=g^{r_3},C_6=H\left(C_1\right|\left|C_2\right|\left|C_3\right|\left|C_4\right|\left|C_5\right|\left|X^{r_3}\right)\⊕\left(m_1\right|\left|r_1\right|\left|r_2\right)$

1.3) ciphertext of generation is sent in ciphertext database stores;

2) decrypting process

2.1) deciphering module receives the ciphertext C that ciphertext database or query execution module are sent _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆), obtain the private key x of user;

2.2) deciphering module calls mould exponentiation parts and Hash parts, utilizes the private key x of user, is calculated as follows and obtains expressly m ₁:

$m_1\left|\right|r_1\left|\right|r_2=H\left(C_1\right|\left|C_2\right|\left|C_3\right|\left|C_4\right|\left|C_5\right|\left|{C_5}^x\right)\⊕C_6$

2.3) deciphering module calls inquiry proxy module and obtains ciphertext C _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆) secret value (α in the attribute column of place _a, β _a);

2.4) deciphering module utilizes m ₁, r ₁, r ₂, α _a, β _ato ciphertext C _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆) verify:

$C_1=g^{r_1},C_2=g^{r_1/{\mathrm{\α}}_A},C_3=g^{r_2},C_4={m_1}^{r_1/{\mathrm{\α}}_A}{g}^{r_2{\mathrm{\β}}_A}$

2.5) if above-mentioned equation is set up, be then verified, deciphering module will plaintext m ₁export to user; Otherwise deciphering module is to the warning message of user's output error;

3) query execution process

3.1) query execution module receive user submit to the ciphertext attribute column A of relation R to be connected and the ciphertext attribute column B of relation S on ciphertext Connection inquiring;

3.2) query execution module calls inquiry proxy module, obtains allowing the rear inquiry limit door trapdoor obtained needed for execution ciphertext Connection inquiring:

trapdoor＝(β _B/α _A，β _A/α _B)

3.3) query execution module obtains the upper ciphertext value C of ciphertext attribute column A of relation R _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆), a ciphertext value C on the ciphertext attribute column B of relation S _b=(C ₁', C ₂', C ₃', C ₄', C ₅', C ₆'), form ciphertext pair to be connected by following formula:

e(C ₂，C ₄′)，e(C ₄，C ₂′)，e(C ₁，C ₃′)，e(C ₁′，C ₃)

3.4) then query execution module utilizes inquiry limit door trapdoor, calls Bilinear map parts and mould exponentiation parts to ciphertext to be connected to carrying out following judgement:

$\frac{e(C_2,{C_4}^{\′})}{e({C_2}^{\′},C_4)}=\frac{e{(C_1,{C_3}^{\′})}^{{\mathrm{\β}}_B/{\mathrm{\α}}_A}}{e{({C_1}^{\′},C_3)}^{{\mathrm{\β}}_A/{\mathrm{\α}}_B}}$

3.5) if above-mentioned equation is set up, explanation meets condition of contact, then query execution module is by this ciphertext to being transferred to deciphering module, and deciphering module is according to above-mentioned steps 2) decrypting process to this ciphertext to being decrypted, and final result is returned to user; Otherwise, return step 3.3) continue to obtain next ciphertext pair to be connected, to this ciphertext to carrying out identical process, until all ciphertexts are to processing one time.

The present invention has following beneficial effect relative to prior art:

1, present system and method have the high feature of fail safe, when there is no client authorization (i.e. the inquiry limit door of inquiry proxy CMOS macro cell), cloud server end can not perform ciphertext and connect, when obtaining the mandate of client, cloud server end when not knowing expressly, can carry out the connection in ciphertext attribute column.

2, present system and method inquiry proxy module can be utilized to pass in client this attribute column on secret value and the PKI of user be encrypted, the private key of user can be utilized to be decrypted, encryption and decryption are without the need to Bilinear map computing, required time is short, response is fast, can realize in the terminal of weak computational resource.

3, the Connection inquiring of present system and method both applicable single user ciphertext, also the Connection inquiring of applicable multi-user's ciphertext, thus has application scenarios more flexibly.

4, the algorithm of present system and method employing is simple, and it is convenient to implement, and the ciphertext that can be widely used in cloud environment stores and Connection inquiring, plays vital effect to the realization of outsourcing database (i.e. ciphertext database) under promotion cloud environment.

Accompanying drawing explanation

Fig. 1 is that the ciphertext of the applicable cloud environment of the embodiment of the present invention stores and connection query system theory diagram.

Fig. 2 is that the ciphertext of the applicable cloud environment of the embodiment of the present invention stores the ciphering process schematic diagram with Connection inquiring method.

Fig. 3 is that the ciphertext of the applicable cloud environment of the embodiment of the present invention stores the decrypting process schematic diagram with Connection inquiring method.

Fig. 4 is that the ciphertext of the applicable cloud environment of the embodiment of the present invention stores the query execution process schematic with Connection inquiring method.

Embodiment

Embodiment 1:

As shown in Figure 1, the ciphertext of the present embodiment stores and connection query system, and comprise first processor and the second processor, described first processor is arranged on client, and it comprises encrypting module, deciphering module and inquiry proxy module; Described second processor is arranged on database server side, and it comprises query execution module, wherein:

Described encrypting module, be encrypted for the plaintext attribute column to be encrypted to user, form ciphertext, complete encryption, be specially: receive the plaintext attribute column that user is to be encrypted, call generating random number parts, mould exponentiation parts and Hash parts, according to the PKI of the secret value in this plaintext attribute column that inquiry proxy module passes over and user, expressly calculating generating ciphertext is carried out to each in this plaintext attribute column, and the ciphertext of generation is sent in ciphertext database stores;

Described deciphering module, ciphertext for sending ciphertext database or query execution module is decrypted process, form plaintext, complete deciphering, being specially: for receiving the ciphertext that ciphertext database or query execution module are sent, call mould exponentiation parts and Hash parts, calculating expressly according to the private key of user, and the secret value in this ciphertext place attribute column utilizing inquiry proxy module to pass over, ciphertext is verified, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error;

Described inquiry proxy module, being encrypted for assisting, deciphering and query execution, be specially: store the secret value for each attribute column, as required secret value is transferred to encrypting module to be encrypted, be transferred to the checking that deciphering module is decrypted, and be transferred to query execution module according to the query type generated query limit door that user submits to;

Described query execution module, ciphertext Connection inquiring for submitting to user performs on ciphertext database, be specially: receive the ciphertext Connection inquiring that user submits to, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, utilize the inquiry limit door of inquiry proxy CMOS macro cell, call Bilinear map parts and mould exponentiation parts judge that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext is transferred to deciphering module, expressly Connection inquiring result is transmitted to user by deciphering module, otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

In the present embodiment, the ciphertext storage based on said system comprises with Connection inquiring method:

Ciphering process: encrypting module receives user's plaintext attribute column to be encrypted, call generating random number parts, mould exponentiation parts and Hash parts, according to the PKI of the secret value in this attribute column that inquiry proxy module passes over and user, expressly calculating generating ciphertext is carried out to each in this plaintext attribute column, and the ciphertext of generation is sent in ciphertext database stores;

Decrypting process: the ciphertext that deciphering module reception ciphertext database or query execution module are sent, call mould exponentiation parts and Hash parts, calculate expressly according to the private key of user, and the secret value in this ciphertext place attribute column utilizing inquiry proxy module to pass over, ciphertext is verified, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error;

Query execution process: the ciphertext Connection inquiring that query execution module receives user is submitted to, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, utilize the inquiry limit door of inquiry proxy CMOS macro cell, call Bilinear map parts and mould exponentiation parts judge that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext is transferred to deciphering module, transmits expressly Connection inquiring result by deciphering module to user; Otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

As shown in Figure 2, Figure 3 and Figure 4, the concrete steps of said method are as follows:

1) ciphering process

1.1), after the plaintext attribute column A of user relation R to be encrypted is transferred to encrypting module, encrypting module calls the secret value (α on inquiry proxy module acquisition plaintext attribute column A _a, β _a);

1.2) encrypting module obtains the PKI X=g of user ^x, call generating random number parts and obtain random number r ₁, r ₂, r ₃, then call mould exponentiation parts and Hash parts, by following formula, each on plaintext attribute column A expressly calculated, generating ciphertext:

$C_1=g^{r_1},C_2=g^{r_1/{\mathrm{\α}}_A},C_3=g^{r_2},C_4={m_1}^{r_1{\mathrm{\α}}_A}{g}^{r_2{\mathrm{\β}}_A},$

$C_5=g^{r_3},C_6=H\left(C_1\right|\left|C_2\right|\left|C_3\right|\left|C_4\right|\left|C_5\right|\left|X^{r_3}\right)\⊕\left(m_1\right|\left|r_1\right|\left|r_2\right)$

1.3) ciphertext of generation is sent in ciphertext database stores;

2) decrypting process

2.1) deciphering module receives the ciphertext C that ciphertext database or query execution module are sent _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆), obtain the private key x of user;

2.2) deciphering module calls mould exponentiation parts and Hash parts, utilizes the private key x of user, is calculated as follows and obtains expressly m ₁:

$m_1\left|\right|r_1\left|\right|r_2=H\left(C_1\right|\left|C_2\right|\left|C_3\right|\left|C_4\right|\left|C_5\right|\left|{C_5}^x\right)\⊕C_6$

2.3) deciphering module calls inquiry proxy module and obtain ciphertext C _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆) secret value (α in the attribute column of place _a, β _a);

2.4) deciphering module utilizes m ₁, r ₁, α _a, β _ato ciphertext C _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆) verify:

$C_1=g^{r_1},C_2=g^{r_1/{\mathrm{\α}}_A},C_3=g^{r_2},C_4={m_1}^{r_1{\mathrm{\α}}_A}{g}^{r_2{\mathrm{\β}}_A}$

2.5) if above-mentioned equation is set up, be then verified, deciphering module will plaintext m ₁export to user; Otherwise deciphering module is to the warning message of user's output error;

3) query execution process

3.1) query execution module receive user submit to the ciphertext attribute column A of relation R to be connected and the ciphertext attribute column B of relation S on ciphertext Connection inquiring;

3.2) query execution module calls inquiry proxy module, obtains allowing the rear inquiry limit door trapdoor obtained needed for execution ciphertext Connection inquiring:

trapdoor＝(β _B/α _A，β _A/α _B)

3.3) query execution module obtains the upper ciphertext value C of ciphertext attribute column A of relation R _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆), a ciphertext value C on the ciphertext attribute column B of relation S _b=(C ₁', C ₂', C ₃', C ₄', C ₅', C ₆'), form ciphertext pair to be connected by following formula:

e(C ₂，C ₄′)，e(C ₄，C ₂′)，e(C ₁，C ₃′)，e(C ₁′，C ₃)

3.4) then query execution module utilizes inquiry limit door trapdoor, calls Bilinear map parts and mould exponentiation parts to ciphertext to be connected to carrying out following judgement:

$\frac{e(C_2,{C_4}^{\′})}{e({C_2}^{\′},C_4)}=\frac{e{(C_1,{C_3}^{\′})}^{{\mathrm{\β}}_B/{\mathrm{\α}}_A}}{e{({C_1}^{\′},C_3)}^{{\mathrm{\β}}_A/{\mathrm{\α}}_B}}$

3.5) if above-mentioned equation is set up, explanation meets condition of contact, then query execution module is by this ciphertext to being transferred to deciphering module, and deciphering module is according to above-mentioned steps 2) decrypting process to this ciphertext to being decrypted, and final result is returned to user; Otherwise, return step 3.3) continue to obtain next ciphertext pair to be connected, to this ciphertext to carrying out identical process, until all ciphertexts are to processing one time.

One of ordinary skill in the art will appreciate that all or part of step realized in above-described embodiment method is that the hardware that can carry out instruction relevant by program has come, corresponding program can be stored in a computer read/write memory medium, described storage medium, as ROM/RAM, disk or CD etc.

In sum, the algorithm that present system and method adopt is simple, it is convenient to implement, and the ciphertext that can be widely used in cloud environment stores and Connection inquiring, plays vital effect to the realization of outsourcing database (i.e. ciphertext database) under promotion cloud environment.

The above; be only patent preferred embodiment of the present invention; but the protection range of patent of the present invention is not limited thereto; anyly be familiar with those skilled in the art in the scope disclosed in patent of the present invention; be equal to according to the technical scheme of patent of the present invention and patent of invention design thereof and replaced or change, all belonged to the protection range of patent of the present invention.

Claims (9)

1. the ciphertext being applicable to cloud environment stores and connection query system, it is characterized in that: comprise the first processor being arranged on client and the second processor being arranged on database server side, described first processor comprises encrypting module, deciphering module and inquiry proxy module, described second processor comprises query execution module, wherein:

Described encrypting module, is encrypted for the plaintext attribute column to be encrypted to user, forms ciphertext, completes encryption, and the ciphertext of generation be sent in ciphertext database and store;

Described deciphering module, is decrypted process for the ciphertext sent ciphertext database or query execution module, is formed expressly, completes deciphering, and verify ciphertext, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error;

Described inquiry proxy module, being encrypted for assisting, deciphering and query execution;

Described query execution module, ciphertext Connection inquiring for submitting to user performs on ciphertext database, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, judging that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext being transferred to deciphering module, transmit expressly Connection inquiring result by deciphering module to user; Otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

2. the ciphertext of applicable cloud environment according to claim 1 stores and connection query system, it is characterized in that: described encrypting module is specific as follows:

For receiving user's plaintext attribute column to be encrypted, call generating random number parts, mould exponentiation parts and Hash parts, according to the PKI of the secret value in this attribute column that inquiry proxy module passes over and user, expressly calculating generating ciphertext is carried out to each in this plaintext attribute column, and the ciphertext of generation is sent in ciphertext database stores.

3. the ciphertext of applicable cloud environment according to claim 1 stores and connection query system, it is characterized in that: described deciphering module is specific as follows:

For receiving the ciphertext that ciphertext database or query execution module are sent, call mould exponentiation parts and Hash parts, calculate expressly according to the private key of user, and the secret value in this ciphertext place attribute column utilizing inquiry proxy module to pass over, ciphertext is verified, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error.

4. the ciphertext of applicable cloud environment according to claim 1 stores and connection query system, it is characterized in that: described query execution module is specific as follows:

For receiving the ciphertext Connection inquiring that user submits to, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, utilize the inquiry limit door of inquiry proxy CMOS macro cell, calling Bilinear map parts and mould exponentiation parts judge that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext being transferred to deciphering module, transmit expressly Connection inquiring result by deciphering module to user; Otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

5. the ciphertext based on the applicable cloud environment of system described in claim 1 stores and Connection inquiring method, it is characterized in that described method comprises:

Ciphering process: encrypting module is encrypted the plaintext attribute column that user is to be encrypted, forms ciphertext, completes encryption, and the ciphertext of generation be sent in ciphertext database and store;

Decrypting process: deciphering module is decrypted process to the ciphertext that ciphertext database or query execution module are sent, is formed expressly, completes deciphering, and verify ciphertext, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error;

Query execution process: query execution module performs on ciphertext database the ciphertext Connection inquiring that user submits to, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, judge that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext is transferred to deciphering module, transmits expressly Connection inquiring result by deciphering module to user; Otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

6. the ciphertext of applicable cloud environment according to claim 5 stores and Connection inquiring method, it is characterized in that: described ciphering process is specific as follows:

Encrypting module receives user's plaintext attribute column to be encrypted, call generating random number parts, mould exponentiation parts and Hash parts, according to the PKI of the secret value in this attribute column that inquiry proxy module passes over and user, expressly calculating generating ciphertext is carried out to each in this plaintext attribute column, and the ciphertext of generation is sent in ciphertext database stores.

7. the ciphertext of applicable cloud environment according to claim 5 stores and Connection inquiring method, it is characterized in that: described decrypting process is specific as follows:

The ciphertext that deciphering module reception ciphertext database or query execution module are sent, call mould exponentiation parts and Hash parts, calculate expressly according to the private key of user, and the secret value in this ciphertext place attribute column utilizing inquiry proxy module to pass over, ciphertext is verified, if be verified, then expressly will export to user; Otherwise, to the warning message of user's output error.

8. the ciphertext of applicable cloud environment according to claim 5 stores and Connection inquiring method, it is characterized in that: described query execution process is specific as follows:

The ciphertext Connection inquiring that query execution module receives user is submitted to, two attribute column to be connected are obtained from ciphertext database, a ciphertext value is respectively got in these two attribute column, form ciphertext pair to be connected, utilize the inquiry limit door of inquiry proxy CMOS macro cell, calling Bilinear map parts and mould exponentiation parts judge that this ciphertext to be connected is to whether meeting condition of contact, if meet, ciphertext being transferred to deciphering module, transmit expressly Connection inquiring result by deciphering module to user; Otherwise, continue to obtain next ciphertext to be connected to judging, until all ciphertexts are to processing one time.

9. the ciphertext of the applicable cloud environment according to any one of claim 5-8 stores and Connection inquiring method, it is characterized in that described method specifically comprises the following steps:

1) ciphering process

1.1), after the plaintext attribute column A of user relation R to be encrypted is transferred to encrypting module, encrypting module calls the secret value (α on inquiry proxy module acquisition attribute column A _a, β _a);

1.2) encrypting module obtains the PKI X=g of user ^x, call generating random number parts and obtain random number r ₁, r ₂, r ₃, then call mould exponentiation parts and Hash parts, by following formula, each on plaintext attribute column A expressly calculated, generating ciphertext:

$C_1=g^{r_1},C_2=g^{r_1/{\mathrm{\α}}_A},C_3=g^{r_2},C_4={m_1}^{r_1/{\mathrm{\α}}_A}{g}^{r_2{\mathrm{\β}}_A},$

$C_5=g^{r_3},C_6=H\left(C_1\right|\left|C_2\right|\left|C_3\right|\left|C_4\right|\left|C_5\right|\left|X^{r_3}\right)\⊕\left(m_1\right|\left|r_1\right|\left|r_2\right)$

1.3) ciphertext of generation is sent in ciphertext database stores;

2) decrypting process

2.1) deciphering module receives the ciphertext C that ciphertext database or query execution module are sent _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆), obtain the private key x of user;

2.2) deciphering module calls mould exponentiation parts and Hash parts, utilizes the private key x of user, is calculated as follows and obtains expressly m ₁:

$m_1\left|\right|r_1\left|\right|r_2=H\left(C_1\right|\left|C_2\right|\left|C_3\right|\left|C_4\right|\left|C_5\right|\left|{C_5}^x\right)\⊕C_6$

2.3) deciphering module calls inquiry proxy module and obtains ciphertext C _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆) secret value (α in the attribute column of place _a, β _a);

2.4) deciphering module utilizes m ₁, r ₁, r ₂, α _a, β _ato ciphertext C _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆) verify:

$C_1=g^{r_1},C_2=g^{r_1/{\mathrm{\α}}_A},C_3=g^{r_2},C_4={m_1}^{r_1/{\mathrm{\α}}_A}{g}^{r_2{\mathrm{\β}}_A}$

2.5) if above-mentioned equation is set up, be then verified, deciphering module will plaintext m ₁export to user; Otherwise deciphering module is to the warning message of user's output error;

3) query execution process

3.1) query execution module receive user submit to the ciphertext attribute column A of relation R to be connected and the ciphertext attribute column B of relation S on ciphertext Connection inquiring;

3.2) query execution module calls inquiry proxy module, obtains allowing the rear inquiry limit door trapdoor obtained needed for execution ciphertext Connection inquiring:

trapdoor＝(β _B/α _A，β _A/α _B)

3.3) query execution module obtains the upper ciphertext value C of ciphertext attribute column A of relation R _a=(C ₁, C ₂, C ₃, C ₄, C ₅, C ₆), a ciphertext value C on the ciphertext attribute column B of relation S _b=(C ' ₁, C ' ₂, C ' ₃, C ' ₄, C ' ₅, C ' ₆), form ciphertext pair to be connected by following formula:

e(C ₂，C′ ₄)，e(C ₄，C′ ₂)，e(C ₁，C′ ₃)，e(C′ ₁，C ₃)

3.4) then query execution module utilizes inquiry limit door trapdoor, calls Bilinear map parts and mould exponentiation parts to ciphertext to be connected to carrying out following judgement:

$\frac{e(C_2,{C_4}^{\′})}{e({C_2}^{\′},C_4)}=\frac{e{(C_1,{C_3}^{\′})}^{{\mathrm{\β}}_B/{\mathrm{\α}}_A}}{e{\left({C_1}^{\′}{C}_3\right)}^{{\mathrm{\β}}_A/{\mathrm{\α}}_B}}$

3.5) if above-mentioned equation is set up, explanation meets condition of contact, then query execution module is by this ciphertext to being transferred to deciphering module, and deciphering module is according to above-mentioned steps 2) decrypting process to this ciphertext to being decrypted, and final result is returned to user; Otherwise, return step 3.3) continue to obtain next ciphertext pair to be connected, to this ciphertext to carrying out identical process, until all ciphertexts are to processing one time.