CN103699851A - Remote data completeness verification method facing cloud storage - Google Patents

Abstract

The invention provides a remote data completeness verification method facing cloud storage. According to the method, the aggregate signature and specified certifier signature technology is utilized, the verification function on the user data completeness by users and the third party auditors is realized, and meanwhile, the information of users for data completeness is enabled not to be leaked; the verification information transparency control is realized through the zero knowledge proving technology, and when the dispute exists between the users and a server, the third party auditors can generate the undeniable high-confidence-degree proving through the non-interactive zero knowledge proving technology. According to the method, under the condition that a cloud storage service provider is incredible, the accuracy of the cloud data completeness verification can also be ensured, and the method provided by the invention has the advantages that the realization is easy, the cost is low, the data protection performance is high, the third party audit is supported, the privacy protection mechanism is flexible, and the like.

Description

A kind of teledata integrity verification method of facing cloud storage

Technical field

The present invention relates to a kind of teledata integrity verification method of facing cloud storage; be specifically related to according to data integrity checking, specify reference's signature and zero-knowledge proof theory; for the data in cloud storage provide safe and efficient, support common authentication, third-party authentication and the integrity verification method with secret protection, belong to field of information security technology.

Background technology

The data, services outsourcing of cloud computing can reduce the storage and maintenance pressure of data owner this locality, yet cloud computing is when bringing advantage to the user, also for user data has brought new security challenge.Because user has lost the physical control to data reliability and security, the data integrity in cloud storage becomes one of safety problem of user's worry.Due to the huge communication cost that large-scale data causes, user verifies its correctness after can not downloading data to this locality again.Therefore, how to ensure the safety of data in Cloud Server, how helping user to carry out data integrity checking just becomes a study hotspot.

Find by prior art documents, realize the method for data integrity checking mainly based on digital signature (Digital Signatures) and Mei Keer Hash tree (Merkle Hash Tree).Typical work comprises: data restorability proves that (Proofs of Retrievability, POR) and provable data have (Provable Data Possession, PDP).Shacham and Waters2008 in published in "The14th, International, Conference, on, the, Theory, and, Application, of, Cryptology, and, Information, Security (14th Cryptography and Information Security Theory and Applications International Conference)," the paper "Compact, Proofs, of, Retrievability (compact recoverability proof)" proposes a universal compact recoverability proven model that is based on data partitioning techniques common ideas, using the same math on state properties for a proof t challenge blocks, it is possible to prove the polymerization of the O (t) the computational complexity of generating a O (1) length of the authentication value.The people such as Wang have in the method for secure storing > > of open checking and Data Dynamic and have proposed a kind of combination homomorphism authentication and Mei Keer Hash tree (MHT) in the paper < < Enabling Public Verifiability and Data Dynamics for Storage Security in Cloud Computing(cloud computing that is published in < < The 14th European Symposium on Research in Computer Security (the 14th European computer security Journal of Sex Research discussed annual meeting) > > for 2009, under cloud computing environment, support the storage means of open checking and Data Dynamic.Yet in these schemes, assailant still likely utilizes open indentification protocol to collect abundant information, cracks out data, causes data owner's leakage of data.Therefore these schemes exist the risk of information leakage, are not suitable for practical engineering application.

Summary of the invention

The present invention will overcome the deficiencies in the prior art, a kind of teledata integrity verification method based on specifying reference's endorsement method and the storage of zero-knowledge proof technology facing cloud is provided, signer adopts undeniable digital signature, but in compute signature, combine reference's PKI, checking must just can be carried out under signer or appointment reference's cooperation, strengthen the non-repudiation of signer, large at number of users, in the complicated Practical Project of the unreliable grade of server, guarantee the integrality of user's remote validation cloud data, supported data dynamically updates, open checking, third-party authentication, protection privacy of user.

For achieving the above object, first the present invention carries out system initialization, and it is several data blocks that user (User, U) uses the Reed-Solomon file division to be stored of encoding.User proposes the request that file integrality is verified by " challenge-response " pattern in cloud storage server.Cloud storage server (Cloud Storage Server, CSS) according to the data block being arrived by selective examination, generate a message aggregation and about the appointment reference signature of this message aggregation, add the information of root node simultaneously, generating the data integrity that a user can directly calculate proves.User carries out certain calculating to this proof can verify that whether stored data file is damaged to some extent.Meanwhile, because the appointment reference who generates signs, embedded the PKI of third party auditor (Third Party Auditor, TPA), third party auditor also can carry out to this data integrity the calculating checking of equal extent.On the other hand; in order to prevent that user from misapplying/abusing data integrity information; third party auditor is where necessary for data integrity proof provides a noninteractive zero-knowledge proof; anyone can verify that this zero-knowledge proof is to know data integrity information, reaches effective protection and the flexible object of controlling user authentication data integrity information.

Method of the present invention realizes by following concrete steps:

1 system initialization

System operation bilinear Diffie-Hellman (Bilinear Diffie-Hellman, BDH) parameter generators, produces two Bilinear Groups G that rank are prime number q, G _t, g is generator e:G * G → G of crowd G _tfor bilinearity is to computing, the Hash function H:{0 of a safety of definition, 1} ^*→ G.

Given file F, system is used Reed-Solomon coding that file is divided into n piece F (m ₁m ₂..., m _n) wherein

2 systems generate key

System operation key schedule KeyGen, for user U generates private key: random number corresponding PKI is similarly, system is that third party auditor TPA generates private key: random number corresponding PKI is $y_{\mathrm{TPA}}=g^{x_{\mathrm{TPA}}}.$

3 user's storage files

User moves signature generating algorithm SigGen (sk _u, F) be each data block m _igenerate a homomorphism authentication value (homomorphic authenticator):

metadata as file.The homomorphism authentication value of all data blocks can be gathered into label value: a φ={ σ _i, 1≤i≤n.

User adopts Merkle Hash tree by each block data structure, wherein the leaf node of the bottom has been stored the cryptographic hash of corresponding data piece in an orderly manner, inferior bottom layer node is the cryptographic hash of every two cryptographic hash, and step-by-step recursion constructs a binary tree thus, the cryptographic hash that root node is corresponding final.Root node R is signed simultaneously

user U is by { F, φ, σ _rsend to cloud storage server CSS.

4 general integrity verifications

The 4.1 users request of challenging

When user U carries out data integrity checking to file F, first to generate one group of challenge information.This challenge information is to select some random elements: I={s by user U ₁..., s _c, s ₁≤ i≤s _c, s wherein _irepresent i data block m _iindex.For each s _i∈ I, U chooses a random number

finally, U is by challenge information send to cloud storage server CSS.

4.2 servers generate proof

After cloud storage server CSS receives the challenge information of user U transmission, calculate and generate one section of proof:

${\mathrm{\&zeta;}}_i=y_{\mathrm{TPA}}^{r_i},{\mathrm{\&mu;}}_i={\mathrm{\&sigma;}}_i\&CenterDot;g^{r_i},\mathrm{\&zeta;}={\mathrm{\&Pi;}}_{i=s_1}^{s_c}{\mathrm{\&zeta;}}_i,\mathrm{\&mu;}={\mathrm{\&Pi;}}_{i=s_1}^{s_c}{\mathrm{\&mu;}}_i,\mathrm{\&theta;}={\mathrm{\&Sigma;}}_i^{s_c}{m}_i---\left(1\right)$

Meanwhile, CSS also can offer one group of supplementary of user: { Ω _i, s ₁≤ i≤s _c, represent that i leaf node (stored H (m _i)) to the set of all brotghers of node on the path of root node R.Finally, CSS issues mono-section of proof of user U:

P＝{(ζ，μ，θ)，{H(m _i)}，{Ω _i}，σ _R} (2)

S wherein ₁≤ i≤s _c, (ζ, μ) is the appointment reference signature about θ.

4.3 user's integrity verifications

After user U receives the proof P that cloud storage server sends, first utilize { H (m _i) { Ω _igeneration root node R.Then by calculation equation e (σ _r, g) ≡ e (H (R), y _u) whether set up, verify whether R value is tampered.If equation is false, U this proof that refuses inspection of books, and export failure information.If above-mentioned equation is set up, whether the following equation of U continuation calculating is set up:

$e(\mathrm{\&mu;},y_{\mathrm{TPA}})\&equiv;e(\mathrm{\&zeta;},g)\&CenterDot;e{({\mathrm{\&Pi;}}_{i=s_1}^{s_c}H\left(m_i\right)\&CenterDot;u^{\mathrm{\&theta;}},y_{\mathrm{TPA}})}^{x_U}---\left(3\right)$

If above-mentioned equation is set up, this checking passes through.If equation is false, export failure information.

5 undeniable integrity verifications

When there is dispute, third party auditor TPA can participate in integrity verification procedures, and provides the final certification of non-repudiation.After TPA receives the proof P that CSS cloud storage server sends, first utilize { H (m _i) { Ω _igeneration root node R.Then pass through calculation equation e, (σ _r, g) ≡ e (H (R), y _u) whether set up, verify whether R value is tampered.If equation is false, TPA this proof that refuses inspection of books, and export failure information 0.Otherwise whether TPA continues to calculate following equation and sets up:

$e(\mathrm{\&mu;},y_{\mathrm{TPA}})\&equiv;e(\mathrm{\&zeta;},g)\&CenterDot;e{({\mathrm{\&Pi;}}_{i=s_1}^{s_c}H\left(m_i\right)\&CenterDot;u^{\mathrm{\&theta;}},y_U)}^{x_{\mathrm{TPA}}}---\left(4\right)$

If above-mentioned equation is set up, this checking passes through, otherwise checking failure, output failure information 1.According to the result, generate undeniable proof.

If the verification passes, certified correct is described, TPA exports one section of noninteractive zero-knowledge proof π ₁, to prove two relations that discrete logarithm is equal.

If checking is not passed through, exported failure information 1, TPA is by { H (m _i) { Ω _ithis part information is directly open, thereby anyone can verify this conclusion, and export one section of noninteractive zero-knowledge proof π ₂, to prove two unequal relations of discrete logarithm.For above-mentioned noninteractive zero-knowledge proof, anyone can be verified by simple calculating.

Remarkable result of the present invention is the needs for the integrity verification of subscriber data file in cloud storage; utilize aggregate signature and specify reference's signature technology; general user and the authentication function of third party auditor to user data integrality have been realized; the protection that has simultaneously realized authorization information by zero-knowledge proof technology is controlled; have and be easy to realize; data protection is strong, can flexibly control information transparency etc. advantage.Under the incredible prerequisite of Yun storage service provider of the present invention, guarantee the accuracy of data integrity checking under cloud storage environment, reduce the checking cost of user side.

Accompanying drawing explanation

Fig. 1 structural drawing of the present invention.

Fig. 2 zero-knowledge proof process schematic diagram.

Specific implementation method

Below in conjunction with drawings and Examples, technical scheme of the present invention is described in further detail.Following examples are implemented take technical solution of the present invention under prerequisite, provided detailed embodiment and process, but protection scope of the present invention are not limited to following embodiment.

The method proposing in order to understand better the present embodiment, chooses the data integrity of the file that under a cloud storage environment, user U stores on cloud storage server CSS it and verifies event.

As shown in the inventive method structural drawing (Fig. 1), the concrete implementation step of the present embodiment is as follows:

1 system initialization

System operation bilinear Diffie-Hellman (Bilinear Diffie-Hellman, BDH) parameter generators, produces two Bilinear Groups G that rank are prime number q, G _t, g is the generator of crowd G, e:G * G → G _tfor bilinearity is to computing, the Hash function H:{0 of a safety of definition, 1} ^*→ G.

Given file F, system is used Reed-Solomon coding that file is divided into n piece F (m ₁, m ₂..., m _n), wherein

2 systems generate key

System operation key schedule KeyGen, for user U generates private key: random number corresponding PKI is

similarly, system is that third party auditor TPA generates private key: random number

corresponding PKI is $y_{\mathrm{TPA}}=g^{x_{\mathrm{TPA}}}.$

3 user's storage files

User moves signature generating algorithm SigGen (sk _u, F) be each data block m _igenerate a homomorphism authentication value (homomorphic authenticator):

metadata as file.The homomorphism authentication value of all data blocks can be gathered into label value: a φ={ σ _i, 1≤i≤n.

User adopts Merkle Hash tree by each block data structure, wherein the leaf node of the bottom has been stored the cryptographic hash of corresponding data piece in an orderly manner, inferior bottom layer node is the cryptographic hash of every two cryptographic hash, and step-by-step recursion constructs a binary tree thus, the cryptographic hash that root node is corresponding final.Root node R is signed simultaneously

user U is by { F, φ, σ _rsend to cloud storage server CSS.

4 general integrity verifications

The 4.1 users request of challenging

When user U carries out data integrity checking to file F, first to generate one group of challenge information.This challenge information is to select some random elements: I={s by user U ₁..., s _c, s ₁≤ i≤s _c, s wherein _irepresent i data block m _iindex.For each s _i∈ I, U chooses a random number

finally, U is by challenge information

send to cloud storage server CSS.

4.2 servers generate proof

After cloud storage server CSS receives the challenge information of user U transmission, calculate and generate one section of proof:

${\mathrm{\&zeta;}}_i=y_{\mathrm{TPA}}^{r_i},{\mathrm{\&mu;}}_i={\mathrm{\&sigma;}}_i\&CenterDot;g^{r_i},\mathrm{\&zeta;}={\mathrm{\&Pi;}}_{i=s_1}^{s_c}{\mathrm{\&zeta;}}_i,\mathrm{\&mu;}={\mathrm{\&Pi;}}_{i=s_1}^{s_c}{\mathrm{\&mu;}}_i,\mathrm{\&theta;}={\mathrm{\&Sigma;}}_i^{s_c}{m}_i---\left(1\right)$

Meanwhile, CSS also can offer one group of supplementary of user: { Ω _i, s ₁≤ i≤s _c, represent that i leaf node (stored H (m _i)) to the set of all brotghers of node on the path of root node R.Finally, CSS issues mono-section of proof of user U:

P＝{(ζ，μ，θ)，{H(m _i)}，{Ω _i}，σ _R} (2)

S wherein ₁≤ i≤s _c, and (ζ, μ) is the appointment reference signature about θ.

4.3 user's integrity verifications

After user U receives the proof P that cloud storage server sends, first utilize { H (m _i) { Ω _igeneration root node R.Then by calculation equation e (σ _r, g) ≡ e (H (R), y _u) whether set up, verify whether R value is tampered.If equation is false, U this proof that refuses inspection of books, and export failure information.If above-mentioned equation is set up, whether the following equation of U continuation calculating is set up:

$e(\mathrm{\&mu;},y_{\mathrm{TPA}})\&equiv;e(\mathrm{\&zeta;},g)\&CenterDot;e{({\mathrm{\&Pi;}}_{i=s_1}^{s_c}H\left(m_i\right)\&CenterDot;u^{\mathrm{\&theta;}},y_{\mathrm{TPA}})}^{x_U}---\left(3\right)$

If above-mentioned equation is set up, this checking passes through.If above-mentioned equation is false, export failure information.

5 undeniable integrity verifications

Suppose in 4.3 that user U is to equation e (σ R, g) ≡ e (H (R), y _u) be verified, and the checking of equation (3) is not passed through, but cloud storage server CSS denies this result, does not admit that the file F that user U stores has suffered to distort.For this dispute, third party auditor TPA can participate in integrity verification procedures, and provides undeniable final certification.After TPA receives the proof P that cloud storage server sends, first utilize { H (m _i) { Ω _igeneration root node R.Then by calculation equation e (σ R, g) ≡ e (H (R), y _u) whether set up, verify whether R value is tampered.If R value is tampered, this proof that refuses inspection of books, and export failure information 0.If R value is not tampered, TPA continues to calculate following equation:

$e(\mathrm{\&mu;},y_{\mathrm{TPA}})\&equiv;e(\mathrm{\&zeta;},g)\&CenterDot;e{({\mathrm{\&Pi;}}_{i=s_1}^{s_c}H\left(m_i\right)\&CenterDot;u^{\mathrm{\&theta;}},y_U)}^{x_{\mathrm{TPA}}}---\left(4\right)$

If equation is set up, show to be verified, certified correct, TPA exports one section of noninteractive zero-knowledge proof π ₁, to prove two relations that discrete logarithm is equal.

If equation is not set up, show to verify and do not pass through, TPA finally exports failure information 1, generates undeniable proof simultaneously.TPA exports one section of noninteractive zero-knowledge proof π ₂, to prove two unequal relations of discrete logarithm.Make W ₁=e (μ, y _tPA)/e (ζ, g),

noninteractive zero-knowledge proof π ₂to adopt Fiat-Shamir heuristic by one section of interactive proof:

(with reference to figure bis-) is transformed.Finally, TPA only need to be by (A, A ', the z that obtain after calculating ₁, z ₂, z ' ₁, z ' ₂, c ₁, c ₂, d ₁, d ₂, d ' ₁, d ' ₂) value sends to any people who needs verification.

Claims (1)

1. the teledata integrity verification method that facing cloud is stored, is characterized in that comprising the following steps:

Step 1, system initialization

System operation bilinear Diffie-Hellman (Bilinear Diffie-Hellman, BDH) parameter generators, produces two Bilinear Groups G that rank are prime number q, G _t, g is the generator of crowd G, e:G * G → G _tfor bilinearity is to computing, the Hash function H:{0 of a safety of definition, 1) ^*→ G;

Given file F, system is used Reed-Solomon coding that file is divided into n piece F (m ₁, m ₂..., m _n) wherein

Step 2, system generates key

System operation key schedule KeyGen, for user U generates private key: random number

corresponding PKI is

similarly, system is that third party auditor TPA generates private key: random number

corresponding PKI is $y_{\mathrm{TPA}}=g^{x_{\mathrm{TPA}}};$

Step 3, user's storage file

User moves signature generating algorithm SigGen (sk _u, F) be each data block m _igenerate a homomorphism authentication value (homomorphic authenticator):

as the metadata of file, the homomorphism authentication value of all data blocks is to be gathered into label value: a φ={ σ _i, 1≤i≤n;

User adopts Merkle Hash tree by each block data structure, root node R is signed simultaneously

by { F, φ, σ _rsend to cloud storage server CSS.

Step 4, general integrity verification

The 4.1 users request of challenging

When user U carries out data integrity checking to file F, generate one group of challenge information send to cloud storage server CSS, wherein I={s ₁..., s _c, s ₁≤ i≤s _c, for each s _i∈ I, s _irepresent i data block m _iindex, random number

4.2 servers generate proof

After cloud storage server CSS receives the challenge information of user U transmission, calculate and generate one section of proof:

${\mathrm{\&zeta;}}_i=y_{\mathrm{TPA}}^{r_i},{\mathrm{\&mu;}}_i={\mathrm{\&sigma;}}_i\&CenterDot;g^{r_i},\mathrm{\&zeta;}={\mathrm{\&Pi;}}_{i=s_1}^{s_c}{\mathrm{\&zeta;}}_i,\mathrm{\&mu;}={\mathrm{\&Pi;}}_{i=s_1}^{s_c}{\mathrm{\&mu;}}_i,\mathrm{\&theta;}={\mathrm{\&Sigma;}}_i^{s_c}{m}_i---\left(1\right)$

Meanwhile, CSS offers one group of supplementary of user: { Ω _i, s ₁≤ i≤s _c, represent that i leaf node (stored H (m _i)) to the set of all brotghers of node on the path of root node R, last, CSS issues mono-section of proof of user U:

P＝{(ζ，μ，θ)，{H(m _i)}，{Ω _i)，σ _R} (2)

S wherein _l≤ i≤s _c, and (ζ, μ) is the appointment reference signature about θ.；

4.3 user's integrity verifications

After user U receives the proof P that cloud storage server sends, first utilize { H (m _i) { Ω _i) generation root node R.Then by calculation equation e (σ _r, g) ≡ e (H (R), y _u) whether set up, verify whether R value is tampered.If equation is false, U this proof that refuses inspection of books, and export failure information.If above-mentioned equation is set up, whether the following equation of U continuation calculating is set up:

$e(\mathrm{\&mu;},y_{\mathrm{TPA}})\&equiv;e(\mathrm{\&zeta;},g)\&CenterDot;e{({\mathrm{\&Pi;}}_{i=s_1}^{s_c}H\left(m_i\right)\&CenterDot;u^{\mathrm{\&theta;}},y_{\mathrm{TPA}})}^{x_U}---\left(3\right)$

If above-mentioned equation is set up, this checking passes through.

Step 5, undeniable integrity verification

When there is dispute, third party auditor TPA can participate in integrity verification procedures, and provides undeniable final certification.After TPA receives the proof P that CSS cloud storage server sends, first utilize { H (m _i) { Ω _igeneration root node R.Then by calculation equation e (σ _r, g) ≡ e (H (R), y _u) whether set up, verify whether R value is tampered.If equation is false, TPA this proof that refuses inspection of books, and export failure information 1.Otherwise whether TPA continues to calculate following equation and sets up:

$e(\mathrm{\&mu;},y_{\mathrm{TPA}})\&equiv;e(\mathrm{\&zeta;},g)\&CenterDot;e{({\mathrm{\&Pi;}}_{i=s_1}^{s_c}H\left(m_i\right)\&CenterDot;u^{\mathrm{\&theta;}},y_U)}^{x_{\mathrm{TPA}}}---\left(4\right)$

If above-mentioned equation is set up, this checking passes through, otherwise checking failure, output failure information 1.In the time of need to generating undeniable proof, first TPA calls above-mentioned TPA verification algorithm.If the verification passes, certified correct is described, TPA exports one section of noninteractive zero-knowledge proof π ₁, to prove two relations that discrete logarithm is equal.

If checking is not passed through, exported failure information 0, and TPA is by { H (m _i) { Ω _ithis part information is directly open, thereby anyone can verify this conclusion.If TPA output is failure information 1, it exports one section of noninteractive zero-knowledge proof π ₂, to prove two unequal relations of discrete logarithm.For above-mentioned noninteractive zero-knowledge proof, anyone can be verified by simple calculating.

Images