CN115426117A - Multi-source aggregation query verification method - Google Patents
Multi-source aggregation query verification method Download PDFInfo
- Publication number
- CN115426117A CN115426117A CN202211037547.XA CN202211037547A CN115426117A CN 115426117 A CN115426117 A CN 115426117A CN 202211037547 A CN202211037547 A CN 202211037547A CN 115426117 A CN115426117 A CN 115426117A
- Authority
- CN
- China
- Prior art keywords
- query
- tree
- mdg
- output
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000012795 verification Methods 0.000 title claims abstract description 76
- 230000002776 aggregation Effects 0.000 title claims abstract description 48
- 238000004220 aggregation Methods 0.000 title claims abstract description 48
- 238000000034 method Methods 0.000 title claims abstract description 35
- 230000008569 process Effects 0.000 claims abstract description 15
- 238000012216 screening Methods 0.000 claims abstract description 14
- 238000010200 validation analysis Methods 0.000 claims description 18
- 238000004364 calculation method Methods 0.000 claims description 11
- 125000004122 cyclic group Chemical group 0.000 claims description 9
- 230000001186 cumulative effect Effects 0.000 claims description 7
- 238000010276 construction Methods 0.000 claims description 6
- 238000006116 polymerization reaction Methods 0.000 claims description 4
- 230000035945 sensitivity Effects 0.000 claims description 4
- 230000009467 reduction Effects 0.000 claims description 3
- 230000004931 aggregating effect Effects 0.000 claims description 2
- 238000005516 engineering process Methods 0.000 abstract description 6
- 238000013507 mapping Methods 0.000 abstract description 3
- 238000012545 processing Methods 0.000 abstract description 3
- 238000009825 accumulation Methods 0.000 abstract 2
- 238000011160 research Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 230000006978 adaptation Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000004880 explosion Methods 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
Abstract
The invention relates to a multi-source aggregation query verification method, which is designed aiming at two stages of multi-source aggregation query respectively, wherein in the first stage, an expression accumulator technology is combined with a multi-level multi-dimensional grid tree to construct an MDG (multiple-dimensional grid tree), meanwhile, a root abstract of the MDG accumulation tree is signed by using a polymerizable signature, a cloud service provider processes the first stage of aggregation query according to the MDG accumulation tree to generate a range screening result and a verification object, the range screening result and the verification object are verified by a client after aggregation processing of an edge server, in the second stage, a query result and a proof are generated by using a bilinear mapping accumulator technology, and finally, the query result and the proof are verified by the client after the aggregation processing of the edge server.
Description
Technical Field
The invention belongs to the field of cloud computing security, and particularly relates to a verification method for multi-source aggregation query.
Background
With the explosion of internet big data, some data owners lack resources for data management, and then choose to outsource the data to a third party service provider. The service provider has sufficient hardware, software and network resource management databases and can process client-initiated queries. But the service provider is not trusted, outsourced data may be corrupted by malware or security intrusion, or malicious insiders modify the program and/or query results. It is therefore important that the user be able to verify the correctness and integrity of the results.
An aggregated query is an important query type, and its query results can be used for data analysis. The aggregation query is mainly divided into two stages, the first stage is a screening stage, namely range screening is carried out through non-sensitive attributes of the data set, and the second stage is a query stage, namely queries such as Count, sum, min and Max are carried out on the sensitive attributes of the screened objects.
At present, most of research aiming at the verifiable query of outsourced data is single-source, namely only one data owner exists, and the multi-source verifiable query research only has verifiable range query and verifiable keyword search. However, in consideration of an application scenario in which each city uploads weather data to a corresponding third-party cloud service provider, a meteorological research institution wants to query the highest temperature of all cities in an area with a longitude of 41.2 to 52.2 and a latitude of 50.1 to 60.4, and current research results are not applicable to the application scenario, so that a verification method for multi-source aggregation query needs to be designed for the application scenario.
In view of the above, the invention provides an efficient multi-source aggregation query verification scheme, which designs verification methods respectively for two stages of aggregation query, and improves the overall performance of the invention by reducing the calculation overhead of a client while ensuring that the sensitive attribute of a data set is not leaked.
Disclosure of Invention
In order to solve the defects in the prior art, the invention provides a multi-source aggregation query verification method, and mainly aims to provide a verification method for aggregation query in an application scene of a multi-data owner multi-cloud service provider, which can ensure the correctness and integrity of a query result.
According to a first aspect of the present invention, there is provided a multi-source aggregation query validation method, characterized in that:
step 10: n data owners as respective data sets D i Building identity authentication data structuresADS i And D is i And ADS i And uploading to the corresponding cloud service providers.
Wherein i is ∈ [1, …, n]Identity authentication data Structure ADS i Comprising a multi-level and multi-dimensional lattice Tree MDG-Tree i Step 10 further comprises:
step 10A: according to D i MDG-Tree construction based on non-sensitive attribute of medium object i 。
Step 10B: the data owner performs an initialization algorithm (omega) E S) ← Setup (λ), inputs security parameter λ, outputs private key s and public key Ω E 。
Step 20: when the client side initiates a query Q, the n cloud service providers respectively process the query Q, generate a query result and verification information and send the query result and the verification information to the edge server;
wherein the query result comprises a second stage query result R i The verification information comprises first-stage query verification information VO i Second stage inquiring verification information pi i And abstractStep 20 comprises:
step 20A: the service provider obtains a first stage query result O according to Q i And a first stage of inquiring verification information VO i ,O i Is at D i Performing range query and screening according to the non-sensitive attribute to obtain a set of objects meeting preset screening conditions;
and step 20B: service provider offer O i Modeling sensitive attribute values of medium objects into multiple sets A i Executing the abstract obtaining algorithmNamely input A i 、Ω E Output ofPerforming a query algorithm { pi i ,R i }←Query(A i ,Q,Ω E ) I.e. input A i 、Q、Ω E Output R i And pi i ;
Step 30: the edge server aggregates the n query results and the verification information to generate an aggregated query result and aggregated query verification information, and sends the aggregated query result and the aggregated query verification information to the client;
wherein the aggregated query result comprises a second stage aggregated query result R * The aggregated query verification information comprises first-stage aggregated query verification information VO * Second stage aggregating inquiry verification information pi * And aggregate digestsStep 30 comprises:
step 30A: the edge server sends the { VO (VO) according to the n cloud service providers 1 ,...,VO n Reconstruction of { MDG-Tree } 1 ,...,MDG-Tree n And (4) root abstracting, and verifying the root signatures of the multi-level multi-dimensional grid trees according to the { V0 } 1 ,...,VO n Generating a polymerization multi-level multi-dimensional grid tree MDG * VO corresponding to Tree * ;
Step 30B: edge server execution aggregation algorithm Namely inputting { pi i, i belongs to n } and Ri, i belongs to n sent by n cloud service providers]And { dAi, i ∈ [ n ]]R, output R * 、π * And
step 40: the client side verifies the correctness and the integrity of the aggregation query result according to the aggregation query verification information, and the method comprises the following steps:
step 40A: the client end is according to VO * Validating first stage query results O i Whether within query range and divide by O in database i The other objects are not in the query range according to VO * Reduction of MDG * -root digest of Tree and judging if the reconstructed root digest is correct,
step 40B: client-side execution of authentication algorithmsNamely inputQ,R * 、π * And Ω E And outputting the correct accept or the incorrect reject of the verification result.
Further, the aggregated query verification method provided by the present invention is characterized in that step 10A includes:
step 10A1: data owner according to D i MDG-Tree construction based on non-sensitive attribute of medium object i All the nodes of (1);
wherein D is i Having a D-dimensional non-sensitive property, will D i Viewed as a d-dimensional cube, as an MDG-Tree i Then dividing the root node into 2 d The same size of the sub-cube is used as the next layer of sub-nodes, and each sub-node is subdivided into 2 d Taking the subcubes with the same size as the next layer of the subnodes, and continuously iterating until the size of the subcubes in a certain layer reaches the preset fine granularity;
step 10A2: the data owner is MDG-Tree from bottom to top i Calculating the abstract by the node; wherein, the MDG-Tree i Each of the nodes of (a) corresponds to a summary,
MDG-Tree i the digests of the leaf nodes are:
wherein, C j Set of sub-entries, LOC, for the jth leaf node k For the union of the non-sensitive attributes corresponding to the kth sub-entry, X j Is a set of sensitive attributes corresponding to sub-entries of the jth leaf node, G is a generator of a cyclic multiplicative group G of prime order p, ACC is a bilinear map accumulator,computing on a set X j Cumulative value of (d):is fromAnd a random value selected, to be added to the shared secret SK, which is known only to the data owner and the client,a cyclic multiplicative group of order p-1;
MDG-Tree i the digest of the non-leaf nodes is:
wherein, C h A set of child nodes that are the h-th non-leaf node;
step 10A3: data owner using RSA signature pairs MDG-Tree i Signing the root node abstract;
wherein n data owners are according to RSA public key omega R = (f, u) and RSA private key sk = (f, v), and based on preset key svkey, a multi-source verification key { ss) is generated 1 ,…,ss n -means for, among other things,f is two random large prime numbers p 1 And p 2 U and v satisfy u · v =1mod ((p) 1 -1)(p 2 -1)), the ith data owner uses the RSA homomorphic signature as MDG-Tree i Root abstract dig of 0 (i) Generating signatures Add (svkey, SK) to shared secret SK, add Ω R Adding public parameters params, public parametersThe number params is known to all parties in the application scenario.
Further, the multi-source aggregation query validation method provided by the present invention is characterized in that step 20A includes:
service provider from MDG-Tree according to Q i The root node starts to process range query, and O and VO are obtained through depth-first traversal;
wherein O comprises child entries of leaf nodes contained by Q;
VO includes: cube borders gb and summary dig corresponding to non-leaf nodes not contained by Q, gb and ACC (X) corresponding to leaf nodes not contained by Q and LOC of all sub-entries thereof, gb and ACC (X) corresponding to leaf nodes contained by Q and LOC of all sub-entries thereof;
service provider according to { O } 1 ,...O n Generate a set of sensitive attributes A 1 ,...A n };
{ss 1 ,…,ss n And { VO } 1 ,...VO n Is sent by the service provider to the edge server.
Further, the multi-source aggregation query validation method provided by the present invention is characterized in that step 30A includes:
edge server pass judgment equationWhether to verify MDG-Tree standing i Whether the root digest matches the signature of the corresponding data owner or not is verified that the aggregated signature can be obtained by the back edge server
SIG * And VO * Together sent by the edge server to the client.
Further, the multi-source aggregation query validation method provided by the present invention is characterized in that step 40A includes:
the client end is according to VO * Gb and LOC information in to verify the first stage query result O i Whether or not to inquireIn-range and in-database O i The rest of the objects outside are not in the query range;
the client end is according to VO * Restoring MDGs by recursively reconstructing digests of leaf and non-leaf nodes up to a root level * Root abstract of Tree, and according toWhether it holds, checks whether the reconstructed root digest is correct.
Further, the multi-source aggregation query validation method provided by the present invention is characterized in that step 10B includes:
(Ω E s) ← Setup (λ), calculationWherein pub = (p, G) T E, G) are generated by a bilinear pairing parameter generator based on lambda, G and G T Is a cyclic multiplicative group of two prime orders p, G is the generator of G, e: g → G T Is a bilinear pairing, [ q ]]For all sensitive properties, Ω E Adding a public parameter params as a verification related parameter;
step 20B includes:in (1),composed of two elementsIs composed of (a) wherein Wherein:U max for all dataThe maximum value of the set sensitivity attribute.
Further, the multi-source aggregation query validation method provided by the present invention is characterized in that, when the query Q initiated by the client is the COUNT query COUNT:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Calculating a i (x)=(A i (x)-A i (1) X-1), outputR i =A i (1) Wherein A is i (1) Is A i The number of elements in (1);
Step 40B includes:when judging that When the result is true, the accept is output, otherwise, the reject is output.
Further, the multi-source aggregation query validation method provided by the present invention is characterized in that, when the query Q initiated by the client is a SUM query SUM:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Calculation of b i (c)=(A i (x)-A i (1)-A′ i (1)(c-1))/(x-1) 2 ,π b =A i (1) Output pi i =(π ai ,π bi ),R i =A′ i (1) Wherein, A' i (1) Is A i The sum of the values of the elements in (a);
Step 40B includes:when judging that When the result is true, the accept is output, otherwise, the reject is output.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that when the query Q initiated by the client is the minimum query MIN:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Output ofR i =min i ,Wherein, min i Is A i Minimum value of (A) i (s) the lowest order of s;
Step 40B includes:when judging that When the result is true, the accept is output, otherwise, the reject is output.
Further, the multi-source aggregation query validation method provided by the invention is characterized in that when query Q initiated by the client is MAX query with the maximum value:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Output R i =max i ,Wherein,max i Is A i Maximum value of, i.e. B i (s) the lowest order of s;
Step 40B includes:when judging that When the result is true, the accept is output, otherwise, the reject is output.
Compared with the prior art, the invention has high efficiency and safety, and the invention mainly has the following functions:
(1) Designing a polymerizable cumulative tree structure for verifying a first polymerization query stage under a multi-source scene;
(2) A set of verification technology is designed for the inquiry of Count, sum, max and Min at the second stage of aggregation inquiry under the multi-source scene by utilizing the bilinear mapping accumulator technology;
(3) A verifiable multi-source aggregation query scheme is provided, and the correctness and the integrity of a query result can be ensured.
The invention has the following beneficial effects:
(1) The invention is suitable for application scenes of multi-data owner multi-cloud service providers, designs verification methods for two stages of aggregate query respectively, and is the first invention capable of performing multi-source aggregate query verification.
(2) The method has high efficiency, and improves the overall performance of the scheme by reducing the calculation burden of the client as much as possible.
(3) The method has safety, and once the method is attacked by an adversary model, errors can be found through the verification of the client.
(4) The method and the device have privacy, and the client cannot know the sensitive attribute of the data set through inquiry, so that the privacy of the sensitive attribute is protected.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a system model diagram shown in accordance with an exemplary embodiment.
FIG. 2 is a diagram illustrating a process of building an MDG cumulative tree, according to an example embodiment.
FIG. 3 is a diagram illustrating a process for MDG cumulative tree merging, according to an example embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The invention designs verification methods aiming at two stages of aggregation query respectively. For the first stage, a Multi-Dimensional Grid Tree (MDG-Tree) and an accumulative value technology are combined to construct an MDG accumulative Tree as an identity Authentication Data Structure (ADS), a cloud service provider processes the first stage of aggregation query according to the ADS, and generates a range screening result and a Verification Object (VO) for client Verification. For the second stage, the query result and the proof are generated by mainly utilizing a bilinear mapping accumulator technology and are finally verified by the client.
The system flow of the invention is shown in fig. 1, and specifically comprises the following steps:
step 10: n data owners as respective data sets D i Constructing an identity authentication data structure ADS i And D is i And ADS i And uploading to the corresponding cloud service providers.
Step 20: when the client side initiates the query Q, the n cloud service providers respectively process the query Q, generate a query result and verification information and send the query result and the verification information to the edge server.
Wherein the query result comprises a second stage query result R i The verification information comprises first-stage query verification information VO i Second stage inquiring verification information pi i And abstract
Step 30: and the edge server aggregates the n query results and the verification information to generate an aggregated query result and aggregated query verification information, and sends the aggregated query result and the aggregated query verification information to the client.
Wherein the aggregated query result comprises a second stage aggregated query result R * The aggregated query verification information comprises first-stage aggregated query verification information VO * And the second stage aggregates the inquiry verification information pi * And aggregate digests
Step 40: and the client verifies the correctness and the integrity of the aggregated query result according to the aggregated query verification information.
The verification process of the first stage of aggregate query is as follows:
step 10A: according to D i MDG-Tree construction based on non-sensitive attribute of medium object i 。
Step 20A: the service provider obtains a first stage query result O according to Q i And a first stage of inquiring verification information VO i ,O i Is at D i According to the non-sensitive attribute, range query and screening are carried out to obtain a set of objects which accord with preset screening conditions.
Step 30A: the edge server sends the { VO (VO) according to the n cloud service providers 1 ,...,VO n Reconstruction of { MDG-Tree } 1 ,...,MDG-Tree n And verifying the root signatures of the multi-level multi-dimensional grid trees according to the (VO) 1 ,...,VO n Generating a polymerization multi-level multi-dimensional grid tree MDG * VO corresponding to Tree * 。
Step 40A: the client end is according to VO * Validating first stage query results O i Whether within query range and divide by O in database i The other objects are not in the query range according to VO * Reduction of MDG * -root digest of Tree and judging if reconstructed root digest is correct.
And in the second stage of aggregation query, the sensitive attribute values of the objects screened in the first stage are modeled into multiple sets, and the multiple sets are subjected to aggregation query. The scheme is composed of 5 PPT algorithms (initialization algorithm, abstract acquisition algorithm, query algorithm, aggregation algorithm and verification algorithm), and the second aggregation query stage specifically comprises the following steps:
step 10B: the data owner performs an initialization algorithm (omega) E S) ← Setup (λ), inputs security parameter λ, outputs private key s and public key Ω E 。
Step 20B: service provider will O i Modeling sensitive attribute values of medium objects into multiple sets A i Executing the abstract obtaining algorithmNamely input A i 、Ω E Output ofPerforming a query algorithm { pi i ,R i }←Query(A i ,Q,Ω E ) I.e. input A i 、Q、Ω E Output R i And pi i 。
Step 30B: edge server execution aggregation algorithm Namely inputting { pi i, i belongs to n } and Ri, i belongs to n sent by n cloud service providers]And { dAi, i ∈ [ n ]]R, output R * 、π * And
step 40B: client-side execution of authentication algorithmsNamely inputQ,R * 、π * And Ω E And outputting the correct accept or the incorrect reject of the verification result.
In the invention, after the client initiates the query, the edge server carries out partial processing in advance, so that the client only needs to verify for 1 time, the calculation burden of the client is greatly reduced, and the overall performance of the scheme is improved.
The verification steps of the two phases of the multi-source aggregate query are described in detail below.
In the first stage of aggregate query, range query and screening are performed on non-sensitive attributes of objects in a data set to obtain a part of objects meeting screening conditions, and detailed steps of the first stage of aggregate query verification are as follows:
step 10A includes:
step 10A1: data owner according to D i MDG-Tree construction based on non-sensitive attribute of medium object i OfThere are nodes;
wherein D is i Having a D-dimensional non-sensitive property, will D i Regarded as a d-dimensional cube as an MDG-Tree i Then dividing the root node into 2 d The same size of the sub-cube is used as the next layer of sub-nodes, and each sub-node is subdivided into 2 d And taking the subcubes with the same size as the next layer of the subnodes, and continuously iterating until the size of the subcubes in a certain layer reaches the preset fine granularity. Fig. 2 shows a process of constructing an MDG cumulative tree based on a 2-dimensional sensitivity attribute when the preset fine granularity is 1.
Step 10A2: the data owner is MDG-Tree from bottom to top i Calculating the abstract by the node; wherein, the MDG-Tree i Corresponds to a summary.
MDG-Tree i The digests of the leaf nodes are:
wherein, C j Set of sub-entries, LOC, for the jth leaf node k For the union of the non-sensitive attributes corresponding to the kth sub-entry, X j A set of sensitive attributes corresponding to the child entries of the jth leaf node, G being a generator of a cyclic multiplicative group G of prime order p, ACC being a bilinear map accumulator, computing a value for the set X j Cumulative value of (d):is fromA random value selected in the set is added into the shared secret key SK, the shared secret key SK is only known by the data owner and the client,is a cyclic multiplicative group of order p-1.
MDG-Tree i The digest of the non-leaf nodes is:
wherein, C h A set of child nodes that are the h-th non-leaf node.
Step 10A3: data owner using RSA signature pairs MDG-Tree i The root node digest of (a) is signed.
Wherein n data owners are based on RSA public key omega R And generating a multisource verification key { ss) based on the preset key svkey according to the preset key svkey and the RSA private key sk = (f, v) 1 ,…,ss n And (c) the step of (c) in which,f is two random large prime numbers p 1 And p 2 U and v satisfy u · v =1mod ((p) 1 -1)(p 2 -1)), the ith data owner uses the RSA homomorphic signature MDG-Tree i Root abstract dig of 0 (i) Generating signatures Add (svkey, SK) to shared secret SK, add Ω R A common parameter params is added, which is known to all parties in the application scenario.
Step 20A includes:
service provider from MDG-Tree according to Q i The root node starts to process range query, and O and VO are obtained through depth-first traversal;
wherein O comprises a child entry of a leaf node contained by Q;
the VO includes: cube borders gb and summary dig corresponding to non-leaf nodes not contained by Q, gb and ACC (X) corresponding to leaf nodes not contained by Q and LOC of all sub-entries thereof, gb and ACC (X) corresponding to leaf nodes contained by Q and LOC of all sub-entries thereof;
service provider according to { O } 1 ,...O n Generate a set of sensitive attributes A 1 ,...A n };
{ss 1 ,…,ss n And { VO } 1 ,...VO n Is sent by the service provider to the edge server.
Specifically, in some embodiments, the process by which the cloud service provider processes the range query is as shown by the Algorithm Algorithm 1:
step 30A includes:
edge server pass judgment equationVerifying MDG-Tree if true i Whether the root digest matches the signature of the corresponding data owner or not is verified that the aggregated signature can be obtained by the back edge server
The edge server is according to { VO 1 ,...,VO n Generation of MDG * VO corresponding to Tree * . Fig. 3 is an example of a merged MDG-Tree.
MDG * The summary of the nodes of the Tree consists of n MDG-Trees i The abstract of the corresponding node is obtained by multiplication calculation;
SIG * and VO * Together sent by the edge server to the client.
Step 40A includes:
the client end is according to VO * Gb and LOC information in to verify the first stage query result O i Whether within query range and divide by O in database i The rest of the objects outside are not within the query scope.
The client end is according to VO * Restoring MDGs by recursively reconstructing digests of leaf and non-leaf nodes up to a root level * Root abstract of Tree, and according toWhether it holds, checks whether the reconstructed root digest is correct.
In the second stage of aggregate query, the sensitive attribute values of the objects meeting the screening conditions in the first stage are modeled into multiple sets, and aggregate query is performed on the multiple sets i . For example, cloud service provider E 1 The objects screened in the first stage of the query are { o } 1 ,o 2 H, o therein 1 The corresponding attribute value is (1,2,3), o 2 The corresponding attribute value is (2,2,4), and if the first two attributes are non-sensitive attributes and the last attribute is a sensitive attribute, then E 1 Modeled set A 1 Is {3,4}.
The second phase mainly comprises 5 algorithms: initialization algorithm (omega) E S) ← Setup (lambda), abstract acquisition algorithmQuery algorithm { pi i ,R i }←Query(A i ,Q,Ω E ) Aggregation algorithm Verification algorithm In particular these algorithms are detailed as follows:
step 10B includes: (omega) E S) ← Setup (λ), calculationWherein pub = (p, G) T E, G) are generated by a bilinear pairing parameter generator based on lambda, G and G T Is a cyclic multiplicative group of two prime orders p, G is the generator of G, e: G → G T Is a bilinear pairing, [ q ]]For all sensitive properties, Ω E The common parameter params is added as a verification-related parameter.
Step 20B includes:in (1),composed of two elementsIs composed of (a) wherein Wherein:U max is the maximum value of the sensitivity attribute for all data sets.
The remaining three algorithms are introduced below from Count, sum, min, max queries, respectively:
when the query Q initiated by the client is the COUNT query COUNT:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Calculating a i (x)=(A i (x)-A i (1) X-1), outputR i =A i (1) Wherein A is i (1) Is A i Number of elements in (1).
Step 40B includes:when judging that When the result is true, the accept is output, otherwise, the reject is output.
When the query Q initiated by the client is a SUM query SUM:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Calculation of b i (x)=(A i (x)-A i (1)-A′ i (1)(x-1))/(x-1) 2 ,π b =A i (1) Output pi i =(π ai ,π bi ),R i =A′ i (1) Wherein, A' i (1) Is A i The sum of the values of the elements in (a).
Step 40B includes:when judging that When the result is true, outputting accept, otherwise outputting reject.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that when the query Q initiated by the client is the minimum query MIN:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Output R i =min i ,Wherein, min i Is A i Minimum value of (A) i The lowest order of s in(s).
Step 40B includes:when judging that When the result is true, the accept is output, otherwise, the reject is output.
Further, the multi-source aggregation query validation method provided by the invention is characterized in that when query Q initiated by the client is MAX query with the maximum value:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Output R i =max i ,Therein, max i Is A i Maximum value of, i.e. B i The lowest order of s in(s).
Step 40B includes:when judging that When the result is true, the accept is output, otherwise, the reject is output.
In Max and Min query, in order to ensure the security of the query, we provide the following calculation of pi * The steps of (1):
MIN inquiry:
(1) The n cloud service providers are respectively the minimum value (R) of the cloud service providers 1 ,R 2 ,…R n ) Sending to the edge server, the edge server calculates (R) 1 ,R 2 ,…R n ) Minimum value v of * ;
(2) The edge server sends R * Sending the data to n cloud service providers, and calculating the ith cloud service provider with the overall minimum valueAnd sending the data to an edge server for computing for other cloud service providersAnd sent to the edge server, where j e n]/i;
Max query:
(1) The n cloud service providers have a maximum value (R) of the respective cloud service providers 1 ,R 2 ,…R n ) Sending to the edge server, the edge server calculates (R) 1 ,R 2 ,…R n ) Maximum value of R * ;
(2) The edge server will v * Sending the data to n cloud service providers, and calculating the ith cloud service provider with the integral maximum valueAnd sending the data to an edge server for computing for other cloud service providersAnd sent to the edge server, where j e n]/i;
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.
Claims (10)
1. A multi-source aggregation query verification method is characterized by comprising the following steps:
step 10: n data owners as respective data sets D i Constructing an identity authentication data structure ADS i And D is i And ADS i Uploading to respective corresponding cloud service providers;
wherein i is ∈ [1, …, n]The identity authentication data structure ADS i Including a multi-level multi-dimensional lattice tree MDG-Treei, the step 10 further includes:
step 10A: according to D i MDG-Tree construction based on non-sensitive attribute of medium object i ,
Step (ii) of10B: the data owner executes an initialization algorithm (Ω) E S) ← Setup (λ), inputs security parameter λ, outputs private key s and public key Ω E ;
Step 20: when a client side initiates a query Q, the n cloud service providers respectively process the query Q, generate a query result and verification information and send the query result and the verification information to an edge server;
wherein the query results comprise second stage query results R i The verification information comprises first-stage query verification information VO i Second stage inquiring verification information pi i And abstractThe step 20 comprises:
step 20A: the service provider obtains a first-stage query result O according to Q i And the first stage query verification information VO i ,O i Is at D i According to the non-sensitive attribute, carrying out range query screening to obtain a set of objects meeting preset screening conditions;
and step 20B: the service provider will O i Modeling sensitive attribute values of medium objects into multiple sets A i Executing the abstract obtaining algorithmNamely input A i 、Ω E Output ofPerforming a query algorithm { pi i ,R i }←Query(A i ,Q,Ω E ) I.e. input A i 、Q、Ω E Output R i And pi i ;
Step 30: the edge server aggregates the n query results and the verification information to generate an aggregated query result and aggregated query verification information, and sends the aggregated query result and aggregated query verification information to the client;
wherein the aggregated query result comprises a second stage aggregated query result R * The above-mentionedThe aggregated query verification information comprises first-stage aggregated query verification information VO * Second stage aggregating inquiry verification information pi * And aggregate digestsThe step 30 comprises:
step 30A: the edge server sends { VO (voice over Internet protocol) according to n cloud service providers 1 ,...,VO n Reconstruction of { MDG-Tree } 1 ,...,MDG-Tree n And verifying the root signatures of the multi-level multi-dimensional grid trees according to the (VO) 1 ,...,VO n Generating a polymerization multi-level multi-dimensional grid tree MDG * VO corresponding to Tree * ;
Step 30B: the edge server executes an aggregation algorithm Namely inputting n pi sent by the cloud service provider i ,i∈[n]}、{R i ,i∈[n]Andoutput R * 、π * And
step 40: the client side verifies the correctness and the integrity of the aggregation query result according to the aggregation query verification information, and the method comprises the following steps:
step 40A: the client end is according to VO * Validating the first stage query result O i Whether within query range and divide by O in database i The rest objects outside are not in the query range according to VO * Reduction of MDG * -root digest of Tree and judging if the reconstructed root digest is correct,
2. The aggregated query validation method of claim 1, wherein the step 10A comprises:
step 10A1: the data owner is according to D i MDG-Tree construction based on non-sensitive attribute of medium object i All the nodes of (1);
wherein D is i Having a D-dimensional non-sensitive property, will D i Viewed as a d-dimensional cube, as an MDG-Tree i Then dividing the root node into 2 d The same size of the sub-cube is used as the next layer of sub-nodes, and each sub-node is subdivided into 2 d Taking the subcubes with the same size as the next layer of the subnodes, and continuously iterating until the size of the subcubes in a certain layer reaches the preset fine granularity;
step 10A2: the data owner is MDG-Tree from bottom to top i Calculating the abstract by the node; wherein, the MDG-Tree i Each of the nodes of (a) corresponds to a summary,
MDG-Tree i the digests of the leaf nodes are:
wherein, C j Set of sub-entries, LOC, for the jth leaf node k For the union of the non-sensitive attributes corresponding to the kth sub-entry, X j A set of sensitive attributes corresponding to the sub-entry of the jth leaf node, G being a generator of a cyclic multiplicative group G of prime order p, ACC being a bilinear map accumulator, compute information aboutSet X j Cumulative value of (d): is fromA random value selected in (b) is added to the shared secret SK, which is only known to the data owner and the client,a cyclic multiplicative group of order p-1;
MDG-Tree i the digest of the non-leaf nodes is:
wherein, C h A set of child nodes that are the h-th non-leaf node;
step 10A3: the data owner utilizes RSA signature pairs MDG-Tree i Signing the root node abstract;
wherein n of the data owners are based on RSA public key omega R And generating a multisource verification key { ss) based on the preset key svkey according to the preset key svkey and the RSA private key sk = (f, v) 1 ,…,ss n And (c) the step of (c) in which,f is two random large prime numbers p 1 And p 2 U and v satisfy u · v =1mod ((p) 1 -1)(p 2 -1)), the ith said data owner using RSA homomorphic signature MDG-Tree i Root abstract dig of 0 (i) Generating signaturesWill(s)vkey, SK) into the shared secret SK, and Ω R A common parameter params is added, which is known to all parties in the application scenario.
3. The multi-source aggregation query validation method of claim 2, wherein the step 20A comprises:
the service provider derives an MDG-Tree from Q i The root node starts to process range query, and O and VO are obtained through depth-first traversal;
wherein O comprises child entries of leaf nodes contained by Q;
VO includes: cube borders gb and summary dig corresponding to non-leaf nodes not contained by Q, gb and ACC (X) corresponding to leaf nodes not contained by Q and LOC of all sub-entries thereof, gb and ACC (X) corresponding to leaf nodes contained by Q and LOC of all sub-entries thereof;
the service provider is according to { O } 1 ,...O n Generate a set of sensitive attributes A 1 ,...A n };
{ss 1 ,…,ss n And { VO } 1 ,...VO n Is sent by the service provider to the edge server.
4. The multi-source aggregation query validation method of claim 3, wherein the step 30A comprises:
the edge server passes the judgment equationVerifying MDG-Tree if true i Whether the root digest is matched with the signature of the corresponding data owner or not is verified, and the aggregated signature can be obtained by the edge server after the root digest is verified to pass
SIG * And VO * Sent to the client by the edge server together.
5. The multi-source aggregation query validation method of claim 4, wherein the step 40A comprises:
the client end is according to VO * To verify the first stage query result O i Whether within query range and divide by O in database i The rest of the objects outside are not in the query range;
6. The multi-source aggregation query validation method of claims 2-5, wherein the step 10B comprises:
(Ω E s) ← Setup (λ), calculationWherein pub = (p, G) T E, G) are generated by a bilinear pairing parameter generator based on lambda, G and G T Is a cyclic multiplicative group of two prime orders p, G is the generator of G, e: G × G → G T Is a bilinear pairing, [ q ]]For all sensitive properties, Ω E Adding a public parameter params as a verification related parameter;
7. The multi-source aggregation query validation method of claim 6, wherein when the client-initiated query Q is a COUNT query COUNT:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Calculating a i (x)=(A i (x)-A i (1) X-1), outputR i =A i (1) Wherein A is i (1) Is A i The number of elements in (1);
8. The multi-source aggregated query validation method according to claim 6, wherein when the client-initiated query Q is a SUM query SUM:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Calculation of b i (x)=(A i (x)-A i (1)-A′ i (1)(x-1))/(x-1) 2 ,π b =A i (1) Output pi i =(π ai ,π bi ),R i =A′ i (1) Wherein, A' i (1) Is A i The sum of the values of the elements in (a);
9. The multi-source aggregated query validation method of claim 6, wherein when the client-initiated query Q is a minimum query MIN:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Output R i =min i ,Wherein, min i Is A i Minimum value of (A) i (s) the lowest order of s;
10. The multi-source aggregation query validation method of claim 6, wherein when the query Q initiated by the client is a maximum query MAX:
step 20B includes: { Pi i ,R i }←Query(A i ,Q,Ω E ) Output R i =max i ,Therein, max i Is A i Maximum value of (i.e. B) i (s) the lowest order of s;
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211037547.XA CN115426117B (en) | 2022-08-26 | 2022-08-26 | Multisource aggregation query verification method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211037547.XA CN115426117B (en) | 2022-08-26 | 2022-08-26 | Multisource aggregation query verification method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115426117A true CN115426117A (en) | 2022-12-02 |
CN115426117B CN115426117B (en) | 2024-04-26 |
Family
ID=84199509
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211037547.XA Active CN115426117B (en) | 2022-08-26 | 2022-08-26 | Multisource aggregation query verification method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115426117B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9049185B1 (en) * | 2013-03-14 | 2015-06-02 | Emc Corporation | Authenticated hierarchical set operations and applications |
CN109800235A (en) * | 2019-01-28 | 2019-05-24 | 东北大学 | A kind of Outsourced database full operation inquiry validation system and method based on certification tree |
CN112804050A (en) * | 2021-04-14 | 2021-05-14 | 湖南大学 | Multi-source data query system and method |
WO2022082893A1 (en) * | 2020-10-22 | 2022-04-28 | 香港中文大学(深圳) | Privacy blockchain-based internet of vehicles protection method, and mobile terminal |
CN114417419A (en) * | 2022-01-24 | 2022-04-29 | 哈尔滨工业大学(深圳) | Outsourcing cloud storage medical data aggregation method with security authorization and privacy protection |
-
2022
- 2022-08-26 CN CN202211037547.XA patent/CN115426117B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9049185B1 (en) * | 2013-03-14 | 2015-06-02 | Emc Corporation | Authenticated hierarchical set operations and applications |
CN109800235A (en) * | 2019-01-28 | 2019-05-24 | 东北大学 | A kind of Outsourced database full operation inquiry validation system and method based on certification tree |
WO2022082893A1 (en) * | 2020-10-22 | 2022-04-28 | 香港中文大学(深圳) | Privacy blockchain-based internet of vehicles protection method, and mobile terminal |
CN112804050A (en) * | 2021-04-14 | 2021-05-14 | 湖南大学 | Multi-source data query system and method |
CN114417419A (en) * | 2022-01-24 | 2022-04-29 | 哈尔滨工业大学(深圳) | Outsourcing cloud storage medical data aggregation method with security authorization and privacy protection |
Non-Patent Citations (2)
Title |
---|
CHAO SHA等: "A Type of Virtual Force-Based Energy-Hole Mitigation Strategy for Sensor Networks", 《IEEE》, 31 December 2020 (2020-12-31) * |
侯林;冯达;玄鹏开;周福才;: "基于认证树的外包数据库连接查询验证方案", 信息网络安全, no. 02, 10 February 2020 (2020-02-10) * |
Also Published As
Publication number | Publication date |
---|---|
CN115426117B (en) | 2024-04-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Hu et al. | Spatial query integrity with voronoi neighbors | |
Yue et al. | Blockchain based data integrity verification in P2P cloud storage | |
US8572385B2 (en) | System and method for optimal verification of operations on dynamic sets | |
Yiu et al. | Efficient verification of shortest path search via authenticated hints | |
US9465874B1 (en) | Authenticated hierarchical set operations and applications | |
Zheng et al. | Efficient query integrity for outsourced dynamic databases | |
Esiner et al. | Flexdpdp: Flexlist-based optimized dynamic provable data possession | |
CN106897368B (en) | Merkle Hash summation tree and verifiable database updating operation method thereof | |
Shao et al. | Dynamic data integrity auditing method supporting privacy protection in vehicular cloud environment | |
Tamassia et al. | Certification and Authentication of Data Structures. | |
CN106991148B (en) | Database verification system and method supporting full-update operation | |
CN109088719B (en) | Outsourced database multi-key word can verify that cipher text searching method, data processing system | |
CN107451281B (en) | Outsourcing database SQL query integrity verification system and method based on ADS | |
Goodrich et al. | Efficient verification of web-content searching through authenticated web crawlers | |
Ozcelik et al. | An overview of cryptographic accumulators | |
CN112613601A (en) | Neural network model updating method, device and computer storage medium | |
Zhang et al. | Integrity authentication for SQL query evaluation on outsourced databases: A survey | |
Zhang et al. | New efficient constructions of verifiable data streaming with accountability | |
Xu et al. | Efficient public blockchain client for lightweight users | |
Papamanthou et al. | Optimal authenticated data structures with multilinear forms | |
Zhou et al. | Evss: An efficient verifiable search scheme over encrypted cloud data | |
CN115426117B (en) | Multisource aggregation query verification method | |
Chen et al. | Ensuring dynamic data integrity with public auditability for cloud storage | |
Ghosh et al. | Fully-dynamic verifiable zero-knowledge order queries for network data | |
Yao et al. | Verifiable query processing over outsourced social graph |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |