CN115426117B - Multisource aggregation query verification method - Google Patents
Multisource aggregation query verification method Download PDFInfo
- Publication number
- CN115426117B CN115426117B CN202211037547.XA CN202211037547A CN115426117B CN 115426117 B CN115426117 B CN 115426117B CN 202211037547 A CN202211037547 A CN 202211037547A CN 115426117 B CN115426117 B CN 115426117B
- Authority
- CN
- China
- Prior art keywords
- query
- output
- verification
- aggregated
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000012795 verification Methods 0.000 title claims abstract description 99
- 238000000034 method Methods 0.000 title claims abstract description 52
- 230000002776 aggregation Effects 0.000 title claims abstract description 36
- 238000004220 aggregation Methods 0.000 title claims abstract description 36
- 238000012216 screening Methods 0.000 claims abstract description 14
- 230000008569 process Effects 0.000 claims abstract description 13
- 238000004364 calculation method Methods 0.000 claims description 9
- 125000004122 cyclic group Chemical group 0.000 claims description 9
- 230000001186 cumulative effect Effects 0.000 claims description 7
- 238000010276 construction Methods 0.000 claims 3
- 239000011159 matrix material Substances 0.000 claims 1
- 238000005516 engineering process Methods 0.000 abstract description 5
- 238000013507 mapping Methods 0.000 abstract description 2
- 238000009825 accumulation Methods 0.000 abstract 3
- 238000013461 design Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 238000011160 research Methods 0.000 description 2
- 230000006978 adaptation Effects 0.000 description 1
- 230000004931 aggregating effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000004880 explosion Methods 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention relates to a multi-source aggregation query verification method, which is characterized in that verification methods are respectively designed for two stages of multi-source aggregation query, for the first stage, an expression accumulator technology is combined with a multi-level multi-dimensional grid tree to construct an MDG accumulation tree, meanwhile, a root abstract signature of the MDG accumulation tree is signed by utilizing a polymerizable signature, a cloud service provider processes the first stage of aggregation query according to the MDG accumulation tree to generate a range screening result and a verification object, the range screening result and the verification object are subjected to aggregation treatment of an edge server and then are subjected to verification by a client, for the second stage, a bilinear mapping accumulator technology is utilized to generate a query result and a verification, and finally, the query result and the verification result are subjected to aggregation treatment of the edge server and then are subjected to verification by the client.
Description
Technical Field
The invention belongs to the field of cloud computing security, and particularly relates to a verification method for multi-source aggregation query.
Background
With the explosion of large data on the internet, some data owners lack resources for data management, and then choose to outsource the data to a third party service provider. The service provider has sufficient hardware, software, and network resource management databases and can process client-initiated queries. But the service provider is not trusted, the outsourced data may be corrupted by malware or security intrusion, or malicious internals modify the program and/or query results. It is therefore important that the user be able to verify the correctness and integrity of the results.
Aggregate queries are an important type of query whose query results can be used for data analysis. The aggregation inquiry is mainly divided into two stages, wherein the first stage is a screening stage, namely, range screening is carried out through the non-sensitive attribute of the data set, and the second stage is an inquiry stage, namely, count, sum, min, max and other inquiry is carried out on the sensitive attribute of the screened object.
Most of the current studies of verifiable queries for outsourced data are single-source, namely only one data owner, and multi-source verifiable query studies only show verifiable range queries and verifiable keyword searches. However, considering an application scenario in which each city uploads weather data to its corresponding third party cloud service provider, a weather research institution wants to query the highest temperatures of all cities in the region with longitude of 41.2 to 52.2 and latitude of 50.1 to 60.4, and the current research results are not suitable for the application scenario, a multi-source aggregation query verification method needs to be designed for the application scenario.
In view of the above, the present invention proposes a high-efficiency multi-source aggregated query verification scheme, and designs verification methods for two phases of aggregated query respectively, and simultaneously improves the overall performance of the present invention by reducing the computing overhead of the client while ensuring that the sensitive attribute of the data set is not revealed.
Disclosure of Invention
In order to solve the defects in the prior art, the invention provides a multi-source aggregation query verification method, and mainly aims to provide a verification method for aggregation query under an application scene of a multi-data-owner multi-cloud service provider, which can ensure the correctness and the integrity of a query result.
According to a first aspect of the present invention, there is provided a multi-source aggregated query verification method, characterized in that:
Step 10: the n data owners construct an authentication data structure ADS i for the respective data sets D i and upload D i and ADS i to the respective corresponding cloud service providers.
Wherein i epsilon [1, …, n ], the identity authentication data structure ADS i comprises a multi-level multi-dimensional mesh Tree MDG-Tree i, and the step 10 further comprises:
Step 10A: MDG-Tree i is constructed from the insensitive attributes of the objects in D i.
Step 10B: the data owner performs an initialization algorithm (Ω E, s) ≡setup (λ), inputs the security parameter λ, and outputs the private key s and the public key Ω E.
Step 20: when a client initiates a query Q, n cloud service providers respectively process the query Q, generate a query result and verification information and send the query result and verification information to an edge server;
Wherein the query result comprises a second-stage query result R i, and the verification information comprises a first-stage query verification information VO i, a second-stage query verification information pi i and a summary Step 20 comprises:
Step 20A: the service provider obtains a first-stage query result O i and first-stage query verification information VO i,Oi according to Q, wherein the first-stage query result O i and the first-stage query verification information VO i,Oi are a set of objects meeting preset screening conditions obtained by range query screening according to non-sensitive attributes in D i;
step 20B: the service provider models the sensitive attribute values of the objects in O i as a multiset A i, and executes a get summary algorithm Input A i、ΩE, output/>Executing a query algorithm { pi i,Ri}←Query(Ai,Q,ΩE), namely inputting A i、Q、ΩE, outputting R i and pi i;
Step 30: the edge server generates an aggregate query result and aggregate query verification information after aggregating n query results and verification information, and sends the aggregate query result and the aggregate query verification information to the client;
Wherein the aggregated query result comprises a second-stage aggregated query result R *, and the aggregated query verification information comprises a first-stage aggregated query verification information VO *, a second-stage aggregated query verification information pi * and an aggregated abstract Step 30 comprises:
Step 30A: the edge server reconstructs the root abstract of the { MDG-Tree 1,...,MDG-Treen } according to the { VO 1,...,VOn } sent by the n cloud service providers, verifies the root signatures of the multi-level multi-dimensional grid trees and generates VO * corresponding to the aggregated multi-level multi-dimensional grid Tree MDG * -Tree according to the { V0 1,...,VOn };
Step 30B: edge server executing aggregation algorithm I.e. input pi, i e n, ri, i e n and pi, i e n sent by n cloud service providers, output R *、π* and/>
Step 40: the client verifies the correctness and the integrity of the aggregated query result according to the aggregated query verification information, and the method comprises the following steps:
Step 40A: the client verifies whether the first-stage query result O i is in the query range according to the VO * and the rest of objects except O i in the database are not in the query range, restores the root abstract of the MDG * -Tree according to the VO * and judges whether the restored root abstract is correct,
Step 40B: client side execution verification algorithmI.e. input/>Q, R *、π* and Ω E, output the verification result either correct accept or incorrect reject.
Further, the method for verifying the aggregated query provided by the invention is characterized in that step 10A includes:
step 10A1: the data owner builds all nodes of the MDG-Tree i according to the insensitive attribute of the object in the D i;
D i has D-dimensional insensitive attribute, D i is regarded as a D-dimensional cube and is used as a root node of MDG-Tree i, then the root node is divided into 2 d subcubes with the same size and is used as a next-layer subcode, each subcube is divided into 2 d subcubes with the same size and is used as a next-layer subcode, and iteration is continued until the size of a certain-layer subcube reaches preset fine granularity;
Step 10A2: the data owner calculates the abstract for the MDG-Tree i node from bottom to top; wherein each node of the MDG-Tree i corresponds to a digest,
The summary of the MDG-Tree i leaf nodes is:
Wherein C j is a set of sub-entries of the jth leaf node, LOC k is a combination of non-sensitive attributes corresponding to the kth sub-entry, X j is a set of sensitive attributes corresponding to the sub-entry of the jth leaf node, G is a generator of a cyclic multiplication group G of prime order p, ACC is a bilinear map accumulator, and the accumulated value of the set X j is calculated: is from/> And a selected random value, is added to the shared key SK, which is known only to the data owner and the client,A cyclic multiplication group of order p-1;
the summary of the MDG-Tree i non-leaf nodes is:
wherein C h is the sub-node set of the h non-leaf node;
step 10A3: the data owner signs the root node digest of the MDG-Tree i with an RSA signature;
Wherein n data owners generate a multi-source authentication key { ss 1,…,ssn } based on a preset key svkey from RSA public key Ω R = (f, u) and RSA private key sk= (f, v), wherein, F is the product of two random large prime numbers p 1 and p 2, u and v satisfying u·v=1mod ((p 1-1)(p2 -1)), the ith data owner generates signature/>, using root digest dig 0 (i) with RSA homomorphic signature MDG-Tree i Adding (svkey, SK) to the shared key SK, adding Ω R to the public parameter params, which is known to all parties in the application scenario.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that step 20A includes:
The service provider starts to process the range query from the root node of the MDG-Tree i according to Q, and O and VO are obtained through depth-first traversal;
Wherein O comprises child entries of leaf nodes contained by Q;
VO includes: cube border gb and abstract dig corresponding to non-leaf nodes not included by Q, gb, ACC (X) corresponding to leaf nodes not included by Q, and LOC of all sub-entries thereof, gb, ACC (X) corresponding to leaf nodes included by Q, and LOC of all sub-entries thereof;
The service provider generates a sensitive attribute set { A 1,...An } according to { O 1,...On };
{ ss 1,…,ssn } and { VO 1,...VOn } are sent by the service provider to the edge server.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that step 30A includes:
the edge server determines the equation Whether or not the root digest of the MDG-Tree i matches the signature of the corresponding data owner is immediately verified, and whether or not the aggregate signature/>, which can be obtained by the trailing edge server, is verified
SIG * is sent by the edge server to the client along with VO *.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that step 40A includes:
The client verifies whether the first-stage query result O i is in the query range according to the gb and LOC information in the VO * and the rest of objects except O i in the database are not in the query range;
The client restores the root digest of the MDG * -Tree by recursively reconstructing the digests of leaf and non-leaf nodes to the root level according to VO *, and according to It is checked whether the reconstructed root digest is correct.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that step 10B includes:
(Ω E, s) ≡setup (λ), calculation Wherein pub= (p, G T, e, G) is generated by a bilinear pairing parameter generator according to λ, G and G T are cyclic multiplications of two prime orders p, G is the generator of G, e: gxg→g T is a bilinear pairing, [ q ] is all sensitive attributes, [ Ω E ] is added as a verification related parameter to the public parameter params;
step 20B includes: In/> By two elements/>Composition of which Wherein: /(I)U max is the maximum of all dataset sensitive properties.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that when the query Q initiated by the client is a COUNT query COUNT:
Step 20B includes: { pi i,Ri}←Query(Ai,Q,ΩE) calculates a i(x)=(Ai(x)-Ai (1))/(x-1), and outputs R i=Ai (1), wherein A i (1) is the number of elements in A i;
step 30B includes: Output R *=R1+R2+…+Rn,π*=π1×π2×…×πn,/> Only get/>
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that when the query Q initiated by the client is a SUM query SUM:
step 20B includes: { pi i,Ri}←Query(Ai,Q,ΩE) calculate b i(c)=(Ai(x)-Ai(1)-A′i(1)(c-1))/(x-1)2, Pi b=Ai (1), pi i=(πai,πbi),Ri=A′i (1) is output, where a' i (1) is the sum of the element values in a i;
step 30B includes: Calculation/> The output R *=R1+R2+…+Rn is provided with a signal, Only get/>
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that when the query Q initiated by the client is the minimum query MIN:
step 20B includes: { pi i,Ri}←Query(Ai,Q,ΩE) output R i=mini, Wherein min i is the minimum of a i, i.e. the lowest order of s in a i(s);
step 30B includes: output R *=MIN(R1,R2,…Rn)/> Only get/>
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that when the query Q initiated by the client is the maximum value query MAX:
Step 20B includes: { pi i,Ri}←Query(Ai,Q,ΩE) output R i=maxi, Where max i is the maximum of a i, i.e. the lowest order of s in B i(s);
step 30B includes: output R *=MAX(R1,R2,…Rn)/> Only get/>
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
Compared with the prior art, the invention has high efficiency and safety, and the main functions of the invention are as follows:
(1) Designing an aggregate cumulative tree structure for verifying the first stage of aggregate query in a multi-source scene;
(2) Utilizing bilinear mapping accumulator technology to design a set of verification technology for Count, sum, max, min inquiry of the second stage of aggregation inquiry in a multi-source scene;
(3) The verifiable multi-source aggregation query scheme is provided, and the correctness and the integrity of the query result can be ensured.
The beneficial effects of the invention are as follows:
(1) The method is suitable for application scenes of multi-data owner multi-cloud service providers, respectively designs verification methods for two stages of aggregation query, and is also the first invention capable of carrying out multi-source aggregation query verification.
(2) The method has high efficiency, and improves the overall performance of the scheme by reducing the calculation load of the client as much as possible.
(3) The invention has security, once attacked by the adversary model, errors can be found through the verification of the client.
(4) The method has privacy, and the client cannot know the sensitive attribute of the data set through inquiry, so that the privacy of the sensitive attribute is protected.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a schematic diagram of a system model shown in accordance with an exemplary embodiment.
Fig. 2 is a schematic diagram illustrating a process of constructing an MDG cumulative tree according to an exemplary embodiment.
Fig. 3 is a schematic diagram illustrating a process of MDG cumulative tree merging, according to an example embodiment.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. In addition, the technical features of the embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
The invention designs a verification method aiming at two stages of the aggregation query respectively. For the first stage, we combine Multi-level Multi-dimensional mesh Tree (Multi-Dimensional Grid Tree, abbreviated as MDG-Tree) and cumulative value technique to construct MDG cumulative Tree as identity authentication data structure (Authenticated Data Structure, abbreviated as ADS), cloud service provider processes the first stage of aggregated query according to ADS, and generates range screening result and verification object (Verification Object, abbreviated as VO) for client verification. For the second stage, we mainly use bilinear map accumulator technology to generate query results and certificates, which are finally validated by the client.
The system flow of the invention is shown in figure 1, and specifically comprises the following steps:
Step 10: the n data owners construct an authentication data structure ADS i for the respective data sets D i and upload D i and ADS i to the respective corresponding cloud service providers.
Step 20: when the client initiates the query Q, n cloud service providers respectively process the query Q, generate a query result and verification information, and send the query result and verification information to the edge server.
Wherein the query result comprises a second-stage query result R i, and the verification information comprises a first-stage query verification information VO i, a second-stage query verification information pi i and a summary
Step 30: and the edge server aggregates the n inquiry results and the verification information to generate an aggregated inquiry result and aggregated inquiry verification information, and sends the aggregated inquiry result and the aggregated inquiry verification information to the client.
Wherein the aggregated query result comprises a second-stage aggregated query result R *, and the aggregated query verification information comprises a first-stage aggregated query verification information VO *, a second-stage aggregated query verification information pi * and an aggregated abstract
Step 40: and the client verifies the correctness and the integrity of the aggregated query result according to the aggregated query verification information.
The verification flow of the first stage of the aggregate query is as follows:
Step 10A: MDG-Tree i is constructed from the insensitive attributes of the objects in D i.
Step 20A: the service provider obtains a first-stage query result O i and first-stage query verification information VO i,Oi according to Q, where the set of objects meeting the preset screening conditions is obtained by performing range query screening according to the non-sensitive attribute in D i.
Step 30A: the edge server reconstructs the root abstract of the { MDG-Tree 1,...,MDG-Treen } according to the { VO 1,...,VOn } sent by the n cloud service providers, verifies the root signatures of the multi-level multi-dimensional grid trees and generates VO * corresponding to the aggregated multi-level multi-dimensional grid Tree MDG * -Tree according to the { VO 1,...,VOn }.
Step 40A: the client verifies whether the first-stage query result O i is in the query range according to the VO *, and other objects except O i in the database are not in the query range, restores the root abstract of the MDG * -Tree according to the VO *, and judges whether the restored root abstract is correct.
And the second stage of aggregation query models the sensitive attribute values of the objects screened in the first stage into multiple sets, and performs aggregation query on the multiple sets. The scheme consists of 5 PPT algorithms (an initialization algorithm, an acquisition summary algorithm, a query algorithm, an aggregation algorithm and a verification algorithm), and the second stage of aggregation query specifically comprises:
step 10B: the data owner performs an initialization algorithm (Ω E, s) ≡setup (λ), inputs the security parameter λ, and outputs the private key s and the public key Ω E.
Step 20B: the service provider models the sensitive attribute values of the objects in O i as a multiset A i, and executes a get summary algorithmInput A i、ΩE, output/>The query algorithm { pi i,Ri}←Query(Ai,Q,ΩE) is performed, input a i、Q、ΩE, output R i and pi i.
Step 30B: edge server executing aggregation algorithm I.e. input pi, i e n, ri, i e n and pi, i e n sent by n cloud service providers, output R *、π* and/>
Step 40B: client side execution verification algorithmI.e. input/>Q, R *、π* and Ω E, output the verification result either correct accept or incorrect reject.
According to the invention, after the client initiates the query, the edge server performs part of processing in advance, so that the client only needs to be verified for 1 time, the calculation load of the client is greatly reduced, and the overall performance of the scheme is improved.
The two-stage verification step of the multi-source aggregated query is described in detail below.
The non-sensitive attribute of the object in the data set is subjected to range query screening in the first stage of the aggregate query to obtain a part of objects meeting screening conditions, and the detailed steps of the first stage verification of the aggregate query are as follows:
step 10A includes:
step 10A1: the data owner builds all nodes of the MDG-Tree i according to the insensitive attribute of the object in the D i;
Wherein, D i has a D-dimensional insensitive attribute, D i is regarded as a D-dimensional cube and is used as a root node of the MDG-Tree i, then the root node is divided into 2 d subcubes with the same size and is used as a next-layer subcode, each subcube is divided into 2 d subcubes with the same size and is used as a next-layer subcode, and the iteration is continued until the size of a certain layer of subcubes reaches preset fine granularity. Fig. 2 illustrates the process of building an MDG cumulative tree based on 2-dimensional sensitive attributes with a preset fine granularity of 1.
Step 10A2: the data owner calculates the abstract for the MDG-Tree i node from bottom to top; wherein each node of the MDG-Tree i corresponds to a digest.
The summary of the MDG-Tree i leaf nodes is:
Wherein C j is a set of sub-entries of the jth leaf node, LOC k is a combination of non-sensitive attributes corresponding to the kth sub-entry, X j is a set of sensitive attributes corresponding to the sub-entry of the jth leaf node, G is a generator of a cyclic multiplication group G of prime order p, ACC is a bilinear map accumulator, and the accumulated value of the set X j is calculated: is from/> To the shared key SK, which is known only to the data owner and the client,Is a cyclic multiplication group of order p-1.
The summary of the MDG-Tree i non-leaf nodes is:
Wherein C h is the child node set of the h non-leaf node.
Step 10A3: the data owner signs the root node digest of the MDG-Tree i with the RSA signature.
Wherein n data owners generate a multi-source authentication key { ss 1,…,ssn } based on a preset key svkey from RSA public key Ω R = (f, u) and RSA private key sk= (f, v), wherein,F is the product of two random large prime numbers p 1 and p 2, u and v satisfying u·v=1mod ((p 1-1)(p2 -1)), the ith data owner generates signature/>, using root digest dig 0 (i) with RSA homomorphic signature MDG-Tree i Adding (svkey, SK) to the shared key SK, adding Ω R to the public parameter params, which is known to all parties in the application scenario.
Step 20A includes:
The service provider starts to process the range query from the root node of the MDG-Tree i according to Q, and O and VO are obtained through depth-first traversal;
Wherein O comprises child entries of leaf nodes contained by Q;
VO includes: cube border gb and abstract dig corresponding to non-leaf nodes not included by Q, gb, ACC (X) corresponding to leaf nodes not included by Q, and LOC of all sub-entries thereof, gb, ACC (X) corresponding to leaf nodes included by Q, and LOC of all sub-entries thereof;
The service provider generates a sensitive attribute set { A 1,...An } according to { O 1,...On };
{ ss 1,…,ssn } and { VO 1,...VOn } are sent by the service provider to the edge server.
Specifically, in some embodiments, the cloud service provider processes the range query as shown in the Algorithm algorism 1:
Step 30A includes:
the edge server determines the equation Whether or not it is established to verify whether or not the root digest of the MDG-Tree i matches the signature of the corresponding data owner, both verify that the aggregate signature/>, is available through the trailing edge server
And the edge server generates VO * corresponding to the MDG * -Tree according to the { VO 1,...,VOn }. Fig. 3 is an example of merging MDG-Tree.
The abstracts of the nodes of the MDG * -Tree are obtained by multiplying and calculating the abstracts of the nodes corresponding to the n MDG-Tree i;
SIG * is sent by the edge server to the client along with VO *.
Step 40A includes:
The client verifies from the gb and LOC information in VO * whether the first-stage query result O i is within the query scope and the rest of the objects in the database except O i are not within the query scope.
The client restores the root digest of the MDG * -Tree by recursively reconstructing the digests of leaf and non-leaf nodes to the root level according to VO *, and according toIt is checked whether the reconstructed root digest is correct.
The aggregate query second stage models the sensitive attribute values of the objects satisfying the screening condition in the first stage into multiple sets, and aggregate queries the multiple sets, and it is noted that each cloud service provider generates a multiple set a i. For example, the object screened by the cloud service provider E 1 in the first stage of query is { o 1,o2 }, where the attribute value corresponding to o 1 is (1, 2, 3), the attribute value corresponding to o 2 is (2, 4), and if the first two attributes are non-sensitive attributes and the last attribute is sensitive, the set a 1 modeled by E 1 is {3,4}.
The second stage mainly includes 5 algorithms: initializing algorithm (Ω E, s) ≡setup (λ), get summary algorithmQuery algorithm { pi i,Ri}←Query(Ai,Q,ΩE), aggregation algorithm/> Verification algorithm/> Specifically these algorithms are detailed as follows:
Step 10B includes: (Ω E, s) ≡setup (λ), calculation Wherein pub= (p, G T, e, G) is generated by a bilinear pairing parameter generator according to λ, G and G T are cyclic multiplications of two prime orders p, G is the generator of G, e: gxg→g T is a bilinear pairing, [ q ] is all sensitive properties, Ω E is added as verification related parameter to the public parameter params.
Step 20B includes: In/> By two elements/>Composition of which Wherein: /(I)U max is the maximum of all dataset sensitive properties.
The remaining three algorithms are presented below from the Count, sum, min, max queries:
when the query Q initiated by the client is the COUNT query COUNT:
Step 20B includes: { pi i,Ri}←Query(Ai,Q,ΩE) calculates a i(x)=(Ai(x)-Ai (1))/(x-1), and outputs R i=Ai (1), wherein A i (1) is the number of elements in A i.
Step 30B includes: Output R *=R1+R2+…+Rn,π*=π1×π2×…×πn,/> Only get/>
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
When the query Q initiated by the client is a SUM query SUM:
step 20B includes: { pi i,Ri}←Query(Ai,Q,ΩE) calculate b i(x)=(Ai(x)-Ai(1)-A′i(1)(x-1))/(x-1)2, Pi b=Ai (1), pi i=(πai,πbi),Ri=A′i (1), where A' i (1) is the sum of the element values in A i.
Step 30B includes: Calculation/> The output R *=R1+R2+…+Rn is provided with a signal, Only get/>
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that when the query Q initiated by the client is the minimum query MIN:
step 20B includes: { pi i,Ri}←Query(Ai,Q,ΩE) output R i=mini, Where min i is the minimum of A i, i.e., the lowest order of s in A i(s).
Step 30B includes: Output R *=MIN(OR1,R2,…Rn)/> Only get/>
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
Further, the multi-source aggregation query verification method provided by the invention is characterized in that when the query Q initiated by the client is the maximum value query MAX:
Step 20B includes: { pi i,Ri}←Query(Ai,Q,ΩE) output R i=maxi, Where max i is the maximum of a i, i.e. the lowest order of s in B i(s).
Step 30B includes: output R *=MAX(R1,R2,…Rn)/> Is only taken out of
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
In the Max and Min queries, to ensure security of the query, we provide the following steps of calculating pi *:
MIN query:
(1) The n cloud service providers send the minimum value (R 1,R2,…Rn) of each cloud service provider to an edge server, and the edge server calculates the minimum value v * in (R 1,R2,…Rn);
(2) The edge server sends R * to n cloud service providers, and calculates for the ith cloud service provider with the integral minimum value stored And send to edge server, for other cloud service provider, calculateAnd sending to an edge server, wherein j E [ n ]/i;
(3) The edge server calculates according to the newly received information
Max query:
(1) The n cloud service providers send the maximum value (R 1,R2,…Rn) of each cloud service provider to an edge server, and the edge server calculates the maximum value R * in (R 1,R2,…Rn);
(2) The edge server sends v * to n cloud service providers, and calculates for the ith cloud service provider that holds the overall maximum value And sent to an edge server, for other cloud service providers, calculate/>And sending to an edge server, wherein j E [ n ]/i;
(3) The edge server calculates according to the newly received information
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the invention is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the invention is limited only by the appended claims.
Claims (10)
1. A multi-source aggregation query verification method is characterized in that:
Step 10: the individual data owners are the respective data sets/> Construction of an identity authentication data Structure/>And will/>And/>Uploading to respective corresponding cloud service providers;
wherein, The identity authentication data structure/>Including multi-level multidimensional grid tree/>The step 10 further includes:
Step 10A: according to Non-sensitive attribute construction/>, of a medium object,
Step 10B: the data owner performs an initialization algorithmInput of security parameters/>Output private key/>And public key/>;
Step 20: when a client initiates a queryTime,/>Each of the cloud service providers processes queries/>, respectivelyGenerating a query result and verification information and sending the query result and the verification information to an edge server;
Wherein the query results include second-stage query results The verification information comprises first-stage query verification information/>Second stage query verification information/>Sum abstract/>The step 20 includes:
Step 20A: the service provider is according to Obtain the first-stage query result/>And said first-stage query verification information/>,/>Is at/>According to the non-sensitive attribute, carrying out range query screening to obtain a set of objects meeting preset screening conditions;
Step 20B: the service provider will Sensitive attribute values of the medium object are modeled as multiple sets/>Executing the algorithm for obtaining the abstractI.e. input/>、/>Output/>Execute query algorithm/>I.e. input/>、/>、/>Output/>And/>;
Step 30: the edge server aggregates n inquiry results and verification information to generate an aggregated inquiry result and aggregated inquiry verification information, and sends the aggregated inquiry result and the aggregated inquiry verification information to the client;
wherein the aggregated query results include second stage aggregated query results The aggregated query verification information comprises first-stage aggregated query verification information/>Second stage aggregate query verification information/>And syndication summary/>The step 30 includes:
Step 30A: the edge server sends the data according to n cloud service providers Reconstruction ofRoot digests of these multi-level multidimensional trellis trees, and verifies root signatures based onGenerating an aggregated multi-level multidimensional grid tree/>Corresponding/>;
Step 30B: the edge server executes an aggregation algorithmI.e. input of/>, sent by n of said cloud service providers、/>And/>Output/>、/>And/>;
Step 40: the client verifies the correctness and the integrity of the aggregated query result according to the aggregated query verification information, and the method comprises the following steps:
step 40A: the client side is according to Validating the first-stage query result/>Whether or not it is within the query and in the databaseThe other objects are not in the query scope according to/>Reduction/>And determines whether the reconstructed root digest is correct,
Step 40B: the client executes a verification algorithmI.e. input/>,/>,/>、/>And/>Output verification result correct/>Or incorrect/>。
2. The method of aggregate query verification as claimed in claim 1, wherein said step 10A comprises:
step 10A1: the data owner according to Non-sensitive attribute construction/>, of a medium objectIs defined by the network, is a node of the network;
wherein, Having a d-dimensional non-sensitive property, will/>Considered as a d-dimensional cube, as/>Then dividing the root node into 2 d subcubes with the same size as the next layer of subcubes, dividing each subcube into 2 d subcubes with the same size as the next layer of subcubes, and continuously iterating until the size of one layer of subcubes reaches the preset fine granularity;
Step 10A2: the data owner is from bottom to top Node computing abstract; wherein/>Corresponds to a summary,
The summary of the leaf nodes is:
wherein/> For/>Child entry set of individual leaf nodes,/>For/>Federation of non-sensitive attributes corresponding to child entries,/>For/>Set of sensitive attributes corresponding to child entries of individual leaf nodes,/>Is a cyclic multiplication group/>, of prime order pIs a generator of/>For bilinear map accumulator, calculate the information about the set/>Is a cumulative value of (2):,/> is from/> Is added to the shared key SK, which is known only to the data owner and client,/>A cyclic multiplication group of order p-1;
The abstract of the non-leaf nodes is:
,
wherein, For/>A set of child nodes of the non-leaf nodes;
Step 10A3: the data owner uses RSA signature pairs Signing the root node abstract of (a);
Wherein, Each of the data owners is based on RSA public key/>And RSA private key/>Based on preset key/>Generating a multisource authentication key/>Wherein/>F is two random large prime numbersAnd/>And u and v satisfy/>First/>Each of the data owners is signed/>, using RSA homomorphic signaturesRoot abstract/>Generating signatures/>Will/>Joining the shared key SK, will/>And adding a public parameter params which is known to all parties in the application scene.
3. The multi-source aggregated query verification method of claim 2, wherein the step 20A comprises:
The service provider is according to From/>The root node of (1) starts to process the range query, and the/>, is obtained through depth-first traversalAnd/>;
Wherein,Including quilt/>Child entries of leaf nodes involved;
comprising the following steps: is not/> Cube border/>, corresponding to included non-leaf nodesSum abstract/>Is not/>Included leaf node corresponding/>、/>And/>, all sub-entries thereofIs/>Included leaf node corresponding/>、/>And/>, all sub-entries thereof;
The service provider is according toGenerating sensitive attribute set/>;
And/>Is sent by the service provider to the edge server.
4. The multi-source aggregated query verification method of claim 3, wherein said step 30A comprises:
The edge server determines the equation Whether or not to establish/>Whether the root digest of (1) matches the signature of the corresponding data owner or not, verifies that the aggregate signature/>, can be obtained by the back edge server;
And/>Together sent by the edge server to the client.
5. The method of multi-source aggregated query verification according to claim 4, wherein said step 40A comprises:
The client side is according to In/>And/>Information to validate the first stage query results/>Whether or not it is within the query and in the databaseThe other objects are not in the query range;
The client side is according to Restoring by recursively reconstructing summaries of leaf and non-leaf nodes up to root levelRoot abstract of (a) and according to/>It is checked whether the reconstructed root digest is correct.
6. The multi-source aggregated query verification method according to any one of claims 2-5, wherein said step 10B comprises:
In, calculate/> Wherein/>According to/>, by a bilinear pairing parameter generatorGeneration of/>Is a cyclic multiplication group of two prime orders p,/>Is/>Is used for generating the generation element of (a),Is a bilinear pairing,/>For all sensitive properties,/>Adding a public parameter params as a verification related parameter;
the step 20B includes: In/> By two elements [/>)Composition of ],/>Wherein: /(I),/>,/>Is the maximum of all data set sensitive properties.
7. The multi-source aggregated query verification method of claim 6, wherein when the client-initiated queryQuery COUNT for COUNTs:
step 20B includes: Calculation/> Output of,/>=/>Wherein/>For/>The number of elements in the matrix;
step 30B includes: Output of ,/>,/>Only get/>;
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
8. The multi-source aggregated query verification method of claim 6, wherein when the client-initiated queryTo query SUM for summation:
step 20B includes: Calculation/> ,,/>(1) Output/>,/>Wherein/>For/>Sum of the element values in (a);
step 30B includes: Calculation of ,/>Output/>,,/>Only get/>;
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
9. The multi-source aggregated query verification method of claim 6, wherein when the client-initiated query Q is a minimum query MIN:
step 20B includes: output/> ,/>Wherein/>Is/>Is the minimum of/>The lowest order of s;
step 30B includes: Output of ,/>,/>Only get/>;
Step 40B includes: judging the time/> The accept is output when true, otherwise the reject is output.
10. The multi-source aggregated query verification method of claim 6, wherein when the client-initiated query Q is a maximum value query MAX:
step 20B includes: output/> ,/>Wherein/>Is/>Maximum value of/>The lowest order of s;
step 30B includes: Output of ,/>,/>Only get/>;
Step 40B includes: Judging when it is
The accept is output when true, otherwise the reject is output.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211037547.XA CN115426117B (en) | 2022-08-26 | 2022-08-26 | Multisource aggregation query verification method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211037547.XA CN115426117B (en) | 2022-08-26 | 2022-08-26 | Multisource aggregation query verification method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115426117A CN115426117A (en) | 2022-12-02 |
| CN115426117B true CN115426117B (en) | 2024-04-26 |
Family
ID=84199509
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211037547.XA Active CN115426117B (en) | 2022-08-26 | 2022-08-26 | Multisource aggregation query verification method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115426117B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9049185B1 (en) * | 2013-03-14 | 2015-06-02 | Emc Corporation | Authenticated hierarchical set operations and applications |
| CN109800235A (en) * | 2019-01-28 | 2019-05-24 | 东北大学 | A kind of Outsourced database full operation inquiry validation system and method based on certification tree |
| CN112804050A (en) * | 2021-04-14 | 2021-05-14 | 湖南大学 | Multi-source data query system and method |
| WO2022082893A1 (en) * | 2020-10-22 | 2022-04-28 | 香港中文大学(深圳) | Privacy blockchain-based internet of vehicles protection method, and mobile terminal |
| CN114417419A (en) * | 2022-01-24 | 2022-04-29 | 哈尔滨工业大学(深圳) | Outsourcing cloud storage medical data aggregation method with security authorization and privacy protection |
-
2022
- 2022-08-26 CN CN202211037547.XA patent/CN115426117B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9049185B1 (en) * | 2013-03-14 | 2015-06-02 | Emc Corporation | Authenticated hierarchical set operations and applications |
| CN109800235A (en) * | 2019-01-28 | 2019-05-24 | 东北大学 | A kind of Outsourced database full operation inquiry validation system and method based on certification tree |
| WO2022082893A1 (en) * | 2020-10-22 | 2022-04-28 | 香港中文大学(深圳) | Privacy blockchain-based internet of vehicles protection method, and mobile terminal |
| CN112804050A (en) * | 2021-04-14 | 2021-05-14 | 湖南大学 | Multi-source data query system and method |
| CN114417419A (en) * | 2022-01-24 | 2022-04-29 | 哈尔滨工业大学(深圳) | Outsourcing cloud storage medical data aggregation method with security authorization and privacy protection |
Non-Patent Citations (2)
| Title |
|---|
| A Type of Virtual Force-Based Energy-Hole Mitigation Strategy for Sensor Networks;Chao Sha等;《IEEE》;20201231;全文 * |
| 基于认证树的外包数据库连接查询验证方案;侯林;冯达;玄鹏开;周福才;;信息网络安全;20200210(第02期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115426117A (en) | 2022-12-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Zhang et al. | Gem^ 2-tree: A gas-efficient structure for authenticated range queries in blockchain | |
| Yue et al. | Blockchain based data integrity verification in P2P cloud storage | |
| Hu et al. | Spatial query integrity with voronoi neighbors | |
| Papamanthou et al. | Authenticated hash tables | |
| US8726034B2 (en) | Cryptographic accumulators for authenticated hash tables | |
| Mao et al. | A position-aware Merkle tree for dynamic cloud data integrity verification | |
| Esiner et al. | Flexdpdp: Flexlist-based optimized dynamic provable data possession | |
| US8572385B2 (en) | System and method for optimal verification of operations on dynamic sets | |
| Zheng et al. | Efficient query integrity for outsourced dynamic databases | |
| CN106897368B (en) | Merkle Hash summation tree and verifiable database updating operation method thereof | |
| US9152716B1 (en) | Techniques for verifying search results over a distributed collection | |
| CN109088719B (en) | Outsourced database multi-key word can verify that cipher text searching method, data processing system | |
| CN107451281B (en) | Outsourcing database SQL query integrity verification system and method based on ADS | |
| Tamassia et al. | Certification and Authentication of Data Structures. | |
| Li et al. | MMB $^{cloud} $-Tree: Authenticated index for verifiable cloud service selection | |
| Goodrich et al. | Efficient verification of web-content searching through authenticated web crawlers | |
| Papadopoulos et al. | Authenticated multistep nearest neighbor search | |
| Xu et al. | Efficient public blockchain client for lightweight users | |
| Zhang et al. | Integrity authentication for SQL query evaluation on outsourced databases: A survey | |
| Reddy | securePrune: Secure block pruning in UTXO based blockchains using Accumulators | |
| Dong et al. | Result integrity verification of outsourced frequent itemset mining | |
| CN115426117B (en) | Multisource aggregation query verification method | |
| Zhou et al. | Evss: An efficient verifiable search scheme over encrypted cloud data | |
| Chen et al. | Ensuring dynamic data integrity with public auditability for cloud storage | |
| WO2019070227A1 (en) | Device authentication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |