CN103425941B - The verification method of cloud storage data integrity, equipment and server - Google Patents

Abstract

The present invention provides the verification method of a kind of cloud storage data integrity, including: generate the identifier of file to be stored, described file is carried out coding simultaneously and obtain multiple module file；Utilize user's public-key cryptography and private cipher key that each module file is calculated the authenticating tag of each module file, each authenticating tag is generated authentication in open data；Described identifier, module file and authenticating tag are submitted to server；Generate file integrality inquiry request, send described inquiry request to server, receive what described server returned, utilize the report information of the described file of the authenticating tag generation that user's public-key cryptography, identifier, module file are corresponding with module file；Utilize report information described in user's public-key cryptography and described authentication in open data verification.The present invention also provides for checking equipment and the authentication server of correspondence, and the integrity of cloud storage data can carry out open checking.

Description

The verification method of cloud storage data integrity, equipment and server

Technical field

The present invention relates to cloud storage technical field, particularly relate to the verification method of a kind of cloud storage data integrity, one Plant the checking equipment of cloud storage data integrity, and the authentication server of a kind of cloud storage data integrity.

Background technology

Cloud storage is that storage resource is put on network the emerging scheme of one for people's access, with traditional storage mode phase Ratio, cloud storage is with in economy, and the aspect such as scale and management has the advantage can not ignore.Such as, when a client is because of it Locally stored space is the least and when cannot store substantial amounts of data file, client's be not required to upgrade oneself facility such as hardware comes Solving this problem, only need to spend rational expense, the data of these magnanimity are stored cloud storage service supplier is provided High in the clouds just can save many unnecessary worries.Although the facility that cloud storage is brought is apparent from, but therewith The safety issue produced but be can not ignore, for saving resource or consideration economically, server likely delete or The file that amendment user is uploaded.Therefore, the data file for a careful cloud storage user, to storage to high in the clouds Carry out integrity verification most important.

Assume that some data files are stored high in the clouds by upload user, and delete these literary compositions having stored high in the clouds in this locality Part, and the file that high in the clouds is arrived in these storages is shared by other user, so now these store the shared user of files All can carry out the integrity verification of file independently.In other words, (as at train or aircraft in the sight that some is special On), upload user in person cannot store the data file in high in the clouds and carry out integrity verification him.Now this upload user must not A trusted party (relatives, friend or subordinate) is not entrusted to carry out the integrity verification of high in the clouds storage file for him.Above-mentioned In situation, upload user in order to allow other entities that its storage to the data file in high in the clouds can carry out integrity verification, and incite somebody to action The private key of oneself is sent to other people way and there will naturally be great potential safety hazard.Therefore, it is necessary to design one is supported open The storage proof scheme of certification, solves above-mentioned safety problem.

Ateniese et al. give first open can the definition of certificate scheme, and storage proof problem is formally described (PDP) problem is stored for evincible data.But the authentication in open PDP scheme that they propose leading at cloud storage server end Letter is dissatisfactory with computational efficiency aspect.

Juels Yu Kaliski proposes first concept proving (POR) about time taking property, and the POR system to safety It is described in detail.Briefly, in the POR system of a safety, if a cloud storage server is for user Sent out its inquiry to return a correct response and make this user accept, then user enters in polynomial time with server After row is repeatedly mutual, from these interactive information, user can recover original data file.The first string that document is mentioned Not there is open confirmability (only supporting private key certification), and only support the certification of predefined constant number of times；Second side Although case can not limit the authentication in open of number of times, but O (l) is individual to be recognized to require server to send in certification interaction Card value.

Giving two effective POR schemes as Shacham with Waters, wherein the first string only supports that private key is recognized Card, second scheme be open can certification, but the two scheme is the highest with the calculation cost of cloud server end user.

Additionally, utilize homomorphism cryptographic methods, XuJia proposes several POR scheme.But these schemes the most only support private Key certification.AlptekinKupcu proposes first effective complete dynamically PDP scheme, and user is stored in the file in high in the clouds to it It is updated operation, and remains able to carry out the integrated authentication of file.But their scheme expands to support that disclosure can certification Time, higher calculating and communication cost can be produced.Give a disclosure as Yuan Jiawei and Yu Shucheng can recognize The POR scheme of card, utilizes the multinomial commitment scheme of a safety, the communication cost that their scheme acquirement is fixed, but he Scheme but need server to carry out exponent arithmetic repeatedly.

Summary of the invention

Based on this, the present invention provides the verification method of a kind of cloud storage data integrity, checking equipment and authentication server, The integrity of cloud storage data can be carried out open checking.

The verification method of a kind of cloud storage data integrity, comprises the steps:

Generate the identifier of file to be stored, described file is carried out coding simultaneously and obtain multiple module file；

Utilize user's public-key cryptography and private cipher key that each module file is calculated each module file to recognize Card label, generates authentication in open data to each authenticating tag；

Described identifier, module file and authenticating tag are submitted to server；

Generate file integrality inquiry request, send described inquiry request to server, receive what described server returned, Utilize the report of the described file of the authenticating tag generation that user's public-key cryptography, identifier, module file are corresponding with module file Information；

Utilize report information described in user's public-key cryptography and described authentication in open data verification.

The verification method of a kind of cloud storage data integrity, comprises the steps:

Receive identifier, module file and the authenticating tag corresponding with module file of user side transmission and store；

Receive the file integrality inquiry request that user side sends, utilize file integrality inquiry request, public affairs described in user Open key, authenticating tag that identifier, module file are corresponding with module file generates report information and feeds back to described user side, with Verify for described user side.

A kind of checking equipment of cloud storage data integrity, including:

Coding module, for generating the identifier of file to be stored, carries out module coding to described file simultaneously and obtains many Individual module file；

Generation module, is used for utilizing user's public-key cryptography and private cipher key to be calculated each to each module file The authenticating tag of module file, generates authentication in open data to each authenticating tag；

Submit module to, for described identifier, module file and authenticating tag are submitted to server；

Enquiry module, is used for generating file integrality inquiry request, sends described inquiry request to server, receives described Server returns, and utilizes the institute that the authenticating tag that user's public-key cryptography, identifier, module file are corresponding with module file generates State the report information of file；

Authentication module, is used for utilizing report information described in user's public-key cryptography and described authentication in open data verification.

A kind of authentication server of cloud storage data integrity, including:

Receiver module, for receiving identifier, module file and the certification mark corresponding with module file that user side sends Sign and store；

Feedback module, for receiving the file integrality inquiry request that user side sends, utilizes file described in user complete Property inquiry request, public-key cryptography, authenticating tag that identifier, module file are corresponding with module file generate report information and feed back to Described user side, verifies for described user side.

Verification method, equipment and the server of above-mentioned cloud storage data integrity, user is by the mould obtained after coding Block file is authenticated recognizing of the calculating of label, regeneration authentication in open data, server memory module file and module file Card label, when needs carry out file verification, it is not necessary to providing the private information of user, server may utilize user's public-key cryptography pair The module file of storage and authenticating tag generate report information, and verifier verifies report information with user's public-key cryptography again, it is achieved The authentication in open of cloud storage data integrity；The present invention allow arbitrary authority checking person without obtaining the private information of user, Just the data file that user can be stored in high in the clouds carries out integrity verification, and need not download file.

Accompanying drawing explanation

Fig. 1 is the verification method of cloud storage data integrity of the present invention schematic flow sheet in embodiment one.

Fig. 2 is the verification method of cloud storage data integrity of the present invention schematic flow sheet in embodiment two.

Fig. 3 is the verification method of cloud storage data integrity of the present invention schematic flow sheet in embodiment three.

Fig. 4 is the checking equipment of cloud storage data integrity of the present invention structural representation in embodiment four.

Fig. 5 is the authentication server of cloud storage data integrity of the present invention structural representation in embodiment five.

Detailed description of the invention

Below in conjunction with embodiment and accompanying drawing, the present invention is described in further detail, but embodiments of the present invention are not limited to This.

The present invention program can include three class participants: user, Cloud Server and verifier.Some file is stored by user To Cloud Server, and delete these files in this locality.Cloud Server lays claim to ability and intactly stores the data file of client.Test Card person has permission and client is stored in the data file of Cloud Server carries out integrity verification, and need not the secret number of client According to.

Embodiment one

As it is shown in figure 1, be the verification method schematic flow sheet in the present embodiment of cloud storage data integrity of the present invention, Illustrate as a example by the handling process of user side in the present embodiment, comprise the steps:

S11, the identifier of generation file to be stored, carry out coding to described file simultaneously and obtain multiple module file；

S12, utilize user's public-key cryptography and private cipher key that each module file is calculated each module file Authenticating tag, to each authenticating tag generate authentication in open data；

S13, described identifier, module file and authenticating tag are submitted to server；

S14, generation file integrality inquiry request, send described inquiry request to server, receive described server and return Return, utilize the described file of the authenticating tag generation that user's public-key cryptography, identifier, module file are corresponding with module file Report information；

S15, utilize report information described in user's public-key cryptography and described authentication in open data verification.

In step s 11, user needs file is carried out pretreatment before upper transmitting file to Cloud Server, generates described file Identifier；Again file F to be stored being carried out module, rate-ρ algorithm can be used to process, user first arranges system ginseng Number ρ ∈ (0,1), the error correcting code of application rate-ρ encodes and generates multiple module file (F to data file F₀,…, F_n-1) so that each module F_i∈{0,1}^mλ, and arbitrary n module F of ρ_iAll can recover original data file F, its Middle n is total number of described module file.

In the present embodiment, the public-key cryptography of user and private cipher key can be generated by RSA key generating algorithm, specifically Generation step as follows:

Upload user randomly selects a λ bits RSA modulus N=pq so that It it is all element Count, and p, q have identical bit long；

OrderWherein(N) it is Euler's function, represents and be not more than N and coprime with N The number of positive integer；

From QR_NIn randomly select one generate unit g, wherein QR_NRepresent the quadratic residue subgroup of mould N；

Randomly selectWherein,Represent withCoprime and at mouldUnder residue class；

From pseudo-random function race { PRF_seed:{0,1}^2λ→Z_φ(N)Key space in randomly select a seed seed；

Make g_τ=g^τ, PKI is pk=(N, g, g_τ), private key is sk=(p, q, τ, seed).

Wherein in an embodiment, the identifier of described file meets constraints id ∈ { 0,1}^λ, wherein, id is institute Stating identifier, λ is the bit long of modulus in user's public-key cryptography.

Obtain multiple module file F_iAfter, user need to utilize public-key cryptography and private cipher key to calculate recognizing of each module file Card label, more each authenticating tag is generated authentication in open data；

The described user's of utilization public-key cryptography and private cipher key are calculated each module literary composition to the file of each module The step of the authenticating tag of part can be:

According to the following formula described authenticating tag of generation:

Wherein, i is the numbering of module file, F_iFor i-th module file, σ_iFor the authenticating tag that module file i is corresponding, τ For the random number in user's private cipher key, PRF_seedFor the pseudo random number that random seed seed in user's private cipher key is corresponding, i ∈ [0, n-1], n is total number of described module file, and N is the modulus in user's public-key cryptography.

The described step to each authenticating tag generation authentication in open data can be:

According to the following formula each authentication in open data of generation:

$g_i=g^{{\mathrm{PRF}}_{\mathrm{seed}}\left(\mathrm{id}\right|\left|i\right)}$

Wherein, g_iFor the authentication in open data of i-th module file, g is the generation unit in user's public-key cryptography.

After processing module file, the upper transmitting file of user is to Cloud Server, and in step s 13, user submits to cloud The data of server only need to include the authenticating tag of identifier, module file and correspondence thereof；I.e. cloud user can be by It is sent to server, and only local storage (id, n) and openWherein $g^{\mathrm{\σ}}={\mathrm{\Π}}_{i\∈C}{\left(g_i\right)}^{v_i}{g}_{\mathrm{\τ}}^M\mathrm{mod}N$

After data are submitted to successfully, verifier can generate file integrality inquiry request, sends inquiry request to server, Receive the report information that server returns；Finally checking this report information, it is judged that the integrity of data；

Wherein in an embodiment, the step of described generation file integrality inquiry request can be:

Randomly select the subset that scale is | C |=lTo each i ∈ C, fromIn random Choose weight ν_i, described inquiry request is { (i, ν_i):i∈C}.；

The step of described checking report information is:

Judge whether following equalities is set up:

$g^{\mathrm{\σ}}={\mathrm{\Π}}_{i\∈C}{\left(g_i\right)}^{v_i}{g}_{\mathrm{\τ}}^M\mathrm{mod}N$

Wherein, described report information is (M, σ), M=Σ_i∈Cν_iF_iModN, σ=Σ_i∈Cν_iσ_iModN, i are described module literary composition The numbering of part,N is total number of described module file, ν_iFor the random weight that numbering i is corresponding, F_iFor i-th Module file, N is the modulus in user's public-key cryptography, σ_iFor the authenticating tag that i-th module file is corresponding；

If setting up, the storage of the most described file is complete；If being false, the storage of the most described file is imperfect.

Embodiment two

As in figure 2 it is shown, be the verification method schematic flow sheet in the present embodiment of cloud storage data integrity of the present invention, Illustrate as a example by the handling process of Cloud Server in the present embodiment, comprise the steps:

S22, identifier, module file and the authenticating tag corresponding with module file of reception user side transmission also store；

The file integrality inquiry request that S23, reception user side send, utilizes file integrality inquiry described in user to ask Ask, authenticating tag that public-key cryptography, identifier, module file are corresponding with module file generates report information and feeds back to described user End, verifies for described user side.

Wherein in an embodiment, described document validation requests includes the numbering of module file, and described numbering is right The random weight answered；

Described report information is (M, σ), according to the following formula described report information of generation:

M=Σ_i∈Cν_iF_iModN, σ=Σ_i∈Cν_iσ_imodN

Wherein, i is the numbering of described module file,N is total number of described module file, ν_iFor compiling Number random weight corresponding for i, F_iFor i-th module file, N is the modulus in user's public-key cryptography, σ_iFor i-th module file Corresponding authenticating tag.

Embodiment three

As it is shown on figure 3, again by one specific embodiment illustrate the present invention handling process, in the present embodiment, be with Illustrate as a example by family end and server two-way interactive.

S31, user side generate the identifier of file to be stored, described file carries out coding simultaneously and obtains multiple module literary composition Part；

S32, user side utilize user's public-key cryptography and private cipher key that each module file is calculated each mould The authenticating tag of block file, generates authentication in open data to each authenticating tag；

Described identifier, module file and authenticating tag are submitted to server by S33, user side；

S34, server receive identifier, module file and the authenticating tag corresponding with module file of user's transmission and deposit Storage；

S35, user side generate file integrality inquiry request, send described inquiry request to server；

S36, server, when receiving the inquiry request that user sends, utilize user's public-key cryptography, identifier, module literary composition The authenticating tag that part is corresponding with module file generates the report information of described file and feeds back to user side；

S37, user side receive the report information that described server returns；

S38, user side utilize report information described in user's public-key cryptography and described authentication in open data verification；

1. key generates ((1^λ) → (pk, sk))

A) upload user randomly selects a λ bits RSA modulus N=pq so that All Being prime number and p, q has identical bit long；

B) orderWhereinFor Euler's function, represent and be not more than N and coprime with N The number of positive integer；

C) from QR_NIn randomly select one generate unit g, wherein QR_NRepresent the quadratic residue subgroup of mould N；

D) randomly selectWherein,Represent withCoprime and at mouldUnder residue class；

E) from pseudo-random function raceKey space in randomly select a seed seed；

Make g_τ=g^τ, PKI is pk=(N, g, g_τ), private key is sk=(p, q, τ, seed).

2. coding $(\mathrm{sk},F)\→(\mathrm{id},\stackrel{\‾}{F},n,{\left\{g_i\right\}}_{i=1}^n)$

A) upload user arranges systematic parameter ρ ∈ (0,1).Data file F is encoded by the error correcting code of application rate-ρ And generate file module (F₀,…,F_n-1) so that each module F_i∈{0,1}^mλ, and n module F of arbitrary ρ_iAll can Recover original data file F；

B) it is that file F selects a unique identifier id ∈ { 0,1}^λ；

C) it is each data file module F_i, i ∈ [0, n-1], calculate an authenticating tag

D) order coding file isWillIt is sent to cloud storage server；

E) it is each σ_iCalculate a disclosed authentication data

Coding file isClient willIt is sent to server, only local Storage (id, n) and open

3. challenge (id, n) → Q

A) verifier randomly selects the subset that scale is | C |=l

B) for each i ∈ C, verifier fromIn random choose weight ν_i；

Make Q={ (i, ν_i):i∈C}；

4. prove $(\mathrm{id},\stackrel{\‾}{F},Q)\→(M,\mathrm{\σ})$

A) (id, the Q) that cloud server verifier sends；

B) Cloud Server finds out coding file according to identifier id

C) Cloud Server report calculated message (M, σ)；

M=Σ_i∈Cν_iF_iModN, σ=Σ_i∈Cν_iσ_imodN。

(M, σ) is sent to verifier by server.

5. checking $(\mathrm{pk},{\left\{g_i\right\}}_{i=0}^{n-1},Q,(M,\mathrm{\σ}))\→$ Refusal or acceptance

Utilize PKI pk and corresponding public information sequence { g_i, verifier verifies whether following equalities is set up:

$g^{\mathrm{\σ}}={\mathrm{\Π}}_{i\∈C}{\left(g_i\right)}^{v_i}{g}_{\mathrm{\τ}}^M\mathrm{mod}N.$

If the equation is set up, export " acceptance ", represent that file is complete；Otherwise output " refusal ", represents that file is imperfect.

Embodiment four

As shown in Figure 4, it is the checking equipment structural representation in the present embodiment of cloud storage data integrity of the present invention, Illustrate with subscriber equipment in the present embodiment, including:

Coding module 41, for generating the identifier of file to be stored, carries out coding to described file simultaneously and obtains multiple Module file；

Generation module 42, is used for utilizing user's public-key cryptography and private cipher key to be calculated each module file often The authenticating tag of individual module file, generates authentication in open data to each authenticating tag；

Submit module 43 to, for described identifier, module file and authenticating tag are submitted to server；

Enquiry module 44, is used for generating file integrality inquiry request, sends described inquiry request to server, receives institute State what server returned, utilize the authenticating tag that user's public-key cryptography, identifier, module file are corresponding with module file to generate The report information of described file；

Authentication module 45, is used for utilizing report information described in user's public-key cryptography and described authentication in open data verification.

Wherein in an embodiment, described user's public-key cryptography and private cipher key in described generation module 42 pass through RSA key algorithm generates:

Randomly select a λ bits RSA modulus N=pq so that It is all prime number, and P, q have identical bit long；

OrderWherein(N) it is Euler's function, represents and be not more than N and coprime with N The number of positive integer；

From QR_NIn randomly select one generate unit g, wherein QR_NRepresent the quadratic residue subgroup of mould N；

Randomly selectWherein,Represent withCoprime and at mouldUnder residue class；

From pseudo-random function raceKey space in randomly select a seed seed；

Make g_τ=g^τ, described user's public-key cryptography is pk=(N, g, g_τ), described user's private cipher key be sk=(p, q, τ, seed)。

Wherein in an embodiment, the identifier of described file meets constraints id ∈ { 0,1}^λ, wherein, id is institute Stating identifier, λ is the bit long of modulus in user's public-key cryptography.

Wherein in an embodiment, described generation module is additionally operable to:

According to the following formula described authenticating tag of generation:

Wherein, i is the numbering of module file, F_iFor i-th module file, σ_iFor the authenticating tag that module file i is corresponding, τ For the random number in user's private cipher key, PRF_seedFor the pseudo random number that random seed seed in user's private cipher key is corresponding, i ∈ [0, n-1], n is total number of described module file, and N is the modulus in user's public-key cryptography.

Wherein in an embodiment, described generation module is additionally operable to:

According to the following formula each authentication in open data of generation:

$g_i=g^{{\mathrm{PRF}}_{\mathrm{seed}}\left(\mathrm{id}\right|\left|i\right)}$

Wherein, g_iFor the authentication in open data of i-th module file, g is the generation unit in user's public-key cryptography.

Wherein in an embodiment, described enquiry module is additionally operable to:

Randomly select the subset that scale is | C |=lTo each i ∈ C, fromIn random choosing Take weight v_iWeigh described inquiry request for { (i, ν_i):i∈C}。

Wherein in an embodiment, described authentication module is additionally operable to:

Judge whether following equalities is set up:

$g^{\mathrm{\σ}}={\mathrm{\Π}}_{i\∈C}{\left(g_i\right)}^{v_i}{g}_{\mathrm{\τ}}^M\mathrm{mod}N$

Wherein, described report information is (M, σ), M=Σ_i∈Cν_iF_iModN, σ=Σ_i∈Cν_iσ_iModN, i are described module literary composition The numbering of part,N is total number of described module file, ν_iFor the random weight that numbering i is corresponding, F_iFor i-th Module file, N is the modulus in user's public-key cryptography, σ_iFor the authenticating tag that i-th module file is corresponding；

If setting up, the storage of the most described file is complete；If being false, the storage of the most described file is imperfect.

Embodiment five

As it is shown in figure 5, be the authentication server structural representation in the present embodiment of cloud storage data integrity of the present invention Figure, illustrates in the present embodiment as a example by server, including:

Receiver module 51, for receiving identifier, module file and the certification corresponding with module file that user side sends Label also stores；

Feedback module 52, for receiving the file integrality inquiry request that user side sends, utilizes file described in user complete The authenticating tag that whole property inquiry request, public-key cryptography, identifier, module file are corresponding with module file generates report information feedback To described user side, verify for described user side.

Wherein in an embodiment, described document validation requests includes the numbering of module file, and described numbering is right The random weight answered；

Described report information is (M, σ), and described feedback module is additionally operable to according to the following formula described report information of generation:

M=Σ_i∈Cν_iF_iModN, σ=Σ_i∈Cν_iσ_imodN

Wherein, i is the numbering of described module file,N is total number of described module file, ν_iFor compiling Number random weight corresponding for i, F_iFor i-th module file, N is the modulus in user's public-key cryptography, σ_iFor i-th module file Corresponding authenticating tag.

Next beneficial effects of the present invention is illustrated.

First, it is defined below:

Definition 1: if for algorithm defined above (key generates, coding, challenge, it was demonstrated that, checking) any output, Prove that the response that algorithm is returned can make verification algorithm output accept, and this proof procedure is not related to any being given birth to by key Become the private key sk that algorithm is exported, then the scheme of these algorithms composition referred to as discloses evincible data storage (PPDP).

Definition 2: if a honest Cloud Server, when he the most intactly stores data file the honesty of client Ground runs proves that, when algorithm generates a response, total energy authenticatee accept, and the most such PPDP scheme is complete.

In order to prove the safety of PPDP scheme, here need to introduce a safety game.

Arrange: challenger runs key schedule and generates a pair public and private key (pk, sk).The open PKI pk of challenger, only Preserve private key sk.

Study: assailant makes the inquiry that some are following adaptively:

Storage inquiry: assailant chooses data file F and issues challenger, challenger returnsAs response.The last challenger of this step only preserves that (id n), and attacks Person can obtain encoding fileAnd corresponding file identifier id and one group of authentication in open information

Revene lookup: assailant sends a file identifier id to challenger, if id is in previous step by assailant Storage inquiry in produced, then the file F that challenger couple is corresponding with id initiates following authentication challenge to assailant:

Utilizing metadata n, challenger can select a random challenge Q and be sent to assailant.

The inquiry Q sent for challenger, assailant can generate a response R and return to challenger (R may be by arbitrarily side Formula generates).

R is verified by challenger's runtime verification algorithm, and exports b ∈ { accepting, refusal }.

Resolution bit b is sent to assailant by challenger.If it addition, id is not the storage inquiry former by assailant Generated in, then challenger not as.

Submit to: assailant selects a file identifier id* to be sent to challenger during learning.F* is made to represent The data file relevant to id*.

Return and take: data file F* is initiated the PPDP revene lookup of multinomial time by challenger.Wherein, challenger serves as checking Person, assailant plays the part of cloud storage server.From these interactive information, challenger utilizes the recovery algorithms of some PPT, it is possible to To a data file module F'.The inquiry initiated for challenger, if the response of assailant makes challenger at verification process Middle output accepts, then assailant wins in this game；If the file module F' that challenger obtains is equal to original file mould Block F*, then challenger wins this game.

From above-mentioned safety game, provide following one and define:

It is rational for defining 3: one PPDP schemes, if definition safety game in, attack win probability with choose The difference of the probability that war person wins is insignificant.(the inquiry Q initiated for challenger, when the response (M ', σ ') of assailant's output Can pass through certification, but (M ', σ ') ≠ (M, σ), and the probability that this event occurs is insignificant, and (M, σ) indicates card here The actual response of bright algorithm output.)

Lemma 1 (completeness of PPDP): above-mentioned PPDP scheme is complete under the description of definition 2.

Prove:

$g^{\mathrm{\σ}}=g^{{\mathrm{\Σ}}_{i\∈C}{v}_i{\mathrm{\σ}}_i}\mathrm{mod}N$

$=g^{{\mathrm{\Σ}}_{i\∈C}{v}_i{\mathrm{PRF}}_{\mathrm{seed}}\left(\mathrm{id}\right|\left|i\right)+{\mathrm{\Σ}}_{i\∈C}{v}_i\mathrm{\τ}{F}_i}\mathrm{mod}N$

$=\underset{i\∈C}{\mathrm{\Π}}{\left(g^{{\mathrm{PRF}}_{\mathrm{seed}}\left(\mathrm{id}\right|\left|i\right)}\right)}^{v_i}\·g_{\mathrm{\τ}}^M\mathrm{mod}N$

$=\underset{i\∈C}{\mathrm{\Π}}{\left(g_i\right)}^{v_i}{g}_{\mathrm{\τ}}^M\mathrm{mod}N$

Theorem 1: if the pseudo-random function race PRF in the present invention is safe, and discrete logarithm problem and big integer Resolution problem is all insoluble, then the PPDP scheme of the present invention is rational.

Before proving above-mentioned conclusion, first provide following lemma.

If the pseudo-random function race PRF in lemma 2 present invention is safe, and discrete logarithm problem divides with big integer Solution problem is all insoluble, then the assailant of PPT can obtain some of relevant τ after interacting in safety is played The probability of useful informationAnd due to λ ≈ logN ≈ 2+2logp ',It is to neglect Slightly, wherein φ (N), p ', q ' are defined in key schedule, and make p '=min{p ', q ' }.

Prove: because pseudo-random function PRF is safe, so there is not such PPT assailant in safety is played Output and the Z of PRF can be distinguished_φ(N)In true random number.Therefore, secret τ-value is at σ_iMiddle well concealed.And, Owing to DLP problem is difficult to resolve, the most there is not such PPT assailant can be from PKI pkg_τMiddle acquisition is any and τ Relevant effective information.So there is not the PPT assailant obtaining any effective information relevant with τ from safety is played.

The proof of theorem 1: assume assailant serve as Cloud Server generate in any way an effective response (M ', σ '), and make challenger accept, and be (M, σ) by proving the actual response that algorithm generates, it is clear that for effective response (M ', σ ') All can set up with real response (M, σ) certification equation.So we have

$g^{\mathrm{\σ}}=\underset{i\∈C}{\mathrm{\Π}}{\left(g_i\right)}^{v_i}{g}_{\mathrm{\τ}}^M\mathrm{mod}N---\left(1\right)$

$g^{{\mathrm{\σ}}^{\′}}=\underset{i\∈C}{\mathrm{\Π}}{\left(g_i\right)}^{v_i}{g}_{\mathrm{\τ}}^{M^{\′}}\mathrm{mod}N---\left(2\right)$

By (1) formula divided by (2) formula, obtain

$\frac{g^{\mathrm{\σ}}}{g^{{\mathrm{\σ}}^{\′}}}=\frac{{\mathrm{\Π}}_{i\∈C}{\left(g_i\right)}^{v_i}{g}_{\mathrm{\τ}}^M}{{\mathrm{\Π}}_{i\∈C}{\left(g_i\right)}^{v_i}{g}_{\mathrm{\τ}}^{M^{\′}}}\mathrm{mod}N$

$=g^{\mathrm{\σ}-{\mathrm{\σ}}^{\′}}\mathrm{mod}N$

$g_{\mathrm{\τ}}^{M-M^{\′}}\mathrm{mod}N$

$=g^{(M-M^{\′})\mathrm{\τ}}\mathrm{mod}N$

By above-mentioned calculating, assailant can obtain equation below

g^σ-σ′=g^(M-M′)τmodN (3)

For (3) formula, it is considered to two kinds of different situations below.

Case1:M ≠ M '.If M and M ' is unequal, then PPT assailant can obtain some and τ from (3) formula above Relevant effective information.But according to the conclusion of lemma 2, the probability that this situation occurs is insignificant.(otherwise, exist separately An outer assailant β can call above-mentioned assailant and solve DLP problem with the probability can not ignore.)

Case2:M=M '.As M=M ', it is meant that challenger wins safety game.Here M '=Σ_i∈Cν_iF_i, this Being a system of linear equations about coding module, its coefficient is the weight set { ν of challenger_i}_i∈C.Therefore, in order to be closed In unknown quantity F_i, l=| C | individual linear independence equation of i ∈ C, challenger needs agreeing to that index set C performs agreement l=| C | Secondary.So by solving a system of linear equations, challenger just can recover original file module F_i,i∈C。

By above-mentioned analysis, it is possible to obtain following inference:

Inference 1: the probability that the probability that assailant wins in safety is played occurs equal to case1 occurs plus case2 Probability.I.e.

Pr [assailant wins in safety is played]=Pr [case1 generation]+Pr [case2 generation]

Owing to Pr [case1 generation] is insignificant, and case2 means that challenger wins safety game, Therefore theorem 1 is proven.

The present invention allows arbitrary authority checking person without obtaining the secret knowledge of client, just client can be stored in high in the clouds Data file carry out integrity verification, and all these file need not be downloaded.

The server of the present invention is made without any exponent arithmetic, than existing many public affairs in terms of computational efficiency Open certificate scheme more effective, have more practicality.

Analysis of complexity: these modules MAC that verifier is inquired about by cloud storage server by utilizing isomorphism are to (F_i,σ_i) Being integrated into a single module, by (M, the σ) that calculate and return to verifier as response, such operation makes the present invention Become highly effective in communication, the calculating of server end: user and server-side are all communication cost and the Ο (λ) of Ο (λ) Storage cost, λ is the bit long of N here.The each inquiry sent for verifier, it is 2 λ that the response rule that server is returned are touched Bit.And server only needs to carry out the multiplying of 2l time and the additive operation of 2l time to generate such a response, This makes the solution of the present invention on the one hand this be better than many existing authentication in open schemes.Receiving the response of server After, verifier needs to carry out the exponent arithmetic of l+2 time and l+1 multiplying to perform identifying algorithm, this and those existing public affairs Open certificate scheme and there is comparability equally.Therefore, all these calculation cost all linearly closes with the element number in inquiry System.From label σ_i∈{0,1}^λWith F_i∈{0,1}^mλIn, it is known that the storage cost of server isBut, arranging In the stage, client needs to carry out primary group multiplication, primary group addition and a PRF for each data module and calculates and generate a phase The label answered.Additionally, client also needs to carry out primary group exponent arithmetic to generate public information g_i, and all these is located in advance Reason process all can be carried out by off-line.Here l=| C | represents index number selected in verification process.

Embodiment described above only have expressed the several embodiments of the present invention, and it describes more concrete and detailed, but also Therefore the restriction to the scope of the claims of the present invention can not be interpreted as.It should be pointed out that, for those of ordinary skill in the art For, without departing from the inventive concept of the premise, it is also possible to make some deformation and improvement, these broadly fall into the guarantor of the present invention Protect scope.Therefore, the protection domain of patent of the present invention should be as the criterion with claims.

Claims (18)

1. the verification method of a cloud storage data integrity, it is characterised in that comprise the steps:

Generate the identifier of file to be stored, described file to be stored is carried out coding simultaneously and obtain multiple module file；

Utilize user's public-key cryptography and private cipher key that each module file is calculated the certification mark of each module file Sign, each authenticating tag is generated authentication in open data；

Described identifier, module file and authenticating tag are submitted to server；

Generate file integrality inquiry request, send described inquiry request to server, receive what described server returned, utilize The report of the described file to be stored that the authenticating tag that user's public-key cryptography, identifier, module file are corresponding with module file generates Announcement information；

Utilize report information described in user's public-key cryptography and described authentication in open data verification；

Described file to be stored is encoded and obtains the step of multiple module file and include:

Using rate-ρ algorithm to process, arrange systematic parameter ρ ∈ (0,1), file F is carried out by the error correcting code of application rate-ρ Encode and generate multiple module file (F₀,…,F_n-1) so that each module file F_i∈{0,1}^mλ, and arbitrary n mould of ρ Block file F_iAll can recover original file F.

The verification method of cloud storage data integrity the most according to claim 1, it is characterised in that described user discloses close Key and private cipher key are generated by RSA key generating algorithm:

Randomly select a λ bits RSA modulus N=pq so thatIt is all prime number, and p, q tool There is identical bit long；

OrderWhereinFor Euler's function, represent and be not more than N and coprime with N the most whole The number of number；

From QR_NIn randomly select one generate unit g, wherein QR_NRepresent the quadratic residue subgroup of mould N；

Randomly selectWherein, the random number during τ is user's private cipher key；Represent withCoprime and MouldUnder residue class；

From pseudo-random function raceKey space in randomly select a seed seed；

Make g_τ=g^τ, described user's public-key cryptography is pk=(N, g, g_τ), described user's private cipher key be sk=(p, q, τ, seed)。

The verification method of cloud storage data integrity the most according to claim 2, it is characterised in that the mark of described file Symbol meets constraints id ∈ { 0,1}^λ, wherein, id is described identifier, and λ is the bit long of modulus in user's public-key cryptography.

The verification method of cloud storage data integrity the most according to claim 3, it is characterised in that described utilize user public The step opening the authenticating tag that key and private cipher key are calculated each module file to the file of each module is:

According to the following formula described authenticating tag of calculating:

Wherein, i is the numbering of module file, F_iFor i-th module file, σ_iFor the authenticating tag that module file i is corresponding, PRF_seedFor the pseudo random number that random seed seed in user's private cipher key is corresponding, i ∈ [0, n-1], n are described module file Total number, N is the modulus in user's public-key cryptography.

The verification method of cloud storage data integrity the most according to claim 3, it is characterised in that described to each certification Label generates the step of authentication in open data:

According to the following formula each authentication in open data of generation:

$g_i=g^{{\mathrm{PRF}}_{seed}\left(id\right|\left|i\right)}$

Wherein, g_iFor the authentication in open data of i-th module file, g is the generation unit in user's public-key cryptography.

The verification method of cloud storage data integrity the most according to claim 5, it is characterised in that described generation file is complete The step of whole property inquiry request is:

Randomly select the subset that scale is | C |=lC is a subset of set [0, n-1], and l represents C The number of middle element；To each i ∈ C, fromIn randomly select weight ν_i, described inquiry request is { (i, ν_i):i∈ C}。

The verification method of cloud storage data integrity the most according to claim 6, it is characterised in that described checking report letter The step of breath is:

Judge whether following equalities is set up:

$g^{\mathrm{\σ}}={\mathrm{\Π}}_{i\∈C}{\left(g_i\right)}^{{\mathrm{\ν}}_i}{g}_{\mathrm{\τ}}^M\mathrm{mod}N$

Wherein, described report information is (M, σ), M=∑_i∈Cν_iF_iModN, σ=∑_i∈Cν_iσ_iModN, i are described module file Numbering,N is total number of described module file, ν_iFor the random weight that numbering i is corresponding, F_iFor i-th module File, N is the modulus in user's public-key cryptography, σ_iFor the authenticating tag that i-th module file is corresponding；

If setting up, the storage of the most described file is complete；If being false, the storage of the most described file is imperfect.

8. the verification method of a cloud storage data integrity, it is characterised in that comprise the steps:

Receive identifier, module file and the authenticating tag corresponding with module file of user side transmission and store；

Receive user side send file integrality inquiry request, utilize file integrality inquiry request described in user, disclose close The authenticating tag that key, identifier, module file are corresponding with module file generates report information and feeds back to described user side, for institute State user side checking；

Described module file is:

Using rate-ρ algorithm to process, arrange systematic parameter ρ ∈ (0,1), file F is carried out by the error correcting code of application rate-ρ Encode and generate multiple module file (F₀,…,F_n-1) so that each module file F_i∈{0,1}^mλ, and arbitrary n mould of ρ Block file F_iAll can recover original file F.

The verification method of cloud storage data the most according to claim 8, it is characterised in that

Described document validation requests includes the numbering of module file, and the random weight that described numbering is corresponding；

Described report information is (M, σ), according to the following formula described report information of generation:

M=∑_i∈Cν_iF_iModN, σ=∑_i∈Cν_iσ_imodN

Wherein, i is the numbering of described module file,C is a subset of set [0, n-1], and n is described mould Total number of block file, ν_iFor the random weight that numbering i is corresponding, F_iFor i-th module file, N is the mould in user's public-key cryptography Number, σ_iFor the authenticating tag that i-th module file is corresponding.

10. the checking equipment of a cloud storage data integrity, it is characterised in that including:

Coding module, for generating the identifier of file to be stored, carries out coding to described file to be stored simultaneously and obtains multiple Module file；

Generation module, is used for utilizing user's public-key cryptography and private cipher key that each module file is calculated each module The authenticating tag of file, generates authentication in open data to each authenticating tag；

Submit module to, for described identifier, module file and authenticating tag are submitted to server；

Enquiry module, is used for generating file integrality inquiry request, sends described inquiry request to server, receives described service Device returns, and utilizes and treats described in the authenticating tag generation that user's public-key cryptography, identifier, module file are corresponding with module file The report information of storage file；

Authentication module, is used for utilizing report information described in user's public-key cryptography and described authentication in open data verification；

Described file to be stored is encoded and obtains the step of multiple module file and include:

Using rate-ρ algorithm to process, arrange systematic parameter ρ ∈ (0,1), file F is carried out by the error correcting code of application rate-ρ Encode and generate multiple module file (F₀,…,F_n-1) so that each module file F_i∈{0,1}^mλ, and arbitrary n mould of ρ Block file F_iAll can recover original file F.

The checking equipment of 11. cloud storage data integrities according to claim 10, it is characterised in that described generation module In described user's public-key cryptography and private cipher key generated by RSA key generating algorithm:

Randomly select a λ bits RSA modulus N=pq so thatIt is all prime number, and p, q tool There is identical bit long；

OrderWhereinFor Euler's function, represent and be not more than N and coprime with N the most whole The number of number；

From QR_NIn randomly select one generate unit g, wherein QR_NRepresent the quadratic residue subgroup of mould N；

Randomly selectWherein, the random number during τ is user's private cipher key；Represent withCoprime and MouldUnder residue class；

From pseudo-random function raceKey space in randomly select a seed seed；

Make g_τ=g^τ, described user's public-key cryptography is pk=(N, g, g_τ), described user's private cipher key be sk=(p, q, τ, seed)。

The checking equipment of 12. cloud storage data integrities according to claim 11, it is characterised in that the mark of described file Know symbol and meet constraints id ∈ { 0,1}^λ, wherein, id is described identifier, and λ is the bit long of modulus in user's public-key cryptography.

The checking equipment of 13. cloud storage data integrities according to claim 12, it is characterised in that described generation module It is additionally operable to:

According to the following formula described authenticating tag of calculating:

Wherein, i is the numbering of module file, F_iFor i-th module file, σ_iFor the authenticating tag that module file i is corresponding, PRF_seedFor the pseudo random number that random seed seed in user's private cipher key is corresponding, i ∈ [0, n-1], n are described module file Total number, N is the modulus in user's public-key cryptography.

The checking equipment of 14. cloud storage data integrities according to claim 12, it is characterised in that described generation module It is additionally operable to:

According to the following formula each authentication in open data of generation:

$g_i=g^{{\mathrm{PRF}}_{seed}\left(id\right|\left|i\right)}$

Wherein, g_iFor the authentication in open data of i-th module file, g is the generation unit in user's public-key cryptography.

The checking equipment of 15. cloud storage data integrities according to claim 14, it is characterised in that described enquiry module It is additionally operable to:

Randomly select the subset that scale is | C |=lC is a subset of set [0, n-1], and l represents C The number of middle element；To each i ∈ C, fromIn random choose weight ν_i, described inquiry request is { (i, ν_i):i ∈C}。

The checking equipment of 16. cloud storage data integrities according to claim 15, it is characterised in that described authentication module It is additionally operable to:

Judge whether following equalities is set up:

$g^{\mathrm{\σ}}={\mathrm{\Π}}_{i\∈C}{\left(g_i\right)}^{{\mathrm{\ν}}_i}{g}_{\mathrm{\τ}}^M\mathrm{mod}N$

Wherein, described report information is (M, σ), M=Σ_i∈Cν_iF_iModN, σ=Σ_i∈Cν_iσ_iModN, i are described module file Numbering,N is total number of described module file, ν_iFor the random weight that numbering i is corresponding, F_iFor i-th module File, N is the modulus in user's public-key cryptography, σ_iFor the authenticating tag that i-th module file is corresponding；

If setting up, the storage of the most described file is complete；If being false, the storage of the most described file is imperfect.

The authentication server of 17. 1 kinds of cloud storage data integrities, it is characterised in that including:

Receiver module, for receiving identifier, module file and the authenticating tag corresponding with module file of user side transmission also Storage；

Feedback module, for receiving the file integrality inquiry request that user side sends, utilizes file integrality described in user to look into The request of inquiry, public-key cryptography, authenticating tag that identifier, module file are corresponding with module file generate described in report information feeds back to User side, verifies for described user side；

Described module file is:

Using rate-ρ algorithm to process, arrange systematic parameter ρ ∈ (0,1), file F is carried out by the error correcting code of application rate-ρ Encode and generate multiple module file (F₀,…,F_n-1) so that each module file F_i∈{0,1}^mλ, and arbitrary n mould of ρ Block file F_iAll can recover original file F.

The authentication server of 18. cloud storage data according to claim 17, it is characterised in that

Described document validation requests includes the numbering of module file, and the random weight that described numbering is corresponding；

Described report information is (M, σ), and described feedback module is additionally operable to according to the following formula described report information of generation:

M=Σ_i∈Cν_iF_iModN, σ=Σ_i∈Cν_iσ_imodN

Wherein, i is the numbering of described module file, and C is a subset of set [0, n-1],N is described mould Total number of block file, ν_iFor the random weight that numbering i is corresponding, F_iFor i-th module file, N is the mould in user's public-key cryptography Number, σ_iFor the authenticating tag that i-th module file is corresponding.