CN103699851B - A kind of teledata integrity verification method of facing cloud storage - Google Patents

Abstract

The present invention proposes a kind of teledata integrity verification method of facing cloud storage, utilize aggregate signature, specify reference's signature technology, realize user and the authentication function of third party auditor to user data integrality, ensured that the information that user is used for data integrity is not revealed simultaneously; Realized the transparency control of authorization information by zero-knowledge proof technology, in the time of user and server generation dispute, third party auditor can be by a kind of noninteractive zero-knowledge proof technology, and producing undeniable high confidence level proves. The advantages such as the present invention, in the incredible situation of cloud storage service provider, also can ensure the accuracy of cloud data integrity checking, has and is easy to realize, and cost is low, and data protection is strong, supports third party's audit, and Privacy Preservation Mechanism is flexible.

Description

A kind of teledata integrity verification method of facing cloud storage

Technical field

The present invention relates to a kind of teledata integrity verification method of facing cloud storage, be specifically related to according to data integrity checking,Specify reference's signature and zero-knowledge proof theory, for the data in cloud storage provide safe and efficient, support common authentication, the 3rdSide verifies and has the integrity verification method of secret protection, belongs to field of information security technology.

Background technology

The data, services outsourcing of cloud computing can reduce the storage and maintenance pressure of data owner this locality, but use is being given in cloud computingWhen family offers convenience, also for user data has brought new security challenge. Because user has lost data reliability and peaceThe physical control of full property, the data integrity in cloud storage becomes one of safety problem of user's worry. Due to large-scale data instituteThe huge communication cost causing, user verifies its correctness after can not downloading data to this locality again. Therefore, how to ensure cloudThe safety of data in server, how helping user to carry out data integrity checking just becomes a study hotspot.

Find by prior art documents, realize the method for data integrity checking mainly based on digital signature (DigitalAnd Mei Keer Hash tree (MerkleHashTree) Signatures). Typical work comprises: data restorability proves (ProofsofRetrievability, POR) and provable data have (ProvableDataPossession, PDP). Shacham and Waters2008Year is being published in " The14thInternationalConferenceontheTheoryandApplicationo fCryptologyandInformationSecurity (the 14th cryptography and Information Security Theory and application international conference) " paper " CompactProofsOfRetrievability (compact restorability prove) " in proposed a kind of general compact restorability and proved model, this modelBased on the general thoughts of data fragmentation technology, use mathematical homomorphism character, the proof forming for t challenge piece, Neng GouThis proof of polymerization under O (t) computational complexity, generates an O (1) length authentication value. The people such as Wang were published in " The in 200914thEuropeanSymposiumonResearchinComputerSecurity (beg for by the 14th European computer security Journal of Sex ResearchOpinion annual meeting) " paper " EnablingPublicVerifiabilityandDataDynamicsforStorageSecu rityinCloudIn Computing(cloud computing, there is the method for secure storing of open checking and Data Dynamic " in proposed a kind of to recognize in conjunction with homomorphismCard and Mei Keer Hash tree (MHT), the storage means of the open checking of support and Data Dynamic under cloud computing environment. ButIn these schemes, assailant still likely utilizes open indentification protocol to collect abundant information, cracks out data, causes numberAccording to possessory leakage of data. Therefore these schemes exist the risk of information leakage, are not suitable for practical engineering application.

Summary of the invention

The present invention will overcome the deficiencies in the prior art, provides a kind of based on specifying reference's endorsement method and zero-knowledge proof technological sideTo the teledata integrity verification method of cloud storage, signer adopts undeniable digital signature, but in compute signatureCombine reference's PKI, checking must just can be carried out under signer or appointment reference's cooperation, strengthens signer notFalsifiability, in, the complicated Practical Project such as server is unreliable large at number of users, ensures user's remote validation cloud dataIntegrality, supported data dynamically updates, discloses checking, third-party authentication, protection privacy of user.

For achieving the above object, first the present invention carries out system initialization, and user (User, U) uses Reed-Solomon to encode willStored file division is several data blocks. User proposes file by " challenge-response " pattern in cloud storage serverThe request of integrity verification. Cloud storage server (CloudStorageServer, CSS), according to the data block being arrived by selective examination, generates oneIndividual message aggregation and about the appointment reference signature of this message aggregation adds the information of root node simultaneously, and generating a user canThe data integrity of directly calculating proves. Whether user carries out certain calculating to this proof can verify stored data fileDamaged to some extent. Meanwhile, because signing, the appointment reference who generates embedded third party auditor (ThirdPartyAuditor, TPA)PKI, third party auditor also can carry out to this data integrity the calculating checking of equal extent. On the other hand, for anti-Only user misapplies/abuses data integrity information, and third party auditor is where necessary for data integrity proves to provide a nonreciprocalThe zero-knowledge proof of formula, anyone can verify that this zero-knowledge proof is to know data integrity information, reach effective protection andControl flexibly the object of user authentication data integrity information.

Method of the present invention realizes by following concrete steps:

1 system initialization

System is moved bilinear Diffie-Hellman (BilinearDiffie-Hellman, BDH) parameter generators, produces two rank and isThe Bilinear Groups G of prime number q, G_t, g is generator e:G × G → G of crowd G_tFor bilinearity is to computing, a safety of definitionHash function H:{0,1}^*→G。

Given file F, system is used Reed-Solomon coding that file is divided into n piece F (m₁·m₂，...，m_n) wherein

2 systems generate key

System operation key schedule KeyGen, for user U generates private key: random numberCorresponding PKIForSimilarly, system is that third party auditor TPA generates private key: random numberCorresponding publicKey is $y_{\mathrm{TPA}}=g^{x_{\mathrm{TPA}}}.$

3 user's storage files

User moves signature generating algorithm SigGen (sk_U, F) and be each data block m_iGenerate a homomorphism authentication value(homomorphicauthenticator)：As the metadata of file. The homomorphism certification of all data blocksValue can be gathered into label value: a φ={ σ_i}，1≤i≤n。

User adopts Merkle Hash tree by each block data structure, and wherein the leaf node of the bottom has been stored corresponding number in an orderly mannerAccording to the cryptographic Hash of piece, inferior bottom layer node is the cryptographic Hash of every two cryptographic Hash, and step-by-step recursion constructs a binary tree, root thusThe cryptographic Hash that node is corresponding final. Root node R is signed simultaneouslyUser U is by { F, φ, σ_RSend toCloud storage server CSS.

4 general integrity verifications

The 4.1 users request of challenging

When user U carries out data integrity checking to file F, first to generate one group of challenge information. This challenge information is by usingFamily U selects some random elements: I={s₁，...，s_c}，s₁≤i≤s_c, wherein s_iRepresent i data block m_iIndex. RightIn each s_i∈ I, U chooses a random numberFinally, U is by challenge informationSendGive cloud storage server CSS.

4.2 servers generate to be proved

After cloud storage server CSS receives the challenge information of user U transmission, calculate and generate one section of proof:

${\mathrm{\ζ}}_i=y_{\mathrm{TPA}}^{r_i},{\mathrm{\μ}}_i={\mathrm{\σ}}_i\·g^{r_i},\mathrm{\ζ}={\mathrm{\Π}}_{i=s_1}^{s_c}{\mathrm{\ζ}}_i,\mathrm{\μ}={\mathrm{\Π}}_{i=s_1}^{s_c}{\mathrm{\μ}}_i,\mathrm{\θ}={\mathrm{\Σ}}_i^{s_c}{m}_i---\left(1\right)$

Meanwhile, CSS also can offer one group of supplementary of user: { Ω_i}，s₁≤i≤s_c, represent that i leaf node (storedH(m_i)) to the set of all brotghers of node on the path of root node R. Finally, CSS issues mono-section of proof of user U:

P＝{(ζ，μ，θ)，{H(m_i)}，{Ω_i}，σ_R}(2)

Wherein s₁≤i≤s_c, (ζ, μ) is the appointment reference signature about θ.

4.3 user's integrity verifications

After user U receives the proof P that cloud storage server sends, first utilize { H (m_i)}{Ω_iGeneration root node R.Then by calculation equation e (σ_R，g)≡e(H(R)，y_U) whether set up, verify whether R value is tampered. If equation does not becomeVertical, U this proof that refuses inspection of books, and export failure information. If above-mentioned equation is set up, the following equation of U continuation calculating isNo establishment:

$e(\mathrm{\μ},y_{\mathrm{TPA}})\≡e(\mathrm{\ζ},g)\·e{({\mathrm{\Π}}_{i=s_1}^{s_c}H\left(m_i\right)\·u^{\mathrm{\θ}},y_{\mathrm{TPA}})}^{x_U}---\left(3\right)$

If above-mentioned equation is set up, this checking passes through. If equation is false, export failure information.

5 undeniable integrity verifications

When there is when dispute, third party auditor TPA can participate in integrity verification procedures, and provides non-repudiationProve eventually. After TPA receives the proof P that CSS cloud storage server sends, first utilize { H (m_i)}{Ω_iGeneration rootNode R. Then pass through calculation equation e, (σ_R，g)≡e(H(R)，y_U) whether set up, verify whether R value is tampered. If etc.Formula is false, TPA this proof that refuses inspection of books, and export failure information 0. Otherwise TPA continues whether to calculate following equationSet up:

$e(\mathrm{\μ},y_{\mathrm{TPA}})\≡e(\mathrm{\ζ},g)\·e{({\mathrm{\Π}}_{i=s_1}^{s_c}H\left(m_i\right)\·u^{\mathrm{\θ}},y_U)}^{x_{\mathrm{TPA}}}---\left(4\right)$

If above-mentioned equation is set up, this checking passes through, otherwise checking failure, output failure information 1. According to testingCard result generates undeniable proof.

If the verification passes, illustrate that proof is errorless, TPA exports one section of noninteractive zero-knowledge proof π₁, with prove two fromThe loose equal relation of logarithm.

If checking is not passed through, export failure information 1, TPA is by { H (m_i)}{Ω_iThis part information is directly open, fromAnd anyone can verify this conclusion, and export one section of noninteractive zero-knowledge proof π₂, to prove not phase of two discrete logarithmsDeng relation. For above-mentioned noninteractive zero-knowledge proof, anyone can be verified by simple calculating.

Remarkable result of the present invention is, for the needs of the integrity verification of subscriber data file in cloud storage, to utilize aggregate signatureWith appointment reference signature technology, realize general user and the authentication function of third party auditor to user data integrality,Realized the protection control of authorization information simultaneously by zero-knowledge proof technology, had and be easy to realize, data protection is strong, can spiritThe advantages such as control information transparency alive. The present invention, under the incredible prerequisite of cloud storage service provider, ensures under cloud storage environmentThe accuracy of data integrity checking, the checking cost of reduction user side.

Brief description of the drawings

Fig. 1 structure chart of the present invention.

Fig. 2 zero-knowledge proof process schematic diagram.

Specific implementation method

Below in conjunction with drawings and Examples, technical scheme of the present invention is described in further detail. Following examples are with the present inventionTechnical scheme is to implement under prerequisite, provided detailed embodiment and process, but protection scope of the present invention is not limited to downThe embodiment stating.

The method proposing in order to understand better the present embodiment, choose under a cloud storage environment user U to it in cloud stores serviceThe data integrity checking event of the file of the upper storage of device CSS.

As shown in the inventive method structure chart (Fig. 1), the concrete implementation step of the present embodiment is as follows:

1 system initialization

System is moved bilinear Diffie-Hellman (BilinearDiffie-Hellman, BDH) parameter generators, produces two rank and isThe Bilinear Groups G of prime number q, G_t, g is the generator of crowd G, e:G × G → G_tFor bilinearity is to computing, a safety of definitionHash function H:{0,1}^*→G。

Given file F, system is used Reed-Solomon coding that file is divided into n piece F (m₁，m₂，...，m_n), wherein

2 systems generate key

System operation key schedule KeyGen, for user U generates private key: random numberCorresponding PKIForSimilarly, system is that third party auditor TPA generates private key: random numberCorresponding publicKey is $y_{\mathrm{TPA}}=g^{x_{\mathrm{TPA}}}.$

3 user's storage files

User moves signature generating algorithm SigGen (sk_U, F) and be each data block m_iGenerate a homomorphism authentication value(homomorphicauthenticator)：As the metadata of file. The homomorphism certification of all data blocksValue can be gathered into label value: a φ={ σ_i}，1≤i≤n。

User adopts Merkle Hash tree by each block data structure, and wherein the leaf node of the bottom has been stored corresponding number in an orderly mannerAccording to the cryptographic Hash of piece, inferior bottom layer node is the cryptographic Hash of every two cryptographic Hash, and step-by-step recursion constructs a binary tree, root thusThe cryptographic Hash that node is corresponding final. Root node R is signed simultaneouslyUser U is by { F, φ, σ_RSend toCloud storage server CSS.

4 general integrity verifications

The 4.1 users request of challenging

When user U carries out data integrity checking to file F, first to generate one group of challenge information. This challenge information is by usingFamily U selects some random elements: I={s₁，...，s_c}，s₁≤i≤s_c, wherein s_iRepresent i data block m_iIndex. RightIn each s_i∈ I, U chooses a random numberFinally, U is by challenge informationSendGive cloud storage server CSS.

4.2 servers generate to be proved

After cloud storage server CSS receives the challenge information of user U transmission, calculate and generate one section of proof:

${\mathrm{\ζ}}_i=y_{\mathrm{TPA}}^{r_i},{\mathrm{\μ}}_i={\mathrm{\σ}}_i\·g^{r_i},\mathrm{\ζ}={\mathrm{\Π}}_{i=s_1}^{s_c}{\mathrm{\ζ}}_i,\mathrm{\μ}={\mathrm{\Π}}_{i=s_1}^{s_c}{\mathrm{\μ}}_i,\mathrm{\θ}={\mathrm{\Σ}}_i^{s_c}{m}_i---\left(1\right)$

Meanwhile, CSS also can offer one group of supplementary of user: { Ω_i}，s₁≤i≤s_c, represent that i leaf node (storedH(m_i)) to the set of all brotghers of node on the path of root node R. Finally, CSS issues mono-section of proof of user U:

P＝{(ζ，μ，θ)，{H(m_i)}，{Ω_i}，σ_R}(2)

Wherein s₁≤i≤s_c, and (ζ, μ) is the appointment reference signature about θ.

4.3 user's integrity verifications

After user U receives the proof P that cloud storage server sends, first utilize { H (m_i)}{Ω_iGeneration root node R.Then by calculation equation e (σ_R，g)≡e(H(R)，y_U) whether set up, verify whether R value is tampered. If equation does not becomeVertical, U this proof that refuses inspection of books, and export failure information. If above-mentioned equation is set up, the following equation of U continuation calculating isNo establishment:

$e(\mathrm{\μ},y_{\mathrm{TPA}})\≡e(\mathrm{\ζ},g)\·e{({\mathrm{\Π}}_{i=s_1}^{s_c}H\left(m_i\right)\·u^{\mathrm{\θ}},y_{\mathrm{TPA}})}^{x_U}---\left(3\right)$

If above-mentioned equation is set up, this checking passes through. If above-mentioned equation is false, export failure information.

5 undeniable integrity verifications

Suppose in 4.3 that user U is to equation e (σ R, g) ≡ e (H (R), y_U) be verified, and the checking of equation (3) is not passed through,But cloud storage server CSS denies this result, do not admit that the file F that user U stores has suffered to distort. For thisDispute, third party auditor TPA can participate in integrity verification procedures, and provides undeniable final certification. TPAAfter receiving the proof P that cloud storage server sends, first utilize { H (m_i)}{Ω_iGeneration root node R. Then pass throughCalculation equation e (σ R, g) ≡ e (H (R), y_U) whether set up, verify whether R value is tampered. If R value is tampered, refusal is testedDemonstrate,prove this proof, and export failure information 0. If R value is not tampered, TPA continues to calculate following equation:

$e(\mathrm{\μ},y_{\mathrm{TPA}})\≡e(\mathrm{\ζ},g)\·e{({\mathrm{\Π}}_{i=s_1}^{s_c}H\left(m_i\right)\·u^{\mathrm{\θ}},y_U)}^{x_{\mathrm{TPA}}}---\left(4\right)$

If equation is set up, show to be verified, prove errorlessly, TPA exports one section of noninteractive zero-knowledge proof π₁, withProve two relations that discrete logarithm is equal.

If equation is not set up, show to verify and do not pass through, TPA finally exports failure information 1, generates undeniable card simultaneouslyBright. TPA exports one section of noninteractive zero-knowledge proof π₂, to prove two unequal relations of discrete logarithm. OrderW₁＝e(μ，y_TPA)/e(ζ，g)，Noninteractive zero-knowledge proof π₂To adoptFiat-Shamir heuristic is by one section of interactive proof:TurnChange and form (with reference to figure bis-). Finally, TPA only need to be by (A, A ', the z that obtain after calculating₁，z₂，z′₁，z′₂，c₁，c₂，d₁，d₂，d′₁，d′₂)Value sends to any people who needs verification.

Claims (1)

1. a teledata integrity verification method for facing cloud storage, is characterized in that comprising the following steps:

Step 1, system initialization

System operation bilinear Diffie-Hellman (BilinearDiffie-Hellman, BDH) parameter generators, produces two Bilinear Groups G that rank are prime number q, G_t, g is the generator of crowd G, e:G × G → G_tFor bilinearity is to computing, the Hash function H:{0 of a safety of definition, 1}^*→G；

Given file F, system is used Reed-Solomon coding that file is divided into n piece F (m₁，m₂，...，m_n), wherein

Step 2, system generates key

System operation key schedule KeyGen, for user U generates private key: random numberCorresponding PKI is y_U＝g^xU; System is that third party auditor TPA generates private key: random numberCorresponding PKI is y_TPA＝g^xTPA；

Step 3, user's storage file

User moves signature generating algorithm SigGen (sk_U, F) and be each data block m_iGenerate a homomorphism authentication value (homomorphicauthenticator):As the metadata of file, the homomorphism authentication value of all data blocks can be gathered into label value: a Φ={ σ_i}，1≤i≤n；

User adopts Merkle Hash tree by each block data structure, root node R is signed simultaneouslyBy { F, Φ, σ_RSend to cloud storage server CSS;

Step 4, general integrity verification

The 4.1 users request of challenging

When user U carries out data integrity checking to file F, generate one group of challenge informationSend to cloud storage server CSS, wherein I={s₁，...，s_c},s₁≤i≤s_c, for each s_i∈I，s_iRepresent i data block m_iIndex, random number

4.2 servers generate to be proved

After cloud storage server CSS receives the challenge information of user U transmission, calculate and generate one section of proof:

Meanwhile, CSS offers one group of supplementary of user: { Ω_i}，s₁≤i≤s_c, represent that i has been stored H (m_i) leaf node to the set of all brotghers of node on the path of root node R, last, CSS issues mono-section of proof of user U:

P＝{(ζ，μ，θ)，{H(m_i)}，{Ω_i}，σ_R}(2)

Wherein s₁≤i≤s_c, and (ζ, μ) is the appointment reference signature about θ;

4.3 user's integrity verifications

After user U receives the proof P that cloud storage server sends, first utilize { H (m_i)}{Ω_iGeneration root node R; Then by calculation equation e (σ_R，g)≡e(H(R)，y_U) whether set up, verify whether R value is tampered; If equation is false, U this proof that refuses inspection of books, and export failure information; If above-mentioned equation is set up, whether the following equation of U continuation calculating is set up:

If above-mentioned equation is set up, this checking passes through;

Step 5, undeniable integrity verification

In the time there is dispute, third party auditor TPA can participate in integrity verification procedures, and provides undeniable final certification; After TPA receives the proof P that CSS cloud storage server sends, first utilize { H (m_i)}{Ω_iGeneration root node R; Then by calculation equation e (σ_R，g)≡e(H(R)，y_U) whether set up, verify whether R value is tampered; If equation is false, TPA this proof that refuses inspection of books, and export failure information 0; Otherwise whether TPA continues to calculate following equation and sets up:

If above-mentioned equation is set up, this checking passes through, otherwise checking failure, output failure information 1; Need to generate undeniable proof time, first TPA calls above-mentioned TPA verification algorithm; If the verification passes, illustrate that proof is errorless, TPA exports one section of noninteractive zero-knowledge proof π₁, to prove two relations that discrete logarithm is equal;

If checking is not passed through, exported failure information 0, and TPA is by { H (m_i)}{Ω_iThis part information is directly open, thereby anyone can release the conclusion that checking is not passed through; If TPA output is failure information 1, one section of noninteractive zero-knowledge proof π of its output₂, to prove two unequal relations of discrete logarithm; For above-mentioned noninteractive zero-knowledge proof, anyone can be verified by simple calculating.