CN104954390A

CN104954390A - Cloud storage integrity detection method for recovering lost secret keys and system applying cloud storage integrity detection method

Info

Publication number: CN104954390A
Application number: CN201510423853.0A
Authority: CN
Inventors: 于佳; 沈文婷; 郝蓉
Original assignee: Qingdao University
Current assignee: Changfeng Shuzhi Technology Shandong Co ltd
Priority date: 2015-07-17
Filing date: 2015-07-17
Publication date: 2015-09-30
Anticipated expiration: 2035-07-17
Also published as: CN104954390B

Abstract

The invention provides a cloud storage integrity detection method capable of recovering lost keys and a system applied to the method. The system includes a parameter generation center module, a cloud module, a key distribution center module, a group member module, and an audit center module . With this system, when the key of a member in the group is lost, it is possible to avoid regenerating a new key and re-signing some data; the key is verifiable, that is, each member of the group can verify that the key distribution center has given Whether the key he sent is correct, the user who lost the key can also verify whether the shares sent to him by other t+1 members in the group are correct. This can prevent the key distribution center or the user who distributes the share to the lost user from being dishonest; when the key is restored, the user's key is blinded, so that each member does not know each other's key. This improves the security of key recovery and prevents malicious users from framing the cloud.

Description

Cloud storage integrity detection method and system capable of recovering lost keys

技术领域technical field

本发明涉及云存储安全技术领域，尤其涉及一种可恢复丢失密钥的云存储完整性检测方法及系统。The invention relates to the technical field of cloud storage security, in particular to a cloud storage integrity detection method and system capable of recovering lost keys.

背景技术Background technique

近年来，随着互联网技术的快速发展，以及云服务提供商的不断增多，云计算服务越来越深入地走进人们的生活，云中数据的存储也成为人们关心的热点。如今，随着网络的发展，科技的进步，生活中便会产生大量的交互式应用以及海量的数据，而这些数据需要大量的软硬件来存储和计算，而数据的维护费用非常高。云存储作为云计算的一种重要应用形式，能提供价格低廉，使用方便的大规模存储服务，为用户存储和管理数据。用户可按需使用服务，将数据外包存储到云端，从而改变了资源部署和服务提供的方式，避免了用户对本地软硬件和维护的大量投入。In recent years, with the rapid development of Internet technology and the increasing number of cloud service providers, cloud computing services have entered people's lives more and more deeply, and data storage in the cloud has also become a hot spot of concern. Today, with the development of the network and the advancement of technology, a large number of interactive applications and massive data will be generated in life, and these data require a large amount of software and hardware for storage and calculation, and the maintenance cost of the data is very high. As an important application form of cloud computing, cloud storage can provide low-cost and convenient large-scale storage services to store and manage data for users. Users can use services on demand and outsource data storage to the cloud, thus changing the way of resource deployment and service provision, and avoiding users' large investment in local software, hardware and maintenance.

但是，云存储也存在很多威胁，例如，系统软件存在漏洞，遭受黑客的入侵、硬件出现故障，造成数据丢失、云服务提供商为节省存储空间，故意删除不常用的数据，但为了保持好的声誉，而故意隐瞒数据丢失的事实。当用户的数据和应用系统移到云端后，用户就失去了对它们直接控制的权限。而且，任何云端的错误都可能导致用户数据的修改或丢失。因此，用户有理由怀疑存储在云端的数据是否完整、可用。数据拥有者需要一种安全可靠的服务机制来确保数据是否被真实、完整地存储在云服务器中。However, there are also many threats to cloud storage. For example, there are loopholes in the system software, hackers’ intrusion, hardware failure, resulting in data loss, and cloud service providers deliberately delete infrequently used data in order to save storage space. reputation, while deliberately concealing the fact that data was lost. When the user's data and application systems are moved to the cloud, the user loses the authority to directly control them. Moreover, any errors in the cloud may result in modification or loss of user data. Therefore, users have reason to doubt whether the data stored in the cloud is complete and usable. Data owners need a safe and reliable service mechanism to ensure that the data is truly and completely stored in the cloud server.

云存储数据完整性审计是一个很好的解决办法，用来确保存储在云端的数据的完整性和可用性。但是，传统的验证数据完整性的方法需要下载全部的数据才可完成验证任务，这在数据外包的情况下是不切实际的。因为存储在云端的数据量非常大，这会花费大量的通信计算开销，还会给I/O设备带来很大的负担。而私有审计效率较高，但只能用户自己完成验证。但公开审计允许任何人质询和验证数据的完整性。由于存储在云端的数据量非常大，使得审计任务非常繁重。由于用户设备的计算能力和时间有限，在公开审计中，用户可将审计任务委托给可信第三方审计中心，而且不需要下载完整的数据便可验证数据的完整性。审计中心通过给云端发送质询，云端根据质询给审计中心发送审计证明，审计中心通过验证证明，可以验证存储在云端的数据是否完整。Cloud storage data integrity auditing is a good solution to ensure the integrity and availability of data stored in the cloud. However, the traditional method of verifying data integrity needs to download all the data to complete the verification task, which is impractical in the case of data outsourcing. Because the amount of data stored in the cloud is very large, it will cost a lot of communication and computing overhead, and it will also bring a great burden to the I/O device. The private audit is more efficient, but only the user can complete the verification by himself. But public auditing allows anyone to challenge and verify the integrity of the data. Due to the large amount of data stored in the cloud, the audit task is very heavy. Due to the limited computing power and time of user equipment, in public audit, users can entrust audit tasks to trusted third-party audit centers, and can verify the integrity of data without downloading complete data. The audit center sends a query to the cloud, and the cloud sends an audit certificate to the audit center based on the query. The audit center can verify the integrity of the data stored in the cloud through the verification certificate.

在云存储的实际应用中，群体共享数据存储是一种非常重要的应用。在这种共享数据的云存储形式中，属于某个群体的任何成员都可以对云端的数据进行访问，修改等操作。因此，针对共享数据的云存储数据完整性审计方法得到了一定的关注。而在共享数据群体中，群体成员的密钥可能因为硬件故障、移动设备丢失等原因，丢失并无法恢复，如果使用传统的方法，需要给这个密钥丢失的成员重新分发新的密钥，然后需要从云端下载这个用户的全部数据，并用新的密钥对这些数据进行重新签名，否则会存在安全问题。但是，这会花费难以容忍的计算和通信开销，不能适用于云存储环境。因此，需要有一种有效的方法，可以在成员密钥丢失时，恢复出他的密钥，而不需要重新产生新的密钥，进行签名的重新计算。In the practical application of cloud storage, group shared data storage is a very important application. In this cloud storage form of shared data, any member belonging to a certain group can access, modify, and other operations on the data in the cloud. Therefore, cloud storage data integrity audit methods for shared data have received some attention. In the shared data group, the key of the group member may be lost and cannot be recovered due to hardware failure, loss of mobile device, etc. If the traditional method is used, a new key needs to be redistributed to the member whose key is lost, and then It is necessary to download all the data of this user from the cloud and re-sign the data with a new key, otherwise there will be security problems. However, this would cost intolerable computational and communication overheads and cannot be applied to cloud storage environments. Therefore, there needs to be an effective method that can recover his key when the member key is lost, without regenerating a new key and recalculating the signature.

本发明专利提出了一个高效的可恢复丢失密钥的云存储完整性检测方法。当群里有成员的密钥丢失时，可以通过群体里的其他t+1个(t+1为门限值)成员的密钥恢复出他的密钥，而且各个用户均不知道群体里其他用户的密钥。本方案提出的云存储方法不仅可以保证数据的完整性，而且可以为密钥丢失的成员恢复密钥。The patent of the present invention proposes an efficient cloud storage integrity detection method that can recover lost keys. When the key of a member in the group is lost, his key can be recovered through the keys of other t+1 members (t+1 is the threshold value) in the group, and each user does not know other members in the group user's key. The cloud storage method proposed in this scheme can not only ensure the integrity of the data, but also recover the key for the member whose key is lost.

发明内容Contents of the invention

本发明所要解决的技术问题是防止在共享数据中，群成员密钥丢失造成的安全问题。基于此，本专利提出了一种可恢复丢失密钥的云存储完整性检测方法。该方法中，当群里有成员的密钥丢失时，可以通过群体里的其他t+1个(这里t+1表示门限值)成员的密钥恢复出他的密钥，而且各个用户均不知道群体里其他成员的密钥。本发明专利电子医疗系统、海量数据存储等诸多领域有广阔的应用。The technical problem to be solved by the invention is to prevent the security problem caused by the loss of the key of the group member in the shared data. Based on this, this patent proposes a cloud storage integrity detection method that can recover lost keys. In this method, when the key of a member in the group is lost, his key can be recovered through the keys of other t+1 members in the group (where t+1 represents the threshold value), and each user can The keys of other members of the group are not known. The patented electronic medical system of the present invention, massive data storage and many other fields have broad application.

为解决上述技术问题，本发明提供了一种可恢复丢失密钥的云存储完整性检测系统，其包括参数生成中心模块、云端模块、密钥分发中心模块、群成员模块、审计中心模块(简称TPA)；In order to solve the above technical problems, the present invention provides a cloud storage integrity detection system capable of recovering lost keys, which includes a parameter generation center module, a cloud module, a key distribution center module, a group member module, and an audit center module (referred to as TPA);

所述参数生成中心模块产生各种系统参数，为用户生成公私钥、计算审计参数等；The parameter generation center module generates various system parameters, generates public and private keys for users, calculates audit parameters, etc.;

所述云端模块为群成员提供数据存储，数据共享服务，数据文件F被分割成n个数据块{m₁，…，m_n}存储在云端；The cloud module provides data storage and data sharing services for group members, and the data file F is divided into n data blocks {m ₁ ,..., m _n } and stored in the cloud;

所述密钥分发中心模块为群成员模块中的各个成员产生密钥和公钥，并把密钥分发给各个成员，公开各个成员的公钥；The key distribution center module generates a key and a public key for each member in the group member module, and distributes the key to each member, and discloses the public key of each member;

所述群成员模块中包括数据拥有者和其他用户(假设群体有n个成员U＝{U₁，U₂，…，U_n})，数据拥有者将数据文件上传到云端，并且共享给群里的其他用户，而其他用户可以对数据进行访问，二者不做区分；The group member module includes the data owner and other users (assuming that the group has n members U={U ₁ , U ₂ ,..., U _n }), the data owner uploads the data file to the cloud and shares it with the group Other users in the database, while other users can access the data, there is no distinction between the two;

所述审计中心模块受用户的委托验证存储在云端模块的数据的完整性。The audit center module is entrusted by the user to verify the integrity of the data stored in the cloud module.

本发明还提供了采用上述可恢复丢失密钥的云存储完整性检测系统进行可恢复丢失密钥的云存储完整性检测方法，其包括：The present invention also provides a cloud storage integrity detection method for recoverable lost keys using the cloud storage integrity detection system for recoverable lost keys, which includes:

第一步，系统参数生成，采用所述系统的参数生成中心模块生成各种系统参数；The first step, system parameter generation, adopts the parameter generation center module of the system to generate various system parameters;

第二步，密钥分发，采用密钥分发中心模块随机选择一个多项式，计算出n个份额{s_i}_1≤i≤n并将份额分发给为群体的各个成员U_i(i=1，2，…，n)作为密钥，并计算和公开各成员的公钥 The second step, key distribution, uses the key distribution center module to randomly select a polynomial, calculates n shares {s _i } _1≤i≤n and distributes the shares to each member U _i of the group (i=1, 2,...,n) as the key, and calculate and publish the public key of each member

第三步，数据上传和审计，数据上传为群成员用自己的密钥对要上传到云端模块的数据签名，群成员将数据和数据块签名一起上传到云端，所述数据审计为由审计中心模块随机选择需要质询的采样数据，并把质询chal发送给云端，云端模块根据审计中心模块发来的质询chal产生审计证明proof并且发送给审计中心模块，审计中心模块接收到云端发来的证明proof后，通过验证等式验证质询的数据块是否是正确的。The third step is data uploading and auditing. For data uploading, the group members use their own keys to sign the data to be uploaded to the cloud module. The group members upload the data and the data block signature to the cloud together. The module randomly selects the sampling data that needs to be questioned, and sends the challenge chal to the cloud. The cloud module generates an audit proof proof according to the challenge chal sent by the audit center module and sends it to the audit center module. The audit center module receives the proof proof sent by the cloud. After that, verify whether the challenged data block is correct by verifying the equation.

第四步，密钥恢复，群体里的用户U_x密钥丢失时，他可通过群体里的其他t+1个成员的密钥，进行重构操作，恢复自己的密钥s_x。The fourth step is key recovery. When the key of user U _x in the group is lost, he can reconstruct his own key s _x through the keys of other t+1 members in the group.

所述系统参数生成步骤进一步具体为参数生成中心模块生成两个乘法循环群G₁，G₂(它们的阶均为大素数p)，和一个双线性配对：其中，g，u是G₁中两个互相独立的生成元。然后选择密码哈希函数其中最后选择素数q，使得q|p-1，(q是Z_p ^*的阶)。则全体公共参数为 The system parameter generating step is further specifically generating two multiplicative cyclic groups G ₁ and G ₂ (their order is a large prime number p) for the parameter generating central module, and a bilinear pairing: Among them, g, u are two independent generators in _G1 . Then choose a cryptographic hash function in Finally choose a prime q such that q|p-1, (q is the order of Z _p ^* ). Then all public parameters are

所述密钥分发步骤进一步具体包括：The key distribution step further specifically includes:

第a步，密钥分发中心模块随机选择一个多项式(a_i∈Z_p)，计算各个成员的密钥s_i＝f(i)，i＝1，2....，n和公钥 In step a, the key distribution center module randomly selects a polynomial (a _i ∈ Z _p ), calculate each member’s key s _i =f(i), i=1, 2...., n and public key

第b步，密钥分发中心模块广播承诺值g^s，把s_i(i＝1，2，K，n)发给群里的各个成员U_i(i＝1，2，…，n)，并公开各个成员的公钥 In step b, the key distribution center module broadcasts the commitment value g ^s , Send s _i (i=1, 2, K, n) to each member U _i (i=1, 2, ..., n) in the group, and disclose the public key of each member

第c步，群体里的每个用户U_i(i＝1，2，…，n)接收到密钥分发中心模块发送的密钥s_i后，验证以下等式是否成立：Step c, after each user U _i (i=1, 2, ..., n) in the group receives the key _si sent by the key distribution center module, verify whether the following equation is true:

${g g}^{{s the s}_{i i}} = = {g g}^{s the s} {Π Π}_{j j = = 11}^{t t} {(({g g}^{{a a}_{j j}}))}^{{i i}^{j j}} mod mod p p$

如果等式成立，则说明用户U_i相信密钥分发中心模块给他的密钥s_i是正确的。而且每个用户存储承诺值g^s， If the equation is established, it means that the user U _i believes that the key _si given to him by the key distribution center module is correct. And each user stores a commitment value g ^s ,

所述数据上传和审计步骤进一步包括：The data uploading and auditing steps further include:

第a步，数据文件上传，群成员U_i将他要上传到云端模块的数据文件F分割成n个数据块，即F＝(m_i，…，m_n)。然后用他的密钥s_i计算数据块m_i(i＝1，2，…，n)的签名最后将数据块(m₁，…，m_n)和数据块对应的签名Φ＝{σ_i}_1≤i≤n发送给云端模块，并且在本地删除数据块及其对应的签名；In step a, the data file is uploaded. The group member U _i divides the data file F to be uploaded to the cloud module into n data blocks, that is, F=(m _i , . . . , m _n ). Then use his key _si to calculate the signature of data block m _i (i=1, 2, ..., n) Finally, send the data block (m ₁ ,..., m _n ) and the signature Φ={σ _i } _1≤i≤n corresponding to the data block to the cloud module, and delete the data block and its corresponding signature locally;

第b步，数据文件审计，Step b, data file audit,

(b1)产生质询：审计中心模块随机选择一个有c个元素的集合I，且I∈[1，n]，然后产生一个随机元素v_i∈Z_p，i∈I，生成质询chal＝{(i，v_i)}_i∈I并发送给云端；(b1) Generate a challenge: the audit center module randomly selects a set I with c elements, and I∈[1,n], then generates a random element v _i ∈ Z _p , i∈I, and generates a challenge chal={( i, v _i )} _i∈I and sent to the cloud;

(b2)产生证明：云端模块收到质询后，把集合I分割为n份，即I＝{I₁，…I_n}，其中，I_i表示在集合I中被用户U_i签名的数据块的集合，I_i中有c_i个元素。所以有，I＝I₁∪K∪I_n且I_i∩I_j＝φ。然后，对每个集合I_j，云端模块计算数据块的线性组合并计算签名的聚合最后将(σ，μ)作为证明proof发给审计中心模块，其中σ＝{σ₁，…，σ_n}，μ＝{μ₁，K，μ_n}；(b2) Proof generation: After receiving the challenge, the cloud module divides the set I into n parts, that is, I={I ₁ ,...I _n }, where I _i represents the data block signed by the user U _i in the set I The set of , I _i has c _i elements. F, I=I ₁ ∪K∪I _n and I _i ∩I _j =φ. Then, for each set I _j , the cloud module calculates the linear combination of data blocks and compute the aggregate of the signature Finally, (σ, μ) is sent to the audit center module as proof, where σ={σ ₁ ,…,σ _n }, μ={μ ₁ , K, μ _n };

(b3)证明验证：当审计中心模块收到证明proof后，验证以下等式是否成立，(b3) Proof verification: When the audit center module receives the proof proof, it verifies whether the following equations are true,

$\overset{^^}{e e} (({Π Π}_{j j = = 11}^{n no} {σ σ}_{j j},, g g)) = = {Π Π}_{j j = = 11}^{n no} \overset{^^}{e e} (({Π Π}_{i i &Element; &Element; {I I}_{j j}} H h {((i i))}^{{v v}_{i i}} \cdot \cdot {u u}^{{μ μ}_{j j}},, {pk pk}_{j j})) . .$

当等式成立时，说明云端模块存储的数据是正确的；否则，认为至少有一个数据块是不正确的。When the equation is established, it means that the data stored in the cloud module is correct; otherwise, it is considered that at least one data block is incorrect.

所述密钥恢复步骤进一步包括：The key recovery step further includes:

当群体的用户U_x密钥丢失时，他可从群体里的t+1个成员获得t+1个密钥，进行重构操作，进而恢复自己的密钥s_x。不失一般性，假定这t+1个成员为U_i(i＝1，2，…，t+1)；When the user U _x key of the group is lost, he can obtain t+1 keys from t+1 members in the group, perform reconstruction operation, and then recover his own key s _x . Without loss of generality, it is assumed that these t+1 members are U _i (i=1, 2, ..., t+1);

群成员U_i(i＝1，2，…，t+1)随机选择一个多项式去计算u_ij＝f_i(j)和u_ix＝f_i(x)，其中，j＝1，2，…，t+1。然后通过安全信道广播承诺值u_ix，(l＝0，1，…t)，u_ij，(j＝1，2，…，t+1)；Group member U _i (i=1, 2, ..., t+1) randomly selects a polynomial To calculate u _ij =f _i (j) and u _ix =f _i (x), where j=1, 2, . . . , t+1. The committed value is then broadcast over a secure channel u _ix , (l=0,1,...t), u _ij , (j=1, 2, ..., t+1);

当密钥丢失的用户U_x接收到用户U_i(i＝1，2，…，t+1)广播的消息u_ix后，验证下面等式是否成立，After the user U _x whose key is lost receives the message u _ix broadcast by the user U _i (i=1, 2, ..., t+1), verify whether the following equation holds true,

${g g}^{{u u}_{i i x x}} = = {g g}^{{a a}_{i i o o}} {Π Π}_{l l = = 00}^{t t} {(({g g}^{{a a}_{i i l l}}))}^{{x x}^{l l}} ((mod mod p p))$

若等式成立，则用户U_x计算 If the equation holds, the user U _x calculates

成员U_j(j＝1，2，…，t+1)接收到其他t个用户广播的消息u_ij后，然后验证下面等式是否成立，Member U _j (j=1, 2, ..., t+1) receives the message u _ij broadcast by other t users, and then verifies whether the following equation holds true,

${g g}^{{u u}_{i i j j}} = = {g g}^{{a a}_{i i o o}} {Π Π}_{l l = = 11}^{t t} {(({g g}^{{a a}_{i i l l}}))}^{{j j}^{l l}} ((mod mod p p))$

若等式成立，则成员U_j(j＝1，2，…，t+1)计算即对密钥s_j进行了盲化，然后通过安全信道广播s_j′；If the equality is established, the member U _j (j=1, 2, ..., t+1) calculates That is, the key s _j is blinded, and then s _j ′ is broadcast through a secure channel;

用户U_x接收到用户U_j(j＝1，2，…，t+1)广播的消息s_j′后，验证下面等式是否成立，After the user U _x receives the message s _j ′ broadcast by the user U _j (j=1, 2, ..., t+1), it verifies whether the following equation holds true,

${g g}^{{s the s}_{j j}^{' '}} = = {g g}^{s the s} {Π Π}_{l l = = 00}^{t t} {(({g g}^{{a a}_{l l}}))}^{{j j}^{l l}} \cdot &Center Dot; {Π Π}_{i i = = 11}^{t t + + 11} {ϵ ϵ}_{i i j j}$

若等式成立，则用户U_x计算他的密钥其中， $C_{B j} x = Π_{i = {1, 2, ..., t + 1} \ {j}} \frac{x - i}{j - i} .$ If the equality holds, user U _x computes his key in, $C_{B j} x = Π_{i = {1, 2, ..., t + 1} \ {j}} \frac{x - i}{j - i} .$

本发明的有益效果：Beneficial effects of the present invention:

1、当群里有成员的密钥丢失时，可以通过群体里的其他t+1个成员的密钥恢复出他的密钥，避免重新产生新的密钥以及对部分数据重新产生签名；1. When the key of a member in the group is lost, his key can be recovered through the keys of other t+1 members in the group, avoiding regenerating a new key and re-signing some data;

2、密钥是可验证的，即群体各个成员均可验证密钥分发中心给他发送的密钥是否正确，密钥丢失的用户也可验证群体里的其他t+1个成员给他发送的份额是否正确。这可防止密钥分发中心或者给密钥丢失用户分发份额的用户是不诚实的；2. The key is verifiable, that is, each member of the group can verify whether the key sent to him by the key distribution center is correct, and the user who lost the key can also verify the key sent to him by other t+1 members in the group Is the share correct. This prevents the key distribution center or the user who distributes shares to the lost user of the key from being dishonest;

3、密钥恢复时，对用户的密钥进行盲化，使得各个成员彼此间都不知对方的密钥。这提高了密钥恢复的安全性，避免恶意的用户去诬陷云。3. When the key is restored, the user's key is blinded, so that each member does not know each other's key. This improves the security of key recovery and prevents malicious users from framing the cloud.

附图说明Description of drawings

图1是可恢复丢失密钥的云存储完整性检测方法的系统结构图，介绍了本系统五大组成部分参数生成中心、云端、密钥分发中心、群成员、审计中心之间的工作关系，密钥分发中心给群里的所有成员产生密钥，当群里有成员密钥丢失时，可通过群体的其他t+1个成员的密钥恢复出他的密钥。Figure 1 is a system structure diagram of a cloud storage integrity detection method that can recover lost keys. The key distribution center generates keys for all members in the group. When a member key in the group is lost, his key can be recovered from the keys of other t+1 members of the group.

图2是可恢复丢失密钥的云存储完整性检测方法的系统参数产生阶段示意图。由参数生成中心来完成。参数生成中心产生方案中所用到各种系统参数。Fig. 2 is a schematic diagram of the system parameter generation stage of the cloud storage integrity detection method capable of recovering lost keys. This is done by the parameter generation center. The parameter generation center generates various system parameters used in the scheme.

图3是可恢复丢失密钥的云存储完整性检测方法的密钥分发阶段示意图。密钥分发中心随机选择一个多项式，计算出n个份额并将份额分发给为群体的各个成员作为密钥，并计算和公开各成员的公钥。Fig. 3 is a schematic diagram of the key distribution stage of the cloud storage integrity detection method capable of recovering lost keys. The key distribution center randomly selects a polynomial, calculates n shares and distributes the shares to each member of the group as a key, and calculates and publishes the public key of each member.

图4是可恢复丢失密钥的云存储完整性检测方法的数据上传与审计阶段示意图。群成员把数据以及数据块签名存储到云端。审计中心向云端提出质询，以便验证云端存储数据的完整性。Fig. 4 is a schematic diagram of the data upload and audit stages of the cloud storage integrity detection method that can restore lost keys. Group members store data and block signatures in the cloud. The audit center issues queries to the cloud in order to verify the integrity of the data stored in the cloud.

图5是可恢复丢失密钥的云存储完整性检测方法的密钥恢复阶段示意图。当群体的用户U_x密钥丢失时，他可从群体里的成员得到不少于t+1个密钥，进行重构操作，进而恢复自己的密钥。Fig. 5 is a schematic diagram of the key recovery stage of the cloud storage integrity detection method capable of recovering lost keys. When the user U _x key of the group is lost, he can get no less than t+1 keys from the members of the group, perform reconstruction operation, and then recover his own key.

具体实施方式Detailed ways

以下采用实施例来详细说明本发明的实施方式，借此对本发明如何应用技术手段来解决技术问题，并达成技术效果的实现过程能充分理解并据以实施。The following examples are used to describe the implementation of the present invention in detail, so as to fully understand and implement the process of how to apply technical means to solve technical problems and achieve technical effects in the present invention.

一、本发明所应用的相关理论One, the relevant theory applied in the present invention

(1)双线性配对(1) Bilinear pairing

设G₁，G₂是两个阶为素数q的乘法群，若映射满足以下性质：Let G ₁ and G ₂ be two multiplicative groups whose order is a prime number q, if the mapping satisfy the following properties:

1)双线性：对于 $\begin{matrix} &ForAll; P, Q &Element; G_{1}, & a, b &Element; Z_{q}^{*}, \end{matrix}$ 满足 $\hat{e} (P^{a}, Q^{b}) = \hat{e} {(P, Q)}^{a b};$ 1) Bilinear: For $\begin{matrix} &ForAll; P, Q &Element; G_{1}, & a, b &Element; Z_{q}^{*}, \end{matrix}$ satisfy $\hat{e} (P^{a}, Q^{b}) = \hat{e} {(P, Q)}^{a b};$

2)非退化性：存在P，Q∈G，使得 2) Non-degenerate: there exists P, Q∈G, such that

3)可计算性：存在有效算法，对于均可计算 3) Computability: There is an effective algorithm for can be calculated

则称该映射为双线性配对。then the mapping for a bilinear pairing.

(2)拉格朗日插值公式(2) Lagrange interpolation formula

给定t个点(x₁，y₁)，K，(x_t，y_t)，能够通过下面的插值公式确定并唯一确定一个次数小于t且给定的t个点均在其上的多项式：Given t points (x ₁ , y ₁ ), K, (x _t , y _t ), the following interpolation formula can be used to determine and uniquely determine a polynomial whose degree is less than t and the given t points are all on it :

$f f ((x x)) = = {Σ Σ}_{i i = = 11}^{t t} {y the y}_{i i} {Π Π}_{j j = = 11,, j j &NotEqual; &NotEqual; i i}^{t t} \frac{x x - - {x x}_{i i}}{{x x}_{j j} - - {x x}_{i i}} . .$

图1是本发明实施例提供的可恢复丢失密钥的云存储完整性检测方法的系统结构图。FIG. 1 is a system structure diagram of a cloud storage integrity detection method for recovering lost keys provided by an embodiment of the present invention.

其中，系统参数生成阶段由参数生成中心执行，生成系统所需公共参数 Among them, the system parameter generation stage is executed by the parameter generation center to generate the public parameters required by the system

密钥分发中心随机选择一个多项式，计算群体里各个成员U_i(i＝1，2，…，n)的密钥s_i(i＝1，2，…，n)和公钥然后把密钥s_i(i＝1，2，…，n)分发给群里的各个成员U_i(i＝1，2，…，n)，并公开各个成员的公钥群体里的每个用户U_i(i＝1，2，…，n)接收到密钥分发中心发送的密钥s_i后，验证接收到的s_i是否正确。The key distribution center randomly selects a polynomial, and calculates the key s _i (i=1, 2, ..., n) and public key of each member U _i (i = 1, 2, ..., n) in the group Then distribute the key s _i (i=1, 2, ..., n) to each member U _i (i = 1, 2, ..., n) in the group, and disclose the public key of each member After each user U _i (i=1, 2, ..., n) in the group receives the key _si sent by the key distribution center, it verifies whether the received _si is correct.

群成员U_i将他要上传到云端的数据文件F分割成n个数据块，即F＝(m₁，…，m_n)。然后用他的密钥s_i计算数据块m_i(i＝1，2，…，n)的签名最后将数据块(m₁，…，m_n)和数据块对应的签名Φ＝{σ_i}_1≤i≤n发送给云端，并且在本地删除数据块及其对应的签名。The group member U _i divides the data file F to be uploaded to the cloud into n data blocks, that is, F=(m ₁ , . . . , m _n ). Then use his key _si to calculate the signature of data block m _i (i=1, 2, ..., n) Finally, send the data block (m ₁ , . . . , m _n ) and the signature Φ={σ _i } _1≤i≤n corresponding to the data block to the cloud, and delete the data block and its corresponding signature locally.

审计中心TPA随机选择需要质询的采样数据，并把质询chal发送给云端。云端根据TPA发来的质询chal产生审计证明proof并且发送给TPA。TPA接收到云端发来的证明proof后，TPA通过证明验证云端数据块的完整性。The audit center TPA randomly selects the sampling data that needs to be challenged, and sends the challenge chal to the cloud. The cloud generates audit proof proof according to the challenge chal sent by TPA and sends it to TPA. After TPA receives the proof from the cloud, TPA verifies the integrity of the cloud data block through the proof.

群体里的用户U_x密钥丢失时，他可通过群体里的其他t+1个成员的密钥，进行重构操作，恢复自己的密钥s_x。When the key of user U _x in the group is lost, he can reconstruct his own key s _x through the keys of other t+1 members in the group.

图2是本发明实施例提供的可恢复丢失密钥的云存储完整性检测方法的系统参数生成阶段示意图。Fig. 2 is a schematic diagram of the system parameter generation stage of the cloud storage integrity detection method for recoverable lost keys provided by an embodiment of the present invention.

系统参数生成阶段由参数生成中心执行。参数生成中心生成两个乘法循环群G₁，G₂(它们的阶均为大素数p)，和一个双线性配对：其中，g，u是G₁中两个互相独立的生成元。然后选择密码哈希函数其中最后选择素数q，使得q|p-1，(q是Z_p ^*的阶)。全体公共参数为参数生成中心为密钥分发中心提供产生各个群成员公密钥的参数；为审计中心提供产生质询以及验证的参数；为群用户产生数据块签名提供参数。The system parameter generation stage is executed by the parameter generation center. The parameter generation center generates two multiplicative cyclic groups G ₁ , G ₂ (their order is a large prime number p), and a bilinear pairing: Among them, g, u are two independent generators in _G1 . Then choose a cryptographic hash function in Finally choose a prime q such that q|p-1, (q is the order of Z _p ^* ). All public parameters are The parameter generation center provides the key distribution center with the parameters to generate the public keys of each group member; provides the audit center with the parameters for generating the challenge and verification; and provides the group users with the parameters for generating the data block signature.

图3是本发明实施例提供的可跟踪身份的共享数据云审计方法的密钥分发阶段示意图。Fig. 3 is a schematic diagram of the key distribution stage of the identity-traceable shared data cloud audit method provided by the embodiment of the present invention.

在密钥分发阶段，密钥分发中心随机选择一个多项式计算各个成员的密钥s_i＝f(i)，i＝1，2，…，n和公钥然后，广播承诺值g^s，并把密钥s_i(i＝1，2，…，n)发给群里的各个成员U_i(i＝1，2，…，n)，公开各个成员的公钥群体里的每个用户U_i(i＝1，2，…，n)接收到密钥分发中心发送的密钥s_i后，验证密钥分发中心给他的密钥s_i是否正确。而且每个用户存储承诺值g^s， In the key distribution phase, the key distribution center randomly selects a polynomial Calculate each member's key s _i =f(i), i=1, 2,..., n and public key Then, the broadcast commitment value g ^s , And send the key s _i (i=1, 2, ..., n) to each member U _i (i = 1, 2, ..., n) in the group, and disclose the public key of each member After receiving the key _si sent by the key distribution center, each user U _i (i=1, 2, ..., n) in the group verifies whether the key _si given to him by the key distribution center is correct. And each user stores a commitment value g ^s ,

图4是本发明实施例提供的可恢复丢失密钥的云存储完整性检测方法的数据上传和审计阶段示意图。Fig. 4 is a schematic diagram of the data upload and audit stages of the cloud storage integrity detection method for recoverable lost keys provided by an embodiment of the present invention.

在数据上传阶段，群成员U_i将他要上传到云端的数据文件F分割成n个数据块，即F＝(m₁，…，m_n)。然后用他的密钥s_i计算数据块m_i(i＝1，2，…，n)的签名最后将数据块(m₁，…，m_n)和数据块对应的签名Φ＝{σ_i}_1≤i≤n发送给云端，并且在本地删除数据块及其对应的签名。在审计阶段，审计中心TPA选择一个质询chal＝{(i，v_i)}_i∈I发送给云端，云端收到质询后，计算质询数据块的线性组合和签名的聚合，然后得到证明proof＝(σ，μ)，发给审计中心。审计中心收到证明proof后，通过验证验证等式是否成立来验证存储在云端的数据是否完整性。In the data upload stage, the group member U _i divides the data file F to be uploaded to the cloud into n data blocks, that is, F=(m ₁ , . . . , m _n ). Then use his key _si to calculate the signature of data block m _i (i=1, 2, ..., n) Finally, send the data block (m ₁ , . . . , m _n ) and the signature Φ={σ _i } _1≤i≤n corresponding to the data block to the cloud, and delete the data block and its corresponding signature locally. In the audit stage, the audit center TPA selects a challenge chal={(i, v _i )} _i∈I and sends it to the cloud. After receiving the challenge, the cloud calculates the linear combination of the challenge data blocks and the aggregation of the signature, and then obtains proof= (σ, μ), sent to the audit center. After receiving the proof, the audit center verifies the integrity of the data stored in the cloud by verifying whether the verification equation holds.

图5是本发明实施例提供的可恢复丢失密钥的云存储完整性检测方法的密钥恢复阶段示意图。Fig. 5 is a schematic diagram of a key recovery stage of a cloud storage integrity detection method for recovering a lost key provided by an embodiment of the present invention.

当群体的用户U_x密钥丢失时，他可从群体里的t+1个成员U_i(i＝1，2，…t+1)获得t+1个盲化后的密钥，然后验证这些盲化后的密钥是否正确。如果正确，则进行重构操作，进而恢复自己的密钥s_x。When the user U _x key of the group is lost, he can obtain t+1 blinded keys from t+1 members U _i (i=1, 2,...t+1) in the group, and then verify Are these blinded keys correct. If it is correct, perform reconstruction operation, and then recover its own key s _x .

二、本发明的具体实现过程Two, the concrete realization process of the present invention

1.系统参数产生阶段：如图2所示，由参数生成中心来完成。参数生成中心产生各种系统参数。1. System parameter generation stage: as shown in Figure 2, it is completed by the parameter generation center. The parameter generating center generates various system parameters.

参数生成中心生成两个乘法循环群G₁，G₂(它们的阶均为大素数p)，和一个双线性配对：其中，g，u是G₁中两个互相独立的生成元。然后选择密码哈希函数其中最后选择素数q，使得q|p-1，(q是Z_p ^*的阶)。则全体公共参数为 The parameter generation center generates two multiplicative cyclic groups G ₁ , G ₂ (their order is a large prime number p), and a bilinear pairing: Among them, g, u are two independent generators in _G1 . Then choose a cryptographic hash function in Finally choose a prime q such that q|p-1, (q is the order of Z _p ^* ). Then all public parameters are

2.密钥分发阶段：如图3所示，密钥分发中心随机选择一个多项式，计算出n个份额{s_i}_1≤i≤n并将份额分发给为群体的各个成员U_i(i＝1，2，…，n)作为密钥，并计算和公开各成员的公钥 2. Key distribution stage: as shown in Figure 3, the key distribution center randomly selects a polynomial, calculates n shares {s _i } _1≤i≤n and distributes the shares to each member U _i (i =1, 2,..., n) as the key, and calculate and publish the public key of each member

(1)密钥分发中心随机选择一个多项式计算各个成员的密钥s_i＝f(i)，i＝1，2，…，n和公钥 (1) The key distribution center randomly selects a polynomial Calculate each member's key s _i =f(i), i=1, 2,..., n and public key

(2)密钥分发中心广播承诺值g^s，把s_i(i＝1，2，…，n)发给群里的各个成员U_i(i＝1，2，…，n)，并公开各个成员的公钥 (2) The key distribution center broadcasts the commitment value g ^s , Send s _i (i=1, 2, ..., n) to each member U _i (i = 1, 2, ..., n) in the group, and disclose the public key of each member

(3)群体里的每个用户U_i(i＝1，2，…，n)接收到密钥分发中心发送的密钥s_i后，验证以下等式是否成立：(3) After each user U _i (i=1, 2, ..., n) in the group receives the key _si sent by the key distribution center, it verifies whether the following equation holds true:

如果等式成立，则说明用户U_i相信密钥分发中心给他的密钥s_i是正确的。而且每个用户存储g^s， If the equation is established, it means that the user U _i believes that the key _si given to him by the key distribution center is correct. And each user stores g ^s ,

3.数据上传和审计阶段：如图4所示。3. Data upload and audit stage: as shown in Figure 4.

数据上传时，群成员用自己的密钥对要上传到云端的数据签名，群成员将数据和数据块签名一起上传到云端。When data is uploaded, the group members use their own keys to sign the data to be uploaded to the cloud, and the group members upload the data and the data block signature to the cloud together.

数据审计时，由审计中心TPA随机选择需要质询的采样数据，并把质询chal发送给云端。云端根据TPA发来的质询chal产生审计证明proof并且发送给TPA。TPA接收到云端发来的证明proof后，通过验证等式验证质询的数据块是否是正确的。During data auditing, the audit center TPA randomly selects the sampling data that needs to be challenged, and sends the challenge chal to the cloud. The cloud generates audit proof proof according to the challenge chal sent by TPA and sends it to TPA. After receiving the proof from the cloud, TPA verifies whether the challenged data block is correct through the verification equation.

数据文件上传：Data file upload:

(1)群成员U_i将他要上传到云端的数据文件F分割成n个数据块，即F＝(m₁，…，m_n)。然后用他的密钥s_i计算数据块m_i(i＝1，2，…，n)的签名最后将数据块(m₁，…，m_n)和数据块对应的签名Φ＝{σ_i}_1≤i≤n发送给云端，并且在本地删除数据块及其对应的签名。(1) The group member U _i divides the data file F to be uploaded to the cloud into n data blocks, that is, F=(m ₁ , . . . , m _n ). Then use his key _si to calculate the signature of data block m _i (i=1, 2, ..., n) Finally, send the data block (m ₁ , . . . , m _n ) and the signature Φ={σ _i } _1≤i≤n corresponding to the data block to the cloud, and delete the data block and its corresponding signature locally.

数据文件审计：Data file audit:

(2)产生质询：审计中心TPA随机选择一个有c个元素的集合I，且I∈[1，n]，然后产生一个随机元素v_i∈Z_p，i∈I，生成质询chal＝{(i，v_i)}_i∈I并发送给云端。(2) Generate a challenge: the audit center TPA randomly selects a set I with c elements, and I∈[1,n], then generates a random element v _i ∈ Z _p , i∈I, and generates a challenge chal={( i, v _i )} _i∈I and send to the cloud.

(3)产生证明：云端收到质询后，把集合I分割为n份，即I＝{I₁，…I_n}，其中，I_i表示在集合I中被用户U_i签名的数据块的集合，I_i中有c_i个元素。所以有，I＝I₁∪K∪I_n且I_i∩I_j＝φ。然后，对每个集合I_j，云端计算数据块的线性组合并计算签名的聚合最后将(σ，μ)作为证明proof发给TPA，其中σ＝{σ₁，…，σ_n}，μ＝{μ₁，K，μ_n}。(3) Proof generation: After receiving the challenge, the cloud divides the set I into n parts, that is, I={I ₁ ,...I _n }, where I _i represents the number of data blocks signed by user U _i in set I Set, I _i has c _i elements. F, I=I ₁ ∪K∪I _n and I _i ∩I _j =φ. Then, for each set I _j , the cloud computes a linear combination of data blocks and compute the aggregate of the signature Finally, (σ, μ) is sent to TPA as a proof, where σ={σ ₁ ,…,σ _n }, μ={μ ₁ , K, μ _n }.

(4)证明验证：当TPA收到证明proof后，验证以下等式是否成立，(4) Proof verification: When TPA receives the proof proof, it verifies whether the following equations hold,

当等式成立时，说明云端存储的数据是正确的；否则，认为至少有一个数据块是不正确的。When the equation is established, it means that the data stored in the cloud is correct; otherwise, it is considered that at least one data block is incorrect.

4.密钥恢复阶段：如图5所示，当群体的用户U_x密钥丢失时，他可从群体里的t+1成员获得t+1个密钥，进行重构操作，进而恢复自己的密钥s_x。不失一般性，假定这t+1个成员为U_i(i＝1，2，…，t+1)。4. Key recovery stage: as shown in Figure 5, when the user U _x key of the group is lost, he can obtain t+1 keys from t+1 members in the group, perform reconstruction operations, and then restore himself The key s _x . Without loss of generality, assume that these t+1 members are U _i (i=1, 2, . . . , t+1).

(1)群成员U_i(i＝1，2，…，t+1)随机选择一个多项式去计算u_ij＝f_i(j)和u_ix＝f_i(x)，其中，j＝1，2，…，t+1。然后通过安全信道广播承诺值u_ix，(l＝0，1，…，t)，u_ij，(j＝1，2，…，t+1)。(1) Group member U _i (i=1, 2, ..., t+1) randomly selects a polynomial To calculate u _ij =f _i (j) and u _ix =f _i (x), where j=1, 2, . . . , t+1. The committed value is then broadcast over a secure channel u _ix , (l=0,1,...,t), u _ij , (j=1, 2, . . . , t+1).

(2)当密钥丢失的用户U_x接收到用户U_i(i＝1，2，…，t+1)广播的消息u_ix后，然后验证下面等式是否成立。(2) After the user U _x whose key is lost receives the message u _ix broadcast by the user U _i (i=1, 2, . . . , t+1), then verify whether the following equation holds true.

(3)每个成员U_j(i＝1，2，…，t+1)接收到其他t个用户U_i(i＝1，2，…，t)广播的消息u_ij后，然后验证下面等式是否成立。(3) After each member U _j (i=1, 2, ..., t+1) receives the message u _ij broadcast by other t users U _i (i = 1, 2, ..., t), then verify the following Whether the equality holds.

若等式成立，则成员U_j(i＝1，2，…，t+1)计算即对密钥s_j进行了盲化，然后通过安全信道广播s_j′。If the equation is established, the member U _j (i=1, 2,..., t+1) calculates That is, the key s _j is blinded, and then s _j ′ is broadcast through a secure channel.

(4)用户U_x接收到用户U_j(j＝1，2，…，t+1)广播的消息s_j′后，然后验证下面等式是否成立。(4) After the user U _x receives the message s _j ′ broadcast by the user U _j (j=1, 2, . . . , t+1), it verifies whether the following equation holds true.

${g g}^{{s the s}_{j j}^{' '}} = = {g g}^{s the s} {Π Π}_{l l = = 00}^{t t} {(({g g}^{{a a}_{l l}}))}^{{j j}^{l l}} \cdot \cdot {Π Π}_{i i = = 11}^{t t + + 11} {ϵ ϵ}_{i i j j}$

所有上述的首要实施这一知识产权，并没有设定限制其他形式的实施这种新产品和/或新方法。本领域技术人员将利用这一重要信息，上述内容修改，以实现类似的执行情况。但是，所有修改或改造基于本发明新产品属于保留的权利。All of the above-mentioned primary implementations of this intellectual property rights are not intended to limit other forms of implementations of this new product and/or new method. Those skilled in the art will, with this important information, modify the above to achieve a similar implementation. However, all modifications or alterations to the new product based on the present invention belong to reserved rights.

以上所述，仅是本发明的较佳实施例而已，并非是对本发明作其它形式的限制，任何熟悉本专业的技术人员可能利用上述揭示的技术内容加以变更或改型为等同变化的等效实施例。但是凡是未脱离本发明技术方案内容，依据本发明的技术实质对以上实施例所作的任何简单修改、等同变化与改型，仍属于本发明技术方案的保护范围。The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention to other forms. Any skilled person who is familiar with this profession may use the technical content disclosed above to change or remodel it into an equivalent change. Example. However, any simple modifications, equivalent changes and modifications made to the above embodiments according to the technical essence of the present invention without departing from the content of the technical solution of the present invention still belong to the protection scope of the technical solution of the present invention.

Claims

1. A cloud storage integrity detection system capable of recovering lost keys is characterized in that: the system comprises a parameter generation center module, a cloud end module, a key distribution center module, a group member module and an auditing center module (TPA for short);

the parameter generation center module generates various system parameters, generates public and private keys for users, calculates audit parameters and the like;

the cloud module provides data storage and data sharing service for group members, and the data file F is divided into n data blocks { m₁，...，m_nStoreAt the cloud end;

the key distribution center module generates a key and a public key for each member in the group member module, distributes the key to each member and discloses the public key of each member;

the group member module includes data owners and other users (assuming that a group has n members U ═ U-₁，U₂，...，U_nThe data owner uploads the data file to the cloud end and shares the data file with other users in the group, and the other users can access the data without distinguishing the data;

and the audit center module is entrusted by a user to verify the integrity of the data stored in the cloud end module.

2. The method for detecting the integrity of the cloud storage with the recoverable lost key by using the system for detecting the integrity of the cloud storage with the recoverable lost key according to claim 1, comprises the following steps:

firstly, generating system parameters, namely generating various system parameters by adopting a parameter generation central module of the system;

secondly, key distribution is carried out, a polynomial is randomly selected by adopting a key distribution center module, and n shares { s ] are calculated_i}_1≤i≤nAnd distribute shares to individual members U of the population_i(i ═ 1, 2.. times, n) as a key, and a public key of each member is calculated and disclosed

And thirdly, data uploading and auditing, wherein the data uploading is that the group members sign data to be uploaded to a cloud module by using own keys, the group members upload the data and the data block signatures to the cloud together, the data auditing is that sampling data to be queried are randomly selected by an auditing center module and inquiry chal is sent to the cloud, the cloud module generates an auditing proof according to the inquiry chal sent by the auditing center module and sends the auditing proof to the auditing center module, and after the auditing center module receives the proof sent by the cloud, whether the queried data block is correct is verified through a verification equation.

Fourthly, recovering the key, and users U in the group_xWhen the key is lost, the user can reconstruct the key of other t +1 members in the group to recover the key s of the user_x。

3. The cloud storage integrity detection method of claim 2, wherein: the system parameter generation step is further embodied as that the parameter generation central module generates two multiplication cycle groups G₁，G₂(their order is all large prime p), and a bilinear pairing:wherein G, u are G₁Two independent generators. Then selecting a cryptographic hash functionWhereinFinally, the prime number q is chosen such that q | p-1, (q is Z_p ^*The step (d). Then the overall common parameter is

4. The cloud storage integrity detection method of claim 2 or 2, wherein: the key distribution step further specifically comprises,

step a, the key distribution center module randomly selects a polynomial Calculating the secret key s of each member_iF (i), i 1, 2, n and a public key

Step b, the key distribution center module broadcasts the commitment value g^s，Handle s_i(i 1, 2.., n) to each member U in the group_i(i ═ 1, 2.. times, n), and discloses the public keys of the individual members

Step c, each user U in the group_i(i 1, 2.. n.) receiving the key s sent by the key distribution center module_iThen, it is verified whether the following equation holds:

if the equation is true, the user U is stated_iBelieving the key s given to him by the key distribution center module_iIs correct. And each user stores a commitment value g^s，

5. The cloud storage integrity detection method of claims 2 to 4, wherein: the data uploading and auditing steps further include,

step a, uploading data files and making group members U_iThe data file F to be uploaded to the cloud module is divided into n data blocks, i.e. F ═ m₁，...，m_n). Then uses his key s_iCalculating a data block m_iA signature of (i ═ 1, 2.., n)Finally, the data block (m)₁，...，m_n) Signature Φ ═ σ corresponding to data block_i}_1≤i≤nSending the data block to a cloud module, and locally deleting the data block and a signature corresponding to the data block;

step b, auditing the data file,

(b1) generating a challenge: the audit center module randomly selects a set I with c elements, and the I belongs to [1, n ]]Then generating a random element v_i∈Z_pI belongs to I, generates challenge chal { (I, v)_i)}_i∈IAnd sending to the cloud;

(b2) proof of generation: after the cloud module receives the inquiry, the set I is divided into n parts, namely I ═ I₁，...I_nIn which I_iRepresented in set I by user U_iSet of signed data blocks, I_iIn is c_iAnd (4) each element. So that the method has the advantages that,I＝I₁∪K∪I_nand I_i∩I_jPhi is given. Then, for each set I_jCloud module computing linear combinations of data blocksAnd compute aggregations of signaturesFinally, (sigma, mu) is sent to the audit center module as proof, wherein sigma is { sigma ═ sigma₁，...，σ_n}，μ＝{μ₁，K，μ_n}；

(b3) And (3) proving and verifying: after the audit center module receives the proof, whether the following equation is established or not is verified,

<math> <mrow> <mover> <mi>e</mi> <mo>^</mo> </mover> <mrow> <mo>(</mo> <msubsup> <mo>Π</mo> <mrow> <mi>j</mi> <mo>=</mo> <mn>1</mn> </mrow> <mi>n</mi> </msubsup> <msub> <mi>σ</mi> <mi>j</mi> </msub> <mo>,</mo> <mi>g</mi> <mo>)</mo> </mrow> <mo>=</mo> <msubsup> <mo>Π</mo> <mrow> <mi>j</mi> <mo>=</mo> <mn>1</mn> </mrow> <mi>n</mi> </msubsup> <mover> <mi>e</mi> <mo>^</mo> </mover> <mrow> <mo>(</mo> <msub> <mo>Π</mo> <mrow> <mi>i</mi> <mo>&Element;</mo> <msub> <mi>I</mi> <mi>j</mi> </msub> </mrow> </msub> <mi>H</mi> <msup> <mrow> <mo>(</mo> <mi>i</mi> <mo>)</mo> </mrow> <msub> <mi>v</mi> <mi>i</mi> </msub> </msup> <mo>·</mo> <msup> <mi>u</mi> <msub> <mi>μ</mi> <mi>j</mi> </msub> </msup> <mo>,</mo> <msub> <mi>pk</mi> <mi>j</mi> </msub> <mo>)</mo> </mrow> <mo>.</mo> </mrow> </math>

when the equation is established, the data stored by the cloud module is correct; otherwise, at least one of the data blocks is deemed incorrect.

6. The cloud storage integrity detection method of claims 2 to 5, wherein: the key recovery step further comprises the step of,

user U of current group_xWhen the key is lost, the user can obtain t +1 keys from t +1 members in the group to reconstruct the key s_x. Without loss of generality, assume that the t +1 members are U_i(i＝1，2，...，t+1)；

Group member U_i(i 1, 2.., t +1) randomly selecting a polynomialTo calculate u_ij＝f_i(j) And u_ix＝f_i(x) Wherein j is 1, 2. The commitment value is then broadcast over a secure channel

User U when key is lost_xReceiving user U_i(i 1, 2.. t +1) broadcast message u_ixAfter that, it is verified whether the following equation is established,

if the equation is true, the user U_xComputing

Member U_j(j 1, 2.. t +1) receiving message u broadcast by other t users_ijAfter that, the air conditioner is started to work,it is then verified whether the following equation holds,

if the equation is true, then member U_j(j ═ 1, 2.., t +1) calculationI.e. the pair key s_jBlinded and then broadcast s over a secure channel_j′；

User U_xReceiving user U_j(j ═ 1, 2.. gtt +1) broadcasted message s_jAfter that, it is verified whether the following equation is true,

if the equation is true, the user U_xCalculate his keyWherein,