Cloud storage integrity detection method and system capable of recovering lost key
Technical Field
The invention relates to the technical field of cloud storage security, in particular to a cloud storage integrity detection method and system capable of recovering lost keys.
Background
In recent years, with the rapid development of internet technology and the growing number of cloud service providers, cloud computing services have become part of everyday life, and storing data in the cloud has become a focus of attention. Interactive applications generate massive amounts of data, which require large amounts of software and hardware for storage and computation, and the maintenance cost of the data is very high. Cloud storage, an important form of cloud computing, provides large-scale storage that is cheap and convenient to use, and stores and manages data on behalf of users. Users consume the service on demand and outsource their data to the cloud, which changes how resources are deployed and services are provided and avoids heavy investment in local software, hardware and maintenance.
However, cloud storage also faces many threats: system software may contain vulnerabilities, the system may be compromised by attackers, hardware may fail, data may be lost, and a cloud service provider may deliberately delete rarely used data to save storage space while hiding the loss in order to protect its reputation. Once a user's data and applications move to the cloud, the user loses direct control over them, and any error in the cloud may modify or destroy user data. The user therefore has reason to question whether the data stored in the cloud is complete and available, and the data owner needs a safe and reliable mechanism to confirm that the data is really and completely stored on the cloud server.
Cloud storage data integrity auditing is a good way to ensure the integrity and availability of data stored in the cloud. However, conventional methods of verifying data integrity require downloading the entire data to complete the verification, which is impractical for outsourced data: because the amount of data stored in the cloud is very large, this incurs heavy communication and computation overhead and places a great burden on I/O devices. Private auditing is more efficient, but only the user himself can perform the verification. Public auditing allows anyone to challenge the cloud and verify the integrity of the data. Because the amount of data stored in the cloud is very large, the auditing task is heavy, and the computing power and time of user equipment are limited; in public auditing the user can therefore entrust the audit task to a trusted third-party audit center, and the integrity of the data can be verified without downloading the complete data. The cloud sends an audit proof to the audit center in response to the challenge, and the audit center uses the proof to verify whether the data stored in the cloud is complete.
In practical cloud storage, group shared data storage is a very important application. With shared data, any member of a given group can access and modify the data in the cloud, so integrity auditing methods for shared cloud data have received some attention. In a shared data group, a member's key may be lost and become unrecoverable because of hardware failure, loss of a mobile device and the like. If a conventional method is used, a new key must be issued to the member who lost the key, all of that user's data must be downloaded from the cloud, and the data must be re-signed with the new key; otherwise a security problem exists. This incurs intolerable computing and communication overhead and is not suitable for a cloud storage environment. An efficient method is therefore needed to recover a member's key when it is lost, without generating a new key and recomputing signatures.
The invention provides an efficient cloud storage integrity detection method capable of recovering lost keys. When the key of a group member is lost, it can be recovered with the help of t + 1 other members of the group (t + 1 is the threshold value), and no user learns the keys of the other users in the group. The scheme therefore not only ensures the integrity of the data but also recovers the key for the member who lost it.
Disclosure of Invention
The technical problem the invention aims to solve is the security problem caused by the loss of a group member's key in shared data. To this end, a cloud storage integrity detection method capable of recovering the lost key is provided. In the method, when the key of a group member is lost, it can be recovered with the help of t + 1 other members of the group (where t + 1 is the threshold value), and no user learns the keys of the other members of the group. The invention is widely applicable in fields such as electronic medical systems and mass data storage.
In order to solve the technical problem, the invention provides a cloud storage integrity detection system capable of recovering lost keys, which comprises a parameter generation center module, a cloud end module, a key distribution center module, a group member module and an audit center module (TPA for short);
the parameter generation center module generates various system parameters, generates public and private keys for users, calculates audit parameters and the like;
the cloud module provides data storage and data sharing services for group members; the data file F is divided into n data blocks $\{m_1, …, m_n\}$ and stored in the cloud;
the key distribution center module generates a key and a public key for each member in the group member module, distributes the key to each member and discloses the public key of each member;
the group member module includes the data owner and other users (assume that the group has n members $U = \{U_1, U_2, …, U_n\}$); the data owner uploads the data file to the cloud and shares it with the other users in the group, and the other users can access the data without distinction;
and the audit center module is entrusted by a user to verify the integrity of the data stored in the cloud end module.
The invention also provides a cloud storage integrity detection method for recovering the lost key by adopting the cloud storage integrity detection system capable of recovering the lost key, which comprises the following steps:
firstly, system parameter generation: the parameter generation center module of the system generates the various system parameters;
secondly, key distribution: the key distribution center module randomly selects a polynomial, computes n shares $\{s_i\}_{1 \le i \le n}$, distributes a share to each member $U_i$ ($i = 1, 2, …, n$) of the group as that member's key, and computes and publishes the public key of each member;
thirdly, data uploading and auditing: for uploading, a group member signs the data to be uploaded to the cloud module with his own key and uploads the data together with the data block signatures to the cloud; for auditing, the audit center module randomly selects the data blocks to be sampled and sends a challenge chal to the cloud, the cloud module generates an audit proof according to the challenge chal and sends it to the audit center module, and after receiving the proof the audit center module checks through a verification equation whether the challenged data blocks are correct;
fourthly, key recovery: when a user $U_x$ in the group loses his key, he can reconstruct and recover his key $s_x$ with the help of t + 1 other members of the group.
The system parameter generation step is further specified as follows: the parameter generation center module generates two multiplicative cyclic groups $G_1$, $G_2$ (both of large prime order p) and a bilinear pairing, where g, u are two independent generators of $G_1$. It then selects a cryptographic hash function. Finally, a prime q is chosen such that q | p − 1 (q is the order of $Z_p^*$). The overall public parameters are then
The key distribution step further comprises:
step a, the key distribution center module randomly selects a polynomial ($a_i \in Z_p$) and computes each member's secret key $s_i = f(i)$, $i = 1, 2, …, n$, and public key;
step b, the key distribution center module broadcasts the commitment values $g^s$, sends $s_i$ ($i = 1, 2, …, n$) to each member $U_i$ ($i = 1, 2, …, n$) in the group, and publishes the public keys of the individual members;
step c, after each user $U_i$ ($i = 1, 2, …, n$) in the group receives the key $s_i$ sent by the key distribution center module, he verifies whether the following equation holds:
$$g^{s_i} = g^{s} \prod_{j=1}^{t} \left(g^{a_j}\right)^{i^j} \bmod p$$
If the equation holds, user $U_i$ accepts the key $s_i$ given to him by the key distribution center module as correct. Each user also stores the commitment values $g^s$,
The data uploading and auditing step further comprises:
step a, uploading the data file: group member $U_i$ divides the data file F to be uploaded to the cloud module into n data blocks, i.e. $F = (m_1, …, m_n)$, then uses his key $s_i$ to compute the signature of each data block $m_i$ ($i = 1, 2, …, n$). Finally, the data blocks $(m_1, …, m_n)$ and the corresponding signatures $\Phi = \{\sigma_i\}_{1 \le i \le n}$ are sent to the cloud module, and the data blocks and their signatures are deleted locally;
step b, auditing the data file,
(b1) challenge generation: the audit center module randomly selects a set I of c elements with $I \subseteq [1, n]$, generates a random element $v_i \in Z_p$ for each $i \in I$, forms the challenge $chal = \{(i, v_i)\}_{i \in I}$ and sends it to the cloud;
(b2) proof generation: after the cloud module receives the challenge, it divides the set I into n parts, i.e. $I = \{I_1, …, I_n\}$, where $I_i$ denotes the set of data blocks in I signed by user $U_i$ and contains $c_i$ elements, so that $I = I_1 \cup … \cup I_n$ and $I_i \cap I_j = \emptyset$. Then, for each set $I_j$, the cloud module computes the linear combination of the data blocks and the aggregate of the signatures. Finally, $(\sigma, \mu)$ is sent to the audit center module as the proof, where $\sigma = \{\sigma_1, …, \sigma_n\}$, $\mu = \{\mu_1, …, \mu_n\}$;
(b3) proof verification: after the audit center module receives the proof, it verifies whether the following equation holds,
$$\hat{e}\left(\prod_{j=1}^{n} \sigma_j,\ g\right) = \prod_{j=1}^{n} \hat{e}\left(\prod_{i \in I_j} H(i)^{v_i} \cdot u^{\mu_j},\ pk_j\right).$$
If the equation holds, the data stored by the cloud module is correct; otherwise, at least one of the data blocks is deemed incorrect.
The key recovery step further comprises:
when a user $U_x$ in the group loses his key, he can obtain t + 1 keys from t + 1 members of the group to reconstruct his key $s_x$. Without loss of generality, assume that the t + 1 members are $U_i$ ($i = 1, 2, …, t+1$);
each group member $U_i$ ($i = 1, 2, …, t+1$) randomly selects a polynomial and computes $u_{ij} = f_i(j)$ and $u_{ix} = f_i(x)$, where $j = 1, 2, …, t+1$. He then broadcasts over a secure channel the commitment values, $u_{ix}$, ($l = 0, 1, …, t$), $u_{ij}$, ($j = 1, 2, …, t+1$);
after the user $U_x$ who lost his key receives the message $u_{ix}$ broadcast by user $U_i$ ($i = 1, 2, …, t+1$), he verifies whether the following equation holds,
$$g^{u_{ix}} = g^{a_{io}} \prod_{l=0}^{t} \left(g^{a_{il}}\right)^{x^l} \pmod{p}$$
If the equation holds, user $U_x$ computes
after member $U_j$ ($j = 1, 2, …, t+1$) receives the messages $u_{ij}$ broadcast by the other t users, he verifies whether the following equation holds,
$$g^{u_{ij}} = g^{a_{io}} \prod_{l=1}^{t} \left(g^{a_{il}}\right)^{j^l} \pmod{p}$$
If the equation holds, member $U_j$ ($j = 1, 2, …, t+1$) computes a blinded version of the key $s_j$ and then broadcasts $s_j'$ over a secure channel;
after user $U_x$ receives the message $s_j'$ broadcast by user $U_j$ ($j = 1, 2, …, t+1$), he verifies whether the following equation holds,
$$g^{s_j'} = g^{s} \prod_{l=0}^{t} \left(g^{a_l}\right)^{j^l} \cdot \prod_{i=1}^{t+1} \epsilon_{ij}$$
If the equation holds, user $U_x$ computes his key, where
$$C_{Bj}x = \prod_{i = \{1, 2, \ldots, t+1\} \setminus \{j\}} \frac{x - i}{j - i}.$$
The beneficial effects of the invention are:
1. when the key of a group member is lost, it can be recovered with the help of t + 1 other members of the group, which avoids generating a new key and re-signing part of the data;
2. the key is verifiable, that is, each member of the group can verify whether the key sent to him by the key distribution center is correct, and the user who lost his key can also verify whether the shares sent to him by the t + 1 other members are correct. This prevents dishonest behaviour by the key distribution center or by the users who send shares to the user who lost his key;
3. when the key is recovered, each user's key is blinded, so that members do not learn one another's keys. This improves the security of key recovery and prevents malicious users from falsely accusing the cloud.
Drawings
Fig. 1 is a system structure diagram of a cloud storage integrity detection method capable of recovering lost keys. It shows the working relationships among the parameter generation center, the cloud, the key distribution center, the group members and the audit center: the key distribution center generates keys for all members of the group, and when a member's key is lost it can be recovered with the help of t + 1 other members of the group.
Fig. 2 is a schematic diagram of the system parameter generation phase of a cloud storage integrity detection method capable of recovering a lost key. This phase is carried out by the parameter generation center, which generates the various system parameters used in the scheme.
Fig. 3 is a schematic diagram of the key distribution phase of a cloud storage integrity detection method capable of recovering lost keys. The key distribution center randomly selects a polynomial, computes n shares and distributes them to the members of the group as keys, and computes and publishes the public keys of the members.
Fig. 4 is a schematic diagram of the data uploading and auditing phase of a cloud storage integrity detection method capable of recovering a lost key. The group members store the data and the data block signatures in the cloud, and the audit center issues challenges to the cloud to verify the integrity of the data stored there.
Fig. 5 is a schematic diagram of the key recovery phase of a cloud storage integrity detection method capable of recovering a lost key. When a user $U_x$ in the group loses his key, he can obtain at least t + 1 keys from members of the group, carry out the reconstruction operation and recover his key.
Detailed Description
The embodiments of the invention are described in detail below, so that the way the invention applies technical means to solve the technical problem and achieve the technical effects can be fully understood and implemented.
First, the related theory applied by the invention
(1) Bilinear pairing
Let $G_1$, $G_2$ be two multiplicative groups of prime order q. If a mapping satisfies the following properties:
1) Bilinearity: for $\forall P, Q \in G_1$, $a, b \in Z_q^*$, it satisfies
2) Non-degeneracy: there exist $P, Q \in G$ such that
3) Computability: there is an efficient algorithm for computing the mapping for all inputs
then the mapping is called a bilinear pairing.
(2) Lagrange interpolation formula
Given t points $(x_1, y_1), …, (x_t, y_t)$, the polynomial of degree less than t that passes through all t given points is uniquely determined by the following interpolation formula:
$$f(x) = \sum_{i=1}^{t} y_i \prod_{j=1,\, j \ne i}^{t} \frac{x - x_i}{x_j - x_i}.$$
Fig. 1 is a system structure diagram of a cloud storage integrity detection method capable of recovering a lost key according to an embodiment of the present invention.
The system parameter generation stage is executed by the parameter generation center, which generates the public parameters required by the system.
The key distribution center randomly selects a polynomial and computes the key $s_i$ ($i = 1, 2, …, n$) and the public key of each member $U_i$ ($i = 1, 2, …, n$) in the group. It then sends the key $s_i$ ($i = 1, 2, …, n$) to each member $U_i$ ($i = 1, 2, …, n$) and publishes the public keys of the individual members. After receiving the key $s_i$ sent by the key distribution center, each user $U_i$ ($i = 1, 2, …, n$) in the group verifies whether the received $s_i$ is correct.
Group member $U_i$ divides the data file F to be uploaded to the cloud into n data blocks, i.e. $F = (m_1, …, m_n)$, then uses his key $s_i$ to compute the signature of each data block $m_i$ ($i = 1, 2, …, n$). Finally, the data blocks $(m_1, …, m_n)$ and the corresponding signatures $\Phi = \{\sigma_i\}_{1 \le i \le n}$ are sent to the cloud, and the data blocks and their signatures are deleted locally.
The TPA randomly selects the data blocks to be sampled and sends the challenge chal to the cloud. The cloud generates an audit proof according to the challenge chal sent by the TPA and returns it to the TPA. After receiving the proof sent by the cloud, the TPA uses it to verify the integrity of the cloud data blocks.
When a user $U_x$ in the group loses his key, he can reconstruct and recover his key $s_x$ with the help of t + 1 other members of the group.
Fig. 2 is a schematic diagram of a system parameter generation phase of the cloud storage integrity detection method capable of recovering a lost key according to the embodiment of the present invention.
The system parameter generation phase is performed by the parameter generation center. The parameter generation center generates two multiplicative cyclic groups $G_1$, $G_2$ (both of large prime order p) and a bilinear pairing, where g, u are two independent generators of $G_1$. It then selects a cryptographic hash function. Finally, a prime q is chosen such that q | p − 1 (q is the order of $Z_p^*$). The parameter generation center provides the key distribution center with the parameters for generating the public keys of all group members, provides the audit center with the parameters for generating challenges and verifying proofs, and provides the group users with the parameters for generating data block signatures.
Fig. 3 is a key distribution stage schematic diagram of an identity traceable shared data cloud auditing method according to an embodiment of the present invention.
In the key distribution phase, the key distribution center randomly selects a polynomial and computes each member's secret key $s_i = f(i)$, $i = 1, 2, …, n$, and public key. It then broadcasts the commitment values $g^s$, sends the key $s_i$ ($i = 1, 2, …, n$) to each member $U_i$ ($i = 1, 2, …, n$) in the group, and publishes each member's public key. After receiving the key $s_i$ sent by the key distribution center, each user $U_i$ ($i = 1, 2, …, n$) in the group verifies whether the key $s_i$ given to him is correct. Each user also stores the commitment values $g^s$,
Fig. 4 is a schematic diagram of a data upload and audit stage of a cloud storage integrity detection method capable of recovering a lost key according to an embodiment of the present invention.
In the data uploading phase, group member $U_i$ divides the data file F to be uploaded to the cloud into n data blocks, i.e. $F = (m_1, …, m_n)$, then uses his key $s_i$ to compute the signature of each data block $m_i$ ($i = 1, 2, …, n$). Finally, the data blocks $(m_1, …, m_n)$ and the corresponding signatures $\Phi = \{\sigma_i\}_{1 \le i \le n}$ are sent to the cloud, and the data blocks and their signatures are deleted locally. In the auditing phase, the audit center TPA selects a challenge $chal = \{(i, v_i)\}_{i \in I}$ and sends it to the cloud. After receiving the challenge, the cloud computes the linear combination of the challenged data blocks and the aggregate of the signatures, obtains the proof $(\sigma, \mu)$ and sends it to the audit center. After receiving the proof, the audit center checks whether the verification equation holds in order to verify the integrity of the data stored in the cloud.
Fig. 5 is a key recovery phase diagram of a cloud storage integrity detection method capable of recovering a lost key according to an embodiment of the present invention.
When a user $U_x$ in the group loses his key, he obtains t + 1 blinded keys from t + 1 members $U_i$ ($i = 1, 2, …, t+1$) of the group and verifies whether the blinded keys are correct. If they are correct, he carries out the reconstruction operation and recovers his key $s_x$.
Secondly, the specific implementation process of the invention
1. System parameter generation stage: as shown in Fig. 2, this stage is carried out by the parameter generation center, which generates the various system parameters.
The parameter generation center generates two multiplicative cyclic groups $G_1$, $G_2$ (both of large prime order p) and a bilinear pairing, where g, u are two independent generators of $G_1$. It then selects a cryptographic hash function. Finally, a prime q is chosen such that q | p − 1 (q is the order of $Z_p^*$). The overall public parameters are then
2. Key distribution stage: as shown in Fig. 3, the key distribution center randomly selects a polynomial, computes n shares $\{s_i\}_{1 \le i \le n}$, distributes a share to each member $U_i$ ($i = 1, 2, …, n$) of the group as that member's key, and computes and publishes the public key of each member.
(1) The key distribution center randomly selects a polynomial and computes each member's secret key $s_i = f(i)$, $i = 1, 2, …, n$, and public key.
(2) The key distribution center broadcasts the commitment values $g^s$, sends $s_i$ ($i = 1, 2, …, n$) to each member $U_i$ ($i = 1, 2, …, n$) in the group, and publishes the public keys of the individual members.
(3) After each user $U_i$ ($i = 1, 2, …, n$) in the group receives the key $s_i$ sent by the key distribution center, he verifies whether the following equation holds:
$$g^{s_i} = g^{s} \prod_{j=1}^{t} \left(g^{a_j}\right)^{i^j} \bmod p$$
If the equation holds, user $U_i$ accepts the key $s_i$ given to him by the key distribution center as correct. Each user also stores $g^s$,
3. Data uploading and auditing stages: as shown in fig. 4.
For data uploading, a group member signs the data to be uploaded to the cloud with his own key and uploads the data together with the data block signatures to the cloud.
For data auditing, the audit center TPA randomly selects the data blocks to be sampled and sends the challenge chal to the cloud. The cloud generates an audit proof according to the challenge chal sent by the TPA and returns it to the TPA. After receiving the proof sent by the cloud, the TPA checks through a verification equation whether the challenged data blocks are correct.
Uploading a data file:
(1) Group member $U_i$ divides the data file F to be uploaded to the cloud into n data blocks, i.e. $F = (m_1, …, m_n)$, then uses his key $s_i$ to compute the signature of each data block $m_i$ ($i = 1, 2, …, n$). Finally, the data blocks $(m_1, …, m_n)$ and the corresponding signatures $\Phi = \{\sigma_i\}_{1 \le i \le n}$ are sent to the cloud, and the data blocks and their signatures are deleted locally.
Auditing the data file:
(2) Challenge generation: the audit center TPA randomly selects a set I of c elements with $I \subseteq [1, n]$, generates a random element $v_i \in Z_p$ for each $i \in I$, forms the challenge $chal = \{(i, v_i)\}_{i \in I}$ and sends it to the cloud.
(3) Proof generation: after the cloud receives the challenge, it divides the set I into n parts, i.e. $I = \{I_1, …, I_n\}$, where $I_i$ denotes the set of data blocks in I signed by user $U_i$ and contains $c_i$ elements, so that $I = I_1 \cup … \cup I_n$ and $I_i \cap I_j = \emptyset$. Then, for each set $I_j$, the cloud computes the linear combination of the data blocks and the aggregate of the signatures. Finally, $(\sigma, \mu)$ is sent to the TPA as the proof, where $\sigma = \{\sigma_1, …, \sigma_n\}$, $\mu = \{\mu_1, …, \mu_n\}$.
(4) Proof verification: after the TPA receives the proof, it verifies whether the following equation holds,
$$\hat{e}\left(\prod_{j=1}^{n} \sigma_j,\ g\right) = \prod_{j=1}^{n} \hat{e}\left(\prod_{i \in I_j} H(i)^{v_i} \cdot u^{\mu_j},\ pk_j\right).$$
If the equation holds, the data stored in the cloud is correct; otherwise, at least one of the data blocks is deemed incorrect.
4. Key recovery stage: as shown in Fig. 5, when a user $U_x$ in the group loses his key, he can obtain t + 1 keys from t + 1 members of the group and reconstruct his key $s_x$. Without loss of generality, assume that the t + 1 members are $U_i$ ($i = 1, 2, …, t+1$).
(1) Each group member $U_i$ ($i = 1, 2, …, t+1$) randomly selects a polynomial and computes $u_{ij} = f_i(j)$ and $u_{ix} = f_i(x)$, where $j = 1, 2, …, t+1$. He then broadcasts over a secure channel the commitment values, $u_{ix}$, ($l = 0, 1, …, t$), $u_{ij}$, ($j = 1, 2, …, t+1$).
(2) After the user $U_x$ who lost his key receives the message $u_{ix}$ broadcast by user $U_i$ ($i = 1, 2, …, t+1$), he verifies whether the following equation holds.
$$g^{u_{ix}} = g^{a_{io}} \prod_{l=0}^{t} \left(g^{a_{il}}\right)^{x^l} \pmod{p}$$
If the equation holds, user $U_x$ computes
(3) After each member $U_j$ ($i = 1, 2, …, t+1$) receives the messages $u_{ij}$ broadcast by the other t users $U_i$ ($i = 1, 2, …, t$), he verifies whether the following equation holds.
$$g^{u_{ij}} = g^{a_{io}} \prod_{l=1}^{t} \left(g^{a_{il}}\right)^{j^l} \pmod{p}$$
If the equation holds, member $U_j$ ($i = 1, 2, …, t+1$) computes a blinded version of the key $s_j$ and then broadcasts $s_j'$ over a secure channel.
(4) After user $U_x$ receives the message $s_j'$ broadcast by user $U_j$ ($j = 1, 2, …, t+1$), he verifies whether the following equation holds.
$$g^{s_j'} = g^{s} \prod_{l=0}^{t} \left(g^{a_l}\right)^{j^l} \cdot \prod_{i=1}^{t+1} \epsilon_{ij}$$
If the equation holds, user $U_x$ computes his key, where
$$C_{Bj}x = \prod_{i = \{1, 2, \ldots, t+1\} \setminus \{j\}} \frac{x - i}{j - i}.$$
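The key distribution check and the key recovery stage described above can be exercised end to end with the following added example, which is not code from the patent. It assumes toy constructed parameters (p = 2039, q = 1019, g = 4), reduces all exponents modulo q, and, because the blinding formula is not legible on this page, assumes additive blinding $s_j' = s_j + \sum_i u_{ij}$; the function names are hypothetical.

```python
import secrets

# Constructed toy parameters, far too small for real use: p = 2q + 1 with p and
# q prime, and g = 4 generating the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4
_rng = secrets.SystemRandom()


def eval_poly(coeffs, x):
    """Evaluate a_0 + a_1*x + ... + a_t*x^t over Z_q (Horner's rule)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc


def commit(coeffs):
    """Public commitments g^{a_0}, ..., g^{a_t} to a polynomial's coefficients."""
    return [pow(G, a, P) for a in coeffs]


def commit_eval(commitments, i):
    """Compute g^{f(i)} from the commitments alone: prod_l (g^{a_l})^{i^l} mod p."""
    acc = 1
    for l, c in enumerate(commitments):
        acc = acc * pow(c, pow(i, l, Q), P) % P
    return acc


def deal(n, t):
    """Key distribution centre: random degree-t polynomial f, keys s_i = f(i)."""
    if not 0 < t < n < Q:
        raise ValueError("need 0 < t < n < q")
    coeffs = [_rng.randrange(Q) for _ in range(t + 1)]
    return {i: eval_poly(coeffs, i) for i in range(1, n + 1)}, commit(coeffs)


def verify_key(i, s_i, commitments):
    """Member U_i's check that the key it received matches the commitments."""
    return pow(G, s_i % Q, P) == commit_eval(commitments, i)


def lagrange_coeff(j, x, helpers):
    """prod over i in helpers, i != j, of (x - i)/(j - i), computed mod q."""
    num = den = 1
    for i in helpers:
        if i != j:
            num = num * (x - i) % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def recover_key(x, helper_keys, commitments, t):
    """Simulate all parties of one recovery run and return U_x's key s_x.

    helper_keys maps each helper index j to the key s_j that helper holds.
    Raises ValueError if a blinded key fails its commitment check.
    """
    helpers = sorted(helper_keys)
    if len(helpers) != t + 1 or x in helpers:
        raise ValueError("need exactly t + 1 helpers, none of them U_x")
    # Each helper U_i picks a random degree-t masking polynomial f_i and
    # publishes commitments to its coefficients.
    masks = {i: [_rng.randrange(Q) for _ in range(t + 1)] for i in helpers}
    mask_commits = {i: commit(masks[i]) for i in helpers}
    # U_x receives u_ix = f_i(x) and checks it against helper i's commitments.
    u_x = {i: eval_poly(masks[i], x) for i in helpers}
    for i in helpers:
        if pow(G, u_x[i], P) != commit_eval(mask_commits[i], x):
            raise ValueError(f"bad u_ix from helper {i}")
    total = 0
    for j in helpers:
        # Assumed blinding: helper j adds every u_ij = f_i(j) to its key.
        blinded = (helper_keys[j] + sum(eval_poly(masks[i], j) for i in helpers)) % Q
        # U_x checks g^{s_j'} == g^{f(j)} * prod_i g^{f_i(j)} from public data.
        expected = commit_eval(commitments, j)
        for i in helpers:
            expected = expected * commit_eval(mask_commits[i], j) % P
        if pow(G, blinded, P) != expected:
            raise ValueError(f"blinded key from helper {j} failed verification")
        total = (total + lagrange_coeff(j, x, helpers) * blinded) % Q
    # Interpolating the blinded keys yields f(x) + sum_i f_i(x); strip the masks.
    return (total - sum(u_x.values())) % Q


if __name__ == "__main__":
    keys, com = deal(n=6, t=2)
    print(all(verify_key(i, s, com) for i, s in keys.items()))
    print(recover_key(5, {j: keys[j] for j in (1, 2, 4)}, com, t=2) == keys[5])
```

A helper that submits a key inconsistent with the distribution center's commitments is rejected before interpolation, which is the verifiability property listed among the beneficial effects.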
All of the above mentioned intellectual property rights are not intended to restrict other forms of implementing the new method and/or new products. Those skilled in the art may take advantage of this important information and modify the foregoing to achieve similar performance. However, all modifications or alterations based on the new products of the invention belong to the reserved rights.
The foregoing is directed to preferred embodiments of the present invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow. However, any simple modification, equivalent change and modification of the above embodiments according to the technical essence of the present invention are within the protection scope of the technical solution of the present invention.