CN109274504B - Multi-user big data storage sharing method and system based on cloud platform - Google Patents
Multi-user big data storage sharing method and system based on cloud platform Download PDFInfo
- Publication number
- CN109274504B CN109274504B CN201811384064.0A CN201811384064A CN109274504B CN 109274504 B CN109274504 B CN 109274504B CN 201811384064 A CN201811384064 A CN 201811384064A CN 109274504 B CN109274504 B CN 109274504B
- Authority
- CN
- China
- Prior art keywords
- data
- user
- sharer
- storage server
- challenge
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 38
- 238000013500 data storage Methods 0.000 title claims abstract description 22
- 238000003860 storage Methods 0.000 claims abstract description 75
- 230000004044 response Effects 0.000 claims abstract description 35
- 238000012545 processing Methods 0.000 claims abstract description 22
- 238000012795 verification Methods 0.000 claims description 25
- 125000004122 cyclic group Chemical group 0.000 claims description 19
- 238000013507 mapping Methods 0.000 claims description 11
- 238000004364 calculation method Methods 0.000 claims description 4
- 230000001419 dependent effect Effects 0.000 claims description 3
- 238000004891 communication Methods 0.000 description 8
- 239000002904 solvent Substances 0.000 description 5
- 238000013475 authorization Methods 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 230000003993 interaction Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 238000012946 outsourcing Methods 0.000 description 2
- 238000011084 recovery Methods 0.000 description 2
- 239000000126 substance Substances 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013496 data integrity verification Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/561—Adding application-functional data or data for application control, e.g. adding metadata
Abstract
The invention provides a multi-user big data storage sharing method based on a cloud platform, which comprises the following steps: a trusted authority TA selects a safety parameter, a collision-resistant hash function and a digital signature scheme to generate a system public parameter; each user generates a respective public key and a private key according to the system public parameters, and the users comprise data sharers and data users; the data sharer executes data processing according to a private key of the data sharer and public keys of a group of data users, generates processed shared data and data labels corresponding to the shared data and uploads the shared data and the data labels to the cloud storage server; the data user verifies the data label corresponding to the shared data, if the data label is legal, a challenge is generated, and the challenge is sent to the cloud storage server; the cloud storage server calculates the received challenge to obtain a response, and replies the response to the data user; the data user verifies the received response to judge the integrity of the shared data.
Description
Technical Field
The invention relates to the field of information security passwords, in particular to a multi-user big data storage sharing method and system based on a cloud platform.
Background
With the tremendous advances in information and communication technology, various types of smart devices have been widely used in people's work and life, and these devices may generate large amounts of data every day. For example, in a certain department of a company, large-scale data of a certain employee may need to be shared in the department, so that all employees in the department can obtain the data. In order to save storage resources, an effective method is to upload data to a cloud storage server and store the data under an account number of the department, so that all employees in the department can access and download the data by using the same account number.
Obviously, the cloud storage server can provide people with strong storage capacity and flexible data access modes, and the access to data is not limited by time and place any more. However, data uploaded to the cloud storage server is often damaged for some reasons, for example, the cloud storage server may delete data with very few accesses to save storage space, or data damage is caused by hardware errors of the cloud storage server itself. In summary, data corruption by the user will affect the confidence that the user continues to employ the present approach to preserve data and will likely result in an economic loss to the user.
Therefore, when the company staff store the local department data by using the cloud platform, it is necessary to ensure the integrity of the outsourced data and issue the authority for executing the integrity verification to the local department staff. The existing cloud storage integrity verification method can be divided into two categories, one category is a private verification scheme and only allows users holding the same private key to verify the integrity of cloud storage data, and the other category is a public verification scheme and allows any person to verify the integrity of outsourced data. It is easy to see that the above two schemes are not suitable for the cloud storage scenario supporting the employees in the company department to perform integrity verification. The first category of solutions requires all employees to share one data processing private key and it is difficult to tell which employee the outsourced data was processed and uploaded. The second type of solution would allow non-corporate, non-department personnel to verify the integrity of the outsourced data.
Typical existing cloud storage integrity verification techniques include a data holding certification technique proposed by ATENIESE et al and a data recovery certification technique proposed by JUELS et al. Since the data holding certification technology and the data recovery certification technology are proposed, researchers have proposed improvement schemes for various application scenarios based on the two technologies. Generally, a user needs to perform certain processing on data before uploading the data, generate verifiable metadata, and store the metadata and original data together to a cloud storage server for performing integrity verification at a later stage.
At present, some researchers have proposed a scheme for supporting a designated auditor to execute outsourced data integrity verification, and allowing a data holder to designate a user to execute an integrity verification protocol through interaction with a cloud storage server. The protocol realizes data sharing of outsourced data between two users and supports integrity verification, an authorization process does not need to be generated independently, and the problem of authorization execution of integrity verification to multiple users at the same time cannot be solved.
Disclosure of Invention
In view of the above drawbacks of the prior art, an object of the present invention is to provide a distributed secure communication method and system based on a blockchain, which aim to solve the problem of large data sharing supporting integrity verification in a multi-user environment.
In order to achieve the above and other related objects, the present invention provides a method for sharing big data of multiple users based on a cloud platform, including:
a trusted authority TA selects a safety parameter, a collision-resistant hash function and a digital signature scheme to generate a system public parameter;
each user generates a respective public key and a private key according to the system public parameters, and the users comprise data sharers and data users;
the data sharer executes data processing according to a private key of the data sharer and public keys of a group of data users, generates processed shared data and data labels corresponding to the shared data and uploads the shared data and the data labels to the cloud storage server;
the data user verifies the data label corresponding to the shared data, if the data label is legal, a challenge is generated, and the challenge is sent to the cloud storage server;
the cloud storage server calculates the received challenge to obtain a response, and replies the response to the data user;
the data user verifies the received response to judge the integrity of the shared data.
Optionally, the system disclosure parameter para is specifically:
wherein G is1And G2Is a cyclic group with the order of prime number p, and G represents a cyclic group G1Is generated by the one of the generators of (1),
representing a bilinear mapping operation
H1(. and H)2(. cndot.) represents a collision-resistant hash function,
is a digital signature scheme.
Optionally, the generating, by each user, a respective public key and a respective private key according to the system public parameter specifically includes:
each user PiRandom selection of ZpOne non-0 element in a Domain
Computing
0≤i≤n,
Representation field ZpIs given as a non-zero subset of elements {1,2, ·, p-1}, viRepresenting the calculation result on the right side of the equal sign;
represents group G1And (4) performing the power-up operation.
Each user PiExecute
l is a safety parameter, 1lIndicates the input mode, tpk, of the safety parameter li,tskiRespectively represent
Outputting a public key and a private key;
is a digital signature scheme
The key generation algorithm in (1);
user PiGet the public key pki=(vi,tpki) And the private key ski=(zi,tski)。
Optionally, the data sharer performs data processing according to a private key of the data sharer and a public key of a group of data users to generate processed shared data and a data tag corresponding to the shared data, and the data processing specifically includes:
data sharer P0Random selection of ZpTwo non-0 elements in a domain
And constructs the following polynomial:
wherein, | | represents string concatenation;
all represent group G1A power-up operation;
the expression is that the power operation results of the left side and the right side of | | are taken as character strings to be connected;
data sharer P0The polynomial psi (x) is arranged to obtain:
ψ(x)=cnxn+cn-1xn-1+…+c1x+c0modp
data sharer P0Computing
c0,c1,cnCoefficients representing a polynomial ψ (x); eta0,η1,ηnRepresents group G1A power-up operation;
data sharer P0Randomly selecting a unique identifier LidDividing the data M into lambda data blocks MjI.e. M ═ M1||m2||…||mλ;
Data sharer P0Randomly selecting a cyclic group G1One element μ of (1);
data sharer P0Construct a string τ as follows:
τ←Lid||pk0||pk1||…||pkn||λ||μ||gθ||η0||η1||…||ηn,
computing
Obtaining a data tag τ0← τ | δ, δ representing the result of performing the operation to the right of the arrow;
representing execution of a digital signature scheme
The signature generation algorithm Sign () in (1), the input of which is tsk0And τ;
data sharer P0For each data block mjOne metadata γ is calculated and generated as followsj,1≤j≤λ:
j represents the number of data blocks;
represents group G1A power-up operation;
data sharer P0Obtaining processed data
Optionally, the data user verifies the data tag corresponding to the shared data, and if the data tag is legal, a challenge is generated, which specifically includes:
data user PiReading processed data from a cloud storage server
And a data tag τ0Decomposing the data tag τ0τ and δ were obtained and verified
Whether the result is true or not; if not, terminating the execution of the subsequent steps;
data user PiFrom [1, lambda ]]Randomly selecting a subset delta, and randomly selecting Z for each element j in the subset deltapOne non-0 element in a Domain
The data consumer gets the challenge Θ { (j, α)j):j∈Δ}。
Optionally, the computing, by the cloud storage server, of the received challenge to obtain a response specifically includes:
the cloud storage server receives a challenge theta and processed data
And corresponding data tag τ0Computing aggregated metadata
The cloud storage server aggregates the challenged data blocks and calculates the challenged data blocks to obtain
Cloud storage server gets a response to challenge Θ
Optionally, the verifying the received response by the data user to determine the integrity of the shared data specifically includes:
data user PiComputing
Data user PiComputing
hnRepresents ZpThe operation of the power of (a) above,
represents group G1A power-up operation;
data user PiVerification equation
Whether the result is true or not; if yes, outputting 1 to indicate that the data is completely stored, and the user obtains complete shared data; otherwise, a 0 is output indicating that the data has been corrupted, wherein
Represents group G1And (4) performing the power-up operation.
In order to achieve the above objects and other related objects, the present invention further provides a multi-user big data storage sharing system based on a cloud platform, including:
the initialization module is used for the trusted authority TA to select a safety parameter, a collision-resistant hash function and a digital signature scheme to generate a system public parameter;
the user key generation module is used for generating a public key and a private key of each user according to the system public parameters, and the users comprise data sharers and data users;
the data processing module is used for performing data processing by a data sharer according to a private key of the data sharer and public keys of a group of data users, generating processed shared data and data labels corresponding to the shared data, and uploading the data labels to the cloud storage server;
the integrity challenge generating module is used for verifying a data tag corresponding to the shared data by a data user, generating a challenge if the data tag is legal, and sending the challenge to the cloud storage server;
the integrity response module is used for calculating the received challenge by the cloud storage server to obtain a response and replying the response to the data user;
and the integrity verification module is used for verifying the received response by the data user so as to judge the integrity of the shared data.
As described above, the multi-user big data storage sharing method and system based on the cloud platform of the present invention have the following beneficial effects:
the invention provides a multi-user big data storage and sharing method based on a cloud platform, which is used for processing, outsourcing, verifying and sharing user data in a multi-user environment, can reduce the burden of the user on storing big data, reduce the communication burden of a data sharer and solve the worry of a data user on the source and the integrity of shared data. The data sharing method comprises the steps that data are processed, a data sharer uploads the processed data to a cloud storage server, and the cloud storage server further provides data access and sharing services for data users by means of strong storage, calculation and communication capabilities of the cloud storage server. In the data processing stage, the data sharer can indirectly designate a group of data users, so that the designated data users can verify the integrity of the data through interaction with the cloud storage server, and a big data sharing mechanism supporting integrity verification is realized.
Drawings
To further illustrate the description of the present invention, the following detailed description of the embodiments of the present invention is provided with reference to the accompanying drawings. It is appreciated that these drawings are merely exemplary and are not to be considered limiting of the scope of the invention.
Fig. 1 is a flowchart of a multi-user big data storage sharing method based on a cloud platform according to the present invention;
fig. 2 is a system architecture diagram of a multi-user big data storage sharing system based on a cloud platform according to the present invention;
fig. 3 is a block diagram of a multi-user big data storage sharing system based on a cloud platform according to the present invention.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the components related to the present invention are only shown in the drawings rather than drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
In order to make the technical solution of the present invention more clearly understood, some technical terms used in the present invention will be described.
(1) Trusted Authority (TA): and trusted by each entity of the system and responsible for generating the public parameters of the system.
(2) Cloud Storage Server (CS): the system has strong data storage and computing power, provides data storage service for users, and is not completely trusted by the users.
(3) Data Sharer (DS): the method comprises the steps of calculating a pair of public and private keys of a user according to system public parameters, sharing data of the user to a group of data users, processing the data by using the private key of the user and the public keys of the group of data users when executing a data processing algorithm, and finally uploading the processed shared data and corresponding data labels to a cloud storage server.
(4) Data users (DataUser, DU): and calculating a pair of public and private keys of the system according to the public parameters of the system, reading the content of the shared data and the corresponding data label from the cloud storage server, and verifying the integrity of the shared data through interaction with the cloud storage server.
The present invention uses the mathematical knowledge associated with bilinear mapping, and is described in detail herein as the associated definition.
Defining a function mapping
Will circulate group G1Mapping of elements in (1) to cyclic group G2In which G is1And G2Both are two cyclic groups of prime order p. Bilinear mapping
The following characteristics are required:
(1) bilinear property: for any α, β ∈ G1Any u, v ∈ ZpAll are provided with
Is formed wherein Zp={0,1,2,..,p-1};
(2) Non-degenerate characteristics: group G1In the presence of at least one element g, such that
Is a group G2A generator of (2);
(3) high efficiency: there are efficient algorithms that make β ∈ G for any α1Can effectively calculate
The value of (c).
The hash function used in the present invention has two basic characteristics: unidirectionality and impact resistance; unidirectionality means that it is efficient to derive an output from the input of the hash function, but it is infeasible to calculate its input from the output of the hash function; crashworthiness means that two different inputs cannot be found to have the same hash function value.
As shown in fig. 1 and fig. 2, the present invention provides a multi-user big data storage sharing method based on a cloud platform, including the following steps:
step 1, the trusted authority TA selects a safety parameter, a collision-resistant hash function and a digital signature scheme to generate a system public parameter.
Specifically, the step 1 specifically includes the following substeps:
step 11: the trusted authority TA inputs system security parameters l and runs an initialization algorithm xi (1)l) Outputting two cyclic groups G with prime p1And G2And a bilinear map operation
Wherein the initialization algorithm xi (1)l) The operation method comprises the following steps: the trusted authority TA inputs a system security parameter l, and the system selects a corresponding elliptic curve according to the size of l: y is2=X3+ sX + t (s and t are coefficients), with points on the elliptic curve forming two circulant groups G of prime order p1And G2Selecting a mapping function e to group the cycles G1Mapping of elements in (1) to cyclic group G2Performing the following steps; generally, the larger the value of the safety parameter/, the more points on the selected elliptic curve and the larger the cyclic group.
Step 12: the trusted authority TA runs a random number generation algorithm to randomly select a group G1One generator g of (1);
the random number generation algorithm comprises the following steps: according to the elliptic curve Y selected in step 112=X3+ sX + t, randomly selecting a value a of the independent variable X, and calculating a value b corresponding to the dependent variable Y; if point(a, b) in the group to be mapped, a random element is successfully generated; if point (a, b) is not in the cluster, the value of X continues to be reselected until a point is found that appears in the cluster.
Step 13: trusted authority TA selects two anti-collision hash functions H1(. and H)2(. H), collision resistant hash function H1(. and H)2(. The) satisfies all the characteristics of the collision-resistant hash function. Wherein the anti-collision hash function H1(. and H)2(. The) can call run from the Pair-Based cryptography library function. Collision resistant hash function H1The input of (-) is a character string of arbitrary length and the output is a field ZpOne element of (1); collision resistant hash function H2The input of (is) a character string of any length and the output is a cyclic group G1One element of (1).
Step 14: trusted authority TA selects a secure subscription scheme
Where Kgen, Sign and Vrfy denote signature schemes, respectively
A key generation algorithm, a signature algorithm and a verification algorithm.
Finally, the system disclosure parameter is expressed as
Step 2, each user generates a respective public key and private key according to the public parameters, and the users comprise data sharers P0And data user P1,P2,…,Pn。
Specifically, the step 2 specifically includes the following sub-steps:
step 21: each user Pi(i is more than or equal to 0 and less than or equal to n) randomly selecting ZpOne non-0 element in a Domain
Computing
viRepresenting the calculation result on the right side of the equal sign;
represents group G1A power-up operation;
wherein the content of the first and second substances,
represents ZpA subset of non-zero elements {1, 2., p-1} of the domain is randomly selected
The function of the middle element can be called and run from the Pairing-Based cryptography library function.
Step 22: each user PiExecute
tpki,tskiRespectively represent
Outputting a public key and a private key;
is a digital signature scheme
The key generation algorithm of (1).
Finally, user PiGet the public key pki=(vi,tpki) And the private key ski=(zi,tski)。
Step 3. data sharer P0According to its own private key sk0And data user Pi(1 ≦ i ≦ n) public key pkiAnd executing a data processing process, generating processed data and data labels and uploading the processed data and data labels to the cloud storage server.
Specifically, the step 3 specifically includes the following sub-steps:
step 31: data sharer P0Randomly selecting field ZpTwo non-0 elements of (1)
And constructs the following polynomial:
wherein, | | represents string concatenation;
all represent group G1A power-up operation;
the expression is that the power operation results of the left side and the right side of | | are taken as character strings to be connected;
step 32: data sharer P0The polynomial psi (x) is arranged to obtain:
ψ(x)=cnxn+cn-1xn-1+…+c1x+c0modp
step 33: data sharer P0Computing
c0,c1,cnCoefficients representing a polynomial ψ (x); eta0,η1,ηnRepresents group G1A power-up operation;
step 34: data sharer P0Randomly selecting a unique identifier LidDividing the data M into lambda data blocks MiI.e. M ═ M1||m2||…||mλ;
Step 35: data sharer P0Randomly selecting a cyclic group G1One element μ of (1);
step 36: data sharer P0Construct aThe following character string
τ←Lid||pk0||pk1||…||pkn||λ||μ||gθ||η0||η1||…||ηn
Computing
Obtaining a data tag τ0← τ | δ, δ representing the result of performing the operation to the right of the arrow;
representing execution of a digital signature scheme
The signature generation algorithm Sign () in (1), the input of which is tsk0And τ;
step 37: data sharer P0For each data block mj(1. ltoreq. j. ltoreq. lambda.) is calculated as follows to generate a metadata gammaj:
j represents the number of data blocks;
represents group G1A power-up operation;
finally, the data sharer P0Obtaining processed data
It is combined with the data label tau0And uploading the data to the cloud storage server together.
Step 4. each data user PiAnd (i is more than or equal to 1 and less than or equal to n), verifying the data label, if the data label is correct, generating a challenge, and sending the challenge to the cloud storage server.
Specifically, the step 4 specifically includes the following sub-steps:
step 41: data user PiReading processed data from a cloud storage server
And a data tag τ0Decomposing the data tag τ0τ and δ were obtained and verified
Whether the result is true or not; if not, terminating the execution of the subsequent steps;
step 42: data user PiFrom [1, lambda ]]Randomly selecting a subset delta, and randomly selecting a field Z for each element j epsilon deltapIs not a 0 element
Finally, the data consumer gets the challenge Θ { (j, α)j) J is equal to delta, and the information is sent to the cloud storage server.
And 5, computing a response to the received challenge by the cloud storage server, and sending the response to the corresponding data user.
Specifically, the step 5 specifically includes the following substeps:
step 51: the cloud storage server receives the challenge theta and stores the processed data
And corresponding data tag τ0Computing aggregated metadata
Step 52: the cloud storage server aggregates the challenged data blocks and calculates the challenged data blocks to obtain
Finally, the cloud storage server gets a response to the challenge Θ
Returns the response to the data consumer Pi。
Step 6, data user PiAnd verifying the received response to judge whether the shared data stored in the cloud is completely stored.
Specifically, the step 6 specifically includes the following sub-steps:
step 61: data user PiComputing
Step 62: data user PiComputing
hnRepresents ZpThe operation of the power of (a) above,
represents group G1A power-up operation;
and step 63: data user PiVerification equation
Whether the result is true or not; if yes, outputting 1 to indicate that the data is completely stored, and the user obtains complete shared data; otherwise, a 0 is output indicating that the data has been corrupted, wherein
Represents group G1And (4) performing the power-up operation.
In summary, the invention provides a multi-user big data storage sharing method based on a cloud platform. Firstly, a data sharer processes data and stores the data in a cloud storage server, so that the local storage burden and the communication burden during data sharing can be reduced; secondly, the processed data are stored on a cloud storage server, so that the strong computing and communication capabilities of the cloud storage server can be fully utilized, and more personalized data access and sharing access are provided for data users; and thirdly, the data sharer can designate a group of data users, so that the data users can interactively verify the integrity of the data through the cloud storage server while accessing the cloud storage data, and the large data sharing supporting the integrity verification is realized.
In another embodiment, as shown in fig. 3, the present invention further provides a multi-user big data storage sharing apparatus based on a cloud platform, the apparatus includes: the system comprises an initialization module, a user key generation module, a data processing module, an integrity challenge generation module, an integrity response module and an integrity verification module.
The initialization module is suitable for the trusted authority TA to select safety parameters, the anti-collision hash function and the digital signature scheme to generate system public parameters. In particular, the amount of the solvent to be used,
the trusted authority TA inputs system security parameters l and runs an initialization algorithm xi (1)l) Outputting two cyclic groups G with prime p1And G2And a bilinear map operation
Wherein the initialization algorithm xi (1)l) The operation method comprises the following steps: the trusted authority TA inputs a system security parameter l, and the system selects a corresponding elliptic curve according to the size of l: y is2=X3+ sX + t (s and t are coefficients), with points on the elliptic curve forming two circulant groups G of prime order p1And G2Selecting a mapping function e to group the cycles G1Mapping of elements in (1) to cyclic group G2Performing the following steps; generally, the larger the value of the safety parameter/, the more points on the selected elliptic curve and the larger the cyclic group.
The trusted authority TA runs a random number generation algorithm to randomly select a group G1One generator g of (1);
the random number generation algorithm comprises the following steps: according to the elliptic curve Y selected in step 112=X3+ sX + t, random selectionCalculating a value a of the independent variable X and a value b corresponding to the dependent variable Y; if the point (a, b) is in the group to be mapped, then the random element is successfully generated; if point (a, b) is not in the cluster, the value of X continues to be reselected until a point is found that appears in the cluster.
Trusted authority TA selects two anti-collision hash functions H1(. and H)2(. H), collision resistant hash function H1(. and H)2(. The) satisfies all the characteristics of the collision-resistant hash function. Wherein the anti-collision hash function H1(. and H)2(. The) can call run from the Pair-Based cryptography library function. Collision resistant hash function H1The input of (-) is a character string of arbitrary length and the output is a field ZpOne element of (1); collision resistant hash function H2The input of (is) a character string of any length and the output is a cyclic group G1One element of (1).
Trusted authority TA selects a secure subscription scheme
Where Kgen, Sign and Vrfy denote signature schemes, respectively
A key generation algorithm, a signature algorithm and a verification algorithm.
Finally, the system disclosure parameter is expressed as
Each user generates a respective public key and a private key according to the system public parameters by the user key generation module, and the users comprise data sharers P0And data user P1,P2,…,Pn。
In particular, each user Pi(i is more than or equal to 0 and less than or equal to n) randomly selecting ZpOne non-0 element in a Domain
Computing
Wherein the content of the first and second substances,
represents ZpA subset of non-zero elements {1, 2., p-1} of the domain is randomly selected
The function of the middle element can be called from the Pairing-based cryptography library function to run.
Each user PiExecute
Finally, user PiGet the public key pki=(vi,tpki) And the private key ski=(zi,tski)。
And the data processing module is used for performing data processing by the data sharer according to the private key of the data sharer and the public keys of a group of data users, generating processed shared data and data labels and uploading the shared data and the data labels to the cloud storage server. In particular, the amount of the solvent to be used,
data sharer P0Randomly selecting field ZpTwo non-0 elements of (1)
And constructs the following polynomial:
wherein, | | represents string concatenation;
data sharer P0The polynomial psi (x) is arranged to obtain:
ψ(x)=cnxn+cn-1xn-1+…+c1x+c0mod p
data sharer P0Computing
Data sharer P0Randomly selecting a unique identifier LidDividing the data M into lambda data blocks MjI.e. M ═ M1||m2||…||mλ;
Data sharer P0Randomly selecting a cyclic group G1One element μ of (1);
data sharer P0Construct a string of characters
τ←Lid||pk0||pk1||…||pkn||λ||μ||gθ||η0||η1||…||ηn
Computing
Obtaining a data tag τ0←τ||δ;
Data sharer P0For each data block mj(1. ltoreq. j. ltoreq. lambda.) is calculated as follows to generate a metadata gammaj:
Finally, the data sharer P0Obtaining processed data
It is combined with the data label tau0And uploading the data to the cloud storage server together.
And the integrity challenge generation module verifies the data label corresponding to the shared data by the data user, generates a challenge if the data label is legal, and sends the challenge to the cloud storage server. In particular, the amount of the solvent to be used,
data user PiReading processed data from a cloud storage server
And a data tag τ0Decomposing the data tag τ0τ and δ were obtained and verified
Whether the result is true or not; if not, terminating the execution of the subsequent steps;
data user PiFrom [1, lambda ]]Randomly selecting a subset delta, and randomly selecting a field Z for each element j epsilon deltapIs not a 0 element
Finally, the data consumer gets the challenge Θ { (j, α)j) J is equal to delta, and the information is sent to the cloud storage server.
And the integrity response module calculates a response to the received challenge by the cloud storage server and replies the response to the data user. In particular, the amount of the solvent to be used,
the cloud storage server receives the challenge theta and stores the processed data
And corresponding data tag τ0Computing aggregated metadata
The cloud storage server aggregates the challenged data blocks and calculates the challenged data blocks to obtain
Finally, the cloud storage server gets a response to the challenge Θ
Returns the response to the data consumer Pi。
And the integrity verification module verifies the received response by the data user so as to judge the integrity of the shared data. In particular, the amount of the solvent to be used,
data user PiComputing
Data user PiComputing
Data user PiVerification equation
Whether the result is true or not; if yes, outputting 1 to represent the data stored in the cloud storage server
The storage is complete, and the user obtains complete shared data; otherwise, a 0 is output indicating that the data has been corrupted.
The multi-user big data storage and sharing device based on the cloud platform realizes big data sharing among multiple users, reduces the burden of the users on storing big data, reduces the communication burden of data sharers, and solves the worry of data users about the source and the integrity of shared data.
In conclusion, the method is used for processing, outsourcing, verifying integrity and sharing the user data in the multi-user environment, the burden of storing the big data by the user can be relieved, the data sharer is prevented from becoming the bottleneck of sharing the big data, and the worry of the data user about the source and the integrity of the shared data is solved. The data sharer can explicitly designate the intended data users so that only those designated users can verify the integrity of the shared data. The method has the advantages and effects that:
1) compared with a method that a data sharer directly sends data to a group of data users, the method greatly reduces the communication burden of the data sharer, and the data users can access the data in the cloud without being limited by time and place.
2) The method allows the data sharer to designate a group of data users, and although unspecified users can access and use the data stored in the cloud, the integrity of the unspecified users cannot be ensured, and the designated group of data users can interact with the cloud storage server to further verify the integrity of the data. When any designated data user performs integrity verification, the designated data user can independently interact with the cloud storage server without the assistance of data sharers and other designated data users.
3) When a data sharer uses the method to designate a group of data users, the public keys of the data users are only required to be embedded in the data processing stage, and separate authorization processes are not required to be executed additionally, special authorization is calculated for the data users, and the data users are sent to each designated data user.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical spirit of the present invention be covered by the claims of the present invention.
Claims (7)
1. A multi-user big data storage sharing method based on a cloud platform is characterized by comprising the following steps:
a trusted authority TA selects a safety parameter, a collision-resistant hash function and a digital signature scheme to generate a system public parameter;
each user generates a respective public key and a private key according to the system public parameters, and the users comprise data sharers and data users;
the data sharer executes data processing according to a private key of the data sharer and public keys of a group of data users, generates processed shared data and data labels corresponding to the shared data and uploads the shared data and the data labels to the cloud storage server;
the data user verifies the data label corresponding to the shared data, if the data label is legal, a challenge is generated, and the challenge is sent to the cloud storage server;
the cloud storage server calculates the received challenge to obtain a response, and replies the response to the data user;
the data user verifies the received response to judge the integrity of the shared data;
the method for generating the system public parameters by the trusted authority TA comprises the following steps of:
the trusted authority TA inputs system security parameters l and runs an initialization algorithm xi (1)l) Outputting two cyclic groups G with prime p1And G2And a bilinear map operation
Wherein the initialization algorithm xi (1)l) The operation method comprises the following steps: the trusted authority TA inputs a system security parameter l, and the system selects a corresponding elliptic curve according to the size of l: y is2=X3+ sX + t, where s and t are coefficients, with points on the elliptic curve forming two circulant groups G of prime order p1And G2Selecting a mapping function e to group the cycles G1Mapping of elements in (1) to cyclic group G2Performing the following steps;
the trusted authority TA runs a random number generation algorithm to randomly select a group G1One generator g of (1);
the random number generation algorithm comprises the following steps: according to the selected elliptic curve Y2=X3+ sX + t, randomly selecting a value a of the independent variable X, and calculating a value b corresponding to the dependent variable Y; if the point (a, b) is in the group to be mapped, then the random element is successfully generated; if the point (a, b) is not in the cluster, the value of X is continuously reselected untilTo find a point that appears in the cluster;
trusted authority TA selects two anti-collision hash functions H1(. and H)2(. H), collision resistant hash function H1(. and H)2Satisfies all the characteristics of the collision-resistant hash function, wherein the collision-resistant hash function H1(. and H)2() can invoke a run from the Pair-Based cryptography library function; collision resistant hash function H1The input of (-) is a character string of arbitrary length and the output is a field ZpOne element of (1); collision resistant hash function H2The input of (is) a character string of any length and the output is a cyclic group G1One element of (1);
trusted authority TA selects a secure subscription scheme
Where Kgen, Sign and Vrfy denote signature schemes, respectively
The key generation algorithm, the signature algorithm and the verification algorithm;
finally, the system disclosure parameter is expressed as
2. The cloud platform-based multi-user big data storage sharing method according to claim 1, wherein each user generates a respective public key and a private key according to the system public parameters, and specifically comprises:
each user PiRandom selection of ZpOne non-0 element in a Domain
Computing
Representation field ZpIs given as a non-zero subset of elements {1,2, ·, p-1}, viRepresenting the calculation result on the right side of the equal sign;
represents group G1A power-up operation;
each user PiExecute
l is a safety parameter, 1lIndicates the input mode, tpk, of the safety parameter li,tskiRespectively represent
Outputting a public key and a private key;
is a digital signature scheme
The key generation algorithm in (1);
user PiGet the public key pki=(vi,tpki) And the private key ski=(zi,tski)。
3. The method according to claim 2, wherein the data sharer performs data processing according to a private key of the data sharer and a public key of a group of data users to generate processed shared data and a data tag corresponding to the shared data, and specifically includes:
data sharer P0Random selection of ZpTwo non-0 elements in a domain
And constructs the following polynomial:
wherein, | | represents string concatenation; the sum of g and theta is equal to or greater than g,
all represent group G1A power-up operation;
the expression is to connect the power operation results of the left side and the right side of | | as a character string, wherein p is a prime number, H1(. and H)2(. h) represents a collision resistant hash function;
data sharer P0The polynomial psi (x) is arranged to obtain:
ψ(x)=cnxn+cn-1xn-1+…+c1x+c0 mod p
data sharer P0Computing
c0,c1,cnCoefficients representing a polynomial ψ (x); eta0,η1,ηnRepresents group G1A power-up operation;
data sharer P0Randomly selecting a unique identifier LidDividing the data M into lambda data blocks MjI.e. M ═ M1||m2||…||mλ;
Data sharer P0Randomly selecting a cyclic group G1One element μ of (1);
data sharer P0Construct a string τ as follows:
τ←Lid||pk0||pk1||…||pkn||λ||μ||gθ||η0||η1||…||ηn,
computing
Obtaining a data tag τ0← τ | δ, δ representing the result of performing the operation to the right of the arrow;
representing execution of a digital signature scheme
The signature generation algorithm Sign () in (1), the input of which is tsk0And τ;
data sharer P0For each data block mjOne metadata γ is calculated and generated as followsj,1≤j≤λ:
j represents the number of data blocks;
represents group G1A power-up operation;
data sharer P0Obtaining processed data
4. The cloud platform-based multi-user big data storage sharing method according to claim 3, wherein the data user verifies a data tag corresponding to the shared data, and if the data tag is legal, a challenge is generated, which specifically includes:
data user PiReading processed data from a cloud storage server
And a data tag τ0Decomposing the data tag τ0τ and δ were obtained and verified
Whether the result is true or not; if not, terminating the execution of the subsequent steps;
data user PiFrom [1, lambda ]]Randomly selecting a subset delta, and randomly selecting Z for each element j in the subset deltapOne non-0 element in a Domain
The data consumer gets the challenge Θ { (j, α)j):j∈Δ}。
5. The cloud platform-based multi-user big data storage sharing method according to claim 4, wherein the cloud storage server calculates the received challenge to obtain a response, and specifically comprises:
the cloud storage server receives a challenge theta and processed data
And corresponding data tag τ0Computing aggregated metadata
The cloud storage server aggregates the challenged data blocks and calculates the challenged data blocks to obtain
Cloud storage server gets a response to challenge Θ
6. The cloud platform-based multi-user big data storage sharing method according to claim 5, wherein the data user verifies the received response to judge the integrity of the shared data, and specifically comprises:
data user PiComputing
Data user PiComputing
hnRepresents ZpThe operation of the power of (a) above,
represents group G1A power-up operation;
data user PiVerification equation
Whether the result is true or not; if yes, outputting 1 to indicate that the data is completely stored, and the user obtains complete shared data; otherwise, a 0 is output indicating that the data has been corrupted, wherein
Represents group G1The exponentiation of (A) wherein p is a prime number, H1(. and H)2(. cndot.) represents an anti-collision hash function.
7. A multi-user big data storage sharing system based on a cloud platform is characterized by comprising:
the initialization module is used for the trusted authority TA to select a safety parameter, a collision-resistant hash function and a digital signature scheme to generate a system public parameter;
the user key generation module is used for generating a public key and a private key of each user according to the system public parameters, and the users comprise data sharers and data users;
the data processing module is used for performing data processing by a data sharer according to a private key of the data sharer and public keys of a group of data users, generating processed shared data and data labels corresponding to the shared data, and uploading the data labels to the cloud storage server;
the integrity challenge generating module is used for verifying a data tag corresponding to the shared data by a data user, generating a challenge if the data tag is legal, and sending the challenge to the cloud storage server;
the integrity response module is used for calculating the received challenge by the cloud storage server to obtain a response and replying the response to the data user;
and the integrity verification module is used for verifying the received response by the data user so as to judge the integrity of the shared data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811384064.0A CN109274504B (en) | 2018-11-20 | 2018-11-20 | Multi-user big data storage sharing method and system based on cloud platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811384064.0A CN109274504B (en) | 2018-11-20 | 2018-11-20 | Multi-user big data storage sharing method and system based on cloud platform |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109274504A CN109274504A (en) | 2019-01-25 |
| CN109274504B true CN109274504B (en) | 2021-07-13 |
Family
ID=65190241
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811384064.0A Active CN109274504B (en) | 2018-11-20 | 2018-11-20 | Multi-user big data storage sharing method and system based on cloud platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109274504B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109905230B (en) * | 2019-02-13 | 2020-11-03 | 中国科学院信息工程研究所 | Data confidentiality verification method and system in cloud storage |
| CN111090842B (en) * | 2019-12-23 | 2022-04-26 | 上海源庐加佳信息科技有限公司 | Supply chain financial customer loan information protection method based on zero knowledge certification |
| CN114598715A (en) * | 2022-03-11 | 2022-06-07 | 数坤科技(宁波)有限公司 | Efficient cloud storage data auditing method, device and medium without bilinear pairing |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103002040A (en) * | 2012-12-14 | 2013-03-27 | 南京邮电大学 | Method for checking cloud computation user data |
| CN103605784A (en) * | 2013-11-29 | 2014-02-26 | 北京航空航天大学 | Data integrity verifying method under multi-cloud environment |
| CN104394155A (en) * | 2014-11-27 | 2015-03-04 | 暨南大学 | Multi-user cloud encryption keyboard searching method capable of verifying integrity and completeness |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018009612A1 (en) * | 2016-07-06 | 2018-01-11 | Patient Doctor Technologies, Inc. | Secure and zero knowledge data sharing for cloud applications |
-
2018
- 2018-11-20 CN CN201811384064.0A patent/CN109274504B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103002040A (en) * | 2012-12-14 | 2013-03-27 | 南京邮电大学 | Method for checking cloud computation user data |
| CN103605784A (en) * | 2013-11-29 | 2014-02-26 | 北京航空航天大学 | Data integrity verifying method under multi-cloud environment |
| CN104394155A (en) * | 2014-11-27 | 2015-03-04 | 暨南大学 | Multi-user cloud encryption keyboard searching method capable of verifying integrity and completeness |
Non-Patent Citations (1)
| Title |
|---|
| 指定审计员的云数据安全存储方案;赵萌,丁勇,王玉珏;《信息网络安全》;20181110(第11期);66-71 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109274504A (en) | 2019-01-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Schröder et al. | Verifiable data streaming | |
| CN107426165B (en) | Bidirectional secure cloud storage data integrity detection method supporting key updating | |
| CA2792267C (en) | Verifying implicit certificates and digital signatures | |
| CN109274504B (en) | Multi-user big data storage sharing method and system based on cloud platform | |
| US9219602B2 (en) | Method and system for securely computing a base point in direct anonymous attestation | |
| Fu et al. | DIPOR: An IDA-based dynamic proof of retrievability scheme for cloud storage systems | |
| US20180026798A1 (en) | Method for the generation of a digital signature of a message, corresponding generation unit, electronic apparatus and computer program product | |
| CN109691010B (en) | System and method for data transmission | |
| CN113098691B (en) | Digital signature method, signature information verification method, related device and electronic equipment | |
| CN112560091B (en) | Digital signature method, signature information verification method, related device and electronic equipment | |
| CN108092766B (en) | Ciphertext search authority verification method and system | |
| Hu et al. | Secure outsourced computation of the characteristic polynomial and eigenvalues of matrix | |
| US20150023498A1 (en) | Byzantine fault tolerance and threshold coin tossing | |
| CN114760052A (en) | Bank Internet of things platform key generation method and device, electronic equipment and medium | |
| CN109818944B (en) | Cloud data outsourcing and integrity verification method and device supporting preprocessing | |
| Sun et al. | Public data integrity auditing without homomorphic authenticators from indistinguishability obfuscation | |
| JP2010166549A (en) | Method and apparatus of generating finger print data | |
| CN113407976A (en) | Digital signature method, signature information verification method, related device and electronic equipment | |
| US8325913B2 (en) | System and method of authentication | |
| Khatri et al. | Improving dynamic data integrity verification in cloud computing | |
| US20210028926A1 (en) | Secure computation device, secure computation authentication system, secure computation method, and program | |
| CN109784094B (en) | Batch outsourcing data integrity auditing method and system supporting preprocessing | |
| CN115906149A (en) | KP-ABE based on directed acyclic graph and user data credible sharing method of block chain | |
| CN107046465B (en) | Intrusion-tolerant cloud storage data auditing method | |
| JP6844696B2 (en) | Authentication tag generator, authentication tag verification device, method and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20240305 Address after: Building 302B, West Lake Industrial Zone, No. 63 Cuishan Road, Lvjing Community, Dongxiao Street, Luohu District, Shenzhen City, Guangdong Province, 518000 Patentee after: Fine horse Si Kaiqi developments in science and technology Co.,Ltd. of Shenzhen Country or region after: China Address before: 541004 1 Jinji Road, Qixing District, Guilin, the Guangxi Zhuang Autonomous Region Patentee before: GUILIN University OF ELECTRONIC TECHNOLOGY Country or region before: China |
|
| TR01 | Transfer of patent right |