CN110933044B - Data possession proving method capable of realizing public auditing and readable storage medium - Google Patents


Info

Publication number: CN110933044B
Authority
CN
China
Prior art keywords
data block
party
data
public key
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911086248.3A
Other languages
Chinese (zh)
Other versions
CN110933044A (en)
Inventor
方俊涛
熊欣
万胜刚
吴亚辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huazhong University of Science and Technology
Priority to CN201911086248.3A
Publication of CN110933044A
Application granted
Publication of CN110933044B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution using key encryption key
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key: underlying computational problems or public-key parameters
    • H04L9/3033 Public key: details relating to pseudo-prime or prime number generation, e.g. primality test
    • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Verification of identity or authority involving a third party or a trusted authority
    • H04L9/3247 Verification of identity or authority involving digital signatures
    • H04L9/3271 Verification of identity or authority using challenge-response
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention discloses a data possession proving method capable of realizing public auditing and a readable storage medium, belonging to the field of information security. The method comprises the following steps: the user stores the private key set locally and sends the public key set to a third-party auditor; the user divides a file to be stored into blocks and slices, generates a characteristic value for each data block based on its slice information and the public key set, signs the characteristic value with the private key set to generate a label, and sends each data block together with the label set to the data storage party, while the index subscript set corresponding to each data block is sent to the third-party auditor; the third-party auditor sends the index subscript set and the public key set of the data blocks to be challenged to the data storage party to initiate a challenge; the data storage party aggregates the possession evidence of all challenged data blocks and sends the aggregated possession evidence to the third-party auditor in response to the challenge; and the third-party auditor, according to the index subscript set and the public key set of the challenged data blocks, verifies the characteristic value against the label and the characteristic value against the verification value in the possession evidence by means of bilinear mapping; if both verifications succeed the challenge succeeds, otherwise verification fails.

Description

Data possession proving method capable of realizing public auditing and readable storage medium
Technical Field
The invention belongs to the field of information security, and particularly relates to a data possession proving method capable of publicly auditing and a readable storage medium.
Background
At present, distributed systems provide a storage function for users, that is, a user may store a local file at another node in the system. Since the user cannot directly control the file data and the storage node is not trusted, the stored data is likely to be maliciously tampered with or lost for various reasons, so it is necessary to provide a periodic and public Provable Data Possession (PDP) service for the user. A data possession proof achieves the purpose of verifying data integrity without revealing the file data itself.
In the existing PDP schemes based on Elliptic Curve Cryptography (ECC), both the ECDSA signature algorithm proposed by Scott and Vanstone in 1992 and the Schnorr signature algorithm proposed by Schnorr in 1992 suffer from a complicated signing process, large space overhead and the inability to aggregate verification, whereas the BLS signature algorithm (Boneh-Lynn-Shacham signature scheme) of 2001 can aggregate a large number of tags for verification at one time, based on the homomorphic property of the generated tags, and the tags and verification parameters are relatively short, so that a large amount of space is saved.
However, conventional PDP schemes based on BLS signatures have several disadvantages: either the tag overhead is large, or the data storage party can respond to a challenge without storing the complete data, or the proof of possession is large.
Disclosure of Invention
Aiming at the defects and improvement requirements of the prior art, the invention provides a data possession proving method and a readable storage medium capable of realizing public auditing, which aim to achieve public auditing without revealing the original information of a data block, while also offering high security and high efficiency.
To achieve the above object, according to a first aspect of the present invention, there is provided a data possession proving method publicly auditable in a distributed storage system, the method including the steps of:
S1, the user, the third-party auditor and the data storage party in the distributed storage system are initialized respectively;
S2, the user stores locally a private key set formed by the signature private key and the encryption private key, and sends a public key set formed by the signature public key, the signature base, the encryption public key and the verification public key to the third-party auditor;
S3, the user performs blocking and slicing of the file to be stored, generates a characteristic value for each data block based on the slice information of the data block and the encryption public key, signs the characteristic value with the signature private key to generate the corresponding label, sends each data block and the corresponding label set to the data storage party, and sends the corresponding index subscript set of each data block to the third-party auditor. The blocking process is as follows: all the file data F to be stored is divided into data blocks of size $n \times \mathrm{len}(Z_r)$, i.e. $F = (m_0, m_1, \dots, m_{s-1})$; the index of data block $m_i$ is $(Q, i)$, $i = 0, 1, \dots, s-1$, where Q represents the unique identifier of the file to which the data block belongs and s represents the number of data blocks. The slicing process is as follows: each data block $m_i$ is equally divided into data slices of size $\mathrm{len}(Z_r)$, and each data slice is mapped into $Z_r$ and denoted $m_{ij}$, i.e. $m_{ij} \in Z_r$, $j = 0, 1, \dots, n-1$, where n indicates the number of data slices.
The method for generating the characteristic value of a data block from its slice information and the encryption public key comprises the following steps: (1) the index of data block $m_i$ is mapped into group $G_1$ to obtain the index hash value $HQ_i = h(Q, i)$; (2) the characteristic value $\mu_i$ of data block $m_i$ is calculated from each slice $m_{ij}$ and the encryption public key; (3) the index hash value $HQ_i$ and the characteristic value $\mu_i$ are signed with the signature private key sk to generate the label $\delta_i = (HQ_i \cdot \mu_i)^{sk}$ corresponding to $m_i$.
The characteristic value $\mu_i$ of data block $m_i$ is calculated by either of the following methods: computation with the encryption public key U
Figure GDA0002792492140000031
or computation with the encryption private key x and the encryption public key U
Figure GDA0002792492140000032
Figure GDA0002792492140000033
S4, the third-party auditor sends the index subscript set of the data blocks to be challenged and the public key set of the user for whom the challenge is initiated to the data storage party to initiate the challenge;
S5, the data storage party forms the possession evidence of each challenged data block from its label, characteristic value and verification value, then aggregates the possession evidence of all challenged data blocks into the possession evidence of the challenge, and sends it to the third-party auditor in response to the challenge;
S6, the third-party auditor, according to the index subscript set and the public key set of the challenged data blocks, verifies the characteristic value against the label in the possession evidence using the bilinear map, and verifies the characteristic value against the verification value in the possession evidence using the bilinear map; the challenge succeeds if and only if both verification steps pass, and fails otherwise.
Preferably, step S1 is specifically as follows:
the user side, the data storage side and the third party audit all generate a finite field ZrAnd a cyclic group G having the same prime order1、G2GT, selecting the same security parameter N and challenge parameter N, wherein N and N are positive integers, and N<N;
The user party and the third party audit define the same one-way hash function h: (.)*→G1
The data storage party and the third party audit define the same pseudo-random function prn (·).
Preferably, step S2 includes the steps of:
S21, the user randomly selects the signature private key $sk \in Z_r$ in the finite field $Z_r$, randomly selects one element of group $G_2$ as the signature base $g \in G_2$, and computes the signature public key $pk = g^{sk}$ from the signature private key;
S22, the user randomly selects the encryption private key $x \in Z_r$ in the finite field $Z_r$, randomly selects one element $u \in G_1$ of group $G_1$, and computes the encryption public key $U = \{U_k\}$ from it in combination with the encryption private key, where
Figure GDA0002792492140000041
and randomly selects one element $w \in G_2$ of group $G_2$ and computes the verification public key $W = \{W_k\}$ from it in combination with the encryption private key, where
Figure GDA0002792492140000042
S23, the user stores the signature private key and the encryption private key locally as the private key set $SK = \{sk, x\}$, and sends the public key set $PK = \{pk, g, U, W\}$ formed by the signature public key, the signature base, the encryption public key and the verification public key to the third-party auditor.
Preferably, step S4 includes the steps of:
S41, according to the security parameter N and the challenge parameter n, the third-party auditor generates an offset r through the pseudo-random function, i.e. $\mathrm{prn}(N - n) \to r$, and randomly selects index subscripts of data blocks to be challenged to form a set I, $I = \{i_c\}$, where t is the number of $i_c$ in the set I;
S42, the third-party auditor sends the offset, the index subscript set of the data blocks to be challenged and the public key set of the user for whom the challenge is initiated to the data storage party to initiate the challenge.
Preferably, step S5 includes the steps of:
S51, according to the received index set I of data blocks to be challenged, for each data block to be challenged
Figure GDA0002792492140000051
obtain the label of the data block from local storage
Figure GDA0002792492140000052
S52, for each data block to be challenged
Figure GDA0002792492140000053
obtain the data block from local storage, then generate the characteristic value of the data block in combination with the encryption public key
Figure GDA0002792492140000054
Figure GDA0002792492140000055
where t is the number of $i_c$ in the set I;
S53, for each data block to be challenged
Figure GDA0002792492140000056
obtain the data block from local storage, then generate the verification value of the data block in combination with the verification public key W and the offset r
Figure GDA0002792492140000057
S54, take the label, the characteristic value and the verification value of each data block as the possession evidence of that data block
Figure GDA0002792492140000058
S55, aggregate the possession evidence of each data block to be challenged; the specific calculation formulas are
Figure GDA0002792492140000059
Figure GDA00027924921400000510
giving the possession evidence $(\mu, v, \delta)$ for this challenge;
S56, the data storage party sends the possession evidence to the third-party auditor to respond to the challenge.
Preferably, step S6 includes the steps of:
S61, for each data block to be challenged
Figure GDA00027924921400000511
map the index $(Q, i_c)$ into $G_1$ to obtain
Figure GDA00027924921400000512
Figure GDA00027924921400000513
S62, the third-party auditor verifies the characteristic value against the label in the possession evidence according to the user's public key information and the index subscript set of the data blocks to be challenged; the equation to be verified is
Figure GDA00027924921400000514
Figure GDA00027924921400000515
If the equation holds, verification passes and step S63 is performed; otherwise failure is returned. Here $e(\cdot)$ denotes the bilinear map;
S63, the third-party auditor verifies the characteristic value against the verification value in the possession evidence according to the user's public key information; the equation to be verified is $e(\mu, W_r) = e(U_0, v)$. If the equation holds, verification passes and success is returned; otherwise failure is returned.
To achieve the above object, according to a second aspect of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the publicly auditable data possession proving method in a distributed storage system described in the first aspect.
Generally, by the above technical solution conceived by the present invention, the following beneficial effects can be obtained:
(1) The invention can aggregate a large number of data blocks at one time for data possession verification, greatly improving proving efficiency, while the data volume that must be transmitted for verification remains small even when data blocks are aggregated. In addition, the challenge and verification process only transmits evidence generated from the data and never exposes the data content, so the security of data storage is effectively ensured and the rights and interests of data owners are protected.
(2) The invention divides the file data into data blocks of size $n \times \mathrm{len}(Z_r)$, then slices each data block into data slices of size $\mathrm{len}(Z_r)$ and maps them into $Z_r$. Thus the size of a data slice and the size of its mapped result in $Z_r$ are the same, which prevents a dishonest data storage party from storing the mapping result in advance instead of the data.
(3) The invention generates an offset r through a pseudo-random function according to the security parameter N and the challenge parameter n, where the offset r is an unpredictable random value for the data storage party and $r \in (0, N - n]$; if the data storage party wants to pre-store verification values, $N - n$ values of the form
Figure GDA0002792492140000061
need to be stored for each data block that may be challenged. The data volume required for pre-storage far exceeds the size of the data block, so pre-storing is not cost-effective, and a data storage party that intended to pre-store is thereby forced to remain honest to a certain extent.
(4) The method adopts two-step verification. Because verifying only the characteristic value against the label in the possession evidence leaves open the possibility that the possession evidence was stored in advance while the stored data has been lost, the characteristic value is further verified against the verification value in the possession evidence. The verification value is calculated from the data itself, so proving that it was not pre-stored confirms that the data has indeed not been tampered with or lost.
Drawings
Fig. 1 is a flowchart of a data possession proving method for public auditing in a distributed storage system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of file blocking and slicing according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
First, the terms of art to which the present invention relates are explained as follows:
bilinear mapping: zrIs a finite field, G1、G2And GT are all same-order circulation groupsBilinear mapping e: g1×G2→ GT, satisfies the condition that for any G ∈ G1,h∈G2,a,b∈ZrHaving a value of e (g)a,hb)=e(g,h)ab
The invention discloses a data possession proving method based on bilinear mapping. The invention relates to three roles-user, data storage and third party auditing: the user generates a verification tag for each data block and then sends the data block and the corresponding tag to a data storage party. Second, third party audits initiate challenges to data storage parties. And thirdly, the data storage party generates a holding evidence by using the stored data block information and the corresponding label information, and sends the evidence to a third party for auditing. And fourthly, the third party audits and judges whether the data is complete or not by using the public information and the holdup evidence of the user.
As shown in fig. 1, the present invention provides a method for proving data possession that can be audited publicly in a distributed storage system, the method comprising the following steps:
S1, all nodes in the system generate system parameters based on the same elliptic curve. The user generates a private key set and a public key set, then stores the private key set locally and sends the public key set to the third-party auditor.
Step S1 specifically includes the following steps:
S11, the user side, the data storage side and the third-party auditor generate a finite field $Z_r$ and cyclic groups $G_1$, $G_2$ and $G_T$ of the same prime order; the user side and the third-party auditor define the same one-way hash function, and the data storage side and the third-party auditor define the same pseudo-random function. A security parameter N and a challenge parameter n are selected, with $n < N$ and N, n positive integers.
The invention is suitable for asymmetric elliptic curves, and the elliptic curve BLS12_381 is selected in this embodiment. The user side, data storage side and third-party auditor in the distributed storage system all generate system parameters based on the same elliptic curve, and from these system parameters further generate the cyclic groups $G_1$, $G_2$, $G_T$ of the same prime order and the finite field $Z_r$, and define the one-way hash function $h: (\cdot)^* \to G_1$ and the pseudo-random function $\mathrm{prn}(\cdot)$. A security parameter N and a challenge parameter n are chosen appropriately so that $n < N$, with N and n positive integers.
S12, the user randomly selects the signature private key in the finite field $Z_r$, randomly selects an element of group $G_2$ as the signature base, and computes the signature public key from the signature private key.
The user randomly selects the signature private key $sk \in Z_r$ in the finite field $Z_r$. In group $G_2$, one element is randomly selected as the signature base $g \in G_2$, and the signature public key $pk = g^{sk}$ is computed from the signature private key.
S13, the user randomly selects the encryption private key in the finite field $Z_r$, randomly selects an element of group $G_1$ and computes the encryption public key from it with the encryption private key; and randomly selects an element of group $G_2$ and computes the verification public key from it with the encryption private key.
The user randomly selects the encryption private key $x \in Z_r$ in the finite field $Z_r$, randomly selects one element $u \in G_1$ of group $G_1$, and computes the encryption public key $U = \{U_k\}$ in combination with the encryption private key, where
Figure GDA0002792492140000091
and randomly selects one element $w \in G_2$ of group $G_2$ and computes the verification public key $W = \{W_k\}$ in combination with the encryption private key, where
Figure GDA0002792492140000092
For both $U_k$ and $W_k$, $k = 0, 1, \dots, N - 1$. The encryption public key and the verification public key are each obtained by N such computations, which prevents the data storage party from pre-storing the information needed to generate possession evidence.
S14, the user stores the signature private key and the encryption private key locally as the private key set, and sends the signature public key, the signature base, the encryption public key and the verification public key as the public key set to the third-party auditor.
The user stores the signature private key and the encryption private key locally as the private key set $SK = \{sk, x\}$, and sends the signature public key, the signature base, the encryption public key and the verification public key as the public key set $PK = \{pk, g, U, W\}$ to the third-party auditor.
S2, the user generates the characteristic value of each data block from the data block information and the public key set, signs the characteristic value with the private key set to obtain the label, sends all data blocks to be stored together with the set of their corresponding labels to the data storage party, and sends the set of corresponding index subscripts of each data block to the third-party auditor.
Step S2 specifically includes the following steps:
S21, the user divides the file data to be stored into data blocks of equal size, each data block having a different index.
As shown in FIG. 2, assume that the length of an element of $Z_r$ is $\mathrm{len}(Z_r)$. The user divides the file data F to be stored into data blocks of size $n \times \mathrm{len}(Z_r)$, i.e. $F = (m_0, m_1, \dots, m_{s-1})$, and defines the index of data block $m_i$ as $(Q, i)$, $i = 0, 1, \dots, s-1$, where Q denotes the unique identifier of the home file F of the data block.
S22, generate a corresponding label for each data block.
For each data block $m_i$, the corresponding label $\delta_i$ is generated according to the following steps:
S221, map the index of the data block into group $G_1$ to obtain the index hash value.
Map the index of the data block into group $G_1$ to get the index hash value $HQ_i = h(Q, i)$.
S222, for each data block, divide it into data slices of equal size, map the data slices into $Z_r$, and generate the characteristic value of the data block in combination with the encryption public key.
In the prior art, the user maps a data block directly into $Z_r$, and the computed result is far smaller than the data block, so the data storage party can pre-store the mapping result. The present invention therefore divides the file data into data blocks of size $n \times \mathrm{len}(Z_r)$, then slices each data block into data slices of size $\mathrm{len}(Z_r)$ before mapping them into $Z_r$. Thus the size of a data slice and the size of its mapped result in $Z_r$ are the same, which prevents a dishonest data storage party from storing the mapping result in advance instead of the data.
As shown in FIG. 2, each data block $m_i$ is further divided equally into data slices of size $\mathrm{len}(Z_r)$, which are mapped into $Z_r$ and denoted $m_{ij}$, i.e. $m_{ij} \in Z_r$, $j = 0, 1, \dots, n-1$, where j is the index of the data slice and n is the number of slices in the data block; the characteristic value $\mu_i$ of data block $m_i$ is then computed by either of the following 2 methods:
computation with the encryption public key U
Figure GDA0002792492140000111
or computation with the encryption private key x and the encryption public key U
Figure GDA0002792492140000112
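The blocking and slicing of step S21/S222, as an added Python example that is not part of the patent or its embodiment: it splits a file into blocks of $n \times \mathrm{len}(Z_r)$ bytes, slices each block into $\mathrm{len}(Z_r)$-byte pieces read as integers in $Z_r$, shows that the slices round-trip to the original bytes (so caching the $Z_r$ images saves a dishonest storage node nothing), and contrasts this with the prior-art whole-block reduction that the text says is far smaller than the block. Everything not on the page is an assumption: r is taken as the scalar field order of BLS12_381 (the curve named in the embodiment), $\mathrm{len}(Z_r)$ is taken as 31 bytes so that every slice is below r and the mapping is injective (the page does not say how the slice-to-$Z_r$ mapping avoids modular reduction), a short last block is zero-padded, and Q is constructed as the SHA-256 of the file content.

```python
"""Added example (not the patent's own code): file blocking and slicing into Z_r.

Assumptions (not stated on the page): R is the BLS12_381 scalar field order;
LEN_ZR = 31 bytes, chosen so that any 31-byte slice read as an integer is < R and
the slice -> Z_r mapping is injective; a short last block is zero-padded;
Q is derived from the file content.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Order of the BLS12-381 scalar field (a 255-bit prime).
R = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001
# Bytes per data slice (assumption): 248 bits always fit below the 255-bit R,
# so no modular reduction happens and no information is lost.
LEN_ZR = 31


@dataclass(frozen=True)
class Block:
    Q: str                    # unique identifier of the home file
    i: int                    # position of the block; its index is (Q, i)
    slices: Tuple[int, ...]   # m_ij in Z_r, j = 0 .. n-1

    @property
    def index(self) -> Tuple[str, int]:
        return (self.Q, self.i)


def file_identifier(data: bytes) -> str:
    """Constructed choice for Q: a content hash (the patent only needs Q to be unique)."""
    return hashlib.sha256(data).hexdigest()


def split_file(data: bytes, n: int) -> List[Block]:
    """Divide F into s blocks of n*len(Z_r) bytes, each sliced into n Z_r elements."""
    block_size = n * LEN_ZR
    padded = data + b"\x00" * (-len(data) % block_size)  # zero-pad last block (assumption)
    Q = file_identifier(data)
    blocks = []
    for i in range(len(padded) // block_size):
        raw = padded[i * block_size:(i + 1) * block_size]
        slices = tuple(int.from_bytes(raw[j * LEN_ZR:(j + 1) * LEN_ZR], "big")
                       for j in range(n))
        if not all(0 <= m < R for m in slices):
            raise ValueError("slice does not fit in Z_r")  # impossible with LEN_ZR = 31
        blocks.append(Block(Q, i, slices))
    return blocks


def reassemble(blocks: List[Block]) -> bytes:
    """Inverse mapping: since each m_ij < R was never reduced, the bytes come back exactly,
    so the Z_r image of a slice is exactly as large as the slice itself."""
    return b"".join(m.to_bytes(LEN_ZR, "big") for b in blocks for m in b.slices)


def prior_art_reduction_size(block_bytes: bytes) -> int:
    """Prior-art style: map the whole block to a single Z_r element by reduction mod R.
    Returns the byte length of the result, which never exceeds 32 whatever the block size,
    which is why a dishonest storage node could cache it instead of keeping the data."""
    reduced = int.from_bytes(block_bytes, "big") % R
    return (reduced.bit_length() + 7) // 8


if __name__ == "__main__":
    sample = bytes(range(200))           # constructed input file
    blocks = split_file(sample, n=4)     # block = 124 bytes, so s = 2 blocks
    print("s =", len(blocks), "first index:", blocks[0].index)
    print("prior-art image:", prior_art_reduction_size(reassemble(blocks[:1])),
          "bytes vs block of", 4 * LEN_ZR, "bytes")
```

A practitioner should also record the original file length alongside Q, since zero-padding is not self-delimiting; the patent does not say how the last block is handled, so this is left to the implementer.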
S223, sign the index hash value and the characteristic value of the data block with the signature private key, i.e. generate a label.
Sign the index hash value HQ_i and the characteristic value μ_i of the data block with the signature private key sk, i.e. generate the label δ_i = (HQ_i · μ_i)^sk corresponding to m_i.
S23, the user sends the blocked and sliced file data together with its label set to the data storage party, and sends the index subscript set of each data block to the third party auditor.
S3, the third party auditor generates an offset from the security parameter and the challenge parameter, randomly selects index subscripts of the data blocks to be challenged to form a set, and sends the offset, the index subscript set of the data blocks to be challenged and the public key set of the corresponding user to the data storage party to initiate a challenge.
S31, the third party auditor generates an offset through a pseudo-random function from the security parameter and the challenge parameter, and randomly selects index subscripts of the data blocks to be challenged to form a set.
The third party auditor generates an offset r through the pseudo-random function from the security parameter N and the challenge parameter n, i.e. prn(N-n) → r, and randomly selects index subscripts of data blocks to be challenged to form a set I = {i_c}, where the number of i_c in set I is t.
S32, the third party auditor sends the offset, the index subscript set of the data blocks to be challenged and the public key set of the user initiating the challenge to the data storage party to initiate the challenge.
The third party auditor sends the offset r, the index subscript set I of the data blocks to be challenged and the public key set PK of the user initiating the challenge to the data storage party to initiate the challenge.
S4, the data storage party locally acquires the data blocks to be challenged and their labels according to the received index subscript set, computes the characteristic value and the verification value of each data block in combination with the offset and the public key set (the characteristic value, the verification value and the label together form the possession evidence of a single data block), then aggregates them to obtain the possession evidence for the challenge and sends it to the third party auditor to respond to the challenge.
S41, for each data block to be challenged, acquire the data block and its label from local storage according to the received index subscript set of the data blocks to be challenged.
According to the received index set I of the data blocks to be challenged, for each data block to be challenged
Figure GDA0002792492140000121
Obtaining the label of the data block from the local storage
Figure GDA0002792492140000122
S42, for each data block to be challenged, acquire the data block from local storage and combine it with the encryption public key to generate the characteristic value of the data block.
For each data block to be challenged
Figure GDA0002792492140000123
Obtaining the data block from the local storage, and then combining the data block with the encryption public key U to generate the characteristic value of the data block
Figure GDA0002792492140000124
Figure GDA0002792492140000131
S43, for each data block to be challenged, acquire the data block from local storage and combine it with the verification public key and the offset to generate the verification value of the data block.
For each data block to be challenged
Figure GDA0002792492140000132
Obtaining the data block from the local storage, and combining the obtained data block with the verification public key W and the offset r to generate the verification value of the data block
Figure GDA0002792492140000133
Figure GDA0002792492140000134
The offset r is a random value that the data storage party cannot predict, with r ∈ (0, N-n]. If the data storage party wants to pre-store the verification value, it must store N-n values of the form
Figure GDA0002792492140000135
for every data block to be challenged. The amount of pre-stored data thus already far exceeds the size of the data block itself, which makes pre-storing uneconomical, and a data storage party that had intended to pre-store is thereby forced to remain honest to some extent.
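As an added illustration (not code from the patent) of the block-and-slice preparation of step S222, the challenge generation of step S31 and the pre-storage argument just made: the pairing-based characteristic and verification values are not implemented, since their formulas appear on this page only as images. Assumptions, labelled in the code: HMAC-SHA256 stands in for the unspecified pseudo-random function prn(·), a toy 16-bit prime is the order of Z_r, and a slice is mapped into Z_r by reducing its integer value mod r.

```python
import hashlib
import hmac
import math
import random

# Constructed toy parameters (not from the patent): a 16-bit prime as the order of
# Z_r, so len(Z_r), the number of bytes holding one field element, is 2.
R_PRIME = 65521
LEN_ZR = math.ceil(R_PRIME.bit_length() / 8)     # len(Z_r) = 2 bytes


def block_and_slice(file_bytes, n, r_prime=R_PRIME, len_zr=LEN_ZR):
    """Step S222: split file F into s blocks of n*len(Z_r) bytes (last block
    zero-padded), cut each block m_i into n slices of len(Z_r) bytes and map each
    slice into Z_r. Reducing the slice's integer value mod r is an assumption; the
    patent does not state how a slice is mapped into Z_r."""
    block_size = n * len_zr
    padded = file_bytes + b"\x00" * (-len(file_bytes) % block_size)
    blocks = []
    for start in range(0, len(padded), block_size):
        block = padded[start:start + block_size]
        slices = [int.from_bytes(block[j * len_zr:(j + 1) * len_zr], "big") % r_prime
                  for j in range(n)]           # slices[j] is m_ij
        blocks.append(slices)
    return blocks                              # blocks[i] is data block m_i


def prn(key, label, modulus):
    """Pseudo-random function prn(.) yielding a value in [0, modulus). The patent
    only says 'pseudo-random function'; HMAC-SHA256 is an assumed instantiation."""
    digest = hmac.new(key, label, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def generate_challenge(N, n, s, t, key):
    """Step S31: offset r = prn(N - n) with r in (0, N - n], plus a set I of t
    distinct block indices i_c chosen from the s blocks of the file."""
    if not (0 < n < N and 0 < t <= s):
        raise ValueError("need 0 < n < N and 0 < t <= s")
    r = 1 + prn(key, b"offset", N - n)         # shift [0, N-n) to (0, N-n]
    rng = random.Random(prn(key, b"index-set", 2 ** 64))
    index_set = sorted(rng.sample(range(s), t))
    return r, index_set


def prestore_ratio(N, n):
    """Pre-storage argument of step S43: a storage party that wants to answer any
    offset without the data must keep N - n verification values per block, against
    the n slices the block itself holds. Ratios well above 1 (N much larger than 2n)
    are what makes pre-storing uneconomical."""
    return (N - n) / n
```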
S44, take the label, the characteristic value and the verification value of each data block as the possession evidence of the data block.
The label, the characteristic value and the verification value of each data block are taken as the possession evidence of the data block
Figure GDA0002792492140000136
S45, aggregate the possession evidence of each data block to be challenged to obtain the possession evidence for the challenge.
Aggregate the possession evidence of each data block to be challenged according to the formulas
Figure GDA0002792492140000137
Figure GDA0002792492140000138
giving the possession evidence (μ, v, δ) for this challenge.
S46, the data storage party sends the possession evidence to the third party auditor to respond to the challenge.
S5, according to the index subscript set of the data blocks to be challenged obtained in step S3, the third party auditor verifies the characteristic value and the label in the possession evidence using the bilinear map in combination with the public key set; if this passes, it goes on to verify the characteristic value and the verification value in the possession evidence. The challenge succeeds only when both verification steps are carried out and pass; otherwise the challenge fails.
S51, the third party auditor verifies the characteristic value and the label in the possession evidence according to the public key information of the user and the index subscript set of the data blocks to be challenged; if the verification passes, step S53 is performed. If the verification fails, failure is returned.
For the data block to be challenged
Figure GDA0002792492140000141
whose index is (Q, i_c), map the index into G_1 to obtain
Figure GDA0002792492140000142
The third party auditor verifies the characteristic value and the label in the possession evidence according to the public key information of the user and the index subscript set of the data blocks to be challenged; the equation to be verified is
Figure GDA0002792492140000143
Figure GDA0002792492140000144
If the equation holds, the verification passes and step S53 is performed. Otherwise the verification fails and failure is returned. A verification failure indicates that the data has indeed been tampered with or lost.
S52, the third party auditor verifies the characteristic value and the verification value in the possession evidence according to the public key information of the user; if the verification passes, success is returned. If the verification fails, failure is returned.
The third party auditor verifies the characteristic value and the verification value in the possession evidence according to the public key information of the user; the equation to be verified is e(μ, W_r) = e(U_0, v). If the equation holds, the verification passes and success is returned. Otherwise the verification fails and failure is returned. A verification failure indicates that the possession evidence returned by the data storage party is false and unreliable.
Since the first step verifies without exposing the data, it is still possible that a proof of possession was stored in advance while the stored data itself was lost, and the first verification alone would not detect this. The present invention therefore adds a second layer of verification that checks whether μ and v in the proof correspond. Note that v must be computed from the data itself, so proving that v was not stored in advance confirms that the data has indeed not been tampered with or lost.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (7)

1. A method for publicly auditing data possession attestation in a distributed storage system, the method comprising the steps of:
s1, initializing a user, a third party audit and a data storage party in a distributed storage system respectively;
S2, the user stores a private key set formed by the signature private key and the encryption private key locally, and sends a public key set formed by the signature public key, the signature base, the encryption public key and the verification public key to the third party auditor;
S3, the user performs blocking processing and slicing processing on the file to be stored, a characteristic value of each data block is generated from the slice information of the data block and the encryption public key, the signature private key signs the characteristic value to generate a corresponding label, each data block and the corresponding label set are sent to the data storage party, and the index subscript set of each data block is sent to the third party auditor; the blocking processing is as follows: the file data F to be stored is divided into data blocks of size n × len(Z_r), i.e. F = (m_0, m_1, …, m_{s-1}); the index of data block m_i is (Q, i), i = 0, 1, …, s-1, where Q represents the unique identifier of the file the data block belongs to and s represents the number of data blocks; the slicing processing is as follows: each data block m_i is divided equally into data slices of size len(Z_r), and each data slice is mapped into Z_r and denoted m_ij, i.e. m_ij ∈ Z_r, j = 0, 1, …, n-1, n indicating the number of data slices;
the method for generating the characteristic value of the data block from the slice information of the data block and the encryption public key comprises the following steps: (1) the index of data block m_i is mapped into group G_1 to obtain the index hash value HQ_i, HQ_i = h(Q, i); (2) the characteristic value μ_i of data block m_i is computed from each slice m_ij and the encryption public key; (3) the index hash value HQ_i and the characteristic value μ_i of the data block are signed with the signature private key sk to generate the label δ_i = (HQ_i · μ_i)^sk corresponding to m_i;
the characteristic value μ_i of data block m_i is computed by either of the following methods: computing in combination with the encryption public key U
Figure FDA0002792492130000021
computing in combination with the encryption private key x and the encryption public key U
Figure FDA0002792492130000022
Figure FDA0002792492130000023
S4, the third party auditor sends the index subscript set of the data blocks to be challenged and the public key set of the user initiating the challenge to the data storage party to initiate the challenge;
S5, the data storage party forms the possession evidence of each data block to be challenged from its label, characteristic value and verification value, then aggregates the possession evidence of all the data blocks into the possession evidence of the challenge, and sends the possession evidence of the challenge to the third party auditor to respond to the challenge;
S6, the third party auditor verifies the characteristic value and the label in the possession evidence using the bilinear map according to the index subscript set of the data blocks to be challenged and the public key set, and verifies the characteristic value and the verification value in the possession evidence using the bilinear map; the challenge succeeds if and only if both verification steps are carried out and pass, otherwise it fails.
2. The method of claim 1, wherein step S1 is specifically as follows:
the user side, the data storage side and the third party auditor all generate the finite field Z_r and the cyclic groups G_1, G_2, G_T of the same prime order, and select the same security parameter N and challenge parameter n, where N and n are positive integers and n < N;
the user side and the third party auditor define the same one-way hash function h: (·)* → G_1;
The data storage party and the third party audit define the same pseudo-random function prn (·).
3. The method of claim 2, wherein the step S2 includes the steps of:
S21, the user randomly selects a signature private key sk ∈ Z_r in the finite field Z_r, randomly selects one element of group G_2 as the signature base g ∈ G_2, and computes the signature public key pk = g^sk in combination with the signature private key;
S22, the user randomly selects an encryption private key x ∈ Z_r in the finite field Z_r, randomly selects one element u ∈ G_1 in group G_1, and computes the encryption public key U = {U_k} in combination with the encryption private key, where
Figure FDA0002792492130000031
one element w ∈ G_2 is randomly selected in group G_2, and the verification public key W = {W_k} is computed in combination with the encryption private key, where
Figure FDA0002792492130000032
k=0,1,…,N-1;
S23, the user stores the signature private key and the encryption private key locally as the private key set SK = {sk, x}, and sends the public key set PK = {pk, g, U, W} formed by the signature public key, the signature base, the encryption public key and the verification public key to the third party auditor.
4. The method of claim 2, wherein the step S4 includes the steps of:
S41, from the security parameter N and the challenge parameter n, the third party auditor generates an offset r through the pseudo-random function, i.e. prn(N-n) → r, and randomly selects index subscripts of data blocks to be challenged to form a set I = {i_c}, where t is the number of i_c in set I;
S42, the third party auditor sends the offset, the index subscript set of the data blocks to be challenged and the public key set of the user initiating the challenge to the data storage party to initiate the challenge.
5. The method of claim 2, wherein the step S5 includes the steps of:
S51, according to the received index set I of the data blocks to be challenged, for each data block to be challenged
Figure FDA0002792492130000033
Obtaining the label of the data block from the local storage
Figure FDA0002792492130000034
S52, for each data block to be challenged
Figure FDA0002792492130000035
Obtaining the data block from the local storage, and then combining the data block with the encryption public key to generate the characteristic value of the data block
Figure FDA0002792492130000036
i_c = 0, 1, …, t-1, where t is the number of i_c in set I;
s53, for each data block to be challenged
Figure FDA00027924921300000410
Obtaining the data block from the local storage, and combining the obtained data block with the verification public key W and the offset r to generate the verification value of the data block
Figure FDA0002792492130000041
S54, taking the label, the characteristic value and the verification value of each data block as the possession evidence of the data block
Figure FDA0002792492130000042
S55, aggregating the possession evidence of each data block to be challenged according to the formulas
Figure FDA0002792492130000043
Figure FDA0002792492130000044
giving the possession evidence (μ, v, δ) for this challenge;
S56, the data storage party sends the possession evidence to the third party auditor to respond to the challenge.
6. The method of claim 2, wherein the step S6 includes the steps of:
S61, for the data block to be challenged
Figure FDA0002792492130000045
with index (Q, i_c), map the index into G_1 to obtain
Figure FDA0002792492130000046
Figure FDA0002792492130000047
S62, the third party auditor verifies the characteristic value and the label in the possession evidence according to the public key information of the user and the index subscript set of the data blocks to be challenged; the equation to be verified is
Figure FDA0002792492130000048
Figure FDA0002792492130000049
if the equation holds, the verification passes and step S63 is performed; otherwise the verification fails and failure is returned; e(·) denotes the bilinear map;
S63, the third party auditor verifies the characteristic value and the verification value in the possession evidence according to the public key information of the user; the equation to be verified is e(μ, W_r) = e(U_0, v); if the equation holds, the verification passes and success is returned; otherwise the verification fails and failure is returned.
7. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, implements a data-possession proof method for publicly auditing in a distributed storage system as recited in any one of claims 1-6.
CN201911086248.3A 2019-11-08 2019-11-08 Data possession proving method capable of realizing public auditing and readable storage medium Active CN110933044B (en)

Publications (2)

Publication Number Publication Date
CN110933044A CN110933044A (en) 2020-03-27
CN110933044B true CN110933044B (en) 2021-03-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant