CN110933044B - Data possession proving method capable of realizing public auditing and readable storage medium - Google Patents
Classifications
- H04L63/12 — Applying verification of the received information (H04L63/00 Network architectures or network communication protocols for network security)
- H04L9/0822 — Key transport or distribution using a key encryption key (H04L9/08 Key distribution or management)
- H04L9/3033 — Public key: underlying computational problems or public-key parameters, details relating to pseudo-prime or prime number generation, e.g. primality test
- H04L9/321 — Means for verifying the identity or authority of a user or for message authentication, involving a third party or a trusted authority
- H04L9/3247 — Means for verifying the identity or authority of a user or for message authentication, involving digital signatures
- H04L9/3271 — Means for verifying the identity or authority of a user or for message authentication, using challenge-response
- H04L2209/72 — Signcrypting, i.e. digital signing and encrypting simultaneously
- H04L67/1097 — Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Abstract
The invention discloses a data possession proving method that supports public auditing, and a readable storage medium, in the field of information security. The method comprises the following steps: the user keeps the private key set locally and sends the public key set to the third-party auditor; the user divides the file to be stored into blocks and slices, generates a characteristic value for each data block from its slice information and the public key set, signs the characteristic value with the private key set to produce a tag, and sends each data block together with the tag set to the data storage party, while the index subscript set corresponding to each data block is sent to the third-party auditor; the third-party auditor sends the index subscript set of the data blocks to be challenged and the public key set to the data storage party to initiate a challenge; the data storage party aggregates the possession proofs of all challenged data blocks and sends the aggregated possession proof to the third-party auditor in response to the challenge; and the third-party auditor, using the index subscript set and the public key set of the challenged data blocks, verifies the characteristic value against the tag and the characteristic value against the verification value in the possession proof by means of bilinear mapping; if both verifications succeed the challenge succeeds, otherwise the verification fails.
Description
Technical Field
The invention belongs to the field of information security and specifically relates to a publicly auditable data possession proving method and a readable storage medium.
Background
At present, distributed systems provide a storage service for users: a user may store a local file at another node in the system. Since the user no longer directly controls the file data, and the storage node is not trusted, the stored data may be maliciously tampered with or lost for various reasons, so it is necessary to provide users with a periodic and public Provable Data Possession (PDP) service. A proof of data possession allows the integrity of the data to be verified without the file data itself being revealed.
Among existing PDP schemes based on Elliptic Curve Cryptography (ECC), both the ECDSA signature algorithm proposed by Scott Vanstone in 1992 and the Schnorr signature algorithm proposed by Schnorr in 1992 suffer from a complicated signing process, large space overhead and the inability to aggregate verification. The BLS signature algorithm (Boneh-Lynn-Shacham signature scheme) of 2001, by contrast, can aggregate a large number of tags into a single verification thanks to the homomorphic property of the generated tags, and the tags and verification parameters are relatively short, which saves a large amount of space.
However, conventional PDP schemes based on BLS signatures still have shortcomings: either the tag overhead is large, or the data storage party can respond to a challenge without storing the complete data, or the proof of possession is large.
Disclosure of Invention
In view of the defects and improvement needs of the prior art, the invention provides a data possession proving method and a readable storage medium that support public auditing, with the aim of achieving public auditing without revealing the original content of the data blocks, while offering high security and high efficiency.
To achieve the above object, according to a first aspect of the present invention, there is provided a publicly auditable data possession proving method in a distributed storage system, the method comprising the following steps:
S1, initializing the user, the third-party auditor and the data storage party in the distributed storage system respectively;
S2, the user stores locally a private key set formed by the signature private key and the encryption private key, and sends a public key set formed by the signature public key, the signature base, the encryption public key and the verification public key to the third-party auditor;
S3, the user performs blocking and slicing on the file to be stored, generates a characteristic value for each data block from its slice information and the encryption public key, signs the characteristic value with the signature private key to produce the corresponding tag, sends each data block and the corresponding tag set to the data storage party, and sends the index subscript set corresponding to each data block to the third-party auditor. The blocking is as follows: the file data F to be stored is divided into data blocks of size n × len(Z_r), i.e. F = (m_0, m_1, …, m_{s-1}); the index of data block m_i is (Q, i), i = 0, 1, …, s-1, where Q is the unique identifier of the file to which the block belongs and s is the number of data blocks. The slicing is as follows: each data block m_i is divided equally into data slices of size len(Z_r), and each data slice is mapped into Z_r and denoted m_ij, i.e. m_ij ∈ Z_r, j = 0, 1, …, n-1, where n is the number of data slices.
The characteristic value of a data block is generated from its slice information and the encryption public key as follows: (1) map the index of data block m_i into the group G_1 to obtain the index hash value HQ_i, HQ_i = h(Q, i); (2) compute the characteristic value μ_i of data block m_i from the slice data m_ij and the encryption public key; (3) sign the index hash value HQ_i and the characteristic value μ_i with the signature private key sk to generate the tag of m_i, δ_i = (HQ_i · μ_i)^sk.
The characteristic value μ_i of data block m_i is computed by either of two methods: a computation combining the slices with the encryption public key U, or a computation using the encryption private key x together with the encryption public key U.
S4, the third-party auditor sends the index subscript set of the data blocks to be challenged and the public key set of the user on whose behalf the challenge is initiated to the data storage party, to initiate the challenge;
S5, the data storage party forms the possession proof of each challenged data block from its tag, characteristic value and verification value, aggregates the possession proofs of all challenged data blocks into the possession proof for this challenge, and sends it to the third-party auditor in response to the challenge;
S6, according to the index subscript set and the public key set of the challenged data blocks, the third-party auditor verifies the characteristic value against the tag in the possession proof by bilinear mapping, and verifies the characteristic value against the verification value in the possession proof by bilinear mapping; the challenge succeeds if and only if both verifications pass, and fails otherwise.
Preferably, step S1 is specifically as follows:
The user, the data storage party and the third-party auditor all generate the finite field Z_r and the cyclic groups G_1, G_2, G_T of the same prime order, and select the same security parameter N and challenge parameter n, where N and n are positive integers and n < N;
The user and the third-party auditor define the same one-way hash function h: (·)* → G_1;
The data storage party and the third-party auditor define the same pseudo-random function prn(·).
Preferably, step S2 includes the following steps:
S21, the user randomly selects a signature private key sk ∈ Z_r in the finite field Z_r, randomly selects an element of the group G_2 as the signature base g ∈ G_2, and computes the signature public key pk = g^sk from the signature private key;
S22, the user randomly selects an encryption private key x ∈ Z_r in the finite field Z_r, randomly selects an element u ∈ G_1 of the group G_1 and computes from it and the encryption private key the encryption public key U = {U_k}; randomly selects an element w ∈ G_2 of the group G_2 and computes from it and the encryption private key the verification public key W = {W_k}; here k = 0, 1, …, N-1 for both U_k and W_k;
S23, the user stores the signature private key and the encryption private key locally as the private key set SK = {sk, x}, and sends the public key set PK = {pk, g, U, W} formed by the signature public key, the signature base, the encryption public key and the verification public key to the third-party auditor.
Preferably, step S4 includes the following steps:
S41, according to the security parameter N and the challenge parameter n, the third-party auditor generates an offset r through the pseudo-random function, i.e. prn(N-n) → r, and randomly selects index subscripts of data blocks to be challenged to form a set I = {i_c}, where t is the number of elements i_c in I;
S42, the third-party auditor sends the offset, the index subscript set of the data blocks to be challenged and the public key set of the user to the data storage party to initiate the challenge.
Preferably, step S5 includes the following steps:
S51, according to the received index set I of data blocks to be challenged, for each challenged data block m_{i_c} obtain its tag δ_{i_c} from local storage;
S52, for each challenged data block m_{i_c}, obtain the data block from local storage and combine it with the encryption public key to generate its characteristic value μ_{i_c}, where t is the number of elements i_c in I;
S53, for each challenged data block m_{i_c}, obtain the data block from local storage and combine it with the verification public key W and the offset r to generate its verification value v_{i_c};
S54, take the tag, the characteristic value and the verification value of each data block as the possession proof of that data block;
S55, aggregate the possession proofs of all challenged data blocks according to the aggregation formula, yielding the possession proof (μ, v, δ) for this challenge;
S56, the data storage party sends the possession proof to the third-party auditor in response to the challenge.
Preferably, step S6 includes the following steps:
S62, the third-party auditor verifies the characteristic value against the tag in the possession proof according to the user's public key information and the index subscript set of the challenged data blocks by checking the verification equation; if the equation holds, the verification passes and step S63 is performed, otherwise failure is returned, where e(·,·) denotes the bilinear mapping;
S63, the third-party auditor verifies the characteristic value against the verification value in the possession proof according to the user's public key information by checking e(μ, W_r) = e(U_0, v); if the equation holds, the verification passes and success is returned, otherwise failure is returned.
To achieve the above object, according to a second aspect of the present invention, there is provided a computer-readable storage medium on which a computer program is stored which, when executed by a processor, implements the publicly auditable data possession proving method in a distributed storage system described in the first aspect.
Generally, the technical solution conceived by the present invention provides the following beneficial effects:
(1) The invention can aggregate a large number of data blocks into one data possession verification, greatly improving proving efficiency, while the amount of data transmitted for verification remains small even when blocks are aggregated. In addition, the challenge and verification process only transmits evidence derived from the data and never exposes the data content, which effectively protects the security of the stored data and the interests of the data owner.
(2) The invention divides the file data into data blocks of size n × len(Z_r), then slices each data block into data slices of size len(Z_r), which are mapped into Z_r. The size of a data slice and the size of its mapping into Z_r held by the data storage party are therefore the same, which prevents a dishonest data storage party from saving space by pre-storing the mapping results.
(3) The invention generates an offset r through a pseudo-random function from the security parameter N and the challenge parameter n. The offset r is an unpredictable random value for the data storage party, with r ∈ (0, N-n]; if the data storage party wanted to pre-store verification values, it would need to store N-n variants for each data block that might be challenged, and the amount of data to pre-store far exceeds the size of the data block itself, so pre-storing is not cost-effective; a data storage party that intended to pre-store is thereby forced to remain honest to a certain extent.
(4) The method uses two-step verification. Because verifying the characteristic value against the tag in the possession proof still leaves the possibility that the proof was pre-stored while the stored data was lost, the characteristic value is further verified against the verification value; the verification value is computed from the data itself, and proving that it was not pre-stored confirms that the data has indeed not been tampered with or lost.
Drawings
Fig. 1 is a flowchart of a data possession proving method for public auditing in a distributed storage system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of file blocking and slicing according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
First, the terms of art to which the present invention relates are explained as follows:
Bilinear mapping: Z_r is a finite field, and G_1, G_2 and G_T are cyclic groups of the same order. A bilinear mapping e: G_1 × G_2 → G_T satisfies, for any g ∈ G_1, h ∈ G_2 and a, b ∈ Z_r, e(g^a, h^b) = e(g, h)^{ab}.
The invention discloses a data possession proving method based on bilinear mapping. It involves three roles: the user, the data storage party and the third-party auditor. First, the user generates a verification tag for each data block and sends the data blocks and their tags to the data storage party. Second, the third-party auditor initiates a challenge to the data storage party. Third, the data storage party generates a possession proof from the stored data blocks and their tags and sends it to the third-party auditor. Fourth, the third-party auditor judges whether the data is intact using the user's public information and the possession proof.
As shown in Fig. 1, the present invention provides a publicly auditable data possession proving method in a distributed storage system, comprising the following steps:
S1, all nodes in the system generate system parameters based on the same elliptic curve. The user generates a private key set and a public key set, stores the private key set locally and sends the public key set to the third-party auditor.
Step S1 specifically includes the following steps:
S11, the user, the data storage party and the third-party auditor generate the finite field Z_r and the cyclic groups G_1, G_2 and G_T of the same prime order; the user and the third-party auditor define the same one-way hash function, and the data storage party and the third-party auditor define the same pseudo-random function. A security parameter N and a challenge parameter n are selected, with n < N, N and n positive integers.
The invention is suitable for asymmetric elliptic curves; in this embodiment the BLS12_381 curve is selected. The user, the data storage party and the third-party auditor in the distributed storage system all generate system parameters from the same elliptic curve and, from these, the cyclic groups G_1, G_2, G_T of the same prime order and the finite field Z_r, and define the one-way hash function h: (·)* → G_1 and the pseudo-random function prn(·). The security parameter N and the challenge parameter n are chosen such that n < N, with N and n positive integers.
S12, the user randomly selects the signature private key in the finite field Z_r, randomly selects an element of the group G_2 as the signature base, and computes the signature public key from the signature private key.
The user randomly selects the signature private key sk ∈ Z_r in the finite field Z_r, randomly selects an element of G_2 as the signature base g ∈ G_2, and computes the signature public key pk = g^sk from the signature private key.
S13, the user randomly selects the encryption private key in the finite field Z_r, randomly selects an element of G_1 and computes the encryption public key from it and the encryption private key, and randomly selects an element of G_2 and computes the verification public key from it and the encryption private key.
The user randomly selects the encryption private key x ∈ Z_r in the finite field Z_r, randomly selects an element u ∈ G_1 of G_1 and computes from it and the encryption private key the encryption public key U = {U_k}, and randomly selects an element w ∈ G_2 of G_2 and computes from it and the encryption private key the verification public key W = {W_k}; for both U_k and W_k, k = 0, 1, …, N-1. Performing N such computations to obtain the encryption public key and the verification public key serves to prevent the data storage party from pre-storing the information used to generate possession proofs.
S14, the user stores the signature private key and the encryption private key locally as the private key set, and sends the signature public key, the signature base, the encryption public key and the verification public key as the public key set to the third-party auditor.
The user stores the signature private key and the encryption private key locally as the private key set SK = {sk, x}, and sends the signature public key, signature base, encryption public key and verification public key PK = {pk, g, U, W} as the public key set to the third-party auditor.
S2, the user generates the characteristic value of each data block from the data block information and the public key set, signs the characteristic value with the private key set to obtain a tag, sends all data blocks to be stored and the set of their corresponding tags to the data storage party, and sends the set of index subscripts corresponding to each data block to the third-party auditor.
Step S2 specifically includes the following steps:
S21, the user divides the file data to be stored into data blocks of equal size, each data block having a distinct index.
As shown in Fig. 2, let the element length of Z_r be len(Z_r). The user divides the file data F to be stored into data blocks of size n × len(Z_r), i.e. F = (m_0, m_1, …, m_{s-1}), and defines the index of data block m_i as (Q, i), i = 0, 1, …, s-1, where Q is the unique identifier of the file F to which the block belongs.
S22, generate a corresponding tag for each data block.
For each data block m_i, the corresponding tag δ_i is generated by the following steps.
S221, map the index of the data block into the group G_1 to obtain the index hash value.
Map the index of the data block into G_1 to obtain the index hash value HQ_i, HQ_i = h(Q, i).
S222, divide each data block into data slices of equal size, map the data slices into Z_r, and generate the characteristic value of the data block in combination with the encryption public key.
In the prior art, the user maps a data block directly into Z_r, and the result is far smaller than the data block itself, so the data storage party can pre-store the mapping result. The present invention therefore divides the file data into data blocks of size n × len(Z_r), slices each data block into slices of size len(Z_r), and maps each slice into Z_r. The size of a data slice and the size of its mapping into Z_r held by the data storage party are thus the same, which prevents a dishonest data storage party from saving space by pre-storing the mapping results.
As shown in Fig. 2, each data block m_i is further divided equally into data slices of size len(Z_r), which are mapped into Z_r and denoted m_ij, i.e. m_ij ∈ Z_r, j = 0, 1, …, n-1, where j is the index of the data slice and n is the number of slices in the data block; the characteristic value μ_i of data block m_i is then computed by either of the two calculation methods described above (using the encryption public key U, or the encryption private key x together with U).
S223, sign the index hash value and the characteristic value of the data block with the signature private key to generate the tag.
Sign the index hash value HQ_i and the characteristic value μ_i of the data block with the signature private key sk, i.e. generate the tag of m_i, δ_i = (HQ_i · μ_i)^sk.
S23, the user sends the blocked and sliced file data to be stored together with its tag set to the data storage party, and sends the index subscript set corresponding to each data block to the third-party auditor.
S3, the third-party auditor generates an offset from the security parameter and the challenge parameter, randomly selects index subscripts of data blocks to be challenged to form a set, and sends the offset, the index subscript set of the challenged data blocks and the public key set of the corresponding user to the data storage party to initiate the challenge.
S31, the third-party auditor generates an offset through the pseudo-random function from the security parameter and the challenge parameter, and randomly selects index subscripts of data blocks to be challenged to form a set.
The third-party auditor generates the offset r through the pseudo-random function from the security parameter N and the challenge parameter n, i.e. prn(N-n) → r, and randomly selects index subscripts of data blocks to be challenged to form a set I = {i_c}, where the number of elements i_c in I is t.
S32, the third-party auditor sends the offset, the index subscript set of the challenged data blocks and the public key set of the user to the data storage party to initiate the challenge.
The third-party auditor sends the offset r, the index subscript set I of the challenged data blocks and the public key set PK of the user to the data storage party to initiate the challenge.
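The blocking and slicing of steps S21/S222 and the challenge generation of step S31, written out in Python as an added example (this is not the patent's own code). Z_r is taken as the scalar field of BLS12_381 named in the embodiment; the slice width, the zero-padding of the last block and HMAC-SHA256 keyed by a per-challenge seed as prn(·) are assumptions made here, and because n already denotes slices per block the challenge parameter is called n_chal and the security parameter big_n.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Scalar field order r of BLS12_381, the curve selected in the embodiment.
BLS12_381_R = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001


def slice_len_bytes(r: int) -> int:
    """Byte width of one slice. Assumption: the largest width for which every
    byte string is already a canonical element of Z_r, so the slice -> Z_r map
    is injective and needs no modular reduction (the text only says len(Z_r))."""
    return (r.bit_length() - 1) // 8


@dataclass
class Block:
    index: Tuple[str, int]   # (Q, i): file identifier and block position
    slices: List[int]        # m_ij in Z_r, j = 0 .. n-1


def split_file(data: bytes, q: str, n: int, r: int = BLS12_381_R) -> List[Block]:
    """F -> (m_0, ..., m_{s-1}); each block is n slices of slice_len_bytes(r) bytes.
    The last block is zero-padded (assumption; the caller keeps the original length)."""
    width = slice_len_bytes(r)
    block_len = n * width
    padded = data + b"\x00" * (-len(data) % block_len)
    blocks = []
    for i in range(len(padded) // block_len):
        chunk = padded[i * block_len:(i + 1) * block_len]
        slices = [int.from_bytes(chunk[j * width:(j + 1) * width], "big")
                  for j in range(n)]
        blocks.append(Block((q, i), slices))
    return blocks


def join_blocks(blocks: List[Block], orig_len: int, r: int = BLS12_381_R) -> bytes:
    """Inverse of split_file: the slice -> Z_r mapping loses nothing, so a storage
    party gains no space by keeping the mapped values instead of the data."""
    width = slice_len_bytes(r)
    out = b"".join(m.to_bytes(width, "big") for b in blocks for m in b.slices)
    return out[:orig_len]


def prn(seed: bytes, big_n: int, n_chal: int) -> int:
    """prn(N - n) -> r with r in (0, N - n]. HMAC-SHA256 under a fresh per-challenge
    seed is an assumption; the text only names a shared pseudo-random function."""
    if not 0 < n_chal < big_n:
        raise ValueError("require 0 < n < N")
    span = big_n - n_chal
    digest = hmac.new(seed, span.to_bytes(8, "big"), hashlib.sha256).digest()
    return 1 + int.from_bytes(digest, "big") % span


def make_challenge(big_n: int, n_chal: int, s: int, t: int,
                   seed: Optional[bytes] = None) -> Tuple[int, List[int]]:
    """Step S31: the offset r and the index set I = {i_c} of t distinct block
    indices drawn from the s blocks of the file."""
    if seed is None:
        seed = secrets.token_bytes(32)
    r = prn(seed, big_n, n_chal)
    index_set = sorted(secrets.SystemRandom().sample(range(s), t))
    return r, index_set


if __name__ == "__main__":
    data = bytes(range(256)) * 2                      # constructed 512-byte sample file
    blocks = split_file(data, "file-42", n=4)         # 31-byte slices, 124-byte blocks
    assert join_blocks(blocks, len(data)) == data     # mapping is lossless
    r, I = make_challenge(big_n=1024, n_chal=16, s=len(blocks), t=3)
    print(len(blocks), "blocks; offset r =", r, "; challenged indices I =", I)
```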
S4, according to the received index subscript set, the data storage party fetches each data block to be challenged together with its label from local storage, calculates the characteristic value and the verification value of each data block using the offset and the public key set, and takes the set of characteristic value, verification value and label as the possession evidence of that single data block; it then aggregates these into the possession evidence of the challenge and sends it to the third party auditor in response to the challenge.
S41, according to the received index subscript set of the data blocks to be challenged, the data storage party obtains each data block to be challenged and its label from local storage.
According to the received index set I of the data blocks to be challenged, for each data block to be challenged, the label of that data block is obtained from local storage.
S42, for each data block to be challenged, the data block is obtained from local storage and combined with the encryption public key to generate the characteristic value of the data block.
For each data block to be challenged, the data block is obtained from local storage and then combined with the encryption public key U to generate the characteristic value of the data block.
S43, for each data block to be challenged, the data block is obtained from local storage and then combined with the verification public key and the offset to generate the verification value of the data block.
For each data block to be challenged, the data block is obtained from local storage and combined with the verification public key W and the offset r to generate the verification value of the data block.
The offset r is a random value that the data storage party cannot predict, with r ∈ (0, N-n]. If the data storage party wanted to pre-store the verification value, it would have to store N-n such values for each data block that might be challenged; the amount of pre-stored data would then far exceed the size of the data block itself, which makes pre-storing not cost-effective, so a data storage party that originally intended to pre-store is to some extent forced to remain honest.
S44, the label, the characteristic value and the verification value of each data block are taken as the possession evidence of that data block.
The label, the characteristic value and the verification value of each data block are taken as the possession evidence of the data block.
S45, the possession evidence of each data block to be challenged is aggregated to obtain the possession evidence of the challenge.
The possession evidence of each data block to be challenged is aggregated according to the aggregation formula, yielding the possession evidence (μ, v, δ) of this challenge.
S46, the data storage party sends the possession evidence to the third party auditor to respond to the challenge.
S5, using the index subscript set of the data blocks to be challenged obtained in step S3 and the public key set, the third party auditor verifies the characteristic value and the label in the possession evidence by bilinear mapping; if that passes, it continues to verify the characteristic value and the verification value in the possession evidence. The challenge succeeds only when both verification steps are performed and pass; otherwise the challenge fails.
S51, the third party auditor verifies the characteristic value and the label in the possession evidence according to the user's public key information and the index subscript set of the data blocks to be challenged; if the verification passes, step S53 is performed, otherwise failure is returned.
The third party auditor verifies the characteristic value and the label in the possession evidence according to the user's public key information and the index subscript set of the data blocks to be challenged, and checks whether the verification equation holds. If the equation holds, the verification passes and step S53 is performed; otherwise failure is returned. A verification failure here indicates that the data has indeed been tampered with or lost.
S52, the third party auditor verifies the characteristic value and the verification value in the possession evidence according to the user's public key information; if the verification passes, success is returned, otherwise failure is returned.
The third party auditor verifies the characteristic value and the verification value in the possession evidence according to the user's public key information; the equation to be verified is e(μ, W_r) = e(U_0, v). If the equation holds, the verification passes and success is returned; otherwise failure is returned. A verification failure here indicates that the possession evidence returned by the data storage party is false and unreliable.
Since the first step verifies without exposing the data, there remains the possibility that a proof of possession was preserved in advance, so that loss of the stored data would not be detected by that verification alone. For this reason the present invention employs a second layer of verification, which checks whether μ and v in the proof correspond; it is worth noting that v must be computed from the data itself, so proving that v was not stored in advance confirms that the data has indeed not been tampered with or lost.
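The following Python model of steps S3 to S5 is an added example, not code from the patent. It represents each group element by its discrete logarithm (G1 relative to u, G2 relative to w, GT relative to e(u, w)), so the pairing reduces to multiplication in Z_r; this reproduces the verification algebra exactly but provides no security. The forms U_k = u^(x^k), W_k = w^(x^k), μ_i = ∏_j U_j^(m_ij), v_i = ∏_j W_(j+r)^(m_ij), the product-form aggregation and the first-layer equation e(δ, g) = e(∏HQ_i · μ, pk) are assumptions filled in from the tag definition and the stated check e(μ, W_r) = e(U_0, v); the modulus, seeds and sample blocks are constructed.

```python
# Added teaching model of CN110933044B steps S3-S5, not the patent's own code.
# Each group element is stored as its discrete logarithm (G1 base u, G2 base w,
# GT base e(u, w)); the pairing is then a product in Z_r. Exact algebra, no security.
import hashlib, hmac, random

ORD = 2**61 - 1          # prime stand-in for the group order r (constructed)
N, NSLICE = 8, 4         # security parameter N, challenge parameter n (n < N)

def h(Q, i):             # h(Q, i) -> G1, modelled as hash-to-exponent
    return int.from_bytes(hashlib.sha256(f"{Q}|{i}".encode()).digest(), "big") % ORD

def prn(seed, bound):    # pseudo-random function prn(N - n) -> r, r in (0, N - n]
    d = hmac.new(seed, str(bound).encode(), "sha256").digest()
    return int.from_bytes(d, "big") % bound + 1

def keygen(rng):         # S2: SK = {sk, x}, PK = {pk, g, U, W}
    sk, x, g = (rng.randrange(1, ORD) for _ in range(3))
    powers = [pow(x, k, ORD) for k in range(N)]      # assumed U_k = u^(x^k), W_k = w^(x^k)
    return {"sk": sk, "x": x}, {"pk": g * sk % ORD, "g": g, "U": powers, "W": powers}

def feature(block, U):   # mu_i = prod_j U_j^(m_ij), assumed form of the characteristic value
    return sum(U[j] * m for j, m in enumerate(block)) % ORD

def tag(Q, i, mu_i, sk): # delta_i = (HQ_i * mu_i)^sk, the label defined on the page
    return (h(Q, i) + mu_i) * sk % ORD

def verification(block, W, r):  # v_i = prod_j W_(j+r)^(m_ij), depends on the offset r
    return sum(W[j + r] * m for j, m in enumerate(block)) % ORD

def challenge(seed, s, t, rng):  # S3: offset r = prn(N - n), t random indices i_c
    return prn(seed, N - NSLICE), sorted(rng.sample(range(s), t))

def prove(blocks, tags, I, r, PK):  # S4: per-block (mu_i, v_i, delta_i), aggregated
    mu = v = delta = 0
    for i in I:
        mu = (mu + feature(blocks[i], PK["U"])) % ORD
        v = (v + verification(blocks[i], PK["W"], r)) % ORD
        delta = (delta + tags[i]) % ORD
    return mu, v, delta

def verify(Q, I, r, proof, PK):  # S5: layer 1 binds mu to the tags, layer 2 binds mu to r
    mu, v, delta = proof
    e = lambda a, b: a * b % ORD                     # bilinear map in the exponent model
    hq = sum(h(Q, i) for i in I) % ORD
    layer1 = e(delta, PK["g"]) == e(hq + mu, PK["pk"])  # assumed e(delta, g) = e(prod HQ_i * mu, pk)
    layer2 = e(mu, PK["W"][r]) == e(PK["U"][0], v)      # page's check e(mu, W_r) = e(U_0, v)
    return layer1 and layer2

def demo():  # honest proof; proof cached for a guessed offset; one corrupted slice
    rng = random.Random(7)
    SK, PK = keygen(rng)
    Q, s = "file-42", 6                              # constructed file id and block count
    blocks = [[rng.randrange(ORD) for _ in range(NSLICE)] for _ in range(s)]
    tags = [tag(Q, i, feature(b, PK["U"]), SK["sk"]) for i, b in enumerate(blocks)]
    r, I = challenge(b"audit-seed", s, 3, rng)
    honest = verify(Q, I, r, prove(blocks, tags, I, r, PK), PK)
    guess = r % (N - NSLICE) + 1                     # an offset other than r, in (0, N-n]
    stale = prove(blocks, tags, I, guess, PK)        # evidence prepared before r was known
    lost = [b[:] for b in blocks]
    lost[I[0]][0] ^= 1                               # one slice altered after tagging
    return honest, verify(Q, I, r, stale, PK), verify(Q, I, r, prove(lost, tags, I, r, PK), PK)
```

`demo()` returns (True, False, False): the honest proof passes both layers, evidence precomputed for a guessed offset passes layer 1 but fails layer 2, and a corrupted slice fails layer 1.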
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (7)
1. A method for publicly auditing data possession attestation in a distributed storage system, the method comprising the steps of:
S1, initializing a user, a third party auditor and a data storage party in the distributed storage system respectively;
S2, the user stores a private key set formed by the signature private key and the encryption private key locally, and sends a public key set formed by the signature public key, the signature base, the encryption public key and the verification public key to the third party auditor;
S3, the user performs blocking processing and slicing processing on the file to be stored, generates a characteristic value of each data block based on the slice information of the data block and the encryption public key, signs the characteristic value with the signature private key to generate the corresponding label, sends each data block and the corresponding label set to the data storage party, and sends the corresponding index subscript set of each data block to the third party auditor; the blocking processing is as follows: the file data F to be stored is divided entirely into blocks of n × len(Z_r), i.e. F = (m_0, m_1, …, m_{s-1}); the index of data block m_i is (Q, i), i = 0,1,…,s-1, where Q represents the unique identifier of the file to which the data block belongs and s represents the number of data blocks; the slicing processing is as follows: each data block m_i is equally divided into data slices of size len(Z_r), and each data slice is mapped into Z_r and denoted m_ij, i.e. m_ij ∈ Z_r, j = 0,1,…,n-1, where n denotes the number of data slices;
the method for generating the characteristic value of the data block based on the slice information of the data block and the encryption public key comprises the following steps: (1) the index of data block m_i is mapped into group G_1 to obtain the index hash value HQ_i, HQ_i = h(Q, i); (2) the characteristic value μ_i of data block m_i is calculated based on each slice m_ij and the encryption public key; (3) the index hash value HQ_i and the characteristic value μ_i are signed using the signature private key sk to generate the label δ_i = (HQ_i * μ_i)^sk corresponding to m_i;
the characteristic value μ_i of the data block m_i is calculated by either of the following methods: calculation in combination with the encryption public key U, or calculation from the encryption private key x and the encryption public key U;
S4, the third party auditor sends the index subscript set of the data blocks to be challenged and the public key set of the user initiating the challenge to the data storage party to initiate the challenge;
S5, the data storage party forms the possession evidence of each data block to be challenged from its tag, characteristic value and verification value, aggregates the possession evidences of all those data blocks as the possession evidence of the challenge, and sends the possession evidence of the challenge to the third party auditor to respond to the challenge;
S6, the third party auditor verifies the characteristic value and the label in the possession evidence by bilinear mapping according to the index subscript set of the data blocks to be challenged and the public key set, and verifies the characteristic value and the verification value in the possession evidence by bilinear mapping; the challenge succeeds if and only if both verification steps are performed and pass, otherwise it fails.
2. The method of claim 1, wherein step S1 is specifically as follows:
the user side, the data storage side and the third party auditor all generate a finite field Z_r and cyclic groups G_1, G_2, G_T of the same prime order, and select the same security parameter N and challenge parameter n, where N and n are positive integers and n < N;
the user party and the third party auditor define the same one-way hash function h: (·)* → G_1;
the data storage party and the third party auditor define the same pseudo-random function prn(·).
3. The method of claim 2, wherein the step S2 includes the steps of:
S21, the user randomly selects a signature private key sk ∈ Z_r in the finite field Z_r, randomly selects one element of group G_2 as the signature base g ∈ G_2, and computes the signature public key pk = g^sk from the signature private key;
S22, the user randomly selects an encryption private key x ∈ Z_r in the finite field Z_r, randomly selects one element u ∈ G_1 of group G_1 and computes the encryption public key U = {U_k} from it and the encryption private key, and randomly selects one element w ∈ G_2 of group G_2 and computes the verification public key W = {W_k} from it and the encryption private key, where k = 0,1,…,N-1;
S23, the user stores the signature private key and the encryption private key locally as a private key set SK = {sk, x}, and sends the public key set PK = {pk, g, U, W} formed by the signature public key, the signature base, the encryption public key and the verification public key to the third party auditor.
4. The method of claim 2, wherein the step S4 includes the steps of:
S41, according to the security parameter N and the challenge parameter n, the third party auditor generates an offset r through the pseudo-random function, namely prn(N - n) → r, and randomly selects index subscripts of the data blocks to be challenged to form a set I, where I = {i_c} and t is the number of i_c in the set I;
S42, the third party auditor sends the offset, the index subscript set of the data blocks to be challenged and the public key set of the user initiating the challenge to the data storage party to initiate the challenge.
5. The method of claim 2, wherein the step S5 includes the steps of:
S51, according to the received index set I of the data blocks to be challenged, for each data block to be challenged, the label of the data block is obtained from local storage;
S52, for each data block to be challenged, the data block is obtained from local storage and then combined with the encryption public key to generate the characteristic value of the data block, for i_c, c = 0,1,…,t-1, where t is the number of i_c in the set I;
S53, for each data block to be challenged, the data block is obtained from local storage and combined with the verification public key W and the offset r to generate the verification value of the data block;
S54, the label, the characteristic value and the verification value of each data block are taken as the possession evidence of the data block;
S55, the possession evidence of each data block to be challenged is aggregated according to the aggregation formula, yielding the possession evidence (μ, v, δ) of this challenge;
S56, the data storage party sends the possession evidence to the third party auditor to respond to the challenge.
6. The method of claim 2, wherein the step S6 includes the steps of:
S62, the third party auditor verifies the characteristic value and the label in the possession evidence according to the user's public key information and the index subscript set of the data blocks to be challenged; if the verification equation holds, the verification passes and step S63 is performed, otherwise failure is returned, where e() represents the bilinear mapping;
S63, the third party auditor verifies the characteristic value and the verification value in the possession evidence according to the user's public key information; the equation to be verified is e(μ, W_r) = e(U_0, v); if the equation holds, the verification passes and success is returned; otherwise failure is returned.
7. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, implements a data-possession proof method for publicly auditing in a distributed storage system as recited in any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911086248.3A CN110933044B (en) | 2019-11-08 | 2019-11-08 | Data possession proving method capable of realizing public auditing and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110933044A CN110933044A (en) | 2020-03-27 |
CN110933044B true CN110933044B (en) | 2021-03-26 |
Family
ID=69852475
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111859030B (en) * | 2020-07-09 | 2023-04-28 | 西南交通大学 | Public auditing method supporting composite data |
CN112491529B (en) * | 2020-11-12 | 2022-03-29 | 安徽工业大学 | Data file encryption and integrity verification method and system used in untrusted server environment |
CN112560075B (en) * | 2021-02-22 | 2021-05-25 | 西南石油大学 | Lightweight searchable encryption method and device based on elliptic curve |
CN113609533B (en) * | 2021-08-23 | 2024-02-27 | 东北大学秦皇岛分校 | Integrity auditing method for smart grid data |
CN113625972A (en) * | 2021-08-26 | 2021-11-09 | 上海应用技术大学 | Hierarchical data possession proving method capable of realizing public auditing |
CN115630409B (en) * | 2022-10-28 | 2023-08-08 | 深圳市元兴信息技术有限公司 | Data storage control method and device |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8954389B2 (en) * | 2012-11-30 | 2015-02-10 | Dell Products, Lp | Content generation service for software testing |
CN104023044A (en) * | 2014-01-01 | 2014-09-03 | 电子科技大学 | Cloud-storage data lightweight-level public auditing method with privacy protection |
CN104601605B (en) * | 2015-02-28 | 2018-01-02 | 北方工业大学 | Efficient privacy protection auditing method based on chameleon hash function in cloud storage |
CN108629040A (en) * | 2018-05-11 | 2018-10-09 | 北京奇虎科技有限公司 | Data proof of possession method, apparatus and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||