CN113656840B - Dynamic integrity verification method with accountability - Google Patents

Dynamic integrity verification method with accountability

Info

Publication number: CN113656840B
Authority: CN (China)
Application number: CN202110805387.8A
Other languages: Chinese (zh)
Other versions: CN113656840A
Inventors: 周泽全, 罗喜伶, 柏艺, 王晓超
Current Assignee: Hangzhou Innovation Research Institute of Beihang University
Original Assignee: Hangzhou Innovation Research Institute of Beihang University
Legal status: Active (as listed; not a legal conclusion)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

The invention discloses a dynamic integrity verification method with accountability. In the scheme, a random number is introduced into the audit, which eliminates the possibility of the TPA extracting the original data; each read-write operation of a user is signed with a BLS signature, so the server can prove whether the user has carried out a denial attack. The scheme computes a metric of the data so that corrupted data can be recovered with failure probability O(λ^-k), and the degree of damage of the corrupted data is calculated using the Mahalanobis distance. In addition, the scheme is secure under the CDH and DL assumptions, and the whole audit process is privacy-preserving. The invention eliminates the possibility of the TPA extracting the original data from repeated audits and supports fully dynamic operations such as insertion, deletion and modification. Evaluation of the computation, storage and communication costs shows that the scheme has a small storage overhead and an overall communication cost of O(1).

Description

Dynamic integrity verification method with accountability
Technical Field
The invention belongs to the field of information security and relates to an integrity verification method with accountability.
Background
Existing integrity verification schemes can be divided into the Provable Data Possession (PDP) model and the Proof of Retrievability (POR) model, depending on whether corrupted data can be recovered. However, these schemes rarely consider how to make the server assume responsibility when data is corrupted. In addition, many schemes introduce a Third Party Auditor (TPA) to perform the audit tasks and relieve the burden on users. However, the TPA should not be fully trusted in a practical scenario: a malicious TPA can extract the raw data from repeated audit tasks. More importantly, almost all schemes assume by default that users are trusted, but users may deny their own behaviour and push the penalty for data loss onto the server. In particular, in a dynamic environment a malicious user with read-write permission can launch a denial attack. For example, a malicious competitor of the cloud service provider impersonates a user, denies having deleted part of the data, and shifts the responsibility to the cloud service provider.
Yumerefendi et al. (Yumerefendi A R, Chase J S. Strong accountability for network storage. ACM Transactions on Storage (TOS), 2007, 3(3): 11-es.) first proposed that participants in a storage network should be held accountable, but their approach relies on an authenticated data structure, which is inefficient because of the high communication and computation cost. Ateniese et al. (Ateniese G, Goodrich M T, Lekakis V, et al. Accountable Storage [C]// International Conference on Applied Cryptography and Network Security. Springer, Cham, 2017.) propose an accountable storage solution. However, their solution only holds the cloud server accountable and does not consider holding the other parties accountable in a dynamic environment. Furthermore, that approach may expose its locally stored information after a successful audit, after which the responsibility of the server can no longer be traced.
Disclosure of Invention
To solve the above problems, we propose a dynamic integrity verification scheme with accountability. We define a solution as accountable if it provides a way for each participant to detect or eliminate improper behaviour. Through the auditing algorithm, the auditor can check whether the remote data is intact. We then introduce a random number into the audit, eliminating the possibility of the TPA extracting the original data. Finally, a BLS signature is used to sign each read-write operation of the user, so that the server can prove whether the user has carried out a denial attack. Further, a metric computed over the data is stored locally; when data is corrupted, the metric is used to recover the corrupted data, and the Mahalanobis distance between the corrupted data and the original data is then calculated to obtain the degree of damage. The user may make a claim against the cloud service provider based on the degree of damage.
The technical scheme of the invention is as follows:
the invention provides a dynamic integrity verification method with accountability, which comprises the following steps:
1) The client C slices the data M into n blocks and generates a key pair (pk = (g, g^x, u), sk = x) with the KeyGen algorithm, where g is a generator of the multiplicative group, u is a random element of the multiplicative group and x is a random integer; then, with the StateGen algorithm, it outputs the sequence ID, the data signature SIG, the homomorphic verification tag (HVL) sequence of the blocks Φ = {σ_i}_{1≤i≤n} and a metric B; the client C sends pk, SIG, M and Φ to the cloud service provider S for storage and deletes its local copies of M and Φ;
the StateGen algorithm takes (pk, sk) and the data M = {m_1, m_2, ..., m_n} as input; for each block of M it generates id_i = H_id(m_i), 1 ≤ i ≤ n, forming the sequence ID = {id_1, id_2, ..., id_n}; it calculates the HVL σ_i of each block, runs the updateB algorithm to generate the metric B, then calculates R = id_1 · id_2 · ... · id_n and the signature SIG = R^x, and outputs (ID, SIG, Φ = {σ_i}_{1≤i≤n}, B);
2) The third party auditor TPA generates random numbers k_1 and k_2 according to the security parameter κ, sets the number of samples c so as to guarantee a given confidence probability, generates the challenge chal = (c, k_1, k_2) and sends it to the cloud service provider S; the cloud service provider computes the integrity proof P with the Response algorithm and returns it to the TPA. The Response algorithm is: select a secret random number r ← Z_p; according to chal = (c, k_1, k_2), for 1 ≤ j ≤ c use the pseudo-random permutation function and the pseudo-random function to calculate the random sampling positions i_j and the corresponding random coefficients; for the sampled positions i_1, i_2, ..., i_c calculate the aggregate HVL σ and the privacy-preserving parameter μ = u^μ′ · g^r ∈ G, where μ′ is the linear combination of the sampled data blocks; the Response algorithm outputs the integrity proof P = (σ, μ);
the third party auditor runs the CheckProof algorithm to check the validity of the integrity proof: according to the challenge chal = (c, k_1, k_2), for 1 ≤ j ≤ c it recomputes the sampling positions and random coefficients and, for I = {i_1, i_2, ..., i_c}, checks the verification equation, outputting 1 if the verification passes and 0 otherwise;
if the output is 0, the client retrieves all the data, runs the updateB algorithm over the blocks that remain intact to generate a metric B_2, extracts the original data by combining the locally stored metric B with the extractB algorithm, and calculates the Mahalanobis distance between the original data and the lost data as the loss metric;
3) The client C generates an update request with the UPrequest algorithm and sends it to the cloud service provider S; S performs the update operation according to the request and runs the UPresponse algorithm to obtain the response message RM; finally the client C runs the UPover algorithm to obtain the new metric B_new and stores it.
Preferably, the metric B is a table whose cells each contain three fields, Count, ID and DataSum: Count is the number of blocks mapped to the cell; ID is the product of the ids of all those blocks; DataSum is the exclusive-or of all those blocks;
the updateB algorithm specifically comprises:
initialising the number of metric cells to b = (k+1)λ and the three fields of every cell to zero; for 1 ≤ i ≤ n, first generating id_i = H_id(m_i), then using the hash set to map the block m_i to k different cells of the metric, and updating the fields of those k cells with z = 1 for insertion or z = -1 for deletion: Count = Count + z, ID = ID · id_i^z, and DataSum combined by exclusive-or with m_i; after the metric B has been computed over all data blocks, it is stored locally.
Preferably, the extractB algorithm specifically comprises:
for two metrics B and B_2 with the same number b of cells, for each cell computing Count = B.Count - B_2.Count, ID = B.ID / B_2.ID, and the exclusive-or of the two DataSum fields; then finding a cell containing only one data block, extracting that block as recovered data, setting z = -1 and updating the metric B with the updateB algorithm; then again finding a cell containing only one data block and extracting it, looping in this way until the metric is empty, so that all corrupted data blocks are recovered.
Preferably, in step 3), the inputs of the UPrequest algorithm are (pk, sk) and a write type, the write type being either the insertion type or the deletion type;
for the insertion type, where i denotes the position after which the new block is inserted and m′ the inserted data block, the algorithm generates id′ = H_id(m′) for m′ and inserts it into ID to obtain a new sequence ID′ and a new hash value R′ = R · id′, then calculates the HVL σ′ of m′ and the signature SIG = (R′)^x, and outputs an insert request UR;
for the deletion type, where i denotes the deletion position, the algorithm deletes id_i from ID to obtain a new sequence ID′, calculates the new hash value R′ = R / id_i, then calculates the signature SIG = (R′)^x and outputs a delete request UR.
Preferably, in step 3), the UPresponse algorithm is:
for an insert request, the algorithm computes id′ = H_id(m′) and R′ = R · id′, then verifies the validity of the signature with the equation e(v, R′) = e(SIG, g); if it holds, id′ is inserted into ID, m′ into M and σ′ into Φ, and the response message RM = {Success} is output; otherwise the response message RM = {Failure} is output;
for a delete request, the algorithm deletes id_i from ID, calculates R′ = R / id_i, then verifies the validity of the signature with the same equation; if the verification passes, m_i is deleted from M and σ_i from Φ, and the response message RM = {Success, m_i} is output; otherwise the response message RM = {Failure} is output.
Preferably, in step 3), the UPover algorithm is executed when the response message RM contains Success, specifically:
for an insert request, the algorithm runs B_new ← updateB(B, m′, 1) and outputs the new metric B_new;
for a delete request, the algorithm runs B_new ← updateB(B, m_i, -1) based on the response message RM and outputs the new metric B_new.
In contrast to the prior art, the present invention formally defines that a solution is accountable if it provides a means to detect or eliminate improper behaviour. We propose a dynamic integrity verification scheme with accountability that can detect improper behaviour of cloud servers and of users. Meanwhile, the scheme eliminates the possibility of the TPA extracting the original data from repeated audits and supports fully dynamic operations such as insertion, deletion and modification.
The present invention calculates the metric B so that corrupted data can be recovered with failure probability O(λ^-k) (λ is the maximum number of corrupted blocks allowed, k is a system parameter), and calculates the degree of corruption of the corrupted data with the Mahalanobis distance. At the same time, the invention proves that the scheme is secure under the CDH and DL assumptions and that the whole audit process is privacy-preserving.
The present invention performs a series of experiments to evaluate the computational, storage and communication overhead of the scheme. The results show that, when integrity verification with high confidence (e.g. 99%) is achieved, the computational complexity of the audit is unchanged; the storage overhead is only 1/400 of the original data size; and the overall communication overhead is O(1).
Drawings
FIG. 1 is a diagram of a network model of a system of the present invention;
FIG. 2 is a pseudo-code schematic of the updateB algorithm and the extractB algorithm.
Detailed Description
The invention is further illustrated and described below in connection with specific embodiments. The technical features of the embodiments of the invention can be combined correspondingly on the premise of no mutual conflict.
As shown in FIG. 1, the network model consists of three entities: users (clients), cloud service providers (CSPs) and third party auditors (TPAs). After the user uploads or updates data on the cloud server provided by the CSP through the client C, the TPA may be authorised to audit the cloud data. All entities are semi-trusted. The present invention therefore primarily considers the following three threat models.
1. A malicious CSP attempts to make the auditor believe that corrupted data is still intact. In other words, a malicious CSP wishes to forge an integrity proof that passes verification when the data is corrupted.
2. The user authorises the TPA to audit the cloud data. The TPA may repeatedly audit the same data block in order to extract the original data.
3. The user can read and write. A malicious user denies having modified the data, so that the server is penalised.
Let C denote the client or user, TPA the third party auditor, and S the server provided by the CSP. The dynamic integrity verification method with accountability comprises the following steps:
1) The client C slices the data M into n blocks and generates a key pair (pk, sk) with the KeyGen algorithm; then, with the StateGen algorithm, it outputs the sequence ID, the data signature SIG, the homomorphic verification tag (HVL) sequence of the blocks Φ = {σ_i}_{1≤i≤n} and a metric B; the client C sends pk, SIG, M and Φ to the cloud service provider S for storage and deletes its local copies of M and Φ;
the StateGen algorithm takes (pk, sk) and the data M = {m_1, m_2, ..., m_n} as input; for each block of M it generates id_i = H_id(m_i), 1 ≤ i ≤ n, forming the sequence ID = {id_1, id_2, ..., id_n}; it calculates the HVL σ_i of each block, runs the updateB algorithm to generate the metric B, then calculates R = id_1 · id_2 · ... · id_n and the signature SIG = R^x, and outputs (ID, SIG, Φ = {σ_i}_{1≤i≤n}, B);
2) The third party auditor TPA generates random numbers k_1 and k_2 according to the security parameter κ, sets the number of samples c so as to guarantee a given confidence probability, generates the challenge chal = (c, k_1, k_2) and sends it to the cloud service provider S; the cloud service provider computes the integrity proof P with the Response algorithm and returns it to the TPA. The Response algorithm is: select a secret random number r ← Z_p; according to chal = (c, k_1, k_2), for 1 ≤ j ≤ c calculate the sampling positions and random coefficients; for i_1, i_2, ..., i_c calculate the aggregate HVL σ and μ = u^μ′ · g^r ∈ G, where μ′ is the linear combination of the sampled data blocks; the Response algorithm outputs the integrity proof P = (σ, μ);
the third party auditor runs the CheckProof algorithm to check the validity of the integrity proof: according to the challenge chal = (c, k_1, k_2), for 1 ≤ j ≤ c it recomputes the sampling positions and random coefficients and, for I = {i_1, i_2, ..., i_c}, checks the verification equation, outputting 1 if the verification passes and 0 otherwise;
if the output is 0, the client retrieves all the data, runs the updateB algorithm over the blocks that remain intact to generate a metric B_2, extracts the original data by combining the locally stored metric B with the extractB algorithm, and calculates the Mahalanobis distance between the original data and the lost data as the loss metric;
3) The client C generates an update request with the UPrequest algorithm and sends it to the cloud service provider S; S performs the update operation according to the request and runs the UPresponse algorithm to obtain the response message RM; finally the client C runs the UPover algorithm to obtain the new metric B_new and stores it.
From the above steps, the scheme of the invention is a set of eight polynomial-time algorithms (KeyGen, StateGen, Challenge, Response, CheckProof, UPrequest, UPresponse, UPover).
The respective polynomial-time algorithms will now be described. First the notation: let κ be a security parameter and p a large prime. Z_p denotes the integer group of prime order p, and G denotes a multiplicative cyclic group of prime order p with a bilinear map, where g is a generator of G. Let H_id be a secure global hash function, H_id: {0,1}* → G. Furthermore, we use a pseudo-random permutation function (PRP) and a pseudo-random function (PRF) f: {0,1}* × {0,1}^κ → Z_p. The insertion write type indicates that a new block m′ is inserted after the i-th block, and the deletion write type indicates that the i-th block is deleted.
KeyGen(1^κ) → (pk, sk) is a probabilistic key generation algorithm run by the client C to initialise the scheme. It takes the security parameter κ as input and outputs a key pair (pk, sk), where pk is the public key and sk is the private key.
Specifically, in the embodiment of the present invention, the KeyGen(1^κ) → (pk, sk) algorithm randomly selects x ← Z_p from Z_p and u ← G from G, then computes v = g^x ∈ G. It outputs the public key pk = (g, v, u) and the private key sk = x.
StateGen(pk, sk, M) → (ID, SIG, Φ, B) is a deterministic algorithm run by C that takes the pair (pk, sk) and the data M = {m_1, m_2, ..., m_n} as input; its output comprises the sequence ID, the data signature SIG, the homomorphic verification tag (HVL) sequence of the blocks Φ = {σ_i}_{1≤i≤n} and a metric B.
Specifically, in the embodiment of the present invention, the StateGen(pk, sk, M) → (ID, SIG, Φ, B) algorithm is: for the data M = {m_1, m_2, ..., m_n}, the algorithm generates id_i = H_id(m_i) for each block, 1 ≤ i ≤ n, forming the sequence ID = {id_1, id_2, ..., id_n}. It then calculates the HVL σ_i of each block and runs B ← updateB(B, m_i, 1) with the hash set. It then calculates R = id_1 · id_2 · ... · id_n and the signature SIG = R^x. The algorithm outputs (ID, SIG, Φ = {σ_i}_{1≤i≤n}, B).
It should be noted that the present invention stores the metric B locally and, when data is corrupted, uses it to recover the corrupted data. The following shows how the metric B is calculated and how lost data is extracted:
Let M = (m_1, ..., m_n) denote a data set of n blocks m_1, ..., m_n, and let λ denote the maximum number of corrupted blocks allowed. Besides the hash set, we also use an additional id-generator function H_id, which maps a block to an element of the multiplicative cyclic group G equipped with a bilinear pairing, H_id: {0,1}* → G. Each cell of the metric contains three fields: Count, ID and DataSum. Count is the number of blocks mapped to the cell; ID is the product of the ids of all those blocks; DataSum is the exclusive-or of all those blocks.
Theorem 1: Let M_1 be a data set and M_2 a subset of it with |M_1| - |M_2| ≤ λ. Their respective metrics B_1 and B_2 are generated by the updateB algorithm, and B_1 and B_2 each have b = (k+1)λ cells. Then with probability O(λ^-k) the extractB algorithm outputs Fail, i.e. fails to extract the difference M_1 - M_2.
(1) Metric B setting and generation
We initially set the number of cells of the metric to b = (k+1)λ, as described in Theorem 1, with the three fields of every cell zero. For 1 ≤ i ≤ n we first generate id_i = H_id(m_i). We then use the hash set to map the block m_i to k different cells of the metric. In the updateB algorithm, setting z = 1 or z = -1 determines whether data is inserted or deleted.
(2) Data extraction
We define a cell B[ind] of the metric B as pure when the following two conditions are met: (1) B[ind].Count = 1; (2) B[ind].ID = H_id(B[ind].DataSum). The specific procedure for extracting the difference between two metrics, B_3 = B_1 - B_2, is given by the extractB algorithm.
A pseudo-code schematic of the updateB and extractB algorithms is shown in FIG. 2. The updateB algorithm specifically comprises: initialising the number of metric cells to b = (k+1)λ and the three fields of every cell to zero; for 1 ≤ i ≤ n, first generating id_i = H_id(m_i), then using the hash set to map the block m_i to k different cells of the metric, and, with z = 1 for insertion or z = -1 for deletion, updating the fields of those k cells: Count = Count + z, ID = ID · id_i^z, and DataSum combined by exclusive-or with m_i.
The extractB algorithm specifically comprises: for two metrics B and B_2 with the same number b of cells, for each cell computing Count = B.Count - B_2.Count, ID = B.ID / B_2.ID, and the exclusive-or of the two DataSum fields; then finding a cell containing only one data block, extracting that block as recovered data, setting z = -1 and updating the metric B with the updateB algorithm; then again finding a cell containing only one data block and extracting it, looping in this way until the metric is empty, so that all corrupted data blocks are recovered.
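As an added example (not the patent's own code, and serving both the "Preferably, the updateB/extractB algorithm" paragraphs and the metric description above), the metric B with updateB, the purity test and the extractB peeling loop in Python: the group G is modelled as the multiplicative group modulo a prime P so that the ID field is a product and division is a modular inverse, H_id and the hash set are derived from SHA-256, and the block set and the lost blocks are constructed inline. The parameter values (k = 3, λ = 16, 32-byte blocks) are assumptions of this example, not values from the patent.

```python
import hashlib

# Parameters assumed for this example (not the patent's values).
P = (1 << 127) - 1           # prime; G is modelled as Z_P^*, so ID products/divisions are mod-P arithmetic
K = 3                        # size k of the hash set: cells touched per block
LAMBDA = 16                  # λ, the maximum number of corrupted blocks allowed
B_CELLS = (K + 1) * LAMBDA   # b = (k+1)λ cells, as in Theorem 1
BLOCK_SIZE = 32              # fixed block length in bytes, so DataSum (XOR) stays invertible


def h_id(block: bytes) -> int:
    """Id generator H_id: {0,1}* -> G, here a nonzero residue mod P (so it is invertible)."""
    digest = hashlib.sha256(b"id|" + block).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def cell_indices(block: bytes, b: int, k: int) -> list:
    """The hash set: map a block to k *different* cells of a b-cell metric."""
    idxs, j = [], 0
    while len(idxs) < k:
        digest = hashlib.sha256(b"cell|%d|" % j + block).digest()
        idx = int.from_bytes(digest, "big") % b
        if idx not in idxs:
            idxs.append(idx)
        j += 1
    return idxs


def new_metric(b: int = B_CELLS) -> list:
    """A metric B: b cells with Count = 0, ID = 1 (neutral element of G) and DataSum = 0."""
    return [{"Count": 0, "ID": 1, "DataSum": 0} for _ in range(b)]


def update_b(B: list, block: bytes, z: int) -> list:
    """updateB(B, m, z): z = +1 inserts block m into the metric, z = -1 deletes it."""
    bid = h_id(block)
    factor = bid if z == 1 else pow(bid, -1, P)      # id^z in the group
    data = int.from_bytes(block, "big")
    for idx in cell_indices(block, len(B), K):
        cell = B[idx]
        cell["Count"] += z
        cell["ID"] = (cell["ID"] * factor) % P
        cell["DataSum"] ^= data
    return B


def is_pure(cell: dict) -> bool:
    """Purity test from the text: Count = 1 and ID = H_id(DataSum)."""
    if cell["Count"] != 1:
        return False
    return cell["ID"] == h_id(cell["DataSum"].to_bytes(BLOCK_SIZE, "big"))


def metric_is_empty(B: list) -> bool:
    return all(c["Count"] == 0 and c["ID"] == 1 and c["DataSum"] == 0 for c in B)


def extract_b(B: list, B2: list):
    """extractB: recover the blocks counted in B but not in B2 (B2's block set is a subset of B's).

    Returns the list of recovered blocks, or None for the Fail case of Theorem 1
    (no pure cell left while the difference metric is not yet empty)."""
    # Cell-wise difference B - B2: Count subtracted, ID divided, DataSum XORed.
    diff = [{"Count": c1["Count"] - c2["Count"],
             "ID": (c1["ID"] * pow(c2["ID"], -1, P)) % P,
             "DataSum": c1["DataSum"] ^ c2["DataSum"]}
            for c1, c2 in zip(B, B2)]
    recovered = []
    while not metric_is_empty(diff):
        pure = next((c for c in diff if is_pure(c)), None)
        if pure is None:
            return None                              # Fail: peeling is stuck
        block = pure["DataSum"].to_bytes(BLOCK_SIZE, "big")
        recovered.append(block)
        update_b(diff, block, -1)                    # z = -1 removes the recovered block everywhere
    return recovered


def demo(n: int = 40, corrupted: int = 4) -> dict:
    """Constructed scenario: the client keeps B for all n blocks; the server loses `corrupted` of them."""
    blocks = [hashlib.sha256(b"block|%d" % i).digest() for i in range(n)]   # constructed 32-byte blocks
    lost = set(blocks[::n // corrupted][:corrupted])
    B = new_metric()                                 # client's locally stored metric of the full data
    for m in blocks:
        update_b(B, m, 1)
    B2 = new_metric()                                # metric over the blocks that survived on the server
    for m in blocks:
        if m not in lost:
            update_b(B2, m, 1)
    found = extract_b(B, B2)
    return {"lost": lost, "recovered": set(found) if found is not None else None}


if __name__ == "__main__":
    result = demo()
    print("recovered all lost blocks:", result["recovered"] == result["lost"])
```

The Mahalanobis-distance damage measure applied to the recovered blocks is not modelled here.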
Challenge(1^κ) → chal is a probabilistic algorithm run by the auditor. It takes the security parameter κ as input and outputs a challenge chal specifying the blocks for which the auditor requires a proof of integrity.
Specifically, in the embodiment of the present invention, the Challenge(1^κ) → chal algorithm generates random numbers k_1 and k_2 according to the security parameter κ. It sets c so as to guarantee a given confidence probability. The algorithm outputs chal = (c, k_1, k_2).
Response(pk, chal, Φ, M) → P is a probabilistic algorithm run by S. Its inputs are the public key pk, the challenge chal, the HVL sequence Φ and the data M. Its output is the integrity proof P.
Specifically, in the embodiment of the present invention, Response(pk, chal, Φ, M) → P: the algorithm selects a secret random number r ← Z_p. According to chal = (c, k_1, k_2), for 1 ≤ j ≤ c it calculates the sampling positions and random coefficients, and for i_1, i_2, ..., i_c it calculates the aggregate HVL σ and μ = u^μ′ · g^r ∈ G, where μ′ is the linear combination of the sampled blocks. The algorithm outputs the proof P = (σ, μ).
CheckProof(pk, P, chal, ID) → {"1", "0"} is a deterministic algorithm run by the auditor. Its inputs are the public key pk, the proof P, the challenge chal and the sequence ID. Output 1 means the data is intact; output 0 means the data is corrupted.
Specifically, in the embodiment of the present invention, in the CheckProof(pk, P, chal, ID) → {"1", "0"} algorithm, according to the challenge chal = (c, k_1, k_2), for 1 ≤ j ≤ c the algorithm calculates the sampling positions and random coefficients and, for I = {i_1, i_2, ..., i_c}, checks the verification equation, outputting 1 if the verification passes and 0 otherwise.
The UPrequest algorithm is a deterministic algorithm performed by the client C. Its inputs are the pair (pk, sk) and a write type, either the insertion type or the deletion type. The algorithm outputs an update request UR.
Specifically, in the embodiment of the present invention, the UPrequest algorithm operates in one of two cases, depending on the write type:
For the insertion type, the algorithm generates id′ = H_id(m′) for m′ and inserts it into ID to obtain a new sequence ID′ and a new hash value R′ = R · id′. It then calculates the HVL σ′ of m′ and the signature SIG = (R′)^x. The algorithm outputs an insert request UR.
For the deletion type, the algorithm deletes id_i from ID to obtain a new sequence ID′ and calculates the new hash value R′ = R / id_i. It then calculates the signature SIG = (R′)^x. The algorithm outputs a delete request UR.
UPresponse(pk, ID, Φ, M, UR) → RM is a deterministic algorithm performed by S. Its inputs are the public key pk, the sequence ID, the HVL sequence Φ, the data M and the update request UR; it outputs the response message RM.
Specifically, in the embodiment of the present invention, the UPresponse(pk, ID, Φ, M, UR) → RM algorithm updates the data according to UR:
For an insert request, the algorithm computes id′ = H_id(m′) and R′ = R · id′. It then verifies the validity of the signature with the equation e(v, R′) = e(SIG, g); if it holds, id′ is inserted into ID, m′ into M and σ′ into Φ, and the response message RM = {Success} is output; otherwise the response message RM = {Failure} is output.
For a delete request, the algorithm deletes id_i from ID and calculates R′ = R / id_i. It then verifies the validity of the signature with the same equation. If the verification passes, m_i is deleted from M and σ_i from Φ, and the response message RM = {Success, m_i} is output; otherwise the response message RM = {Failure} is output.
The UPover algorithm is a deterministic algorithm run by C. It takes as input the public key pk, the sequence ID, the update request UR, the metric B and the response message RM. It outputs a new metric B_new.
Specifically, in the embodiment of the present invention, if RM contains Success, the UPover algorithm operates as follows:
For an insert request, the algorithm runs B_new ← updateB(B, m′, 1); the output is the new metric B_new.
For a delete request, the algorithm runs B_new ← updateB(B, m_i, -1) based on the response message RM, and outputs the new metric B_new.
The inventive approach is fully dynamic: data can be modified by using one insert operation and one delete operation. Meanwhile, the scheme requires the user to sign their own update behaviour, which prevents denial attacks by the user. However, the server may be subject to replay attacks, i.e. an old signature of the client being presented and declared valid. This problem is easily solved by having the server also sign the response message; at the same time, all signed content contains a timestamp. Finally, the present invention may use a public ledger such as a blockchain to enforce the accountability property; for example, the scheme uploads all public information, such as update records and audit records, to the blockchain.
The scheme of the present invention is analyzed in terms of correctness, security, privacy and accountability as follows.
1. Regarding correctness
In the scheme, a corresponding id is generated for each data block by a hash function, so the sequence ID is effectively protected against tampering or forgery. In the challenge, random numbers k_1 and k_2 are generated according to the security parameter κ, which ensures the randomness of the audit. If the data remains intact, the proof sent by the CSP is correct.
2. Regarding security
The security of the ADS-IV scheme is based on the CDH and DL problems. If an adversary can break the scheme, we can use the adversary to solve the CDH problem or the DL problem.
Theorem 2: The ADS-IV scheme is secure in the random oracle model under the CDH assumption and the DL assumption.
Proof: We model the hash function H_id(·) as a random oracle. For the CDH problem: given (g, g^x, h) ∈ G, compute h^x. For the DL problem: given (g, h) ∈ G, find y such that g^y = h.
We assume that a malicious server tampers with block m_i. If it wants to pass verification, it needs to construct a valid HVL. However, the malicious server does not know the private key x, so it cannot forge an HVL satisfying the verification equation unless it can solve the CDH problem or the DL problem.
3. With respect to privacy
To eliminate the possibility of the TPA extracting the original data from repeated audits, a random number is introduced into the audit process. Thus, from the perspective of the TPA, the entire audit process is indistinguishable. The randomness of the proof makes the TPA unable to extract any data.
Theorem 3: If the audit process is random, the ADS-IV scheme is privacy-preserving, which eliminates malicious behaviour of the TPA.
Proof: In the Response algorithm, the server selects a random number r that is unknown to the auditor. The proof consists of σ and μ = u^μ′ · g^r ∈ G, where μ′ is the linear combination of the sampled blocks. In each audit the server selects a new random number, so σ and μ are uniformly distributed. Thus, from the auditor's perspective, even two proofs for the same block cannot be distinguished unless the malicious TPA knows the random number in advance. This prevents a malicious TPA from obtaining the raw data from repeated audits. The ADS-IV scheme is privacy-preserving.
4. Regarding accountability
The scheme of the invention involves three entities: the user, the CSP and the TPA. Meanwhile, we consider three threat models: a user can use their read-write capability to destroy data and frame the server; the CSP hopes to pass the auditor's verification with forged evidence; the TPA wishes to extract the raw data from the auditing process. We therefore define the accountability of the scheme as follows:
Definition: A solution is accountable if it provides a means to detect or eliminate improper behaviour.
The result of integrity verification alone is not sufficient as a basis for the user to seek compensation from the CSP. Therefore, we calculate and store a metric of the data in order to recover from damage, and use the Mahalanobis distance to calculate the degree of damage as the basis for seeking compensation from the CSP.
Theorem 4: Under the definition, the scheme is accountable.
Proof: When uploading or updating data, the hash value of the data has to be signed with BLS. Thus, if a user denies their behaviour, the server can prove the user's malicious behaviour. According to Theorem 2, our solution is secure under the CDH and DL assumptions, which means that malicious behaviour of the server will be detected by the auditor. Theorem 1 proves that if the number of corrupted blocks is less than λ, the probability that the user cannot recover the original data does not exceed O(λ^-k), where k is the size of the hash set. The user can seek compensation from the CSP by recovering the data, which greatly reduces the CSP's incentive for malicious behaviour. Thus, the server is held responsible. According to Theorem 3, the entire audit process eliminates the possibility of the TPA extracting data. By the definition, all improper behaviour can be detected or eliminated, so the scheme is accountable.
The invention is further evaluated experimentally as follows.
Based on the prototype protocol, we set up a series of experiments to test its performance. The experiments use the Pairing-Based Cryptography library (PBC, http://crypto.stanford.edu/pbc/), are written in C, and run on an Intel(R) Core(TM) i5-3470 at 3.20 GHz with 16 GB RAM. The security level is 80 bits, i.e. |p| = 160. We randomly generated 100 to 50,000 blocks of the same size (8 KB) with Fake File Generator (https://www.fakefilegenerator.com). Throughout the evaluation we report the average of 10 trials.
We first measure the computational cost and storage overhead of the setup phase. In the table referred to below, the first column is the number of blocks, the second the size of the HVL sequence, the third the size of the ID sequence, and the fourth the storage overhead of the metric. The storage overhead of the ID sequence is very small, only around 1/400 of the whole data size. We set … and k = 10. The user can then recover the original data with overwhelming probability. The space overhead of the metric is only …
During the audit phase, the TPA sends chal = (c, k_1, k_2) to the server, so the communication overhead is only O(1). The server returns the proof P = (σ, μ), whose overhead is also O(1). Thus the overall communication complexity is O(1) + O(1) = O(1).
Given P_X (the probability that, if the server has corrupted t blocks, the TPA detects the server's misbehaviour after requesting an audit of c file blocks), we set c = 460 and c = 300 to reach 99% and 95% confidence respectively when 1% of the blocks are corrupted.
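The sampling bound behind the c = 460 and c = 300 figures, as an added example that is not code from the patent: the patent's own expression for P_X did not survive as text, so the script assumes the standard provable-data-possession bound P_X ≥ 1 − (1 − t/n)^c (with the exact without-replacement product alongside it) and checks that 460 and 300 samples give at least 99% and 95% detection probability when 1% of the blocks are corrupted. The function names are the example's own.

```python
import math

# Added example (not from the patent): the probabilistic-sampling bound used in
# provable-data-possession auditing. If the server has corrupted t of n blocks
# and the TPA samples c distinct blocks uniformly at random, the probability of
# touching at least one corrupted block is
#   P_X = 1 - prod_{j=0}^{c-1} (n - t - j) / (n - j)  >=  1 - (1 - t/n)^c.
# We assume this is the P_X the patent refers to.


def detection_probability(n: int, t: int, c: int) -> float:
    """Exact P_X when sampling c distinct blocks out of n, t of them corrupted."""
    if t <= 0:
        return 0.0
    if c >= n - t + 1:
        return 1.0          # more samples than intact blocks: certain detection
    p_miss = 1.0
    for j in range(c):      # probability that every sampled block is intact
        p_miss *= (n - t - j) / (n - j)
    return 1.0 - p_miss


def detection_lower_bound(fraction_corrupted: float, c: int) -> float:
    """The n-independent bound 1 - (1 - t/n)^c that the 460/300 figures follow."""
    return 1.0 - (1.0 - fraction_corrupted) ** c


def samples_for_confidence(fraction_corrupted: float, confidence: float) -> int:
    """Smallest c with 1 - (1 - f)^c >= confidence, for corrupted fraction f."""
    if not 0 < fraction_corrupted < 1 or not 0 < confidence < 1:
        raise ValueError("fraction and confidence must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - fraction_corrupted))


if __name__ == "__main__":
    for conf in (0.99, 0.95):
        c = samples_for_confidence(0.01, conf)
        print(f"{conf:.0%} confidence at 1% corruption needs c >= {c}")
    print("P_X with c=460:", detection_lower_bound(0.01, 460))
    print("P_X with c=300:", detection_lower_bound(0.01, 300))
```

The exact product is always at least the closed-form bound, so an auditor who chooses c from the bound is never over-optimistic; the minimal c values it yields (459 and 299) are slightly below the rounded figures the text uses.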
The foregoing examples illustrate only a few embodiments of the invention; they are described in detail without thereby limiting the scope of the invention. It should be noted that several variations and modifications, apparent to those skilled in the art, can be made without departing from the spirit of the invention, and all of them fall within its scope. Accordingly, the scope of the invention should be assessed by the appended claims.

Claims (6)

1. A method for dynamic integrity verification with accountability, comprising the steps of:
1) The client C slices the data M into n blocks and generates a key pair (pk = (g, g^x, u), sk = x) by the KeyGen algorithm, where g is a generator of a multiplicative group, u is a random element of the multiplicative group, and x is a random integer; then, through the StateGen algorithm, it outputs the sequence ID, the data signature SIG, the homomorphic verification tag (HVL) sequence Φ = {σ_i}_{1≤i≤n} of the blocks, and the metric B; the client C sends pk, SIG, M and Φ to the cloud service provider S for storage and deletes its local copies of M and Φ;
the StateGen algorithm takes (pk, sk) and the data M = {m_1, m_2, ..., m_n} as input; for the data M it generates an identifier id_i = H_id(m_i) for each block, where 1 ≤ i ≤ n, forming the sequence ID = {id_1, id_2, ..., id_n}; it computes the HVL σ_i of each block, runs the updateB algorithm to generate the metric B, then computes R = id_1 · id_2 · ... · id_n and the signature SIG = R^x, and outputs (ID, SIG, Φ = {σ_i}_{1≤i≤n}, B);
2) The third-party auditor TPA generates random numbers k_1 and k_2 according to the security parameter k, sets the number of samples c so as to guarantee a given confidence probability, generates the challenge chal = (c, k_1, k_2) and sends it to the cloud service provider S; the cloud service provider obtains the integrity proof P according to the Response algorithm and returns it to the TPA, where the Response algorithm is: select a secret random number r ← Z_p; according to chal = (c, k_1, k_2), for 1 ≤ j ≤ c, compute the random sampling positions and the corresponding random numbers using a pseudo-random permutation function and a pseudo-random function; for the random sampling positions i_1, i_2, ..., i_c compute the aggregate HVL σ and the privacy-preserving parameter μ = u^{μ′} · g^r ∈ G, where μ′ is a linear combination of the data blocks; the Response algorithm outputs the integrity proof P = (σ, μ);
the third-party auditor runs the CheckProof algorithm to check the validity of the integrity proof, where the CheckProof algorithm, based on the challenge chal = (c, k_1, k_2), recomputes the sampling positions and random numbers for 1 ≤ j ≤ c, and for I = {i_1, i_2, ..., i_c} checks the verification equation, which is as follows,
outputting 1 if the verification passes and 0 otherwise;
if the output is 0, the client retrieves all the data, runs the updateB algorithm to generate a metric B_2 over the data blocks that remain intact, extracts the original data by combining the locally stored metric B with the extractB algorithm, and computes the Mahalanobis distance between the original data and the lost data as a loss metric;
3) The client C generates an update request through the UPrequest algorithm and sends it to the cloud service provider S; the cloud service provider S performs the update operation according to the update request and runs the UPresponse algorithm to obtain a response message RM; finally the client C runs the UPover algorithm to obtain a new metric B_new and stores the new metric B_new.
2. The dynamic integrity verification method with accountability of claim 1, wherein the metric B is a table in which each cell contains three fields, Count, ID and DataSum: Count represents the number of blocks mapped to the cell; ID represents the product of the IDs of all blocks mapped to the cell; DataSum represents the exclusive-or of all blocks mapped to the cell;
the updateB algorithm specifically comprises:
initializing the number of metric cells to b = (k+1)λ and the three fields of each cell to zero; for 1 ≤ i ≤ n, first generating id_i = H_id(m_i), then using the hash set of k functions to map the block m_i to k different cells of the metric, and updating the fields of those k cells, with z = 1 for insertion or z = −1 for deletion: Count = Count + z, ID = ID · id_i^z, and DataSum is exclusive-ored with m_i; after the metric B has been computed for all data blocks, it is stored locally.
3. The dynamic integrity verification method with accountability of claim 2, wherein the extractB algorithm is specifically:
for two metrics B and B_2 having the same number b of cells, for each cell compute B.Count = B.Count − B_2.Count, B.ID = B.ID / B_2.ID, and the exclusive-or of the two DataSum fields; then find a cell that contains only one data block, extract that data block as recovered data, set z = −1 and update the metric B with the updateB algorithm; then again find a cell that contains only one data block and extract it, repeating until the contents of the metric are all 0, at which point all damaged data blocks have been recovered.
4. The dynamic integrity verification method with accountability of claim 1, wherein in step 3) the input of the UPrequest algorithm is (pk, sk) and a write type, the write type being either an insertion type or a deletion type;
wherein, for the insertion type, where i represents the i-th position after which the block is inserted and m* represents the inserted data block, the algorithm generates id* = H_id(m*) for m*, inserts it into ID to obtain a new sequence ID* and a new hash value R* = R · id*, then computes the HVL of m*, σ* = (id* · u^{m*})^x, and the signature SIG* = (R*)^x, and outputs an insertion request;
for the deletion type, where i represents the deletion position, the algorithm deletes id_i from ID to obtain a new sequence ID*, computes the new hash value R* = R / id_i, then computes the signature SIG* = (R*)^x and outputs a deletion request.
5. The dynamic integrity verification method with accountability of claim 4, wherein in step 3) the UPresponse algorithm is:
for an insertion request, the algorithm computes id* = H_id(m*) and R* = R · id*, then verifies the validity of the signature by the equation e(v, R*) = e(SIG*, g); if verification passes, it inserts id* into ID, m* into M and σ* into Φ, and outputs the response message RM = {Success}; otherwise it outputs the response message RM = {Failure};
for a deletion request, the algorithm deletes id_i from ID, computes R* = R / id_i, then verifies the validity of the signature by the same equation; if verification passes, it deletes m_i from M and σ_i from Φ, and outputs the response message RM = {Success, m_i}; otherwise it outputs the response message RM = {Failure}.
6. The dynamic integrity verification method with accountability of claim 5, wherein in step 3) the UPover algorithm is run when the response message RM contains Success, specifically:
for an insertion, the algorithm runs B_new ← updateB(B, m*, 1) and outputs the new metric B_new;
for a deletion, the algorithm runs B_new ← updateB(B, m_i, −1) on the basis of the response message RM and outputs the new metric B_new.
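The metric B of claims 2, 3 and 6 (updateB with z = ±1, the cell-wise difference of B and B_2, and repeated extraction of single-block cells), as an added example that is not the patent's own code: it instantiates H_id as SHA-256 reduced into Z_p for a 61-bit Mersenne prime p (so the ID product is taken modulo p and "division" is a modular inverse), the k cell hashes as SHA-256 with a per-hash prefix, and a fixed block size; these instantiations and the function names are the example's assumptions, not the patent's. The demo builds B over 200 constructed blocks, a second metric B_2 over the blocks that remain after 5 are lost, and recovers exactly the 5 lost blocks.

```python
import hashlib
import random

# Added example (not the patent's own code): a toy implementation of the metric
# B from claims 2 and 3. Each cell holds (Count, ID, DataSum); ID is the product
# of block identifiers and DataSum the XOR of block contents. Assumptions not
# fixed by the claims: H_id maps a block to a non-zero element of Z_p for a
# 61-bit Mersenne prime p, the k cell hashes are SHA-256 with a per-hash prefix,
# and every block has the same fixed size.

P = (1 << 61) - 1          # modulus for the multiplicative ID field (assumption)
BLOCK_SIZE = 8             # bytes per block; tiny so the example stays readable


def h_id(block: bytes) -> int:
    """H_id: block -> non-zero element of Z_p (assumed instantiation)."""
    digest = hashlib.sha256(b"id|" + block).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 1)


def cell_positions(block_id: int, k: int, b: int) -> list[int]:
    """The hash set {H_1..H_k}: k distinct cells in [0, b) for one block id."""
    cells: list[int] = []
    counter = 0
    while len(cells) < k:              # rehash until k distinct cells are found
        d = hashlib.sha256(b"cell|%d|%d" % (counter, block_id)).digest()
        pos = int.from_bytes(d, "big") % b
        if pos not in cells:
            cells.append(pos)
        counter += 1
    return cells


def new_metric(k: int, lam: int) -> list[dict]:
    """Initialise b = (k+1)*lambda cells with all three fields zero (claim 2)."""
    return [{"Count": 0, "ID": 1, "DataSum": 0} for _ in range((k + 1) * lam)]


def update_b(B: list[dict], block: bytes, z: int, k: int) -> list[dict]:
    """updateB: z = 1 inserts the block, z = -1 deletes it (claims 2 and 6)."""
    bid = h_id(block)
    factor = bid if z == 1 else pow(bid, -1, P)      # ID = ID * id^z
    for pos in cell_positions(bid, k, len(B)):
        cell = B[pos]
        cell["Count"] += z
        cell["ID"] = cell["ID"] * factor % P
        cell["DataSum"] ^= int.from_bytes(block, "big")
    return B


def extract_b(B: list[dict], B2: list[dict], k: int) -> list[bytes]:
    """extractB (claim 3): recover the blocks present in B but missing from B2."""
    if len(B) != len(B2):
        raise ValueError("metrics must have the same number of cells")
    # Cell-wise difference: Count = B.Count - B2.Count, ID = B.ID / B2.ID,
    # DataSum = B.DataSum xor B2.DataSum; the difference encodes the lost set.
    D = [{"Count": c1["Count"] - c2["Count"],
          "ID": c1["ID"] * pow(c2["ID"], -1, P) % P,
          "DataSum": c1["DataSum"] ^ c2["DataSum"]} for c1, c2 in zip(B, B2)]
    recovered: list[bytes] = []
    progress = True
    while progress:
        progress = False
        for cell in D:
            # A cell holding exactly one block is "pure"; the id check guards
            # against a Count of 1 produced by anything other than one block.
            if cell["Count"] == 1:
                block = cell["DataSum"].to_bytes(BLOCK_SIZE, "big")
                if h_id(block) != cell["ID"]:
                    continue
                recovered.append(block)
                update_b(D, block, -1, k)     # remove it from the metric with z = -1
                progress = True
    if any(c["Count"] != 0 for c in D):
        raise RuntimeError("too many lost blocks: extraction stalled")
    return recovered


def demo() -> tuple[int, bool]:
    """Constructed run: 200 blocks, 5 lost; returns (#recovered, all correct)."""
    rng = random.Random(1)
    blocks = [rng.getrandbits(8 * BLOCK_SIZE).to_bytes(BLOCK_SIZE, "big")
              for _ in range(200)]                  # constructed sample data
    k, lam = 4, 20                                  # lambda bounds the losses
    B = new_metric(k, lam)
    for m in blocks:
        update_b(B, m, 1, k)                        # client keeps B locally
    lost = set(rng.sample(range(200), 5))
    B2 = new_metric(k, lam)
    for i, m in enumerate(blocks):
        if i not in lost:
            update_b(B2, m, 1, k)                   # metric over intact blocks
    got = extract_b(B, B2, k)
    return len(got), sorted(got) == sorted(blocks[i] for i in lost)


if __name__ == "__main__":
    print("recovered, correct:", demo())
```

Because B is built once and only the cell-wise difference is decoded, the client's local storage stays at (k+1)λ cells regardless of n, which is the storage property the evaluation section measures; extraction fails loudly when more than roughly λ blocks are lost rather than returning partial data.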
CN202110805387.8A 2021-07-16 2021-07-16 Dynamic integrity verification method with accountability Active CN113656840B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110805387.8A CN113656840B (en) 2021-07-16 2021-07-16 Dynamic integrity verification method with accountability

Publications (2)

Publication Number Publication Date
CN113656840A CN113656840A (en) 2021-11-16
CN113656840B true CN113656840B (en) 2024-01-02

Family

ID=78478046

Country Status (1)

Country Link
CN (1) CN113656840B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant