CN114398648A - Practical cloud storage method and system supporting dynamic operation and multi-user storage certification - Google Patents

Abstract

The invention belongs to the technical field of storage security, and discloses a practical cloud storage method and a practical cloud storage system supporting dynamic operation and multi-user storage certification, wherein the practical cloud storage method supporting the dynamic operation and the multi-user storage certification comprises the following steps: the system initializes all participants according to a Setup protocol, wherein the participants comprise users, cloud service providers and third party verifiers; triggering an Upload protocol when a client wants to Upload data; the POR protocol is used for assisting the verifier to verify the integrity of data and copies in the cloud by the cloud user; the Update protocol is used for independently updating files according to own will in a system for realizing data deduplication by a cloud user. The invention can effectively resist the malicious attacks of all parties including the user and the cloud storage provider and the collusion between part of users and the cloud storage provider; and computing, storage and bandwidth overhead of cloud storage providers and cloud user sides can be significantly reduced.

Description

Practical cloud storage method and system supporting dynamic operation and multi-user storage certification

Technical Field

The invention belongs to the technical field of storage security, and particularly relates to a practical cloud storage method and system supporting dynamic operation and multi-user storage certification.

Background

At present, with continuous innovation and breakthrough of information technology, particularly generation and development of internet of things, artificial intelligence and cloud computing technology, data is undergoing explosive growth. According to IDC estimation, the average data volume of people reaches 5200GB by 2020. The appearance of cloud storage provides a solution to this problem, and cloud storage becomes a development trend of future information storage. Since individuals and businesses can store, access, and seamlessly synchronize data from different devices, cloud storage services have become an indispensable part of everyday life and have received widespread attention from both academic and industrial communities.

Since the Cloud Service Provider (CSP) is an independent management entity, outsourcing is actually relinquishing the user's ultimate control over their data fate. Thus, availability and integrity are the most important challenges in cloud storage, but data may be corrupted due to hardware bugs, software bugs, and human mishandling. Recently, large cloud service providers have experienced large data loss or severe outage events, exacerbating these concerns. And in a general cloud storage model, a semi-honest CSP may decide to hide data errors or losses for profit. Recent studies have shown that in standard file systems, deduplication across users can save more than 50% of storage cost, and in backup applications up to 90-95% of storage cost. Data deduplication is therefore a common technique used by CSPs to save storage and bandwidth, which would ideally allow customers to gain economic benefit from a CSP's discount.

Currently, the current state of the art commonly used in the industry is such that: [1] the [2], [3], [4], [5] take a lot of effort to effectively verify the integrity of the outsourced data. In these solutions, the owner pre-processes the document prior to outsourcing, creates a validation tag using secret material, and then the owner or verifier verifies the integrity of the document.

However, the above scheme is only applicable to static archive storage, i.e. files that are outsourced and never altered. In fact, outsourced data will be frequently updated in real-world cloud storage, such as business transaction logs, editable documents, cloud databases, and health records for hospitals. Therefore, supporting data dynamics through the most common forms of data manipulation (e.g., block modification, insertion, and deletion) is also an important step towards practical use. Later, to solve this problem, dynamic versions of prior PDP/POR schemes [6], [7], [8], [9], [10], [11], [12] were proposed to support a more generic storage model. These schemes basically implement data dynamics using skip list or merkle hash trees.

Inspired by the benefits of data deduplication, many researchers explored various data deduplication mechanisms [13], [14], [15] on cloud storage platforms. Critical or sensitive data needs to be uploaded to a remote server in encrypted form for security and privacy concerns. Convergent Encryption (CE) [16], Message-Locked Encryption (MLE) [17] and its variants [18], [19], [20], [21], [22] are intended to support cross-user data deduplication in the encrypted domain, ensure that files are only accessible by legitimate owners, and to resist curious cloud providers.

[1].F.Armknecht,J.-M.Bohli,G.O.Karame,Z.Liu,and C.A.Reuter,“Outsourced proofs of retrievability,”ACM SIGSAC Conference on Computer and Communications Security,CCS’14,p.831–843,Association for Computing Machinery,2014.

[2].K.D.Bowers,A.Juels,and A.Oprea,“Hail:A high-availability and integrity layer for cloud storage,”16th ACM Conference on Computer and Communications Security,CCS’09,p.187–198,Association Computing Machinery,2009.

[3].A.Juels and B.S.Kaliski,“Pors:Proofs of retrievability for large files,”14th ACM Conference on Computer and Communications Security,CCS’07,p.584–597,Association for Computing Machinery,2007.

[4].H.Shacham and B.Waters,“Compact proofs of retrievability,”in Advances in Cryptology–ASIACRYPT 2008(J.Pieprzyk,ed.),(Berlin,Heidelberg),pp.90–107,Springer Berlin Heidelberg,2008.

[5].G.Ateniese,R.Burns,R.Curtmola,J.Herring,L.Kissner,Z.Peterson,and D.Song,“Provable data possession at untrusted stores,”in Proceedings of the 14th ACM Conference on Computer and Communications Security,CCS’07,(New York,NY,USA),p.598–609,Association for Computing Machinery,2007.

[6].Q.Wang,C.Wang,K.Ren,W.Lou,and J.Li,“Enabling public auditability and data dynamics for storage security in cloud computing,”IEEE Transactions on Parallel and Distributed Systems,vol.22,no.5,pp.847–859,2011.

[7].G.Ateniese,R.Di Pietro,L.V.Mancini,and G.Tsudik,“Scalable and efficient provable data possession,”in Proceedings of the 4th International Conference on Security and Privacy in Communication Netowrks,SecureComm’08,(New York,NY,USA),Association for Computing Machinery,2008.

[8].C.Erway,A.

C.Papamanthou,and R.Tamassia,“Dynamic provable data possession,”CCS’09,(New York,NY,USA),p.213–222,Association for Computing Machinery,2009.

[9].E.Shi,E.Stefanov,and C.Papamanthou,“Practical dynamic proofs of retrievability,”in 2013 ACM SIGSAC Conference on Computer and Communications Security,CCS’13,Berlin,Germany,November 4-8,2013(A.Sadeghi,V.D.Gligor,and M.Yung,eds.),pp.325–336,ACM,2013.

[10].D.Cash,A.

and D.Wichs,“Dynamic proofs of retrievability via oblivious RAM,”in Advances in Cryptology–EUROCRYPT 2013,32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques,Athens,Greece,May 26-30,2013.Proceedings(T.Johansson and P.Q.Nguyen,eds.),vol.7881 of Lecture Notes in Computer Science,pp.279–295,Springer,2013.

[11].M.Etemad and A.

“Transparent,distributed,and replicated dynamic provable data possession,”in Applied Cryptography and Network Security(M.Jacobson,M.Locasto,P.Mohassel,and R.Safavi-Naini,eds.),(Berlin,Heidelberg),pp.1–18,Springer Berlin Heidelberg,2013.

[12].W.Guo,S.Qin,F.Gao,H.Zhang,W.Li,Z.Jin,and Q.Wen,“Comments on“provable multicopy dynamic data possession in cloud computing systems”,”IEEE Transactions on Information Forensics and Security,vol.15,pp.2584–2586,2020.

[13].D.Bhagwat,K.Eshghi,D.D.E.Long,and M.Lillibridge,“Extreme binning:Scalable,parallel deduplication for chunk-based file backup,”in 2009 IEEE International Symposium on Modeling,Analysis Simulation of Computer and Telecommunication Systems,pp.1–9,2009.

[14].K.Srinivasan,T.Bisson,G.R.Goodson,and K.Voruganti,“idedup:latency-aware,inline data deduplication for primary storage.,”in Fast,vol.12,pp.1–14,2012.

[15].W.Xia,H.Jiang,D.Feng,and Y.Hua,“Silo:A similarity-locality based near-exact deduplication scheme with low ram overhead and high throughput.,”in USENIX annual technical conference,pp.26–30,2011.

[16].J.R.Douceur,A.Adya,W.J.Bolosky,P.Simon,and M.Theimer,“Reclaiming space from duplicate files in a serverless distributed file system,”in Proceedings 22nd International Conference on Distributed Computing Systems,pp.617–624,2002.

[17].M.Bellare,S.Keelveedhi,and T.Ristenpart,“Message-locked encryption and secure deduplication,”in Advances in Cryptology–EURO-CRYPT 2013(T.Johansson and P.Q.Nguyen,eds.),(Berlin,Heidelberg),pp.296–312,Springer Berlin Heidelberg,2013.

[18].M.Abadi,D.Boneh,I.Mironov,A.Raghunathan,and G.Segev,“Message-locked encryption for lock-dependent messages,”in Advances in Cryptology–CRYPTO 2013(R.Canetti and J.A.Garay,eds.),(Berlin,Heidelberg),pp.374–391,Springer Berlin Heidelberg,2013.

[19].M.Bellare and S.Keelveedhi,“Interactive message-locked encryption and secure deduplication,”in Public-Key Cryptography–PKC 2015(J.Katz,ed.),(Berlin,Heidelberg),pp.516–538,Springer Berlin Heidelberg,2015.

[20].S.Keelveedhi,M.Bellare,and T.Ristenpart,“Dupless:Server-aided encryption for deduplicated storage,”in 22nd USENIX Security Symposium(USENIX Security 13),(Washington,D.C.),pp.179–194,USENIX Association,Aug.2013.

[21].J.Liu,N.Asokan,and B.Pinkas,“Secure deduplication of encrypted data without additional independent servers,”in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security,CCS’15,(New York,NY,USA),p.874–885,Association for Computing Machinery,2015.

[22].R.Di Pietro and A.Sorniotti,“Proof of ownership for deduplication systems:A secure,scalable,and efficient solution,”Computer Communications,vol.82,pp.71–82,2016.

In summary, the problems of the prior art are as follows:

(1) since most of the existing technologies only focus on one or two technical problems, the assumed cloud storage model is not universal enough to be inconsistent with the existing cloud storage system. And the current scheme can not efficiently integrate data deduplication, data dynamics and data integrity verification characteristics of multiple users into the same system.

(2) The inefficiency of the prior art that enables cloud service providers to spend a great deal of computing, communication, and storage overhead, even beyond the overhead of storing files, for implementing certain functions makes current cloud storage providers undesirable to integrate such functions in their own systems.

(3) In the existing technology supporting data dynamics, when data is modified, the identification of a file is not updated synchronously, which is not beneficial to data deduplication across users, and is also not practical.

The difficulty of solving the technical problems is as follows:

(1) as the number of users sharing the same file increases, the metadata storage for each block is quite considerable. Although the publicly verifiable POR allows anyone to challenge the cloud server without using the private key, in practice, different users tend to be untrusted each other, and if a malicious user shares his private key to the CSP, the security of the other users is defeated.

(2) In the new cloud storage model, dynamic operation of data should also be separated, that is, although data deduplication is performed on files of different users, the files are updated individually as desired.

The significance of solving the technical problems is as follows: the present invention designs a DPOR-MU scheme to solve the above-mentioned problems, which efficiently supports cross-user data deduplication and flexible multi-user data dynamic storage. Allowing different users to share metadata of the same file, even if they do not trust each other, enhances the economic incentive for cloud storage providers to integrate storage attestation functions in their products. Although files of different users are deduplicated, the files can be updated independently according to own wishes, so that the flexibility of the cloud storage system is improved, and the requirements of users in the real world on the encryption cloud storage system are met. From the perspective of a cloud storage provider, the DPOR-MU scheme can perform file-level and block-level data deduplication on files uploaded by multiple users, while providing storage service proof with lower resources. From the user's perspective, the DPOR-MU allows users to publicly verify the availability/integrity of their files and update the files independently. The DPOR-MU scheme is ingenious in design, and can remarkably reduce the computing, storage and bandwidth overhead of CSP and cloud user sides. And the scheme can resist collusion attacks between malicious users and cloud service providers and between the users and CSPs.

Disclosure of Invention

Aiming at the problems in the prior art, the invention provides a practical cloud storage method and system supporting dynamic operation and multi-user storage certification.

The invention is realized in such a way that a practical cloud storage method supporting dynamic operation and multi-user storage certification comprises the following steps:

initializing all participants according to a Setup protocol, wherein the participants comprise a user, a cloud service provider and a third party verifier;

triggering an Upload protocol when a client wants to Upload data;

the POR protocol is used for assisting the verifier to verify the integrity of data and copies in the cloud by the cloud user;

the Update protocol is used for independently updating files according to own will in a system for realizing data deduplication by a cloud user.

Further, the Setup protocol is used for initialization of all system participants, and comprises a group of key generation algorithms; first, the system operates

The algorithm generates and shares corresponding common parameters with all participants, where k is a security parameter,

is a population of Gap-Diffie-Hellman (GDH), p is the number of kappa prime and g is a generator; all legitimate users then need to run

Wherein, pk_PIs a public key, sk_PIs a private key, accepts as input a public parameter and outputs a pair of public/private keys (pk)_P，sk_P) (ii) a P, S and V generate a key pair for authentication and encrypted communication, respectively, where P is the data owner, S is the remote cloud server, and V is the third party auditor; eventually, each party secretly stores its private key and transmits its public key to the other parties in the system.

Further, the Upload protocol is an interactive protocol running between P and S, as shown in the following formula:

for preprocessing files to be uploaded, completing cross-client data deduplication and uploading files to S, P-outsourced files F ═ { b }₁，...，b_m}, and its private key sk_PAs input, S takes the public key pk of P_PDatabase, and recording medium

And F as input, where log_FRecording the updating and uploading log of the F;

p wants to upload F ═ b in an encrypted manner₁，...，b_mTo protect privacy, P runs

Obtaining an encryption key set and running an Encyypt algorithm

Get ciphertext, P run

Constructing a rank-based Mercker hash Tree RMHT and obtaining an ID_FAnd sig (. gamma.), where ID_FAs the only handler for F, sig (γ) is the signature of root γ; before uploading, P will check if any other user passes the ID_FAnd log_FStoring F for source end data deduplication; but block identification

Is derived from a ciphertext for server-side block-level data deduplication, and performs P to verify whether an outsourced file in a storage server is intact and not compromised as contractually specified

Calculating homomorphic integrity verification labels by an algorithm, and uploading corresponding files to the S; upon receipt of the data, S aggregates tags and sig (γ) from multiple untrusted users, and logs_FUpdated to log_F′(ii) a Finally, S maintains the ciphertext block correctly

And metadata; and P deletes the source file F, corresponding tag, block identification, and RMHT from its local memory.

Further, the rank-based merkel tree is constructed in a bottom-up order and includes the rank of the node in each node, and includes an algorithm: location, Verification, Updates;

location: locating the positions of leaf nodes on the tree according to the indexes of the blocks;

verification: the server verifies the integrity of the block i for the verifier through the tree;

updates: the tree is updated to support data operations where clients perform data modification, data insertion, and data deletion.

Further, the POR protocol allows verifier V to check whether the file is still completely stored at S, as shown in the following equation:

p outsourcing the integrity verification of F to V without his/her secret material, V randomly generating and sending a challenge chal to S; s is used and stored according to the requirements of chalDocumentation of file and metadata calculation stored in its database_vAnd responds to V; on the validating side, V scrutinizes prof_vAnd outputs res ═ { True, False }; if res ═ True, the data is complete; otherwise, the data is corrupt or the computing process is in error; v notifies the owner in time and assists in re-verifying or negotiating claims.

Further, the Update protocol is an interactive protocol running between P and S, as shown in the following formula:

files for independently updating P stored on the server, dynamic operations commonly used in cloud storage including modification, insertion and deletion, denoted M, I and D respectively; the mentioned flexible data deduplication involves two cases: (a) the updated file will also create a separate entry; (b) the updating operation also triggers data deduplication, and if the updated file F' is judged to exist, the P directly subscribes to the file;

p ID of file to be updated_FIts private key sk_POperation type op, index i and new block b^*As an input; first, P obtains the key k^*And calculates ciphertext block c^*Its identity id^*And a mark σ^*Then P sends update request with data to S; s generates ID of new file through Tree_F′And determining subsequent operations; s, executing different operations according to different conditions, and completing updating for P; s-construct update prof_uAnd returned to P; finally, P-checks prove and update the new root γ 'of Tree' and its signature sig '(γ').

It is a further object of the invention to provide a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of the utility cloud storage method supporting dynamic operations and multi-user storage attestation.

It is another object of the present invention to provide a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the utility cloud storage method supporting dynamic operations and multi-user storage attestation.

Another object of the present invention is to provide an information data processing terminal for implementing the practical cloud storage method that supports dynamic operations and multi-user storage attestation.

Another object of the present invention is to provide a utility cloud storage system supporting dynamic operation and multi-user storage attestation implementing the utility cloud storage method supporting dynamic operation and multi-user storage attestation, the utility cloud storage supporting dynamic operation and multi-user storage attestation including:

the client side is used for storing the data by using the cloud storage service, and is used for blocking file data, generating an encryption key, encrypting a file, constructing file uploading, downloading and deleting data, checking whether the file stored in the cloud storage server is complete or not and realizing dynamic data updating;

the cloud service provider CSP is used for executing cross-user duplicate removal, storing the files uploaded by the client, and simultaneously ensuring the integrity and reliability of the files, ensuring the data availability of all data owners and executing a deletion request of the client;

and the third party auditor TPA is used for triggering the POR protocol to periodically perform data integrity audit for the client.

By combining all the technical schemes, the invention has the advantages and positive effects that: the invention provides a DPOR-MU scheme to effectively support cross-user data deduplication and flexible multi-user data dynamic storage by using secret key homomorphism based on bilinear mapping and a Merckel tree based on rank. The DPOR-MU provided by the invention is the first scheme for simultaneously supporting data deduplication, disclosing multi-user storage certification and multi-user data dynamics, and the cloud storage model can better meet the use requirements of individuals and organizations in the real world. The DPOR-MU can save storage space in the server through the combination of file-level data deduplication and block-level data deduplication and the aggregation of multi-user data labels on the premise of not influencing data confidentiality and integrity. So that cloud storage providers are more willing to integrate storage attestation functions in their products. Compared with the prior art, the invention can reduce the storage overhead from a linear level to a constant level (such as table 1) without increasing the calculation and communication overhead. In addition, the invention can resist collusion attack between malicious users and cloud service providers and between the users and CSP.

Drawings

Fig. 1 is a flowchart of a practical cloud storage method supporting dynamic operation and multi-user storage attestation according to an embodiment of the present invention.

FIG. 2 is a schematic structural diagram of a practical cloud storage system supporting dynamic operations and multi-user storage attestation, provided by an embodiment of the present invention;

in fig. 2: 1. client (data owner); 2. CSP (cloud service provider); 3. TPA (third party auditor).

Fig. 3 is a specific flowchart of modifying the ith block of F in the Update protocol according to an embodiment of the present invention.

Fig. 4 is a specific flowchart of the Upload protocol according to the embodiment of the present invention.

Fig. 5 is a specific flowchart of POR protocol provided by the embodiment of the present invention.

Fig. 6 is a specific flowchart of the Update protocol according to an embodiment of the present invention.

Fig. 7 is a process of preprocessing a file F before uploading the file F in the Upload protocol according to the embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

In view of the problems in the prior art, the present invention provides a practical cloud storage method and system supporting dynamic operation and multi-user storage certification, and the following describes the present invention in detail with reference to the accompanying drawings.

As shown in fig. 1, the method for supporting a dynamic operation and a multi-user storage attestation for a utility cloud storage provided by the present invention includes the following steps:

s101: the system initializes all participants according to a Setup protocol, wherein the participants comprise users, cloud service providers and third party verifiers;

s102: triggering an Upload protocol when a client wants to Upload data;

s103: the POR protocol is used for assisting the verifier to verify the integrity of data and copies in the cloud by the cloud user;

s104: the Update protocol is used for independently updating files according to own will in a system for realizing data deduplication by a cloud user.

Those of ordinary skill in the art may also implement other steps in the method for providing a practical cloud storage supporting dynamic operations and multi-user storage attestation, and the invention of fig. 1 is provided as only one specific embodiment.

As shown in fig. 2, the utility cloud storage system supporting dynamic operation and multi-user storage attestation provided by the present invention includes:

the client 1 is used for storing data by using a cloud storage service, and is used for blocking file data, generating an encryption key, encrypting a file, constructing file uploading, downloading and deleting data, checking whether the file stored in the cloud storage server is complete or not and realizing dynamic data updating;

a CSP (cloud service provider) 2, configured to perform cross-user deduplication, store files uploaded by the client, and simultaneously ensure integrity and reliability of the files, ensure data availability of all data owners, and perform a delete request of the client;

TPA (third party auditor) 3 for triggering the POR protocol to periodically perform data integrity audits for clients.

The technical solution of the present invention is further described below with reference to the accompanying drawings.

The practical cloud storage system supporting dynamic operation and multi-user storage certification comprises a group of clients 1, a cloud storage server 2 and a third-party auditor 3. The work performed by each end of the system is shown in fig. 2, where client 1 (i.e., Users) stores files in CSP. The cloud storage server 2 (i.e., CSP) manages a large amount of storage resources, powerful computing power, and professional administrators, and provides a flexible and reliable data storage service for individuals or organizations. TPA (third party auditor) 3 has professional capabilities and resources to perform data integrity audits on a regular basis instead of the data owner.

The core of the system comprises a Setup operation, an Upload operation, an Update operation and a POR protocol, through the operations and the protocols, and a rank-based Merkle hash tree (RMHT) obtained by improving the traditional Merkle hash tree, the invention can complete cross-user data deduplication, multi-user storage certification and flexible data dynamic storage, so that a cloud provider can effectively prove the integrity of data stored on the cloud provider to a client. And can be resistant to curious or malicious system parties.

The rank-based Merkle Hash Tree (RMHT) obtained by improving the traditional Merkle Hash Tree is an efficient data structure supporting data dynamics, and each node v of the RMHT stores two pointers, namely left children and right children, which are respectively represented by lft (v) and rgt (v). Note that a leaf node has no child node, and therefore lft (v) null, rgt (v) null. Further, in this configuration, each node v of the RMHT stores the number of leaf nodes associated with v. This value is referred to herein as the rank of v and is denoted by r (v). In addition, node v also stores a label l (v) that is calculated by applying an anti-collision hash function (i.e., l (v) ═ h (l (lft (v)), l (rgt (v)), r (v))). While MHT is generally used to verify the value of a data block, in the proposed scheme, the invention further uses MHT to verify the value and location of a data block. Suppose now that file F and the RMHT of the file are already stored on the semi-honest server, and the order of the leaf nodes (i.e., left to right) indicates the order of the file blocks. That is, the leftmost node of RMHT is associated with the first block. The value of node a is l (a) ═ H (c)₁) 1), where 1 is the rank of the leaf node. In the second level, the children of node E are node a and node B, whose labels are l (E) ═ h (l (a), l (B), 2 of whichIs the rank of node E. If the Merkle tree has only four leaves, then the rank of the RMHT root is 4. Note that RMHT is constructed bottom-up, so for non-leaf nodes v, r (v) ═ r (lft (v)) + r (rgt (v)). RMHT includes the algorithm: location, Verification, Updates.

Location: both verifying integrity and updating the tree require locating the positions of leaf nodes on the tree based on the index of the block. The server then first executes an algorithm to find leaf nodes for later verification or update operations.

Verification: the verifier wants to verify the integrity of block i and therefore sends a verification request to the server, which executes the algorithm. It is first determined which leaf in RMHT that block i corresponds to. The server then constructs a peer set of this leaf (i.e., the peer nodes on the path from the leaf to the RMHT root R), denoted as Ω_i＝{vx，...，v_kWhere k is the leaf depth (root depth is zero). Finally, the server returns an MHT verification certificate of pi (i) { H (c) }_i)，Ω_iGiving the verifier. The verifier generates a root R' using Π (i) and checks its correctness by comparison with R.

Updates: in the solution of the invention, the possible data operations include data modification (i.e. modification of the ith block), data insertion (i.e. insertion of a new block after a given block i) and data deletion (i.e. deletion of the ith block). For data modification, the operation is relatively simple, assuming that the client wishes to have the ith chunk c_iIs modified to c'_i. The server locates the ith leaf using a location algorithm and puts H (H (c) in RMHT_i) 1) is replaced by H (H (c'_i) 1), then regenerating a new root R'. Finally, the server generates a sibling node set omega_iAnd use demonstration of prof_u＝{Π_iR '} in response to the client making an update, the client will validate the update and update the root R with R'.

In contrast to data modification, which does not change the logical structure of the client data file, another general form of data manipulation, data insertion, refers to the insertion of new blocks after some specified location in the data file F. Suppose a client wants to be in the ith block c_iThen insert block c^*. In this scheme, forThe present invention defines rules: 1) the original ith leaf node is no longer a leaf node, but is the parent node of the original ith block and the inserted block; 2) the inserted block is the sibling node of the original ith block and the inserted node must be the right child. Obviously, only a portion of the nodes are affected by the insert operation. The server will add a leaf H (H (c)^*) 1) leaf H (H (c) in RMHT₁) 1) thereafter, a new root R' is regenerated according to the above rules. Finally, as with the modification described above, the server generates a proof and proves to the client that the client updates the root R with R'.

Data deletion is the reverse of data insertion. For deletion, the invention also defines rules: the deleted leaf node is deleted from the RMHT with its parent node replaced with its remaining sibling nodes. At the same time, the remaining nodes are adjusted according to the deletion rules, wherein the label values of the nodes affected by the operation are changed. The details of the program are similar to those of the data modification and insertion, and are therefore omitted here.

The relevant interactive protocols in the system are as follows:

(1) setup protocol: in DPOR-MU, a multiple signature scheme based on BLS signatures is employed. To this end, the system executes the Init algorithm to deploy a group with a prime order p of generator g

And a computationally efficient bilinear map

Each client P participating in the scheme then needs to prepare a pair of signature and authentication keys. More precisely, P selects a random

And by calling KeyGen_PTo calculate y ← g^xmod p. In this scenario, the present invention assumes that communications between all participants in the system are previously authenticated and encrypted. Thus, P, S and V generate their key pairs to authenticate and encrypt communications, respectively. Finally, the parties' secretsSaves its private key and transmits its public key to other parties in the system.

(2) The Upload protocol: whenever the client P wishes to upload the file F ═ b₁，...，b_mWill trigger the Upload protocol. First, P runs KeyGen_EncTo obtain a set of encryption keys for each block

More precisely, for each block, by k_i＝H(b_i) (i is more than or equal to 1 and less than or equal to m). A message-based key is computed. Next, P performs the Encrypt algorithm to Encrypt block b_i(i is more than or equal to 1 and less than or equal to m) generating ciphertext block

Wherein c is_i←Enc(k_i，b_i)。

Then, P is in the ciphertext

Is sequentially constructed on the block of (a) a rank-based Merkle hash tree, i.e., the labels of the leaf nodes are c with the rank of the leaf_i(i 1.. m) an ordered set of hashes, i.e., l (v)_i)＝h(c_i,1). Get root γ of RMHT, and assign the identity of F as the root, i.e., ID, of RMHT_Fγ. P sends ID to S_FThen S checks that it has ID_FWhether the corresponding file has been stored by other users. Now, depending on the query results, two cases arise: (a) the file has not been previously stored, (b) the file has been stored by other owners. In the latter case, the user will continue to execute the Upload^*And (4) protocol.

The present invention proposes the concept of an ancestor file, which represents the initial version of the file in S. Although the file has been updated, its ancestor (ID)_A) Will not change, therefore, the ID of F_AIs ID_F. P signs the root under the private key. Sig (gamma) ← h₁(γ)^x. Similar to most schemes, each ciphertext block has a length of s sectors, where each sector is

And c is an element of_ijWherein i is more than or equal to 1 and less than or equal to m, and j is more than or equal to 1 and less than or equal to s. For 1. ltoreq. j. ltoreq. s, group elements

Is pseudo-randomly extracted from the duplicate copy as u_j＝h₂(ID_AJ). Subsequent uploaders of third party auditors V or documents may access the public parameter ID_AGenerating { u_j}_{j＝1，...，s}. In addition, P computes block identification for block-level data deduplication in S

Wherein

Next, for subsequent integrity verification of F, P executes the TagGen algorithm to obtain a verification tag set. Similar to the BLS scheme, for each block index i ∈ { 1., m }, the validation token σ is verified_iIs calculated as follows:

then, the mark set

Please note that σ_iThe BLS signature under private key x, which effectively represents the following value:

after TagGen, user P sends to cloud service provider S

S after receiving the data, firstlyThe validity of the upload tag is checked. More specifically, the cloud service provider S samples each chunk index i as a random index

And checks whether the following verification holds:

wherein ω is_iCalculated by S based on the public knowledge and the ciphertext block. If the key and token are correct, S will create a log file consisting of tuples to store the authentication key of F. Each tuple contains two sets, the former being a set of public keys and the other being a set of indices, indicating that the authentication key corresponding to the block in the latter consists of the key in the former. Here, log_FBy { ({ pk)_P}, {1,.., m }) }.

S then returns P a file access link which can be identified by the file and log file log_FThe document is retrieved. To ensure log_FP checks if his/her public key is log_FIn the first tuple. Finally, P may delete source file F, its ciphertext block, and the corresponding tag from its local memory. But P stores the ID of the file locally_F、ID_b、

Log for generating authentication keys_FAnd for subsequently generating the value { u }_j}_{j＝1，...，s}ID of ancestor file_A。

(3) Upload protocol: due to source-side data deduplication, the protocol is not used for uploading files twice, but for updating the authentication token and the root of RMHT, which may allow the new client P to obtain file guarantees.

First, S compares the ID of file F_AAnd returning to P. Similar to the Upload protocol, P generates a set of encryption keys

And calculate a ciphertext set

Block ID_bDocument authentication mark

And signature tree root set sig (γ). Note that due to file identity, it is used for computation

{ u } of_j}_{j＝1，...，s}As with the previous owner. Then, unlike the Upload protocol, P will only be

And uploading to S.

Upon receiving

Afterwards, S still checks the correctness of the newly uploaded tag. Of course, S may perform tag validation using the method in the Upload protocol, but this may require S to recalculate or store the value ω_i. Has been stored

The verification tags of (1) are correct because S has previously verified them, S has no incentive to damage them. It is shown that S can be on the newly uploaded tag T ═ σ₁，...，σ_m}

And tags already stored in S

Cross validation is applied in between. Suppose that

Wherein

So the key set

Wherein

For batch verification, S samples a portion of the blocks (e.g., ξ blocks), treating the index of each block as i, where 1 ≦ i ≦ ξ. Then S selects a random index

And check if the following equations are equal:

if not, the subscription is rejected, and if equal, the flag is correct. The correctness of sig (gamma) is verified in the same way. After successful verification, S needs to update log_F、

And sig' (γ) to ensure that POR access is successful across multiple users. More precisely, for labels

Sigma for S_i·σ_i' update them. Similarly, S updates the stored signatures sig '(γ) by replacing them with sig' (γ) · sig (γ), and by replacing pk_PAttached to each tuple

To update log_F。

Finally, S sends the user the access link and log of the file_F. Similar to the Upload protocol, P checks if his/her public key is log_FAnd delete the source file, its ciphertext block, and the corresponding tag.

(4) POR protocol: the purpose of the POR protocol is to allow trusted verifier V (or owner) to check whether the file is still fully stored at S by querying server S and verifying the response from S. First, to help the owner P prove the integrity of F, V needs to compute a set of authentication keys

And the authentication key pk of RMHT_γ. Although P or V stores log locally_FHowever, the new user may also perform data deduplication on the same file. Thus, V downloads from S to be current

And check whether or not all

Comprising pk_P. If so, the set of keys is verified as

And

wherein

Is log'_FThe last one of (a).

V then creates a random challenge chal ═ { l, k₁，k₂And sends it to S, where l is the number of blocks to challenge. k is a radical of₁(PRP π) and k₂(PRF ψ) is a new key chosen randomly in each challenge. K for both V and S₁Keyed sum of pi and k₂The keyed psi generates a set of pairs of random exponentials and random values Q { (i, v)_i) Therein of

And

after receiving chal and generating a set Q, S calculates:

wherein j is not less than 1 and not more than s, and:

wherein

In addition, S also prepares for RMHT verification that pi ═ { pi (i) |1 ≦ i ≦ l } as described in section IV-B. Finally, prof will be demonstrated_v＝{{μ_θ，1，...，μ_θ，sThe } sigma, sig (gamma), pi } is sent back to V.

At the verifier end, V also gets the set Q and uses the ID_AGenerating u_i. First, V builds RMHT using knowledge of Π, and generates root γ'. V then authenticates it by checking if it is equal:

e(sig(γ)，g)＝e(γ′，pk_γ)

if authentication fails, V will reject by returning False, otherwise V will further verify whether the following equations are equal:

if the two are equal, the output is True; otherwise, the output is False. If this verification fails, V determines that the file has been modified and takes action, such as notifying the user or downloading and rewriting the file.

(5) Update protocol: common dynamic operations in cloud storage include modification, insertion, and deletion. P is valid assuming F is shared by multiple users. P intends to modify the ith block, insert a new block after the ith block or delete the ith block, which other users do not. Obviously, modifications and insertions require preparation for the sameData block b of^*And the delete operation does not. For modifications and insertions, P passed KeyGen_EncGenerating a secret key k^*And obtain ciphertext block c^*←Enc(k^*，b^*). P then calculates the block id according to the Upload protocol^*And a label sigma^*From the ID_AMiddle extracted value { u }_j}_{j＝1，...，s}. Update request update ═ { op, i, [ c [ ]^*，id^*，σ^*]Send S, where op may be M, I or D. If op ═ D, then the data in square brackets is not needed.

For example, P modifies the i-th block to b^*Then update is { M, i, c ═ M^*，id^*，σ^*It sends it to S. S is based on { c₁，...，c_i-1，c^*，...，c_mGenerate a new RMHT and obtain a modified ID_F′. Then, S checks whether the ID is already stored_F′The corresponding file of (2). If file F' does not exist, S will create a session ID_F′New file entry of index, i.e. F' ═ { c₁，...，c_i-1，c^*，...，c_m}. In fact, F is not modified, nor is blocks of data copied, but these blocks are each pointed to an ID by a pointer_FOr ID_F′. S Create Log_F′And initialize it to

Wherein

Suppose that the index i is

Then, S direction log_F′Appending a tuple ({ pk)_PH, { i }) and from

In deletion of i, i

Then, S will be one tuple ({ pk)_PI) attached to log_F′. Namely, it is

Finally, S updates prof with_u＝{Π_i，sig(γ)，ID_F′，log_F′P, where Π_iSig (. gamma.) at ID_FOn the RMHT of (c). P is used first_iRoot gamma of RMHT, and

wherein

Is that

The second last digit of (c). And by checking e (sig (γ), g) ═ e (γ, pk)_γ) The root is verified if equal. If true, P is determined by using { Ω }_i，H(c_i) Calculate the new root γ' and associate it with ID_F′A comparison is made to check if the server has performed the modification as required. P then signs the new root and sends it to S.

If the file F' already exists, S verifies the signature σ using a cross-validation method^*And registers P with F'. S will mark σ_iSubstitution as sigma_i·σ^*And by mixing pk_PAppended to the last tuple

To update log_F′. Furthermore, S updates prof with_u＝{Π_i，sig(γ)，ID_F′，log_F′The proof of response P, P verifies the update and sends a signature sig (γ') to S. Finally, S verifies the signature and replaces it with sig (γ '). sig ' (γ ').

The whole process of insertion and deletion is the same as the modification process, note that the index of the file block is changed during the insertion or deletion process, and S is managed separately using two sets of indexes.

The technical effects of the present invention will be described in detail with reference to simulations.

The invention realizes DPOR by simulation and evaluates the performance of DPOR in detail, realizes a DPOR prototype system by using a C/C + + language and OpenSSL and PBC code libraries, and stores metadata information related to each file by using a MySQL database as a back-end data storage system. The experiment simulates a client, a verifier and a cloud server on three independent machines, and the client, the verifier and the cloud server all run on a system with a CPU of 3.10GHz Intel Core i9-9900 and a memory of 16GB Ubuntu 16.04 LTS. The communication bandwidth of the wired connection between the two is set to be 100Mbps, and Socket is adopted for communication. In the experiment, a plurality of computers are used as clients, a large number of files are uploaded, downloaded, integrity audited and updated on the same server host to evaluate the overall performance of the system, and various malicious behaviors such as tampering, forging and destroying of the server and malicious users are simulated. Typically, users can correctly recover and audit their files, and the audit will fail once the server makes any malicious activity. Experiment results show that the communication and calculation cost of the system is similar to that of the existing scheme and is acceptable, and the storage cost meets the requirement of table 1, so that the method is greatly improved compared with other schemes.

TABLE 1

It should be noted that the embodiments of the present invention can be realized by hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the apparatus and methods described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided on a carrier medium such as a disk, CD-or DVD-ROM, programmable memory such as read only memory (firmware), or a data carrier such as an optical or electronic signal carrier, for example. The apparatus and its modules of the present invention may be implemented by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., or by software executed by various types of processors, or by a combination of hardware circuits and software, e.g., firmware.

The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A practical cloud storage method supporting dynamic operation and multi-user storage attestation is characterized by comprising the following steps:

initializing all participants according to a Setup protocol, wherein the participants comprise a user, a cloud service provider and a third party verifier;

triggering an Upload protocol when a client wants to Upload data;

the POR protocol is used for assisting the verifier to verify the integrity of data and copies in the cloud by the cloud user;

the Update protocol is used for independently updating files according to own will in a system for realizing data deduplication by a cloud user.

2. The utility cloud storage method supporting dynamic operations and multi-user storage attestation of claim 1, wherein the Setup protocol is used for initialization of all participants of the system, including a set of key generation algorithms; first, the system operates

The algorithm generates and shares corresponding common parameters with all participants, where k is a security parameter,

is a population of Gap-Diffie-Hellman (GDH), p is the number of kappa prime and g is a generator; all legitimate users then need to run

Wherein, pk_PIs a public key, sk_PIs a private key, accepts as input a public parameter and outputs a pair of public/private keys (pk)_P，sk_P) (ii) a P, S and V generate a key pair for authentication and encrypted communication, respectively, where P is the data owner, S is the remote cloud server, and V is the third party auditor; eventually, each party secretly stores its private key and transmits its public key to the other parties in the system.

3. The method of claim 1, wherein the Upload protocol is an interactive protocol running between P and S, as shown in the following equation:

for preprocessing files to be uploaded, completing cross-client data deduplication and uploading files to S, P-outsourced files F ═ { b }₁，...，b_m}, and its private key sk_PAs input, S takes the public key pk of P_PDatabase, and recording medium

And F as input, where log_FRecording the updating and uploading log of the F;

p wants to upload F ═ b in an encrypted manner₁，...，b_mTo protect privacy, P runs

Obtaining an encryption key set and operating an Encrypt algorithm

Get ciphertext, P run

Constructing a rank-based Mercker hash Tree RMHT and obtaining an ID_FAnd sig (. gamma.), where ID_FAs the only handler for F, sig (γ) is the signature of root γ; before uploading, P will check if any other user passes the ID_FAnd log_FStoring F for source end data deduplication; but block identification

Is derived from a ciphertext for server-side block-level data deduplication, and performs P to verify whether an outsourced file in a storage server is intact and not compromised as contractually specified

Calculating homomorphic integrity verification labels by an algorithm, and uploading corresponding files to the S; upon receipt of the data, S aggregates tags and sig (γ) from multiple untrusted users, and logs_FUpdated to log_F′(ii) a Finally, S maintains the ciphertext block correctly

And metadata; and P deletes the source file F, corresponding tag, block identification, and RMHT from its local memory.

4. The method of claim 3, wherein the rank-based Mercker tree is constructed in bottom-up order and includes in each node the rank of the node, and comprises an algorithm: location, Verification, Updates;

location: locating the positions of leaf nodes on the tree according to the indexes of the blocks;

verification: the server verifies the integrity of the block i for the verifier through the tree;

updates: the tree is updated to support data operations where clients perform data modification, data insertion, and data deletion.

5. The method of claim 1 in which the POR protocol allows verifier V to check whether the file is still fully stored at S, as shown by the following equation:

p outsourcing the integrity verification of F to V without his/her secret material, V randomly generating and sending a challenge chal to S; s uses the files and metadata stored in its database to compute proof prof according to the requirements of chal_vAnd responds to V; on the validating side, V scrutinizes prof_vAnd outputs res ═ { True, False }; if res ═ True, the data is complete; otherwise, the data is corrupt or the computing process is in error; v notifies the owner in time and assists in re-verifying or negotiating claims.

6. The method of claim 1, wherein the Update protocol is an interactive protocol running between P and S, as shown in the following equation:

files for independently updating P stored on the server, dynamic operations commonly used in cloud storage including modification, insertion and deletion, denoted M, I and D respectively; the mentioned flexible data deduplication involves two cases: (a) the updated file will also create a separate entry; (b) the updating operation also triggers data deduplication, and if the updated file F' is judged to exist, the P directly subscribes to the file;

p ID of file to be updated_FIts private key sk_POperation type op, index i and new block b^*As an input; first, P obtains the key k^*And calculates ciphertext block c^*Its identity id^*And a mark σ^*Then P sends update request with data to S; s generates ID of new file through Tree_F′And determining subsequent operations; s, executing different operations according to different conditions, and completing updating for P; s-construct update prof_uAnd returned to P; finally, P-checks prove and update the new root γ 'of Tree' and its signature sig '(γ').

7. A computer device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the steps of the method of any one of claims 1 to 6 for utility cloud storage supporting dynamic operations and multi-user storage attestation.

8. A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the utility cloud storage method supporting dynamic operations and multi-user storage attestation of any one of claims 1 to 6.

9. An information data processing terminal, characterized in that the information data processing terminal is used for implementing a practical cloud storage method for supporting dynamic operation and multi-user storage certification according to any one of claims 1 to 6.

10. A utility cloud storage system supporting dynamic operations and multi-user storage attestation implementing the utility cloud storage method supporting dynamic operations and multi-user storage attestation of any one of claims 1 to 6, characterized in that implementing utility cloud storage supporting dynamic operations and multi-user storage attestation comprises:

the client side is used for storing the data by using the cloud storage service, and is used for blocking file data, generating an encryption key, encrypting a file, constructing file uploading, downloading and deleting data, checking whether the file stored in the cloud storage server is complete or not and realizing dynamic data updating;

the cloud service provider CSP is used for executing cross-user duplicate removal, storing the files uploaded by the client, and simultaneously ensuring the integrity and reliability of the files, ensuring the data availability of all data owners and executing a deletion request of the client;

and the third party auditor TPA is used for triggering the POR protocol to periodically perform data integrity audit for the client.

Images