CN117094037B - Path+ORAM-based multipath cache write-back method and device and related equipment - Google Patents
Path+ORAM-based multipath cache write-back method and device and related equipment Download PDFInfo
- Publication number
- CN117094037B CN117094037B CN202311333876.3A CN202311333876A CN117094037B CN 117094037 B CN117094037 B CN 117094037B CN 202311333876 A CN202311333876 A CN 202311333876A CN 117094037 B CN117094037 B CN 117094037B
- Authority
- CN
- China
- Prior art keywords
- hash
- node
- tree
- path
- nodes
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 35
- 238000012795 verification Methods 0.000 claims abstract description 117
- 238000004364 calculation method Methods 0.000 claims abstract description 22
- 238000003491 array Methods 0.000 claims description 13
- 238000004590 computer program Methods 0.000 claims description 8
- 238000010276 construction Methods 0.000 claims description 6
- 238000013507 mapping Methods 0.000 description 7
- 230000005540 biological transmission Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 230000008569 process Effects 0.000 description 4
- 230000006870 function Effects 0.000 description 3
- 230000003993 interaction Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 238000013496 data integrity verification Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 235000019800 disodium phosphate Nutrition 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000001131 transforming effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses a path+ORAM-based multipath cache write-back method, a device, computer equipment and a storage medium, wherein the method comprises the following steps: leaf identification allocation is carried out on all the data blocks, access paths are determined, and an access path set is constructed according to the access paths; selecting and downloading nodes to be accessed from an ORAM tree of a cloud server based on the access path set; based on the hash value corresponding to each node to be accessed, carrying out integrity verification on the initial hash table to obtain a verification result; when the verification result is that the integrity verification is passed, storing the data block into an initial linked list array to obtain a target linked list array; carrying out hash value calculation on nodes in the target linked list array to obtain a hash value; and writing the target linked list array back to the cloud server, updating all the hash nodes and writing the corresponding hash values back to the hash verification tree of the cloud server.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a path+oram-based multipath cache write-back method, apparatus, computer device, and storage medium.
Background
In order to save storage cost, many companies outsource and store sensitive data onto a cloud server and make data requests through clients to operate on the data stored on the cloud server. However, in the interaction process of the client and the cloud server, important access modes which can be utilized are easily obtained by a third party, including the result privacy information searched by the user, wherein the access modes refer to the sequence of accessing the file by an Input/output operation (IO) operation, the frequency of accessing the file, the reading and writing sequence and the like. Therefore, when the client terminal performs data query privacy, the third party can easily acquire the sensitive data, and as the query times are more, the leakage quantity is more, and even in extreme cases, the third party can acquire all the sensitive data.
A conventional approach to solve the above problem is to use ORAM (Oblivious Random Access Machine, inadvertent random access machine) to hide the access pattern. ORAM is an encryption scheme that can be used to completely hide the data access pattern of IO operations, preventing search and access pattern leakage by constantly transforming data storage locations and re-encrypting the accessed data. The path+oram (Path 0blivious RAM, path-based invisible memory) is the ORAM scheme with highest current access and storage efficiency and highest feasibility, a binary tree is stored by a cloud server, and a Position Map area (Position Map) and a local temporary storage area (flash) are stored by a client. When a client side makes a data request, the Path+ORAM needs to search the position mapping area to acquire a leaf identifier, then downloads a complete Path from a leaf to a root node from a binary tree of a cloud server according to the leaf identifier, and writes the complete Path into a local temporary storage area. To hide the access pattern, path+oram reassigns a new random leaf identifier, re-encrypts the Path corresponding to the random leaf identifier, and moves the entries in the temporary storage area to a single Path one by one, thereby completing the data operation.
However, in the protection access mode, each update using the path+oram scheme requires multiple interactions with the cloud server, resulting in huge access overhead. To reduce access overhead, the following are generally employed: 1. by identifying and discarding redundant request parts between path accesses, a part of overhead is reduced, but the method has dependence among data, certain limitation and poor feasibility; 2. according to the phenomenon that data can not be read again in a short time after being written back, the read operation is advanced to the front of the write operation, and the method can effectively improve the system performance, but the reduced overhead is small in proportion, and the access cost is still large; 3. by setting a small ORAM tree for the main ORAM tree as its cache, the approach is similar to the second effect, and the access overhead of Path+ORAM is still large.
Therefore, the existing path+oram scheme still has the technical problem of huge access overhead.
Disclosure of Invention
The embodiment of the invention provides a multipath cache write-back method, a multipath cache write-back device, a multipath cache write-back computer device and a multipath cache write-back storage medium based on a path+ORAM (object oriented access memory), so as to reduce the access overhead of the path+ORAM.
In order to solve the above technical problems, an embodiment of the present application provides a path+oram-based multipath cache write-back method, including:
When a user initiates a data request, carrying out leaf identification distribution on all data blocks in the data request, and determining a leaf identification corresponding to each data block, wherein the leaf identification is used for marking the storage position of the data block written back to a cloud server;
determining access paths corresponding to the data blocks according to the leaf identifications corresponding to the data blocks, and constructing an access path set based on all the acquired access paths;
selecting and downloading nodes to be accessed from an ORAM tree of a cloud server based on the access path set, storing data of the nodes to be accessed into an initial linked list array, and downloading hash values corresponding to the nodes to be accessed from a hash verification tree of the cloud server, wherein the hash verification tree corresponds to the nodes of the ORAM tree one by one;
based on the hash value corresponding to each node to be accessed, carrying out integrity verification on the initial hash table to obtain a verification result;
when the verification result is that the integrity verification is passed, storing the data blocks into positions corresponding to the initial linked list arrays based on the leaf identifiers corresponding to the data blocks to obtain target linked list arrays;
Carrying out hash value calculation on each hash node in the target linked list array to obtain a hash value corresponding to each hash node;
and writing the target linked list array back to the cloud server, and writing the hash values corresponding to all the hash nodes back to a hash verification tree of the cloud server.
In order to solve the above technical problem, an embodiment of the present application further provides a path+oram-based multipath cache write-back device, including:
the system comprises a leaf identifier distribution module, a cloud server and a cloud server, wherein the leaf identifier distribution module is used for distributing leaf identifiers of all data blocks in a data request when a user initiates the data request, and determining a leaf identifier corresponding to each data block, wherein the leaf identifier is used for marking the data block to be written back to the storage position of the cloud server;
the access path set construction module is used for determining the access path corresponding to each data block according to the leaf identifier corresponding to each data block and constructing an access path set based on all the acquired access paths;
the node to be accessed determining module is used for selecting and downloading nodes to be accessed from an ORAM tree of a cloud server based on the access path set, storing data of the nodes to be accessed into an initial linked list array, and downloading hash values corresponding to the nodes to be accessed from a hash verification tree of the cloud server, wherein the hash verification tree corresponds to the nodes of the ORAM tree one by one;
The integrity verification module is used for carrying out integrity verification on the initial linked list array based on the hash value corresponding to each node to be accessed to obtain a verification result;
the storage module is used for storing the data blocks into the positions corresponding to the initial linked list arrays based on the leaf identifiers corresponding to the data blocks when the verification result is that the integrity verification is passed, so as to obtain target linked list arrays;
the hash calculation module is used for calculating hash values of each hash node in the target linked list array to obtain a hash value corresponding to each hash node;
and the write-back module is used for writing the target linked list array back to the cloud server and writing the hash values corresponding to all the hash nodes back to the hash verification tree of the cloud server.
In order to solve the above technical problem, the embodiments of the present application further provide a computer device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the steps of the path+oram-based multipath cache write-back method are implemented when the processor executes the computer program.
To solve the above technical problem, the embodiments of the present application further provide a computer readable storage medium, where a computer program is stored, where the computer program implements the steps of the path+oram-based multipath cache write-back method described above when executed by a processor.
According to the path+ORAM-based multipath cache write-back method, the path+ORAM-based multipath cache write-back device, the computer equipment and the storage medium, when a user initiates a data request, leaf identification distribution is carried out on all data blocks in the data request, and leaf identifications corresponding to each data block are determined, wherein the leaf identifications are used for marking storage positions of the data blocks to be written back to a cloud server; determining access paths corresponding to the data blocks according to the leaf identifications corresponding to the data blocks, and constructing an access path set based on all the acquired access paths; selecting and downloading nodes to be accessed from an ORAM tree of a cloud server based on the access path set, storing data of the nodes to be accessed into an initial linked list array, and downloading hash values corresponding to the nodes to be accessed from a hash verification tree of the cloud server, wherein the hash verification tree corresponds to the nodes of the ORAM tree one by one; based on the hash value corresponding to each node to be accessed, carrying out integrity verification on the initial linked list array to obtain a verification result; when the verification result is that the integrity verification is passed, storing the data blocks into positions corresponding to the initial linked list arrays based on the leaf identifiers corresponding to the data blocks to obtain target linked list arrays; carrying out hash value calculation on each hash node in the target linked list array to obtain a hash value corresponding to each hash node; and writing the target linked list array table back to the cloud server, and writing the hash values corresponding to all the hash nodes back to a hash verification tree of the cloud server. By the steps, the hash verification tree with the same structure as the ORAM tree is introduced, so that on the premise of ensuring the data integrity, the access cost of Path+ORAM is reduced, namely the system execution time is reduced, the data authenticity is ensured, and the system performance is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments of the present invention will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow chart of one embodiment of a Path+ORAM-based multi-Path cache write-back method of the present application;
FIG. 3 is a schematic diagram of one embodiment of a Path+ORAM-based multi-Path cache write-back device according to the present application;
FIG. 4 is a schematic structural diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the applications herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "comprising" and "having" and any variations thereof in the description and claims of the present application and in the description of the figures above are intended to cover non-exclusive inclusions. The terms first, second and the like in the description and in the claims or in the above-described figures, are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, as shown in fig. 1, the cloud server includes an ORAM tree 101 and a hash verification tree 102. The client comprises a cache area 201 and a location mapping area 202.
ORAM tree 101 is an encrypted full binary tree stored at the cloud server for storing private data uploaded by the user from the local client.
It should be noted that the ORAM trees 101 with the height L are commonEach tree node can be regarded as a data bucket, Z data tuples can be stored in one data bucket, and each data tuple has three attributes. Wherein (1)>Is an identifier of a data bucket, indicating that the data tuple is stored in the ith data bucket; />The key value pair is used for representing a data block with a fixed size, the stored data is file data uploaded by a user, and virtual data is adopted for filling if the stored data does not reach a specified value; the value indicates that data of an arbitrary fixed size is stored; l (L)eaf is a leaf identifier that marks the path of the leaf node to the root node where the current data tuple is located.
In ORAM tree 101, the path from the root node to any node can be represented by a string.
Preferably, starting from the root node, the left branch represents '0', the right branch represents '1', and the '01' character string formed by connecting paths represents a path; tree nodes in ORAM tree 101 are encoded according to the following rule, with the root node being encoded as 0, the node being encoded as x, with the left child being encoded as (2x+1), and the right child being encoded as (2x+2). Then at most can be stored in the ORAM tree 101 with a height L A data tuple with leaf value range of +.>To->。
The hash verification tree 102 is identical to the result of the ORAM tree 101 and is used for storing hash values corresponding to tree nodes of the ORAM tree 101.
Assume thatFor the ith data bucket in ORAM tree 101, -, is>Verifying +.in tree 102 and ORAM tree 101 for hash>The corresponding node. In a high level, the hash value of each node in the hash verification tree 102 depends on its two children and the data bucket of the corresponding path ORAM tree 101, i.e./>. Wherein->Andis->Is used to represent +.>Whether or not to contain the real data tuple, when +.>Containing the real data tuple, f=1, otherwise f=0. Root Hash->Stored in the local client, cannot be modified by an adversary, the security of which depends on the collision resistance of the hash function.
The buffer 201 is used for storing hash tables in the client. The linked list array includes an initial linked list array and a target linked list array. The target linked list array consists of linked lists and arrays, and the linked list array is indicated by BD (BucketData) and is used for storing data downloaded from a cloud server and facilitating the operation of a user on the data. And meanwhile, root hashes of the hash verification tree 102 are stored, so that subsequent data integrity verification is facilitated. The target linked list array consists of an array and a linked list. And storing the data information of the data tuples stored in each corresponding data bucket in the linked list, and storing the linked list in the array.
The location mapping area 202 is used for storing a location relation mapping table. The location relationship mapping table may map data blocks in the data request, assign leaf identifiers to the data blocks, and store the data blocks in leaf nodes in the ORAM tree 101 corresponding to the leaf identifiers. Wherein the leaf identifier is given by a random function upon initialization of the location mapping area, which is subsequently updated by the leaf identifier reassignment module.
It should be noted that, the path+oram-based multipath cache write-back method provided in the embodiments of the present application is executed by the client, and accordingly, the path+oram-based multipath cache write-back device is disposed in the client.
It should be understood that the number of nodes of the ORAM tree and the number of nodes of the hash verification tree in fig. 1 are merely illustrative. There may be any number of ORAM trees and hash verification trees depending on implementation requirements.
Referring to fig. 2, fig. 2 shows a path+oram-based multipath cache write-back method according to an embodiment of the present invention, and the method is applied to the client in fig. 1 for illustration, and is described in detail as follows:
and S201, when a user initiates a data request, carrying out leaf identification distribution on all data blocks in the data request, and determining a leaf identification corresponding to each data block, wherein the leaf identification is used for marking the storage position of the data block and writing back to the cloud server.
The data request includes, but is not limited to, a request to upload a file, a request to download a file, and a request to delete a file.
The leaf id allocation is a random allocation.
The data block refers to data obtained by dividing the data request uploading file.
Specifically, when a user initiates a data request, all data blocks in the data request have an address, a leaf identifier is randomly allocated to the data blocks according to the address, and the address of the data blocks and the leaf identifier corresponding to the data blocks are recorded in the position mapping area.
S202, determining access paths corresponding to the data blocks according to the leaf identifications corresponding to the data blocks, and constructing an access path set based on all the acquired access paths.
Specifically, one data block corresponds to one access path, and all access paths constitute an access path set.
The access path is used for downloading the node to be accessed from the cloud server.
The presentation forms of the access paths include, but are not limited to, character strings and tuples. Preferably, the present application uses a string form to represent the access path.
S203, selecting and downloading nodes to be accessed from an ORAM tree of the cloud server based on the access path set, storing data of the nodes to be accessed into an initial linked list array, and downloading hash values corresponding to the nodes to be accessed from a hash verification tree of the cloud server, wherein the hash verification tree corresponds to the nodes of the ORAM tree one by one.
Specifically, for each access path in the access path set, the access path is processed, and a node corresponding to the access path in an ORAM tree of the cloud server is determined, wherein the node is a node to be accessed. It should be noted that, if the cloud server is accessed for the first time for the client, no data is stored on the node to be accessed.
The hash verification tree is consistent with the ORAM tree structure. Nodes of the ORAM tree are used for storing data, and nodes of the hash verification tree are used for storing hash values corresponding to the nodes of the ORAM tree.
The initial linked list array is located in the buffer area of the client and stores each data tuple in the form of linked list array, and the linked list array is formed by the modes including but not limited to array adding linked list and array adding binary tree. Preferably, the present application uses a linked list array consisting of linked lists and arrays. The linked list array is denoted by BD (BucketData) and is used for storing data downloaded from the cloud server and facilitating the operation of the data by a user. Meanwhile, root hashes of the hash verification tree are stored, so that subsequent data integrity verification is facilitated. The target linked list array consists of an array and a linked list. And storing the data information of the data tuples stored in each corresponding data bucket in the linked list, and storing the linked list in the array.
The hash verification tree with the same structure as the ORAM tree is introduced to verify the integrity of the data in the transmission process, so that the integrity of the data is ensured.
S204, based on the hash value corresponding to each node to be accessed, carrying out integrity verification on the initial linked list array to obtain a verification result.
The method comprises the steps of calculating a hash value corresponding to each downloaded node to be accessed again, determining a verification hash value according to the calculated hash value, and carrying out integrity verification on the initial linked list array through the verification hash value to obtain a verification result.
Wherein the verification hash value is a hash value for verifying integrity.
The verification hash value may be a hash value of each node to be accessed, a hash value of a preset number of nodes to be accessed, and a hash value corresponding to a root node in a hash tree constructed by the nodes to be accessed.
Preferably, the present application adopts, as the verification hash value, a hash value corresponding to a root node in a hash tree constructed by a node to be accessed.
And S205, storing the data blocks into positions corresponding to the initial linked list array based on the leaf identifiers corresponding to the data blocks when the verification result is that the integrity verification is passed, and obtaining the target linked list array.
Specifically, when the verification result is that the integrity verification is passed, the data transmission process is not tampered. And constructing a data tuple by the data block and the leaf identifier corresponding to the data block, and storing the data tuple in a position corresponding to the initial linked list array to obtain the target linked list array.
It should be appreciated that the initial linked list array is an organization on the client side after being downloaded at the nodes of the cloud.
The target linked list array is a linked list array used for storing data in the user data request.
The target linked list array comprises hash nodes, and each hash node is in one-to-one relation with the node to be accessed and is used for storing data blocks in the user data request.
S206, carrying out hash value calculation on each hash node in the target hash table to obtain a hash value corresponding to each hash node.
Specifically, the above hash value calculation may be specifically limited according to actual situations.
S207, writing the target linked list array back to the cloud server, and writing hash values corresponding to all the hash nodes back to a hash verification tree of the cloud server.
Specifically, data stored by each hash node in the target hash table is written back to a node to be accessed corresponding to the cloud server in batches, and hash values corresponding to the hash nodes are written back to nodes corresponding to the node to be accessed in the cloud server hash verification tree in batches.
In the embodiment, by introducing the hash verification tree with the same structure as the ORAM tree to be used for verifying the integrity in the data transmission process, the access cost of Path+ORAM is reduced, namely the system execution time is reduced, the authenticity of data is ensured, and the system performance is improved.
In some optional implementations of the present embodiment, step S203 includes:
s2031, carrying out character serialization on each access path in the access path set to obtain a path character string corresponding to each access path.
S2032, constructing a path character string set based on all the acquired path character strings.
S2033, selecting two target path character strings from the path character string set to construct tree nodes, and adding the constructed tree nodes into the tree node set until the path character string set is traversed.
S2034, selecting and downloading nodes to be accessed from an ORAM tree of the cloud server based on the tree node set.
For the above step S2031, the above character serialization is a method of binarizing the access path.
That is, from the root node, the left branch represents '0', the right branch represents '1', and the '01' string formed by connecting paths represents a path.
For step S2032 described above, the path strings in the path string set are not repeated.
The target path string refers to the path string in which the tree node structure is being performed, as in step S2033 described above.
Specifically, two target path character strings are selected from the path character string set to be subjected to AND or calculation, and the obtained value is used as a path of the tree node. And constructing a tree node set according to the obtained paths of all the tree nodes until the path character string set is traversed.
Tree nodes in the set of tree nodes do not repeat.
For example, when the path string set is {0,1,10,11,100,101,110,111}, selecting any two target path strings in turn for performing an and or calculation to obtain tree nodes, and adding the tree nodes to the tree node set as { root nodes, 0,1,00,01,10,11,000, 001,010,011,100,101,110,111}.
For the above step S2034, it is specifically: and obtaining the target node and the brother node of the target node from the hash verification tree of the cloud server, wherein the target node and the tree nodes of the tree node set are in one-to-one relation. Adding the target node and the brother node of the target node into the hash node set to be detected. And selecting and downloading nodes to be accessed from an ORAM tree of the cloud server, wherein the nodes to be accessed and the nodes in the hash node set to be detected are in one-to-one relation.
The target nodes refer to nodes corresponding to tree nodes in the tree node set one by one
The brother node of the target node refers to a node in the same level as the target node, and the brother node is used for ensuring that the node in the hash node set to be detected can construct a complete binary tree.
In the embodiment, by introducing the hash verification tree with the same structure as the ORAM tree to be used for verifying the integrity in the data transmission process, the access cost of Path+ORAM is reduced, namely the system execution time is reduced, the authenticity of data is ensured, and the system performance is improved.
In some alternative implementations of the present embodiment, step 204 includes:
s2041, calculating the hash value of each target node according to a preset hash value calculation mode.
S2042, carrying out integrity verification on the hash value corresponding to the root node and the root hash value of the cache region to obtain a verification result, wherein the root node is the root node in the hash node set to be detected, and the root hash value of the cache region is the verification hash value stored by the client.
For step S2041, the hash value of each target node is calculated according to the following formula:
wherein,refers to the ith target node, i is a positive integer,/- >Refers to the ith data bucket on the ORAM tree,refers to 2i+1st node on hash verification tree, ++>Refers to 2i+2 nodes on the hash verification tree,and->Is->Is used to represent +.>Whether or not to contain the real data tuple, when +.>Containing the real data tuple, f=1, otherwise f=0.
For step S2042, the root hash value in the buffer is the verification hash value stored at the time of the last round of user data request.
When the hash value corresponding to the root node is consistent with the root hash value of the cache region, determining that the verification result is that the integrity verification is passed. When the hash value corresponding to the root node is inconsistent with the root hash value of the cache region, determining that the verification result is that the integrity verification is not passed.
In this embodiment, the integrity of the data in the data transmission process is verified by verifying the hash value corresponding to the root node and the root hash value of the buffer area, so that the integrity of the data is ensured.
In some optional implementations of the present embodiment, after S206, the method further includes:
and storing the hash value corresponding to the root node in the target hash table as a verification hash value on the client.
Specifically, the hash value corresponding to the root node in the target hash table is stored as a verification hash value on the client, and when the next round of user data requests are started, the verification hash value is used as the verification hash value of the next round of user data requests.
In this embodiment, the hash value corresponding to the root node in the target hash table is stored as the verification hash value on the client, so that the integrity in the data transmission process is verified later, and the integrity of the data is ensured.
It should be understood that the sequence number of each step in the foregoing embodiment does not mean that the execution sequence of each process should be determined by the function and the internal logic, and should not limit the implementation process of the embodiment of the present invention.
Fig. 3 shows a schematic block diagram of a path+oram-based multi-Path buffer write-back device in one-to-one correspondence with the path+oram-based multi-Path buffer write-back method of the above embodiment. As shown in fig. 3, the path+oram-based multipath cache write-back device includes a leaf identifier allocation module 31, an access Path set construction module 32, a node to be accessed determination module 33, an integrity verification module 34, a storage module 35, a hash calculation module 36, and a write-back module 37. The functional modules are described in detail as follows:
and the leaf identifier allocation module 31 is configured to allocate leaf identifiers to all data blocks in the data request when the user initiates the data request, and determine a leaf identifier corresponding to each data block, where the leaf identifier is used to mark the data block and write back to a storage location of the cloud server.
The access path set construction module 32 is configured to determine an access path corresponding to each data block according to the leaf identifier corresponding to each data block, and construct an access path set based on all the obtained access paths.
The node to be accessed determining module 33 is configured to select and download a node to be accessed from an ORAM tree of the cloud server based on the access path set, store data of the node to be accessed into an initial hash table, and download a hash value corresponding to the node to be accessed from a hash verification tree of the cloud server, where the hash verification tree corresponds to nodes of the ORAM tree one by one.
And the integrity verification module 34 is configured to perform integrity verification on the initial linked list array based on the hash value corresponding to each node to be accessed, so as to obtain a verification result.
And the storage module 35 is configured to store the data blocks into positions corresponding to the initial linked list array based on the leaf identifiers corresponding to each data block when the verification result is that the integrity verification is passed, so as to obtain the target linked list array.
The hash calculation module 36 is configured to perform hash value calculation on each hash node in the target linked list array, so as to obtain a hash value corresponding to each hash node.
And the write-back module 37 is used for writing back the target linked list array to the cloud server and writing back hash values corresponding to all the hash nodes to the hash verification tree of the cloud server.
In some optional implementations of the present embodiment, the node to be accessed determination module 33 includes:
and the path character string determining unit is used for carrying out character serialization on each access path in the access path set to obtain a path character string corresponding to each access path.
And the path character string set construction unit is used for constructing a path character string set based on all the acquired path character strings.
And the tree node set determining unit is used for selecting two target path character strings from the path character string set to construct tree nodes, and adding the constructed tree nodes into the tree node set until the path character string set traversal is finished.
And the node to be accessed determining unit is used for selecting and downloading the node to be accessed from the ORAM tree of the cloud server based on the tree node set. In some optional implementations of the present embodiment, the node to be accessed determining unit includes:
the target node obtaining unit is used for obtaining the target node and the brother node of the target node from the hash verification tree of the cloud server, wherein the target node and the tree nodes of the tree node set are in one-to-one relation.
And the hash node set to be detected determining unit is used for adding the target node and the brother node of the target node into the hash node set to be detected.
And the node to be accessed downloading unit is used for selecting and downloading the node to be accessed from the ORAM tree of the cloud server, wherein the node to be accessed and the node in the hash node set to be detected are in one-to-one relation.
In some alternative implementations of the present embodiment, the integrity verification module 34 includes:
and the hash value calculation unit is used for calculating the hash value of each target node according to a preset hash value calculation mode.
And the integrity verification unit is used for carrying out integrity verification on the hash value corresponding to the root node and the root hash value of the cache region to obtain a verification result, wherein the root node is the root node in the hash node set to be detected, and the root hash value of the cache region is stored by the root hash value client.
Further, the hash value calculation unit is:
the hash value for each target node is calculated according to the following formula:
wherein,refers to the ith target node, i is a positive integer,/->Refers to the ith data bucket on the ORAM tree,refers to 2i+1st node on hash verification tree, ++>Refers to 2i+2 nodes on the hash verification tree,and->Is->Is used to represent +.>Whether or not to contain the real data tuple, when +.>Containing the real data tuple, f=1, otherwise f=0.
In some optional implementations of this embodiment, after the write-back module 37, the path+oram-based multipath cache write-back apparatus further includes:
and the verification hash value storage module is used for storing the hash value corresponding to the root node in the target hash table as a verification hash value to the client.
For specific limitations on the path+oram-based multipath cache write-back device, reference may be made to the above limitation on the path+oram-based multipath cache write-back method, and no further description is given here. The various modules in the path+oram-based multipath cache write-back device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In order to solve the technical problems, the embodiment of the application also provides computer equipment. Referring specifically to fig. 4, fig. 4 is a basic structural block diagram of a computer device according to the present embodiment.
The computer device 4 comprises a memory 41, a processor 42, a network interface 43 communicatively connected to each other via a system bus. It is noted that only a computer device 4 having a component connection memory 41, a processor 42, a network interface 43 is shown in the figures, but it is understood that not all of the illustrated components are required to be implemented and that more or fewer components may be implemented instead. It will be appreciated by those skilled in the art that the computer device herein is a device capable of automatically performing numerical calculations and/or information processing in accordance with predetermined or stored instructions, the hardware of which includes, but is not limited to, microprocessors, application specific integrated circuits (Application Specific Integrated Circuit, ASICs), programmable gate arrays (fields-Programmable Gate Array, FPGAs), digital processors (Digital Signal Processor, DSPs), embedded devices, etc.
The computer equipment can be a desktop computer, a notebook computer, a palm computer, a cloud server and other computing equipment. The computer equipment can perform man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch pad or voice control equipment and the like.
The memory 41 includes at least one type of readable storage medium including flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or D interface display memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the storage 41 may be an internal storage unit of the computer device 4, such as a hard disk or a memory of the computer device 4. In other embodiments, the memory 41 may also be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the computer device 4. Of course, the memory 41 may also comprise both an internal memory unit of the computer device 4 and an external memory device. In this embodiment, the memory 41 is typically used for storing an operating system and various application software installed on the computer device 4, such as program codes for controlling electronic files, etc. Further, the memory 41 may be used to temporarily store various types of data that have been output or are to be output.
The processor 42 may be a central processing unit (Central Processing Unit, CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute a program code stored in the memory 41 or process data, such as a program code for executing control of an electronic file.
The network interface 43 may comprise a wireless network interface or a wired network interface, which network interface 43 is typically used for establishing a communication connection between the computer device 4 and other electronic devices.
The present application also provides another embodiment, namely, a computer readable storage medium storing an interface display program, where the interface display program is executable by at least one processor, so that the at least one processor performs the steps of the path+oram-based multi-Path cache write-back method as described above.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk), comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method described in the embodiments of the present application.
It is apparent that the embodiments described above are only some embodiments of the present application, but not all embodiments, the preferred embodiments of the present application are given in the drawings, but not limiting the patent scope of the present application. This application may be embodied in many different forms, but rather, embodiments are provided in order to provide a more thorough understanding of the present disclosure. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments described in the foregoing, or equivalents may be substituted for elements thereof. All equivalent structures made by the specification and the drawings of the application are directly or indirectly applied to other related technical fields, and are also within the protection scope of the application.
Claims (7)
1. The path+ORAM-based multipath cache write-back method is characterized by comprising the following steps of:
when a user initiates a data request, carrying out leaf identification distribution on all data blocks in the data request, and determining a leaf identification corresponding to each data block, wherein the leaf identification is used for marking the storage position of the data block written back to a cloud server;
Determining access paths corresponding to the data blocks according to the leaf identifications corresponding to the data blocks, and constructing an access path set based on all the acquired access paths;
selecting and downloading nodes to be accessed from an ORAM tree of a cloud server based on the access path set, storing data of the nodes to be accessed into an initial linked list array, and downloading hash values corresponding to the nodes to be accessed from a hash verification tree of the cloud server, wherein the hash verification tree corresponds to the nodes of the ORAM tree one by one;
based on the hash value corresponding to each node to be accessed, carrying out integrity verification on the initial linked list array to obtain a verification result;
when the verification result is that the integrity verification is passed, storing the data blocks into positions corresponding to the initial linked list arrays based on the leaf identifiers corresponding to the data blocks to obtain target linked list arrays;
carrying out hash value calculation on each hash node in the target linked list array to obtain a hash value corresponding to each hash node;
writing the target linked list array back to the cloud server, updating hash values corresponding to all the hash nodes, and then writing the hash values back to a hash verification tree of the cloud server;
Wherein the step of selecting and downloading nodes to be accessed from the ORAM tree of the cloud server based on the access path set comprises:
carrying out character serialization on each access path in the access path set to obtain a path character string corresponding to each access path;
constructing a path character string set based on all the acquired path character strings;
selecting two target path character strings from the path character string set to perform AND or calculation, wherein the obtained value is used as a path of a tree node; constructing tree nodes according to the obtained paths of all the tree nodes, and adding the constructed tree nodes into a tree node set until the path character string set is traversed;
obtaining a target node and child nodes of the target node from a hash verification tree of a cloud server, wherein the target node and tree nodes of the tree node set are in one-to-one relation;
adding the target node and the child nodes of the target node into a hash node set to be detected;
and selecting and downloading nodes to be accessed from the ORAM tree of the cloud server, wherein the nodes to be accessed and the nodes in the hash node set to be detected are in one-to-one relation.
2. The path+oram-based multipath cache write-back method as claimed in claim 1, wherein said step of performing integrity verification on said initial linked list array based on the hash value corresponding to each node to be accessed, to obtain a verification result includes:
calculating the hash value of each target node according to a preset hash value calculation mode;
and carrying out integrity verification on the hash value corresponding to the root node and the root hash value of the cache region to obtain a verification result, wherein the root node is the root node in the hash node set to be detected, and the verification hash value stored by the root hash value client of the cache region.
3. The path+oram-based multipath cache write-back method of claim 2, wherein the step of calculating the hash value of each target node according to a preset hash value calculation manner includes:
the hash value for each target node is calculated according to the following formula:
H i =Hash((B i ^f)||H 2i+1 ||H 2i+2 )
wherein H is i Refers to the ith target node, i is a positive integer, B i Refers to the ith data bucket, H, on the ORAM tree 2i+1 Refers to 2i+1st node, H on hash verification tree 2i+2 Refers to 2i+2th node, H, on the hash verification tree 2i+1 And H 2i+2 Is H i F is used to represent B i Whether or not to contain the real data tuple, when B i Containing the real data tuple, f=1, otherwise f=0.
4. The path+oram-based multipath cache write-back method of claim 2, wherein after the writing back of the target linked list array to the cloud server and the updating of hash values corresponding to all the hash nodes to the hash verification tree of the cloud server, the method further comprises:
and storing the hash value corresponding to the root node in the target linked list array as a verification hash value to the client.
5. The multipath cache write-back device based on the Path+ORAM is characterized by comprising:
the system comprises a leaf identifier distribution module, a cloud server and a cloud server, wherein the leaf identifier distribution module is used for distributing leaf identifiers of all data blocks in a data request when a user initiates the data request, and determining a leaf identifier corresponding to each data block, wherein the leaf identifier is used for marking the data block to be written back to the storage position of the cloud server;
the access path set construction module is used for determining the access path corresponding to each data block according to the leaf identifier corresponding to each data block and constructing an access path set based on all the acquired access paths;
The node to be accessed determining module is used for selecting and downloading nodes to be accessed from an ORAM tree of a cloud server based on the access path set, storing data of the nodes to be accessed into an initial linked list array, and downloading hash values corresponding to the nodes to be accessed from a hash verification tree of the cloud server, wherein the hash verification tree corresponds to the nodes of the ORAM tree one by one;
the integrity verification module is used for carrying out integrity verification on the initial linked list array based on the hash value corresponding to each node to be accessed to obtain a verification result;
the storage module is used for storing the data blocks into the positions corresponding to the initial linked list arrays based on the leaf identifiers corresponding to the data blocks when the verification result is that the integrity verification is passed, so as to obtain target linked list arrays;
the hash calculation module is used for calculating hash values of each hash node in the target linked list array to obtain a hash value corresponding to each hash node;
the write-back module is used for writing back the target linked list array to the cloud server and writing back hash values corresponding to all the hash nodes to a hash verification tree of the cloud server;
The node to be accessed determining module comprises:
the path character string determining unit is used for carrying out character serialization on each access path in the access path set to obtain a path character string corresponding to each access path;
the path character string set construction unit is used for constructing a path character string set based on all the acquired path character strings;
a tree node set determining unit, configured to select two target path strings from the path string set to perform an and or calculation, where the obtained value is used as a path of a tree node; constructing tree nodes according to the obtained paths of all the tree nodes, and adding the constructed tree nodes into a tree node set until the path character string set is traversed;
the node to be accessed determining unit is used for acquiring a target node and child nodes of the target node from a hash verification tree of a cloud server, wherein the target node and tree nodes of the tree node set are in one-to-one relation;
adding the target node and the child nodes of the target node into a hash node set to be detected;
and selecting and downloading nodes to be accessed from the ORAM tree of the cloud server, wherein the nodes to be accessed and the nodes in the hash node set to be detected are in one-to-one relation.
6. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the path+oram based multipath cache write back method of any of claims 1 to 4 when the computer program is executed.
7. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements a path+oram based multipath cache write back method as claimed in any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311333876.3A CN117094037B (en) | 2023-10-16 | 2023-10-16 | Path+ORAM-based multipath cache write-back method and device and related equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311333876.3A CN117094037B (en) | 2023-10-16 | 2023-10-16 | Path+ORAM-based multipath cache write-back method and device and related equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117094037A CN117094037A (en) | 2023-11-21 |
| CN117094037B true CN117094037B (en) | 2024-01-05 |
Family
ID=88770134
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311333876.3A Active CN117094037B (en) | 2023-10-16 | 2023-10-16 | Path+ORAM-based multipath cache write-back method and device and related equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117094037B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117349801B (en) * | 2023-12-04 | 2024-02-13 | 南京磐数志星科技有限公司 | Privacy calculation method, device, medium and electronic equipment |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101976322A (en) * | 2010-11-11 | 2011-02-16 | 清华大学 | Safety metadata management method based on integrality checking |
| US9715546B1 (en) * | 2016-02-18 | 2017-07-25 | Yahoo! Inc. | Method and system for searching encrypted data |
| CN109586896A (en) * | 2018-11-14 | 2019-04-05 | 陕西师范大学 | A kind of data integrity verification method based on Hash prefix trees |
| CN110287262A (en) * | 2019-06-28 | 2019-09-27 | 中国科学技术大学 | The bit coin Transaction Inquiries method of effective protection privacy of user |
| CN112182615A (en) * | 2020-09-29 | 2021-01-05 | 北京电子科技学院 | Cloud computing key protection system based on SGX and ORAM technology |
| WO2021114918A1 (en) * | 2019-12-13 | 2021-06-17 | 华为技术有限公司 | Integrity checking method and apparatus, terminal device and verification server |
| CN113722366A (en) * | 2021-09-14 | 2021-11-30 | 长沙理工大学 | Safety data retrieval method based on reverse index of oblivious ciphertext |
-
2023
- 2023-10-16 CN CN202311333876.3A patent/CN117094037B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101976322A (en) * | 2010-11-11 | 2011-02-16 | 清华大学 | Safety metadata management method based on integrality checking |
| US9715546B1 (en) * | 2016-02-18 | 2017-07-25 | Yahoo! Inc. | Method and system for searching encrypted data |
| CN109586896A (en) * | 2018-11-14 | 2019-04-05 | 陕西师范大学 | A kind of data integrity verification method based on Hash prefix trees |
| CN110287262A (en) * | 2019-06-28 | 2019-09-27 | 中国科学技术大学 | The bit coin Transaction Inquiries method of effective protection privacy of user |
| WO2021114918A1 (en) * | 2019-12-13 | 2021-06-17 | 华为技术有限公司 | Integrity checking method and apparatus, terminal device and verification server |
| CN112182615A (en) * | 2020-09-29 | 2021-01-05 | 北京电子科技学院 | Cloud computing key protection system based on SGX and ORAM technology |
| CN113722366A (en) * | 2021-09-14 | 2021-11-30 | 长沙理工大学 | Safety data retrieval method based on reverse index of oblivious ciphertext |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117094037A (en) | 2023-11-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN117094037B (en) | Path+ORAM-based multipath cache write-back method and device and related equipment | |
| CN107633088B (en) | File management method and device | |
| CN111400308B (en) | Processing method of cache data, electronic device and readable storage medium | |
| CN103064797B (en) | Data processing method and virtual machine management platform | |
| CN112765271A (en) | Block chain transaction index storage method and device, computer equipment and medium | |
| US10891074B2 (en) | Key-value storage device supporting snapshot function and operating method thereof | |
| CN110799961B (en) | System and method for creating and deleting tenants in database | |
| CN109460406B (en) | Data processing method and device | |
| CN110413711B (en) | Differential data acquisition method and storage medium thereof | |
| CN108881261B (en) | Service authentication method and system based on block chain technology in container environment | |
| CN108108633B (en) | Data file and access method, device and equipment thereof | |
| CN110352410B (en) | Tracking access patterns of index nodes and pre-fetching index nodes | |
| CN111803917A (en) | Resource processing method and device | |
| CN112988055A (en) | Machine including key-value store and method of operating key-value store | |
| CN104767761A (en) | Cloud storage platform access control method and device | |
| CN114691617A (en) | Intelligent terminal data compression redundancy-prevention interaction method and device and related components | |
| CN116842012A (en) | Method, device, equipment and storage medium for storing Redis cluster in fragments | |
| CN111382179A (en) | Data processing method and device and electronic equipment | |
| CN113419687B (en) | Object storage method, system, equipment and storage medium | |
| CN113076086B (en) | Metadata management system and method for modeling model object using the same | |
| CN112036133B (en) | File storage method and device, electronic equipment and storage medium | |
| WO2019047142A1 (en) | Method for program patching, device, micro control unit, and terminal device | |
| CN114443583A (en) | Method, device and equipment for arranging fragment space and storage medium | |
| CN113672162A (en) | Data storage method, device and equipment | |
| CN115221360A (en) | Tree structure configuration method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |