CN102710757B

CN102710757B - Distributed cloud storage data integrity protection method

Info

Publication number: CN102710757B
Application number: CN201210159546.2A
Authority: CN
Inventors: 毛剑; 徐先栋; 刘建伟; 张晏; 李坤; 修春娣
Original assignee: Beihang University
Current assignee: Beihang University
Priority date: 2012-05-21
Filing date: 2012-05-21
Publication date: 2014-11-05
Anticipated expiration: 2032-05-21
Also published as: CN102710757A

Abstract

A distributed cloud storage data integrity protection method, the method has seven steps: Step 1: Data segmentation and encoding {F→M}; Step 2: Generation of homomorphic label HVTs {(sk,F)→HVTs} ; Step 3: Remote storage of data {(M ^(j) ,HVT)→S _j }; Step 4: User initiates a challenge {chal}; Step 5: Server responds {R}; Step 6: Verification {(R, sk)→("success", "failure")}; Step 7: Data repair {(M ^* ,P)→F}. In the present invention, the user adopts random data block sampling to reduce communication overhead, adopts linear coding to realize data error location and error recovery, and the number of times of data possession verification is not limited, the verification confidence is high, and it is safe and reliable. It has good practical value and broad application prospects in the field of cloud computing security technology.

Description

A distributed cloud storage data integrity protection method

（一）技术领域 (1) Technical field

本发明涉及一种分布式云存储数据完整性保护方法，它也是一种用于验证存储于云服务器中的用户数据完整性并且可进行数据纠错的方法，属于云计算安全领域。The invention relates to a distributed cloud storage data integrity protection method, which is also a method for verifying the integrity of user data stored in a cloud server and performing data error correction, and belongs to the field of cloud computing security.

（二）背景技术 (2) Background technology

Internet网络应用技术快速发展普及，加之Web2.0的发展导致网络用户和网络数据量高速增长，用户对数据的处理能力提出了更高的要求，云计算的特点迎合了这些需求。云计算为用户存储提供了极大的方便，用户不必再关心复杂的硬件管理。The rapid development and popularization of Internet network application technology, coupled with the development of Web2.0 has led to the rapid growth of network users and network data volume, and users have put forward higher requirements for data processing capabilities. The characteristics of cloud computing cater to these needs. Cloud computing provides great convenience for user storage, and users no longer need to care about complicated hardware management.

尽管云计算有这些吸引人的优势，但它也给数据保护带来了新的安全挑战与威胁：首先，由于用户物理上不再拥有他们的数据，传统的用于数据保护的加密不能直接被采用。因此就需要能够验证数据正确存储的方法，考虑到云中大量的用户和大量的数据，对云计算中的数据存储安全来说，如何有效验证外包数据的正确性是一个巨大的挑战。其次，虽然云计算下的设施比个人计算设备更加强大和可靠，但它们仍然面临内部和外部的数据完整性威胁，大量觊觎云端数据的黑客们不停的挖掘着服务商Web应用上的漏洞，以期望打开缺口，获得有价值的数据。最后，具有数据优先访问权的并不是用户自己，而是云计算服务商。由于利益问题，云服务供应商对用户的数据就可能存在不诚实行为。Although cloud computing has these attractive advantages, it also brings new security challenges and threats to data protection: First, because users no longer physically own their data, traditional encryption for data protection cannot be directly use. Therefore, a method that can verify the correct storage of data is needed. Considering a large number of users and a large amount of data in the cloud, how to effectively verify the correctness of outsourced data is a huge challenge for data storage security in cloud computing. Secondly, although cloud computing facilities are more powerful and reliable than personal computing devices, they still face internal and external data integrity threats. A large number of hackers coveting cloud data are constantly digging for loopholes in service providers' Web applications. Open the gap with expectations and get valuable data. Finally, it is not the users themselves who have priority access to data, but the cloud computing service provider. Due to interest issues, cloud service providers may act dishonestly with user data.

因此，在云计算的实际应用中，设计能够保证数据正确存储的健壮安全的方案尤为重要。对云存储这种海量数据存储，我们一方面要考虑到数据的持有性验证的高效和低开销，另一方面要考虑到数据一旦存储出错可以采取的应对措施。基于此考虑，我们发明了本方法，涉及的主要技术为Goppa纠错编码，基于椭圆曲线的签名技术，Paillier加性同态加密算法。Therefore, in the practical application of cloud computing, it is particularly important to design a robust and secure solution that can ensure the correct storage of data. For mass data storage such as cloud storage, on the one hand, we must consider the high efficiency and low overhead of data possession verification, and on the other hand, we must consider the countermeasures that can be taken in case of data storage errors. Based on this consideration, we invented this method. The main technologies involved are Goppa error correction coding, signature technology based on elliptic curve, and Paillier additive homomorphic encryption algorithm.

首先，Goppa码是20世纪70年代初俄国学者Goppa系统构造出的一类有理分式码。它是一类重要的线性纠错码，其最主要的优点是它的某些子类能够达到Shannon信道编码定理所给的性能，并且有快速译码算法。特别是它的不等价码类数目很大，于是，在1978年，McElice用Goppa码构造了一类公钥密码体制，自此开始了用纠错码构造密码体制及各种认证码。因此无论在实际中还是理论上，也无论在是在差错控制系统还是在密码中，Goppa码都具有重要意义。其定义如下：设0<n≤q^m,L={a₀,a₁,…a_n-1}是一个有序集合，a_i∈GF(q^m)且互不相等，又设GF(q)上的n维空间GFⁿ(q)，码字C=[c_n-1c_n-2...c₀]∈GFⁿ(q)，与C对于的GF(q^m)上的z有理式为此时，Goppa码的生成多项式g(z)满足：{C;R_c(z)=0modg(z)}。First, Goppa codes are a class of rational fractional codes constructed by the Russian scholar Goppa system in the early 1970s. It is an important class of linear error-correcting codes, and its main advantage is that some of its subclasses can achieve the performance given by Shannon's channel coding theorem, and it has a fast decoding algorithm. In particular, the number of its unequal codes is very large, so, in 1978, McElice used Goppa codes to construct a class of public-key cryptosystems, and since then began to use error-correcting codes to construct cryptosystems and various authentication codes. Therefore, no matter in practice or theory, and no matter in error control system or in cipher, Goppa code is of great significance. Its definition is as follows: Suppose 0<n≤q ^m , L={a ₀ ,a ₁ ,…a _n-1 } is an ordered set, a _i ∈GF(q ^m ) and not equal to each other, and let GF( In the n-dimensional space GF ⁿ (q) on q), the code word C=[c _n-1 c _n-2 ...c ₀ ]∈GF ⁿ (q), and C on GF(q ^m ) The rational expression of z is At this point, the generator polynomial g(z) of the Goppa code satisfies: {C; R _c (z)=0modg(z)}.

其次，Paillier密码算法满足加法同态的性质，即对于数据m∈Z_n，用公钥n和生成元g进行加密的结果为：ε(m)=g^mrⁿmodn²，其中r为随机数，其同态的性质为：Secondly, the Paillier cryptographic algorithm satisfies the property of additive homomorphism, that is, for data m∈Z _n , the encrypted result with public key n and generator g is: ε(m)=g ^m r ⁿ mod n ² , where r is random number, its homomorphic properties are:

$ϵ ϵ (({m m}_{11})) \cdot \cdot ϵ ϵ (({m m}_{22})) = = (({g g}^{{m m}_{11}} {r r}^{n no})) (({g g}^{{m m}_{22}} {r r}^{n no})) = = {g g}^{{m m}_{11} + + {m m}_{22}} {(({r r}_{11} {r r}_{22}))}^{n no} = = ϵ ϵ (({m m}_{11} + + {m m}_{22} mod mod n no)) . .$

最后，椭圆曲线密码（Elliptic curve cryptography，缩写为ECC）为密码学里运用最为广泛的公钥密码体制。ECC的主要优势是在某些情况下它比其他的方法使用更小的密钥（比如RSA加密算法），提供相当的或更高等级的安全。其安全性建立在椭圆曲线上的离散对数问题，即在椭圆曲线构成的Abel群E_p(a,b)上考虑方程Q=kP，其中P,Q∈E_p(a,b),k<p,则由k和P易求Q,但是由P、Q求k则是困难的。Finally, Elliptic curve cryptography (ECC for short) is the most widely used public key cryptosystem in cryptography. The main advantage of ECC is that in some cases it uses smaller keys than other methods (such as the RSA encryption algorithm), providing an equivalent or higher level of security. Its security is based on the discrete logarithm problem on the elliptic curve, that is, the equation Q=kP is considered on the Abel group E _p (a, b) composed of the elliptic curve, where P, Q∈E _p (a, b), k < p, then it is easy to find Q from k and P, but it is difficult to find k from P and Q.

（三）发明内容 (3) Contents of the invention

（1）发明目的(1) Purpose of the invention

本发明的目的是提出供一种分布式云存储数据完整性保护方法，它克服了现有技术的不足。可用于解决云存储环境中用户对远端数据的保护和控制，其实现了用户对其存储在云服务器中数据的完整性和持有型的验证，该发明有验证次数不受限制，验证时采用随机抽取数据块，数据存储出错时错误定位和错误恢复的功能。The purpose of the present invention is to provide a distributed cloud storage data integrity protection method, which overcomes the shortcomings of the prior art. It can be used to solve the protection and control of remote data by users in the cloud storage environment. It realizes the verification of the integrity and ownership of the data stored in the cloud server by the user. The invention has an unlimited number of verifications. Using random data block extraction, error location and error recovery functions when data storage errors.

（2）技术方案(2) Technical solution

为了达到上述目的，本发明结合了Goppa纠错编码技术，椭圆曲线密码技术和Paillier同态加密技术,其技术方案如下。In order to achieve the above object, the present invention combines Goppa error correction coding technology, elliptic curve cryptographic technology and Paillier homomorphic encryption technology, and its technical scheme is as follows.

本发明包括两个实体，用户（User）和云服务提供商（CSP）。以下将结合附图对所述的持有性验证的技术方案进行阐述，图1为本发明流程框图；图2为数据预处理后的分布存储示意图；图3为挑战-响应机制交互图。The present invention includes two entities, a user (User) and a cloud service provider (CSP). The technical solution for possession verification will be described below in conjunction with the accompanying drawings. Figure 1 is a flow chart of the present invention; Figure 2 is a schematic diagram of distributed storage after data preprocessing; Figure 3 is a challenge-response mechanism interaction diagram.

如图1，本发明共包括7步，按照执行阶段其可分为初始化、挑战-响应和交互操作三个阶段。As shown in Fig. 1, the present invention includes 7 steps in total, which can be divided into three stages of initialization, challenge-response and interactive operation according to the execution stage.

本发明是一种分布式云存储数据完整性保护方法，该方法具体步骤如下：The present invention is a distributed cloud storage data integrity protection method, the specific steps of the method are as follows:

阶段1：初始化：包括第(1)~(3)步,数据块F的拥有者执行数据分割和编码{F→M}操作，同态标签（HVTs）的生成{(sk,F)→HVTs}操作,然后将编码数据M和同态标签HVTs外包到云端服务器进行存储和管理，用户需严格保证私钥的安全。Phase 1: Initialization: including steps (1)~(3), the owner of the data block F performs data segmentation and encoding {F→M} operations, and the generation of homomorphic tags (HVTs) {(sk,F)→HVTs } operation, and then outsource the coded data M and homomorphic label HVTs to the cloud server for storage and management, and the user must strictly ensure the security of the private key.

步骤1：数据分割与编码{F→M}:User首先对原始数据F（以文件的形式存在）进行预处理生成存储数据M。F被分割成m个等大小的数据块{F₁,F₂,…,F_m}，每一个数据块进一步被分割成l部分接着我们对其进行编码处理，方案中采用Goppa码编码方案对原始数据F进行编码处理，生成编码数据M，最后用户（User）外包编码数据M至云端CSP进行存储和管理；Step 1: Data segmentation and encoding {F→M}: User first preprocesses the original data F (existing in the form of files) to generate storage data M. F is divided into m data blocks of equal size {F ₁ , F ₂ ,...,F _m }, and each data block is further divided into l parts Then we encode it. In the scheme, the Goppa code encoding scheme is used to encode the original data F to generate the encoded data M. Finally, the user (User) outsources the encoded data M to the cloud CSP for storage and management;

步骤2：同态标签（Homomorphic Verifiable Tags(HVTs)）的生成{(sk,F)→HVTs}:对于每一个数据块基于同态加密算法，我们根据设定的安全参数为其计算同态标签，我们所生成的同态标签具有加法同态的性质；Step 2: Generation of Homomorphic Verifiable Tags (HVTs) {(sk,F)→HVTs}: For each data block Based on the homomorphic encryption algorithm, we calculate the homomorphic label for it according to the set security parameters, and the homomorphic label we generate has the property of additive homomorphism;

步骤3：数据的远程存储{(M^(j),HVT)→S_j}:用户将同态标签和数据块M^(j)一起存入第j个服务器，类似地，其它数据库则存储至其它的n个服务器中。用户则自己存储私钥和一些随机数。Step 3: Remote storage of data {(M ^(j) ,HVT)→S _j }: the user assigns the homomorphic label It is stored in the jth server together with the data block M ^(j) , and similarly, other databases are stored in other n servers. Users store private keys and some random numbers themselves.

阶段2：挑战-响应:包括第(4)~(6)步,用户生成挑战，指定其要检测的随机数据块，根据用户挑战，云服务器通过执行生成证据（GenProof）{(chal,HVTs,M)→R}操作作出响应。最后用户通过执行验证{(R,sk)→("success","failure")}操作，作出最后的数据检测结果判断。Phase 2: Challenge-Response: Including steps (4)~(6), the user generates a challenge and specifies the random data block to be detected. According to the user challenge, the cloud server executes GenProof {(chal, HVTs, M)→R} operation to respond. Finally, the user makes the final data detection result judgment by performing the verification {(R, sk)→("success","failure")} operation.

步骤4：用户发起挑战{chal}：当用户想要验证服务器S_j是否正确持有数据的时，用户向其发出挑战：用户生成一个挑战chal，发送给服务器S_j；Step 4: The user initiates a challenge {chal}: when the user wants to verify whether the server S _j holds data correctly, the user sends a challenge to it: the user generates a challenge chal and sends it to the server S _j ;

步骤5：服务器作出响应：生成证据（GenProof）{(chal,HVTs,M)→R}:当服务器收到挑战chal时，存储数据块M^(j)的服务器需要产生一个证据R=(T,ρ)。之后，服务器将R返回给用户；Step 5: The server responds: GenProof (GenProof) {(chal, HVTs, M)→R}: When the server receives the challenge chal, the server storing the data block M ^(j) needs to generate a proof R=(T, ρ). After that, the server returns R to the user;

步骤6：验证{(R,sk)→("success","failure")}：当用户收到服务器返回的R时，利用自己的私钥sk进行运算，从而对其服务器存储的数据状态进行判断，结果为“success”或者“failure”。Step 6: Verification {(R,sk)→("success","failure")}: When the user receives the R returned by the server, he uses his private key sk to perform calculations, thereby performing an operation on the data state stored in the server Judgment, the result is "success" or "failure".

阶段3：交互操作：包括第(7)步，如果验证{(R,sk)→("success","failure")}操作的输出结果为“failure”,用户则要求CSP进行数据恢复操作，这可能会需要双方之间的交互。普通情况下,用户可将数据M下载下来，然后执行修复{(M^*,P)→F}即可恢复出原数据。Phase 3: Interactive operation: including step (7), if the output result of the verification {(R,sk)→("success","failure")} operation is "failure", the user requires the CSP to perform data recovery operations, This may require interaction between the two parties. Under normal circumstances, the user can download the data M, and then perform repair {(M ^* ,P)→F} to restore the original data.

步骤7：数据修复{(M^*,P)→F}:如果检测到数据损坏，我们就可确定存储该数据块的服务器S_j出现的存储错误，这时可利用预处理时采用的纠错码进行数据恢复，对损坏数据M^*和P进行译码即可恢复出原数据F。Step 7: Data repair {(M ^* ,P)→F}: If data corruption is detected, we can determine the storage error occurred on the server S _j storing the data block, at this time, the error correction adopted in preprocessing can be used The original data F can be restored by decoding the damaged data M ^* and P.

（3）优点及功效(3) Advantages and effects

本发明一种分布式云存储数据完整性保护方法，该方法涉及数据的编码，数据验证和数据的恢复方面，其优点和功效是：1）用户的本地量存储小，用户只需存储编码生成矩阵和私钥就可以对数据的持有性验证；2）交互数据量小，用户发出的挑战和服务器作出的响应的通信量固定的，与存储数据大小无关；3）用户可发起的持有性验证挑战次数不受限制；4）采用随机抽样计算校验块的方法，在减小服务器计算开销的同时，仍可保证检查的高置信度；5）采用线性纠错编码技术预处理存储数据实现了数据错误定位和错误纠正。The present invention is a distributed cloud storage data integrity protection method, the method involves data encoding, data verification and data recovery, its advantages and effects are: 1) the user's local storage is small, and the user only needs to store the code to generate The matrix and the private key can verify the possession of the data; 2) The amount of interactive data is small, the communication volume of the challenge sent by the user and the response made by the server is fixed, and has nothing to do with the size of the stored data; 3) The user can initiate the holding The number of verification challenges is not limited; 4) The method of calculating the check block by random sampling can ensure the high confidence of the check while reducing the computing cost of the server; 5) The linear error correction coding technology is used to preprocess the stored data Data error location and error correction are realized.

（四）附图说明 (4) Description of drawings

图1为本发明流程框图；Fig. 1 is a flow chart of the present invention;

图2数据预处理及分布存储图；Figure 2 Data preprocessing and distribution storage diagram;

图3挑战-响应机制流程图；Figure 3 Challenge-response mechanism flow chart;

图中符号说明如下：The symbols in the figure are explained as follows:

在图1中，数字1,2,3,4,5,6,7代表各个步骤的序号，F代表原文件，M代表编码后的文件；In Figure 1, numbers 1, 2, 3, 4, 5, 6, and 7 represent the serial numbers of each step, F represents the original file, and M represents the encoded file;

在图2中，M^(j)表示编码后的数据，表示将M^(j)分块后的每一块数据，S_i代表第i个服务器，chal表示用户生成的挑战，R^(j)表示服务器S_j的响应；In Fig. 2, M ^(j) represents the encoded data, Indicates each block of data after M ^(j) is divided into blocks, S _i represents the i-th server, chal represents the challenge generated by the user, and R ^(j) represents the response of server S _j ;

（五）具体实施方式 (5) Specific implementation methods

以下将结合附图对所述的完整性保护方法详细阐述，图1为本发明流程框图；图2为本发明数据预处理后的分布存储示意图；图3为本发明挑战-响应机制交互图。The integrity protection method described below will be described in detail with reference to the accompanying drawings. Fig. 1 is a flow chart of the present invention; Fig. 2 is a schematic diagram of distributed storage after data preprocessing in the present invention; Fig. 3 is an interactive diagram of the challenge-response mechanism of the present invention.

主要的符号及算法解释：Main symbols and algorithm explanations:

（1）F代表用户原数据，M为编码后的数据，包含n×l个数据块。为第j个数据向量的第i块，它将被存储到服务器S_j·G^*=(I_(n-r)×(n-r)|P^T)代表Goppa码的生成矩阵，其中P为冗余校验块生成矩阵；M^*代表了服务器中存储出错的数据块。(1) F represents the user's original data, and M represents the encoded data, including n×l data blocks. is the i-th block of the j-th data vector, it will be stored in the server S _j G ^* = (I _(nr)×(nr) |P ^T ) represents the generation matrix of the Goppa code, where P is the redundancy check Block generation matrix; M ^* represents the data blocks stored in the server with errors.

（2）E()和D()为分别为paillier密码算法的加密算法和解密算法，k₁为其公钥，k₂为其私钥，N为模数，paillier加密算法满足加法同态的性质。(2) E() and D() are the encryption algorithm and decryption algorithm of the Paillier encryption algorithm respectively, k ₁ is its public key, k ₂ is its private key, N is the modulus, and the Paillier encryption algorithm satisfies the additive homomorphism nature.

（3）G为椭圆曲线E_P(a,b)的生成元，其中大素数p<N，P=yG，P表示在挑战中的公开参数，y为用户产生的保密参数；(3) G is the generator of the elliptic curve E _P (a,b), where the large prime number p<N, P=yG, P represents the public parameters in the challenge, and y is the confidential parameter generated by the user;

（4）π(·)是一个伪随机置换(pseudorandom permutation，PRP)函数，即满足 $π : {0,1}^{k_{3}} \times {0,1}^{\log_{2} (n)} &RightArrow; {0,1}^{\log_{2} (n)};$ 其中k₃为其密钥，用于确定每次随机抽取的数据块的位置。(4) π( ) is a pseudorandom permutation (PRP) function, which satisfies $π : {0,1}^{k_{3}} \times {0,1}^{\log_{2} (no)} &Right Arrow; {0,1}^{\log_{2} (no)};$ Among them, k ₃ is its key, which is used to determine the position of the data block randomly drawn each time.

（5）为保密的随机数，p为（3）中设定的大素数，可以由带密钥的伪随机发生器产生，为用户的保密参数；(5) is a confidential random number, p is a large prime number set in (3), It can be generated by a pseudo-random generator with a key, which is the user's confidentiality parameter;

本发明可分为初始化、挑战-响应、交互操作三个阶段。见图1，本发明一种分布式云存储数据完整性保护方法，该方法具体步骤如下：The present invention can be divided into three stages of initialization, challenge-response, and interactive operation. See Fig. 1, a kind of distributed cloud storage data integrity protection method of the present invention, the concrete steps of this method are as follows:

1.初始化阶段1. Initialization phase

本阶段中，数据的分割，编码和分布式存储如图2所示。In this stage, data segmentation, encoding and distributed storage are shown in Figure 2.

步骤1：数据分块与编码：Step 1: Data chunking and encoding:

（1）用户将要存储到云端的数据文件F分割成l×m块，每一块都可表示为伽罗华域中的元素GF(p)，其中p为大素数。用矩阵表即为：(1) The user divides the data file F to be stored in the cloud into l×m blocks, and each block can be expressed as an element GF(p) in the Galois field, where p is a large prime number. Using a matrix table is:

（2）采用Goppa码对原数据进行编码，编码后变为l×n块，其最小码距为d_min≥r+1，即其检错能力为r，纠错能力为(d_min-1)/2。编码后数据即为：(2) Use the Goppa code to encode the original data, and after encoding, it becomes l×n blocks, and its minimum code distance is d _min ≥ r+1, that is, its error detection ability is r, and its error correction ability is (d _min -1 )/2. The encoded data is:

其中G^*为Goppa码的生成矩阵。Among them, G ^* is the generating matrix of Goppa code.

步骤2：同态标签HVT的生成：Step 2: Generation of homomorphic label HVT:

（1）设置相关参数。用户选择一条椭圆曲线E_p(a,b)，取其生成元为G；设置Paillier加密算法的公钥为k₁=(n,g)，私钥为k₂=(λ，μ)；选择伪随机置换函数π(·)；生成随机整数并且用户需要为其保密。(1) Set relevant parameters. The user selects an elliptic curve E _p (a,b), and takes its generator as G; sets the public key of the Paillier encryption algorithm as k ₁ =(n,g), and the private key as k ₂ =(λ,μ); choose Pseudorandom permutation function π( ); generates random integers And users need to keep it confidential.

（2）用户为编码后的每个数据块生成同态标签 $T_{i}^{(j)} = E_{k_{1}} (x_{i}^{(j)} + f_{i}^{(j)}) \mod N^{2},$ 其中，表示采用Paillier密码算法的公钥k₁=(n,g)进行加密。所以，编码矩阵中每一列数据的同态标签为 $(T_{1}^{(j)}, T_{2}^{(j)}, \cdot \cdot \cdot, T_{l}^{(j)}) .$ (2) The user codes each data block Generate homomorphic tags $T_{i}^{(j)} = {E.}_{k_{1}} (x_{i}^{(j)} + f_{i}^{(j)}) \mod N^{2},$ in, Indicates that the public key k ₁ =(n,g) of the Paillier cryptographic algorithm is used for encryption. Therefore, the homomorphic label of each column of data in the encoding matrix is $(T_{1}^{(j)}, T_{2}^{(j)}, &Center Dot; \cdot \cdot, T_{l}^{(j)}) .$

步骤3：数据的远程存储：Step 3: Remote storage of data:

如图2所示，用户将同态标签和数据块M^(j)一起存入第j个服务器S_j，用户则自己存储私钥和随机数 As shown in Figure 2, the user assigns the homomorphic label It is stored in the jth server S _j together with the data block M ^(j) , and the user stores the private key and random number by himself

2.挑战-响应阶段2. Challenge-response phase

本阶段中，用户和服务器的交互操作流程如图3所示。In this stage, the interactive operation process between the user and the server is shown in Figure 3.

步骤4：用户发起挑战：Step 4: User initiates a challenge:

当用户想要验证服务器S_j是否正确持有数据的时，用户向其发出挑战：用户生成一个挑战chal=(c,k₃)，发送给服务器S_j。其中，1≤c≤l，k₃为伪随机置换函数π(·)的密钥，P=yG。When the user wants to verify whether the server S _j holds data correctly, the user sends a challenge to it: the user generates a challenge chal=(c,k ₃ ) and sends it to the server S _j . Among them, 1≤c≤l, k ₃ is the key of the pseudo-random permutation function π(·), P=yG.

步骤5：服务器作出响应：Step 5: The server responds:

（1）服务器S_j根据挑战chal，对于每一个1≤r≤c进行如下计算：(1) Server S _j performs the following calculation for each 1≤r≤c according to the challenge chal:

${i i}_{r r} = = {π π}_{{k k}_{33}} ((r r))$

然后根据所得到的i_r，进行如下计算：Then according to the obtained i _r , perform the following calculation:

${T T}^{((j j))} = = {T T}_{{f f}_{{i i}_{11}}}^{((j j))} . . . . . . . . . . . . {T T}_{{f f}_{ic ic}}^{((j j))} mod mod {N N}^{22}$

${ρ ρ}^{((j j))} = = (({f f}_{{i i}_{11}}^{((j j))} + + {f f}_{{i i}_{22}}^{((j j))} + + \cdot \cdot \cdot \cdot \cdot \cdot + + {f f}_{{i i}_{c c}}^{((j j))})) P P mod mod N N$

（2）服务器S_j将计算的证据(T^(j),ρ^(j))返回给用户。(2) The server S _j returns the calculated evidence (T ^(j) , ρ ^(j) ) to the user.

步骤6：用户验证服务器返回的证据：Step 6: The user verifies the evidence returned by the server:

（1）用户收到服务器S_j返回的证据(T^(j),ρ^(j))后，执行如下操作：用私钥k₂=(n,g)依据Paillier密码算法对T^(j)进行解密得到对于每一个1≤r≤c计算然后依据i_r选择执行c次 $τ^{(j)} = τ^{(j)} - x_{i_{r}}^{(j)} \mod N,$ 得到 $τ^{(j)} = τ^{(j)} - x_{i_{r}}^{(j)} \mod N .$ (1) After receiving the evidence (T ^(j) ,ρ ^(j) ) returned by the server S _j , the user performs the following operations: use the private key k ₂ =(n,g ⁾ to perform Decrypt to get For every 1≤r≤c compute Then select according to i _r Execute c times $τ^{(j)} = τ^{(j)} - x_{i_{r}}^{(j)} \mod N,$ get $τ^{(j)} = τ^{(j)} - x_{i_{r}}^{(j)} \mod N .$

（2）验证n·τ^(j)·G=ρ^(j)，若等式成立则验证成功，说明服务器S_j正确持有用户的数据；否则，则说明该服务器S_j数据存储出现了错误。(2) Verify that n·τ ^(j) ·G=ρ ^(j) , if the equation is established, the verification is successful, indicating that the server S _j correctly holds the user's data; otherwise, it indicates that the data storage of the server S _j has errors .

3.交互操作阶段3. Interactive operation stage

步骤7：数据恢复Step 7: Data Recovery

当用户检测到数据存储出错时，用户可要求从服务器上下载所有的数据，并通过Goppa码生成矩阵G^*对应的校验矩阵P对下载的数据进行纠错，恢复数据，然后将恢复之后的数据重新置于各服务器的对应位置。When the user detects a data storage error, the user can request to download all the data from the server, and correct the downloaded data through the parity check matrix P corresponding to the Goppa code generation matrix G ^* , restore the data, and then restore the data The data is relocated to the corresponding location on each server.

Claims

1. A distributed cloud storage data integrity protection method is characterized in that:

the notation and algorithm are explained as follows:

(1) f represents original user data, M is coded data and comprises n multiplied by l data blocks;is the ith block of the jth data vector, which is to be stored to the server S_j.G^*＝(I_(n-r)×(n-r)|P^T) Representing Goppa codesGenerating a matrix, wherein P is a redundancy check block generating matrix; m^*Representing the data block with error stored in the server;

(2) e () and D () are the encryption and decryption algorithms, respectively, of the paillier cipher algorithm, k₁For its public key, k₂The special encryption algorithm is a private key, N is a modulus, and the paillier encryption algorithm meets the property of addition homomorphism;

(3) g is an elliptic curve E_PA generator of (a, b), wherein a large prime number P < N, P ═ yG, P denotes a public parameter in the challenge, and y is a secret parameter generated by the user;

(4) π (-) is a pseudo-random permutation function, i.e., satisfiesWherein k is₃For its key, to determine the position of each randomly drawn data block;

(5)p is a large prime number set in (3) as a secret random number,generated by a pseudorandom generator with a secret key, which is a secret parameter of a user;

the method comprises the following specific steps:

1. initialization phase

Step 1: data blocking and encoding:

(1) a user divides a data file F to be stored in a cloud into l x m blocks, wherein each block is represented as an element GF (p) in a Galois field, and p is a large prime number; the matrix table is used as follows:

(2) the original data is coded by using Goppa code and becomes l multiplied by n blocks after being coded, and the minimum code distance is d_minR +1, i.e. the error detection capability is r, anderror capability is (d)_min-1)/2; the encoded data is:

wherein G is^*Generating a matrix for the Goppa code;

step 2: generation of homomorphic tag HVT:

(1) setting related parameters; the user selects an elliptic curve E_p(a, b), taking the generator as G; setting the public key of the Paillier encryption algorithm as k₁K as the private key (n, g)₂(λ, μ); selecting a pseudo-random permutation function pi (·); generating random integersAnd the user needs to keep his privacy;

(2) user is each data block after being codedGenerating homomorphic tagsWherein,public key k representing the use of the Paillier cryptographic algorithm₁Encrypting (n, g); therefore, the homomorphic label of each column of data in the coding matrix is

And step 3: remote storage of data:

as shown in FIG. 2, the user tags homomorphismAnd a data block M^(j)Stored together in the jth server S_jThe user thenSelf-storing private key and random number

2. Challenge-response phase

And 4, step 4: the user initiates a challenge:

when the user wants to authenticate the server S_jWhen the data is held correctly, the user challenges it: the user generates a challenge chal ═ (c, k)₃) Is sent to the server S_j(ii) a Wherein c is more than or equal to 1 and less than or equal to l, k₃A secret key that is a pseudo-random permutation function pi (·), P ═ yG;

and 5: the server responds:

(1) server S_jFrom the challenge chal, the following calculation is made for each 1 ≦ r ≦ c:

then according to the obtained i_rThe following calculation is performed:

<math> <mrow> <msup> <mi>T</mi> <mrow> <mo>(</mo> <mi>j</mi> <mo>)</mo> </mrow> </msup> <mo>&equiv;</mo> <msubsup> <mi>T</mi> <msub> <mi>f</mi> <msub> <mi>i</mi> <mn>1</mn> </msub> </msub> <mrow> <mo>(</mo> <mi>j</mi> <mo>)</mo> </mrow> </msubsup> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <mo>.</mo> <msubsup> <mi>T</mi> <msub> <mi>f</mi> <mi>ic</mi> </msub> <mrow> <mo>(</mo> <mi>j</mi> <mo>)</mo> </mrow> </msubsup> <mi>mod</mi> <msup> <mi>N</mi> <mn>2</mn> </msup> </mrow> </math>

(2) server S_jEvidence to be calculated (T)^(j),ρ^(j)) Returning to the user;

step 6: evidence returned by the user authentication server:

(1) user receives server S_jReturned evidence (T)^(j),ρ^(j)) Then, the following operations are performed: using a private key k₂Pair T (n, g) according to Paillier cipher algorithm^(j)Carry out decryption to obtainFor each 1 ≦ r ≦ c calculationThen according to i_rSelectingIs executed c times

To obtain

(2) Verification of n.tau^(j)·G＝ρ^(j)If the equality is established, the verification is successful, which indicates the server S_jCorrectly holding the data of the user; otherwise, the server S is indicated_jAn error occurs in data storage;

3. interaction phase

And 7: data recovery

When the user detects that the data storage is wrong, the user requests to download all data from the server, and a matrix G is generated through the Goppa code^*The corresponding check matrix P corrects the downloaded data and recoversAnd then, the recovered data is placed in the corresponding position of each server again.