
CN103425941B - The verification method of cloud storage data integrity, equipment and server - Google Patents

Publication number: CN103425941B
Authority: CN (China)
Prior art keywords: file, module, user, integrity, public key
Legal status: Active
Application number: CN201310330155.7A
Other languages: Chinese (zh)
Other versions: CN103425941A (en
Inventor: 刘, 唐春明, 王胜男, 张永强
Current Assignee: Age Of Security Polytron Technologies Inc; Guangzhou University
Original Assignee: Age Of Security Polytron Technologies Inc; Guangzhou University
Application filed by Age Of Security Polytron Technologies Inc, Guangzhou University
Priority to CN201310330155.7A
Publication of CN103425941A
Application granted
Publication of CN103425941B

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a method for verifying the integrity of cloud storage data, comprising: generating an identifier for a file to be stored, and encoding the file to obtain multiple module files; computing an authentication label for each module file using the user's public key and private key, and generating public authentication data for each authentication label; submitting the identifier, the module files and the authentication labels to the server; generating a file integrity query request, sending the query request to the server, and receiving the report information for the file that the server returns, which the server generates using the user's public key, the identifier, the module files and the authentication labels corresponding to the module files; and verifying the report information using the user's public key and the public authentication data. The invention also provides a corresponding verification device and verification server, and enables public verification of the integrity of cloud storage data.

Description

Method, device and server for verifying cloud storage data integrity

Technical field

The present invention relates to the technical field of cloud storage, and in particular to a method for verifying the integrity of cloud storage data, a device for verifying the integrity of cloud storage data, and a server for verifying the integrity of cloud storage data.

Background

Cloud storage is an emerging solution that places storage resources on the network for people to access. Compared with traditional storage methods, cloud storage has significant advantages in cost, scale and management. For example, when a customer's local storage is too small to hold a large number of data files, the customer does not need to upgrade hardware or other facilities; for a reasonable fee, the data can be stored in the cloud provided by a cloud storage service provider. Although the convenience of cloud storage is obvious, the accompanying security issues cannot be ignored: to save resources or for economic reasons, the server may delete or modify the files uploaded by users. For a prudent cloud storage user, it is therefore essential to verify the integrity of data files stored in the cloud.

Suppose the uploading user stores some data files in the cloud and deletes the local copies, and the files stored in the cloud are shared with other users, so that each user sharing these files should be able to verify their integrity independently. Or, in some special situations (such as on a train or a plane), the uploading user cannot personally verify the integrity of the data files stored in the cloud, and has to entrust a trusted party (a relative, friend or subordinate) to verify the integrity of the cloud-stored files on the user's behalf. In these situations, sending one's own private key to others so that they can verify the integrity of the data files stored in the cloud obviously carries a great security risk. It is therefore necessary to design a proof-of-storage scheme that supports public authentication to solve this security problem.

Ateniese et al. gave the first definition of a publicly verifiable scheme and formally described the proof-of-storage problem as the provable data storage (PDP) problem. However, the publicly verifiable PDP scheme they proposed is not ideal in terms of communication and computation efficiency on the cloud storage server side.

Juels and Kaliski proposed the first concept of proof of retrievability (POR) and gave a detailed description of a secure POR system. Put simply, in a secure POR system, if a cloud storage server can return a correct response to the user's query that the user accepts, then after the user and the server interact multiple times within polynomial time, the user can recover the original data file from the exchanged messages. The first scheme mentioned in the literature is not publicly verifiable (it supports only private-key authentication) and supports only a predefined constant number of authentications; the second scheme allows an unlimited number of public authentications, but requires the server to send O(l) authentication values during the authentication interaction.

Shacham and Waters likewise gave two effective POR schemes, of which the first supports only private-key authentication and the second is publicly verifiable, but the computation cost of both schemes on the user side and the cloud server side is relatively high.

In addition, using homomorphic cryptography, Xu Jia proposed several POR schemes, but these schemes also support only private-key authentication. Alptekin Kupcu proposed the first effective fully dynamic PDP scheme, in which users can update the files they have stored in the cloud and still authenticate the integrity of the files. But when their scheme is extended to support public verifiability, it incurs high computation and communication costs. Yuan Jiawei and Yu Shucheng also gave a publicly verifiable POR scheme; by using a secure polynomial commitment scheme, their scheme achieves a constant communication cost, but it requires the server to perform many exponentiation operations.

Summary of the invention

Based on this, the present invention provides a method, a verification device and a verification server for verifying the integrity of cloud storage data, capable of publicly verifying the integrity of cloud storage data.

A method for verifying cloud storage data integrity, comprising the following steps:

generating an identifier for a file to be stored, and encoding the file to obtain multiple module files;

computing an authentication label for each module file using the user's public key and private key, and generating public authentication data for each authentication label;

submitting the identifier, the module files and the authentication labels to the server;

generating a file integrity query request, sending the query request to the server, and receiving the report information for the file that the server returns, which is generated using the user's public key, the identifier, the module files and the authentication labels corresponding to the module files;

verifying the report information using the user's public key and the public authentication data.

A method for verifying cloud storage data integrity, comprising the following steps:

receiving and storing the identifier, the module files and the authentication labels corresponding to the module files sent by the user terminal;

receiving the file integrity query request sent by the user terminal, generating report information using the file integrity query request, the user's public key, the identifier, the module files and the authentication labels corresponding to the module files, and returning the report information to the user terminal for the user terminal to verify.

A device for verifying cloud storage data integrity, comprising:

an encoding module, configured to generate an identifier for a file to be stored, and to encode the file into modules to obtain multiple module files;

a generating module, configured to compute an authentication label for each module file using the user's public key and private key, and to generate public authentication data for each authentication label;

a submission module, configured to submit the identifier, the module files and the authentication labels to the server;

a query module, configured to generate a file integrity query request, send the query request to the server, and receive the report information for the file that the server returns, which is generated using the user's public key, the identifier, the module files and the authentication labels corresponding to the module files;

a verification module, configured to verify the report information using the user's public key and the public authentication data.

A server for verifying cloud storage data integrity, comprising:

a receiving module, configured to receive and store the identifier, the module files and the authentication labels corresponding to the module files sent by the user terminal;

a feedback module, configured to receive the file integrity query request sent by the user terminal, generate report information using the file integrity query request, the user's public key, the identifier, the module files and the authentication labels corresponding to the module files, and return the report information to the user terminal for the user terminal to verify.

In the above method, device and server for verifying cloud storage data integrity, the user computes authentication labels for the module files obtained by encoding and then generates public authentication data, and the server stores the module files and their authentication labels. When a file needs to be verified, the user's private information does not have to be provided: the server uses the user's public key to generate report information from the stored module files and authentication labels, and the verifier then verifies the report information with the user's public key, achieving public authentication of cloud storage data integrity. The invention allows any authorized verifier to verify the integrity of the data files the user has stored in the cloud without obtaining the user's private information and without downloading the files.

Brief description of the drawings

FIG. 1 is a schematic flowchart of the method for verifying cloud storage data integrity in Embodiment 1 of the present invention.

FIG. 2 is a schematic flowchart of the method for verifying cloud storage data integrity in Embodiment 2 of the present invention.

FIG. 3 is a schematic flowchart of the method for verifying cloud storage data integrity in Embodiment 3 of the present invention.

FIG. 4 is a schematic structural diagram of the device for verifying cloud storage data integrity in Embodiment 4 of the present invention.

FIG. 5 is a schematic structural diagram of the server for verifying cloud storage data integrity in Embodiment 5 of the present invention.

Detailed description

The present invention is described in further detail below with reference to the embodiments and the accompanying drawings, but the embodiments of the present invention are not limited thereto.

The solution of the present invention may involve three types of participants: users, cloud servers and verifiers. A user stores certain files on the cloud server and deletes them locally. The cloud server claims to be able to store the customer's data files intact. A verifier has permission to verify the integrity of the data files the customer has stored on the cloud server, and does not need the customer's private data.

Embodiment 1

FIG. 1 is a schematic flowchart of the method for verifying cloud storage data integrity in this embodiment. This embodiment is described from the point of view of the processing flow at the user terminal, and includes the following steps:

S11. Generate an identifier for a file to be stored, and encode the file to obtain multiple module files;

S12. Compute an authentication label for each module file using the user's public key and private key, and generate public authentication data for each authentication label;

S13. Submit the identifier, the module files and the authentication labels to the server;

S14. Generate a file integrity query request, send the query request to the server, and receive the report information for the file that the server returns, which is generated using the user's public key, the identifier, the module files and the authentication labels corresponding to the module files;

S15. Verify the report information using the user's public key and the public authentication data.

In step S11, the user preprocesses the file before uploading it to the cloud server and generates the identifier of the file. The file $F$ to be stored is then divided into modules, which can be done with a rate-ρ algorithm: the user first sets the system parameter $\rho \in (0,1)$, then applies a rate-ρ error-correcting code to encode the data file $F$ and generate multiple module files $(F_0, \ldots, F_{n-1})$, such that each module $F_i \in \{0,1\}$ and any $\rho n$ modules $F_i$ suffice to recover the original data file $F$, where $n$ is the total number of module files.

In this embodiment, the user's public key and private key can be generated by an RSA key generation algorithm. The specific generation steps are as follows:

The uploading user randomly selects a λ-bit RSA modulus $N = pq$ such that  are both prime, and $p$, $q$ have the same bit length;

Let , where $\varphi(N)$ is Euler's function, the number of positive integers not greater than $N$ and coprime to $N$;

Randomly select a generator $g$ from $QR_N$, where $QR_N$ denotes the subgroup of quadratic residues modulo $N$;

Randomly select , where  denotes the residue classes modulo  that are coprime to ;

Randomly select a seed $seed$ from the key space of the pseudo-random function family $\{PRF_{seed} : \{0,1\} \to Z_{\varphi(N)}\}$;

Let $g_\tau = g^\tau$; the public key is $pk = (N, g, g_\tau)$ and the private key is $sk = (p, q, \tau, seed)$.

In one embodiment, the identifier of the file satisfies the constraint $id \in \{0,1\}^\lambda$, where $id$ is the identifier and $\lambda$ is the bit length of the modulus in the user's public key.

After obtaining the module files $F_i$, the user uses the public key and private key to compute the authentication label of each module file, and then generates public authentication data for each authentication label;

The step of computing the authentication label of each module file using the user's public key and private key may be:

The authentication label is generated according to the following formula:

where $i$ is the number of the module file, $F_i$ is the $i$-th module file, $\sigma_i$ is the authentication label corresponding to module file $i$, $\tau$ is the random number in the user's private key, $PRF_{seed}$ is the pseudo-random number corresponding to the random seed $seed$ in the user's private key, $i \in [0, n-1]$, $n$ is the total number of module files, and $N$ is the modulus in the user's public key.

The step of generating public authentication data for each authentication label may be:

Each item of public authentication data is generated according to the following formula:

$$g_i = g^{PRF_{seed}(id \,\|\, i)}$$

where $g_i$ is the public authentication data of the $i$-th module file, and $g$ is the generator in the user's public key.

After processing the module files, the user uploads the file to the cloud server. In step S13, the data the user submits to the cloud server need only include the identifier, the module files and their corresponding authentication labels; that is, the cloud user can send  to the server, store only $(id, n)$ locally, and publish , where $g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M} \bmod N$

After the data has been submitted successfully, the verifier can generate a file integrity query request, send the query request to the server, and receive the report information returned by the server; finally the verifier checks the report information to decide whether the data is intact;

In one embodiment, the step of generating the file integrity query request may be:

Randomly select a subset  of size $|C| = l$; for each $i \in C$, randomly select a weight $\nu_i$ from ; the query request is $\{(i, \nu_i) : i \in C\}$;

The step of verifying the report information is:

Determine whether the following equation holds:

$$g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M} \bmod N$$

where the report information is $(M, \sigma)$, $M = \sum_{i \in C} \nu_i F_i \bmod N$, $\sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$, $i$ is the number of the module file, $n$ is the total number of module files, $\nu_i$ is the random weight corresponding to number $i$, $F_i$ is the $i$-th module file, $N$ is the modulus in the user's public key, and $\sigma_i$ is the authentication label corresponding to the $i$-th module file;

If the equation holds, the file is stored intact; if it does not hold, the file is not stored intact.

Embodiment 2

FIG. 2 is a schematic flowchart of the method for verifying cloud storage data integrity in this embodiment. This embodiment is described from the point of view of the processing flow at the cloud server, and includes the following steps:

S22. Receive and store the identifier, the module files and the authentication labels corresponding to the module files sent by the user terminal;

S23. Receive the file integrity query request sent by the user terminal, generate report information using the file integrity query request, the user's public key, the identifier, the module files and the authentication labels corresponding to the module files, and return the report information to the user terminal for the user terminal to verify.

In one embodiment, the file verification request includes the numbers of module files and the random weight corresponding to each number;

The report information is $(M, \sigma)$ and is generated according to the following formula:

$$M = \sum_{i \in C} \nu_i F_i \bmod N, \qquad \sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$$

where $i$ is the number of the module file, $n$ is the total number of module files, $\nu_i$ is the random weight corresponding to number $i$, $F_i$ is the $i$-th module file, $N$ is the modulus in the user's public key, and $\sigma_i$ is the authentication label corresponding to the $i$-th module file.

Embodiment 3

As shown in FIG. 3, the processing flow of the present invention is further explained through a specific embodiment, which is described in terms of the two-way interaction between the user terminal and the server.

S31. The user terminal generates an identifier for a file to be stored, and encodes the file to obtain multiple module files;

S32. The user terminal computes an authentication label for each module file using the user's public key and private key, and generates public authentication data for each authentication label;

S33. The user terminal submits the identifier, the module files and the authentication labels to the server;

S34. The server receives and stores the identifier, the module files and the authentication labels corresponding to the module files sent by the user;

S35. The user terminal generates a file integrity query request and sends the query request to the server;

S36. On receiving the query request sent by the user, the server uses the user's public key, the identifier, the module files and the authentication labels corresponding to the module files to generate the report information for the file and returns it to the user terminal;

S37. The user terminal receives the report information returned by the server;

S38. The user terminal verifies the report information using the user's public key and the public authentication data;

1. Key generation ($(1^\lambda) \to (pk, sk)$)

a) The uploading user randomly selects a λ-bit RSA modulus $N = pq$ such that  are both prime, and $p$, $q$ have the same bit length;

b) Let , where  is Euler's function, the number of positive integers not greater than $N$ and coprime to $N$;

c) Randomly select a generator $g$ from $QR_N$, where $QR_N$ denotes the subgroup of quadratic residues modulo $N$;

d) Randomly select , where  denotes the residue classes modulo  that are coprime to ;

e) Randomly select a seed $seed$ from the key space of the pseudo-random function family ;

Let $g_\tau = g^\tau$; the public key is $pk = (N, g, g_\tau)$ and the private key is $sk = (p, q, \tau, seed)$.

2. Encoding $(sk, F) \to (id, \overline{F}, n, \{g_i\}_{i=1}^{n})$

a) The uploading user sets the system parameter $\rho \in (0,1)$, then applies a rate-ρ error-correcting code to encode the data file $F$ and generate file modules $(F_0, \ldots, F_{n-1})$, such that each module $F_i \in \{0,1\}$ and any $\rho n$ modules $F_i$ suffice to recover the original data file $F$;

b) Choose a unique identifier $id \in \{0,1\}^\lambda$ for the file $F$;

c) For each data file module $F_i$, $i \in [0, n-1]$, compute an authentication label 

d) Let the encoded file be ; send  to the cloud storage server;

e) For each $\sigma_i$, compute an item of public authentication data 

The encoded file is ; the client sends  to the server, stores only $(id, n)$ locally, and publishes 

3. Challenge $(id, n) \to Q$

a) The verifier randomly selects a subset  of size $|C| = l$

b) For each $i \in C$, the verifier randomly selects a weight $\nu_i$ from ;

Let $Q = \{(i, \nu_i) : i \in C\}$;

4. Proof $(id, \overline{F}, Q) \to (M, \sigma)$

a) The cloud server receives $(id, Q)$ sent by the verifier;

b) The cloud server locates the encoded file  by the identifier $id$

c) The cloud server computes the report message $(M, \sigma)$;

$$M = \sum_{i \in C} \nu_i F_i \bmod N, \qquad \sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N.$$

The server sends $(M, \sigma)$ to the verifier.

5. Verification $(pk, \{g_i\}_{i=0}^{n-1}, Q, (M, \sigma)) \to$ reject or accept

Using the public key $pk$ and the corresponding public information sequence $\{g_i\}$, the verifier checks whether the following equation holds:

$$g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M} \bmod N.$$

If the equation holds, output "accept", meaning the file is intact; otherwise output "reject", meaning the file is not intact.
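
The five steps above, run end to end on constructed toy values, as an added example that is not code from the patent. Assumptions: the label formula, which is missing from this page, is taken to be $\sigma_i = PRF_{seed}(id \| i) + \tau F_i \bmod \varphi(N)$, the form the verification equation implies; $p$ and $q$ are safe primes; the server's sums $M$ and $\sigma$ are kept as plain integers so that the exponent identity holds exactly; HMAC-SHA256 stands in for the PRF; weights are 16-bit; the rate-ρ coding is omitted.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Constructed toy safe primes p = 2p'+1, q = 2q'+1 with equal bit length
# (assumption of this example; real use needs a modulus of 2048+ bits).
TOY_P, TOY_Q = 983, 1019


def keygen(p=TOY_P, q=TOY_Q):
    """Step 1: return pk = (N, g, g_tau) and sk = (p, q, tau, seed)."""
    n_mod, p1, q1 = p * q, (p - 1) // 2, (q - 1) // 2
    while True:  # a square whose order is neither p' nor q' generates QR_N
        x = secrets.randbelow(n_mod - 2) + 2
        g = pow(x, 2, n_mod)
        if gcd(x, n_mod) == 1 and pow(g, p1, n_mod) != 1 and pow(g, q1, n_mod) != 1:
            break
    while True:  # tau must be invertible modulo the group order p'q'
        tau = secrets.randbelow(p1 * q1 - 2) + 2
        if gcd(tau, p1 * q1) == 1:
            break
    return (n_mod, g, pow(g, tau, n_mod)), (p, q, tau, secrets.token_bytes(32))


def prf(seed, file_id, i, phi):
    """PRF_seed(id || i) mapped into Z_phi(N); HMAC-SHA256 is a stand-in."""
    mac = hmac.new(seed, file_id + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % phi


def split_blocks(data, block_len=16):
    """Step 2a without erasure coding: integer blocks F_0..F_{n-1}."""
    return [int.from_bytes(data[o:o + block_len], "big")
            for o in range(0, len(data), block_len)]


def tag_file(pk, sk, file_id, blocks):
    """Steps 2c/2e: labels sigma_i for the server, public g_i for verifiers."""
    n_mod, g, _ = pk
    p, q, tau, seed = sk
    phi = (p - 1) * (q - 1)
    tags, public = [], []
    for i, f_i in enumerate(blocks):
        r = prf(seed, file_id, i, phi)
        tags.append((r + tau * f_i) % phi)  # assumed label formula
        public.append(pow(g, r, n_mod))     # g_i = g^PRF_seed(id||i)
    return tags, public


def challenge(n, l, weight_bits=16):
    """Step 3: Q = {(i, v_i)} over a random l-subset C of [0, n-1]."""
    idx = secrets.SystemRandom().sample(range(n), l)
    return [(i, secrets.randbelow(2 ** weight_bits - 1) + 1) for i in sorted(idx)]


def prove(blocks, tags, query):
    """Step 4 (server): aggregate report (M, sigma), left unreduced."""
    m = sum(v * blocks[i] for i, v in query)
    sigma = sum(v * tags[i] for i, v in query)
    return m, sigma


def verify(pk, public, query, report):
    """Step 5: accept iff g^sigma == prod (g_i)^v_i * g_tau^M mod N."""
    n_mod, g, g_tau = pk
    m, sigma = report
    rhs = pow(g_tau, m, n_mod)
    for i, v in query:
        rhs = rhs * pow(public[i], v, n_mod) % n_mod
    return pow(g, sigma, n_mod) == rhs


def demo():
    """Audit an honest server, then one that altered a stored block."""
    pk, sk = keygen()
    file_id = b"constructed-file-id"
    blocks = split_blocks(b"constructed sample file contents for the audit " * 4)
    tags, public = tag_file(pk, sk, file_id, blocks)
    query = challenge(len(blocks), len(blocks))  # challenge every block
    honest = verify(pk, public, query, prove(blocks, tags, query))
    damaged = list(blocks)
    damaged[0] ^= 1  # the server silently flips one bit of block 0
    cheating = verify(pk, public, query, prove(damaged, tags, query))
    return honest, cheating


if __name__ == "__main__":
    print(demo())
```

The verifier uses only `pk`, the published `g_i` values and the query; with a partial challenge (`l < n`), a damaged block is caught only when it falls inside the sampled subset `C`.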

Embodiment 4

FIG. 4 is a schematic structural diagram of the device for verifying cloud storage data integrity in this embodiment. This embodiment is described in terms of the user device, which includes:

an encoding module 41, configured to generate an identifier for a file to be stored, and to encode the file to obtain multiple module files;

a generating module 42, configured to compute an authentication label for each module file using the user's public key and private key, and to generate public authentication data for each authentication label;

a submission module 43, configured to submit the identifier, the module files and the authentication labels to the server;

a query module 44, configured to generate a file integrity query request, send the query request to the server, and receive the report information for the file that the server returns, which is generated using the user's public key, the identifier, the module files and the authentication labels corresponding to the module files;

a verification module 45, configured to verify the report information using the user's public key and the public authentication data.

在其中一个实施例中,所述生成模块42中的所述用户公开密钥和私有密钥通过RSA密钥算法生成:In one of the embodiments, the user public key and private key in the generation module 42 are generated by RSA key algorithm:

随机选取一个λbits RSA模数N=pq,使得 均是素数,并且p,q具有相同的比特长;Randomly select a λbits RSA modulus N=pq, so that Both are prime numbers, and p, q have the same bit length;

其中(N)为欧拉函数,表示不大于N且与N互素的正整数的个数;make in (N) is the Euler function, indicating the number of positive integers not greater than N and mutually prime with N;

从QRN中随机选取一个生成元g,其中QRN表示模N的二次剩余子群;Randomly select a generator g from QR N , where QR N represents the quadratic residual subgroup modulo N;

随机选取其中,表示与互素且在模下的剩余类;choose randomly in, express with coprime and in the modulus the remaining classes under;

从伪随机函数族的密钥空间中随机选取一个种子seed;From the family of pseudorandom functions Randomly select a seed seed in the key space of ;

令gτ=gτ,所述用户公开密钥为pk=(N,g,gτ),所述用户私有密钥为sk=(p,q,τ,seed)。Let g τ =g τ , the user public key is pk=(N,g,g τ ), and the user private key is sk=(p,q,τ,seed).

In one embodiment, the identifier of the file satisfies the constraint $id \in \{0,1\}^\lambda$, where id is the identifier and λ is the bit length of the modulus in the user's public key.

In one embodiment, the generating module is further configured to:

Generate the authentication tag according to the following formula:

where i is the index of the module file, $F_i$ is the i-th module file, $\sigma_i$ is the authentication tag corresponding to module file i, τ is the random number in the user's private key, $PRF_{seed}$ is the pseudorandom number corresponding to the random seed `seed` in the user's private key, i ∈ [0, n−1], n is the total number of module files, and N is the modulus in the user's public key.

In one embodiment, the generating module is further configured to:

Generate each item of public authentication data according to the following formula:

$$g_i = g^{PRF_{seed}(id \| i)}$$

where $g_i$ is the public authentication data of the i-th module file and g is the generator in the user's public key.

In one embodiment, the query module is further configured to:

Randomly select a subset of size |C| = l; for each i ∈ C, randomly select a weight $\nu_i$ from ; the query request is $\{(i, \nu_i) : i \in C\}$.

In one embodiment, the verification module is further configured to:

Determine whether the following equation holds:

$$g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M} \bmod N$$

where the report information is (M, σ), $M = \sum_{i \in C} \nu_i F_i \bmod N$, $\sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$, i is the index of the module file, n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file;

If it holds, the file is stored intact; if it does not hold, the file is not stored intact.

Embodiment 5

Figure 5 is a schematic structural diagram of the verification server for cloud storage data integrity of the present invention in this embodiment. This embodiment is described taking a server as an example, which includes:

Receiving module 51, configured to receive and store the identifier, the module files and the authentication tags corresponding to the module files sent by the client;

Feedback module 52, configured to receive the file integrity query request sent by the client, generate report information using the file integrity query request, the user's public key, the identifier, the module files and the authentication tags corresponding to the module files, and feed it back to the client for the client to verify.

In one embodiment, the file verification request includes the indices of module files and the random weight corresponding to each index;

The report information is (M, σ), and the feedback module is further configured to generate the report information according to the following formula:

$$M = \sum_{i \in C} \nu_i F_i \bmod N, \qquad \sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$$

where i is the index of the module file, n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file.

The beneficial effects of the present invention are set out next.

First, the following definitions are given:

Definition 1: If, for any output of the algorithms defined above (key generation, encoding, challenge, proof, verification), the response returned by the proof algorithm always makes the verification algorithm output accept, and the verification process does not involve any private key sk output by the key generation algorithm, then the scheme formed by these algorithms is called publicly provable data storage (PPDP).

Definition 2: A PPDP scheme is complete if an honest cloud server that really does store the client's data file in full and honestly runs the proof algorithm to generate a response is always accepted by the verifier.

To prove the security of the PPDP scheme, a security game is introduced here.

Setup: The challenger runs the key generation algorithm to generate a public/private key pair (pk, sk). The challenger publishes the public key pk and retains only the private key sk.

Learning: The attacker adaptively makes queries of the following kinds:

Store query: The attacker selects a data file F and sends it to the challenger, and the challenger returns as the response. At the end of this step the challenger keeps only (id, n), while the attacker obtains the encoded file and the corresponding file identifier id and a set of public authentication information

Verification query: The attacker sends a file identifier id to the challenger. If id was produced by the attacker in the store query of the previous step, the challenger issues the following authentication query to the attacker for the file F corresponding to id:

Using the metadata n, the challenger chooses a random query Q and sends it to the attacker.

For the query Q sent by the challenger, the attacker generates a response R and returns it to the challenger (R may be generated in any way).

The challenger runs the verification algorithm on R and outputs b ∈ {accept, reject}.

The challenger sends the decision bit b to the attacker. If id was not generated by the attacker in a previous store query, the challenger does nothing.

Commit: The attacker selects a file identifier id* from the learning phase and sends it to the challenger. Let F* denote the data file associated with id*.

Retrieve: The challenger issues polynomially many PPDP verification queries on the data file F*, with the challenger acting as the verifier and the attacker playing the cloud storage server. From these interactions, the challenger can obtain a data file module F' using some PPT recovery algorithm. For the queries issued by the challenger, if the attacker's responses make the challenger output accept in the authentication process, the attacker wins the game; if the file module F' obtained by the challenger equals the original file module F*, the challenger wins the game.

From the above security game, the following definition is given:

Definition 3: A PPDP scheme is sound if, in the security game defined above, the difference between the probability that the attacker wins and the probability that the challenger wins is negligible. (For a query Q issued by the challenger, the event that the response (M′, σ′) output by the attacker passes authentication but (M′, σ′) ≠ (M, σ) occurs with negligible probability, where (M, σ) denotes the true response output by the proof algorithm.)

Lemma 1 (Completeness of PPDP): The above PPDP scheme is complete in the sense of Definition 2.

Proof:

$$
\begin{aligned}
g^{\sigma} &= g^{\sum_{i \in C} \nu_i \sigma_i} \bmod N \\
&= g^{\sum_{i \in C} \nu_i PRF_{seed}(id \| i) + \sum_{i \in C} \nu_i \tau F_i} \bmod N \\
&= \prod_{i \in C} \left( g^{PRF_{seed}(id \| i)} \right)^{\nu_i} \cdot g_\tau^{M} \bmod N \\
&= \prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M} \bmod N
\end{aligned}
$$
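The exchange described above (key generation, tagging, challenge, server report, public verification), run end to end as an added example that is not code from the patent. The tag formula σ_i = PRF_seed(id‖i) + τ·F_i is read off the completeness proof; the small constructed safe primes, HMAC-SHA256 as the PRF, reduction of tags modulo φ(N), 16-bit weights and 2-byte blocks are assumptions of the example, and M and σ are kept as plain integer sums because the server does not know the order of g. The error-correcting encoding step is left out.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Constructed safe primes p = 2p'+1, q = 2q'+1 (11 bits each, an assumption of this
# example). They keep the arithmetic readable and give no security at this size.
P_SUB, Q_SUB = 593, 641
P, Q = 2 * P_SUB + 1, 2 * Q_SUB + 1          # 1187 and 1283


def keygen():
    """Return pk = (N, g, g_tau) and sk = (p, q, tau, seed)."""
    n_mod, phi = P * Q, (P - 1) * (Q - 1)
    while True:
        h = secrets.randbelow(n_mod - 2) + 2
        g = pow(h, 2, n_mod)                   # squaring a unit lands in QR_N
        # The order of g divides p'q'; reject the cases where it is 1, p' or q'.
        if gcd(h, n_mod) == 1 and pow(g, P_SUB, n_mod) != 1 and pow(g, Q_SUB, n_mod) != 1:
            break
    while True:
        tau = secrets.randbelow(phi - 2) + 2
        if gcd(tau, phi) == 1:                 # tau is a unit modulo phi(N)
            break
    seed = secrets.token_bytes(32)
    return (n_mod, g, pow(g, tau, n_mod)), (P, Q, tau, seed)


def prf(seed, file_id, i, phi):
    """PRF_seed(id || i), instantiated here (assumption) as HMAC-SHA256 mod phi(N)."""
    mac = hmac.new(seed, file_id + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % phi


def split_blocks(data, size=2):
    """Cut data into module files F_i, each read as a big-endian integer."""
    return [int.from_bytes(data[k:k + size], "big") for k in range(0, len(data), size)]


def tag_blocks(pk, sk, file_id, blocks):
    """Client side: tags sigma_i (sent to the server) and public values g_i."""
    n_mod, g, _ = pk
    p, q, tau, seed = sk
    phi = (p - 1) * (q - 1)
    tags, g_pub = [], []
    for i, f_i in enumerate(blocks):
        r_i = prf(seed, file_id, i, phi)
        # sigma_i = PRF_seed(id||i) + tau*F_i, as read off the completeness proof;
        # reducing it modulo phi(N) is this example's assumption.
        tags.append((r_i + tau * f_i) % phi)
        g_pub.append(pow(g, r_i, n_mod))       # g_i = g^PRF_seed(id||i)
    return tags, g_pub


def challenge(n, l, weight_bits=16):
    """Verifier: random index set C with |C| = l and a nonzero weight per index."""
    indices = secrets.SystemRandom().sample(range(n), l)
    return [(i, secrets.randbelow(2 ** weight_bits - 1) + 1) for i in indices]


def prove(blocks, tags, chal):
    """Server: aggregate with additions and multiplications only, no exponentiation."""
    m = sum(v * blocks[i] for i, v in chal)
    sigma = sum(v * tags[i] for i, v in chal)
    return m, sigma


def verify(pk, g_pub, chal, report):
    """Public check g^sigma == prod (g_i)^v_i * g_tau^M mod N; uses no secret value."""
    n_mod, g, g_tau = pk
    m, sigma = report
    rhs = pow(g_tau, m, n_mod)
    for i, v in chal:
        rhs = rhs * pow(g_pub[i], v, n_mod) % n_mod
    return pow(g, sigma, n_mod) == rhs


if __name__ == "__main__":
    pk, sk = keygen()
    blocks = split_blocks(b"constructed sample file for the demo")
    tags, g_pub = tag_blocks(pk, sk, b"file-0001", blocks)
    chal = challenge(len(blocks), 5)
    print("honest server accepted:", verify(pk, g_pub, chal, prove(blocks, tags, chal)))
    damaged = list(blocks)
    damaged[chal[0][0]] ^= 1                   # flip one bit of a challenged block
    print("damaged copy accepted:", verify(pk, g_pub, chal, prove(damaged, tags, chal)))
```

A damaged block is only caught when its index falls inside the challenged set C, so the detection rate of a single query depends on l.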

Theorem 1: If the pseudorandom function family PRF in the present invention is secure, and the discrete logarithm problem and the large integer factorization problem are both intractable, then the PPDP scheme of the present invention is sound.

Before proving this result, the following lemma is given.

Lemma 2: If the pseudorandom function family PRF in the present invention is secure, and the discrete logarithm problem and the large integer factorization problem are both intractable, then the probability that a PPT attacker obtains some useful information about τ after interacting in the security game ; moreover, since λ ≈ log N ≈ 2 + 2 log p′, is negligible, where φ(N), p′, q′ are defined in the key generation algorithm, and let p′ = min{p′, q′}.

Proof: Because the pseudorandom function PRF is secure, no PPT attacker in the security game can distinguish the output of the PRF from a truly random number in $Z_{\varphi(N)}$. The secret value τ is therefore well hidden in $\sigma_i$. Moreover, since the DLP is intractable, no PPT attacker can obtain any useful information about τ from $g_\tau$ in the public key pk either. Hence there is no PPT attacker that obtains any useful information about τ from the security game.

Proof of Theorem 1: Suppose the attacker, acting as the cloud server, generates by any means a valid response (M′, σ′) that the challenger accepts, while the true response generated by the proof algorithm is (M, σ). The authentication equation clearly holds for both the valid response (M′, σ′) and the true response (M, σ). So we have

$$g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M} \bmod N \tag{1}$$

$$g^{\sigma'} = \prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M'} \bmod N \tag{2}$$

Dividing (1) by (2) gives

$$
\begin{aligned}
\frac{g^{\sigma}}{g^{\sigma'}} &= \frac{\prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M}}{\prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M'}} \bmod N \\
&= g^{\sigma - \sigma'} \bmod N \\
g_\tau^{M - M'} \bmod N &= g^{(M - M')\tau} \bmod N
\end{aligned}
$$

From this calculation, the attacker obtains the following equation

$$g^{\sigma - \sigma'} = g^{(M - M')\tau} \bmod N \tag{3}$$

For equation (3), consider the following two cases.

Case 1: M ≠ M′. If M and M′ are not equal, the PPT attacker can obtain some useful information about τ from equation (3) above. By Lemma 2, however, the probability of this happening is negligible. (Otherwise there would exist another attacker β that could invoke the above attacker to solve the DLP with non-negligible probability.)

Case 2: M = M′. When M = M′, the challenger wins the security game. Here $M' = \sum_{i \in C} \nu_i F_i$, which is a linear equation in the encoded modules whose coefficients are the challenger's weight set $\{\nu_i\}_{i \in C}$. Therefore, to obtain l = |C| linearly independent equations in the unknowns $F_i$, i ∈ C, the challenger needs to run the protocol l = |C| times on the same index set C. By solving the resulting system of linear equations, the challenger can then recover the original file modules $F_i$, i ∈ C.

From the above analysis, the following corollary is obtained:

Corollary 1: The probability that the attacker wins the security game equals the probability that case 1 occurs plus the probability that case 2 occurs. That is,

Pr[attacker wins the security game] = Pr[case 1 occurs] + Pr[case 2 occurs]

Since Pr[case 1 occurs] is negligible, and the occurrence of case 2 means the challenger wins the security game, Theorem 1 is proved.
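The recovery step of case 2, as an added example that is not part of the patent: the M values returned for |C| challenges on the same index set are treated as a linear system and solved for the module files. It assumes M is the plain integer sum Σ ν_i F_i and solves over the rationals; the function names and sample values are constructed for the illustration.

```python
from fractions import Fraction


def aggregate(blocks, index_set, weights):
    """Honest server's M = sum of v_i * F_i over the challenged indices (integer sum)."""
    return sum(v * blocks[i] for i, v in zip(index_set, weights))


def extract_blocks(index_set, weight_rows, m_values):
    """Recover {i: F_i} from accepted responses on one index set C.

    weight_rows[j] holds the weights of the j-th challenge in the order of
    index_set, and m_values[j] is the M returned for it. Returns None when the
    challenges do not contain |C| linearly independent weight vectors.
    """
    l = len(index_set)
    rows = [[Fraction(v) for v in w] + [Fraction(m)]
            for w, m in zip(weight_rows, m_values)]
    if len(rows) < l:
        return None
    for col in range(l):
        # Gauss-Jordan elimination over the rationals: find a pivot for this unknown.
        pivot = next((r for r in range(col, len(rows)) if rows[r][col] != 0), None)
        if pivot is None:
            return None                        # weights are linearly dependent
        rows[col], rows[pivot] = rows[pivot], rows[col]
        lead = rows[col][col]
        rows[col] = [x / lead for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col] != 0:
                factor = rows[r][col]
                rows[r] = [x - factor * y for x, y in zip(rows[r], rows[col])]
    return {i: int(rows[k][l]) for k, i in enumerate(index_set)}


if __name__ == "__main__":
    stored = {2: 1234, 5: 42, 7: 65535}        # constructed module files F_2, F_5, F_7
    index_set = [2, 5, 7]
    weight_rows = [[1, 1, 1], [1, 2, 4], [1, 3, 9]]   # three independent challenges
    m_values = [aggregate(stored, index_set, w) for w in weight_rows]
    print(extract_blocks(index_set, weight_rows, m_values))
```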

The invention allows any authorized verifier to verify the integrity of the data files a client has stored in the cloud without obtaining the client's secret knowledge and without downloading all of those files.

The server of the invention does not need to perform any exponentiation, and is computationally more efficient and more practical than many existing public authentication schemes.

Complexity analysis: The cloud storage server uses the homomorphic property to aggregate the module/MAC pairs $(F_i, \sigma_i)$ queried by the verifier into a single module, and returns the computed (M, σ) to the verifier as the response. This makes the invention very efficient in communication and in server-side computation: both the user and the server incur O(λ) communication cost and O(λ) storage cost, where λ is the bit length of N. For each query issued by the verifier, the response returned by the server is 2λ bits in size. The server needs only 2l multiplications and 2l additions to generate such a response, which makes the scheme of the invention better in this respect than many existing public authentication schemes. After receiving the server's response, the verifier needs l+2 exponentiations and l+1 multiplications to run the authentication algorithm, which is comparable to existing public authentication schemes. All of these computational costs are therefore linear in the number of elements in the query. From the tags $\sigma_i \in \{0,1\}^\lambda$ and F_i ∈ {0,1} , the storage cost of the server is . In the setup phase, however, the client needs one group multiplication, one group addition and one PRF evaluation per data module to generate the corresponding tag. In addition, the client needs one group exponentiation to generate the public information $g_i$, and all of this preprocessing can be done offline. Here l = |C| denotes the number of indices selected in the authentication process.

The embodiments described above express only several implementations of the present invention, and although their description is relatively specific and detailed, they should not be construed as limiting the scope of the patent. It should be noted that those of ordinary skill in the art can make a number of variations and improvements without departing from the concept of the invention, all of which fall within the scope of protection of the invention. The scope of protection of this patent shall therefore be determined by the appended claims.

Claims (18)

1. A verification method for cloud storage data integrity, characterized by comprising the following steps:
generating an identifier of a file to be stored, and coding the file to be stored to obtain a plurality of module files;
calculating each module file by using the user public key and the private key to obtain an authentication tag of each module file, and generating public authentication data for each authentication tag;
submitting the identifier, the module file and the authentication tag to a server;
generating a file integrity query request, sending the query request to a server, and receiving report information of the file to be stored, which is returned by the server and generated by using a user public key, an identifier, a module file and an authentication tag corresponding to the module file;
verifying the reporting information using a user public key and the public authentication data;
the step of coding the file to be stored to obtain a plurality of module files comprises the following steps:
processing by adopting a rate-ρ algorithm: setting a system parameter ρ ∈ (0,1), encoding the file F with a rate-ρ error-correcting code and generating a plurality of module files $(F_0, \ldots, F_{n-1})$, such that each module file F_i ∈ {0,1} and any ρn module files $F_i$ can restore the original file F.
2. The method for verifying the integrity of cloud storage data according to claim 1, wherein the user public key and the user private key are generated by an RSA key generation algorithm:
randomly selecting a λ-bit RSA modulus N = pq such that are both prime numbers, and p, q have the same bit length;
letting , where is the Euler function, denoting the number of positive integers not greater than N and coprime to N;
randomly selecting a generator g from $QR_N$, where $QR_N$ denotes the subgroup of quadratic residues modulo N;
randomly selecting , where τ is a random number in the user private key, and denotes the residue classes coprime to and taken modulo ;
randomly selecting a seed `seed` from the key space of the pseudorandom function family ;
letting $g_\tau = g^\tau$, the user public key being $pk = (N, g, g_\tau)$ and the user private key being $sk = (p, q, \tau, seed)$.
3. The verification method for the integrity of cloud storage data according to claim 2, wherein the identifier of the file satisfies the constraint $id \in \{0,1\}^\lambda$, where id is the identifier and λ is the bit length of the modulus in the user public key.
4. The method for verifying the integrity of the cloud storage data according to claim 3, wherein the step of calculating each module file by using the public key and the private key of the user to obtain the authentication tag of each module file comprises:
calculating the authentication tag according to:
where i is the index of the module file, $F_i$ is the i-th module file, $\sigma_i$ is the authentication tag corresponding to module file i, $PRF_{seed}$ is the pseudorandom number corresponding to the random seed in the user private key, i ∈ [0, n−1], n is the total number of module files, and N is the modulus in the user public key.
5. The method for verifying the integrity of cloud storage data according to claim 3, wherein the step of generating public authentication data for each authentication tag is:
each public authentication data is generated according to the following formula:
$$g_i = g^{PRF_{seed}(id \| i)}$$
where $g_i$ is the public authentication data of the i-th module file and g is the generator in the user public key.
6. The method for verifying the integrity of the cloud storage data according to claim 5, wherein the step of generating the file integrity query request is as follows:
randomly selecting a subset of size |C| = l, where C is a subset of the set [0, n−1] and l denotes the number of elements in C; for each i ∈ C, randomly selecting a weight $\nu_i$ from ; the query request being $\{(i, \nu_i) : i \in C\}$.
7. The method for verifying the integrity of the cloud storage data according to claim 6, wherein the step of verifying the report information is:
determining whether the following equation holds:
$$g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M} \bmod N$$
where the report information is (M, σ), $M = \sum_{i \in C} \nu_i F_i \bmod N$, $\sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$, i is the index of the module file, n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file;
if it holds, the file is stored intact; if not, the file is not stored intact.
8. A verification method for cloud storage data integrity is characterized by comprising the following steps:
receiving and storing an identifier, a module file and an authentication tag corresponding to the module file sent by a user side;
receiving a file integrity query request sent by a user side, and generating report information by using the file integrity query request, a public key, an identifier, a module file and an authentication tag corresponding to the module file of the user to feed back to the user side for the user side to verify;
the module file is as follows:
processing by adopting a rate-ρ algorithm: setting a system parameter ρ ∈ (0,1), encoding the file F with a rate-ρ error-correcting code and generating a plurality of module files $(F_0, \ldots, F_{n-1})$, such that each module file F_i ∈ {0,1} and any ρn module files $F_i$ can restore the original file F.
9. The method for verifying cloud storage data according to claim 8, wherein
the file verification request comprises the indices of module files and the random weight corresponding to each index;
the report information is (M, σ), and is generated according to the following formula:
$$M = \sum_{i \in C} \nu_i F_i \bmod N, \qquad \sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$$
where i is the index of the module file, C is a subset of the set [0, n−1], n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file.
10. A verification device for cloud storage data integrity, comprising:
the encoding module is used for generating identifiers of files to be stored and encoding the files to be stored to obtain a plurality of module files;
the generating module is used for calculating each module file by utilizing the public key and the private key of the user to obtain an authentication tag of each module file and generating public authentication data for each authentication tag;
the submitting module is used for submitting the identifier, the module file and the authentication tag to a server;
the query module is used for generating a file integrity query request, sending the query request to a server, and receiving report information of the file to be stored, which is returned by the server and generated by using a user public key, an identifier, a module file and an authentication tag corresponding to the module file;
a verification module for verifying the reporting information using a user public key and the public authentication data;
the step of coding the file to be stored to obtain a plurality of module files comprises the following steps:
processing by adopting a rate-ρ algorithm: setting a system parameter ρ ∈ (0,1), encoding the file F with a rate-ρ error-correcting code and generating a plurality of module files $(F_0, \ldots, F_{n-1})$, such that each module file F_i ∈ {0,1} and any ρn module files $F_i$ can restore the original file F.
11. The apparatus for verifying integrity of cloud storage data according to claim 10, wherein the user public key and private key in the generating module are generated by an RSA key generation algorithm:
randomly selecting a λ-bit RSA modulus N = pq such that are both prime numbers, and p, q have the same bit length;
letting , where is the Euler function, denoting the number of positive integers not greater than N and coprime to N;
randomly selecting a generator g from $QR_N$, where $QR_N$ denotes the subgroup of quadratic residues modulo N;
randomly selecting , where τ is a random number in the user private key, and denotes the residue classes coprime to and taken modulo ;
randomly selecting a seed `seed` from the key space of the pseudorandom function family ;
letting $g_\tau = g^\tau$, the user public key being $pk = (N, g, g_\tau)$ and the user private key being $sk = (p, q, \tau, seed)$.
12. The cloud storage data integrity verification device according to claim 11, wherein the identifier of the file satisfies the constraint $id \in \{0,1\}^\lambda$, where id is the identifier and λ is the bit length of the modulus in the user public key.
13. The apparatus for verifying integrity of cloud storage data according to claim 12, wherein the generating module is further configured to:
calculate the authentication tag according to:
where i is the index of the module file, $F_i$ is the i-th module file, $\sigma_i$ is the authentication tag corresponding to module file i, $PRF_{seed}$ is the pseudorandom number corresponding to the random seed in the user private key, i ∈ [0, n−1], n is the total number of module files, and N is the modulus in the user public key.
14. The apparatus for verifying integrity of cloud storage data according to claim 12, wherein the generating module is further configured to:
generate each public authentication data according to the following formula:
$$g_i = g^{PRF_{seed}(id \| i)}$$
where $g_i$ is the public authentication data of the i-th module file and g is the generator in the user public key.
15. The apparatus for verifying integrity of cloud storage data according to claim 14, wherein the query module is further configured to:
randomly select a subset of size |C| = l, where C is a subset of the set [0, n−1] and l denotes the number of elements in C; for each i ∈ C, randomly select a weight $\nu_i$ from ; the query request being $\{(i, \nu_i) : i \in C\}$.
16. The apparatus for verifying integrity of cloud storage data as claimed in claim 15, wherein said verification module is further configured to:
determine whether the following equation holds:
$$g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \, g_\tau^{M} \bmod N$$
where the report information is (M, σ), $M = \sum_{i \in C} \nu_i F_i \bmod N$, $\sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$, i is the index of the module file, n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file;
if it holds, the file is stored intact; if not, the file is not stored intact.
17. A verification server for cloud storage data integrity, comprising:
the receiving module is used for receiving and storing the identifier, the module file and the authentication tag corresponding to the module file which are sent by the user side;
the feedback module is used for receiving a file integrity query request sent by a user side, and generating report information by using the file integrity query request, a public key, an identifier, a module file and an authentication tag corresponding to the module file of the user to feed back to the user side for the user side to verify;
the module file is as follows:
processing by adopting a rate-ρ algorithm: setting a system parameter ρ ∈ (0,1), encoding the file F with a rate-ρ error-correcting code and generating a plurality of module files $(F_0, \ldots, F_{n-1})$, such that each module file F_i ∈ {0,1} and any ρn module files $F_i$ can restore the original file F.
18. The cloud storage data validation server of claim 17, wherein
the file verification request comprises the indices of module files and the random weight corresponding to each index;
the report information is (M, σ), and the feedback module is further configured to generate the report information according to the following equation:
$$M = \sum_{i \in C} \nu_i F_i \bmod N, \qquad \sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$$
where i is the index of the module file, C is a subset of the set [0, n−1], n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file.
CN201310330155.7A 2013-07-31 2013-07-31 The verification method of cloud storage data integrity, equipment and server Active CN103425941B (en)


Publications (2)

Publication Number Publication Date
CN103425941A CN103425941A (en) 2013-12-04
CN103425941B true CN103425941B (en) 2016-12-28

Family

ID=49650661

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310330155.7A Active CN103425941B (en) 2013-07-31 2013-07-31 The verification method of cloud storage data integrity, equipment and server

Country Status (1)

Country Link
CN (1) CN103425941B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103944874B (en) * 2014-02-18 2017-01-25 国家超级计算深圳中心 Highly reusable cloud storage data storage verification method and system
CN104052819B (en) * 2014-06-27 2017-06-13 西安电子科技大学 The high in the clouds data integrity verification method of many geographical position storages
CN104392185B (en) * 2014-12-01 2017-11-10 公安部第三研究所 The method that data integrity validation is realized in cloud environment daily record evidence obtaining
CN104717217B (en) * 2015-03-18 2018-04-06 电子科技大学 The provable security data property held verification method based on section entitlement in a kind of cloud storage
BR112017024320A2 (en) * 2015-05-15 2018-07-24 Parker-Hannifin Corporation integrated asset integrity management system
CN104980437B (en) * 2015-06-12 2019-02-12 电子科技大学 An Identity-based Authorized Third-Party Data Integrity Proof Method
CN105227317B (en) * 2015-09-02 2019-04-05 青岛大学 A kind of cloud data integrity detection method and system for supporting authenticator privacy
CN105787390B (en) * 2016-03-02 2018-11-27 深圳大学 A kind of verification method and its system of data integrity
CN108055128B (en) * 2017-12-18 2021-11-19 数安时代科技股份有限公司 RSA key generation method, RSA key generation device, storage medium and computer equipment
CN109299619B (en) * 2018-10-09 2020-12-25 北京腾云天下科技有限公司 Data query method, computing device and system
CN109818944B (en) * 2019-01-08 2021-05-04 桂林电子科技大学 A cloud data outsourcing and integrity verification method and device supporting preprocessing
CN110995734B (en) * 2019-12-12 2020-12-15 深圳大学 Error-correcting code-based cloud storage auditing method, system and computer equipment
CN111259454B (en) * 2020-01-10 2022-07-05 山东师范大学 A non-interactive data integrity audit method, fair payment method and system
CN111291046B (en) * 2020-01-16 2023-07-14 湖南城市学院 A computer big data storage control system and method
CN112231766B (en) * 2020-10-14 2023-04-14 西北工业大学 A Dynamic Storage Proof Method Based on New Authentication Structure

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102541475A (en) * 2012-03-12 2012-07-04 成都市华为赛门铁克科技有限公司 Data storage method and data storage device
CN103067363A (en) * 2012-12-20 2013-04-24 华中科技大学 Index conversion method for public data integrity checking

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8065517B2 (en) * 2007-11-01 2011-11-22 Infineon Technologies Ag Method and system for transferring information to a device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
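"Research on an Integrity Verification Model for Data Storage in Cloud Computing"; Chen Chunlin; "China Master's Theses Full-text Database, Information Science and Technology"; 20130615 (No. 6); pp. 8-47 *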

Also Published As

Publication number Publication date
CN103425941A (en) 2013-12-04

Similar Documents

Publication Publication Date Title
CN103425941B (en) The verification method of cloud storage data integrity, equipment and server
US10846372B1 (en) Systems and methods for trustless proof of possession and transmission of secured data
Yuan et al. Proofs of retrievability with public verifiability and constant communication cost in cloud
Chen Using algebraic signatures to check data possession in cloud storage
US10887104B1 (en) Methods and systems for cryptographically secured decentralized testing
US20230155846A1 (en) Blockchain-implemented method and system
CN108370317B (en) Adding privacy to standard credentials
Schröder et al. Verifiable data streaming
US20160105414A1 (en) Method for Authenticating a Client Device to a Server Using a Secret Element
EP3629519B1 (en) System and method for generating one-time data signatures
US9882890B2 (en) Reissue of cryptographic credentials
CN109889497A (en) A Trustless Data Integrity Verification Method
Li et al. An efficient proof of retrievability with public auditing in cloud computing
CN106487786B (en) Cloud data integrity verification method and system based on biological characteristics
CN109903450B (en) Electronic voting method and system
CN108833117B (en) Private key storage and reading method and device and hardware equipment
US11184176B2 (en) System and method for generating data signatures over non-continuously bidirectional communication channels
Singh et al. Optimized public auditing and data dynamics for data storage security in cloud computing
US11416821B1 (en) Apparatuses and methods for determining and processing dormant user data in a job resume immutable sequential listing
CN104954390A (en) Cloud storage integrity detection method for recovering lost secret keys and system applying cloud storage integrity detection method
US20230006836A1 (en) Multi-party and multi-use quantum resistant signatures and key establishment
US11856095B2 (en) Apparatus and methods for validating user data by using cryptography
US8954728B1 (en) Generation of exfiltration-resilient cryptographic keys
Liu et al. Identity-based remote data integrity checking of cloud storage from lattices
Tang et al. A new publicly verifiable data possession on remote storage

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 528200 science and technology road, Nanhai Software Science Park, Nanhai Town, Nanhai District, Foshan, Guangdong

Applicant after: Age of security Polytron Technologies Inc

Applicant after: Guangzhou University

Address before: 528200 science and technology road, Nanhai Software Science Park, Nanhai Town, Nanhai District, Foshan, Guangdong

Applicant before: Guangdong Certificate Authority Center Co., Ltd.

Applicant before: Guangzhou University

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant