CN101729250B - Verification method, equipment and system of increment provable data integrity (IPDI) - Google Patents


Publication number
CN101729250B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200810170804.0A
Other languages
Chinese (zh)
Other versions
CN101729250A (en)
Inventor
曾珂
雷浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC China Co Ltd
Original Assignee
NEC China Co Ltd
Application filed by NEC China Co Ltd
Priority to CN200810170804.0A
Priority to JP2009219088A (JP2010166549A)
Publication of CN101729250A
Application granted
Publication of CN101729250B
Expired - Fee Related

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a verification method for incremental provable data integrity (IPDI), comprising the following steps: first, a client generates digital fingerprints of the data and sends the fingerprints together with the data to an archive server; when necessary, the client or a third-party verifier sends a "challenge" to the archive server to determine the integrity of the data, and the archive server proves the integrity of the data using the received fingerprints; finally, the client or the third-party verifier verifies the integrity of the data from the archive server's output in response to the "challenge". In addition, the IPDI scheme makes it possible to securely add incremental data to a data file that has already been fingerprinted and outsourced.

Description

Incremental provable data integrity (IPDI) verification method, equipment and system
Technical field
The present invention relates to the field of storage network security, and in particular to an incremental provable data integrity (IPDI) verification method, equipment and system.
Background art
The Internet is developing rapidly toward outsourcing data from local storage to storage services, at scales from the individual to the global. Amazon Simple Storage Service (Amazon S3) (Reference 1: Amazon Simple Storage Service (Amazon S3), http://aws.amazon.com/s3) is one such Internet storage system. Amazon S3 provides a web service interface that can be used to store and retrieve data. The Amazon S3 service is global in scale and business-class, and its pricing is quite reasonable: US$0.15/GB/month for storage used; US$0.10/GB/month for all data transferred in; and US$0.18/GB/month for the first 10 TB/month of data transferred out. For those seeking free storage services of global scale, the following also exist. MediaMax (Reference 2: MediaMax Free Online Storage, http://www.mediamax.com) provides 25 GB of free online storage, and the Gmail FileSystem project (Reference 3: Gmail Drive Shell Extension, http://www.viksoe.dk/code/gmail.htm) turns a free Gmail account into permanent free network storage space.
With these public storage services, a client can abandon its own local storage subsystem and retrieve its data over the Internet at any time and from anywhere. This striking prospect has attracted a great deal of industry effort, which has made storage outsourcing an inevitable trend.
The IETF Network WG has captured this trend and issued RFC 4810, "Long-Term Archive Service Requirements" (Reference 4: RFC 4810, Long-Term Archive Service Requirements, IETF Network WG, http://www.ietf.org/rfc/rfc4810.txt). RFC 4810 describes the requirements for a long-term archive service responsible for preserving data over long periods. Supporting non-repudiation of data existence, integrity and origin is the primary requirement for a long-term archive service. As RFC 4810 states, a long-term archive service must be able to provide evidence that can be used to prove the integrity of the data it is responsible for, from the time it receives the data until the archival period of the data expires.
Outsourcing data from client storage to an archive service has two basic steps: submitting data and retrieving data. The naive solution for verifying data integrity involves retrieving the data from the archive server. However, providing high bandwidth from a remote archive server to the client verifier is impractical now and for the foreseeable future. Mobile clients in particular rarely enjoy high-bandwidth connections. In addition, as RFC 4810 notes, a third-party verifier may be the one checking the integrity of a user's data. In that case the third-party verifier should not access the user's data; otherwise it may violate the privacy of the user's data. To verify data integrity while avoiding retrieval of the data from the archive server, the prior art adopts a three-step operation model, shown in Fig. 1. Note that, for simplicity of presentation (and without loss of generality), the verifier of data integrity below is taken to be the client (that is, the data owner). As noted above, however, the verifier may in fact be a third party rather than the data owner.
In step 0, the client produces digital fingerprints of the data and sends them to the archive server together with the data. Besides the data itself, the archive server also needs to store the fingerprints of the data. In step 1, the client sends a challenge about data integrity to the archive server. The archive server uses the data content, the data fingerprints and the client's challenge together to compute a data integrity proof and, in step 2, returns this proof to the client for verification. Steps 1 and 2 can be repeated many times until the archival period of the data expires.
Based on the above operation model, the key factors that any technical solution to the provable data integrity problem should consider are listed below.
(I) the time the client spends producing the data fingerprints
(II) the archive server storage consumed by the data fingerprints
(III) the size of the challenge the verifier sends to the archive server
(IV) the time the archive server spends computing the data integrity proof
(V) the size of the data integrity proof the archive server sends to the verifier
(VI) the time the verifier spends checking the data integrity proof
(VII) the ability to handle incremental changes to the data
There is a seemingly simple approach to handling data integrity. Initially, the data owner divides the data into multiple parts and precomputes a message authentication code (MAC) for each part. Whenever a verifier, whether the data owner or a third party, needs a proof of data integrity, it retrieves a number of randomly selected parts from the archive service and recomputes the MAC of each part for comparison.
Deswarte et al. (Reference 5: Y. Deswarte, J. J. Quisquater, A. Saidane, Remote integrity checking, In Proc. of Conference on Integrity and Internal Control in Information Systems (IICIS '03), 2003) and Filho et al. (Reference 6: D. L. G. Filho, P. S. L. M. Baretto, Demonstrating Data Possession and Uncheatable Data Transfer, http://eprint.iacr.org/2006/150.pdf) proposed using an RSA-based hash function to verify that the archive server has stored a file correctly.
More recently, Ateniese et al. (Reference 7: G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, D. Song, Provable Data Possession at Untrusted Stores, http://eprint.iacr.org/2007/202.pdf) proposed an RSA-based provable data possession scheme, the S-PDP scheme, where "S" stands for "sampling". Sampling means that the client selects a portion of the data at random and requires the archive server to show evidence that the randomly selected data is in a healthy state (that is, that the integrity of the selected data is maintained). The S-PDP scheme does not require exponentiation over the whole file, and its communication complexity is constant, which makes S-PDP the most efficient of the prior-art schemes.
The drawback of the naive scheme is that its communication complexity is linear in the size of the data queried. Moreover, with a third-party verifier, sending user data to the verifier is forbidden because it violates the data owner's privacy. To avoid retrieving data from the storage server, one can choose multiple secret keys and precompute multiple keyed-hash MACs of the data. The verifier can then reveal one secret key to the storage server each time and ask it to compute the keyed-hash MAC for comparison. However, the number of times particular data can be verified is limited by the fixed number of secret keys, which must be chosen in advance. When the keys are used up, the data must unavoidably be retrieved from the archive server in order to compute new keyed-hash MACs.
The drawback of the proposals in References 5 and 6 is that the archive server has to exponentiate over the whole file. For reference, given a 2048-bit RSA modulus, one full exponentiation takes 61.325 milliseconds on an Intel Core Duo 2.16 GHz. Exponentiation therefore takes 251.3 seconds per megabyte. This means that to test the integrity of a 64 MB file, the archive server spends 16083.8 seconds before the client can receive the data integrity proof.
One problem with the S-PDP scheme is that its design goal, sampling, is sometimes meaningless to the data owner. Through sampling, the S-PDP scheme tolerates file block errors with a seemingly high detection probability. For example, Reference 7 discusses how to reach a 99% detection probability when 1% of file blocks are in error. But many types of file cannot tolerate even a single bit error. For example, in a media file, losing the header that carries the codec configuration parameters makes the file hard to render. Another example is that damage to the (public-key encrypted) symmetric encryption key embedded in an encrypted file leaves garbage ciphertext that can no longer be recovered to plaintext. In general, what the data owner demands is 100% data safety, and this cannot be compromised under any circumstances.
Another problem with the S-PDP scheme is that a third-party verifiable (so-called publicly verifiable) system built with it is very inefficient. For public verifiability, the S-PDP scheme forces every file block to be smaller than the RSA public key e. Taking a 2048-bit RSA modulus as an example, the public key can be at most 1024 bits. So under the publicly verifiable S-PDP scheme, the file must be logically divided into many 1024-bit file blocks. The result is a huge number of file blocks, and a tag must be generated for each one. In other words, the size of the tags is at least twice that of the file itself, and the time the client spends tagging the file is also too long, so the scheme is infeasible in practice.
An earlier Chinese invention patent application, CN200810165864.3, assigned to the same applicant as the present application, proposed a pairing-based provable data integrity (PDI) scheme. That earlier PDI scheme meets requirements (I) to (VI) above well, but it cannot meet requirement (VII). That is, the PDI scheme cannot make incremental changes to outsourced data. An incremental change means adding a new data segment to a data file. If the PDI scheme allowed incremental changes, security would be breached. That is to say, once a data file has been preprocessed (for example, fingerprints have been produced for the PDI scheme) and outsourced, and the key used for data preprocessing has been disclosed to a third-party verifier, it is unsafe for the PDI scheme to let a new data segment enter the file.
Note that the prior art still cannot meet all seven requirements (I) to (VII).
Summary of the invention
In view of the above shortcomings of the prior art, the present invention proposes an incremental provable data integrity (IPDI) verification method. The method is based on the PDI scheme disclosed in CN200810165864.3 (the entire disclosure of which is incorporated herein by reference), and overcomes the incremental-change problem encountered by the prior art (not only by that PDI scheme).
According to the previously proposed PDI scheme, a method of producing data fingerprints was proposed, comprising the steps of: dividing the data into N blocks $M_i$, $i = 1, 2, \ldots, N$; combining every $n_B$ blocks into a super block, to obtain
Figure G2008101708040D00051
super blocks; selecting from the finite cyclic group
Figure G2008101708040D00052
$n_B$ elements $h_j$, $j = 1, 2, \ldots, n_B$; and producing the fingerprint $T_k$ of the $k$-th super block, $k = 1, 2, \ldots, n$, by using the locator $W_k$ for the $k$-th super block, the selected $n_B$ elements $h_j$ and a first private key $x$.
The newly proposed IPDI scheme differs from that PDI scheme mainly in that it introduces a concept called the "virtual file block (VFB)". In the IPDI scheme, the VFB is treated as a "real" file block, and each of the
Figure G2008101708040D00053
super blocks consists of $n_B$ data blocks plus a virtual file block (VFB).
Therefore, according to the newly proposed IPDI scheme, a method of producing data fingerprints is provided, comprising the steps of: dividing the data into N blocks $M_i$, $i = 1, 2, \ldots, N$; combining every $n_B$ blocks and a virtual file block
Figure G2008101708040D00054
into a super block, to obtain
Figure G2008101708040D00055
super blocks; selecting from the finite cyclic group
Figure G2008101708040D00056
$n_B + 1$ elements $h_j$, $j = +0, 1, 2, \ldots, n_B$; and producing the fingerprint $T_k$ of the $k$-th super block, $k = 1, 2, \ldots, n$, by using the locator $W_k$ for the $k$-th super block, the selected $n_B + 1$ elements $h_j$ and the first private key $x$.
Preferably, the $n_B + 1$ elements $h_j$ are part of the public key corresponding to the first private key $x$.
Preferably, the $n_B + 1$ elements $h_j$ satisfy the relation $h_j = g_1^{r_j}$, where $r_j$ is a secret key.
Preferably, the fingerprint $T_k$ of the $k$-th super block is produced according to
$$T_k = \left( W_k \cdot \prod_{j=+0}^{n_B} h_j^{M_{(k-1) \cdot n_B + j}} \right)^{\frac{1}{x + z_M}}$$
where $z_M$ is the identifier of the data. More preferably, the locator $W_k$ of the $k$-th super block is a hash value taking at least $k$ as input.
Preferably, the fingerprint $T_k$ of the $k$-th super block is produced according to
$$T_k = \left( W_k \cdot \prod_{j=+0}^{n_B} h_j^{M_{(k-1) \cdot n_B + j}} \right)^{x}$$
More preferably, the locator $W_k$ of the $k$-th super block is a hash value taking at least $k$ and the identifier $z_M$ of the data as input.
According to a second aspect of the invention, an apparatus for producing data fingerprints is provided, comprising: a virtual file block generation unit for producing, for each super block to be generated, a virtual file block; a super block generation unit for dividing the data into N blocks $M_i$, $i = 1, 2, \ldots, N$, and combining every $n_B$ blocks with the virtual file block from the virtual file block generation unit
Figure G2008101708040D00063
into a super block, to obtain
Figure G2008101708040D00064
super blocks; and a fingerprint generation unit for selecting from the finite cyclic group
Figure G2008101708040D00065
$n_B + 1$ elements $h_j$, $j = +0, 1, 2, \ldots, n_B$, and producing the fingerprint $T_k$ of the $k$-th super block, $k = 1, 2, \ldots, n$, by using the locator $W_k$ for the $k$-th super block, the selected $n_B + 1$ elements $h_j$ and the first private key $x$.
Preferably, the $n_B + 1$ elements $h_j$ are part of the public key corresponding to the first private key $x$.
Preferably, the $n_B + 1$ elements $h_j$ satisfy the relation $h_j = g_1^{r_j}$, where $r_j$ is a secret key.
The previously proposed PDI scheme can guarantee the integrity of data with high probability (for example, $1 - 2^{-64}$). Compared with prior art that achieves (1) an integrity guarantee for every bit of the data, (2) a constant-size challenge from the client to the archive server, and (3) a constant-size data integrity proof from the archive server to the client, the PDI scheme has four main advantages:
(I) the client produces the data fingerprints fastest;
(II) the archive server produces the response to the client's challenge fastest;
(III) the client verifies the archive server's response fastest;
(IV) the verifier can be a third-party verifier while advantages (I)-(III) are retained. In addition, the fingerprints are the smallest in size.
Take a 64 MB data file as a concrete example. The security strength is set to be comparable with 2048-bit RSA, with $l = 64$. With an Intel Core Duo 2.16 GHz processor at the client and an Intel Qx6700 Core2 Quad 2.66 GHz processor at the archive server, using the PDI scheme the client spends 12.7 seconds producing the file fingerprints; the archive server spends 1.4 seconds producing the transformed fingerprint and the knowledge proof of the transformed super block; and the client spends 0.4 seconds verifying the knowledge proof. All of these times are lower even than the theoretical lower bound that existing RSA-based schemes can reach at the archive server in the best case.
Advantageously, the newly proposed IPDI scheme can securely add incremental data to a data file that has already been fingerprinted and outsourced. The IPDI scheme meets all seven requirements (I) to (VII) and incurs no additional storage consumption.
Brief description of the drawings
The above and other objects, features and advantages of the present invention will become more apparent from the following detailed description of non-limiting embodiments of the invention, taken in conjunction with the accompanying drawings, in which:
Fig. 1 shows the working model for proving data integrity;
Fig. 2 shows a flow chart of the data integrity proving method (atomic proof procedure) and the data integrity verification method (atomic verification procedure) according to the present invention;
Fig. 3 is a logical diagram of the data according to the previously proposed PDI scheme;
Fig. 3a is a logical diagram of the data according to the newly proposed IPDI scheme;
Fig. 4 shows an alternative working model for proving data integrity;
Fig. 5 shows another alternative working model for proving data integrity;
Fig. 6 shows a block diagram of a client 1400 for implementing the present invention;
Fig. 7 shows a block diagram of an archive server 1500 for implementing the present invention; and
Fig. 8 shows a block diagram of a verifier 1600 for implementing the present invention.
Embodiments
The present invention is described below with reference to the drawings. In the following description, some specific embodiments are used for descriptive purposes only; they should not be construed as limiting the invention in any way, and are merely examples of it. Conventional structures or constructions are omitted so as not to obscure the understanding of the invention.
Principle
The incremental provable data integrity (IPDI) scheme proposed here not only overcomes all the problems encountered in the prior art, but also outperforms the various prior-art schemes.
The IPDI scheme has essentially the following three steps, consistent with the working model shown in Fig. 1.
Step 0':
The IPDI scheme requires the finite cyclic group
Figure G2008101708040D00081
Preferably,
Figure G2008101708040D00082
is a finite cyclic group over an elliptic curve. Throughout this disclosure the traditional multiplicative group notation is used, rather than the additive notation commonly used in the elliptic curve setting. The client has a private key $x$ and a corresponding public key.
The client divides the data file into N blocks $M_i$, $i = 1, 2, \ldots, N$. Every $n_B$ blocks are combined with a virtual file block
Figure G2008101708040D00083
to form a super block. The data is thus divided into
Figure G2008101708040D00084
super blocks. If the data file is shorter than n super blocks require, the data file is logically padded with zeros. In this description, the virtual file block is logically placed before the $n_B$ blocks within a super block. However, the virtual file block may instead be placed after the $n_B$ blocks in the super block, or at any specified position. Here the subscript "+0" denotes the block immediately before the first real file block in a super block.
For each data file, the client prepares
Figure G2008101708040D00085
$n_B + 1$ elements $h_i$, $i = +0, 1, 2, \ldots, n_B$. Preferably, the client selects $r_i$ such that $h_i = g_1^{r_i}$ and keeps $r_i$ secret. More preferably, these elements $h_i$ are part of the client's public key and are therefore independent of the data file.
The client uses its private key and the above $n_B + 1$ elements $h_i$ to produce the fingerprints of all super blocks. For example, the fingerprint of the $i$-th super block has the form $T_i = \left( W_i \cdot \prod_{j=+0}^{n_B} h_j^{M_{(i-1) \cdot n_B + j}} \right)^{\frac{1}{x + z_M}}$, where the locator $W_i$ is a hash value taking at least $i$ as input (the input of the locator $W_i$ may also include, for example, the file name and/or version number of the data file), and $z_M$ is an identifier chosen specifically for the data file; for example, one identifier $z_M$ is chosen for one group of data files and another identifier
Figure G2008101708040D00088
for another group of data files. Alternatively, the fingerprint may be computed as $T_i = \left( W_i \cdot \prod_{j=+0}^{n_B} h_j^{M_{(i-1) \cdot n_B + j}} \right)^{x}$, where the locator $W_i$ takes $i$ and $z_M$ as input. Preferably, the client knows $r_i$ such that $h_i = g_1^{r_i}$. Therefore, by replacing
Figure G2008101708040D00092
with
Figure G2008101708040D00093
the client can use its knowledge of $r_i$ to speed up fingerprint production.
The result of step 0' is that the client obtains the n fingerprints of the n super blocks. The client sends all the fingerprints to the archive server together with the data file and the $n_B$ elements $h_i$. Preferably, the $n_B$ elements $h_i$ are part of the client's public key, and the archive server can obtain them from, for example, a public key directory. These elements then need not be transmitted together with the data file.
Step 1':
The client sends a "challenge" to the archive server to determine the integrity of the data.
Based on the challenge received from the client, the archive server needs to execute the atomic proof procedure several times, for example $\psi$ times.
For each atomic proof procedure, the archive server first constructs $\Phi = 2^{\varphi}$ boxes and randomly assigns the n fingerprints to the boxes. The number $\Phi$ and the randomness are determined by the "challenge" received from the client. Each fingerprint must be put into one and only one box. Note that each fingerprint corresponds to exactly one super block; after all n fingerprints have been put into boxes, each box has a "packed super block" and a "packed fingerprint" on that "packed super block", the latter produced from the fingerprints assigned to the box. For example, consider the case where only the two fingerprints on the $\eta$-th and $\omega$-th super blocks are put into the $\lambda$-th box. The "packed super block" of this box comprises $\hat{M}_{\lambda j} = M_{\eta \cdot n_B + j} + M_{\omega \cdot n_B + j}$, $j = +0, 1, 2, \ldots, n_B$, and the "packed fingerprint" on this "packed super block" is $\hat{T}_{\lambda} = T_{\eta} \cdot T_{\omega}$.
Next, by applying a further randomness to the "packed super blocks" and "packed fingerprints" of all boxes, the archive server produces one "transformed super block" and the "transformed fingerprint" on that "transformed super block". This randomness is likewise determined by the "challenge" received from the client. Continuing the example above, the "transformed super block" comprises $E_j = \sum_{\lambda=1}^{\Phi} a_{\lambda} \cdot \hat{M}_{\lambda j}$, $j = 1, 2, \ldots, n_B$, and the "transformed fingerprint" on the "transformed super block" is $T = \prod_{\lambda=1}^{\Phi} \hat{T}_{\lambda}^{a_{\lambda}}$, where $a_{\lambda}$ is a random number determined by the client's "challenge".
Finally, the archive server produces the "knowledge proof of the transformed super block", which can be the "transformed super block" itself. Alternatively, the knowledge proof of the transformed super block can be a proof of knowledge of the content of the "transformed super block", produced by a standard interactive or non-interactive zero-knowledge proof technique. Alternatively, the client's "challenge" comprises , $i = +0, 1, 2, \ldots, n_B$, and for each challenge the client selects a different
Figure G2008101708040D00102
and keeps
Figure G2008101708040D00103
secret. Preferably, $H_i$ is part of the client's public key and
Figure G2008101708040D00104
is part of the client's private key. Using $H_i$, the archive server computes the "knowledge proof of the transformed super block" as $H = \prod_{i=+0}^{n_B} H_i^{E_i}$.
The archive server needs to send the "transformed fingerprint" $T$ and the "knowledge proof of the transformed super block" $H$ to the client as the output of the atomic proof procedure.
The archive server should repeat the atomic proof procedure $\psi$ times in total, so that
Figure G2008101708040D00106
can be chosen to determine the total number of boxes constructed, where $l$ is chosen by the client and determines the security level. The bit length of the random numbers $a_{\lambda}$ is chosen to be $\varphi$. By repeating the atomic procedure $\psi$ times, the security level of the PDI scheme can be $(n/\psi) \cdot 2^{-l}$, which means that if at least one block is damaged, the probability that the archive server can convince the verifier is at most $(n/\psi) \cdot 2^{-l}$.
There are also other reference realizations of the above "the number $\Phi$ and the randomness are determined by the challenge received from the client" and "$a_{\lambda}$ is a random number determined by the client's challenge". For example, choose $\varphi = n$ and assign the n fingerprints evenly to n boxes, so that each box has one and only one fingerprint. Choose the bit length of $a_{\lambda}$ to be $l$. Choosing $\psi = 1$ then achieves the security level $n \cdot 2^{-l}$.
Step 2':
The client receives the output of all $\psi$ atomic proof procedures from the archive server.
For the "transformed fingerprint" on the "transformed super block" and the "knowledge proof of the transformed super block" of each atomic proof procedure, the client executes an atomic verification procedure.
For each atomic verification procedure, the client first constructs $\Phi$ boxes and logically assigns the locators $W_i$ to the boxes at random. Because this randomness is determined by the "challenge" chosen by the client, it is the same randomness the archive server uses to assign the fingerprints. Each locator must be put into one and only one box. After all n locators have been put into boxes, each box has a "packed locator" produced from the locators assigned to that box. For example, consider the case where only the two locators $W_{\eta}$ and $W_{\omega}$ are put into the $\lambda$-th box. The "packed locator" of this box is $\hat{W}_{\lambda} = W_{\eta} \cdot W_{\omega}$.
Next, by applying the further randomness mentioned above to the "packed locators" of all boxes, the client produces one "transformed locator". Because this randomness is determined by the "challenge" chosen by the client, it is the same randomness the archive server uses to compute the "transformed fingerprint". The "transformed locator" is $W = \prod_{\lambda=1}^{\Phi} \hat{W}_{\lambda}^{a_{\lambda}}$, where $a_{\lambda}$ is a random number determined by the client's "challenge".
Finally, if the "knowledge proof of the transformed super block" produced by the archive server is the "transformed super block" itself, the client computes the "alleged knowledge proof of the transformed super block" as $H' = \left( T^{x + z_M} / W \right)$ and compares it with
Figure G2008101708040D00113
If they are equal, the atomic verification procedure outputs success. Alternatively, the client computes the "alleged knowledge proof of the transformed super block"
Figure G2008101708040D00114
and compares it with the value $H$ received from the archive server. If $H = H'$, the atomic verification procedure outputs success. Alternatively, if the fingerprints are computed as $T_i = \left( W_i \cdot \prod_{j=+0}^{n_B} h_j^{M_{(i-1) \cdot n_B + j}} \right)^{x}$, the "alleged knowledge proof of the transformed super block" is computed as
Figure G2008101708040D00116
Only when all atomic verification procedures succeed is the client convinced that the archive server has maintained data integrity. If at least one block is damaged at the archive server, the probability that the client is falsely convinced is at most $2^{-l}$.
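The following Python sketch is an added example, not code from the patent. It walks the box packing and transformation of steps 1' and 2' for the second fingerprint form $T_i = (W_i \cdot \prod_j h_j^{M_j})^x$, and shows that the proof stays constant-size while a single flipped bit is rejected. Its assumptions: a toy multiplicative group modulo a Mersenne prime stands in for the pairing group (so only the holder of $x$ can verify), the virtual file block is left out, HMAC-SHA256 plays the challenge-keyed pseudo-random functions, one round with 64-bit coefficients is run, and all function and constant names are hypothetical.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1        # toy modulus (a Mersenne prime), far too small for real use
ORDER = P - 1         # exponents are reduced modulo the order of Z_P^*
G = 3                 # fixed base; h_j = G^{r_j}
BLOCK_BYTES = 8       # l_m = 64 bits, below log2(P) as the scheme requires
N_B = 4               # real blocks per super block
COEF_BITS = 64        # bit length of the coefficients a_lambda (assumption)


def prf(key, label, index, modulus):
    """Challenge-keyed PRF; HMAC-SHA256 is this sketch's choice."""
    mac = hmac.new(key, label + index.to_bytes(8, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % modulus


def locator(i, file_id):
    """W_i: hash of the super-block index and the file identifier, in Z_P^*."""
    digest = hashlib.sha256(file_id + i.to_bytes(8, "big")).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 1)


def split_super_blocks(data):
    """Zero-pad the file and cut it into super blocks of N_B integer blocks."""
    size = BLOCK_BYTES * N_B
    data += b"\x00" * (-len(data) % size)
    return [[int.from_bytes(data[o + k * BLOCK_BYTES:o + (k + 1) * BLOCK_BYTES], "big")
             for k in range(N_B)]
            for o in range(0, len(data), size)]


def keygen():
    """Private key x and the secret exponents r_j behind h_j = G^{r_j}."""
    x = 1 + secrets.randbelow(ORDER - 1)
    r = [1 + secrets.randbelow(ORDER - 1) for _ in range(N_B)]
    return x, r


def fingerprint(i, blocks, x, r, file_id):
    """T_i = (W_i * prod_j h_j^{M_j})^x, using prod_j h_j^{M_j} = G^{sum_j r_j M_j}."""
    exponent = sum(rj * m for rj, m in zip(r, blocks)) % ORDER
    return pow(locator(i, file_id) * pow(G, exponent, P) % P, x, P)


def prove(challenge, boxes, super_blocks, fingerprints):
    """Server side: pack fingerprints and blocks into boxes, then fold with a_lambda."""
    packed_t = [1] * boxes
    packed_m = [[0] * N_B for _ in range(boxes)]
    for i, (blocks, t) in enumerate(zip(super_blocks, fingerprints), start=1):
        lam = prf(challenge, b"box", i, boxes)
        packed_t[lam] = packed_t[lam] * t % P
        packed_m[lam] = [acc + m for acc, m in zip(packed_m[lam], blocks)]
    T, E = 1, [0] * N_B
    for lam in range(boxes):
        a = prf(challenge, b"coef", lam, 2**COEF_BITS)
        T = T * pow(packed_t[lam], a, P) % P
        E = [(e + a * m) % ORDER for e, m in zip(E, packed_m[lam])]
    return T, E


def verify(challenge, boxes, n, x, r, file_id, T, E):
    """Key holder: rebuild the transformed locator W, check T == (W * prod h_j^{E_j})^x."""
    packed_w = [1] * boxes
    for i in range(1, n + 1):
        lam = prf(challenge, b"box", i, boxes)
        packed_w[lam] = packed_w[lam] * locator(i, file_id) % P
    W = 1
    for lam in range(boxes):
        a = prf(challenge, b"coef", lam, 2**COEF_BITS)
        W = W * pow(packed_w[lam], a, P) % P
    exponent = sum(rj * e for rj, e in zip(r, E)) % ORDER
    return T == pow(W * pow(G, exponent, P) % P, x, P)


def run_audit(data, flip_bit=False, boxes=4):
    """One challenge/response round over constructed data; returns (accepted, proof)."""
    x, r = keygen()
    file_id = b"constructed-file-id"
    stored = split_super_blocks(data)
    fps = [fingerprint(i, blk, x, r, file_id) for i, blk in enumerate(stored, start=1)]
    if flip_bit:
        stored[len(stored) // 2][0] ^= 1      # server-side corruption of a single bit
    challenge = secrets.token_bytes(16)
    T, E = prove(challenge, boxes, stored, fps)
    return verify(challenge, boxes, len(stored), x, r, file_id, T, E), (T, E)


if __name__ == "__main__":
    sample = bytes(range(256)) * 40           # constructed 10 KiB "file"
    print("intact file accepted:", run_audit(sample)[0])
    print("one flipped bit accepted:", run_audit(sample, flip_bit=True)[0])
```

The response is one group element plus $n_B$ exponents regardless of file size, which is the constant-size property the text relies on.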
Detailed description
The present invention is described in further detail below.
The traditional multiplicative group notation is used, rather than the additive notation customary in elliptic curve settings.
Let
Figure G2008101708040D00117
and
Figure G2008101708040D00118
be two finite cyclic groups, with an additional group
Figure G2008101708040D00119
such that
Figure G2008101708040D001110
where p is some large prime. A bilinear map e:
Figure G2008101708040D001111
is a function such that:
Bilinear: for all
Figure G2008101708040D001113
$e(h_1^a, h_2^b) = e(h_1, h_2)^{ab}$.
Non-degenerate:
Figure G2008101708040D001116
Figure G2008101708040D001117
such that $e(h_1, h_2) \neq I$, where $I$ is the identity element of
Figure G2008101708040D0011140707QIETU
Computable: there exists an efficient algorithm for computing e.
Suppose a setup algorithm Setup() that, on input of the security parameter $1^k$, outputs the above bilinear map settings, written as
Figure G2008101708040D001118
Because
Figure G2008101708040D001119
Figure G2008101708040D001120
and
Figure G2008101708040D0011140724QIETU
all have the same prime order p, it follows easily from the bilinearity and non-degeneracy properties that
Figure G2008101708040D00121
Given
Figure G2008101708040D00122
and 6 pseudo-random functions
Figure G2008101708040D00124
and
Figure G2008101708040D00125
as system parameters.
Client produces the data fingerprints
The client has a secret key
Figure G2008101708040D00126
and a public key
Figure G2008101708040D00127
Preferably, the client has a certificate for $Y$ from a certification authority. Alternatively, for example, the client's secret key may be computed as
Figure G2008101708040D00129
In addition, the client computes
Figure G2008101708040D001210
, $i = +0, 1, 2, \ldots, n_B$, as its public key.
Given data $M$ divided into N blocks $M_i$ ($i = 1, 2, \ldots, N$), each block is $l_m$ bits long, where $l_m < \log p$ must hold. $M$ is referred to by, for example, its qualified file name, denoted $FN_M$.
Fig. 3 shows how, in the PDI scheme, the data $M$ is logically divided and organized into n super blocks.
Figure G2008101708040D001211
denotes the number of super blocks. Note that if the length of the data $M$ is not equal to $N \cdot l_m$ or $n \cdot (n_B \cdot l_m)$, zeros are logically appended to $M$.
According to the IPDI scheme, in the $i$-th super block, $i = 1, 2, \ldots, n$, before the $n_B$ real file blocks
Figure G2008101708040D001212
a virtual file block is added:
Figure G2008101708040D001213
Unlike the real file blocks, whose length is $l_m$ bits, the virtual file block
Figure G2008101708040D001214
has a length of p bits. The client, according to
Figure G2008101708040D001215
computes the virtual file block
Figure G2008101708040D001216
Fig. 3a illustrates the first super block, where $M_{+0}$ is the virtual file block; here the subscript "+0" denotes the block immediately before the first real file block $M_1$. The same rule applies to the other super blocks.
Alternatively, by choosing $prf_{VFB}: \{0,1\}^* \to Z$, where
Figure G2008101708040D001217
the length of the virtual file block can be less than p bits.
The client executes the following procedure to generate the fingerprints of the data.
a) The client selects , and computes the locator
Figure G2008101708040D00132
Figure G2008101708040D00133
, $i = 1, 2, \ldots, n$. $T_i$ is called the fingerprint of the i-th super block.
b) The client signs ($FN_M$, M, $z_M$, {$T_i$}) with the secret key x, producing the signature s.
c) The client stores $z_M$ for $FN_M$.
d) The client sends $FN_M$, M,
Figure G2008101708040D00134
Figure G2008101708040D00135
and s to the archive server.
e) On receiving $FN_M$, M, and s, the archive server verifies that s is a valid signature on ($FN_M$, M, $z_M$, {$T_i$}).
Client generates incremental data fingerprints
The client executes the following procedure to generate fingerprints for an incremental change to the data. A file with file reference
Figure G2008101708040D0013141706QIETU
and file key z,
Figure G2008101708040D0013141716QIETU
, has $n_{SB}$ super blocks. To append a new group of data
Figure G2008101708040D00138
, $j = 1, 2, \ldots, n_B$, to the end of F, that is, to increase i from $n_{SB}$ to $n_{SB} + 1$, the following operations are carried out:
a) The client computes the virtual file block (VFB)
Figure G2008101708040D00139
b) The client computes
Figure G2008101708040D001310
Archive server proves data integrity
To determine whether the archive server holds the content of $FN_M$ with zero bit errors (except with a maximum allowed error probability of $2^{-1}$), the client challenges the archive server, and the archive server responds as follows.
i) The client selects a repetition factor $1 \le \psi \le l$.
ii) The client selects
Figure G2008101708040D00141
, and sends $FN_M$ and $chal = (l, \psi, \kappa_1, \kappa_2)$ to the archive server.
iii) On receiving $FN_M$ and $chal = (l, \psi, \kappa_1, \kappa_2)$, the archive server first computes
Figure G2008101708040D00142
, and initializes the transformed fingerprints
Figure G2008101708040D00143
, $k = 1, 2, \ldots, \psi$, with the identity element of
Figure G2008101708040D00144
as the initial value. The archive server then independently repeats the following atomic proof procedure ψ times:
iii-a. Initialize the encapsulated fingerprints
Figure G2008101708040D00145
, the encapsulated super blocks $e_{\upsilon j} = 0$ and the transformed super block $E_j = 0$, for $\upsilon = 1, 2, \ldots, \Phi = 2^{\phi}$ and $j = +0, 1, 2, \ldots, n_B$.
iii-b. For each $i = 1, 2, \ldots, n$, compute:
b-i. $\sigma = prf_3(i, k, \kappa_1)$
b-ii.
Figure G2008101708040D00146
, which adds $T_i$ to the encapsulated fingerprint of box σ
b-iii. For each $j = +0, 1, 2, \ldots, n_B$, compute $e_{\sigma j} \mathrel{+}= M_{(i-1) * n_B + j} \bmod p$, which adds $M_{(i-1) * n_B + j}$ to the encapsulated super block of box σ
iii-c. For each $\upsilon = 1, 2, \ldots, \Phi$, compute:
c-i. $a_\upsilon = prf_4(\upsilon, k, \kappa_2)$
c-ii. $T_k \mathrel{*}= \vec{T}_\upsilon^{a_\upsilon}$
c-iii. For each $j = +0, 1, 2, \ldots, n_B$, compute $E_j \mathrel{+}= a_\upsilon \cdot e_{\upsilon j} \bmod p$
iii-d. Compute $H_k = prf_5\left(\prod_{j=+0}^{n_B} H_j^{E_j}\right)$ as the knowledge proof of the transformed super block.
iv) The archive server sends $(T_k, H_k)$, $k = 1, 2, \ldots, \psi$, to the client.
Alternatively, for example, the client selects
Figure G2008101708040D001411
and computes $\kappa_2 = prf_1(\kappa_1, \text{"second randomness defining key"})$. In this way $\kappa_2$ can be conveyed.
Compared with the "archive server proves data integrity" procedure of the previously proposed PDI scheme, in every step where a computation is carried out per file block or device, the same computation is also carried out for the VFB, which is treated as a real block.
Client verifies data integrity
On receiving $(T_k, H_k)$, $k = 1, 2, \ldots, \psi$, the client independently repeats the following atomic proof procedure ψ times:
I) Initialize
Figure G2008101708040D00151
and the encapsulated locators
Figure G2008101708040D00152
, $\upsilon = 0, 1, \ldots, \Phi - 1 = 2^{\phi} - 1$.
II) For each $i = 1, 2, \ldots, n$, compute $\sigma = prf_3(i, k, \kappa_1)$ and $W_\sigma \mathrel{*}= prf_2(i, FN_M)$.
III) For each $\upsilon = 1, 2, \ldots, \Phi$, compute $a_\upsilon = prf_4(\upsilon, k, \kappa_2)$ and $W_k \mathrel{*}= W_\upsilon^{-a_\upsilon}$.
IV) Compute and verify
Figure G2008101708040D00154
. Output true only if the equality holds.
If all atomic proof procedures output true, the client is convinced by the data integrity proof.
Compared with the "client verifies data integrity" procedure of the previously proposed PDI scheme, no modification is needed.
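The following added example (not code from the patent) walks through the procedures above with toy parameters: super blocks with virtual file blocks, an incremental append, the server's boxing and transformation steps iii-a to iii-c, and a verifier check. It assumes HMAC-SHA256 as a stand-in for the pseudo-random functions, a small prime-order subgroup of $Z_P^*$ in place of a pairing group, the fingerprint form $T_k = (W_k \prod_j h_j^{M_j})^x$ from claim 1, and the transformed super block itself as the knowledge proof; all function names are hypothetical. The final equality is a simplified secret-key check that follows from that fingerprint form and stands in for the equation of step IV), which survives on this page only as a figure reference.

```python
import hashlib
import hmac

# Toy parameters, constructed for this example and far too small to be secure.
# P = 2p + 1 is a safe prime, so the squares mod P form a cyclic group of prime order p.
# Blocks are single bytes (l_M = 8 bits), which satisfies l_M < log p.
P, p, G = 2039, 1019, 4
N_B = 3      # real blocks per super block (n_B)
PHI = 4      # number of boxes (Phi)

def prf(label, *args, mod=p):
    """Stand-in for prf_2..prf_4 and prf_VFB: HMAC-SHA256 keyed by a label (assumption)."""
    msg = "|".join(str(a) for a in args).encode()
    return int.from_bytes(hmac.new(label.encode(), msg, hashlib.sha256).digest(), "big") % mod

def locator(k, z_M, FN):
    """W_k: hash of k and the data identifier, mapped to a non-identity group element."""
    return pow(prf("W", k, z_M, FN, mod=P - 3) + 2, 2, P)

def coeff(v, rnd, kappa2):
    """a_v = prf_4(v, k, kappa_2), kept in [1, p-1] so that every box contributes."""
    return 1 + prf("prf4", v, rnd, kappa2, mod=p - 1)

def box_of(i, rnd, kappa1):
    """sigma = prf_3(i, k, kappa_1): the box that super block i falls into."""
    return prf("prf3", i, rnd, kappa1, mod=PHI)

def super_blocks(data, z_M, FN, first=1):
    """Split data into blocks, zero-pad to a multiple of n_B, and put a virtual
    file block prf_VFB(k, z_M, FN_M) in front of each group of n_B real blocks."""
    blocks = list(data) + [0] * (-len(data) % N_B)
    return {first + i // N_B: [prf("vfb", first + i // N_B, z_M, FN)] + blocks[i:i + N_B]
            for i in range(0, len(blocks), N_B)}

def fingerprint(k, sb, x, h, z_M, FN):
    """T_k = (W_k * prod_j h_j^{M_j})^x, j running over the VFB (+0) and the real blocks."""
    acc = locator(k, z_M, FN)
    for h_j, m in zip(h, sb):
        acc = acc * pow(h_j, m, P) % P
    return pow(acc, x, P)

def prove(store, tags, kappa1, kappa2, rnd):
    """Server side, one atomic round: box, then transform (steps iii-a to iii-c)."""
    box_T = [1] * PHI
    box_e = [[0] * (N_B + 1) for _ in range(PHI)]
    for i, sb in store.items():
        s = box_of(i, rnd, kappa1)
        box_T[s] = box_T[s] * tags[i] % P                       # T_sigma *= T_i
        box_e[s] = [(e + m) % p for e, m in zip(box_e[s], sb)]  # e_sigma,j += M
    T, E = 1, [0] * (N_B + 1)
    for v in range(PHI):
        a = coeff(v, rnd, kappa2)
        T = T * pow(box_T[v], a, P) % P                         # T_k *= T_v^{a_v}
        E = [(E_j + a * e) % p for E_j, e in zip(E, box_e[v])]  # E_j += a_v * e_v,j
    return T, E

def verify(n, proof, x, h, z_M, FN, kappa1, kappa2, rnd):
    """Verifier side: rebuild the boxed and transformed locator from i = 1..n alone,
    then check T == (W * prod_j h_j^{E_j})^x (simplified secret-key check, assumption)."""
    T, E = proof
    acc = 1
    for i in range(1, n + 1):
        a = coeff(box_of(i, rnd, kappa1), rnd, kappa2)
        acc = acc * pow(locator(i, z_M, FN), a, P) % P
    for h_j, E_j in zip(h, E):
        acc = acc * pow(h_j, E_j, P) % P
    return T == pow(acc, x, P)

def audit(store, tags, keys, psi=3):
    """Run psi independent atomic rounds; accept only if every round verifies."""
    x, h, z_M, FN = keys
    k1, k2 = "constructed-kappa-1", "constructed-kappa-2"   # constructed challenge keys
    return all(verify(len(tags), prove(store, tags, k1, k2, r), x, h, z_M, FN, k1, k2, r)
               for r in range(1, psi + 1))

def demo():
    x, z_M, FN = 777, 4242, "FN_M-example"             # constructed key and identifiers
    h = [pow(G, 1 + prf("r", j, mod=p - 1), P) for j in range(N_B + 1)]  # h_j = g^{r_j}
    keys = (x, h, z_M, FN)
    data, extra = b"IPDI archive", b"append"           # constructed sample data
    store = super_blocks(data, z_M, FN)
    tags = {k: fingerprint(k, sb, x, h, z_M, FN) for k, sb in store.items()}
    before = audit(store, tags, keys)
    # Incremental change: only the new super blocks n+1, n+2, ... are fingerprinted.
    new = super_blocks(extra, z_M, FN, first=len(store) + 1)
    store.update(new)
    tags.update({k: fingerprint(k, sb, x, h, z_M, FN) for k, sb in new.items()})
    full = super_blocks(data + extra, z_M, FN)
    same = tags == {k: fingerprint(k, sb, x, h, z_M, FN) for k, sb in full.items()}
    after = audit(store, tags, keys)
    # A server that has lost one bit of one real block can no longer pass the audit.
    damaged = {k: list(sb) for k, sb in store.items()}
    damaged[2][1] ^= 1
    return before, same, after, audit(damaged, tags, keys)

if __name__ == "__main__":
    print(demo())
```

Because the VFB and the locator depend only on the super block index and the file identifiers, the fingerprints of existing super blocks are untouched by the append, and the incrementally built fingerprint set equals the one computed from scratch over the whole file.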
Other embodiments
Possibility 1:
Slightly modifying step iii-d of "archive server proves data integrity" and step IV) of "client verifies data integrity" yields the IPDI-2 scheme. This scheme supports public verifiability.
In addition, the client needs to compute
Figure G2008101708040D00155
and
Figure G2008101708040D00156
as its public key.
Modification to step iii-d of "archive server proves data integrity":
iii-dd. Compute $H_k = \prod_{j=+0}^{n_B} H_j^{E_j}$ as the knowledge proof of the transformed super block.
Modification to step IV) of "client verifies data integrity":
IV') Compute and verify
Figure G2008101708040D00158
The IPDI-2 scheme supports public verifiability because no step of "archive server proves data integrity" or "client verifies data integrity" involves the client's key, so these procedures can be carried out efficiently by a third-party verifier.
Possibility 1.1:
Slightly modifying "client verifies data integrity" of IPDI-2 yields the accelerated IPDI-2 scheme.
Modification to step IV') of "client verifies data integrity":
IV-e) Select k random numbers
Figure G2008101708040D00161
, $k = 1, 2, \ldots, \psi$, then compute and verify
Figure G2008101708040D00162
With the accelerated IPDI-2 scheme, the number of bilinear map computations that the client must perform to verify data integrity is reduced.
Possibility 2:
Slightly modifying step a) of "client generates data fingerprints" and step IV) of "client verifies data integrity" yields the IPDI-3 scheme.
Modification to step a) of "client generates data fingerprints":
aa) The client selects an identifier, and computes
Figure G2008101708040D00164
Figure G2008101708040D00165
Modification to step IV) of "client verifies data integrity":
IV'') Compute and verify
Figure G2008101708040D00166
Possibility 3:
Following Possibility 2 above, slightly modifying step iii-d of "archive server proves data integrity" and step IV) of "client verifies data integrity" yields the IPDI-4 scheme. This is another scheme that supports public verifiability.
In addition, the client needs to compute
Figure G2008101708040D00167
and
Figure G2008101708040D00168
as its public key.
Modification to step iii-d of "archive server proves data integrity":
iii-ddd. Compute $H_k = \prod_{j=+0}^{n_B} H_j^{E_j}$ as the knowledge proof of the transformed super block.
Modification to step IV) of "client verifies data integrity":
IV''') Compute and verify
Figure G2008101708040D001610
The PDI-3 scheme supports public verifiability because no step of "archive server proves data integrity" or "client verifies data integrity" involves the client's secret key, so these procedures can be carried out efficiently by a third-party verifier.
Possibility 3.1:
Slightly modifying "client verifies data integrity" of IPDI-4 yields the accelerated IPDI-4 scheme.
Modification to step IV''') of "client verifies data integrity":
IV-f) Select k random numbers
Figure G2008101708040D00171
, $k = 1, 2, \ldots, \psi$, then compute and verify
Figure G2008101708040D00172
With the accelerated IPDI-4 scheme, the number of bilinear map computations that the client must perform to verify data integrity is reduced.
Possibility 4:
For all of the above schemes, slightly modifying the system parameters and the steps of "client generates data fingerprints" and "client verifies data integrity" yields a scheme that supports sampling.
To support sampling, an additional system parameter $prf_6: \{0,1\}^* \to \{1, 2, \ldots, n\}$ is needed. The challenge $chal = (l, \psi, \kappa_1, \kappa_2)$ additionally contains a key
Figure G2008101708040D00173
and a positive number Λ.
Then, in all steps of "client generates data fingerprints" and "client verifies data integrity", $i = prf_6(\kappa_3, 1), prf_6(\kappa_3, 2), \ldots, prf_6(\kappa_3, \Lambda)$ replaces every $i = 1, 2, \ldots, n$. Because only the Λ super blocks selected by $i = prf_6(\kappa_3, 1), prf_6(\kappa_3, 2), \ldots, prf_6(\kappa_3, \Lambda)$ are involved, only the data integrity of the sampled super blocks is verified.
Thus, with Possibility 4, the archive server does not use all super blocks to produce the data integrity proof. Instead, the client's challenge tells the archive server which and how many super blocks to select for producing the proof.
Optional working model:
By introducing the time stamping authority (TSA) suggested in reference 4 (RFC 4810), a digitally signed timestamp from the TSA can be used in place of the challenge key
Figure G2008101708040D00181
, as shown in Fig. 4. Let this timestamp be denoted T. Using the standard hash algorithm SHA-1, one obtains $\kappa_1 = \text{SHA-1}(T, \text{"1"})$ and $\kappa_2 = \text{SHA-1}(T, \text{"2"})$. With this replacement, the client's challenge asks whether the data was correctly kept until no earlier than the timestamp issued by the TSA. Apart from the final step of the atomic proof procedure (which must use the archive server's response, that is, $(T_k, H_k)$), both the archive server and the client can then benefit greatly from precomputation.
In addition, as shown in Fig. 5, when the verifier is a third-party verifier, $\kappa_1$ and $\kappa_2$ can likewise be derived from the TSA timestamp. When sampling is used, $\kappa_3$ can be derived from the TSA timestamp as, for example, $\kappa_3 = \text{SHA-1}(T, \text{"3"})$.
Possibility 5:
The virtual file block (VFB) can take the "real" file blocks $\{M_{(i-1) \cdot n_B + j}\}$, $j = 1, 2, \ldots, n_B$, as additional input. That is, the VFB can be computed as follows:
Figure G2008101708040D00183
Hardware implementation:
It will be apparent to those skilled in the art that the invention can also be implemented in hardware. Some examples are given below; they serve only for description and should not be regarded as limiting the invention in any way.
Client
Fig. 6 shows a block diagram of a client 1400 for implementing the invention. Here, the client 1400 serves as the device that generates data fingerprints.
As shown in Fig. 6, the client 1400 comprises: a virtual file block generation unit 1405, which generates, for each super block to be generated, a virtual file block
Figure G2008101708040D00184
; a super block generation unit 1410, which divides the data into N blocks $M_i$, $i = 1, 2, \ldots, N$, and combines every $n_B$ blocks with the virtual file block from the virtual file block generation unit 1405
Figure G2008101708040D0018105610QIETU
into a super block, to obtain
Figure G2008101708040D00191
super blocks; and a fingerprint generation unit 1420, which, from the finite cyclic group
Figure G2008101708040D00192
, selects $n_B + 1$ elements $h_j$, $j = +0, 1, 2, \ldots, n_B$, and generates the fingerprint $T_k$ of the k-th super block, $k = 1, 2, \ldots, n$, using the locator $W_k$ for the k-th super block, the selected $n_B + 1$ elements $h_j$ and the first private key x. The client 1400 also comprises a memory 1430 for storing information used or generated by the super block generation unit 1410 and the fingerprint generation unit 1420, for example the generated super blocks, the finite cyclic group, the generated fingerprints, the locators and the private key. As those skilled in the art will appreciate, the memory 1430 can be a separate unit as described above, or one or more integrated units incorporated in the super block generation unit 1410 and/or the fingerprint generation unit 1420.
Similarly, the $n_B + 1$ elements $h_j$ can be part of the public key corresponding to the first private key x. In addition, the $n_B + 1$ elements $h_j$ can satisfy the relation $h_j = g_1^{r_j}$, where $r_j$ is a secret key. The public key and/or the secret keys can also be stored in the memory 1430.
Archive server
Fig. 7 shows a block diagram of an archive server 1500 for implementing the invention. Here, the archive server 1500 serves as the device that proves data integrity.
As shown in Fig. 7, the archive server 1500 comprises: a receiving unit 1510, which receives a challenge containing at least the first randomness defining key $\kappa_1$ and the second randomness defining key $\kappa_2$; an encapsulation unit 1520, which constructs Φ boxes, the number Φ being determined by the challenge, randomly assigns the n fingerprints to the Φ boxes in a first random manner defined by the first randomness defining key $\kappa_1$, each fingerprint being placed in one box, and produces Φ encapsulated super blocks and corresponding encapsulated fingerprints based on the assignment of the n fingerprints; a transformation unit 1530, which randomly transforms the Φ encapsulated super blocks and corresponding encapsulated fingerprints in a second random manner defined by the second randomness defining key $\kappa_2$, to produce a transformed super block and a transformed fingerprint; and a knowledge proof generation unit 1540, which produces the knowledge proof of the transformed super block. The archive server 1500 can also comprise a memory 1550 for storing information used or generated by the receiving unit 1510, the encapsulation unit 1520, the transformation unit 1530 and the knowledge proof generation unit 1540. As those skilled in the art will appreciate, the memory 1550 can be a separate unit as described above, or one or more integrated units incorporated in the receiving unit 1510, the encapsulation unit 1520, the transformation unit 1530 and the knowledge proof generation unit 1540.
The knowledge proof generation unit 1540 can produce the transformed super block itself as the knowledge proof of the transformed super block. Alternatively, the knowledge proof generation unit 1540 can produce the knowledge proof of the transformed super block based on the public key and the transformed super block.
The challenge can also include a super block selection key pair $(\kappa_3, \Lambda)$, which defines which Λ super blocks and corresponding fingerprints, rather than all n super blocks and corresponding fingerprints, the encapsulation unit 1520 selects for the data integrity proof.
The challenge can also include a repetition factor ψ; the operations of the receiving unit 1510, the encapsulation unit 1520, the transformation unit 1530 and the knowledge proof generation unit 1540 are repeated ψ times, each time producing one knowledge proof of the transformed super block, the m-th of which is denoted $H_m$, $m = 1, 2, \ldots, \psi$.
The challenge can include a digitally signed timestamp from a time stamping authority (TSA).
In addition, at least one of the first and second randomness defining keys $\kappa_1$ and $\kappa_2$ and the super block selection key $\kappa_3$ is generated from the digitally signed timestamp.
In addition, the archive server 1500 can also comprise a transmitting unit 1560 for sending the transformed fingerprint and the knowledge proof of the transformed super block.
Verifier (client or third-party verifier)
Fig. 8 shows a block diagram of a verifier 1600 for implementing the invention. Here, the verifier 1600 serves as the device that verifies data integrity. It will be apparent to those skilled in the art that the verifier 1600 can be the client 1400 itself or a third-party verifier. In the former case, where the verifier 1600 is the client 1400 itself, the client 1400 comprises both the subsystem for generating data fingerprints shown in Fig. 6 and the subsystem for verifying data shown in Fig. 8. In the latter case, where the verifier 1600 is a third-party verifier, the third-party verifier only needs the structure shown in Fig. 8, and the structure shown in Fig. 6 is optional.
As shown in Fig. 8, the verifier 1600 comprises: a challenge generation and transmission unit 1610, which generates and sends a challenge containing at least the first randomness defining key $\kappa_1$ and the second randomness defining key $\kappa_2$; a receiving unit 1620, which receives the transformed fingerprint and the knowledge proof of the transformed super block; a locator encapsulation unit 1630, which constructs Φ boxes, randomly assigns n locators $W_k$ to the Φ boxes in the first random manner, each locator being placed in one box, and produces Φ encapsulated locators based on the assignment of the n locators; an inferred knowledge proof generation unit 1640, which randomly transforms the Φ encapsulated locators in the second random manner to produce a transformed locator, and produces the inferred knowledge proof of the transformed super block from the transformed fingerprint and the transformed locator; a comparator 1650, which compares the inferred knowledge proof of the transformed super block with the received knowledge proof of the transformed super block; and a verification unit 1660, which verifies the data integrity of the data if the comparison result is positive. The verifier 1600 can also comprise a memory 1670 for storing information used or generated by the challenge generation and transmission unit 1610, the receiving unit 1620, the locator encapsulation unit 1630, the inferred knowledge proof generation unit 1640, the comparator 1650 and the verification unit 1660. As those skilled in the art will appreciate, the memory 1670 can be a separate unit as described above, or one or more integrated units incorporated in the challenge generation and transmission unit 1610, the receiving unit 1620, the locator encapsulation unit 1630, the inferred knowledge proof generation unit 1640, the comparator 1650 and the verification unit 1660.
The inferred knowledge proof generation unit 1640 produces the inferred knowledge proof of the transformed super block based on the identifier $z_M$ of the data, the transformed fingerprint and the transformed locator.
The inferred knowledge proof generation unit 1640 also uses the first and second private keys x and
Figure G2008101708040D0021105851QIETU
to produce the inferred knowledge proof of the transformed super block.
The challenge generated by the challenge generation and transmission unit 1610 also includes a super block selection key pair $(\kappa_3, \Lambda)$, which defines which Λ locators, rather than all n locators, the locator encapsulation unit 1630 selects for the data integrity proof.
The challenge generated by the challenge generation and transmission unit 1610 also includes a repetition factor ψ; the operations of the locator encapsulation unit 1630, the inferred knowledge proof generation unit 1640 and the comparator 1650 are repeated ψ times, and the verification unit 1660 verifies the data integrity only when all comparison results are positive.
The challenge generated by the challenge generation and transmission unit 1610 includes a digitally signed timestamp from a time stamping authority (TSA).
The challenge generation and transmission unit 1610 determines at least one of the first and second randomness defining keys $\kappa_1$ and $\kappa_2$ and the super block selection key $\kappa_3$ from the digitally signed timestamp.
Optional application of the proposed VFB
The VFB idea can also be applied to the PDP scheme. An IPDP scheme that can handle incremental changes to a data file can therefore be constructed as follows (based on page 11 of reference 7). In principle, the PDP scheme can be regarded as the simplified case of the PDI scheme with $n_B = 1$.
What the IPDP scheme does is essentially to compute, for each file block $m_i$, a VFB
Figure G2008101708040D0022105931QIETU
. If a super block is taken to contain one file block, that is, the case $n_B = 1$, this is the same as the core idea of the IPDI scheme, in which a VFB is computed for each super block (a group of file blocks) and added to that super block.
The IPDP scheme also slightly modifies the original PDP scheme so that the VFB is taken into account in the computations.
The advantage of the IPDP scheme is that it is so far the only RSA-based scheme that can meet the above requirements (I) to (VII).
TagBlock(.):
$T_{i,m} = \left( PRF(W_i) \cdot h_0^{\bar{m}} \cdot g^{m} \right)^d \bmod N$, where the VFB is $\tilde{m} = prf(\upsilon, i)$. In addition, $h_0 \in_R QR_N$ is an additional parameter of the public key (besides, for example, N, e, g and $PRF(\cdot): \{0,1\}^* \to QR_N$, where $ed \equiv 1 \bmod \phi(N)$).
GenProof(.):
$T = T_{i_1, m_{i_1}}^{a_1} \cdots T_{i_c, m_{i_c}}^{a_c} = \left( PRF(W_{i_1})^{a_1} \cdots PRF(W_{i_c})^{a_c} \cdot h_0^{a_1 \bar{m}_{i_1} + \cdots + a_c \bar{m}_{i_c}} \cdot g^{a_1 m_{i_1} + \cdots + a_c m_{i_c}} \right)^d \bmod N$
$\rho = H\left( \left( h_{0s}^{a_1 \bar{m}_{i_1} + \cdots + a_c \bar{m}_{i_c}} \cdot g_s^{a_1 m_{i_1} + \cdots + a_c m_{i_c}} \right) \bmod N \right)$
where $h_{0s} = h_0^s \in QR_N$, and $H(\cdot): \{0,1\}^* \to Z$ is, for example, the SHA-1 hash function. The parameters c, $a_j$, $i_j$, $j = 1, 2, \ldots, c$, $g_s$ and $h_{0s}$ are determined by the challenge.
CheckProof(.):
This part remains unchanged.
For a clearer and more systematic understanding of these details of the invention, the entire disclosure of the earlier Chinese invention patent application CN200810165864.3 is incorporated herein by reference, which is equivalent to describing all of that disclosed content in this specification without repeating it. If questions or difficulties arise in understanding the invention, CN200810165864.3 can be consulted to resolve them.
The above description gives only preferred embodiments of the invention and does not limit the invention in any way. Any modification, replacement, improvement and the like made within the spirit and principles of the invention should therefore be covered by the scope of the invention.

Claims (12)

1. A method of generating data fingerprints, comprising the steps of:
dividing data into N blocks $M_i$, $i = 1, 2, \ldots, N$;
combining every $n_B$ blocks and a virtual file block
Figure FDA0000416685650000011
into a super block, to obtain
Figure FDA0000416685650000012
super blocks;
from a finite cyclic group
Figure FDA0000416685650000013
, selecting $n_B + 1$ elements $h_j$, $j = +0, 1, 2, \ldots, n_B$;
generating the fingerprint $T_k$ of the k-th super block, $k = 1, 2, \ldots, n$, by using the locator $W_k$ for the k-th super block, the selected $n_B + 1$ elements $h_j$ and a first private key x,
wherein, in the case where the locator $W_k$ of the k-th super block is a hash value taking at least k as input and $z_M$ is the identifier of the data, the fingerprint $T_k$ of the k-th super block is generated according to
$T_k = \left( W_k \cdot \prod_{j=+0}^{n_B} h_j^{M_{(k-1) * n_B + j}} \right)^{\frac{1}{x + z_M}}$
or
in the case where the locator $W_k$ of the k-th super block is a hash value taking at least k and the identifier $z_M$ of the data as input, the fingerprint $T_k$ of the k-th super block is generated according to
$T_k = \left( W_k \cdot \prod_{j=+0}^{n_B} h_j^{M_{(k-1) * n_B + j}} \right)^{x}$
2. The method of generating data fingerprints according to claim 1, wherein the $n_B + 1$ elements $h_j$ are part of the public key corresponding to the first private key x.
3. The method of generating data fingerprints according to claim 1, wherein the $n_B + 1$ elements $h_j$ satisfy the relation
Figure FDA0000416685650000016
, where $r_j$ is a secret key.
4. the method for generation data fingerprint according to claim 1, when new data will add the ending of available data to, comprises step:
New data is divided into N nEWindividual piece i=N+1, N+2 ..., N+N nEW;
By every n bindividual piece and virtual file piece
Figure FDA0000416685650000018
be combined into super piece, to obtain individual super piece;
By using the finger URL W for the super piece of k k, selected n b+ 1 element h jwith the first private key x, produce respectively the fingerprint T of the super piece of k k, k=n+1, n+2 ..., n+n nEW.
5. according to the method for the generation data fingerprint described in claim 1 or 4, wherein virtual file piece
Figure FDA0000416685650000022
following generation:
M ( k - 1 ) &CenterDot; n B + &prime; + 0 &prime; = prf VFB ( k , z M , FN M )
Wherein, z mthe identifier of data, FN mthe file identifier of data, prf vFB() represents pseudo-random function.
6. according to the method for the generation data fingerprint described in claim 1 or 4, wherein virtual file piece following generation:
M ( k - 1 ) &CenterDot; n B + &prime; + 0 &prime; = prf VFB ( k , z M , FN M , { M ( k - 1 ) &CenterDot; n B + j } ) , j = 1,2 , . . . , n B
Wherein, z mthe identifier of data, FN mthe file identifier of data, be will with virtual file piece
Figure FDA0000416685650000027
be combined into together the n of super piece bthe data set of individual piece, prf vFB() represents pseudo-random function.
7. A device for generating data fingerprints, comprising:
a virtual file block generation unit, which generates, for each super block to be generated, a virtual file block
Figure FDA0000416685650000028
a super block generation unit, which divides data into N blocks $M_i$, $i = 1, 2, \ldots, N$, and combines every $n_B$ blocks with the virtual file block from the virtual file block generation unit into a super block, to obtain
Figure FDA00004166856500000210
super blocks; and
a fingerprint generation unit, which, from a finite cyclic group
Figure FDA00004166856500000211
, selects $n_B + 1$ elements $h_j$, $j = +0, 1, 2, \ldots, n_B$, and generates the fingerprint $T_k$ of the k-th super block, $k = 1, 2, \ldots, n$, by using the locator $W_k$ for the k-th super block, the selected $n_B + 1$ elements $h_j$ and a first private key x,
wherein, in the case where the locator $W_k$ of the k-th super block is a hash value taking at least k as input and $z_M$ is the identifier of the data, the fingerprint generation unit generates the fingerprint $T_k$ of the k-th super block according to
$T_k = \left( W_k \cdot \prod_{j=+0}^{n_B} h_j^{M_{(k-1) * n_B + j}} \right)^{\frac{1}{x + z_M}}$
or
in the case where the locator $W_k$ of the k-th super block is a hash value taking at least k and the identifier $z_M$ of the data as input, the fingerprint generation unit generates the fingerprint $T_k$ of the k-th super block according to
$T_k = \left( W_k \cdot \prod_{j=+0}^{n_B} h_j^{M_{(k-1) * n_B + j}} \right)^{x}$
8. The device for generating data fingerprints according to claim 7, wherein the $n_B + 1$ elements $h_j$ are part of the public key corresponding to the first private key x.
9. The device for generating data fingerprints according to claim 7, wherein the $n_B + 1$ elements $h_j$ satisfy the relation
Figure FDA0000416685650000033
, where $r_j$ is a secret key.
10. The device for generating data fingerprints according to claim 7, wherein, when new data is to be appended to the end of existing data,
the virtual file block generation unit generates, for each super block to be generated, a virtual file block
Figure FDA0000416685650000034
the super block generation unit divides the new data into $N_{NEW}$ blocks
Figure FDA0000416685650000035
, $i = N+1, N+2, \ldots, N + N_{NEW}$, and combines every $n_B$ blocks and the virtual file block
Figure FDA0000416685650000036
into a super block, to obtain
Figure FDA0000416685650000037
super blocks; and
the fingerprint generation unit generates the fingerprint $T_k$ of the k-th super block, $k = n+1, n+2, \ldots, n + n_{NEW}$, by using the locator $W_k$ for the k-th super block, the selected $n_B + 1$ elements $h_j$ and the first private key x.
11. The device for generating data fingerprints according to claim 7 or 10, wherein the fingerprint generation unit generates the virtual file block as follows:
$M_{(k-1) \cdot n_B + '+0'} = prf_{VFB}(k, z_M, FN_M)$
where $z_M$ is the identifier of the data, $FN_M$ is the file identifier of the data, and $prf_{VFB}(\cdot)$ denotes a pseudo-random function.
12. The device for generating data fingerprints according to claim 7 or 10, wherein the fingerprint generation unit generates the virtual file block
Figure FDA0000416685650000041
as follows:
$M_{(k-1) \cdot n_B + '+0'} = prf_{VFB}(k, z_M, FN_M, \{M_{(k-1) \cdot n_B + j}\})$, $j = 1, 2, \ldots, n_B$
where $z_M$ is the identifier of the data, $FN_M$ is the file identifier of the data,
Figure FDA0000416685650000043
is the data set of $n_B$ blocks to be combined with the virtual file block
Figure FDA0000416685650000044
into a super block, and $prf_{VFB}(\cdot)$ denotes a pseudo-random function.
CN200810170804.0A 2008-10-21 2008-10-21 Verification method, equipment and system of increment provable data integrity (IPDI) Expired - Fee Related CN101729250B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200810170804.0A CN101729250B (en) 2008-10-21 2008-10-21 Verification method, equipment and system of increment provable data integrity (IPDI)
JP2009219088A JP2010166549A (en) 2008-10-21 2009-09-24 Method and apparatus of generating finger print data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810170804.0A CN101729250B (en) 2008-10-21 2008-10-21 Verification method, equipment and system of increment provable data integrity (IPDI)

Publications (2)

Publication Number Publication Date
CN101729250A CN101729250A (en) 2010-06-09
CN101729250B true CN101729250B (en) 2014-03-26

Family

ID=42449531

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810170804.0A Expired - Fee Related CN101729250B (en) 2008-10-21 2008-10-21 Verification method, equipment and system of increment provable data integrity (IPDI)

Country Status (2)

Country Link
JP (1) JP2010166549A (en)
CN (1) CN101729250B (en)


Also Published As

Publication number Publication date
CN101729250A (en) 2010-06-09
JP2010166549A (en) 2010-07-29

Similar Documents

Publication Publication Date Title
JP7159183B2 (en) Device and method for sharing matrices for use in cryptographic protocols
CN104753917B (en) Key management system and method based on ID
Chen et al. Verifiable computation over large database with incremental updates
CN106254374B (en) A kind of cloud data public audit method having duplicate removal function
Fiore et al. Publicly verifiable delegation of large polynomials and matrix computations, with applications
CN101938473B (en) Single-point login system and single-point login method
NL2013944B1 (en) Public-key encryption system.
CN101729250B (en) Verification method, equipment and system of increment provable data integrity (IPDI)
CN103425941B (en) The verification method of cloud storage data integrity, equipment and server
JP6067932B2 (en) Key sharing device and method
CN105721158A (en) Cloud safety privacy and integrity protection method and cloud safety privacy and integrity protection system
US8254569B2 (en) Provable data integrity verifying method, apparatuses and system
US20120278609A1 (en) Joint encryption of data
CN101383707A (en) Light-weight authentication system and key algorithm
TW201320701A (en) Information processing device, information processing method, and program
CN101471779B (en) Method, equipment and system for verifying integrity of verified data
CN106790311A (en) Cloud Server stores integrality detection method and system
CN101697513A (en) Digital signature method, device and system as well as digital signature verification method
WO2018045647A1 (en) Multivariable public key signature system and method
CN102546185A (en) Data encrypting method and encrypted data transmitting device
JP5651611B2 (en) Key exchange device, key exchange system, key exchange method, program
Rehman et al. Securing cloud storage by remote data integrity check with secured key generation
CN110460604B (en) Cloud storage encryption, decryption and verification method and system
CN107276749A (en) One kind agency&#39;s weight Designated-Verifier label decryption method
CN113034276A (en) Block chain privacy transaction solution method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140326

Termination date: 20161021
