WO2018201730A1

WO2018201730A1 - Lattice-based cloud storage data security audit method supporting uploading of data via proxy

Info

Publication number: WO2018201730A1
Application number: PCT/CN2017/116287
Authority: WO
Inventors: 张晓均; 龚捷; 郑俊松; 赵芥; 牟黎明
Original assignee: 西南石油大学
Priority date: 2017-05-02
Filing date: 2017-12-14
Publication date: 2018-11-08
Also published as: CN107124272A

Abstract

The present invention pertains to the field of information security technologies, and in particular relates to a lattice-based cloud storage data security audit method supporting uploading of data via a proxy. The audit method of the present invention assists a data owner to authorize a proxy signer to generate a proxy signature for data and to upload the data to a cloud server, helping a trusted auditor to perform an integrity audit on cloud storage data. In the audit method of the present invention, a random masking code is constructed by using a lattice preimage sampling algorithm, effectively preventing the trusted auditor from recovering original data block information of an original signer from the data file. In a process of performing integrity verification on the cloud storage data, the trusted auditor only needs to compute a limited quantity of linear combinations, instead of computing costlier bilinear pairwise and modular exponential operations. Thereby, the audit method is highly beneficial to trusted auditors in terms of computational efficiency. Moreover, the method of the present invention can effectively resist attacks by quantum computers and will have important application value in security of cloud computing environments in the coming quantum communications era.

Description

支持数据代理上传的格基云存储数据安全审计方法Gage cloud storage data security auditing method supporting data agent upload

技术领域Technical field

本发明属于信息安全技术领域，具体的说是涉及支持数据代理上传的格基云存储数据安全审计方法。The invention belongs to the technical field of information security, and in particular relates to a security auditing method for a grid-based cloud storage data supporting data agent uploading.

背景技术Background technique

随着云计算技术的快速发展，特别是在大数据时代，将会有越来越多的用户将海量数据存储在云服务器上。这将势必造成用户对存储在远程云服务器的数据隐私安全的担忧，由于用户失去了对数据的实际掌控，存储在云服务器上的数据是否被篡改，即数据完整性是用户最关心的。With the rapid development of cloud computing technology, especially in the era of big data, more and more users will store massive amounts of data on cloud servers. This will inevitably cause users to worry about the privacy of data stored in the remote cloud server. Since the user loses the actual control of the data, whether the data stored on the cloud server has been tampered with, that is, data integrity is the most concerned by the user.

云存储数据审计方案能够有效解决远程数据完整性验证的问题，这不仅能够释放终端用户管理数据的压力，也避免了终端用户对存储在云服务器上的远程数据遭到篡改的担忧。在一些特殊的应用环境中，数据拥有者访问公共云服务器的权利受限，如数据拥有者(经理)可能因为经济纠纷问题，或者被投诉其具有商业欺骗的行为而遭到质疑和调查，为了防止合谋欺骗，数据拥有者暂时被取消处理公司的相关数据的权利，但是这段时间内这位数据拥有者(经理)的合法事物还需要继续处理。当他所在的公司每日产生海量的数据，为了不让公司遭受损失，他将指定代理者(如秘书)帮助其及时处理公司的数据。目前已经出现很多具有数据完整性验证功能的云存储数据安全审计方案，而真正具有支持数据代理上传的云存储数据安全审计方案还非常少，仅有一个具有这种功能的构造方案，但此方案不能抵抗量子计算机的攻击能力。这是因为此云存储数据安全审计方案是基于需要计算开销更高的双线性对运算设计的，其安全性是基于离散对数的密码学困难问题，这在量子计算的环境下是很容易被攻破的。而格密码被认为是抗量子计算的密码，即后量子密码中最有前景的一类密码。因为格在代数结构上实质上是一个加法交换群，在几何上是空间的一些排列整齐的离散点集合，结构比较简单，在***中硬件和软件都容易实现。而且密码学者Ajta开创性地证明了某类格中一些平均情况下的困难问题和NP困难问题的难度等价，这一结论极大地促进了格密码算法的发展。另外，格上具有丰富的困难问题假设，包括最短向量问题、最近向量问题、近似最短向量问题、近似最近向量问题等，这些困难性问题之间都有现成的可证明安全归约技术，极大地增强了人们对格公钥密码算法安全性的信心。The cloud storage data auditing solution can effectively solve the problem of remote data integrity verification, which not only relieves the pressure of end user management data, but also avoids the end user's concern about the tampering of remote data stored on the cloud server. In some special application environments, data owners have limited access to public cloud servers. For example, data owners (managers) may be questioned and investigated because of economic disputes or complaints about commercial fraud. To prevent conspiracy to deceive, the data owner is temporarily disqualified from processing the company's relevant data, but the legal owner of the data owner (manager) needs to continue processing during this time. When his company produces massive amounts of data every day, in order not to let the company suffer losses, he will assign agents (such as secretaries) to help them process the company's data in a timely manner. At present, there are many cloud storage data security auditing schemes with data integrity verification functions. However, there are very few cloud storage data security auditing schemes that support data agent uploading. There is only one configuration scheme with this function, but this scheme Can not resist the attack power of quantum computers. This is because this cloud storage data security auditing scheme is based on the design of bilinear pairing operations that require more computational overhead. The security is based on the cryptographic difficulty of discrete logarithm, which is very easy in the quantum computing environment. Being broken. The lattice password is considered to be an anti-quantum computing password, the most promising type of password in the post-quantum cryptosystem. Because the lattice is essentially an additive exchange group in the algebraic structure, it is geometrically a set of neatly arranged discrete points in space. The structure is relatively simple, and hardware and software are easy to implement in the system. Moreover, the cryptographer Ajta has pioneered the equivalence of some difficult problems in an average case and the difficulty of NP-hard problems. This conclusion greatly promotes the development of the lattice cipher algorithm. In addition, there are rich and difficult problem hypotheses, including the shortest vector problem, the nearest vector problem, the approximate shortest vector problem, the approximate nearest vector problem, etc. These difficult problems have ready-to-proven secure reduction techniques, greatly Increased confidence in the security of the public key cryptography algorithm.

因此，考虑到大数据将会在量子时代长期存在，研究支持数据代理上传的基于格困难问题假设的云存储数据安全审计方法具有重要的应用价值。Therefore, considering that big data will exist for a long time in the quantum age, it is of great practical value to study the cloud storage data security audit method based on the assumption of grid difficulty uploaded by data agent.

发明内容Summary of the invention

本发明的目的在于，针对上述目的，提出一种支持数据代理上传的格基云存储数据安全审计方法，需要说明的是，在本发明的方法中要求原始数据拥有者不仅需要授权代理者帮助其产生数据的签名和上传数字签名到云服务器，而且需要数据拥有者指定一个专门的可信审计者帮助其审计存储在云服务器上的数据完整性；此外为了避免复杂的证书管理，本发明的审计方法需要在基于身份的密码学的基础上设计。The object of the present invention is to provide a method for security auditing of a grid-based cloud storage data supporting data agent uploading. It should be noted that in the method of the present invention, the original data owner is required not only to authorize an agent to assist him or her. Generate data signatures and upload digital signatures to the cloud server, and require the data owner to specify a dedicated trusted auditor to help them audit the data integrity stored on the cloud server; in addition, to avoid complex certificate management, the audit of the present invention The method needs to be designed on the basis of identity-based cryptography.

为了便于理解本发明的技术方案，在详细描述本发明的技术方案之前，先集中描述本发明采用的符号的定义和介绍本发明采用的基础算法：In order to facilitate the understanding of the technical solutions of the present invention, before describing the technical solutions of the present invention in detail, the definitions of the symbols used in the present invention are collectively described and the basic algorithms adopted by the present invention are introduced:

符号定义：Symbol definition:

q＝poly(n)：q是关于正整数n的多项式；{0,1} ^*:随机长度比特串； q=poly(n): q is a polynomial for a positive integer n; {0, 1} ^* : a random length bit string;

模q上的n维向量；

模q上的m维向量；

An n-dimensional vector on the modulo q;

The m-dimensional vector on the modulo q;

模q上的n×m维矩阵；

模q上的m×m维矩阵；

An n × m dimensional matrix on the modulo q;

m×m-dimensional matrix on the modulo q;

表示从

均匀随机的选取模q上的n维向量ξ；

Express from

Uniform random selection of n-dimensional vectors 模 on modulo q;

f＝<η,λ>：f为η与λ的内直积；||T||：表示矩阵

的欧式范数； f=<η,λ>:f is the inner direct product of η and λ; ||T||: represents the matrix

European norm

q模格:给定矩阵

其中q是素数，m，n为正整数，定义q模格如下:

q mode: given matrix

Where q is a prime number, m, n are positive integers, and the q-module is defined as follows:

基于低范数m×m维可逆矩阵的离散噪声分布；

Discrete noise distribution based on a low norm m×m dimensional invertible matrix;

基础算法：Basic algorithm:

陷门生成算法(TrapGen):令正整数q≥2和m≥5n log q，存在概率多项式时间算法TrapGen(q,n)在多项式时间内输出一个矩阵

和格

的一个短基

使得A在统计上接近均匀分布

并且短基

满足||T _A||＝O(n log q),其中O(n log q)表示关于n log q的多项式计算复杂度。 Trapdoor generation algorithm (TrapGen): Let positive integers q≥2 and m≥5n log q, existence probability polynomial time algorithm TrapGen(q,n) outputs a matrix in polynomial time

And

a short base

Make A statistically close to uniform distribution

Short base

Satisfying ||T _A ||=O(n log q), where O(n log q) represents the polynomial computational complexity with respect to n log q.

格基代理算法(NewBasisDel)：令q≥2，

以及可逆矩阵

取自分布

令

是格

的短基，存在概率多项式时间算法NewBasisDel(A,R,T _A,s ₁)，在多项式时间内输出格

的短基

Geki proxy algorithm (NewBasisDel): let q ≥ 2,

Reversible matrix

Taken from distribution

make

Yes

Short base, existence probability polynomial time algorithm NewBasisDel(A,R,T _A ,s ₁ ), output lattice in polynomial time

Short base

原像抽样算法(SamplePre)：输入矩阵

格

的短基

高斯安全参数s ₂，对任意给定的向量

SamplePre(A,T _A,ξ,s ₂)算法输出为从统计接近于离散高斯分布χ中抽取的一个向量

其满足Ae＝ξmod q。 Original image sampling algorithm (SamplePre): input matrix

grid

Short base

Gaussian safety parameter s ₂ , for any given vector

The SamplePre(A,T _A ,ξ,s ₂ ) algorithm outputs a vector extracted from a statistically close to the discrete Gaussian distribution χ

It satisfies Ae=ξmod q.

本发明的技术方案是：The technical solution of the present invention is:

支持数据代理上传的格基云存储数据安全审计方法，其特征在于，包括以下步骤：A grid security data storage auditing method supporting data agent uploading, characterized in that it comprises the following steps:

S1、***初始化：S1, system initialization:

***首先对数据文件进行分块处理，设置此阶段所需格密码算法的安全参数以及安全的哈希函数；密钥产生中心KGC(Key Generation Center)调用格基代理算法分别产生原始签名者、代理签名者以及云服务器的公私钥对；The system first performs block processing on the data file, sets the security parameters of the required cryptographic algorithm and the secure hash function at this stage; the key generation center KGC (Key Generation Center) calls the lattice-based proxy algorithm to generate the original signer and agent respectively. The public and private key pair of the signer and the cloud server;

S2、代理签名私钥产生阶段：S2, proxy signature private key generation phase:

原始签名者为了授权代理签名权利给代理签名者，利用原像抽样算法导出基于代理授权委任书的合法签名；所述的授权委任书中有明确的关于原始签名者和代理签名者的执行权利信息描述，验证者将其作为验证信息的组成部分；代理签名者验证授权委任书签名的有效性，并据此利用格基代理算法产生代理签名私钥；In order to authorize the agent to sign the right to the proxy signer, the original signer uses the original image sampling algorithm to derive the legal signature based on the proxy authorization letter; the authorization letter has explicit execution rights information about the original signer and the proxy signer. Describe the verifier as part of the verification information; the proxy signer verifies the validity of the signature of the authorization letter, and accordingly generates a proxy signature private key using the grid-based proxy algorithm;

S3、数据代理签名产生与上传阶段：S3, data agent signature generation and upload phase:

代理签名者利用步骤S2中获得的代理签名私钥，采用格上基于身份的线性同态代理签名算法产生原始签名者的数据文件的代理签名，代理签名者将这些数据文件、文件名称以及数据文件的代理签名的集合上传到公共云服务器，并且在客户端将这些数据删除；The proxy signer uses the proxy signature private key obtained in step S2 to generate the proxy signature of the original signer's data file by using the grid-based identity-based linear homomorphic proxy signature algorithm, and the proxy signer will use these data files, file names, and data files. The set of proxy signatures is uploaded to the public cloud server and the data is deleted at the client;

S4、审计证明产生与验证阶段：S4, the audit certification generation and verification phase:

可信审计者产生审计挑战信息给云服务器，云服务器根据审计挑战信息，计算聚合数据文件以及聚合签名，并选取随机向量作为盲化种子信息，根据原像抽样算法产生此随机向量的数字签名，将聚合数据文件盲化，并发送审计证明响应信息给可信审计者；最后，可信审计者按照格上基于身份的线性同态代理签名算法的验证步骤来验证此审计证明响应信息的有效性。The trusted auditor generates the audit challenge information to the cloud server, and the cloud server calculates the aggregated data file and the aggregated signature according to the audit challenge information, and selects the random vector as the blind seed information, and generates the digital signature of the random vector according to the original image sampling algorithm. The aggregated data file is blinded and the audit proof response information is sent to the trusted auditor. Finally, the trusted auditor verifies the validity of the audit proof response information according to the verification step of the identity-based linear homomorphic proxy signature algorithm. .

进一步的，所述步骤S1的具体方法为：Further, the specific method of the step S1 is:

S11、***首先对数据文件进行分块处理，设置此阶段所需格密码算法的安全参数以及安全的哈希函数：S11. The system first performs block processing on the data file, and sets security parameters and a secure hash function of the required cryptographic algorithm at this stage:

***将预处理文件F分为

个数据块，即

其中

代表F中的第i个数据块，其中

对于安全参数n，设置素数q＝poly(n)，整数m≥2n log q，设置χ为离散高斯噪声分布；为了格基代理算法NewBasisDel，原像抽样算法Sample Pre能够正确运行，***分别设置两个安全的高斯参数s ₁,s ₂； The system divides the preprocessed file F into

Data block, ie

among them

Represents the ith data block in F, where

For the security parameter n, set the prime number q=poly(n), the integer m≥2n log q, set χ to the discrete Gaussian noise distribution; for the lattice-based proxy algorithm NewBasisDel, the original image sampling algorithm Sample Pre can run correctly, and the system sets two respectively. a safe Gaussian parameter s ₁ , s ₂ ;

***运行陷门产生函数产生密钥产生中心KGC的主公钥A，主私钥T _A；设置抗碰撞的安全哈希函数

哈希函数

其中，H ₁和H ₃的输出值在

分布中；则***输出公共参数为Σ＝{A,H ₁,H ₂,H ₃,H ₄,H ₅}； The system runs the trapdoor generation function to generate the master public key A of the key generation center KGC, the master private key T _A ; and sets the anti-collision secure hash function

Hash function

Where the output values of H ₁ and H ₃ are

In the distribution; the system outputs the public parameters as Σ={A, H ₁ , H ₂ , H ₃ , H ₄ , H ₅ };

S12、密钥产生中心KGC调用格基代理算法分别产生原始签名者、代理签名者以及云服务器的公私钥对：S12. The key generation center KGC invokes the lattice-based proxy algorithm to generate the public-private key pair of the original signer, the proxy signer, and the cloud server, respectively:

输入步骤S11中设定的***公共参数Σ＝{A,H ₁,H ₂,H ₃,H ₄,H ₅}，主私钥T _A，原始签名者身份ID _o，密钥产生中心KGC计算原始签名者ID _o的私钥如下： Enter the system common parameters 步骤={A, H ₁ , H ₂ , H ₃ , H ₄ , H ₅ } set in step S11, the primary private key T _A , the original signer ID ₀ , and the key generation center KGC calculation The private key of the original signer ID _o is as follows:

令

计算ID _o的公钥

make

Calculate the public key of ID _o

密钥产生中心KGC运行格基代理算法

产生格

上随机格基

作为ID _o对应的私钥，然后，密钥产生中心KGC发送

给原始签名者；以类似方法，输入代理签名者的身份ID _p，得到代理签名者的私钥

输入云服务器的身份ID _c，得到云服务器私钥

Key Generation Center KGC Runs Glyph Proxy Algorithm

Generate a grid

Random lattice

As the private key corresponding to ID _o , then the key generation center KGC sends

To the original signer; in a similar way, enter the proxy signer's identity ID _p to get the proxy signer's private key

Enter the cloud server's identity ID _c to get the cloud server private key.

进一步的，所述步骤S2中原始签名者为了授权代理签名权利给代理签名者，利用原像抽样算法导出基于代理授权委任书的合法签名的具体方法为：Further, in the step S2, in order to authorize the proxy to sign the right to the proxy signer, the original method of using the original image sampling algorithm to derive the legal signature based on the proxy authorization letter is:

原始签名者ID _o根据代理签名要求产生授权委任书m _ω，该授权委任书m _ω包括明确的代理签名权利和原始签名者的信息，即代理签名者ID _p不能处理或上传原始签名者ID _o的数据，除非代理签名者ID _p的权限满足授权委任书m _ω的内容； The original signer ID _o generates an authorization letter of appointment m _ω according to the proxy signature request, the authorization letter of appointment m _ω includes the explicit proxy signature right and the original signer's information, ie the proxy signer ID _p cannot process or upload the original signer ID _o Data, unless the authority of the proxy signer ID _p satisfies the content of the authorization letter of appointment m _ω ;

原始签名者ID _o选择一个随机的向量

并利用哈希函数H ₂计算：向量

然后运行原像抽样算法

产生m维向量

获得授权委任书的签名信息为(m _ω,v _ω,θ _ω)，原始签名者ID _o发送授权委任书的签名信息(m _ω,v _ω,θ _ω)给代理签名者ID _p；这里，每一个人都能够验证授权委任书m _ω的签名信息的有效性。 The original signer ID _o selects a random vector

And use the hash function H _{2 to} calculate: vector

Then run the original image sampling algorithm

Generate m-dimensional vectors

The signature information of the authorization letter is (m _ω , v _ω , θ _ω ), and the original signer ID _o sends the signature information (m _ω , v _ω , θ _ω ) of the authorization letter to the proxy signer ID _p ; here, Each person is able to verify the validity of the signature information of the authorization letter m _ω .

进一步的，所述步骤S2中代理签名者验证授权委任书签名的有效性，并据此利用格基代理算法产生代理签名私钥的具体方法为：Further, in the step S2, the proxy signer verifies the validity of the signature of the authorization letter, and accordingly, the specific method for generating the proxy signature private key by using the grid-based proxy algorithm is:

代理签名者一旦接收到来自原始签名者ID _o的授权委任书m _ω的签名消息(m _ω,v _ω,θ _ω)，代理签名者ID _p验证方程

和不等式

是否成立，如果二者都成立，则授权委任书m _ω签名是有效的，同时代理签名者ID _p利用哈希函数H ₃计算

运行格基代理算法

产生代理签名者ID _p的代理签名私钥

如果不成立，则验证不成功，代理签名者ID _p拒绝，并通知原始签名者ID _o。 Once the proxy signer receives the signature message (m _ω , v _ω , θ _ω ) of the authorization letter m _ω from the original signer ID _o , the proxy signer ID _p verifies the equation

And inequalities

Whether it is established, if both are established, the authorization letter m _ω signature is valid, and the proxy signer ID _{p is} calculated using the hash function H ₃

Running the lattice algorithm

Generating the proxy signature private key of the proxy signer ID _p

If not, the verification is unsuccessful, the proxy signer ID _p rejects, and the original signer ID _{o is} notified.

进一步的，所述步骤S3的具体方法为：Further, the specific method of the step S3 is:

当代理签名者ID _p满足授权委任书m _ω的代理权利范围，代理签名者ID _p将帮助原始签名者ID _o产生签名并上传数据到云服务器；利用代理签名私钥

代理签名者ID _p产生数据文件

签名步骤如下： When the proxy signer ID _p satisfies the proxy rights scope of the authorization appointment m _ω , the proxy signer ID _p will help the original signer ID _{o to} generate a signature and upload the data to the cloud server;

Proxy signer ID _p generates data files

The signature steps are as follows:

S31、计算代理签名公钥

S31. Calculating a proxy signature public key

利用哈希函数H ₄计算关于数据块

的线性数据块

其中，N _i代表第i个数据块F _i的文件名称，

是云服务器的公钥，运行原像抽样算法

产生

Calculate the data block using the hash function H ₄

Linear data block

Where N _i represents the file name of the i-th data block F _i ,

Is the public key of the cloud server, running the original image sampling algorithm

produce

S32、对于每一个数据块F _i，计算n维向量

以及内直积ρ _i,j＝<η _i,λ _j>∈Z _q，1≤j≤n，

其中向量

设置

最后，代理签名者ID _p运行原像抽样算法SamplePre(Q _pro,T _pro,ρ _i,s ₂)产生向量

定义签名集合

代理签名者ID _p得到所有的数据为

并上传这些数据到公共云服务器； S32. Calculate an n-dimensional vector for each data block F _i

And the inner direct product ρ _i,j =<η _i ,λ _j >∈Z _q ,1≤j≤n,

Where vector

Setting

Finally, the proxy signer ID _p runs the original image sampling algorithm SamplePre(Q _pro , T _pro , ρ _i , s ₂ ) to generate the vector.

Defining signature collection

The proxy signer ID _p gets all the data as

And upload the data to the public cloud server;

S33、云服务器首先验证代理签名者ID _p是否满足授权委任书m _ω的权利范围；如果不满足，云服务器拒绝提供存储服务；如果满足，云服务器再进一步验证授权委任书m _ω的签名信息(m _ω,v _ω,θ _ω)，即验证方程

和不等式

是否成立；如果二者成立，云服务器确定m _ω是有效的，云服务器接收并存储相关数据；否则，云服务器拒绝提供此次存储服务，并通知原始签名者ID _o再次授权代理上传数据。 S33. The cloud server first verifies whether the proxy signer ID _p satisfies the right scope of the authorization appointment m _ω ; if not, the cloud server refuses to provide the storage service; if satisfied, the cloud server further verifies the signature information of the authorization appointment m _ω ( m _ω , v _ω , θ _ω ), ie the verification equation

And inequalities

It is established; If they are set up, the cloud server determines _m ω is effective, the cloud server receives and stores the relevant data; otherwise, the cloud storage server refused to provide the service, and notifies the original signer ID _o again authorized agent to upload data.

进一步的，所述步骤S4中可信审计者产生审计挑战信息给云服务器，云服务器根据审计挑战信息，计算聚合数据文件以及聚合签名，并选取随机向量作为盲化种子信息，根据原像抽样算法产生此随机向量的数字签名，将聚合数据文件盲化，并发送审计证明响应信息给可信审计者的具体方法为：Further, in the step S4, the trusted auditor generates the audit challenge information to the cloud server, and the cloud server calculates the aggregated data file and the aggregated signature according to the audit challenge information, and selects the random vector as the blind seed information according to the original image sampling algorithm. The specific method for generating the digital signature of the random vector, blinding the aggregated data file, and sending the audit certification response information to the trusted auditor is:

S41、假设原始签名者ID _o授权远程数据完整性验证任务给可信的第三方审计者TPA；为了验证数据文件

真实存在于云服务器，可信审计者TPA从集合

中随机选取含有c个元素的子集Ω＝{l ₁,…,l _c}；相应地，可信审计者TPA选取随机比特串

最后可信审计者TPA发送审计挑战信息chal＝{i,β _i} _i∈Ω给云服务器，挑战信息定位了需要被验证的数据块； S41. Suppose the original signer ID _o authorizes the remote data integrity verification task to the trusted third party auditor TPA; in order to verify the data file

Really exists in the cloud server, trusted auditor TPA from the collection

A subset of c elements Ω={l ₁ ,...,l _c } is randomly selected; correspondingly, the trusted auditor TPA selects a random bit string

Finally, the trusted auditor TPA sends the audit challenge information chal={i, β _i } _i∈Ω to the cloud server, and the challenge information locates the data block that needs to be verified;

S42、云服务器接收来自可信审计者TPA的审计挑战信息chal＝{i,β _i} _i∈Ω，云服务器计算聚合数据块

聚合签名

为了进一步盲化聚合数据块f′，云服务器随机选取向量

并运行原像抽样算法

产生向量ξ的签名

最后，云服务器利用哈希函数H ₆计算盲化后的聚合数据块

然后发送审计证明响应信息proof＝(f,e,ξ)给可信审计者TPA作为审计证明响应信息。 S42. The cloud server receives the audit challenge information from the trusted auditor TPA, chal={i, β _i } _i∈Ω , and the cloud server calculates the aggregated data block.

Aggregate signature

In order to further blindly aggregate the data block f', the cloud server randomly selects the vector

And run the original image sampling algorithm

Generate a signature of the vector

Finally, the cloud server uses the hash function H _{6 to} calculate the blinded aggregated data block.

Then send the audit certificate response information proof=(f,e,ξ) to the trusted auditor TPA as the audit certificate response information.

进一步的，所述步骤S4中可信审计者按照格上基于身份的线性同态代理签名算法的验证步骤来验证此审计证明响应信息的有效性的具体方法为：Further, in the step S4, the specific method for the trusted auditor to verify the validity of the audit certification response information according to the verification step of the identity-based linear homomorphic proxy signature algorithm is:

接收到审计证明响应信息后proof＝(f,e,ξ)，可信审计者TPA验证其有效性步骤包括：After receiving the audit certificate response information proof=(f,e,ξ), the trusted auditor TPA verifies its validity steps including:

S43、计算n维向量

利用哈希函数H ₅计算向量

S43, calculating an n-dimensional vector

Calculate the vector using the hash function H ₅

S44、利用η _i和λ _j计算内直积ρ _i,j＝<η _i,λ _j>∈Z _q，其中

1≤j≤n，设置向量

设置矩阵

并计算向量

S44. Calculate the inner direct product ρ _i,j =<η _i ,λ _j >∈Z _q by using η _i and λ _j .

1 ≤ j ≤ n, setting vector

Setting matrix

And calculate the vector

S45、可信审计者TPA通过验证方程Q _proe＝μmod q和不等式

是否成立，若成立，则判断审计证明响应信息有效；若不成立，则则判断审计证明响应信息无效。 S45, the trusted auditor TPA passes the verification equation Q _pro e=μmod q and the inequality

Whether it is established, if it is established, it judges that the audit certificate response information is valid; if it is not established, it judges that the audit certificate response information is invalid.

根据上述的技术方案可知：本发明提供的是具有隐私保护的支持数据代理上传的格上基于身份的云存储数据安全审计方法。该审计方法有助于数据拥有者授权给代理签名者产生数据的代理签名并上传到云服务器，有助于可信的审计者对云存储数据进行完整性审计。在安全性方面，该审计方法基于格上非齐次小整数解困难性问题，能够有效防止恶意云服务器产生伪造的审计证明响应信息欺骗可信审计者通过审计验证过程。同时，该审计方法利用格上原像抽样函数技术实现随机掩饰码的构造，可有效防止可信审计者从数据文件中恢复出原始签名者的原始数据块信息。可信审计者在执行云存储数据的完整性验证过程中，仅需要计算量有限的线性组合，而不需要计算代价更高的双线性对和模指数运算，因此在计算效率方面该审计方法非常有利于可信的审计者。此外，本发明方法是基于身份密码***设计的，有效地避免了公钥基础设施对公钥证书的复杂管理，同时能有效抵抗量子计算机的攻击，在后量子通信安全的云计算环境具有重要的应用价值。According to the above technical solution, the present invention provides a packet-based identity-based cloud storage data security auditing method with privacy protection and data agent uploading. The auditing method helps the data owner to authorize the proxy signer to generate the proxy signature of the data and upload it to the cloud server, which helps the trusted auditor to perform integrity auditing on the cloud storage data. In terms of security, the auditing method is based on the difficulty of solving non-homogeneous small integers on the grid, which can effectively prevent the malicious cloud server from generating fake auditing certificate response information to deceive the trusted auditor through the audit verification process. At the same time, the audit method uses the original image sampling function technology to realize the construction of the random mask code, which can effectively prevent the trusted auditor from recovering the original data block information of the original signer from the data file. In the process of performing integrity verification of cloud storage data, a trusted auditor only needs a linear combination with a limited amount of computation, and does not need to calculate a more expensive bilinear pairwise and modular exponential operation, so the auditing method is in terms of computational efficiency. Very beneficial to credible auditors. In addition, the method of the invention is designed based on an identity cryptosystem, which effectively avoids the complex management of the public key certificate by the public key infrastructure, and can effectively resist the attack of the quantum computer, and has an important cloud computing environment in the post-quantum communication security. Value.

本发明的有益效果为，本发明解决了远程云存储数据完整性验证的问题；本发明方法有助于数据拥有者授权给代理签名者产生数据的代理签名并上传到云服务器，同时有助于可信的审计者对云存储数据进行完整性审计。The invention has the beneficial effects that the invention solves the problem of remote cloud storage data integrity verification; the method of the invention helps the data owner to authorize the proxy signer to generate the proxy signature of the data and upload it to the cloud server, and at the same time A trusted auditor performs an integrity audit of cloud storage data.

具体实施方式detailed description

在发明内容部分已经对本发明的技术方案进行了详尽的描述，在此不再重描述。The technical solutions of the present invention have been described in detail in the Summary of the Invention and will not be described again.

需要补充的是：What needs to be added is:

最后可信审计者TPA验证方程Q _proe＝μmod q和不等式

是否成立，其验证方程正确性推导过程如下： Finally, the trusted auditor TPA verifies the equation Q _pro e=μmod q and inequality

Whether it is established or not, the process of verifying the correctness of the equation is as follows:

这样，验证方程Q _proe＝μmod q成立。此外，由于向量

(模q上的m维向量)是数据块F _i的签名，这样对于任意

因此，

成立。 Thus, the verification equation Q _pro e = μmod q holds. In addition, due to the vector

(the m-dimensional vector on the modulo q) is the signature of the data block F _i , so that

therefore,

Established.

Claims

支持数据代理上传的格基云存储数据安全审计方法，其特征在于，包括以下步骤：A grid security data storage auditing method supporting data agent uploading, characterized in that it comprises the following steps:

S1、***初始化：S1, system initialization:

***首先对数据文件进行分块处理，设置此阶段所需格密码算法的安全参数以及安全的哈希函数；密钥产生中心KGC调用格基代理算法分别产生原始签名者、代理签名者以及云服务器的公私钥对；The system first performs block processing on the data file, sets the security parameters of the required cryptographic algorithm and the secure hash function at this stage; the key generation center KGC calls the lattice-based proxy algorithm to generate the original signer, the proxy signer, and the cloud server respectively. Public-private key pair;

S2、代理签名私钥产生阶段：S2, proxy signature private key generation phase:

原始签名者为了授权代理签名权利给代理签名者，利用原像抽样算法导出基于代理授权委任书的合法签名；所述的授权委任书中有明确的关于原始签名者和代理签名者的执行权利信息描述，验证者将其作为验证信息的组成部分；代理签名者验证授权委任书签名的有效性，并据此利用格基代理算法产生代理签名私钥；In order to authorize the agent to sign the right to the proxy signer, the original signer uses the original image sampling algorithm to derive the legal signature based on the proxy authorization letter; the authorization letter has explicit execution rights information about the original signer and the proxy signer. Describe the verifier as part of the verification information; the proxy signer verifies the validity of the signature of the authorization letter, and accordingly generates a proxy signature private key using the grid-based proxy algorithm;

S3、数据代理签名产生与上传阶段：S3, data agent signature generation and upload phase:

代理签名者利用步骤S2中获得的代理签名私钥，采用格上基于身份的线性同态代理签名算法产生原始签名者的数据文件的代理签名，代理签名者将这些数据文件、文件名称以及数据文件的代理签名的集合上传到公共云服务器，并且在客户端将这些数据删除；The proxy signer uses the proxy signature private key obtained in step S2 to generate the proxy signature of the original signer's data file by using the grid-based identity-based linear homomorphic proxy signature algorithm, and the proxy signer will use these data files, file names, and data files. The set of proxy signatures is uploaded to the public cloud server and the data is deleted at the client;

S4、审计证明产生与验证阶段：S4, the audit certification generation and verification phase:

可信审计者产生审计挑战信息给云服务器，云服务器根据审计挑战信息，计算聚合数据文件以及聚合签名，并选取随机向量作为盲化种子信息，根据原像抽样算法产生此随机向量的数字签名，将聚合数据文件盲化，并发送审计证明响应信息给可信审计者；最后，可信审计者按照格上基于身份的线性同态代理签名算法的验证步骤来验证此审计证明响应信息的有效性。The trusted auditor generates the audit challenge information to the cloud server, and the cloud server calculates the aggregated data file and the aggregated signature according to the audit challenge information, and selects the random vector as the blind seed information, and generates the digital signature of the random vector according to the original image sampling algorithm. The aggregated data file is blinded and the audit proof response information is sent to the trusted auditor. Finally, the trusted auditor verifies the validity of the audit proof response information according to the verification step of the identity-based linear homomorphic proxy signature algorithm. .
根据权利要求1所述的支持数据代理上传的格基云存储数据安全审计方法，其特征在于，所述步骤S1的具体方法为：The method for verifying the security of the data storage by the data base agent according to claim 1, wherein the specific method of the step S1 is:

S11、***首先对数据文件进行分块处理，设置此阶段所需格密码算法的安全参数以及安全的哈希函数：S11. The system first performs block processing on the data file, and sets the security parameters of the required cryptographic algorithm and the secure hash function at this stage:

***将预处理文件F分为
个数据块，即
其中
代表F中的第i个数据块，其中
对于安全参数n，设置素数q＝poly(n)，整数m≥2n log q，设置χ为离散高斯噪声分布；为了格基代理算法NewBasisDel，原像抽样算法Sample Pre能够正确运行，***分别设置两个安全的高斯参数σ ₁,σ ₂； The system divides the preprocessed file F into
Data block, ie
among them
Represents the ith data block in F, where
For the security parameter n, set the prime number q=poly(n), the integer m≥2n log q, set χ to the discrete Gaussian noise distribution; for the lattice-based proxy algorithm NewBasisDel, the original image sampling algorithm Sample Pre can run correctly, and the system sets two respectively. a safe Gaussian parameter σ ₁ , σ ₂ ;

***运行陷门产生函数产生密钥产生中心KGC的主公钥A，主私钥T _A；设置抗碰撞的安全哈希函数
哈希函数

其中，H ₁和H ₃的输出值在
分布中；则***输出公共参数为Σ＝{A,H ₁,H ₂,H ₃,H ₄,H ₅}； The system runs the trapdoor generation function to generate the master public key A of the key generation center KGC, the master private key T _A ; and sets the anti-collision secure hash function
Hash function

Where the output values of H ₁ and H ₃ are
In the distribution; the system outputs the public parameters as Σ={A, H ₁ , H ₂ , H ₃ , H ₄ , H ₅ };

S12、密钥产生中心KGC调用格基代理算法分别产生原始签名者、代理签名者以及云服务器的公私钥对：S12. The key generation center KGC invokes the lattice-based proxy algorithm to generate the public-private key pair of the original signer, the proxy signer, and the cloud server, respectively:

输入步骤S11中设定的***公共参数Σ＝{A,H ₁,H ₂,H ₃,H ₄,H ₅}，主私钥T _A，原始签名者身份ID _o，密钥产生中心KGC计算原始签名者ID _o的私钥如下： Enter the system common parameters 步骤={A, H ₁ , H ₂ , H ₃ , H ₄ , H ₅ } set in step S11, the primary private key T _A , the original signer ID ₀ , and the key generation center KGC calculation The private key of the original signer ID _o is as follows:

令
计算ID _o的公钥
make
Calculate the public key of ID _o

密钥产生中心KGC运行格基代理算法
产生格
上随机格基
作为ID _o对应的私钥，然后，密钥产生中心KGC发送
给原始签名者；以类似方法，输入代理签名者的身份ID _p，得到代理签名者的私钥
输入云服务器的身份ID _c，得到云服务器私钥
Key Generation Center KGC Runs Glyph Proxy Algorithm
Generate a grid
Random lattice
As the private key corresponding to ID _o , then the key generation center KGC sends
To the original signer; in a similar way, enter the proxy signer's identity ID _p to get the proxy signer's private key
Enter the cloud server's identity ID _c to get the cloud server private key.
根据权利要求2所述的支持数据代理上传的格基云存储数据安全审计方法，其特征在于，所述步骤S2中原始签名者为了授权代理签名权利给代理签名者，利用原像抽样算法导出基于代理授权委任书的合法签名的具体方法为：The method for verifying data security of a grid-based cloud storage data according to claim 2, wherein in step S2, the original signer uses the original image sampling algorithm to derive an authorization based on the original image signature algorithm for authorizing the proxy signature right to the proxy signer. The specific method for legal signature of the proxy authorization letter is:

原始签名者ID _o根据代理签名要求产生授权委任书m _ω，该授权委任书m _ω包括明确的代理签名权利和原始签名者的信息，即代理签名者ID _p不能处理或上传原始签名者ID _o的数据，除非代理签名者ID _p的权限满足授权委任书m _ω的内容； The original signer ID _o generates an authorization letter of appointment m _ω according to the proxy signature request, the authorization letter of appointment m _ω includes the explicit proxy signature right and the original signer's information, ie the proxy signer ID _p cannot process or upload the original signer ID _o Data, unless the authority of the proxy signer ID _p satisfies the content of the authorization letter of appointment m _ω ;

原始签名者ID _o选择一个随机的向量
并利用哈希函数H ₂计算：向量
然后运行原像抽样算法
产生m维向量
获得授权委任书的签名信息为(m _ω,v _ω,θ _ω)，原始签名者ID _o发送授权委任书的签名信息(m _ω,v _ω,θ _ω)给代理签名者ID _p；这里，每一个人都能够验证授权委任书m _ω的签名信息的有效性。 The original signer ID _o selects a random vector
And use the hash function H _{2 to} calculate: vector
Then run the original image sampling algorithm
Generate m-dimensional vectors
The signature information of the authorization letter is (m _ω , v _ω , θ _ω ), and the original signer ID _o sends the signature information (m _ω , v _ω , θ _ω ) of the authorization letter to the proxy signer ID _p ; here, Each person is able to verify the validity of the signature information of the authorization letter m _ω .
根据权利要求3所述的支持数据代理上传的格基云存储数据安全审计方法，其特征在于，所述步骤S2中代理签名者验证授权委任书签名的有效性，并据此利用格基代理算法产生代理签名私钥的具体方法为：The method for verifying data security of a grid-based cloud storage data according to claim 3, wherein in step S2, the proxy signer verifies the validity of the signature of the authorization letter, and uses the grid-based proxy algorithm accordingly. The specific method for generating the proxy signature private key is:

代理签名者一旦接收到来自原始签名者ID _o的授权委任书m _ω的签名消息(m _ω,v _ω,θ _ω)，代理签名者ID _p验证方程
和不等式
是否成立，如果二者都成立，则授权委任书m _ω签名是有效的，同时代理签名者ID _p利用哈希函数H ₃计算
运行格基代理算法
产生代理签名者ID _p的代理签名私钥
如果不成立，则验证不成功，代理签名者ID _p拒绝，并通知原始签名者ID _o。 Once the proxy signer receives the signature message (m _ω , v _ω , θ _ω ) of the authorization letter m _ω from the original signer ID _o , the proxy signer ID _p verifies the equation
And inequalities
Whether it is established, if both are established, the authorization letter m _ω signature is valid, and the proxy signer ID _{p is} calculated using the hash function H ₃
Running the lattice algorithm
Generating the proxy signature private key of the proxy signer ID _p
If not, the verification is unsuccessful, the proxy signer ID _p rejects, and the original signer ID _{o is} notified.
根据权利要求4所述的支持数据代理上传的格基云存储数据安全审计方法，其特征在于，所述步骤S3的具体方法为：The method for verifying the security of the data storage by the data base agent according to claim 4, wherein the specific method of the step S3 is:

当代理签名者ID _p满足授权委任书m _ω的代理权利范围，代理签名者ID _p将帮助原始签名者ID _o产生签名并上传数据到云服务器；利用代理签名私钥
代理签名者ID _p产生数据文件
签名步骤如下： When the proxy signer ID _p satisfies the proxy rights scope of the authorization appointment m _ω , the proxy signer ID _p will help the original signer ID _{o to} generate a signature and upload the data to the cloud server;
Proxy signer ID _p generates data files
The signature steps are as follows:

S31、计算代理签名公钥
S31. Calculating a proxy signature public key

利用哈希函数H ₄计算关于数据块
的线性数据块
其中，N _i代表第i个数据块F _i的文件名称，
是云服务器的公钥，运行原像抽样算法
产生
Calculate the data block using the hash function H ₄
Linear data block
Where N _i represents the file name of the i-th data block F _i ,
Is the public key of the cloud server, running the original image sampling algorithm
produce

S32、对于每一个数据块F _i，计算n维向量
以及内直积ρ _i,j＝<η _i,λ _j>∈Z _q，1≤j≤n，
其中向量
设置
最后，代理签名者ID _p运行原像抽样算法SamplePre(Q _pro,T _pro,ρ _i,σ ₂)产生向量
定义签名集合
代理签名者ID _p得到所有的数据为
并上传这些数据到公共云服务器； S32. Calculate an n-dimensional vector for each data block F _i
And the inner direct product ρ _i,j =<η _i ,λ _j >∈Z _q ,1≤j≤n,
Where vector
Setting
Finally, the proxy signer ID _p runs the original image sampling algorithm SamplePre(Q _pro , T _pro , ρ _i , σ ₂ ) to generate the vector.
Defining signature collection
The proxy signer ID _p gets all the data as
And upload the data to the public cloud server;

S33、云服务器首先验证代理签名者ID _p是否满足授权委任书m _ω的权利范围；如果不满足，云服务器拒绝提供存储服务；如果满足，云服务器再进一步验证授权委任书m _ω的签名信息(m _ω,v _ω,θ _ω)，即验证方程
和不等式
是否成立；如果二者成立，云服务器确定m _ω是有效的，云服务器接收并存储相关数据；否则，云服务器拒绝提供此次存储服务，并通知原始签名者ID _o再次授权代理上传数据。 S33. The cloud server first verifies whether the proxy signer ID _p satisfies the right scope of the authorization appointment m _ω ; if not, the cloud server refuses to provide the storage service; if satisfied, the cloud server further verifies the signature information of the authorization appointment m _ω ( m _ω , v _ω , θ _ω ), ie the verification equation
And inequalities
It is established; If they are set up, the cloud server determines _m ω is effective, the cloud server receives and stores the relevant data; otherwise, the cloud storage server refused to provide the service, and notifies the original signer ID _o again authorized agent to upload data.
根据权利要求5所述的支持数据代理上传的格基云存储数据安全审计方法，其特征在于，所述步骤S4中可信审计者产生审计挑战信息给云服务器，云服务器根据审计挑战信息，计算聚合数据文件以及聚合签名，并选取随机向量作为盲化种子信息，根据原像抽样算法产生此随机向量的数字签名，将聚合数据文件盲化，并发送审计证明响应信息给可信审计者的具体方法为：The method for verifying the security of the data storage by the data base agent according to claim 5, wherein the trusted auditor generates the audit challenge information to the cloud server in step S4, and the cloud server calculates the audit challenge information according to the audit challenge information. Aggregate the data file and the aggregate signature, and select the random vector as the blind seed information, generate the digital signature of the random vector according to the original image sampling algorithm, blind the aggregated data file, and send the audit proof response information to the trusted auditor. The method is:

S41、假设原始签名者ID _o授权远程数据完整性验证任务给可信的第三方审计者TPA；为了验证数据文件
真实存在于云服务器，可信审计者TPA从集合
中随机选取含有c个元素的子集Ω＝{l ₁,…,l _c}；相应地，可信审计者TPA选取随机比特串
最后可信审计者TPA发送审计挑战信息chal＝{i,β _i} _i∈Ω给云服务器，挑战信息定位了需要被验证的数据块； S41. Suppose the original signer ID _o authorizes the remote data integrity verification task to the trusted third party auditor TPA; in order to verify the data file
Really exists in the cloud server, trusted auditor TPA from the collection
A subset of c elements Ω={l ₁ ,...,l _c } is randomly selected; correspondingly, the trusted auditor TPA selects a random bit string
Finally, the trusted auditor TPA sends the audit challenge information chal={i, β _i } _i∈Ω to the cloud server, and the challenge information locates the data block that needs to be verified;

S42、云服务器接收来自可信审计者TPA的审计挑战信息chal＝{i,β _i} _i∈Ω，云服务器计算聚合数据块
聚合签名
为了进一步盲化聚合数据块f′，云服务器随机选取向量
并运行原像抽样算法
产生向量ξ的签名
最后，云服务器利用哈希函数H ₆计算盲化后的聚合数据块
然后发送审计证明响应信息proof＝(f,e,ξ)给可信审计者TPA作为审计证明响应信息。 S42. The cloud server receives the audit challenge information from the trusted auditor TPA, chal={i, β _i } _i∈Ω , and the cloud server calculates the aggregated data block.
Aggregate signature
In order to further blindly aggregate the data block f', the cloud server randomly selects the vector
And run the original image sampling algorithm
Generate a signature of the vector
Finally, the cloud server uses the hash function H _{6 to} calculate the blinded aggregated data block.
Then send the audit certificate response information proof=(f,e,ξ) to the trusted auditor TPA as the audit certificate response information.
根据权利要求6所述的支持数据代理上传的云存储数据安全审计方法，其特征在于，所述步骤S4中可信审计者按照格上基于身份的线性同态代理签名算法的验证步骤来验证此审计证明响应信息的有效性的具体方法为：The cloud storage data security auditing method for supporting data agent uploading according to claim 6, wherein in step S4, the trusted auditor verifies the according to the verification step of the identity-based linear homomorphic proxy signature algorithm. The specific method by which the audit proves the validity of the response information is:

接收到审计证明响应信息后proof＝(f,e,ξ)，可信审计者TPA验证其有效性步骤包括：After receiving the audit certificate response information proof=(f,e,ξ), the trusted auditor TPA verifies its validity steps including:

S43、计算n维向量
利用哈希函数H ₅计算向量
S43, calculating an n-dimensional vector
Calculate the vector using the hash function H ₅

S44、利用η _i和λ _j计算内直积ρ _i,j＝<η _i,λ _j>∈Z _q，其中
1≤j≤n，设置向量
设置矩阵
并计算向量
S44. Calculate the inner direct product ρ _i,j =<η _i ,λ _j >∈Z _q by using η _i and λ _j .
1 ≤ j ≤ n, setting vector
Setting matrix
And calculate the vector

S45、可信审计者TPA通过验证方程Q _proe＝μ mod q和不等式
是否成立，若成立，则判断审计证明响应信息有效；若不成立，则则判断审计证明响应信息无效。 S45, the trusted auditor TPA passes the verification equation Q _pro e=μ mod q and the inequality
Whether it is established, if it is established, it judges that the audit certificate response information is valid; if it is not established, it judges that the audit certificate response information is invalid.