CN118200005A - Anonymous password authentication and encryption scheme for deduplication cloud storage system - Google Patents


Info

Publication number: CN118200005A
Authority: CN (China)
Prior art keywords: user, key, algorithm, authentication, cloud storage
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202410408446.1A
Other languages: Chinese (zh)
Inventors: 胡学先, 王怡, 尚守信, 魏江宏, 张蕾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): PLA Information Engineering University
Original Assignee: PLA Information Engineering University
Application filed by PLA Information Engineering University
Priority to CN202410408446.1A
Publication of CN118200005A

Abstract

Translated from Chinese

The present invention discloses an anonymous password authentication and encryption scheme for deduplicated cloud storage systems. Under a key server / cloud server / user tripartite architecture, the three parties jointly generate the MLE key, which enables deduplication of encrypted data while avoiding brute-force attacks and the single point of failure problem; anonymous authentication of users to the cloud storage server is built on a non-interactive zero-knowledge proof scheme, providing privacy protection for user identity information; and a key protection mechanism based on a strengthened password is built from an identity-based oblivious pseudorandom function, so that users can securely store and maintain keys on the remote cloud server without consuming local resources. Security analysis and simulation results show that the scheme provides higher computational and communication efficiency while preserving the security of encryption and authentication.

Description

Anonymous password authentication and encryption scheme for deduplicated cloud storage systems

Technical Field

The present invention relates to the field of privacy-protection technology, and in particular to an anonymous password authentication and encryption scheme for deduplicated cloud storage systems.

Background Art

With the arrival of the big-data era, data volumes are growing exponentially, and cloud storage platforms have become an important medium for storing, processing and managing data. According to IDC's latest Global DataSphere 2023, China's data volume will grow from 23.88 ZB in 2022 to 76.6 ZB in 2027, an average annual growth rate of 26.3%, the highest in the world. This sharp increase in data volume puts enormous pressure on cloud storage service providers. Deduplication, which deletes duplicate data in the cloud and retains only one physical copy, greatly reduces storage resources and cost. However, as privacy leaks become more frequent, users increasingly encrypt their data before storing it in the cloud, and data encrypted with conventional encryption cannot easily be checked for duplicates. How to perform cross-user deduplication of encrypted cloud data while guaranteeing data integrity and confidentiality has therefore become a research hotspot.

To enable deduplication of encrypted data, Bellare et al. [Bellare M, Keelveedhi S, Ristenpart T. Message-Locked Encryption and Secure Deduplication [C]. Johansson T, Nguyen PQ, eds. Advances in Cryptology – EUROCRYPT 2013, 2013: 296–312.] proposed Message-Locked Encryption (MLE). MLE is a special class of symmetric encryption in which the encryption/decryption key is derived from the plaintext itself, so identical plaintexts yield identical ciphertexts and duplicates can be removed across users.

In 2022, Zhang et al. [Reference A: Zhang Y, Xu C, Cheng N, et al. Secure Password-Protected Encryption Key for Deduplicated Cloud Storage Systems [J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(4): 2789–2806.] proposed a multi-server-assisted MLE mechanism in which a dynamic group of key servers and the plaintext jointly generate the MLE key. A threshold mechanism and periodic key updates effectively mitigate the risk of some key servers being compromised, and passwords are used for authentication and key protection, so users can manage keys through the cloud server without storing or maintaining any data on local devices. However, because the system requires multiple key servers to satisfy the threshold scheme and the periodic update requirement, it inevitably incurs additional deployment and maintenance costs in practice. Moreover, the scheme provides no privacy protection for users' static identity information: an attacker can track a user's network behaviour and login history by that identity and use big-data analysis to extract private information.

Summary of the Invention

To address security problems such as the lack of privacy protection in deduplicated cloud storage systems, the present invention proposes an anonymous password authentication and deduplicated cloud data encryption scheme. A server-assisted MLE mechanism encrypts files for storage and satisfies the deduplication requirement; the MLE key is generated jointly from the file and the secrets held by the key server and the cloud server, which avoids a complex system architecture and extra deployment and maintenance costs while also avoiding the single point of failure of a single server; a password-based authentication and encryption mechanism provides key protection, so a user need only remember one low-entropy password to store and maintain the MLE key securely on the cloud server; and a zero-knowledge proof scheme based on an algebraic message authentication code (MAC) provides anonymous authentication and thus privacy protection for user identity information.

To achieve the above objective, the present invention adopts the following technical solution:

An anonymous password authentication and encryption scheme for a deduplicated cloud storage system, comprising:

Step 1: User U registers with the cloud server CS and obtains an authentication credential σ together with a corresponding non-interactive zero-knowledge proof π; U verifies the validity of σ using π and the public parameters; once verification passes, U encrypts σ with the strengthened password spwU generated with the assistance of the key server KS and stores it at KS;

Step 2: Based on the encrypted σ, U, CS and KS jointly generate the MLE key; U encrypts the data file M with the MLE key and uploads it, and the cloud storage server deduplicates the encrypted data;

Step 3: With the assistance of KS, U authenticates to CS and recovers the data file M.

Further, step 1 comprises:

Step 1.1: User U invokes IBOPRF(IDU, pwU) to obtain the strengthened password spwU; U computes the message m = h(IDU) and sends it to CS for registration; here IBOPRF() denotes an identity-based oblivious pseudorandom function, IDU the user ID, pwU the password, p a prime, and Z the set of integers;

Step 1.2: CS uses the Cert algorithm to generate a credential σ and a non-interactive zero-knowledge proof π for U;

Step 1.3: On receiving (σ, π), U verifies σ with the CertVerify algorithm; if verification passes, U encrypts σ under spwU and sends the resulting encrypted credential to KS for storage;

Step 1.4: If U is registering with KS for the first time, KS creates a user credential list for U to hold U's encrypted credential and initialises a counter ρU = 0, which counts U's MLE-key requests; otherwise registration fails.

Further, in step 2 the MLE key is generated as follows:

Step 2.1: User U invokes IBOPRF(IDU, pwU) to obtain spwU, retrieves the encrypted credential from the user credential list stored at KS, decrypts it with spwU and recovers the credential σ;

Step 2.2: U computes m = h(IDU), generates a proof υ for (m, σ) with the Show algorithm and sends υ to CS for authentication; at the same time U randomises the file M to be encrypted and sends M1 and M2 to KS and CS respectively; here the hash function is defined over the cyclic multiplicative group of order p introduced below;

Step 2.3: On receiving the message, CS first verifies υ with the ShowVerify algorithm; once verification passes, CS computes its share using the secret α2 it holds, while KS computes its share using α1 and increments the request counter; CS and KS send KM1 and KM2 respectively to U;

Step 2.4: U computes KM from the returned values; KM is the MLE key.

Further, in step 2, encrypting the data file M with the MLE key and uploading it comprises:

Step 2.5: After the MLE key is generated, U encrypts M locally with it to obtain the ciphertext CM: CM = E.enc(KM, M), and computes the corresponding ciphertext tag; here E is a symmetric encryption scheme that is indistinguishable under chosen-plaintext attack, E.enc(KM, M) denotes encryption of the plaintext M under the MLE key, and H5 is a hash function;

Step 2.6: U derives two different keys from spwU, κU and a second key, and uses them to encrypt KM and a second value, obtaining the corresponding ciphertexts, CKM = E.enc(κU, KM) and a second ciphertext; here IDCS denotes the cloud server ID, IDKS the key server ID, and the remaining symbol a hash function;

Step 2.7: U sends the ciphertext to KS, which stores it, and sends the remaining ciphertext to CS for storage.

Further, in step 2, deduplicating the encrypted data at the cloud storage server comprises:

Step 2.8: After the upload, CS checks whether the tag already exists; if it does, CS deduplicates the data and continues to maintain the existing list; otherwise it creates a new list;

Step 2.9: For a user who subsequently uploads a ciphertext C', CS checks whether the corresponding condition holds; if so, CS deduplicates the data; otherwise it creates a new list for C'.

Further, step 3 comprises:

Step 3.1: User U invokes IBOPRF(IDU, pwU) to obtain spwU and retrieves the stored entries from the list at KS;

Step 3.2: U decrypts with spwU and recovers the credential σ; U computes m and generates a proof υ for (m, σ) with the Show algorithm; U recovers the key κU from spwU, decrypts CKM and recovers the tag and KM; U then sends the result to CS for authentication and file retrieval;

Step 3.3: On receipt, CS verifies υ with the ShowVerify algorithm; if verification passes, CS looks up the list by the tag, retrieves CM and sends it to U;

Step 3.4: U decrypts CM with KM and obtains the file M.

Further, step 1.2 comprises:

First, a credential is generated with the algebraic MAC scheme: on input the key sk and the message, the MAC algorithm computes A = g^(1/(γ+m)), sets σ ← A and outputs the authentication tag σ;

Second, construct the non-interactive zero-knowledge proof π ← NIZK{(sk): ...}: choose r at random, compute R1 = A^r, R2 = g^r, c = H6(g, w, m, A, R1, R2) and s = r + cγ mod p, set π ← (c, s) and return (σ, π). Here π ← NIZK{} denotes a non-interactive zero-knowledge proof; the verification algorithm, on input sk = γ, m and σ = A, checks whether A^(γ+m) = g holds and outputs 1 (authentication passes) if it does and 0 (authentication fails) otherwise; the key generation algorithm, on input the security parameter λ, first generates the group elements, where p is a 2λ-bit safe prime, the group is a multiplicative group of order p and g is a generator of G, then picks γ at random, computes w = g^γ, sets sk ← γ and outputs the key sk and the public parameters; H6 denotes a hash function.

Further, in step 1.3, verifying σ with the CertVerify algorithm comprises:

For the input ((parmac, m, σ = A), π), construct the verification algorithm VerifyNIZK((parmac, m, σ), π): compute c' = H6(g, w, m, A, A^(s+cm)·g^(-c), g^s·w^(-c)); return 1 if c' = c, otherwise return 0.

Further, in step 2.2, generating the proof υ for (m, σ) with the Show algorithm comprises:

First construct the randomisation algorithm Rerand, which randomises the credential σ: (T, a) ← Rerand(σ): T ← A^a. Then construct the SE-NIZK proof ∑ ← SPK{(m, a): fp(parmac, T, m, a) = V}: choose random values, compute R and c ← H7(g, T, R), sm ← rm + cm mod p, sa ← ra + ca mod p; set ∑ = (c, sm, sa) and return υ = (T, ∑). Here ∑ ← SPK{} denotes an SE-NIZK proof, H7 a hash function, and fp() indicates that the bracketed parameters form a mapping.

Further, in step 2.3, verifying υ with the ShowVerify algorithm comprises:

Construct the verification algorithm VerifySPK(fv(parmac, T, sk) = V, ∑): first compute V ← T^γ and R', then c' ← H7(g, T, R'); return 1 if T ≠ 1 and c = c', otherwise return 0; here fv() indicates that the bracketed parameters form a mapping.

Compared with the prior art, the present invention has the following beneficial effects:

(1) For deduplicated cloud storage systems, under a key server / cloud server / user tripartite architecture, an anonymous authentication and encryption scheme is built on the MLE framework. Generating the MLE key jointly among the three parties resists offline dictionary attacks and avoids the single point of failure problem.

(2) Anonymous authentication of users to the cloud storage server is built on a non-interactive zero-knowledge proof scheme, providing privacy protection for user identity information.

(3) A key protection mechanism based on a strengthened password is built from an identity-based oblivious pseudorandom function, allowing users to store and maintain keys securely on the remote cloud server without consuming local resources.

(4) A formal security proof is given in the random oracle model, and the feasibility and effectiveness of the scheme are verified experimentally.

Brief Description of the Drawings

FIG. 1 is a schematic diagram of the identity-based oblivious pseudorandom function in an embodiment of the present invention;

FIG. 2 is a flow chart of an anonymous password authentication and encryption scheme for deduplicated cloud storage systems according to an embodiment of the present invention;

FIG. 3 is a flow chart of the registration phase in an embodiment of the present invention;

FIG. 4 is a flow chart of the MLE key generation and data upload phase in an embodiment of the present invention;

FIG. 5 is a flow chart of the data download phase in an embodiment of the present invention.

Detailed Description

The present invention is further explained below with reference to the accompanying drawings and specific embodiments:

1 Security Assumptions

Let p be a prime, G a cyclic multiplicative group of order p, g a generator of G, and λ the security parameter.

DDDH assumption. For any probabilistic polynomial-time (PPT) adversary given the two distributions, its advantage in distinguishing them does not exceed a negligible function negl(λ).

q-SDH assumption. For any PPT adversary given the q-SDH instance, its advantage in computing (c, g^(1/(x+c))) does not exceed a negligible function negl(λ).

2 Identity-Based Oblivious Pseudorandom Function

An identity-based oblivious pseudorandom function (IBOPRF) lets a user holding a secret x, by interacting with a server holding a secret K, obliviously compute a pseudorandom function value bound to the user's ID, such that the user learns nothing about the server key K and the server learns nothing about the user secret x or the resulting output, as shown in FIG. 1.

Specifically, the IBOPRF is described as a challenge-response mechanism consisting of four algorithms, described in detail as follows:

On input the security parameter λ, the setup algorithm outputs a λ-bit server key K and the public parameters, where p is a safe prime, the group is a multiplicative group of order p, and H1, H2, H3 are three different hash functions.

The client initiates a challenge: it invokes the challenge algorithm, which from input (pp, ID, x) generates the internal state r and the challenge ch; r is kept at the client and ch is sent to the server.

On receiving the challenge, the server invokes the response algorithm, which from input (pp, ch, K) computes kid = H2(ID, k) and the response rp = a^kid, and sends rp back to the client.

On receiving the response, the client reads the internal state r and invokes the finalisation algorithm, which from input (pp, rp, r, x) computes y = H3(x, rp^(1/r)); this is the final output.

The IBOPRF scheme satisfies the following three security properties:

(1) Uniqueness: the IBOPRF scheme satisfies uniqueness if, for any (ID', x') ≠ (ID, x), the probability that the outputs for (ID', x') and (ID, x) coincide is negligible.

(2) Pseudorandomness: the IBOPRF scheme satisfies (d, B)-pseudorandomness if for any PPT adversary there exists a negligible function negl(λ) such that the following holds:

where the distribution of x has min-entropy d, and S(·, ·) denotes an oracle Turing machine simulating the server, which on input (pp, ch, K) computes the response while counting queries and limits queries on the same ID* to at most B.

(3) Obliviousness: the IBOPRF scheme satisfies (d, k)-obliviousness if for any PPT adversary there exists a negligible function negl(λ) such that the following holds:

where the distribution of x has min-entropy d, k is the number of queries the adversary may make on y, and C(·) denotes an oracle Turing machine simulating the client, which outputs the response for each query.

3 Algebraic MAC

An algebraic MAC (Algebraic Message Authentication Code) scheme is usually defined as a triple of algorithms, with the following generic construction:

Setup and key generation algorithm: on input the security parameter λ, generates the public parameters parmac and the key sk, and passes parmac (explicitly or implicitly) to the subsequent algorithms.

MAC algorithm: on input the key sk and a message m, outputs a tag σ on m under sk.

Verification algorithm: on input (sk, m, σ), checks whether σ is a valid tag on m under sk; returns 1 if so and 0 otherwise.

The present invention instantiates the scheme under the q-SDH assumption, as follows:

Key generation: on input the security parameter λ, the algorithm first generates the group elements, where p is a 2λ-bit safe prime and the group is a multiplicative group of order p; it then picks γ at random, computes w = g^γ, sets sk ← γ and outputs the key sk and the public parameters.

MAC: on input the key sk and a message, the algorithm computes A = g^(1/(γ+m)), sets σ ← A and outputs the authentication tag σ.

Verify: on input (sk = γ, m, σ = A), the algorithm checks whether A^(γ+m) = g holds; if so it outputs 1 (authentication passes), otherwise 0 (authentication fails).

Let the message distribution denote the distribution of the message m and Φ the distribution of the tag σ. The scheme above satisfies the following properties:

(1) Key-parameter consistency: the key generation algorithm satisfies key-parameter consistency if for any sk ≠ sk' there exists a negligible value ε such that the following holds:

(2) suf-rmva security (strongly existentially unforgeable under random message and chosen verification queries attack): a scheme is suf-rmva secure if for any PPT adversary there exists a negligible function negl(λ) such that the following holds:

where the oracle MAC(sk, ·) on each query picks a random message, computes its tag and adds (m, σ) to the set Q, which is initialised to empty at the start of the simulation; the oracle Verify(sk, ·, ·) on query (m, σ) outputs the verification result.

(3) Weak pseudorandomness: a scheme has weak pseudorandomness if for any PPT adversary there exists a negligible function negl(λ) such that the following holds:

where the oracle MAC(sk, ·) on each query picks a random message and computes its tag.

4 Non-Interactive Zero-Knowledge Proofs

A non-interactive zero-knowledge (NIZK) proof scheme for a language L ∈ NP usually consists of a pair of PPT algorithms; the two parties (the prover and the verifier) need not interact: the prover produces a proof with the proving algorithm and sends it to the verifier, who runs the verification algorithm and outputs a Boolean value indicating acceptance or rejection. The scheme satisfies the following properties:

(1) Completeness. For any x ∈ L (|x| = k) and any witness ω for it, the following holds:

(2) Soundness. There exists a negligible function negl(k) such that the following holds:

(3) Zero-knowledge. There exists a PPT simulator S such that for any x ∈ L (|x| = k) and any witness ω, the following two distributions are computationally indistinguishable:

{(r, π) ← S(x): (r, x, π)}

where r denotes a public random reference string.

A NIZK proof scheme that additionally satisfies simulation-sound extractability (SE) is called an SE-NIZK proof scheme.

Based on the algebraic MAC scheme, the present invention instantiates a NIZK proof scheme and an SE-NIZK proof scheme, used respectively for user registration at the cloud server (credential issuance) and for authentication (credential presentation). Following the usual notation, ∑ ← SPK{(ω): statement} denotes an SE-NIZK proof and VerifySPK(statement, ∑) its verification algorithm; π ← NIZK{(ω): statement} denotes a NIZK proof and VerifyNIZK(statement, π) its verification algorithm. The specific description follows:

Credential issuance. Credential issuance is the process by which the cloud server issues to a registered user a credential σ authenticated under its private key sk, without revealing sk. It is implemented with the NIZK proof scheme and consists of two algorithms (Cert, CertVerify):

(σ, π) ← Cert(parmac, sk, m): first generate the credential with the MAC scheme; then construct the NIZK proof π ← NIZK{(sk): ...}: choose r at random, compute R1 = A^r, R2 = g^r, c = H6(g, w, m, A, R1, R2) (H6 is a hash function) and s = r + cγ mod p, and set π ← (c, s). Return (σ, π).

{0,1} ← CertVerify((parmac, m, σ), π): for the input ((parmac, m, σ = A), π), construct the verification algorithm VerifyNIZK((parmac, m, σ), π): compute c' = H6(g, w, m, A, A^(s+cm)·g^(-c), g^s·w^(-c)); return 1 if c' = c, otherwise 0.

Credential presentation. Credential presentation is the process by which a credential holder proves to the issuer that it holds a credential σ, so that the legitimacy of its identity can be verified, without revealing the credential. It is implemented with the SE-NIZK proof scheme and consists of two algorithms (Show, ShowVerify):

υ ← Show(parmac, m, σ): first construct the randomisation algorithm Rerand, which randomises σ: (T, a) ← Rerand(σ): T ← A^a. Then construct the SE-NIZK proof ∑ ← SPK{(m, a): fp(parmac, T, m, a) = V} (fp() indicates that the bracketed parameters form a mapping): choose random values, compute R and c ← H7(g, T, R) (H7 is a hash function; H1 to H7 denote different hash functions), sm ← rm + cm mod p, sa ← ra + ca mod p; set ∑ = (c, sm, sa) and return υ = (T, ∑).

{0,1} ← ShowVerify(parmac, υ, sk): construct the verification algorithm VerifySPK(fv(parmac, T, sk) = V, ∑) (fv() indicates that the bracketed parameters form a mapping): first compute V ← T^γ and R', then c' ← H7(g, T, R'); return 1 if T ≠ 1 and c = c', otherwise 0.

The tag randomisation algorithm Rerand is said to be simulatable if there exists a simulator TVSim that, on input parmac, outputs (T', V') with V' = fv(parmac, T', sk) and T' distributed identically to the T output by Rerand. Corresponding to Rerand there is a Derand algorithm: σ ← Derand(T, a).

5 Security Model

This section extends the security model of anonymous password authentication schemes and defines the security model used to analyse the authentication security and anonymity of the anonymous password authentication and encryption (APADE) scheme for deduplicated cloud storage systems.

5.1 Authentication Security

Protocol participants. The participants of this scheme form three sets: the user set [omitted], the key server set [omitted] and the cloud server set [omitted]. For simplicity, the key server set and the cloud server set are usually assumed to contain a single element each, i.e. [omitted].

Long-term keys. Each user U in the user set holds a password pw_U, the key server KS holds a private key K, and the cloud server CS holds a private key sk. The password pw_U is drawn uniformly from the dictionary space [omitted]; K is a high-entropy random number; sk is generated by the [omitted] scheme and its public parameters parmac are published to all protocol participants. In addition, KS stores the list of user credentials [omitted], where cre_C(U) is obtained by encrypting user U's credential σ under the strengthened password spw_U, which is derived from the password pw_U and KS's private key K.

Protocol execution model. Assume every participant may run several instances concurrently; U^i denotes the i-th instance of user U, KS^j the j-th instance of the key server KS, CS^k the k-th instance of the cloud server CS, and I an instance of any type. Users and CS communicate over a TLS secure channel, so a PPT attacker cannot learn honest user-to-CS traffic by eavesdropping, but it can mount active attacks such as forging or deleting messages. For communication between users and KS, the attacker controls the whole network: it can eavesdrop on, forge, delete and modify any message, and it can obtain the user list. Concretely, the attacker's capabilities are formalised as the following queries:

Execute(U^i,KS^j): models the attacker's passive eavesdropping on a protocol run. On this query an honest protocol execution is started between the user instance U^i and the key server instance KS^j, and all messages exchanged during it are output.

Send(I^i,m): models the attacker's active attack capability. The attacker sends the message m to the participant instance I^i, and the query outputs I^i's response to m.

Corrupt(I): models the attacker's ability to corrupt the participant I. Corrupt(U) outputs user U's password pw_U; Corrupt(KS) outputs the key server's private key K and the stored user list [omitted]; Corrupt(CS) outputs the cloud server's private key sk.

Definition 1 (authentication security). Given a scheme, let the event [omitted] denote that the attacker successfully impersonates some user in the user set [omitted], passes the cloud server's authentication and establishes a session, and let [omitted] denote the advantage of a PPT attacker in breaking the authentication security of the scheme. The scheme achieves user-to-cloud-server authentication security if, for every PPT attacker, there exists a negligible function negl(λ) such that the following holds:

where q_s is the number of Send queries issued by the attacker and [omitted] is the size of the dictionary space.

5.2 Anonymity

Protocol participants. The participants of this scheme form three sets: the user set [omitted], the key server set [omitted] and the cloud server set [omitted].

Long-term keys. Each user U in the user set holds a password pw_U; the key server KS holds the private key K and the user credential list [omitted] (where ρ_U counts the number of MLE key requests); the cloud server CS holds the private key sk. The element cre_C(U) of the user credential list is initialised to ⊥, and the attacker can generate and obtain cre_C(U) through a Reg query. The attacker is allowed to obtain the cloud server's private key sk.

Protocol execution model. At the start of the protocol a bit b ←$ {0,1} is chosen at random. The capabilities of the PPT attacker are formalised as the following queries:

Reg(U): models the attacker's ability to invoke the registration algorithm. For [omitted] with cre_C(U) = ⊥, this query makes user U run the registration algorithm, which generates and outputs the encrypted credential cre_C(U).

TestAnonymity(U_i,U_j): characterises user anonymity. For users [omitted] with cre_C(U_i) ≠ ⊥ and cre_C(U_j) ≠ ⊥, the oracle answers according to the pre-chosen random bit b: if b = 1 it returns that U_i and U_j are the same user, and if b = 0 that they are not. This query may be issued only once.

Definition 2 (anonymity). Given a scheme, let the event [omitted] denote that the attacker correctly guesses the random bit b of the TestAnonymity query, and let [omitted] denote the advantage of a PPT attacker in breaking the anonymity of the scheme. The scheme satisfies user-to-cloud-server anonymity if, for every PPT attacker, there exists a negligible function negl(λ) such that the following holds:

6 Scheme Construction

Based on the security assumptions and building blocks above, this section constructs an anonymous password authentication and encryption scheme for deduplicated cloud storage systems. It consists of three phases, registration, MLE key generation with data upload, and data download, as shown in Figure 2; specifically:

Step S1: user U registers with the cloud server CS and obtains an authentication credential σ together with the corresponding non-interactive zero-knowledge proof π; U verifies the validity of σ using π and the public parameters, and once verification passes encrypts σ under the strengthened password spw_U, generated with the help of the key server KS, and stores it at KS;

Step S2: based on the encrypted σ, U, CS and KS jointly generate the MLE key; the data file M is encrypted under the MLE key and uploaded, and the cloud storage server deduplicates the encrypted data;

Step S3: with the assistance of the key server KS, user U authenticates to the cloud server CS and recovers the data file M.

Before step S1, the method further includes:

Initialisation phase. Set the public parameters (λ, [omitted]), where λ is the security parameter, p is a λ-bit safe prime, [omitted] is a multiplicative group of order p, and the hash functions [omitted] and H_5 are common hash functions of kinds different from H_1, H_2, H_3 and H_4. E is an IND-CPA-secure (indistinguishable under chosen-plaintext attack) symmetric encryption scheme: c = E.enc(k,m) encrypts the plaintext m under the key k and outputs the ciphertext c, and m = E.dec(k,c) decrypts the ciphertext c under k and outputs the plaintext m. The key server holds the private key (K, α_1) and the cloud server holds the private key (sk, α_2), where K is a high-entropy random number and sk is generated by the [omitted] algorithm; [omitted]. The servers use the same private key for all users.

Further, the registration phase includes:

User U registers with the cloud server CS and obtains an authentication credential σ together with the corresponding non-interactive zero-knowledge (NIZK) proof π; U verifies the validity of σ using π and the public parameters, and once verification passes encrypts σ under the strengthened password spw_U, generated with the help of the key server KS, and stores it at KS. The specific steps, shown in Figure 3, are:

S101: user U invokes IBOPRF(ID_U, pw_U) to obtain the strengthened password spw_U, computes the message m = h(ID_U) and sends it to CS for registration;

S102: CS runs the Cert algorithm to generate the credential σ and the proof π for U;

S103: on receiving (σ,π), user U verifies σ with the CertVerify algorithm; after verification passes, U encrypts σ under spw_U, obtaining [omitted], and sends [omitted] to KS for storage;

S104: if user U is registering with KS for the first time, KS creates a list [omitted] for U in which U's encrypted credential is stored, and initialises ρ_U = 0, which counts the number of MLE key requests; otherwise registration fails.

Further, the MLE key generation and data upload phase includes:

This phase consists of two parts, MLE key generation and data upload. After the data has been uploaded, the cloud storage server can deduplicate the encrypted data. The specific steps are shown in Figure 4.

Further, the MLE key generation part includes:

S201: user U invokes IBOPRF(ID_U, pw_U) to obtain the strengthened password spw_U, retrieves [omitted] from the user list [omitted] stored at KS, decrypts [omitted] with spw_U and recovers the credential σ;

S202: user U computes m = h(ID_U), generates a proof υ for (m,σ) with the Show algorithm and sends υ to CS for authentication; at the same time U randomises the file M to be encrypted: [omitted], and sends M_1 and M_2 to KS and CS respectively;

S203: on receiving the message, CS first verifies υ with the ShowVerify algorithm. After verification passes, CS uses its secret α_2 to compute [omitted]; meanwhile KS uses α_1 to compute [omitted] and increments the request counter; CS and KS send K_M1 and K_M2, respectively, to U;

S204: user U computes [omitted], which is the MLE key.

Further, the data upload part includes:

S205: having generated the MLE key, user U encrypts the file M locally under it, C_M = E.enc(K_M, M), and computes the corresponding ciphertext tag [omitted];

S206: user U derives two different keys κ_U and [omitted] from spw_U, and encrypts K_M and [omitted]: C_KM = E.enc(κ_U, K_M), [omitted];

S207: U sends [omitted] to KS, which stores it in [omitted], and sends [omitted] to CS for storage, where [omitted] serves as the storage tag used for later retrieval and deduplication.

Further, the data deduplication part includes:

S208: after the data has been uploaded, CS checks whether the tag [omitted] already exists; if it does, CS deduplicates the data and continues to maintain the list [omitted]; otherwise it creates the list [omitted];

S209: for a user who later uploads a ciphertext C', CS checks whether [omitted] holds; if it does, CS deduplicates the data, otherwise it creates a new list for C'.
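Steps S201 to S209 as an added example in Python, not the patent's own code. Because the page does not reproduce the blinding, key-combination and tag formulas, the block substitutes a two-server blinded-exponentiation construction (h^ρ sent to each server, the shares h^{ρα_i} returned, unblinded and combined into H(h^{α_1+α_2})), a tag H(K_M) and a request budget MAX_REQUESTS at KS; these, the toy 11-bit group and the SHA-256 stream cipher standing in for E are all assumptions, and the ShowVerify gate at CS is left out.

```python
"""Three-party MLE key generation, upload and deduplication (steps S201-S209),
as an added example; not the patent's code. The page omits the exact formulas,
so the following are assumptions: the user blinds h = H1(M) as M1 = h^rho1 and
M2 = h^rho2, KS answers M1^alpha1 and CS answers M2^alpha2, the user unblinds
and sets KM = H(h^(alpha1 + alpha2)), the ciphertext tag is H(KM), and KS
refuses a user after MAX_REQUESTS key requests. Toy group P = 2039 = 2q + 1,
q = 1019 (11 bits, demo only; the page uses a lambda-bit safe prime)."""
import hashlib
import secrets

P, q = 2039, 1019               # toy safe prime; exponents live in Z_q


def hash_to_group(data: bytes) -> int:
    """h = H1(M) mapped into the order-q subgroup (squares are the QRs mod P)."""
    x = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
    h = x * x % P
    return h if h > 1 else 4    # avoid 0 or 1 on a freak input; 4 is a square


class KeyServer:
    """KS: holds alpha1 and the per-user MLE-key request counter rho_U."""
    MAX_REQUESTS = 3            # assumed online-guess budget per user

    def __init__(self):
        self.alpha1 = secrets.randbelow(q - 1) + 1
        self.rho = {}           # rho_U, set to 0 at registration (step S104)

    def register(self, user_id: str):
        self.rho.setdefault(user_id, 0)

    def key_share(self, user_id: str, m1: int) -> int:
        """Step S203 at KS: count the request, then return KM1 = M1^alpha1."""
        if user_id not in self.rho:
            raise PermissionError("unregistered user")
        if self.rho[user_id] >= self.MAX_REQUESTS:
            raise PermissionError("MLE key request budget exhausted")
        self.rho[user_id] += 1
        return pow(m1, self.alpha1, P)


class CloudServer:
    """CS: holds alpha2 and the deduplicated store keyed by tag (S208/S209)."""

    def __init__(self):
        self.alpha2 = secrets.randbelow(q - 1) + 1
        self.store = {}         # tag -> [ciphertext, list of owners]

    def key_share(self, m2: int) -> int:
        """Step S203 at CS (after ShowVerify, omitted here): KM2 = M2^alpha2."""
        return pow(m2, self.alpha2, P)

    def upload(self, user_id: str, tag: bytes, ciphertext: bytes) -> bool:
        """Return True when the upload was deduplicated against an existing tag."""
        if tag in self.store:
            self.store[tag][1].append(user_id)   # keep one copy, record owner
            return True
        self.store[tag] = [ciphertext, [user_id]]
        return False


def mle_key(user_id: str, data: bytes, ks: KeyServer, cs: CloudServer) -> bytes:
    """Steps S202-S204: blind h separately for KS and CS, unblind, combine."""
    h = hash_to_group(data)
    rho1, rho2 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    km1 = ks.key_share(user_id, pow(h, rho1, P))   # KS only ever sees h^rho1
    km2 = cs.key_share(pow(h, rho2, P))            # CS only ever sees h^rho2
    combined = pow(km1, pow(rho1, -1, q), P) * pow(km2, pow(rho2, -1, q), P) % P
    # combined == h^(alpha1 + alpha2): the same for every owner of this file,
    # and computable by neither server alone without the other's secret
    return hashlib.sha256(b"MLE|" + str(combined).encode()).digest()


def _keystream_xor(km: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the IND-CPA cipher E: SHA-256 keystream in CTR style."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(km + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(km: bytes, data: bytes) -> bytes:
    """C_M = E.enc(K_M, M): fresh nonce, so equal files give different C_M."""
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(km, nonce, data)


def decrypt(km: bytes, blob: bytes) -> bytes:
    return _keystream_xor(km, blob[:16], blob[16:])


def upload_file(user_id: str, data: bytes, ks: KeyServer, cs: CloudServer):
    """Steps S205-S207 from the user's side: returns (K_M, tag, deduplicated)."""
    km = mle_key(user_id, data, ks, cs)
    tag = hashlib.sha256(b"tag|" + km).digest()    # assumed tag = H(K_M)
    return km, tag, cs.upload(user_id, tag, encrypt(km, data))
```

Two users uploading the same file derive the same K_M and tag, so CS keeps a single ciphertext, while each online key request is counted by KS, which is what bounds the q_s online guesses in Theorem 1.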

Further, the data download phase includes:

In this phase the user, assisted by the key server KS, authenticates to the cloud server CS and recovers the data file M. The specific steps, shown in Figure 5, are:

S301: user U invokes IBOPRF(ID_U, pw_U) to obtain the strengthened password spw_U, and retrieves [omitted] from the list [omitted];

S302: U decrypts [omitted] with spw_U and recovers the credential σ; computes m and generates a proof υ for (m,σ) with the Show algorithm; recovers the key κ_U from spw_U, decrypts C_KM and recovers the tag [omitted] and K_M; then sends [omitted] to CS for authentication and file retrieval;

S303: on receiving [omitted], CS verifies υ with the ShowVerify algorithm; if verification passes, it uses the tag [omitted] to look up the list [omitted], retrieves C_M and sends it to U;

S304: U decrypts C_M with K_M and obtains the file M.

7 Security Proof

This section proves the security of the proposed scheme (hereafter simply the scheme). Two types of attacker are considered: a corrupted key server and a malicious but rational cloud server. The corrupted key server mainly aims to obtain file information and to guess user passwords; security against it is characterised by MLE confidentiality and authentication security. The cloud server mainly aims to violate user privacy, including obtaining users' outsourced file data and breaking user anonymity, but it does not disrupt the normal execution of the protocol or the integrity of the stored data; security against it is characterised by MLE confidentiality and authentication anonymity. Theorems 1, 2 and 3 prove confidentiality, authentication security and anonymity, respectively.

Theorem 1 (confidentiality). If the DDDH assumption holds in the cyclic group [omitted] and the IBOPRF mechanism constructed in this invention is pseudorandom and oblivious, then the scheme is confidential against the cloud server and the key servers, and satisfies:

where [omitted] denotes the advantage of a PPT attacker in breaking the confidentiality of the scheme, q_s the number of online attacks launched, [omitted] the distribution of the file M, and ε a negligible quantity.

Proof. We first show, through an indistinguishability-based simulation game, that the scheme is confidential against the cloud server.

Let the event [omitted] denote that the adversary wins the following indistinguishability game. The participants are the environment ε and the simulator Sim, and the game proceeds as follows:

1) ε runs the scheme's initialisation, generates the public parameters and α_1, α_2, and sends α_2 to the adversary.

2) The adversary picks a file [omitted] at random and sends M* to Sim, who forwards it to ε.

3) ε picks [omitted] at random, computes [omitted] and sends M_2* to Sim, who forwards it to the adversary.

4) The adversary computes [omitted] and sends K_M2* to Sim, who forwards it to ε.

5) ε computes [omitted] and sends K_M* to Sim, who forwards it to the adversary.

6) Steps 2) to 5) are repeated at most polynomially many times. The adversary then picks [omitted] at random and sends it to Sim, who forwards it to ε.

7) ε picks b←{0,1} at random. If b = 0, ε computes [omitted]; otherwise ε picks [omitted] at random, where [omitted] denotes the space of random bit strings of the same length as [omitted]. ε then sends [omitted] to Sim, who forwards it to the adversary.

8) The adversary outputs b'←{0,1}; it wins the indistinguishability game if and only if b' = b.

Suppose the adversary wins the above game with probability [omitted]. Then it breaks the DDDH assumption with advantage [omitted]. Hence there exists a negligible value ε such that [omitted], and therefore [omitted]. Consequently the cloud server cannot obtain any information about the file M through the MLE key generation process; it can only mount an online dictionary attack on M, and its advantage exceeds [omitted] by at most a negligible amount.

Likewise, the key server cannot obtain any information about the file M through the MLE key generation process. Moreover, by the obliviousness of IBOPRF, it cannot guess the strengthened password spw_U correctly, and so cannot recover K_M from the C_KM stored at [omitted]. Hence the scheme is also confidential against the key server.

This completes the proof.

Theorem 2 (authentication security). If the IBOPRF mechanism is pseudorandom and oblivious, the [omitted] scheme constructed in this invention satisfies suf-rmva security and weak pseudorandomness, the SPK proof constructed in this invention is an SE-NIZK proof, the encryption algorithm E_1 is CPA-secure, h(·) is a random oracle, and the PPT attacker issues at most q_s Send queries, then the scheme achieves user-to-cloud-server authentication security and satisfies:

where [omitted] denotes the attacker's advantage in breaking user-to-cloud-server authentication security.

Proof. Theorem 2 is proved through a sequence of simulated games G_0, G_1, …, G_6. Game G_0 simulates the attack in the real environment, so [omitted]. In G_0 the attacker is given the ability to obtain the list [omitted] stored at the key server KS.

Game G_1: change the way the credential υ is generated, by defining a simulator Sim and an extractor Ext. Since the SPK proof has simulation extractability (SE), a simulator Sim can be defined: using the simulator TVSim mentioned earlier, on input parmac it outputs (T',V')←TVSim(parmac), where T' has the same distribution as the T output by the randomisation algorithm Rerand. From (T',V') the simulator produces the proof ∑'←Sim(parmac,T',V') and outputs the credential υ = (T',∑'). Then define the extractor Ext: it first extracts the witness (m',a') from the credential υ, then computes σ'←Derand(T',a') with the Derand algorithm, and outputs (m',σ')←Ext(parmac,υ). If T' is not distributed consistently with T, Ext returns invalid.

In G_1, authentication is rejected and the game aborted if either [omitted] or Ext returns invalid. Hence G_1 is indistinguishable from G_0 unless the extractability or the simulatability of the SPK proof scheme is broken, so [omitted], where [omitted] denotes the advantage of the algorithm [omitted] in breaking the zero-knowledge property of the SPK proof scheme and [omitted] the advantage of the algorithm [omitted] in breaking its extractability.

Game G_2: on top of G_1, make the following changes:

(1) Model the hash function h(·) as a random oracle [omitted] with the following rules: initialise a list [omitted]; on any hash query [omitted], if the list contains a record (id,m), return m; otherwise pick [omitted] at random, return m and add (id,m) to the list.

(2) Reject authentication and abort the game when the following occurs: for a submitted credential υ, the extractor Ext(parmac,υ) outputs [omitted], where the set Q is obtained as follows:

Let the algorithm [omitted] simulate the attacker's execution in G_1 while querying the oracles MAC(sk,*) and Verify(sk,*,*) in the following way:

(1) For i∈[N], query [omitted] to obtain m_i; then query the oracle MAC(sk,*) on m_i; for each query, MAC(sk,*) computes [omitted] and adds (m_i,σ_i) to the set Q.

(2) For any pair (m',σ') output by the extractor Ext on input (parmac,υ), query the oracle Verify(sk,*,*) on (m',σ'). Accept υ if and only if it returns [omitted]; otherwise reject.

Since h(·) can be treated as a random oracle, change (1) does not alter the attacker's advantage; the [omitted] scheme satisfies suf-rmva security, so G_2 is identical to G_1 unless suf-rmva security is broken, giving:

Game G_3: identical to G_2, except that the game aborts when the following collision occurs: for i,j∈[N] with i ≠ j, m_i = m_j. Hence:

Game G_4: on top of G_3, for i∈[N] replace σ_i in [omitted] by a random value r_i ←$ Φ. For (m,σ)←Ext(parmac,υ), if m = m_i for some i∈[N], accept υ if and only if σ = r_i; otherwise reject authentication and abort the game.

By the weak pseudorandomness of the [omitted] scheme: [omitted], where [omitted] denotes the advantage of the algorithm [omitted] in breaking the weak pseudorandomness of the [omitted] scheme.

Game G_5: on top of G_4, make the following changes:

(1) Model the IBOPRF mechanism as a random oracle [omitted] with the following rules: initialise a list [omitted]; on a query [omitted], if the list contains (id,x,y), return y; otherwise pick y ←$ Γ at random, return y and add (id,x,y) to the list, where Γ denotes the distribution of spw_U.

(2) For i∈[N], the attacker may query [omitted] to obtain y_i. Reject authentication and abort the game when, for i,j∈[N] with i ≠ j, y_i = y_j.

The occurrence of this event would mean that the pseudorandomness and obliviousness of the IBOPRF mechanism are broken. Hence

where [omitted] denote the advantages of the algorithm [omitted] in breaking the pseudorandomness and the obliviousness of the IBOPRF mechanism, respectively.

Game G_6: on top of G_5, for i∈[N] replace [omitted] by a random value [omitted], where [omitted] denotes the ciphertext space, and reject any authentication request in which the attacker impersonates a legitimate user. Since the encryption algorithm E is CPA-secure, G_5 and G_6 have the same distribution unless the CPA security of E is broken. Hence:

where [omitted] denotes the advantage of the algorithm [omitted] in breaking the CPA security of the encryption algorithm E_1.

At this point all information related to the credential υ has been replaced by random values; the attacker can learn nothing useful through passive attacks and can only guess the password through an online dictionary attack via Send queries. Therefore [omitted].

In summary, [omitted].

This completes the proof.

Theorem 3 (anonymity). If the NIZK proof scheme constructed in this invention is sound, the SPK proof scheme is zero-knowledge, the tag randomisation algorithm Rerand is simulatable, and the key generation algorithm [omitted] is consistent, then the scheme satisfies user-to-key-server anonymity and:

where [omitted] denotes the advantage of a PPT attacker in breaking the anonymity of user-to-cloud-server authentication in the scheme.

Proof. Theorem 3 is proved through a sequence of simulated games G_0, …, G_3. Let the event [omitted] denote that the PPT attacker correctly guesses the random bit b of the TestAnonymity query in game G_i. Game G_0 simulates the attack in the real environment, so [omitted].

Game G_1: identical to G_0, except that the game aborts when the following occurs: during credential issuance, some user accepts a tag σ on the message m together with a proof π* such that VerifyNIZK((parmac,m,σ),π*) = 1, but [omitted]. Unless the soundness of the NIZK proof scheme is broken, G_1 is identical to G_0, so [omitted], where [omitted] denotes the advantage of the algorithm [omitted] in breaking the soundness of the NIZK proof scheme.

Game G_2: on top of G_1, use a PPT simulator S that, on any input, outputs ∑', and replace ∑ in the protocol run by ∑'. Unless the zero-knowledge property of the SPK proof scheme is broken, ∑' and ∑ are computationally indistinguishable, so [omitted], where [omitted] denotes the advantage of the algorithm [omitted] in breaking the zero-knowledge property of the SPK proof scheme.

Game G_3: on top of G_2, use the simulator TVSim, which on input parmac outputs (T',V'), and replace (T,V) in the protocol run by (T',V'). Since the SPK proof scheme is simulatable, T' has the same distribution as T, so [omitted].

At this point all user-related information in the computation of the credential υ has been replaced by random values, and the cloud server cannot tell whether two credentials come from different users; that is, there exists a negligible function negl(λ) such that [omitted], where λ is the security parameter.

In summary: [omitted].

This completes the proof.

8实验仿真与效率分析8 Experimental simulation and efficiency analysis

本节在仿真实验环境下验证了所提方案的有效性,并进一步从计算效率、通信效率、安全性等方面对所提方案与Zhang等的SPADE方案[文献2]进行了对比分析。仿真实验环境为VMware,CoreTMi7-9700CPU@3.00GHz,15.6GiB内存,Ubuntu 18.04.6LTS 64位操作系统,实验代码使用Python语言编写,并基于Charm,Crypto等库设计完成。This section verifies the effectiveness of the proposed scheme in a simulation experiment environment, and further compares the proposed scheme with the SPADE scheme of Zhang et al. [Reference 2] in terms of computational efficiency, communication efficiency, and security. The simulation experiment environment is VMware. CoreTM i7-9700CPU@3.00GHz, 15.6GiB memory, Ubuntu 18.04.6LTS 64-bit operating system. The experimental code is written in Python and is designed based on libraries such as Charm and Crypto.

8.1计算及通信效率等对比8.1 Comparison of Computation and Communication Efficiency

表1展示了APADE方案与SPADE方案在计算复杂度方面的对比情况,其中数字表示使用相应运算或算法的次数,“-”表示未使用此项运算或算法,n表示密钥服务器的数量。表2展示了仿真实验中的计算时延、通信开销、存储开销等方面的对比情况,通信开销一项中R表示注册阶段,KG&DU表示MLE密钥生成与数据上传阶段,DA表示数据下载阶段各自对应的通信开销情况。参数设置为安全参数为1024,文件大小为10M,用户ID为10字节的随机串,加密密钥(包括MLE密钥)长度均设置为256bits。为了更直观的展示通信与存储开销对比情况,加密文件的通信与存储开销未计入内。此外,据文献A,SPADE方案中的密钥服务器数量通常设置为n=30。Table 1 shows the comparison of the computational complexity between the APADE scheme and the SPADE scheme, where the number indicates the number of times the corresponding operation or algorithm is used, "-" indicates that the operation or algorithm is not used, and n indicates the number of key servers. Table 2 shows the comparison of the computational delay, communication overhead, storage overhead, etc. in the simulation experiment. In the communication overhead, R represents the registration phase, KG&DU represents the MLE key generation and data upload phase, and DA represents the corresponding communication overhead of the data download phase. The parameters are set to 1024 for security parameters, 10M for file size, 10-byte random string for user ID, and 256 bits for encryption keys (including MLE keys). In order to more intuitively show the comparison of communication and storage overhead, the communication and storage overhead of encrypted files are not included. In addition, according to reference A, the number of key servers in the SPADE scheme is usually set to n = 30.

根据表1、表2的对比结果,APADE方案的计算时延低于SPADE方案,这是因为APADE方案避免了使用门限方案带来的多次签名/验签、对称加解密运算和秘密共享算法,虽然使用了模幂运算和NIZK证明,但其计算效率仍然得到了一定的提高。According to the comparison results in Table 1 and Table 2, the computational delay of the APADE scheme is lower than that of the SPADE scheme. This is because the APADE scheme avoids the multiple signatures/verifications, symmetric encryption and decryption operations, and secret sharing algorithms brought about by the threshold scheme. Although modular exponentiation and NIZK proof are used, its computational efficiency is still improved to a certain extent.

通信效率方面,据表2,在n≥2时,SPADE方案的通信轮次及通信开销均始终大于APADE方案。因此在通信效率方面,APADE方案具有明显的优势。In terms of communication efficiency, according to Table 2, when n ≥ 2, the communication rounds and communication overhead of the SPADE scheme are always greater than those of the APADE scheme. Therefore, in terms of communication efficiency, the APADE scheme has obvious advantages.

存储开销方面,据表2,APADE方案在云服务器上的存储开销更低而在密钥服务器端的开销更高,这是由于APADE方案在密钥服务器端存储了登录凭据和MLE密钥,而在SPADE方案中,MLE密钥被存储在云服务器端,因此APADE方案在云端的存储开销更低。总体而言,以单个密钥服务器和云服务器的存储开销来看,两种方案基本相当。In terms of storage overhead, according to Table 2, the APADE solution has lower storage overhead on the cloud server and higher overhead on the key server. This is because the APADE solution stores login credentials and MLE keys on the key server, while in the SPADE solution, the MLE keys are stored on the cloud server. Therefore, the APADE solution has lower storage overhead on the cloud. In general, the two solutions are basically equivalent in terms of storage overhead of a single key server and cloud server.

Table 1 Comparison of computational complexity with the SPADE scheme

Table 2 Comparison of computational latency, communication overhead and storage overhead with the SPADE scheme

8.2 Security comparison

Table 3 compares the security of the MLE scheme, the DupLESS scheme [Keelveedhi S, Bellare M, Ristenpart T. DupLESS: Server-Aided Encryption for Deduplicated Storage [C]. 22nd USENIX Security Symposium (USENIX Security 13), 2013: 179-194.], the SPADE scheme and the APADE scheme proposed in the present invention. Five aspects are considered: whether the scheme resists brute-force attacks, whether it solves the single-point-of-failure problem, whether it has a key management problem, whether it provides anonymous authentication, and whether it is provably secure. "-" means that the scheme has no such security problem.

According to Table 3, the APADE scheme offers the same security as SPADE against brute-force attacks and single points of failure and avoids local key management on the user side. In addition, compared with SPADE it adds anonymous authentication, and its security is proven in the random oracle model; it is therefore more secure than SPADE and other schemes of the same type.

Table 3 Security comparison with schemes of the same type

In summary, to address the security problems of deduplicated cloud storage systems, namely vulnerability to brute-force attacks, single points of failure and lack of privacy protection, the present invention proposes an anonymous password authentication and deduplicated cloud data encryption scheme. Dual-server-assisted message-locked encryption resists brute-force attacks and single points of failure without a complex system architecture or high deployment cost; anonymous authentication based on a non-interactive zero-knowledge proof protects the privacy of user identity information; the confidentiality, authentication security and anonymity of the scheme are proven in the random oracle model; and its effectiveness is demonstrated in a simulation environment. The experimental and comparative analysis shows that, compared with schemes of the same type, this scheme achieves stronger security with higher computational and communication efficiency and lowers deployment and maintenance costs.

The above is only a preferred embodiment of the present invention. It should be pointed out that a person of ordinary skill in the art can make several improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (10)

1. An anonymous password authentication and encryption scheme for a deduplicated cloud storage system, comprising:
Step 1: user U registers with the cloud server CS and obtains an authentication credential σ together with a corresponding non-interactive zero-knowledge proof π; U verifies the validity of σ with π and the public parameters and, once verification passes, encrypts σ with the enhanced password spwU generated with the assistance of the key server KS and stores the result at KS;
Step 2: based on the encrypted σ, U, CS and KS jointly generate the MLE key, U encrypts the data file M with the MLE key and uploads it, and the cloud storage server deduplicates the encrypted data;
Step 3: with the assistance of the key server KS, U authenticates to the cloud server CS and recovers the data file M.

2. The anonymous password authentication and encryption scheme for a deduplicated cloud storage system according to claim 1, wherein step 1 comprises:
Step 1.1: U calls IBOPRF(IDU, pwU) to obtain the enhanced password spwU, computes the message m = h(IDU) and sends it to CS for registration; where IBOPRF() denotes an identity-based oblivious pseudo-random function, IDU the user ID and pwU the password, p is a prime and Z denotes the set of integers;
Step 1.2: CS generates the credential σ and the non-interactive zero-knowledge proof π for U with the Cert algorithm;
Step 1.3: after receiving (σ, π), U verifies σ with the CertVerify algorithm; once verification passes, U encrypts σ with spwU and sends the encrypted credential to KS for storage;
Step 1.4: if U is registering with KS for the first time, KS creates a user credential list for U in which U's encrypted credential is stored, and initializes ρU = 0, where ρU counts the number of MLE key requests; otherwise registration fails.

3. The anonymous password authentication and encryption scheme for a deduplicated cloud storage system according to claim 2, wherein in step 2 the MLE key is generated as follows:
Step 2.1: U calls IBOPRF(IDU, pwU) to obtain the enhanced password spwU, retrieves the encrypted credential from the user credential list stored at KS, decrypts it with spwU and recovers the credential σ;
Step 2.2: U computes m = h(IDU), generates a proof υ for (m, σ) with the Show algorithm and sends υ to CS for authentication; at the same time U randomizes the file M to be encrypted and sends M1 and M2 to KS and CS respectively; the randomization uses a hash function together with a multiplicative cyclic group of order p;
Step 2.3: after receiving the message, CS first verifies υ with the ShowVerify algorithm; once verification passes, CS performs its computation with the secret α2 it holds, while KS performs the corresponding computation with α1 and increments the request counter; CS and KS send KM1 and KM2 to U respectively;
Step 2.4: U computes KM, which is the MLE key.

4. The anonymous password authentication and encryption scheme for a deduplicated cloud storage system according to claim 3, wherein in step 2, encrypting and uploading the data file M with the MLE key comprises:
Step 2.5: after the MLE key has been generated, U encrypts M locally with the MLE key to obtain the ciphertext CM = E.enc(KM, M) and computes the corresponding ciphertext tag; where E is a symmetric encryption scheme with indistinguishability under chosen-plaintext attack, E.enc(KM, M) denotes encryption of the plaintext M under the MLE key, and H5 denotes a hash function;
Step 2.6: U derives two different keys, κU and a second key, from spwU and encrypts KM and the tag under them to obtain the corresponding ciphertexts, among them CKM = E.enc(κU, KM); where IDCS denotes the cloud server ID, IDKS the key server ID, and a hash function is used in the derivation;
Step 2.7: U sends one ciphertext to KS, which stores it in the list, and sends the other to CS for storage.

5. The anonymous password authentication and encryption scheme for a deduplicated cloud storage system according to claim 4, wherein in step 2, performing deduplication of the encrypted data on the cloud storage server side comprises:
Step 2.8: after the data has been uploaded, CS checks whether the tag already exists; if so, CS deduplicates the data and continues to maintain the existing list; otherwise it creates a list;
Step 2.9: for a user who later uploads a ciphertext C', CS checks whether the corresponding condition holds; if so it deduplicates the data, otherwise it creates a new list for C'.

6. The anonymous password authentication and encryption scheme for a deduplicated cloud storage system according to claim 4, wherein step 3 comprises:
Step 3.1: U calls IBOPRF(IDU, pwU) to obtain the enhanced password spwU and retrieves its stored entries from the list;
Step 3.2: U decrypts them with spwU and recovers the credential σ; computes m and generates a proof υ for (m, σ) with the Show algorithm; recovers the key κU with spwU, decrypts CKM and recovers the tag and KM; then sends the request to CS for identity verification and file retrieval;
Step 3.3: upon receipt, CS verifies υ with the ShowVerify algorithm; if verification passes, it uses the tag to look up the list, retrieves CM and sends it to U;
Step 3.4: U decrypts CM with KM and obtains the file M.

7. The anonymous password authentication and encryption scheme for a deduplicated cloud storage system according to claim 2, wherein step 1.2 comprises:
first, generating the credential with the algebraic scheme: on input the key sk and the message m, the algorithm computes A = g^(1/(γ+m)), sets σ ← A and outputs the authentication tag σ;
second, constructing the non-interactive zero-knowledge proof π ← NIZK{(sk): ...}: choose r, compute R1 = A^r, R2 = g^r, c = H6(g, w, m, A, R1, R2) and s = r + cγ mod p, set π ← (c, s) and return (σ, π); where π ← NIZK{} denotes a non-interactive zero-knowledge proof; the verification algorithm, on input sk = γ, m and σ = A, checks whether A^(γ+m) = g holds and outputs 1 (authentication passed) if it does and 0 (authentication failed) otherwise; the setup algorithm, on input the security parameter λ, first generates the group elements, where p is a 2λ-bit safe prime, G is a multiplicative group of order p and g is a generator of G, then randomly selects γ, computes w = g^γ, sets sk ← γ and outputs the key sk and the public parameters; H6 denotes a hash function.

8. The anonymous password authentication and encryption scheme for a deduplicated cloud storage system according to claim 7, wherein in step 1.3, U verifying σ with the CertVerify algorithm comprises:
for the input ((parmac, m, σ = A), π), constructing the verification algorithm VerifyNIZK((parmac, m, σ), π): compute c' = H6(g, w, m, A, A^(s+cm) g^(-c), g^s w^(-c)); if c' = c, return 1; otherwise return 0.

9. The anonymous password authentication and encryption scheme for a deduplicated cloud storage system according to claim 8, wherein in step 2.2, generating the proof υ for (m, σ) with the Show algorithm comprises:
first constructing the randomization algorithm Rerand, which randomizes the credential σ, (T, a) ← Rerand(σ): T ← A^a; then constructing the SE-NIZK proof ∑ ← SPK{(m, a): fp(parmac, T, m, a) = V}: first choose the random values, compute c ← H7(g, T, R), sm ← rm + cm mod p and sa ← ra + ca mod p, set ∑ = (c, sm, sa) and return υ = (T, ∑); where ∑ ← SPK{} denotes an SE-NIZK proof, H7 denotes a hash function, and fp() denotes that the parameters in parentheses form a mapping.

10. The anonymous password authentication and encryption scheme for a deduplicated cloud storage system according to claim 9, wherein in step 2.3, verifying υ with the ShowVerify algorithm comprises:
constructing the verification algorithm VerifySPK(fv(parmac, T, sk) = V, ∑): first compute V ← T^γ and c' ← H7(g, T, R'); if T ≠ 1 and c = c', return 1; otherwise return 0; where fv() denotes that the parameters in parentheses form a mapping.
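The Cert/CertVerify (claims 7 and 8) and Show/ShowVerify (claims 9 and 10) algorithms are the core of the anonymous authentication between U and CS. The following Python block is a worked example added for this page; it is not code from the patent or its authors. It realizes the order-p group G as the quadratic-residue subgroup of Z_P^* for a safe prime P = 2p + 1 with generator g = 4 (an assumption, at a 64-bit toy size rather than the 2λ-bit prime the claim specifies), stands in SHA-256 with domain labels for h, H6 and H7, and supplies the Show commitment R = g^(r_a) T^(-r_m), which the claim text does not spell out; the relation it proves, g^a T^(-m) = T^γ, follows from A^(γ+m) = g. The function and variable names (`gen_params`, `setup`, `cert`, `cert_verify`, `show`, `show_verify`, `demo`) are this example's own.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test; adequate for generating example parameters."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(bits=64):
    """Safe prime P = 2p + 1; the quadratic residues mod P form G of prime order p, g = 4 = 2^2."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

# Parameters fixed at import (assumed realization of G). 64 bits is a toy size; the claims use a 2*lambda-bit p.
P, p, g = gen_params()

def H(label, *elems):
    """Random-oracle stand-in for h, H6 and H7: SHA-256 with a domain-separating label."""
    data = label.encode() + b"".join(b"|" + str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def register_message(user_id):
    """m = h(ID_U), reduced into Z_p so that gamma + m is invertible mod p."""
    return H("h", user_id) % p

def setup():
    """Cloud server key generation: secret gamma, public w = g^gamma."""
    gamma = secrets.randbelow(p - 1) + 1
    return gamma, pow(g, gamma, P)

def cert(gamma, w, m):
    """Cert (claim 7): A = g^{1/(gamma+m)} plus NIZK pi = (c, s) that w and A share the same gamma."""
    if (gamma + m) % p == 0:
        raise ValueError("gamma + m = 0 mod p; regenerate the key")
    A = pow(g, pow((gamma + m) % p, -1, p), P)
    r = secrets.randbelow(p - 1) + 1
    R1, R2 = pow(A, r, P), pow(g, r, P)
    c = H("H6", g, w, m, A, R1, R2)
    return A, (c, (r + c * gamma) % p)

def cert_verify(w, m, A, pi):
    """CertVerify (claim 8): c' = H6(g, w, m, A, A^{s+cm} g^{-c}, g^s w^{-c}); 1 iff c' == c."""
    c, s = pi
    R1 = pow(A, (s + c * m) % p, P) * pow(g, (-c) % p, P) % P
    R2 = pow(g, s, P) * pow(w, (-c) % p, P) % P
    return 1 if H("H6", g, w, m, A, R1, R2) == c else 0

def show(m, A):
    """Show (claim 9): Rerand gives T = A^a, then an SE-NIZK of (m, a) for g^a T^{-m} = T^gamma.
    The commitment R = g^{r_a} T^{-r_m} is this example's assumption (the claim omits R)."""
    a = secrets.randbelow(p - 1) + 1
    T = pow(A, a, P)
    r_m, r_a = secrets.randbelow(p), secrets.randbelow(p)
    R = pow(g, r_a, P) * pow(T, (-r_m) % p, P) % P
    c = H("H7", g, T, R)
    return T, (c, (r_m + c * m) % p, (r_a + c * a) % p)

def show_verify(gamma, T, proof):
    """ShowVerify (claim 10): V = T^gamma, R' = g^{s_a} T^{-s_m} V^{-c}; 1 iff T != 1 and c == H7(g, T, R')."""
    c, s_m, s_a = proof
    if T == 1:
        return 0
    V = pow(T, gamma, P)
    R_prime = pow(g, s_a, P) * pow(T, (-s_m) % p, P) * pow(V, (-c) % p, P) % P
    return 1 if H("H7", g, T, R_prime) == c else 0

def demo(user_id="alice"):
    """Registration (steps 1.1-1.3) followed by two anonymous presentations (steps 2.2/2.3)."""
    gamma, w = setup()
    m = register_message(user_id)
    A, pi = cert(gamma, w, m)            # CS issues the credential
    ok_cert = cert_verify(w, m, A, pi)   # U checks it before encrypting it for KS
    T1, pf1 = show(m, A)                 # two logins from the same credential
    T2, pf2 = show(m, A)
    ok_login = 1 if show_verify(gamma, T1, pf1) and show_verify(gamma, T2, pf2) else 0
    return ok_cert, ok_login, T1 != T2   # (1, 1, True): both accepted, yet the T values differ
```

Calling demo() registers a user, checks the credential and presents it twice; both presentations verify although their T values differ, which is the unlinkability that keeps the user anonymous toward CS. The T ≠ 1 check in show_verify rejects the degenerate presentation that claim 10 excludes, and a proof made under a different server key, or for a group element that is not a genuine credential, fails the c = c' comparison.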
Application CN202410408446.1A, filed 2024-04-07 (priority date 2024-04-07): Anonymous password authentication and encryption scheme for deduplication cloud storage system. Status: pending.
Publication: CN118200005A, published 2024-06-14.
Family ID: 91392824. Country status: CN, CN118200005A.


Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
CB02: Change of applicant information. Applicant before: Information Engineering University of Strategic Support Force, PLA, No. 62 Science Avenue, High-tech Zone, Zhengzhou City, Henan Province, China. Applicant after: Information Engineering University of the Chinese People's Liberation Army Cyberspace Force, 450000 Science Avenue 62, Zhengzhou High-tech Zone, Henan Province, China.
