A Double-Efficient Integrity Verification Scheme to Cloud
advertisement
A Double-Efficient Integrity
Verification Scheme to
Cloud Storage Data
Deng Hongyao, Song Xiuli, Tao jingsong
2014 TELKOMNIKA Indonesian Journal of Electrical
Engineering
Presenter : 陳昱安
Date : 2014/10/6
Outline
• Introduction
• Schnorr Signature Scheme
• Safety Integrity Verification Scheme Based on Schnorr Signature
• Efficient Integrity Verification Scheme Based on Schnorr Signature
• Security and Performance Analysis
• Conclusion
2
Outline
• Introduction
• Schnorr Signature Scheme
• Safety Integrity Verification Scheme Based on Schnorr Signature
• Efficient Integrity Verification Scheme Based on Schnorr Signature
• Security and Performance Analysis
• Conclusion
3
Introduction
This paper proposed two integrity verification schemes
based on Schnorr Signature Scheme.
Safety integrity verification scheme (SIVS).
Efficient integrity verification scheme (EIVS).
4
Outline
• Introduction
• Schnorr Signature Scheme
• Safety Integrity Verification Scheme Based on Schnorr Signature
• Efficient Integrity Verification Scheme Based on Schnorr Signature
• Security and Performance Analysis
• Conclusion
5
Schnorr Signature Scheme (1/3)
Supposed 𝑝 and 𝑞 are two big prime, and 𝑝 − 1 is a multiple
of 𝑞; 𝑔 is a generator of 𝑍𝑝∗ , and 𝑔𝑞 = 1 mod 𝑝.
𝑥 is private key of 𝑍𝑞∗ .
𝑦 is a public key and 𝑦 = 𝑔 𝑥 mod 𝑝.
ℎ(∙) is an approved cryptographic hash function.
6
Schnorr Signature Scheme (2/3)
If a signer signs the message 𝑚, then he chooses randomly
a secret number 𝑟 ∈ 𝑍𝑞∗ and computes
𝑢 = 𝑔𝑟 (mod 𝑝)
𝑒 = ℎ(𝑚||𝑢)
𝑠 = 𝑥𝑒 + 𝑟 (mod 𝑞)
The signer sends the message 𝑚 and the signatures (𝑒, 𝑠) to
the receiver.
7
Schnorr Signature Scheme (3/3)
If the receiver has received 𝑚 and (𝑒, 𝑠), then he first
Computes
𝑢′ = 𝑔 𝑠 𝑦 −𝑒 (mod 𝑝)
And checks the following equation:
?
𝑒 = ℎ(𝑚||𝑢′ )
If the equation is true, then the signature is valid. Otherwise,
the signature is invalid.
8
Outline
• Introduction
• Schnorr Signature Scheme
• Safety Integrity Verification Scheme Based on Schnorr Signature
• Efficient Integrity Verification Scheme Based on Schnorr Signature
• Security and Performance Analysis
• Conclusion
9
Safety Integrity Verification Scheme
Based on Schnorr Signature
𝑚1
USER
message
𝑚2 ∙∙∙ 𝑚𝑛
Safety Integrity Verification Scheme
Based on Schnorr Signature
Challenge
Response
USER
Safety Integrity Verification Scheme
Based on Schnorr Signature
Request
Response
USER
Safety Integrity Verification Scheme
Based on Schnorr Signature (1/8)
Notation
𝑝 is 1024-bit prime; 𝑞 is 160-bit prime
𝑥 is private key of 𝑍𝑞∗ .
𝑦 is a public key and 𝑦 = 𝑔 𝑥 mod 𝑝.
ℎ(∙) is an approved cryptographic hash function.
𝑓(∙) is a pseudo-random function.
∅(∙) is a pseudo-random permutation
𝑘1 , 𝑘2 , 𝑘3 ← {0,1}𝑘 are three keys, where k is the length of the
three keys.
13
Safety Integrity Verification Scheme
Based on Schnorr Signature (2/8)
Pro-processing Phase
𝐹 = (𝑚1 , 𝑚2 , … , 𝑚𝑛 )
𝑟𝑖 = 𝑓𝑘1 𝑟 + 𝑖
, (1 ≤ 𝑖 ≤ 𝑛)
𝑢𝑖 = 𝑔𝑟𝑖 (mod 𝑝)
𝑠𝑖 = 𝑥𝑚𝑖 + 𝑟𝑖 (mod 𝑞) , (1 ≤ 𝑖 ≤ 𝑛)
𝐸 = ℎ(𝑚1 | 𝑚2 | … ||𝑚𝑛 )
The user sends 𝐹 = (𝑚1 , 𝑚2 , … , 𝑚𝑛 ) and 𝑈 = (𝑢1 , 𝑢2 , … , 𝑢𝑛 )
to the cloud storage server.
The user stores S = (𝑠1 , 𝑠2 , … , 𝑠𝑛 ) and hash value 𝐸 on the local.
14
Safety Integrity Verification Scheme
Based on Schnorr Signature (3/8)
Challenge Phase
The user‘s challenge values are 𝐶ℎ𝑎𝑙(𝑓𝐼𝐷, 𝑐, 𝑘2 , 𝑘3 , 𝑦),
where 𝑓𝐼𝐷 is identity number of the file 𝐹;
𝑐 is the number of challenged blocks, 1 ≤ 𝑐 ≤ 𝑛 ;
𝑘2 and 𝑘3 re chosen randomly for each challenge;
𝑦 is the user’s public key.
15
Safety Integrity Verification Scheme
Based on Schnorr Signature (4/8)
Response Phase
After the cloud storage server has received the challenge values
𝐶ℎ𝑎𝑙(𝑓𝐼𝐷, 𝑐, 𝑘2 , 𝑘3 , 𝑦), he uses pseudo-random permutation
to generate indices of challenged blocks
𝑖𝑗 = ∅𝑘2 (𝑗) , (1 ≤ 𝑗 ≤ 𝑐, 1 ≤ 𝑖𝑗 ≤ 𝑛).
Also, he uses pseudo-random function to derive coefficients
𝛼𝑗 = 𝑓𝑘3 (𝑗) , (1 ≤ 𝑗 ≤ 𝑐, 𝛼𝑗 ∈ 𝑍𝑞∗ ).
16
Safety Integrity Verification Scheme
Based on Schnorr Signature (5/8)
In pro-processing phase, the cloud storage server holds the set of
file blocks 𝐹 = (𝑚1 , 𝑚2 , … , 𝑚𝑛 ) and the set of verification blocks
𝑈 = (𝑢1 , 𝑢2 , … , 𝑢𝑛 ) .
Grounded on the block indices 𝑖𝑗 (1 ≤ 𝑗 ≤ 𝑐), he chooses the
subset of file blocks 𝐹 = (𝑚𝑖1 , 𝑚𝑖2 , … , 𝑚𝑖𝑐 ) and the subset of
verification blocks 𝑈 = (𝑢𝑖1 , 𝑢𝑖2 , … , 𝑢𝑖𝑐 ) , then computes:
The cloud storage server sends response values (𝑇, σ) to the
user, and takes them as the proofs of possessing file 𝐹.
17
Safety Integrity Verification Scheme
Based on Schnorr Signature (6/8)
Verification Phase
The user computes indices of challenged blocks 𝑖𝑗 = ∅𝑘2 (𝑗) and
random coefficients 𝛼𝑗 = 𝑓𝑘3 (𝑗) , (1 ≤ 𝑗 ≤ 𝑐).
Then the user chooses the subset of the signatures
𝑆 = (𝑠𝑖1 , 𝑠𝑖2 , … , 𝑠𝑖𝑐 ) from 𝑆 = (𝑠1 , 𝑠2 , … , 𝑠𝑛 ) which has been
saved previously on the local.
Further, the user computes
?
Then he checks the following equation: 𝜎 = 𝑔𝑤 𝑇 (mod 𝑝).
18
Safety Integrity Verification Scheme
Based on Schnorr Signature (7/8)
19
Safety Integrity Verification Scheme
Based on Schnorr Signature (8/8)
Retrieve File Phase
At a later time, when the user needs his file 𝐹 , he sends a
request message 𝑟𝑒𝑞(𝑓𝐼𝐷) to the cloud storage server.
Then the cloud server sends back file blocks
𝐹 ′ = (𝑚1 ′ , 𝑚2 ′ , … , 𝑚𝑛 ′ ) to the user.
The user uses hash function to compute
𝐸 ′ = ℎ(𝑚1 ′ | 𝑚2 ′ | … ||𝑚𝑛 ′ ) to check.
20
Outline
• Introduction
• Schnorr Signature Scheme
• Safety Integrity Verification Scheme Based on Schnorr Signature
• Efficient Integrity Verification Scheme Based on Schnorr Signature
• Security and Performance Analysis
• Conclusion
21
Efficient Integrity Verification Scheme
Based on Schnorr Signature (1/3)
Pro-processing Phase
𝑢𝑖 = 𝑔𝑟𝑖 (mod 𝑝)
𝑒𝑖 = ℎ 𝑚𝑖 ||𝑢𝑖
𝑠𝑖 = 𝑥𝑒𝑖 + 𝑟𝑖 (mod 𝑞) , (1 ≤ 𝑖 ≤ 𝑛)
𝐸 = 𝑒1 | 𝑒2 | … ||𝑒𝑛
Here, EIVS doesn't use file blocks 𝑚𝑖 (1 ≤ 𝑖 ≤ 𝑛) to compute
signatures 𝑠𝑖 (1 ≤ 𝑖 ≤ 𝑛) , but uses hash values 𝑒𝑖 to
compute signatures.
22
Efficient Integrity Verification Scheme
Based on Schnorr Signature (2/3)
Response Phase
In response phase, all values of 𝛼𝑗 (1 ≤ 𝑗 ≤ 𝑐) are set to 1,
here, the cloud storage server computes:
Now, the scheme doesn't add all file blocks 𝑚𝑖 (1 ≤ 𝑖 ≤ 𝑛)
to generate 𝑣, but add all hash values 𝑒𝑖 1 ≤ 𝑖 ≤ 𝑛 to
generate it.
23
Efficient Integrity Verification Scheme
Based on Schnorr Signature (3/3)
Verification Phase
In verification phase, all values of 𝛼𝑗 (1 ≤ 𝑗 ≤ 𝑐) are set to
1 , then the user computes:
Here, the user checks if below equation holds:
24
Outline
• Introduction
• Schnorr Signature Scheme
• Safety Integrity Verification Scheme Based on Schnorr Signature
• Efficient Integrity Verification Scheme Based on Schnorr Signature
• Security and Performance Analysis
• Conclusion
25
Security and Performance Analysis
EIVS scheme substitutes hash values 𝑒𝑖 for file blocks 𝑚𝑖 to
generate signatures 𝑠𝑖 and 𝑣 also, all values of coefficients
𝛼𝑗 (1 ≤ 𝑗 ≤ 𝑐) are set to 1, so it improves operation speed
and reduces computational costs.
But EIVS scheme can only verify the cloud storage server
stores well the sum of hash values, and cannot guarantee
that the cloud storage server preserves intact all file blocks.
26
Security Analysis (1/4)
SIVS scheme gives double integrity verification guarantee to
cloud storage data.
1. in response and verification phase, the user checks
response values (𝑇, σ) to judge whether all file blocks
are preserved intact in the cloud storage server.
2. In retrieve file phase, the user compares hash values 𝐸 ′
with 𝐸 to judge whether some file blocks have been
altered in network transmitting or on cloud storage.
27
Security Analysis (2/4)
If the user and the cloud storage server chooses the subset
of file blocks 𝐹 = (𝑚𝑖1 , 𝑚𝑖2 , … , 𝑚𝑖𝑐 ) as challenged blocks,
but the cloud storage server has lost file blocks
(𝑚𝑖𝑗 , … , 𝑚𝑖𝑘 ), where {𝑖𝑗 , … , 𝑖𝑘 } ⊆ {𝑖1 , … , 𝑖𝑐 }.
Accordingly, the cloud storage server falsifies file blocks
(𝑏𝑖𝑗 , … , 𝑏𝑖𝑘 ) with (𝑚𝑖𝑗 , … , 𝑚𝑖𝑘 ) replacement, then he
computes:
28
Security Analysis (3/4)
After the user has received response values (𝑇 ′ , σ) , he
computes the value of 𝑤 , and verifies the relation :
If the relation is true, then 𝑇 = 𝑇 ′ (mod 𝑝), this means
.
If we could find out 𝐴 ≠ 𝐵 ∈ 𝑍𝑞∗ to let 𝑦 −𝐴 = 𝑦 −𝐵 (mod 𝑝),
′
Then 𝑦 −𝑣 = 𝑦 −𝑣 (mod 𝑝), but this is impossible.
29
Security Analysis (4/4)
In retrieve file phase, we suppose the cloud storage server
has lost original file blocks (𝑚𝑙 , … , 𝑚𝑡 ).
The cloud storage server substitutes fake file blocks
(𝑏𝑙 , … , 𝑏𝑡 ) for file blocks (𝑚𝑙 , … , 𝑚𝑡 ) and send them to the
user.
The user first computes hash value
and check equation :
30
Performance Analysis
In the four schemes, if we suppose the size of each file block
|𝑚𝑖 | is the same, and total number of file blocks 𝑛 is also
the same. Moreover, the number of challenged file blocks 𝑐
is also the same.
31
Outline
• Introduction
• Schnorr Signature Scheme
• Safety Integrity Verification Scheme Based on Schnorr Signature
• Efficient Integrity Verification Scheme Based on Schnorr Signature
• Security and Performance Analysis
• Conclusion
32
Conclusion
In view of communication costs and computation costs of
current integrity verification schemes are too high, this
paper proposes two integrity verification schemes SIVS and
EIVS based on Schnorr Signature.
If the files need to be stored in cloud for a long time, SIVS
scheme will be used to verify the integrity of the file. But in
short term, EIVS scheme will be used.
33
