CN-122027160-A - Cloud data sharing method and system supporting dynamic change of user
Abstract
The invention discloses a cloud data sharing method and system supporting dynamic change of users. The invention constructs a prefix tree based on chameleon hash, mounts user authorization information buckets on the leaf nodes, and sets a bucket size threshold, so that user entries can be dynamically inserted, deleted and updated. The data owner holds the chameleon hash trapdoor and generates collision parameters during authorization changes and structure adjustments, so that the index values of the affected nodes, and even of the root, remain unchanged, which gives efficient and verifiable dynamic maintenance. When the cloud service receives an access request, it quickly looks up the user entry by prefix positioning and completes access control by combining signature verification with a validity-period check. The invention does not rely on a blockchain ledger; it ensures the authenticity and traceability of the authorization information while significantly reducing the tree recalculation cost caused by frequent addition or revocation of users, improves the scalability and security of the system in a dynamic environment, and is suitable for multi-user cloud data sharing scenarios.
Inventors
- LIU LIMIN
- Yu Wangdong
- JING JIWU
- Kou Chunjing
Assignees
- 中国科学院大学
Dates
- Publication Date
- 20260512
- Application Date
- 20251111
Claims (10)
- 1. A cloud data sharing method supporting dynamic change of users, comprising the following steps: 1) the cloud service initializes a chameleon hash prefix tree, a bucket maximum capacity threshold, a bucket minimum capacity threshold and the depth of the prefix tree; the data owner holds its own public-private key pair and the trapdoor private key of the prefix tree, and publicly releases its own public key; 2) the data owner selects a user set Wherein For users For each user in the set of users U Generating authorization information Authorization information signature And the authorization information triples of the user set U N is the total number of users in the user set U; 3) the cloud service calculates, for each user, the prefix of the user entry, locates the corresponding leaf node bucket in the prefix tree according to the prefix, and inserts the user entry into the bucket; If the bucket size is Then trigger splitting if bucket size Triggering merging; , Is that Front of (2) A bit; 4) a data requester sends an access request to the cloud service; the cloud service traverses the prefix tree, positions to the bucket based on the prefix of the user identification in the access request, finds the user entry, performs signature verification and hash verification and then checks the validity period; if verification passes and the authorization has not expired, the access request is allowed, otherwise the access request is rejected.
- 2. The method of claim 1, wherein when a new user needs to be authorized, the data owner generates authorization information and an authorization information signature for the new user; the cloud service calculates the user entry corresponding to the new user, locates the corresponding leaf node bucket in the prefix tree according to the prefix, and then inserts the user entry into the corresponding bucket; the data owner uses the trapdoor private key to keep the bucket hash and the index value of the leaf node stable.
- 3. The method of claim 1, wherein when the permissions of an authorized user need to be changed, the data owner generates new authorization information and an authorization information signature for the user, and a new user entry is generated for the user and inserted into the bucket, the data owner using the trapdoor private key to keep the bucket hash unchanged; and when the permissions of an authorized user need to be revoked, the cloud service locates the bucket and deletes the user entry therein, the data owner using the trapdoor private key to guarantee that the index value of the leaf node corresponding to the bucket is unchanged.
- 4. A method according to claim 1 or 2 or 3, wherein the chameleon hash prefix tree comprises three types of nodes, namely a root node, internal nodes and leaf nodes; the root node maintains the global hash root, an internal node stores the path prefix and the hash indexes of its child nodes, and a leaf node points to a bucket; each node is logically expressed as a seven-tuple , wherein, Is the binary prefix identification of the node on the path, Is the level at which the node is located, 、 Pointers to the left and right child nodes respectively, Index value of root node or internal node as hash index value of current node Index value of leaf node Wherein In order to make the chameleon hash function, The hash index value for the left child node of the current node, The hash index value for the right child node of the current node, As the random number of the current node, Is the type of node that is to be used, Bucket pointed to by leaf node Is added to the hash aggregate value of (a).
- 5. The method of claim 4, wherein the bucket Wherein Is a bucket Number of user entries in a bucket Is a hash aggregate value of (2) Wherein Cloud service initializing a prefix tree of chameleon hash for a hash function Comprising only one root node pointing to an empty bucket Its prefix value The level at which the node is located Left pointer Pointing to the bucket Right pointer Index value The root node random number is Type (I) of (II) Wherein, the method comprises the steps of, Bucket pointed to by root node for initialization Hash aggregate value of (2) of the value is .
- 6. The method according to claim 4 or 5, wherein the method by which the cloud service locates, according to the prefix, the corresponding leaf node bucket in the prefix tree is: setting the current node as the root node, and layer counting 32) Reading the first Target bit of layer If (if) Then address to prefix tree First, the The left child node of the current node of the layer is taken as the target child node, if Then address to prefix tree First, the The right child node of the current node of the layer is used as a target child node, if the target child node is empty and the layer counts Then a new internal node is created if the target child node is empty and Creating new leaf node, if the target child node is a leaf node, breaking out of the loop, making the target child node the current node, layer counting And loops through step 32), 33) reading the bucket pointed to by the pointer at the leaf node And returns.
- 7. The method of claim 6, wherein the method of creating the internal node is: 32a1) setting the values of the seven-tuple of the internal node: prefix values The level at which the node is located Left pointer Right pointer Generating internal node random number as Calculating an index value Type (I) of (II) 32a2) if Setting the internal node as the left pointer of the parent node field, if Setting the internal node as the right pointer of the parent node field, recalculating index value of parent node of the internal node The index value of the parent node of the internal node is updated from bottom to top until the root node.
- 8. The method of claim 6, wherein the method of creating the leaf node is: 32b1) creating a bucket 32b2) setting the values of the seven-tuple of the leaf node: prefix values The level at which the node is located Left pointer Pointing to the corresponding bucket Right pointer Generating leaf node random number as Calculating an index value Type (I) of (II) 32b3) if Setting the leaf node as the left pointer of its parent node field, if Setting the leaf node as the right pointer of the parent node field, recalculating index value of parent node The index value of its parent node is updated from bottom to top until the root node.
- 9. The method according to claim 1, wherein the cloud service performs signature verification, hash verification and the validity-period check by: 41) the cloud service finds the corresponding user entry; 42) the cloud service checks the correctness of the signed message, i.e. calculates the authorization information hash value, uses the public key of the data owner to verify the signature, obtains the hash value after signature verification, and compares whether the hash value after signature verification and the authorization information hash value are equal; if they are equal, signature verification and hash verification are complete; 43) the cloud service checks whether the user permissions in the user authorization information match the access request submitted by the user, and whether the validity period of the permissions in the user authorization information meets the requirement.
- 10. A cloud data sharing system supporting dynamic change of users, characterized by comprising a data owner, a cloud server and data sharing users; the data owner holds its own signature public-private key pair and the trapdoor private key of the chameleon hash prefix tree, publishes its public key, and for each user in the selected set of users U Generating authorization information Authorization information signature And the authorization information triples of the user set U N is the total number of users in the user set U; each data sharing user has a unique user identification and is granted the corresponding permissions and validity period by the data owner; the cloud server is used for initializing the chameleon hash prefix tree, a bucket maximum capacity threshold, a bucket minimum capacity threshold and the depth of the prefix tree; calculating, for each user, the prefix of the user entry, locating the corresponding leaf node bucket in the prefix tree according to the prefix, and inserting the user entry into the bucket; If the bucket size is Then trigger splitting if bucket size Triggering merging; , Is that Front of (2) Bit; and traversing the prefix tree based on the received access request, positioning to the bucket based on the prefix of the user identification in the access request, finding the user entry, performing signature verification and hash verification and then checking the validity period; if verification passes and the authorization has not expired, the access request is allowed, otherwise the access request is rejected.
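The trapdoor update of claims 2 and 3, where the data owner keeps a leaf's index value fixed while its bucket changes, shown as an added Python example (not code from the patent). The page's own hash definition did not survive, so this assumes the classic discrete-log chameleon hash CH(m, r) = g^m * y^r mod p; the demo-size group, `Leaf`, `owner_update`, `bucket_digest` and the entry byte strings are all illustrative assumptions.

```python
import hashlib, secrets

Q = 2**127 - 1            # Mersenne prime: order of the subgroup (demo size)

def _group():
    """Find p = k*Q + 1 passing a Fermat test (demo grade) and g of order Q."""
    k = 2
    while True:
        p = k * Q + 1
        g = pow(2, k, p)
        if g != 1 and all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)):
            return p, g
        k += 2

P, G = _group()

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # trapdoor, held only by the data owner
    return x, pow(G, x, P)                # (trapdoor, public key y = g^x)

def bucket_digest(entries):
    """Order-independent aggregate of a bucket's entries, reduced mod Q."""
    h = hashlib.sha256()
    for e in sorted(entries):
        h.update(hashlib.sha256(e).digest())
    return int.from_bytes(h.digest(), "big") % Q

def ch(y, m, r):
    """Assumed construction: CH(m, r) = g^m * y^r mod p."""
    return pow(G, m, P) * pow(y, r, P) % P

def collide(x, m, r, m_new):
    """Solve m + x*r = m_new + x*r' (mod Q) for r'; needs the trapdoor x."""
    return (r + (m - m_new) * pow(x, -1, Q)) % Q

class Leaf:
    def __init__(self, y):
        self.y, self.entries, self.r = y, frozenset(), secrets.randbelow(Q)
        self.index = ch(y, bucket_digest(self.entries), self.r)

    def owner_update(self, x, new_entries):
        """Swap in the new bucket and pick r' so that self.index is unchanged."""
        self.r = collide(x, bucket_digest(self.entries), self.r,
                         bucket_digest(new_entries))
        self.entries = frozenset(new_entries)

    def verify(self):
        return ch(self.y, bucket_digest(self.entries), self.r) == self.index
```

A bucket edited without the trapdoor fails `verify()`, which is what lets the stored index value expose a cloud-side change to the authorization entries.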
Description
Cloud data sharing method and system supporting dynamic change of user
Technical Field
The invention relates to the field of cloud computing data sharing security, and in particular to a secure cloud data sharing method and system for dynamic change of users, which can realize an efficient and secure data sharing mechanism.
Background
With the popularization of cloud computing and data services, more and more enterprises and individual users host data resources on cloud platforms and share data and collaborate across organizations over the network. The openness and scalability of cloud storage bring great convenience, but also raise problems of access control, security auditing and privacy protection. Conventional cloud data sharing models typically rely on the cloud service provider to maintain access control lists (Access Control List, ACL) or identity-based authorization mechanisms, so that the cloud decides which users can access specific data. However, in a real large-scale cloud environment the cloud is often regarded as a semi-trusted entity, with a potential risk of malicious tampering or unauthorized access, so relying on cloud-side control alone cannot guarantee the authenticity and traceability of data access. Existing access control technology falls mainly into three types: centralized management mechanisms based on access control lists (ACL), encryption control mechanisms based on Attribute-Based Encryption (ABE), and verifiable index structures based on Merkle trees or blockchains.
ACL schemes are simple to implement, but their maintenance and update cost rises sharply when the number of users is large and permissions change frequently. ABE schemes can refine the access policy at the encryption level, but the encryption computation is complex and revoking users requires redistribution, which makes real-time requirements hard to meet. Structures such as Merkle trees can verify data integrity but cannot directly support dynamic authorization and revocation operations. Faced with sharing requirements that involve multiple users, multi-level permissions and dynamic change, these methods commonly suffer from low authorization efficiency, high revocation cost and a lack of fine-grained tracking capability. On the other hand, the amount of user authorization information stored in a cloud platform is huge, and the way it is organized has a significant influence on system performance. A simple linear store or single-level hash table offers fast lookup, but can hardly support efficient batch authorization, hierarchical management and dynamic expansion. A balanced tree or B+ tree can optimize lookup performance to some extent, but can hardly provide security and traceability at the same time. Therefore, how to design an index structure in the cloud that supports efficient retrieval while ensuring verifiable and revocable data authorization has become a key problem of current research. Chameleon hash is a hash function with a "trapdoor-modifiable" property: a party holding the trapdoor can modify the original message while keeping the hash value unchanged. This property makes it well suited to implementing a traceable and revocable mechanism.
By binding the authorization information to the chameleon hash, the data owner can modify or revoke a user's authorization when necessary without breaking the hash consistency of the overall structure, ensuring the verifiability and continuity of the system. However, chameleon hash has conventionally been applied in blockchain trackable transactions or electronic signature systems, and has not been effectively introduced into cloud data authorization and index management scenarios. Therefore, a new secure cloud data sharing method and system is needed that effectively supports dynamic change of users and reduces the interaction cost of the data owner while ensuring secure data sharing. For convenience of description, some chameleon hash techniques relevant to the present application are described below. The chameleon hash is a trapdoor hash function, assuming a public-private key pair, Is a public key of a chameleon hash function, Is a trapdoor private key held by the constructor. For any message Random number A hash value can be calculated Without knowing the trapdoor private key Is difficult to find under the condition of (1) So that. And has a trapdoor private key Can be efficiently found So as to match with the existing Collision, i.e. That is, the chameleon hash exhibits the same characteristics as a general hash without the trapdoor private key, and in the case of having the trapdoor private key, a collision can be arb