#### Abstract

How to verify the integrity of outsourced data is an important problem in cloud storage. Most of previous work focuses on three aspects, which are providing data dynamics, public verifiability, and privacy against verifiers with the help of a third party auditor. In this paper, we propose an identity-based data storage and integrity verification protocol on untrusted cloud. And the proposed protocol can guarantee fair results without any third verifying auditor. The theoretical analysis and simulation results show that our protocols are secure and efficient.

#### 1. Introduction

With the growing popularity of clouds, the tools and technologies for hybrid clouds have been emerging recently; cloud storage has become a hot research topic that aims to provide a comparably low cost, scalable, position-independent platform for data owners data [1]. However, this new paradigm of data hosting service also introduces new security challenges [2]. A list of security threats to cloud computing is presented in [3]. These issues range from the required trust in the cloud server for storage and attacks on cloud interfaces to misusing the cloud services for attacks in the complex systems. When considering using the complex cloud service, the data owner must be aware of the fact that all data given to the cloud server leave the owner control protection sphere [4]. Huge measurement data, huge environment monitoring data, hydrological data, marine biological data, and GIS information are provided by the complex multicloud. In this situation, it is a strong demand that the data owners can check the data integrity confidentially, dynamically, and publicly; besides, the anonymous is also demanded for smart phone users.

In the past few years, some work has been done on insuring remote data integrity checking, which allows data integrity to be checked without completely downloading the data. Prior studies were based on two-party storage checking protocols that the data owner can check the data integrity [4–12]. Deswarte et al. [5] and Filho and Barreto [9] introduced RSA-based methods for solving remote data integrity checking. After that Shah et al. [12] proposed a remote storage auditing method based on precomputed challenge-response pairs. In practical application, to guarantee fair results, neither the cloud service provider nor the data owner should be the auditor in a cloud storage system. In this case, the protocols [13–15] employed the third party audit (TPA) performing the verification. However, none of them provided privacy against third party verifiers under the condition of introducing TPA. Wang et al. [14, 16] recognized the need of privacy against third party verifiers and proposed a random masking technique to cope with this problem. Scheme [17–21] required an additional trusted organizer to send a commitment to the auditor to ensure data privacy during auditing. The auditing protocol may make a performance bottleneck for the auditor. On some cases, without requiring any trusted organizer during the batch auditing for multiple clouds the client may delegate the remote data integrity checking task to the third party. It results in the untrusted third party auditing in cloud computing [22, 23]. Yang and Jia [22] introduced an index table (ITable) to record the abstract information of the data; they proposed that the cloud server could be dishonest and may launch attacks just like replay attack, forge attack, and replace attack but only used ITable with time stamps to solve the problems. Wang [23] introduced identity-based distributed provable data possession in multicloud storage to check the certificate when it checks the remote data integrity. Chen et al. [24] also propose a new secure outsourcing algorithm for (variable-exponent, variable-base) exponentiation modulo a prime in the two untrusted program models.

However, one of benefits of cloud storage is to enable universal data access with independent geographical locations. This implies that the end devices may be mobile and limited in computation and storage. Efficient integrity checking protocols are more suitable for cloud clients equipped with mobile end devices. Meanwhile, when a mobile user remotes into a foreign network, mutual authentication must first be solved to prevent illegal use from accessing services and to ensure that mobile users are connected to trusted networks [25]. Both Zhao and Liu used smart-card to resolve the authentication. To compensate for these shortcomings, our construction can be observed as an adaptation of the protocol of [20, 22, 23, 25, 26].

This paper aims to fill the gap on a secure and effective anonymous authentication protocol for remote verification protocol in multicloud storage based on complex system. To the best of our knowledge, our scheme is the first to provide the authentication and establishment of remote verification scheme when mobile user is located in his/her home network; therefore it is more practical and universal for complex multicloud storage system. The scheme does not use timestamp; thus it avoids the clock synchronization problem. Additionally, the performance and cost analysis also show that our scheme is more suitable for low-power and resource-limited mobile devices and thus availability for real implementation.

The rest of the paper is organized as follows. The layered security architecture and definitions are present in Section 2. In Section 3, a novel anonymous authentication protocol for remote verification user authentication scheme is proposed in multicloud storage. In Section 4, we analyze the security of our proposed scheme. Next, we analyze the functionality and performance of our proposed scheme and make comparisons with other related schemes in Section 5. Finally, Section 6 gives the concluding remark of the whole paper.

#### 2. Definitions and Preliminiaries

In this section, we present our system model and briefly introduce the elliptic curve cryptosystem and some related mathematical assumptions.

##### 2.1. Definitions of System Model

A representative network architecture for a secure and effective anonymous dynamics integrity checking protocol for data storage in multicloud (SA-DVCP) in global mobility networks is illustrated in Figure 1. Three different network entities can be identified as follows.(1)The data owner, that has massive data to be stored on the multicloud for maintenance and computation, can be either individual consumer or corporation who has large amount of data files to be stored in the cloud. DO has the ability to check the storage integrity of their outsourced data, while hoping to keep their data private from any entity which is untrusted. The checking devices may be mobile and limited in computation and storage, which need a secure and effective anonymous integrity checking protocol.(2)The data user/client/requested (DU), who accesses the CS or downloads the data from CS, has capabilities to check the integrity of data.(3)Data stakeholder (DS): we define both DO and DU as data stakeholder.(4)The multicloud server (MCS), which has significant storage space and computation resources to store the owners data and provides the data access to data users (data client/requesters), stores its whole data on the different cloud servers according to their importance and sensitivity.(5)The HV (Home Verifier) is a home third party that has expertise and capabilities to provide data storage auditing service for both the DS and DU. The HV can provide unbiased result for both the DO and the CS.

##### 2.2. Notation and Preliminaries

Let be a pseudorandom function and let be a pseudorandom permutation. They can be described in detail as follows: , ,

in which and are two security parameters. Furthermore, denote the length of in bits by . We now introduce some necessary cryptographic background for our proposed scheme.

*Bilinear Map.* Let be a cyclic additive group generated by and let be a cyclic multiplicative group generated by with a bilinear map .(a), , .(b)Nondegenerate: there exists , such that , where denotes the identity element of the group .(c)Computational discrete logarithm (CDL) problem: given , where . It is easy to calculate given and , but it is hard to determine given and .(d)Computational co-Diffie-Hellman: given , , and , compute .

For providing high insecurity level of the proposed scheme, some important mathematical assumptions are introduced for bilinear pairings defined on elliptic curves.(e)Define , , and ; the computational bilinear Diffie-Hellman (CBDH) problem is computing the value given randomly. The CBDH assumption asserts that the CBDH problem is hard that is for all PPT algorithms .(f)Decision co-Diffie-Hellman: given , , and , , output is yes if and no otherwise. When the answer is yes we say that it is a co-Diffie-Hellman tuple.

#### 3. The Proposed Schemes

In this section, we propose a novel anonymous dynamics integrity checking protocol for data storage in multicloud (SA-DVCP), using elliptic curve cryptosystem to not only protect the scheme from security breaches but also emphasize the efficient features. Before describing the auditing protocol definition, some notations are defined as in Notations and Descriptions section.

Suppose a file has data components as . Each data component has its physical meanings and can be updated dynamically by the data owners. For public data components, the data owner does not need to encrypt it, but for private data component, the DO needs to encrypt it with its corresponding key.

For simplicity, we only consider one data component in our construction and constant number of sectors for each data block. Suppose there is a data component , which is divided into data blocks, and each data block is further split into sectors. For data blocks with different sector number. Then for , each block is split into sectors; that is, . Our storage auditing protocol consists of the following algorithms.

*Setup *. Input the security parameter and the bilinear map . Let be multiplicative cyclic groups of prime order , , , and . Let , , and ; is the public key and is the private key. Let be a keyed secure hash function that maps the to a point in .

*TagGen* . The tag generation algorithm takes as inputs each data component and a set of , the private key sk. For each data block , it computes a data tag as .

Where and name is chosen by the DO uniformly at random from as the identifier of file and represents the block number of . It outputs the set of data tags . Without loss of generality, we suppose that every block has its uniqueness. After finishing computing all the block tags, the DO sends the file to MCS and releases to be publicly known to everyone.

*Proof (P, C (MCS), V (Home Verifier)).* SA-DVCP is a protocol among , , and . At the end of the interactive protocol, HV outputs the auditing result as 0 or 1. If DS delegates the verification task to HV, it needs to register himself/herself to his/her HV.

*(1) Registration*. The details of DS registration phase are shown in Figure 2.

The interaction protocol can be given in detail as follows.

*Step R1*. DS freely chooses his/her identity and password and generates a random number . Then DS submits to HV for registration via a secure channel.

*Step R2*. When receiving the message HV computes and , , where is a secret number of HV, and picks the challenge , , . Then HV submits to DS through a secure channel.

*(2) The Authentication and Proof*. The details of the authentication and proof DS registration phase are shown in Figure 3. When roaming into a foreign network MCS, DS needs to verify the validity of MCS and proves to DS that he is a legitimate user. The authentication and proof phase used to solve the above issue in our proposed scheme is described as follows.

*Step P1*. DS generates a random number and computes , , , , and and DS sends the request message to MCS over a public channel.

*Step P2*. After receiving the message , MCS generates a random number and computes and and and . Here, is the private key of MCS, and is MCSs certificate. Next, the MCS calculates , and looks up the table to get the records that correspond to denoting the index set where the corresponding block-tag pair is stored in . Then, sends to .

*Response 1 *. For , it performs the following procedures.(a)For , splits into sectors and .(b) calculates , , and .(c)For , calculates denoting .(d) sends to .

*Response 2 *. After receiving all the responses from , the combiner aggregates into the final response as denote . The MCS generates the data proof as . Then MCS sends to HV.

*Step P3*. When receiving , HV first computes and decrypts to reveal and . Then, HV verifies the MCSs signature by using the MCSs certificate . If they are valid, MCS is authenticated. After that, HV computes the following: , .

Then HV checks whether . If they are equal, DS is authenticated by HV. Next, HV calculates , , .

Then, it verifies whether the following formula holds: .

If the formula holds, then the verifier outputs . Otherwise, the verifier outputs . Next compute ; at last, HV sends to DS.

*Step P4*. DS decrypts to reveal . Then, the MU compare with . If it is valid, HV and MCS are all authenticated by DS.

#### 4. Security Analysis of the Proposed Scheme

In this section, we show that the proposed scheme can withstand all possible security attacks.

##### 4.1. Storage Correctness Guarantee

Theorem 1. *A SA-DVCP protocol must be workable and correct. That is, if the DS, MCS, and HV are honest and follow the specified procedures, the response can pass HV’s checking. The correctness follows from**This completes the proof.*

##### 4.2. Privacy-Preserving Guarantee

Theorem 2. *The proposed protocol can provide users privacy-preserving.*

*Proof. *In our proposed scheme, the DS sends the login request message to MCS, where is used to protect the real identity of DS. Based on the CDL problem, any attacker cannot obtain the random number a from and thus cannot retrieve from At the same time, the attacker cannot trace the moving history and current location of DS according to the login request message since , , and are dynamically changed in different login request messages of DS. Therefore, the proposed scheme can provide privacy-preserving of DS.

##### 4.3. Resist Impersonation Attack

Our proposed protocol can efficiently prevent impersonation attacks by considering the following scenarios.

*Proof. *Our proposed scheme can efficiently prevent impersonation attacks by considering the following scenarios.(1)Any attacker cannot impersonate DS to cheat MCS and HV. In the proposed scheme, whether DS is located in a foreign network or in his/her home network, the HV authenticates DS by verifying the computed with the received . Since the attacker does not possess DSs password , he/she cannot compute the correct and thus cannot cheat HV by forging a login request message. At the same time, since a is a one-time random number and only possessed by DS, is dynamically changed in each login request message. Therefore, the attacker cannot cheat the HV by replaying a previous login request message. Besides, when DS is located in a foreign network, the authentication of MCS to DS is completely dependent on the authentication of HV to DS. If an attacker cannot successfully cheat HV by masquerading as DS, he/she cannot cheat MCS successfully.(2)Any attacker cannot impersonate MCS to cheat HV and DS. In the proposed scheme, the HV authenticates MCS by checking whether equals , where is MCSs digital signature. Obviously, the attacker cannot compute the correct MCSs digital signature without knowing MCSs private key §_{MCS}. Therefore, the attacker cannot cheat HV successfully by masquerading as MCS. At the same time, the authentication of DS to MCS is completely dependent on the authentication of HV to MCS. If an attacker cannot successfully cheat HV by masquerading as MCS, he/she cannot cheat DS successfully.(3)Any attacker cannot impersonate HV to cheat DS. In the proposed scheme, the DS authenticates HV by verifying with the received . Obviously, any attacker cannot compute the correct without knowing and , and the attacker cannot cheat DS successfully.

##### 4.4. Forward Secerecy

Theorem 3. *The proposed protocol meets the security requirement for perfect forward secrecy.*

*Proof. *Perfect forward secrecy means that even if an attacker compromises all the passwords of the entities of the system, he/she still cannot compromise the session key. In the proposed scheme, these three one-time random numbers , , and are only held by the DS, MCS, and HV, respectively, and cannot be retrieved from , , , and based on the security of CDL and CDH problem. Thus, even if an adversary obtains all the passwords of the entities, previous session keys, and all the transmitted messages, he/she still cannot compromise other session keys. Hence, the proposed scheme achieves perfect forward secrecy.

#### 5. Performance Comparison and Functionality Analysis

It is well known that most of the mobile devices have limited energy resources and computing capability. Hence, one of the most important issues in wireless networks is power consumption caused by communication and computation. In fact, the communication cost in the GLOMONET is higher than computation cost in terms of power consumption. In Table 1, we list the numbers of the TagGen, Verify and the phases of our scheme and some related previous schemes.

*Computation*. Suppose there are message blocks which will be stored in cloud servers. The blocks sector number is and the challenged block number is . We will consider the computation overhead in the different phases. On group , bilinear pairings, exponentiation, multiplication, and the hash function contribute most computation cost. Compared with them, the hash function and the operations on and are faster; the hash function can be done once for all. On the DS, the computation cost mainly comes from the procedures of TagGen and verification (i.e., phase 5 in the protocol proof ). In the phase TagGen, the client performs ns multiplication on , , and hash function . At the same time, for every file, the corresponding record is stored by DS and CS. This stored metadata is small. In the phase proof, in order to respond the challenge and generate the response and the MCS perform multiplication on the group , hash function . In the verification of the response, HV performs 2 exponentiations, 2 pairings, and multiplication on the group and hash function . On the other hand, in 2012, Zhu et al. proposed the cooperative provable data possession for integrity in multicloud storage [17]. Almost at the same time, Zhu et al. proposed the dynamic audit services for outsourced storage in clouds [20]. Compared with them, our proposed scheme is more efficient in the computation cost. The computation comparison can be summarized in Table 1.

In Table 1, denotes the time cost of exponentiation on the group ; denotes the time cost of multiplication on the group ; Ce denotes the time cost of bilinear pairing; denotes the time cost of the hash function . In other schemes, the sector must be in . Our scheme only requires the hash function h1s value which lies in . Thus, the hash function can be used to generate less block-tag pairs for the same file. Less block-tag pairs only incur less computation cost. This shows that our protocol can be implemented in mobile devices which have limited computation power.

*Communication.* In the phase proof, the communication overhead mainly comes from the challenge chal and response. The block-tag pairs are uploaded once and for all. After that, the phase proof will be performed periodically. Thus, the communication overheads mainly come from the Chal and responses. Suppose there are message blocks stored in the CS. and have the same order . In chal, the verifier sends the challenge to MCS. That is, the communication overhead is . On the other hand, Zhu et al. [17], Zhu et al. [20], and Wang [23] proposed three different provable data possession schemes. We do the comparison under the same probability of detection. Our scheme and Wang’s ID-PDP have the same total communication cost during the challenge phase. During the proof phase, the communication cost of the proof incurs less communication cost than Wang’s ID-PDP. Compared with these three schemes, our scheme is more efficient in the communication cost. The communication comparison can be summarized in Table 2. In Table 2, denotes one element of and denotes one element of .

#### 6. Conclusion

In this paper, we propose a novel anonymous authentication scheme for roaming service in global mobility networks. Security and performance analysis show that the proposed scheme is more suitable for the low-power and resource-limited mobile devices and is secure against various attacks and has many excellent features.

#### Notations and Descriptions

: | Cyclic multiplicative group with generator |

: | Cyclic multiplicative group with generator |

: | |

: | Three cryptographic hash functions |

: | Pseudorandom function |

: | Pseudorandom permutation |

: | The block number |

: | The sector number |

: | The stored file is split into blocks |

: | The block is split into blocks |

: | The cloud server number |

: | The index of the CS which stores the th block-tag pair |

: | The CS which stores the th block |

: | The record where denotes the th block |

: | The computation of exponentiation |

: | The computation of hash function |

: | The computation of multiplications in group |

: | The computation of bilinear pairings |

DO: | Data owner |

DU: | The data user/client/requested |

DS: | Data stakeholder used to define both DO and DU |

MCS: | The multicloud server |

HV: | Home Verifier |

: | The permutated index of . |

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This work was supported in part by Digital Right Management Technology Research and Development Project (1681300000119), Beijing Higher Education Young Elite Teacher Project (YETP0448), Specialized Research Fund for the Doctoral Program of Higher Education (2013114), Fundamental Research Funds for the Central Universities (2013RC0310), National Key Technology Research and Development Program (2012BAH08B02), National Natural Science Foundation of China (U1433105), and National 863 Program (2012AA012606).