Security and Communication Networks

Volume 2017 (2017), Article ID 6758618, 14 pages

https://doi.org/10.1155/2017/6758618

## Certificateless Public Auditing Protocol with* Constant* Verification Time

Center for Information Security Technologies (CIST), Korea University, Anam-dong, Seongbuk-gu, Seoul 136-713, Republic of Korea

Correspondence should be addressed to Ik Rae Jeong

Received 18 August 2016; Accepted 7 November 2016; Published 30 January 2017

Academic Editor: Muhammad Khurram Khan

Copyright © 2017 Dongmin Kim and Ik Rae Jeong. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

To provide the integrity of outsourced data in the cloud storage services, many public auditing schemes which allow a user to check the integrity of the outsourced data have been proposed. Since most of the schemes are constructed on Public Key Infrastructure (PKI), they suffer from several concerns like management of certificates. To resolve the problems,* certificateless* public auditing schemes also have been studied in recent years. In this paper, we propose a certificateless public auditing scheme which has the* constant*-time verification algorithm. Therefore, our scheme is more efficient than previous certificateless public auditing schemes. To prove the security of our certificateless public auditing scheme, we first define three formal security models and prove the security of our scheme under the three security models.

#### 1. Introduction

Cloud storage is an essential service of cloud computing, which allows users to outsource their data to a cloud server. It is an easy and reliable way to handle a large amount of data due to the characteristics of cloud computing such as ubiquitous network access, location-independent resource pooling, and elasticity [1]. However, there exist challenging security threats with respect to the outsourced data. An untrusted server might discard the data to save a disk space or modify the data for personal gains. Therefore, the users need to be convinced that their data are stored in the cloud server without any loss or modification. That is, the cloud server should ensure the data integrity to the users.

To check the integrity of the outsourced files efficiently, many solutions have been proposed in recent years. When the user wishes to check the integrity, the third-party auditor (TPA) executes auditing algorithms in place of the user without downloading the whole files. If the TPA performs auditing process without any secret values delegated from the user, we called it* public auditing*. Most of the public auditing schemes are based on Public Key Infrastructure (PKI) [2–10]. In traditional PKI, Certificate Authority (CA) issues the private/public keys for the users and certificates to bind the users with their public keys. These certificates are generated and managed by the CA. Even though PKI has been widely used in public key cryptography (PKC), it has some security issues related to the management of the certificates, such as revocation, distribution, storage, and the computational cost of the certificates verification as described in [11, 12].

Identity-based public key cryptography was introduced to overcome the above issues of PKI by Shamir in [13]. In the identity-based public key cryptography, the users use identity as their public key (e.g., e-mail address) which is assumed to be publicly known, so there is no need to consider the management of the certificates [13–17]. A trusted third party called Key Generation Center (KGC) generates a master secret key and publishes a master public key corresponding to the master secret key. Then the KGC issues users’ private key corresponding to the identity (public keys) using the master secret key. Unfortunately, this approach causes a new inherent problem known as key escrow. Since the users’ private key is entirely generated by the KGC and it is not fully trusted, it can impersonate any valid user whenever it wants. The condition that the KGC is fully trusted has to be assumed to resolve the above inherent problem. The problem also should be considered for the identity-based public auditing schemes [18–20].

Al-Riyami and Paterson proposed* certificateless* cryptosystem that preserves the advantages of the identity-based public key cryptography and eliminates the vulnerability of it [21]. In other words, certificateless public key cryptography does not require certificates to authenticate the users’ public key and the strong assumption. In the certificateless public cryptography, the KGC cannot know the user’s full secret key unlike the ID-PKC, because the user’s full secret key is generated by combining a partial private key generated by the KGC with a secret value chosen by the user [21–23]. As the related works, many certificateless signature schemes are also proposed [24–27].

In [28], the authors proposed the secure certificateless public auditing scheme based on a new certificateless signature scheme constructed by them. However, He et al. pointed out that the certificateless signature scheme cannot withstand the public key replacement attack, where the adversary can replace user’s public key with a manipulated public key [29]. They also proposed the certificateless public auditing scheme suitable for a cloud-assisted Wireless Body Area Networks (WBAN). Even though many authentication schemes are proposed, they are not suitable because they suffer from the certificate management and key escrow problem [30–35]. The certificateless public auditing scheme is constructed to withstand the attack and also ensures the integrity of stored data which is an important issue for the cloud-assisted WBAN, therefore the certificateless public auditing scheme is an essential technology to construct WBAN.

##### 1.1. Our Contributions

(1)We first design a certificateless public auditing (CL-PA) scheme which has the constant computation cost in verification. The previous certificateless public auditing schemes require the linearly increasing verification time with respect to the number of the challenged message blocks.(2)We define the three formal security models which ensures the security against the public key replacement attack, malicious-but-passive-KGC attack, and proof-forgery.(3)We show that our certificateless scheme is secure against existential forgery by proving the security under the models.

The rest of paper is organized as follows. In Section 2, we describe the formal security models and we review some preliminaries in Section 3. We construct our scheme and prove the securities in Section 4. We conclude the paper in Section 5.

#### 2. Preliminaries

##### 2.1. Bilinear Group

Let groups and be multiplicative cyclic groups with prime order . A function is a bilinear map, if it satisfies the following:(1)We have for all , .(2)If is a generator of group is a generator of group .(3)It is easy to compute for all .

##### 2.2. Complexity Assumptions

*Computational Diffie-Hellman (CDH) Assumption*. Given a tuple , an algorithm tries to compute . We assume that there is no algorithm with a nonnegligible probability such that where the probability is over the random choice of , the random choice of , and the random bits of .

*Divisible Computational Diffie-Hellman (DCDH) Assumption [36]*. Given a tuple , an algorithm tries to compute . We assume that there is no algorithm with a nonnegligible probability such that where the probability is over the random choice of , the random choice of , and the random bits of .

#### 3. Models

##### 3.1. System Model

We consider a system model that has four entities, KGC (Key Generation Center), a user, a cloud server, and a third-party auditor (TPA) as shown Figure 1. The KGC is responsible for the generation of a master key and a set of public keys for the system and issuing the partial private key for an identity (ID). Unlike the PKG in identity-based system, the KGC cannot issue the user’s full secret key that will be used in the system. The full secret key is generated by combining the partial private key with some random secret values chosen from the user. With this key, the user generates authenticated tags for the file blocks and uploads them to the cloud server. When the user wishes to check the integrity of the stored files, TPA performs it on behalf of the user. For checking the integrity of the stored files, TPA sends a challenge message to the cloud server, and then the server responds with the proof corresponding to the challenge message. TPA is able to check the integrity of them by verifying the validity of the received proof.