Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2017, Article ID 6758618, 14 pages
https://doi.org/10.1155/2017/6758618
Research Article

Certificateless Public Auditing Protocol with Constant Verification Time

Center for Information Security Technologies (CIST), Korea University, Anam-dong, Seongbuk-gu, Seoul 136-713, Republic of Korea

Correspondence should be addressed to Ik Rae Jeong; rk.ca.aerok@gnoejri

Received 18 August 2016; Accepted 7 November 2016; Published 30 January 2017

Academic Editor: Muhammad Khurram Khan

Copyright © 2017 Dongmin Kim and Ik Rae Jeong. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

To provide the integrity of outsourced data in the cloud storage services, many public auditing schemes which allow a user to check the integrity of the outsourced data have been proposed. Since most of the schemes are constructed on Public Key Infrastructure (PKI), they suffer from several concerns like management of certificates. To resolve the problems, certificateless public auditing schemes also have been studied in recent years. In this paper, we propose a certificateless public auditing scheme which has the constant-time verification algorithm. Therefore, our scheme is more efficient than previous certificateless public auditing schemes. To prove the security of our certificateless public auditing scheme, we first define three formal security models and prove the security of our scheme under the three security models.

1. Introduction

Cloud storage is an essential service of cloud computing, which allows users to outsource their data to a cloud server. It is an easy and reliable way to handle a large amount of data due to the characteristics of cloud computing such as ubiquitous network access, location-independent resource pooling, and elasticity [1]. However, there exist challenging security threats with respect to the outsourced data. An untrusted server might discard the data to save a disk space or modify the data for personal gains. Therefore, the users need to be convinced that their data are stored in the cloud server without any loss or modification. That is, the cloud server should ensure the data integrity to the users.

To check the integrity of the outsourced files efficiently, many solutions have been proposed in recent years. When the user wishes to check the integrity, the third-party auditor (TPA) executes auditing algorithms in place of the user without downloading the whole files. If the TPA performs auditing process without any secret values delegated from the user, we called it public auditing. Most of the public auditing schemes are based on Public Key Infrastructure (PKI) [210]. In traditional PKI, Certificate Authority (CA) issues the private/public keys for the users and certificates to bind the users with their public keys. These certificates are generated and managed by the CA. Even though PKI has been widely used in public key cryptography (PKC), it has some security issues related to the management of the certificates, such as revocation, distribution, storage, and the computational cost of the certificates verification as described in [11, 12].

Identity-based public key cryptography was introduced to overcome the above issues of PKI by Shamir in [13]. In the identity-based public key cryptography, the users use identity as their public key (e.g., e-mail address) which is assumed to be publicly known, so there is no need to consider the management of the certificates [1317]. A trusted third party called Key Generation Center (KGC) generates a master secret key and publishes a master public key corresponding to the master secret key. Then the KGC issues users’ private key corresponding to the identity (public keys) using the master secret key. Unfortunately, this approach causes a new inherent problem known as key escrow. Since the users’ private key is entirely generated by the KGC and it is not fully trusted, it can impersonate any valid user whenever it wants. The condition that the KGC is fully trusted has to be assumed to resolve the above inherent problem. The problem also should be considered for the identity-based public auditing schemes [1820].

Al-Riyami and Paterson proposed certificateless cryptosystem that preserves the advantages of the identity-based public key cryptography and eliminates the vulnerability of it [21]. In other words, certificateless public key cryptography does not require certificates to authenticate the users’ public key and the strong assumption. In the certificateless public cryptography, the KGC cannot know the user’s full secret key unlike the ID-PKC, because the user’s full secret key is generated by combining a partial private key generated by the KGC with a secret value chosen by the user [2123]. As the related works, many certificateless signature schemes are also proposed [2427].

In [28], the authors proposed the secure certificateless public auditing scheme based on a new certificateless signature scheme constructed by them. However, He et al. pointed out that the certificateless signature scheme cannot withstand the public key replacement attack, where the adversary can replace user’s public key with a manipulated public key [29]. They also proposed the certificateless public auditing scheme suitable for a cloud-assisted Wireless Body Area Networks (WBAN). Even though many authentication schemes are proposed, they are not suitable because they suffer from the certificate management and key escrow problem [3035]. The certificateless public auditing scheme is constructed to withstand the attack and also ensures the integrity of stored data which is an important issue for the cloud-assisted WBAN, therefore the certificateless public auditing scheme is an essential technology to construct WBAN.

1.1. Our Contributions

(1)We first design a certificateless public auditing (CL-PA) scheme which has the constant computation cost in verification. The previous certificateless public auditing schemes require the linearly increasing verification time with respect to the number of the challenged message blocks.(2)We define the three formal security models which ensures the security against the public key replacement attack, malicious-but-passive-KGC attack, and proof-forgery.(3)We show that our certificateless scheme is secure against existential forgery by proving the security under the models.

The rest of paper is organized as follows. In Section 2, we describe the formal security models and we review some preliminaries in Section 3. We construct our scheme and prove the securities in Section 4. We conclude the paper in Section 5.

2. Preliminaries

2.1. Bilinear Group

Let groups and be multiplicative cyclic groups with prime order . A function is a bilinear map, if it satisfies the following:(1)We have for all , .(2)If is a generator of group is a generator of group .(3)It is easy to compute for all .

2.2. Complexity Assumptions

Computational Diffie-Hellman (CDH) Assumption. Given a tuple , an algorithm tries to compute . We assume that there is no algorithm with a nonnegligible probability such that where the probability is over the random choice of , the random choice of , and the random bits of .

Divisible Computational Diffie-Hellman (DCDH) Assumption [36]. Given a tuple , an algorithm tries to compute . We assume that there is no algorithm with a nonnegligible probability such that where the probability is over the random choice of , the random choice of , and the random bits of .

3. Models

3.1. System Model

We consider a system model that has four entities, KGC (Key Generation Center), a user, a cloud server, and a third-party auditor (TPA) as shown Figure 1. The KGC is responsible for the generation of a master key and a set of public keys for the system and issuing the partial private key for an identity (ID). Unlike the PKG in identity-based system, the KGC cannot issue the user’s full secret key that will be used in the system. The full secret key is generated by combining the partial private key with some random secret values chosen from the user. With this key, the user generates authenticated tags for the file blocks and uploads them to the cloud server. When the user wishes to check the integrity of the stored files, TPA performs it on behalf of the user. For checking the integrity of the stored files, TPA sends a challenge message to the cloud server, and then the server responds with the proof corresponding to the challenge message. TPA is able to check the integrity of them by verifying the validity of the received proof.

Figure 1: System model for our CL-PA protocol.

We define the algorithms for our certificateless public auditing scheme as follows:(i)Setup takes a security parameter and returns a master key (MK) and a public parameter (PP).(ii)Partial-Private-Key-Extract takes an identity (ID), the master key (MK), and the public parameter (PP). It outputs a partial private key (ppk) for the identity (ID).(iii)KeyGen takes an identity (ID), the public parameter (PP), and the partial private key (psk). It outputs a set of public keys (PK) and a secret key (sk) of the identity (ID).(iv)TagGen takes as an input the public parameter (PP), a secret key (sk) of a user, and a file , where is the number of the file blocks. It outputs tags for the file blocks.(v)Challenge takes as an input the public parameters pp and returns a challenge message .(vi)Prove takes as an input the public parameter (PP) and the challenge message and the pairs of message and tag . It outputs a proof (Prf) for the challenge message .(vii)Verify takes as an input the public parameter (PP), the set of public keys (PK), the challenge message , and the proof (Prf). It outputs Accept or Reject.

3.2. Security Models

We assume that three types of adversaries in our certificateless public auditing scheme, that is, Type I adversary , Type II adversary , and Type III adversary , and define the adversaries as follows:(i)Type I adversary cannot access the master key, but he can replace user’s public key with a manipulated public key and generate a forged pair of message and tag.(ii)Type II adversary , which represents a malicious KGC, can access the master key and generate a forged pair of message and tag, but he cannot replace user’s public key.(iii)Type III adversary , which represents a malicious server, can forge a proof for the challenge message without knowing any secret values.Type I adversary and Type II adversary aim to forge the pair of message and tag and are classed as the normal, strong, and super adversaries (ordered by the capability of the adversaries). If the scheme is secure against the super adversary, it is also secure against the normal and strong adversaries. Therefore, we just consider the super Type I adversary and the super Type II adversary in Game I and Game II, respectively. We define three security models using the following games between a challenger and the defined adversaries.

Game I. If Type I adversary cannot forge a pair of message and tag, then we consider that a certificateless public auditing scheme is secure against a tag-forgery by the public key replacement attack. It is defined using the following game between a challenger and Type I adversary :(1)Type I adversary outputs an identity where it wishes to be forged.(2)The challenger runs algorithm SETUP to generate a public parameter (PP) and the master key (MK) and sends PP to Type I adversary .(3)Type I adversary is allowed to access the hash oracles, KEYGEN, PARTIAL-PRIVATE-KEY-EXTRACT, PUBLIC-KEY-REPLACEMENT, SECRET-VALUE-EXTRACT, and TAGGEN oracle, adaptively. For KEYGEN oracle, Type I adversary sends to the challenger , and then the public key is returned. For PARTIAL-PRIVATE-KEY-EXTRACT oracle, Type I adversary sends to the challenger , and then the partial private key is returned. For PUBLIC-KEY-REPLACEMENT oracle, Type I adversary sends to the challenger . For SECRET-VALUE-EXTRACT oracle, Type I adversary sends to the challenger , and then the secret value is returned. For TAGGEN oracle, Type I adversary sends , where is the block identifier, to the challenger . The challenger responds with a pair of message and tag , where = TAGGEN.(4)Finally, Type I adversary outputs a forged pair of message and tag for an identity .

If the pair is valid pair of message and tag and has not queried TAGGEN oracle, then Type I adversary wins the game.

Definition 1. Type I adversary ()-breaks a certificateless public auditing scheme, if runs in time at most , makes at most hash queries, KEYGEN queries, PARTIAL-PRIVATE-KEY-EXTRACT queries, PUBLIC-KEY-REPLACEMENT queries, SECRET-VALUE-EXTRACT queries, and TAGGEN queries, and wins the game with the probability . A certificateless public auditing scheme is secure against a tag-forgery by the public key replacement attack, if there is no tag-forger which -breaks the scheme with a nonnegligible probability .
Game II. If Type II adversary cannot forge a pair of message and tag, then we consider that a certificateless public auditing scheme is secure against a tag-forgery by the malicious-but-passive-KGC attack. It is defined using the following game between a challenger and Type II adversary .(1)Type II adversary outputs an identity where it wishes to be forged.(2)The challenger runs algorithm SETUP to generate a public parameter (PP) and the master key (MK) and sends “PP and MK” to Type II adversary .(3)Type II adversary is allowed to access the hash oracles, KEYGEN, PARTIAL-PRIVATE-KEY-EXTRACT, SECRET-VALUE-EXTRACT, and TAGGEN oracle, adaptively. For KEYGEN oracle, Type II adversary sends to the challenger , and then the public key is returned. For PARTIAL-PRIVATE-KEY-EXTRACT oracle, Type II adversary sends to the challenger , and then the partial private key is returned. For SECRET-VALUE-EXTRACT oracle, Type II adversary sends to the challenger , and then the secret value is returned. For TAGGEN oracle, Type II adversary sends , where is the block identifier, to the challenger . The challenger responds with a pair of message and tag , where = TAGGEN.(4)Finally, Type II adversary outputs a forged pair of message and tag for an identity .If the pair is valid pair of message and tag and has not queried TAGGEN oracle, then Type II adversary wins the game.

Definition 2. Type II adversary ()-breaks a certificateless public auditing scheme, if runs in time at most , makes at most hash queries, KEYGEN queries, PARTIAL-PRIVATE-KEY-EXTRACT queries, SECRET-VALUE-EXTRACT queries, and TAGGEN queries, and wins the game with the probability . A certificateless public auditing scheme is secure against a tag-forgery by the malicious-but-passive-KGC attack, if there is no tag-forger which -breaks the scheme with a nonnegligible probability .
Game III. Type III adversary cannot generate a valid proof for the blocks modified or deleted by Type III adversary , and then we say that a public auditing scheme satisfies a proof-unforgeability (soundness). It is defined using the following game between a challenger and Type III adversary :(1)The challenger runs algorithm SETUP to generate a public parameter (PP) and the master key (MK) and sends PP to Type III adversary .(2)Type III adversary is allowed to access the hash oracles, KEYGEN, PARTIAL-PRIVATE-KEY-EXTRACT, SECRET-VALUE-EXTRACT, and TAGGEN oracle, adaptively. For KEYGEN oracle, Type III adversary sends to the challenger , and then the public key is returned. For PARTIAL-PRIVATE-KEY-EXTRACT oracle, Type III adversary sends to the challenger , and then the partial private key is returned. For SECRET-VALUE-EXTRACT oracle, Type III adversary sends to the challenger , and then the secret value is returned. For TAGGEN oracle, Type III adversary sends , where is the block identifier, to the challenger . The challenger responds with a pair of message and tag , where = TAGGEN.(3)The challenger generates the challenge message = CHALLENGE(PP) and sends it to Type III adversary .(4)Finally, Type III adversary outputs a forged proof .If the equation VERIFY holds and the challenge message includes the index which is not queried in TAGGEN queries, then Type III adversary wins the game.

Definition 3. Type III adversary ()-breaks a certificateless public auditing scheme, if runs in time at most , makes at most hash queries, KEYGEN queries, PARTIAL-PRIVATE-KEY-EXTRACT queries, SECRET-VALUE-EXTRACT queries, and TAGGEN queries, and wins the game with the probability . A certificateless public auditing scheme is proof-unforgeable (sound), if there is no proof-forger which -breaks the scheme with a nonnegligible probability .

4. Our Certificateless Public Auditing (CL-PA) Scheme

In this section, we propose a provably secure certificateless public auditing scheme. Our scheme consists of the seven algorithms, SETUP, PARTIAL-PRIVATE-KEY-EXTRACT, KEYGEN, TAGGEN, CHALLENGE, PROVE, and VERIFY. The details of the algorithms are as follows.

SETUP: let and be multiplicative cyclic groups of prime order and be a bilinear map. Let , and be generators of . , , and are collision resistant hash functions. KGC randomly chooses and computes and as system parameters. A set of master keys is and the public parameters are .

PARTIAL-PRIVATE-KEY-EXTRACT: for each identity , KGC picks the random number and computes , , and . KGC sends to the user as the partial private keys for the identity .

KEYGEN: given the public parameters and the partial private keys, the user generates his/her secret keys and public keys. The user chooses and computes , , , , and . The user sets as a set of secret keys and as a set of public keys.

TAGGEN: let be a file. The user computes an authenticated tag for each block as where is block identifier of , is the file name, , , , and is a polynomial with a coefficient vector . Then the user uploads the file with the corresponding authenticated tags to the server. The validity of the pair of message and tag could be checked by the equation

CHALLENGE: to check the integrity of , TPA randomly chooses random number and -elements subset of . Then, TPA sends the challenge messages to the server.

PROVE: when the server receives the challenge message , the server first computes for all and , where .

The server computes the quotient polynomial , where is the coefficient vector resulting in the quotient polynomial, and . Finally, the server computes and and then sends the proof to TPA.

VERIFY: upon receiving the proof , TPA checks the validity of the proof. TPA computes and checks the equationwhere and . If the equation holds, TPA outputs Accept; otherwise it outputs Reject.

The correctness of our scheme can be proved as follows:

4.1. Security Analyses

In this section, we analyze the security of our certificateless public auditing scheme. If the scheme is secure against the tag-forgery by Type I adversary and Type II adversary and the proof-forgery by Type III adversary under adaptive chosen message attacks, then we consider that the scheme is secure against existential forgery.

Theorem 4. The proposed certificateless public auditing scheme is secure against the tag-forgery by Type I adversary under chosen message attacks in the random oracle model, if the CDH assumption holds in .

Proof of Theorem 4. Suppose Type I adversary is the forger that could break the scheme by generating a valid pair of message and tag under user’s secret key with a probability . Then we can construct an algorithm that solves the CDH problem on .
Given an instance of the CDH problem, the algorithm simulates the challenger and interacts with the forger in Game I.(1)The forger outputs an identity where it wishes to be forged.(2)The algorithm chooses random numbers and computes , where . The algorithm sets and and sends PP to the forger .(3) For KEYGEN oracle, at any time the forger can query the KEYGEN oracle for an identity . The algorithm stores , where Tab1 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm chooses random number and calculates , , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates .(b)If , the algorithm chooses random number and calculates , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(4)The algorithm simulates the hash oracles as follows:For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm retrieves the tuple which includes the queried identity in . Then the algorithm returns in to the forger .For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab2 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm picks a random number and sets the hash value . Then the algorithm stores the tuple and responds with to the forger .(b)If , the algorithm returns in to the forger .For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab3 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm flips a random coin with a probability , where is the maximum number of TAGGEN queries. The algorithm picks a random number and computes . Then the algorithm stores the tuple and returns to the forger .(b)If , the algorithm responds with in .(5)The algorithm simulates PARTIAL-PRIVATE-KEY-EXTRACT oracle, PUBLIC-KEY-REPLACEMENT oracle, SECRET-VALUE-EXTRACT oracle, and TAGGEN oracle as follows.For PARTIAL-PRIVATE-KEY-EXTRACT Oracle. At any time the forger can request a partial private key for to the oracle. When the forger queries to the oracle, the algorithm responds as follows:(a)If , the algorithm retrieves the tuple which contains the queried in Tab1 and returns to the forger .(b)If , the algorithm reports failure.For PUBLIC-KEY-REPLACEMENT Oracle. At any time the forger can replace a set of public keys for . Upon receiving a public key replacement query , retrieves the tuple which contains in Tab1 and replaces with .For SECRET-VALUE-EXTRACT Oracle. At any time the forger is able to request a secret value for to the oracle. When the forger queries to the oracle, retrieves the tuple which contains in Tab1 and responds with .For TAGGEN Oracle. At any time the forger can query the oracle for the tuple . The algorithm stores , where Tab is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm retrieves the tuple which is corresponding to the queried tuple and computes the tag for the queried message , where . The algorithm responds with and updates Tab.(b)If , the algorithm retrieves the tuple which is corresponding to the queried tuple . If , the algorithm computes the tag for the queried message , where . The algorithm responds with and updates Tab. Otherwise, the algorithm reports failure.(6)Finally, the forger outputs the forged pair of message and tag such that no TAGGEN query was issued for . If , , and , satisfies the following equation: By using the oracle-replay technique [37] on hash function , the algorithm can obtain another forged tag for the same message . The forged tag also satisfies the following equation: With the above equations, the algorithm could compute From the right-hand-side of the above equation, the algorithm could getThen the algorithm outputs where .
From now on, we define three events related to the success probability of and analyze it as follows:(i): the algorithm does not abort in the PARTIAL-PRIVATE-KEY-EXTRACT queries and TAGGEN queries.(ii): the forger outputs a valid pair of message and tag , which has not been queried before.(iii): event occurs and for the tuple containing on Tab3.In the case that the all events happen, the algorithm can solve the CDH problem. Thus, the probability of success is , and we can compute it as We analyze the lower bounds of , , and in the following claims.
Claim 1. The probability that the algorithm does not abort in the PARTIAL-PRIVATE-KEY-EXTRACT queries and the TAGGEN queries by the forger is at least .
Proof of Claim 1. We assume that the forger does not query for the same index twice. At first, in the PARTIAL-PRIVATE-KEY-EXTRACT oracle the algorithm cannot respond to the forger ’s query, if . This probability is equal to , where is the number of KEYGEN queries. Therefore, the probability that the algorithm does not abort is for each PARTIAL-PRIVATE-KEY-EXTRACT query. Since the PARTIAL-PRIVATE-KEY-EXTRACT queries are issued at most times, the probability that the algorithm does not abort is at least . In the TAGGEN oracle, the algorithm only aborts if , where is the random value with the probability corresponding to the TAGGEN query in Tab3. By the probability of , the probability that the algorithm does not abort is . Similarly, the probability that the algorithm does not abort in the TAGGEN oracle is at least . Thus, the probability that the algorithm does not abort in the forger ’s PARTIAL-PRIVATE-KEY-EXTRACT queries and TAGGEN queries is at least .
Claim 2. The probability that the forger outputs a valid pair of message and tag under the condition that the event has occurred is at least .
Proof of Claim 2. When the event has occurred, the probability depends on the information gathered by the forger . The views of in the simulation and the real game are identical as follows:(i)The distribution of PK given to the forger in the simulation is identical with the distribution of PK given to the forger in the real game.(ii)The distribution of the hash values of the hash function in the simulation is identical with the distributions of the hash values of the hash function in the real game.(iii)The distribution of the responses to the TAGGEN oracle in the simulation is identical with the distribution of the responses to the TAGGEN oracle in the real game under the conditional probability.Thus, the forger will generate a valid pair of message and tag with a probability at least .
Claim 3. The probability that the algorithm does not abort after the forger outputs a valid pair of message and tag is at least .
Proof of Claim 3. When the events and have occurred, the algorithm will abort only in the case that for the tuple containing corresponding to a forged pair of message and tag in Tab1. Since the value is randomly chosen with the probability , the probability is at least .
With the above claims, the success probability of is . Thus we can conclude that if the CDH assumption holds in , there exists no algorithm which breaks the tag-unforgeability of our scheme by the public key replacement attack with a nonnegligible probability.

Theorem 5. The proposed certificateless public auditing scheme is secure against the tag-forgery by Type II adversary under chosen message attacks in the random oracle model, if the CDH assumption holds in .

Proof of Theorem 5. Suppose Type II adversary is the tag-forger that could break the scheme by generating a valid pair of message and tag under user’s secret key with a probability . Then we can construct an algorithm that solves the CDH problem on .
Given an instance of the CDH problem, the algorithm simulates the challenger and interacts with the forger in Game II.(1)The forger outputs an identity where it wishes to be forged.(2)The algorithm chooses random numbers and computes , where . The algorithm sets and and sends “PP and MK” to the forger .(3)For KEYGEN oracle, at any time the forger can query the KEYGEN oracle for an identity . The algorithm stores , where Tab1 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm chooses random number and calculates , , , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(b)If , the algorithm chooses random number and calculates , , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(4)The algorithm simulates the hash oracles as follows.For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm retrieves the tuple which includes the queried identity in Tab1. Then the algorithm returns in Tab1 to the forger .For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab2 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm picks a random number and sets the hash value . Then the algorithm stores the tuple and responds with to the forger .(b)If , the algorithm returns in Tab2 to the forger .For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab3 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm flips a random coin with a probability , where is the maximum number of TAGGEN queries. The algorithm picks a random number and computes . Then the algorithm stores the tuple and returns to the forger .(b)If , the algorithm responds with in Tab3.(5)The algorithm simulates the PARTIAL-PRIVATE-KEY-EXTRACT oracle, SECRET-VALUE-EXTRACT oracle, and TAGGEN oracle as follows.For PARTIAL-PRIVATE-KEY-EXTRACT Oracle. At any time the forger can request a partial private key for to the oracle. When the forger queries to the oracle, retrieves the tuple which contains in Tab1 and responds with .For SECRET-VALUE-EXTRACT Oracle. At any time the forger is able to request a secret value for to the oracle. When the forger queries to the oracle, responds as follows:(a)If , the algorithm retrieves the tuple which contains the queried in Tab1 and returns to the forger .(b)If , the algorithm reports failure.For TAGGEN Oracle. At any time the forger can query the oracle for the tuple . The algorithm stores , where Tab is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm retrieves the tuple which is corresponding to the queried tuple and computes the tag for the queried message , where . The algorithm responds with and updates Tab.(b)If , the algorithm retrieves the tuple which is corresponding to the queried tuple . If , the algorithm computes the tag for the queried message , where . The algorithm responds with and updates Tab. Otherwise, the algorithm reports failure.(6)Finally, the forger outputs the forged pair of message and tag such that no TAGGEN query was issued for . If , , and , satisfies the equation From the right-hand-side of the above equation, the algorithm could compute Then the algorithm outputswhere , , and .
From now on, we define three events related to the success probability of and analyze it as follows:(i): the algorithm does not abort in the SECRET-VALUE-EXTRACT queries and TAGGEN queries.(ii): the forger outputs a valid pair of message and tag , which has not been queried before.(iii): event occurs and for the tuple containing on Tab3.In the case that the all events happen, the algorithm can solve the CDH problem. Thus, the probability of success is , and we can compute it as We analyze the lower bounds of , , and in the following claims.
Claim 4. The probability that the algorithm does not abort in the SECRET-VALUE-EXTRACT queries and the TAGGEN queries by the forger is at least .
Claim 5. The probability that the forger outputs a valid pair of message and tag under the condition that the event has occurred is at least .
Claim 6. The probability that the algorithm does not abort after the forger outputs a valid pair of message and tag is at least .
By the similar analysis method in Theorem 4, we can easily compute ’s success probability, thus we omit the detailed probability analyses. With the above claims, the success probability of is . Thus we can conclude that if the CDH assumption holds in , there exists no algorithm which breaks the tag-unforgeability of our scheme by the malicious-but-passive-KGC attack with a nonnegligible probability.

Theorem 6. The proposed certificateless public auditing scheme is secure against the proof-forgery by Type III adversary under chosen message attacks in the random oracle model, if the DCDH assumption holds in .

Proof of Theorem 6. Suppose Type III adversary is the proof-forger that could break the scheme by generating a fake proof for an arbitrary challenge message with a probability . We does not consider the case that the fake proof was generated by the forged tags, since we proved it in the above theorems (even though the theorems ensure the security against the tag-forgery by Type I adversary and Type II adversary , it can be easily applied to Type III adversary by eliminating the oracles related to the key extraction in the proof of Theorems 4 and 5). Using the proof-forger, we can construct an algorithm that solves the DCDH problem on .
Given an instance of the DCDH problem, the algorithm simulates the challenger and interacts with the forger in Game III.(1)The forger outputs an identity where it wishes to be forged.(2)The algorithm chooses random numbers and computes , where . The algorithm sets and and sends PP to the forger .(3)For KEYGEN oracle, at any time the forger can query the KEYGEN oracle for an identity . The algorithm stores , where Tab1 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm chooses random number and calculates , , , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(b)If , the algorithm chooses random number and calculates , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(4)The algorithm simulates the hash oracles as follows.For Hash Oracle . At any time the forger can query the random oracle for . The algorithm retrieves the tuple which includes the queried identity in Tab1. Then the algorithm returns in Tab1 to the forger .For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab2 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm picks a random number and sets the hash value . Then the algorithm stores the tuple and responds with to the forger .(b)If , the algorithm returns in Tab2 to the forger .For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab3 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm picks a random number and computes . Then the algorithm stores the tuple and returns to the forger .(b)If , the algorithm responds with in Tab3.(5)The algorithm simulates the PARTIAL-PRIVATE-KEY-EXTRACT oracle, SECRET-VALUE-EXTRACT oracle, and TAGGEN oracle as follows.For PARTIAL-PRIVATE-KEY-EXTRACT Oracle. At any time the forger can request a partial private key for to the oracle. When the forger queries to the oracle, responds as follows:(a)If , the algorithm retrieves the tuple which contains the queried in Tab1 and returns to the forger .(b)If , the algorithm reports failure.For SECRET-VALUE-EXTRACT Oracle. At any time the forger is able to request a secret value for to the oracle. When the forger queries to the oracle, responds as follows:(a)If , the algorithm retrieves the tuple which contains the queried in Tab1 and returns to the forger .(b)If , the algorithm reports failure.For TAGGEN Oracle. At any time the forger can query the oracle for the tuple . The algorithm stores , where Tab is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm retrieves the tuple which is corresponding to the queried tuple and computes the tag for the queried message , where . The algorithm responds with and updates Tab.(b)If , the algorithm retrieves the tuple which is corresponding to the queried tuple . The algorithm computes the tag for the queried message , where .(6)The algorithm chooses random number and a random -elements subset . In this process, should choose a random subset which contains at least an index , where is not queried before in TAGGEN oracle. Let be a subset of , and it is composed of indices which are not queried in TAGGEN oracle. Then the algorithm sends as the challenge message.(7)Finally, the forger outputs a forged proof for the challenge message . We assume that is not able to be forged by the forger , since we proved the tag-unforgeability in the previous theorems. Then the algorithm checks the validity of the forged proof by the following equation: The algorithm could compute the right-hand-side of the above equation as To satisfy (18), the value should contain , where . Thus, we can compute as where .
From now on, we define two events related to the success probability of and analyze it as follows:(i): the algorithm does not abort in the PARTIAL-PRIVATE-KEY-EXTRACT queries and SECRET-VALUE-EXTRACT queries.(ii): the forger outputs a valid proof , which has not been queried before.In the case that the both events happen, the algorithm can solve the DCDH problem. Thus, the probability of success is . We analyze the lower bounds of in the following claim.
Claim 7. The probability that the algorithm does not abort in the PARTIAL-PRIVATE-KEY-EXTRACT queries and the SECRET-VALUE-EXTRACT queries by the forger is at least .
Proof of Claim 7. We assume that the forger does not query for the same index twice. In the PARTIAL-PRIVATE-KEY-EXTRACT oracle, the algorithm aborts only if . This probability is equal to , where is the number of PARTIAL-PRIVATE-KEY-EXTRACT queries. Therefore, the probability that the algorithm does not abort is for each PARTIAL-PRIVATE-KEY-EXTRACT query. Since the PARTIAL-PRIVATE-KEY-EXTRACT queries are issued at most times, the probability that the algorithm does not abort is at least . In the SECRET-VALUE-EXTRACT oracle, the algorithm only aborts if . The probability that the algorithm does not abort is . Similarly, the probability that the algorithm does not abort in the SECRET-VALUE-EXTRACT oracle is at least . Thus, the probability that the algorithm does not abort in the forger ’s PARTIAL-PRIVATE-KEY-EXTRACT queries and SECRET-VALUE-EXTRACT queries is at least .
With the above claim, the success probability of is