Certificateless Public Auditing Protocol with<i> Constant</i> Verification Time

Kim, Dongmin; Jeong, Ik Rae

doi:https://doi.org/10.1155/2017/6758618

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusions Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2017 | Article ID 6758618 | https://doi.org/10.1155/2017/6758618

Certificateless Public Auditing Protocol with Constant Verification Time

Dongmin Kim¹and Ik Rae Jeong¹

Academic Editor: Muhammad Khurram Khan

Received18 Aug 2016

Accepted07 Nov 2016

Published30 Jan 2017

Abstract

To provide the integrity of outsourced data in the cloud storage services, many public auditing schemes which allow a user to check the integrity of the outsourced data have been proposed. Since most of the schemes are constructed on Public Key Infrastructure (PKI), they suffer from several concerns like management of certificates. To resolve the problems, certificateless public auditing schemes also have been studied in recent years. In this paper, we propose a certificateless public auditing scheme which has the constant-time verification algorithm. Therefore, our scheme is more efficient than previous certificateless public auditing schemes. To prove the security of our certificateless public auditing scheme, we first define three formal security models and prove the security of our scheme under the three security models.

1. Introduction

Cloud storage is an essential service of cloud computing, which allows users to outsource their data to a cloud server. It is an easy and reliable way to handle a large amount of data due to the characteristics of cloud computing such as ubiquitous network access, location-independent resource pooling, and elasticity [1]. However, there exist challenging security threats with respect to the outsourced data. An untrusted server might discard the data to save a disk space or modify the data for personal gains. Therefore, the users need to be convinced that their data are stored in the cloud server without any loss or modification. That is, the cloud server should ensure the data integrity to the users.

To check the integrity of the outsourced files efficiently, many solutions have been proposed in recent years. When the user wishes to check the integrity, the third-party auditor (TPA) executes auditing algorithms in place of the user without downloading the whole files. If the TPA performs auditing process without any secret values delegated from the user, we called it public auditing. Most of the public auditing schemes are based on Public Key Infrastructure (PKI) [2–10]. In traditional PKI, Certificate Authority (CA) issues the private/public keys for the users and certificates to bind the users with their public keys. These certificates are generated and managed by the CA. Even though PKI has been widely used in public key cryptography (PKC), it has some security issues related to the management of the certificates, such as revocation, distribution, storage, and the computational cost of the certificates verification as described in [11, 12].

Identity-based public key cryptography was introduced to overcome the above issues of PKI by Shamir in [13]. In the identity-based public key cryptography, the users use identity as their public key (e.g., e-mail address) which is assumed to be publicly known, so there is no need to consider the management of the certificates [13–17]. A trusted third party called Key Generation Center (KGC) generates a master secret key and publishes a master public key corresponding to the master secret key. Then the KGC issues users’ private key corresponding to the identity (public keys) using the master secret key. Unfortunately, this approach causes a new inherent problem known as key escrow. Since the users’ private key is entirely generated by the KGC and it is not fully trusted, it can impersonate any valid user whenever it wants. The condition that the KGC is fully trusted has to be assumed to resolve the above inherent problem. The problem also should be considered for the identity-based public auditing schemes [18–20].

Al-Riyami and Paterson proposed certificateless cryptosystem that preserves the advantages of the identity-based public key cryptography and eliminates the vulnerability of it [21]. In other words, certificateless public key cryptography does not require certificates to authenticate the users’ public key and the strong assumption. In the certificateless public cryptography, the KGC cannot know the user’s full secret key unlike the ID-PKC, because the user’s full secret key is generated by combining a partial private key generated by the KGC with a secret value chosen by the user [21–23]. As the related works, many certificateless signature schemes are also proposed [24–27].

In [28], the authors proposed the secure certificateless public auditing scheme based on a new certificateless signature scheme constructed by them. However, He et al. pointed out that the certificateless signature scheme cannot withstand the public key replacement attack, where the adversary can replace user’s public key with a manipulated public key [29]. They also proposed the certificateless public auditing scheme suitable for a cloud-assisted Wireless Body Area Networks (WBAN). Even though many authentication schemes are proposed, they are not suitable because they suffer from the certificate management and key escrow problem [30–35]. The certificateless public auditing scheme is constructed to withstand the attack and also ensures the integrity of stored data which is an important issue for the cloud-assisted WBAN, therefore the certificateless public auditing scheme is an essential technology to construct WBAN.

1.1. Our Contributions

(1)We first design a certificateless public auditing (CL-PA) scheme which has the constant computation cost in verification. The previous certificateless public auditing schemes require the linearly increasing verification time with respect to the number of the challenged message blocks.(2)We define the three formal security models which ensures the security against the public key replacement attack, malicious-but-passive-KGC attack, and proof-forgery.(3)We show that our certificateless scheme is secure against existential forgery by proving the security under the models.

The rest of paper is organized as follows. In Section 2, we describe the formal security models and we review some preliminaries in Section 3. We construct our scheme and prove the securities in Section 4. We conclude the paper in Section 5.

2. Preliminaries

2.1. Bilinear Group

Let groups and be multiplicative cyclic groups with prime order . A function is a bilinear map, if it satisfies the following:(1)We have for all , .(2)If is a generator of group is a generator of group .(3)It is easy to compute for all .

2.2. Complexity Assumptions

Computational Diffie-Hellman (CDH) Assumption. Given a tuple , an algorithm tries to compute . We assume that there is no algorithm with a nonnegligible probability such that where the probability is over the random choice of , the random choice of , and the random bits of .

Divisible Computational Diffie-Hellman (DCDH) Assumption [36]. Given a tuple , an algorithm tries to compute . We assume that there is no algorithm with a nonnegligible probability such that where the probability is over the random choice of , the random choice of , and the random bits of .

3. Models

3.1. System Model

We consider a system model that has four entities, KGC (Key Generation Center), a user, a cloud server, and a third-party auditor (TPA) as shown Figure 1. The KGC is responsible for the generation of a master key and a set of public keys for the system and issuing the partial private key for an identity (ID). Unlike the PKG in identity-based system, the KGC cannot issue the user’s full secret key that will be used in the system. The full secret key is generated by combining the partial private key with some random secret values chosen from the user. With this key, the user generates authenticated tags for the file blocks and uploads them to the cloud server. When the user wishes to check the integrity of the stored files, TPA performs it on behalf of the user. For checking the integrity of the stored files, TPA sends a challenge message to the cloud server, and then the server responds with the proof corresponding to the challenge message. TPA is able to check the integrity of them by verifying the validity of the received proof.

We define the algorithms for our certificateless public auditing scheme as follows:(i)Setup takes a security parameter and returns a master key (MK) and a public parameter (PP).(ii)Partial-Private-Key-Extract takes an identity (ID), the master key (MK), and the public parameter (PP). It outputs a partial private key (ppk) for the identity (ID).(iii)KeyGen takes an identity (ID), the public parameter (PP), and the partial private key (psk). It outputs a set of public keys (PK) and a secret key (sk) of the identity (ID).(iv)TagGen takes as an input the public parameter (PP), a secret key (sk) of a user, and a file , where is the number of the file blocks. It outputs tags for the file blocks.(v)Challenge takes as an input the public parameters pp and returns a challenge message .(vi)Prove takes as an input the public parameter (PP) and the challenge message and the pairs of message and tag . It outputs a proof (Prf) for the challenge message .(vii)Verify takes as an input the public parameter (PP), the set of public keys (PK), the challenge message , and the proof (Prf). It outputs Accept or Reject.

3.2. Security Models

We assume that three types of adversaries in our certificateless public auditing scheme, that is, Type I adversary , Type II adversary , and Type III adversary , and define the adversaries as follows:(i)Type I adversary cannot access the master key, but he can replace user’s public key with a manipulated public key and generate a forged pair of message and tag.(ii)Type II adversary , which represents a malicious KGC, can access the master key and generate a forged pair of message and tag, but he cannot replace user’s public key.(iii)Type III adversary , which represents a malicious server, can forge a proof for the challenge message without knowing any secret values.Type I adversary and Type II adversary aim to forge the pair of message and tag and are classed as the normal, strong, and super adversaries (ordered by the capability of the adversaries). If the scheme is secure against the super adversary, it is also secure against the normal and strong adversaries. Therefore, we just consider the super Type I adversary and the super Type II adversary in Game I and Game II, respectively. We define three security models using the following games between a challenger and the defined adversaries.

Game I. If Type I adversary cannot forge a pair of message and tag, then we consider that a certificateless public auditing scheme is secure against a tag-forgery by the public key replacement attack. It is defined using the following game between a challenger and Type I adversary :(1)Type I adversary outputs an identity where it wishes to be forged.(2)The challenger runs algorithm SETUP to generate a public parameter (PP) and the master key (MK) and sends PP to Type I adversary .(3)Type I adversary is allowed to access the hash oracles, KEYGEN, PARTIAL-PRIVATE-KEY-EXTRACT, PUBLIC-KEY-REPLACEMENT, SECRET-VALUE-EXTRACT, and TAGGEN oracle, adaptively. For KEYGEN oracle, Type I adversary sends to the challenger , and then the public key is returned. For PARTIAL-PRIVATE-KEY-EXTRACT oracle, Type I adversary sends to the challenger , and then the partial private key is returned. For PUBLIC-KEY-REPLACEMENT oracle, Type I adversary sends to the challenger . For SECRET-VALUE-EXTRACT oracle, Type I adversary sends to the challenger , and then the secret value is returned. For TAGGEN oracle, Type I adversary sends , where is the block identifier, to the challenger . The challenger responds with a pair of message and tag , where = TAGGEN.(4)Finally, Type I adversary outputs a forged pair of message and tag for an identity .

If the pair is valid pair of message and tag and has not queried TAGGEN oracle, then Type I adversary wins the game.

Definition 1. Type I adversary ()-breaks a certificateless public auditing scheme, if runs in time at most , makes at most hash queries, KEYGEN queries, PARTIAL-PRIVATE-KEY-EXTRACT queries, PUBLIC-KEY-REPLACEMENT queries, SECRET-VALUE-EXTRACT queries, and TAGGEN queries, and wins the game with the probability . A certificateless public auditing scheme is secure against a tag-forgery by the public key replacement attack, if there is no tag-forger which -breaks the scheme with a nonnegligible probability .
Game II. If Type II adversary cannot forge a pair of message and tag, then we consider that a certificateless public auditing scheme is secure against a tag-forgery by the malicious-but-passive-KGC attack. It is defined using the following game between a challenger and Type II adversary .(1)Type II adversary outputs an identity where it wishes to be forged.(2)The challenger runs algorithm SETUP to generate a public parameter (PP) and the master key (MK) and sends “PP and MK” to Type II adversary .(3)Type II adversary is allowed to access the hash oracles, KEYGEN, PARTIAL-PRIVATE-KEY-EXTRACT, SECRET-VALUE-EXTRACT, and TAGGEN oracle, adaptively. For KEYGEN oracle, Type II adversary sends to the challenger , and then the public key is returned. For PARTIAL-PRIVATE-KEY-EXTRACT oracle, Type II adversary sends to the challenger , and then the partial private key is returned. For SECRET-VALUE-EXTRACT oracle, Type II adversary sends to the challenger , and then the secret value is returned. For TAGGEN oracle, Type II adversary sends , where is the block identifier, to the challenger . The challenger responds with a pair of message and tag , where = TAGGEN.(4)Finally, Type II adversary outputs a forged pair of message and tag for an identity .If the pair is valid pair of message and tag and has not queried TAGGEN oracle, then Type II adversary wins the game.

Definition 2. Type II adversary ()-breaks a certificateless public auditing scheme, if runs in time at most , makes at most hash queries, KEYGEN queries, PARTIAL-PRIVATE-KEY-EXTRACT queries, SECRET-VALUE-EXTRACT queries, and TAGGEN queries, and wins the game with the probability . A certificateless public auditing scheme is secure against a tag-forgery by the malicious-but-passive-KGC attack, if there is no tag-forger which -breaks the scheme with a nonnegligible probability .
Game III. Type III adversary cannot generate a valid proof for the blocks modified or deleted by Type III adversary , and then we say that a public auditing scheme satisfies a proof-unforgeability (soundness). It is defined using the following game between a challenger and Type III adversary :(1)The challenger runs algorithm SETUP to generate a public parameter (PP) and the master key (MK) and sends PP to Type III adversary .(2)Type III adversary is allowed to access the hash oracles, KEYGEN, PARTIAL-PRIVATE-KEY-EXTRACT, SECRET-VALUE-EXTRACT, and TAGGEN oracle, adaptively. For KEYGEN oracle, Type III adversary sends to the challenger , and then the public key is returned. For PARTIAL-PRIVATE-KEY-EXTRACT oracle, Type III adversary sends to the challenger , and then the partial private key is returned. For SECRET-VALUE-EXTRACT oracle, Type III adversary sends to the challenger , and then the secret value is returned. For TAGGEN oracle, Type III adversary sends , where is the block identifier, to the challenger . The challenger responds with a pair of message and tag , where = TAGGEN.(3)The challenger generates the challenge message = CHALLENGE(PP) and sends it to Type III adversary .(4)Finally, Type III adversary outputs a forged proof .If the equation VERIFY holds and the challenge message includes the index which is not queried in TAGGEN queries, then Type III adversary wins the game.

Definition 3. Type III adversary ()-breaks a certificateless public auditing scheme, if runs in time at most , makes at most hash queries, KEYGEN queries, PARTIAL-PRIVATE-KEY-EXTRACT queries, SECRET-VALUE-EXTRACT queries, and TAGGEN queries, and wins the game with the probability . A certificateless public auditing scheme is proof-unforgeable (sound), if there is no proof-forger which -breaks the scheme with a nonnegligible probability .

4. Our Certificateless Public Auditing (CL-PA) Scheme

In this section, we propose a provably secure certificateless public auditing scheme. Our scheme consists of the seven algorithms, SETUP, PARTIAL-PRIVATE-KEY-EXTRACT, KEYGEN, TAGGEN, CHALLENGE, PROVE, and VERIFY. The details of the algorithms are as follows.

SETUP: let and be multiplicative cyclic groups of prime order and be a bilinear map. Let , and be generators of . , , and are collision resistant hash functions. KGC randomly chooses and computes and as system parameters. A set of master keys is and the public parameters are .

PARTIAL-PRIVATE-KEY-EXTRACT: for each identity , KGC picks the random number and computes , , and . KGC sends to the user as the partial private keys for the identity .

KEYGEN: given the public parameters and the partial private keys, the user generates his/her secret keys and public keys. The user chooses and computes , , , , and . The user sets as a set of secret keys and as a set of public keys.

TAGGEN: let be a file. The user computes an authenticated tag for each block as where is block identifier of , is the file name, , , , and is a polynomial with a coefficient vector . Then the user uploads the file with the corresponding authenticated tags to the server. The validity of the pair of message and tag could be checked by the equation

CHALLENGE: to check the integrity of , TPA randomly chooses random number and -elements subset of . Then, TPA sends the challenge messages to the server.

PROVE: when the server receives the challenge message , the server first computes for all and , where .

The server computes the quotient polynomial , where is the coefficient vector resulting in the quotient polynomial, and . Finally, the server computes and and then sends the proof to TPA.

VERIFY: upon receiving the proof , TPA checks the validity of the proof. TPA computes and checks the equationwhere and . If the equation holds, TPA outputs Accept; otherwise it outputs Reject.

The correctness of our scheme can be proved as follows:

4.1. Security Analyses

In this section, we analyze the security of our certificateless public auditing scheme. If the scheme is secure against the tag-forgery by Type I adversary and Type II adversary and the proof-forgery by Type III adversary under adaptive chosen message attacks, then we consider that the scheme is secure against existential forgery.

Theorem 4. The proposed certificateless public auditing scheme is secure against the tag-forgery by Type I adversary under chosen message attacks in the random oracle model, if the CDH assumption holds in .

Proof of Theorem 4. Suppose Type I adversary is the forger that could break the scheme by generating a valid pair of message and tag under user’s secret key with a probability . Then we can construct an algorithm that solves the CDH problem on .
Given an instance of the CDH problem, the algorithm simulates the challenger and interacts with the forger in Game I.(1)The forger outputs an identity where it wishes to be forged.(2)The algorithm chooses random numbers and computes , where . The algorithm sets and and sends PP to the forger .(3) For KEYGEN oracle, at any time the forger can query the KEYGEN oracle for an identity . The algorithm stores , where Tab1 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm chooses random number and calculates , , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates .(b)If , the algorithm chooses random number and calculates , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(4)The algorithm simulates the hash oracles as follows: For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm retrieves the tuple which includes the queried identity in . Then the algorithm returns in to the forger . For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab2 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm picks a random number and sets the hash value . Then the algorithm stores the tuple and responds with to the forger .(b)If , the algorithm returns in to the forger . For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab3 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm flips a random coin with a probability , where is the maximum number of TAGGEN queries. The algorithm picks a random number and computes . Then the algorithm stores the tuple and returns to the forger .(b)If , the algorithm responds with in .(5)The algorithm simulates PARTIAL-PRIVATE-KEY-EXTRACT oracle, PUBLIC-KEY-REPLACEMENT oracle, SECRET-VALUE-EXTRACT oracle, and TAGGEN oracle as follows. For PARTIAL-PRIVATE-KEY-EXTRACT Oracle. At any time the forger can request a partial private key for to the oracle. When the forger queries to the oracle, the algorithm responds as follows:(a)If , the algorithm retrieves the tuple which contains the queried in Tab1 and returns to the forger .(b)If , the algorithm reports failure. For PUBLIC-KEY-REPLACEMENT Oracle. At any time the forger can replace a set of public keys for . Upon receiving a public key replacement query , retrieves the tuple which contains in Tab1 and replaces with . For SECRET-VALUE-EXTRACT Oracle. At any time the forger is able to request a secret value for to the oracle. When the forger queries to the oracle, retrieves the tuple which contains in Tab1 and responds with . For TAGGEN Oracle. At any time the forger can query the oracle for the tuple . The algorithm stores , where Tab is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm retrieves the tuple which is corresponding to the queried tuple and computes the tag for the queried message , where . The algorithm responds with and updates Tab.(b)If , the algorithm retrieves the tuple which is corresponding to the queried tuple . If , the algorithm computes the tag for the queried message , where . The algorithm responds with and updates Tab. Otherwise, the algorithm reports failure.(6)Finally, the forger outputs the forged pair of message and tag such that no TAGGEN query was issued for . If , , and , satisfies the following equation: By using the oracle-replay technique [37] on hash function , the algorithm can obtain another forged tag for the same message . The forged tag also satisfies the following equation: With the above equations, the algorithm could compute From the right-hand-side of the above equation, the algorithm could getThen the algorithm outputs where .
From now on, we define three events related to the success probability of and analyze it as follows:(i): the algorithm does not abort in the PARTIAL-PRIVATE-KEY-EXTRACT queries and TAGGEN queries.(ii): the forger outputs a valid pair of message and tag , which has not been queried before.(iii): event occurs and for the tuple containing on Tab3.In the case that the all events happen, the algorithm can solve the CDH problem. Thus, the probability of success is , and we can compute it as We analyze the lower bounds of , , and in the following claims.
Claim 1. The probability that the algorithm does not abort in the PARTIAL-PRIVATE-KEY-EXTRACT queries and the TAGGEN queries by the forger is at least .
Proof of Claim 1. We assume that the forger does not query for the same index twice. At first, in the PARTIAL-PRIVATE-KEY-EXTRACT oracle the algorithm cannot respond to the forger ’s query, if . This probability is equal to , where is the number of KEYGEN queries. Therefore, the probability that the algorithm does not abort is for each PARTIAL-PRIVATE-KEY-EXTRACT query. Since the PARTIAL-PRIVATE-KEY-EXTRACT queries are issued at most times, the probability that the algorithm does not abort is at least . In the TAGGEN oracle, the algorithm only aborts if , where is the random value with the probability corresponding to the TAGGEN query in Tab3. By the probability of , the probability that the algorithm does not abort is . Similarly, the probability that the algorithm does not abort in the TAGGEN oracle is at least . Thus, the probability that the algorithm does not abort in the forger ’s PARTIAL-PRIVATE-KEY-EXTRACT queries and TAGGEN queries is at least .
Claim 2. The probability that the forger outputs a valid pair of message and tag under the condition that the event has occurred is at least .
Proof of Claim 2. When the event has occurred, the probability depends on the information gathered by the forger . The views of in the simulation and the real game are identical as follows:(i)The distribution of PK given to the forger in the simulation is identical with the distribution of PK given to the forger in the real game.(ii)The distribution of the hash values of the hash function in the simulation is identical with the distributions of the hash values of the hash function in the real game.(iii)The distribution of the responses to the TAGGEN oracle in the simulation is identical with the distribution of the responses to the TAGGEN oracle in the real game under the conditional probability.Thus, the forger will generate a valid pair of message and tag with a probability at least .
Claim 3. The probability that the algorithm does not abort after the forger outputs a valid pair of message and tag is at least .
Proof of Claim 3. When the events and have occurred, the algorithm will abort only in the case that for the tuple containing corresponding to a forged pair of message and tag in Tab1. Since the value is randomly chosen with the probability , the probability is at least .
With the above claims, the success probability of is . Thus we can conclude that if the CDH assumption holds in , there exists no algorithm which breaks the tag-unforgeability of our scheme by the public key replacement attack with a nonnegligible probability.

Theorem 5. The proposed certificateless public auditing scheme is secure against the tag-forgery by Type II adversary under chosen message attacks in the random oracle model, if the CDH assumption holds in .

Proof of Theorem 5. Suppose Type II adversary is the tag-forger that could break the scheme by generating a valid pair of message and tag under user’s secret key with a probability . Then we can construct an algorithm that solves the CDH problem on .
Given an instance of the CDH problem, the algorithm simulates the challenger and interacts with the forger in Game II.(1)The forger outputs an identity where it wishes to be forged.(2)The algorithm chooses random numbers and computes , where . The algorithm sets and and sends “PP and MK” to the forger .(3)For KEYGEN oracle, at any time the forger can query the KEYGEN oracle for an identity . The algorithm stores , where Tab1 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm chooses random number and calculates , , , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(b)If , the algorithm chooses random number and calculates , , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(4)The algorithm simulates the hash oracles as follows. For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm retrieves the tuple which includes the queried identity in Tab1. Then the algorithm returns in Tab1 to the forger . For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab2 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm picks a random number and sets the hash value . Then the algorithm stores the tuple and responds with to the forger .(b)If , the algorithm returns in Tab2 to the forger . For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab3 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm flips a random coin with a probability , where is the maximum number of TAGGEN queries. The algorithm picks a random number and computes . Then the algorithm stores the tuple and returns to the forger .(b)If , the algorithm responds with in Tab3.(5)The algorithm simulates the PARTIAL-PRIVATE-KEY-EXTRACT oracle, SECRET-VALUE-EXTRACT oracle, and TAGGEN oracle as follows. For PARTIAL-PRIVATE-KEY-EXTRACT Oracle. At any time the forger can request a partial private key for to the oracle. When the forger queries to the oracle, retrieves the tuple which contains in Tab1 and responds with . For SECRET-VALUE-EXTRACT Oracle. At any time the forger is able to request a secret value for to the oracle. When the forger queries to the oracle, responds as follows:(a)If , the algorithm retrieves the tuple which contains the queried in Tab1 and returns to the forger .(b)If , the algorithm reports failure. For TAGGEN Oracle. At any time the forger can query the oracle for the tuple . The algorithm stores , where Tab is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm retrieves the tuple which is corresponding to the queried tuple and computes the tag for the queried message , where . The algorithm responds with and updates Tab.(b)If , the algorithm retrieves the tuple which is corresponding to the queried tuple . If , the algorithm computes the tag for the queried message , where . The algorithm responds with and updates Tab. Otherwise, the algorithm reports failure.(6)Finally, the forger outputs the forged pair of message and tag such that no TAGGEN query was issued for . If , , and , satisfies the equation From the right-hand-side of the above equation, the algorithm could compute Then the algorithm outputswhere , , and .
From now on, we define three events related to the success probability of and analyze it as follows:(i): the algorithm does not abort in the SECRET-VALUE-EXTRACT queries and TAGGEN queries.(ii): the forger outputs a valid pair of message and tag , which has not been queried before.(iii): event occurs and for the tuple containing on Tab3.In the case that the all events happen, the algorithm can solve the CDH problem. Thus, the probability of success is , and we can compute it as We analyze the lower bounds of , , and in the following claims.
Claim 4. The probability that the algorithm does not abort in the SECRET-VALUE-EXTRACT queries and the TAGGEN queries by the forger is at least .
Claim 5. The probability that the forger outputs a valid pair of message and tag under the condition that the event has occurred is at least .
Claim 6. The probability that the algorithm does not abort after the forger outputs a valid pair of message and tag is at least .
By the similar analysis method in Theorem 4, we can easily compute ’s success probability, thus we omit the detailed probability analyses. With the above claims, the success probability of is . Thus we can conclude that if the CDH assumption holds in , there exists no algorithm which breaks the tag-unforgeability of our scheme by the malicious-but-passive-KGC attack with a nonnegligible probability.

Theorem 6. The proposed certificateless public auditing scheme is secure against the proof-forgery by Type III adversary under chosen message attacks in the random oracle model, if the DCDH assumption holds in .

Proof of Theorem 6. Suppose Type III adversary is the proof-forger that could break the scheme by generating a fake proof for an arbitrary challenge message with a probability . We does not consider the case that the fake proof was generated by the forged tags, since we proved it in the above theorems (even though the theorems ensure the security against the tag-forgery by Type I adversary and Type II adversary , it can be easily applied to Type III adversary by eliminating the oracles related to the key extraction in the proof of Theorems 4 and 5). Using the proof-forger, we can construct an algorithm that solves the DCDH problem on .
Given an instance of the DCDH problem, the algorithm simulates the challenger and interacts with the forger in Game III.(1)The forger outputs an identity where it wishes to be forged.(2)The algorithm chooses random numbers and computes , where . The algorithm sets and and sends PP to the forger .(3)For KEYGEN oracle, at any time the forger can query the KEYGEN oracle for an identity . The algorithm stores , where Tab1 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm chooses random number and calculates , , , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(b)If , the algorithm chooses random number and calculates , , , , , and . The algorithm sends to the forger as the set of public keys for the identity and updates Tab1.(4)The algorithm simulates the hash oracles as follows. For Hash Oracle . At any time the forger can query the random oracle for . The algorithm retrieves the tuple which includes the queried identity in Tab1. Then the algorithm returns in Tab1 to the forger . For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab2 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm picks a random number and sets the hash value . Then the algorithm stores the tuple and responds with to the forger .(b)If , the algorithm returns in Tab2 to the forger . For Hash Oracle . At any time the forger can query the random oracle for . To respond to the hash queries, the algorithm maintains a table , where Tab3 is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm picks a random number and computes . Then the algorithm stores the tuple and returns to the forger .(b)If , the algorithm responds with in Tab3.(5)The algorithm simulates the PARTIAL-PRIVATE-KEY-EXTRACT oracle, SECRET-VALUE-EXTRACT oracle, and TAGGEN oracle as follows. For PARTIAL-PRIVATE-KEY-EXTRACT Oracle. At any time the forger can request a partial private key for to the oracle. When the forger queries to the oracle, responds as follows:(a)If , the algorithm retrieves the tuple which contains the queried in Tab1 and returns to the forger .(b)If , the algorithm reports failure. For SECRET-VALUE-EXTRACT Oracle. At any time the forger is able to request a secret value for to the oracle. When the forger queries to the oracle, responds as follows:(a)If , the algorithm retrieves the tuple which contains the queried in Tab1 and returns to the forger .(b)If , the algorithm reports failure. For TAGGEN Oracle. At any time the forger can query the oracle for the tuple . The algorithm stores , where Tab is initially empty. When the forger queries , the algorithm responds as follows:(a)If , the algorithm retrieves the tuple which is corresponding to the queried tuple and computes the tag for the queried message , where . The algorithm responds with and updates Tab.(b)If , the algorithm retrieves the tuple which is corresponding to the queried tuple . The algorithm computes the tag for the queried message , where .(6)The algorithm chooses random number and a random -elements subset . In this process, should choose a random subset which contains at least an index , where is not queried before in TAGGEN oracle. Let be a subset of , and it is composed of indices which are not queried in TAGGEN oracle. Then the algorithm sends as the challenge message.(7)Finally, the forger outputs a forged proof for the challenge message . We assume that is not able to be forged by the forger , since we proved the tag-unforgeability in the previous theorems. Then the algorithm checks the validity of the forged proof by the following equation: The algorithm could compute the right-hand-side of the above equation as To satisfy (18), the value should contain , where . Thus, we can compute as where .
From now on, we define two events related to the success probability of and analyze it as follows:(i): the algorithm does not abort in the PARTIAL-PRIVATE-KEY-EXTRACT queries and SECRET-VALUE-EXTRACT queries.(ii): the forger outputs a valid proof , which has not been queried before.In the case that the both events happen, the algorithm can solve the DCDH problem. Thus, the probability of success is . We analyze the lower bounds of in the following claim.
Claim 7. The probability that the algorithm does not abort in the PARTIAL-PRIVATE-KEY-EXTRACT queries and the SECRET-VALUE-EXTRACT queries by the forger is at least .
Proof of Claim 7. We assume that the forger does not query for the same index twice. In the PARTIAL-PRIVATE-KEY-EXTRACT oracle, the algorithm aborts only if . This probability is equal to , where is the number of PARTIAL-PRIVATE-KEY-EXTRACT queries. Therefore, the probability that the algorithm does not abort is for each PARTIAL-PRIVATE-KEY-EXTRACT query. Since the PARTIAL-PRIVATE-KEY-EXTRACT queries are issued at most times, the probability that the algorithm does not abort is at least . In the SECRET-VALUE-EXTRACT oracle, the algorithm only aborts if . The probability that the algorithm does not abort is . Similarly, the probability that the algorithm does not abort in the SECRET-VALUE-EXTRACT oracle is at least . Thus, the probability that the algorithm does not abort in the forger ’s PARTIAL-PRIVATE-KEY-EXTRACT queries and SECRET-VALUE-EXTRACT queries is at least .
With the above claim, the success probability of is , since the probability . Thus we can conclude that if the DCDH assumption holds in , there exists no algorithm which breaks the proof-unforgeability of our scheme with a nonnegligible probability.

According to Theorems 4, 5, and 6, we can get Theorem 7 for the security of our proposed scheme. The comparison of the security levels for the certificateless public auditing schemes are explained in Table 1.

Theorem 7. The proposed certificateless public auditing scheme is secure against the existential forgery under chosen message attack in the random oracle model, if the CDH and DCDH assumption hold in .

Proof of Theorem 7. By proving Theorems 4, 5, and 6, we have proved that our certificateless public auditing scheme is secure against Type I, Type II, and Type III adversaries, respectively. Thus, our certificateless public auditing scheme is secure against the existential forgery attacks defined in Section 3.2.

4.2. Efficiency Analysis

In this section, we compare the computation cost of our scheme with two certificateless public auditing schemes in [28, 29], when TPA performs the auditing in the verification algorithm. Since we aim to construct the scheme which can efficiently verify the proof for the challenge message, we just compare the verification time of the proof in Table 3 (in reality, the computing power of the server is sufficiently larger than that of the TPA (user), so we made an effort to reduce the TPA’s computational cost).

Let be the bilinear pairing computation and be the multiplication in group . Let and be the hash-to-point computation and the exponentiation in group , respectively. Scott et al. released implementation results for the operations with 3 GHz-Pentium IV using the MIRACL multiprecision library (ver.5.01) [38]. Their results are shown in Table 2.

In [2], Ateniese et al. proved that TPA is able to detect any modification of the outsourced data with or probability by selecting 300 or 460 challenge blocks, respectively. In Table 3, we computed the execution time of the verification algorithm in the case of and . Note that the computational cost of TPA in [28, 29] is linearly increasing by the number of challenged blocks . On the other hand, the computational cost of TPA in our scheme is constant with respect to the number of challenged blocks . In the case of , our scheme is approximately 57.8 times and 35.4 times faster than the schemes in [28] and [29], respectively. In the case of , our scheme is approximately 88.5 times and 54.1 times faster than the schemes in [28] and [29], respectively.

5. Conclusions

In the paper, we proposed a provably secure certificateless public auditing scheme with the constant verification time. We also defined the three security models and proved the security of our scheme under the security models.

To the best of our knowledge, no certificateless public auditing scheme for shared data with the constant verification time has been proposed. The shared data system means that the authorized users can share their data in the cloud storage systems. Thus, it would be interesting to construct a certificateless public auditing scheme with the constant verification time for shared data.

Notations in Our Scheme

:	A prime order
:	Multiplicative cyclic groups of prime order
:	A bilinear map
:	Generators of group
:	A user identity
:	A set of partial private keys for the identity
:	A set of secret keys for the identity
:	A set of public keys for the identity
:	A file
:	An th block of the file
:	A block identifier of the block
:	A file name
:	A polynomial with a coefficient vector
:	An authenticated tag for the block
:	The numbers in a range
:	-element subset of
:	A random number.

Competing Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (NRF-2013R1A2A2A01068200).

References

P. Mell and T. Grance, The NIST Definition of Cloud Computing, 2011, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
G. Ateniese, R. Burns, R. Curtmola et al., “Provable data possession at untrusted stores,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 598–610, November 2007.
View at: Publisher Site | Google Scholar
A. Juels and B. S. Kaliski Jr., “PORs: proofs of retrievability for large files,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 584–597, Alexandria, Va, USA, November 2007.
View at: Publisher Site | Google Scholar
H. Shacham and B. Waters, “Compact proofs of retrievability,” in International Conference on the Theory and Application of Cryptology and Information Security: ASIACRYPT 2008: Advances in Cryptology—ASIACRYPT, vol. 5350 of Lecture Notes in Computer Science, pp. 90–107, Springer, Berlin, Germany, 2008.
View at: Publisher Site | Google Scholar
C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, “Dynamic provable data possession,” in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), pp. 213–222, Chicago, Ill, USA, November 2009.
View at: Publisher Site | Google Scholar
B. Wang, B. Li, and H. Li, “Oruta: privacy-preserving public auditing for shared data in the cloud,” in Proceedings of the IEEE 5th International Conference on Cloud Computing (CLOUD '12), pp. 295–302, June 2012.
View at: Publisher Site | Google Scholar
C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving public auditing for secure cloud storage,” IEEE Transactions on Computers, vol. 62, no. 2, pp. 362–375, 2013.
View at: Publisher Site | Google Scholar | MathSciNet
B. Wang, B. Li, and H. Li, “Public auditing for shared data with efficient user revocation in the cloud,” in Proceedings of the 32nd IEEE Conference on Computer Communications (INFOCOM '13), pp. 2904–2912, April 2013.
View at: Publisher Site | Google Scholar
S. G. Worku, C. Xu, J. Zhao, and X. He, “Secure and efficient privacy-preserving public auditing scheme for cloud storage,” Computers & Electrical Engineering, vol. 40, no. 5, pp. 1703–1713, 2014.
View at: Google Scholar
T. Jiang, X. Chen, and J. Ma, “Public integrity auditing for shared dynamic cloud data with group user revocation,” IEEE Transactions on Computers, vol. 65, no. 8, pp. 2363–2373, 2016.
View at: Publisher Site | Google Scholar
C. Ellison and B. Schneier, “Ten risks of PKI: what you're not being told about public key infrastructure,” Computer Security Journal, vol. 16, no. 1, pp. 1–7, 2000.
View at: Google Scholar
P. Gutmann, “PKI: it's not dead, just resting,” Computer, vol. 35, no. 8, pp. 41–49, 2002.
View at: Publisher Site | Google Scholar
A. Shamir, “Identity-based Cryptosystems and Signature Schemes,” in Proceedings of the CRYPTO: Advances in Cryptology, pp. 47–53, 1984.
View at: Google Scholar
D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Annual International Cryptology Conference: CRYPTO 2001: Advances in Cryptology—CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.
View at: Google Scholar
D. Boneh, R. Canetti, and S. Halevi, “Chosen-Ciphertext Security from Identity-Based Encryption,” in EUROCRYPT 2004: Advances in Cryptology, vol. 3027 of Lecture Notes in Computer Science, pp. 207–222, 2004.
View at: Publisher Site | Google Scholar
D. Boneh and X. Boyen, “Efficient selective-id secure identity based encryption without random oracles,” in International Conference on the Theory and Applications of Cryptographic Techniques EUROCRYPT 2004: Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 223–238, Springer, Berlin, Germany, 2004.
View at: Publisher Site | Google Scholar
B. Waters, “Efficient identity based encryption without random oracles,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques: UROCRYPT 2005: Advances in Cryptology—EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 114–127, Springer, Berlin, Germany, 2005.
View at: Publisher Site | Google Scholar
H. Wang, J. Domingo-Ferrer, Q. Wu, and B. Qin, “Identity-based remote data possession checking in public clouds,” IET Information Security, vol. 8, no. 2, pp. 114–121, 2014.
View at: Publisher Site | Google Scholar
H. Wang, “Identity-based distributed provable data possession in multicloud storage,” IEEE Transactions on Services Computing, vol. 8, no. 2, pp. 328–340, 2015.
View at: Publisher Site | Google Scholar
Y. Yu, Y. Zhang, Y. Mu, W. Susilo, and H. Liu, “Provably secure identity based provable data possession,” in Provable Security: 9th International Conference, ProvSec 2015, Kanazawa, Japan, November 24–26, 2015, Proceedings, vol. 9451 of Lecture Notes in Computer Science, pp. 310–325, Springer, Berlin, Germany, 2015.
View at: Publisher Site | Google Scholar
S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Advances in Cryptology—ASIACRYPT 2003, C.-S. Laih, Ed., vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, Berlin, Germany, 2003.
View at: Publisher Site | Google Scholar
B. Libert and J.-J. Quisquater, “On constructing certificateless cryptosystems from the identity based encryption,” in International Workshop on Public Key Cryptography PKC 2006: Public Key Cryptography—PKC 2006, vol. 3958 of Lecture Notes in Computer Science, pp. 474–490, Springer, Berlin, Germany, 2006.
View at: Publisher Site | Google Scholar
A. Dent, B. W. Libert, and K. Paterson, “Certificateless encryption schemes storngly secure in the standard model,” in Proceedings of the International Conference on the Theory and Practice of Public-Key Cryptography (PKC '08), vol. 4939 of Lecture Notes in Computer Science, pp. 344–359, 2008.
View at: Google Scholar
X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu, “Certificateless signature revisited,” in Information Security and Privacy, J. Pieprzyk, H. Ghodosi, and E. Dawson, Eds., vol. 4586 of Lecture Notes in Computer Science, pp. 308–322, Springer, Berlin, Germany, 2007.
View at: Publisher Site | Google Scholar
D. He, J. Chen, and R. Zhang, “An efficient and provably-secure certificateless signature scheme without bilinear pairings,” International Journal of Communication Systems, vol. 25, no. 11, pp. 1432–1442, 2012.
View at: Publisher Site | Google Scholar
D. He, Y. Chen, and J. Chen, “An efficient certificateless proxy signature scheme without pairing,” Mathematical and Computer Modelling, vol. 57, no. 9-10, pp. 2510–2518, 2013.
View at: Publisher Site | Google Scholar | MathSciNet
D. He, B. Huang, and J. Chen, “New certificateless short signature scheme,” IET Information Security, vol. 7, no. 2, pp. 113–117, 2013.
View at: Publisher Site | Google Scholar
B. Wang, B. Li, H. Li, and F. Li, “Certificateless public auditing for data integrity in the cloud,” in Proceedings of the 1st IEEE International Conference on Communications and Network Security (CNS '13), pp. 136–144, National Harbo, Md, USA, October 2013.
View at: Publisher Site | Google Scholar
D. He, S. Zeadally, and L. Wu, “Certificateless public auditing scheme for cloud-assisted wireless body area networks,” IEEE Systems Journal, no. 99, pp. 1–10, 2015.
View at: Publisher Site | Google Scholar
J. Liu, Z. Zhang, X. Chen, and K. S. Kwak, “Certificateless remote anonymous authentication schemes for wirelessbody area networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 332–342, 2014.
View at: Publisher Site | Google Scholar
Z. Zhao, “An efficient anonymous authentication scheme for wireless body area networks using elliptic curve cryptosystem,” Journal of Medical Systems, vol. 38, no. 2, article 13, 2014.
View at: Publisher Site | Google Scholar
X. Hu, “Cost-effective scalable and anonymous certificateless remote authentication protocol,” IEEE Transactions on Information Forensics and Security, vol. 9, no. 2, pp. 2327–2339, 2014.
View at: Google Scholar
S. Chatterjee, A. K. Das, and J. K. Sing, “A novel and efficient user access control scheme for wireless body area sensor networks,” Journal of King Saud University—Computer and Information Sciences, vol. 26, no. 2, pp. 181–201, 2014.
View at: Publisher Site | Google Scholar
A. K. Das, S. Chatterjee, and J. K. Sing, “A new biometric-based remote user authentication scheme in hierarchical wireless body area sensor networks,” Ad-Hoc and Sensor Wireless Networks, vol. 28, no. 3-4, pp. 221–256, 2015.
View at: Google Scholar
M. H. Ibrahim, S. Kumari, A. K. Das, M. Wazid, and V. Odelu, “Secure anonymous mutual authentication for star two-tier wireless body area networks,” Computer Methods and Programs in Biomedicine, vol. 135, pp. 37–50, 2016.
View at: Publisher Site | Google Scholar
F. Bao, R. H. Deng, and H. Zhu, “Variations of diffie-hellman problem,” in Proceedings of the 5th International Conference of Information and Communications Security (ICICS '03), pp. 301–312, 2003.
View at: Google Scholar
D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” Journal of Cryptology, vol. 13, no. 3, pp. 361–396, 2000.
View at: Publisher Site | Google Scholar
M. Scott, N. Costigan, and W. Abdulwahab, “Implementing cryptographic pairings on smartcards,” in International Workshop on Cryptographic Hardware and Embedded Systems: CHES 2006: Cryptographic Hardware and Embedded Systems—CHES 2006, Lecture Notes in Computer Science, pp. 134–147, Springer, Berlin, Germany, 2006.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2017 Dongmin Kim and Ik Rae Jeong. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

916

Downloads

874

Citations