#### Abstract

Cloud computing is a fast-growing technology which supplies scalable, innovative, and efficient business models. However, cloud computing is not fully trusted, and the security of the data outsourced in cloud storage needs to be guaranteed. One of the hottest issues is how to ensure the integrity of the data in cloud storage. Until now, many researchers have proposed lots of provable data possession (PDP) schemes to deal with the problem of data integrity audition. Nevertheless, very little effort has been devoted to preserve the data uploader’s privacy while auditing the integrity of data shared in a group. To overcome the shortcoming, we propose a novel certificateless PDP protocol to efficiently audit the integrity of data shared in a workgroup with user privacy preserving. Due to the inherent structural advantage of the certificateless crypto mechanism, our PDP scheme eliminates the key escrow problem and the certificate management problem simultaneously. Moreover, the audition process in our scheme does not need any user’s identity which helps to keep the anonymity of data uploader. We give for our scheme a detailed security proof and efficiency analysis. Experiment results of performance evaluation demonstrate that our new scheme is very efficient and feasible.

#### 1. Introduction

Recently, cloud computing has continued to provide scalable and low-cost services to user. The core advantage of cloud storage is dynamic scalability that allows the cloud storage services to deal with increasing amounts of data. Therefore, a vast number of organizations and people would like to buy cloud storage service for data maintenance and management as one of fundamental investments. Moreover, with cloud storage platform, users are easy to work together in one team [1–4], in which they share data with each other. However, cloud service provider (CSP) is not fully trustworthy. The data stored in CSP might be corrupted or deleted because of accidental hardware errors, network exceptions, software bugs, or human mistakes [5–8]. Furthermore, the untrusted CSP can tamper the user’s data easily by either deleting or modifying them. To escape economic compensation and keep good reputation, CSP would not tell the truth to user. Additionally, with no audition mechanism, untrusted CSP can never be detected. Therefore, cloud users need to periodically audit whether the data outsourced in cloud storage server is kept well.

The PDP model supplies the user an efficient method to audit the integrity of the remote data in cloud storage. The audition process of PDP is conducted by a challenge-response mechanism. In PDP schemes, the data owner divides their data to many small data blocks and binds one tag to each data block. Since the tag contains the information of data block, user can get the integrity status of data block through checking the validity of the corresponding tag. Until now, many articles have proposed several types of PDP schemes [9–39] for different application scenarios. However, most PDP protocols are just suitable for checking the integrity of single data that belong to only one user.

In real applications, sharing data among multiple users is a common situation, in which the shared data can be used by any one of the workgroup. Therefore, auditing the integrity of data shared in a workgroup is an essential task which should be solved by PDP scheme. When auditing shared data, user anonymity against third party auditor (TPA) is an important security requirement. In practice, TPA is usually assumed to be honest-but-curious, which means TPA tries to guess the identity of data uploader when auditing the data integrity. If the identity is exposed, the data uploader may face great security threats especially when the data are sensitive. For example, every person can report to the government about criminal behaviors through open complaint platform. If the criminal knows who reported his behavior, he may revenge the reporter. To prevent criminal from revenging the reporter, it is necessary to preserve reporter’s identity privacy. Therefore, PDP scheme should keep confidential of uploader’s identity to TPA. Aim to this goal, Wang et al. [23] proposed a concrete PDP protocol with the notion of user privacy preserving for shared data. Following, several schemes [24–29] with user privacy preserving are proposed. However, most previous PDP schemes are constructed by the PKI technique which suffers from certificate management problems such as generation, distribution, renew, revocation, update, and verification. To avoid certificate management, some PDP schemes are designed based on identity-based public cryptography (IBC) [40]. However, IBC also has the natural drawback of “key escrow.” To address these shortcomings, certificateless cryptography (CLC) [41] is introduced as a cryptography primitive. In CLC, user’s private key is consisted of two components: the first is the partial key and the second is the secret value. User’s partial key is computed by the key generation center (KGC), but the secret value is computed by the user himself/herself which is unknown to KGC. Therefore, CLC overcomes the drawbacks of PKI and IBC simultaneously. Because of these advantages, some researchers utilize CLC to construct PDP schemes [31–39]. Nevertheless, these schemes also have other shortcomings such as no user privacy preserving, heavy computationally cost, or existing security flaws which reduce the practicability of the schemes. Thus, it is necessary and urgent to present more efficient and secure PDP scheme based on CLC with user privacy preserving.

##### 1.1. Our Contributions

Most previous PDP schemes only concentrate on verifying the integrity of personal data. However, to share data with multiple users based on cloud platform is a development trend and is becoming popular. Because any user can upload data to the cloud, the privacy of data uploader’s identity should be guaranteed. That is to say, TPA can audit data integrity with the help of CSP but cannot distinguish the exact data uploader.

In this manuscript, we mainly consider to verify the integrity of data shared in a group with user privacy preserving. Our primary contributions in this study are summarized as following.(1)We present the security model of certificateless-based PDP scheme for group shared data with user privacy protection. It defines the abilities of adversaries and the requirement of user privacy preserving.(2)We propose the concrete PDP scheme based on CLC for group shared data with user privacy preserving. The proposal can resist the attacks of two types of adversaries and keep user privacy against TPA.(3)We give rigorous secure proofs to prove the security of the proposed scheme in a random oracle model. We also demonstrate the performance evaluation results of our scheme and make comprehensive comparisons with several existing schemes.

##### 1.2. Related Work

The initial PDP model is proposed by Ateniese et al. [9], which tried to provide a method to verify the integrity of client’s data stored in a remote server without downloading the data. To get better efficiency, they realized blockless verification by using homomorphic verifiable tags. Furthermore, they proposed two concrete schemes based on the RSA algorithm. However, the schemes were only available for static data with no support for dynamic operations. With the aim to enhance the scalability, Ateniese et al. [10] extended their initial PDP schemes and proposed an improved one based on symmetric key encryption. Although the improved scheme realized dynamic data operations as appending, updating, and deleting, the drawbacks still existed that the challenge number of the scheme was limited and did not support data inserting. Subsequently, Juels and Kaliski [11] proposed a similar model called proof of retrievability (POR) which had error-correcting capabilities besides data integrity audition. To improve efficiency, Shacham and Waters [12] developed a compact PoR scheme with a shorter authentication tag.

Later, Erway et al. [13] presented a PDP scheme which supported public integrity audition and fully data dynamic operations. To improve the efficiency of dynamic operation, Yan et al. [14] realized a PDP scheme with a new data structure that stored all blocks operation records. To increase data durability, Liu et al. [15] presented a multireplicas data integrity checking scheme, which supported fully dynamic data updates. Li et al. [16] further considered a more complex environment that multicopies were stored in multi-CSPs, and they constructed a concrete scheme to check the integrity of all copies for one time. In other works, Wang [17] proposed a proxy PDP scheme in which a commitment was used to authenticate the validity of the auditor. Yan et al. [18] strengthened the restriction for the verifier and proposed a verifier-designated PDP protocol. Wang et al. [19] presented a notion of data privacy protection and designed a public auditable PDP scheme. Shen et al. [20] designed a PDP protocol to guarantee the privacy of authenticators.

In recent years, many cloud applications supported users to work in coordination with shared data. Therefore, how to audit the data shared among multiusers attracted many attentions. Wang et al. [21] designed the first PDP scheme by a ring signature technique to verify the integrity of data shared in a group with multiusers. The scheme also supported public auditing and user privacy preserving. Later, Yang et al. [22] proposed a PDP protocol for group data with user identity privacy and traceability. Wang et al. [23] designed a new PDP scheme to support dynamic groups which allowed group members to join or leave the group at any time. Wu et al. [24] developed a PDP scheme for auditing the integrity of data shared within multiple uploaders. Subsequently, Wang et al. [25] presented a PDP protocol based on the proxy resignature technique to address the problem of user revocation. Nonetheless, all these PDP schemes were designed by the traditional PKI mechanism which bears heavy cost of certificate management.

To eliminate certificate management, the identity-based cryptography (IBC) mechanism is used by many researchers to construct PDP schemes. Until now, several IBC-based PDP schemes have been proposed. For instance, Wang et al. [26] designed the first IBC-based data integrity checking scheme and proved its security under the defined security model. Yu et al. [27] presented an IBC-based PDP scheme which supported the dynamic group and data privacy protection. Tan and Jia [28] relied on an IBC-based signature scheme to propose a PDP scheme which also alleviated the users’ fear of losing their keys. To improve the applicability of cloud storage, Zhang et al. [29] proposed a proxy-oriented identity-based encryption with a keyword search scheme from lattices for cloud storage, which was postquantum secure. Furthermore, Zhang et al. [29] proposed a scheme CIPPPA to check the integrity of medical data generated by wireless body area networks (WBANs). CIPPPA can not only achieve conditional identity privacy of patients in WBANs but also validate malicious auditing behaviors with the help of ethereum blockchain.

Unfortunately, IBC also has its own inherent drawback named “key escrow.” To address this problem, PDP schemes based on CLC were proposed in many articles. Wang et al. [31] first presented a CLC-based PDP scheme for auditing cloud data. In this scheme, KGC computed the partial key for each user, but KGC did not know the user’s secret value, so the user’s private key was protected against KGC which avoided the key escrow problem. However, He et al. [32] thought the scheme in [31] is insecure because it did not give the formal security model. Subsequently, they proposed a CLC-based PDP scheme for checking the data of WBANs. Nevertheless, this scheme is proved insecure [33] either. To improve verification efficiency, Kim and Jeong [34] proposed a CLC-based PDP scheme with constant verification time. Similarly, Yang et al. [35] presented a PDP scheme for shared data integrity audition based on certificateless cryptography. The scheme claimed that it was able to guarantee user identity, but in the verification phase, TPA got the relationship between data and the public keys. Thus, it did not really realize user privacy preserving. Li et al. [36] presented a PDP protocol of group shared data based on certificateless cryptography, but the scheme lost the user privacy preservation feature. Kang et al. [37] proposed a certificateless public auditing scheme with privacy preserving for cloud-assisted WBANs which protected the data from being directly exposed to the TPA. Ming and Shi [38] proposed an efficient CLC-based PDP scheme with user privacy protection. Wu et al. [39] also designed a PDP scheme for multiusers setting with user privacy preserving, but the overheads of both communication and computation were too heavy especially in the challenge phase.

#### 2. Preliminaries

We first review some preliminary cryptography knowledge throughout this study.

##### 2.1. Bilinear Maps

Assume that two multiplicative cyclic groups and have large prime order . Let to be one generator of . Define is a bilinear map with the following properties.(a)Computability: for any , and there exist efficient algorithms to calculate the value of .(b)Bilinearity: for any and , and it has .(c)Nondegeneracy: , so that .

##### 2.2. Assumption

*Definition 1. *Computational Diffie–Hellman assumption: is a generator of the multiplicative cyclic group . Given , to get is computationally intractable with unknown . For any adversary , the probability for to solve this problem is negligible. We define the CDH problem as

#### 3. System Model and Security Model

##### 3.1. System Model

There are four participants in our scheme: KGC, CSP, user group, and TPA.(1)KGC is a trusted organization which generates the partial key for user. We assume the partial key is transmitted by secure channels.(2)CSP is the cloud storage service provider who maintains user’s data and generates integrity proofs to prove the data integrity when received the challenge from TPA.(3)A user group has several users, and every user can upload data blocks to CSP by which all users share their data to each other.(4)TPA is responsible for auditing the integrity of data shared in a group. TPA sends an integrity challenge to CSP and gets a proof from CSP. Then, TPA validates the rightness of the proof and informs the checking result to users.

The system model of the proposed scheme is shown in Figure 1. It assumed that CSP is semitrusted. Namely, it can execute audition protocol honestly, but lies to TPA when data are broken. TPA is honest-but-curious, that is, TPA audits the data integrity honestly and responds the real audition result to data user, but it is curious about the identity of data uploader.

Our certificateless auditing scheme for group shared data with user privacy preserving consisted of seven algorithms: , , , , , , , and . : with the security parameter , this algorithm generates public parameters and master private key . : KGC runs this algorithm to compute user’s partial key. It inputs the identity of the user and outputs ’s partial key . : each user performs this algorithm to compute the secret value : each user performs this algorithm to compute the public key : this algorithm generates an authentication tag for each data block. It inputs user ’s secret key , and the block outputs its tag . : this algorithm is performed by TPA to select a data integrity challenge : the algorithm generates the data integrity proof for each challenge . It takes the inputs of shared data , tags collection , and the challenge . : this algorithm is used to audit the rightness of integrity proof. It takes the inputs of the challenge , proof , and data identity . If passes the verification, the algorithm returns “;” otherwise, it returns “.”

##### 3.2. Security Model

Referring to [32, 42], the security model of our proposed scheme contains two types of adversaries. The first one denoted by cannot access the master key but can replace the user’s public key. The second one denoted by knows the master key but cannot replace the user’s public key. We utilize a game to cover the security characters of our scheme; the game involves a super adversary and a challenger . Setup phase: calls to generate the master private key and the public parameter . If is the first type adversary , gives to . If is the second type adversary , gives both the and to . Queries phase: makes four types of query to for polynomial times. returns the results to .(a)Hash query. Adversary queries about hash values of any hash function in the scheme. replies the hash value to .(b)Partial key query. Adversary can query any user’s partial key with the identity . calculates the partial key by the algorithm and returns to (this step is executed only by the first type adversary ).(c)Secret value query. can query any user’s secret value with any identity . computes the secret value by the algorithm and returns to .(d)Tag query. Adversary can randomly select blocks and query their tags generated by any user in the group. generates the tag of the queried block and sends the tag back to . If does not have user’s private key in this step, he can compute the key by and algorithms. Public key replacement: can change any user’s public key to any other value (this step is executed only by ) Forge phase: finally, submits to a forged proof for any with the public key . If the proof satisfies the following three conditions, wins this game.(1) passes the audition with and (2)If is the first type adversary , the partial key and secret value of have not been queried. If is the second type adversary , the secret value of has never been queried.(3) has never been performed the tag query with user identity and

*Definition 2. *A public certificateless PDP scheme for group shared data with user privacy preserving is secure, if for any adversary , to win the game above only with negligible probability.

User privacy preserving is another security feature of the scheme. Since multiple users share data with each other in a group, each one can upload data to the group. In many cases, users prefer to keep anonymous against TPA. An honest-but-curious TPA tries to distinguish the identity of data uploader during the data verification process. If the user information is revealed and leaked by TPA, the data uploader may face potential security threats. Thus, the scheme should guarantee user’s anonymity against TPA.

*Definition 3. *A public certificateless PDP scheme for group shared data is user privacy preserving, if no information about the user identity is revealed by TPA within the procedure of data audition.

#### 4. Construction of Our Scheme

We show the detailed construction of our certificateless PDP scheme for group shared data, which realizes public verification and user privacy protection.

Suppose the data is shared in a group with users denoted as . is split into blocks, and each block is denoted by , where is the block index. Different blocks may be uploaded by different users. The algorithms in our scheme are defined as follows. : KGC first sets the value of security parameter and selects a big random prime number with . Select cyclic multiplicative groups and with order and a bilinear map . KGC selects a generator of and three different hash functions: , , and . Then, KGC randomly selects and sets the master private key , so the master public key is . The system parameter is . : on receiving the identity of the , KGC computes as ’s partial key and sends it to by a secure channel : randomly selects a value and sets the secret value : with secret value , computes the public key : computes the value and generates the tag for the block by the following equation. Here, is the unique identification of the data . Finally, uploads to CSP. CSP validates the rightness of the tag by the following equation: It can be confirmed as follows: : to challenge the integrity of the data named , TPA randomly chooses numbers from the set to get a subset , where . For each number , CSP randomly selects a value and sets the . TPA submits to CSP. : with , CSP finds out all the challenged tuples . Then, CSP randomly selects a value and computes Finally, CSP sends the proof to TPA : when receiving returned from CSP, TPA computes and checks the following equation: If equation (6) holds, returns 1; otherwise, returns 0. The equation (6) can be confirmed as follows:

#### 5. Security Proof

In this section, we show the security proof of our new scheme under the security model defined in Section 3.2. In our proof, three hash functions used in our scheme are all random oracles.

Lemma 1. *If the CDH problem is hard for the group , our scheme is secure against .*

*Proof. *If the adversary wins the game, a simulator can be designed to solve the CDH hard problem resorting to . Let to be one CDH instance, and computes by following steps. Setup: sets the master public key , where is unknown to . randomly selects public parameters and gives them to . *h*_{1} query: adaptively queries the hash value of any identity . keeps a table for the *h*_{1} query. If contains the row , gets the row from and returns to . Otherwise, selects a random number and tosses a coin . Suppose the probability of is and the probability of is . If , computes . Otherwise, computes . responds to and appends a new row in table . Partial key query: sends any identity to for querying the partial key. maintains a table and searches the row . If the row exists, returns to . If the row does not exist, first gets from . If , aborts and exits the game, and if , sets and inserts the new row to . Secret value query: with the query , searches the row . If the row exists, sends to . Otherwise, randomly chooses a value , returns to , and inserts the row to . Public key query: for the queried , searches the row ; if it exists, returns to . Otherwise, selects a random value , sends to , and inserts the row to . Public key replacement: sends to to replace user’s public key with new value . searches the row ; if it exists, returns and update the row to . If the row does not exist, insert a new row to . *h*_{2} query: can query the hash value of at any time. For this query, keeps a list with tuple . If the row exists in , retrieves and returns it to . Otherwise, randomly chooses a value and returns to . inserts a new row into . *h*_{3} query: can query the hash value of at any time. For this query, keeps a list with tuple . If the row exists in , retrieves and returns it to . Otherwise, randomly chooses and returns to . Then, inserts a new row into . Tag query: for the tag query , gets the row from . If , aborts and exits. Otherwise, searches , , and from , , and , respectively. computes the tag: and returns it to . Forge: at last, gives a forged tag for block with the identity , block number , and . It is restricted that has not executed the tag query under such conditions before. Analysis: it is not difficult to see that if wins the game, the equation must hold according to equation (3). Then, gets the row from . If , aborts and exits. Otherwise, continues to find the row from , from , and from . Thus, the equation above can be changed to . We can compute the result of given CDH instance: .We can see that if , the game is perfect. Assume makes times partial key query and times tag query; the game is performed successfully with the probability of . Therefore, if wins the game with the probability , can successfully output the result of with the probability . As known, CDH problem is hard for the group , so our proposal is secure against .

Lemma 2. *If the CDH problem is hard for the group , our scheme is secure against .*

*Proof. *If the adversary wins the game, a simulator can be designed to solve the CDH hard problem resorting to . Let to be one CDH instance, and computes by following steps. Setup: picks a random number as the master private key. gives all the public parameters as well as the master private key . *h*_{1} query: makes a list for the *h*_{1} query. If the user identity queried exists in , retrieves the row and responds the value to . Otherwise, selects a random number of , responds to , and inserts to . Secret value query: can query the secret value for any user identity . makes a list to trace the results for this query. If existing in , returns to . Otherwise, selects a random number and computes . inserts the row to and returns to . Public key query: can query the public key for any user identity . searches from **.** If existing in , responds to . Otherwise, chooses a random value and computes . inserts the row to and returns to . *h*_{2} query: can query the hash value of at any time. For this query, keeps a list with tuple . If the row exists in , retrieves and returns to . Otherwise, randomly chooses and returns to . inserts a new row into . *h*_{3} query: can query the hash value of at any time. For this query, keeps a list with tuple and presets a special row . If the row exists in , retrieves and returns it to . Otherwise, randomly chooses and sets . inserts a new row into . Tag query: for the tag query , gets the rows , , , and from , , , and , respectively. Then, computes the tag and returns it to . Forge: at last, gives a forged tag for block with the identity .and total block number . The block has not be executed the tag query under such conditions before. Analysis: if wins the game, the following equation must hold according to equation (3). Then, gets the row , , , and from , , , and . If , aborts and exits. Otherwise, changes the equation above to . We can compute that the result of given CDH instance is .According to the analysis, if , can successfully output the result of . Assume makes times h_{3} query, and also, there are rows in the . Thus, if wins the game with the probability , can get the value of with the probability . Because CDH problem is hard for the group , our proposal is secure against for .

According to the Lemmas 1 and 2, our proposed scheme can resist both the adversaries of and . Therefore, we can give Theorem 1 as

Theorem 1. *If the CDH problem is hard for the group , our proposed data integrity auditing scheme is secure in the random oracle model.*

Theorem 2. *TPA cannot reveal the identity of data uploader within the process of data auditing.*

*Proof. *From the audition algorithm of our scheme, it is not difficult to prove that TPA cannot know the data uploader of challenged data. First, the user’s identity is stored by CSP privately, and no one knows the relation between data and user identity except CSP and users themselves. In the verification phase, TPA checks the proof by equation (6) without any information about user identity. Moreover, CSP also hides the user identity in the proof by random value . Therefore, our scheme can guarantee the user privacy against TPA.

#### 6. Performance Analysis

##### 6.1. Performance Evaluation

We summary the performance of our protocol from aspects of computational and communicational cost, which are shown as follows (Table 1 ). Computational cost: let , , and represent the computational cost of pairing, exponentiation on , and exponentiation on , respectively. Others like hash function, addition, and multiplication on are omitted because they only incur negligible cost. It is easy to see that the algorithms such as , , , , and only need negligible cost, so we omit the performance analysis about these algorithms. The algorithm needs for generating one tag. Thus, the computational cost for generating all tags is . algorithm is performed by CSP to generate proof which needs cost of . The algorithm is run by TPA, and it costs . Moreover, we compare the computational cost of our scheme with that in other three similar schemes in Table 1, in which is the count of group users. From Table 1, we can get that the tag generation cost of our scheme is almost the same as that in [31, 36], which is much lower than that of [37]. In the proof generation step, our scheme has the highest cost than that of other three, that is, because our scheme does more work to hide the relationship of data and data uploader, so as to realize the user privacy preserving. We can see that only our scheme can preserve user privacy against TPA, while other three cannot. In the proof audition step, our scheme is the most efficient one compared with other three schemes. In summary, our scheme is computationally efficient. Communicational cost: in our scheme, a tag is one element of , so the communication cost for data transfer form is , where denotes the size of outsourced data and is the size of user identity. The size of each challenge is bounded of , and the proof size is .

##### 6.2. Experiment Results

We implemented a prototype of our scheme with PBC library [43], which is based on the library of GMP [44]. Our experiments are executed in the Ubuntu Kylin-15.10 operating system with VMware workstation. We give 1 CPU and 1G Ram to the virtual machine and use the Lenovo laptop X270 as the host which installs the Win10 operation system with Core i5 CPU and 8G Ram. We choose the typical “Type A” elliptic curve supplied by PBC in our experiments. In order to accurately show the advantage of our scheme, we implement schemes in [31], [36], and [37] simultaneously.

We first make experiments to evaluate the efficiency of tag generation. We prepare 1000 randomly selected data blocks and run ten experiments with different number of tags. The results are shown in Figure 2. We can see that the computation cost increases linearly with the number of tags rising, which is consistent with the theoretical analysis. However, computing 1000 tags only costs about 9.8 seconds which is feasible.

Second, we make experiments to test the performance of proof generation. In this experiment, we simulate 100 different users and change the number of challenged blocks from 100 to 500 with total 1000 blocks. The experiment data are shown in Figure 3. From Figure 3, we can see that our scheme costs much more time than that of other three. The reason for this situation is analyzed before; specifically, we embed the relationship of challenged data and data uploader into the proof while other three schemes compute the proof only with data and tags without hiding the relationship. When checking the proof, TPA in other three schemes should use the data owner’s public key which exposes the relationship of challenged data and the data owner.

The cost of proof audition is shown in Figure 4. The schemes in [31, 37] have the similar cost, the gap of which is very small. The cost of scheme in [36] is associated with the number of group users, so it has the most cost in the beginning. However, with the number of challenged blocks increasing, the audition cost of [31, 37] exceeds that of the scheme [36]. Overall, our scheme is the most efficient, one in this step, which needs only 2.5 seconds for 500 challenged blocks.

It is well known that CSP has great computation ability, but TPA is usually a normal workstation or personal computer. Although our scheme costs more time when generating the proof in the experiments, it is done by CSP which makes the gap be negligible in real environment. However, the different of TPA in our experiments and in real environment is very small, so the advantage of proof audition in our scheme is the very important.

To improve the efficiency of the data integrity audition scheme, we can assign more workload to CSP but less to TPA. We summary the computation cost of CSP and TPA in the four schemes with 500 challenged blocks. The results are shown in Figure 5, from which we can see that our scheme assigns the most workload to CSP but the lightest workload to TPA. Thus, compared with recent researches, our scheme is efficient especially for TPA.

#### 7. Conclusion

In this article, we propose a public certificateless PDP scheme for cloud storage. Our scheme not only inherits the advantages of certificateless cryptography but also has the merit of user identity privacy protection. With our scheme, TPA can audit the integrity of group shared data rightly without revealing the data uploader so as to preserve user’s privacy. We formalize the security model of our scheme with two types of adversaries and prove its security in the random oracle model. Experimental result demonstrates that our proposal is efficient.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was supported by Program for Scientific Research Foundation for Talented Scholars of Jinling Institute of Technology (JIT-B-202031), the Opening Foundation of Fujian Provincial Key Laboratory of Network Security and Cryptology Research Fund, Fujian Normal University (NSCL-KF2021-02), the National Natural Science Foundation of China (61902163), and the Key Program of National Key Research and Development Project “Cybersecurity” (2017YFB0802800).