Public Integrity Auditing of Shared Encrypted Data within Cloud Storage Group

Han, Chunxia; Wang, Linjie

doi:https://doi.org/10.1155/2022/1493768

Wireless Communications and Mobile Computing

On this page

Abstract Introduction Related Work Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Service-Oriented Management and Computing in Edge-Cloud IoT

View this Special Issue

Research Article | Open Access

Volume 2022 | Article ID 1493768 | https://doi.org/10.1155/2022/1493768

Public Integrity Auditing of Shared Encrypted Data within Cloud Storage Group

Chunxia Han¹and Linjie Wang¹

Academic Editor: Yingjie Wang

Received01 Nov 2021

Revised26 Nov 2021

Accepted25 Jan 2022

Published25 Feb 2022

Abstract

The pandemic of COVID-19 has posed a severe challenge to the traditional on-site centralized development projects; people therefore have to share data in a group by the cloud storage server and develop projects at home. The cloud server is untrustworthy, although it supplies the powerful computing capability and abundant storage space; so far wide research has been proposed to verify data integrity. Therefore, how to leverage the cloud server and ensure the integrity of the data (especially the encrypted data) stored on the remote cloud devices remains an issue for the clients. To address this issue, we utilize the technique of homomorphic hash function to implement reencryption ciphertext blocks and introduce a certificateless signature scheme for the integrity verification of encrypted data shared within a group. A detailed challenge-and-response game represents that the proposed scheme can preserve encrypted data blocks integrity against the internal/external attacker and malicious cloud service servers. We give the theoretical and experimental performance analysis of the scheme and exhibit that the scheme is efficient and practical.

1. Introduction

To date, cloud storage service has been an efficient paradigm for storing and sharing data information and a cooperation platform for staff to collaborate in many companies. Once a project manager can upload tasks to the server, each project participant can access, download, and modify the corresponding files through the network without any geographical restriction. Especially with the travel restrictions caused by the COVID-19 pandemic, people can only stay in their own homes and work through the Internet; thereby the use of cloud services for task cooperation and sharing has become particularly important. In the real world, Dropbox for Business [1], TortoiseSVN [2], and Google Drive already have become cloud service platforms for employees to share and collaborate online.

However, the prerequisite for this type of application to facilitate many company staff to work together is whether the cloud server provider (CSP) can make sure that the data is retained intact. In the field of cloud services, there is a multitude of inevitable internal and external attacks [3], as a slice of examples, the failure of software or hardware, illegal access, and deliberate deletion or corruption of the outsourced data, resulting in unreliable cloud services. Owing to the existence of these above attacks, the integrity of data is destroyed, which will inevitably reduce the availability and storage significance of data. This paper focuses on the integrity of data stored in the cloud.

For decades, to address the integrity verification of data, an army of studies on remote data integrity checking have been proposed by papers [4–16], and these schemes give efficient approaches to verify the integrity of outsourced data on cloud server without downloading them. However, all the above solutions are focused on the integrity auditing for individual data without involving the situation of sharing data in a group. How to verify the integrity of the shared data in a group is an interesting and essential task in the cloud server, which is also another item for the cloud service.

Remote data integrity verification is a technology that, for the data stored in the virtual cloud server, there is no need to download the entire file locally to check the integrity of data. When a project with data attached to it is uploaded to a cloud server and shared among multiple engineers, some new challenges emerge and these challenges cannot be solved well with existing individual data integrity verification solutions. According to the above scenario, the project with data attached is divided into blocks and sent to the engineers of the project group, and different engineers will output different block tags in the same block. When a block is modified by the engineers of the project group, the new block tags will be regenerated. In a project group, all engineers will either online or offline compile their tasks, but no matter which kind they are required to store the results of the day’s tasks in the cloud server and generate block tags for checking. To ensure that each engineer is honest to compile the project with the given data, the project manager must act as a verifier to verify the integrity of the data from time to time. When the verifier wants to audit the integrity of raw data, it needs to aggregate all tags with the engineer’s identity information. The process of verification is more complicated and brings a significant volume of calculation [17–24]; these protocols thereby are not valid for the case of data sharing in a group.

When the data is shared among the engineers in the project group, also other challenges appear where some engineers in the group maybe withdraw from the group due to some special circumstances, such as being transferred to another project group or misbehaving. As a result of the above situations, the tags generated by the revoked user are invalid and need to be renewed by the other legitimate members. In addition, the data in the shared group also needs to be updated frequently, which also leads the tags to be changed constantly. For security reasons, if the identity of an engineer is revoked, all data as well as the corresponding tags, which belong to the revoked members previously, still have to be renewed by the existing user in the group. According to common sense, when an engineer exits the project, then its task will be transferred to other engineers, and its identity information in the project will be revoked; that is, its public/private key for participating in the project will become invalid. Considering the fact that the shared data is not stored on local devices, the traditional way is to download all data previously generated by the revoked engineer and ask an existing engineer to renew the tags and finally upload the new tags to the cloud server again. This operation can safely transfer the task to the engineer existing in the task, but it may significantly increase the existing engineer communication cost and calculation resources, especially when a considerable volume of the blocks needs to frequently change and update. To overcome the above drawbacks, the execution of the verification operations should be outsourced to CSP instead of execution by the existing engineers. Besides, integrity verification of shared data can be verified not only by the members of the shared data group but also by everyone who wants to leverage the data blocks in the cloud service. As a result, it is of tremendous significance that the scheme to be proposed can meet the public verification with the help of CSP.

At present, plenty of integrity verification schemes for shared data in this group have been put forward. Most of them [25–29] focus on the PKI technology based on the trustworthiness of certificate authority (CA), where it is difficult to find a trusted CA. Others are identity-based [28, 30] remote data integrity verification protocols, which rely on the private key generator (PKG) to generate all private keys. However, this approach suffers from a key escrow problem. Therefore, how to efficiently verify the integrity of outsourced data in a shared group by a public verifier and transfer the revoked members’ data to existing members without downloading the data from the cloud service, as well as solving the key escrow and certificate management issues, is a challenging task.

Reviewing the existing protocol solutions, we mainly focus on the integrity verification for the encrypted shared data in a group. In this paper, we assume that there is an encrypted business project, which is divided into numerous encrypted subprojects, and it needs plenty of engineers to participate in development. A project manager, who invites the engineers to a temporary project group, takes charge of the system parameters and encrypts the raw project. Then the project blocks encrypted with public keys of specified members in the group are uploaded to the cloud service so that the engineers within the group can modify and upload subprojects compiled online or offline. If this is a big project with plenty of engineers in the project group, there are some issues to be addressed efficiently, for example, the integrity verification after legitimate changes to subprojects under development, the members revocation problem, and the entry of new members.

1.1. Contributions

To overcome the disadvantages of previous schemes and address the aforementioned issues, we propose a new remote data possession checking scheme for encrypted shared data group. The contributions of the proposed scheme are presented as follows:(i)We propose a new remote data possession checking scheme to audit encrypted shared data in each group, in which the certificateless public key system is utilized as an underlying encryption mechanism, and the homomorphism hash approach is used to regenerate the ciphertext to improve the efficiency of member revocation scheme.(ii)We then construct a public auditing scheme for verifying the integrity of encrypted data in the cloud service provider based on the corresponding certificateless authentication tag aggregation.(iii)We design a ciphertext conversion scheme which leverages a homomorphic hash function to convert the ciphertext of the revoked member into the ciphertext of the existing member. The scheme has been implemented and the results are more efficient compared to state-of-the-art protocols.(iv)We have proven the security of the proposed scheme which is based on the stability of CDH and DL assumptions by simulating a challenge-and-response game involving two players: a challenger and an adversary.

1.2. Organization

The rest of this paper is organized as follows. Section 2 discusses the prior work done in verifying the integrity of group shared data. Section 3 introduces the preliminaries and Section 4 defines the problem statement which includes system model, design goals, outline of the scheme, and the secure model. The detailed construction of our scheme is presented in Section 5. The proposed scheme is simulated and a challenge-and-response secure model is formalized in Section 6, and we assess the efficiency of the proposed scheme in Section 7 based on the computation cost of tag generation and verification, communication cost analysis, and vocation analysis compared with the existing schemes. The conclusion of this paper is presented in Section 8.

Since Deswarte et al. [4] first proposed a scheme for checking the integrity of data stored on remote virtual cloud servers; so far, a number of auditing schemes have been proposed. Among the proposed schemes, they can be generally divided into two directions: Provable Data Possession (PDP) [5] and Proofs of Retrievability (POR) [23].

The PDP scheme is proposed by Ateniese et al. [5] based on RSA signature and sampling strategies to improve the efficiency of integrity checking without retrieving the whole file. However, there is a limitation for this scheme; that is, it is only suitable for the auditing of static data files. To overcome this limitation, Ateniese et al. [31] presented the revised version of PDP based on symmetric encryption to efficiently address the dynamic checking issues instead of handling the insertion operation. Erway et al. [18] gave a dynamic provable data possession (DPDP) scheme, which supports full data dynamic operations to solve the insertion operation and improve the verification efficiency by leveraging the authenticated skip list.

To support fully dynamic data, Wang et al. [32], Erway et al. [18], and Zhu et al. [33] successively proposed schemes to construct auditing mechanisms supporting fully dynamic data, respectively. To realize public verification and dynamic data operation, Liu et al. [34] gave a dynamic public auditing scheme based on the Merkle Hash Tree (MHT), in which the block tags are generated by the data owners, and this incurs the increase of communication and calculation cost. To overcome this drawback, a scheme [35] to solve the heavy calculation burden on the data owner side at the expense of data owner’s privacy has been proposed, in which both tag generation and integrity verification are implemented by the cloud server. The issue of privacy-preserving in public auditing has been addressed, in which the data blocks are blinded by a data owner before generating signatures by the third party [36]. In another related research, to avoid the certificate management problem of PKI, some PDP schemes based on Identity-Based Signature (IBS) [37, 38] were proposed. The major problem of IBS is the key escrow, which is solved by a certificateless-based signatures PDP scheme [39].

Similar to PDP, the POR is another approach introduced by Juels et al. [23] to audit the integrity of remote data stored on the cloud service. An improved POR scheme is given by Wang et al. [10] to authenticate block tags, in which a security proof is revised in their previous work. Based on the previous works of Erway et al. [18] and Ateniese et al. [5], a generic framework DPOR is proposed by Etemad et al. [40] to store call updated information in the logs. Apart from the aforementioned protocols, some other publicly verifiable protocols are published. Hao et al. [41] gave a public verification without including a TPA, and Shen et al. [42] solved the loss of private key for auditing issue. Wu et al. [43] introduced a time encapsulated POR protocol that could check the integrity of data and timestamp by verifier.

All schemes mentioned above mainly devote themselves to verifying the integrity of individual data. Since Wang et al. [44] proposed a scheme for auditing the integrity of data shared in a group in 2012, a succession of verification schemes for sharing data in a group have been proposed [7, 26–29, 45]. Among these schemes, [26, 27, 29, 45] represented PDP schemes for group data based on the signatures, respectively, and all of these schemes are more or less deficient in efficiency and revocation. To solve the multiuser modification problem of blocks, [28] based on PKI mechanism proposed a PDP scheme of polynomial authentication tags, which led to a heavy burden of certificate management. Recently, Li et al. [7] based on certificateless mechanism proposed a public integrity checking of group shared data on cloud storage, which changes the data tags of the revoked member into the existing member’s tags. However, the data within the group in the scheme is all plaintext, which cannot satisfy the situation that the shared data in the group is ciphertext. According to all references mentioned above, although there are numerous schemes that can solve the problems of user adding and revocation in a shared group, on the premise of integrity auditing, there is no verification research on the integrity of encrypted data in a shared group. Therefore, we devote to designing a scheme for the integrity verification of encrypted data group in cloud service, which not only satisfies the member addition and revocation but also decreases the computational burden of challenge proof on the client side with the help of CSP.

3. Preliminaries

3.1. Bilinear Maps

Let and be two multiplicative cyclic groups of prime order , and let be a generator of . A bilinear map has the following properties:(1)Computability: there exists an efficient algorithm to compute map .(2)Bilinearity: for all and , .(3)Nondegeneracy: there exists a point such that .

3.2. Complexity Assumptions

In our scheme, the security is based on the following security assumptions.

Definition 1. (Computational Diffie-Hellman (CHE) Problem). Let ; given the tuple as input, output .

Assumption 2. (Computational Diffie-Hellman (CHE)). For any probabilistic polynomial time () algorithm, is negligible, where .

Definition 3. (Discrete Logarithm (DL) Problem). Let be a generator of ; given the tuple as input, output .

Assumption 4. (Discrete Logarithm (DL)). For any probabilistic polynomial time () algorithm, is negligible, where.

3.3. Homomorphic Hash Function

For a finite field and a multiplicative group of order, a family of homomorphic hash functions are a collection , where is the index yielded by an efficient algorithm. A homomorphic hash function [46] consists of the following properties:(1)One way: given and an index , there is no polynomial time adversary which can find a .(2)Collision resistance: given an index , it is hard (computationally infeasible) to find two vectors for which .(3)Homomorphism: given an index and any , “” is either a “” or a “+.”

4. Problem Statement

In this section, we show the system model and secure model and illustrate the design goals and the outline of our proposed scheme.

4.1. System Model

Similar to [7, 27, 29], we combine the cloud architecture with an example of sharing and developing encrypted files by the staffs of a company that are in the same group or department. The system model consists of three major entities: project group (i.e., members involved in the project), cloud service provider (CSP), and public verifier, and the relationship and the interaction situation among them are represented in Figure 1.

Project group consists of a volume of project members and a project manager that rents the cloud service platform. In the given example, a project manager is the original owner of the project file and takes charge of dividing the file into encrypted blocks, system parameters generation, member joining/revocation, and sharing the blocks in the project group through a cloud service provider. All project members can access, download, and modify the specified, encrypted data blocks.

Cloud service provider offers a wealth of storage services and powerful computing abilities by charging a certain fee. Referring to the research in [7], CSP can honestly implement the scheme but may try to gain the content of stored files and return an incorrect result to the verifier to get some extra benefits. Therefore, we assume that the CSP is semitrusted, encrypting all file blocks stored in the CSP, and generate tags corresponding to the project members.

The verifier can be any member of the project group that checks the integrity of encrypted data blocks kept in the CSP. Once a verifier sends an integrity auditing request, the CSP generates and returns the verification information. The verifier then checks the correctness of the auditing proof and reports the verification result.

4.2. Design Goals

To efficiently and securely verify shared encrypted data with a volume of members in a project group, our proposed scheme should be designed to achieve the following properties:(i)Correctness: Based on the challenged proof generation, the verifier is able to correctly detect the integrity of challenging blocks.(ii)Unforgeability: Only the specified member in the project group can yield valid verification information on the encrypted data blocks.(iii)Identity privacy: During the integrity of auditing, the CSP cannot distinguish the identity of tag generator on each randomly picked block in the shared project group.(iv)Tag-updating: When the identity of some members in the project group is revoked or new members are added, the corresponding ciphertext tags should be updated efficiently and securely.(v)Verifiability: Random verifier is able to verify the integrity of ciphertext attached tags by the challenged proof calculated by the CSP.

4.3. Outline of the Scheme

The scheme consists of eight steps:(1): Taking a security parameter as input, the project manager implements this step and outputs the master key and all system parameters .(2): Taking the member’s identity , the master key , and the parameters as input, the project manager executes this step and outputs member ’s partial key .(3): Taking the member’s partial key and the parameters as input, the project member runs this step and returns pairing private/public key .(4): Taking the file blocks and member’s public key as input, the project manager executes this step and generates a ciphertext .(5): Taking the ciphertext and a private as input, the project member leverages this step to generate a tag attached to the ciphertext block when uploading to CSP.(6): Taking the count of challenged block as input, the verifier runs this step to output a challenge information appending the block name for the integrity querying of the data file.(7): Taking the challenge information , the challenged encrypted block set , and tag set as input, CSP runs this step and responds with the integrity proof .(8): Taking the integrity proof , the challenge information , and the public parameters as input, the verifier implements this step and returns if result passes the verification; otherwise, it returns .

Note that, in addition to the above steps, there are two other steps: and. Step is executed by the project members, which invites some other members who are not in the project group, and step is also implemented by the project members, and the procedure is divided into two scenarios depending on whether the revoked member has invited members to participate in the project group.

4.4. Secure Model

Since the certificateless cryptography [47] is the underlay of our new scheme, and referring to the security model of data integrity auditing protocols represented in papers [30, 39, 48], we consider the security requirement and adversary model of the encrypted shared scheme against a fully-adaptive chosen ciphertext attacker (IND-CCA) [47, 49] which involves a challenger and four types of adversaries, namely ,, , , and. Among the four adversary types, although adversaries and both execute the tag-forge attacks, they have different attack capabilities. Type implements the ciphertext integrity proof attack to cheat the verifier, and type tries to generate a forgery of regenerated ciphertext and passes the verification of ciphertext receiver. We give the four following games to illustrate the security model in detail.

4.4.1. Setup

There are two parties, adversary for and challenger that keeps the private keys and the master key security and sends the public system parameters to. Challenger interacts with adversary for in this game. In order to generate a forgery of tag in a security game, needs to execute the following different queries: hash query, key query, public key query, public key replacement, encryption query, and tag query.

4.4.2. Common Queries

gives the polynomial times different queries to which responds to the following queries:(1)Hash query is adaptively made by and the hash values are responded by .(2)Key query is adaptively run by to submit different target identity (first running the step by for if necessary) to for querying the key, and then a key pairing for is responded to by performing the step .(3)Encrypt query is adaptively implemented by to submit different plaintext to , and then a ciphertext with both the randomly picked value and the public key is responded to by .(4)Tag query is adaptively executed by to query the tag of any ciphertext block with the corresponding member’s identity , and then a tag is returned by running the step .

4.4.3. Game1

In this game, adversary not only executes the above but also runs the following specialized queries:(1)Partial key query: is adaptively implemented by to submit different target identity to , and then the partial key for the is responded to by running the step .(2)Public key replacement: According to the assumed capability of , it can replace the public key of any with random value multiple times if necessary.

4.4.4. Forgery

Eventually, there are two scenarios on the forgery tag output by adversary . One is that outputs a forgery tag for the ciphertext block encrypted by the public key, and the tag is generated with the public key and the identity . The other one is that outputs a forgery tag for ciphertext block encrypted by public key , and the tag is generated with the public key and the identity . In both scenarios, such adversary does not have access to the master key of system, but it can request the public key and has the capability to replace the member’s public key and make the tag queries for all identities of its random choice. However, if wants to win the game, there are several natural restrictions on adversary as discussed below:(1) cannot request a query on the private key for identity at any time.(2) cannot both query the partial key for and substitute the public key of identity at the same time.(3) cannot make a tag query for the encrypted target data block with the identity and the public key .(4)In addition to the above limitations, can forge a valid tag for the encrypted data block with the identity and the public key , and it also can forge a valid tag for the ciphertext block encrypted with the legitimate public key , where the tag is generated by the replaced public key and the identity .

4.4.5. Game2

In this game, adversary only executes the above and then forges the tag for the ciphertext with the identity .

4.4.6. Forgery

In this process of forgery, adversary is unable to replace the member’s public key, but it has the capability to access the master key of system. However, there are also two scenarios on the forgery tag output by adversary . One is that outputs a forgery tag for ciphertext block encrypted by the public key , and the tag is generated with the public key and the identity . The other one is that outputs a forgery tag for ciphertext block encrypted by public key , and the tag is generated with the public key and the identity . In addition, if wants to win the game, it is subject to the following restrictions:(1) can neither query the private key nor replace the public key for at any point.(2) cannot make a tag query for the encrypted target data block with the identity .(3)In addition to the above limitations, can forge a valid tag for the encrypted data block with the identity, as well as the legitimate public key .

Definition 5. The scheme is semantically secure against the single tag forged attack of the ciphertext block if adversary or in polynomial probability time has a negligible advantage to win and .

4.4.7. Game3

In terms of Definition 5, an adversary cannot forge a legitimate label for a single ciphertext block without accessing the right private key. In this game, we consider that adversary that acts as the untrusted CSP in the system attempts to persuade the verifier to pass the integrity verification of corrupted data. Inspired by [7], challenger plays two roles, that is, the honest CSP and an integrity checker, and the operation of is executed as follows:

Tag query: The target tuple is adaptively selected by and sent to , which responds with the querying tag which is generated with the ciphertext and the identity by the step .

Challenge: Challenger , which acts as the verifier, generates and sends a random challenge information to , which is requested to respond with the corresponding data possession proof for .

: Once receiving the challenge information , acts as the CSP, generates a proof , and responds to. The premise for to win the game is that the miscalculated block information in proof can pass the integrity verification successfully.

Definition 6. The scheme is semantically secure against forging the integrity proof on incorrect data if adversary in polynomial probability time has a negligible advantage to win .

4.4.8. Game4

In this game, the specified member acts as adversary that interacts with challenger . Here, the revoked member and CSP are regarded as the trusted parties. If the reencrypted data has been corrupted, tries to cheat the verifier that the tag generated by reencrypted data can pass the integrity verification. In terms of Definitions 5 and 6, we know that any adversary cannot pass the tag verification on a single block without accessing the private key and correct data. Therefore, the focus of this game is on whether adversary can forge the integrity proof of reencrypted data to pass the verification. Inspired by [7, 29], challenger plays two roles, that is, the honest CSP and a revoked member, and the operation of is executed as follows:

Reencrypt key query: adaptively picks an identity and submits it to challenger for querying the reencrypting key of . runs the reencrypting key subroutine in step and returns the reencrypting key .

Tag query: The target tuple is adaptively selected by and sent to for querying the tag for the reencrypting ciphertext . According to the step , responds the tag generated by ciphertext and to adversary.

4.4.9. Forgery

Eventually, outputs a forgery tag for the target ciphertext with the identity .

Definition 7. The scheme is semantically secure against forging the integrity proof without both correct identity and reencryption key if adversary in polynomial probability time has a negligible advantage to win the aforementioned .

5. Our Scheme

Without loss of generality, there is a project manager named in the group which is in charge of the generation of system parameters and other engineers’ partial secret keys. Suppose that the project is divided into project blocks as the following . invites engineers in one group to execute this project, and each engineer has a unique identity represented as for . In order to keep the security of each block, all project blocks stored on the CSP should be encrypted by the public key of the corresponding developing engineer; namely, , in which represents the ciphertext of subproject . The scheme consists of the following steps:

: takes as input a security parameter and outputs the public parameters including two multiplicative cyclic groups and and a bilinear map , where the orders of and are both the big prime and is a generator of . It sets two collision-resistant hash functions and. Two pseudorandom generators and are selected, where and are used to generate the pseudorandom value and pseudorandom permutation, respectively. selects a master key and calculates the public key . All the parameters are published.

: When receiving the identity of the participant engineer , the project manager returns by secure channel as the partial private key of .

: randomly selects secret value as a partial private key and constructs ’s private/public key pairs as and , where and .

: The project manager randomly picks a value and encrypts project blocks (engineer could be assigned project blocks) into leveraging ’s public key and uploads them to the CSP, where , for, and. Note that only executes this step once, encrypting the corresponding project blocks by utilizing every engineer’s public key, and later this step is mainly implemented by the engineers involved in the project.

: Since each block has a unique file name , a tag will be generated for all the encrypting blocks of file . Suppose that the project engineer wants to generate tags for each uploaded encrypted block . It randomly picks a parameter , first encrypts its developed project blocks into , and then generates tags for the ciphertexts, where. Then, project engineer uploads to the CSP. Then, the CSP utilizes the public parameters and the data provided by the user to construct an (1) to check the correctness of all ’s tags:where .

: Anyone as a verifier can check the integrity of group data stored in CSP. The verifier randomly picks the challenged block count and two values. Then the challenged information appending the file name is sent to CSP.

: Once the CSP receives , the challenge information set is calculated, in which is the regenerated parameter by the pseudorandom generator, and the subset (for ) of is a new index permutation of challenge block regenerated by the pseudorandom generator. Without loss of generality, suppose that the challenge block set consists of encrypted blocks and let denote . Let the challenge block subsets , , belong to engineers , , , , respectively, where the permutation is the rearrangement of permutation . We can obtain and for , where the set is the subset of permutation and . The CSP calculates two sets and , where and . Finally, the proof is sent to the verifier.

: Upon receiving proof , the verifier utilizes the precalculated values set to generate a set of challenge blocks. According to the tag generation rules, the verifier obtains to generate all the tags of participating challenge blocks. Then it takes all above proof information as input to check whether (2) holds, where :

If this equation holds, it outputs either (”“) or 0 (”“). The correctness of this scheme can be checked by the following equality:

5.1. Invite to Join

If engineer invites another engineer to participate in its subproject, first sends an identity concatenation to , and then responds a partial private key to by secure channel. randomly chooses to generate its secure key and public key , where and .

While successfully joins the project and wants to edit’s some block (named ), the specified file ciphertext block needs to converted to a block encrypted by ’s public key. The reencryption key is generated and the ciphertext turns into which is encrypted by ’s private key and parameter randomly picked by . Note that the reencryption key is bidirectional; that is, it can be utilized to transfer the ciphertext from to and vice versa.

: When receiving the identity , calculates the reencryption key and sends it to. Then calculates ciphertext for block as .

5.2. Revoke a Participant

Once an engineer leaves the project, the project manager should claim the private/public key pairings of to be invalid. At the same time, the contents consisting of the ciphertext, tags, and so forth of the file block associated with the revoked engineer are also changed. Otherwise, there are some secure risks on the ciphertext and tags which are executed by ; thereby the integrity of the ciphertext cannot be checked either. In this process, there are two situations to be considered: one is that the revoked user has invited engineers in the project, and, in this case, any inviter (named ) can be required to replace the tag and ciphertext of the revoked user. In the other case, does not invite any users to participate in the project, so the project manager needs to convert the ciphertext and tags for . We represent the detailed implementation as follows:

: Assume that is the revoked project member, and is the member who continues the project in place of . In this section, CSP is used to check the correctness of regenerated tags by . In addition, suppose that , , and CSP are all online simultaneously during this procedure.

Without loss of generality, let member as a specified recipient take charge of all blocks of the revoked engineer. utilizes the step to regenerate the ciphertext of , and the block tag is yielded by .(1) calculates and sends it to , where .(2)Leveraging the key , calculates and and publishes the regenerated ciphertext of block for . Then, calculates the tag to CSP for.(3)While receiving the tuple , CSP verifies (1) to ensure the validity of the tags.

6. Security Proof

In this section, we give the secure proof of the proposed scheme via the following properties.

6.1. Security Analysis

Theorem 1. If a polynomial probability time adversary has an advantage to win described in Section 4.4 within time after executing the most Hash-1 queries, key queries, Public Key Replace, encryption queries, and Hash-2 queries and requesting at most times tag queries, then there exists a -simulator that can address the CDH problem with , where one exponentiation costs time on, one scalar multiplication operation costs time in, and is the base of natural logarithm.

Proof. On input in , if adversary is able to forge a tag with the identity and the replaced public key in , then algorithm has capability to address CDH problem; that is, it can calculate. Given , and , simulator simulates each step of interaction with as follows:
Setup. launches a query-respond game. sets with the master key which is security picked and then outputs and returns the system parameters to .
Hash-1 Query. adaptively requests the Hash-1 query results for any identity in terms of its capability. In order to facilitate the management of all the query results, establishes a tuple list to record all query data. If a certain has been recorded in the list, directly returns its corresponding tuple to . Otherwise, selects a random value and tosses a coin . Assume that the coin represents 1 with a probability of , and vice versa, . If shows 0, sets ; if shows 1, sets. Then the result is returned to and the tuple is inserted to list , where the symbol indicates that the position is empty and has no value, which may be generated in a subsequent query.
Partial key query. In order to obtain the partial key of any identity , adaptively implements partial key query. firstly checks whether corresponding tuple exists in . If not, executes the Hash-1 query and inserts the result in . Notably, another new tuple list is established by to manage the newly queried data during this process, where . If shows 1 in , returns for and then records the tuple value in . Otherwise, responds the partial key query as follows.(1)If is stored in list, checks whether the location of is a symbol or not. If it is not , returns it directly to . Otherwise, reexecutes the coin tossing step in Hash-1 query. When the coin tosses , returns the value to and then updates the values , in , and in on the corresponding identity , respectively; otherwise, , and aborts.(2)If is not stored in list , determines the value of according to in list . If , returns to ; otherwise, , and aborts.Note that the tuple in and has such a characteristic: the value of in the tuple of corresponding to the tuple of is 1; the value of in the tuple of corresponding to the tuple in is 0.
Key query. adaptively requests the key query for any identity. searches list for the tuple .(1)If the tuple is stored in , first checks whether the position of is or not. If, turns to execute Hash-1 query and partial key query in turn. Otherwise, checks whether the position of in this tuple is the symbol . If , selects at random and sets and . updates the tuple into and sends the key pairing to .(2)If the tuple is not stored in , turns to execute Hash-1 query and partial key query in turn. Once the value of has been obtained after the Hash-1 query and partial key query, randomly selects and sets and . inserts the tuple into and returns to . On the other hand, if , the tuple is inserted into, and aborts.Public Key Replace. According to the assumption, adversary has capability to replace the public key. adaptively implements the Public Key Replace for the target member with the substitution public key .(1)If the tuple is stored in, modifies the tuple as in terms of ’s request, where .(2)If the tuple is not contained in, adds the tuple to in terms of’s request, where .Hash-2 query. In order to facilitate the management of Hash-2 query, a list is still established by to record the participating tuple. As required, runs the Hash-2 query on the identity , partial public key , and Hash-1 query . randomly picks a tuple value and calculates , , and and then sends and to . The new tuple is added in .
Encrypt query. For any plaintext , adaptively requests the encrypt query with identity. searches list for the tuple. If the tuple is stored in , returns directly to. Otherwise, whether the tuple is or , calculates the ciphertext with the replaced key , in which and. Then, updates the tuple and in , respectively.
Tag query. adaptively requests the tag on any identity and plaintext block by submitting the result of. Based on the result of tossing the coin in ; if , aborts. Otherwise, based on the values of in and both and in, generates the tag for the tuple by step and returns it to .
Forgery. Eventually, a forgery tag , which is relevant to plaintext on the identity with the public key , is forged by . If , aborts. Otherwise, based on the aforementioned operations, holds the following values: , , , and , , and, and then it can output solving the proposed CDH problem.
Analysis. Now, we analyze the probability that can guess the correct query of the target data block by simulating operation. Similar to the analysis and proof of [48, 50], only halts two queries on partial key query and tag query; therefore the probability of implementing the queries is higher than . Assume that the probability of occurrence of output of the right value of for is .
LetIn order to find the minimum value of , let us take the derivatives of both sides of (4) with respect to :Replace ; that is,We can obtain . Thereby (4) becomesAccording to the formula for , equation (7) becomesFurther, simulator can solve the CDH problem in polynomial time which satisfies .

Theorem 2. If a PPT adversary has an advantage to win described in Section 4.4 within time after implementing the most Hash-1 queries, key queries, encryption queries, and Hash-2 queries and requesting at most times tag queries, then there exists a -simulator that can address the CDH problem with, where one exponentiation costs time on, one scalar multiplication operation costs time in , and is base of natural logarithm.

Proof. On input in , the CDH algorithm has capability to simulate a data-integrity-verifying security game and output by interacting with adversary as follows:
Setup. chooses the master key at random and outputs the system parameters. Then, both and are returned to by .
Hash-1 query. requests the Hash-1 query results for any identity in terms of its capability. A tuple list is established to record all query data by . If a certain has been stored in , returns to . Otherwise, selects a random value and responds to with and then stores in .
Key query. According to the assumption that adversary has an ability to access the master key, it directly initiates the key query of the public/private key pairing . A list is established by for recording the results of key query.(1)If is not stored in list , picks a value of at random and tosses a coin. Let denote the probability of ; thus represents the probability of . If , sets and and inserts into but halts and returns . If , sets and and records into and then returns to .(2)If is stored in list, checks whether the value of is 1 or 0. If , halts and returns. Otherwise, assuming that is already in, directly returns it to .Notably, since can access the master key to get the private key, there is no partial key query.
Hash-2 query. As required, runs the Hash-2 query for the target value . In order to record the participating tuple, establishes a list for Hash-2 query. If is stored in , returns the value to . Otherwise, randomly picks a tuple value and calculates , , and and then returns to . The new tuple is added in.
Encrypt query. For any plaintext , adaptively requests the encrypt query with identity. searches list for the tuple.(1)If the tuple cannot be found in list, first requests the Hash-1 query and key query until the tuple and the tossing coin value become existent in and , respectively. Then calculates the ciphertext and updates the tuple in , where . If , halts and returns; otherwise, outputs to .(2)If the tuple is stored in and , then directly returns to ; otherwise, halts and returns.Tag query. For ciphertext associated with plaintext , adversary adaptively performs the tag query with . first checks the value of in ; if , halts and outputs. Otherwise, based on the values of in and in , calculates to generate the tag for the tuple by step and then returns it to .
Forgery. Eventually, a forgery tag , which is relevant to plaintext on identity with the private key, is forged by . If , halts and outputs. Otherwise, based on the aforementioned operations, holds the following values: , , , , and , , and then it can output solving the proposed CDH problem.
Analysis. In this game, there are three times of aborting for on key query, encrypt query, and tag query. Thereby, the probability of implementing the queries for without abortion is higher than . Thus, the probability of occurrence of output of the right value of for is . Running time of algorithm generating the forgery tag is.

Theorem 3. As long as the DL assumption holds, the probability that adversary wins Game3, that is, to forge the tag and pass the verification in the scheme, is computationally negligible.

Proof. If wants to win the game, it has to generate the forged integrity proof according to the challenge information and satisfy the following equations with the nonnegligible probability:where denotes the count of the group member participating in the challenge and represents the number of encrypted data blocks participating in the challenge.
On the other hand, assuming that is also a set of legitimate integrity proofs generated according to challenge information, tuple is also verified using the above equation; that is, . According to the rules of Game3, the two different integrity proofs and generated, respectively, by adversary and the legitimate member on the same challenge information have the following relationship: and . According to the above inequality, we can get the same formula as that in [29]: . Then we can get .
Randomly given and a generator of, can be denoted as. Then we can get an approach to solve the DL problem by turning above formula into ; that is, . In terms of the assumption in the game, there must be at least one tuple that satisfies , and therefore at least one of the corresponding is 0. Based on the analysis of , there is at least one component in the vector , so the count of vectors satisfying the condition is at most . Clearly, we can find that the probability of is less than , which is negligible for a large prime . We can find that the probability of solving the DL problem is a nonnegligible probability ; thereby adversary wins Game3 at the negligible probability.

Theorem 4. The adversary cannot pass the integrity proof by leveraging forged ciphertext.

Proof: . If wants to win the game, it tries to generate the forged ciphertext with the forgery identity and legitimate ciphertext in the revoke a participant phase. Suppose that adversary generates its parameters for its identity through the aforementioned games, for example, , the private key , the public key , and. If the tag generating by utilizing these parameters still passes the integrity proof by CSP, then adversary wins this game. Otherwise, it fails.(1)Assume that the revoked member calculates the reencryption key with’s identity and its public key and then returns to .(2) calculates reencrypted ciphertext , where and. Then randomly picks as the partial key and outputs the forgery tag .Through the aforementioned operations, the forgery tag is generated by attacker . If the tag passes the integrity proof, the equation holds. However, Theorems 1 and 2 have pointed that the tag with the forged private/public key pairing has a negligible probability to win Game1 and Game2; thereby, without the real ciphertext reencrypted by the legitimate private key, the adversary could output the correct integrity proof only with negligible probability.

7. Performance Analysis

In this section, we first show the computation and communication cost of our scheme by theory and then represent the experiment results of the scheme.

7.1. Computation Cost

In our scheme, the computation cost is mainly concentrated on those operations that are computationally complex and time-consuming, such as pairing operation, exponentiation operation, and multiplication operations. For the simplicity of presentation, we use symbols , , , and to represent the cost of one pairing operation in , one exponentiation operation in , one multiplication in group , and one multiplication in group, respectively. In addition, the computational overhead of some other operations (such as pseudorandom parameter selection, hash operation, addition, and pseudorandom permutation) is negligible, so these operations are not analyzed. Continue to leverage the above symbols, and let , , , and denote the number of projects divided into subprojects, members participating in the project, the challenge subprojects, and the members involved in the challenge, respectively. According to the processes of and , the computation costs for data blocks are and , respectively.

In the process of , we ignore the generation operation cost of challenge information and focus on the proof information, so the computation cost of this procedure is. In this scheme, we also give the computation cost on the revocation step for a member of the project, in which the revoked member costs , the specified recipient costs , and the verification computation cost for the CSP is . Table 1 shows the detailed comparison of computation cost and data blocks types among the scheme of papers [7, 39] and ours. As can be seen from Table 1, in step , our scheme is one more than [7] and much less than [39]. After all, the cost of [39] is related to the number of participants . The cost amount of the step is the same as that of [7] but is less than that of paper [39]. In addition, the step is used to verify the correctness of proof information and its computation cost is, and the costs of [7, 39] are and , respectively. Compared with the schemes in [7, 39], the cost of our scheme is slightly higher. The reason is that our scheme performs tag generation, verification, and update of ciphertext, and the computational cost is obviously higher than that in literature.

7.2. Communication Cost

In this scheme, the communication cost mainly arises from the challenge information generation phase and proof generation phase. To audit the integrity of the data stored in the cloud service, a verifier sends the challenge information to the CSP, and then proof is returned to the verifier by CSP. The communication cost for an integrity proof challenge is bits, and the communication cost of proof information response is bits, where is the element length in and is the length of the element in set . In addition, the communication cost for the revocation phase is , where is denotes the number of ciphertext data blocks owned by the revoked member.

7.3. Experimental Results

In this experiment, we utilized the Ubuntu Kylin 16.04 LTS (64-bit) operation system equipped with the VMware Workstation 10 with Intel Core i7-8700 3.2 GHz processor and 16 G RAM of the host computer with Win10 operation system using C language to simulate the scheme implementation environment. The Pairing Based Cryptography (PBC) [51] library (version 0.5.14) has been used to execute pairing steps and the Openssl library [52] (version 1.1.1k) is deployed to implement two hash (SHA 256) operations. For the choice of experimental parameters, we used the file params/a.param provided by PBC for type A pairing and constructed a 256-bit order elliptic curve [53] group of type A. To obtain more accurate results,all experiments were run 50 times to get an average.

The step needs to execute two time-consuming calculations, namely, pairing operation and exponentiation on group , totally costing almost 602.024 ms for 100 members. We utilize the file with the size of 32 M for experimental demonstration, so the total number of blocks is 10⁶ which is bounded by the order of the 256-bit group. Suppose that all blocks are averagely distributed to project members; thereby the number of members getting the blocks is 10⁴. Figure 2 depicts the time cost result for the members varying from 1 to 100 to generate all ciphertext blocks. Through observation, it is found that the time consumption of encrypting operation is proportional to the number of users. It takes 5.83 ms for a single member to encrypt all its data blocks, while all members can accept the fact that it takes 602.02 ms to encrypt all data blocks. Moreover, the operation that all data blocks are clustered together and encrypted only occurs at the beginning of the project, in the distribution phase of the subproject.

Based on the cost of ciphertext generation, we now evaluate the cost of tag generation experimentally. We still leverage the 10⁶ ciphertext blocks for the experiment. To carry out the experiment demonstration, we utilize the participant ciphertext number ranging from 10⁵ to 10⁶ with an increment of 10⁵ for each test. From the experimental results in Figure 3, we can observe that the time consumption for tag generation is linear with the increase of the number of blocks, and it takes about 173.9 s to generate tags for all 10⁶ blocks. As observing the proposed scheme, the entire and processes are executed by only the project manager; thereby the project members just need to download the ciphertext and tags within the appointed time.

We set bits, bits, and as in previous work [39]. Based on the previous conclusions [5, 7, 39], if 1% of all blocks are corrupted, 460 challenge blocks picked randomly can achieve 99% error detection probability and 300 challenge blocks chosen at random can successfully achieve 95% malpractice detection probability. In Figure 4, we can see that when the size of project group varies from 500 to 1000 and the number of challenge members ranges from 0 to 200, our scheme can achieve an auditing task with the maximum verification time of 14.664 s and 42 KB by choosing c = 460.

(a)

(b)

8. Conclusion

In this paper, a remote encrypted data integrity auditing scheme stored on a cloud service provider is presented. This scheme addresses the integrity auditing issue for the encrypted data which is shared with numerous members of a group. In our scheme, the sponsor of a shared data group is the project manager who is responsible for the initialization of system parameters, the selection of partial private keys for project members, and the generation of original ciphertext blocks for subprojects. Meanwhile, with the help of certificateless signature idea, the synchronization change between the ciphertext block and the tag is realized, and the problem of auditing the integrity of the ciphertext block is transformed into an equation verification related to the tag. Therefore, based on the above two measures, the key escrow and certificate management in PKI naturally do not exist. With regard to the revocation of the member, our scheme utilizes the homomorphic hash function to transform the ciphertexts of the revoked members into the ciphertexts of the existing members without leaking the information of ciphertext. Finally, the protocol has been proven secure to satisfy adaptively selective the ciphertext attack assuming the stability of CDH and DL in bilinear pairing. From the results of the experiment, our scheme is efficient in both computation and communication cost and more secure in a shared group in cloud storage.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the National Natural Science Foundation of China under Grant 61772008, in part by the Science and Technology Major Support Program of Guizhou Province, China, under Grant 20183001, in part by the Key Program of the National Natural Science Union Foundation of China under Grant U1836205, in part by the Science and Technology Program of Guizhou Province under Grant ZK[2021]325, in part by the Science and Technology Program of Guiyang under Grant [2021]1–5, and in part by the Science and Technology Planning Project of Tongren Municipality under Grant [2020]78.

References

Dropbox for business. [Online]. Available: https://www.dropbox.com/business.
Tortoisesvn. [Online]. Available: https://tortoisesvn.net/.
L. Shuib and E. Yadegaridehkordi, “Big data adoption: state of the art and research challenges,” Information Processing & Management, vol. 56, no. 6, 2019.
View at: Google Scholar
Y. Deswarte and A. Sa¨ıdane, “Remote integrity checking-how to trust files stored on untrusted servers,” in Integrity and Internal Control in Information Systems VI - IFIP TC11/WG11.5, Springer, Lausanne, Switzerland, 2003.
View at: Google Scholar
Giuseppe Ateniese, R. C. Burns, R. Curtmola et al., “Provable data possession at untrusted stores,” in Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, P. F. Syverson, Ed., Alexandria, USA, October 2007.
View at: Publisher Site | Google Scholar
K. Yang and X. Jia, “An efficient and secure dynamic auditing protocol for data storage in cloud computing,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 9, pp. 1717–1726, 2013.
View at: Publisher Site | Google Scholar
J. Li, H. Yan, and Y. Zhang, “Certificateless public integrity checking of group shared data on cloud storage,” IEEE Transactions on Services Computing, vol. 14, no. 1, pp. 71–81, 2021.
View at: Google Scholar
H. Wang, D. He, and S. Tang, “Identity-based proxy-oriented data uploading and remote data integrity checking in public cloud,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 6, pp. 1165–1176, 2016.
View at: Publisher Site | Google Scholar
J. Li, W. Yao, Y. Zhang, H. Qian, and J. Han, “Flexible and fine-grained attribute-based data storage in cloud computing,” IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 785–796, 2017.
View at: Publisher Site | Google Scholar
Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, “Enabling public auditability and data dynamics for storage security in cloud computing,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847–859, 2011.
View at: Publisher Site | Google Scholar
H. Yan, J. Li, J. Han, and Y. Zhang, “A novel efficient remote data possession checking protocol in cloud storage,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 1, pp. 78–88, 2017.
View at: Publisher Site | Google Scholar
J. Li, Y. Wang, Y. Zhang, and J. Han, “Full verifiability for outsourced decryption in attribute based encryption,” IEEE Transactions on Services Computing, vol. 13, no. 3, pp. 478–487, 2020.
View at: Publisher Site | Google Scholar
J. Li, X. Lin, Y. Zhang, and J. Han, “Ksf-oabe: outsourced attribute-based encryption with keyword search function for cloud storage,” IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 715–725, 2016.
View at: Google Scholar
Y. Yu, M. H. Au, G. Ateniese et al., “Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 4, pp. 767–778, 2017.
View at: Publisher Site | Google Scholar
Y. Zhang, C. Xu, X. Liang, H. Li, Y. Mu, and X. Zhang, “Efficient public verification of data integrity for cloud storage systems from indistinguishability obfuscation,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 3, pp. 676–688, 2017.
View at: Publisher Site | Google Scholar
H. Wang, Q. Wu, B. Qin, and J. Domingo‐Ferrer, “Identity‐based remote data possession checking in public clouds,” IET Information Security, vol. 8, no. 2, pp. 114–121, 2014.
View at: Publisher Site | Google Scholar
F. Sebé, J. Domingo-Ferrer, A. Mart´ınez-Ballesté, Y. Deswarte, and J. J. Quisquater, “Efficient remote data possession checking in critical information infrastructures,” IEEE Transactions on Knowledge and Data Engineering, vol. 20, no. 8, pp. 1034–1038, 2008.
View at: Google Scholar
C. Christopher Erway, A. Küpc¸ü, C. Papamanthou, and R. Tamassia, “Dynamic provable data possession,” in Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, E. Al-Shaer, S. Jha, and A. D. Keromytis, Eds., pp. 213–222, Chicago, Illinois, USA, November 2009.
View at: Publisher Site | Google Scholar
C. Wang, S. S. M. Chow, Q. Wang, K. Ren, W. Lou, and W. Lou, “Privacy-preserving public auditing for secure cloud storage,” IEEE Transactions on Computers, vol. 62, no. 2, pp. 362–375, 2013.
View at: Publisher Site | Google Scholar
Y. Yu, Y. Zhang, J. Ni, M. H. Au, L. Chen, and H. Liu, “Remote data possession checking with enhanced security for cloud storage,” Future Generation Computer Systems, vol. 52, pp. 77–85, 2015.
View at: Publisher Site | Google Scholar
Y. Feng, G. Yang, and J. K. Liu, “A new public remote integrity checking scheme with user and data privacy,” International Journal of Applied Cryptography, vol. 3, no. 3, pp. 196–209, 2017.
View at: Publisher Site | Google Scholar
H. Wang, “Identity-based distributed provable data possession in multicloud storage,” IEEE Transactions on Services Computing, vol. 8, no. 2, pp. 328–340, 2015.
View at: Publisher Site | Google Scholar
A. Juels, S. Burton, and J. Kaliski Jr, “Pors: proofs of retrievability for large files,” in Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, P. Ning, S. De Capitani di Vimercati, and P. F. Syverson, Eds., pp. 584–597, Alexandria, Virginia, USA, October 2007.
View at: Google Scholar
K. D. Bowers, A. Juels, and A. Oprea, “HAIL: a high-availability and integrity layer for cloud storage,” in Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, E. Al-Shaer, S. Jha, and A. D. Keromytis, Eds., Chicago, Illinois, USA, November 2009.
View at: Google Scholar
B. Wang, B. Li, and H. Li, “Knox: privacy-preserving auditing for shared data with large groups in the cloud,” Applied Cryptography and Network Security, vol. 7341, pp. 507–525, 2012.
View at: Publisher Site | Google Scholar
B. Wang, H. Li, and M. Li, “Privacy-preserving public auditing for shared cloud data supporting group dynamics,” in Proceedings of the IEEE International Conference on Communications, ICC, Budapest, Hungary, June 2013.
View at: Publisher Site | Google Scholar
X. Liu, Y. Zhang, B. Wang, and J. Yan, “Mona: secure multi-owner data sharing for dynamic groups in the cloud,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 6, pp. 1182–1191, 2013.
View at: Publisher Site | Google Scholar
J. Yuan and S. Yu, “Public integrity auditing for dynamic data sharing with multiuser modification,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1717–1726, 2015.
View at: Publisher Site | Google Scholar
B. Wang, B. Li, and H. Li, “Panda: public auditing for shared data with efficient user revocation in the cloud,” IEEE Transactions on Services Computing, vol. 8, no. 1, pp. 92–106, 2015.
View at: Publisher Site | Google Scholar
Y. Yu, Y. Mu, J. Ni, J. Deng, and K. Huang, “Identity privacy-preserving public auditing with dynamic group for secure mobile cloud storage,” in Proceedings of the Network and System Security - 8th International Conference, NSS 2014, M. Ho Au, B. Carminati, and C.-C. Jay Kuo, Eds., pp. 28–40, Xi’an, China, October 2014.
View at: Publisher Site | Google Scholar
Giuseppe Ateniese, R. Di Pietro, L. V. Mancini, and G. Tsudik, “Scalable and efficient provable data possession,” in Proceedings of the 4th International ICST Conference on Security and Privacy in Communication Networks, SECURECOMM 2008, L. Albert, P. Liu, and R. Molva, Eds., ACM, Istanbul, Turkey, September 2008.
View at: Publisher Site | Google Scholar
Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, “Enabling public verifiability and data dynamics for storage security in cloud computing,” in Proceedings of the Computer Security - ESORICS 2009, 14th European Symposium on Research in Computer Security, pp. 355–370, Saint-Malo, France, September 2009.
View at: Publisher Site | Google Scholar
Y. Zhu, H. Wang, Z. Hu et al., “Dynamic audit services for integrity verification of outsourced storages in clouds,” in Proceedings of the 2011 ACM Symposium on Applied Computing (SAC), W. C. Chu, W. Eric Wong, M. J. Palakal, and C.-C. Hung, Eds., TaiChung, Taiwan, March 2011.
View at: Publisher Site | Google Scholar
L. Chang, J. Chen, L. T. Yang et al., “Authorized public auditing of dynamic big data storage on cloud with efficient verifiable fine-grained updates,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 9, pp. 2234–2244, 2014.
View at: Google Scholar
Li Jin, X. Tan, X. Chen, D. S. Wong, and F. X. Opor, “Enabling proof of retrievability in cloud computing with resource-constrained devices,” IEEE Transactions on Cloud Computation, vol. 3, no. 2, pp. 195–205, 2015.
View at: Google Scholar
Z. Yang, W. Wang, Y. Huang, and X. Li, “Privacy‐preserving public auditing scheme for data confidentiality and accountability in cloud storage,” Chinese Journal of Electronics, vol. 28, no. 1, pp. 179–187, 2019.
View at: Publisher Site | Google Scholar
N. Garg and S. Bawa, “Id-papc: identity based public auditing protocol for cloud computing,” in Proceedings of the 2017 IEEE International WIE Conference on Electrical and Computer Engineering (WIECON-ECE), pp. 14–17, IEEE, Dehradun, India, December 2017.
View at: Publisher Site | Google Scholar
R. S. Bali and N. Kumar, “Secure clustering for efficient data dissemination in vehicular cyber-physical systems,” Future Generation Computer Systems, vol. 56, pp. 476–492, 2016.
View at: Publisher Site | Google Scholar
B. Wang, B. Li, H. Li, and F. Li, “Certificateless public auditing for data integrity in the cloud,” in Proceedings of the IEEE Conference on Communications and Network Security, CNS 2013, pp. 136–144, National Harbor, MD, USA, October 2013.
View at: Google Scholar
M. Etemad and A. Küpc¸ü, “Generic efficient dynamic proofs of retrievability,” in Proceedings of the 2016 ACM on Cloud Computing Security Workshop, CCSW 2016, E. R. Weippl, S. Katzenbeisser, M. Payer, S. Mangard, E. Androulaki, and M. K. Reiter, Eds., pp. 85–96, ACM, Vienna, Austria, October 2016.
View at: Google Scholar
H. Zhuo Hao, S. Sheng Zhong, and N. Nenghai Yu, “A privacy-preserving remote data integrity checking protocol with data dynamics and public verifiability,” IEEE Transactions on Knowledge and Data Engineering, vol. 23, no. 9, pp. 1432–1437, 2011.
View at: Publisher Site | Google Scholar
W. Shen, J. Qin, Y. Jia, H. Rong, J. Hu, and J. Ma, “Data integrity auditing without private key storage for secure cloud storage,” IEEE Transactions on Cloud Computing, vol. 19, 2019.
View at: Google Scholar
T. Wu, G. Yang, Y. Mu, F. Guo, R. H. Deng, and Deng, “Privacy-preserving proof of storage for the pay-as-you-go business model,” IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 2, pp. 563–575, 2021.
View at: Publisher Site | Google Scholar
B. Wang, B. Li, and H. Li, “Knox: privacy-preserving auditing for shared data with large groups in the cloud,” in Applied Cryptography and Network Security, F. Bao, P. Samarati, and J. Zhou, Eds., vol. 7341, pp. 507–525, Springer, 2012.
View at: Publisher Site | Google Scholar
B. Wang, B. Li, and H. Li, “Oruta: privacy-preserving public auditing for shared data in the cloud,” in Proceedings of the 2012 IEEE Fifth International Conference on Cloud Computing, R. Chang, Ed., Honolulu, HI, USA, June 2012.
View at: Publisher Site | Google Scholar
H. Yao, C. Wang, Bo Hai, and S. Zhu, “Homomorphic hash and blockchain based authentication key exchange protocol for strangers,” in Proceedings of the 2018 Sixth International Conference on Advanced Cloud and Big Data (CBD), pp. 243–248, IEEE, Lanzhou, China, August 2018.
View at: Publisher Site | Google Scholar
S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, pp. 452–473, Springer, Daejeon, South Korea, December 2003.
View at: Publisher Site | Google Scholar
J. Li, H. Yan, and Y. Zhang, “Identity-based privacy preserving remote data integrity checking for cloud storage,” IEEE Systems Journal, vol. 15, no. 1, pp. 577–585, 2021.
View at: Publisher Site | Google Scholar
M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Relations among notions of security for public-key encryption schemes,” in Proceedings of the 18th Annual International Cryptology Conference, H. Krawczyk, Ed., pp. 26–45, Springer, Santa Barbara, California, USA, August 1998.
View at: Google Scholar
N. Garg, S. Bawa, and N. Kumar, “An efficient data integrity auditing protocol for cloud computing,” Future Generation Computer Systems, vol. 109, pp. 306–316, 2020.
View at: Google Scholar
B. Lynn. Pairing-based Cryptography Library. https://crypto.stanford.edu/pbc/download.html.
Toolkit Openssl Project. Openssl library. https://www.openssl.org/docs/manmaster/man7/crypto.html.
D. R. L. Brown, “Sec 2: recommended elliptic curve domain parameters,” Standars for Efficient Cryptography, vol. 20, 2010.
View at: Google Scholar

Copyright

Copyright © 2022 Chunxia Han and Linjie Wang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

429

Downloads

406

Citations

Wireless Communications and Mobile Computing

Service-Oriented Management and Computing in Edge-Cloud IoT

Public Integrity Auditing of Shared Encrypted Data within Cloud Storage Group

Abstract

1. Introduction

1.1. Contributions

1.2. Organization

2. Related Work

3. Preliminaries

3.1. Bilinear Maps

3.2. Complexity Assumptions

3.3. Homomorphic Hash Function

4. Problem Statement

4.1. System Model

4.2. Design Goals

4.3. Outline of the Scheme

4.4. Secure Model

4.4.1. Setup

4.4.2. Common Queries

4.4.3. Game1

4.4.4. Forgery

4.4.5. Game2

4.4.6. Forgery

4.4.7. Game3

4.4.8. Game4

4.4.9. Forgery

5. Our Scheme

5.1. Invite to Join

5.2. Revoke a Participant

6. Security Proof

6.1. Security Analysis

7. Performance Analysis

7.1. Computation Cost

7.2. Communication Cost

7.3. Experimental Results

8. Conclusion

Data Availability

Conflicts of Interest

Acknowledgments

References

Copyright