# Efficient and Secure Identity-Based Public Auditing for Dynamic Outsourced Data with Proxy.

1. IntroductionOver the last few years, cloud storage is widely regarded as a promising technique in cloud computing, which offers massive storage space to its users in an on-demand service model [1]. By leveraging cloud storage, users can access their data from anywhere and avoid affording the expenditure of local storage management. However, cloud storage is a double-edged sword. It brings benefits as well as security threats to users because users cannot take control of their data that stored remotely in the cloud. Thus, the need of keeping users' data intact leads to the research of cloud auditing, which can check the integrity of users' data in the cloud.

Recently, many cloud auditing schemes have been proposed to check the integrity of users' data with high probability. However, because most of them are based on public key infrastructure (PKI), they also have obvious drawbacks. First, PKI leads to complicated certificate management in these schemes such as certificates generation, revocation and distribution. Second, storing private-public key pairs and public key certificates from different key generation authorities causes resource-constrained users plenty of storage overhead. Third, PKI-based schemes require public key certificate verification during communication among entities, which incurs communication and computation cost.

In order to solve the problems mentioned above, identity-based cloud auditing schemes were proposed by introducing identity-based cryptography (IBC) [2]. Compared with PKI, IBC does not need public key certificates, which eliminates the complex certificate management and heavy storage burden. Besides, because of the certificate-free property, IBC has no certificate verification during communication, which can hugely reduce the communication and computation burden in the schemes.

Because of the limited computation and communication capability, users' local systems are always bottlenecks in cloud auditing scheme. The situation is worse when users use mobile devices to access their data. Powerful proxies are desired to help users process and upload their data. Thus, for the sake of improving the performance of cloud auditing scheme, we conduct the research of identity-based cloud auditing scheme with proxy.

1.1 Related Work

Before identity-based cloud auditing schemes, many cloud auditing schemes have been proposed to perform integrity checking of cloud data. Ateniese et al. [3] first proposed the concept of provable data possession (PDP) to check the integrity of remote data. PDP uses RSA-based signature to construct homomorphic verifiable tags and utilizes sampling strategy to check data integrity with high probability. Meanwhile, Juels and Kalisk [4] presented the notion of Proof of Retrievability (POR), which could check the integrity of remote data and retrieve modified data file. Consequently, Ateniese et al. [5] came up with a scalable and efficient PDP scheme which could support all dynamic data operations except data insertion. Then, dynamic PDP schemes [6, 7, 8] were designed to support fully dynamic operations. In order to support integrity checking for multiple replicas storage, multi-replica auditing schemes [9, 10] were proposed to maintain the integrity of all data copies of a cloud user in CSS. Aiming to alleviate users' computation and communication burden during data integrity verification, trusted third party auditor (TPA) was introduced to help users perform data integrity checking [11, 12]. However, in multi-cloud storage systems, with the increase of auditing tasks delegated from multiple users, the performance of TPA will decrease. To solve this problem, batch auditing schemes [12, 13, 14] were proposed to enable TPA to perform multiple auditing tasks from multiple users and multiple clouds simultaneously. In the following years, a number of new cloud auditing schemes [15, 16, 17, 18, 19, 20, 21] were proposed to address various properties in cloud auditing.

However, all schemes mentioned above are based on PKI, which involves not only complex key and certificate management, but plenty of storage space for storing multiple keys and certificates. They also incur huge computation and communication overhead due to the verification of users' public key certificates. To solve these problems, Zhao et al. [22] first introduced IBC into cloud auditing and proposed an ID-based PDP scheme. Wang et al. [23] proposed another identity-based auditing scheme and Wang [24] further extended the scheme to support multi-cloud storage. However, Wang's scheme is not sound since cloud storage server (CSS) can deceive TPA by storing hash code and verification tag of data block and deleting the corresponding data block. Besides, the combiner in the scheme is not practical in reality. Zhang et al. [25] presented an identity-based public auditing scheme in the standard model. In the subsequent work, Zhang et al. [26] proposed an identity-based public auditing scheme which can efficiently support batch auditing for multiple users. But their schemes require security channels in all communication, which increases the system overhead. Yu et al. [27, 28] proposed two schemes which combine the traditional PDP scheme and identity-based signature (IBS). However, their schemes are not efficient in multiple users and CSSs setting. Yu et al. [29] further proposed an ID-based auditing scheme to prevent the information of stored data from being leaked to TPA during auditing.

In cloud auditing, users can be bottlenecks of the systems because most of them use capacity-limited end devices. But none of the identity-based schemes above consider the efficiency of users' side. Wang et al. [30] first proposed an identity-based proxy-oriented cloud auditing scheme to let proxy help users generate tags and upload data. However, outsourcing the task of data processing and uploading to the proxy also has security issues. Users' data may be corrupted before tag generation process because of exception or management fault of proxy and [30] cannot detect the corruption unless users download and check the corresponding data. Besides, [30] cannot be efficiently extended to multiple users and CSSs setting because bilinear pairing operations in verification equations of all users and CSSs cannot be totally combined together.

Generally, the main properties of a cloud auditing scheme are:

Public auditability: a cloud auditing scheme should allow TPA or other entities to check the integrity of users' data in CSS.

Support for data dynamics: users who store data on cloud may perform dynamic operations on data files such as modification, insertion and deletion. An auditing scheme must support these dynamic operations while ensuring the integrity of users' data.

Support for batch auditing: in a real cloud storage environment, TPA may receive auditing requests from a large number of cloud users on multiple CSSs. It is necessary for a cloud auditing scheme to allow TPA to perform multiple auditing tasks simultaneously.

Privacy preservation: a cloud auditing scheme must prevent the content of users' data from being leaked to TPA or other entities in the cloud.

1.2 Our Contributions

To solve the above problems, in this paper, we design an identity-based auditing scheme with proxy. Our contributions in this paper are summarized as follows.

1) Based on identity-based cryptography, we propose a novel and efficient identity-based auditing scheme, which can eliminate complicated key and certificate management and alleviate the burden of user and TPA.

2) By introducing proxy, our auditing scheme can completely relieve the computation burden of tag generation on users. We further improve the efficiency of the proxy by designing a novel homomorphic verifiable tag. Besides, we consider data security in proxy and prevents data corruption happening before tag generation.

3) We extend our auditing scheme to support dynamic data operations, which is practical in real cloud storage systems.

4) By taking the advantage of the property of bilinear pairing, we further extend our scheme to support batch auditing for multiple users and multiple CSSs. In our batch auditing scheme, the cost of computing bilinear pairing operations is independent of the number of users or servers, which greatly improves the auditing performance in large scale systems.

5) Our auditing scheme is provably secure in random oracle model. We show the efficiency of our auditing scheme by developing a prototype implementation and comparing with the state of the art.

1.3 Paper Organization

The rest of this paper is organized as follows. Section 2 introduces the system model and security model. In Section 3, we describe the concrete auditing scheme. The security analysis is given in Section 4. Section 5 presents the performance analysis of our auditing scheme. In the end, we give the conclusion in Section 6.

2. System Model and Security Model

In this section, we first present the system model and give definition of our identity-based auditing scheme. Then we define the security model of our auditing scheme.

2.1 System Model

1) User: it is an entity which has a large number of data files to be uploaded to CSS. It is generally a resource-limited entity.

2) Proxy: it has abundant computation capacity to help user generate tags and upload them to CSS. It is chosen by a user and have to perform the procedure according to the warrant [omega].

3) Cloud storage server (CSS): it is an entity which has significant storage and computation resource to offer cloud storage service for user.

4) Private Key Generator (PKG): It is responsible for generating private key for user according to user's corresponding identity.

5) Third Party Auditor (TPA): it is a trusted entity which has enough capacities and expertise to perform data integrity checking on CSSs for user.

PKG generates private keys for user and proxy according to their identities. CSS enables user to outsource its data to the cloud, but user is worried about the security of their data. Thus it authorizes TPA to perform data auditing task periodically to ensure that its data is stored correctly. For improving efficiency, user delegates computation tasks to proxy.

Definition 1 (Identity-based auditing scheme). An identity-based auditing scheme consists of seven algorithms: Setup, Extract, PSKGen, TagGen, Challenge, Proof, Verify, which are described below.

1) Setup ([1.sup.k]) [right arrow] (params, mpk, msk): The setup algorithm takes security parameter k as input and outputs system public parameters params, master public key mpk and master secret key msk.

2) Extract (mpk, msk, params, ID) [right arrow] [sk.sub.ID]: The algorithm takes master secret key msk, master public key mpk, system parameters params and identity of entity ID as inputs. It outputs the corresponding private key [sk.sub.ID] of the entity ID.

3) PSKGen (params, [ID.sub.u], [ID.sub.p]) [right arrow] u: The algorithm takes system parameters params, identity of user [ID.sub.u] and identity of proxy [ID.sub.p] as inputs. It outputs proxy signature key u.

4) TagGen (F, u) [right arrow] [sigma]: The algorithm takes file F and proxy signature u as inputs. Then it computes and outputs the corresponding tags of data blocks [sigma] = ([sigma].sub.1],[[sigma].sub.2],... ,[[sigma].sub.n]).

5) Challenge ([F.sub.info]) [right arrow] c: The challenge algorithm takes the information of data file F as input and outputs the challenge set C.

6) Proof (F, C, [sigma]) [right arrow] P: The algorithm takes data file F, challenge set C from TPA and verification tags [sigma] as inputs. It outputs a response proof P.

7) Verify (C, P, params, mpk, [F.sub.info]) [right arrow] 0/1: The algorithm takes challenge set C, response proof P, system parameters params, master public key mpk and information of data file [F.sub.info] as inputs. Then, it outputs the auditing result 0 or 1.

2.2 Security Model

In the security model of our auditing scheme, we assume that PKG is a trusted entity and can honestly generate private keys for users and proxies. We consider CSS as an semi-trusted entity like [14]. CSS may hide data corruption caused by attacks or management fault. It may even deliberately discard rarely used data files of users for saving storage space and gaining more profit. TPA is honest but curious. It honestly performs cloud auditing service but may try to obtain information of users' cloud data. Proxy is a semi-trusted entity and may have management fault.

A secure auditing scheme for cloud data should satisfy the properties of unforgeability and privacy-preserving. The detailed definitions of these properties are described below.

Definition 2 (Unforgeability). The proposed auditing scheme is unforgeable if for any (probabilistic polynomial) adversary A, the probability that A wins the cloud storage auditing game is negligible. The cloud storage auditing game performed by a challenger C and an adversary A is illustrated below.

1) Setup: The challenger C runs Setup algorithm and gets system parameters params, master public key mpk and master secret key msk. The challenger C forwards params and mpk to the adversary A and keeps confidential msk.

2) Oracle queries: A adaptively makes a number of KeyGen, TagGen and Hash queries to C.

Extract queries: A sends identity ID to C to query ID's private key. C runs Extract algorithm to generate corresponding private key [sk.sub.ID] and sends it to A. A is restricted to query private key of proxy [ID.sub.p].

PSKGen queries: A sends ([mathematical expression not reproducible]) to C and queries proxy signature key of [mathematical expression not reproducible]. The challenger C runs PSKGen algorithm to compute proxy signature key of [mathematical expression not reproducible] and [mathematical expression not reproducible]. Then C forwards them to A.

TagGen queries: A queries tags of data blocks adaptively. C computes tag [sigma] for the corresponding data block and return it to A.

Hash queries: The adversary makes queries to hash function adaptively. The challenger C sends hash values to A.

3) Output: Finally, the adversary outputs tag [sigma] on a data block m* with identity ID*. The data block m* and identity ID* and [ID.sub.p] should not be queried during Oracle queries phase. The adversary wins the game if tag [sigma] is a valid verification tag on data block m*.

Definition 3 (Privacy-preserving). The proposed auditing scheme satisfies the property of privacy-preserving if TPA cannot retrieve any information of cloud data during the whole auditing procedure.

3. The Proposed Cloud Auditing Scheme

In this section, we present our concrete cloud auditing scheme. We first briefly introduce the properties of bilinear pairings and the definition of Computational Diffie-Hellman (CDH) problem. Then we give the details of our auditing scheme and further extend it to support dynamic auditing and batch auditing.

3.1 Preliminaries

Bilinear Pairings. Let [G.sub.1] and [G.sub.T] be two multiplicative cyclic groups of large prime order q. Denote [g.sub.1] and [g.sub.2] as the generators of [G.sub.1] and [G.sub.T], respectively. Bilinear map is a map e: [G.sub.1] x [G.sub.1] [right arrow] [G.sub.T] which satisfies the following three properties:

1) Bilinearity: For u, v [member of] [G.sub.1] and a, b [member of] [mathematical expression not reproducible], e([u.sup.a],[v.sup.b]) = e[(u,v).sup.ab];

2) Non-degeneracy: [there exists][g.sub.1],[g.sub.2] [member of] [G.sub.1] such that e([g.sub.1],[g.sub.2]) [not equal to] 1;

3) Computability: There exists an efficient algorithm to compute the map e.

A bilinear map e can be constructed by Weil pairings or Tate pairings on super singular elliptic curves.

Definition 4 (CDH problem): Given [g.sup.x],[g.sup.y] [member of] [G.sub.1] (x, y [member of] [mathematical expression not reproducible] are unknown), compute [g.sup.xy]. Denote the probability that adversary A successfully outputs [g.sup.xy] in polynomial time t as Pr[A([g.sup.x],[g.sup.y] = [g.sup.xy]] [less than or equal to] [epsilon]. If [epsilon] is negligible, then CDH problem is (t, [epsilon]) hard.

3.2 The Detailed Auditing Scheme

Suppose that user plans to store file F to the cloud storage. File F is split to n data blocks. The concrete auditing scheme consists of seven algorithms: Setup, Extract, PSKGen, TagGen, Challenge, Proof and Verify, which are given below.

Setup: Let [G.sub.1] and [G.sub.T] be two multiplicative cyclic groups of large prime order q. Let e:[G.sub.1]x[G.sub.1][right arrow][G.sub.T] be a bilinear map and g be a generator of group [G.sub.1]. Define three hash functions:

[mathematical expression not reproducible]

PKG chooses a pseudo-random function f and a pseudo-random permutation [pi]. PKG randomly generates its master secret key Y = [g.sup.x], where x [member of] [Z.sub.q].

PKG publishes system public parameters params = ([G.sub.1], [G.sub.T], q, e, g, [H.sub.0], [H.sub.1], [H.sub.2], f, [pi], Y). It keeps its master secret key x confidentially.

Extract: In order to extract private key from PKG, user sends its identity [ID.sub.u] to PKG for getting its secret key. PKG computes the public key of user [Q.sub.u] = [H.sub.0]([ID.sub.u]) and the private key [d.sub.u] = [mathematical expression not reproducible]. It sends the private key [d.sub.u] to user via secure channel. Similarly, the proxy gets its private key [d.sub.p] by sending its identity [ID.sub.p] to PKG.

PSKGen: User and proxy perform the following procedures to generate proxy signature key u:

1) User randomly generates r [member of] [mathematical expression not reproducible] and creates warrant [omega]. It computes [R.sub.u] = [mathematical expression not reproducible] and [mathematical expression not reproducible], where h = [H.sub.2]([omega]||[R.sub.u]). It then calculates [xi] = [g.sup.r]. User sends U, [xi], [omega] and [R.sub.u] to proxy and CSS.

2) Upon receiving parameters from user, proxy verifies U and warrant [omega] by calculating two equations: e([R.sub.u],g) = e([Q.sub.u],[xi]) and e(U,g) = e([R.sub.u.sup.h],Y). If the equations do not hold, the proxy will terminate the procedure and inform user. Otherwise, it accepts the parameters and further computes the proxy signature key u = U * [d.sub.p.sup.r]' = [([Q.sub.u.sup.rh] *' [Q.sub.p.sup.r]').sup.x] and [R.sub.p] = [Q.sub.p.sup.r]', where r' [member of] [mathematical expression not reproducible] is a random value generated by proxy. TagGen: After creating proxy signature key u, the proxy generates homomorphic verifiable tags for user's data blocks.

1) User first splits F into n data blocks F = ([F.sub.1],[F.sub.2]... ). For each data block [F.sub.i], it computes [F.sub.t] = [H.sub.2]([F.sub.i]) + [F.sub.i]. Then it sends F = ([F.sub.1],[F.sub.2]... [F.sub.n]) to proxy.

2) Proxy calculates verification tag for each data block [F.sub.i] as:

[mathematical expression not reproducible] (1)

where [h.sub.i] = [H.sub.1](i,[Name.sub.i]||[timestamp.sub.i]), [Name.sub.i] denotes the name of [F.sub.i], [timestamp.sub.i] is the time value when proxy generates [t.sub.i].

3) User sends original data blocks F = ([F.sub.1],[F.sub.2]... [F.sub.n]) to CSS. Proxy transmits all tags t = ([t.sub.1], [t.sub.2]... [t.sub.n]) and [R.sub.p] to CSS.

4) CSS first verifies the validity of [omega] from user by verifying e([R.sub.u], g) = e([H.sub.0]([ID.sub.u]), [xi]) and e(U,g) = e([R.sub.u.sup.h],Y). If equations hold, it accepts the warrant [omega]. Otherwise it rejects and informs the user. When CSS receives the data blocks F from user and verification tags from proxy, it checks if they satisfy the warrant [omega]. If data blocks and tags satisfy, CSS accepts them. Otherwise it rejects to store them and informs the user.

Challenge: The TPA picks the number of challenged data blocks z and two random numbers [c.sub.1], [c.sub.2] [member of] [mathematical expression not reproducible]. It outputs the challenge parameters C = (z,[v.sub.1],[v.sub.2]) and sends it to the CSS.

Proof: Once receiving the challenge C from TPA, for 1 [less than or equal to] a [less than or equal to] z, CSS computes the index of each challenged data block [mathematical expression not reproducible] (a) [member of] [delta], where [delta] denotes the set of indices of challenged data blocks. CSS then computes the corresponding coefficient [mathematical expression not reproducible](i) for each i [member of] [delta]. It calculates the aggregated tag T and masked data proof DP as

[mathematical expression not reproducible] (2)

[mathematical expression not reproducible] (3)

where [F.sub.i] = [H.sub.2]([F.sub.i]) + [F.sub.i]. Finally, CSS submits the response proof P = (T, DP) to TPA.

Verify: When TPA receives the response proof, it first computes i = [mathematical expression not reproducible] (a) for 1 [less than or equal to] a [less than or equal to] z to generate the set of indices of challenged data blocks [delta]. Then it calculates the corresponding coefficient [mathematical expression not reproducible] (i). TPA computes h = [H.sub.2]([omega]]||[R.sub.u]) and [theta] = [mathematical expression not reproducible]. [H.sub.1] (i, [Name.sub.i] || timestampi).

TPA verifies the response proof by calculating the following equation:

[mathematical expression not reproducible]. (4)

If Eq.(4) holds, TPA outputs 1 and inform user, otherwise it outputs 0 to user.

3.3 Auditing for Dynamic Operations

When using cloud storage service, users not only need to store data to CSS but also update it. Thus, it is significant for identity-based cloud auditing scheme to support dynamic operations of users on their data.

We introduce index table structure to support dynamic auditing in our scheme. The index table is created by user and then managed by TPA. It has three components: i, [0.sub.i] and [T.sub.i]. i is the current position of data block [F.sub.i] in data files. [O.sub.i] denotes the original position of data block [F.sub.i] and [T.sub.i] denotes the timestamp when the verification tag of data block [F.sub.i] was generated. Table 1 is an example of index table.

Generally, there are three basic dynamic operations that user will perform on their data, which are data modification, insertion and deletion. The detailed dynamic update procedures for three operations are illustrated as follows.

Modification:

1) When user wants to modify data block [F.sub.i], it prepares the new data block [mathematical expression not reproducible] and computes the corresponding tag [mathematical expression not reproducible], where [mathematical expression not reproducible] = [H.sub.1]([O.sub.i],[Name.sub.i]||[mathematical expression not reproducible]) and [mathematical expression not reproducible].

2) User sends ([mathematical expression not reproducible]) to CSS. CSS replaces the original block-tag pairs with new pairs ([mathematical expression not reproducible]).

3) Finally, user sends new record (i, [O.sub.i], [mathematical expression not reproducible]) to TPA. TPA then changes the index table according to the new record. The modification of index table is illustrated in Table 2.

Insertion:

1) When user intends to insert new data block before index i, it prepares a new data block [mathematical expression not reproducible] and computes the corresponding verification tag [mathematical expression not reproducible], where [mathematical expression not reproducible] ([mathematical expression not reproducible],[Name.sub.i]||[mathematical expression not reproducible]) and [mathematical expression not reproducible].

2) User sends ([mathematical expression not reproducible]) to CSS. CSS inserts the new data block [mathematical expression not reproducible] before the original block [P.sub.i].

3) Finally, user sends new record ([mathematical expression not reproducible]) to TPA. TPA then changes the index table according to the new record. The insertion operation of index table is illustrated in Table 3.

Deletion:

1) When user wants to delete data block of index i, it sends index i to CSS to let CSS delete the block-tag pairs ([F.sub.i], [t.sub.i]).

2) Then user sends deletion message to TPA with index i. TPA then deletes record of index i and adjusts the index table according to the deletion operation. The adjustment of index table is shown in Table 4.

3.4 Auditing for Multiple Users and Multiple CSSs

Cloud data auditing is an essential service in cloud computing, which helps users ensure the integrity of their data on CSSs. In real cloud storage system, users may rent multiple cloud storage services from different CSSs. They may request the TPA to audit their data stored separately in different CSSs. Thus, it will be highly efficient for TPA to perform auditing tasks delegated by multiple users on multiple CSSs simultaneously.

We extend our auditing scheme to support batch auditing for multiple users and multiple CSSs, which can combine all auditing parameters into one equation. The concrete auditing scheme can be described as follows.

Let U be the set of users and S be the set of CSSs. We denote the identity of user j [member of] U as [ID.sub.j] and k [member of] S as the number of CSS. [F.sub.ijk] represents the data block [F.sub.i] of user j which is stored in CSS k.

For each user j, the first four algorithms (Setup, Extract, PSKGen and TagGen) in batch auditing scheme are the same as algorithms in Section 3.2, thus we omit them and only illustrate the last three algorithms: Challenge, Proof and Verify.

Batch Challenge: For each user j on each CSS k, TPA picks the number of challenged data blocks [Z.sub.jk] and two random numbers [mathematical expression not reproducible]. It outputs the challenge parameters set [C.sub.k] = [{[C.sub.jk]}.sub.j[member of]u] for each CSS k, where [C.sub.jk] = ([Z.sub.jk],[v.sub.1,jk],[v.sub.2,jk]) and sends each set [C.sub.k] to the corresponding CSS k.

Batch Proof: For each CSS k, it receives a challenge parameters set [C.sub.k] = [{[C.sub.jk]}.sub.j[mmember of]U from TPA. According to each challenge [C.sub.jk], it computes the set of challenged indices [[delta].sub.jk] for each user j [member of] U. For 1 [less than or equal to] [a.sub.jk] [less than or equal to] [Z.sub.jk], CSS computes the index of each challenged data block [mathematical expression not reproducible]. CSS then computes the corresponding coefficient [mathematical expression not reproducible] for each [i.sub.jk] [member of] [S.sub.jk].

It calculates the aggregated tag [T.sub.k] and masked data proof [DP.sub.k] for the set of users U as

[mathematical expression not reproducible] (5)

[mathematical expression not reproducible] (6)

where [mathematical expression not reproducible]. Finally, CSS k submits the response proof [P.sub.k] = ([T.sub.k],[{[DP.sub.jk]}.sub.j[member of]u]) to TPA.

Batch Verify: Upon receiving the response proof, TPA performs the following steps:

1) For each user j on each CSS k, TPA computes [mathematical expression not reproducible] for 1 [less than or equal to] [a.sub.jk] [less than or equal to] [Z.sub.jk] to generate the set of challenged indices [[delta].sub.jk]. It calculates the corresponding coefficient [mathematical expression not reproducible]. It further computes [mathematical expression not reproducible] and [h.sub.j] = [H.sub.2]([[omega].sub.j]||[R.sub.j]) for each user j, where [[bar.h].sub.ijk] = [H.sub.1]([i.sub.jk],[Name.sub.ijk]||[timestamp.sub.ijk]).

2) When TPA receives all response proofs [{[P.sub.k]}.sub.k[member of]s] from all CSSs, it aggregates the tags and the data proofs by calculating:

[mathematical expression not reproducible], (7)

[mathematical expression not reproducible]. (8)

3) Finally, TPA verifies the response proof by calculating the following equation:

[mathematical expression not reproducible]. (9)

If Eq.(9) holds, TPA outputs 1 and inform user, otherwise it outputs 0 to user.

4. Security Analysis

Theorem 1 (Correctness). If all entities are honest and perform correctly in our auditing scheme, the verification equation will hold.

Proof. The correctness of our auditing scheme can be proved as follows:

[mathematical expression not reproducible]. (10)

Theorem 2 (Existentially Unforgeability of Proxy Signature). If there exists probabilistic polynomial time adversary A can forge a valid block-tag pair with non-negligible probability, then the CDH problem can be solved.

Proof. Assume that A can forge a verification tag with non-negligible probability, then we can construct an algorithm C which can solve the CDH problem. Input (g,[g.sup.a],[g.sup.b]) [member of] [G.sub.1], C aims to output [g.sup.ab] by utilizing A.

Setup: Let I = {[ID.sub.1],[ID.sub.2],... ,[ID.sub.n]} be the set of challenged users which includes the identity of proxy [ID.sub.p]. C runs Setup algorithm to generate system parameters. It sets Y = [g.sup.a] the public master key of PKG. It sends ([G.sub.1], [G.sub.T], q, e, g, [H.sub.0], [H.sub.1], [H.sub.2], f, [pi], Y) to the adversary A. Algorithm C randomly selects [x.sub.i] [member of] [mathematical expression not reproducible], i = 1,2,... ,n.

[H.sub.0] queries: A sends identity [ID.sub.i] to C. If record of [ID.sub.i] exists in the list, C returns corresponding value to A. Otherwise, it defines:

[mathematical expression not reproducible] (11)

and then returns [H.sub.0]([ID.sub.i]) to A and add the record to [H.sub.0]-list.

[H.sub.1] queries: A sends (i, [Name.sub.i], [timestamp.sub.i]) to C. If the record exists, C sends the corresponding value of [H.sub.1](i,[Name.sub.i]||[timestamp.sub.i]) to A. Otherwise C randomly generates c [member of] [mathematical expression not reproducible] and return it to A. Then it adds the record to [H.sub.1]-list.

[H.sub.2] queries: A sends ([[omega].sub.i]||[R.sub.i]) to C. If the record exists, C sends the corresponding value of [H.sub.2]([[omega].sub.i]||[R.sub.i]) to A. Otherwise C randomly generates c [member of] [mathematical expression not reproducible] and return it to A. Then it adds the record to [H.sub.2]-list.

Extract queries: A sends identity [ID.sub.i] to C and queries for the private key of identity [ID.sub.i]. If [ID.sub.i] [not equal to] [ID.sub.p], C computes [d.sub.i] = [mathematical expression not reproducible] and return [d.sub.i] to A. Otherwise, C fails and aborts it.

PSKGen queries: A sends ([ID.sub.i],[ID.sub.j],[[omega].sub.i],[U.sub.i]) to C. If [ID.sub.j] = [ID.sub.p], C fails and aborts it. Otherwise, if [H.sub.0]([ID.sub.i]) does not exist, C sends the query [ID.sub.i] to [H.sub.0] queries. And if [H.sub.1](i,[Name.sub.i]||[timestamp.sub.i]) does not exist, C sends the query (i, [Name.sub.i], [timestamp.sub.i]) to [H.sub.1] queries. C randomly picks r [member of] [mathematical expression not reproducible] and computes the proxy signature key u = [U.sub.i] * [Y.sup.x][j.sup.r]. C returns u to A.

TagGen queries: A sends (i, [Name.sub.i], [timestamp.sub.i]) and [F.sub.i] to C to query verification tag of [F.subi. If [H.sub.1](i,[Name.sub.i]||[timestamp.sub.i]) does not exist, C sends the query (i, [Name.sub.i], [timestamp.sub.i]) to [H.sub.1] queries. Let [h.sub.i] = [H.sub.1](i,[Name.sub.i]||[timestamp.sub.i]). C calculates the verification tag as:

[mathematical expression not reproducible] (12)

and sends [t.sub.i] back to the adversary A.

Outputs: Finally, A outputs a verification tag t* on a data block F* with user identity ID* and proxy identity [ID.sub.p]. The adversary A wins the game if it satisfies the following restriction properties.

1) Data block F* and user indentity ID* have not been queried in TagGen.

2) Tag t* is a valid verification tag on F*.

Then, we can obtain the following equation

[mathematical expression not reproducible]

[mathematical expression not reproducible] (13) Thus, the algorithm C can get

[mathematical expression not reproducible] (14)

where h* = [H.sub.1](i*,Name*||timestamp*) and r* [member of] [mathematical expression not reproducible].

Thus, the CDH problem can be solved by adversary A with non-negligible probability in probabilistic polynomial time, which conflicts to the difficulty of solving CDH problem.

Besides, when letting the user be the adversary, Theorem 2 is also correct, which means user cannot forge a valid tag. Thus, the proposed auditing scheme can also support property of proxy-protection.

Theorem 3 (Privacy-Preserving). TPA cannot retrieve any information of user's data blocks in the proposed auditing protocol.

Proof. In auditing procedure, the auditing parameters that TPA can get are the challenge C, index table and response proof P. Information of data blocks are mainly in response proof P.

From Eq.(2) and Eq.(3), it is easy to find that TPA cannot obtain [F.sub.t], [t.sub.i] in one time auditing. Even if TPA collects enough response proofs and obtains [F.sub.i] from DP by solving corresponding linear equations, each [F.sub.i] is just the sum of hash value of [F.sub.i] and [F.sub.i]. TPA cannot retrieve [F.sub.i] from [F.sub.i]. Furthermore, the proposed auditing scheme can even use random mask techniques in generating data proof DP to prevent the [F.sub.i] from being solved, which further improves the security level of the auditing scheme.

Therefore, the TPA cannot extract any information of data blocks during whole auditing procedure.

5. Performance Analysis

We evaluate the performance of our identity-based cloud storage auditing scheme in this section. We compare our scheme with three existing cloud auditing schemes to show the efficiency of our scheme.

Before performance analysis, a qualitative comparison between our scheme and the existing schemes is demonstrated in Table 5.

5.1 Probability Analysis

By applying sampling strategy, our scheme only needs to check a limited number of data blocks to achieve high detection probability. Suppose the corruption probability of each data block is [lambda] in one CSS. We assume that data blocks in each CSS have same corruption probability. z denotes the number of challenged data blocks. k denotes the number of users in the cloud and c denotes the number of CSSs. Then the detection probability of data corruption of TPA can be calculated as

Pr = 1 - [(1 - [lambda]).sup.kcz]. (15)

Suppose that 1% corrupted data blocks are corrupted and the multiplication of number of users and number of CSSs kc is 100. Then we only needs to check 3 data blocks for each user in each CSS to achieve over 95% corruption detection probability of TPA and to check 5 data blocks to get over 99% corruption detection probability.

5.2 Communication Cost Analysis

In cloud auditing schemes, the data files and homomorphic verifiable tags are uploaded once and for all. The communication cost mainly comes from the Challenge algorithm and Proof algorithm, which will be performed periodically. Thus, we analyze the communication overhead in Challenge algorithm and Proof algorithm in the setting of multiple users and multiple CSSs. Suppose each user stores n data blocks on each CSS and TPA challenges z data blocks on each CSS for each user. For simplicity, we assume that each user stores same number of data blocks on each CSS.

In our scheme, TPA sends the number of challenged data blocks and two random elements in [mathematical expression not reproducible] to each CSS for each user in Challenge algorithm. Therefore, the communication cost of Challenge algorithm is kc(|n| + 2|q|). In Proof algorithm, since each CSS needs to return the response proof P = (T, DP) to TPA, the communication cost of our scheme is c|[G.sub.1]| + kc|q|. The communication comparison can be summarized in Table 6.

From the communication comparison, we know that Zhang et al.'s scheme has the most communication cost among four cloud auditing schemes. Our scheme has the same communication cost as Wang et al.'s two schemes in Challenge algorithm. However, our scheme incurs less communication overhead than other three auditing schemes in Proof algorithm. This is because in Proof algorithm of our scheme, each CSS can aggregate all users' tags into one aggregated tag to be sent to TPA. In order to further reduce the communication cost in Proof algorithm, we can move the burden of computing [mathematical expression not reproducible] for each user j from TPA to CSS which has abundant computation resource. Then each CSS can combine all users' data proofs by calculating [mathematical expression not reproducible] and send an aggregated data proof to TPA. In this way, the communication cost can be reduced to c(|[G.sub.1]| + |q|).

5.3 Computation Cost Analysis

In cloud auditing schemes, algorithms for system initialization and key generation can be pre-computed before data processing and can be calculated only once, which refers to first three algorithms (Setup, Extract and PSKGen) in our scheme. Challenge algorithm only generates random values on [mathematical expression not reproducible], which costs negligible computation time. Thus, computation cost of cloud auditing schemes is mainly from algorithms of TagGen, Proof and Verify. Besides, since compared with other operations, multiplication, exponentiation, bilinear pairing and map-to-point hash function on [G.sub.1] are most time-consuming operations, we only consider these four operations in our theoretical analysis.

In our scheme, proxy computes n multiplication and 2n exponentiation on [G.sub.1] for generating verification tags in TagGen. In Proof CSS calculates z exponentiation and z-1 multiplication on [G.sub.1] to generate response proof for each user. In Verify, TPA computes 2 bilinear pairings, 3 exponentiation and 2 multiplication on [G.sub.1] to verify the integrity of data blocks of each user.

We give the theoretical comparison of computation complexity in Table 7. Let M be the multiplication operation on [G.sub.1]. Let E be the exponentiation operation on [G.sub.1]. Let P be the bilinear pairing operation. H denotes the hash function which maps a string to a point on [G.sub.1].

From Table 7, we can see that four schemes have same computation cost in Proof algorithm. This is because all auditing schemes need to aggregate challenged data blocks and the corresponding homomorphic verifiable tags. It also shows that our scheme incurs less computation cost in TagGen and Verify algorithm when compared with other auditing schemes.

To the best of our knowledge, there exists only identity-based proxy-oriented auditing scheme which was proposed by Wang et al. in [30]. According to the comparison in Table 5, only their scheme and our scheme satisfy same properties and have similar system model, which contains five entities: user, PKG, proxy, TPA and CSS. Thus, in order to describe our scheme's computation performance, we compare our scheme with Wang et al.'s scheme in the simulation.

We conduct the experiments using C on an Ubuntu 14.04.4 Linux system with an Intel Core i5 CPU at 3.30GHz, 4GB DDR3 RAM and Western Digital 1T Disk. The code uses The GNU multiple precision arithmetic (GMP) library version 6.1.0 and paring-based cryptography (PBC) library version 0.5.14 to implement our scheme and Wang et al.'s scheme. In our simulation, we use type A pairing parameters to construct the bilinear pairing.

Computation cost of proxy: For user in existing auditing schemes without proxy, the most time-consuming work is tag generation, which is now delegated to the proxy in our scheme. Therefore, computation overhead of user can be neglected and we focus on the computation cost on proxy.

Proxy runs three algorithms in auditing scheme which are Extract, PSKGen and TagGen. As mentioned above, TagGen contains more computation operations compared with other two algorithms. Thus, in order to show the efficiency of our proxy, we compare the computation cost of proxy in TagGen algorithm between our scheme and Wang et al.'s scheme, which is described in Fig. 2.

From Fig. 2, we can see that the computation cost of proxy for tag generation in both schemes grows linearly. However, the computation time of proxy in our scheme is only the half of computation time in Wang et al.'s scheme, which means our scheme is much more efficient than Wang et al.'s scheme in terms of proxy. This is in accordance with the theoretical analysis because Wang et al.'s scheme needs to compute map-to-point hash function in TagGen, which is inefficient and costs more computation time than normal hash function used in our scheme.

Computation cost of CSS: CSS is responsible for running Proof algorithm to generate response proof. To illustrate the performance of CSS of our scheme in single user and single CSS setting, we compare the computation cost on CSS versus the number of challenged data blocks in Fig. 3. The number of user and number of CSS are both set to be 1.

Fig. 3 shows that both our scheme and Wang et al.'s scheme are efficient in CSS. Although the number of challenged data blocks goes to 500, the computation time of CSS is less than 0.8 seconds. Furthermore, the computation time on CSS is almost the same in our scheme and Wang et al.'s scheme since two schemes have similar procedures when generating response proofs.

In multiple users setting, each CSS runs Batch Proof algorithm to generate the aggregated response proof for all users in it. In order to show the efficiency of CSS in batch auditing, Fig. 4 depicts the comparison of computation cost of CSS versus the number of challenged user. The number of challenged data blocks per user is set to be 5.

From the simulation results, it is easy to find that not only in individual auditing, but in batch auditing, our scheme has the same computation cost as Want et al.'s scheme. This is because in Batch Proof algorithm, both our scheme and Wang et al.'s scheme require CSS to calculate aggregated tags [mathematical expression not reproducible] and data proofs [DP.sub.jk] for each user j and then to combine all users' aggregated tags into one tag [T.sub.k].

Computation cost of TPA: TPA runs Challenge and Verify algorithms in single user and CSS case, where Challenge has negligible computation cost compared with Verify. Thus, to demonstrate the efficiency of our scheme in Verify algorithm, we first conduct the comparison on computation time of TPA in individual auditing, which is depicted by Fig. 5.

Fig. 5 shows that our scheme incurs much less computation cost on TPA than Wang et al.'s scheme in individual auditing. Furthermore, the computation time on TPA in our scheme is almost constant and close to 0. However, the computation time grows linearly with the number of challenged data blocks in Wang et al.'s scheme. The simulation results match the theoretical analysis since Verify algorithm in our scheme only contains constant bilinear operations on [G.sub.1].

In multiple users and CSSs case, TPA runs Batch Challenge to generate and send challenge message to each CSS for each user. It runs Batch Verify to verify response proofs of all users from multiple CSSs simultaneously. To illustrate the efficiency of batch auditing in our scheme, we make comparison on computation cost of TPA with multiple users and multiple CSSs in Fig. 6 and Fig. 7 respectively.

Fig. 6 depicts the linear relationship between the computation time of TPA versus the number of challenged users. It demonstrates that our scheme can greatly reduce the computation cost and save 86% computation time of TPA in Wang et al.'s scheme. This is because our scheme can combine all users' verification equations into one verification equation, which eliminates a large number of bilinear pairing operations. Therefore our scheme is more efficient than Wang et al.'s scheme in multiple users setting.

Fig. 7 describes the computation cost of TPA versus the number of challenged CSSs. In this figure, we know that compared with Wang et al.'s scheme, our scheme can hugely reduce the computation cost as the number of challenged CSSs increases. The computation time in our scheme is close to 0 and almost independent of the number of challenged CSSs, but the computation time in Wang et al.'s scheme is linear to the number of challenged CSSs. Thus our auditing scheme is more suitable to multiple CSSs setting than Wang et al.'s scheme.

6. Conclusion

In this paper, we propose an efficient identity-based cloud auditing scheme with proxy. Based on homomorphic verifiable tag and identity-based cryptography, we construct an auditing scheme to eliminate complex certificate management and heavy load of certificate verification. We introduce a proxy into our auditing scheme to help user compute and send verification tags, which relieves the computation burden of user in generating tags. By using index table, we extend our scheme to support dynamic auditing for data update operations. We further extend our auditing scheme to support batch auditing in multiple users and CSSs setting. It enables TPA to perform multiple auditing tasks simultaneously by combining multiple bilinear pairing operations into one, which greatly improves the auditing performance. Security analysis proves that our auditing scheme is secure in the random oracle model under the hardness of CDH problem. Theoretical analysis and experiments clearly show that our auditing scheme is highly efficient and suitable for large scale cloud storage system.

Acknowledgements

This work was supported by the National Natural Science Foundation of China under grant 61170221.

References

[1] M. Sookhak, A. Gani, H. Talebian, A. Akhunzada, S. U. Khan, R. Buyya and A. Y. Zomaya, "Remote data auditing in cloud computing environments: A survey, taxonomy, and open issues," ACM Computing Surveys (CSUR), vol. 47, no. 4, Article 65, 2015. Article (CrossRef Link)

[2] A. Shamir, "Identity-based cryptosystems and signature schemes," in Proc. of Workshop on the Theory and Application of Cryptographic Techniques, pp. 47-53, 1984. Article (CrossRef Link)

[3] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson and D. Song, "Provable data possession at untrusted stores," in Proc. of the 14th ACM Conference on Computer and Communications Security, pp. 598-609, 2007. Article (CrossRef Link)

[4] A. Juels and B. S. Kaliski Jr, "PORs: Proofs of retrievability for large files," in Proc. of the 14th ACM Conference on Computer and Communications Security, pp. 584-597, 2007. Article (CrossRef Link)

[5] G. Ateniese, R. Di Pietro, L. V. Mancini and G. Tsudik, "Scalable and efficient provable data possession," in Proc. of the 4th International Conference on Security and Privacy in Communication Netowrks. pp. 1-10, 2008. Article (CrossRef Link)

[6] Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu and S. S. Yau, "Dynamic audit services for integrity verication of outsourced storages in clouds," in Proc. of the 2011 ACM Symposium on Applied Computing, pp. 1550-1557, 2011. Article (CrossRef Link)

[7] C. C. Erway, A. Kupcu, C. Papamanthou and R. Tamassia, "Dynamic provable data possession," ACM Transactions on Information and System Security (TISSEC), vol. 17, no. 4, 2015. Article (CrossRef Link)

[8] Q. Wang, C. Wang, J. Li, K. Ren and W. Lou, "Enabling public verifiability and data dynamics for storage security in cloud computing," in Proc. of European Symposium on Research in Computer Security. pp. 355-370, 2009. Article (CrossRef Link)

[9] R. Curtmola, O. Khan, R. Burns and G. Ateniese. "MR-PDP: Multiple-replica provable data possession," in Proc. of the 28th International Conference on Distributed Computing Systems, pp. 411-420, 2008. Article (CrossRef Link)

[10] A. F. Barsoum and M. A. Hasan, "On Verifying Dynamic Multiple Data Copies over Cloud Servers," IACR Cryptology ePrint Archive, vol.1, no. 1, pp. 447-455, 2011.

[11] C. Wang, K. Ren, W. Lou and J. Li, "Toward publicly auditable secure cloud data storage services," IEEE Network, vol. 24, no. 4, pp. 19-24, 2010. Article (CrossRef Link)

[12] Y. Zhu, H. Hu, G.-J. Ahn and M. Yu, "Cooperative provable data possession for integrity verification in multicloud storage," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 12, pp. 2231-2244, 2012. Article (CrossRef Link)

[13] K. Yang and X. Jia, "An efficient and secure dynamic auditing protocol for data storage in cloud computing," IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 9, pp. 1717-1726, 2013. Article (CrossRef Link)

[14] C. Wang, S. S. Chow, Q. Wang, K. Ren and W. Lou, "Privacy-preserving public auditing for secure cloud storage," IEEE Transactions on Computers, vol. 62, no. 2, pp. 362-375, 2013. Article (CrossRef Link)

[15] M. Sookhak, A. Akhunzada, A. Gani, M. Khurram Khan and N. B. Anuar, "Towards dynamic remote data auditing in computational clouds," The Scientific World Journal 2014, vol. 12, 2014. Article (CrossRef Link)

[16] W. Shen, J. Yu, G. Yang, Y. Zhang, Z. Fu, and R. Hao, "Access-authorizing and privacy-preserving auditing with group dynamic for shared cloud data," KSII Transactions on Internet and Information Systems, vol. 10, no. 7, 2016. Article (CrossRef Link)

[17] J. Wang, X. Chen, X. Huang, I. You and Y. Xiang, "Verifiable auditing for outsourced database in cloud computing," IEEE Transactions on Computers, vol. 64, no. 11, pp. 3293-3303, 2015. Article (CrossRef Link)

[18] Y. Yu, M. H. Au, Y. Mu, S. Tang, J. Ren, W. Susilo and L. Dong, "Enhanced privacy of a remote data integrity-checking protocol for secure cloud storage," International Journal of Information Security, vol. 14, no. 4, pp. 307-318, 2015. Article (CrossRef Link)

[19] C. Xu, Y. Zhang, Y. Yu, X. Zhang and J. Wen, "An efficient provable secure public auditing scheme for cloud storage," KSII Transactions on Internet and Information Systems, vol. 8, no. 11, pp. 4226-4241, 2014. Article (CrossRef Link)

[20] T. Jiang, X. Chen and J. Ma, "Public integrity auditing for shared dynamic cloud data with group user revocation," IEEE Transactions on Computers, vol. 65, no. 8, pp. 2363-2373, 2015. Article (CrossRef Link)

[21] A. F. Barsoum and M. A. Hasan, "Provable multicopy dynamic data possession in cloud computing systems," IEEE Transactions on Information Forensics and Security, vol.10, no. 3, pp. 485-497, 2015. Article (CrossRef Link)

[22] J. Zhao, C. Xu, F. Li, and W. Zhang, "Identity-based public verification with privacy-preserving for data storage security in cloud computing," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 96, no. 12, pp. 2709-2716, 2013. Article (CrossRef Link)

[23] H. Wang, Q. Wu, B. Qin and J. Domingo-Ferrer, "Identity-based remote data possession checking in public clouds," IET Information Security, vol. 8, no. 2, pp. 114-121, 2014. Article (CrossRef Link)

[24] H Wang, "Identity-based distributed provable data possession in multicloud storage," IEEE Transactions on Services Computing, vol. 8, no. 2, pp. 328-340, 2015. Article (CrossRef Link)

[25] J. Zhang, P. Li and J. Mao, "IPad: ID-based public auditing for the outsourced data in the standard model," Cluster Computing, vol. 19, no. 1, pp. 127-138, 2016. Article (CrossRef Link)

[26] J. Zhang and Q. Dong, "Efficient ID-based public auditing for the outsourced data in cloud storage," Information Sciences, vol.343, pp. 1-14, 2016. Article (CrossRef Link)

[27] Y. Yu, Y. Zhang, Y. Mu, W. Susilo and H. Liu, "Provably secure identity based provable data possession," in Proc. of International Conference on Provable Security, pp. 310-325, 2015. Article (CrossRef Link)

[28] Y. Yu, L. Xue, M. H. Au, W. Susilo, J. Ni, Y. Zhang, A. V. Vasilakos and J. Shen, "Cloud data integrity checking with an identity-based auditing mechanism from RSA," Future Generation Computer Systems, vol. 62, pp. 85-91, 2016. Article (CrossRef Link)

[29] Y. Yu, M. H. Au, G. Ateniese, X. Huang, W. Susilo, Y. Dai and G. Min, "Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage," IEEE Transactions on Information Forensics and Security, vol. 12, no. 4, pp. 767-778, 2016. Article (CrossRef Link)

[30] H. Wang, D. He and S. Tang, "Identity-based proxy-oriented data uploading and remote data integrity checking in public cloud," IEEE Transactions on Information Forensics and Security, vol. 11, no. 6, pp. 1165-1176, 2016. Article (CrossRef Link)

[31] J. Zhang, W. Tang and J. Mao, "Efficient public verification proof of retrievability scheme in cloud," Cluster computing, vol. 17, no. 4, pp. 1401-1411, 2014. Article (CrossRef Link)

Haiyang Yu (1), Yongquan Cai (1), Shanshan Kong (1), Zhenhu Ning (1), Fei Xue (2) and Han Zhong (3)

(1) Faculty of Information, Beijing University of Technology Beijing, 100022, P. R. China

[e-mail: billyukiwi@163.com; cyq@bjut.edu.cn; kongss27@163.com; nzh41034@163.com]

(2) College of Information, Beijing Wuzi University Beijing, 100149, P. R. China

[e-mail: xuefei2004@126.com]

(3) College of Information Technology and Network Security, Peoples Public Security University of China Beijing, 100038, P. R. China

[e-mail: z.h0912@163.com]

(*) Corresponding author: Haiyang Yu

Haiyang Yu was born in 1991. He is currently a PhD candidate at the College of Computer Science, Beijing University of Technology. He received his BEng degree from Beijing University of Technology, China, in 2013. His research interests are in the area of Information Security and Cloud Computing.

Yongquan Cai is a Professor and PhD supervisor of College of Computer Science, Beijing University of Technology. His research interests include Information Security, Computer Network and Cryptographic Protocols Analysis.

Shanshan Kong is a PhD candidate at the College of Computer Science, Beijing University of Technology. Her research interests are in the area of Information Security and Cloud Computing.

Zhenhu Ning received his PhD degree from Beijing University of Technology, China, in 2016. His research interests include Information Security and Trusted Computing.

Fei Xue received his PhD degree from Beijing University of Technology, China, in 2016. His research interests include computational intelligence and complex systems.

Han Zhong received her PhD degree from Beijing University of Technology. Her research interests include Big Data and Information Security.

Received December 9, 2016; revised May 14, 2017; accepted June 27, 2017; published October 31, 2017

https://doi.org/10.3837/tiis.2017.10.019

Table 1. Index table of data file i [O.sub.i] [T.sub.i] 1 1 [T.sub.1] 2 2 [T.sub.2] 3 3 [T.sub.3] [??] [??] [??] n n [T.sub.n] Table 2. Index table update after modifying data block [F.sub.1] i [O.sub.t] [T.sub.i] 1 1 [mathematical expression not reproducible] 2 2 [T.sub.2] 3 3 [T.sub.3] [??] [??] [??] n n [T.sub.n] Table 3. Index table update after inserting new data block [mathematical expression not reproducible] i [O.sub.i] [T.sub.i] 1 1 [T.sub.1] 2 n + 1 [T.sub.n+1] 3 2 [T.sub.2] [??] [??] [??] n + 1 n [T.sub.n] Table 4. Index table update after deleting data block [F.sub.3] i [O.sub.i] [T.sub.i] 1 1 [T.sub.1] 2 2 [T.sub.2] 3 4 [T.sub.4] [??] [??] [??] n - 1 n [T.sub.n] Table 5. Comparison of existing cloud auditing schemes ID-base d Dynamic Proxy Data Batch Auditing Processing Auditing Wang[23] Yes No No N/A Zhang[31] No No No N/A Wang[30] Yes No Yes N/A Our scheme Yes Yes Yes Yes Table 6. Comparison of communication cost Challeng e Proof Certificate Management Wang[23] kc(|z|+2|q|) kc(|[G.sub.1]| + |q|) No Zhang[31] kc(2z+1)|q| kc(3|[G.sub.1] + |q|) Yes Wang[30] kc(|z|+2|q|) kc(|[C.sub.1] + |q|) No Our scheme kc(|z|+2|q|) c|[G.sub.1]| + kc|q| No Table 7. Comparison of computation cost TagGe n Proof Verify Certificate Verify Wang[23] n(M+2E+H) zE+(z-1)M 2P+(z+2)E+(z+1)M+zH No Zhang[31] n(M+2E+2H) zE+(z-1)M 3P+(z+2)E+zM+zH Yes Wang[30] n(M+2E+H) zE+(z-1)M 2P+(z+1)E+zM+zH No Our scheme n(M+2E) zE+(z-1)M 2P+3E+2M No

Printer friendly Cite/link Email Feedback | |

Author: | Yu, Haiyang; Cai, Yongquan; Kong, Shanshan; Ning, Zhenhu; Xue, Fei; Zhong, Han |
---|---|

Publication: | KSII Transactions on Internet and Information Systems |

Article Type: | Report |

Date: | Oct 1, 2017 |

Words: | 9318 |

Previous Article: | Sequential Pattern Mining for Intrusion Detection System with Feature Selection on Big Data. |

Next Article: | Indicator-based Behavior Ontology for Detecting Insider Threats in Network Systems. |

Topics: |