
Proceedings of The Fourth International Conference on Informatics & Applications, Takamatsu, Japan, 2015

A Secure Group Data Access Protocol with Provable Data Possession for Cloud Environment

Nai-Wei Lo (1), Che-Wei Chuang (2) and Tzong-Chen Wu (3)
Department of Information Management
National Taiwan University of Science and Technology
Taipei, Taiwan
(1) nwlo@cs.ntust.edu.tw, (2) M10109106@mail.ntust.edu.tw, (3) tcwu@cs.ntust.edu.tw
ABSTRACT
Cloud-based data storage service has provided a
lucrative option for organizations and individual
users to store and manipulate their data with a
relatively lower cost than traditional data storage
approach. However, data stored in a cloud are
vulnerable to loss and corruption caused by hardware
and software failures, and human errors through
interactive online data handling activities. Therefore,
authenticity verification on users before granting
data access rights has emerged as a critical process
for cloud-based data storage service. Current
approaches focus only on data owned by individual
users. To address access security on cloud-based data
shared within a group of users, a data access
verification protocol for group users is proposed in
this paper. In addition, security analysis is conducted
for the proposed protocol to evaluate its security
strength.

KEYWORDS
Authenticated group key agreement protocol, Data
integrity, Provable data possession, Secure cloud
storage service, Data storage outsourcing.

1 INTRODUCTION
In recent years, a lot of cloud service providers, such as Amazon, Yahoo!, Google, Dropbox, and Apple, have provided efficient and scalable data storage services at a considerably lower marginal cost in comparison with traditional data storage providers [1]. Applications for cloud-based data storage services include online data backup, photo storage and sharing, email access and documents sharing. However, data stored in a cloud environment are vulnerable to loss and corruption caused by hardware and software failures, and human errors through interactive online data handling activities [2], [3]. Thus, authenticity verification on users before granting data access rights has emerged as a critical process for cloud-based data storage service.

ISBN: 978-1-941968-16-1 2015 SDIWC

The traditional approach for ensuring data integrity involves retrieving an entire data set from the cloud and verifying its integrity by validating associated signatures or hash values. Since the amount of data stored in a cloud is generally huge and diversified in terms of data types, downloading all stored data to verify data integrity before accessing part of them creates temporary data storage and time consumption problems for users. In other words, valuable computing and storage resources at the client side are generally wasted under such an approach. To overcome this problem, many new approaches have been proposed [4]-[13]. In 2007, Ateniese et al. [4] proposed the provable data possession (PDP) model, which is used to ensure the possession of files in a cloud. This model, based on homomorphic tags, employs a data auditing model to audit files. Their technique requires a substantial amount of computation cost. In the same year, Juels and Kaliski [5] proposed a proof of retrievability (POR) model for ensuring the possession and retrievability of files. This model represents a complementary approach to the PDP model. A POR model involves a challenge-response protocol that enables a remote server to provide evidence to a verifier, which can retrieve or reconstruct the entire data file from the responses reliably transmitted by the remote server.


These approaches enable data owners and public data verifiers to ensure data correctness efficiently without downloading all data from the cloud. In addition, privacy-preserving PDP protocols [14], [15] rely on a third-party auditor (TPA) to verify the correctness of data by using metadata files and to preserve user privacy at the same time, since the TPA does not have sufficient information and authority to retrieve complete data files.
We observed that the majority of relevant studies have focused on data owned by individual users. In this study, a data access verification protocol for group users to access important and shared data such as testaments, contracts, legal documents, data of crime evidence, and so on is proposed. The proposed protocol is based on a cloud data access model, which consists of four main roles as shown in Fig. 1: (1) the group initiator: a group leader who requests specific data to be stored in the cloud; (2) group members: each member of the group is identified by the group initiator and has access rights and validation permissions to the same specific data; (3) a trusted third party (TTP): a trusted user role, such as a lawyer, who must sign those digital data (or files) before they are stored in a cloud, to prevent files from being corrupted by unauthorized users or attackers; (4) cloud servers: servers located in a cloud environment that provide data storage space and are managed by a cloud service provider (CSP). To enhance data access security and ensure the validity of accessed files, the short signature scheme developed by Zhang et al. [16] and the authenticated group key agreement (GKA) protocol developed by Tsai [17] were adopted into our protocol. In addition, security analysis is conducted for the proposed protocol to evaluate its security strength.

Figure 1. Cloud Computing Data Storage System Model

2 PRELIMINARIES
2.1 Bilinear Pairings
Let $G_1$ and $G_2$ be a cyclic additive group and a cyclic multiplicative group of the same order $q$, and let $e: G_1 \times G_1 \to G_2$ be a pairing operation satisfying the following properties:
Bilinear: for all $P, Q, R \in G_1$ and $a, b \in \mathbb{Z}_q$, $e(aP, bQ) = e(P, Q)^{ab}$; equivalently, $e(P + Q, R) = e(P, R)\, e(Q, R)$ and $e(P, Q + R) = e(P, Q)\, e(P, R)$.
Non-degenerate: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
Computable: for all $P, Q \in G_1$, there is an efficient algorithm for computing $e(P, Q)$.
2.2 Bilinear Maps
Let $G_3$, $G_4$ and $G_T$ be three multiplicative cyclic groups of prime order $p$. Let $u$ and $g$ be generators of $G_3$ and $G_4$, respectively. A bilinear map is a map $e: G_3 \times G_4 \to G_T$ with the following properties:
Bilinear: for all $a, b \in \mathbb{Z}_p$, $e(u^a, g^b) = e(u, g)^{ab}$.
Non-degenerate: $e(u, g) \neq 1$.
Computable: there exists an efficient algorithm for computing $e$.
2.3 Short Signature Model
Zhang et al. [16] proposed the short signature scheme in 2004. This scheme has been proved to be secure against adaptive chosen-message attacks in the random oracle model. The scheme can be divided into three phases: key generation, signing, and verification. The procedures of Zhang's short signature scheme are described as follows:
Key generation: Each signatory chooses $s \in \mathbb{Z}_q^*$ as a private key and then computes the public key $PK = sP$ and $e(P, P)$. The signatory then publishes $\{G_1, G_2, q, e, P, H(\cdot), e(P, P)\}$ together with $PK$, where $P$ is a generator of $G_1$ and $H: \{0, 1\}^* \to \mathbb{Z}_q$ is a one-way hash function.
Signing: When signing a message $m \in \{0, 1\}^*$, the signatory computes the signature $S = \frac{1}{H(m) + s} P$ for the message $m$. The signatory then submits the signature $S$ and the message $m$ to the verifier.
Verification: Upon receiving the signature $S$, the verifier validates it by determining whether $e(H(m)P + PK, S) = e(P, P)$. This holds for a genuine signature because $e(H(m)P + PK, S) = e\big((H(m) + s)P, \frac{1}{H(m) + s} P\big) = e(P, P)^{(H(m) + s) \cdot \frac{1}{H(m) + s}} = e(P, P)$. If the equation holds, the verifier accepts the signature $S$ as valid. Otherwise, the signature $S$ is rejected.

2.4 Authenticated Group Key Agreement Protocol
The authenticated GKA protocol was proposed by Tsai [17] and has been proved to satisfy the group key security requirements. Table 1 shows the notation used for the authenticated GKA protocol in [17].
Assume a group has $n$ users $U = \{U_1, U_2, \ldots, U_n\}$. Let $\{U_1, U_2, \ldots, U_{n-1}\}$ be a set of ordinary users and let $U_n$ be the powerful user. Before determining the group key, each ordinary user $U_i$ ($1 \le i \le n-1$) and the powerful user $U_n$ have their private key $X_i$ and public key $Y_i = X_i P$. Fig. 2 shows the authenticated GKA protocol of Tsai. The procedures of Tsai's authenticated GKA protocol are described as follows:

Table 1. Notations for the authenticated GKA protocol of Tsai

Notation   Description
p, q       A prime number and the order of the elliptic curve
G1, G2     A cyclic additive group and a cyclic multiplicative group of the same order q
P          Public point
n          The number of the participants
H(.)       One-way hash function
Xi         The private key of the ordinary user and the powerful user
Yi         The public key of the ordinary user and the powerful user

Step 1. First, each ordinary user $U_i$ ($1 \le i \le n-1$) chooses a random number $a_i \in \mathbb{Z}_q^*$ and computes $A_i = a_i P$. Each ordinary user $U_i$ then computes the signature $S_i = \frac{1}{H(A_i) + X_i} P$ and submits $(U_i, A_i, S_i)$ to the powerful user $U_n$.
Step 2. Once the powerful user $U_n$ receives $(U_i, A_i, S_i)$ ($1 \le i \le n-1$), the powerful user $U_n$ evaluates the following verification equation to decide whether the values computed on both sides are equal: $e(H(A_i)P + Y_i, S_i) \stackrel{?}{=} e(P, P)$, where $1 \le i \le n-1$. If the signature is verified, i.e., the two computed values are equal, then the ordinary user $U_i$ becomes a legal user. After all $(U_i, A_i, S_i)$ ($1 \le i \le n-1$) are verified, the powerful user $U_n$ computes $x_i = a_n A_i$, where $a_n \in \mathbb{Z}_q^*$ is a random number. Subsequently, $U_n$ computes $C = H(U_n, x_1, x_2, \ldots, x_{n-1})$, the signature $S_n = \frac{1}{C + X_n} P$, and the group key $K = H(x_1, x_2, \ldots, x_{n-1}, S_n) = H(a_n a_1 P, a_n a_2 P, \ldots, a_n a_{n-1} P, S_n)$. The powerful user $U_n$ then distributes $(U_n, x_1, x_2, \ldots, x_{n-1}, S_n)$ to each ordinary user $U_i$ ($1 \le i \le n-1$).
Step 3. Upon receiving the distributed information $(U_n, x_1, x_2, \ldots, x_{n-1}, S_n)$ from the powerful user $U_n$, each ordinary user $U_i$ ($1 \le i \le n-1$) must compute $C = H(U_n, x_1, x_2, \ldots, x_{n-1})$ and then evaluate the following verification equation: $e(CP + Y_n, S_n) \stackrel{?}{=} e(P, P)$. If the distributed information is validated, then the powerful user $U_n$ becomes a legal user. Once the identity of the powerful user is confirmed, each ordinary user $U_i$ ($1 \le i \le n-1$) computes the group key $K = H(x_1, x_2, \ldots, x_{n-1}, S_n) = H(a_n a_1 P, a_n a_2 P, \ldots, a_n a_{n-1} P, S_n)$.

Table 2. Notations for the proposed protocol

Notation        Description
F               A data file to be outsourced
f_key(.)        A pseudo-random function (PRF): key x {0,1}* -> Z_p
G3, G4          Multiplicative cyclic groups of prime order p
e               A bilinear map e: G3 x G4 -> GT
u, g            Two generators of G3 and G4, respectively
x in Z_p^*      The TTP private key
y = g^x in G4   The TTP public key
K               A group key
S               Signature of the group initiator
H(.)            One-way hash function
Fm              A unique file identifier for each owner's file. Fm is constructed as Filename || u, i.e., Fm is a unique fingerprint for each file comprising the file name and the generator u
m               The number of blocks in the encrypted file
E_K             An encryption algorithm with strong diffusion property
b_i in Z_p      An encrypted file block
{sigma_i}       The set of tags {sigma_i}, 1 <= i <= m
E               Evidence which guarantees that the CSP is actually storing the file, E = {sigma, mu}, where sigma = prod_{i=1}^{m} sigma_i^{a_i} in G3 and mu = sum_{i=1}^{m} a_i b_i in Z_p
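The following Python model is added here as an illustration; it is not code from the paper, from Tsai [17] or from Zhang et al. [16]. It runs the signing and verification of Section 2.3 and the three steps of Section 2.4 end to end on a toy pairing: $G_1$ is $\mathbb{Z}_Q$ under addition with $P = 1$, so a point $aP$ is stored as the scalar $a$ and $e(aP, bP)$ is $ab \bmod Q$. Every check is the paper's equation, but the model has no cryptographic security, because discrete logarithms are visible. The prime Q, SHA-256 as H, and the user identifiers are assumptions of the example.

```python
"""Toy-pairing model of the ZSS short signature (Section 2.3) and the three
steps of Tsai's authenticated GKA (Section 2.4).

G1 is modelled as the additive group Z_Q with generator P = 1: the point aP is
stored as the scalar a, point addition is addition mod Q, and the pairing is
e(aP, bP) = ab mod Q (GT is kept in exponent space too, so e(P, P) = 1).
Every verification equation below is the paper's, but the model has no
security, since discrete logarithms are read off directly.  Q, SHA-256 as H,
and the user identifiers are assumptions of this example."""
import hashlib
import secrets

Q = 2**127 - 1      # toy prime group order (a Mersenne prime), an assumption
P = 1               # generator of the toy additive group


def smul(a, point):
    """Scalar multiplication a * point in G1."""
    return (a * point) % Q


def padd(x, y):
    """Point addition in G1."""
    return (x + y) % Q


def pair(x, y):
    """Toy pairing e(xP, yP) = xy, in exponent space of GT."""
    return (x * y) % Q


def H(*parts):
    """One-way hash of the concatenated inputs into Z_Q (SHA-256 stand-in)."""
    data = "|".join(str(part) for part in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1          # uniform in Z_Q^*


# --- Zhang et al. short signature (Section 2.3) -------------------------
def zss_keygen():
    s = rand_scalar()
    return s, smul(s, P)                         # (s, PK = sP)


def zss_sign(s, h):
    """S = (1 / (h + s)) P for the hashed message h = H(m)."""
    return smul(pow((h + s) % Q, -1, Q), P)


def zss_verify(pk, h, S):
    """Accept iff e(H(m)P + PK, S) == e(P, P)."""
    return pair(padd(smul(h, P), pk), S) == pair(P, P)


# --- Tsai authenticated GKA (Section 2.4) -------------------------------
def gka_step1(uid, X):
    """Ordinary user U_i: A_i = a_i P, S_i = 1/(H(A_i)+X_i) P."""
    a = rand_scalar()
    A = smul(a, P)
    return a, (uid, A, zss_sign(X, H(A)))


def gka_step2(n_id, Xn, pubkeys, msgs):
    """Powerful user U_n: verify every (U_i, A_i, S_i), then broadcast."""
    for uid, A, S in msgs:
        if not zss_verify(pubkeys[uid], H(A), S):   # e(H(A_i)P + Y_i, S_i)
            raise ValueError(f"signature of {uid} rejected")
    a_n = rand_scalar()
    xs = [smul(a_n, A) for _, A, _ in msgs]         # x_i = a_n A_i
    C = H(n_id, *xs)
    Sn = zss_sign(Xn, C)                            # S_n = 1/(C + X_n) P
    K = H(*xs, Sn)                                  # K = H(x_1..x_{n-1}, S_n)
    return K, (n_id, xs, Sn)


def gka_step3(pubkeys, bcast):
    """Ordinary user: check e(CP + Y_n, S_n) == e(P, P), then derive K."""
    n_id, xs, Sn = bcast
    C = H(n_id, *xs)
    if not zss_verify(pubkeys[n_id], C, Sn):
        raise ValueError("powerful user rejected")
    return H(*xs, Sn)


def run_gka(n=4):
    """Constructed session with n users U1..Un; Un is the powerful user.
    Returns the key U_n derived and the list of keys the others derived."""
    ids = [f"U{i}" for i in range(1, n + 1)]
    priv, pub = {}, {}
    for uid in ids:
        priv[uid], pub[uid] = zss_keygen()
    msgs = [gka_step1(uid, priv[uid])[1] for uid in ids[:-1]]
    Kn, bcast = gka_step2(ids[-1], priv[ids[-1]], pub, msgs)
    return Kn, [gka_step3(pub, bcast) for _ in ids[:-1]]
```

`run_gka(n)` plays a whole session and returns the key computed by $U_n$ together with the keys computed by $U_1, \ldots, U_{n-1}$; a Step 1 message signed under any key other than $X_i$ fails the check in Step 2, which is the argument of Theorem 2 in executable form.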

3 THE PROPOSED PROTOCOL


3.1 Assumptions and Protocol Description


Figure 2. The authenticated GKA protocol of Jia-Lun Tsai [17]

This section introduces the proposed protocol, which consists of four phases: initialization, data storing, data querying, and data integrity verification.
There are two assumptions for the proposed protocol:
The CSP and the group initiator are potentially untrustworthy. Only the TTP is trusted.
The group initiator and the TTP cannot be the same user physically. If the TTP is identical with the group initiator, then he or she cannot participate in the process of determining the group key.


In the proposed protocol, to prevent the group initiator from replacing stored files in the cloud with other files, the TTP role generates another signature for the files to be stored in the cloud. Notice that the notations used for the proposed protocol are shown in Table 2.
We briefly describe the main operations of each protocol phase in the following.
(1) Initialization: In this phase, the group initiator acts through six steps:
Choose the file to be submitted to the CSP for storage and generate a unique fingerprint $F_m$ for each file.


Generate a signature $S$ for the file by using the short signature scheme proposed by Zhang et al. [16].
Determine the group key $K$ by using the authenticated GKA protocol proposed by Tsai [17].
Encrypt the signature $S$ by using the group key $K$.
Encrypt the file by using the group key $K$ and divide it into $m$ blocks.
Encrypt the block value $m$ by using the group key $K$.
(2) Data storing: In this phase, the group initiator sends the encrypted signature $E_K(S)$, the identity of the file $F_m$, the encrypted file $E_K(F)$, the encrypted block value $E_K(m)$, and the block value $m$ to the TTP before deleting all locally stored metadata. When the TTP receives the metadata regarding the file from the group initiator, he or she calculates the block tags for the $m$ blocks. The TTP then submits the encrypted signature $E_K(S)$, the identity of the file $F_m$, the encrypted file $E_K(F)$, the encrypted block value $E_K(m)$, and the block tags to the CSP. Finally, the TTP deletes all locally stored metadata. Details of this phase are described in Section 3.2.
(3) Data querying: In this phase, the verifier, who belongs to the same group as the initiator, is required to query the file metadata from the CSP. The metadata include the identity of the file $F_m$ and the encrypted block value $E_K(m)$. Details are addressed in Section 3.3.
(4) Data integrity verification: In this phase, the verifier obtains the identity of the file $F_m$ and the encrypted block value $E_K(m)$ from the CSP through a query. After $E_K(m)$ is obtained, the verifier decrypts $E_K(m)$ by using the group key $K$ and then chooses a new key $k$ to generate $m$ random values by using a pseudorandom function (PRF). The verifier then submits the identity of the file $F_m$ and the new key $k$ to the CSP. When the CSP receives the identity of the file $F_m$ and the new key $k$ from the verifier, it uses the new key $k$ to generate the same $m$ random values by using the PRF. Subsequently, the CSP generates evidence that it continues to possess the correct file and submits this proof to the verifier. Once the verifier receives the proof from the CSP, the verifier validates it. After determining that the CSP still possesses the correct file, the user, who is in the same group as the initiator, submits the data request to the CSP. When the CSP receives the data request, the CSP sends the encrypted signature $E_K(S)$ and the encrypted file $E_K(F)$. The user can then decrypt $E_K(S)$ and $E_K(F)$ by using the group key $K$. When the user obtains the original file and the signature $S$ of the group initiator, the group member can verify the file that the group initiator had sent to the CSP. Upon successful verification, the user is assured that the file is valid. Details are addressed in Section 3.4.
3.2 Data Storing Procedure
The CSP stores a user's data (or files) according to the following steps, as shown in Fig. 3:
(1) The initiator generates $F_m$, $E_K(S)$, $E_K(F)$, $E_K(m)$, $m$.
The initiator chooses the file that is to be stored by the CSP and generates $F_m$ as well as the signature $S$ for the file by using the short signature scheme proposed by Zhang et al. [16]. The group members determine the group key $K$ by using the authenticated GKA protocol of Tsai; the initiator then encrypts the signature $S$ by using the group key $K$ (i.e., $E_K(S)$) and encrypts the file by using the group key $K$ (i.e., $E_K(F)$); the encrypted file is then divided into $m$ blocks. Finally, the initiator encrypts the block value $m$ by using the group key $K$ (i.e., $E_K(m)$) and submits $\{F_m, E_K(S), E_K(F), E_K(m), m\}$ to the TTP.
(2) Initiator → TTP: $F_m, E_K(S), E_K(F), E_K(m), m$
The TTP receives $F_m$, $E_K(S)$, $E_K(F)$, $E_K(m)$, and $m$ from the group initiator; $E_K(F)$ is an ordered collection of blocks $\{b_i \mid 1 \le i \le m\}$. The TTP then calculates the block tags $\{\sigma_i \mid 1 \le i \le m\}$, where $\sigma_i = (H(F_m) \cdot u^{b_i})^x \in G_3$, and submits $F_m$, $\{\sigma_i\}$, $E_K(S)$, $E_K(F)$, and $E_K(m)$ to the CSP.
3.3 Data Querying Procedure
A group member receives the metadata on a file from the CSP by submitting a query according to the following steps, as shown in Fig. 4.
(1) Group member → CSP: query request, $F_m$
The CSP receives the query request and $F_m$ from a group member.
(2) CSP → group member: $\{F_m, E_K(m)\}$
The CSP submits $E_K(m)$ and $F_m$ to the group member.
3.4 Data Integrity Verification Procedure
The data integrity verification procedure comprises the following steps, which are illustrated in Figs. 5 and 6.
(1) A group member decrypts $E_K(m)$ with the group key $K$ and selects a new key $k$ to generate $m$ random values $\{a_l\} = f_k(l)$, where $1 \le l \le m$. The group member then submits $F_m$, $k$, and $m$ to the CSP.
(2) Group member → CSP: $F_m, k, m$
When the CSP receives $F_m$, $k$, and $m$ from the group member, it generates the same $m$ random values $\{a_i\}$, as the verifier did. The CSP then computes $\sigma = \prod_{i=1}^{m} \sigma_i^{a_i} \in G_3$ and $\mu = \sum_{i=1}^{m} a_i b_i \in \mathbb{Z}_p$. Finally, the CSP submits $\sigma$ and $\mu$ to the group member to prove that it possesses the file.
(3) When the group member receives $\sigma$ and $\mu$ from the CSP, he or she validates the evidence $E = \{\sigma, \mu\}$ by determining whether $e(\sigma, g) = e(H(F_m)^R \cdot u^{\mu}, y)$, where $R = \sum_{i=1}^{m} a_i$. If the verification equation holds, then the group member is assured that the file possessed by the CSP is valid. The correctness of this verification equation can be shown as follows:
$$e(\sigma, g) = e\Big(\prod_{i=1}^{m} \sigma_i^{a_i},\, g\Big) = e\Big(\prod_{i=1}^{m} \big(H(F_m) \cdot u^{b_i}\big)^{x a_i},\, g\Big) = e\Big(\big(H(F_m)^{\sum_{i=1}^{m} a_i} \cdot u^{\sum_{i=1}^{m} a_i b_i}\big)^{x},\, g\Big) = e\big(H(F_m)^{R} \cdot u^{\mu},\, g^{x}\big) = e(H(F_m)^{R} \cdot u^{\mu},\, y).$$

Figure 3. Storing file from user to CSP.


Figure 4. A group member queries the file metadata from CSP.

Figure 5. Data integrity verification on CSP.


Figure 6. Data integrity verification on the group initiator.

After determining that the CSP still possesses the correct file, the group member can retrieve the file and verify it against the initiator's signature, as shown in Fig. 6.
(1) Group member → CSP: data request, $F_m$
The CSP receives the data request and $F_m$ from a group member.
(2) CSP → group member: $E_K(S)$, $E_K(F)$
The CSP submits $E_K(S)$ and $E_K(F)$ to the group member. Once the group member receives $E_K(S)$ and $E_K(F)$, he or she decrypts $E_K(S)$ and $E_K(F)$. The group member then obtains the original file $F$ and the signature $S$ of the initiator and validates the file $F$ by determining whether $e(H(F)P + PK, S) = e(P, P)$. If the equation holds, then the user is assured that the file is valid.
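The following Python model is added here as an illustration of the tag generation of Section 3.2, the challenge and proof of Section 3.4, and the file binding argued in Theorem 5; it is not code from the paper. The groups $G_3$, $G_4$ and $G_T$ are represented in exponent space (an element $h^a$ is stored as $a$, so a product becomes addition mod $p$, a power becomes multiplication mod $p$, and $e(h^a, h^b)$ becomes $ab \bmod p$); the generators $u$ and $g$ are both the exponent 1. The equations are the paper's, but the model has no security, since every discrete logarithm is in the clear. The prime $p$, HMAC-SHA256 as the PRF $f_k$, the file name and the sample ciphertext are assumptions; the encryption $E_K$ is not modelled (the input bytes are treated as the already encrypted file), and the final signature check over $F$ is the verification of Section 2.3 and is not repeated here.

```python
"""Exponent-space model of the tag, proof and verification steps of
Sections 3.2-3.4.

G3, G4 and GT are taken as groups of prime order p, and an element h^a is
stored as its exponent a: a group product becomes addition mod p, a power
becomes multiplication mod p, and the pairing e(h^a, h^b) = e(h, h)^{ab}
becomes ab mod p.  The generators u and g are the exponent 1.  The equations
are those of the paper, but the model has no security, since every discrete
logarithm is in the clear.  The file name, ciphertext and PRF (HMAC-SHA256)
are assumptions of this example; the encryption E_K is not modelled and the
input bytes are treated as the already encrypted file E_K(F)."""
import hashlib
import hmac
import secrets

p = 2**127 - 1      # toy prime group order, an assumption
u = 1               # generator of G3 (exponent-space representation)
g = 1               # generator of G4

# Constructed sample input standing in for E_K(F); not a real ciphertext.
SAMPLE_CIPHERTEXT = (b"constructed stand-in for E_K(F): not a real ciphertext, "
                     b"just bytes to split into blocks b_1 .. b_m")


def g_mul(a, b):
    """Group product a * b."""
    return (a + b) % p


def g_pow(a, k):
    """Group power a^k."""
    return (a * k) % p


def pair(a, b):
    """Toy pairing e(a, b), in exponent space of GT."""
    return (a * b) % p


def hash_to_g3(Fm):
    """H(Fm): hash of the file identifier into G3."""
    return int.from_bytes(hashlib.sha256(Fm.encode()).digest(), "big") % p


def prf(k, l):
    """f_k(l): PRF into Z_p, realised here with HMAC-SHA256."""
    mac = hmac.new(k, str(l).encode(), "sha256").digest()
    return int.from_bytes(mac, "big") % p


def split_blocks(ciphertext, size=8):
    """E_K(F) as the ordered collection of blocks b_i in Z_p."""
    return [int.from_bytes(ciphertext[i:i + size], "big")
            for i in range(0, len(ciphertext), size)]


# --- data storing (Section 3.2): the TTP tags each block ----------------
def ttp_keygen():
    x = secrets.randbelow(p - 1) + 1
    return x, g_pow(g, x)                       # (x, y = g^x)


def ttp_tags(x, Fm, blocks):
    """sigma_i = (H(Fm) * u^{b_i})^x in G3, one tag per block."""
    hF = hash_to_g3(Fm)
    return [g_pow(g_mul(hF, g_pow(u, b)), x) for b in blocks]


# --- data integrity verification (Section 3.4) --------------------------
def challenge_coeffs(k, m):
    """{a_l} = f_k(l) for 1 <= l <= m, derived by verifier and CSP alike."""
    return [prf(k, l) for l in range(1, m + 1)]


def csp_prove(k, blocks, tags):
    """CSP: sigma = prod sigma_i^{a_i} in G3, mu = sum a_i b_i in Z_p."""
    a = challenge_coeffs(k, len(blocks))
    sigma = 0                                   # identity element of G3
    for ai, ti in zip(a, tags):
        sigma = g_mul(sigma, g_pow(ti, ai))
    mu = sum(ai * bi for ai, bi in zip(a, blocks)) % p
    return sigma, mu


def member_verify(y, Fm, k, m, sigma, mu):
    """Group member: e(sigma, g) == e(H(Fm)^R * u^mu, y), R = sum a_i."""
    a = challenge_coeffs(k, m)
    R = sum(a) % p
    lhs = pair(sigma, g)
    rhs = pair(g_mul(g_pow(hash_to_g3(Fm), R), g_pow(u, mu)), y)
    return lhs == rhs


def run_audit(ciphertext, corrupt_block=None, claimed_Fm=None):
    """Store the file via the TTP, then audit the CSP once.
    corrupt_block flips one bit of a stored block; claimed_Fm lets the
    verifier challenge under a different identifier (Theorem 5 setting).
    Returns True iff the CSP's evidence E = {sigma, mu} verifies."""
    Fm = "contract.pdf||" + str(u)              # Fm = Filename || u
    blocks = split_blocks(ciphertext)
    x, y = ttp_keygen()
    tags = ttp_tags(x, Fm, blocks)              # {sigma_i}, handed to the CSP
    stored = list(blocks)
    if corrupt_block is not None:
        stored[corrupt_block] ^= 1              # CSP lost or altered a block
    k = secrets.token_bytes(16)                 # fresh challenge key
    sigma, mu = csp_prove(k, stored, tags)
    return member_verify(y, claimed_Fm or Fm, k, len(blocks), sigma, mu)
```

A fresh $k$ per audit means the CSP cannot precompute $\sigma$ and $\mu$; the corrupted-block and wrong-identifier runs both fail because the tags fix $H(F_m)$ and every $b_i$ under the TTP's $x$, which is the Theorem 5 argument in executable form.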
4 SECURITY ANALYSIS
This section presents the security analysis of the proposed protocol based on the difficulty of the elliptic curve discrete logarithm (ECDL) problem, the bilinear computational Diffie-Hellman (BCDH) problem, and the one-way hash (OWH) function.
4.1 Definitions
1. ECDL problem: Given $P, Q \in G_1$, identifying an integer $n \in \mathbb{Z}_q$ such that $P = nQ$ is difficult.
2. BCDH problem: Given $P, aP, bP, cP \in G_1$, it is difficult to compute $e(P, P)^{abc}$ without the knowledge of $a$, $b$, or $c$, where $a, b, c \in \mathbb{Z}_q^*$.
3. OWH function: Given $h(x)$, $x$ cannot be derived from $h(x)$, and two different values $x$ and $x'$ such that $h(x) = h(x')$ cannot be identified.

4.2 Security Analysis
Theorem 1: An attacker cannot obtain the group key by eavesdropping on messages transmitted among all group members and the group initiator $U_n$.
Proof: Assume an attacker $\mathcal{A}$ attempts to obtain the group key by eavesdropping on the messages $(A_i, x_i)$, where $1 \le i \le n-1$, and $(U_n, x_1, x_2, \ldots, x_{n-1}, S_n)$ transmitted among all group members $U_i$, where $1 \le i \le n-1$, and the group initiator $U_n$. Under the BCDH and ECDL problems, the attacker $\mathcal{A}$ cannot retrieve $a_i$, where $1 \le i \le n-1$, from the intercepted messages $(A_i, x_i)$ and $(U_n, x_1, x_2, \ldots, x_{n-1}, S_n)$. Without knowledge of $a_i$, where $1 \le i \le n-1$, the attacker $\mathcal{A}$ cannot obtain the group key $K = H(a_n a_1 P, a_n a_2 P, \ldots, a_n a_{n-1} P, S_n)$.
Theorem 2: The attacker cannot act as a legal user to generate a group key with the other users and the group initiator.
Proof: The authenticated GKA protocol developed by Tsai adopts the short signature scheme proposed by Zhang et al. to withstand impersonation attacks. Assume an attacker poses as a legal user $U_1$ to generate a group key $K$ with the other users $U_i$ ($2 \le i \le n-1$) and the group initiator $U_n$. According to the authenticated GKA protocol, the attacker is required to compute the signature $S_1 = \frac{1}{H(A_1) + X_1} P$. Because the GKA protocol adopts the short signature scheme of Zhang et al. and the attacker has no knowledge of the private key $X_1$, the attacker $\mathcal{A}$ cannot compute the signature $S_1 = \frac{1}{H(A_1) + X_1} P$. The attacker cannot mount an impersonation attack without knowledge of the private key $X_i$.
Theorem 3: The proposed protocol provides known-key security.


Proof: In a protocol that provides known-key security, the group key is unique and secret in each session; thus, even when an attacker compromises a previous group key, he or she cannot use it to compromise the other group keys. In the authenticated GKA protocol, the group key $K = H(a_n a_1 P, a_n a_2 P, \ldots, a_n a_{n-1} P, S_n)$ is generated independently in each protocol session. Thus, even if an attacker $\mathcal{A}$ compromises a key from a previous session, the compromised group key $K' = H(a'_n a'_1 P, a'_n a'_2 P, \ldots, a'_n a'_{n-1} P, S'_n)$ cannot be used to compromise the other group keys $K = H(a_n a_1 P, a_n a_2 P, \ldots, a_n a_{n-1} P, S_n)$. For example, assume an attacker $\mathcal{A}$ compromises a group key $K'$ and uses it to attack another group key $K$. The attacker cannot derive $K$ from the known group key, because each group key $K = H(a_n a_1 P, a_n a_2 P, \ldots, a_n a_{n-1} P, S_n)$ is determined by each user's temporary key $a_i$ ($1 \le i \le n-1$) of that session. The transmitted messages $(U_i, A_i, S_i)$, where $1 \le i \le n-1$, and $(U_n, x_1, x_2, \ldots, x_{n-1}, S_n)$ are publicly transmitted to establish the group key $K$. Under the ECDL and BCDH problems, the attacker cannot retrieve $a_i$, where $1 \le i \le n-1$, from the publicly transmitted messages $(U_i, A_i, S_i)$ and $(U_n, x_1, x_2, \ldots, x_{n-1}, S_n)$. Moreover, the attacker cannot retrieve $a_n a_i P$ from the group key $K$, since $H$ is a OWH function. Thus, the proposed protocol provides known-key security.
Theorem 4: The proposed protocol provides forward secrecy.
Proof: In a protocol that provides forward secrecy, even if an attacker compromises all long-term private keys $X_i$, he or she cannot use them to compromise previously established group keys $K = H(a_n a_1 P, a_n a_2 P, \ldots, a_n a_{n-1} P, S_n)$. As stated in the protocol proposed by Tsai, each user holds a random number $a_i$, which is only used once. Assume an attacker $\mathcal{A}$ holds all long-term private keys $X_i$ and attempts to use them to retrieve the previous group key $K$. The attacker may attempt to obtain the random number $a_i$ from $A_i$, because the group key $K$ consists of the random numbers $a_i$ ($1 \le i \le n-1$). However, the long-term private keys $X_i$ ($1 \le i \le n-1$) are only used for authentication and not for computing the group key $K$; therefore, the compromised private keys $X_i$ cannot be used to retrieve each user's random number $a_i$ from $A_i = a_i P$ ($1 \le i \le n-1$). Under the ECDL problem, the attacker cannot retrieve each user's random number $a_i$ from $A_i = a_i P$ directly. For the same reason, the attacker $\mathcal{A}$ cannot retrieve the value of $a_n$ from $(x_1, x_2, \ldots, x_{n-1})$. Under the ECDL and BCDH problems, the attacker cannot retrieve the group initiator's $a_n$ to compromise the previous key $K = H(a_n a_1 P, a_n a_2 P, \ldots, a_n a_{n-1} P, S_n)$ without knowledge of the temporary keys $(a_1, a_2, \ldots, a_n)$. Thus, the protocol proposed by Tsai [17] provides forward secrecy.
Theorem 5: The CSP cannot deceive the verifier by using different files to generate the evidence $E$.
Proof: In the proposed protocol, $F_m$ is a unique file identifier for the file of each owner and is embedded into each block tag. Assume the CSP intends to deceive the verifier by using blocks from different files to generate the evidence $E$. However, $F_m$ is embedded into each block tag and hence into the evidence $E$, so such evidence reveals that the CSP is not storing the file. In addition, each file must be signed by the TTP before the group initiator submits it to the CSP for storage. Thus, the CSP cannot use blocks from different files to pass the auditing procedures. Moreover, the CSP cannot forge the signature without knowledge of the private key $x$ of the TTP.
4.3 Discussion


In the following, two scenarios regarding the proposed protocol are discussed.
In the first scenario, we assume that the group initiator and the TTP cannot be identical, and we want to show that the group initiator cannot override the file stored in the cloud, i.e., cannot replace stored data (or files) by resending a new encrypted file together with the group initiator's signature. According to the proposed protocol, the TTP must sign the file before any data file is outsourced. Thus, the group initiator cannot override the same file in the cloud directly. The group initiator might try to resend the modified file with the same file identifier to the cloud, but the TTP has the unique file identifier $F_m$ for each file. Thus, the TTP detects the override attempt by determining whether $F_m = F'_m$ for the newly submitted identifier $F'_m$. If this equality holds, the TTP detects the group initiator's attempt to override the file stored in the cloud and refuses to generate the signature for the file. Thus, the group initiator cannot override the stored file in the cloud.
In the second scenario, we want to show that the TTP cannot retrieve the original file by using the metadata on the file. Assume the TTP tries to retrieve the original file by using the metadata on the file. In the proposed protocol, all metadata on the file must be encrypted before the group initiator submits them to the TTP. Thus, all metadata on the file are encrypted by the group key. The TTP is responsible for generating the second signature, but the TTP does not participate in determining the group key. Hence, the TTP cannot retrieve the original file without knowledge of the group key.
5 CONCLUSIONS
Recent literature has proposed numerous approaches for determining the integrity of personal data; however, few studies have addressed the data integrity problem for group-shared data in cloud-based storage services. Thus, this study proposes a secure group data access protocol based on the PDP model for cloud environments. This protocol supports a secure data storing procedure, a data querying procedure, and an effective data integrity verification procedure. Since this protocol focuses on group data, the security requirements for group keys must be considered. In our protocol, the authenticated group key agreement protocol proposed by Tsai [17] was adopted to generate a group key. In addition, the short signature scheme developed by Zhang et al. [16] was adopted in our protocol to prevent impersonation attacks. The TTP user is requested to generate the second signature associated with the group data to prevent the group initiator from attempting to override the stored data in the cloud by resending a new file with its signature. Finally, the proposed protocol was evaluated through a security analysis process and shown to be secure based on the ECDL and BCDH problems and the OWH function.

ACKNOWLEDGMENT
The authors gratefully acknowledge the support from the Ministry of Science and Technology, Taiwan, under the grant numbers MOST 103-2221-E-011-091-MY2 and MOST 103-2221-E-011-090-MY2.

REFERENCES
[1] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, "A view of cloud computing," Communications of the ACM, vol. 53, no. 4, pp. 50-58, 2010.
[2] Y. Deswarte, J.-J. Quisquater, and A. Saïdane, "Remote integrity checking," Integrity and Internal Control in Information Systems VI, IFIP International Federation for Information Processing, vol. 140, pp. 1-11, 2004.
[3] M. A. Shah, M. Baker, J. C. Mogul, and R. Swaminathan, "Auditing to keep online storage services honest," HotOS, 2007.
[4] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, "Provable data possession at untrusted stores," in Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, pp. 598-609, 2007.
[5] A. Juels and B. S. Kaliski Jr., "PORs: proofs of retrievability for large files," in Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, pp. 584-597, 2007.
[6] H. Shacham and B. Waters, "Compact proofs of retrievability," Advances in Cryptology, ASIACRYPT 2008, Lecture Notes in Computer Science, vol. 5350, pp. 90-107, 2008.
[7] C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, "Dynamic provable data possession," in Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA, pp. 213-222, 2009.
[8] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, "Enabling public verifiability and data dynamics for storage security in cloud computing," Computer Security, ESORICS 2009, Lecture Notes in Computer Science, vol. 5789, pp. 355-370, 2009.
[9] S. Azhad and S. Rao, "Ensuring data storage security in cloud computing," in Proceedings of the National Conference on Computing Concepts in Current Trends, India, pp. 310-313, 2011.
[10] B. Chen, R. Curtmola, G. Ateniese, and R. Burns, "Remote data checking for network coding-based distributed storage systems," in Proceedings of the 2010 ACM Workshop on Cloud Computing Security, Chicago, IL, USA, pp. 31-42, 2010.
[11] Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu, and S. S. Yau, "Dynamic audit services for integrity verification of outsourced storages in clouds," in Proceedings of the 2011 ACM Symposium on Applied Computing, Taiwan, pp. 1550-1557, 2011.
[12] N. Cao, S. Yu, Z. Yang, W. Lou, and Y. T. Hou, "LT codes-based secure and reliable cloud storage service," in Proceedings of IEEE INFOCOM 2012, Orlando, FL, USA, pp. 693-701, 2012.
[13] K. Ren, C. Wang, and Q. Wang, "Security challenges for the public cloud," IEEE Internet Computing, vol. 16, no. 1, pp. 69-73, 2012.
[14] D. Song, E. Shi, I. Fischer, and U. Shankar, "Cloud data protection for the masses," IEEE Computer, vol. 45, no. 1, pp. 39-45, 2012.
[15] M. A. Shah, R. Swaminathan, and M. Baker, "Privacy-preserving audit and extraction of digital contents," IACR Cryptology ePrint Archive, Report 2008/186, 2008.
[16] F. Zhang, R. Safavi-Naini, and W. Susilo, "An efficient signature scheme from bilinear pairings and its applications," Public Key Cryptography, PKC 2004, Lecture Notes in Computer Science, vol. 2947, pp. 277-290, 2004.
[17] J.-L. Tsai, "A novel authenticated group key agreement protocol for mobile environment," Annals of Telecommunications, vol. 66, no. 11-12, pp. 663-669, 2011.