Abstract— Cloud storage provides tremendous storage resources for both individual and enterprise users. In a cloud storage system, the data owned by a user are no longer possessed locally. Hence, traditional data integrity checking methods are not sufficient to ensure the integrity of the outsourced data. A privacy-preserving public auditing protocol allows a third party auditor to check the integrity of the outsourced data on behalf of the users without violating the privacy of the data. However, existing privacy-preserving public auditing protocols assume that the end devices of users are powerful enough to compute all costly operations in real time when the data to be outsourced are given. In fact, the end devices may also be those with low computation capabilities. In this paper, we propose two lightweight privacy-preserving public auditing protocols. Our protocols are based on online/offline signatures, by which an end device only needs to perform lightweight computations when a file to be outsourced is available. Besides, our proposals support batch auditing and data dynamics. Experiments show that our protocols are hundreds of times more efficient than a recent proposal regarding the computational overhead on the user side.

Index Terms— Cloud storage, privacy-preserving, public auditing, online/offline signature.

I. INTRODUCTION

recent years. Compared with personal local storage, cloud storage has massive advantages. In particular, cloud storage releases users from the burden of local massive data processing.

In bringing these massive benefits, cloud storage also puts the data at a new risk: the integrity of the data is hard to guarantee. Indeed, cloud service providers (CSPs) usually claim to provide much more reliable infrastructures than personal storage devices, whereas outages and security breaches of cloud services occur frequently [18], [25]. Hence, the risk of data loss still exists in cloud storage. On the other side, a CSP may delete (or modify) users' data for its own profit (e.g., delete rarely accessed data to save monetary cost). Since users no longer possess their data physically after they have uploaded them to the cloud, the integrity of the data is a major concern of users [10]. Generally, it is a critical issue for users to check the integrity of their outsourced data with reasonable computation and communication cost in the cloud environment.

A. Related Work

Traditional data integrity checking methods are no longer suitable for the cloud storage environment, since it is impractical
masking technique. In their proposed protocol, a third party auditor (TPA) is employed to perform the public auditing tasks on behalf of the users. As a result, a user gets rid of the heavy burden of data integrity checking. Furthermore, the TPA cannot extract the original data of a user during the auditing process. Besides, their protocol also supports batch auditing, which allows multiple auditing tasks to be handled simultaneously and efficiently. The security of the protocol in [27] is revisited in [29] and [30]. The original protocol in [27] was shown to be vulnerable to attacks from a malicious CSP and an outside attacker. The root cause of the insecurity of this scheme is the inappropriate definition and use of private/public parameters during signature generation. In [29], Worku et al. proposed a scheme which is more efficient than the protocol in [27]. However, it was shown in [15] that even after deleting all files of a data owner, a malicious CSP is still able to generate a response to a challenge without being caught by the TPA. We note that a privacy enhanced protocol was introduced in [9], in which an adversary cannot even distinguish which file was checked. Nevertheless, the computational overheads of all the entities in the system are greatly increased.

In the real world, users may not only access but also update (e.g., modify, insert or delete) their data. Hence, public auditing protocols should also support data dynamics. Usually, we expect that a user only needs to perform several lightweight operations when he wants to update his outsourced data. To address this issue, several protocols [4], [8], [26] have been proposed. However, in these protocols, the insertion operations are not well supported.¹ Later, Wang et al. [28] utilized the Merkle Hash Tree (see Section II-D) to enable full data dynamics. That is, users can perform all update operations (i.e., modification, deletion and insertion) with several lightweight operations. On the other side, this protocol does not consider the privacy of users' data against external auditors. In [25], based on the protocol in [27], Wang et al. proposed an improved privacy-preserving public auditing protocol which supports full data dynamics and batch auditing. Besides, the protocol is proven in a stronger security paradigm defined in [23]. In [13], a privacy-preserving public auditing protocol is also proposed, although batch auditing is not discussed in that protocol. We note that a file may sometimes be shared and modified by more than one user in a cloud storage system. In [33], a public auditing protocol supporting multiuser modification and user revocation is proposed. But given the fact that a file is owned by a single user in most cases, we only consider the single user case in this paper.

¹ We note that the data append operation [2], i.e., adding a block after the last block of a file, is a special case of the data insert operation. To append a new data block, a user just needs to insert the block after the last block of the original data. Hence, we do not discuss this operation independently.

B. Our Work

Existing privacy-preserving public auditing protocols assume the users' end devices are powerful enough to carry out all costly computations efficiently when a file is to be outsourced. However, in the real world, the users' end devices may be those with low computation capabilities (e.g., PDAs and mobile phones). Observing this fact, we propose two privacy-preserving public auditing protocols for low performance end devices: the basic one and the improved one.

The basic protocol assumes users only upload short data (e.g., telephone numbers) to the cloud. In the basic protocol, the TPA is employed to perform the auditing task to check the data integrity on behalf of users. Privacy is preserved in the proposed protocol, so users' data will not be revealed to the TPA during the auditing procedure. Besides, our protocol also supports full data dynamics and fast auditing (see Section II-B). In particular, the proposed protocol is low performance end device friendly. This is achieved by using our online/offline signatures (see Section II-C). Unlike other existing privacy-preserving public auditing protocols, our protocol allows all costly computations to be carried out in the offline phase, before the outsourced file is available. A user only needs to perform lightweight computations to construct the final data to be outsourced in the online phase, i.e., when the outsourced file is given.

In the basic protocol, the TPA needs to store the partial signatures corresponding to the data blocks of the whole data. If the data to be outsourced are huge, this is a challenge for the TPA's storage capacity. Hence, the basic protocol is only practical for situations where users only upload short data. Our improved protocol removes this restriction and achieves all the requirements which are achieved in the basic protocol, i.e., public auditability, privacy preservation, full data dynamics, fast auditing and low performance end device friendliness. This is achieved by using the Merkle Hash Tree authentication structure, which is utilized to guarantee the correctness of the partial signatures in the improved protocol. In this way, the storage space of the TPA is greatly saved. Experiment results show that both of our protocols are about 300 times more efficient than the protocols in [25] on the user side. Therefore, our protocols are more practical for users with low performance end devices.

C. Organization

The rest of the paper is organized as follows. Section II is the background. We propose our basic protocol and the improved protocol in Section III. Section IV analyzes the security of the proposed protocols. Section V evaluates the performance of our protocols. We conclude the paper in Section VI.

II. BACKGROUND

A. System Architecture

As shown in Fig. 1, the system architecture of our proposals consists of the following entities:
• Trusted Authority (TA): TA is a fully trusted authority. It generates the system global parameters and issues certificates for entities in the system.
• Cloud Service Provider (CSP): CSP provides data storage service. It has abundant storage and computation resources.
• Users: Users have their files to be uploaded to the CSP. In a cloud storage system, users' end devices may be devices with low computation capacities, e.g., PDAs and mobile phones.
2574 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 11, NO. 11, NOVEMBER 2016
task to check the data integrity on behalf of users.

and lightweight defined in [25].
LI et al.: PRIVACY-PRESERVING PUBLIC AUDITING PROTOCOL 2575
TABLE I. NOTATIONS IN OUR PROPOSALS
• OnTagGen: Given a file $F_l$ with filename $name_l$, similar to [25], we split $F_l$ into $n_l$ blocks $\{m_j\}_{j\in\{1,\dots,n_l\}}$, where $m_j\in\mathbb{Z}_p$. The user $U_l$ retrieves $n_l$ unused tuples from $\{w_{i,l}, r_{i,l}, T^{off}_{i,l}\}_{i\in\{1,\dots,B_l\}}$ in his local storage. Assume those tuples are $\{w_{j,l}, r_{j,l}, T^{off}_{j,l}\}_{j\in\{1,\dots,n_l\}}$. $U_l$ computes the online tags
$$T^{on}_{j,l} = (w_{j,l} - m_j)\,y_l + r_{j,l}, \qquad j\in\{1,\dots,n_l\}.$$
The final tag of the file is $T_l = \{T^{off}_{j,l}, T^{on}_{j,l}\}_{j\in\{1,\dots,n_l\}}$. Finally, the user sends $(F_l, T_l)$ to the CSP and $t = t_0\,\|\,Sig_{ssk_l}(t_0)$ to the TPA, where $t_0 = name_l\,\|\,n_l\,\|\,T^{on}_{1,l}\,\|\cdots\|\,T^{on}_{n_l,l}$ and $Sig_{ssk_l}(t_0)$ is the signature on $t_0$ under $spk_l$. On receiving $t$, the TPA checks whether $Sig_{ssk_l}(t_0)$ is a valid signature on $t_0$ under $spk_l$ using the $Ver_{spk_l}$ algorithm. On receiving the file and tags, the CSP checks
$$e\big(q_l^{m_j}\, g^{T^{on}_{j,l}},\ d_l\big) \stackrel{?}{=} e\big(T^{off}_{j,l},\ h\big)$$
for all $j\in\{1,\dots,n_l\}$ to verify whether $T_l$ is a valid online/offline signature on $F_l$.

• Audit: In this phase, the TPA launches the auditing task. Assume the filename that the TPA wants to challenge is $name_l$ and the corresponding online tags are $\{T^{on}_{j,l}\}_{j\in\{1,\dots,n_l\}}$. As shown in [25], the TPA only needs to check $c$ file blocks of the whole file, and the detection probability is $P = 1-(1-\kappa)^c$, where $\kappa$ is the fraction of data corrupted. When $\kappa = 1\%$, $P$ is over 95% if $c = 300$, and over 99% if $c = 460$. The concrete procedure is as follows:
1) Let the indices of the chosen blocks be $J = \{s_1,\dots,s_c\}$. The TPA chooses $V = \{v_{s_1},\dots,v_{s_c}\}$, where $v_{s_i}\in\mathbb{Z}_p$, $s_i\in J$. The TPA sends the challenge message $chal = (name_l, \{(j, v_j)\}_{j\in J})$ to the CSP.
2) On receiving $chal$, the CSP calculates $\mu' = \sum_{j\in J} v_j m_j$ and $\sigma = \prod_{j\in J}(T^{off}_{j,l})^{v_j}$. Similarly to [25], we have to blind $\mu'$; otherwise, the TPA may learn $m_j$. To do this, the CSP chooses a blind factor $u\in\mathbb{Z}_p$, computes $U = e(q_l, d_l)^u$ and $\mu = u + H_2(U)\,\mu'$. Finally, $\{\mu, \sigma, U\}$ is sent to the TPA.
3) When the TPA receives $\{\mu, \sigma, U\}$, it computes $\gamma = H_2(U)$, $\Delta = \gamma\cdot\sum_{j\in J} v_j T^{on}_{j,l}$ and verifies:
$$U\cdot e(\sigma^{\gamma}, h) \stackrel{?}{=} e\big(g^{\Delta}\cdot q_l^{\mu},\ d_l\big).$$
If the equation holds, the TPA outputs 1, which implies the data remain intact; otherwise, it outputs 0, which means that the data have been modified. Notice that the chameleon hash satisfies $q_l^{w_{j,l}} g^{r_{j,l}} = q_l^{m_j} g^{T^{on}_{j,l}}$. The correctness of the equation is shown below:
$$\begin{aligned}
U\cdot e(\sigma^{\gamma}, h)
&= e(q_l, d_l)^u\cdot e\Big(\big(\textstyle\prod_{j\in J}(T^{off}_{j,l})^{v_j}\big)^{\gamma},\ h\Big)\\
&= e(q_l^u, d_l)\cdot e\Big(\big(q_l^{\sum_{j\in J} v_j w_{j,l}}\ g^{\sum_{j\in J} v_j r_{j,l}}\big)^{\gamma},\ h^{x_l}\Big)\\
&= e(q_l^u, d_l)\cdot e\Big(\big(q_l^{\sum_{j\in J} v_j m_j}\ g^{\sum_{j\in J} v_j T^{on}_{j,l}}\big)^{\gamma},\ h^{x_l}\Big)\\
&= e(q_l^u, d_l)\cdot e\big(q_l^{\gamma\mu'}\ g^{\gamma\sum_{j\in J} v_j T^{on}_{j,l}},\ h^{x_l}\big)\\
&= e\big(g^{\Delta}\cdot q_l^{\mu},\ d_l\big).
\end{aligned}$$

• Batch Audit: The above Audit algorithm only allows the TPA to perform the auditing tasks from different users independently. However, since the TPA will receive a huge number of requests from different users, it is inefficient for the TPA to perform the auditing tasks independently. Here, we propose a batch auditing technique, i.e., the TPA may perform the auditing tasks simultaneously. Assume that there exist $K$ auditing tasks requested by $K$ users $\{U_l\}_{l\in\{1,\dots,K\}}$ on $K$ data files. For simplicity, we assume that all the $K$ files have the same number $n$ of blocks. Let the private-public key pair of $U_l$ be $((x_l, y_l, ssk_l), (q_l, d_l, spk_l))$, where $x_l, y_l\in\mathbb{Z}_p$, $q_l = g^{y_l}$ and $d_l = h^{x_l}$, and $(ssk_l, spk_l)$ is a private-public key pair corresponding to $Sig_{private\ key}()/Ver_{public\ key}()$. Assume $U_l$'s file is $F_l$ and the corresponding filename is $name_l$; the offline tags corresponding to file $F_l$ are $T^{off}_{j,l} = q_l^{W_{j,l}} g^{R_{j,l}}$, where $\{W_{j,l} = w_{j,l}x_l,\ R_{j,l} = r_{j,l}x_l\}_{j\in\{1,\dots,n\}}$ and $\{w_{j,l}, r_{j,l}\}_{j\in\{1,\dots,n\}}\in\mathbb{Z}_p$; the online tags corresponding to file $F_l$ are $T^{on}_{j,l} = (w_{j,l} - m_{j,l})\,y_l + r_{j,l}$. The batch auditing technique works as follows:
1) The TPA chooses the indices of the challenged blocks $J = \{s_1,\dots,s_c\}$ and random values $V = \{v_{s_1},\dots,v_{s_c}\}$, where $v_{s_i}\in\mathbb{Z}_p$. Then the TPA sends the challenge message $chal = (\{name_l\}_{l\in\{1,\dots,K\}}, J, V)$ to the CSP for the $K$ users.
2) On receiving $chal$ from the TPA, for $l\in\{1,\dots,K\}$, the CSP calculates $\mu'_l = \sum_{j\in J} v_j m_{j,l}$ and $\sigma_l = \prod_{j\in J}(T^{off}_{j,l})^{v_j}$. To blind $\mu'_l$, the CSP chooses a blind factor $u_l\in\mathbb{Z}_p$, sets $U_l = e(q_l, d_l)^{u_l}$ and $U = \prod_{l=1}^{K} U_l$. Further, the CSP computes $\mu_l = u_l + H_2(U\,\|\,d_l\,\|\,V)\,\mu'_l$ and sends $\{\{\mu_l, \sigma_l\}_{l\in\{1,\dots,K\}}, U\}$ to the TPA.
3) When the TPA receives $\{\{\mu_l, \sigma_l\}_{l\in\{1,\dots,K\}}, U\}$, it computes $\gamma_l = H_2(U\,\|\,d_l\,\|\,V)$, $\Delta_l = \gamma_l\cdot\sum_{j\in J} v_j T^{on}_{j,l}$ and verifies:
$$U\cdot e\Big(\prod_{l=1}^{K}\sigma_l^{\gamma_l},\ h\Big) \stackrel{?}{=} \prod_{l=1}^{K} e\big(g^{\Delta_l}\cdot q_l^{\mu_l},\ d_l\big).$$
If the above equation holds, the TPA outputs 1, which implies the data remain intact; otherwise, it outputs 0, which means that at least one of the $K$ users' data is not kept intact.

• Modification: Assume the file block $m_{j,l}$ is modified to $m'_{j,l}$. The concrete procedure is as follows:
1) $U_l$ chooses an unused offline tag $T^{off}_{j,l}$ from his local storage and generates the corresponding online tag $T^{on}_{j,l}$ on $m'_{j,l}$ in the same way as in OnTagGen. $U_l$ sends the request $(\omega,\ m'_{j,l},\ T^{off}_{j,l},\ Sig_{ssk_l}(\omega))$ with $\omega = (M, name_l, \tau, j, T^{on}_{j,l})$ to the CSP, where $M$ denotes modification and $\tau$ is a timestamp.
2) When the CSP receives the request, it verifies whether $Sig_{ssk_l}(\omega)$ is a valid signature on $\omega$ and whether $(T^{off}_{j,l}, T^{on}_{j,l})$ is a valid online/offline signature on $m'_{j,l}$. If they are valid, the CSP retrieves
TABLE II. DATA MODIFICATION

TABLE III. DATA INSERTION
it sends FALSE to the CSP. Moreover, $U_l$ also sends $\sigma_{root'_l}$ and $root'_l$ to the TPA.
4) On receiving $\sigma_{root'_l}$ and $root'_l$, the TPA checks whether $\sigma_{root'_l}$ is a valid signature on $root'_l$; if so, it replaces $root_l$ with $root'_l$; otherwise, it outputs FALSE.
5) If the CSP receives FALSE, it revokes the insertion, i.e., it deletes $m^{\#}$.

Deletion: For the file block $m_{j,l}$ to be deleted, the user sends $(D, j)$ to the CSP, where $D$ denotes deletion. The CSP will delete $m_{j,l}$ and the corresponding leaf node in the MHT. The CSP also needs to generate the new MHT root $root'$. The procedure is similar to that of data modification and data insertion, thus we omit it here.

IV. SECURITY ANALYSIS

As a public auditing protocol supports full data dynamics, it is required that the data modification, deletion and insertion algorithms are secure, i.e., an attacker cannot change a user's data without the permission of the user. We have the following theorem.

Theorem 1: The algorithms for data modification, deletion and insertion in our protocols are secure.

Proof: In those algorithms, a secure signature scheme and/or MHT are chosen. A secure signature scheme states that no entity can forge a valid signature of a user without the knowledge of the user's private key [35], [37]. A secure MHT implies that an attacker cannot find two MHTs $T$ and $T'$ with $T\neq T'$ such that their root nodes have the same value.

It is easy to prove that the data modification, deletion and insertion algorithms in our basic protocol are secure, since they are essentially the OnTagGen of our basic protocol. In our improved protocol, when a data modification, deletion or insertion operation is performed, the values of some nodes, including the root node $root$, of the MHT $T$ will be updated to new values. The value of the updated root node has to be signed by the user. It is easy to see that, if an attacker wants to break our scheme (i.e., change a user's data without the permission of the user), he must find another MHT $T'$ with root node $root'$ such that $root' = root$, or forge the user's signature on $root'$. Since our MHT and underlying signature scheme are secure, the probability for the attacker to find such an MHT or generate a forgery is negligible. Therefore, our modification, deletion and insertion algorithms in the improved protocol are secure.

As discussed in Section II-B, we need to prove that our protocols satisfy the storage correctness and the privacy-preserving properties. The first property requires that the CSP cannot pass the Audit phase if the data stored in the CSP have been modified. The second property guarantees that the TPA cannot extract the original data of a user during the entire auditing process. We note that Audit and Batch Audit in both of our protocols are essentially the same. The main difference is that the online tags are not stored by the TPA in the improved protocol. The following theorems show that both of our protocols achieve storage correctness and privacy preservation.

Theorem 2: Our protocols satisfy the storage correctness property, i.e., the CSP cannot pass the Audit procedure if the data stored are not intact.

Proof: In the following, we show that if an attacker can break the storage correctness property, then there exists an extractor who can generate a $\mu'$ such that $\{\sigma, \mu'\}$ is a valid response of the proof of storage system [23] in the random oracle model, which is proven to be hard.

We treat the CSP as an adversary. It will make hash queries to the extractor, who controls the random oracle $H_2$. When the extractor returns the challenge $\gamma = H_2(U)$, the CSP outputs $\{\mu, \sigma, U\}$ which satisfies:
$$U\cdot e(\sigma^{\gamma}, h) = e\big(g^{\Delta}\cdot q^{\mu},\ d\big). \qquad (1)$$
Following the technique in [25], the extractor rewinds the attacker and returns a different oracle value $\gamma^* = H_2(U)$ with $\gamma^*\neq\gamma$, upon which the attacker outputs another response $\{\mu^*, \sigma, U\}$. We note that $\{\mu^*, \sigma, U\}$ satisfies:
$$U\cdot e(\sigma^{\gamma^*}, h) = e\big(g^{\Delta^*}\cdot q^{\mu^*},\ d\big), \qquad (2)$$
where $\Delta = \gamma\sum_{j\in J} v_j T^{on}_j$ and $\Delta^* = \gamma^*\sum_{j\in J} v_j T^{on}_j$. Dividing equation (1) by (2), we have
$$\begin{aligned}
e(\sigma^{\gamma-\gamma^*}, h) &= e\big(g^{\Delta-\Delta^*}\cdot q^{\mu-\mu^*},\ d\big)\\
e(\sigma^{\gamma-\gamma^*}, h) &= e\big(g^{(\gamma-\gamma^*)\sum_{j\in J} v_j T^{on}_j},\ h^{x}\big)\cdot e\big(q^{\mu-\mu^*},\ h^{x}\big)\\
\sigma^{\gamma-\gamma^*} &= g^{x\cdot(\gamma-\gamma^*)\sum_{j\in J} v_j T^{on}_j}\cdot q^{x\cdot(\mu-\mu^*)}\\
\Big(\prod_{j=s_1}^{s_c}(T^{off}_j)^{v_j}\Big)^{\gamma-\gamma^*} &= g^{x\cdot(\gamma-\gamma^*)\sum_{j\in J} v_j T^{on}_j}\cdot q^{x\cdot(\mu-\mu^*)}\\
q^{x\cdot(\mu-\mu^*)} &= \Big(\prod_{j\in J}\big(T^{off}_j / g^{x\cdot T^{on}_j}\big)^{v_j}\Big)^{\gamma-\gamma^*}.
\end{aligned}$$
Notice that:
$$T^{off}_j / g^{x\cdot T^{on}_j} = q^{w_j x}\, g^{r_j x} / g^{x\cdot((w_j - m_j)y + r_j)} = q^{w_j x}\, g^{xym_j - xyw_j} = q^{x m_j}.$$
We have
$$\begin{aligned}
q^{x\cdot(\mu-\mu^*)} &= \Big(\prod_{j\in J}(q^{x m_j})^{v_j}\Big)^{\gamma-\gamma^*}\\
\mu-\mu^* &= \Big(\sum_{j\in J} v_j m_j\Big)(\gamma-\gamma^*)\\
\mu' &= (\mu-\mu^*)/(\gamma-\gamma^*).
\end{aligned}$$
The extractor gets the valid response $\{\sigma, \mu' = (\mu-\mu^*)/(\gamma-\gamma^*)\}$. ∎

Theorem 3: Our protocols satisfy the privacy-preserving property, i.e., the TPA cannot extract the original data of a user during the Audit phase.

Proof: Essentially, we have to prove that the TPA cannot learn any information about $\mu'$ from the CSP's response $\{\mu, \sigma, U\}$. Similar to [27], we prove this theorem in three steps. Firstly, we prove that $\mu$ will not reveal any information about $\mu'$. This is because $\mu'$ is blinded by $u$, and $u$ is kept secret by the CSP; it is an unknown value to the TPA. Even with $U = e(q, d)^u$, the value $u$ is still hidden due to the discrete-log assumption. Secondly, we show that $\mu'$ cannot be learnt from $\sigma$. This is obvious, since $\sigma = \prod_{j\in J}(T^{off}_j)^{v_j}$ and the offline tag $T^{off}_j$ is independent of the data file. Finally, we need to prove that $\mu'$ cannot be learnt from $\{\mu, \sigma, U\}$ jointly. In fact, $U = e(q, d)^u$ and $\mu = u + H_2(U)\,\mu'$ have the same structure as a Schnorr signature. We can view $u$ as the random element and $\mu'$ as the secret key. The Audit phase in our protocol can then be regarded as an honest verifier zero-knowledge identification protocol. Under [20, Th. 10], the secret $\mu'$ will not be revealed to the TPA. Therefore, Theorem 3 is proven. ∎

Theorem 4: Our protocols satisfy the same storage correctness and privacy-preserving properties in the batch audit phase.

Since the storage correctness and privacy-preserving properties in the multi-user situation for batch audit can be reduced to the single-user case [25], we omit the proof here.

TABLE IV. NOTATIONS IN EVALUATIONS

TABLE V. COMPARISON OF COMPUTING COST

TABLE VI. RUNNING TIME COMPARISON

Fig. 3. Comparison of computational overhead for a user to generate the final tag after a file is given.
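The following Python is an added example, not code from the paper, that carries the OnTagGen and Audit equations of Section III and the extractor of Theorem 2 through in working arithmetic. Everything about its setting is an assumption: a toy order-1009 subgroup of $\mathbb{Z}_{10091}^*$ stands in for the type D pairing groups, the bilinear map $e$ is simulated with a brute-force discrete-log table, $H_2$ is SHA-256 reduced into $\mathbb{Z}_p^*$, and the eight-block file is constructed; none of it is secure. It shows that the CSP's upload check and the TPA's audit equation hold for honest tags, that the online phase really is one multiplication and two additions in $\mathbb{Z}_p$, that a single altered block fails the audit, and that rewinding the CSP with a second oracle answer $\gamma^*$ recovers $\mu' = \sum_{j\in J} v_j m_j$ as in the proof of Theorem 2.

```python
"""Toy model of OnTagGen, Audit and the Theorem 2 extractor (added example).

ASSUMPTIONS not in the paper: G is the order-p subgroup of Z_P^* with the
insecure toy sizes P = 10091, p = 1009; the bilinear map e is simulated by a
brute-force discrete-log table (e(g^a, g^b) = g^(ab)); H_2 is SHA-256
reduced into Z_p^*. Only the algebra of the scheme is exercised here.
"""
import hashlib
import random

P = 10091                                    # toy prime, P = 10 * p + 1
p = 1009                                     # prime order of the subgroup G
g = pow(2, (P - 1) // p, P)                  # generator of G (2^10 = 1024 != 1)
_DLOG = {pow(g, i, P): i for i in range(p)}  # toy discrete logs used by e()

def e(a, b):
    """Toy bilinear map G x G -> G_T (here G_T = G): e(g^a, g^b) = g^(a*b)."""
    return pow(g, _DLOG[a] * _DLOG[b] % p, P)

def H2(U):
    """Random oracle H_2 into Z_p^* (never 0, so gamma - gamma* is invertible)."""
    digest = hashlib.sha256(str(U).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (p - 1)

def keygen(rng):
    """User keys: private (x, y), public (q = g^y, d = h^x); h is a 2nd generator."""
    h = pow(g, rng.randrange(1, p), P)
    x, y = rng.randrange(1, p), rng.randrange(1, p)
    return {"x": x, "y": y}, {"q": pow(g, y, P), "d": pow(h, x, P), "h": h}

def off_tag_gen(sk, pk, count, rng):
    """OffTagGen, run before the file exists: T_off = q^(w x) * g^(r x)."""
    x, q = sk["x"], pk["q"]
    tags = []
    for _ in range(count):
        w, r = rng.randrange(p), rng.randrange(p)
        tags.append((w, r, pow(q, w * x % p, P) * pow(g, r * x % p, P) % P))
    return tags

def on_tag_gen(sk, blocks, off_tags):
    """OnTagGen: T_on = (w - m) * y + r mod p, one Mul_Z and two Add per block."""
    return [((w - m) * sk["y"] + r) % p for m, (w, r, _) in zip(blocks, off_tags)]

def csp_check_tags(pk, blocks, off_tags, on_tags):
    """CSP upload check: e(q^m * g^T_on, d) == e(T_off, h) for every block."""
    return all(e(pow(pk["q"], m, P) * pow(g, t_on, P) % P, pk["d"]) == e(t_off, pk["h"])
               for m, (_, _, t_off), t_on in zip(blocks, off_tags, on_tags))

def csp_respond(pk, blocks, off_tags, chal, u, hash_fn=H2):
    """CSP response (mu, sigma, U) to chal = [(j, v_j)] with blind factor u:
    mu' = sum v_j m_j, sigma = prod T_off_j^v_j, U = e(q, d)^u, mu = u + H_2(U) mu'."""
    mu_prime = sum(v * blocks[j] for j, v in chal) % p
    sigma = 1
    for j, v in chal:
        sigma = sigma * pow(off_tags[j][2], v, P) % P
    U = pow(e(pk["q"], pk["d"]), u, P)
    return (u + hash_fn(U) * mu_prime) % p, sigma, U

def tpa_verify(pk, on_tags, chal, resp):
    """TPA: gamma = H_2(U), Delta = gamma * sum v_j T_on_j,
    accept iff U * e(sigma^gamma, h) == e(g^Delta * q^mu, d)."""
    mu, sigma, U = resp
    gamma = H2(U)
    delta = gamma * sum(v * on_tags[j] for j, v in chal) % p
    lhs = U * e(pow(sigma, gamma, P), pk["h"]) % P
    rhs = e(pow(g, delta, P) * pow(pk["q"], mu, P) % P, pk["d"])
    return lhs == rhs

def extract_mu_prime(mu1, gamma1, mu2, gamma2):
    """Theorem 2 extractor: two responses sharing (u, sigma, U) under oracle
    answers gamma != gamma* give mu' = (mu - mu*) / (gamma - gamma*) mod p."""
    return (mu1 - mu2) * pow((gamma1 - gamma2) % p, -1, p) % p

def detection_probability(kappa, c):
    """P = 1 - (1 - kappa)^c: c challenged blocks, fraction kappa corrupted."""
    return 1 - (1 - kappa) ** c

def demo(seed=7):
    """Honest audit, audit over one altered block, and the rewinding extractor."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    blocks = [rng.randrange(p) for _ in range(8)]          # constructed file F
    off_tags = off_tag_gen(sk, pk, len(blocks), rng)
    on_tags = on_tag_gen(sk, blocks, off_tags)
    chal = [(j, rng.randrange(1, p)) for j in (1, 4, 6)]    # challenged (j, v_j)
    u = rng.randrange(1, p)
    honest = csp_respond(pk, blocks, off_tags, chal, u)
    altered = list(blocks)
    altered[4] = (altered[4] + 1) % p                        # CSP tampers block 4
    cheat = csp_respond(pk, altered, off_tags, chal, u)
    gamma1 = H2(honest[2])
    gamma2 = 1 if gamma1 != 1 else 2                         # reprogrammed H_2(U)
    forked = csp_respond(pk, blocks, off_tags, chal, u, hash_fn=lambda _U: gamma2)
    return {
        "tags_valid": csp_check_tags(pk, blocks, off_tags, on_tags),
        "honest_audit": tpa_verify(pk, on_tags, chal, honest),
        "altered_audit": tpa_verify(pk, on_tags, chal, cheat),
        "extractor_ok": extract_mu_prime(honest[0], gamma1, forked[0], gamma2)
        == sum(v * blocks[j] for j, v in chal) % p,
    }
```

`demo()` returns the four checks as booleans; the altered audit fails deterministically here because $\gamma$, $y$ and $v_4$ are all non-zero in $\mathbb{Z}_p$, so the right-hand side of the audit equation is off by the factor $q^{\gamma v_4}$ raised to the block difference. In a real deployment the discrete-log table and the single-group "pairing" are replaced by a genuine bilinear map over the type D curve named in Section V, and the TPA never learns $x$, $u$ or any $m_j$; the toy only makes the equations checkable offline.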
V. PERFORMANCE EVALUATION

In this section, we evaluate the efficiency of our protocols. Since the protocol in [25] is the only privacy-preserving public auditing protocol which enables data dynamics and batch auditing, we compare our protocols with it. In particular, we perform several simulations to evaluate the efficiency of our protocols. The simulations were run on a Linux machine using an AMD FX-8120 at 3.1 GHz. The cryptographic algorithms are implemented using the pairing-based cryptography (PBC) library. For better comparability, in our simulation we choose the same security setting as that in [25]. In particular, a type D curve is chosen, and the size of a group element in $G_1$ is about 21 bytes. Table IV lists the notations that will be used in our evaluations.

In the following, for easy reading, we omit the computational cost for a user to generate the signature using $Sig_{private\ key}()/Ver_{public\ key}()$ and the MHT, since both the protocols in this paper and [25] need to do those operations. Besides, to modify, insert or delete a file block, a user only needs to perform lightweight operations. Hence, in the following, we do not compare the computational cost of these phases.

A. Computational Cost on User Side

We compare the computational cost of our protocols on the user side with that of the protocol in [25] in this section. Table V shows the theoretical comparison between our protocols and the protocol in [25]. When a file is given, since the most complex part is computed as a background computation, our protocols only need one $Mul_Z$ and two $Add$ operations to generate the final tag. However, one $H$, two $Exp$ and one $Mul_G$ operations are needed in the protocol in [25]. We note that $Exp$ and $H$ operations are much more expensive than $Mul_Z$ and $Add$ operations. According to our simulation, the time costs of one $H$, $Exp$, $Mul_Z$ and $Add$ operation are 0.028860 ms, 0.068310 ms, 0.000139 ms and 0.000096 ms respectively. An $Exp$ operation is about 490 times more expensive than a $Mul_Z$ operation and 710 times more expensive than an $Add$ operation, while an $H$ operation is about 208 times more expensive than a $Mul_Z$ operation and 300 times more expensive than an $Add$ operation.

The simulation result is shown in Table VI and Figure 3. In our simulation, the number of blocks of a file ranges from 10 thousand to 80 thousand. It is easy to see that the time cost grows linearly as the number of blocks increases, both in our protocols and in the protocol in [25]. In our protocols, it takes about 5.63 ms for a user to generate the final tag (or online tags) for a file with 10 thousand blocks and about 52.07 ms for a file with 80 thousand blocks. However, the protocol in [25] requires 1,851.28 ms and 24,566.81 ms to generate the final tag for a file with 10 thousand blocks and 80 thousand blocks respectively. Our protocols are over 300 times more efficient than the protocol in [25] in generating the final tag when a file is given.

In real world applications, there exists the scenario that the pre-generated offline tags are not enough for a user to generate all tags of a file. In this situation, the user should run OffTagGen from scratch to replenish the offline
TABLE VII. RUNNING TIME COMPARISON WITH OffTagGen

TABLE VIII. EFFICIENCY IN AUDIT PHASE WITH 95% AND 99% ASSURANCE ON THE TPA SIDE

TABLE IX. COMPARISON OF THE TRANSMISSION OVERHEADS OF OUR PROTOCOLS AND THE PROTOCOLS IN [25]

Fig. 5. Comparison of the total time between the batch audit and audit for the 99% assurance (c = 460).

Fig. 6. Time per task in Batch Audit phase with 99% assurance on the TPA side.
As defined in our protocols, $c$ is the number of challenged file blocks, $K$ is the number of auditing tasks in a batch auditing procedure, $n$ is the number of file blocks and $l_n$ is the bit length of $n$. Table IX shows that the transmission overhead of our basic/improved protocol is comparable with that of the basic/improved protocol in [25].

VI. CONCLUSION

In this paper, we have proposed two privacy-preserving public auditing protocols for secure storage in the cloud environment. Our protocols are based on online/offline signatures, by which a user only needs to perform lightweight computing when a data file to be outsourced is given. Further, our protocols also support batch auditing and data dynamics. Simulation shows that our protocols are much more efficient than a recent privacy-preserving public auditing protocol. Thus, we believe that our protocols are practical for those end devices with low computation capabilities.

REFERENCES

[1] I. Agudo, D. Nuñez, G. Giammatteo, P. Rizomiliotis, and C. Lambrinoudakis, "Cryptography goes to the cloud," in Proc. Secure and Trust Computing, Data Management, and Applicat. (STA 2011 Workshops), 2011, pp. 190–197.
[2] G. Ateniese et al., "Provable data possession at untrusted stores," in Proc. 14th ACM Conf. Comput. Commun. Secur. (CCS), 2007, pp. 598–609.
[3] G. Ateniese, A. Faonio, and S. Kamara, "Leakage-resilient identification schemes from zero-knowledge proofs of storage," in Proc. IMA Int. Conf. Cryptogr. Coding, 2015, pp. 311–328.
[4] G. Ateniese, R. Di Pietro, L. V. Mancini, and G. Tsudik, "Scalable and efficient provable data possession," in Proc. 4th Int. Conf. Secure Privacy Commun. Netw. (SecureComm), 2008, pp. 1–10.
[5] K. D. Bowers, A. Juels, and A. Oprea, "Proofs of retrievability: Theory and implementation," in Proc. ACM Workshop Cloud Comput. Secur. (CCSW), 2009, pp. 43–54.
[6] L. Chen, "Using algebraic signatures to check data possession in cloud storage," Future Generat. Comput. Syst., vol. 29, no. 7, pp. 1709–1715, 2013.
[7] Y. Dodis, S. Vadhan, and D. Wichs, "Proofs of retrievability via hardness amplification," in Proc. Theory Cryptogr. Conf. (TCC), 2009, pp. 109–127.
[8] C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, "Dynamic provable data possession," in Proc. 16th ACM Conf. Comput. Commun. Secur. (CCS), 2009, pp. 213–222.
[9] X. Fan, G. Yang, Y. Mu, and Y. Yu, "On indistinguishability in remote data integrity checking," Comput. J., vol. 58, no. 4, pp. 823–830, 2015.
[10] Y. Feng, Y. Mu, G. Yang, and J. K. Liu, "A new public remote integrity checking scheme with user privacy," in Proc. 20th Austral. Conf. Inf. Secur. Privacy (ACISP), 2015, pp. 377–394.
[11] Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, "Enabling personalized search over encrypted outsourced data with efficiency improvement," IEEE Trans. Parallel Distrib. Syst., to be published, doi: 10.1109/TPDS.2015.2506573.
[12] Z. Fu, X. Sun, Q. Liu, L. Zhou, and J. Shu, "Achieving efficient cloud search services: Multi-keyword ranked search over encrypted cloud data supporting parallel computing," IEICE Trans. Commun., vol. E98-B, no. 1, pp. 190–200, 2015.
[13] Z. Hao, S. Zhong, and N. Yu, "A privacy-preserving remote data integrity checking protocol with data dynamics and public verifiability," IEEE Trans. Knowl. Data Eng., vol. 23, no. 9, pp. 1432–1437, Mar. 2011.
[14] A. Juels and B. S. Kaliski, Jr., "PORs: Proofs of retrievability for large files," in Proc. 14th ACM Conf. Comput. Commun. Secur. (CCS), 2007, pp. 584–597.
[15] H. Liu, L. Chen, Z. Davar, and M. Pour, "Insecurity of an efficient privacy-preserving public auditing scheme for cloud data storage," J. Universal Comput. Sci., vol. 21, no. 3, pp. 473–482, 2015.
[16] J. K. Liu, M. H. Au, X. Huang, R. Lu, and J. Li, "Fine-grained two-factor access control for Web-based cloud computing services," IEEE Trans. Inf. Forensics Security, vol. 11, no. 3, pp. 484–497, Mar. 2016.
[17] J. K. Liu, J. Baek, J. Zhou, Y. Yang, and J. W. Wong, "Efficient online/offline identity-based signature for wireless sensor network," Int. J. Inf. Secur., vol. 9, no. 4, pp. 287–296, 2010.
[18] J. K. Liu, K. Liang, W. Susilo, J. Liu, and Y. Xiang, "Two-factor data security protection mechanism for cloud storage system," IEEE Trans. Comput., vol. 65, no. 6, pp. 1992–2004, Jun. 2016.
[19] R. Di Pietro, L. V. Mancini, A. Durante, and V. Patil, "Addressing the shortcomings of one-way chains," in Proc. ACM Symp. Inf., Comput. Commun. Secur. (ASIACCS), 2006, pp. 289–296.
[20] D. Pointcheval and J. Stern, "Security proofs for signature schemes," in Proc. Advances in Cryptology (EUROCRYPT 1996), 1996, pp. 387–398.
[21] Y. Ren, J. Shen, J. Wang, J. Han, and S. Lee, "Mutual verifiable provable data auditing in public cloud storage," J. Internet Technol., vol. 16, no. 2, pp. 317–323, 2015.
[22] F. Sebe, J. Domingo-Ferrer, A. Martinez-Balleste, Y. Deswarte, and J.-J. Quisquater, "Efficient remote data possession checking in critical information infrastructures," IEEE Trans. Knowl. Data Eng., vol. 20, no. 8, pp. 1034–1038, Aug. 2008.
[23] H. Shacham and B. Waters, "Compact proofs of retrievability," in Proc. 14th Int. Conf. Theory Appl. Cryptol. Inf. Secur. (ASIACRYPT), 2008, pp. 90–107.
[24] A. Shamir and Y. Tauman, "Improved online/offline signature schemes," in Proc. 21st Annu. Int. Cryptol. Conf., 2001, pp. 355–367.
[25] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for secure cloud storage," IEEE Trans. Comput., vol. 62, no. 2, pp. 362–375, Feb. 2013.
[26] C. Wang, Q. Wang, K. Ren, and W. Lou, "Ensuring data storage security in cloud computing," in Proc. 17th Int. Workshop Quality Service (IWQoS), 2009, pp. 1–9.
[27] C. Wang, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for data storage security in cloud computing," in Proc. IEEE Int. Conf. Comput. Commun. (INFOCOM), Mar. 2010, pp. 1–9.
[28] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, "Enabling public verifiability and data dynamics for storage security in cloud computing," IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 5, pp. 847–859, May 2011.
[29] S. Worku, C. Xu, J. Zhao, and X. He, "Secure and efficient privacy-preserving public auditing scheme for cloud storage," Comput. Elect. Eng., vol. 40, no. 5, pp. 1703–1713, 2014.
[30] C. Xu, X. He, and D. Abraha-Weldemariam, "Cryptanalysis of Wang's auditing protocol for data storage security in cloud computing," in Proc. Inform. Computing and Applicat. (ICICA 2012), 2012, pp. 422–428.
[31] Z. Xia, X. Wang, X. Sun, and Q. Wang, "A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data," IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 2, pp. 340–352, Feb. 2016.
[32] Y. Yang, J. K. Liu, K. Liang, K. Y. Choo, and J. Zhou, "Extended proxy-assisted approach: Achieving revocable fine-grained encryption of cloud data," in Proc. 20th Eur. Symp. Res. Comput. Secur. (ESORICS), 2015, pp. 146–166.
[33] J. Yuan and S. Yu, "Public integrity auditing for dynamic data sharing with multiuser modification," IEEE Trans. Inf. Forensics Security, vol. 10, no. 8, pp. 1717–1726, Aug. 2015.
[34] L. Zhang, "Certificateless one-pass and two-party authenticated key agreement protocol and its extensions," Inf. Sci., vol. 293, pp. 182–195, Feb. 2015.
[35] L. Zhang, C. Hu, Q. Wu, J. Domingo-Ferrer, and B. Qin, "Privacy-preserving vehicular communication authentication with hierarchical aggregation and fast response," IEEE Trans. Comput., vol. 65, no. 8, pp. 2562–2574, Aug. 2016, doi: 10.1109/TC.2015.2485225.
[36] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and Z. Dong, "Round-efficient and sender-unrestricted dynamic group key agreement protocol for secure group communications," IEEE Trans. Inf. Forensics Security, vol. 10, no. 11, pp. 2352–2364, Nov. 2015.
[37] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and C. Hu, "Distributed aggregate privacy-preserving authentication in VANETs," IEEE Trans. Intell. Transp. Syst., to be published, doi: 10.1109/TITS.2016.2579162.
[38] L. Zhang, Q. Wu, A. Solanas, and J. Domingo-Ferrer, "A scalable robust authentication protocol for secure vehicular communications," IEEE Trans. Veh. Technol., vol. 59, no. 4, pp. 1606–1617, May 2010.

Jiangtao Li received the B.S. degree (Hons.) in mathematics and applied mathematics from Henan Normal University, China. He is currently pursuing the Ph.D. degree with the School of Computer Science and Software Engineering, East China Normal University, China. His research interests include information security, public key cryptography and network security.

Joseph K. Liu received the Ph.D. degree in information engineering from the Chinese University of Hong Kong in 2004 with a focus on cyber security, protocols for securing wireless networks, privacy, authentication, and provable security. He was a Research Scientist with the Infocomm Security Department, Institute for Infocomm Research, Singapore for over seven years. He is currently a Senior Lecturer with the Faculty of Information Technology, Monash University, Australia. His current technical focus is cyber security in the cloud computing paradigm, big data, lightweight security, and privacy enhancing technology. He has authored over 100 refereed journal and conference papers. He received the best paper award from ESORICS 2014 and ESORICS 2015. He is the cofounder of ProvSec (International Conference on Provable Security). He has served as the Program Chair of ProvSec 2007, ProvSec 2014 and ACISP 2016, and as a Program Committee Member of over 50 international conferences.

Haifeng Qian received the B.S. and master's degrees in algebraic geometry from the Department of Mathematics, East China Normal University, in 2000 and 2003, respectively, and the Ph.D. degree from the Department of Computer Science and Engineering, Shanghai Jiao Tong University in 2006. He is currently a Professor with East China Normal University. His main research interests include network security, cryptography, and algebraic geometry. He is currently serving as a Reviewer for multiple international journals and academic conferences.