2572 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 11, NO. 11, NOVEMBER 2016

Privacy-Preserving Public Auditing Protocol for Low-Performance End Devices in Cloud

Jiangtao Li, Lei Zhang, Member, IEEE, Joseph K. Liu, Haifeng Qian, and Zheming Dong

Manuscript received November 16, 2015; revised April 25, 2016 and June 16, 2016; accepted June 27, 2016. Date of publication July 7, 2016; date of current version September 1, 2016. This work was supported in part by the National Science Foundation of China under Grant 61572198, Grant 61321064, and Grant 61571191, and in part by the Science and Technology Commission of Shanghai Municipality under Grant 13JC1403502; by the Priority Academic Program Development of Jiangsu Higher Education Institutions; by the Jiangsu Collaborative Innovation Center on Atmospheric Environment and Equipment Technology. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Mauro Barni. (Corresponding author: Lei Zhang.)
J. Li, L. Zhang, H. Qian, and Z. Dong are with the Shanghai Key Laboratory of Trustworthy Computing, School of Computer Science and Software Engineering, East China Normal University, Shanghai 200062, China; and also with Nanjing University of Information Science and Technology, Nanjing 210044, China (e-mail: lijiangtao@ecnu.cn; leizhang@sei.ecnu.edu.cn; hfqian@cs.ecnu.edu.cn; kgpolly@gmail.com).
J. K. Liu is with the Faculty of Information Technology, Monash University, Clayton, VIC 3800, Australia (e-mail: joseph.liu@monash.edu).
Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TIFS.2016.2587242
1556-6013 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Abstract— Cloud storage provides tremendous storage resources for both individual and enterprise users. In a cloud storage system, the data owned by a user are no longer possessed locally. Hence, traditional data integrity checking methods are not adequate to ensure the integrity of the outsourced data. A privacy-preserving public auditing protocol allows a third party auditor to check the integrity of the outsourced data on behalf of the users without violating the privacy of the data. However, existing privacy-preserving public auditing protocols assume that the end devices of users are powerful enough to compute all costly operations in real time when the data to be outsourced are given. In fact, the end devices may also be those with low computation capabilities. In this paper, we propose two lightweight privacy-preserving public auditing protocols. Our protocols are based on online/offline signatures, by which an end device only needs to perform lightweight computations when a file to be outsourced is available. Besides, our proposals support batch auditing and data dynamics. Experiments show that our protocols are hundreds of times more efficient than a recent proposal regarding the computational overhead on the user side.

Index Terms— Cloud storage, privacy-preserving, public auditing, online/offline signature.

I. INTRODUCTION

Cloud computing has been deemed to be a profound innovation in the information technology industry. The features of ubiquitous access, high reliability, resilience, scalability and cost efficiency exactly satisfy the demand of both individuals and enterprises [1], [11], [12], [16], [31], [32]. It is transforming the traditional view of data processing since the data is outsourced and centralized in the cloud environment. As a key component of cloud computing, cloud storage has been adopted widely and deployed for commercial purposes in recent years. Compared with personal local storage, cloud storage has massive advantages. Especially, cloud storage releases users from the burden of local massive data processing.

In bringing the massive benefits, cloud storage also puts the data at a new risk: the integrity of the data is hard to guarantee. Indeed, cloud service providers (CSPs) usually claim to provide much more reliable infrastructures than personal storage devices, whereas the cases of outages and security breaches of cloud services occur frequently [18], [25]. Hence, the risk of data loss still exists in cloud storage. On the other side, a CSP may delete (or modify) users' data for its own profit (e.g., delete the rarely accessed data for monetary cost consideration). Since users no longer possess their data physically after they have uploaded their data to the cloud, the integrity of the data is a major concern of users [10]. Generally, it is a critical issue for users to check the integrity of their outsourced data with reasonable computation and communication cost in the cloud environment.

A. Related Work

Traditional data integrity checking methods are no longer suitable for the cloud storage environment, since it is impractical for users to download the whole data for integrity checking. In 2007, Ateniese et al. [2] proposed two integrity checking protocols in the "provable data possession" (PDP) model which are based on the RSA cryptosystem and homomorphic linear authenticators. The protocols are probabilistic, namely, by checking only some randomly sampled file blocks, data corruption will be detected with a high probability. Besides, the improved protocol [2] also enables public auditability, which allows anyone, not just the data owner, to check the data integrity. Another approach to check the integrity of the outsourced data is called "Proofs of Retrievability", which was proposed by Juels and Kaliski [14]. In addition to the data integrity checking, it can also restore the data even if the data is not intact. Later, this protocol was improved by Shacham and Waters [23] to achieve public auditability. Other similar work can be found in [5]–[8], [21], [22]. It was also shown by Ateniese et al. [3] that those schemes can be used to construct leakage-resilient identification (ID) protocols in the bounded retrieval model.

We note that all the above protocols are not privacy-preserving (see Section II-B). In fact, the auditing processes in those protocols may potentially leak users' data to external auditors [25]. Obviously, most users do not want to leak their data to any external auditor. Observing this fact, Wang et al. [27] proposed the first privacy-preserving public auditing protocol based on the work in [23] and the random

masking technique. In their proposed protocol, a third party auditor (TPA) is employed to perform the public auditing tasks on behalf of the users. As a result, a user gets rid of the heavy burden of the data integrity checking. Furthermore, the TPA cannot extract the original data of a user during the auditing process. Besides, their protocol also supports batch auditing, which allows multiple auditing tasks to be handled simultaneously and efficiently. The security of the protocol in [27] is revisited in [29] and [30]. The original protocol in [27] was shown to be vulnerable to attacks from a malicious CSP and an outside attacker. The root cause for the insecurity of this scheme is the inappropriate definition and use of private/public parameters during signature generation. In [29], Worku et al. proposed a scheme which is more efficient than the protocol in [27]. However, it was shown in [15] that even after deleting all files of a data owner, a malicious CSP is still able to generate a response to a challenge without being caught by the TPA. We note that a privacy enhanced protocol was introduced in [9], in which an adversary could not even distinguish which file was checked. Nevertheless, the computational overheads of all the entities in the system are greatly increased.

In the real world, users may not only access but also update (e.g., modify, insert or delete) their data. Hence, public auditing protocols should also support data dynamics. Usually, we expect that a user only needs to perform several lightweight operations when he wants to update his outsourced data. To address this issue, several protocols [4], [8], [26] have been proposed. However, in these protocols, the insertion operations are not well supported.¹ Later, Wang et al. [28] utilized the Merkle Hash Tree (see Section II-D) to enable fully data dynamics. That is, users can perform all update operations (i.e., modification, deletion and insertion) with several lightweight operations. On the other side, this protocol does not consider the privacy of users' data against external auditors. In [25], based on the protocol in [27], Wang et al. proposed an improved privacy-preserving public auditing protocol which supports fully data dynamics and batch auditing. Besides, the protocol is proven in a stronger security paradigm defined in [23]. In [13], a privacy-preserving public auditing protocol is also proposed, although batch auditing is not discussed in that protocol. We note that a file may sometimes be shared and modified by more than one user in a cloud storage system. In [33], a public auditing protocol supporting multiuser modification and user revocation is proposed. But given the fact that a file is owned by a single user in most cases, we only consider the single user case in this paper.

¹ We note that the data append operation [2], i.e., adding a block after the last block of a file, is a special case of the data insert operation. To append a new data block, a user just needs to insert the block after the last block of the original data. Hence, we do not discuss this operation independently.

B. Our Work

Existing privacy-preserving public auditing protocols assume the users' end devices are powerful enough to calculate all costly computations efficiently when a file is to be outsourced. However, in the real world, the users' end devices may be those with low computation capabilities (e.g., PDAs and mobile phones). Observing this fact, we propose two privacy-preserving public auditing protocols for low performance end devices: the basic one and the improved one. The basic protocol assumes users only upload short data (e.g., telephone numbers) to the cloud. In the basic protocol, the TPA is employed to perform the auditing task to check the data integrity on behalf of users. Privacy is preserved in the proposed protocol. Hence users' data will not be revealed to the TPA during the auditing procedure. Besides, our protocol also supports fully data dynamics and fast auditing (see Section II-B). Especially, the proposed protocol is low performance end device friendly. This is achieved by using our online/offline signatures (see Section II-C). Unlike other existing privacy-preserving public auditing protocols, our protocol allows all costly computations to be carried out in the offline phase before the outsourced file is available. A user only needs to perform lightweight computations to construct the final data to be outsourced in the online phase, i.e., when the outsourced file is given.

In the basic protocol, the TPA needs to store the partial signatures corresponding to the data blocks of the whole data. If the data to be outsourced is huge, it is a challenge to the TPA's storage capacity. Hence, the basic protocol is only practical for situations where users only upload short data. Our improved protocol removes this restriction and achieves all the requirements which are achieved in the basic protocol, i.e., public auditability, privacy preservation, fully data dynamics, fast auditing and low performance end device friendliness. This is achieved by using the Merkle Hash Tree authentication structure, which is utilized to guarantee the correctness of the partial signatures in the improved protocol. In this way, the storage space of the TPA is greatly saved. Experiment results show that both of our protocols are about 300 times more efficient than the protocols in [25] on the user side. Therefore, our protocols are more practical for the users with low performance end devices.

C. Organization

The rest of the paper is organized as follows. Section II is the background. We propose our basic protocol and the improved protocol in Section III. Section IV analyzes the security of the proposed protocols. Section V evaluates the performance of our protocols. We conclude the paper in Section VI.

II. BACKGROUND

A. System Architecture

As shown in Fig. 1, the system architecture of our proposals consists of the following entities:
• Trusted Authority (TA): TA is a fully trusted authority. It generates the system global parameter and issues certificates for entities in the system.
• Cloud Service Provider (CSP): CSP provides data storage service. It has abundant storage and computation resources.
• Users: Users have their files to be uploaded to the CSP. In a cloud storage system, users' end devices may be the devices with low computation capacities, e.g., PDAs and mobile phones.

Fig. 1. System Architecture.

• Third Party Auditor (TPA): TPA performs public auditing tasks on behalf of users. It is assumed to be semi-trusted, i.e., curious but honest. It has to follow the protocol. Otherwise, the TPA may report the auditing result as it wants and no secure auditing protocol can be constructed in this setting. However, it may try to violate the privacy of users' data. This assumption is the same as that of the existing public auditing protocols.

B. Design Goals

In a public auditing protocol, an attacker could be the CSP or the TPA or any external entity except the CSP and the TPA. Obviously, an external entity has less knowledge than the CSP or the TPA. We only need to consider the attacks from the CSP and the TPA. Similar to [25], in our protocol, we assume that the TPA and the CSP do not collude with each other, and the TPA is semi-trusted. As defined in [25], a privacy-preserving public auditing protocol for cloud data storage should satisfy the following security guarantees:
• Storage Correctness: In most cases, the CSP behaves properly. However, in practice, a cloud storage system may suffer from some attacks/threats related to data integrity. For instance, a malicious CSP may violate the integrity of users' data, e.g., remove users' rarely used data. Due to some accidents, users' data is vulnerable to being lost. For its own profit, the CSP might hide its misbehavior or the data loss caused by accident. In our protocol, only a data owner may update his outsourced data legally. If the integrity of users' data is violated, then the TPA may find this inconsistency. Storage correctness guarantees that the CSP cannot pass the TPA's auditing procedure if the data stored is not intact.
• Privacy Preservation: With the help of the TPA, the burden of the auditing task on the user side is eliminated. However, the TPA may behave curiously. It may try to violate the privacy of a user's data. A public auditing protocol that satisfies privacy preservation implies that the users' data should not be revealed to the TPA during the auditing procedure.
In [25], several performance guarantees are also defined:
• Public Auditability: The TPA may perform the auditing task to check the data integrity on behalf of users.
• Fast Auditing²: The TPA may receive multiple auditing tasks in a very short period. Fast auditing requires that multiple auditing tasks can be handled simultaneously to accelerate the auditing procedure. Further, it requires that the communication and computation overheads should be lightweight for the TPA to perform auditing tasks.
• Fully Data Dynamics: For various application purposes, users may interact with the CSP and the TPA to update (i.e., modify, delete or insert) their outsourced data with several lightweight operations.
Besides the above basic security and performance requirements, this paper addresses the requirement of low performance end device friendliness.
• Low Performance End Device Friendliness: The users' end devices may be those with low computation capabilities. This requirement requires that a privacy-preserving public auditing protocol can also be applied to end devices with low computation capabilities.

² Our definition of Fast Auditing combines the properties of batch auditing and lightweight defined in [25].

C. Online/Offline Signatures

An online/offline signature scheme [17], [24] allows a signer to generate a signature in two phases: the offline phase and the online phase. The offline phase is performed before a message to be signed is given. The most costly operations are calculated in this phase. In our system, the offline phase can be executed as a background computation whenever an end device is connected to power. The online phase is performed after the message is given. It is typically very fast, and can be executed efficiently even by an end device with a weak processor.

Chameleon hash functions [19] are usually employed to construct online/offline signature schemes and other efficient schemes. For instance, in [24], an efficient one-way chain based on chameleon functions with constant storage and computational requirements is proposed. It is even more efficient than a SHA-1 based one-way chain. A chameleon hash function is associated with a public key and a private key. If only the public key is known, it is hard to generate collisions of the hash function. However, it becomes easy if the private key is also known. In this paper, we will use the chameleon hash function defined in [24]: Let $G_1$ be a multiplicative cyclic group with prime order $p$, and $g$ be a generator of $G_1$. Let $y \in Z_p^*$ be the private key, and $g_2 = g^y$ be the public key. It is defined as $H_{CH}(m, r) = g_2^m g^r$, where $(m, r) \in Z_p$. For an entity who knows the private key $y$, given $(m, r) \in Z_p$, it is easy to compute $r' = (m - m')y + r$ such that $H_{CH}(m', r') = H_{CH}(m, r)$, where $m' \neq m$. However, it is hard to find $(m', r')$, $m' \neq m$, such that $H_{CH}(m', r') = H_{CH}(m, r)$ if $y$ is not given.

Given a chameleon hash function, an online/offline signature scheme can be constructed using the "hash-sign-switch" method proposed by Shamir and Tauman [24]. This method separates the signature generation procedure into two phases. In the first offline phase, for randomly selected $(m, r) \in Z_p$, the hash value $H_{CH}(m, r)$ is signed using a secure signature scheme. Given an actual message $m'$, in the latter online phase, $r'$ such that $H_{CH}(m, r) = H_{CH}(m', r')$ is found using the

TABLE I
NOTATIONS IN OUR PROPOSALS

Fig. 2. An example of Merkle hash tree authentication.

private key. The pre-computed signature on $H_{CH}(m, r)$ and $r'$ form the full signature on message $m'$.
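The chameleon hash and the hash-sign-switch idea above, together with the OffTagGen/OnTagGen tag form of Section III-A that is built from it, as an added example (this is not code from the paper). It assumes a constructed toy group: the order-$p$ subgroup of quadratic residues of $Z_q^*$ for the safe prime $q = 2p + 1 = 10007$, and, since no pairing library is used, the CSP's pairing check is replaced by a toy verifier that is handed the secret $x_l$ it would not normally have.

```python
"""Chameleon hash H_CH(m, r) = g2^m g^r, its trapdoor collision, and the
offline/online tags T^off, T^on the paper builds from it.

Added example, not code from the paper.  G1 is modelled as the order-p
subgroup of quadratic residues of Z_q^* for the constructed toy safe prime
q = 2p + 1 = 10007.  The CSP's pairing check e(q_l^m g^{T_on}, d_l) = e(T_off, h)
needs a pairing; the toy verifier below checks the same identity in G1 using
the secret x_l, which a real CSP never holds."""
import secrets

Q = 10007   # toy modulus, a safe prime (Q = 2*P + 1); far too small for real use
P = 5003    # prime order p of the quadratic-residue subgroup (the paper's p)
G = 4       # 4 = 2^2 is a quadratic residue, hence a generator g of that subgroup


def chameleon_hash(g2: int, m: int, r: int) -> int:
    """H_CH(m, r) = g2^m * g^r with public key g2 = g^y (definition from [24])."""
    return (pow(g2, m % P, Q) * pow(G, r % P, Q)) % Q


def collision(y: int, m: int, r: int, m_new: int) -> int:
    """Trapdoor step: r' = (m - m')y + r, so that H_CH(m', r') = H_CH(m, r)."""
    return ((m - m_new) * y + r) % P


def user_setup() -> dict:
    """UserSetup: private (x_l, y_l), public q_l = g^{y_l}.  d_l = h^{x_l} lives
    in G2 and is only needed by the pairing check, so it is omitted here."""
    x = secrets.randbelow(P - 1) + 1
    y = secrets.randbelow(P - 1) + 1
    return {"x": x, "y": y, "q": pow(G, y, Q)}


def off_tag_gen(user: dict, count: int) -> list:
    """OffTagGen (background work): for random (w, r) compute W = w*x, R = r*x and
    T^off = q^W g^R.  Note T^off = H_CH(w, r)^x: the chameleon hash of the random
    pair, 'signed' by exponentiation with x."""
    pool = []
    for _ in range(count):
        w, r = secrets.randbelow(P), secrets.randbelow(P)
        t_off = (pow(user["q"], (w * user["x"]) % P, Q)
                 * pow(G, (r * user["x"]) % P, Q)) % Q
        pool.append({"w": w, "r": r, "t_off": t_off})
    return pool


def on_tag_gen(user: dict, pool: list, blocks: list) -> list:
    """OnTagGen: one multiplication and one addition mod p per block,
    T^on_j = (w_j - m_j) y + r_j, consuming one unused offline tuple per block."""
    tags = []
    for m, tup in zip(blocks, pool):
        tags.append({"t_off": tup["t_off"],
                     "t_on": collision(user["y"], tup["w"], tup["r"], m)})
    return tags


def toy_csp_check(user: dict, blocks: list, tags: list) -> bool:
    """Identity behind e(q^m g^{T_on}, d) = e(T_off, h): (q^m g^{T_on})^x == T_off.
    q^m g^{T_on} equals H_CH(w, r) by the collision, so the check passes exactly
    when T_on was derived for this block from the pair behind T_off."""
    for m, tag in zip(blocks, tags):
        lhs = (pow(user["q"], m % P, Q) * pow(G, tag["t_on"], Q)) % Q
        if pow(lhs, user["x"], Q) != tag["t_off"]:
            return False
    return True


def demo() -> tuple:
    user = user_setup()
    pool = off_tag_gen(user, 4)            # precomputed while the device is charging
    blocks = [1234, 4321, 777]             # constructed "short data" blocks in Z_p
    tags = on_tag_gen(user, pool, blocks)
    ok = toy_csp_check(user, blocks, tags)
    tampered = toy_csp_check(user, [1234, 4322, 777], tags)   # one block altered
    return ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```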

D. Bilinear Maps and Merkle Hash Tree

1) Bilinear Maps: Our protocol is implemented with bilinear maps [34], [36], [38]. Let $G_1$, $G_2$ and $G_T$ be multiplicative cyclic groups of prime order $p$. We say $e : G_1 \times G_2 \to G_T$ is a bilinear map if it satisfies: 1) Bilinearity: for all $u \in G_1$, $v \in G_2$ and $\alpha, \beta \in Z_p$, $e(u^{\alpha}, v^{\beta}) = e(u, v)^{\alpha\beta}$; 2) Non-degeneracy: $e(g, h) \neq 1$, where $g, h$ are the generators of $G_1$ and $G_2$ respectively; 3) Computability: there exists an efficient algorithm to calculate $e(u, v)$.

2) Merkle Hash Tree: A Merkle Hash Tree (MHT) is an authentication structure which is constructed as a binary tree. The leaves in the MHT are the hashes of authentic values. An MHT enables a prover to prove that a set of elements are undamaged and unaltered. Fig. 2 illustrates an example of authentication. The verifier with the authentic $h_0$ requests $\{T_3, T_5\}$. To prove the integrity of $\{T_3, T_5\}$, the prover returns the auxiliary authentication information (AAI) for $T_3$, $(h_4, h_c)$, and for $T_5$, $(h_6, h_f)$. Then the verifier can compute $h_3 = H_1(T_3)$, $h_5 = H_1(T_5)$, $h_d = H_1(h_3, h_4)$, $h_a = H_1(h_c, h_d)$, $h_e = H_1(h_5, h_6)$, $h_b = H_1(h_e, h_f)$, $\hat{h}_0 = H_1(h_a, h_b)$. If $\hat{h}_0 = h_0$, the integrity of $\{T_3, T_5\}$ is then proved.

III. OUR PROPOSALS

In this section, we first present a basic privacy-preserving public auditing protocol, then we propose an improved one. In the basic protocol, we assume users' data is short data (e.g., a telephone number) and the TPA is required to store the partial signature of each block of the data. The improved one is designed to remove the above restriction. Table I lists all notations that will be used in our protocols.

A. The Basic Protocol

The basic protocol consists of nine phases: GlobeSetup, UserSetup, OffTagGen, OnTagGen, Audit, Batch Audit, Modification, Insertion and Deletion. In the first phase (GlobeSetup), the TA generates the system global parameter. In the second phase (UserSetup), a user's public-private key pair and the corresponding certificate are generated. In the third phase (OffTagGen), a pool of offline tags is generated by the user through calculation in the background. Those tags will be used in the next phase. In the fourth phase (OnTagGen), the user generates the online tags based on the offline tags when the data file to be outsourced is available. In the fifth phase (Audit), the TPA launches the public auditing task by sending a challenge message to the CSP. The CSP will generate a response and send it to the TPA. Finally, the TPA verifies the response to check whether the data is intact. The sixth phase (Batch Audit) considers the case when the TPA receives multiple auditing tasks. The last three phases (Modification, Insertion and Deletion) allow the user to modify, insert and delete his file respectively. Our protocol is as follows:
• GlobeSetup: On input a security parameter $\lambda$, the TA generates multiplicative cyclic groups $G_1$, $G_2$ and $G_T$ of prime order $p$, and a bilinear map $e : G_1 \times G_2 \to G_T$, selects a generator $g \in G_1$ and a generator $h \in G_2$, chooses a hash function $H_2 : G_T \to Z_p$; chooses a secure signature scheme $Sig_{\text{private key}}()/Ver_{\text{public key}}()$; generates a private-public key pair $(msk, mpk)$. The system global parameter is $param = (e, G_1, G_2, g, h, Sig_{\text{private key}}()/Ver_{\text{public key}}(), H_2, mpk)$.
• UserSetup: A user $U_l$ randomly chooses $x_l, y_l \in Z_p$ and computes $q_l = g^{y_l}$ and $d_l = h^{x_l}$. $U_l$ also generates a private-public key pair $(ssk_l, spk_l)$ corresponding to $Sig_{\text{private key}}()/Ver_{\text{public key}}()$. The full private key of the user is $(x_l, y_l, ssk_l)$ and the public key is $(q_l, d_l, spk_l)$. Finally, a certificate signed by the TA using $msk$ is issued for the user.
• OffTagGen: The user $U_l$ chooses a set of random values $\{w_{i,l}, r_{i,l}\}_{i \in \{1,\dots,B_l\}} \in Z_p$, computes $\{W_{i,l} = w_{i,l} x_l, R_{i,l} = r_{i,l} x_l\}_{i \in \{1,\dots,B_l\}}$ and generates the offline tags $\{T^{off}_{i,l}\}_{i \in \{1,\dots,B_l\}}$ in the background, where $B_l$ is the number of tags that the user wants to generate and $T^{off}_{i,l} = q_l^{W_{i,l}} g^{R_{i,l}}$. Finally, $\{w_{i,l}, r_{i,l}, T^{off}_{i,l}\}_{i \in \{1,\dots,B_l\}}$ are stored locally.

• OnTagGen: Given a file $F_l$ with filename $name_l$, similar to [25], we split $F_l$ into $n_l$ blocks $\{m_j\}_{j \in \{1,\dots,n_l\}}$, where $m_j \in Z_p$. The user $U_l$ retrieves $n_l$ unused tuples from $\{w_{i,l}, r_{i,l}, T^{off}_{i,l}\}_{i \in \{1,\dots,B_l\}}$ in his local storage. Assume those tuples are $\{w_{j,l}, r_{j,l}, T^{off}_{j,l}\}_{j \in \{1,\dots,n_l\}}$; $U_l$ computes the online tags $T^{on}_{j,l} = (w_{j,l} - m_j) y_l + r_{j,l}$, $j \in \{1, \dots, n_l\}$. The final tag of the file is $T_l = \{T^{off}_{j,l}, T^{on}_{j,l}\}_{j \in \{1,\dots,n_l\}}$. Finally, the user sends $(F_l, T_l)$ to the CSP and $t = t_0 \| Sig_{ssk_l}(t_0)$ to the TPA, where $t_0 = name_l \| n_l \| T^{on}_{1,l} \| \cdots \| T^{on}_{n_l,l}$ and $Sig_{ssk_l}(t_0)$ is the signature on $t_0$ under $spk_l$. On receiving the file and tags, the TPA checks whether $Sig_{ssk_l}(t_0)$ is a valid signature on $t_0$ under $spk_l$ using the $Ver_{spk_l}$ algorithm. Besides, the CSP checks $e(q_l^{m_j} g^{T^{on}_{j,l}}, d_l) \stackrel{?}{=} e(T^{off}_{j,l}, h)$ for all $j \in \{1, \dots, n_l\}$ to verify whether $T_l$ is a valid online/offline signature on $F_l$.
• Audit: In this phase, the TPA launches the auditing task. Assume the filename that the TPA wants to challenge is $name_l$ and the corresponding online tags are $\{T^{on}_{j,l}\}_{j \in \{1,\dots,n_l\}}$. As shown in [25], the TPA only needs to check $c$ file blocks of the whole file and the detection probability is $P = 1 - (1 - \kappa)^c$, where $\kappa$ is the fraction of data corrupted. When $\kappa = 1\%$, $P$ is over 95% if $c = 300$, and 99% if $c = 460$. The concrete procedure comes as follows:
1) Let the indices of the chosen blocks be $J = \{s_1, \dots, s_c\}$. The TPA chooses $V = \{v_{s_1}, \dots, v_{s_c}\}$, where $v_{s_i} \in Z_p$, $s_i \in J$. The TPA sends the challenge message $chal = (name_l, \{(j, v_j)\}_{j \in J})$ to the CSP.
2) On receiving $chal$, the CSP calculates $\mu' = \sum_{j \in J} v_j m_j$ and $\sigma = \prod_{j \in J} (T^{off}_{j,l})^{v_j}$. Similarly to [25], we have to blind $\mu'$. Otherwise, the TPA may learn $m_j$. To do this, the CSP chooses a blind factor $u \in Z_p$, computes $U = e(q_l, d_l)^u$ and $\mu = u + H_2(U)\mu'$. Finally, $\{\mu, \sigma, U\}$ is sent to the TPA.
3) When the TPA receives $\{\mu, \sigma, U\}$, it computes $\gamma = H_2(U)$ and the aggregated online tag $\gamma \cdot \sum_{j \in J} v_j T^{on}_{j,l}$, and verifies:
$$U \cdot e(\sigma^{\gamma}, h) \stackrel{?}{=} e\Big(g^{\gamma \sum_{j \in J} v_j T^{on}_{j,l}} \cdot q_l^{\mu}, d_l\Big).$$
If the equation holds, the TPA outputs 1, which implies the data remains intact; otherwise, it outputs 0, which means that the data is modified. Notice that the chameleon hash satisfies $q_l^{w_{j,l}} g^{r_{j,l}} = q_l^{m_j} g^{T^{on}_{j,l}}$. The correctness of the equation is shown below:
$$\begin{aligned}
U \cdot e(\sigma^{\gamma}, h) &= e(q_l, d_l)^u \cdot e\Big(\Big(\prod_{j \in J} (T^{off}_{j,l})^{v_j}\Big)^{\gamma}, h\Big) \\
&= e(q_l^u, d_l) \cdot e\Big(\Big(q_l^{\sum_{j \in J} v_j w_{j,l}}\, g^{\sum_{j \in J} v_j r_{j,l}}\Big)^{\gamma}, h^{x_l}\Big) \\
&= e(q_l^u, d_l) \cdot e\Big(\Big(q_l^{\sum_{j \in J} v_j m_j}\, g^{\sum_{j \in J} v_j T^{on}_{j,l}}\Big)^{\gamma}, h^{x_l}\Big) \\
&= e(q_l^u, d_l) \cdot e\Big(q_l^{\gamma \mu'}\, g^{\gamma \sum_{j \in J} v_j T^{on}_{j,l}}, h^{x_l}\Big) \\
&= e\Big(g^{\gamma \sum_{j \in J} v_j T^{on}_{j,l}} \cdot q_l^{\mu}, d_l\Big).
\end{aligned}$$
• Batch Audit: The above Audit algorithm only allows the TPA to perform the auditing tasks from different users independently. However, since the TPA will receive a huge number of requests from different users, it is inefficient for the TPA to perform the auditing tasks independently. Here, we propose a batch auditing technique, i.e., the TPA may perform the auditing tasks simultaneously. Assume that there exist $K$ auditing tasks requested by $K$ users $\{U_l\}_{l \in \{1,\dots,K\}}$ on $K$ data files. For simplicity, we assume that all the $K$ files have the same number $n$ of blocks. Let the private-public key pair of $U_l$ be $((x_l, y_l, ssk_l), (q_l, d_l, spk_l))$, where $x_l, y_l \in Z_p$, $q_l = g^{y_l}$ and $d_l = h^{x_l}$, and $(ssk_l, spk_l)$ is a private-public key pair corresponding to $Sig_{\text{private key}}()/Ver_{\text{public key}}()$. Assume $U_l$'s file is $F_l$ and the corresponding filename is $name_l$; the offline tags corresponding to file $F_l$ are $T^{off}_{j,l} = q_l^{W_{j,l}} g^{R_{j,l}}$, where $\{W_{j,l} = w_{j,l} x_l, R_{j,l} = r_{j,l} x_l\}_{j \in \{1,\dots,n\}}$, $\{w_{j,l}, r_{j,l}\}_{j \in \{1,\dots,n\}} \in Z_p$; the online tags corresponding to file $F_l$ are $T^{on}_{j,l} = (w_{j,l} - m_{j,l}) y_l + r_{j,l}$. The batch auditing technique works as follows:
1) The TPA chooses the indices of the chosen blocks $J = \{s_1, \dots, s_c\}$ and random values $V = \{v_{s_1}, \dots, v_{s_c}\}$, where $v_{s_i} \in Z_p$. Then the TPA sends the challenge message $chal = (\{name_l\}_{l \in \{1,\dots,K\}}, J, V)$ to the CSP for the $K$ users.
2) On receiving $chal$ from the TPA, for $l \in \{1, \dots, K\}$, the CSP calculates $\mu'_l = \sum_{j \in J} v_j m_{j,l}$ and $\sigma_l = \prod_{j \in J} (T^{off}_{j,l})^{v_j}$. To blind $\mu'_l$, the CSP chooses a blind factor $u_l \in Z_p$, sets $U_l = e(q_l, d_l)^{u_l}$ and $U = \prod_{l=1}^{K} U_l$. Further, the CSP computes $\mu_l = u_l + H_2(U \| d_l \| V)\mu'_l$ and sends $\{\{\mu_l, \sigma_l\}_{l \in \{1,\dots,K\}}, U\}$ to the TPA.
3) When the TPA receives $\{\{\mu_l, \sigma_l\}_{l \in \{1,\dots,K\}}, U\}$, it computes $\gamma_l = H_2(U \| d_l \| V)$ and the aggregated online tags $\gamma_l \cdot \sum_{j \in J} v_j T^{on}_{j,l}$, and verifies:
$$U \cdot e\Big(\prod_{l=1}^{K} \sigma_l^{\gamma_l}, h\Big) \stackrel{?}{=} \prod_{l=1}^{K} e\Big(g^{\gamma_l \sum_{j \in J} v_j T^{on}_{j,l}} \cdot q_l^{\mu_l}, d_l\Big).$$
If the above equation holds, the TPA outputs 1, which implies the data remains intact; otherwise, it outputs 0, which means at least one of the $K$ users' data is not kept intact.
• Modification: Assume the file block $m_{j,l}$ is modified to $m'_{j,l}$. The concrete procedure comes as follows:
1) $U_l$ chooses an unused offline tag $T^{off'}_{j,l}$ from his local storage and generates the corresponding online tag $T^{on'}_{j,l}$ the same way as it is generated in OnTagGen. $U_l$ sends the request, consisting of the tuple $(M, name_l, \tau, j, T^{on'}_{j,l})$, the new block $m'_{j,l}$, the offline tag $T^{off'}_{j,l}$ and the signature $Sig_{ssk_l}(\cdot)$ on that tuple, to the CSP, where $M$ denotes modification and $\tau$ is a timestamp.
2) When the CSP receives the request, it verifies whether the signature is a valid signature on the tuple and $(T^{off'}_{j,l}, T^{on'}_{j,l})$ is a valid online/offline signature on $m'_{j,l}$. If they are valid, the CSP retrieves

$(j, m_{j,l}, T^{off}_{j,l}, T^{on}_{j,l})$ from its storage space, updates $(j, m_{j,l}, T^{off}_{j,l}, T^{on}_{j,l})$ to $(j, m'_{j,l}, T^{off'}_{j,l}, T^{on'}_{j,l})$ and forwards the tuple and its signature to the TPA.
3) When the TPA receives the tuple and its signature, it verifies whether the signature is valid on the tuple. If the signature is valid, the TPA retrieves $T^{on}_{j,l}$ from its storage space, updates $T^{on}_{j,l}$ to $T^{on'}_{j,l}$, and returns 1 to the CSP and $U_l$.
• Insertion: Assume $U_l$ wants to insert the file block $m^{\#}$ after the $j$-th block $m_{j,l}$ of the file $F_l$. The protocol performs the following steps:
1) $U_l$ chooses an unused offline tag $T^{off}_{l\#}$ from his local storage and generates the online tag $T^{on}_{l\#}$ corresponding to $m^{\#}$ the same way as it is generated in OnTagGen. $U_l$ sends the request, consisting of the tuple $(I, name_l, \tau, j, T^{on}_{l\#})$, the block $m^{\#}$, the offline tag $T^{off}_{l\#}$ and the signature $Sig_{ssk_l}(\cdot)$ on that tuple, to the CSP, where $I$ denotes insertion and $\tau$ is a timestamp.
2) On receiving the request, the CSP verifies whether the signature is valid on the tuple and $(T^{off}_{l\#}, T^{on}_{l\#})$ is a valid online/offline signature on $m^{\#}$. If they are valid, the CSP inserts $(j, m^{\#}, T^{off}_{l\#}, T^{on}_{l\#})$ after $(j, m_{j,l}, T^{off}_{j,l}, T^{on}_{j,l})$ and forwards the tuple and its signature to the TPA.
3) When the TPA receives the tuple and its signature, it verifies whether the signature is valid on the tuple. If the signature is valid, the TPA retrieves $T^{on}_{j,l}$ from its storage space, inserts $T^{on}_{l\#}$ after $T^{on}_{j,l}$, and returns 1 to the CSP and $U_l$.
• Deletion: Assume the $j$-th file block $m_{j,l}$ of $F_l$ will be deleted. The concrete procedure comes as follows:
1) $U_l$ sends the request, consisting of the tuple $(D, name_l, \tau, j)$ and the signature $Sig_{ssk_l}(\cdot)$ on it, to the CSP, where $D$ denotes deletion and $\tau$ is a timestamp.
2) When the CSP receives the request, it verifies whether the signature is valid on the tuple. If it is valid, the CSP deletes $(j, m_{j,l}, T^{off}_{j,l}, T^{on}_{j,l})$ from its storage space and forwards the tuple and its signature to the TPA.
3) When the TPA receives the tuple and its signature, it verifies whether the signature is valid on the tuple. If the signature is valid, the TPA deletes $T^{on}_{j,l}$ from its storage space, and returns 1 to the CSP and $U_l$.

B. The Improved Protocol

The above basic protocol is efficient only if short data is stored in the cloud. However, if users upload big files to the cloud, the storage overhead of the TPA will be very high, since the TPA needs to store all the corresponding online tags. In this section, we propose an improved protocol to remove this weakness. Our construction is based on the MHT [25], [28]. The protocol also has nine phases, the same as our basic protocol, and runs as follows:

The first three phases GlobeSetup, UserSetup, … an additional hash function $H_1 : \{0, 1\}^* \to Z_p$ is selected in the GlobeSetup phase. Similar to the basic protocol, we assume $U_l$, whose private-public key pair is $((x_l, y_l, ssk_l), (q_l, d_l, spk_l))$, wants to upload his file $F_l$, which has the filename $name_l$, to the cloud. In the OnTagGen phase, $U_l$ separates $F_l$ into $n_l$ blocks $\{m_{j,l}\}_{j \in \{1,\dots,n_l\}}$ and generates the corresponding online tags $T^{on}_{j,l}$ the same way as it does in the basic protocol. Besides, $U_l$ should also generate an MHT with the root node $root_l$. The leaf nodes of the MHT are the ordered hash values of the online tags $\{H_1(T^{on}_{j,l})\}_{j \in \{1,\dots,n_l\}}$ corresponding to the file blocks of $F_l$. $U_l$ generates a signature on $root_l$ by computing $\sigma_{root_l} = Sig_{ssk_l}(root_l)$. The user sends $\sigma_{root_l}$ and $root_l$ to the TPA. In the (Batch) Audit phase, on receiving $chal$, the CSP should also respond with $T^{on}_{j,l}$ and their corresponding AAI for $j \in J$. Upon receiving the response, the TPA computes $\widehat{root}_l$ from the AAI and $\{H_1(T^{on}_{j,l})\}_{j \in J}$. If $\widehat{root}_l = root_l$, the TPA can then perform the auditing task the same as in the main protocol. The last three phases of the improved protocol work as follows:

Modification: Assume the file block $m_{j,l}$ is modified to $m'_{j,l}$. Table II shows the basic idea. The concrete procedure comes as follows:
1) $U_l$ chooses an unused offline tag $T^{off'}_{j,l}$ from his local storage and generates the corresponding online tag $T^{on'}_{j,l}$ the same way as it is generated in our basic protocol. $U_l$ sends the request $(M, j, m'_{j,l}, T^{off'}_{j,l}, T^{on'}_{j,l})$ to the CSP, where $M$ denotes modification.
2) After receiving the request, the CSP retrieves $(j, m_{j,l}, T^{off}_{j,l}, T^{on}_{j,l})$ from the storage space and does the following:
a) Verify whether $(T^{off'}_{j,l}, T^{on'}_{j,l})$ is a valid online/offline signature on $m'_{j,l}$. If not, return FALSE; else, update $(j, m_{j,l}, T^{off}_{j,l}, T^{on}_{j,l})$ to $(j, m'_{j,l}, T^{off'}_{j,l}, T^{on'}_{j,l})$.
b) Replace $H_1(T^{on}_{j,l})$ in the MHT with $H_1(T^{on'}_{j,l})$ and generate the new MHT root $root'_l$.
c) Respond to the user with the AAI of $T^{on}_{j,l}$, $T^{on}_{j,l}$, $\sigma_{root_l}$ and $root'_l$.
3) On receiving the AAI of $T^{on}_{j,l}$, $T^{on}_{j,l}$, $\sigma_{root_l}$ and $root'_l$, $U_l$ does the following:
a) Based on the AAI and $H_1(T^{on}_{j,l})$, retrieve the previous MHT root $root_l$.
b) If $Ver_{spk_l}(\sigma_{root_l}, root_l) = TRUE$ and $\widehat{root}_l = root'_l$, generate a signature $\sigma_{root'_l} = Sig_{ssk_l}(root'_l)$, where $\widehat{root}_l$ is the new root generated based on the AAI and $H_1(T^{on'}_{j,l})$; else, send FALSE to the CSP.
c) Send $\sigma_{root'_l}$ and $root'_l$ to the TPA.
4) On receiving $\sigma_{root'_l}$ and $root'_l$, the TPA checks whether $\sigma_{root'_l}$ is a valid signature on $root'_l$. If the signature is valid, the TPA replaces $root_l$ with $root'_l$; otherwise, it outputs FALSE.
5) If the CSP receives FALSE, it revokes the update, i.e., modifies $(j, m'_{j,l}, T^{off'}_{j,l}, T^{on'}_{j,l})$ back
of f
OffTagGen are the same as our basic protocol, except that to ( j, m j,l , T j,l , T j,l
on
).
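The modification exchange above, as an added example that is not the paper's own code: the CSP swaps one leaf of the MHT and returns the AAI Ω_{j,l}, and the user recomputes both the previously signed root_l and the new root root̂'_l from that single path. It assumes H1 is SHA-256, online tags are stand-in byte strings, and Ver_{spk_l}(σ_{root_l}, root_l) is abstracted as the root value the user's earlier signature vouches for; the second run shows why step 3a/3b together catch a CSP that changes more than the requested leaf.

```python
"""Added example (not the paper's code): the CSP/user interaction of the
data modification step in the MHT-based improved protocol.
Assumptions: H1 is SHA-256, online tags are stand-in byte strings, and the
root signature sigma_root_l / Ver_spk_l is abstracted as the root value the
user's earlier signature vouches for."""
import hashlib
from typing import List, Tuple

PAD = bytes(32)  # constant padding node for odd-sized levels (assumption)


def h1(*parts: bytes) -> bytes:
    """H1 applied to the concatenation of its inputs (assumed SHA-256)."""
    return hashlib.sha256(b"".join(parts)).digest()


AAI = List[Tuple[bytes, bool]]  # Omega: (sibling hash, sibling sits on the left)


class MHT:
    """Merkle hash tree whose leaves are H1(T_{j,l}^{on}), j = 0..n-1."""

    def __init__(self, leaves: List[bytes]) -> None:
        self.leaves = list(leaves)
        self.levels = self._build(self.leaves)

    @staticmethod
    def _build(leaves: List[bytes]) -> List[List[bytes]]:
        levels = [list(leaves)]
        while len(levels[-1]) > 1:
            cur = levels[-1] + ([PAD] if len(levels[-1]) % 2 else [])
            levels.append([h1(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
        return levels

    def root(self) -> bytes:
        return self.levels[-1][0]

    def aai(self, j: int) -> AAI:
        """Auxiliary authentication information Omega_j: sibling path of leaf j."""
        path, idx = [], j
        for level in self.levels[:-1]:
            lvl = level + ([PAD] if len(level) % 2 else [])
            sib = idx ^ 1
            path.append((lvl[sib], sib < idx))
            idx //= 2
        return path

    def replace_leaf(self, j: int, new_leaf: bytes) -> None:
        """CSP step 2b: swap H1(T^on) for H1(T'^on) and rebuild the root."""
        self.leaves[j] = new_leaf
        self.levels = self._build(self.leaves)


def root_from_aai(leaf: bytes, omega: AAI) -> bytes:
    """Recompute a root from one leaf hash and its Omega (user step 3a/3b,
    and the TPA's root-hat check in the Audit phase)."""
    acc = leaf
    for sib, sib_is_left in omega:
        acc = h1(sib, acc) if sib_is_left else h1(acc, sib)
    return acc


def user_check(omega: AAI, old_tag: bytes, new_tag: bytes,
               signed_root: bytes, new_root: bytes) -> bool:
    """User step 3: (a) Omega and H1(T^on) must reproduce the previously signed
    root_l; (b) Omega and H1(T'^on) must reproduce the root' claimed by the CSP."""
    if root_from_aai(h1(old_tag), omega) != signed_root:
        return False
    return root_from_aai(h1(new_tag), omega) == new_root


def demo() -> Tuple[bool, bool]:
    """Constructed run: a file with 5 blocks; block 2 is modified."""
    on_tags = [b"T_on_%d" % j for j in range(5)]
    root_l = MHT([h1(t) for t in on_tags]).root()  # value bound by sigma_root_l
    j, new_tag = 2, b"T_on_2_prime"
    # Honest CSP: Omega is read before the swap; only leaf j changes.
    csp = MHT([h1(t) for t in on_tags])
    omega = csp.aai(j)
    csp.replace_leaf(j, h1(new_tag))
    honest_ok = user_check(omega, on_tags[j], new_tag, root_l, csp.root())
    # Misbehaving CSP: hands out the consistent old Omega but a root' in which
    # block 4's leaf was silently rewritten too. Step (a) passes, (b) fails.
    bad = MHT([h1(t) for t in on_tags])
    omega_bad = bad.aai(j)
    bad.replace_leaf(4, h1(b"forged_tag"))
    bad.replace_leaf(j, h1(new_tag))
    bad_ok = user_check(omega_bad, on_tags[j], new_tag, root_l, bad.root())
    return honest_ok, bad_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```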
[TABLE II: DATA MODIFICATION]

[TABLE III: DATA INSERTION]

• Insertion: The interaction is shown in Table III. Assume U_l wants to insert the file block m^# after the j-th block m_{j,l} of the file F_l. The protocol runs as follows:
1) U_l chooses an unused offline tag T_l^{off#} from his local storage and generates the online tag T_l^{on#} corresponding to m^# the same way as it is generated in our basic protocol. U_l sends the request (I, j, m^#, T_l^{off#}, T_l^{on#}) to the CSP, where I denotes insertion.
2) On receiving the request, the CSP verifies whether (T_l^{off#}, T_l^{on#}) is a valid online/offline signature on m^#. If not, it returns FALSE; else, it inserts m^# after m_{j,l} and replaces the leaf node H1(T_{j,l}^{on}) with H1(H1(T_{j,l}^{on}), H1(T_l^{on#})), where T_{j,l}^{on} is the online tag corresponding to the index j. Also, the CSP adds the offline and online tags (T_l^{off#}, T_l^{on#}) to T_l accordingly. Finally, the CSP generates the new MHT root root'_l and sends (Ω_{j,l}, T_{j,l}^{on}, T_l^{on#}, σ_{root_l}, root'_l) to U_l.
3) Similar to data modification, U_l first generates the previous root root_l and verifies whether Ver_{spk_l}(σ_{root_l}, root_l) = TRUE. If so, it computes the new root root̂'_l based on {Ω_{j,l}, T_{j,l}^{on}, T_l^{on#}} and compares it with root'_l. If they are equal, it generates a signature σ_{root'_l} = Sig_{ssk_l}(root'_l) on root'_l. Else, if Ver_{spk_l}(σ_{root_l}, root_l) ≠ TRUE or root̂'_l ≠ root'_l,
it sends FALSE to the CSP. Moreover, U_l also sends σ_{root'_l} and root'_l to the TPA.
4) On receiving σ_{root'_l} and root'_l, the TPA checks if σ_{root'_l} is a valid signature on root'_l; if so, it replaces root_l with root'_l; otherwise, it outputs FALSE.
5) If the CSP receives FALSE, it revokes the insertion, i.e., it deletes m^#.
• Deletion: For the file block m_{j,l} to be deleted, the user sends (D, j) to the CSP, where D denotes deletion. The CSP will delete m_{j,l} and the corresponding leaf node in the MHT. The CSP also needs to generate the new MHT root root'_l. The procedure is similar to that of the data modification and data insertion. Thus we omit it here.

IV. SECURITY ANALYSIS

As a public auditing protocol supports full data dynamics, it is required that the data modification, deletion and insertion algorithms are secure, i.e., an attacker cannot change a user's data without the permission of the user. We have the following theorem.
Theorem 1: The algorithms for data modification, deletion and insertion in our protocols are secure.
Proof: In those algorithms, a secure signature scheme and/or MHT are chosen. A secure signature scheme states that any entity cannot forge a valid signature of a user without the knowledge of the user's private key [35], [37]. A secure MHT implies that an attacker cannot find two MHTs T and T' such that their root nodes have the same value but with T ≠ T'.
It is easy to prove that the data modification, deletion and insertion algorithms in our basic protocol are secure, since they are essentially the OnTagGen of our basic protocol. In our improved protocol, when a data modification or deletion or insertion operation is performed, the values of some nodes, including the root node root, of the MHT T will be updated to the new values. The value of the updated root node has to be signed by the user. It is easy to see that, if an attacker wants to break our scheme (i.e., change a user's data without the permission of the user), he must find another MHT T' with the root node root' such that root = root', or forge the user's signature on root'. Since our MHT and underlying signature scheme are secure, the probability for the attacker to find such an MHT or generate a forgery is negligible. Therefore, our modification, deletion and insertion algorithms in the improved protocol are secure.
As discussed in Section II-B, we need to prove that our protocols satisfy the storage correctness and the privacy-preserving properties. The first property requires that the CSP cannot pass the Audit phase if the data stored in the CSP has been modified. The second property guarantees that the TPA cannot extract the original data of a user during the entire auditing process. We note that Audit and Batch Audit in both of our protocols are essentially the same. The main difference is that the online tags are not stored by the TPA in the improved protocol. The following theorems show that both of our protocols achieve storage correctness and privacy preservation.
Theorem 2: Our protocols satisfy the storage correctness property, i.e., the CSP cannot pass the Audit procedure if the data stored is not intact.
Proof: In the following, we show that if an attacker can break the storage correctness property, then there exists an extractor who can generate a μ' such that {σ, μ'} is a valid response of the proof of storage system [23] in the random oracle model, which is proven to be hard.
We treat the CSP as an adversary. It will make hash queries to the extractor, who controls the random oracle H2. When the extractor returns the challenge γ = H2(U), the CSP outputs {μ, σ, U} which satisfies:

$$U \cdot e(\sigma^{\gamma}, h) = e\Big(g^{\gamma \sum_{j \in J} v_j T_j^{on}} \cdot q^{\mu}, d\Big). \quad (1)$$

Following the technique in [25], an attacker may output another response {μ*, σ, U}, but the extractor returns γ* = H2(U) with γ* ≠ γ. We note that {μ*, σ, U} satisfies:

$$U \cdot e(\sigma^{\gamma^*}, h) = e\Big(g^{\gamma^* \sum_{j \in J} v_j T_j^{on}} \cdot q^{\mu^*}, d\Big). \quad (2)$$

Dividing equation (1) by (2), we have

$$e(\sigma^{\gamma-\gamma^*}, h) = e\Big(g^{(\gamma-\gamma^*)\sum_{j \in J} v_j T_j^{on}} \cdot q^{\mu-\mu^*}, d\Big)$$

$$e(\sigma^{\gamma-\gamma^*}, h) = e\Big(g^{(\gamma-\gamma^*)\sum_{j \in J} v_j T_j^{on}}, h^{x}\Big)\, e\big(q^{\mu-\mu^*}, h^{x}\big)$$

$$\sigma^{\gamma-\gamma^*} = g^{x(\gamma-\gamma^*)\sum_{j \in J} v_j T_j^{on}} \cdot q^{x(\mu-\mu^*)}$$

$$\Big(\prod_{j=s_1}^{s_c} (T_j^{off})^{v_j}\Big)^{\gamma-\gamma^*} = g^{x(\gamma-\gamma^*)\sum_{j \in J} v_j T_j^{on}} \cdot q^{x(\mu-\mu^*)}$$

$$q^{x(\mu-\mu^*)} = \Big(\prod_{j \in J} \big(T_j^{off} / g^{x T_j^{on}}\big)^{v_j}\Big)^{\gamma-\gamma^*}.$$

Notice that:

$$T_j^{off} / g^{x T_j^{on}} = q^{w_j x} g^{r_j x} / g^{x((w_j - m_j)y + r_j)} = q^{w_j x} g^{xym_j - xyw_j} = q^{x m_j}.$$

We have

$$q^{x(\mu-\mu^*)} = \Big(\prod_{j \in J} (q^{x m_j})^{v_j}\Big)^{\gamma-\gamma^*}$$

$$\mu - \mu^* = \Big(\sum_{j \in J} v_j m_j\Big)(\gamma - \gamma^*)$$

$$\mu' = (\mu - \mu^*)/(\gamma - \gamma^*).$$

The extractor gets the valid response {σ, μ' = (μ − μ*)/(γ − γ*)}.
Theorem 3: Our protocols satisfy the privacy-preserving property, i.e., the TPA cannot extract the original data of a user during the Audit phase.
Proof: Essentially, we have to prove that the TPA cannot learn any information of μ' from the CSP's response {μ, σ, U}. Similar to [27], we prove this theorem in three steps. Firstly, we prove that μ will not reveal any information of μ'. This is because μ' is blinded by u, and u is kept secret by the CSP. It is an unknown value to the TPA. Even with U = e(q, d)^u, the value u is still hidden due to the discrete-log assumption. Secondly, we show that μ' cannot
be learnt from σ. It is obvious, since σ = ∏_{j∈J} (T_j^{off})^{v_j} and the offline tag T_j^{off} is independent of a data file. Finally, we need to prove that μ' cannot be learnt from {μ, σ, U}. In fact, U = e(q, d)^u and μ = u + H2(U)μ' have the same structure as the Schnorr signature. We can view u as a random element and μ' as a secret key. The Audit phase in our protocol can be regarded as an honest-verifier zero-knowledge identification protocol. Under [20, Th. 10], the secret μ' will not be revealed to the TPA. Therefore, Theorem 3 is proven.
Theorem 4: Our protocols satisfy the same storage correctness and privacy-preserving properties in the batch audit phase.
Since the storage correctness and privacy-preserving properties in the multi-user situation for batch audit can be reduced to the single-user case [25], we omit the proof here.

[TABLE IV: NOTATIONS IN EVALUATIONS]

[TABLE V: COMPARISON OF COMPUTING COST]

[TABLE VI: RUNNING TIME COMPARISON]

Fig. 3. Comparison of computational overhead for a user to generate the final tag after a file is given.
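The Schnorr-shaped blinding μ = u + H2(U)μ' from the proof of Theorem 3, and the rewinding extractor μ' = (μ − μ*)/(γ − γ*) from the proof of Theorem 2, as an added example that is not part of the paper. It replaces the pairing value U = e(q, d)^u with a toy Schnorr group element g^u mod P (constructed parameters P = 2039, q = 1019, g = 4) and models H2 as SHA-256 reduced mod q; the verification relation g^μ = U · (g^{μ'})^γ plays the role of equation (1), and the extractor's refusal to run on a repeated challenge is the γ* ≠ γ condition of the proof.

```python
"""Added example (not the paper's code): the blinding of mu' in the Audit
phase and the rewinding extractor of Theorem 2, over a toy Schnorr group.
Assumptions: U = e(q, d)^u is replaced by g^u mod P, H2 is SHA-256 reduced
mod q, and the group parameters are constructed for illustration only."""
import hashlib
import secrets
from typing import List, Tuple

P, Q, G = 2039, 1019, 4  # safe prime P = 2Q + 1; G generates the order-Q subgroup


def h2(U: int) -> int:
    """Random oracle H2: challenge gamma = H2(U) in Z_q (assumed SHA-256 based)."""
    return int.from_bytes(hashlib.sha256(str(U).encode()).digest(), "big") % Q


def aggregate(blocks: List[int], v: List[int]) -> int:
    """mu' = sum_{j in J} v_j m_j over the challenged blocks (the value to hide)."""
    return sum(vj * mj for vj, mj in zip(v, blocks)) % Q


def csp_commit(u: int) -> int:
    """Stand-in for U = e(q, d)^u: the CSP commits to its blinding value u."""
    return pow(G, u, P)


def blinded_mu(mu_prime: int, u: int, gamma: int) -> int:
    """CSP's published mu = u + H2(U) * mu' (mod q); sigma is data-independent."""
    return (u + gamma * mu_prime) % Q


def verify(U: int, mu: int, gamma: int, pub: int) -> bool:
    """Toy analogue of equation (1): g^mu == U * (g^mu')^gamma, with pub = g^mu'."""
    return pow(G, mu, P) == (U * pow(pub, gamma, P)) % P


def extract(mu: int, gamma: int, mu_star: int, gamma_star: int) -> int:
    """Extractor of Theorem 2: two responses on the same U (same u), answered
    with gamma != gamma*, give mu' = (mu - mu*) / (gamma - gamma*) mod q."""
    if (gamma - gamma_star) % Q == 0:
        raise ValueError("extractor needs distinct oracle answers for the same U")
    inv = pow((gamma - gamma_star) % Q, -1, Q)  # modular inverse, Python 3.8+
    return ((mu - mu_star) * inv) % Q


def demo() -> Tuple[int, int, bool]:
    """Constructed sample: 4 challenged blocks m_j with coefficients v_j.
    Returns (true mu', extracted mu', whether the first transcript verified)."""
    blocks, v = [17, 905, 42, 333], [7, 11, 2, 13]
    mu_prime = aggregate(blocks, v)           # 221
    pub = pow(G, mu_prime, P)                 # tag-derived public value (stand-in)
    u = secrets.randbelow(Q - 1) + 1          # CSP's secret blinding value
    U = csp_commit(u)
    gamma = h2(U)
    mu = blinded_mu(mu_prime, u, gamma)       # the only data-dependent value seen
    ok = verify(U, mu, gamma, pub)
    # Rewind: same U (same u), oracle reprogrammed to gamma* != gamma.
    gamma_star = (gamma + 1) % Q
    mu_star = blinded_mu(mu_prime, u, gamma_star)
    return mu_prime, extract(mu, gamma, mu_star, gamma_star), ok


if __name__ == "__main__":
    print(demo())  # (221, 221, True)
```

A single transcript (U, γ, μ) is consistent with every candidate μ' via u = μ − γμ', which is the blinding argument of Theorem 3; only the second, rewound transcript on the same U pins μ' down.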

V. PERFORMANCE EVALUATION

In this section, we evaluate the efficiency of our protocols. Since the protocol in [25] is the only privacy-preserving public auditing protocol which enables data dynamics and batch auditing, we compare our protocols with it. In particular, we perform several simulations to evaluate the efficiency of our protocols. The simulations were run on a Linux machine using an AMD FX-8120 at 3.1GHz. The cryptographic algorithms are implemented using the pairing-based cryptography (PBC) library. For better comparability, in our simulation, we choose the same security setting as that in [25]. In particular, a type D curve is chosen, and the size of a group element in G1 is about 21 bytes. Table IV lists the notations that will be used in our evaluations.
In the following, for easy reading, we omit the computational cost for a user to generate the signature using Sig_{private key}()/Ver_{public key}() and the MHT, since both the protocols in this paper and [25] need to do those operations. Besides, to modify, insert or delete a file block, a user only needs to perform lightweight operations. Hence, in the following, we do not compare the computational cost of these phases.

A. Computational Cost on User Side

We compare the computational cost of our protocols on the user side with that of the protocol in [25] in this section. Table V shows the theoretical comparison result between our protocols and the protocol in [25]. When a file is given, since the most complex part is computed as a background computation, our protocols only need to compute one Mul_Z and two Add operations to generate the final tag. However, one H, two Exp and one Mul_G operations are needed in the protocol in [25]. We note that Exp and H operations are much more expensive than Mul_Z and Add operations. According to our simulation, the time costs of one H, Exp, Mul_Z, and Add operation are 0.028860 ms, 0.068310 ms, 0.000139 ms and 0.000096 ms respectively. The cost of an Exp operation is about 490 times more expensive than a Mul_Z operation and 710 times more expensive than an Add operation, while the cost of an H operation is about 208 times more expensive than a Mul_Z operation and 300 times more expensive than an Add operation.
The simulation result is shown in Table VI and Figure 3. In our simulation, the number of blocks of a file ranges from 10 thousand to 80 thousand. It is easy to see that the time cost grows linearly as the number of blocks increases in both our protocols and the protocol in [25]. In our protocols, it takes about 5.63 ms for a user to generate the final tag (or online tags) for a file with 10 thousand blocks and about 52.07 ms for a file with 80 thousand blocks. However, the protocol in [25] requires 1,851.28 ms and 24,566.81 ms to generate the final tag for a file with 10 thousand blocks and 80 thousand blocks respectively. Our protocols are over 300 times more efficient than the protocol in [25] at generating the final tag when a file is given.
In real-world applications, there exists the scenario that the pre-generated offline tags are not enough for a user to generate all tags of a file. In this situation, the user should run OffTagGen from scratch to replenish the offline

[TABLE VII: RUNNING TIME COMPARISON WITH OffTagGen]

Fig. 4. Comparison of computational overhead for a user to generate the full tag.

Fig. 5. Comparison of the total time between the batch audit and audit for the 99% assurance (c = 460).

[TABLE VIII: EFFICIENCY IN AUDIT PHASE WITH 95% AND 99% ASSURANCE ON THE TPA SIDE]

Fig. 6. Time per task in Batch Audit phase with 99% assurance on the TPA side.

tags before running OnTagGen. We perform a simulation to evaluate the efficiency of our protocols in this condition. We note that in this condition, the computational cost involves the costs of both OffTagGen and OnTagGen. The result is shown in Table VII and Figure 4. Obviously, our protocols are still more efficient than the protocol in [25].
The above two simulations indicate that our protocols greatly reduce the time cost on the user side. Therefore, our protocols are much more practical than the protocol in [25] for end devices with lower computation capability.

B. Efficiency of Audit

The efficiency of the whole protocol is also dominated by the Audit phase. In this section, we evaluate the performance of our Audit phase. As mentioned before, the TPA only needs to select c file blocks to be checked rather than all the file blocks. In order to achieve high assurance, the value of c is usually selected to be 300 and 460 for the probabilities of 95% and 99% respectively. In Table VIII, we show the time cost for the TPA to verify the response from the CSP. Compared with the protocol in [25], the TPA only needs 8.65ms for 300 sampled blocks and 8.86ms for 460 sampled blocks in our protocols.
The above analysis indicates that our protocols are also efficient in the Audit phase. We do not increase the computational cost for the CSP to respond to the challenge from the TPA. Meanwhile, the TPA needs much less time to verify the response.

C. Efficiency of Batch Audit

In this section, we show the efficiency of the batch auditing protocol in Section III-A. We compare the efficiency of Batch Audit with Audit of our protocols and the batch auditing protocol in [25].
Since Batch Audit performs multiple auditing tasks simultaneously, we evaluate the protocols with different numbers of tasks. We set the task numbers ranging from 1 to 200. Figure 5 shows the simulation results of our Batch Audit and Audit in our protocols. It is easy to see that the computational cost of Batch Audit increases more slowly than that of the Audit. For 100 tasks, the cost of Batch Audit is just 500ms while that of the Audit reaches 863ms. Comparing with the computational cost of Batch Audit in [25], we calculate the time per task. The result is shown in Figure 6. In our protocols, the time cost remains at the level of 5ms. As to the protocol of Wang et al., the time cost per task is about 272ms.

D. Transmission Overhead

In this section, we compare the transmission overheads of our protocols and the protocols in [25]. Since the GlobeSetup, UserSetup, OffTagGen and OnTagGen algorithms only need to be run once, we only compare the Audit, Batch Audit, Modification, Insertion and Deletion algorithms. Table IX compares the transmission overheads of our protocols and the protocols in [25]. We note that l_p, l_1, l_T, l_s, l_0 denote the bit length of an element in Z_p, an element in G1, an element in GT, a signature and a file name respectively.
[TABLE IX: COMPARISON OF THE TRANSMISSION OVERHEADS OF OUR PROTOCOLS AND THE PROTOCOLS IN [25]]

As defined in our protocols, c is the number of challenged file blocks, K is the number of auditing tasks in a batch auditing procedure, n is the number of file blocks and l_n is the bit length of n. Table IX shows that the transmission overhead of our basic/improved protocol is comparable with that of the basic/improved protocol in [25].

VI. CONCLUSION

In this paper, we have proposed two privacy-preserving public auditing protocols for secure storage in cloud environments. Our protocols are based on online/offline signatures, by which a user only needs to perform lightweight computing when a data file to be outsourced is given. Further, our protocols also support batch auditing and data dynamics. Simulation shows that our protocol is much more efficient than a recent privacy-preserving public auditing protocol. Thus, we believe that our protocols are practical for those end devices with low computation capabilities.

REFERENCES

[1] I. Agudo, D. Nuñez, G. Giammatteo, P. Rizomiliotis, and C. Lambrinoudakis, "Cryptography goes to the cloud," in Proc. Secure and Trust Computing, Data Management, and Applicat. (STA 2011 Workshops), 2011, pp. 190–197.
[2] G. Ateniese et al., "Provable data possession at untrusted stores," in Proc. 14th ACM Conf. Comput. Commun. Secur. (CCS), 2007, pp. 598–609.
[3] G. Ateniese, A. Faonio, and S. Kamara, "Leakage-resilient identification schemes from zero-knowledge proofs of storage," in Proc. IMA Int. Conf. Cryptogr. Coding, 2015, pp. 311–328.
[4] G. Ateniese, R. Di Pietro, L. V. Mancini, and G. Tsudik, "Scalable and efficient provable data possession," in Proc. 4th Int. Conf. Secure Privacy Commun. Netw. (SecureComm), 2008, pp. 1–10.
[5] K. D. Bowers, A. Juels, and A. Oprea, "Proofs of retrievability: Theory and implementation," in Proc. ACM Workshop Cloud Comput. Secur. (CCSW), 2009, pp. 43–54.
[6] L. Chen, "Using algebraic signatures to check data possession in cloud storage," Future Generat. Comput. Syst., vol. 29, no. 7, pp. 1709–1715, 2013.
[7] Y. Dodis, S. Vadhan, and D. Wichs, "Proofs of retrievability via hardness amplification," in Proc. Theory Cryptogr. Conf. (TCC), 2009, pp. 109–127.
[8] C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, "Dynamic provable data possession," in Proc. 16th ACM Conf. Comput. Commun. Secur. (CCS), 2009, pp. 213–222.
[9] X. Fan, G. Yang, Y. Mu, and Y. Yu, "On indistinguishability in remote data integrity checking," Comput. J., vol. 58, no. 4, pp. 823–830, 2015.
[10] Y. Feng, Y. Mu, G. Yang, and J. K. Liu, "A new public remote integrity checking scheme with user privacy," in Proc. 20th Austral. Conf. Inf. Secur. Privacy (ACISP), 2015, pp. 377–394.
[11] Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, "Enabling personalized search over encrypted outsourced data with efficiency improvement," IEEE Trans. Parallel Distrib. Syst., to be published, doi: 10.1109/TPDS.2015.2506573.
[12] Z. Fu, X. Sun, Q. Liu, L. Zhou, and J. Shu, "Achieving efficient cloud search services: Multi-keyword ranked search over encrypted cloud data supporting parallel computing," IEICE Trans. Commun., vol. E98-B, no. 1, pp. 190–200, 2015.
[13] Z. Hao, S. Zhong, and N. Yu, "A privacy-preserving remote data integrity checking protocol with data dynamics and public verifiability," IEEE Trans. Knowl. Data Eng., vol. 23, no. 9, pp. 1432–1437, Mar. 2011.
[14] A. Juels and B. S. Kaliski, Jr., "PORs: Proofs of retrievability for large files," in Proc. 14th ACM Conf. Comput. Commun. Secur. (CCS), 2007, pp. 584–597.
[15] H. Liu, L. Chen, Z. Davar, and M. Pour, "Insecurity of an efficient privacy-preserving public auditing scheme for cloud data storage," J. Universal Comput. Sci., vol. 21, no. 3, pp. 473–482, 2015.
[16] J. K. Liu, M. H. Au, X. Huang, R. Lu, and J. Li, "Fine-grained two-factor access control for Web-based cloud computing services," IEEE Trans. Inf. Forensics Security, vol. 11, no. 3, pp. 484–497, Mar. 2016.
[17] J. K. Liu, J. Baek, J. Zhou, Y. Yang, and J. W. Wong, "Efficient online/offline identity-based signature for wireless sensor network," Int. J. Inf. Secur., vol. 9, no. 4, pp. 287–296, 2010.
[18] J. K. Liu, K. Liang, W. Susilo, J. Liu, and Y. Xiang, "Two-factor data security protection mechanism for cloud storage system," IEEE Trans. Comput., vol. 65, no. 6, pp. 1992–2004, Jun. 2016.
[19] R. Di Pietro, L. V. Mancini, A. Durante, and V. Patil, "Addressing the shortcomings of one-way chains," in Proc. ACM Symp. Inf., Comput. Commun. Secur. (ASIACCS), 2006, pp. 289–296.
[20] D. Pointcheval and J. Stern, "Security proofs for signature schemes," in Proc. Advances in Cryptology (EUROCRYPT 1996), 1996, pp. 387–398.
[21] Y. Ren, J. Shen, J. Wang, J. Han, and S. Lee, "Mutual verifiable provable data auditing in public cloud storage," J. Internet Technol., vol. 16, no. 2, pp. 317–323, 2015.
[22] F. Sebe, J. Domingo-Ferrer, A. Martinez-Balleste, Y. Deswarte, and J.-J. Quisquater, "Efficient remote data possession checking in critical information infrastructures," IEEE Trans. Knowl. Data Eng., vol. 20, no. 8, pp. 1034–1038, Aug. 2008.
[23] H. Shacham and B. Waters, "Compact proofs of retrievability," in Proc. 14th Int. Conf. Theory Appl. Cryptol. Inf. Secur. (ASIACRYPT), 2008, pp. 90–107.
[24] A. Shamir and Y. Tauman, "Improved online/offline signature schemes," in Proc. 21st Annu. Int. Cryptol. Conf., 2001, pp. 355–367.
[25] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for secure cloud storage," IEEE Trans. Comput., vol. 62, no. 2, pp. 362–375, Feb. 2013.
[26] C. Wang, Q. Wang, K. Ren, and W. Lou, "Ensuring data storage security in cloud computing," in Proc. 17th Int. Workshop Quality Service (IWQoS), 2009, pp. 1–9.
[27] C. Wang, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for data storage security in cloud computing," in Proc. IEEE Int. Conf. Comput. Commun. (INFOCOM), Mar. 2010, pp. 1–9.
[28] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, "Enabling public verifiability and data dynamics for storage security in cloud computing," IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 5, pp. 847–859, May 2011.
[29] S. Worku, C. Xu, J. Zhao, and X. He, "Secure and efficient privacy-preserving public auditing scheme for cloud storage," Comput. Elect. Eng., vol. 40, no. 5, pp. 1703–1713, 2014.
[30] C. Xu, X. He, and D. Abraha-Weldemariam, "Cryptanalysis of Wang's auditing protocol for data storage security in cloud computing," in Proc. Inform. Computing and Applicat. (ICICA 2012), 2012, pp. 422–428.
[31] Z. Xia, X. Wang, X. Sun, and Q. Wang, "A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data," IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 2, pp. 340–352, Feb. 2016.
[32] Y. Yang, J. K. Liu, K. Liang, K. Y. Choo, and J. Zhou, "Extended proxy-assisted approach: Achieving revocable fine-grained encryption of cloud data," in Proc. 20th Eur. Symp. Res. Comput. Secur. (ESORICS), 2015, pp. 146–166.
[33] J. Yuan and S. Yu, "Public integrity auditing for dynamic data sharing with multiuser modification," IEEE Trans. Inf. Forensics Security, vol. 10, no. 8, pp. 1717–1726, Aug. 2015.
[34] L. Zhang, "Certificateless one-pass and two-party authenticated key agreement protocol and its extensions," Inf. Sci., vol. 293, pp. 182–195, Feb. 2015.
[35] L. Zhang, C. Hu, Q. Wu, J. Domingo-Ferrer, and B. Qin, "Privacy-preserving vehicular communication authentication with hierarchical aggregation and fast response," IEEE Trans. Comput., vol. 65, no. 8, pp. 2562–2574, Aug. 2016, doi: 10.1109/TC.2015.2485225.
[36] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and Z. Dong, "Round-efficient and sender-unrestricted dynamic group key agreement protocol for secure group communications," IEEE Trans. Inf. Forensics Security, vol. 10, no. 11, pp. 2352–2364, Nov. 2015.
[37] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and C. Hu, "Distributed aggregate privacy-preserving authentication in VANETs," IEEE Trans. Intell. Transp. Syst., to be published, doi: 10.1109/TITS.2016.2579162.
[38] L. Zhang, Q. Wu, A. Solanas, and J. Domingo-Ferrer, "A scalable robust authentication protocol for secure vehicular communications," IEEE Trans. Veh. Technol., vol. 59, no. 4, pp. 1606–1617, May 2010.

Jiangtao Li received the B.S. degree (Hons.) in mathematics and applied mathematics from Henan Normal University, China. He is currently pursuing the Ph.D. degree with the School of Computer Science and Software Engineering, East China Normal University, China. His research interests include information security, public key cryptography and network security.

Lei Zhang (M'13) received the Ph.D. degree from Universitat Rovira i Virgili in 2010. He is currently a Professor with East China Normal University. He was a Postdoctoral Researcher with Universitat Rovira i Virgili. He is a holder/co-holder of nine China/Spain funded projects. He has authored over 60 publications. His fields of activity are information security, cryptography, data privacy, and network security. He has served in the program committee of several international conferences in information security and privacy.

Joseph K. Liu received the Ph.D. degree in information engineering from the Chinese University of Hong Kong in 2004 with a focus on cyber security, protocols for securing wireless networks, privacy, authentication, and provable security. He was a Research Scientist with the Infocomm Security Department, Institute for Infocomm Research, Singapore for over seven years. He is currently a Senior Lecturer with the Faculty of Information Technology, Monash University, Australia. His current technical focus is particularly cyber security in the cloud computing paradigm, big data, lightweight security, and privacy enhanced technology. He has authored over 100 refereed journal and conference papers. He received the best paper award from ESORICS 2014 and ESORICS 2015. He is the cofounder of ProvSec (International Conference on Provable Security). He has served as the Program Chair of ProvSec 2007, 2014, ACISP 2016, and as a Program Committee Member of over 50 international conferences.

Haifeng Qian received the B.S. and master's degrees in algebraic geometry from the Department of Mathematics, East China Normal University, in 2000 and 2003, respectively, and the Ph.D. degree from the Department of Computer Science and Engineering, Shanghai Jiao Tong University in 2006. He is currently a Professor with East China Normal University. His main research interests include network security, cryptography, and algebraic geometry. He is currently serving as a Reviewer of multiple international journals and academic conferences.

Zheming Dong is currently pursuing the master's degree with the Software Engineering Institute, East China Normal University, China. His fields of activity are information security, data privacy, network security, and wireless sensor network.