1. Introduction
Cloud storage is one of the most important online storage models. It provides users with easy data access and pay-as-you-go storage service. Outsourcing data to the cloud helps users avoid investing a lot of money in maintaining the local hardware/software and data. Although cloud storage brings many benefits to users, it also raises several security concerns. The data stored in the cloud might be lost or corrupted due to the inevitable hardware/software failures and human errors [1-4]. What is more serious, the cloud might deliberately delete the data which are rarely used for saving storage space, and hide the fact that data are lost for maintaining its reputation [5]. So it is very necessary to check the integrity of data stored in the cloud.
In order to verify the integrity of data in the cloud, the notion of the cloud storage auditing has been proposed [6-23]. In a cloud storage auditing scheme, auditing task can be carried out by a data owner or a third party auditor (TPA). The cloud storage auditing scheme allows to verify the integrity of data efficiently without downloading the entire data from the cloud. Many cloud storage auditing schemes focusing on different aspects have been proposed [10-23]. If TPA challenges the same data blocks several times during the data auditing, he/she might derive the contents of user data. In order to deal with this problem, Wang et al. [10] utilized homomorphic linear authenticators and random masking technique to guarantee that TPA would not know anything about data content; that is to say, the users’ data were not leaked during the process of auditing. Solomon et al. [11] further proposed a privacy-preserving auditing scheme which had the same security level as the scheme in [10] but had better efficiency. In addition, the data stored in the cloud might be updated frequently by users for various applications. In order to satisfy this requirement, Erway et al. [12] proposed the first data auditing scheme supporting dynamic data updates based on skip list structure. Zhu et al. [13] used index hash tables to construct a data auditing scheme supporting data dynamic operations. Wang et al. [14] proposed a data auditing scheme supporting dynamic data updates based on Merkle hash tree. Mo et al. [15] further improved the scheme in [14], and proposed a data auditing scheme supporting dynamic data updates based on Merkle hash tree and B+ tree, which had better efficiency than the scheme in [14]. Ranked Merkle hash tree [16] and balanced update tree [17] can be used to improve efficiency of dynamic data updates. If the secret key for cloud storage auditing is exposed, it can cause the serious security problem. In order to deal with this problem, Yu et al. [18] proposed the first practical auditing protocol with built-in key-exposure resilience for cloud storage based on binary tree in [19].
Sometimes, the data are not only stored in the cloud, but also shared across multiple users in some cloud data storage applications, such as iCloud, Google Drive and Dropbox. These applications allow a number of users to work together as a group by sharing data each other. Once one of these users in the group uploads shared data to the cloud, the rest users of the group can access these shared cloud data. In above scenario, data auditing is still necessary to assure the integrity of shared cloud data. The auditing mechanism in [24] is built to support shared cloud data dynamic by using leverage index hash tables. With the technique of proxy re-signature, the auditing scheme for shared cloud data proposed in [25] not only supports group dynamic (user enrollment and user revocation) but also supports identity privacy. Yuan et al. [26] designed a polynomial-based authentication tags and a proxy tag update technique to implement an efficient and scalable public data checking scheme with multi-user revocation. Wang et al. [27] designed an auditing scheme for shared cloud data based on ring signatures, in which TPA checks the integrity of shared cloud data but he/she cannot know the identity of actual signer in auditing process.
Observing all previous auditing schemes for shared cloud data mentioned above, there exist the following problems:
(1) The above mentioned auditing schemes [24-27] for shared cloud data do not consider the problem of user access authorization. If a user is revoked from a group, although the signatures generated by this revoked user are not valid any more, the cloud does not know which user in the group is revoked [24-27]. It leads to this revoked user still being able to access shared cloud data. Therefore, how to achieve user access authorization is a further worth research.
(2) The above mentioned auditing schemes [24-27] for shared cloud data do not realize the necessity of the auditing authentication for TPA when shared cloud data are challenged. As Liu et al. [16] mentioned, it was necessary to add auditing authentication process between the auditor and the cloud. Adding auditing authentication for TPA is to eliminate the threat of unauthorized auditing challenges from malicious or pretended TPA. Malicious or pretended TPA can challenge data stored in the cloud without the group’s permission, which might cause the cloud spending a lot of computing resources in responding to these auditing challenges. In the auditing schemes for shared cloud data, there also exists above problem. Therefore, it is essential to verify whether the TPA is authorized in the auditing scheme for shared cloud data.
(3) Very few auditing schemes for shared cloud data supporting data privacy and identity privacy simultaneously. Both identity and data content are confidential information for users, so they might be unwilling to reveal their identity and data content to TPA. For example, in electronic medical, a patient may agree medical researchers to analyze his/her health record stored in the cloud for research purpose, but this patient is unwilling to disclose his/her identity and data content to other people. Therefore, supporting both data privacy and identity privacy is very vital in many applications.
In order to deal with above problems, we design a novel auditing scheme for shared cloud data in this paper. The contributions of this paper can be summarized as follows:
(1) We firstly consider the user access authorization in the auditing for shared cloud data. To efficiently achieve user access authorization, we design an efficient mechanism in which the cloud keeps an access authorization credential (one hash value of group private key and group public key) from group manager. Only the users in the group can provide the valid access authorization credential to access the shared data in the cloud. When a user is revoked from the group, the access authorization credential would be updated. Because this revoked user does not know this new access authorization credential, he/she cannot access shared cloud data any longer. So it solves the problem that the revoked user can still access shared cloud data.
(2) We add TPA auditing authorization mechanism in our scheme for avoiding the cloud responding to the unauthorized auditing challenges from malicious TPA. In our scheme, we can ensure that only the TPA authorized by group manager can receive the auditing proof from the cloud. That is to say, if a TPA who sends an auditing challenge to the cloud has a valid auditing authorization from group manager, the cloud will generate an auditing proof as the response; otherwise, will not.
(3) In addition, our scheme not only supports the group dynamic, but also preserves data privacy and identity privacy simultaneously. In order to preserve data privacy, our scheme utilizes a new random masking technique, which makes TPA unable to derive the content of data from the cloud’s response. In order to preserve identity privacy, our scheme uses a common group privacy key to calculate signatures on all data blocks, which makes TPA cannot know the identity of actual signer.
(4) Finally, we also extend the proposed scheme to support batch auditing, which can efficiently perform multiple auditing tasks simultaneously from different groups.
Organization. The rest of this paper is organized as follows: Section 2 presents the system model and the design goals. We introduce some simple definitions in Section 3. The detailed description of the proposed scheme and the scheme supporting batch auditing are introduced in Section 4 and Section 5, respectively. In Section 6, we provide the security analysis of the proposed scheme. The evaluation of performance is shown in Section 7. Finally, we conclude our paper in Section 8.
2. System Model and Design Goals
2.1. System Model
The system model involves three kinds of different entities: the cloud, users and the third party auditor (TPA), as shown in Fig. 1. The cloud provides data storage and data sharing service to users. In a group, there are multiple users. One of these users is regarded as a special one, who is named as group manager. The differences between the group manager and the other group users are as follows: Firstly, the group manager is in charge of generating the group public/private key and distributing group private key to every user in the group. Secondly, he is responsible for computing and sending the access authorization credential to the cloud. The cloud verifies whether the user who accesses the shared cloud data is legal or not by this access authorization credential. Thirdly, he is also in charge of generating and sending the group auditing authorization to TPA. When a user in the group who provides the valid access authorization credential, he/she can create and share data with other group users in the cloud, and moreover, can access other shared cloud data. TPA is a public verifier who is delegated by group manager to audit the integrity of shared cloud data.
Fig. 1.The system model
In our paper, only the users able to provide the valid access authorization credential can access shared data in the cloud. When group manager wants to check the integrity of shared cloud data, he/she will give an auditing authorization to TPA. After TPA verifies the auditing authorization from group manager is valid, he/she sends an auditing challenge along with the auditing authorization to the cloud. After receiving these messages, the cloud needs to verify whether this TPA is indeed authorized by group manager. If it is, the cloud will respond to this TPA with a proof of shared cloud data possession; otherwise, will not. Finally, TPA will check the correctness of the proof to verify the integrity of shared cloud data.
2.2. Design Goals
To efficiently check the integrity of shared cloud data, our scheme should be designed to achieve the following properties:
3. Definition
3.1 Bilinear Maps
Let G1, G2 be two multiplicative cyclic groups of prime order p , and g be a generator of G1. A bilinear map e is a map e :G1×G1→G2 with the following properties:
3.2 Computational Diffie-Hellman (CDH) Problem
For x, y ∈ Zp*, given g , gx and gy ∈ G1 as input, outputs gxy ∈ G1. The CDH assumption in G1 holds if it is computationally infeasible to solve the CDH problem in G1.
3.3 Discrete Logarithm (DL) Problem
For x ∈ Zp*, given g , gx ∈ G1 as input, outputs x . The DL assumption in G1 holds if it is computationally infeasible to solve the DL problem in G1 .
3.4 Access-Authorizing and Privacy-Preserving Auditing Scheme with Group Dynamic for Shared Cloud Data
An access-authorizing and privacy-preserving auditing scheme with group dynamic for shared cloud data includes seven algorithms: KeyGen , SigGen , Join , Revoke , Resign , ProofGen , and ProofVerify :
4. The Proposed Scheme
4.1 Notation
Let G1 and G2 be two multiplicative cyclic groups of prime order p , g be a generator of G1 , e :G1×G1→G2 be a bilinear map, and u be a random generator of G1 . Let H : {0,1}*→G1, h1(·) : Zp* × G1 → Zp* and h2(·) : G1 → Zp* be three cryptographic hash functions. The global parameters are (G1,G2,p,e,g,u,H,h1,h2). Shared cloud data M are divided into n blocks (m1, ..., mn) . Assume the total number of users in the group is d .
4.2 Description of the Scheme
(1) Algorithm KeyGen(1k)
(2) Algorithm SigGen(F,sk,name)
(3) Algorithm Join(U)
When a new user U joins a group, the group manager sends the private key sk to this new user U . Then this new user U calculates the access authorization credential h1(x,v) according to the private key sk .
(4) Algorithm Revoke(U)
(5) Algorithm Resign(uk)
The cloud recalculates the signatures of cloud data blocks by the update key uk = y / x . The new signature of each block in shared cloud data is computed by the cloud as follows:
(6) Algorithm ProofGen(F,Φ,chal)
(7) Algorithm VerifyProof (pk,chal,P)
The correctness of the above verification equation can be shown as follows:
In SigGen algorithm, user calculates the signatures on data blocks which are created by this user with the group private key x , and calculates the tag of file t with the signing private key ssk . When a user is revoked from a group, the group manager generates an update key y / x in Revoke algorithm. In Resign algorithm, the cloud recomputes and updates previous signatures on all data blocks with this update key y / x . In ProofGen algorithm, to verify the integrity of shared cloud data and to avoid the cloud responding to the unauthorized auditing challenges from malicious TPA, we add auditing authorization to TPA. When a group manager wants to check the integrity of shared cloud data, he/she will give an auditing authorization to a specified TPA. Then this specified TPA checks the validity of the file tag t by using spk . Only when the file tag t is valid, can the TPA send auditing challenge to the cloud. The cloud verifies whether the auditing authorization of TPA is valid. If it is, the cloud will respond an auditing proof P to this TPA; otherwise, will not. In ProofVerify algorithm, TPA can verify the correctness of the auditing proof P .
In a cloud storage system, the shared data stored in the cloud may be updated for various application purposes [14]. The data dynamic operation includes block level operations of insertion, deletion and modification. Thus, supporting data dynamic operation is very important in public auditing. Now, we present how our scheme supports data dynamic and achieves data privacy protection based on the technique in [14].
In [14], data dynamic is achieved by replacing (H(i||name) with H(mi) as the tag for block mi in computing the data signatures and utilizing Merkle hash tree (MHT) to perform block dynamic operation. Therefore, we can use the similar technique to achieve the data dynamic in our scheme. Specifically, every data block signature will be changed into σi = (H(mi)·umi)x . In SignGen algorithm, user needs to generate a tree root Ω based on MHT and sends it to TPA for auditing task. In MHT, the leave nodes are an ordered set of hashes of “block tags” H(mi)(i∈[1,n]) . In ProofGen algorithm, the auditing proof P generated by the cloud not only includes {R,μ,σ} , but also includes {H(mi)}i∈I and the corresponding auxiliary information {Ωi}i∈I in the MHT. The cloud’s auditing proof P is set as {R,μ,σ,{H(mi),Ωi}i∈I} . When TPA receives the auditing proof from the cloud, he/she computes a tree root Ω based on {H(mi),Ωi}i∈I and verifies whether it equals to the tree root he/she has stored. If the both tree roots are same, TPA will verify the correctness of the auditing proof P via equation (1), where ∏i∈I(H(iǁname)vi is replaced by ∏i∈IH(mi)vi . All these changes above mentioned have no influence on the random making technique in our scheme. Thus, data privacy is still protected. When a data block is performed for dynamic operation, user needs to generate a new tree root and sends it to TPA for auditing task. The details of performing data dynamic operations are similar to [14]. We do not describe the details of process here. If we use the balanced Merkle hash tree to support data dynamic operation, the efficiency of the scheme is O(logn) .
5. Batch Auditing
In this section, we show how to extend our scheme to support batch auditing, which can handle multiple auditing delegations simultaneously from various group managers of different groups. Specifically, we assume that TPA takes K auditing delegations from K different groups with K diverse data files. The batch auditing scheme achieves the aggregation of K verification equations into a single one with K auditing delegations [10]. The details are described as follows:
(1) Algorithm KeyGen(1k)
Each group manager k (k∈[1,K]) generates skk = (xk,sskk) as his/her private key and pkk = (vk = gxk, spkk) as his/her public key. Then, each group manager k (k∈[1,K]) distributes the private key skk to all users in his/her group, and sends access authorization credential h1(xk,vk) to the cloud through a secure channel. One user belonging to group k (k∈[1,K]) who wants to access shared cloud data needs to compute access authorization credential h1(xk,vk) according the group private key xk . The cloud will verify whether the user provides a valid access authorization credential h1(xk,vk) when a user asks to access the shared cloud data.
(2) Algorithm SigGen(F={Fk}1≤k≤K,sk={skk}1≤k≤K, name={namek}1≤k≤K)
We assume a group k (k∈[1,K]) has a data file Fk = (mk,1,...,mk,n) to be outsourced to the cloud. He/She calculates the tag of data file as tk = namek||Sigsskk (namek) , where namek is a random value as the identifier of k data file. He/She chooses uk ∈ G1 randomly, then computes the signature for every file block mk,i as follows: σk,i=(H(iǁnamek)‧ukmk,i)xk where i ∈ [1,n] and k ∈ [1,K] . Finally, each group k (k∈[1,K]) sends {h1(xk,vk),Fk,Φk={σk,i}1≤i≤n,tk} to the cloud, and deletes the file Fk and its corresponding set of signatures from local storage.
(3) Algorithm ProofGen(F={Fk}1≤k≤K, Φ={Φk}1≤k≤K, chal)
Each group manager k (k∈[1,K]) sends AUTHk to the cloud, where AUTHk is randomly generated by group manager k . Next, he/she computes sigAUTHk=SSigsskk(tkǁVIDǁAUTHk) (VID is the identity of TPA), then sends sigAUTHk and tk (the tag of file k ) to TPA which is authorized. After that, this TPA verifies the validity of the file tag tk using spkk , he/she will not execute this auditing task if the file tag tk is invalid; otherwise, he/she constructs and sends an auditing challenge chal{{i,vi}i∈I, {VID}pkcloud, sigAUTHk} to the cloud. The computation of challenge parameters is the same as single user scheme. After receiving an auditing challenge from TPA, the cloud will verify whether this TPA is indeed authorized by group manager k . If it is, the cloud will respond to this TPA with a proof of shared cloud data possession; otherwise, will not. Before generating the proof, the cloud computes where k∈[1,K], and then randomly chooses rk ∈ Z*p for each group and sets Finally, the cloud outputs an auditing proof {{Rk}1≤k≤K, {μk}1≤k≤K,{σk}1≤k≤K} to this TPA.
(4) Algorithm VerifyProof (pk,chal,P)
After receiving the proof {{Rk}1≤k≤K, {μk}1≤k≤K,{σk}1≤k≤K}, this TPA computes h2(Rk), and then verifies the integrity of shared cloud data by checking the following equation :
If the above verification equation holds, this TPA believes that all the shared cloud data are correct; otherwise, does not.
The correctness of the verification equation (2) can be shown as follows:
6. Security Analysis
Theorem 1: A user who is not in a group cannot access shared cloud data belonging to this group in the proposed scheme. The cloud cannot know the group private key x from the knowledge of access authorization credential h1(x,v) .
Proof: In our scheme, only the users in the group can calculate access authorization credential h1(x,v) by the group private key x . When a user is revoked from the group, group manager will generate an update key y / x , and send it to all the users in the group except the revoked user. These users can compute a new access authorization credential h1(y,gy) according to this update key y / x . However, this revoked user cannot forge this new access authorization credential h1(y,gy) because he/she does not know the information of the update key y / x . Because the hash function is one-way, the cloud cannot know the group private key x to forge the data authenticators from the knowledge of access authorization credential h1(x,v). □
Theorem 2: In the auditing process, the cloud would not generate a proof to respond to the unauthorized auditing challenge from malicious TPA, unless this TPA obtains the auditing authorization from group manager.
Proof: TPA can not forge auditing authorization from group manager in our scheme. Because TPA does not know the information of signing private key ssk , he/she can not forge the signature of auditing authorization sigAUTH . If the TPA sends auditing challenge to the cloud, but he/she does not obtain auditing authorization from group manager, the cloud would not generate a proof to respond to this TPA. □
Theorem 3: From the cloud’s response {R,μ,σ} , TPA cannot derive the content of users’ data μ' .
Proof: In our scheme, the privacy of μ' is guaranteed from μ. We use random masking technique to make μ be blinded by r as μ=h2(R)μ'–r, where r is chosen randomly by the cloud and its value is hidden from TPA. Given u∈G1, R=ur ∈ G1, computing r is hard, due to the hardness of computational Discrete Logarithm (DL) problem, so the value of r is unknown to TPA. No information of μ' can be known from σ .
From our scheme, it follows that
From the above equations, we can see that (uμ')x is blinded by ∏i∈I(H(iǁname)vi)x . Given (H(i||name))vi and gx , computing ∏i∈I(H(iǁname)vi)x is hard, due to the hardness of Computational Diffie-Hellman Problem. It tells us that TPA cannot derive the value of (uμ')x , let alone μ'. □
Theorem 4: For the cloud, it is computationally infeasible to generate a forgery of an auditing proof in our scheme. The cloud passes the verification only if it truly possesses the challenged blocks.
Proof: Following the security game defined in [7,11], we can prove that, if the cloud could win the following security game, named Game 1 , by forging an auditing proof on corrupted shared cloud data, then we can solve the Discrete Logarithm (DL) problem in G1 . Game 1 is described as follows:
Game 1: When TPA sends an auditing challenge {{i,vi}i∈I, {VID}pkcloud, sigAUTH} to the cloud, the auditing proof {R,μ,σ} on correct shared cloud data M is generated, which is able to pass the verification with equation (1). The cloud generates a proof {R,μ*,σ} on incorrect shared cloud data M*. Define Δμ = μ* - μ . If this invalid proof based on the incorrect shared cloud data M * can successfully pass the verification, then the untrusted cloud wins; otherwise, it fails.
We assume that the cloud wins the game. Then according to equation (1), we have:
Because {R,μ*,σ} is a valid auditing proof, we have
Then, we can learn that
For two random elements g , h ∈ G1 , there exists x∈Zp* and h=gx because G1 is a cyclic group. Without loss of generality, given g, h , set u=gαhβ∈G1 , where α and β are random values of Zp . Then, we find the solution for the discrete logarithm problem that is,
Then the solution to the DL problem is,
Note that β is zero only with the probability 1/ p , which is negligible because p is a large prime. Then, we can find a solution to the DL problem with a probability of 1-1/ p , which contradicts the assumption that the DL problem in G1 is hard. Therefore, for an untrusted cloud, it is computationally infeasible to generate a forgery of an auditing proof.
7. Performance Evaluation
In this section, we analyze the cost of computation and communication in our scheme, and evaluate the performance in experiments.
7.1 Performance Analysis
When TPA obtains the auditing authorization from group manager, he/she will construct and send an auditing challenge to the cloud. Then, after receiving this auditing challenge, the cloud needs to calculate a proof of shared cloud data possession and sends it to TPA. The cost of computing this auditing proof is where MulG1 denotes the cost of computing one multiplication in G1 , ExpG1 denotes the cost of computing one exponentiation in denote the cost of computing one hashing operation, computing one multiplication, computing one subtraction and computing one addition in Zp* , respectively. When TPA receives the auditing proof from the cloud, he/she will verify the correctness of the proof based on equation (1). The cost of checking this auditing proof is where HashG1 denotes the cost of computing one hashing operation in G1 , Pair denotes the cost of computing one pairing operation in e : G1×G1→G2.
The cost of communication in our scheme is divided into auditing challenge and auditing proof. The size of an auditing challenge {{i,vi}i∈I,{VID}pkcloud,sigAUTH} is c‧(|n|+|p|)+2|p| bits, where c is the number of selected blocks, |n| is the size of an element of set [1,n] and |p| is the size of an element of Zp*. The size of an auditing proof {R,μ,σ} is 2|q| + |p| bits, where |q| is the size of an element of G1. Therefore, the cost of communication is c · (|n| + |p|) + 3|p| + 2|q| bits in total for an auditing task.
In scheme [10], the computing method of data masking is μ = r + h(R)·μ' , where R=e(u,v)r. In our scheme, the computing method of data masking is μ = h2(R)·μ'- r , where R = ur. Thus, we can know that the scheme in [10] performs one more time-consuming pairing operation which costs more computation overhead in generating proof than our scheme. In scheme [10], the extra cost of user data privacy protection is In our scheme, the extra cost of user data privacy protection is Therefore, our scheme is more efficient.
7.2 Experimental Results
In this section, we evaluate the performance of our scheme in experiments. In our experiments, we utilize the GNU Multiple Precision Arithmetic (GMP) and Pairing-Based Cryptography (PBC) library. All the following experiments are based on C language and tested in Linux OS with an Intel Pentium 2.70GHz processor and 4GB memory. In the experiments, we set the size of the base field to be 512 bits and the size of an element in Zp* to be |p| =160 bits. The size of shared cloud data we choose is 20MB.
Performance of Auditing. We analyze the time spent on three phases (challenge, proof, verification) in order to evaluate the overhead of auditing computation in our scheme which is presented in Fig. 2. For considering efficiency, we choose to challenge different blocks from 0 to 1000 increased by an interval of 100 in our experiments. In Fig. 2, we can see that the running time of challenge is the shortest among the three phases, ranging from 0.0434s to 0.432s. So we can conclude that it spends the least computational cost for generating challenge. The running time of generating the proof ranges from 0.419s to 3.857s. Verifying the correctness of proof costs the largest computation. And it is affected by challenged block number largely, ranging from 0.876s to 8.721s. We can see that the auditing computation time of each phase linearly increases with the number of challenged blocks. So we can infer that when the number of challenged blocks is larger, the cost of computation increases more dramatically in verification phase. Thus, we should find a trade-off between auditing computational cost and integrity guarantee.
Fig. 2.Computation cost of each algorithm in auditing phase
Performance of Protecting Data Privacy. In order to demonstrate the process of data privacy protection costs only a little extra computational cost, here, we compare our scheme with Wang et al. ’s scheme in [25] which does not support to protect data privacy. In Fig. 3 and Fig. 4, we can see that the communicational cost of proof generation and proof verification in our scheme is only slightly higher than [25]. Thus, we can conclude that our scheme achieves data privacy protection only with acceptable computing overhead.
Fig. 3.Comparison of the cost of proof generation between our scheme and scheme[25]
Fig. 4.Comparison of the cost of verification between our scheme and scheme[25]
Performance of Batch Auditing. In our experiments, we set the number of auditing delegations to be K = 10 and K = 100 , which means TPA performs ten and one hundred auditing tasks. In this experiment, we compare separated auditing (TPA performs ten and one hundred auditing tasks separately) with batch auditing (TPA performs ten and one hundred auditing tasks simultaneously). Comparing Fig. 5 with Fig. 6, we can see that batching auditing can save a lot of time used in generating verification than separated auditing. With the increase of auditing tasks, this effect is more obvious. Thus, we can conclude that batch auditing is much more efficient than separated auditing.
Fig. 5.Comparison of the cost of verification between separated auditing and batch auditing (K=10)
Fig. 6.Comparison of the cost of verification between separated auditing and batch auditing (K=100)
8. Conclusion
In this paper, we proposed a new public auditing scheme for shared cloud data, which adds the user access authorization and the TPA auditing authorization, and supports group dynamic. With the user access authorization, only the user in the group can upload and access shared cloud data. When a user is revoked from a group, he/she cannot access the shared cloud data. The auditing authorization of TPA avoids the cloud responding to the unauthorized auditing challenges from malicious TPA. Moreover, our scheme utilizes a new random masking technique to preserve data privacy from TPA, and uses a common group privacy key to calculate the signatures on all data blocks to preserve users’ identity privacy. To improve the efficiency of verifying multiple auditing tasks, we extend our scheme to support batch auditing. The experimental results show the high efficiency of our scheme.
References
- K. Ren, C. Wang and Q. Wang, “Security Challenges for the Public Cloud,” IEEE Internet Computing, vol. 16, pp. 69-73, 2012. Article (CrossRef Link) https://doi.org/10.1109/MIC.2012.14
- D. Song, E. Shi, I. Fischer and U. Shankar, “Cloud Data Protection for the Masses,” IEEE Computer, vol. 45, no. 1, pp. 39-45, 2012. Article (CrossRef Link) https://doi.org/10.1109/MC.2012.1
- M. Arrington, "Gmail Disaster: Reports of Mass Email Deletions," Online at http://techcrunch.com/2006/12/28/gmail-disaster-reports-of-mass-email-deletions/, 2006. Article (CrossRef Link)
- Amazon S3 Team. Amazon S3 Availability Event: July 20, 2008. Online at http://status.aws.amazon.com/s3-20080720.html, 2008. Article (CrossRef Link)
- K. Yang and X. Jia, “Data storage auditing service in cloud computing: challenges, methods and opportunities,” World Wide Web, vol. 15, no. 4, pp. 409-428, 2012. Article (CrossRef Link) https://doi.org/10.1007/s11280-011-0138-0
- G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson and D. Song, "Provable Data Possession at Untrusted Stores," in Proc. of ACM CCS 2007, pp. 598-610, 2007. Article (CrossRef Link)
- H. Shacham and B. Waters, "Compact Proofs of Retrievability," in Proc. of ASIACRYPT 2008, Springer-Verlag, pp. 90-107, 2008. Article (CrossRef Link)
- C. Wang, Q. Wang, K. Ren and W. Lou, "Ensuring Data Storage Security in Cloud Computing," in Proc. of ACM/ IEEE IWQoS. 2009, pp. 1-9, 2009. Article (CrossRef Link)
- N. Cao, S. Yu, Z. Yang, W. Lou and Y. T. Hou, "LT Codes-based Secure and Reliable Cloud Storage Service," in Proc. of IEEE INFOCOM 2012, pp. 693-701, March 25-30, 2012. Article (CrossRef Link)
- C. Wang, S. Chow, Q. Wang, K. Ren and W. Lou, “Privacy Preserving Public Auditing for Secure Cloud Storage,” IEEE Transactions on Computers, vol. 62, no. 2, pp. 362-375, 2013. Article (CrossRef Link) https://doi.org/10.1109/TC.2011.245
- S. G. Worku, C. Xu, J. Zhao and X. He, “Secure and efficient privacy-preserving public auditing scheme for cloud storage,” Computers and Electrical Engineering, vol. 40, no. 5, pp. 1703-1713, 2014. Article (CrossRef Link) https://doi.org/10.1016/j.compeleceng.2013.10.004
- C. Erway, A. Küpçü, C. Papamanthou and R. Tamassia, "Dynamic Provable Data Possession," in Proc. of the 16th ACM Conference on Computer and Communications Security (CCS'09), pp. 213-222, 2009. Article (CrossRef Link)
- Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu and S. S. Yau, "Dynamic Audit Services for Integrity Verification of Outsourced Storage in Clouds," in Proc. of ACM SAC 2011, pp. 1550-1557, 2011. Article (CrossRef Link)
- Q. Wang, C. Wang and K. Ren, “Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847-859, 2011. Article (CrossRef Link) https://doi.org/10.1109/TPDS.2010.183
- Z. Mo, Y. Zhou and S. Chen, "A Dynamic Proof of Retrievability (PoR) Scheme with O(logn) Complexity," in Proc. of Communication(ICC), 2012 IEEE Information Conference on IEEE, pp. 912-916, June 10-15, 2012. Article (CrossRef Link)
- C. Liu, J. Chen and T. Yang, “Authorized Public Auditing of Dynamic Big Data Storage on Cloud with Efficient Verifiable Fine-grained Updates,” IEEE Transactions on Parallel and Distributed Systems, vol.25, no.9, pp. 2234-2244, 2014. Article (CrossRef Link) https://doi.org/10.1109/TPDS.2013.191
- Y. Zhang and M. Blanton, "Efficient Dynamic Provable Possession of Remote Data via Balanced Update Trees," in Proc. of Department of the 8th ACM SIGSAC symposium on Information, computer and communications security. ACM, pp.183-194, 2013. Article (CrossRef Link)
- J. Yu, K. Ren, C. Wang and V. Varadharajan, “Enabling Cloud Storage Auditing with Key-Exposure Resistance,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 6, pp.1167-1179, 2015. Article (CrossRef Link) https://doi.org/10.1109/TIFS.2015.2400425
- J. Yu, R. Hao, H. Zhao, M. Shu, and J. Fan, “IRIBE: Intrusion-Resilient Identity-Based Encryption,” Information Sciences, Vol. 329, pp. 90-104, 2016. Article (CrossRef Link) https://doi.org/10.1016/j.ins.2015.09.020
- J. Yu, K. Ren, and C. Wang, “Enabling Cloud Storage Auditing with Verifiable Outsourcing of Key Updates,” IEEE Transactions on Information Forensics and Security, Vol. 11, No. 5, pp. 1362 – 1375, 2016. Article (CrossRef Link) https://doi.org/10.1109/TIFS.2016.2528500
- G. Yang, J. Yu, W. Shen, Q. Su, Z. Fu, and R. Hao, “Enabling Public Auditing for Shared Data in Cloud Storage Supporting Identity Privacy and Traceability,” Journal of Systems and Software, Vol. 113, pp. 130-139, 2016. Article (CrossRef Link) https://doi.org/10.1016/j.jss.2015.11.044
- Y. Ren, J. Shen, J. Wang, J. Han, and S. Lee, “Mutual verifiable provable data auditing in public cloud storage,” Journal of Internet Technology, Vol. 16, No. 2, pp. 317-323, 2015. Article (CrossRef Link) https://doi.org/10.6138/JIT.2015.16.2.20140918
- H. Wang, Q. Wu, B. Qin and J. Domingo-Ferrer, “Identity-based remote data possession checking in public clouds,” Information Security, IET, vol.8, no.2, pp.114-121, 2014. Article (CrossRef Link) https://doi.org/10.1049/iet-ifs.2012.0271
- B. Wang, B. Li and H. Li, "Public Auditing for Shared Data with Efficient User Revocation in the Cloud," in Proc. of IEEE INFOCOM 2013, pp. 2904-2912, 2013. Article (CrossRef Link)
- B. Wang, H. Li and M. Li, "Privacy-Preserving Public Auditing for Shared Cloud Data Supporting Group Dynamics," in Proc. of Communications (ICC), 2013 IEEE International Conference on IEEE, pp. 1946-1950, June 9-13, 2013.Article (CrossRef Link)
- J. Yuan and S. Yu, "Efficient Public Integrity Checking for Cloud Data Sharing with Multi-user Modification," in Proc. of IEEE INFOCOM 2014, pp. 2121-2129, April 27-May 2, 2014. Article (CrossRef Link)
- B. Wang, B. Li and H. Li, "Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud," in Proc. of IEEE Cloud 2012, pp. 295-302, June 24-29, 2012. Article (CrossRef Link)
Cited by
- Efficient and Secure Identity-Based Public Auditing for Dynamic Outsourced Data with Proxy vol.11, pp.10, 2016, https://doi.org/10.3837/tiis.2017.10.019
- ID-Based Public Auditing Protocol for Cloud Data Integrity Checking with Privacy-Preserving and Effective Aggregation Verification vol.2018, pp.None, 2016, https://doi.org/10.1155/2018/3205898