Traceable Dynamic Public Auditing with Identity Privacy Preserving for Cloud Storage

Abstract

In cloud computing era, an increasing number of resource-constrained users outsource their data to cloud servers. Due to the untrustworthiness of cloud servers, it is important to ensure the integrity of outsourced data. However, most of existing solutions still have challenging issues needing to be addressed, such as the identity privacy protection of users, the traceability of users, the supporting of dynamic user operations, and the publicity of auditing. In order to tackle these issues simultaneously, in this paper, we propose a traceable dynamic public auditing scheme with identity privacy preserving for cloud storage. In the proposed scheme, a single user, including a group manager, is unable to know the signer's identity. Furthermore, our scheme realizes traceability based on a secret sharing mechanism and supports dynamic user operations. Based on the security and efficiency analysis, it is shown that our scheme is secure and efficient.

1. Introduction

 As the amount of user data continues to increase, storing these data will bring a huge burden on users with limited resources. Considering storage overhead, more and more organizations and individuals store their data in the cloud [1]. At present, cloud storage is a commonly used tool in various cloud services. Data storage in the cloud has gradually become an irresistible trend [2]. Recently, the development of cloud computing has promoted some simple storage services [3], such as on-line data backup services of Amazon and cloud based software Google Drive. However, due to hardware and software problems or improper operation of the user, the data stored in the cloud server may be changed. It is necessary to ensure the authenticity of data before analyzing and processing it [4], [5]. In order to ensure that the integrity of the data stored in the cloud server is not threatened, many integrity auditing schemes have been proposed [2], [6]-[12].

 In a realistic scenario, users may join the cloud storage system at any time, or may leave the system at any time for some reasons. So it is especially important to support flexible user dynamic operations. But some proposed schemes [12]-[14] do not support user dynamic operations. In addition, in some cases, people are reluctant to disclose their identity information to others. So more and more anonymous applications have appeared, such as electronic auctions, electronic voting, etc. Schemes [15] and [16] can be used as possible solutions to achieve privacy protection. Wang et al. proposed anonymous two-factor authentication in distributed systems [17] and in wireless sensor networks [18]. Zhang et al. proposed two blockchain-based fair payment protocols called BPay [19] and BCPay [20] for outsourcing services in cloud computing. The protocol BPay [19] is compatible with the Bitcoin blockchain based on an iterative all-or-nothing checking-proof protocol and a top-down checking method. However, the performance remains to be improved. At the cost of losing the compatibility with the Bitcoin blockchain, the protocol BCPay [20] realizes robust fair payment based on a one round all-or-nothing checking-proof protocol and hence is very efficient in terms of the computation cost and the number of transactions. These two protocols can be adopted to enable trustworthy keyword search over cloud encrypted data with two-side verifiability [21], secure outsourcing computation, and dynamic data integrity in cloud computing. There is a growing demand for storage services. It not only needs to support user dynamic operations, but also needs to ensure that the user's identity privacy is not disclosed. Some proposed schemes [2], [8], [22] do not support identity privacy protection. Therefore, it makes sense to consider how to design a data integrity auditing scheme that has identity privacy protection and supports user dynamic operations.

 Cloud storage is one of the hot spots of cloud computing research in recent years [22]-[24]. In 2007, Athenians et al. [25] first proposed the concept of public auditing, which has been widely accepted by researchers. Some improved data integrity checking schemes have been proposed [6], [12], [26]. Shacham et al. [26] proposed compact proofs of retrievability by making use of publicly verifiable homomorphic authenticators from BLS signature [27]. Yu et al. [6] proposed an identity-based remote data integrity checking scheme with perfect data privacy preserving for cloud storage. However, scheme [6] could neither guarantee identity privacy protection nor support efficient dynamic user operation. Wang et al. [12] proposed a privacy-preserving public auditing scheme for shared data in the cloud. Because scheme [12] uses ring signatures, dynamic user operations are not supported. Huang et al. [14] proposed a privacy-preserving public auditing scheme for non-manager group shared data, but this scheme did not realize dynamic user operation.

 In addition, Hu et al. [28] pointed out that currently there is no scheme to realize the public integrity checking with identity privacy protection of efficient dynamic groups in cloud storage, so they proposed an identity-preserving public integrity checking scheme with dynamic groups for cloud storage. They used BLS short signature [29] to verify the legality of user identity, the identity of the signer in this scheme is normally kept confidential. In order to reveal the identity of the signer in the group when necessary, Hu et al. [28] introduced zero-knowledge proof into the signature algorithm in the proposed scheme, so as to realize the group manager to track the identity of the signer. However, the complex zero-knowledge proof reduces the signature efficiency and is difficult to implement. Recently, cloud computing security and privacy has become more and more important [30]-[31]. Zheng and Li et al. proposed a signature scheme [32]-[33] for threshold tracking based on the idea that secret sharing scheme [34] can reconstruct secret. Huang et al. [14] used the threshold tracking method to achieve the identity tracking of signers. Inspired by scheme [14], we introduced the idea of threshold tracking into the signature algorithm in our scheme in order to track the identity of the signer. Since our scheme uses threshold tracking method, a certain number of users can track the identity of signer, rather than relying only on group manager, which is more fair and equitable. In addition, we use the polynomial function proposed by [28] and [35] to construct the group secret key and efficiently update the group secret key.

 In this paper, we propose a traceable dynamic public auditing scheme with identity privacy preserving for cloud storage. Our scheme has many attractive features as below:

 (1) It realizes data integrity checking, supports dynamic user operation, and enables group secret key update by constructing polynomial functions.

 (2) It realizes full anonymity such that a single user including the group manager is unable to know the identity of the user. The cloud server can verify the legitimacy of the user's identity even if it does not know the identity of the user, thereby hiding the identity of the user.

 (3) In our scheme, a (t, n) secret sharing scheme is used to perform user tracking by reconstructing the public key of the signer. Specifically, any subset can reveal the identity of the signer if and only if it consists of at least t users.

 The rest of the paper is organized as follows: In section 2, we present some relevant preliminaries. In section 3, we present the system model and relevant definitions. We describe our concrete scheme in section 4. In section 5 and section 6, we give security analysis and performance analysis, respectively. Finally, we give concluding remarks in section 7.

 

2. Preliminaries

2.1 Bilinear Pairing

 Let \(G_{1}, G_{T}\)  be two groups of prime order q , and g₁ be a generator of group G₁.  e is a bilinear map e:\(G_{1} \times G_{1} \rightarrow G_{T}\), which satisfies the following properties:

 (1) For all \(P, Q \in G_{1}\)and \(a \in Z_{q}^{*}, e\left(P^{a}, Q\right)=e\left(P, Q^{a}\right)\)

 (2) There is non-degenerate, \(e\left(g_{1}, g_{1}\right) \neq 1\) .

 

2.2 Computational Diffie-Hellman (CDH) Problem

 For \(x \in Z_{q}^{*}\) , given \(\mathrm{g}_{1}, g_{1}^{x} \in G_{1}\),  and \(h \in G_{1}\) as input, output \(h^{x} \in G_{1}\).

 

2.3 Discrete Logarithm Problem

 For  \(x \in Z_{q}^{*}\),  given \(\mathrm{g}_{1}, g_{1}^{x} \in G_{1}\) as input, output x .

 

2.4 BLS Scheme

The BLS signature scheme is described as follows. Signer randomly selects \(x \in Z_{q}^{*}\) as the private key and calculates as the public key. Then the signature operation is performed by calculating \(y=g_{1}^{x} \in G_{1}\) and \(h=H(M) \in G_{1} \text { and } \sigma=h^{x} \in G_{1}\) where \(M \in\{0,1\}\),  \(H:\{0,1\}^{*} \rightarrow G_{1}\) is a hash function and is the generated signature of M. Finally signature verification operation is performed by calculating \(h=H(M) \in G_{1}\)and determining Whether the equation holds or not. If the above equation \(e(h, y)=e\left(\sigma, g_{1}\right)\)holds, the verification succeeds, otherwise the verification fails.

 

2.5 Secret Sharing

 In a (t, n) threshold scheme [34] based on Lagrange interpolation formula, there are n participants. A t-1 degree polynomial \(f(x)=a_{0}+a_{1} x+\cdots+a_{t-1} x^{t-1}\) is constructed, where \(a_{i} \in Z_{q}^{*}\) and \(1<t<n\). If the secret isf(0) , n sub-keys are f(i),  \(1 \leq i \leq n\). Any t sub-keys can reconstruct polynomial f(x)to obtain secret s. They use \(\{(i, f(i))\}_{1 \leq i \leq t}\) to construct polynomial based on Lagrange interpolation formula:

\(f(x)=\sum_{i=1}^{t} f(i) \prod_{j=1 \atop j \neq i}^{t} \frac{(x-j)}{i-j}(\bmod q)\)       (1)

 Therefore, without knowing , participants can get secret as follows:

\(s=\sum_{i=1}^{t} f(i) \prod_{l=1 \atop l \neq j}^{t} \frac{j}{j-i}(\bmod q)\)       (2)

 

3. System Model and Definition

 In this section, we present the system model, design goals, definition of algorithm, and security problems that might exist.

 

3.1 System Model

 The system model consists of four entities: a cloud storage server, a third party auditor  (TPA), a group manager and users. The system model is illustrated in Fig. 1. The group manager is mainly responsible for the generation of the user's initial key and the update of the group secret key, and supports the user's dynamic operation. Users joining the system are considered as legitimate users and can store data on the cloud storage server. A certain number of legitimate users can verify the identity of the signer together. The cloud storage server is mainly responsible for storing user data. TPA is primarily responsible for verifying the integrity of stored data.

During the data integrity checking process, the user sends an integrity checking request to TPA. After receiving the request, TPA generates a challenge message and sends it to the cloud storage server. After receiving the challenge message, the cloud storage server generates corresponding proof information and sends it to TPA. TPA verifies the proof and returns the verification result to the user.

Fig. 1. System model

 

3.2 Design Goals

 (1) Public integrity verification: A public verifier can detect data integrity without retrieving complete storage data.

 (2) Full anonymity: Whether in the process of uploading data or in the process of integrity verification, it can ensure that the user's identity privacy is not disclosed.

 (3) Traceability: A certain number of legitimate users can jointly track the identity of the signer.

 (4) Dynamic user operation: It can efficiently implement user revocation.

 

3.3 Definition of Algorithm

 Our scheme includes eight algorithms: Setup Algorithm, Users Join Algorithm, Group Key Generation Algorithm, Signature Generation Algorithm, Upload Algorithm, Public Integrity Checking Algorithm, Trace Algorithm and Revocation Algorithm.

 (1) Setup Algorithm: the setup algorithm is run by group manager. It takes as input security parameter. It outputs public parameter param and issuing key ik of group manager.

 (2) Users Join Algorithm: the users join algorithm is run by group manager and user. It takes as input public parameter param , issuing key ik of group manager and user's identity ID_k .  It outputs the private key sk_k and public key pk_k of user, as well as the user's initial key A_k generated by the group manager.

 (3) Group Key Generation Algorithm: the group key generation algorithm is run by group manager.  It takes as input public parameter param , the user's initial key A_k generated by the group manager. It outputs the group secret key K_g, the group public key \(\rho\),  the polynomial function f(x) and EX.

 (4) Signature Generation Algorithm: the signature generation algorithm is run by user.  It takes as input  public parameter param , the user's initial key A_k generated by the group manager,  user's private key sk_k ,file data M , as well as the public key \(\left\{p k_{i}\right\}_{1 \leq i \leq n}\)of the legitimate user in the system. It outputs the metadata information of user data including \(\theta, \left\{\sigma_{y}\right\}_{\mathrm{L} \leq y \leq m},\left\{c_{y}\right\}_{\mathrm{ls} y \leq m}\)and  secret sharing share.

 (5) Upload Algorithm: the upload algorithm is run by user and cloud storage server. It takes as input  public parameter param , the metadata information of user data including \(\theta, \left\{\sigma_{y}\right\}_{\mathrm{L} \leq y \leq m},\left\{c_{y}\right\}_{\mathrm{ls} y \leq m}\)  and  secret sharing share. Cloud storage server outputs “accept” or “reject”.

 (6) Public Integrity Checking Algorithm: the public integrity checking algorithm is run by the cloud server and TPA. It takes as input  public parameter \(\left\{s k_{i}\right\}_{1 \leq i \leq t}\) and file name . It outputs “1” or “0” and returns it to the user.

 (7) Trace Algorithm: the trace algorithm is run by t valid users. It takes as input  public parameter param ,  secret sharing share and the private keys of t valid users. It outputs the public key pk_k of the signer.

 (8) Revocation Algorithm: the revocation algorithm is run by group manager.  It takes as input  public parameter param  , the polynomial function f(x) and the identity of the revoked user . It outputs new group secret key K_g' , new group public  key \(\rho\)', new polynomial function f'(X) and EK'.

 

3.4 Security Problem

 In our scheme, we consider the possible security problems from the following three points. One is the forgery of the signature, the second is the denial of the signature, and the third is the update of the group secret key. If an adversary forges the signature of a legitimate user in the system in order to deceive the cloud storage server to store the data on the server, the signature of legitimate users will be threatened. In signer identity tracking, the identity of signer is tracked by tracing the public key of the signer. If the signer wants to deny his signature, it will interfere with the tracking results and cause controversy. In view of the above problems, we need to ensure that the signature is non-forgery and non-repudiation. In the group key update phase, if an adversary can successfully update the group key, the adversary can masquerade the legitimate user to cheat. So we must also ensure that only the legitimate users in the system can update the group key.

 

4. Description of Proposed Scheme

 In this section, we introduce our proposed scheme in detail. Our Scheme includes eight algorithms which are Setup Algorithm, Users Join Algorithm, Group Key Generation Algorithm, Signature Generation Algorithm, Upload Algorithm, Public Integrity Checking Algorithm, Trace Algorithm and Revocation Algorithm.

 (1) Setup Algorithm: This algorithm is designed to generate system parameters. The group manager generates two order q  cyclic multiplicative groups G₁ and  G_r, which satisfies a bilinear map  \(e: G_{1} \times G_{1} \rightarrow G_{T}\).  g₁  is a generator of group G₁ . Firstly, the group manager randomly chooses \(i k \in Z_{q}^{*}\) as issuing key and calculates \(P=g_{1}^{i k}\). Then the group manager randomly chooses \(\varepsilon \in Z_{q}^{*}\). Finally two hash functions are defined, \(H_{1}:\{0,1\}^{*} \rightarrow Z_{q}^{*}\) and \(H_{2} \cdot\{0,1\} \rightarrow G_{1}\) respectively. Let public parameter be  \(\text {param}=\left(G_{1}, G_{T}, H_{1}, H_{2}, g_{1}, P, \varepsilon\right)\).

(2) Users Join Algorithm: This algorithm is designed to generate user's public key and private key.

 Let the group manager's public and private key be (gmpk,gmsk). A user with identity encrypts his identity by the group manager's public key and sends the encrypted identity to the group manager. The group manager decrypts the encrypted identity of the user with his private key to obtain the user identity ID_k. The group manager randomly chooses \(x_{k} \in Z_{q}^{*}\), calculates:

\(A_{k}=x_{k}+i k \cdot H_{1}\left(I D_{k}\right)\)       (3)

\(R_{k}=g_{1}^{x_{k}}\)       (4)

and returns A_k and R_k to the user.

 After receives A_k and R_k , the user firstly verifies whether the equation \(g_{1}^{A_{k}}=R_{k} \cdot P^{H_{1}\left(D_{k}\right)}\) holds or not. If the equation holds, it means that A_k  is valid. Then the user chooses \(y_{k} \in Z_{q}^{*}\) , and calculates:

\(s k_{k}=y_{k}+A_{k}\)       (5)

\(p k_{k}=g_{1}^{y_{k}}\)       (6)

as the user's private key and the public key respectively. Users who generate public and private keys based on the users join algorithm become legitimate users.

 (3) Group Key Generation Algorithm: This algorithm is designed to generate group secret key. Group manager firstly calculates:

\(V_{k}=H_{1}\left(A_{k}\right)\)       (7)

and creates the register table which includes ID_k and V_k , saving the table locally. Then group manager creates a polynomial function \(f(x)=\prod_{i=1}^{n}\left(x-V_{i}\right)=\sum_{i=0}^{n} a_{i} x^{i}(\bmod q)\), and defines a exponential function  \(\left\{W_{0}, W_{1}, \cdots, W_{n}\right\}=\left\{\varepsilon^{a_{0}}, \varepsilon^{a_{1}}, \cdots, \varepsilon^{a_{n}}\right\}\) . Finally, the group manager randomly selects \(K_{g} \in Z_{p}^{*}\) as the group secret key and calculates

\(\rho=g_{1}^{K_{g}}\)       (8)

\(E K=\left\{K_{g} \cdot W_{0}, W_{1}, \cdots, W_{n}\right\}\)       (9)

and  publishes the group public \(\rho\) key and EK.

 (4) Signature Generation Algorithm: This algorithm is designed to generate signature and the secret sharing. This algorithm consists of two phases which are signature generation and secret sharing generation.

 The phase of signature generation is described in below. When the user with ID_kidentify  wants to upload file data M to the cloud,  divides the file data into m blocks which are denoted as \(m_{y}, 1 \leq y \leq m\) and  calculates:

\(V_{k}=H_{1}\left(A_{k}\right)\)       (10)

\(K_{g} \cdot W_{0} \cdot \prod_{i=1}^{n} W_{i}^{V_{k}^{i}}=K_{g} \cdot \varepsilon^{f\left(V_{k}\right)}=K_{g}\)       (11)

\(\theta=\left(H_{2}(M)\right)^{K_{g}}\)       (12)

 Then the user randomly chooses  and calculates:

\(\delta_{y}=H_{2}( {filename} \| y) \cdot u^{m_{y}}\)       (13)

\(\sigma_{y}=\delta_{y}^{s k_{k}}\)       (14)

\(c_{y}=H_{2}\left(\sigma_{y}\right) \cdot \delta_{y}\)       (15)

where \(1 \leq y \leq m\) . Finally, the signature of the file data is completed.

 The phase of secret sharing generation is described in below. Define the number of registered users in the system as n. Firstly the user randomly selects \(\alpha_{j} \in Z_{q}^{*}\), \(0 \leq j \leq t-1,1<t<n\) , and constructs a polynomial function:

\(p(z)=\alpha_{0}+\alpha_{1} z+\cdots+\alpha_{t-1} z^{t-1}\)       (16)

where . The user keeps the polynomial secretly. Then the user calculates:

\(\tau_{j}=g_{1}^{\alpha_{j}}, 0 \leq j \leq t-1\)       (17)

\(\chi_{i}=\prod_{j=0}^{t-1} \tau_{j}^{i^{j}}, 1 \leq i \leq n\)       (18)

\(\eta_{i}=p k_{i}^{p(i)}, 1 \leq i \leq n\)       (19)

\(\gamma=g_{1}^{\alpha_{0}} \cdot p k_{k}\)       (20)

 Finally, the user calculates:

\(s=H_{2}\left(\chi_{1}, \chi_{2}, \cdots, \chi_{n}, \eta_{1}, \eta_{2}, \cdots, \eta_{n}\right)\)       (21)

and sets \(\text {share}=\left(\tau_{0}, \tau_{1}, \cdots, \tau_{t-1}, \eta_{1}, \eta_{2}, \cdots, \eta_{n}, s\right)\) .

 (5) Upload Algorithm: This algorithm is designed to upload user data and the metadata information of user data. The user uploads

\(\left\{ { filename} | m, u, \theta,\left\{\sigma_{y}\right\}_{1 \leq y \leq m},\left\{c_{y}\right\}_{1 \leq y \leq m}\right.,\left.\gamma, {share},\left\{m_{y}\right\}_{1 \leq y \leq m}\right\}\)

to the cloud storage server. After receiving the data sent by the user, the cloud storage server firstly verifies the legality of the user's identity by verifying whether the equation \(e\left(\theta, g_{1}\right)=e\left(H_{2}(M), \rho\right)\) holds. If the equation holds, it means that the user is a legitimate user. Otherwise, the cloud storage server refuses to serve the user. After ensuring the legality of the user's identity, the cloud storage server takes over the data and stores them to the sever.

 (6) Public Integrity Checking Algorithm: This algorithm is designed to check data integrity. This algorithm consists of three phases: challenge generation phase, proof generation phase and proof verification phase.

 In the challenge generation phase, mainly run by TPA. TPA picks a set 
L with l elements, where \(L \subseteq[1, n]\) , and chooses a random element \(v_{y} \in Z_{q}^{*}\) for each \(y \in L \) . TPA generates a challenge \(\text {chal}=\text {filename} \|\left\{\left(y, v_{y}\right)\right\}_{y \in L}\) and sends it to the cloud storage server.

 In the proof generation phase, mainly run by cloud  storage server. After receiving the challenge message from the TPA, the cloud storage server firstly finds the corresponding file block \(\left\{m_{y}\right\}_{y \in L}\) based on the file name \(filename \) and index y, then calculates:

\(\mu=\sum_{y \in L} m_{y} v_{y}\)       (22)

\(T=\prod_{y \in L} c_{y}^{v_{y}} H_{2}\left(\sigma_{y}\right)^{-v_{y}}\)       (23)

and sends \((u, \mu, T)\) to TPA.

 In the proof verification phase, mainly run by TPA. After receives the proof from the cloud storage server, TPA checks whether the Eq.(24) holds or not.

\(T=u^{\mu} \prod_{y \in L} H_{2}( {filename} \| y)^{v_{y}}\)       (24)

 If the equation holds, the TPA accepts the proof and returns “1” to user. Otherwise the proof is invalid, and the TPA returns “0” to user.

 (7) Trace Algorithm: This algorithm is designed to track the identity of the signer. Firstly these valid users get the signer's secret sharing and from the cloud. With \(\text {share}=\left(\tau_{0}, \tau_{1}, \cdots, \tau_{t-1}, \eta_{1}, \eta_{2}, \cdots, \eta_{n}, s\right)\) , any valid user calculates:

\(\chi_{i}=\prod_{j=0}^{t-1} \tau_{j}^{i^{j}}, 1 \leq i \leq n\)       (25)

\(s^{*}=H_{2}\left(\chi_{1}, \chi_{2}, \cdots, \chi_{n}, \eta_{1}, \eta_{2}, \cdots, \eta_{n}\right)\)       (26)

 If \(S^{*}=S\), t valid users can track the identity of the signer as follows. Each of the t valid users calculates:

\(\xi_{i}=\eta_{i}^{s k_{i}^{-1}}\)       (27)

\(\lambda_{i}=\prod_{j=1,2, \cdots, t, j \neq i} \frac{j}{j-i}\)       (28)

where by using their private keys. Then the public key of the signer can be obtained by calculating .

 (8) Revocation Algorithm: This algorithm is designed to revoke user and update the group key. After tracking to the user who needs to be revoked according to the tracking algorithm, the group manager queries the register  table to find the registration information of the user who needs to be revoked. Group manager updates polynomial function and exponential function as follows:

\(f^{\prime}(x)=f(x) /\left(x-V_{k}\right)=\sum_{i=0}^{n-1} a_{i}^{\prime} x^{i}(\bmod q)\)       (29)

\(\left\{W_{0}^{\prime}, W_{1}^{\prime}, \cdots, W_{n-1}^{\prime}\right\}=\left\{\varepsilon^{a_{0}^{\prime}}, \varepsilon^{a_{1}^{\prime}}, \cdots, \varepsilon^{{a_{n-1}}^{\prime}}\right\}\)       (30)

 Finally, the group manager updates the group secret key:

\(K_{g}=K_{g}^{\prime}\)       (31)

and sets  \(E K^{\prime}=\left\{K_{g}^{\prime} \cdot W_{0}^{\prime}, W_{1}^{\prime}, \cdots, W_{n}^{\prime}\right\}\).

 

5. Security Analysis

 In this section we prove our scheme is correctness, traceability, full anonymity, unforgeability, non-repudiation and can safely update group key.

 

5.1 Correctness

 In Users Join Algorithm, it is necessary to verify the validity of A_k by calculating \(g_{1}^{A_{k}}=R_{k} \cdot P^{H_{1}\left(M_{k}\right)}\) after the user receives \(A_{k}\) and \(R_{k}\) from the group manager. The correctness of the above equation can be proved as follows:

\(g_{1}^{A_{k}}=g_{1}^{x_{k}+i k \cdot H_{1}\left(I D_{k}\right)}=g_{1}^{x_{k}} \cdot g_{1}^{i k \cdot H_{1}\left(I D_{k}\right)}=R_{k} \cdot P^{H_{1}\left(U D_{k}\right)}\)       (32)

 In Upload Algorithm, due to only legitimate user can enjoy the storage service, the cloud storage server must verify the identity of the user before storing data. Because only legitimate user has , the cloud storage server can verify the legitimacy of the user's identity by calculating \(e\left(\theta, g_{1}\right)=e\left(H_{2}(M), \rho\right)\).The correctness of the above equation can be proved as follows:

\(e\left(\theta, g_{1}\right)=e\left(\left(H_{2}(M)\right)^{K_{g}}, g_{1}\right)=e\left(H_{2}(M), g_{1}^{K_{g}}\right)=e\left(H_{2}(M), \rho\right)\)       (33)

 In the proof verification phase of Public Integrity Checking Algorithm, TPA verifies data integrity by calculating \(T=u^{\mu} \prod_{y \in L} H_{2}(\text {filename} \| y)^{v_{y}}\). The correctness of the above equation can be proved as follows:

\(\begin{aligned}& T=\prod_{y \in L} c_{y}^{v_{y}} H_{2}\left(\sigma_{y}\right)^{v_{y}} \\=& \prod_{y \in L}\left(H_{2}\left(\sigma_{y}\right) \cdot \delta_{y}\right)^{v_y} H_{2}\left(\sigma_{y}\right)^{-v_{y}}\\=&\prod_{y \in L} \delta_{y}^{v_{y}}\\=&\prod_{y \in L}\left(H_{2}( {filename}|| y) \cdot u^{m_{y}}\right)^{y_{y}}\\=&\mathcal{U}^{\sum_{y \in L} m_{y} v_{y}} \cdot\prod_{y \in L} H_{2}( { filename} \| y)^{v_{y}}\\=&u^{\mu} \cdot \prod_{y \in L} H_{2}( {filename} \| y)^{v_{y}}\end{aligned}\)       (34)

 In Trace Algorithm, when t legitimate users track the identity of the signer, the public key of the signer is obtained by calculating \(\gamma \cdot\left(\prod_{i=1}^{t} \xi_{i}^{\lambda_{i}}\right)^{-1}\) . The proof of the correctness of the equation \(p k_{k}=\gamma \cdot\left(\prod_{i=1}^{t} \xi_{i}^{\lambda_{i}}\right)^{-1}\)  is as follows:

\(\begin{array}{lc}\gamma \cdot\left(\prod_{i=1}^{t} \xi_{i}^{\lambda_{i}}\right)^{-1}=\gamma \cdot\left(\prod_{i=1}^{t}\left(\eta_{i}^{s k_{i}^{-1}}\right)^{\lambda_{i}}\right)^{-1} \\=\gamma \cdot\left(\prod_{i=1}^{t}\left(p k_{i}^{p(i)}\right)^{sk_{i} \cdot^{-1} \cdot \lambda_{i}}\right)^{-1}\\=\gamma \cdot\left(\prod_{i=1}^{t}\left(g_{1}^{s k_{i}}\right)^{p(i) \cdot s k_{i}^{-1} \cdot \lambda_{i}}\right)^{-1}\\=\gamma \cdot\left(\prod_{i=1}^{t} g_{1}^{p(i)-\lambda_{i}}\right)^{-1}\\=\gamma \cdot\left(\prod_{i=1}^{t} g_{1}^{p(i)\cdot\prod_{j_{j-1,2 \cdots ,t},j \neq i} \frac{j}{j-i}} \right)^{-1}\\=\gamma \cdot g_{1}^{-\sum_{i=1}^{t} p(i)\cdot\prod_{j=1,2, \cdots, t, j \neq i} \frac{j}{j-i}}\\=g_{1}^{\alpha_{0}} \cdot p k_{k} \cdot g_{1}^{-\alpha_{0}}\\=p k_{k}\end{array}\)       (35)

 

5.2 Traceability

 Our scheme uses the secret sharing scheme to track the identity of the signer. Only no less than t legitimate users can track the identity of the signer. The signer generates a secret during the signature process, so these users who do the tracking can reconstructs the secret during the track process by using their private keys. Thereby they obtains the signer's public key, and tracks the identity of the signer.

 Due to the traceability of the (t, n) threshold, any subset with more than t legitimate users can reveal the identity of the signer. A subset of users who do not meet the requirements cannot reveal the identity of the signer. Detailed proof can refer to [28], [29].

 

5.3 Full anonymity

 The privacy of the user's identity can be ensured during the data upload phase and the data integrity verification phase. In the data upload phase, because only legitimate users can store data in the cloud storage server, the cloud storage server only needs to verify the legitimacy of the user's identity, and does not know the identity of the user. During the integrity verification phase, the verifier does not know the identity of the user and can still verify the integrity of the data. Therefore, full anonymity can be achieved.

 

5.4 Unforgeability

 The unforgeability of signatures is mainly described in two parts, that is unforgeability of signature \(\theta\) and \(\left\{\sigma_{y}\right\}_{1<y<m}\).

 (1) Unforgeability of signature \(\theta\): If an adversary tries to forge a signature \(\theta\)* and uploads data M* to the cloud server. According to the CDH problem, knowing \(g_{1}, \rho=g_{1}^{K_{s}} \in G_{1}\), \(H_{2}\left(M^{*}\right) \in G_{1}\) it is difficult to calculate \(\theta^{\prime}=\left(H_{2}\left(M^{*}\right)\right)^{K_{k}}\) without knowing k_g, so the adversary  forges a signature \(\theta^{*} \neq \theta^{\prime}\). In the upload stage, the user's identity needs to be verified by determining whether the equation \(e\left(\theta^{*}, g_{1}\right)=e\left(H_{2}\left(M^{*}\right) \rho\right)\)  holds or not . Only when the above equation holds, can the cloud server accept the user's data.

\(e\left(H_{2}\left(M^{*}\right), \rho\right)=e\left(H_{2}\left(M^{*}\right), g_{1}^{k_{g}}\right)=e\left(\left(H_{2}\left(M^{*}\right)\right)^{k_{g}}, g_{1}\right)=e\left(\theta^{\prime}, g_{1}\right) \neq e\left(\theta^{*}, g_{1}\right)\)       (36)

 It can be seen from the Eq.(36) that the above equation cannot be verified, so the cloud storage server will reject the data of the adversary.

 (2) Unforgeability of signature \(\left\{\sigma_{y}\right\}_{1<y<m}\): When the CDH assumption holds, the signature \(\left\{\sigma_{y}\right\}_{1<y<m}\) can only be generated by the signer himself. Suppose an adversary wants to forge the signature of user ID^*  about data \(\left\{m_{y}^{*}\right\}_{1<y<m}\) in the system. He calculates \(\delta_{y}^{*}=H_{2}(\text {filename} \| y) \cdot u^{m_{y}^{*}}\). According to the CDH assumption, knowing \(g_{1}, \delta_{y} ,p k^{*}\) it is difficult to calculate \(\sigma_{y}^{\prime}=\delta_{y}^{s k^{*}} \in G_{1}\) . Therefore, the forged signature by the adversary satisfied  \(\sigma_{y}^{*}=\sigma_{y}^{\prime}\) is equivalent to solving the CDH problem. So only the signer with the private key can generate valid signature.

 

5.5 Non-repudiation

 If a user in the system has illegal behavior, the user can be tracked by the tracking algorithm, at this time the identity of the user will no longer be kept confidential. In the signature algorithm, the user signs the data with his own private key. Once the user's identity is disclosed, the user's signature can be verified with the user's public key by verifying the Eq.(37):

\(e\left(\sigma_{y}, g_{1}\right)\overset{?}=e\left(H_{2}( { filename} \| y) \cdot u^{m_{y}}, p k\right)\)       (37)

 Because the signature can not be forged, once the verification is passed, it means the signature belongs to the user, and the user can not deny it.

 The accuracy of the verification is as follows:

\(\begin{array}{l}e\left(\sigma_{y}, g_{1}\right)=e\left(\delta_{y}^{s k}, g_{1}\right) \\\quad=e\left(\left(H_{2}( {filename} \| y) \cdot u^{m_{y}}\right)^{s k}, g_{1}\right) \\\quad=e\left(H_{2}( {filename} \| y) \cdot u^{m_{y}}, g_{1}^{s k}\right) \\\quad=e\left(H_{2}( {filename} \| y) \cdot u^{m_{y}}, p k\right)\end{array}\)       (38)

 

5.6 Dynamic user revocation

 Under the DL problem, only non-revoked users can update the group secret key. In the revocation algorithm, the group manager updates polynomial function \(f^{\prime}(x)=f(x) /\left(x-V_{k}\right)=\sum_{i=0}^{n-1} a_{i} x^{\prime}(\bmod q)\) and exponential function \(\left\{W_{0}^{\prime}, W_{1}^{\prime}, \cdots, W_{n-1}^{\prime}\right\}=\left\{\varepsilon^{a_{0}^{\prime}}, \varepsilon^{a_{1}^{\prime}}, \cdots, \varepsilon^{a_{n-1}}\right\}\) = and updates the group secret  key to \(K_{g}^{\prime}\) . For a non-revoked user \(I D_{\tilde{k}}\) , he can calculate \(V_{\tilde{k}}=H_{1}\left(A_{\tilde{k}}\right), V_{\tilde{k}} \in\left\{V_{i}\right\}_{1 \leq i \leq n-1}\). Let \(\text { Let } x=V_{\tilde{k}}, f^{\prime}\left(V_{\tilde{k}}\right)=\prod_{i=1}^{n-1}\left(V_{\tilde{k}}-V_{i}\right)=0\) This polynomial can only output 0 when \(1 \leq \tilde{k} \leq n-1\) . So only non-revoked users can calculate \(K_{g}^{\prime} \cdot W_{0}^{\prime} \cdot \prod_{i=1}^{n-1} W_{i}^{V_{i}^{\prime}}=K_{g}^{\prime} \cdot \varepsilon^{f\left(V_{i}\right)}=K_{g}^{\prime}\). If an adversary wants to calculate a group secret key \(K_{g}^{\prime}\), given \(g_{1}\)and \(\rho=g_{1}^{K_{s}} \in G_{1}\), he should deal with DL problem, which is impossible.

 

6 Performance Analysis

 In this section, we evaluate the performance of our scheme by calculating the computation cost and communication cost. By comparing our scheme with Huang [14] and Hu [28], we can analyze the performance of our scheme more clearly. The relevant symbols are shown in Table 1.

Table 1. Notation

 

6.1 Computation Cost

 We mainly consider computation cost in two aspects: the efficiency of signature and the efficiency of public integrity checking.

 (1) Signature efficiency: In the signature generation process, the total computation cost is

\(H_{1}+(2 m+2) H_{2}+(\mathrm{nt}+2 n) E x p_{Z_{q}^{*}}+n M u l_{Z_{q}^{*}}+(n t+n+t+2 m+2) E x p_{G_{1}}+(n t-n+2 m+1) M u l_{G_1}\)

 The signature algorithm consists of two phases: the signature generation phase and the secret sharing generation phase. In the signature generation phase, the user needs to calculate \(\left\{V_{k}, K_{g}, \theta,\left\{\delta_{y}\right\}_{\mathrm{ISySm}}\left\{\sigma_{y}\right\}_{\mathrm{LSySm}},\left\{c_{y}\right\}_{\mathrm{ISySm}}\right\}\). As shown in Table 2, in this phase, computation cost is

\(H_{1}+(2 m+1) H_{2}+2 n E x p_{Z_{q}^{*}}+n M u l_{Z_{q}^{*}}+(2 m+1) E x p_{G_{1}}+2 m M u l_{G_{1}}\)

 In the secret sharing generation phase, the user needs to calculate  to obtain secret sharing \(\left\{\left\{\tau_{j}\right\}_{0 \leq j \leq t},\left\{\chi_{i}\right\}_{1 \leq i \leq n},\left\{\eta_{i}\right\}_{1 \leq i \leq n}, \gamma, s\right\}\) . As shown in Table 2, in this phase, computation cost is

\(H_{2}+n t E x p_{Z_{q}^{*}}+(n t+n+t+1) E x p_{G_{1}}+(n t-n+1) M u l_{G_{1}}.\)

 In addition, we display the computation cost of the signature for Huang's and Hu's schemes in Table 2.

Table 2. Computation cost of signature

Table 3. Computation cost of public integrity checking

 (2) Public integrity checking efficiency: In public integrity checking process, the total computation cost is\(2 l H_{2}+l M u l_{z_{i}}+(3 l+1) E x p_{G_{1}}+(3 l-1) M u l_{G_{1}}\)  . The public integrity checking algorithm consists of three phases: the challenge generation phase, the proof generation phase, and the proof verification phase. Since there is no computation cost in the challenge generation phase, the computation cost of public integrity checking algorithm is mainly generated by the proof generation phase and the proof verification phase. In the proof generation phase, the cloud storage server needs to calculate \(\{\mu, T\}\). The computational cost is \(l H_{2}+l M u l_{Z_{i}^{*}}+2 l E x p_{G_{1}}+(2 l-1) M u l_{G_{1}}\) , as shown in Table 3. In the proof verification phase, TPA performs verification. Its computational cost is \(l H_{2}+(l+1) E x p_{G_{1}}+l M u l_{G_{1}}\)  as shown in Table 3. In addition, we display the computation cost of public integrity checking for Huang's and Hu's schemes in Table 3.

 

6.2 Communication Cost

 We compared the communication overhead of our scheme with Huang's scheme [14] and Hu's scheme [28]. During the challenge generation process of our scheme, TPA sends challenge \(\text { chal }\left.=\text { filename } \|\left(y, v_{y}\right)\right\}_{y \in L}\) to the cloud storage server and its communication cost is \(l \cdot l_{q}+l \cdot l_{s}+l_{n a m e}\) . In the proof generation stage, the cloud storage server sends the proof \(\{u, \mu, T\}\)to the TPA, and its communication overhead is \(l_{q}+2 l_{G_{1}}\). Therefore, during public integrity checking process, the total communication cost of our scheme is   \( (l+1) l_{q}+l \cdot l_{s}+l_{\text {name}}+2 l_{G_{\mathrm{h}}}\) as shown in Table 4. In addition, we display the communication cost of  Huang's and Hu's schemes in Table 4.

Table 4. Communication cost

 

6.3 Experimental Results

 In this paper, we analyze the efficiency of our scheme and compare it with Huang's scheme [14] and Hu's scheme [28]. Our experiment was carried out under the windows platform and used java programming language with Java Paring Based Cryptography(JPBC). We set base field size to be 160bits and the size of an element in \(Z_{q}^{*}\) to be 160bits.

 The efficiency of signature generation can be shown in Fig. 2. We set  and  . When the number of legitimate users in the system increases from 50 to 150, the signature time in our scheme and Hu's scheme [28] increases slowly with the increase of the number of users in the system, but the signature time of Hu's scheme [28] is slightly more than that of our scheme. However, the signature time of Huang's scheme [14] is greatly affected by the number of users in the system, and the signature time increases linearly with the increase of the number of users.

Fig. 2. Comparison of signature time

 The efficiency of public integrity checking can be shown in Fig. 3 (a) and Fig. 3 (b). In order to achieve detection rate of 99%, we also set \(m=10000, l=460\) like Hu's scheme [28]. As shown in Fig. 3 (a), when the number of blocks to be detected is \(l=460\) , computation time of cloud storage server in our scheme and Hu's scheme [28] is constant and independent of the number of users. And our scheme take less time than Hu's scheme [28], because Hu's scheme [28] needs to calculate some relevant values of zero-knowledge proof to generate proof. However, computation cost of cloud storage server in Huang's scheme [14] is greatly affected by the number of users in the system, and the signature time increases linearly with the increase of the number of users. As shown in Fig. 3 (b), computation time of TPA in our scheme and Hu's scheme [28] is also constant and independent of the number of users. And our scheme takes less time than Hu's scheme [28].  However, computation cost of TPA in Huang's scheme [14] increases linearly with the increase of the number of users.

Fig. 3. (a) Comparison of computation cost of cloud storage server

Fig. 3. (b) Comparison of computation cost of TPA

 In the process of public integrity checking, the communication cost is shown in Fig. 4. We set \(l_{s}=32, l_{\text {name}}=128\). The communication overhead in Huang's scheme [14] increases linearly with the increase of the number of users. The communication overhead in our scheme and Hu's scheme [28] has nothing to do with the number of users, and our scheme has less communication overhead than Hu's scheme [28]. Obviously our scheme is more effective than Huang's and Hu's schemes.

Fig. 4. Comparison of communication cost

 

7. Conclusion

 In this paper, we propose a traceable dynamic public auditing with identity privacy preserving for cloud storage, which supports dynamic user operation. In addition, our scheme realizes full anonymity and traceability. In the proposed scheme, a certain number of legitimate users can work together to trace the identity of the signer, but a single user, including a group manager, is unable to trace the identity. The security and efficiency analysis shows that our scheme is secure and efficient.