Embed Size (px)
Citation preview
Research ArticleGenuine and Secure Identity-Based Public Audit for the StoredData in Healthcare Cloud
Jianhong Zhang 12 Zhibin Sun1 and Jian Mao3
1School of Electronic and Information Engineering North China University of Technology Beijing 100144 China2Guangxi Key Laboratory of Cryptography and Information Security Guilin 541004 China3School of Electronic and Information Engineering Beihang University Beijing 100191 China
Correspondence should be addressed to Jianhong Zhang zjhncut163com
Received 31 July 2017 Revised 14 December 2017 Accepted 22 July 2018 Published 18 September 2018
Academic Editor Zong-Min Wang
Copyright copy 2018 Jianhong Zhang et al -is is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work isproperly cited
Cloud storage has attractedmore andmore concern since it permits cloud users to save and employ the corresponding outsourcedfiles at arbitrary time with arbitrary facility and from arbitrary place To make sure data integrality numerous public auditingconstructions have been presented However existing constructions mainly have built on the PKI In these constructions toachieve data integrality the auditor first must authenticate the legality of PKC which leads to a great burden for the auditor Toeliminate the verification of time-consuming certificate in this work we present an efficient identity-based public auditingproposal Our construction is an identity-based data auditing system in the true sense in that the algorithm to calculate au-thentication signature is an identity-based signature algorithm By extensive security evaluation and experimental testing theconsequences demonstrate that our proposal is safe and effective it can efficiently hold back forgery attack and replay attackFinally compared with the two identity-based public auditing proposals our proposal outperforms the two proposals under thecondition of overall considering computational cost communication overhead and security strength
1 Introduction
With the technique progress in communication filed theamount of the generated data is going through fast growthMany companies working on the healthcare trade in-creasingly make use of cloud storage services Instead ofevery hospital storing and maintaining medical data inphysical servers cloud storage is becoming a popular al-ternative since it can offer the clients more convenientnetwork-connection service on-demand data storage ser-vice and resource-sharing service
-e aging population problem urges healthcare servicesto make the continuous reformation so as to obtain cost-effectiveness and timeliness and furnish the services ofhigher quality Numerous specialists deem that cloud-computing technique may make healthcare services goodby reducing EHC (electronic-health-record) start-up costssuch as software equipment employee and various licensefees -ese reasons will urge to adopt the relevant cloud
techniques Let us see one instance of healthcare services inwhich cloud technique is applied the Healthcare Sensorsystem can automatically collect the patientsrsquo vital data of thewearable devices which are connected to traditional medicalequipment via wireless sensor networks and then uploadthese data to ldquomedical cloudrdquo for storage Another typicalinstance is the Sphere of Care by Aossia Healthcare it isstarted in 2015-ese cloud-based systems can automaticallycollect every day real-time data of users It alleviates manualcollection burden so that the deployment of the wholemedical system is simplified However they may makehealthcare providers to face many challenges in migrating alllocal health data to the remote cloud server where theparamount concerns are privacy and security sincehealthcare administrator no longer completely deals with thesecurity of those medical records After medical data arestored on the cloud they are possibly corrupted or dropped
To make sure the intactness of the stored data in theremote server the patients or healthcare service providers
HindawiJournal of Healthcare EngineeringVolume 2018 Article ID 9638680 9 pageshttpsdoiorg10115520189638680
expect that the stored data integrality can be periodicallychecked to avoid the damage of the stored data Howeverfor the individuals one of the greatest challenges is how tocarry out the termly data integrality detection when theindividuals have the copy of local files Meanwhile themethod is also infeasible to conduct data integralityverification for a source-limited individual though re-trieving the total data file
To deal with the above issue many specialists hadpresented a number of problem-solving methods which aimat the diverse systems and diverse security models in [1ndash20]Nevertheless most existing problem-solving methods hadbuilt on public key infrastructure (for short PKI) As ev-eryone knows that the PKI-based auditing proposals existcomplex key management problem data client needs toconduct key updating key revocation and key maintainingand so on Hence the key management and certificateverification in the PKI-data auditing system will be a trou-blesome issue Furthermore PKC also needs more storagespace than the individual ID since key pair (PK sk) needs tobe locally kept For a verifier to guarantee data integrality itmust firstly extract PKC from public key directory and thenverify whether public key certificate (for short PKC) is valid-erefore it also increases computation burden and com-munication overhead for the verifier
In 2014 the first so-called ID-based data integralityproposal was proposed by Wang et al [13] Strictly speakingtheir proposal is not a kind of identity-based auditing onebecause the algorithm to generatemetadata authentication tagis not an idenity-based algorithm but a PKC-based one In2015 Yu et al put forward a generic method of constructingidentity-based public auditing system by integrating theidentity-based signature algorithm with traditional PDPprotocols in [15]-eir research is very significant on studyingthe ID-based public auditing system However in theirscheme the algorithm to produce metablock authenticationtag is still to adopt a PKI-based one Furthermore in theauditing phase the auditor firstly verifies the validity of anidentity-based signature on a public key PK and then itexecutes data integrity verificationby using this public key PKagain which increases the computation burden of the auditorIn 2016 Zhang and Dong brought forward a novel identity-based public auditing proposal in [16] -e proposal is theidentity-based public auditing system from the literal sensesince their algorithm to produce metadata authentication tagis the ID-based signature algorithm However their scheme isshown to be insecure in Appendix
To increase efficiency and strengthen the security of ID-based auditing protocols in this work a secure and efficientID-based auditing construction is proposed For our con-struction its original contributions are as follows
(1) On the basis of the idea of homomorphic signature inID-based setting we devise an authentic identity-based auditing proposal of data integrality -eproposal can not only avoid the key managing butalso relieve the auditorrsquos burden
(2) In auditing the phase our scheme has constantcommunication overhead Compared with the two
schemes [15 16] our proposal has more advantageswith regard to computational cost and communi-cation cost
(3) In the random oracle model the proposed proposalhas serious security proof and the correspondingproof can be tightly reduced to the CDHmathematicproblem
2 Architecture and Security of System
In the following chapter in order to better understand ourID-based data integrality auditing protocol (ID-DIAP forshort) we firstly give a description of the system model andafterwards the security model of our ID-DIAP for cloudstorage is defined
21 System Architecture For our ID-DIAP system in cloudthe architecture is composed of four entities privacy keygenerator (for short the PKG) the third party verifierauditor(for short the TPA) cloud servers and data user -e wholesystematic architecture is demonstrated in Figure 1
To avoid biases in the auditing process the TPA isrecommended to implement the audit function in oursystem model Detail function of each role in system ar-chitecture is described as below
(i) Data User It acts as a cloud user and possessesa number of files which need to be uploaded to theremote cloud server without local data copyGenerally speaking data user may be a resource-limited entity due to the limited capability of storingand computing And it can flexibly access at anytime and share the outsourced data
(ii) Cloud Servers -ey are composed of a group ofdistributed servers and have tremendous capabilityof storing and computing Furthermore it is an-swerable to save and maintain the stored files incloud Nevertheless the cloud server might be un-trusted and for its own profits and a good com-mercial reputation it might conceal data corruptionincidents for its cloud users
(iii) 0e 0ird Auditor It acts as a verifier of data in-tactness In principle it has professional experienceand practical capability to take charge data in-tegrality audit in the person of cloud usersdatausers
(iv) 0e PKG It is a trusted entity and is duty bound tobuild up system parameters and to calculate privacykey of every cloud user
For a cloud-based storing system its goals are to alleviatethe burden of data storage and maintaining of cloud usersNevertheless after data are uploaded to the remote sever incloud it might lead to a potential security problem since theuploaded data have been out of control for the data user andthe remote server in cloud is generally unreliable Data usermight concern whether the stored files in cloud are intact-us the data user wants some security measures to ensure
2 Journal of Healthcare Engineering
that the integrality of the outsourced data is examinedregularly without a local copy
Definition 1 (identity-based data integrity auditingprotocol ID-DIAP) In general an ID-DIAP system con-tains the three stages
(1) System Initialization Phase In this phase the PKG isduty bound to produce system parameters -ere-fore it runs Setup(1k) algorithm to obtain systemparameters Para the PKGrsquos key pair (mpk mpsk) byinputting λ which is a safety parameter On thecontrary the PKG also invokes KeyExtr(1λ Parampsk ID) algorithm to calculate privacy key skID forthe data user with identity ID by inputting its mpskand Para as well as the identity ID of the data user
(2) Data Outsourcing Phase In this phase for the dataowner (data user) it runs TagGen(M skID) to generatemetadata authentication tag δi on each data block mi
by inputting its private key skID and the outsourcedfile M where M m1 mn Finally it uploadsmetadata authentication tags δ δ1 δn1113864 1113865 to thecloud server
(3) Data Auditing Phase -is phase is divided into threesubphases Challenging Proof and Verifying Firstlythe auditor runs algorithm Challenging(Minfo) tocalculate Chall as the challenged information AfterreceivingChall the cloud server runs Proof(M δ andChall) to calculate Prf as proving information thenreturns Prf to the auditor At last the auditor invokesthe algorithm Verifying(Chall Prf mpk and Minfo)to test whether the returned proving information Prfis valid
22 Different Types of Attack and Security Definition In thesubsection we will analyze that our ID-DIAP system may be
confronted with diverse attacks in light of the behavior ofevery role in the system architecture In our system archi-tecture the PKG is the privacy key generator which cal-culates data userrsquos privacy key In general it is a credibleauthority We assume that the PKG does not launch anysecurity attack to the other entities in the whole systemmodel For the third auditor it is deemed to be an honest-but-curious entity and can earnestly execute every step in theauditing course And cloud server is considered to be un-reliable It might deliberately delete or alter rarely accesseddata files for saving storage space It is a powerful insideattacker in our security model And the goal of the attacker isto tamper and replace the stored data without being foundby the auditor Because the cloud server is a powerful at-tacker in our security model we mainly consider the attacks[7] which are launched by the cloud server in this paper
221 Forge Attack -e vicious cloud server may producea forged meta-authentication signature on a new data blockor fabricate the fake proving information Prf to deceive theauditor by satisfying the auditing verification
222 Replace Attack If a certain data block in the challengeset was corrupted the vicious cloud server would selectanother valid pair (mi δi) of data block and authenticationtag to substitute the corrupted pair (mj δj) of data block anddata tag
223 Replay Attack It is an efficient attack With respect tothe vicious storage server in cloud it might produce thenew proof information Prflowast without retrieving the challengedata of the auditor though realizing the former provinginformation Prf
Cloud storage service
Data owner
The third auditor
Security
data flo
w
Security data flow
Security data flow
Private key generator
Key
gene
ratio
n
Data flow
Figure 1 ID-based data storage model in cloud
Journal of Healthcare Engineering 3
3 Our Public Auditing Construction
In the following we will give the description of our ID-DIAPsystem It contains four entities the PKG cloud server datauser and TPA And the whole system is composed of fivePPT algorithms As for every entity and all algorithms thediagram of the framework is represented in Figure 2 Toclearly describe our protocol the algorithms are given indetail below
31 Setup For the sake of enhancing readability somenotations used in our ID-DIAP system are listed in Table 1
-e PKG makes use of a parameter λ as an input andgenerates two cyclic groups G1 and GT -e two groupshave the identical prime order qgt 2k And let P and T
be two generators of group G1 where they satisfy PneTAnd define a bilinear pairing map e G1 times G1rarrGT Next itchooses two map-to-point cryptographic hash functionsH0 1 0 lowast rarrG1 and H1 1 0 lowast rarrG1 and a resistant-collision hash function H2 G1 times 1 0 lowast rarrZq And thePKG randomly chooses s isin Zq as its master privacy keycalculates Ppub sP as its public key At last public pa-rameters Para are published as below
Para G1 GT q e P T H0 H1 H2 Ppub1113872 1113873 (1)
And the PKG needs its master privacy key s to be secretlykept
32 Key Extraction For a data user to produce its privacykey it delivers its identification ID to the PKG Sub-sequently the PKG utilizes its master privacy key s and ID toimplement the following process
(1) Firstly the data user delivers its identity informationID to the PKG
(2) Next the PKG generates (DID0 DID1) data userrsquosprivacy key where
DID0 sH0(ID0)
DID1 sH0(ID1)(2)
And then it goes back(DID0 DID1) to the data userthrough a secret and secure channel
(3) Upon receiving the private key (DID0 DID1) this datauser is able to test whether its privacy key is validthrough the following equations
e Ppub H0(ID0)1113872 1113873 e P DID0( 1113857
e Ppub H0(ID1)1113872 1113873 e P DID1( 1113857(3)
33TagGenPhase For the upload data file M firstly data fileM is divided into n blocks by the data user namelyM m1m2 mn To outsource this file M to the cloudthe data user needs to randomly choose a pair (xID YID)which is a private-public key pair of a secure signature al-gorithm 1113936 (SigVer) for example BLS short signature
Let Name denote the identifier of data file M and then itcalculates the file authentication tag τ τ0 1113936 middotSig(xID τ0)where 1113936 middotSig(xID τ0) denotes a secure signature on τ0 andτ0 denotes an information string τ0 ldquoNamenrdquo
Subsequently the data user needs to generate metadataauthentication tag on the data block To compute blockauthentication tags on all data blocks mi1113864 1113865 i 1 2 n thedata user uniformly samples r isin Zq to calculate R rP
Next for i 1 to n it calculates metadata authenticationtag for data block mi by the following steps
(1) First of all it calculates
hi H2 Indexi
IDR01113872 1113873 (4)
(2) And then it makes use of its private key (DID0 DID1)to compute
δi rH1 Indexi
Name1113872 1113873 + hiDID0 + miDID1 (5)
(3) For data block mi the resultant authentication tag ofthe data block is θi (R δi)
At last the data user needs to upload all the meta-authentication tags (τ R δi1113864 1113865 i 1 2 n ) and the out-sourced file M to the remote server in cloud
PKG1 Setup
2 Register ID
Data owner4 Generate tag
(δ1hellipδn)
3 Produceskd = (D0 D1)
Cloudserver
6 Store datafile and
tags
5 Upload (δ1hellipδn) and data file M
The thirdauditor
9 Verifying phase
7 Challenge phase
8 Prove phase
Figure 2 -e relationship of the entities and algorithms
Table 1 Notations in our ID-DIAP system
Symbol MeaningK A security parameterH0 H1 H2 -ree hash functionsS -e master key of the PKGT A random generator of group G1Prf -e proof informationChall -e challenge informationQ A large prime numberGT A multiplicative group with the order qG1 An additive group with the order qE A bilinear pairing|I| -e number of elements in set I
4 Journal of Healthcare Engineering
On obtaining all the aforementioned data (τ R
δj1113966 1113967 j 1 2 n1113864 1113865) the cloud server needs to execute thefollowing validation procedure
For i 1 to n it verifies the relation
e δi P( 1113857 e H1 Indexi
Name1113872 1113873 R1113872 1113873e hiQ0 + miQ1 Ppub1113872 1113873
(6)
where Q1 H0(ID1) and Q0 H0(ID0) If all relationshold then it parses τ into τ0 and 1113936 middotSig(xID τ0) and verifiesthe validity of signature
1113944 middotVer 1113944 middotSig xID τ0( 1113857 τ0 YID1113872 1113873 1 (7)
If it is also valid then the cloud server preserves thesedata in cloud
34ChallengePhase To audit the integrality of the outsourcedfile M firstly the TPA parses τ into τ0 and 1113936 middotSig(xID τ0)and verifies 1113936 middotVer(1113936 middotSig(xID τ0) τ0 YID) 1 If it does nothold then terminate it Otherwise it retrieves the corre-sponding file identifier name and block size n
Later on the auditor picks a subset Isube[1 n] randomlywhere |I| l and ρ isin Zq to generate a challenge information
Chall ρ I1113864 1113865 (8)
Finally it delivers Chall to the cloud server as thechallenge
35 Proving Phase After obtaining the correspondingchallenge information Chall I ρ1113864 1113865 for i isin 1 |I| cloud server calculates vi ρimodq and then it producesa set Q i vi1113864 1113865 iisinI
Subsequently in light of the outsourced data file M
m1 mn1113864 1113865 and meta-authentication tag θi of each blocki isin 1 2 n it produces as follows
δ 1113944jisinI
vj middot δj
μ 1113944jisinI
vj middot mj(9)
Finally the cloud storage server goes back 3-tuple Prf
(δ μ R) to the auditor as the corresponding proofinformation
36 Verifying Phase To check the outsourced datarsquos in-tegrality in cloud after receiving the responded proof in-formation Prf (δ μ R) the third auditor calculates asbelow
h 1113944iisinI
vi middot hi
H 1113944iisinI
vi middot H1 Indexi
Name1113872 1113873(10)
where hi H2(indexiIDR0) for i isin I
-en it checks the validity of the following equation
e(δ P) e(H R)e hQ0 + μ middot Q11113872 1113873 (11)
If the aforementioned Equation (11) satisfies then theTPA outputs VerifyRes as true if not it outputs VerifyReS asfalse
4 Security Analysis
To show our proposalrsquos security we will demonstrate thatour proposal is proven to be secure against the above threeattacks
Theorem 1 Assume there exists a PPTadversary Adv that isprobabilistic polynomial-time attacker (for shot PPT) and cancheat the auditor using invalid proving information Prf whichis forged by the adversary Adv (the dishonest cloud storageserver) in a nonignorable probability ε then we are able todesign an algorithm $B$ that can efficiently break the CDHassumption by invoking Adv as subprogram
Proof Let us suppose that a PPT adversary Adv is capableto calculate a faked proving information Prf after the datablocks or metadata authentication tags are corruptedthen we are capable of constructing another a PPT algo-rithm B which is capable of breaking the CDH assumptionby utilizing the adversary Adv First of all let a 3-tuple(P aP bP) isin G1 be a CDH assumptionrsquos random instance itis hard to obtain the solution abP
To show the security proof hash functionH0 in the gameis regarded as random oracle and identity ID of each datauser is only made H0-query once For H1 and H2 they onlyact as one-way functions In addition the adversary Adv iscapable of adaptively issuing the queries to three oraclesH0-oracle Key-Extract oracle and TagGen oracle
Setup Choose two cyclic groups G1 and GT and their ordersare the same prime number q -e algorithm B firstly setsPpub aP as the public key of the PKG Let H0 H1 and H2be three hash functions Finally it sends public systemparameters (G1 GT P T q Ppub e H0 H1 H2) to the ad-versary Adv And let jlowast isin 1 qH01113864 1113865 be a challengedidentity index of the data user
H0-Hash Oracle -e adversary Adv submits a queryto H0-oracle with an identity IDi If the index of identityIDi satisfies ine jlowast then the challenger B picks ti0 ti1 isin Zq
randomly to set up H0(IDi0) ti0P hi0 and H0(IDi1)
ti1P hi1 Otherwise the challenger B uniformly samplestlowast1 and tlowast0 from Zq to set up
hi0 H0 IDi
01113872 1113873 tlowast0bP
hi1 H0 IDi
11113872 1113873 minustlowast1bP(12)
In the end the 5-tuple (IDi hi0 hi1 ti0 ti1) is added in theH0-list being initially empty
Journal of Healthcare Engineering 5
Key Extraction Oracle For a key extraction query Advsubmits an identity information IDi to key extraction oracleTo response it the challenger B calculates the following
(1) If the identity index of IDi satisfies ine jlowast then B
looks for 5-tuple (hi0 hi1 IDi ti0 ti1) in the H0-listIf it exists B sends Di0 ti0aP Di1 ti1aP to theadversary Adv otherwise it implicitly queriesa H1-Oracle with identity IDi
(2) Otherwise B terminates it
TagGen Oracle If the adversary Adv submits 3-tuple (MIDi Name) to TagGen Oracle for authentication tag querywhere M m1 mn and Name is the file identifier ofdata file M To response it the challenge B calculates thefollowing
(1) First of all it searches the H0-list to check if IDiexists If it is then the corresponding 5-tuple(hi0 hi1 IDi ti0 ti1) in the H0-list is returned Oth-erwise B needs to query H0-Oracle with identityinformation IDi
(2) If the identity index satisfies i jlowast then the chal-lenge B aborts it Otherwise it produces authenti-cation tags on data file M by the following process
(a) Firstly for file identifier ldquoNamerdquo it picksrname isin Zq randomly to calculate Rname rnameP
(b) Next for l 1 to n it calculates
hil H2 Indexl
IDi
Rname111396701113874 1113875 (13)
And then for l 1 to n B calculates data block m1rsquosauthentication tag as
δil rname middot H1 Indexi
Name1113872 1113873 + hilti0 + mlti1( 1113857Ppub
(14)
and adds (IDi Rname ml δil1113864 1113865 1le lle n ) to the Tag list whichis initially empty
(3) Finally it returns (IDi Rname ml δil1113864 1113865 1le lle n ) tothe adversary Adv
Output In the end for a challenge information (i vi)1113864 1113865 i isin Ithe adversary Adv outputs a fake proving information(δlowast μlowast Rlowast) on data userrsquos the corrupted file Mlowast in a non-neglected probability ε where the data userrsquos identity is IDlowastAdv wins this security game if and only if the followingconstraint condition holds
(1) IDlowast IDj
(2) Prf prime (δlowast Rlowast) can pass verification equation (11)(3) Prf prime ne Prf where Prf (δ R μ) should be a legiti-
mate proving information for the challenge in-formation (i vi) i isin I and the data file M whichsatisfies Mprime neM
When the adversary Adv wins this game then we arecapable of obtaining the following
e δlowast P( 1113857 e H Rlowast
( 1113857e 1113954hlowast
middot QIDj0 + μlowastQIDj1 Ppub1113872 1113873
e(δ P) e(H R)e 1113954h middot QIDj0 + μQIDj1 Ppub1113872 1113873(15)
where 1113954h 1113936iisinIviH2(IndexiRlowastIDj0) and hlowast 1113936iisinIviH2(IndexiRlowastIDj0) because 1113954H 1113936iisinIvi middot H1(IndexiName)is computed by the verifier and for the same data fileR Rlowast
and hlowast h -us we have
e δ minus δlowast( 1113857 e Ppub μminus μlowast( 1113857QIDj1113872 1113873
dArr
e δ minus δlowast( 1113857 e aP μminus μlowast( 1113857 minustlowast1( 1113857bP( 1113857
dArr
abP 1
μminus μlowast( 1113857 middot tlowast1δ minus δlowast( 1113857
(16)
It indicates that the CDH assumption is able to bebroken with nonneglected probability εprime Apparently it isimpossible since it is a hard problem to solve the CDHproblem
Theorem 2 For a malicious cloud server its replay attack inour proposed auditing proposal can efficiently be resisted
Proof -e proof in detail is very alike with the security proofin [16] Hence it is left out due to the limited space
5 Performance Evaluation
To efficiently evaluate our proposalrsquos performance in thefollowing part we show that our proposal is efficient bycomparing with Yu et alrsquos proposal [15] and Zhang andDongrsquos proposal [16] in the light of computational cost andcommunication overhead where Zhang and Dongrsquos pro-posal [16] which is the state-of-the-art identity-basedpublic auditing schemes in the aspect of communicationoverhead
51 Computation Costs To evaluate the computation costsof our proposal we would like to contrast our proposalwith Zhang and Dongrsquos proposal [16] and Yu et alrsquosproposal [15] since the two schemes are recent two efficientID-based public auditing schemes We emulate the oper-ators adopted in the three schemes on an HP-laptopcomputer with an Intel-Core i3-6500 CPU at 24 GHzprocessor and 8GB RAM and all algorithms are imple-mented using the MIRACL cryptography library [21 22]which is used for the ldquoMIRACL-Authentication Server-Project Wikirdquo by Certivox We employ a Super-singularelliptic curve over field GFp which has the 160-bit modulusp and a 2-embedding degree Moreover in our experi-ments the whole statistical results are from the mean valuesof 10 simulation trials
6 Journal of Healthcare Engineering
For explicit demonstration we use MulG1 to denotepoint multiplication operation and let Hash and Pairing beone hash-to-point operation from Zq to G1 and a bilinearpairing operation respectively For a public auditing pro-tocol the computational cost in the TagGen phase is mainlydetermined by computation of producing block authenti-cation tags To outsource a data file the data user requires(3n+ 1) MulG1 + n hash to produce block authentication tagin our construction in Yu et alrsquos proposal and Zhang et alrsquo sproposal each data user needs (n+ 1)Hash + (2n+ 2) MulG1and 4n MulG1 to calculate metablock authentication tagrespectively where n is the numbers of data block InFigure 3 we show the simulation result of generating theblock authentication tag for the size of diverse data blockswith the identical data file
From Figure 3 we can know that in the TagGen phaseZhang et alrsquos proposal is the most time-consuming andYu et alrsquos proposal is the most efficient Our proposal isslightly slower than Yu et alrsquos one since the algorithm toproduce the block authentication tag is a public keycertificate-based signature algorithm in Yu et alrsquos pro-posal however the algorithm which is used in ourproposal is the ID-based signature algorithm Becauseblock authentication tags for the data file can be producedin the off-line phase it has a little influence on the wholeprotocol
In auditing the verification phase the computationalcost mainly comes from verifying proof information It isdetermined by the numbers of the challenge data blocks Forour construction to check the validity of proving in-formation the auditor requires 3pairing+ c Hash + (c+ 2)Mul_G_1 however in the other two proposals the TPAneeds to execute 3Pairing+ 2MulG1 and 5Pairing+ (c+ 2)MulG1 + c Hash to check the integrality of the stored file incloud respectively where c expresses the size of the chal-lenge subset In Table 2 we give their comparison ofcomputational time in the different challenge subset
According to Table 2 we infer that the proposal in [16] isthe most efficient Our proposal is slightly more efficientthan the proposal in [15] However the proposal in [16] isshown to be insecure and its detail attack is shown inAppendix At the same time we also find that the TPArsquoscomputational costs grow linearly with the size of thechallenge subset
52 Communication Cost In a data audit system com-munication costs mainly come from two aspects On theone hand it is from the outsource phase of the datafile onthe other hand it is from the auditing phase In the out-source phase data owner uploads data file and the cor-responding meta-authentication tags As far as ourproposal the data owner wants to upload (n + 1)|G_1| + |M|bits to cloud storage server however in the proposals[15 16] the data owner wants to upload (n + 3)|G_1| + |M|bits and 2n middot |G_1| + |M| bits respectively Here |G_1|represents the bit length of an element of group G1 |M|denotes the bit length of data file and n is the number ofdata blocks
In the auditing phase communication costs are mainlyfrom the challenge information and proving informationtransmitting between the TPA and cloud storage servers Inour scheme the challenge information Chall is |Z_q| + |I|bits proving information is 3middot|G_1| bits and thus the totalcommunication overhead is |Z_q| + |I| + 3middot|G_1| bits where|Z_q| represents the bit length of an element in group Zqand |I| is the size of the challenge subset In the proposal[16] the total communication cost is 2|Z_q| + |I| + 2middot|G_1|bits in the auditing phase in the proposal [15] the totalcommunication costs is (2 + |I|)|Z_q| + |I| + 5middot|G_1| bits inthe auditing phase -eir comparison in detail is shown inTable 3
As shown in Table 3 our scheme has the least com-munication overhead among three schemes
53 Security Comparison According to 0eorem 1 weknow that our scheme is provably secure against thevicious cloud server in the computational DiffiendashHellman assumption and it has tight security reductionFor Yu et alrsquos proposal in [15] their proposal is alsoprovably secure against the vicious cloud server underthe CDH assumption However for Zhang and Dongrsquos
1800
1600
1400
1200
1000
800
600
400
200
Com
puta
tion
time (
ms)
Different block numbers
Our schemeZhang schemeYu scheme
00 50 100 150 200 250 300 350 400
Figure 3 Computational cost of authentication tag generation fordifferent block numbers
Table 2 Comparison of computation time in the auditing phase
Scheme-e number of the challenged blocksc 300 c 460 c 1000
Computation time inYu et alrsquos scheme (s) 0644 09733 231
Computation time inZhang et alrsquos scheme (s) 0109 0161 0333
Computation time inour scheme (s) 0616 09367 202
Journal of Healthcare Engineering 7
proposal [16] it is shown to be insecure against thevicious cloud server attack A vicious cloud server iscapable of deleting the whole file without being con-scious of the TPA and the detail security analysis is givenin Appendix
6 Conclusion
In this work we present a novel identity-based public auditsystem by merging the homomorphic authenticationtechnique in the ID-based cryptography into the auditsystem Our proposal overcomes the security problem andefficiency problems which have existed in the ID-basedpublic audit systems Finally the proposal is proven to besecure their security is tightly relevant to the classical CDHsecurity assumption By compared with two efficient ID-based schemes our scheme outperforms those two ID-based schemes under the condition of overall consideringcomputation complexity communication overhead andsecurity
Appendix
For a vicious s cloud storage server its attack is conducted asfollows
(1) Suppose that FM is an outsourced file It is firstlypartitioned into n blocks ie FM m1 mnAnd πi (δi Ri) is a meta-authentication signatureof each block mj for j 1 n
(2) For a vicious cloud storage cloud it calculateshi H2(miIDRi0) 1le ile n
(3) Subsequently it uniformly samples a numberra isin Zq to compute 1113954Ri miRi + ramiP and 1113954δi δi +
ramiT for i 1 2 n And delete all data blocksmi from the cloud server for i 1 n
(4) After the challenge information Chall (ρ I) isreceived the vicious remote server in cloud firstlycalculates vi ρi mod q for i isin I
(5) -en it calculates δlowast 1113936iisinIvi1113954δi hlowast 1113936iisinIvihi and
Rlowast 1113936iisinIvi middot 1113954Ri Note that hi has been calculated instep 2
(6) -e forged proof information is Prflowast (δlowast hlowast Rlowast)Since the forged proof information satisfies therelation
e δlowast P( 1113857 e 1113944iisinI
υiδi + υiraT( 1113857 P⎛⎝ ⎞⎠
e⎛⎝ 1113944iisinI
υi rimiT + hiDID0 + hprimeiDID1( 1113857
+ υiramiT P⎞⎠
e1113888 1113944iisinI
υi rimiT + ramiT( 1113857 P1113889
middot e 1113944iisinI
υi hiDID0 + hprimeiDID1( 1113857 P⎛⎝ ⎞⎠
e T 1113944iisinI
υi ri + ra( 1113857miP⎛⎝ ⎞⎠
middot e 1113944iisinI
υihi( 1113857DID0 + 1113944iisinI
υihprimei( 1113857DID1⎛⎝ ⎞⎠ P⎛⎝ ⎞⎠
e T Rlowast
( 1113857 middot e hlowastDID0 + hprimelowast1113872 1113873DID11113872 1113873 P1113872 1113873
(A1)
Conflicts of Interest
-e authors declare that they have no conflicts of interest
Acknowledgments
We would like to thank the anonymous referees for theirinvaluable suggestions in TrustCom2016 -is research wassupported by the Beijing Municipal Natural ScienceFoundation (no 4162020) Guangxi Key Laboratory ofCryptography and Information Security (no GCIS201710)and Research Fund of Guangxi KeyLab of Multi-SourceInformation Mining amp Security (no MIMS16-01)
References
[1] E-C Chang and J Xu ldquoRemote integrity check with dis-honest storage serverrdquo in Proceedings of European Symposiumon Research in Computer Security (ESORICSrsquo08) pp 223ndash237Malaga Spain October 2008
[2] A Juels and B S Kaliski Jr ldquoPors proofs of retrievability forlarge filesrdquo in Proceedings of 14th ACM Conference on
Table 3 Comparison of communication overhead and security among three schemes
Scheme Challenge information (bits) Proof information (bits) Total (bits) SecurityZhang et alrsquos scheme |I| + |Zq| |Zq| + 2|G1| 2|Zq| + 2|G1| + |I| NoOur scheme |I| + |Zq| 3|G1| |Zq| + 3|G1| + |I| YesYu et alrsquos scheme |I||Zq| + |I| + 2|G1| 2|Zq| + |I| + 3|G1| (2 + |I|)|Zq| + 3|G1| + |I| Yes
8 Journal of Healthcare Engineering
Computer and Communications Security (CCSrsquo07) pp 584ndash597 Alexandria VA USA October-November 2007
[3] S G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrustedstoresrdquo in Proceedings of 14th ACMConference on Computer and Communications Security(CCSrsquo07) pp 598ndash609 Alexandria VA USA October-November 2007
[4] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings ofInternational Conference on 0eory and Application ofCryptology and Information Security Advances in Cryptologypp 319ndash333 Tokyo Japan December 2009
[5] J Zhang W Tang and J Mao ldquoEfficient public verificationproof of retrievability scheme in cloudrdquo Cluster Computingvol 17 no 4 pp 1401ndash1411 2014
[6] H Wang ldquoIdentity-based distributed provable data posses-sion in multicloud storagerdquo IEEE Transactions on ServicesComputing vol 8 no 2 pp 328ndash340 2015
[7] J Zhang and H Meng ldquoComment on id-based remote dataintegrity checking with data privacy preservingrdquo IOP Con-ference Series Materials Science and Engineering vol 231article 012006 2017
[8] C Liu R Ranjan C Yang X Zhang L Wang and J ChenldquoMuR-DPA top-down levelled multi-replica Merkle Hashtree based secure public auditing for dynamic big data storageon cloudrdquo IEEE Transactions on Computers vol 64 no 9pp 2609ndash2622 2015
[9] N Kaaniche A Boudguiga and M Laurent ldquoID-basedcryptography for secure cloud data storagerdquo in Proceedingsof IEEE Sixth International Conference on Cloud Computingpp 375ndash382 Santa Clara CA USA 2013
[10] F Sebe J Domingo-Ferrer A Martnez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEETransactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008
[11] H Shacham and B Waters ldquoCompact proofs of retriev-abilityrdquo in Proceedings of International Conference on the0eory and Application of Cryptology and Information Se-curity (ASIACRYPTrsquo08) pp 90ndash107 Melbourne VIC Aus-tralia December 2008
[12] K Ren C Wang and Q Wang ldquoSecurity challenges for thepublic cloudrdquo IEEE Internet Computing vol 16 no 1pp 69ndash73 2012
[13] H Wang Q Wu B Qin and J Domingo-Ferrer ldquoIdentity-based remote data possession checking inpublic cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014
[14] M A Shah M Baker J C Mogul and R SwaminathanldquoAuditingto keep online storage services honestrdquo in Pro-ceedings of 11th USENIXWorkshop on Hot Topics in OperatingSystems (HOTOSrsquo07) G C Hunt Ed San Diego CA USAMay 2007
[15] Y Yu Y Zhang Y Mu W Susilo and H Liu ldquoProvablysecure identity based provable data possessionrdquo in Pro-ceedings of International Conference on Provable Security(ProvSec 2015) pp 310ndash325 Kanazawa Japan November2015
[16] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciencesvol 343-344 pp 1ndash14 2016
[17] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedings ofIEEE Conference on Computer Communications (INFOCOM2013) pp 2904ndash2912 Turin Italy April 2013
[18] Q Wang C Wang K Ren W Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011
[19] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of IEEE Conference on Computer Communi-cations (INFOCOM 2010) pp 525ndash533 San Diego CA USAMarch 2010
[20] C Wang K Ren W Lou and J Li ldquoToward publicly au-ditable secure cloud data storage servicesrdquo IEEE Networkvol 24 no 4 pp 19ndash24 2010
[21] httpslibrariesdocsmiraclcommiracl-explainedwhat-is-miracl
[22] C Gritti W Susilo and T Plantard ldquoEfficient file sharing inelectronic health recordsrdquo in Proceedings of InternationalConference on Information Security Practice and Experience(ISPEC 2015) LNCS vol 9065 pp 499ndash513 Beijing ChinaMay 2015
Journal of Healthcare Engineering 9
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
expect that the stored data integrality can be periodicallychecked to avoid the damage of the stored data Howeverfor the individuals one of the greatest challenges is how tocarry out the termly data integrality detection when theindividuals have the copy of local files Meanwhile themethod is also infeasible to conduct data integralityverification for a source-limited individual though re-trieving the total data file
To deal with the above issue many specialists hadpresented a number of problem-solving methods which aimat the diverse systems and diverse security models in [1ndash20]Nevertheless most existing problem-solving methods hadbuilt on public key infrastructure (for short PKI) As ev-eryone knows that the PKI-based auditing proposals existcomplex key management problem data client needs toconduct key updating key revocation and key maintainingand so on Hence the key management and certificateverification in the PKI-data auditing system will be a trou-blesome issue Furthermore PKC also needs more storagespace than the individual ID since key pair (PK sk) needs tobe locally kept For a verifier to guarantee data integrality itmust firstly extract PKC from public key directory and thenverify whether public key certificate (for short PKC) is valid-erefore it also increases computation burden and com-munication overhead for the verifier
In 2014 the first so-called ID-based data integralityproposal was proposed by Wang et al [13] Strictly speakingtheir proposal is not a kind of identity-based auditing onebecause the algorithm to generatemetadata authentication tagis not an idenity-based algorithm but a PKC-based one In2015 Yu et al put forward a generic method of constructingidentity-based public auditing system by integrating theidentity-based signature algorithm with traditional PDPprotocols in [15]-eir research is very significant on studyingthe ID-based public auditing system However in theirscheme the algorithm to produce metablock authenticationtag is still to adopt a PKI-based one Furthermore in theauditing phase the auditor firstly verifies the validity of anidentity-based signature on a public key PK and then itexecutes data integrity verificationby using this public key PKagain which increases the computation burden of the auditorIn 2016 Zhang and Dong brought forward a novel identity-based public auditing proposal in [16] -e proposal is theidentity-based public auditing system from the literal sensesince their algorithm to produce metadata authentication tagis the ID-based signature algorithm However their scheme isshown to be insecure in Appendix
To increase efficiency and strengthen the security of ID-based auditing protocols in this work a secure and efficientID-based auditing construction is proposed For our con-struction its original contributions are as follows
(1) On the basis of the idea of homomorphic signature inID-based setting we devise an authentic identity-based auditing proposal of data integrality -eproposal can not only avoid the key managing butalso relieve the auditorrsquos burden
(2) In auditing the phase our scheme has constantcommunication overhead Compared with the two
schemes [15 16] our proposal has more advantageswith regard to computational cost and communi-cation cost
(3) In the random oracle model the proposed proposalhas serious security proof and the correspondingproof can be tightly reduced to the CDHmathematicproblem
2 Architecture and Security of System
In the following chapter in order to better understand ourID-based data integrality auditing protocol (ID-DIAP forshort) we firstly give a description of the system model andafterwards the security model of our ID-DIAP for cloudstorage is defined
21 System Architecture For our ID-DIAP system in cloudthe architecture is composed of four entities privacy keygenerator (for short the PKG) the third party verifierauditor(for short the TPA) cloud servers and data user -e wholesystematic architecture is demonstrated in Figure 1
To avoid biases in the auditing process the TPA isrecommended to implement the audit function in oursystem model Detail function of each role in system ar-chitecture is described as below
(i) Data User It acts as a cloud user and possessesa number of files which need to be uploaded to theremote cloud server without local data copyGenerally speaking data user may be a resource-limited entity due to the limited capability of storingand computing And it can flexibly access at anytime and share the outsourced data
(ii) Cloud Servers -ey are composed of a group ofdistributed servers and have tremendous capabilityof storing and computing Furthermore it is an-swerable to save and maintain the stored files incloud Nevertheless the cloud server might be un-trusted and for its own profits and a good com-mercial reputation it might conceal data corruptionincidents for its cloud users
(iii) 0e 0ird Auditor It acts as a verifier of data in-tactness In principle it has professional experienceand practical capability to take charge data in-tegrality audit in the person of cloud usersdatausers
(iv) 0e PKG It is a trusted entity and is duty bound tobuild up system parameters and to calculate privacykey of every cloud user
For a cloud-based storing system its goals are to alleviatethe burden of data storage and maintaining of cloud usersNevertheless after data are uploaded to the remote sever incloud it might lead to a potential security problem since theuploaded data have been out of control for the data user andthe remote server in cloud is generally unreliable Data usermight concern whether the stored files in cloud are intact-us the data user wants some security measures to ensure
2 Journal of Healthcare Engineering
that the integrality of the outsourced data is examinedregularly without a local copy
Definition 1 (identity-based data integrity auditingprotocol ID-DIAP) In general an ID-DIAP system con-tains the three stages
(1) System Initialization Phase In this phase the PKG isduty bound to produce system parameters -ere-fore it runs Setup(1k) algorithm to obtain systemparameters Para the PKGrsquos key pair (mpk mpsk) byinputting λ which is a safety parameter On thecontrary the PKG also invokes KeyExtr(1λ Parampsk ID) algorithm to calculate privacy key skID forthe data user with identity ID by inputting its mpskand Para as well as the identity ID of the data user
(2) Data Outsourcing Phase In this phase for the dataowner (data user) it runs TagGen(M skID) to generatemetadata authentication tag δi on each data block mi
by inputting its private key skID and the outsourcedfile M where M m1 mn Finally it uploadsmetadata authentication tags δ δ1 δn1113864 1113865 to thecloud server
(3) Data Auditing Phase -is phase is divided into threesubphases Challenging Proof and Verifying Firstlythe auditor runs algorithm Challenging(Minfo) tocalculate Chall as the challenged information AfterreceivingChall the cloud server runs Proof(M δ andChall) to calculate Prf as proving information thenreturns Prf to the auditor At last the auditor invokesthe algorithm Verifying(Chall Prf mpk and Minfo)to test whether the returned proving information Prfis valid
22 Different Types of Attack and Security Definition In thesubsection we will analyze that our ID-DIAP system may be
confronted with diverse attacks in light of the behavior ofevery role in the system architecture In our system archi-tecture the PKG is the privacy key generator which cal-culates data userrsquos privacy key In general it is a credibleauthority We assume that the PKG does not launch anysecurity attack to the other entities in the whole systemmodel For the third auditor it is deemed to be an honest-but-curious entity and can earnestly execute every step in theauditing course And cloud server is considered to be un-reliable It might deliberately delete or alter rarely accesseddata files for saving storage space It is a powerful insideattacker in our security model And the goal of the attacker isto tamper and replace the stored data without being foundby the auditor Because the cloud server is a powerful at-tacker in our security model we mainly consider the attacks[7] which are launched by the cloud server in this paper
221 Forge Attack -e vicious cloud server may producea forged meta-authentication signature on a new data blockor fabricate the fake proving information Prf to deceive theauditor by satisfying the auditing verification
222 Replace Attack If a certain data block in the challengeset was corrupted the vicious cloud server would selectanother valid pair (mi δi) of data block and authenticationtag to substitute the corrupted pair (mj δj) of data block anddata tag
223 Replay Attack It is an efficient attack With respect tothe vicious storage server in cloud it might produce thenew proof information Prflowast without retrieving the challengedata of the auditor though realizing the former provinginformation Prf
Cloud storage service
Data owner
The third auditor
Security
data flo
w
Security data flow
Security data flow
Private key generator
Key
gene
ratio
n
Data flow
Figure 1 ID-based data storage model in cloud
Journal of Healthcare Engineering 3
3 Our Public Auditing Construction
In the following we will give the description of our ID-DIAPsystem It contains four entities the PKG cloud server datauser and TPA And the whole system is composed of fivePPT algorithms As for every entity and all algorithms thediagram of the framework is represented in Figure 2 Toclearly describe our protocol the algorithms are given indetail below
31 Setup For the sake of enhancing readability somenotations used in our ID-DIAP system are listed in Table 1
-e PKG makes use of a parameter λ as an input andgenerates two cyclic groups G1 and GT -e two groupshave the identical prime order qgt 2k And let P and T
be two generators of group G1 where they satisfy PneTAnd define a bilinear pairing map e G1 times G1rarrGT Next itchooses two map-to-point cryptographic hash functionsH0 1 0 lowast rarrG1 and H1 1 0 lowast rarrG1 and a resistant-collision hash function H2 G1 times 1 0 lowast rarrZq And thePKG randomly chooses s isin Zq as its master privacy keycalculates Ppub sP as its public key At last public pa-rameters Para are published as below
Para G1 GT q e P T H0 H1 H2 Ppub1113872 1113873 (1)
And the PKG needs its master privacy key s to be secretlykept
32 Key Extraction For a data user to produce its privacykey it delivers its identification ID to the PKG Sub-sequently the PKG utilizes its master privacy key s and ID toimplement the following process
(1) Firstly the data user delivers its identity informationID to the PKG
(2) Next the PKG generates (DID0 DID1) data userrsquosprivacy key where
DID0 sH0(ID0)
DID1 sH0(ID1)(2)
And then it goes back(DID0 DID1) to the data userthrough a secret and secure channel
(3) Upon receiving the private key (DID0 DID1) this datauser is able to test whether its privacy key is validthrough the following equations
e Ppub H0(ID0)1113872 1113873 e P DID0( 1113857
e Ppub H0(ID1)1113872 1113873 e P DID1( 1113857(3)
33TagGenPhase For the upload data file M firstly data fileM is divided into n blocks by the data user namelyM m1m2 mn To outsource this file M to the cloudthe data user needs to randomly choose a pair (xID YID)which is a private-public key pair of a secure signature al-gorithm 1113936 (SigVer) for example BLS short signature
Let Name denote the identifier of data file M and then itcalculates the file authentication tag τ τ0 1113936 middotSig(xID τ0)where 1113936 middotSig(xID τ0) denotes a secure signature on τ0 andτ0 denotes an information string τ0 ldquoNamenrdquo
Subsequently the data user needs to generate metadataauthentication tag on the data block To compute blockauthentication tags on all data blocks mi1113864 1113865 i 1 2 n thedata user uniformly samples r isin Zq to calculate R rP
Next for i 1 to n it calculates metadata authenticationtag for data block mi by the following steps
(1) First of all it calculates
hi H2 Indexi
IDR01113872 1113873 (4)
(2) And then it makes use of its private key (DID0 DID1)to compute
δi rH1 Indexi
Name1113872 1113873 + hiDID0 + miDID1 (5)
(3) For data block mi the resultant authentication tag ofthe data block is θi (R δi)
At last the data user needs to upload all the meta-authentication tags (τ R δi1113864 1113865 i 1 2 n ) and the out-sourced file M to the remote server in cloud
PKG1 Setup
2 Register ID
Data owner4 Generate tag
(δ1hellipδn)
3 Produceskd = (D0 D1)
Cloudserver
6 Store datafile and
tags
5 Upload (δ1hellipδn) and data file M
The thirdauditor
9 Verifying phase
7 Challenge phase
8 Prove phase
Figure 2 -e relationship of the entities and algorithms
Table 1 Notations in our ID-DIAP system
Symbol MeaningK A security parameterH0 H1 H2 -ree hash functionsS -e master key of the PKGT A random generator of group G1Prf -e proof informationChall -e challenge informationQ A large prime numberGT A multiplicative group with the order qG1 An additive group with the order qE A bilinear pairing|I| -e number of elements in set I
4 Journal of Healthcare Engineering
On obtaining all the aforementioned data (τ R
δj1113966 1113967 j 1 2 n1113864 1113865) the cloud server needs to execute thefollowing validation procedure
For i 1 to n it verifies the relation
e δi P( 1113857 e H1 Indexi
Name1113872 1113873 R1113872 1113873e hiQ0 + miQ1 Ppub1113872 1113873
(6)
where Q1 H0(ID1) and Q0 H0(ID0) If all relationshold then it parses τ into τ0 and 1113936 middotSig(xID τ0) and verifiesthe validity of signature
1113944 middotVer 1113944 middotSig xID τ0( 1113857 τ0 YID1113872 1113873 1 (7)
If it is also valid then the cloud server preserves thesedata in cloud
34ChallengePhase To audit the integrality of the outsourcedfile M firstly the TPA parses τ into τ0 and 1113936 middotSig(xID τ0)and verifies 1113936 middotVer(1113936 middotSig(xID τ0) τ0 YID) 1 If it does nothold then terminate it Otherwise it retrieves the corre-sponding file identifier name and block size n
Later on the auditor picks a subset Isube[1 n] randomlywhere |I| l and ρ isin Zq to generate a challenge information
Chall ρ I1113864 1113865 (8)
Finally it delivers Chall to the cloud server as thechallenge
35 Proving Phase After obtaining the correspondingchallenge information Chall I ρ1113864 1113865 for i isin 1 |I| cloud server calculates vi ρimodq and then it producesa set Q i vi1113864 1113865 iisinI
Subsequently in light of the outsourced data file M
m1 mn1113864 1113865 and meta-authentication tag θi of each blocki isin 1 2 n it produces as follows
δ 1113944jisinI
vj middot δj
μ 1113944jisinI
vj middot mj(9)
Finally the cloud storage server goes back 3-tuple Prf
(δ μ R) to the auditor as the corresponding proofinformation
36 Verifying Phase To check the outsourced datarsquos in-tegrality in cloud after receiving the responded proof in-formation Prf (δ μ R) the third auditor calculates asbelow
h 1113944iisinI
vi middot hi
H 1113944iisinI
vi middot H1 Indexi
Name1113872 1113873(10)
where hi H2(indexiIDR0) for i isin I
-en it checks the validity of the following equation
e(δ P) e(H R)e hQ0 + μ middot Q11113872 1113873 (11)
If the aforementioned Equation (11) satisfies then theTPA outputs VerifyRes as true if not it outputs VerifyReS asfalse
4 Security Analysis
To show our proposalrsquos security we will demonstrate thatour proposal is proven to be secure against the above threeattacks
Theorem 1 Assume there exists a PPTadversary Adv that isprobabilistic polynomial-time attacker (for shot PPT) and cancheat the auditor using invalid proving information Prf whichis forged by the adversary Adv (the dishonest cloud storageserver) in a nonignorable probability ε then we are able todesign an algorithm $B$ that can efficiently break the CDHassumption by invoking Adv as subprogram
Proof Let us suppose that a PPT adversary Adv is capableto calculate a faked proving information Prf after the datablocks or metadata authentication tags are corruptedthen we are capable of constructing another a PPT algo-rithm B which is capable of breaking the CDH assumptionby utilizing the adversary Adv First of all let a 3-tuple(P aP bP) isin G1 be a CDH assumptionrsquos random instance itis hard to obtain the solution abP
To show the security proof hash functionH0 in the gameis regarded as random oracle and identity ID of each datauser is only made H0-query once For H1 and H2 they onlyact as one-way functions In addition the adversary Adv iscapable of adaptively issuing the queries to three oraclesH0-oracle Key-Extract oracle and TagGen oracle
Setup Choose two cyclic groups G1 and GT and their ordersare the same prime number q -e algorithm B firstly setsPpub aP as the public key of the PKG Let H0 H1 and H2be three hash functions Finally it sends public systemparameters (G1 GT P T q Ppub e H0 H1 H2) to the ad-versary Adv And let jlowast isin 1 qH01113864 1113865 be a challengedidentity index of the data user
H0-Hash Oracle -e adversary Adv submits a queryto H0-oracle with an identity IDi If the index of identityIDi satisfies ine jlowast then the challenger B picks ti0 ti1 isin Zq
randomly to set up H0(IDi0) ti0P hi0 and H0(IDi1)
ti1P hi1 Otherwise the challenger B uniformly samplestlowast1 and tlowast0 from Zq to set up
hi0 H0 IDi
01113872 1113873 tlowast0bP
hi1 H0 IDi
11113872 1113873 minustlowast1bP(12)
In the end the 5-tuple (IDi hi0 hi1 ti0 ti1) is added in theH0-list being initially empty
Journal of Healthcare Engineering 5
Key Extraction Oracle For a key extraction query Advsubmits an identity information IDi to key extraction oracleTo response it the challenger B calculates the following
(1) If the identity index of IDi satisfies ine jlowast then B
looks for 5-tuple (hi0 hi1 IDi ti0 ti1) in the H0-listIf it exists B sends Di0 ti0aP Di1 ti1aP to theadversary Adv otherwise it implicitly queriesa H1-Oracle with identity IDi
(2) Otherwise B terminates it
TagGen Oracle If the adversary Adv submits 3-tuple (MIDi Name) to TagGen Oracle for authentication tag querywhere M m1 mn and Name is the file identifier ofdata file M To response it the challenge B calculates thefollowing
(1) First of all it searches the H0-list to check if IDiexists If it is then the corresponding 5-tuple(hi0 hi1 IDi ti0 ti1) in the H0-list is returned Oth-erwise B needs to query H0-Oracle with identityinformation IDi
(2) If the identity index satisfies i jlowast then the chal-lenge B aborts it Otherwise it produces authenti-cation tags on data file M by the following process
(a) Firstly for file identifier ldquoNamerdquo it picksrname isin Zq randomly to calculate Rname rnameP
(b) Next for l 1 to n it calculates
hil H2 Indexl
IDi
Rname111396701113874 1113875 (13)
And then for l 1 to n B calculates data block m1rsquosauthentication tag as
δil rname middot H1 Indexi
Name1113872 1113873 + hilti0 + mlti1( 1113857Ppub
(14)
and adds (IDi Rname ml δil1113864 1113865 1le lle n ) to the Tag list whichis initially empty
(3) Finally it returns (IDi Rname ml δil1113864 1113865 1le lle n ) tothe adversary Adv
Output In the end for a challenge information (i vi)1113864 1113865 i isin Ithe adversary Adv outputs a fake proving information(δlowast μlowast Rlowast) on data userrsquos the corrupted file Mlowast in a non-neglected probability ε where the data userrsquos identity is IDlowastAdv wins this security game if and only if the followingconstraint condition holds
(1) IDlowast IDj
(2) Prf prime (δlowast Rlowast) can pass verification equation (11)(3) Prf prime ne Prf where Prf (δ R μ) should be a legiti-
mate proving information for the challenge in-formation (i vi) i isin I and the data file M whichsatisfies Mprime neM
When the adversary Adv wins this game then we arecapable of obtaining the following
e δlowast P( 1113857 e H Rlowast
( 1113857e 1113954hlowast
middot QIDj0 + μlowastQIDj1 Ppub1113872 1113873
e(δ P) e(H R)e 1113954h middot QIDj0 + μQIDj1 Ppub1113872 1113873(15)
where 1113954h 1113936iisinIviH2(IndexiRlowastIDj0) and hlowast 1113936iisinIviH2(IndexiRlowastIDj0) because 1113954H 1113936iisinIvi middot H1(IndexiName)is computed by the verifier and for the same data fileR Rlowast
and hlowast h -us we have
e δ minus δlowast( 1113857 e Ppub μminus μlowast( 1113857QIDj1113872 1113873
dArr
e δ minus δlowast( 1113857 e aP μminus μlowast( 1113857 minustlowast1( 1113857bP( 1113857
dArr
abP 1
μminus μlowast( 1113857 middot tlowast1δ minus δlowast( 1113857
(16)
It indicates that the CDH assumption is able to bebroken with nonneglected probability εprime Apparently it isimpossible since it is a hard problem to solve the CDHproblem
Theorem 2 For a malicious cloud server its replay attack inour proposed auditing proposal can efficiently be resisted
Proof -e proof in detail is very alike with the security proofin [16] Hence it is left out due to the limited space
5 Performance Evaluation
To efficiently evaluate our proposalrsquos performance in thefollowing part we show that our proposal is efficient bycomparing with Yu et alrsquos proposal [15] and Zhang andDongrsquos proposal [16] in the light of computational cost andcommunication overhead where Zhang and Dongrsquos pro-posal [16] which is the state-of-the-art identity-basedpublic auditing schemes in the aspect of communicationoverhead
51 Computation Costs To evaluate the computation costsof our proposal we would like to contrast our proposalwith Zhang and Dongrsquos proposal [16] and Yu et alrsquosproposal [15] since the two schemes are recent two efficientID-based public auditing schemes We emulate the oper-ators adopted in the three schemes on an HP-laptopcomputer with an Intel-Core i3-6500 CPU at 24 GHzprocessor and 8GB RAM and all algorithms are imple-mented using the MIRACL cryptography library [21 22]which is used for the ldquoMIRACL-Authentication Server-Project Wikirdquo by Certivox We employ a Super-singularelliptic curve over field GFp which has the 160-bit modulusp and a 2-embedding degree Moreover in our experi-ments the whole statistical results are from the mean valuesof 10 simulation trials
6 Journal of Healthcare Engineering
For explicit demonstration we use MulG1 to denotepoint multiplication operation and let Hash and Pairing beone hash-to-point operation from Zq to G1 and a bilinearpairing operation respectively For a public auditing pro-tocol the computational cost in the TagGen phase is mainlydetermined by computation of producing block authenti-cation tags To outsource a data file the data user requires(3n+ 1) MulG1 + n hash to produce block authentication tagin our construction in Yu et alrsquos proposal and Zhang et alrsquo sproposal each data user needs (n+ 1)Hash + (2n+ 2) MulG1and 4n MulG1 to calculate metablock authentication tagrespectively where n is the numbers of data block InFigure 3 we show the simulation result of generating theblock authentication tag for the size of diverse data blockswith the identical data file
From Figure 3 we can know that in the TagGen phaseZhang et alrsquos proposal is the most time-consuming andYu et alrsquos proposal is the most efficient Our proposal isslightly slower than Yu et alrsquos one since the algorithm toproduce the block authentication tag is a public keycertificate-based signature algorithm in Yu et alrsquos pro-posal however the algorithm which is used in ourproposal is the ID-based signature algorithm Becauseblock authentication tags for the data file can be producedin the off-line phase it has a little influence on the wholeprotocol
In auditing the verification phase the computationalcost mainly comes from verifying proof information It isdetermined by the numbers of the challenge data blocks Forour construction to check the validity of proving in-formation the auditor requires 3pairing+ c Hash + (c+ 2)Mul_G_1 however in the other two proposals the TPAneeds to execute 3Pairing+ 2MulG1 and 5Pairing+ (c+ 2)MulG1 + c Hash to check the integrality of the stored file incloud respectively where c expresses the size of the chal-lenge subset In Table 2 we give their comparison ofcomputational time in the different challenge subset
According to Table 2 we infer that the proposal in [16] isthe most efficient Our proposal is slightly more efficientthan the proposal in [15] However the proposal in [16] isshown to be insecure and its detail attack is shown inAppendix At the same time we also find that the TPArsquoscomputational costs grow linearly with the size of thechallenge subset
52 Communication Cost In a data audit system com-munication costs mainly come from two aspects On theone hand it is from the outsource phase of the datafile onthe other hand it is from the auditing phase In the out-source phase data owner uploads data file and the cor-responding meta-authentication tags As far as ourproposal the data owner wants to upload (n + 1)|G_1| + |M|bits to cloud storage server however in the proposals[15 16] the data owner wants to upload (n + 3)|G_1| + |M|bits and 2n middot |G_1| + |M| bits respectively Here |G_1|represents the bit length of an element of group G1 |M|denotes the bit length of data file and n is the number ofdata blocks
In the auditing phase communication costs are mainlyfrom the challenge information and proving informationtransmitting between the TPA and cloud storage servers Inour scheme the challenge information Chall is |Z_q| + |I|bits proving information is 3middot|G_1| bits and thus the totalcommunication overhead is |Z_q| + |I| + 3middot|G_1| bits where|Z_q| represents the bit length of an element in group Zqand |I| is the size of the challenge subset In the proposal[16] the total communication cost is 2|Z_q| + |I| + 2middot|G_1|bits in the auditing phase in the proposal [15] the totalcommunication costs is (2 + |I|)|Z_q| + |I| + 5middot|G_1| bits inthe auditing phase -eir comparison in detail is shown inTable 3
As shown in Table 3 our scheme has the least com-munication overhead among three schemes
53 Security Comparison According to 0eorem 1 weknow that our scheme is provably secure against thevicious cloud server in the computational DiffiendashHellman assumption and it has tight security reductionFor Yu et alrsquos proposal in [15] their proposal is alsoprovably secure against the vicious cloud server underthe CDH assumption However for Zhang and Dongrsquos
1800
1600
1400
1200
1000
800
600
400
200
Com
puta
tion
time (
ms)
Different block numbers
Our schemeZhang schemeYu scheme
00 50 100 150 200 250 300 350 400
Figure 3 Computational cost of authentication tag generation fordifferent block numbers
Table 2 Comparison of computation time in the auditing phase
Scheme-e number of the challenged blocksc 300 c 460 c 1000
Computation time inYu et alrsquos scheme (s) 0644 09733 231
Computation time inZhang et alrsquos scheme (s) 0109 0161 0333
Computation time inour scheme (s) 0616 09367 202
Journal of Healthcare Engineering 7
proposal [16] it is shown to be insecure against thevicious cloud server attack A vicious cloud server iscapable of deleting the whole file without being con-scious of the TPA and the detail security analysis is givenin Appendix
6 Conclusion
In this work we present a novel identity-based public auditsystem by merging the homomorphic authenticationtechnique in the ID-based cryptography into the auditsystem Our proposal overcomes the security problem andefficiency problems which have existed in the ID-basedpublic audit systems Finally the proposal is proven to besecure their security is tightly relevant to the classical CDHsecurity assumption By compared with two efficient ID-based schemes our scheme outperforms those two ID-based schemes under the condition of overall consideringcomputation complexity communication overhead andsecurity
Appendix
For a vicious s cloud storage server its attack is conducted asfollows
(1) Suppose that FM is an outsourced file It is firstlypartitioned into n blocks ie FM m1 mnAnd πi (δi Ri) is a meta-authentication signatureof each block mj for j 1 n
(2) For a vicious cloud storage cloud it calculateshi H2(miIDRi0) 1le ile n
(3) Subsequently it uniformly samples a numberra isin Zq to compute 1113954Ri miRi + ramiP and 1113954δi δi +
ramiT for i 1 2 n And delete all data blocksmi from the cloud server for i 1 n
(4) After the challenge information Chall (ρ I) isreceived the vicious remote server in cloud firstlycalculates vi ρi mod q for i isin I
(5) -en it calculates δlowast 1113936iisinIvi1113954δi hlowast 1113936iisinIvihi and
Rlowast 1113936iisinIvi middot 1113954Ri Note that hi has been calculated instep 2
(6) -e forged proof information is Prflowast (δlowast hlowast Rlowast)Since the forged proof information satisfies therelation
e δlowast P( 1113857 e 1113944iisinI
υiδi + υiraT( 1113857 P⎛⎝ ⎞⎠
e⎛⎝ 1113944iisinI
υi rimiT + hiDID0 + hprimeiDID1( 1113857
+ υiramiT P⎞⎠
e1113888 1113944iisinI
υi rimiT + ramiT( 1113857 P1113889
middot e 1113944iisinI
υi hiDID0 + hprimeiDID1( 1113857 P⎛⎝ ⎞⎠
e T 1113944iisinI
υi ri + ra( 1113857miP⎛⎝ ⎞⎠
middot e 1113944iisinI
υihi( 1113857DID0 + 1113944iisinI
υihprimei( 1113857DID1⎛⎝ ⎞⎠ P⎛⎝ ⎞⎠
e T Rlowast
( 1113857 middot e hlowastDID0 + hprimelowast1113872 1113873DID11113872 1113873 P1113872 1113873
(A1)
Conflicts of Interest
-e authors declare that they have no conflicts of interest
Acknowledgments
We would like to thank the anonymous referees for theirinvaluable suggestions in TrustCom2016 -is research wassupported by the Beijing Municipal Natural ScienceFoundation (no 4162020) Guangxi Key Laboratory ofCryptography and Information Security (no GCIS201710)and Research Fund of Guangxi KeyLab of Multi-SourceInformation Mining amp Security (no MIMS16-01)
References
[1] E-C Chang and J Xu ldquoRemote integrity check with dis-honest storage serverrdquo in Proceedings of European Symposiumon Research in Computer Security (ESORICSrsquo08) pp 223ndash237Malaga Spain October 2008
[2] A Juels and B S Kaliski Jr ldquoPors proofs of retrievability forlarge filesrdquo in Proceedings of 14th ACM Conference on
Table 3 Comparison of communication overhead and security among three schemes
Scheme Challenge information (bits) Proof information (bits) Total (bits) SecurityZhang et alrsquos scheme |I| + |Zq| |Zq| + 2|G1| 2|Zq| + 2|G1| + |I| NoOur scheme |I| + |Zq| 3|G1| |Zq| + 3|G1| + |I| YesYu et alrsquos scheme |I||Zq| + |I| + 2|G1| 2|Zq| + |I| + 3|G1| (2 + |I|)|Zq| + 3|G1| + |I| Yes
8 Journal of Healthcare Engineering
Computer and Communications Security (CCSrsquo07) pp 584ndash597 Alexandria VA USA October-November 2007
[3] S G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrustedstoresrdquo in Proceedings of 14th ACMConference on Computer and Communications Security(CCSrsquo07) pp 598ndash609 Alexandria VA USA October-November 2007
[4] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings ofInternational Conference on 0eory and Application ofCryptology and Information Security Advances in Cryptologypp 319ndash333 Tokyo Japan December 2009
[5] J Zhang W Tang and J Mao ldquoEfficient public verificationproof of retrievability scheme in cloudrdquo Cluster Computingvol 17 no 4 pp 1401ndash1411 2014
[6] H Wang ldquoIdentity-based distributed provable data posses-sion in multicloud storagerdquo IEEE Transactions on ServicesComputing vol 8 no 2 pp 328ndash340 2015
[7] J Zhang and H Meng ldquoComment on id-based remote dataintegrity checking with data privacy preservingrdquo IOP Con-ference Series Materials Science and Engineering vol 231article 012006 2017
[8] C Liu R Ranjan C Yang X Zhang L Wang and J ChenldquoMuR-DPA top-down levelled multi-replica Merkle Hashtree based secure public auditing for dynamic big data storageon cloudrdquo IEEE Transactions on Computers vol 64 no 9pp 2609ndash2622 2015
[9] N Kaaniche A Boudguiga and M Laurent ldquoID-basedcryptography for secure cloud data storagerdquo in Proceedingsof IEEE Sixth International Conference on Cloud Computingpp 375ndash382 Santa Clara CA USA 2013
[10] F Sebe J Domingo-Ferrer A Martnez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEETransactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008
[11] H Shacham and B Waters ldquoCompact proofs of retriev-abilityrdquo in Proceedings of International Conference on the0eory and Application of Cryptology and Information Se-curity (ASIACRYPTrsquo08) pp 90ndash107 Melbourne VIC Aus-tralia December 2008
[12] K Ren C Wang and Q Wang ldquoSecurity challenges for thepublic cloudrdquo IEEE Internet Computing vol 16 no 1pp 69ndash73 2012
[13] H Wang Q Wu B Qin and J Domingo-Ferrer ldquoIdentity-based remote data possession checking inpublic cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014
[14] M A Shah M Baker J C Mogul and R SwaminathanldquoAuditingto keep online storage services honestrdquo in Pro-ceedings of 11th USENIXWorkshop on Hot Topics in OperatingSystems (HOTOSrsquo07) G C Hunt Ed San Diego CA USAMay 2007
[15] Y Yu Y Zhang Y Mu W Susilo and H Liu ldquoProvablysecure identity based provable data possessionrdquo in Pro-ceedings of International Conference on Provable Security(ProvSec 2015) pp 310ndash325 Kanazawa Japan November2015
[16] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciencesvol 343-344 pp 1ndash14 2016
[17] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedings ofIEEE Conference on Computer Communications (INFOCOM2013) pp 2904ndash2912 Turin Italy April 2013
[18] Q Wang C Wang K Ren W Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011
[19] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of IEEE Conference on Computer Communi-cations (INFOCOM 2010) pp 525ndash533 San Diego CA USAMarch 2010
[20] C Wang K Ren W Lou and J Li ldquoToward publicly au-ditable secure cloud data storage servicesrdquo IEEE Networkvol 24 no 4 pp 19ndash24 2010
[21] httpslibrariesdocsmiraclcommiracl-explainedwhat-is-miracl
[22] C Gritti W Susilo and T Plantard ldquoEfficient file sharing inelectronic health recordsrdquo in Proceedings of InternationalConference on Information Security Practice and Experience(ISPEC 2015) LNCS vol 9065 pp 499ndash513 Beijing ChinaMay 2015
Journal of Healthcare Engineering 9
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
that the integrality of the outsourced data is examinedregularly without a local copy
Definition 1 (identity-based data integrity auditingprotocol ID-DIAP) In general an ID-DIAP system con-tains the three stages
(1) System Initialization Phase In this phase the PKG isduty bound to produce system parameters -ere-fore it runs Setup(1k) algorithm to obtain systemparameters Para the PKGrsquos key pair (mpk mpsk) byinputting λ which is a safety parameter On thecontrary the PKG also invokes KeyExtr(1λ Parampsk ID) algorithm to calculate privacy key skID forthe data user with identity ID by inputting its mpskand Para as well as the identity ID of the data user
(2) Data Outsourcing Phase In this phase for the dataowner (data user) it runs TagGen(M skID) to generatemetadata authentication tag δi on each data block mi
by inputting its private key skID and the outsourcedfile M where M m1 mn Finally it uploadsmetadata authentication tags δ δ1 δn1113864 1113865 to thecloud server
(3) Data Auditing Phase -is phase is divided into threesubphases Challenging Proof and Verifying Firstlythe auditor runs algorithm Challenging(Minfo) tocalculate Chall as the challenged information AfterreceivingChall the cloud server runs Proof(M δ andChall) to calculate Prf as proving information thenreturns Prf to the auditor At last the auditor invokesthe algorithm Verifying(Chall Prf mpk and Minfo)to test whether the returned proving information Prfis valid
22 Different Types of Attack and Security Definition In thesubsection we will analyze that our ID-DIAP system may be
confronted with diverse attacks in light of the behavior ofevery role in the system architecture In our system archi-tecture the PKG is the privacy key generator which cal-culates data userrsquos privacy key In general it is a credibleauthority We assume that the PKG does not launch anysecurity attack to the other entities in the whole systemmodel For the third auditor it is deemed to be an honest-but-curious entity and can earnestly execute every step in theauditing course And cloud server is considered to be un-reliable It might deliberately delete or alter rarely accesseddata files for saving storage space It is a powerful insideattacker in our security model And the goal of the attacker isto tamper and replace the stored data without being foundby the auditor Because the cloud server is a powerful at-tacker in our security model we mainly consider the attacks[7] which are launched by the cloud server in this paper
221 Forge Attack -e vicious cloud server may producea forged meta-authentication signature on a new data blockor fabricate the fake proving information Prf to deceive theauditor by satisfying the auditing verification
222 Replace Attack If a certain data block in the challengeset was corrupted the vicious cloud server would selectanother valid pair (mi δi) of data block and authenticationtag to substitute the corrupted pair (mj δj) of data block anddata tag
223 Replay Attack It is an efficient attack With respect tothe vicious storage server in cloud it might produce thenew proof information Prflowast without retrieving the challengedata of the auditor though realizing the former provinginformation Prf
Cloud storage service
Data owner
The third auditor
Security
data flo
w
Security data flow
Security data flow
Private key generator
Key
gene
ratio
n
Data flow
Figure 1 ID-based data storage model in cloud
Journal of Healthcare Engineering 3
3 Our Public Auditing Construction
In the following we will give the description of our ID-DIAPsystem It contains four entities the PKG cloud server datauser and TPA And the whole system is composed of fivePPT algorithms As for every entity and all algorithms thediagram of the framework is represented in Figure 2 Toclearly describe our protocol the algorithms are given indetail below
31 Setup For the sake of enhancing readability somenotations used in our ID-DIAP system are listed in Table 1
-e PKG makes use of a parameter λ as an input andgenerates two cyclic groups G1 and GT -e two groupshave the identical prime order qgt 2k And let P and T
be two generators of group G1 where they satisfy PneTAnd define a bilinear pairing map e G1 times G1rarrGT Next itchooses two map-to-point cryptographic hash functionsH0 1 0 lowast rarrG1 and H1 1 0 lowast rarrG1 and a resistant-collision hash function H2 G1 times 1 0 lowast rarrZq And thePKG randomly chooses s isin Zq as its master privacy keycalculates Ppub sP as its public key At last public pa-rameters Para are published as below
Para G1 GT q e P T H0 H1 H2 Ppub1113872 1113873 (1)
And the PKG needs its master privacy key s to be secretlykept
32 Key Extraction For a data user to produce its privacykey it delivers its identification ID to the PKG Sub-sequently the PKG utilizes its master privacy key s and ID toimplement the following process
(1) Firstly the data user delivers its identity informationID to the PKG
(2) Next the PKG generates (DID0 DID1) data userrsquosprivacy key where
DID0 sH0(ID0)
DID1 sH0(ID1)(2)
And then it goes back(DID0 DID1) to the data userthrough a secret and secure channel
(3) Upon receiving the private key (DID0 DID1) this datauser is able to test whether its privacy key is validthrough the following equations
e Ppub H0(ID0)1113872 1113873 e P DID0( 1113857
e Ppub H0(ID1)1113872 1113873 e P DID1( 1113857(3)
33TagGenPhase For the upload data file M firstly data fileM is divided into n blocks by the data user namelyM m1m2 mn To outsource this file M to the cloudthe data user needs to randomly choose a pair (xID YID)which is a private-public key pair of a secure signature al-gorithm 1113936 (SigVer) for example BLS short signature
Let Name denote the identifier of data file M and then itcalculates the file authentication tag τ τ0 1113936 middotSig(xID τ0)where 1113936 middotSig(xID τ0) denotes a secure signature on τ0 andτ0 denotes an information string τ0 ldquoNamenrdquo
Subsequently the data user needs to generate metadataauthentication tag on the data block To compute blockauthentication tags on all data blocks mi1113864 1113865 i 1 2 n thedata user uniformly samples r isin Zq to calculate R rP
Next for i 1 to n it calculates metadata authenticationtag for data block mi by the following steps
(1) First of all it calculates
hi H2 Indexi
IDR01113872 1113873 (4)
(2) And then it makes use of its private key (DID0 DID1)to compute
δi rH1 Indexi
Name1113872 1113873 + hiDID0 + miDID1 (5)
(3) For data block mi the resultant authentication tag ofthe data block is θi (R δi)
At last the data user needs to upload all the meta-authentication tags (τ R δi1113864 1113865 i 1 2 n ) and the out-sourced file M to the remote server in cloud
PKG1 Setup
2 Register ID
Data owner4 Generate tag
(δ1hellipδn)
3 Produceskd = (D0 D1)
Cloudserver
6 Store datafile and
tags
5 Upload (δ1hellipδn) and data file M
The thirdauditor
9 Verifying phase
7 Challenge phase
8 Prove phase
Figure 2 -e relationship of the entities and algorithms
Table 1 Notations in our ID-DIAP system
Symbol MeaningK A security parameterH0 H1 H2 -ree hash functionsS -e master key of the PKGT A random generator of group G1Prf -e proof informationChall -e challenge informationQ A large prime numberGT A multiplicative group with the order qG1 An additive group with the order qE A bilinear pairing|I| -e number of elements in set I
4 Journal of Healthcare Engineering
On obtaining all the aforementioned data (τ R
δj1113966 1113967 j 1 2 n1113864 1113865) the cloud server needs to execute thefollowing validation procedure
For i 1 to n it verifies the relation
e δi P( 1113857 e H1 Indexi
Name1113872 1113873 R1113872 1113873e hiQ0 + miQ1 Ppub1113872 1113873
(6)
where Q1 H0(ID1) and Q0 H0(ID0) If all relationshold then it parses τ into τ0 and 1113936 middotSig(xID τ0) and verifiesthe validity of signature
1113944 middotVer 1113944 middotSig xID τ0( 1113857 τ0 YID1113872 1113873 1 (7)
If it is also valid then the cloud server preserves thesedata in cloud
34ChallengePhase To audit the integrality of the outsourcedfile M firstly the TPA parses τ into τ0 and 1113936 middotSig(xID τ0)and verifies 1113936 middotVer(1113936 middotSig(xID τ0) τ0 YID) 1 If it does nothold then terminate it Otherwise it retrieves the corre-sponding file identifier name and block size n
Later on the auditor picks a subset Isube[1 n] randomlywhere |I| l and ρ isin Zq to generate a challenge information
Chall ρ I1113864 1113865 (8)
Finally it delivers Chall to the cloud server as thechallenge
35 Proving Phase After obtaining the correspondingchallenge information Chall I ρ1113864 1113865 for i isin 1 |I| cloud server calculates vi ρimodq and then it producesa set Q i vi1113864 1113865 iisinI
Subsequently in light of the outsourced data file M
m1 mn1113864 1113865 and meta-authentication tag θi of each blocki isin 1 2 n it produces as follows
δ 1113944jisinI
vj middot δj
μ 1113944jisinI
vj middot mj(9)
Finally the cloud storage server goes back 3-tuple Prf
(δ μ R) to the auditor as the corresponding proofinformation
36 Verifying Phase To check the outsourced datarsquos in-tegrality in cloud after receiving the responded proof in-formation Prf (δ μ R) the third auditor calculates asbelow
h 1113944iisinI
vi middot hi
H 1113944iisinI
vi middot H1 Indexi
Name1113872 1113873(10)
where hi H2(indexiIDR0) for i isin I
-en it checks the validity of the following equation
e(δ P) e(H R)e hQ0 + μ middot Q11113872 1113873 (11)
If the aforementioned Equation (11) satisfies then theTPA outputs VerifyRes as true if not it outputs VerifyReS asfalse
4 Security Analysis
To show our proposalrsquos security we will demonstrate thatour proposal is proven to be secure against the above threeattacks
Theorem 1 Assume there exists a PPTadversary Adv that isprobabilistic polynomial-time attacker (for shot PPT) and cancheat the auditor using invalid proving information Prf whichis forged by the adversary Adv (the dishonest cloud storageserver) in a nonignorable probability ε then we are able todesign an algorithm $B$ that can efficiently break the CDHassumption by invoking Adv as subprogram
Proof Let us suppose that a PPT adversary Adv is capableto calculate a faked proving information Prf after the datablocks or metadata authentication tags are corruptedthen we are capable of constructing another a PPT algo-rithm B which is capable of breaking the CDH assumptionby utilizing the adversary Adv First of all let a 3-tuple(P aP bP) isin G1 be a CDH assumptionrsquos random instance itis hard to obtain the solution abP
To show the security proof hash functionH0 in the gameis regarded as random oracle and identity ID of each datauser is only made H0-query once For H1 and H2 they onlyact as one-way functions In addition the adversary Adv iscapable of adaptively issuing the queries to three oraclesH0-oracle Key-Extract oracle and TagGen oracle
Setup Choose two cyclic groups G1 and GT and their ordersare the same prime number q -e algorithm B firstly setsPpub aP as the public key of the PKG Let H0 H1 and H2be three hash functions Finally it sends public systemparameters (G1 GT P T q Ppub e H0 H1 H2) to the ad-versary Adv And let jlowast isin 1 qH01113864 1113865 be a challengedidentity index of the data user
H0-Hash Oracle -e adversary Adv submits a queryto H0-oracle with an identity IDi If the index of identityIDi satisfies ine jlowast then the challenger B picks ti0 ti1 isin Zq
randomly to set up H0(IDi0) ti0P hi0 and H0(IDi1)
ti1P hi1 Otherwise the challenger B uniformly samplestlowast1 and tlowast0 from Zq to set up
hi0 H0 IDi
01113872 1113873 tlowast0bP
hi1 H0 IDi
11113872 1113873 minustlowast1bP(12)
In the end the 5-tuple (IDi hi0 hi1 ti0 ti1) is added in theH0-list being initially empty
Journal of Healthcare Engineering 5
Key Extraction Oracle For a key extraction query Advsubmits an identity information IDi to key extraction oracleTo response it the challenger B calculates the following
(1) If the identity index of IDi satisfies ine jlowast then B
looks for 5-tuple (hi0 hi1 IDi ti0 ti1) in the H0-listIf it exists B sends Di0 ti0aP Di1 ti1aP to theadversary Adv otherwise it implicitly queriesa H1-Oracle with identity IDi
(2) Otherwise B terminates it
TagGen Oracle If the adversary Adv submits 3-tuple (MIDi Name) to TagGen Oracle for authentication tag querywhere M m1 mn and Name is the file identifier ofdata file M To response it the challenge B calculates thefollowing
(1) First of all it searches the H0-list to check if IDiexists If it is then the corresponding 5-tuple(hi0 hi1 IDi ti0 ti1) in the H0-list is returned Oth-erwise B needs to query H0-Oracle with identityinformation IDi
(2) If the identity index satisfies i jlowast then the chal-lenge B aborts it Otherwise it produces authenti-cation tags on data file M by the following process
(a) Firstly for file identifier ldquoNamerdquo it picksrname isin Zq randomly to calculate Rname rnameP
(b) Next for l 1 to n it calculates
hil H2 Indexl
IDi
Rname111396701113874 1113875 (13)
And then for l 1 to n B calculates data block m1rsquosauthentication tag as
δil rname middot H1 Indexi
Name1113872 1113873 + hilti0 + mlti1( 1113857Ppub
(14)
and adds (IDi Rname ml δil1113864 1113865 1le lle n ) to the Tag list whichis initially empty
(3) Finally it returns (IDi Rname ml δil1113864 1113865 1le lle n ) tothe adversary Adv
Output In the end for a challenge information (i vi)1113864 1113865 i isin Ithe adversary Adv outputs a fake proving information(δlowast μlowast Rlowast) on data userrsquos the corrupted file Mlowast in a non-neglected probability ε where the data userrsquos identity is IDlowastAdv wins this security game if and only if the followingconstraint condition holds
(1) IDlowast IDj
(2) Prf prime (δlowast Rlowast) can pass verification equation (11)(3) Prf prime ne Prf where Prf (δ R μ) should be a legiti-
mate proving information for the challenge in-formation (i vi) i isin I and the data file M whichsatisfies Mprime neM
When the adversary Adv wins this game then we arecapable of obtaining the following
e δlowast P( 1113857 e H Rlowast
( 1113857e 1113954hlowast
middot QIDj0 + μlowastQIDj1 Ppub1113872 1113873
e(δ P) e(H R)e 1113954h middot QIDj0 + μQIDj1 Ppub1113872 1113873(15)
where 1113954h 1113936iisinIviH2(IndexiRlowastIDj0) and hlowast 1113936iisinIviH2(IndexiRlowastIDj0) because 1113954H 1113936iisinIvi middot H1(IndexiName)is computed by the verifier and for the same data fileR Rlowast
and hlowast h -us we have
e δ minus δlowast( 1113857 e Ppub μminus μlowast( 1113857QIDj1113872 1113873
dArr
e δ minus δlowast( 1113857 e aP μminus μlowast( 1113857 minustlowast1( 1113857bP( 1113857
dArr
abP 1
μminus μlowast( 1113857 middot tlowast1δ minus δlowast( 1113857
(16)
It indicates that the CDH assumption is able to bebroken with nonneglected probability εprime Apparently it isimpossible since it is a hard problem to solve the CDHproblem
Theorem 2 For a malicious cloud server its replay attack inour proposed auditing proposal can efficiently be resisted
Proof -e proof in detail is very alike with the security proofin [16] Hence it is left out due to the limited space
5 Performance Evaluation
To efficiently evaluate our proposalrsquos performance in thefollowing part we show that our proposal is efficient bycomparing with Yu et alrsquos proposal [15] and Zhang andDongrsquos proposal [16] in the light of computational cost andcommunication overhead where Zhang and Dongrsquos pro-posal [16] which is the state-of-the-art identity-basedpublic auditing schemes in the aspect of communicationoverhead
51 Computation Costs To evaluate the computation costsof our proposal we would like to contrast our proposalwith Zhang and Dongrsquos proposal [16] and Yu et alrsquosproposal [15] since the two schemes are recent two efficientID-based public auditing schemes We emulate the oper-ators adopted in the three schemes on an HP-laptopcomputer with an Intel-Core i3-6500 CPU at 24 GHzprocessor and 8GB RAM and all algorithms are imple-mented using the MIRACL cryptography library [21 22]which is used for the ldquoMIRACL-Authentication Server-Project Wikirdquo by Certivox We employ a Super-singularelliptic curve over field GFp which has the 160-bit modulusp and a 2-embedding degree Moreover in our experi-ments the whole statistical results are from the mean valuesof 10 simulation trials
6 Journal of Healthcare Engineering
For explicit demonstration we use MulG1 to denotepoint multiplication operation and let Hash and Pairing beone hash-to-point operation from Zq to G1 and a bilinearpairing operation respectively For a public auditing pro-tocol the computational cost in the TagGen phase is mainlydetermined by computation of producing block authenti-cation tags To outsource a data file the data user requires(3n+ 1) MulG1 + n hash to produce block authentication tagin our construction in Yu et alrsquos proposal and Zhang et alrsquo sproposal each data user needs (n+ 1)Hash + (2n+ 2) MulG1and 4n MulG1 to calculate metablock authentication tagrespectively where n is the numbers of data block InFigure 3 we show the simulation result of generating theblock authentication tag for the size of diverse data blockswith the identical data file
From Figure 3 we can know that in the TagGen phaseZhang et alrsquos proposal is the most time-consuming andYu et alrsquos proposal is the most efficient Our proposal isslightly slower than Yu et alrsquos one since the algorithm toproduce the block authentication tag is a public keycertificate-based signature algorithm in Yu et alrsquos pro-posal however the algorithm which is used in ourproposal is the ID-based signature algorithm Becauseblock authentication tags for the data file can be producedin the off-line phase it has a little influence on the wholeprotocol
In auditing the verification phase the computationalcost mainly comes from verifying proof information It isdetermined by the numbers of the challenge data blocks Forour construction to check the validity of proving in-formation the auditor requires 3pairing+ c Hash + (c+ 2)Mul_G_1 however in the other two proposals the TPAneeds to execute 3Pairing+ 2MulG1 and 5Pairing+ (c+ 2)MulG1 + c Hash to check the integrality of the stored file incloud respectively where c expresses the size of the chal-lenge subset In Table 2 we give their comparison ofcomputational time in the different challenge subset
According to Table 2 we infer that the proposal in [16] isthe most efficient Our proposal is slightly more efficientthan the proposal in [15] However the proposal in [16] isshown to be insecure and its detail attack is shown inAppendix At the same time we also find that the TPArsquoscomputational costs grow linearly with the size of thechallenge subset
52 Communication Cost In a data audit system com-munication costs mainly come from two aspects On theone hand it is from the outsource phase of the datafile onthe other hand it is from the auditing phase In the out-source phase data owner uploads data file and the cor-responding meta-authentication tags As far as ourproposal the data owner wants to upload (n + 1)|G_1| + |M|bits to cloud storage server however in the proposals[15 16] the data owner wants to upload (n + 3)|G_1| + |M|bits and 2n middot |G_1| + |M| bits respectively Here |G_1|represents the bit length of an element of group G1 |M|denotes the bit length of data file and n is the number ofdata blocks
In the auditing phase communication costs are mainlyfrom the challenge information and proving informationtransmitting between the TPA and cloud storage servers Inour scheme the challenge information Chall is |Z_q| + |I|bits proving information is 3middot|G_1| bits and thus the totalcommunication overhead is |Z_q| + |I| + 3middot|G_1| bits where|Z_q| represents the bit length of an element in group Zqand |I| is the size of the challenge subset In the proposal[16] the total communication cost is 2|Z_q| + |I| + 2middot|G_1|bits in the auditing phase in the proposal [15] the totalcommunication costs is (2 + |I|)|Z_q| + |I| + 5middot|G_1| bits inthe auditing phase -eir comparison in detail is shown inTable 3
As shown in Table 3 our scheme has the least com-munication overhead among three schemes
53 Security Comparison According to 0eorem 1 weknow that our scheme is provably secure against thevicious cloud server in the computational DiffiendashHellman assumption and it has tight security reductionFor Yu et alrsquos proposal in [15] their proposal is alsoprovably secure against the vicious cloud server underthe CDH assumption However for Zhang and Dongrsquos
1800
1600
1400
1200
1000
800
600
400
200
Com
puta
tion
time (
ms)
Different block numbers
Our schemeZhang schemeYu scheme
00 50 100 150 200 250 300 350 400
Figure 3 Computational cost of authentication tag generation fordifferent block numbers
Table 2 Comparison of computation time in the auditing phase
Scheme-e number of the challenged blocksc 300 c 460 c 1000
Computation time inYu et alrsquos scheme (s) 0644 09733 231
Computation time inZhang et alrsquos scheme (s) 0109 0161 0333
Computation time inour scheme (s) 0616 09367 202
Journal of Healthcare Engineering 7
proposal [16] it is shown to be insecure against thevicious cloud server attack A vicious cloud server iscapable of deleting the whole file without being con-scious of the TPA and the detail security analysis is givenin Appendix
6 Conclusion
In this work we present a novel identity-based public auditsystem by merging the homomorphic authenticationtechnique in the ID-based cryptography into the auditsystem Our proposal overcomes the security problem andefficiency problems which have existed in the ID-basedpublic audit systems Finally the proposal is proven to besecure their security is tightly relevant to the classical CDHsecurity assumption By compared with two efficient ID-based schemes our scheme outperforms those two ID-based schemes under the condition of overall consideringcomputation complexity communication overhead andsecurity
Appendix
For a vicious s cloud storage server its attack is conducted asfollows
(1) Suppose that FM is an outsourced file It is firstlypartitioned into n blocks ie FM m1 mnAnd πi (δi Ri) is a meta-authentication signatureof each block mj for j 1 n
(2) For a vicious cloud storage cloud it calculateshi H2(miIDRi0) 1le ile n
(3) Subsequently it uniformly samples a numberra isin Zq to compute 1113954Ri miRi + ramiP and 1113954δi δi +
ramiT for i 1 2 n And delete all data blocksmi from the cloud server for i 1 n
(4) After the challenge information Chall (ρ I) isreceived the vicious remote server in cloud firstlycalculates vi ρi mod q for i isin I
(5) -en it calculates δlowast 1113936iisinIvi1113954δi hlowast 1113936iisinIvihi and
Rlowast 1113936iisinIvi middot 1113954Ri Note that hi has been calculated instep 2
(6) -e forged proof information is Prflowast (δlowast hlowast Rlowast)Since the forged proof information satisfies therelation
e δlowast P( 1113857 e 1113944iisinI
υiδi + υiraT( 1113857 P⎛⎝ ⎞⎠
e⎛⎝ 1113944iisinI
υi rimiT + hiDID0 + hprimeiDID1( 1113857
+ υiramiT P⎞⎠
e1113888 1113944iisinI
υi rimiT + ramiT( 1113857 P1113889
middot e 1113944iisinI
υi hiDID0 + hprimeiDID1( 1113857 P⎛⎝ ⎞⎠
e T 1113944iisinI
υi ri + ra( 1113857miP⎛⎝ ⎞⎠
middot e 1113944iisinI
υihi( 1113857DID0 + 1113944iisinI
υihprimei( 1113857DID1⎛⎝ ⎞⎠ P⎛⎝ ⎞⎠
e T Rlowast
( 1113857 middot e hlowastDID0 + hprimelowast1113872 1113873DID11113872 1113873 P1113872 1113873
(A1)
Conflicts of Interest
-e authors declare that they have no conflicts of interest
Acknowledgments
We would like to thank the anonymous referees for theirinvaluable suggestions in TrustCom2016 -is research wassupported by the Beijing Municipal Natural ScienceFoundation (no 4162020) Guangxi Key Laboratory ofCryptography and Information Security (no GCIS201710)and Research Fund of Guangxi KeyLab of Multi-SourceInformation Mining amp Security (no MIMS16-01)
References
[1] E-C Chang and J Xu ldquoRemote integrity check with dis-honest storage serverrdquo in Proceedings of European Symposiumon Research in Computer Security (ESORICSrsquo08) pp 223ndash237Malaga Spain October 2008
[2] A Juels and B S Kaliski Jr ldquoPors proofs of retrievability forlarge filesrdquo in Proceedings of 14th ACM Conference on
Table 3 Comparison of communication overhead and security among three schemes
Scheme Challenge information (bits) Proof information (bits) Total (bits) SecurityZhang et alrsquos scheme |I| + |Zq| |Zq| + 2|G1| 2|Zq| + 2|G1| + |I| NoOur scheme |I| + |Zq| 3|G1| |Zq| + 3|G1| + |I| YesYu et alrsquos scheme |I||Zq| + |I| + 2|G1| 2|Zq| + |I| + 3|G1| (2 + |I|)|Zq| + 3|G1| + |I| Yes
8 Journal of Healthcare Engineering
Computer and Communications Security (CCSrsquo07) pp 584ndash597 Alexandria VA USA October-November 2007
[3] S G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrustedstoresrdquo in Proceedings of 14th ACMConference on Computer and Communications Security(CCSrsquo07) pp 598ndash609 Alexandria VA USA October-November 2007
[4] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings ofInternational Conference on 0eory and Application ofCryptology and Information Security Advances in Cryptologypp 319ndash333 Tokyo Japan December 2009
[5] J Zhang W Tang and J Mao ldquoEfficient public verificationproof of retrievability scheme in cloudrdquo Cluster Computingvol 17 no 4 pp 1401ndash1411 2014
[6] H Wang ldquoIdentity-based distributed provable data posses-sion in multicloud storagerdquo IEEE Transactions on ServicesComputing vol 8 no 2 pp 328ndash340 2015
[7] J Zhang and H Meng ldquoComment on id-based remote dataintegrity checking with data privacy preservingrdquo IOP Con-ference Series Materials Science and Engineering vol 231article 012006 2017
[8] C Liu R Ranjan C Yang X Zhang L Wang and J ChenldquoMuR-DPA top-down levelled multi-replica Merkle Hashtree based secure public auditing for dynamic big data storageon cloudrdquo IEEE Transactions on Computers vol 64 no 9pp 2609ndash2622 2015
[9] N Kaaniche A Boudguiga and M Laurent ldquoID-basedcryptography for secure cloud data storagerdquo in Proceedingsof IEEE Sixth International Conference on Cloud Computingpp 375ndash382 Santa Clara CA USA 2013
[10] F Sebe J Domingo-Ferrer A Martnez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEETransactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008
[11] H Shacham and B Waters ldquoCompact proofs of retriev-abilityrdquo in Proceedings of International Conference on the0eory and Application of Cryptology and Information Se-curity (ASIACRYPTrsquo08) pp 90ndash107 Melbourne VIC Aus-tralia December 2008
[12] K Ren C Wang and Q Wang ldquoSecurity challenges for thepublic cloudrdquo IEEE Internet Computing vol 16 no 1pp 69ndash73 2012
[13] H Wang Q Wu B Qin and J Domingo-Ferrer ldquoIdentity-based remote data possession checking inpublic cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014
[14] M A Shah M Baker J C Mogul and R SwaminathanldquoAuditingto keep online storage services honestrdquo in Pro-ceedings of 11th USENIXWorkshop on Hot Topics in OperatingSystems (HOTOSrsquo07) G C Hunt Ed San Diego CA USAMay 2007
[15] Y Yu Y Zhang Y Mu W Susilo and H Liu ldquoProvablysecure identity based provable data possessionrdquo in Pro-ceedings of International Conference on Provable Security(ProvSec 2015) pp 310ndash325 Kanazawa Japan November2015
[16] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciencesvol 343-344 pp 1ndash14 2016
[17] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedings ofIEEE Conference on Computer Communications (INFOCOM2013) pp 2904ndash2912 Turin Italy April 2013
[18] Q Wang C Wang K Ren W Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011
[19] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of IEEE Conference on Computer Communi-cations (INFOCOM 2010) pp 525ndash533 San Diego CA USAMarch 2010
[20] C Wang K Ren W Lou and J Li ldquoToward publicly au-ditable secure cloud data storage servicesrdquo IEEE Networkvol 24 no 4 pp 19ndash24 2010
[21] httpslibrariesdocsmiraclcommiracl-explainedwhat-is-miracl
[22] C Gritti W Susilo and T Plantard ldquoEfficient file sharing inelectronic health recordsrdquo in Proceedings of InternationalConference on Information Security Practice and Experience(ISPEC 2015) LNCS vol 9065 pp 499ndash513 Beijing ChinaMay 2015
Journal of Healthcare Engineering 9
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
3 Our Public Auditing Construction
In the following we will give the description of our ID-DIAPsystem It contains four entities the PKG cloud server datauser and TPA And the whole system is composed of fivePPT algorithms As for every entity and all algorithms thediagram of the framework is represented in Figure 2 Toclearly describe our protocol the algorithms are given indetail below
31 Setup For the sake of enhancing readability somenotations used in our ID-DIAP system are listed in Table 1
-e PKG makes use of a parameter λ as an input andgenerates two cyclic groups G1 and GT -e two groupshave the identical prime order qgt 2k And let P and T
be two generators of group G1 where they satisfy PneTAnd define a bilinear pairing map e G1 times G1rarrGT Next itchooses two map-to-point cryptographic hash functionsH0 1 0 lowast rarrG1 and H1 1 0 lowast rarrG1 and a resistant-collision hash function H2 G1 times 1 0 lowast rarrZq And thePKG randomly chooses s isin Zq as its master privacy keycalculates Ppub sP as its public key At last public pa-rameters Para are published as below
Para G1 GT q e P T H0 H1 H2 Ppub1113872 1113873 (1)
And the PKG needs its master privacy key s to be secretlykept
32 Key Extraction For a data user to produce its privacykey it delivers its identification ID to the PKG Sub-sequently the PKG utilizes its master privacy key s and ID toimplement the following process
(1) Firstly the data user delivers its identity informationID to the PKG
(2) Next the PKG generates (DID0 DID1) data userrsquosprivacy key where
DID0 sH0(ID0)
DID1 sH0(ID1)(2)
And then it goes back(DID0 DID1) to the data userthrough a secret and secure channel
(3) Upon receiving the private key (DID0 DID1) this datauser is able to test whether its privacy key is validthrough the following equations
e Ppub H0(ID0)1113872 1113873 e P DID0( 1113857
e Ppub H0(ID1)1113872 1113873 e P DID1( 1113857(3)
33TagGenPhase For the upload data file M firstly data fileM is divided into n blocks by the data user namelyM m1m2 mn To outsource this file M to the cloudthe data user needs to randomly choose a pair (xID YID)which is a private-public key pair of a secure signature al-gorithm 1113936 (SigVer) for example BLS short signature
Let Name denote the identifier of data file M and then itcalculates the file authentication tag τ τ0 1113936 middotSig(xID τ0)where 1113936 middotSig(xID τ0) denotes a secure signature on τ0 andτ0 denotes an information string τ0 ldquoNamenrdquo
Subsequently the data user needs to generate metadataauthentication tag on the data block To compute blockauthentication tags on all data blocks mi1113864 1113865 i 1 2 n thedata user uniformly samples r isin Zq to calculate R rP
Next for i 1 to n it calculates metadata authenticationtag for data block mi by the following steps
(1) First of all it calculates
hi H2 Indexi
IDR01113872 1113873 (4)
(2) And then it makes use of its private key (DID0 DID1)to compute
δi rH1 Indexi
Name1113872 1113873 + hiDID0 + miDID1 (5)
(3) For data block mi the resultant authentication tag ofthe data block is θi (R δi)
At last the data user needs to upload all the meta-authentication tags (τ R δi1113864 1113865 i 1 2 n ) and the out-sourced file M to the remote server in cloud
PKG1 Setup
2 Register ID
Data owner4 Generate tag
(δ1hellipδn)
3 Produceskd = (D0 D1)
Cloudserver
6 Store datafile and
tags
5 Upload (δ1hellipδn) and data file M
The thirdauditor
9 Verifying phase
7 Challenge phase
8 Prove phase
Figure 2 -e relationship of the entities and algorithms
Table 1 Notations in our ID-DIAP system
Symbol MeaningK A security parameterH0 H1 H2 -ree hash functionsS -e master key of the PKGT A random generator of group G1Prf -e proof informationChall -e challenge informationQ A large prime numberGT A multiplicative group with the order qG1 An additive group with the order qE A bilinear pairing|I| -e number of elements in set I
4 Journal of Healthcare Engineering
On obtaining all the aforementioned data (τ R
δj1113966 1113967 j 1 2 n1113864 1113865) the cloud server needs to execute thefollowing validation procedure
For i 1 to n it verifies the relation
e δi P( 1113857 e H1 Indexi
Name1113872 1113873 R1113872 1113873e hiQ0 + miQ1 Ppub1113872 1113873
(6)
where Q1 H0(ID1) and Q0 H0(ID0) If all relationshold then it parses τ into τ0 and 1113936 middotSig(xID τ0) and verifiesthe validity of signature
1113944 middotVer 1113944 middotSig xID τ0( 1113857 τ0 YID1113872 1113873 1 (7)
If it is also valid then the cloud server preserves thesedata in cloud
34ChallengePhase To audit the integrality of the outsourcedfile M firstly the TPA parses τ into τ0 and 1113936 middotSig(xID τ0)and verifies 1113936 middotVer(1113936 middotSig(xID τ0) τ0 YID) 1 If it does nothold then terminate it Otherwise it retrieves the corre-sponding file identifier name and block size n
Later on the auditor picks a subset Isube[1 n] randomlywhere |I| l and ρ isin Zq to generate a challenge information
Chall ρ I1113864 1113865 (8)
Finally it delivers Chall to the cloud server as thechallenge
35 Proving Phase After obtaining the correspondingchallenge information Chall I ρ1113864 1113865 for i isin 1 |I| cloud server calculates vi ρimodq and then it producesa set Q i vi1113864 1113865 iisinI
Subsequently in light of the outsourced data file M
m1 mn1113864 1113865 and meta-authentication tag θi of each blocki isin 1 2 n it produces as follows
δ 1113944jisinI
vj middot δj
μ 1113944jisinI
vj middot mj(9)
Finally the cloud storage server goes back 3-tuple Prf
(δ μ R) to the auditor as the corresponding proofinformation
36 Verifying Phase To check the outsourced datarsquos in-tegrality in cloud after receiving the responded proof in-formation Prf (δ μ R) the third auditor calculates asbelow
h 1113944iisinI
vi middot hi
H 1113944iisinI
vi middot H1 Indexi
Name1113872 1113873(10)
where hi H2(indexiIDR0) for i isin I
-en it checks the validity of the following equation
e(δ P) e(H R)e hQ0 + μ middot Q11113872 1113873 (11)
If the aforementioned Equation (11) satisfies then theTPA outputs VerifyRes as true if not it outputs VerifyReS asfalse
4 Security Analysis
To show our proposalrsquos security we will demonstrate thatour proposal is proven to be secure against the above threeattacks
Theorem 1 Assume there exists a PPTadversary Adv that isprobabilistic polynomial-time attacker (for shot PPT) and cancheat the auditor using invalid proving information Prf whichis forged by the adversary Adv (the dishonest cloud storageserver) in a nonignorable probability ε then we are able todesign an algorithm $B$ that can efficiently break the CDHassumption by invoking Adv as subprogram
Proof Let us suppose that a PPT adversary Adv is capableto calculate a faked proving information Prf after the datablocks or metadata authentication tags are corruptedthen we are capable of constructing another a PPT algo-rithm B which is capable of breaking the CDH assumptionby utilizing the adversary Adv First of all let a 3-tuple(P aP bP) isin G1 be a CDH assumptionrsquos random instance itis hard to obtain the solution abP
To show the security proof hash functionH0 in the gameis regarded as random oracle and identity ID of each datauser is only made H0-query once For H1 and H2 they onlyact as one-way functions In addition the adversary Adv iscapable of adaptively issuing the queries to three oraclesH0-oracle Key-Extract oracle and TagGen oracle
Setup Choose two cyclic groups G1 and GT and their ordersare the same prime number q -e algorithm B firstly setsPpub aP as the public key of the PKG Let H0 H1 and H2be three hash functions Finally it sends public systemparameters (G1 GT P T q Ppub e H0 H1 H2) to the ad-versary Adv And let jlowast isin 1 qH01113864 1113865 be a challengedidentity index of the data user
H0-Hash Oracle -e adversary Adv submits a queryto H0-oracle with an identity IDi If the index of identityIDi satisfies ine jlowast then the challenger B picks ti0 ti1 isin Zq
randomly to set up H0(IDi0) ti0P hi0 and H0(IDi1)
ti1P hi1 Otherwise the challenger B uniformly samplestlowast1 and tlowast0 from Zq to set up
hi0 H0 IDi
01113872 1113873 tlowast0bP
hi1 H0 IDi
11113872 1113873 minustlowast1bP(12)
In the end the 5-tuple (IDi hi0 hi1 ti0 ti1) is added in theH0-list being initially empty
Journal of Healthcare Engineering 5
Key Extraction Oracle For a key extraction query Advsubmits an identity information IDi to key extraction oracleTo response it the challenger B calculates the following
(1) If the identity index of IDi satisfies ine jlowast then B
looks for 5-tuple (hi0 hi1 IDi ti0 ti1) in the H0-listIf it exists B sends Di0 ti0aP Di1 ti1aP to theadversary Adv otherwise it implicitly queriesa H1-Oracle with identity IDi
(2) Otherwise B terminates it
TagGen Oracle If the adversary Adv submits 3-tuple (MIDi Name) to TagGen Oracle for authentication tag querywhere M m1 mn and Name is the file identifier ofdata file M To response it the challenge B calculates thefollowing
(1) First of all it searches the H0-list to check if IDiexists If it is then the corresponding 5-tuple(hi0 hi1 IDi ti0 ti1) in the H0-list is returned Oth-erwise B needs to query H0-Oracle with identityinformation IDi
(2) If the identity index satisfies i jlowast then the chal-lenge B aborts it Otherwise it produces authenti-cation tags on data file M by the following process
(a) Firstly for file identifier ldquoNamerdquo it picksrname isin Zq randomly to calculate Rname rnameP
(b) Next for l 1 to n it calculates
hil H2 Indexl
IDi
Rname111396701113874 1113875 (13)
And then for l 1 to n B calculates data block m1rsquosauthentication tag as
δil rname middot H1 Indexi
Name1113872 1113873 + hilti0 + mlti1( 1113857Ppub
(14)
and adds (IDi Rname ml δil1113864 1113865 1le lle n ) to the Tag list whichis initially empty
(3) Finally it returns (IDi Rname ml δil1113864 1113865 1le lle n ) tothe adversary Adv
Output In the end for a challenge information (i vi)1113864 1113865 i isin Ithe adversary Adv outputs a fake proving information(δlowast μlowast Rlowast) on data userrsquos the corrupted file Mlowast in a non-neglected probability ε where the data userrsquos identity is IDlowastAdv wins this security game if and only if the followingconstraint condition holds
(1) IDlowast IDj
(2) Prf prime (δlowast Rlowast) can pass verification equation (11)(3) Prf prime ne Prf where Prf (δ R μ) should be a legiti-
mate proving information for the challenge in-formation (i vi) i isin I and the data file M whichsatisfies Mprime neM
When the adversary Adv wins this game then we arecapable of obtaining the following
e δlowast P( 1113857 e H Rlowast
( 1113857e 1113954hlowast
middot QIDj0 + μlowastQIDj1 Ppub1113872 1113873
e(δ P) e(H R)e 1113954h middot QIDj0 + μQIDj1 Ppub1113872 1113873(15)
where 1113954h 1113936iisinIviH2(IndexiRlowastIDj0) and hlowast 1113936iisinIviH2(IndexiRlowastIDj0) because 1113954H 1113936iisinIvi middot H1(IndexiName)is computed by the verifier and for the same data fileR Rlowast
and hlowast h -us we have
e δ minus δlowast( 1113857 e Ppub μminus μlowast( 1113857QIDj1113872 1113873
dArr
e δ minus δlowast( 1113857 e aP μminus μlowast( 1113857 minustlowast1( 1113857bP( 1113857
dArr
abP 1
μminus μlowast( 1113857 middot tlowast1δ minus δlowast( 1113857
(16)
It indicates that the CDH assumption is able to bebroken with nonneglected probability εprime Apparently it isimpossible since it is a hard problem to solve the CDHproblem
Theorem 2 For a malicious cloud server its replay attack inour proposed auditing proposal can efficiently be resisted
Proof -e proof in detail is very alike with the security proofin [16] Hence it is left out due to the limited space
5 Performance Evaluation
To efficiently evaluate our proposalrsquos performance in thefollowing part we show that our proposal is efficient bycomparing with Yu et alrsquos proposal [15] and Zhang andDongrsquos proposal [16] in the light of computational cost andcommunication overhead where Zhang and Dongrsquos pro-posal [16] which is the state-of-the-art identity-basedpublic auditing schemes in the aspect of communicationoverhead
51 Computation Costs To evaluate the computation costsof our proposal we would like to contrast our proposalwith Zhang and Dongrsquos proposal [16] and Yu et alrsquosproposal [15] since the two schemes are recent two efficientID-based public auditing schemes We emulate the oper-ators adopted in the three schemes on an HP-laptopcomputer with an Intel-Core i3-6500 CPU at 24 GHzprocessor and 8GB RAM and all algorithms are imple-mented using the MIRACL cryptography library [21 22]which is used for the ldquoMIRACL-Authentication Server-Project Wikirdquo by Certivox We employ a Super-singularelliptic curve over field GFp which has the 160-bit modulusp and a 2-embedding degree Moreover in our experi-ments the whole statistical results are from the mean valuesof 10 simulation trials
6 Journal of Healthcare Engineering
For explicit demonstration we use MulG1 to denotepoint multiplication operation and let Hash and Pairing beone hash-to-point operation from Zq to G1 and a bilinearpairing operation respectively For a public auditing pro-tocol the computational cost in the TagGen phase is mainlydetermined by computation of producing block authenti-cation tags To outsource a data file the data user requires(3n+ 1) MulG1 + n hash to produce block authentication tagin our construction in Yu et alrsquos proposal and Zhang et alrsquo sproposal each data user needs (n+ 1)Hash + (2n+ 2) MulG1and 4n MulG1 to calculate metablock authentication tagrespectively where n is the numbers of data block InFigure 3 we show the simulation result of generating theblock authentication tag for the size of diverse data blockswith the identical data file
From Figure 3 we can know that in the TagGen phaseZhang et alrsquos proposal is the most time-consuming andYu et alrsquos proposal is the most efficient Our proposal isslightly slower than Yu et alrsquos one since the algorithm toproduce the block authentication tag is a public keycertificate-based signature algorithm in Yu et alrsquos pro-posal however the algorithm which is used in ourproposal is the ID-based signature algorithm Becauseblock authentication tags for the data file can be producedin the off-line phase it has a little influence on the wholeprotocol
In auditing the verification phase the computationalcost mainly comes from verifying proof information It isdetermined by the numbers of the challenge data blocks Forour construction to check the validity of proving in-formation the auditor requires 3pairing+ c Hash + (c+ 2)Mul_G_1 however in the other two proposals the TPAneeds to execute 3Pairing+ 2MulG1 and 5Pairing+ (c+ 2)MulG1 + c Hash to check the integrality of the stored file incloud respectively where c expresses the size of the chal-lenge subset In Table 2 we give their comparison ofcomputational time in the different challenge subset
According to Table 2 we infer that the proposal in [16] isthe most efficient Our proposal is slightly more efficientthan the proposal in [15] However the proposal in [16] isshown to be insecure and its detail attack is shown inAppendix At the same time we also find that the TPArsquoscomputational costs grow linearly with the size of thechallenge subset
52 Communication Cost In a data audit system com-munication costs mainly come from two aspects On theone hand it is from the outsource phase of the datafile onthe other hand it is from the auditing phase In the out-source phase data owner uploads data file and the cor-responding meta-authentication tags As far as ourproposal the data owner wants to upload (n + 1)|G_1| + |M|bits to cloud storage server however in the proposals[15 16] the data owner wants to upload (n + 3)|G_1| + |M|bits and 2n middot |G_1| + |M| bits respectively Here |G_1|represents the bit length of an element of group G1 |M|denotes the bit length of data file and n is the number ofdata blocks
In the auditing phase communication costs are mainlyfrom the challenge information and proving informationtransmitting between the TPA and cloud storage servers Inour scheme the challenge information Chall is |Z_q| + |I|bits proving information is 3middot|G_1| bits and thus the totalcommunication overhead is |Z_q| + |I| + 3middot|G_1| bits where|Z_q| represents the bit length of an element in group Zqand |I| is the size of the challenge subset In the proposal[16] the total communication cost is 2|Z_q| + |I| + 2middot|G_1|bits in the auditing phase in the proposal [15] the totalcommunication costs is (2 + |I|)|Z_q| + |I| + 5middot|G_1| bits inthe auditing phase -eir comparison in detail is shown inTable 3
As shown in Table 3 our scheme has the least com-munication overhead among three schemes
53 Security Comparison According to 0eorem 1 weknow that our scheme is provably secure against thevicious cloud server in the computational DiffiendashHellman assumption and it has tight security reductionFor Yu et alrsquos proposal in [15] their proposal is alsoprovably secure against the vicious cloud server underthe CDH assumption However for Zhang and Dongrsquos
1800
1600
1400
1200
1000
800
600
400
200
Com
puta
tion
time (
ms)
Different block numbers
Our schemeZhang schemeYu scheme
00 50 100 150 200 250 300 350 400
Figure 3 Computational cost of authentication tag generation fordifferent block numbers
Table 2 Comparison of computation time in the auditing phase
Scheme-e number of the challenged blocksc 300 c 460 c 1000
Computation time inYu et alrsquos scheme (s) 0644 09733 231
Computation time inZhang et alrsquos scheme (s) 0109 0161 0333
Computation time inour scheme (s) 0616 09367 202
Journal of Healthcare Engineering 7
proposal [16] it is shown to be insecure against thevicious cloud server attack A vicious cloud server iscapable of deleting the whole file without being con-scious of the TPA and the detail security analysis is givenin Appendix
6 Conclusion
In this work we present a novel identity-based public auditsystem by merging the homomorphic authenticationtechnique in the ID-based cryptography into the auditsystem Our proposal overcomes the security problem andefficiency problems which have existed in the ID-basedpublic audit systems Finally the proposal is proven to besecure their security is tightly relevant to the classical CDHsecurity assumption By compared with two efficient ID-based schemes our scheme outperforms those two ID-based schemes under the condition of overall consideringcomputation complexity communication overhead andsecurity
Appendix
For a vicious s cloud storage server its attack is conducted asfollows
(1) Suppose that FM is an outsourced file It is firstlypartitioned into n blocks ie FM m1 mnAnd πi (δi Ri) is a meta-authentication signatureof each block mj for j 1 n
(2) For a vicious cloud storage cloud it calculateshi H2(miIDRi0) 1le ile n
(3) Subsequently it uniformly samples a numberra isin Zq to compute 1113954Ri miRi + ramiP and 1113954δi δi +
ramiT for i 1 2 n And delete all data blocksmi from the cloud server for i 1 n
(4) After the challenge information Chall (ρ I) isreceived the vicious remote server in cloud firstlycalculates vi ρi mod q for i isin I
(5) -en it calculates δlowast 1113936iisinIvi1113954δi hlowast 1113936iisinIvihi and
Rlowast 1113936iisinIvi middot 1113954Ri Note that hi has been calculated instep 2
(6) -e forged proof information is Prflowast (δlowast hlowast Rlowast)Since the forged proof information satisfies therelation
e δlowast P( 1113857 e 1113944iisinI
υiδi + υiraT( 1113857 P⎛⎝ ⎞⎠
e⎛⎝ 1113944iisinI
υi rimiT + hiDID0 + hprimeiDID1( 1113857
+ υiramiT P⎞⎠
e1113888 1113944iisinI
υi rimiT + ramiT( 1113857 P1113889
middot e 1113944iisinI
υi hiDID0 + hprimeiDID1( 1113857 P⎛⎝ ⎞⎠
e T 1113944iisinI
υi ri + ra( 1113857miP⎛⎝ ⎞⎠
middot e 1113944iisinI
υihi( 1113857DID0 + 1113944iisinI
υihprimei( 1113857DID1⎛⎝ ⎞⎠ P⎛⎝ ⎞⎠
e T Rlowast
( 1113857 middot e hlowastDID0 + hprimelowast1113872 1113873DID11113872 1113873 P1113872 1113873
(A1)
Conflicts of Interest
-e authors declare that they have no conflicts of interest
Acknowledgments
We would like to thank the anonymous referees for theirinvaluable suggestions in TrustCom2016 -is research wassupported by the Beijing Municipal Natural ScienceFoundation (no 4162020) Guangxi Key Laboratory ofCryptography and Information Security (no GCIS201710)and Research Fund of Guangxi KeyLab of Multi-SourceInformation Mining amp Security (no MIMS16-01)
References
[1] E-C Chang and J Xu ldquoRemote integrity check with dis-honest storage serverrdquo in Proceedings of European Symposiumon Research in Computer Security (ESORICSrsquo08) pp 223ndash237Malaga Spain October 2008
[2] A Juels and B S Kaliski Jr ldquoPors proofs of retrievability forlarge filesrdquo in Proceedings of 14th ACM Conference on
Table 3 Comparison of communication overhead and security among three schemes
Scheme Challenge information (bits) Proof information (bits) Total (bits) SecurityZhang et alrsquos scheme |I| + |Zq| |Zq| + 2|G1| 2|Zq| + 2|G1| + |I| NoOur scheme |I| + |Zq| 3|G1| |Zq| + 3|G1| + |I| YesYu et alrsquos scheme |I||Zq| + |I| + 2|G1| 2|Zq| + |I| + 3|G1| (2 + |I|)|Zq| + 3|G1| + |I| Yes
8 Journal of Healthcare Engineering
Computer and Communications Security (CCSrsquo07) pp 584ndash597 Alexandria VA USA October-November 2007
[3] S G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrustedstoresrdquo in Proceedings of 14th ACMConference on Computer and Communications Security(CCSrsquo07) pp 598ndash609 Alexandria VA USA October-November 2007
[4] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings ofInternational Conference on 0eory and Application ofCryptology and Information Security Advances in Cryptologypp 319ndash333 Tokyo Japan December 2009
[5] J Zhang W Tang and J Mao ldquoEfficient public verificationproof of retrievability scheme in cloudrdquo Cluster Computingvol 17 no 4 pp 1401ndash1411 2014
[6] H Wang ldquoIdentity-based distributed provable data posses-sion in multicloud storagerdquo IEEE Transactions on ServicesComputing vol 8 no 2 pp 328ndash340 2015
[7] J Zhang and H Meng ldquoComment on id-based remote dataintegrity checking with data privacy preservingrdquo IOP Con-ference Series Materials Science and Engineering vol 231article 012006 2017
[8] C Liu R Ranjan C Yang X Zhang L Wang and J ChenldquoMuR-DPA top-down levelled multi-replica Merkle Hashtree based secure public auditing for dynamic big data storageon cloudrdquo IEEE Transactions on Computers vol 64 no 9pp 2609ndash2622 2015
[9] N Kaaniche A Boudguiga and M Laurent ldquoID-basedcryptography for secure cloud data storagerdquo in Proceedingsof IEEE Sixth International Conference on Cloud Computingpp 375ndash382 Santa Clara CA USA 2013
[10] F Sebe J Domingo-Ferrer A Martnez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEETransactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008
[11] H Shacham and B Waters ldquoCompact proofs of retriev-abilityrdquo in Proceedings of International Conference on the0eory and Application of Cryptology and Information Se-curity (ASIACRYPTrsquo08) pp 90ndash107 Melbourne VIC Aus-tralia December 2008
[12] K Ren C Wang and Q Wang ldquoSecurity challenges for thepublic cloudrdquo IEEE Internet Computing vol 16 no 1pp 69ndash73 2012
[13] H Wang Q Wu B Qin and J Domingo-Ferrer ldquoIdentity-based remote data possession checking inpublic cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014
[14] M A Shah M Baker J C Mogul and R SwaminathanldquoAuditingto keep online storage services honestrdquo in Pro-ceedings of 11th USENIXWorkshop on Hot Topics in OperatingSystems (HOTOSrsquo07) G C Hunt Ed San Diego CA USAMay 2007
[15] Y Yu Y Zhang Y Mu W Susilo and H Liu ldquoProvablysecure identity based provable data possessionrdquo in Pro-ceedings of International Conference on Provable Security(ProvSec 2015) pp 310ndash325 Kanazawa Japan November2015
[16] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciencesvol 343-344 pp 1ndash14 2016
[17] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedings ofIEEE Conference on Computer Communications (INFOCOM2013) pp 2904ndash2912 Turin Italy April 2013
[18] Q Wang C Wang K Ren W Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011
[19] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of IEEE Conference on Computer Communi-cations (INFOCOM 2010) pp 525ndash533 San Diego CA USAMarch 2010
[20] C Wang K Ren W Lou and J Li ldquoToward publicly au-ditable secure cloud data storage servicesrdquo IEEE Networkvol 24 no 4 pp 19ndash24 2010
[21] httpslibrariesdocsmiraclcommiracl-explainedwhat-is-miracl
[22] C Gritti W Susilo and T Plantard ldquoEfficient file sharing inelectronic health recordsrdquo in Proceedings of InternationalConference on Information Security Practice and Experience(ISPEC 2015) LNCS vol 9065 pp 499ndash513 Beijing ChinaMay 2015
Journal of Healthcare Engineering 9
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
On obtaining all the aforementioned data (τ R
δj1113966 1113967 j 1 2 n1113864 1113865) the cloud server needs to execute thefollowing validation procedure
For i 1 to n it verifies the relation
e δi P( 1113857 e H1 Indexi
Name1113872 1113873 R1113872 1113873e hiQ0 + miQ1 Ppub1113872 1113873
(6)
where Q1 H0(ID1) and Q0 H0(ID0) If all relationshold then it parses τ into τ0 and 1113936 middotSig(xID τ0) and verifiesthe validity of signature
1113944 middotVer 1113944 middotSig xID τ0( 1113857 τ0 YID1113872 1113873 1 (7)
If it is also valid then the cloud server preserves thesedata in cloud
34ChallengePhase To audit the integrality of the outsourcedfile M firstly the TPA parses τ into τ0 and 1113936 middotSig(xID τ0)and verifies 1113936 middotVer(1113936 middotSig(xID τ0) τ0 YID) 1 If it does nothold then terminate it Otherwise it retrieves the corre-sponding file identifier name and block size n
Later on the auditor picks a subset Isube[1 n] randomlywhere |I| l and ρ isin Zq to generate a challenge information
Chall ρ I1113864 1113865 (8)
Finally it delivers Chall to the cloud server as thechallenge
35 Proving Phase After obtaining the correspondingchallenge information Chall I ρ1113864 1113865 for i isin 1 |I| cloud server calculates vi ρimodq and then it producesa set Q i vi1113864 1113865 iisinI
Subsequently in light of the outsourced data file M
m1 mn1113864 1113865 and meta-authentication tag θi of each blocki isin 1 2 n it produces as follows
δ 1113944jisinI
vj middot δj
μ 1113944jisinI
vj middot mj(9)
Finally the cloud storage server goes back 3-tuple Prf
(δ μ R) to the auditor as the corresponding proofinformation
36 Verifying Phase To check the outsourced datarsquos in-tegrality in cloud after receiving the responded proof in-formation Prf (δ μ R) the third auditor calculates asbelow
h 1113944iisinI
vi middot hi
H 1113944iisinI
vi middot H1 Indexi
Name1113872 1113873(10)
where hi H2(indexiIDR0) for i isin I
-en it checks the validity of the following equation
e(δ P) e(H R)e hQ0 + μ middot Q11113872 1113873 (11)
If the aforementioned Equation (11) satisfies then theTPA outputs VerifyRes as true if not it outputs VerifyReS asfalse
4 Security Analysis
To show our proposalrsquos security we will demonstrate thatour proposal is proven to be secure against the above threeattacks
Theorem 1 Assume there exists a PPTadversary Adv that isprobabilistic polynomial-time attacker (for shot PPT) and cancheat the auditor using invalid proving information Prf whichis forged by the adversary Adv (the dishonest cloud storageserver) in a nonignorable probability ε then we are able todesign an algorithm $B$ that can efficiently break the CDHassumption by invoking Adv as subprogram
Proof Let us suppose that a PPT adversary Adv is capableto calculate a faked proving information Prf after the datablocks or metadata authentication tags are corruptedthen we are capable of constructing another a PPT algo-rithm B which is capable of breaking the CDH assumptionby utilizing the adversary Adv First of all let a 3-tuple(P aP bP) isin G1 be a CDH assumptionrsquos random instance itis hard to obtain the solution abP
To show the security proof hash functionH0 in the gameis regarded as random oracle and identity ID of each datauser is only made H0-query once For H1 and H2 they onlyact as one-way functions In addition the adversary Adv iscapable of adaptively issuing the queries to three oraclesH0-oracle Key-Extract oracle and TagGen oracle
Setup Choose two cyclic groups G1 and GT and their ordersare the same prime number q -e algorithm B firstly setsPpub aP as the public key of the PKG Let H0 H1 and H2be three hash functions Finally it sends public systemparameters (G1 GT P T q Ppub e H0 H1 H2) to the ad-versary Adv And let jlowast isin 1 qH01113864 1113865 be a challengedidentity index of the data user
H0-Hash Oracle -e adversary Adv submits a queryto H0-oracle with an identity IDi If the index of identityIDi satisfies ine jlowast then the challenger B picks ti0 ti1 isin Zq
randomly to set up H0(IDi0) ti0P hi0 and H0(IDi1)
ti1P hi1 Otherwise the challenger B uniformly samplestlowast1 and tlowast0 from Zq to set up
hi0 H0 IDi
01113872 1113873 tlowast0bP
hi1 H0 IDi
11113872 1113873 minustlowast1bP(12)
In the end the 5-tuple (IDi hi0 hi1 ti0 ti1) is added in theH0-list being initially empty
Journal of Healthcare Engineering 5
Key Extraction Oracle For a key extraction query Advsubmits an identity information IDi to key extraction oracleTo response it the challenger B calculates the following
(1) If the identity index of IDi satisfies ine jlowast then B
looks for 5-tuple (hi0 hi1 IDi ti0 ti1) in the H0-listIf it exists B sends Di0 ti0aP Di1 ti1aP to theadversary Adv otherwise it implicitly queriesa H1-Oracle with identity IDi
(2) Otherwise B terminates it
TagGen Oracle If the adversary Adv submits 3-tuple (MIDi Name) to TagGen Oracle for authentication tag querywhere M m1 mn and Name is the file identifier ofdata file M To response it the challenge B calculates thefollowing
(1) First of all it searches the H0-list to check if IDiexists If it is then the corresponding 5-tuple(hi0 hi1 IDi ti0 ti1) in the H0-list is returned Oth-erwise B needs to query H0-Oracle with identityinformation IDi
(2) If the identity index satisfies i jlowast then the chal-lenge B aborts it Otherwise it produces authenti-cation tags on data file M by the following process
(a) Firstly for file identifier ldquoNamerdquo it picksrname isin Zq randomly to calculate Rname rnameP
(b) Next for l 1 to n it calculates
hil H2 Indexl
IDi
Rname111396701113874 1113875 (13)
And then for l 1 to n B calculates data block m1rsquosauthentication tag as
δil rname middot H1 Indexi
Name1113872 1113873 + hilti0 + mlti1( 1113857Ppub
(14)
and adds (IDi Rname ml δil1113864 1113865 1le lle n ) to the Tag list whichis initially empty
(3) Finally it returns (IDi Rname ml δil1113864 1113865 1le lle n ) tothe adversary Adv
Output In the end for a challenge information (i vi)1113864 1113865 i isin Ithe adversary Adv outputs a fake proving information(δlowast μlowast Rlowast) on data userrsquos the corrupted file Mlowast in a non-neglected probability ε where the data userrsquos identity is IDlowastAdv wins this security game if and only if the followingconstraint condition holds
(1) IDlowast IDj
(2) Prf prime (δlowast Rlowast) can pass verification equation (11)(3) Prf prime ne Prf where Prf (δ R μ) should be a legiti-
mate proving information for the challenge in-formation (i vi) i isin I and the data file M whichsatisfies Mprime neM
When the adversary Adv wins this game then we arecapable of obtaining the following
e δlowast P( 1113857 e H Rlowast
( 1113857e 1113954hlowast
middot QIDj0 + μlowastQIDj1 Ppub1113872 1113873
e(δ P) e(H R)e 1113954h middot QIDj0 + μQIDj1 Ppub1113872 1113873(15)
where 1113954h 1113936iisinIviH2(IndexiRlowastIDj0) and hlowast 1113936iisinIviH2(IndexiRlowastIDj0) because 1113954H 1113936iisinIvi middot H1(IndexiName)is computed by the verifier and for the same data fileR Rlowast
and hlowast h -us we have
e δ minus δlowast( 1113857 e Ppub μminus μlowast( 1113857QIDj1113872 1113873
dArr
e δ minus δlowast( 1113857 e aP μminus μlowast( 1113857 minustlowast1( 1113857bP( 1113857
dArr
abP 1
μminus μlowast( 1113857 middot tlowast1δ minus δlowast( 1113857
(16)
It indicates that the CDH assumption is able to bebroken with nonneglected probability εprime Apparently it isimpossible since it is a hard problem to solve the CDHproblem
Theorem 2 For a malicious cloud server its replay attack inour proposed auditing proposal can efficiently be resisted
Proof -e proof in detail is very alike with the security proofin [16] Hence it is left out due to the limited space
5 Performance Evaluation
To efficiently evaluate our proposalrsquos performance in thefollowing part we show that our proposal is efficient bycomparing with Yu et alrsquos proposal [15] and Zhang andDongrsquos proposal [16] in the light of computational cost andcommunication overhead where Zhang and Dongrsquos pro-posal [16] which is the state-of-the-art identity-basedpublic auditing schemes in the aspect of communicationoverhead
51 Computation Costs To evaluate the computation costsof our proposal we would like to contrast our proposalwith Zhang and Dongrsquos proposal [16] and Yu et alrsquosproposal [15] since the two schemes are recent two efficientID-based public auditing schemes We emulate the oper-ators adopted in the three schemes on an HP-laptopcomputer with an Intel-Core i3-6500 CPU at 24 GHzprocessor and 8GB RAM and all algorithms are imple-mented using the MIRACL cryptography library [21 22]which is used for the ldquoMIRACL-Authentication Server-Project Wikirdquo by Certivox We employ a Super-singularelliptic curve over field GFp which has the 160-bit modulusp and a 2-embedding degree Moreover in our experi-ments the whole statistical results are from the mean valuesof 10 simulation trials
6 Journal of Healthcare Engineering
For explicit demonstration we use MulG1 to denotepoint multiplication operation and let Hash and Pairing beone hash-to-point operation from Zq to G1 and a bilinearpairing operation respectively For a public auditing pro-tocol the computational cost in the TagGen phase is mainlydetermined by computation of producing block authenti-cation tags To outsource a data file the data user requires(3n+ 1) MulG1 + n hash to produce block authentication tagin our construction in Yu et alrsquos proposal and Zhang et alrsquo sproposal each data user needs (n+ 1)Hash + (2n+ 2) MulG1and 4n MulG1 to calculate metablock authentication tagrespectively where n is the numbers of data block InFigure 3 we show the simulation result of generating theblock authentication tag for the size of diverse data blockswith the identical data file
From Figure 3 we can know that in the TagGen phaseZhang et alrsquos proposal is the most time-consuming andYu et alrsquos proposal is the most efficient Our proposal isslightly slower than Yu et alrsquos one since the algorithm toproduce the block authentication tag is a public keycertificate-based signature algorithm in Yu et alrsquos pro-posal however the algorithm which is used in ourproposal is the ID-based signature algorithm Becauseblock authentication tags for the data file can be producedin the off-line phase it has a little influence on the wholeprotocol
In auditing the verification phase the computationalcost mainly comes from verifying proof information It isdetermined by the numbers of the challenge data blocks Forour construction to check the validity of proving in-formation the auditor requires 3pairing+ c Hash + (c+ 2)Mul_G_1 however in the other two proposals the TPAneeds to execute 3Pairing+ 2MulG1 and 5Pairing+ (c+ 2)MulG1 + c Hash to check the integrality of the stored file incloud respectively where c expresses the size of the chal-lenge subset In Table 2 we give their comparison ofcomputational time in the different challenge subset
According to Table 2 we infer that the proposal in [16] isthe most efficient Our proposal is slightly more efficientthan the proposal in [15] However the proposal in [16] isshown to be insecure and its detail attack is shown inAppendix At the same time we also find that the TPArsquoscomputational costs grow linearly with the size of thechallenge subset
52 Communication Cost In a data audit system com-munication costs mainly come from two aspects On theone hand it is from the outsource phase of the datafile onthe other hand it is from the auditing phase In the out-source phase data owner uploads data file and the cor-responding meta-authentication tags As far as ourproposal the data owner wants to upload (n + 1)|G_1| + |M|bits to cloud storage server however in the proposals[15 16] the data owner wants to upload (n + 3)|G_1| + |M|bits and 2n middot |G_1| + |M| bits respectively Here |G_1|represents the bit length of an element of group G1 |M|denotes the bit length of data file and n is the number ofdata blocks
In the auditing phase communication costs are mainlyfrom the challenge information and proving informationtransmitting between the TPA and cloud storage servers Inour scheme the challenge information Chall is |Z_q| + |I|bits proving information is 3middot|G_1| bits and thus the totalcommunication overhead is |Z_q| + |I| + 3middot|G_1| bits where|Z_q| represents the bit length of an element in group Zqand |I| is the size of the challenge subset In the proposal[16] the total communication cost is 2|Z_q| + |I| + 2middot|G_1|bits in the auditing phase in the proposal [15] the totalcommunication costs is (2 + |I|)|Z_q| + |I| + 5middot|G_1| bits inthe auditing phase -eir comparison in detail is shown inTable 3
As shown in Table 3 our scheme has the least com-munication overhead among three schemes
53 Security Comparison According to 0eorem 1 weknow that our scheme is provably secure against thevicious cloud server in the computational DiffiendashHellman assumption and it has tight security reductionFor Yu et alrsquos proposal in [15] their proposal is alsoprovably secure against the vicious cloud server underthe CDH assumption However for Zhang and Dongrsquos
1800
1600
1400
1200
1000
800
600
400
200
Com
puta
tion
time (
ms)
Different block numbers
Our schemeZhang schemeYu scheme
00 50 100 150 200 250 300 350 400
Figure 3 Computational cost of authentication tag generation fordifferent block numbers
Table 2 Comparison of computation time in the auditing phase
Scheme-e number of the challenged blocksc 300 c 460 c 1000
Computation time inYu et alrsquos scheme (s) 0644 09733 231
Computation time inZhang et alrsquos scheme (s) 0109 0161 0333
Computation time inour scheme (s) 0616 09367 202
Journal of Healthcare Engineering 7
proposal [16] it is shown to be insecure against thevicious cloud server attack A vicious cloud server iscapable of deleting the whole file without being con-scious of the TPA and the detail security analysis is givenin Appendix
6 Conclusion
In this work we present a novel identity-based public auditsystem by merging the homomorphic authenticationtechnique in the ID-based cryptography into the auditsystem Our proposal overcomes the security problem andefficiency problems which have existed in the ID-basedpublic audit systems Finally the proposal is proven to besecure their security is tightly relevant to the classical CDHsecurity assumption By compared with two efficient ID-based schemes our scheme outperforms those two ID-based schemes under the condition of overall consideringcomputation complexity communication overhead andsecurity
Appendix
For a vicious s cloud storage server its attack is conducted asfollows
(1) Suppose that FM is an outsourced file It is firstlypartitioned into n blocks ie FM m1 mnAnd πi (δi Ri) is a meta-authentication signatureof each block mj for j 1 n
(2) For a vicious cloud storage cloud it calculateshi H2(miIDRi0) 1le ile n
(3) Subsequently it uniformly samples a numberra isin Zq to compute 1113954Ri miRi + ramiP and 1113954δi δi +
ramiT for i 1 2 n And delete all data blocksmi from the cloud server for i 1 n
(4) After the challenge information Chall (ρ I) isreceived the vicious remote server in cloud firstlycalculates vi ρi mod q for i isin I
(5) -en it calculates δlowast 1113936iisinIvi1113954δi hlowast 1113936iisinIvihi and
Rlowast 1113936iisinIvi middot 1113954Ri Note that hi has been calculated instep 2
(6) -e forged proof information is Prflowast (δlowast hlowast Rlowast)Since the forged proof information satisfies therelation
e δlowast P( 1113857 e 1113944iisinI
υiδi + υiraT( 1113857 P⎛⎝ ⎞⎠
e⎛⎝ 1113944iisinI
υi rimiT + hiDID0 + hprimeiDID1( 1113857
+ υiramiT P⎞⎠
e1113888 1113944iisinI
υi rimiT + ramiT( 1113857 P1113889
middot e 1113944iisinI
υi hiDID0 + hprimeiDID1( 1113857 P⎛⎝ ⎞⎠
e T 1113944iisinI
υi ri + ra( 1113857miP⎛⎝ ⎞⎠
middot e 1113944iisinI
υihi( 1113857DID0 + 1113944iisinI
υihprimei( 1113857DID1⎛⎝ ⎞⎠ P⎛⎝ ⎞⎠
e T Rlowast
( 1113857 middot e hlowastDID0 + hprimelowast1113872 1113873DID11113872 1113873 P1113872 1113873
(A1)
Conflicts of Interest
-e authors declare that they have no conflicts of interest
Acknowledgments
We would like to thank the anonymous referees for theirinvaluable suggestions in TrustCom2016 -is research wassupported by the Beijing Municipal Natural ScienceFoundation (no 4162020) Guangxi Key Laboratory ofCryptography and Information Security (no GCIS201710)and Research Fund of Guangxi KeyLab of Multi-SourceInformation Mining amp Security (no MIMS16-01)
References
[1] E-C Chang and J Xu ldquoRemote integrity check with dis-honest storage serverrdquo in Proceedings of European Symposiumon Research in Computer Security (ESORICSrsquo08) pp 223ndash237Malaga Spain October 2008
[2] A Juels and B S Kaliski Jr ldquoPors proofs of retrievability forlarge filesrdquo in Proceedings of 14th ACM Conference on
Table 3 Comparison of communication overhead and security among three schemes
Scheme Challenge information (bits) Proof information (bits) Total (bits) SecurityZhang et alrsquos scheme |I| + |Zq| |Zq| + 2|G1| 2|Zq| + 2|G1| + |I| NoOur scheme |I| + |Zq| 3|G1| |Zq| + 3|G1| + |I| YesYu et alrsquos scheme |I||Zq| + |I| + 2|G1| 2|Zq| + |I| + 3|G1| (2 + |I|)|Zq| + 3|G1| + |I| Yes
8 Journal of Healthcare Engineering
Computer and Communications Security (CCSrsquo07) pp 584ndash597 Alexandria VA USA October-November 2007
[3] S G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrustedstoresrdquo in Proceedings of 14th ACMConference on Computer and Communications Security(CCSrsquo07) pp 598ndash609 Alexandria VA USA October-November 2007
[4] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings ofInternational Conference on 0eory and Application ofCryptology and Information Security Advances in Cryptologypp 319ndash333 Tokyo Japan December 2009
[5] J Zhang W Tang and J Mao ldquoEfficient public verificationproof of retrievability scheme in cloudrdquo Cluster Computingvol 17 no 4 pp 1401ndash1411 2014
[6] H Wang ldquoIdentity-based distributed provable data posses-sion in multicloud storagerdquo IEEE Transactions on ServicesComputing vol 8 no 2 pp 328ndash340 2015
[7] J Zhang and H Meng ldquoComment on id-based remote dataintegrity checking with data privacy preservingrdquo IOP Con-ference Series Materials Science and Engineering vol 231article 012006 2017
[8] C Liu R Ranjan C Yang X Zhang L Wang and J ChenldquoMuR-DPA top-down levelled multi-replica Merkle Hashtree based secure public auditing for dynamic big data storageon cloudrdquo IEEE Transactions on Computers vol 64 no 9pp 2609ndash2622 2015
[9] N Kaaniche A Boudguiga and M Laurent ldquoID-basedcryptography for secure cloud data storagerdquo in Proceedingsof IEEE Sixth International Conference on Cloud Computingpp 375ndash382 Santa Clara CA USA 2013
[10] F Sebe J Domingo-Ferrer A Martnez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEETransactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008
[11] H Shacham and B Waters ldquoCompact proofs of retriev-abilityrdquo in Proceedings of International Conference on the0eory and Application of Cryptology and Information Se-curity (ASIACRYPTrsquo08) pp 90ndash107 Melbourne VIC Aus-tralia December 2008
[12] K Ren C Wang and Q Wang ldquoSecurity challenges for thepublic cloudrdquo IEEE Internet Computing vol 16 no 1pp 69ndash73 2012
[13] H Wang Q Wu B Qin and J Domingo-Ferrer ldquoIdentity-based remote data possession checking inpublic cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014
[14] M A Shah M Baker J C Mogul and R SwaminathanldquoAuditingto keep online storage services honestrdquo in Pro-ceedings of 11th USENIXWorkshop on Hot Topics in OperatingSystems (HOTOSrsquo07) G C Hunt Ed San Diego CA USAMay 2007
[15] Y Yu Y Zhang Y Mu W Susilo and H Liu ldquoProvablysecure identity based provable data possessionrdquo in Pro-ceedings of International Conference on Provable Security(ProvSec 2015) pp 310ndash325 Kanazawa Japan November2015
[16] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciencesvol 343-344 pp 1ndash14 2016
[17] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedings ofIEEE Conference on Computer Communications (INFOCOM2013) pp 2904ndash2912 Turin Italy April 2013
[18] Q Wang C Wang K Ren W Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011
[19] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of IEEE Conference on Computer Communi-cations (INFOCOM 2010) pp 525ndash533 San Diego CA USAMarch 2010
[20] C Wang K Ren W Lou and J Li ldquoToward publicly au-ditable secure cloud data storage servicesrdquo IEEE Networkvol 24 no 4 pp 19ndash24 2010
[21] httpslibrariesdocsmiraclcommiracl-explainedwhat-is-miracl
[22] C Gritti W Susilo and T Plantard ldquoEfficient file sharing inelectronic health recordsrdquo in Proceedings of InternationalConference on Information Security Practice and Experience(ISPEC 2015) LNCS vol 9065 pp 499ndash513 Beijing ChinaMay 2015
Journal of Healthcare Engineering 9
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Key Extraction Oracle For a key extraction query Advsubmits an identity information IDi to key extraction oracleTo response it the challenger B calculates the following
(1) If the identity index of IDi satisfies ine jlowast then B
looks for 5-tuple (hi0 hi1 IDi ti0 ti1) in the H0-listIf it exists B sends Di0 ti0aP Di1 ti1aP to theadversary Adv otherwise it implicitly queriesa H1-Oracle with identity IDi
(2) Otherwise B terminates it
TagGen Oracle If the adversary Adv submits 3-tuple (MIDi Name) to TagGen Oracle for authentication tag querywhere M m1 mn and Name is the file identifier ofdata file M To response it the challenge B calculates thefollowing
(1) First of all it searches the H0-list to check if IDiexists If it is then the corresponding 5-tuple(hi0 hi1 IDi ti0 ti1) in the H0-list is returned Oth-erwise B needs to query H0-Oracle with identityinformation IDi
(2) If the identity index satisfies i jlowast then the chal-lenge B aborts it Otherwise it produces authenti-cation tags on data file M by the following process
(a) Firstly for file identifier ldquoNamerdquo it picksrname isin Zq randomly to calculate Rname rnameP
(b) Next for l 1 to n it calculates
hil H2 Indexl
IDi
Rname111396701113874 1113875 (13)
And then for l 1 to n B calculates data block m1rsquosauthentication tag as
δil rname middot H1 Indexi
Name1113872 1113873 + hilti0 + mlti1( 1113857Ppub
(14)
and adds (IDi Rname ml δil1113864 1113865 1le lle n ) to the Tag list whichis initially empty
(3) Finally it returns (IDi Rname ml δil1113864 1113865 1le lle n ) tothe adversary Adv
Output In the end for a challenge information (i vi)1113864 1113865 i isin Ithe adversary Adv outputs a fake proving information(δlowast μlowast Rlowast) on data userrsquos the corrupted file Mlowast in a non-neglected probability ε where the data userrsquos identity is IDlowastAdv wins this security game if and only if the followingconstraint condition holds
(1) IDlowast IDj
(2) Prf prime (δlowast Rlowast) can pass verification equation (11)(3) Prf prime ne Prf where Prf (δ R μ) should be a legiti-
mate proving information for the challenge in-formation (i vi) i isin I and the data file M whichsatisfies Mprime neM
When the adversary Adv wins this game then we arecapable of obtaining the following
e δlowast P( 1113857 e H Rlowast
( 1113857e 1113954hlowast
middot QIDj0 + μlowastQIDj1 Ppub1113872 1113873
e(δ P) e(H R)e 1113954h middot QIDj0 + μQIDj1 Ppub1113872 1113873(15)
where 1113954h 1113936iisinIviH2(IndexiRlowastIDj0) and hlowast 1113936iisinIviH2(IndexiRlowastIDj0) because 1113954H 1113936iisinIvi middot H1(IndexiName)is computed by the verifier and for the same data fileR Rlowast
and hlowast h -us we have
e δ minus δlowast( 1113857 e Ppub μminus μlowast( 1113857QIDj1113872 1113873
dArr
e δ minus δlowast( 1113857 e aP μminus μlowast( 1113857 minustlowast1( 1113857bP( 1113857
dArr
abP 1
μminus μlowast( 1113857 middot tlowast1δ minus δlowast( 1113857
(16)
It indicates that the CDH assumption is able to bebroken with nonneglected probability εprime Apparently it isimpossible since it is a hard problem to solve the CDHproblem
Theorem 2 For a malicious cloud server its replay attack inour proposed auditing proposal can efficiently be resisted
Proof -e proof in detail is very alike with the security proofin [16] Hence it is left out due to the limited space
5 Performance Evaluation
To efficiently evaluate our proposalrsquos performance in thefollowing part we show that our proposal is efficient bycomparing with Yu et alrsquos proposal [15] and Zhang andDongrsquos proposal [16] in the light of computational cost andcommunication overhead where Zhang and Dongrsquos pro-posal [16] which is the state-of-the-art identity-basedpublic auditing schemes in the aspect of communicationoverhead
51 Computation Costs To evaluate the computation costsof our proposal we would like to contrast our proposalwith Zhang and Dongrsquos proposal [16] and Yu et alrsquosproposal [15] since the two schemes are recent two efficientID-based public auditing schemes We emulate the oper-ators adopted in the three schemes on an HP-laptopcomputer with an Intel-Core i3-6500 CPU at 24 GHzprocessor and 8GB RAM and all algorithms are imple-mented using the MIRACL cryptography library [21 22]which is used for the ldquoMIRACL-Authentication Server-Project Wikirdquo by Certivox We employ a Super-singularelliptic curve over field GFp which has the 160-bit modulusp and a 2-embedding degree Moreover in our experi-ments the whole statistical results are from the mean valuesof 10 simulation trials
6 Journal of Healthcare Engineering
For explicit demonstration we use MulG1 to denotepoint multiplication operation and let Hash and Pairing beone hash-to-point operation from Zq to G1 and a bilinearpairing operation respectively For a public auditing pro-tocol the computational cost in the TagGen phase is mainlydetermined by computation of producing block authenti-cation tags To outsource a data file the data user requires(3n+ 1) MulG1 + n hash to produce block authentication tagin our construction in Yu et alrsquos proposal and Zhang et alrsquo sproposal each data user needs (n+ 1)Hash + (2n+ 2) MulG1and 4n MulG1 to calculate metablock authentication tagrespectively where n is the numbers of data block InFigure 3 we show the simulation result of generating theblock authentication tag for the size of diverse data blockswith the identical data file
From Figure 3 we can know that in the TagGen phaseZhang et alrsquos proposal is the most time-consuming andYu et alrsquos proposal is the most efficient Our proposal isslightly slower than Yu et alrsquos one since the algorithm toproduce the block authentication tag is a public keycertificate-based signature algorithm in Yu et alrsquos pro-posal however the algorithm which is used in ourproposal is the ID-based signature algorithm Becauseblock authentication tags for the data file can be producedin the off-line phase it has a little influence on the wholeprotocol
In auditing the verification phase the computationalcost mainly comes from verifying proof information It isdetermined by the numbers of the challenge data blocks Forour construction to check the validity of proving in-formation the auditor requires 3pairing+ c Hash + (c+ 2)Mul_G_1 however in the other two proposals the TPAneeds to execute 3Pairing+ 2MulG1 and 5Pairing+ (c+ 2)MulG1 + c Hash to check the integrality of the stored file incloud respectively where c expresses the size of the chal-lenge subset In Table 2 we give their comparison ofcomputational time in the different challenge subset
According to Table 2 we infer that the proposal in [16] isthe most efficient Our proposal is slightly more efficientthan the proposal in [15] However the proposal in [16] isshown to be insecure and its detail attack is shown inAppendix At the same time we also find that the TPArsquoscomputational costs grow linearly with the size of thechallenge subset
52 Communication Cost In a data audit system com-munication costs mainly come from two aspects On theone hand it is from the outsource phase of the datafile onthe other hand it is from the auditing phase In the out-source phase data owner uploads data file and the cor-responding meta-authentication tags As far as ourproposal the data owner wants to upload (n + 1)|G_1| + |M|bits to cloud storage server however in the proposals[15 16] the data owner wants to upload (n + 3)|G_1| + |M|bits and 2n middot |G_1| + |M| bits respectively Here |G_1|represents the bit length of an element of group G1 |M|denotes the bit length of data file and n is the number ofdata blocks
In the auditing phase communication costs are mainlyfrom the challenge information and proving informationtransmitting between the TPA and cloud storage servers Inour scheme the challenge information Chall is |Z_q| + |I|bits proving information is 3middot|G_1| bits and thus the totalcommunication overhead is |Z_q| + |I| + 3middot|G_1| bits where|Z_q| represents the bit length of an element in group Zqand |I| is the size of the challenge subset In the proposal[16] the total communication cost is 2|Z_q| + |I| + 2middot|G_1|bits in the auditing phase in the proposal [15] the totalcommunication costs is (2 + |I|)|Z_q| + |I| + 5middot|G_1| bits inthe auditing phase -eir comparison in detail is shown inTable 3
As shown in Table 3 our scheme has the least com-munication overhead among three schemes
53 Security Comparison According to 0eorem 1 weknow that our scheme is provably secure against thevicious cloud server in the computational DiffiendashHellman assumption and it has tight security reductionFor Yu et alrsquos proposal in [15] their proposal is alsoprovably secure against the vicious cloud server underthe CDH assumption However for Zhang and Dongrsquos
1800
1600
1400
1200
1000
800
600
400
200
Com
puta
tion
time (
ms)
Different block numbers
Our schemeZhang schemeYu scheme
00 50 100 150 200 250 300 350 400
Figure 3 Computational cost of authentication tag generation fordifferent block numbers
Table 2 Comparison of computation time in the auditing phase
Scheme-e number of the challenged blocksc 300 c 460 c 1000
Computation time inYu et alrsquos scheme (s) 0644 09733 231
Computation time inZhang et alrsquos scheme (s) 0109 0161 0333
Computation time inour scheme (s) 0616 09367 202
Journal of Healthcare Engineering 7
proposal [16] it is shown to be insecure against thevicious cloud server attack A vicious cloud server iscapable of deleting the whole file without being con-scious of the TPA and the detail security analysis is givenin Appendix
6 Conclusion
In this work we present a novel identity-based public auditsystem by merging the homomorphic authenticationtechnique in the ID-based cryptography into the auditsystem Our proposal overcomes the security problem andefficiency problems which have existed in the ID-basedpublic audit systems Finally the proposal is proven to besecure their security is tightly relevant to the classical CDHsecurity assumption By compared with two efficient ID-based schemes our scheme outperforms those two ID-based schemes under the condition of overall consideringcomputation complexity communication overhead andsecurity
Appendix
For a vicious s cloud storage server its attack is conducted asfollows
(1) Suppose that FM is an outsourced file It is firstlypartitioned into n blocks ie FM m1 mnAnd πi (δi Ri) is a meta-authentication signatureof each block mj for j 1 n
(2) For a vicious cloud storage cloud it calculateshi H2(miIDRi0) 1le ile n
(3) Subsequently it uniformly samples a numberra isin Zq to compute 1113954Ri miRi + ramiP and 1113954δi δi +
ramiT for i 1 2 n And delete all data blocksmi from the cloud server for i 1 n
(4) After the challenge information Chall (ρ I) isreceived the vicious remote server in cloud firstlycalculates vi ρi mod q for i isin I
(5) -en it calculates δlowast 1113936iisinIvi1113954δi hlowast 1113936iisinIvihi and
Rlowast 1113936iisinIvi middot 1113954Ri Note that hi has been calculated instep 2
(6) -e forged proof information is Prflowast (δlowast hlowast Rlowast)Since the forged proof information satisfies therelation
e δlowast P( 1113857 e 1113944iisinI
υiδi + υiraT( 1113857 P⎛⎝ ⎞⎠
e⎛⎝ 1113944iisinI
υi rimiT + hiDID0 + hprimeiDID1( 1113857
+ υiramiT P⎞⎠
e1113888 1113944iisinI
υi rimiT + ramiT( 1113857 P1113889
middot e 1113944iisinI
υi hiDID0 + hprimeiDID1( 1113857 P⎛⎝ ⎞⎠
e T 1113944iisinI
υi ri + ra( 1113857miP⎛⎝ ⎞⎠
middot e 1113944iisinI
υihi( 1113857DID0 + 1113944iisinI
υihprimei( 1113857DID1⎛⎝ ⎞⎠ P⎛⎝ ⎞⎠
e T Rlowast
( 1113857 middot e hlowastDID0 + hprimelowast1113872 1113873DID11113872 1113873 P1113872 1113873
(A1)
Conflicts of Interest
-e authors declare that they have no conflicts of interest
Acknowledgments
We would like to thank the anonymous referees for theirinvaluable suggestions in TrustCom2016 -is research wassupported by the Beijing Municipal Natural ScienceFoundation (no 4162020) Guangxi Key Laboratory ofCryptography and Information Security (no GCIS201710)and Research Fund of Guangxi KeyLab of Multi-SourceInformation Mining amp Security (no MIMS16-01)
References
[1] E-C Chang and J Xu ldquoRemote integrity check with dis-honest storage serverrdquo in Proceedings of European Symposiumon Research in Computer Security (ESORICSrsquo08) pp 223ndash237Malaga Spain October 2008
[2] A Juels and B S Kaliski Jr ldquoPors proofs of retrievability forlarge filesrdquo in Proceedings of 14th ACM Conference on
Table 3 Comparison of communication overhead and security among three schemes
Scheme Challenge information (bits) Proof information (bits) Total (bits) SecurityZhang et alrsquos scheme |I| + |Zq| |Zq| + 2|G1| 2|Zq| + 2|G1| + |I| NoOur scheme |I| + |Zq| 3|G1| |Zq| + 3|G1| + |I| YesYu et alrsquos scheme |I||Zq| + |I| + 2|G1| 2|Zq| + |I| + 3|G1| (2 + |I|)|Zq| + 3|G1| + |I| Yes
8 Journal of Healthcare Engineering
Computer and Communications Security (CCSrsquo07) pp 584ndash597 Alexandria VA USA October-November 2007
[3] S G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrustedstoresrdquo in Proceedings of 14th ACMConference on Computer and Communications Security(CCSrsquo07) pp 598ndash609 Alexandria VA USA October-November 2007
[4] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings ofInternational Conference on 0eory and Application ofCryptology and Information Security Advances in Cryptologypp 319ndash333 Tokyo Japan December 2009
[5] J Zhang W Tang and J Mao ldquoEfficient public verificationproof of retrievability scheme in cloudrdquo Cluster Computingvol 17 no 4 pp 1401ndash1411 2014
[6] H Wang ldquoIdentity-based distributed provable data posses-sion in multicloud storagerdquo IEEE Transactions on ServicesComputing vol 8 no 2 pp 328ndash340 2015
[7] J Zhang and H Meng ldquoComment on id-based remote dataintegrity checking with data privacy preservingrdquo IOP Con-ference Series Materials Science and Engineering vol 231article 012006 2017
[8] C Liu R Ranjan C Yang X Zhang L Wang and J ChenldquoMuR-DPA top-down levelled multi-replica Merkle Hashtree based secure public auditing for dynamic big data storageon cloudrdquo IEEE Transactions on Computers vol 64 no 9pp 2609ndash2622 2015
[9] N Kaaniche A Boudguiga and M Laurent ldquoID-basedcryptography for secure cloud data storagerdquo in Proceedingsof IEEE Sixth International Conference on Cloud Computingpp 375ndash382 Santa Clara CA USA 2013
[10] F Sebe J Domingo-Ferrer A Martnez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEETransactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008
[11] H Shacham and B Waters ldquoCompact proofs of retriev-abilityrdquo in Proceedings of International Conference on the0eory and Application of Cryptology and Information Se-curity (ASIACRYPTrsquo08) pp 90ndash107 Melbourne VIC Aus-tralia December 2008
[12] K Ren C Wang and Q Wang ldquoSecurity challenges for thepublic cloudrdquo IEEE Internet Computing vol 16 no 1pp 69ndash73 2012
[13] H Wang Q Wu B Qin and J Domingo-Ferrer ldquoIdentity-based remote data possession checking inpublic cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014
[14] M A Shah M Baker J C Mogul and R SwaminathanldquoAuditingto keep online storage services honestrdquo in Pro-ceedings of 11th USENIXWorkshop on Hot Topics in OperatingSystems (HOTOSrsquo07) G C Hunt Ed San Diego CA USAMay 2007
[15] Y Yu Y Zhang Y Mu W Susilo and H Liu ldquoProvablysecure identity based provable data possessionrdquo in Pro-ceedings of International Conference on Provable Security(ProvSec 2015) pp 310ndash325 Kanazawa Japan November2015
[16] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciencesvol 343-344 pp 1ndash14 2016
[17] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedings ofIEEE Conference on Computer Communications (INFOCOM2013) pp 2904ndash2912 Turin Italy April 2013
[18] Q Wang C Wang K Ren W Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011
[19] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of IEEE Conference on Computer Communi-cations (INFOCOM 2010) pp 525ndash533 San Diego CA USAMarch 2010
[20] C Wang K Ren W Lou and J Li ldquoToward publicly au-ditable secure cloud data storage servicesrdquo IEEE Networkvol 24 no 4 pp 19ndash24 2010
[21] httpslibrariesdocsmiraclcommiracl-explainedwhat-is-miracl
[22] C Gritti W Susilo and T Plantard ldquoEfficient file sharing inelectronic health recordsrdquo in Proceedings of InternationalConference on Information Security Practice and Experience(ISPEC 2015) LNCS vol 9065 pp 499ndash513 Beijing ChinaMay 2015
Journal of Healthcare Engineering 9
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
For explicit demonstration we use MulG1 to denotepoint multiplication operation and let Hash and Pairing beone hash-to-point operation from Zq to G1 and a bilinearpairing operation respectively For a public auditing pro-tocol the computational cost in the TagGen phase is mainlydetermined by computation of producing block authenti-cation tags To outsource a data file the data user requires(3n+ 1) MulG1 + n hash to produce block authentication tagin our construction in Yu et alrsquos proposal and Zhang et alrsquo sproposal each data user needs (n+ 1)Hash + (2n+ 2) MulG1and 4n MulG1 to calculate metablock authentication tagrespectively where n is the numbers of data block InFigure 3 we show the simulation result of generating theblock authentication tag for the size of diverse data blockswith the identical data file
From Figure 3 we can know that in the TagGen phaseZhang et alrsquos proposal is the most time-consuming andYu et alrsquos proposal is the most efficient Our proposal isslightly slower than Yu et alrsquos one since the algorithm toproduce the block authentication tag is a public keycertificate-based signature algorithm in Yu et alrsquos pro-posal however the algorithm which is used in ourproposal is the ID-based signature algorithm Becauseblock authentication tags for the data file can be producedin the off-line phase it has a little influence on the wholeprotocol
In auditing the verification phase the computationalcost mainly comes from verifying proof information It isdetermined by the numbers of the challenge data blocks Forour construction to check the validity of proving in-formation the auditor requires 3pairing+ c Hash + (c+ 2)Mul_G_1 however in the other two proposals the TPAneeds to execute 3Pairing+ 2MulG1 and 5Pairing+ (c+ 2)MulG1 + c Hash to check the integrality of the stored file incloud respectively where c expresses the size of the chal-lenge subset In Table 2 we give their comparison ofcomputational time in the different challenge subset
According to Table 2 we infer that the proposal in [16] isthe most efficient Our proposal is slightly more efficientthan the proposal in [15] However the proposal in [16] isshown to be insecure and its detail attack is shown inAppendix At the same time we also find that the TPArsquoscomputational costs grow linearly with the size of thechallenge subset
52 Communication Cost In a data audit system com-munication costs mainly come from two aspects On theone hand it is from the outsource phase of the datafile onthe other hand it is from the auditing phase In the out-source phase data owner uploads data file and the cor-responding meta-authentication tags As far as ourproposal the data owner wants to upload (n + 1)|G_1| + |M|bits to cloud storage server however in the proposals[15 16] the data owner wants to upload (n + 3)|G_1| + |M|bits and 2n middot |G_1| + |M| bits respectively Here |G_1|represents the bit length of an element of group G1 |M|denotes the bit length of data file and n is the number ofdata blocks
In the auditing phase communication costs are mainlyfrom the challenge information and proving informationtransmitting between the TPA and cloud storage servers Inour scheme the challenge information Chall is |Z_q| + |I|bits proving information is 3middot|G_1| bits and thus the totalcommunication overhead is |Z_q| + |I| + 3middot|G_1| bits where|Z_q| represents the bit length of an element in group Zqand |I| is the size of the challenge subset In the proposal[16] the total communication cost is 2|Z_q| + |I| + 2middot|G_1|bits in the auditing phase in the proposal [15] the totalcommunication costs is (2 + |I|)|Z_q| + |I| + 5middot|G_1| bits inthe auditing phase -eir comparison in detail is shown inTable 3
As shown in Table 3 our scheme has the least com-munication overhead among three schemes
53 Security Comparison According to 0eorem 1 weknow that our scheme is provably secure against thevicious cloud server in the computational DiffiendashHellman assumption and it has tight security reductionFor Yu et alrsquos proposal in [15] their proposal is alsoprovably secure against the vicious cloud server underthe CDH assumption However for Zhang and Dongrsquos
1800
1600
1400
1200
1000
800
600
400
200
Com
puta
tion
time (
ms)
Different block numbers
Our schemeZhang schemeYu scheme
00 50 100 150 200 250 300 350 400
Figure 3 Computational cost of authentication tag generation fordifferent block numbers
Table 2 Comparison of computation time in the auditing phase
Scheme-e number of the challenged blocksc 300 c 460 c 1000
Computation time inYu et alrsquos scheme (s) 0644 09733 231
Computation time inZhang et alrsquos scheme (s) 0109 0161 0333
Computation time inour scheme (s) 0616 09367 202
Journal of Healthcare Engineering 7
proposal [16] it is shown to be insecure against thevicious cloud server attack A vicious cloud server iscapable of deleting the whole file without being con-scious of the TPA and the detail security analysis is givenin Appendix
6 Conclusion
In this work we present a novel identity-based public auditsystem by merging the homomorphic authenticationtechnique in the ID-based cryptography into the auditsystem Our proposal overcomes the security problem andefficiency problems which have existed in the ID-basedpublic audit systems Finally the proposal is proven to besecure their security is tightly relevant to the classical CDHsecurity assumption By compared with two efficient ID-based schemes our scheme outperforms those two ID-based schemes under the condition of overall consideringcomputation complexity communication overhead andsecurity
Appendix
For a vicious s cloud storage server its attack is conducted asfollows
(1) Suppose that FM is an outsourced file It is firstlypartitioned into n blocks ie FM m1 mnAnd πi (δi Ri) is a meta-authentication signatureof each block mj for j 1 n
(2) For a vicious cloud storage cloud it calculateshi H2(miIDRi0) 1le ile n
(3) Subsequently it uniformly samples a numberra isin Zq to compute 1113954Ri miRi + ramiP and 1113954δi δi +
ramiT for i 1 2 n And delete all data blocksmi from the cloud server for i 1 n
(4) After the challenge information Chall (ρ I) isreceived the vicious remote server in cloud firstlycalculates vi ρi mod q for i isin I
(5) -en it calculates δlowast 1113936iisinIvi1113954δi hlowast 1113936iisinIvihi and
Rlowast 1113936iisinIvi middot 1113954Ri Note that hi has been calculated instep 2
(6) -e forged proof information is Prflowast (δlowast hlowast Rlowast)Since the forged proof information satisfies therelation
e δlowast P( 1113857 e 1113944iisinI
υiδi + υiraT( 1113857 P⎛⎝ ⎞⎠
e⎛⎝ 1113944iisinI
υi rimiT + hiDID0 + hprimeiDID1( 1113857
+ υiramiT P⎞⎠
e1113888 1113944iisinI
υi rimiT + ramiT( 1113857 P1113889
middot e 1113944iisinI
υi hiDID0 + hprimeiDID1( 1113857 P⎛⎝ ⎞⎠
e T 1113944iisinI
υi ri + ra( 1113857miP⎛⎝ ⎞⎠
middot e 1113944iisinI
υihi( 1113857DID0 + 1113944iisinI
υihprimei( 1113857DID1⎛⎝ ⎞⎠ P⎛⎝ ⎞⎠
e T Rlowast
( 1113857 middot e hlowastDID0 + hprimelowast1113872 1113873DID11113872 1113873 P1113872 1113873
(A1)
Conflicts of Interest
-e authors declare that they have no conflicts of interest
Acknowledgments
We would like to thank the anonymous referees for theirinvaluable suggestions in TrustCom2016 -is research wassupported by the Beijing Municipal Natural ScienceFoundation (no 4162020) Guangxi Key Laboratory ofCryptography and Information Security (no GCIS201710)and Research Fund of Guangxi KeyLab of Multi-SourceInformation Mining amp Security (no MIMS16-01)
References
[1] E-C Chang and J Xu ldquoRemote integrity check with dis-honest storage serverrdquo in Proceedings of European Symposiumon Research in Computer Security (ESORICSrsquo08) pp 223ndash237Malaga Spain October 2008
[2] A Juels and B S Kaliski Jr ldquoPors proofs of retrievability forlarge filesrdquo in Proceedings of 14th ACM Conference on
Table 3 Comparison of communication overhead and security among three schemes
Scheme Challenge information (bits) Proof information (bits) Total (bits) SecurityZhang et alrsquos scheme |I| + |Zq| |Zq| + 2|G1| 2|Zq| + 2|G1| + |I| NoOur scheme |I| + |Zq| 3|G1| |Zq| + 3|G1| + |I| YesYu et alrsquos scheme |I||Zq| + |I| + 2|G1| 2|Zq| + |I| + 3|G1| (2 + |I|)|Zq| + 3|G1| + |I| Yes
8 Journal of Healthcare Engineering
Computer and Communications Security (CCSrsquo07) pp 584ndash597 Alexandria VA USA October-November 2007
[3] S G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrustedstoresrdquo in Proceedings of 14th ACMConference on Computer and Communications Security(CCSrsquo07) pp 598ndash609 Alexandria VA USA October-November 2007
[4] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings ofInternational Conference on 0eory and Application ofCryptology and Information Security Advances in Cryptologypp 319ndash333 Tokyo Japan December 2009
[5] J Zhang W Tang and J Mao ldquoEfficient public verificationproof of retrievability scheme in cloudrdquo Cluster Computingvol 17 no 4 pp 1401ndash1411 2014
[6] H Wang ldquoIdentity-based distributed provable data posses-sion in multicloud storagerdquo IEEE Transactions on ServicesComputing vol 8 no 2 pp 328ndash340 2015
[7] J Zhang and H Meng ldquoComment on id-based remote dataintegrity checking with data privacy preservingrdquo IOP Con-ference Series Materials Science and Engineering vol 231article 012006 2017
[8] C Liu R Ranjan C Yang X Zhang L Wang and J ChenldquoMuR-DPA top-down levelled multi-replica Merkle Hashtree based secure public auditing for dynamic big data storageon cloudrdquo IEEE Transactions on Computers vol 64 no 9pp 2609ndash2622 2015
[9] N Kaaniche A Boudguiga and M Laurent ldquoID-basedcryptography for secure cloud data storagerdquo in Proceedingsof IEEE Sixth International Conference on Cloud Computingpp 375ndash382 Santa Clara CA USA 2013
[10] F Sebe J Domingo-Ferrer A Martnez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEETransactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008
[11] H Shacham and B Waters ldquoCompact proofs of retriev-abilityrdquo in Proceedings of International Conference on the0eory and Application of Cryptology and Information Se-curity (ASIACRYPTrsquo08) pp 90ndash107 Melbourne VIC Aus-tralia December 2008
[12] K Ren C Wang and Q Wang ldquoSecurity challenges for thepublic cloudrdquo IEEE Internet Computing vol 16 no 1pp 69ndash73 2012
[13] H Wang Q Wu B Qin and J Domingo-Ferrer ldquoIdentity-based remote data possession checking inpublic cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014
[14] M A Shah M Baker J C Mogul and R SwaminathanldquoAuditingto keep online storage services honestrdquo in Pro-ceedings of 11th USENIXWorkshop on Hot Topics in OperatingSystems (HOTOSrsquo07) G C Hunt Ed San Diego CA USAMay 2007
[15] Y Yu Y Zhang Y Mu W Susilo and H Liu ldquoProvablysecure identity based provable data possessionrdquo in Pro-ceedings of International Conference on Provable Security(ProvSec 2015) pp 310ndash325 Kanazawa Japan November2015
[16] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciencesvol 343-344 pp 1ndash14 2016
[17] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedings ofIEEE Conference on Computer Communications (INFOCOM2013) pp 2904ndash2912 Turin Italy April 2013
[18] Q Wang C Wang K Ren W Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011
[19] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of IEEE Conference on Computer Communi-cations (INFOCOM 2010) pp 525ndash533 San Diego CA USAMarch 2010
[20] C Wang K Ren W Lou and J Li ldquoToward publicly au-ditable secure cloud data storage servicesrdquo IEEE Networkvol 24 no 4 pp 19ndash24 2010
[21] httpslibrariesdocsmiraclcommiracl-explainedwhat-is-miracl
[22] C Gritti W Susilo and T Plantard ldquoEfficient file sharing inelectronic health recordsrdquo in Proceedings of InternationalConference on Information Security Practice and Experience(ISPEC 2015) LNCS vol 9065 pp 499ndash513 Beijing ChinaMay 2015
Journal of Healthcare Engineering 9
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
proposal [16] it is shown to be insecure against thevicious cloud server attack A vicious cloud server iscapable of deleting the whole file without being con-scious of the TPA and the detail security analysis is givenin Appendix
6 Conclusion
In this work we present a novel identity-based public auditsystem by merging the homomorphic authenticationtechnique in the ID-based cryptography into the auditsystem Our proposal overcomes the security problem andefficiency problems which have existed in the ID-basedpublic audit systems Finally the proposal is proven to besecure their security is tightly relevant to the classical CDHsecurity assumption By compared with two efficient ID-based schemes our scheme outperforms those two ID-based schemes under the condition of overall consideringcomputation complexity communication overhead andsecurity
Appendix
For a vicious s cloud storage server its attack is conducted asfollows
(1) Suppose that FM is an outsourced file It is firstlypartitioned into n blocks ie FM m1 mnAnd πi (δi Ri) is a meta-authentication signatureof each block mj for j 1 n
(2) For a vicious cloud storage cloud it calculateshi H2(miIDRi0) 1le ile n
(3) Subsequently it uniformly samples a numberra isin Zq to compute 1113954Ri miRi + ramiP and 1113954δi δi +
ramiT for i 1 2 n And delete all data blocksmi from the cloud server for i 1 n
(4) After the challenge information Chall (ρ I) isreceived the vicious remote server in cloud firstlycalculates vi ρi mod q for i isin I
(5) -en it calculates δlowast 1113936iisinIvi1113954δi hlowast 1113936iisinIvihi and
Rlowast 1113936iisinIvi middot 1113954Ri Note that hi has been calculated instep 2
(6) -e forged proof information is Prflowast (δlowast hlowast Rlowast)Since the forged proof information satisfies therelation
e δlowast P( 1113857 e 1113944iisinI
υiδi + υiraT( 1113857 P⎛⎝ ⎞⎠
e⎛⎝ 1113944iisinI
υi rimiT + hiDID0 + hprimeiDID1( 1113857
+ υiramiT P⎞⎠
e1113888 1113944iisinI
υi rimiT + ramiT( 1113857 P1113889
middot e 1113944iisinI
υi hiDID0 + hprimeiDID1( 1113857 P⎛⎝ ⎞⎠
e T 1113944iisinI
υi ri + ra( 1113857miP⎛⎝ ⎞⎠
middot e 1113944iisinI
υihi( 1113857DID0 + 1113944iisinI
υihprimei( 1113857DID1⎛⎝ ⎞⎠ P⎛⎝ ⎞⎠
e T Rlowast
( 1113857 middot e hlowastDID0 + hprimelowast1113872 1113873DID11113872 1113873 P1113872 1113873
(A1)
Conflicts of Interest
-e authors declare that they have no conflicts of interest
Acknowledgments
We would like to thank the anonymous referees for theirinvaluable suggestions in TrustCom2016 -is research wassupported by the Beijing Municipal Natural ScienceFoundation (no 4162020) Guangxi Key Laboratory ofCryptography and Information Security (no GCIS201710)and Research Fund of Guangxi KeyLab of Multi-SourceInformation Mining amp Security (no MIMS16-01)
References
[1] E-C Chang and J Xu ldquoRemote integrity check with dis-honest storage serverrdquo in Proceedings of European Symposiumon Research in Computer Security (ESORICSrsquo08) pp 223ndash237Malaga Spain October 2008
[2] A Juels and B S Kaliski Jr ldquoPors proofs of retrievability forlarge filesrdquo in Proceedings of 14th ACM Conference on
Table 3 Comparison of communication overhead and security among three schemes
Scheme Challenge information (bits) Proof information (bits) Total (bits) SecurityZhang et alrsquos scheme |I| + |Zq| |Zq| + 2|G1| 2|Zq| + 2|G1| + |I| NoOur scheme |I| + |Zq| 3|G1| |Zq| + 3|G1| + |I| YesYu et alrsquos scheme |I||Zq| + |I| + 2|G1| 2|Zq| + |I| + 3|G1| (2 + |I|)|Zq| + 3|G1| + |I| Yes
8 Journal of Healthcare Engineering
Computer and Communications Security (CCSrsquo07) pp 584ndash597 Alexandria VA USA October-November 2007
[3] S G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrustedstoresrdquo in Proceedings of 14th ACMConference on Computer and Communications Security(CCSrsquo07) pp 598ndash609 Alexandria VA USA October-November 2007
[4] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings ofInternational Conference on 0eory and Application ofCryptology and Information Security Advances in Cryptologypp 319ndash333 Tokyo Japan December 2009
[5] J Zhang W Tang and J Mao ldquoEfficient public verificationproof of retrievability scheme in cloudrdquo Cluster Computingvol 17 no 4 pp 1401ndash1411 2014
[6] H Wang ldquoIdentity-based distributed provable data posses-sion in multicloud storagerdquo IEEE Transactions on ServicesComputing vol 8 no 2 pp 328ndash340 2015
[7] J Zhang and H Meng ldquoComment on id-based remote dataintegrity checking with data privacy preservingrdquo IOP Con-ference Series Materials Science and Engineering vol 231article 012006 2017
[8] C Liu R Ranjan C Yang X Zhang L Wang and J ChenldquoMuR-DPA top-down levelled multi-replica Merkle Hashtree based secure public auditing for dynamic big data storageon cloudrdquo IEEE Transactions on Computers vol 64 no 9pp 2609ndash2622 2015
[9] N Kaaniche A Boudguiga and M Laurent ldquoID-basedcryptography for secure cloud data storagerdquo in Proceedingsof IEEE Sixth International Conference on Cloud Computingpp 375ndash382 Santa Clara CA USA 2013
[10] F Sebe J Domingo-Ferrer A Martnez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEETransactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008
[11] H Shacham and B Waters ldquoCompact proofs of retriev-abilityrdquo in Proceedings of International Conference on the0eory and Application of Cryptology and Information Se-curity (ASIACRYPTrsquo08) pp 90ndash107 Melbourne VIC Aus-tralia December 2008
[12] K Ren C Wang and Q Wang ldquoSecurity challenges for thepublic cloudrdquo IEEE Internet Computing vol 16 no 1pp 69ndash73 2012
[13] H Wang Q Wu B Qin and J Domingo-Ferrer ldquoIdentity-based remote data possession checking inpublic cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014
[14] M A Shah M Baker J C Mogul and R SwaminathanldquoAuditingto keep online storage services honestrdquo in Pro-ceedings of 11th USENIXWorkshop on Hot Topics in OperatingSystems (HOTOSrsquo07) G C Hunt Ed San Diego CA USAMay 2007
[15] Y Yu Y Zhang Y Mu W Susilo and H Liu ldquoProvablysecure identity based provable data possessionrdquo in Pro-ceedings of International Conference on Provable Security(ProvSec 2015) pp 310ndash325 Kanazawa Japan November2015
[16] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciencesvol 343-344 pp 1ndash14 2016
[17] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedings ofIEEE Conference on Computer Communications (INFOCOM2013) pp 2904ndash2912 Turin Italy April 2013
[18] Q Wang C Wang K Ren W Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011
[19] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of IEEE Conference on Computer Communi-cations (INFOCOM 2010) pp 525ndash533 San Diego CA USAMarch 2010
[20] C Wang K Ren W Lou and J Li ldquoToward publicly au-ditable secure cloud data storage servicesrdquo IEEE Networkvol 24 no 4 pp 19ndash24 2010
[21] httpslibrariesdocsmiraclcommiracl-explainedwhat-is-miracl
[22] C Gritti W Susilo and T Plantard ldquoEfficient file sharing inelectronic health recordsrdquo in Proceedings of InternationalConference on Information Security Practice and Experience(ISPEC 2015) LNCS vol 9065 pp 499ndash513 Beijing ChinaMay 2015
Journal of Healthcare Engineering 9
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Computer and Communications Security (CCSrsquo07) pp 584ndash597 Alexandria VA USA October-November 2007
[3] S G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrustedstoresrdquo in Proceedings of 14th ACMConference on Computer and Communications Security(CCSrsquo07) pp 598ndash609 Alexandria VA USA October-November 2007
[4] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings ofInternational Conference on 0eory and Application ofCryptology and Information Security Advances in Cryptologypp 319ndash333 Tokyo Japan December 2009
[5] J Zhang W Tang and J Mao ldquoEfficient public verificationproof of retrievability scheme in cloudrdquo Cluster Computingvol 17 no 4 pp 1401ndash1411 2014
[6] H Wang ldquoIdentity-based distributed provable data posses-sion in multicloud storagerdquo IEEE Transactions on ServicesComputing vol 8 no 2 pp 328ndash340 2015
[7] J Zhang and H Meng ldquoComment on id-based remote dataintegrity checking with data privacy preservingrdquo IOP Con-ference Series Materials Science and Engineering vol 231article 012006 2017
[8] C Liu R Ranjan C Yang X Zhang L Wang and J ChenldquoMuR-DPA top-down levelled multi-replica Merkle Hashtree based secure public auditing for dynamic big data storageon cloudrdquo IEEE Transactions on Computers vol 64 no 9pp 2609ndash2622 2015
[9] N Kaaniche A Boudguiga and M Laurent ldquoID-basedcryptography for secure cloud data storagerdquo in Proceedingsof IEEE Sixth International Conference on Cloud Computingpp 375ndash382 Santa Clara CA USA 2013
[10] F Sebe J Domingo-Ferrer A Martnez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEETransactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008
[11] H Shacham and B Waters ldquoCompact proofs of retriev-abilityrdquo in Proceedings of International Conference on the0eory and Application of Cryptology and Information Se-curity (ASIACRYPTrsquo08) pp 90ndash107 Melbourne VIC Aus-tralia December 2008
[12] K Ren C Wang and Q Wang ldquoSecurity challenges for thepublic cloudrdquo IEEE Internet Computing vol 16 no 1pp 69ndash73 2012
[13] H Wang Q Wu B Qin and J Domingo-Ferrer ldquoIdentity-based remote data possession checking inpublic cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014
[14] M A Shah M Baker J C Mogul and R SwaminathanldquoAuditingto keep online storage services honestrdquo in Pro-ceedings of 11th USENIXWorkshop on Hot Topics in OperatingSystems (HOTOSrsquo07) G C Hunt Ed San Diego CA USAMay 2007
[15] Y Yu Y Zhang Y Mu W Susilo and H Liu ldquoProvablysecure identity based provable data possessionrdquo in Pro-ceedings of International Conference on Provable Security(ProvSec 2015) pp 310ndash325 Kanazawa Japan November2015
[16] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciencesvol 343-344 pp 1ndash14 2016
[17] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedings ofIEEE Conference on Computer Communications (INFOCOM2013) pp 2904ndash2912 Turin Italy April 2013
[18] Q Wang C Wang K Ren W Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011
[19] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of IEEE Conference on Computer Communi-cations (INFOCOM 2010) pp 525ndash533 San Diego CA USAMarch 2010
[20] C Wang K Ren W Lou and J Li ldquoToward publicly au-ditable secure cloud data storage servicesrdquo IEEE Networkvol 24 no 4 pp 19ndash24 2010
[21] httpslibrariesdocsmiraclcommiracl-explainedwhat-is-miracl
[22] C Gritti W Susilo and T Plantard ldquoEfficient file sharing inelectronic health recordsrdquo in Proceedings of InternationalConference on Information Security Practice and Experience(ISPEC 2015) LNCS vol 9065 pp 499ndash513 Beijing ChinaMay 2015
Journal of Healthcare Engineering 9
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
![The Integrality of Speech in Multimodal Interfaces Abstractfinin/papers/papers/tochi99.pdf · The Integrality of Speech in Multimodal Interfaces Page 3 Michael A. Grasso [1993] points](https://img.dokumen.tips/doc/110x75/5a9d4d597f8b9abd058b9bbc/the-integrality-of-speech-in-multimodal-interfaces-abstract-fininpaperspapers.jpg)
![Non-InteractiveSimulationand …Computing SDP integrality gaps for CSPs [Raghavendra-Steurer ’09] Amortized communication complexity =Informationcomplexity …](https://img.dokumen.tips/doc/110x75/5e575288d2292c3a996f9abf/non-interactivesimulationand-computing-sdp-integrality-gaps-for-csps-raghavendra-steurer.jpg)
