
1545-5971 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2018.2829880, IEEE Transactions on Dependable and Secure Computing

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. , NO. , 2017 1

Enabling Efficient User Revocation in Identity-based Cloud Storage Auditing for Shared Big Data

Yue Zhang, Jia Yu, Rong Hao, Cong Wang, Senior Member, IEEE and Kui Ren, Fellow, IEEE

Abstract—Cloud storage auditing schemes for shared data refer to checking the integrity of cloud data shared by a group of users. User revocation is commonly supported in such schemes, as users may be subject to group membership changes for various reasons. In previous schemes, the computational overhead of user revocation is linear in the total number of file blocks possessed by a revoked user. This overhead may become a heavy burden because of the sheer amount of shared cloud data. Thus, how to reduce the computational overhead caused by user revocations becomes a key research challenge for achieving practical cloud data auditing. In this paper, we propose a novel storage auditing scheme that achieves highly efficient user revocation independent of the total number of file blocks possessed by the revoked user in the cloud. This is achieved by exploring a novel strategy for key generation and a new private key update technique. Using this strategy and the technique, we realize user revocation by just updating the non-revoked group users’ private keys rather than the authenticators of the revoked user. The integrity auditing of the revoked user’s data can still be correctly performed when the authenticators are not updated. Meanwhile, the proposed scheme is based on identity-based cryptography, which eliminates the complicated certificate management in traditional Public Key Infrastructure (PKI) systems. The security and efficiency of the proposed scheme are validated via both analysis and experimental results.

Index Terms—Cloud computing; cloud storage auditing; user revocation; big data; identity-based cryptography

Copyright (c) 2013 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to [email protected]

This research is supported by National Natural Science Foundation of China (61572267, 61572412), National Development Foundation of Cryptography (MMJJ20170118, MMJJ20170126), the Research Grants Council of Hong Kong under Project CityU C1008-16G, the Open Project of Co-Innovation Center for Information Supply and Assurance Technology, Anhui University, the Open Project of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences (2017-MS-21, 2016-MS-23). (Corresponding author: J. Yu)

Y. Zhang is with the College of Computer Science and Technology, Qingdao University, Qingdao 266071, China. E-mail:[email protected].

J. Yu is with the College of Computer Science and Technology, Qingdao University, Qingdao 266071, China, with State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China. E-mail:[email protected].

R. Hao is with the College of Computer Science and Technology, Qingdao University, Qingdao 266071, China. E-mail:[email protected].

C. Wang is with the Department of Computer Science, City University of Hong Kong, Hong Kong. E-mail:[email protected].

K. Ren is with the Department of Computer Science and Engineering, The State University of New York at Buffalo, NY 14260 USA. E-mail:[email protected].

I. INTRODUCTION

Data sharing is one of the most widely used services that cloud storage provides. With a data sharing service, users can share their data in the cloud with a group of users, and reduce the burden of local data storage. Users, however, lose physical control over their data when they share them in the cloud. Any error (human carelessness or a hardware/software failure) might cause loss of or damage to the data [1]. In order to check data integrity, some cloud storage auditing schemes for shared data have been proposed [2–8]. When a group user misbehaves or leaves the group, the user should be revoked from the group. Therefore, user revocation is a common practical necessity in cloud storage auditing for shared data.

In cloud storage auditing schemes, the data owner needs to use his/her private key to generate authenticators (signatures) for file blocks. These authenticators are used to prove that the cloud truly possesses these file blocks. When a user is revoked, the user’s private key should also be revoked. For traditional cloud storage auditing schemes for shared data [2–5], all of the authenticators generated by the revoked user should be transformed into the authenticators of one designated non-revoked group user. In this case, this non-revoked group user needs to download all of the revoked user’s blocks, re-sign these blocks, and upload new authenticators to the cloud. Obviously, this costs a huge amount of computation and communication resources due to the large size of shared data in the cloud. In order to solve this problem, some auditing schemes for shared data with user revocation have recently been proposed [6–8]. When a user is revoked, the cloud transforms the authenticators of the revoked user’s blocks into the authenticators of one non-revoked group user corresponding to these blocks, with a re-signing key. The computation overhead of user revocation is still linear in the total number of file blocks stored by the revoked user in the cloud. Although this method relieves the burden on the non-revoked group user, it transfers the burden to the cloud. According to research by Nasuni, there was over 1 exabyte of data stored in the cloud [9]. In reality, people might share an extensive amount of file blocks with others on the cloud. Once a user is revoked from the group, the burden of user revocation might be huge, even for the computationally powerful cloud. The matter is even worse when the membership of the group changes frequently. Therefore, designing a cloud storage auditing scheme for shared data that supports truly efficient user revocation is very worthwhile.

Contribution. We construct a novel cloud storage auditing scheme for shared data supporting truly efficient user revocation in this paper. In order to realize efficient user revocation, we come up with a novel strategy for key generation. In this design, the group’s public key is replaced by the group’s identity information, which remains unchanged in the whole lifetime. The group’s private key derives from two components. One component remains fixed since being issued, and the other component changes with user revocation. We also propose a novel private key update technique to support user revocation. When users are revoked from the group, all of the non-revoked users can update their private keys by this technique to make the cloud storage auditing still work, while the identity information of the group does not need to change. In addition, the revoked users are not able to upload data and authenticators to the cloud any more. In this way, all of the authenticators generated before user revocation do not need to be recomputed. Therefore, the overhead of user revocation is fully independent of the total number of the revoked user’s blocks. Even when the amount of data is immense, the group can still complete user revocation very efficiently. Besides, our scheme is based on identity-based cryptography, which eliminates the complicated certificate management in traditional PKI systems, including certificate generation, certificate revocation, certificate renewal, etc.

We prove the correctness and the security of the proposed scheme by concrete analysis. We also justify the performance of the proposed scheme by concrete implementation. In our experiments, we evaluate the performance in different phases, and compare our scheme with others in terms of the computation overhead of user revocation. The experimental results show that our scheme is efficient.

A. Related Work

How to ensure the integrity of outsourced data stored in the untrusted cloud is a hot topic. Up to now, a lot of schemes have been proposed based on various techniques. Ateniese et al. [10] first proposed the notion of “Provable Data Possession” (PDP) based on homomorphic authenticators and sampling strategies. Juels et al. [11] proposed a “Proof of Retrievability” (PoR) model by using the tools of spot checking and error correcting codes to ensure both possession and retrievability of the data at untrusted servers. Shacham et al. [12] proposed a compact version of PoR, which efficiently realized public auditing based on the BLS short signature. To support dynamic cloud data auditing, Ateniese et al. [13] proposed a novel dynamic PDP scheme. Wang et al. [14] proposed a full data dynamic auditing scheme by employing the Merkle Hash Tree. Later, some other cloud storage auditing schemes supporting data dynamics [15–19] were proposed. To protect the privacy of data, Wang et al. [20] proposed a public cloud storage auditing scheme with data privacy preservation by utilizing a random masking technique. To reduce the damage of key exposure in cloud storage auditing, Yu et al. [21–23] proposed cloud storage auditing schemes with key-exposure resilience by using a key update technique [24, 25]. Some other cloud storage auditing schemes [26–28] have also been proposed.

The above schemes are all based on the PKI system. PKI-based cloud storage auditing schemes usually involve complicated certificate management and certificate verification. In order to solve this problem, Wang et al. [29] first proposed an identity-based cloud storage auditing scheme, in which the public key was replaced by the user’s identity information (e.g. e-mail address or name), and the private key was computed by a trusted Private Key Generator (PKG). Yu et al. [30] proposed an identity-based auditing scheme with perfect data privacy preservation, which achieved zero knowledge privacy against the auditor. Wang et al. [31] proposed an identity-based proxy-oriented data uploading and remote data integrity auditing scheme, which realizes private, delegated and public remote data integrity auditing. Wang et al. [32] proposed an incentive and unconditionally anonymous identity-based public PDP scheme, which protected the identity privacy of users and allowed users to disclose bad events. Li et al. [33] proposed a fuzzy identity-based auditing scheme for reliable cloud storage systems, which simplified the complex key management.

Data sharing is a widely used service that cloud storage provides. Wang et al. [2] first proposed a cloud storage auditing scheme for shared data (named Oruta), based on ring signatures. To improve the efficiency of Oruta, Wang et al. [3] proposed another cloud storage auditing scheme for shared data based on group signatures. Yang et al. [4] proposed an efficient cloud storage auditing scheme, which preserved the identity privacy and the identity traceability for group members concurrently. Shen et al. [5] proposed a light-weight and privacy-preserving cloud storage auditing scheme by introducing a third party medium. User revocation is a practical necessity in cloud storage auditing schemes for shared data. When a group user misbehaves or leaves the group, the user should be revoked from the group. Jiang et al. [34] proposed a shared data integrity auditing scheme with user revocation. However, the efficiency is low because the scheme is based on group signatures. Wang et al. [6] first proposed a cloud storage auditing scheme with user revocation based on the proxy re-signature technique. In this scheme, the cloud could help revoked users to convert their authenticators into the authenticators of one non-revoked group user. Yuan et al. [7] proposed a dynamic public integrity auditing scheme with group user revocation, which adopted polynomial authentication tags and proxy tag update techniques. Luo et al. [8] proposed a secure and efficient auditing scheme for user revocation based on the Shamir secret sharing technique, which divided the re-signing process into a number of parts and deployed them to different proxies. Although the efficiency of user revocation has improved in [6–8], the overhead of user revocation is still linear in the number of the revoked user’s blocks. When one is faced with large-scale data, user revocation will incur a huge burden.

B. Organization

The rest of this paper is organized as follows: In Section II, we present the system model and the design goals. In Section III, we present notations, definition and preliminaries. In Section IV, we describe the proposed scheme. In Section V and Section VI, we give the security analysis and the performance evaluation of our scheme, respectively. Finally, we conclude our paper in Section VII.


Fig. 1. The system model

II. SYSTEM MODEL AND DESIGN GOALS

A. System Model

As illustrated in Fig. 1, the system model in our scheme includes five entities: the group user, the group manager, the cloud, the Private Key Generator (PKG), and the Third Party Auditor (TPA).

(1) Group user: There are multiple group users in a group. Each group user can share data with others through the cloud storage. Group users can join or leave the group. The legal group users are honest and will not leak any private information to others.

(2) Group manager: The group manager is a powerful entity. It can be viewed as an administrator of the group. When a user leaves the group, the manager is in charge of revoking this user. The revoked user cannot upload data to the cloud any more.

(3) Cloud: The cloud provides enormous storage space and computing resources for group users. Through the cloud storage, group users can enjoy the data sharing service.

(4) PKG: The PKG is trusted by other entities. It is in charge of generating system public parameters and the identity key of the group according to the group’s identity (ID).

(5) TPA: The TPA is responsible for auditing the integrity of cloud data on behalf of group users. When the TPA wants to audit the data integrity, it will send an auditing challenge to the cloud. After receiving the auditing challenge, the cloud will respond to the TPA with a proof of data possession. Finally, the TPA will verify the data integrity by checking the correctness of the proof. The TPA is a powerful party and it is honest.

In our system model, the shared data belong to the dynamic group composed of non-revoked users. Everyone in this dynamic group can upload data and share them with other group users. When a user is revoked, the data uploaded by that user are still shared by the dynamic group. The owner of these data is still this group. However, the revoked user would not be able to upload data and the corresponding authenticators to the cloud any more.

TABLE I: NOTATIONS

| Notation | Meaning |
|---|---|
| $q$ | One large prime |
| $G_1, G_2$ | Two cyclic multiplicative groups with the same order $q$ |
| $g, u$ | Two generators of $G_1$ |
| $e$ | A bilinear pairing $e : G_1 \times G_1 \to G_2$ |
| $H_1$ | The cryptographic hash function $H_1 : \{0,1\}^* \times G_1 \to Z_q^*$ |
| $H_2$ | The cryptographic hash function $H_2 : \{0,1\}^* \times G_1 \times \{0,1\}^* \to Z_q^*$ |
| $h$ | The cryptographic hash function $h : \{0,1\}^* \to G_1$ |
| $RN$ | The number of user revocation |
| $k$ | The security parameter |
| $x$ | The master secret key |
| $y$ | The master partial key |
| $ID$ | The identity information of group |
| $IDK_{ID}$ | The identity key |
| $TK_{ID,RN}$ | The partial key |
| $SK_{ID,RN}$ | The private key |
| $F$ | The shared file by group |
| $m_i$ $(i = 1, \ldots, n)$ | The $i$-th block of file $F$ |
| $T_i$ | The authenticator of block $m_i$ |
| $chal$ | The challenge message from the TPA |
| $P$ | The proof message from the cloud |

B. Design Goals

To ensure efficient user revocation in identity-based cloud storage auditing for shared data, our designed scheme should meet the following objectives:

(1) Correctness: to ensure that the proof from the cloud can pass the TPA’s validation, if the cloud, group users, the group manager and the TPA are honest and obey the specified procedures.

(2) Soundness: to ensure that the cloud cannot pass the TPA’s verification if it does not store group users’ intact data.

(3) Secure user revocation: to ensure that the revoked users cannot upload data and the corresponding authenticators to the cloud any more.

(4) Efficient user revocation: to ensure that the computation overhead of user revocation is completely independent of the total number of the revoked user’s blocks.

(5) Public auditing: to ensure that the TPA can verify the integrity of shared cloud data on behalf of group users.

III. NOTATIONS, DEFINITION AND PRELIMINARIES

A. Notations

In Table I, we show some notations used in the description of our scheme.

B. Definition

As illustrated in Fig. 2, an identity-based cloud storage auditing scheme with efficient user revocation includes the following six algorithms:

Fig. 2. Definition of identity-based cloud storage auditing scheme with efficient user revocation

1) Setup algorithm: the setup algorithm is run by the PKG. It takes as input a security parameter $k$. It outputs the master secret key $x$, the master partial key $y$ and the system public parameters $params$. The PKG holds the master secret key $x$ itself, and sends the master partial key $y$ to the group manager.

2) Private Key Generation algorithm: the private key generation algorithm is run by the PKG, the group manager and group users. Based on the group’s ID, the PKG computes the identity key $IDK_{ID}$ and sends it to group users. Set the number of user revocation $RN = 0$. The group manager computes the partial key $TK_{ID,RN}$, and sends it to group users. According to the identity key $IDK_{ID}$ and the partial key $TK_{ID,RN}$, each group user computes his/her private key $SK_{ID,RN}$.

3) Authenticator Generation algorithm: the authenticator generation algorithm is run by the group user. It takes as input a file $F = (m_1, \ldots, m_n)$, the number of user revocation $RN$ and the user’s private key $SK_{ID,RN}$, and generates a file tag $tag$ and the authenticators $T_i$ $(i = 1, \ldots, n)$ for blocks $m_i$. The cloud verifies the correctness of the file tag $tag$ and the authenticators.

4) Proof Generation algorithm: the proof generation algorithm is run by the cloud. It takes as input a file $F$, a set of the corresponding authenticators and an auditing challenge $chal$, and generates a proof $P$ which is used to prove the cloud accurately stores $F$.

5) Verification algorithm: the proof verification algorithm is run by the TPA. It takes as input a proof $P$ and system public parameters, and returns “success” if the proof is valid, or “failure” otherwise.

6) User Revocation algorithm: the user revocation algorithm is run by the group manager and non-revoked group users. Set the number of user revocations $RN = RN + 1$. The group manager computes the new partial key $TK_{ID,RN}$ and sends it to all of the non-revoked group users. Each non-revoked group user computes the new private key $SK_{ID,RN}$ according to the identity key $IDK_{ID}$ and the new partial key $TK_{ID,RN}$.

C. Preliminaries

1) Bilinear Maps: Let $G_1$ and $G_2$ be two cyclic multiplicative groups with the same prime order $q$, that is, $|G_1| = |G_2| = q$. Let $e : G_1 \times G_1 \to G_2$ be a bilinear map, which satisfies the following properties:

• Bilinearity: $\forall g_1, g_2 \in G_1$ and $a, b \in_R Z_q^*$, there is $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$.

• Non-degeneracy: For some $g_1, g_2 \in G_1$, $e(g_1, g_2) \neq 1$.

• Computability: There is an efficient algorithm to compute this map.

2) Computational Diffie-Hellman (CDH) Problem: For $x, y \in Z_q^*$, given $g$, $v = g^x$ and $g^y \in G_1$ as input, output $v^y \in G_1$. The CDH assumption in $G_1$ holds if it is computationally infeasible to solve the CDH problem in $G_1$.

3) Discrete Logarithm (DL) Problem: For $x \in Z_q^*$, given $g, g^x \in G_1$ as input, output $x$. The DL assumption in $G_1$ holds if it is computationally infeasible to solve the DL problem in $G_1$.

Fig. 3. The strategy for key generation. [Figure: the public key is the group’s ID, which remains the same in the whole lifetime. The private key is built from the identity key $IDK_{ID}$, computed by the PKG according to ID and fixed since being issued, and the partial key $TK_{ID,RN}$, computed by the group manager according to ID and RN and changing along with user revocation. When group users are revoked, set RN = RN + 1 and the group manager computes the new partial key for the non-revoked group users.]

IV. THE PROPOSED SCHEME

A. High-level Technique Explanation

In existing approaches, when group users are revoked, the authenticators of revoked users’ blocks will be transformed into those of some designated non-revoked group user to make the cloud storage auditing still work. This incurs huge computation overhead because the number of revoked users’ blocks is usually enormous in big data storage scenarios. Our basic idea for solving this problem is to realize user revocation by updating the non-revoked group users’ private keys rather than updating authenticators. One challenge we face is how to achieve the integrity checking of the revoked user’s data under the condition that the revoked user’s authenticators are not updated. In addition, we need to be able to detect and refuse the uploading request from the revoked user once he/she is revoked.

In order to address above challenges, we design a novelstrategy for key generation shown in Fig. 3. In our design, allgroup users have the same public key and the same privatekey. The public key is the group’s ID, which remains fixedduring the entire lifetime. The private key derives from twocomponents, namely, an identity key IDKID and a partialkey TKID,RN . The identity key IDKID is generated by thePKG, which is related to the group’s ID and remains fixedsince being issued. The partial key TKID,RN is generatedby the group manager, which is related to the group’s ID


Fig. 4. The process of private key generation

and the number of user revocations $RN$, and alters along with user revocation. Group users compute their new private keys $SK_{ID,RN}$ by using the identity key $IDK_{ID}$ and the partial key $TK_{ID,RN}$. The user revocation is realized by a key update technique. The number of user revocations $RN$ plays an important role in the key update. $RN$ is a value set by the group manager, and also known by group users and the cloud. When the system is initialized, set $RN = 0$. When users are revoked, set $RN = RN + 1$. The group manager generates a new partial key corresponding to this new value of $RN$, and sends it to all of the non-revoked group users. Then the non-revoked group users update their private keys using the new partial key. In this way, the revoked user cannot get the current private key related to the newest $RN$. Because we utilize the well-known Schnorr signature [36] to compute the identity key and the partial key, the private key in our scheme is fully compatible with blockless verifiable authenticator.

In our design, the number of user revocations $RN$ is integrated into authenticators and the file tag. When a group user would like to upload data to the cloud, he/she computes authenticators for file blocks according to the current private key and the newest $RN$, and then uploads them to the cloud. The cloud firstly verifies the validity of the file tag and the authenticators related to the current private key and the newest $RN$. Because the revoked user cannot use a previous private key to generate the valid authenticators under the newest $RN$, the data and the authenticators from the revoked user will be refused by the cloud. When the integrity auditing is performed, the TPA needs to retrieve the value of $RN$ which has been integrated into the file tag. The TPA verifies the cloud data integrity using this $RN$ and the group identity. In this way, the integrity auditing of the revoked user’s data can still be performed even if the revoked user’s authenticators are not updated.

B. Description of Our Scheme

In our scheme, a shared file $F$ that will be uploaded is divided into $n$ blocks $(m_1, ..., m_n)$, where $m_i \in Z_q^*$ denotes the $i$-th block of $F$. In previous cloud storage auditing schemes [14, 20, 21, 33], a secure digital signature is used to ensure the integrity of the file identifier name. We also use a similar ID-based digital signature $SSig$ to ensure the integrity of the file identifier name, user revocation number and verification values. We use $ssk$ and $ID$ to denote the secret key and the group identity corresponding to $SSig$ respectively. We assume group users have held the secret key $ssk$. Such an assumption makes our scheme description simpler and clearer. Now, we give the detailed description of our scheme.

1) Setup algorithm: In this algorithm, the PKG generates the master secret key, the master partial key and the system public parameters.

a) The PKG randomly chooses a bilinear map $e : G_1 \times G_1 \to G_2$, where $G_1$ and $G_2$ are two multiplicative cyclic groups with prime order $q$. The PKG randomly chooses two random generators $g$ and $u$ of $G_1$, and three different cryptographic hash functions $H_1 : \{0,1\}^* \times G_1 \to Z_q^*$, $H_2 : \{0,1\}^* \times G_1 \times \{0,1\}^* \to Z_q^*$ and $h : \{0,1\}^* \to G_1$.

b) The PKG randomly chooses the master secret key $x \in Z_q^*$, which is used to generate the identity key for group users. The PKG holds the master secret key itself.

c) The PKG randomly chooses the master partial key $y \in Z_q^*$, which is sent to the group manager for generating the partial key.

d) The PKG computes two public values $Y_1 = g^x$ and $Y_2 = g^y$.

e) The PKG publishes $params = (G_1, G_2, e, q, g, u, Y_1, Y_2, H_1, H_2, h)$ as the system public parameters.

2) Private Key Generation algorithm: In this algorithm, the PKG generates the identity key, the group manager generates the partial key, and group users generate their private keys using the identity key and the partial key. Besides, group users can verify the correctness of the identity key and the partial key. This process is illustrated in Fig. 4.

a) After receiving the group’s ID, the PKG randomly picks $r_{ID} \in Z_q^*$, and computes $R_{ID} = g^{r_{ID}}$ and $\sigma_{ID} = r_{ID} + xH_1(ID, R_{ID}) \bmod q$. The PKG sets the identity key $IDK_{ID} = (R_{ID}, \sigma_{ID})$, and sends it to group users.

b) Group users can verify the correctness of the received identity key $IDK_{ID}$ by checking whether $g^{\sigma_{ID}} = R_{ID} \cdot Y_1^{H_1(ID, R_{ID})}$ holds. If this equation holds, group users accept the identity key $IDK_{ID}$; otherwise, refuse it.

c) The group manager sets the number of user revocations $RN = 0$, and sends this message to group users and the cloud. The group manager randomly


[Diagram: the group user (a) computes the authenticator set $\Sigma$ and (b) computes the file tag, then (c) sends $(F, \Sigma)$ and the tag to the cloud; the cloud (d) verifies the validity of $\Sigma$ and the tag.]

Fig. 5. The process of authenticator generation

picks $r_{RN} \in Z_q^*$, and computes $R_{RN} = g^{r_{RN}}$ and $\sigma_{RN} = r_{RN} + yH_2(ID, R_{RN}, RN) \bmod q$. The group manager sets the partial key $TK_{ID,RN} = (R_{RN}, \sigma_{RN})$, and sends it to group users.

d) Group users can verify the correctness of $TK_{ID,RN}$ by checking whether $g^{\sigma_{RN}} = R_{RN} \cdot Y_2^{H_2(ID, R_{RN}, RN)}$ holds. If this equation holds, group users accept the partial key $TK_{ID,RN}$; otherwise, refuse it.

e) After receiving the identity key $IDK_{ID} = (R_{ID}, \sigma_{ID})$ and the partial key $TK_{ID,RN} = (R_{RN}, \sigma_{RN})$ (here $RN = 0$), group users compute $\sigma = (\sigma_{ID} + \sigma_{RN}) \bmod q$. Their private keys $SK_{ID,RN}$ are $(R_{ID}, R_{RN}, \sigma)$.

3) Authenticator Generation algorithm: In this algorithm, the group user computes an authenticator for each block $m_i$ of file $F$, and generates a file tag to ensure the integrity of the file identifier name $name$, verification values $R_{ID}$ and $R_{RN}$, and the number of user revocations $RN$. The group user uploads the file $F$ and the set of authenticators along with the file tag to the cloud. Finally, the cloud verifies the correctness of authenticators. The process is illustrated in Fig. 5.

a) The group user computes authenticator $T_i = (h(name\|i\|RN) \cdot u^{m_i})^{\sigma}$, where $name$ is the unique identifier of the file $F$, $i$ is the index of block $m_i$, and $RN$ is the number of user revocations. Let $\Sigma = \{T_i\}_{1 \le i \le n}$ be the set of authenticators.

b) The group user computes the file tag $tag = name\|RN\|R_{ID}\|R_{RN}\|SSig_{ssk}(name\|RN\|R_{ID}\|R_{RN})$.

c) The group user uploads $(F, \Sigma)$ along with the file tag to the cloud. Then, the group user deletes $F = (m_1, ..., m_n)$ and $\Sigma = \{T_i\}_{1 \le i \le n}$ from the local storage.

d) The cloud verifies the validity of the file tag and authenticators.

• The cloud checks whether $RN$ in the file tag is the newest $RN$. If it is, the cloud does the following two steps; otherwise, the cloud regards the user as a revoked user or an illegal user, and refuses this user’s request.

• The cloud verifies the validity of the file tag by checking whether $SSig_{ssk}(name\|RN\|R_{ID}\|R_{RN})$ is a valid signature via $ID$. If it is, then the cloud does the following step; otherwise, the cloud regards the signature as invalid.

[Diagram: the TPA (a) generates an auditing challenge $chal = \{i, v_i\}_{i \in I}$ and sends it to the cloud; the cloud (b) computes a proof of data possession $P$ and returns it; the TPA (c) verifies the correctness of $P$.]

Fig. 6. The process of auditing

• The cloud verifies the validity of authenticators $T_i$ by checking whether $e(T_i, g) = e(h(name\|i\|RN) \cdot u^{m_i}, R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)})$ holds. If this equation does not hold, the cloud regards these authenticators as coming from a revoked user or an illegal user.

4) Proof Generation algorithm: In this algorithm, the TPA generates an auditing challenge for the cloud. The cloud generates a corresponding proof to demonstrate that it possesses the intact cloud data.

a) To audit the integrity of the shared cloud data, the TPA generates an auditing challenge as follows:

i) Randomly picks a set $I$ with $c$ elements, where $I \subseteq [1, n]$.

ii) Generates a random value $v_i \in Z_q^*$ for each $i \in I$.

iii) Sends the auditing challenge $chal = \{i, v_i\}_{i \in I}$ to the cloud.

b) After receiving the auditing challenge $chal$ from the TPA, the cloud generates a proof of data possession as follows:

i) Computes $T = \prod_{i \in I} T_i^{v_i}$, $m = \sum_{i \in I} v_i m_i$.

ii) Sends $P = (T, m)$ along with the file tag to the TPA as the proof.

5) Verification algorithm: In this algorithm, the TPA verifies the correctness of the proof from the cloud. The TPA first retrieves the file tag, and verifies the validity of the file tag by checking whether $SSig_{ssk}(name\|RN\|R_{ID}\|R_{RN})$ is a valid signature via $ID$. If it is, the TPA parses $name$, $RN$, $R_{ID}$ and $R_{RN}$. Then the TPA verifies the correctness of proof $P = (T, m)$ by checking whether the following equation holds:

$$e(T, g) = e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{m},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\Big) \quad (1)$$

If this equation holds, outputs “success”; otherwise, outputs “failure”. The process of auditing is illustrated in Fig. 6.

6) User Revocation algorithm: When group users are revoked, the group manager and non-revoked group users will execute this algorithm. In this algorithm, the number of user revocations $RN$ increases by one. The group manager generates a new partial key according to the new $RN$, and each non-revoked group user updates his/her private key according to the new partial key.


[Diagram: the group manager (a) sets $RN = RN + 1$ and (b) computes the new partial key $TK_{ID,RN}$, which is sent to the non-revoked group users; the non-revoked group users (c) verify the correctness of $TK_{ID,RN}$ and (d) compute the new private key $SK_{ID,RN}$.]

Fig. 7. The process of user revocation.

The revoked group users cannot upload the new data to the cloud any more. The process of user revocation is illustrated in Fig. 7.

a) When group users are revoked, the group manager sets the number of user revocations $RN = RN + 1$, and sends this message to non-revoked group users and the cloud.

b) The group manager randomly picks $r_{RN} \in Z_q^*$, and computes $R_{RN} = g^{r_{RN}}$ and $\sigma_{RN} = r_{RN} + yH_2(ID, R_{RN}, RN) \bmod q$. The group manager sets the new partial key $TK_{ID,RN} = (R_{RN}, \sigma_{RN})$, and sends it to all of the non-revoked users in the group.

c) Non-revoked group users can verify the correctness of $TK_{ID,RN}$ by checking whether $g^{\sigma_{RN}} = R_{RN} \cdot Y_2^{H_2(ID, R_{RN}, RN)}$ holds. If this equation holds, they accept $TK_{ID,RN}$; otherwise, refuse it.

d) After receiving the new partial key $TK_{ID,RN} = (R_{RN}, \sigma_{RN})$, non-revoked group users compute $\sigma = (\sigma_{ID} + \sigma_{RN}) \bmod q$. The new private keys of them are $SK_{ID,RN} = (R_{ID}, R_{RN}, \sigma)$.

The revoked users do not have the new private key, so they cannot generate valid authenticators of blocks corresponding to the newest $RN$. When a revoked user uploads new data to the cloud, he/she will not be able to pass the verification of step d) in Authenticator Generation algorithm. Therefore, the revoked user is not able to upload new data to the cloud any more.
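The following added example (not code from the paper or its authors) runs the algorithms above end to end in Python under a deliberately insecure exponent model: each $G_1$ element $g^a$ is stored as $a \bmod q$, so the pairing check becomes a product of exponents and only the algebra is exercised. The value of q, the SHA-256 stand-ins for $H_1$, $H_2$ and $h$, the group identity and the file names are assumptions of the example, and the $SSig$ check on the file tag is omitted.

```python
import hashlib
import secrets

# Exponent model (assumption of this example): a G1 element g^a is stored as a mod Q,
# so G1 multiplication is addition, exponentiation is multiplication, and the
# pairing e(g^a, g^b) is a*b mod Q. This checks the algebra only and hides nothing.
Q = 2**127 - 1  # prime group order q, chosen for the model

def H(*parts):
    """SHA-256 into Z_q; the first field separates H1, H2 and h."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def rand():
    return secrets.randbelow(Q - 1) + 1  # uniform in Z_q^*

def setup():
    x, y = rand(), rand()                # master secret key, master partial key
    return {"x": x, "y": y, "u": rand(), "Y1": x, "Y2": y}  # Y1 = g^x, Y2 = g^y

def identity_key(pp, ID):                # run by the PKG
    r = rand()
    return r, (r + pp["x"] * H("H1", ID, r)) % Q            # (R_ID, sigma_ID)

def partial_key(pp, ID, RN):             # run by the group manager
    r = rand()
    return r, (r + pp["y"] * H("H2", ID, r, RN)) % Q        # (R_RN, sigma_RN)

def key_ok(Y, R, sigma, hash_value):
    """Schnorr check g^sigma == R * Y^hash_value."""
    return sigma == (R + Y * hash_value) % Q

def group_public(pp, ID, R_ID, R_RN, RN):
    """R_ID * R_RN * Y1^H1(ID,R_ID) * Y2^H2(ID,R_RN,RN): second pairing argument."""
    return (R_ID + R_RN + pp["Y1"] * H("H1", ID, R_ID)
            + pp["Y2"] * H("H2", ID, R_RN, RN)) % Q

def block_base(pp, name, i, RN, m_i):
    """h(name||i||RN) * u^{m_i}."""
    return (H("h", name, i, RN) + pp["u"] * m_i) % Q

def authenticators(pp, sigma, name, RN, blocks):
    return [block_base(pp, name, i, RN, m) * sigma % Q for i, m in enumerate(blocks, 1)]

def cloud_accepts(pp, ID, tag, blocks, auths, newest_RN):
    name, RN, R_ID, R_RN = tag           # SSig over the tag is omitted in this example
    if RN != newest_RN:
        return False                     # stale RN: revoked or illegal user
    pk = group_public(pp, ID, R_ID, R_RN, RN)
    return all(T == block_base(pp, name, i, RN, m) * pk % Q   # e(T_i, g) == e(..., pk)
               for i, (m, T) in enumerate(zip(blocks, auths), 1))

def prove(blocks, auths, chal):          # run by the cloud
    T = sum(v * auths[i - 1] for i, v in chal) % Q            # prod T_i^{v_i}
    m = sum(v * blocks[i - 1] for i, v in chal) % Q           # sum v_i * m_i
    return T, m

def tpa_verify(pp, ID, tag, chal, proof):                     # equation (1)
    name, RN, R_ID, R_RN = tag
    T, m = proof
    base = (sum(v * H("h", name, i, RN) for i, v in chal) + pp["u"] * m) % Q
    return T == base * group_public(pp, ID, R_ID, R_RN, RN) % Q

def demo():
    pp, ID, out = setup(), "group-A", {}                      # constructed identity
    R_ID, s_ID = identity_key(pp, ID)
    R0, s0 = partial_key(pp, ID, 0)
    out["keys_ok"] = (key_ok(pp["Y1"], R_ID, s_ID, H("H1", ID, R_ID))
                      and key_ok(pp["Y2"], R0, s0, H("H2", ID, R0, 0)))
    sigma0 = (s_ID + s0) % Q                                  # SK_{ID,0}
    blocks = [rand() for _ in range(8)]                       # constructed file
    tag0 = ("fileA", 0, R_ID, R0)
    auths = authenticators(pp, sigma0, "fileA", 0, blocks)
    out["upload_rn0"] = cloud_accepts(pp, ID, tag0, blocks, auths, newest_RN=0)

    # Revocation: RN becomes 1, only non-revoked users receive the new partial key.
    R1, s1 = partial_key(pp, ID, 1)
    sigma1 = (s_ID + s1) % Q                                  # SK_{ID,1}
    tag1 = ("fileB", 1, R_ID, R1)
    good = authenticators(pp, sigma1, "fileB", 1, blocks)
    stale = authenticators(pp, sigma0, "fileB", 1, blocks)    # revoked user's old key
    out["member_upload"] = cloud_accepts(pp, ID, tag1, blocks, good, newest_RN=1)
    out["revoked_new_rn"] = cloud_accepts(pp, ID, tag1, blocks, stale, newest_RN=1)
    out["revoked_old_rn"] = cloud_accepts(pp, ID, tag0, blocks, auths, newest_RN=1)

    # Audit of the file uploaded under RN = 0; its authenticators were never updated.
    chal = [(i, rand()) for i in range(1, len(blocks) + 1)]   # challenge every block
    out["audit_old_file"] = tpa_verify(pp, ID, tag0, chal, prove(blocks, auths, chal))
    damaged = blocks[:2] + [(blocks[2] + 1) % Q] + blocks[3:]
    out["audit_damaged"] = tpa_verify(pp, ID, tag0, chal, prove(damaged, auths, chal))
    return out

if __name__ == "__main__":
    print(demo())
```

The old file still audits correctly because the TPA rebuilds the verification value from the $RN$ and $R_{RN}$ stored in that file's own tag, while uploads are gated on the newest $RN$.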

V. CORRECTNESS AND SECURITY ANALYSIS

Theorem 1 (Correctness): If the cloud, the group manager, group users and the TPA are honest and obey the specified procedures, then the response proof can pass the TPA’s checking.

Proof. According to the characteristics of bilinear maps, the verification equation can be proved correct by deducing the left hand side from the right hand side:

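$$
\begin{aligned}
e(T, g) &= e\Big(\prod_{i \in I} T_i^{v_i},\ g\Big) \\
&= e\Big(\prod_{i \in I} (h(name\|i\|RN) \cdot u^{m_i})^{\sigma \cdot v_i},\ g\Big) \\
&= e\Big(\prod_{i \in I} (h(name\|i\|RN) \cdot u^{m_i})^{v_i},\ g^{\sigma}\Big) \\
&= e\Big(\prod_{i \in I} (h(name\|i\|RN)^{v_i} \cdot u^{m_i \cdot v_i}),\ g^{\sigma}\Big) \\
&= e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot \prod_{i \in I} u^{m_i \cdot v_i},\ g^{\sigma}\Big) \\
&= e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{\sum_{i \in I} v_i \cdot m_i},\ g^{\sigma}\Big) \\
&= e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{\sum_{i \in I} v_i \cdot m_i},\ g^{\sigma_{ID} + \sigma_{RN}}\Big) \\
&= e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{m},\ g^{r_{ID} + r_{RN} + xH_1(ID, R_{ID}) + yH_2(ID, R_{RN}, RN)}\Big) \\
&= e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{m},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\Big)
\end{aligned}
$$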

Theorem 2 (The security of user revocation): In our proposed scheme, the revoked users are not able to upload data and the corresponding authenticators to the cloud any more.

Proof. When a user uploads file blocks and the corresponding authenticators to the cloud, the cloud will verify the validity of file tag and authenticators $T_i$. If the file tag and all the authenticators pass the verification, then the cloud will accept the user’s cloud data and the corresponding authenticators; otherwise, the cloud will reject these data and authenticators. Only the file tag and authenticators generated by the non-revoked group users can pass the cloud’s verification.

Firstly, the cloud verifies whether the $RN$ in the received file tag is the newest $RN$. If it is not, the cloud regards the user as a revoked user, and refuses this user’s request. When a revoked user uses a previous $RN$, he/she will not pass the cloud’s verification.

Secondly, the cloud verifies whether the $SSig_{ssk}(name\|RN\|R_{ID}\|R_{RN})$ is a valid signature via $ID$. If it is not, the cloud considers that the signature might come from a revoked user or an illegal user, and refuses this user’s request.

Finally, the cloud verifies the validity of each authenticator by checking whether $e(T_i, g) = e(h(name\|i\|RN) \cdot u^{m_i}, R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)})$ holds.

The equation holds because:

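$$
\begin{aligned}
e(T_i, g) &= e\big((h(name\|i\|RN) \cdot u^{m_i})^{\sigma},\ g\big) \\
&= e\big(h(name\|i\|RN) \cdot u^{m_i},\ g^{\sigma}\big) \\
&= e\big(h(name\|i\|RN) \cdot u^{m_i},\ g^{\sigma_{ID} + \sigma_{RN}}\big) \\
&= e\big(h(name\|i\|RN) \cdot u^{m_i},\ g^{r_{ID} + r_{RN} + xH_1(ID, R_{ID}) + yH_2(ID, R_{RN}, RN)}\big) \\
&= e\big(h(name\|i\|RN) \cdot u^{m_i},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\big)
\end{aligned}
$$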

If a revoked user uses the previous private key to generate authenticators and uploads them to the cloud, his/her data and authenticators will be rejected by the cloud because these data


and authenticators cannot pass the verification corresponding to the newest $RN$.

Theorem 3 (Detectability): In the proposed scheme, the probability that the data corruption is detected is at least $1 - \left(\frac{n-m}{n}\right)^c$ if the cloud stores a file with $n$ blocks including $m$ bad (deleted or modified) blocks and the number of challenged blocks is $c$.

Proof. The bad blocks can be detected if and only if at least one of the challenged blocks chosen by the TPA matches the bad blocks. Let $X$ be the number of chosen blocks that match the corrupted blocks, $P_X$ be the probability that the data corruption is detected.

$$P_X = P\{X \ge 1\} = 1 - P\{X = 0\} = 1 - \frac{n-m}{n} \cdot \frac{n-1-m}{n-1} \cdot \ldots \cdot \frac{n-c+1-m}{n-c+1}$$

So we can get $P_X \ge 1 - \left(\frac{n-m}{n}\right)^c$.

Theorem 4 (Auditing soundness): In our proposed scheme, the malicious cloud cannot pass the TPA’s verification if it does not store the group users’ intact data.

Proof. We construct a knowledge extractor and use the method of knowledge proof [10] to complete this proof. If the cloud does not store the intact data but can pass the TPA’s verification, then we can extract the intact challenged data blocks by the repeated interaction between the knowledge extractor and the scheme. Now, we prove it by a series of games.

Game 0. The challenger runs Setup algorithm and Private Key Generation algorithm to generate public parameters $params$ and all the keys for the group with identity $ID$, and sends $params$ to the adversary. The adversary selects a series of blocks $m_1, ..., m_n$, and submits them to the challenger to query the corresponding authenticators. The challenger computes and returns the corresponding signed file tags and authenticators for these blocks. And then the challenger sends a challenge to the adversary. Finally, the adversary returns $P = (T, m)$ as the proof of data possession. If this proof is correct, then the adversary wins.

Game 1. Game 1 is the same as Game 0, only with one difference. That is, the challenger stores a list to record all the signed tags issued as part of authenticators queries. If the adversary issues one tag that is a valid signature but not signed by the challenger, the challenger will abort.

Analysis. If the challenger aborts with non-negligible probability in Game 1, it means the adversary is a valid forger against the $SSig$ signature. It contradicts that the $SSig$ is a secure ID-based signature algorithm. So the file identifier name $name$, number of user revocations $RN$ and verification values $R_{ID}$, $R_{RN}$ in the interactions between the challenger and the adversary are all correct and produced by the challenger.

Game 2. Game 2 is the same as Game 1, only with one difference. The challenger stores a list to record its responses to the queries from the adversary. The challenger observes each instance of the challenge from the adversary. The challenger declares failure and aborts if he finds the aggregate signature $T$ is not equal to $\prod_{i \in I} T_i^{v_i}$ but the adversary succeeds.

Analysis. Assume that $(T, m)$ is a correct proof provided by the honest prover. From the correctness of the scheme, we can know that the following verification equation holds.

$$e(T, g) = e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{m},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\Big) \quad (2)$$

Assume that the adversary provides a forged response $(T', m')$, which is different from the honest one. Because the forgery is successful, the following verification equation holds.

$$e(T', g) = e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{m'},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\Big) \quad (3)$$

Obviously, $m' \neq m$, otherwise $T' = T$, which contradicts our above assumption. Define $\Delta m = m' - m$ ($\Delta m \neq 0$). We will show a simulator could break the CDH assumption if the adversary makes the challenger abort with a non-negligible probability.

Given $g, g^{\alpha}, w \in G_1$, the simulator works to output $w^{\alpha}$. The simulator chooses two random elements $a, b \in Z_q^*$, and sets $u = g^a w^b$. The simulator works like the challenger in Game 1, but with some differences.

In the setup and private key generation phase, the challenger sets the public value $Y_1 = g^{\alpha}$. It means the challenger does not know $x$, $\sigma_{ID}$ and $\sigma$, but knows $y$, $Y_2$, $r_{ID}$, $R_{ID}$, $r_{RN}$, $R_{RN}$ and $\sigma_{RN}$.

For each $i$ in the challenge, the simulator chooses a random value $r_i \in Z_q^*$, and programs the random oracle at $i$ as $h(name\|i\|RN) = g^{r_i}/(g^{am_i} \cdot w^{bm_i})$. We have $h(name\|i\|RN) \cdot u^{m_i} = g^{r_i}/(g^{am_i} \cdot w^{bm_i}) \cdot u^{m_i} = \big(g^{r_i}/(g^{am_i} \cdot w^{bm_i})\big) \cdot g^{am_i} \cdot w^{bm_i} = g^{r_i}$. So the simulator can compute

$$
\begin{aligned}
T_i &= (h(name\|i\|RN) \cdot u^{m_i})^{\sigma} \\
&= (g^{\sigma})^{r_i} \\
&= (g^{\sigma_{ID} + \sigma_{RN}})^{r_i} \\
&= \big(R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\big)^{r_i}
\end{aligned}
$$

Now, dividing equation (2) by equation (3), we have

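$$
\begin{aligned}
e(T'/T, g) &= e\big(u^{\Delta m},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\big) \\
&= e\big((g^a w^b)^{\Delta m},\ g^{r_{ID}} \cdot g^{r_{RN}} \cdot Y_1^{H_1(ID, R_{ID})} \cdot g^{yH_2(ID, R_{RN}, RN)}\big) \\
&= e\big(g^{a\Delta m} \cdot w^{b\Delta m},\ g^{r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN)} \cdot Y_1^{H_1(ID, R_{ID})}\big) \\
&= e\big(g^{a\Delta m},\ g^{r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN)} \cdot Y_1^{H_1(ID, R_{ID})}\big) \\
&\quad \cdot e\big(w^{b\Delta m},\ g^{r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN)} \cdot Y_1^{H_1(ID, R_{ID})}\big) \\
&= e\big(g^{a\Delta m \cdot (r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN))} \cdot Y_1^{a\Delta m \cdot H_1(ID, R_{ID})},\ g\big) \\
&\quad \cdot e\big(w^{b\Delta m \cdot (r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN))},\ g\big) \cdot e\big(w^{b\Delta m},\ Y_1^{H_1(ID, R_{ID})}\big) \\
&= e\big(g^{a\Delta m \cdot (r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN))} \cdot Y_1^{a\Delta m \cdot H_1(ID, R_{ID})} \cdot w^{b\Delta m \cdot (r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN))},\ g\big) \\
&\quad \cdot e\big(w^{b\Delta m},\ Y_1^{H_1(ID, R_{ID})}\big)
\end{aligned}
$$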


So we can know that

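$$
\begin{aligned}
& e\big(T'/T \cdot g^{-a\Delta m \cdot (r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN))} \cdot Y_1^{-a\Delta m \cdot H_1(ID, R_{ID})} \cdot w^{-b\Delta m \cdot (r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN))},\ g\big) \\
&= e\big(w^{b\Delta m},\ Y_1^{H_1(ID, R_{ID})}\big) \\
&= e(w, Y_1)^{b\Delta m \cdot H_1(ID, R_{ID})} \\
&= e(w^{\alpha}, g)^{b\Delta m \cdot H_1(ID, R_{ID})}
\end{aligned}
$$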

From the above equation, we can obtain that

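$$w^{\alpha} = \big(T'/T \cdot g^{-a\Delta m \cdot (r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN))} \cdot Y_1^{-a\Delta m \cdot H_1(ID, R_{ID})} \cdot w^{-b\Delta m \cdot (r_{ID} + r_{RN} + yH_2(ID, R_{RN}, RN))}\big)^{1/(b\Delta m \cdot H_1(ID, R_{ID}))}$$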

Note that the probability we cannot solve the computational Diffie-Hellman problem is the same as the probability of $b\Delta m \cdot H_1(ID, R_{ID}) = 0$. The probability of $b\Delta m \cdot H_1(ID, R_{ID}) = 0$ is $1/q$. Thus, this probability is negligible.

It means that if there is a non-negligible difference between the adversary’s probabilities of success in Game 1 and Game 2, the constructed simulator can solve the CDH problem.

Game 3. Game 3 is the same as Game 2, with one difference. The challenger still stores and observes all instances of the proposed scheme. For one instance, if the aggregate message $m$ is not equal to the expected aggregate message, then the challenger declares failure and aborts.

Analysis. Assume that the correct proof from the honest prover is $(T, m)$. According to the correctness of the scheme, we can know that the following verification equation holds.

$$e(T, g) = e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{m},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\Big)$$

Assume that the response from the adversary is $(T', m')$, which is different from the one the honest prover provided. Because the forgery is successful, the following verification equation holds.

$$e(T', g) = e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{m'},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\Big)$$

From the proof of Game 2, we know $T' = T$. Define $\Delta m = m' - m$. We construct a simulator that uses the adversary to solve the DL problem as follows:

Given $(g, w) \in G_1$, the goal of simulator is to compute a value $x$ which satisfies $w = g^x$. The simulator chooses two random elements $a, b \in Z_q^*$ and sets $u = g^a w^b$. According to the above two verification equations, we have

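$$
\begin{aligned}
& e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{m},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\Big) \\
&= e(T, g) = e(T', g) \\
&= e\Big(\prod_{i \in I} h(name\|i\|RN)^{v_i} \cdot u^{m'},\ R_{ID} \cdot R_{RN} \cdot Y_1^{H_1(ID, R_{ID})} \cdot Y_2^{H_2(ID, R_{RN}, RN)}\Big)
\end{aligned}
$$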

Thus, we have $u^{m} = u^{m'}$, and therefore that $1 = u^{\Delta m} = (g^a w^b)^{\Delta m} = g^{a\Delta m} \cdot w^{b\Delta m}$. We have $\Delta m \neq 0 \bmod q$. Otherwise, we have $m' = m \bmod q$, which contradicts our above assumption. So the solution to the DL problem can be found from

$$w = g^{-\frac{a\Delta m}{b\Delta m}} = g^{-\frac{a}{b}}.$$

Note that $b$ is zero only with probability $1/q$, which is negligible. Thus, we can find a solution to the DL problem with probability $1 - 1/q$, which contradicts the assumption that the DL problem in $G_1$ is hard.

It means that if there is a non-negligible difference between the adversary’s probabilities of success in Game 2 and Game 3, the above constructed simulator can solve the DL problem.

Therefore, the differences between these games can be ignored.

Finally, we construct a knowledge extractor to extract the challenged data blocks $m_i$ ($i \in I$, $|I| = c$) by selecting $c$ different coefficients $v_i$ ($i \in I$, $|I| = c$) and executing $c$ times different challenges on the same data blocks $m_i$ ($i \in I$, $|I| = c$). In this case, the knowledge extractor can get $c$ linearly independent equations in the variables $m_i$ ($i \in I$, $|I| = c$). By solving these equations, the knowledge extractor can compute and extract $m_i$ ($i \in I$, $|I| = c$). It means that if the cloud can pass the TPA’s verification, it must truly store the group user’s intact data.
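Theorem 3's bound can be turned into a sizing rule for the number of challenged blocks $c$. The following added Python example (not from the paper; the function names and the sample figures of 1,000,000 blocks with 1% corrupted are assumptions) compares the exact detection probability with the bound and finds the smallest $c$ that meets a target.

```python
import math

def exact_detection(n, m, c):
    """P_X = 1 - prod_{k=0}^{c-1} (n-m-k)/(n-k): c of n blocks drawn without replacement."""
    if not (0 <= m <= n and 0 <= c <= n):
        raise ValueError("need 0 <= m <= n and 0 <= c <= n")
    if m == 0 or c == 0:
        return 0.0
    if c > n - m:
        return 1.0  # more challenges than good blocks: a bad block is always hit
    # Sum logs instead of multiplying ratios to stay accurate for large c.
    log_miss = sum(math.log(n - m - k) - math.log(n - k) for k in range(c))
    return 1.0 - math.exp(log_miss)

def lower_bound(n, m, c):
    """Theorem 3's bound 1 - ((n-m)/n)^c."""
    return 1.0 - ((n - m) / n) ** c

def min_challenges(n, m, target):
    """Smallest c whose Theorem 3 bound reaches the target detection probability."""
    if not (0 < m <= n) or not (0.0 < target < 1.0):
        raise ValueError("need 0 < m <= n and 0 < target < 1")
    if m == n:
        return 1  # every block is bad, one challenge suffices
    c = max(1, math.ceil(math.log(1.0 - target) / math.log((n - m) / n)))
    # Correct for floating-point rounding at the boundary.
    while lower_bound(n, m, c) < target:
        c += 1
    while c > 1 and lower_bound(n, m, c - 1) >= target:
        c -= 1
    return c

if __name__ == "__main__":
    n, m = 1_000_000, 10_000  # constructed figures: 1% of the blocks are bad
    for target in (0.95, 0.99):
        c = min_challenges(n, m, target)
        print(target, c, round(exact_detection(n, m, c), 6))
```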

VI. PERFORMANCE ANALYSIS

A. Numerical analysis

We define the following notations to denote the operations in our scheme: $Mul_{G_1}$ denotes one multiplication operation in $G_1$; $Exp_{G_1}$ denotes one exponentiation operation in $G_1$; $Mul_{Z_q^*}$ denotes one multiplication operation in $Z_q^*$; $Add_{Z_q^*}$ denotes one addition operation in $Z_q^*$; $Hash_{G_1}$ denotes one hash operation in $G_1$; $Hash_{Z_q^*}$ denotes one hash operation in $Z_q^*$; $Pair$ denotes one pairing operation; $|p|$ and $|q|$ denote the size of an element in $G_1$ and $Z_q^*$, respectively. We analyze the computation overhead and communication overhead in Authenticator Generation phase, Auditing phase and User Revocation phase since they are the most resource-consuming phases in our scheme. In Table II, we show the computation overhead and communication overhead in different phases.

1) Authenticator Generation phase

• The computation overhead: In the Authenticator Generation phase, the computation overhead is $n(2Exp_{G_1} + Mul_{G_1} + Hash_{G_1})$, where $n$ is the total number of blocks in the shared data file.

• The communication overhead: In the Authenticator Generation phase, the data communication overhead between the group user and the cloud is $n|p| + n|q|$ bits.

2) Auditing phase

• The computation overhead: In the Auditing phase, the computation overhead mainly comes from proof generation and proof verification. According to the description of the proposed scheme, we know that the computation overhead of proof generation is $(c-1)Mul_{G_1} + cExp_{G_1} + (c-1)Add_{Z_q^*} + cMul_{Z_q^*}$.


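TABLE II
THE COMPUTATION OVERHEAD AND COMMUNICATION OVERHEAD IN DIFFERENT PHASES

| Phase | Computation overhead | Communication overhead |
|---|---|---|
| Authenticator generation | $n(2Exp_{G_1} + Mul_{G_1} + Hash_{G_1})$ | $n\lvert p\rvert + n\lvert q\rvert$ |
| Auditing | $cHash_{G_1} + 2Hash_{Z_q^*} + (2c+2)Mul_{G_1} + (2c+3)Exp_{G_1} + 2Pair + (c-1)Add_{Z_q^*} + cMul_{Z_q^*}$ | $(c+1) \cdot \lvert q\rvert + \lvert p\rvert + c \cdot \lvert id\rvert$ |
| User Revocation | $Add_{Z_q^*}$ | $\lvert p\rvert + \lvert q\rvert$ |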

After receiving the auditing proof, the TPA needs to verify the correctness of the auditing proof. The computation overhead of proof verification is $cHash_{G_1} + 2Hash_{Z_q^*} + (c+3)Mul_{G_1} + (c+3)Exp_{G_1} + 2Pair$. The total computation overhead in the Auditing phase is $cHash_{G_1} + 2Hash_{Z_q^*} + (2c+2)Mul_{G_1} + (2c+3)Exp_{G_1} + 2Pair + (c-1)Add_{Z_q^*} + cMul_{Z_q^*}$.

• The communication overhead: In the Auditing phase, the communication overhead mainly comes from the challenge generated by the TPA and the proof generated by the cloud. The size of an auditing challenge $chal = \{i, v_i\}_{i \in I}$ is $c \cdot (|id| + |q|)$ bits, where $|id|$ denotes the size of a block index. The size of an auditing proof $P = (T, m)$ is $|p| + |q|$ bits. The total communication overhead in the Auditing phase is $(c+1) \cdot |q| + |p| + c \cdot |id|$ bits.

3) User Revocation phase

In our scheme, when users are revoked from the group, each non-revoked group user needs to update his/her private key.

• The computation overhead: In the User Revocation phase, the computation overhead comes from the new private key generation. According to the description of the proposed scheme, we know that the computation overhead of new private key generation for each group user is $Add_{Z_q^*}$.

• The communication overhead: In the User Revocation phase, the data communication overhead between the group manager and a group user is $|p| + |q|$ bits.

B. Experimental results

In this subsection, we show the performance of our scheme by experiments. In these experiments, we use the C programming language with the free Pairing-Based Cryptography (PBC) Library [37] and the GNU Multiple Precision Arithmetic (GMP) [38]. We run these experiments on a Linux machine with an Intel Pentium 2.70GHz processor and 4GB memory. In experiments, we set the base field size to be 512 bits and the size of an element in $Z_q^*$ to be 160 bits. Assume that a shared cloud file is 20MB composed of 1,000,000 blocks.

1) Authenticator Generation phase

To evaluate the performance of authenticator generation, we generate the authenticators for different numbers of blocks from 200 to 2000 increased by an interval of 200 in our experiment. As shown in Fig. 8, the time cost of authenticator generation linearly increases with the number of blocks, which ranges from 2.232864s to 22.413562s.

2) Auditing phase

The computation overhead during the auditing phase can be divided into challenge generation, proof generation and proof verification procedures. To evaluate the auditing overhead of our scheme, we challenge different numbers of blocks from 0 to 1000 increased by an interval of 100. As shown in Fig. 9, we can see that the auditing computation overhead of these three procedures linearly increases with the number of challenged blocks. The proof verification procedure costs much longer time than the other two procedures, and the challenge generation procedure costs the shortest time among the three procedures. When the number of challenged blocks equals 100, the time of challenge generation only needs about 0.03515s. The time cost increases to 0.36083s when 1000 blocks are challenged. The time of proof generation ranges from 0.342042s to 3.42364s. The time of proof verification needs about 1.136119s when the number of challenged blocks is 100; while it needs nearly 11.288101s when the number of challenged blocks is 1000. So we can conclude that, if all blocks are challenged, these three phases will bring a large amount of computation overhead.

3) User Revocation phase

In Wang et al.’s scheme [6], in order to revoke group users, the cloud generates the re-signing key with the user $u_i$ and a non-revoked user $u_j$ as follows: (1) The cloud generates a random $r \in Z_q^*$ and sends it to user $u_i$; (2) User $u_i$ sends $r/x_i$ to user $u_j$, where $x_i$ is the private key of the revoked user $u_i$; (3) User $u_j$ sends $r \cdot x_j/x_i$ to the cloud, where $x_j$ is the private key of the non-revoked user $u_j$; (4) The cloud recovers the re-signing key $x_j/x_i \in Z_q^*$. The cloud re-signs all the blocks of the revoked user through an exponentiation operation by the re-signing key $x_j/x_i$:

$$T_i' = T_i^{x_j/x_i} = (h(name\|i)u^{m_i})^{x_i \cdot x_j/x_i} = (h(name\|i)u^{m_i})^{x_j}$$

In Fig. 10, we compare the overhead of user revocation on the cloud side in our scheme with that in Wang et al.’s scheme. In Wang et al.’s scheme, the overhead of the cloud re-signing these blocks is linear with the number of the revoked user’s blocks. As shown in Fig. 10, when the cloud re-signs all the 1,000,000 blocks, it needs nearly 4500s. In contrast, the cloud in our scheme does

Page 11: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE …1croreprojects.com/dotnetbasepaper/cloud-dotnet... · Abstract—Cloud storage auditing schemes for shared data refer to checking the

1545-5971 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2018.2829880, IEEETransactions on Dependable and Secure Computing

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. , NO. , 2017 11

Fig. 8. Computation overhead of authenticator generation Fig. 9. Computation overhead in auditing phase

Fig. 10. Computation overhead of user revocation on the cloud side Fig. 11. Computation overhead of user revocation on the group user side

not need any operations. In Fig. 11, we compare theoverhead of user revocation on the group user sidein our scheme with that in Wang et al.’s scheme. InWang et al.’s scheme, the overhead of user revocationon the group user side comes from the re-signing keygeneration of the revoked user and the non-revoked user.The total overhead is about 1.458ms. In our scheme, theoverhead of user revocation on the group user side comesfrom new private key generation for the non-revokedusers, which only needs an addition operation and costsonly about 0.001ms. Therefore, our proposed schemeachieves high efficiency on both cloud side and groupuser side.

VII. CONCLUSION

In this paper, we propose an identity-based cloud storage auditing scheme for shared data, which supports truly efficient user revocation. In our scheme, neither the cloud nor the non-revoked user needs to re-sign any file blocks of the revoked user. The overhead of user revocation in our scheme is fully independent of the number of the revoked user’s blocks. Security proof and experimental results show that our proposed scheme is secure and efficient.

REFERENCES

[1] K. Ren, C. Wang, and Q. Wang, “Security Challenges for the Public Cloud,” IEEE Internet Computing, vol. 16, no. 1, pp. 69-73, 2012.

[2] B. Wang, B. Li, and H. Li, “Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud,” In Proc. of IEEE Cloud 2012, pp. 295-302, 2012.

[3] B. Wang, B. Li, and H. Li, “Knox: Privacy-Preserving Auditing for Shared Data with Large Groups in the Cloud,” In Proc. of International Conference on Applied Cryptography and Network Security, pp. 507-525, 2012.

[4] G. Yang, J. Yu, W. Shen, Q. Su, Z. Fu, and R. Hao, “Enabling Public Auditing for Shared Data in Cloud Storage Supporting Identity Privacy and Traceability,” Journal of Systems and Software, vol. 113, pp. 130-139, 2016.

[5] W. Shen, J. Yu, H. Xia, H. Zhang, X. Lu and R. Hao, “Light-weight and Privacy-preserving Secure Cloud Auditing Scheme for Group Users via the Third Party Medium,” Journal of Network and Computer Applications, vol. 82, pp. 56-64, 2017.

[6] B. Wang, B. Li, and H. Li, “Panda: Public Auditing for Shared Data with Efficient User Revocation in the Cloud,” IEEE Transactions on Services Computing, vol. 8, no. 1, pp. 92-106, 2015.

[7] J. Yuan and S. Yu, “Public Integrity Auditing for Dynamic Data Sharing With Multiuser Modification,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1717-1726, Aug. 2015.

[8] Y. Luo, M. Xu, S. Fu, D. Wang, and J. Deng, “Efficient Integrity Auditing for Shared Data in the Cloud with Secure User Revocation,” IEEE Trustcom/BigDataSE/ISPA, pp. 434-442, 2015.

[9] Goran CandrliC, “How Much Is Stored in the Cloud?”, online at http://www.globaldots.com/how-much-is-stored-in-the-cloud/.

[10] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, “Provable Data Possession at Untrusted Stores,” In Proc. of ACM CCS 2007, pp. 598-610, 2007.

[11] A. Juels and B. S. Kaliski Jr, “Pors: Proofs of Retrievability for Large Files,” In Proc. of 14th ACM conference on Computer and communications security, pp. 584-597, 2007.

[12] H. Shacham and B. Waters, “Compact Proofs of Retrievability,” In Proc. of ASIACRYPT 2008, pp. 90-107, 2008.

[13] G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, “Scalable and Efficient Provable Data Possession,” In Proc. of 4th international conference on Security and privacy in communication networks, pp. 1-10, 2008.

[14] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, “Enabling Public Verifiability and Data Dynamics for Storage Security in Cloud Computing,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847-859, 2011.

[15] Y. Zhu, H.G. Ahn, H. Hu, S.S. Yau, H.J. An, and C.J. Hu, “Dynamic Audit Services for Outsourced Storages in Clouds,” IEEE Transactions on Services Computing, vol. 6, no. 2, pp. 409-428, 2013.

[16] D. Cash, A. Kupcu, and D. Wichs, “Dynamic Proofs of Retrievability via Oblivious Ram,” In Proc. 32nd Intl Conf. Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT 13), pp. 279-295, 2013.

[17] K. Yang and X. Jia, “An Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud Computing,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 9, pp. 1717-1726, 2013.

[18] M. Sookhak, A. Gani, M. K. Khan, and R. Buyya, “Dynamic Remote Data Auditing for Securing Big Data Storage in Cloud Computing,” Information Sciences, vol. 380, pp. 101-116, 2017.

[19] L. Rao, H. Zhang, and T. Tu, “Dynamic Outsourced Auditing Services for Cloud Storage Based on Batch-Leaves-Authenticated Merkle Hash Tree,” IEEE Transactions on Services Computing, Available online 26 May 2017, DOI: 10.1109/TSC.2017.2708116.

[20] C. Wang, S. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy-Preserving Public Auditing for Secure Cloud Storage,” IEEE Transactions on Computers, vol. 62, no. 2, pp. 362-375, 2013.

[21] J. Yu, K. Ren, C. Wang, and V. Varadharajan, “Enabling Cloud Storage Auditing with Key-Exposure Resistance,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 6, pp. 1167-1179, Jun. 2015.

[22] J. Yu, K. Ren, and C. Wang, “Enabling Cloud Storage Auditing with Verifiable Outsourcing of Key Updates,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 5, pp. 1362-1375, 2016.

[23] J. Yu and H. Wang, “Strong Key-Exposure Resilient Auditing for Secure Cloud Storage,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 8, pp. 1931-1940, 2017.

[24] J. Yu, H. Rong, H. Xia, H. Zhang, X. Cheng, and F. Kong, “Intrusion-resilient identity-based signatures: Concrete scheme in the standard model and generic construction,” Information Sciences, vol. 442-443, pp. 158-172, 2018.

[25] J. Yu, R. Hao, H. Zhao, M. Shu, and J. Fan, “IRIBE: Intrusion-resilient identity-based encryption,” Information Sciences, vol. 329, pp. 90-104, 2016.

[26] W. Shen, G. Yang, J. Yu, H. Zhang, F. Kong, and R. Hao, “Remote data possession checking with privacy-preserving authenticators for cloud storage,” Future Generation Computer Systems, vol. 76, pp. 136-145, 2017.

[27] K. D. Bowers, A. Juels, and A. Oprea, “Proofs of retrievability: Theory and implementation,” In Proc. of the 2009 ACM workshop on Cloud computing security, pp. 43-54, 2009.

[28] J. Yuan and S. Yu, “Proofs of Retrievability with Public Verifiability and Constant Communication Cost in Cloud,” In Proc. of 2013 international workshop on Security in cloud computing, pp. 19-26, 2013.

[29] H. Wang, Q. Wu, B. Qin, and J. Domingo-Ferrer, “Identity-based Remote Data Possession Checking in Public Clouds,” IET Information Security, vol. 8, no. 2, pp. 114-121, 2014.

[30] Y. Yu, M. Au, G. Ateniese, X. Huang, W. Susilo, Y. Dai, and G. Min, “Identity-based Remote Data Integrity Checking with Perfect Data Privacy Preserving for Cloud Storage,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 4, pp. 767-778, 2016.

[31] H. Wang, D. He, and S. Tang, “Identity-Based Proxy-Oriented Data Uploading and Remote Data Integrity Checking in Public Cloud,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 6, pp. 1165-1176, 2016.

[32] H. Wang, D. He, J. Yu, and Z. Wang, “Incentive and Unconditionally Anonymous Identity-Based Public Provable Data Possession,” IEEE Transactions on Services Computing, Available online 29 November 2016, DOI: 10.1109/TSC.2016.2633260.

[33] Y. Li, Y. Yu, G. Min, W. Susilo, J. Ni, and K. Choo, “Fuzzy Identity-Based Data Integrity Auditing for Reliable Cloud Storage Systems,” IEEE Transactions on Dependable and Secure Computing, Available online 01 February 2017, DOI: 10.1109/TDSC.2017.2662216.

[34] T. Jiang, X. Chen, and J. Ma, “Public Integrity Auditing for Shared Dynamic Cloud Data with Group User Revocation,” IEEE Transactions on Computers, vol. 65, no. 8, pp. 2363-2373, 2016.

[35] Y. Tseng, T. Tsai, S. Huang, and C. Huang, “Identity-Based Encryption with Cloud Revocation Authority and Its Applications,” IEEE Transactions on Cloud Computing, Available online 10 March 2016, DOI: 10.1109/TCC.2016.2541138.

[36] C. P. Schnorr, “Efficient Signature Generation by Smart Cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161-174, 1991.

[37] B. Lynn, The Pairing-based Cryptographic Library, online at http://crypto.Stanford.edu/pbc/, 2015.

[38] The GNU Multiple Precision Arithmetic Library (GMP), online at http://gmplib.org/.

Yue Zhang is a master’s degree candidate in the College of Computer Science and Technology, Qingdao University, China. Her research interests include cloud security and big data security.

Jia Yu is a professor of the College of Computer Science and Technology at Qingdao University. He received the M.S. and B.S. degrees in School of Computer Science and Technology from Shandong University in 2003 and 2000, respectively. He received Ph.D. degree in Institute of Network Security from Shandong University, in 2006. He was a visiting professor with the Department of Computer Science and Engineering, the State University of New York at Buffalo, from Nov. 2013 to Nov. 2014. His research interests include cloud computing security, key evolving cryptography, digital signature, and network security.

Rong Hao works in the College of Computer Science and Technology, Qingdao University. Her research interest is cloud computing security and cryptography.

Cong Wang is an Assistant Professor in the Computer Science Department at City University of Hong Kong. He received his B.E and M.E degrees from Wuhan University in 2004 and 2007, and PhD degree from Illinois Institute of Technology in 2012, all in Electrical and Computer Engineering. He has worked at Palo Alto Research Center in the summer of 2011. His research interests are in the areas of cloud computing and security, with current focus on secure data services in cloud computing, and secure computation outsourcing. He is a Senior Member of the IEEE and a Member of the ACM.

Kui Ren is a professor of Computer Science and Engineering and the director of the UbiSeC Lab at State University of New York at Buffalo. He received his PhD degree from Worcester Polytechnic Institute. Kui’s current research interest spans Cloud & Outsourcing Security, Wireless & Wearable System Security, and Human-centered Computing. His research has been supported by NSF, DoE, AFRL, MSR, and Amazon. He is a recipient of NSF CAREER Award in 2011 and Sigma Xi/IIT Research Excellence Award in 2012. Kui has published 135 peer-review journal and conference papers and received several Best Paper Awards including IEEE ICNP 2011. He currently serves as an associate editor for IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Mobile Computing, IEEE Wireless Communications, IEEE Internet of Things Journal, IEEE Transactions on Smart Grid, Elsevier Pervasive and Mobile Computing, and Oxford The Computer Journal. Kui is a fellow of IEEE, a member of ACM, a Distinguished Lecturer of IEEE Vehicular Technology Society, and a past board member of Internet Privacy Task Force, State of Illinois.