Research Article

Attack on Privacy-Preserving Public Auditing Schemes for Cloud Storage

Baoyuan Kang, Jiaqiang Wang, and Dongyang Shao

School of Computer Science and Software, Tianjin Polytechnic University, Tianjin 300387, China

Correspondence should be addressed to Baoyuan Kang; baoyuankang@aliyun.com

Received 9 December 2016; Accepted 19 April 2017; Published 11 May 2017

Academic Editor: Emilio Insfran

Hindawi, Mathematical Problems in Engineering, Volume 2017, Article ID 8062182, 6 pages, https://doi.org/10.1155/2017/8062182

Copyright © 2017 Baoyuan Kang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

With the development of Internet, cloud computing has emerged to provide service to data users. But it is necessary for an auditor on behalf of users to check the integrity of the data stored in the cloud. The cloud server also must ensure the privacy of the data. In a usual public integrity check scheme, the linear combination of data blocks is needed for verification. But, after times of auditing on the same data blocks, based on collected linear combinations, the auditor might derive these blocks. Recently, a number of public auditing schemes with privacy-preserving are proposed. With blinded linear combinations of data blocks, the authors of these schemes believed that the auditor cannot derive any information about the data blocks and claimed that their schemes are provably secure in the random oracle model. In this paper, with detailed security analysis of these schemes, we show that these schemes are vulnerable to an attack from the malicious cloud server who modifies the data blocks and succeeds in forging proof information for data integrity check.

1. Introduction

With the development of Internet, cloud computing has emerged. Cloud computing is a new model of computing in contrast to conventional computing. This new paradigm allows data users to outsource their data to a cloud service provider. The term cloud refers to a thousand of virtualized servers distributed over a set of data centers with different geographical locations connected together through telecommunication links [1]. The services on the cloud are delivered to the users under a pay-as-you-go pricing model.

Although cloud computing offers various advantages to both users and the cloud service provider, and is envisioned as a promising service platform for the next generation Internet, security and privacy are the major challenges which inhibit the wide acceptance of cloud computing in practice. Once data users transfer their data to the cloud, users lose their physical control over data. The outsourced data on the cloud are at risk from internal and external threats. The first threat is that the cloud service provider might delete less frequently accessed data. So, users need to make sure their data remain intact after uploading to the cloud, and data integrity check is becoming vital. As data users no longer physically possess the storage of their data and are confined by resource capability, traditional integrity checking technologies are not well suited for the cloud environment. Data users hope that a third party will verify their data integrity on their behalf. The issue of public auditing for data integrity check is proposed.

After Ateniese et al.'s first work [2], people proposed many public auditing schemes [3–16] for data integrity check. In a typical public auditing scheme, there are three characters: one data user, one cloud server, and one auditor. The data user transfers his data to the cloud for storage and computing. On behalf of the user, the auditor, who has experience and capability, is responsible for the data integrity check. Before sending data to the cloud, the user divides a data file into many data blocks. Then, using signature technology, the user generates an authentication tag for each block. These tags are sent to the cloud server with data blocks. To check the integrity of the outsourced data file, using sampling test idea, the auditor sends challenging information to the cloud server. Upon receiving the challenging information, the cloud server generates a response by the data blocks and corresponding block tags and sends the response to the auditor. Then, the auditor verifies the validity of the response. If the response is valid, the auditor and the user believe the outsourced data file remain intact.

In the security model of public auditing schemes, the user is honest. But the cloud server is a semitrusted party. As mentioned earlier, the cloud server might delete less frequently accessed data for his benefit. The auditor is honest but curious. The auditor might obtain some information of the data in auditing process. So a secure public auditing scheme should also satisfy the privacy-preserving requirement. In fact, in many existing schemes, the linear combinations of data blocks are needed for verification without data privacy guarantee against the auditor. The users, who rely on the auditor just for the storage security of their data, do not want the auditing process leaking any information of their data. But based on collected linear combinations of the same data blocks in times of check, the auditor might derive these data blocks.
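The leak described in the paragraph above can be reproduced with plain linear algebra. The following is an added example, not code from the paper: it assumes an unblinded response of the form μ = Σ v_i·m_i mod p over the same challenged blocks, a toy prime modulus, and constructed block values, and it models blinding as one fresh random mask per audit (standing in for a term such as r·h(R)).

```python
import random

P = 2**61 - 1  # toy prime standing in for the group order p (assumption)

def response(blocks, coeffs, mask=0):
    """Server side: mu = sum(v_i * m_i) + mask mod p (mask = 0 means unblinded)."""
    return (sum(v * m for v, m in zip(coeffs, blocks)) + mask) % P

def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over Z_p.

    Returns the unique solution, or None while the collected challenge
    vectors do not have full rank (too few or dependent audits).
    """
    n = len(rows[0])
    aug = [list(r) + [b] for r, b in zip(rows, rhs)]
    rank = 0
    for col in range(n):
        pivot = next((r for r in range(rank, len(aug)) if aug[r][col] % P), None)
        if pivot is None:
            return None
        aug[rank], aug[pivot] = aug[pivot], aug[rank]
        inv = pow(aug[rank][col], -1, P)
        aug[rank] = [x * inv % P for x in aug[rank]]
        for r in range(len(aug)):
            if r != rank and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[rank])]
        rank += 1
    return [aug[i][n] for i in range(n)]

def audit_transcripts(blocks, rounds, rng, blinded=False):
    """Constructed auditor view: (challenge coefficients, response) per audit."""
    out = []
    for _ in range(rounds):
        coeffs = [rng.randrange(1, P) for _ in blocks]
        # A fresh secret mask per audit models the blinding term.
        mask = rng.randrange(1, P) if blinded else 0
        out.append((coeffs, response(blocks, coeffs, mask)))
    return out

def recover_blocks(transcripts):
    """Honest-but-curious auditor: treat the transcripts as a linear system."""
    return solve_mod_p([c for c, _ in transcripts], [mu for _, mu in transcripts])

def demo():
    rng = random.Random(2017)                            # fixed seed, reproducible
    blocks = [rng.randrange(1, P) for _ in range(4)]     # constructed file, c = 4
    few = recover_blocks(audit_transcripts(blocks, 3, rng))
    enough = recover_blocks(audit_transcripts(blocks, 4, rng))
    blinded = recover_blocks(audit_transcripts(blocks, 4, rng, blinded=True))
    return blocks, few, enough, blinded
```

Three audits leave the system underdetermined, four unblinded audits return the blocks exactly, and four blinded audits return values unrelated to the blocks because each audit adds an unknown.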

Recently, some public auditing schemes [17–21] concerning privacy-preserving are proposed. In [21], Li et al. proposed a privacy-preserving cloud data auditing scheme with efficient key update and claimed their scheme is proved secure in the random oracle model. The difference between Li et al.'s scheme and other existing schemes is that, in Li et al.'s scheme, each block is further fragmented into a certain number of sectors and the authenticator for each block is related to each of its sectors. In [19], Wang et al. proposed a privacy-preserving public auditing scheme for secure cloud storage and claimed that their scheme is provably secure and highly efficient. In [17], Wang et al. proposed a privacy-preserving public auditing scheme. But in [18], Worku et al. showed that in Wang et al.'s scheme [17] the malicious cloud server can forge a signature for any block he selects. So once the server possesses data from users, he can modify the data as he wants. Worku et al. also proposed an efficient privacy-preserving public auditing scheme and claimed that the proposed scheme is proved secure in the random oracle model. However, in this paper, we will point out that these schemes [18, 19, 21] are insecure. The malicious cloud server against these schemes can break the data integrity without being found by the auditor.

The rest of the paper is organized as follows. In Section 2, we review bilinear pairing and the computational Diffie-Hellman problem relevant to the security of the discussed schemes. In Section 3, we review Li et al.'s scheme. We show an attack on Li et al.'s scheme in Section 4. In Section 5, we review Worku et al.'s scheme. We demonstrate that Worku et al.'s scheme and Wang et al.'s scheme are subjected to the same attack in Sections 6 and 7, respectively. Conclusion is given in Section 8.

2. Preliminary

2.1. The Bilinear Pairing. Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and $G_2$ be a cyclic multiplicative group of the same order. Let $e: G_1 \times G_1 \rightarrow G_2$ be a pairing map which satisfies the following conditions:

(1) Bilinearity: for any $P, Q, R \in G_1$,

$$e(P + Q, R) = e(P, R)\, e(Q, R), \qquad e(P, Q + R) = e(P, Q)\, e(P, R). \tag{1}$$

In particular, for any $a, b \in Z_q$, $e(aP, bP) = e(P, abP) = e(abP, P) = e(P, P)^{ab}$.

(2) Nondegeneracy: there exists $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

(3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

2.2. Computational Diffie-Hellman (CDH) Problem. Given a generator $P$ of an additive cyclic group $G$ with order $q$ and given $(aP, bP)$ for unknown $a, b \in Z_q^{*}$, one computes $abP$.

3. Brief Review of Li et al.'s Scheme

In [21], Li et al. proposed a privacy-preserving cloud data auditing scheme with key update. Here we review it but omit the content related to key update.

CrsGen. On input of a security parameter $\lambda$, this algorithm outputs a large prime $p$ and $G$, $G_T$, two multiplicative cyclic groups of the same order $p$. $g$ is a generator of $G$, $e: G \times G \rightarrow G_T$ denotes a bilinear map, and $H_0, H_1: \{0, 1\}^{*} \rightarrow G$ represent two collision resistant cryptographic hash functions. In addition, this algorithm picks randomly $h, u_1, u_2, \ldots, u_s \in G$ and computes $\eta = e(g, h)$. The common reference string crs is $(p, G, G_T, g, e, H_0, H_1, h, u_1, u_2, \ldots, u_s, \eta)$.

KeyGen. On input of the common reference string crs, a cloud user generates a signing key pair $(\mathrm{spk}, \mathrm{ssk})$, $\mathrm{spk} = g^{\mathrm{ssk}}$, and another key pair $(a, v)$ for generating authenticators of file blocks, where $a \in Z_p$ and $v = g^{a}$. The secret key of the data user is $\mathrm{sk} = (a, \mathrm{ssk})$ and the public key is $\mathrm{pk} = (\mathrm{spk}, v)$. For convenience, let $\eta_i = e(u_i, v)$, $i = 1, \ldots, s$.

AuthGen. Given a file $F$, the data owner firstly applies erasure codes such as RS code to obtain a processed file $F'$ and splits $F'$ into $n$ blocks. Each block is further fragmented into $s$ sectors $\{m_{ij}\}_{1 \le i \le n,\, 1 \le j \le s}$, which is an element of $Z_p$. The data user selects a file name Fn from a sufficiently large domain. Let $t_0 = \mathrm{Fn} \,\|\, n$. The data user computes $t = (H_0(t_0))^{\mathrm{ssk}}$ and denotes the file tag $\mathrm{ft} = t_0 \,\|\, t$. Then, for each $i$, $1 \le i \le n$, the user computes an authenticator $\sigma_i$ for block $i$ as

$$\sigma_i = \Bigl( H_1(\mathrm{Fn} \,\|\, i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \Bigr)^{a}. \tag{2}$$

Finally, the data owner stores

$$\bigl\{ \mathrm{ft},\ \{m_{ij}\}_{1 \le i \le n,\, 1 \le j \le s},\ \mathrm{Metadata} \bigr\} \tag{3}$$

to the cloud, where $\mathrm{Metadata} = \{\sigma_i\}_{1 \le i \le n}$.

Proof. This is a 5-move interactive proof protocol executed between the cloud server and the auditor (TPA) as follows.

(1) The TPA picks a random integer $c$ and $k, \varphi \in Z_p$, computing $\psi = g^{k} h^{\varphi}$. For $1 \le i \le c$, the TPA selects a random $v_i \in Z_p$. The commitment $\psi$ and the challenge $\mathrm{chal} = \{(i, v_i)\}_{1 \le i \le c}$, which locates the positions of the challenged blocks in this auditing process, are sent to the cloud server.

(2) Upon receiving $(\mathrm{chal}, \psi)$, the cloud server firstly chooses $r, \rho_r, \rho_1, \ldots, \rho_s \in Z_p$ randomly and then computes

$$\omega = \prod_{(i, v_i) \in \mathrm{chal}} \sigma_i^{v_i} \cdot h^{r}, \qquad T = \eta^{\rho_r} \eta_1^{\rho_1} \cdots \eta_s^{\rho_s} \tag{4}$$

and forwards $(T, \omega)$ to the TPA.

(3) The TPA sends $(k, \varphi)$ to the server.

(4) The server checks if $\psi = g^{k} h^{\varphi}$. If the equation does not hold, the server aborts. Otherwise, he computes

$$z_r = \rho_r - k r, \qquad \mu_j = \sum_{(i, v_i) \in \mathrm{chal}} v_i m_{ij}, \qquad z_j = \rho_j - k \mu_j \quad (1 \le j \le s) \tag{5}$$

and sends $(z_r, z_1, \ldots, z_s)$ to the TPA.

(5) The TPA verifies the file tag ft firstly by checking if the following equation holds:

$$e(g, t) = e(\mathrm{spk}, H_0(t_0)). \tag{6}$$

Then TPA verifies the equation

$$\left( \frac{e(\omega, g)}{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \bigr)} \right)^{k} = \frac{T}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}. \tag{7}$$

4. Attack on Li et al.'s Scheme

In this section, we show that Li et al.'s scheme is vulnerable to a modifying attack on data integrity check.

In the proof phase, the malicious cloud server can change data blocks by modifying block sectors. He changes

$$\mu_j = \sum_{(i, v_i) \in \mathrm{chal}} v_i m_{ij}, \qquad z_j = \rho_j - k \mu_j \tag{8}$$

into

$$\mu_j = \sum_{(i, v_i) \in \mathrm{chal}} v_i (b\, m_{ij}), \qquad z_j = \rho_j - k\, b^{-1} \mu_j, \tag{9}$$

respectively, where $b \in Z_p$ is randomly selected by the server. Other computations remain unchanged. Now the forged proof information

$$(T, \omega, z_r, z_1, \ldots, z_s) \tag{10}$$

can pass the auditor's verification.

Theorem 1. The forged proof information $(T, \omega, z_r, z_1, \ldots, z_s)$ produced in the above analysis can pass the auditor's verification.

Proof. In fact,

$$\begin{aligned}
\left( \frac{e(\omega, g)}{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \bigr)} \right)^{k}
&= \left( \frac{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} \sigma_i^{v_i} \cdot h^{r},\ g \bigr)}{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \bigr)} \right)^{k} \\
&= \left( \frac{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} \bigl( H_1(\mathrm{Fn} \,\|\, i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \bigr)^{a v_i} \cdot h^{r},\ g \bigr)}{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \bigr)} \right)^{k} \\
&= \left( \frac{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} \bigl( H_1(\mathrm{Fn} \,\|\, i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \bigr)^{v_i},\ g^{a} \bigr) \cdot e(h^{r}, g)}{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \bigr)} \right)^{k} \\
&= \left( \frac{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} \bigl( H_1(\mathrm{Fn} \,\|\, i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \bigr)^{v_i},\ v \bigr) \cdot e(h^{r}, g)}{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \bigr)} \right)^{k} \\
&= \left( e\Bigl( \prod_{(i, v_i) \in \mathrm{chal}} \Bigl( \prod_{j=1}^{s} u_j^{m_{ij}} \Bigr)^{v_i},\ v \Bigr) \cdot e(h^{r}, g) \right)^{k}.
\end{aligned} \tag{11}$$

But

$$\begin{aligned}
\frac{T}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}
&= \frac{\eta^{\rho_r} \eta_1^{\rho_1} \cdots \eta_s^{\rho_s}}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}
= \eta^{\rho_r - z_r} \eta_1^{\rho_1 - z_1} \cdots \eta_s^{\rho_s - z_s} \\
&= \eta^{k r} \eta_1^{k b^{-1} \mu_1} \cdots \eta_s^{k b^{-1} \mu_s}
= \bigl( \eta^{r} \eta_1^{b^{-1} \mu_1} \cdots \eta_s^{b^{-1} \mu_s} \bigr)^{k} \\
&= \Bigl( e(g, h)^{r} \cdot e(u_1, v)^{b^{-1} \sum_{(i, v_i) \in \mathrm{chal}} v_i (b\, m_{i1})} \cdots e(u_s, v)^{b^{-1} \sum_{(i, v_i) \in \mathrm{chal}} v_i (b\, m_{is})} \Bigr)^{k} \\
&= \Bigl( e(h^{r}, g) \cdot e\bigl( u_1^{\sum_{(i, v_i) \in \mathrm{chal}} v_i m_{i1}} \cdots u_s^{\sum_{(i, v_i) \in \mathrm{chal}} v_i m_{is}},\ v \bigr) \Bigr)^{k} \\
&= \left( e\Bigl( \prod_{(i, v_i) \in \mathrm{chal}} \Bigl( \prod_{j=1}^{s} u_j^{m_{ij}} \Bigr)^{v_i},\ v \Bigr) \cdot e(h^{r}, g) \right)^{k}.
\end{aligned} \tag{12}$$

So

$$\left( \frac{e(\omega, g)}{e\bigl( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \bigr)} \right)^{k} = \frac{T}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}. \tag{13}$$

$(T, \omega, z_r, z_1, \ldots, z_s)$ passes the auditor's verification; it is valid proof information. The malicious cloud server succeeds in the modifying attack on data integrity check.

5. Brief Review of Worku et al.'s Scheme

In this section, we give a brief review of Worku et al.'s scheme [18], which is composed of four algorithms.

Let $G_1 = G_2 = G$ and $e: G \times G \rightarrow G_T$ be a bilinear map, where $G$ and $G_T$ are multiplicative cyclic groups of prime order $p$. Let $g$ be a generator of $G$. Let $H: \{0, 1\}^{*} \rightarrow G$ be a hash function which maps strings to $G$, and let $h(\cdot): G \rightarrow Z_p$ be another hash function which maps group of elements of $G$ uniformly to $Z_p$.

KeyGen. The data user first generates a random signing key pair $(\mathrm{ssk}, \mathrm{spk})$ and then chooses $x \leftarrow_R Z_p$ and $u \leftarrow_R G$ and computes $v = g^{x}$. The user then states $\mathrm{sk} = (x, \mathrm{ssk})$ as his/her secret key and $\mathrm{pk} = (u, v, g, \mathrm{spk})$ as public parameters.

SigGen. For file naming, the user chooses a random element name in $Z_p$ for file $F = \{m_i\}_{1 \le i \le n}$ and computes the file tag as $t = \mathrm{name} \,\|\, \mathrm{Sig}_{\mathrm{ssk}}(\mathrm{name})$. Next, for each block $m_i \in Z_p$, the user generates a signature $\sigma_i$ as follows:

$$\sigma_i = \bigl( H(i) \cdot u^{m_i} \bigr)^{x}. \tag{14}$$

Then, finally, the user sends $\{F, \phi = \{\sigma_i\}_{1 \le i \le n}, t\}$ to the cloud server for storage and deletes the file and its corresponding set of signatures from local storage. Any time when the auditor wants to start the auditing protocol, first he retrieves the file tag $t$ for $F$ and checks its validity using spk and quits if failed. If the proof on $t$ is correct, the auditor sends a challenge chal to the server. That is, the auditor picks random elements $c, k_1, k_2$ in $Z_p$ and sends $\mathrm{chal} = (c, k_1, k_2)$ to the server, where $k_1$ and $k_2$ are pseudorandom permutation keys chosen randomly by the auditor for each auditing.

ProofGen. After receiving the challenge, the server first determines the subset $I = \{s_j\}$ $(1 \le j \le c)$ of set $[1, n]$ using pseudorandom permutation $\pi_{\mathrm{key}}(\cdot)$ as $s_j = \pi_{k_1}(j)$, and it also determines $v_{s_j} = f_{k_2}(j)$ $(1 \le j \le c)$ using pseudorandom function $f_{\mathrm{key}}(\cdot)$. Finally, for $i \in I$, the server computes

$$\mu^{*} = \sum_{i = s_1}^{s_c} v_i m_i, \qquad \sigma = \prod_{i = s_1}^{s_c} \sigma_i^{v_i}. \tag{15}$$

For blinding, the server chooses a random element $r \leftarrow Z_p$ using the same pseudorandom function as $r = f_{k_3}(\mathrm{chal})$, where $k_3$ is a pseudorandom function key generated by the server for each auditing. The server then calculates $R = u^{r}$ and computes $\mu = \mu^{*} + r\, h(R)$ and then sends $(\mu, \sigma, R)$ to the auditor.

VerifyProof. Upon receiving the proof $(\mu, \sigma, R)$, TPA computes $s_j = \pi_{k_1}(j)$ and $v_{s_j} = f_{k_2}(j)$, where $1 \le j \le c$. Finally, the auditor verifies the proof by checking the following equation and outputs "True" if valid and "False" otherwise:

$$e(\sigma, g) = e\Bigl( \prod_{i \in I} H(i)^{v_i} \cdot u^{\mu} \cdot R^{-h(R)},\ v \Bigr). \tag{16}$$

6. Attack on Worku et al.'s Scheme

In this section, we demonstrate that the malicious cloud server can break the integrity check by modification attack.

Suppose a file $M$ from the data user is divided into $n$ blocks, that is, $M = \{m_1, m_2, \cdots, m_n\}$. Let $\sigma_i$ be $m_i$'s authentication tag. Let $A$ be a malicious cloud server. When $A$ receives the file $M$, $A$ might replace each file block $m_i$ with $a \cdot m_i$. Here $a$ $(\in Z_p)$ is randomly selected by $A$. Upon receiving the challenge information in the ProofGen phase, $A$ can change

$$\mu^{*} = \sum_{i = s_1}^{s_c} v_i m_i, \qquad \mu = \mu^{*} + r\, h(R) \tag{17}$$

into

$$\mu^{*} = \sum_{i = s_1}^{s_c} v_i (a\, m_i), \qquad \mu = a^{-1} \cdot \mu^{*} + r\, h(R), \tag{18}$$

respectively. Other computations remain unchanged. Then the forged proof information

$$(\mu, \sigma, R) \tag{19}$$

can pass the auditor's verification.

Theorem 2. The forged proof information $(\mu, \sigma, R)$ produced in the above analysis can pass the auditor's verification.

Proof. In fact, based on the equations

$$\mu^{*} = \sum_{i = s_1}^{s_c} v_i (a\, m_i), \qquad \mu = a^{-1} \cdot \mu^{*} + r\, h(R) \tag{20}$$

produced by the malicious cloud server, the following derivation is established:

$$\begin{aligned}
e(\sigma, g) &= e\Bigl( \prod_{i = s_1}^{s_c} \sigma_i^{v_i},\ g \Bigr)
= e\Bigl( \prod_{i = s_1}^{s_c} \bigl( H(i) \cdot u^{m_i} \bigr)^{x v_i},\ g \Bigr) \\
&= e\Bigl( \prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{\sum_{i = s_1}^{s_c} m_i v_i},\ g^{x} \Bigr) \\
&= e\Bigl( \prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{a^{-1} \mu^{*}},\ v \Bigr) \\
&= e\Bigl( \prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{\mu - r h(R)},\ v \Bigr) \\
&= e\Bigl( \prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{\mu} \cdot R^{-h(R)},\ v \Bigr).
\end{aligned} \tag{21}$$

So $(\mu, \sigma, R)$ passes the auditor's verification and it is valid proof information. The malicious cloud server that modifies the file blocks succeeds in deceiving the auditor.
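The derivation in (21) can be exercised end to end against the VerifyProof check (16). The following is an added example, not code from the paper or from Worku et al.: group elements are represented by their exponents with respect to g, so the pairing is a product of exponents mod p, which tests the algebra and nothing else. The PRP/PRF derivation of the challenge from (c, k_1, k_2) is replaced by direct sampling, and all names and values are constructed.

```python
import hashlib
import random

P = 2**127 - 1   # toy prime group order p (assumption)
G = 1            # the generator g, as the exponent 1

def _hash(tag, value):
    d = hashlib.sha256(f"{tag}|{value}".encode()).digest()
    return int.from_bytes(d, "big") % P

def H(i):
    """H: {0,1}* -> G, returned as an exponent of g."""
    return _hash("H", i)

def h(R):
    """h: G -> Z_p, applied to the exponent representation of R."""
    return _hash("h", R)

def pair(x, y):
    """e(g^x, g^y) = e(g, g)^(x*y), kept as an exponent."""
    return x * y % P

def keygen(rng):
    x = rng.randrange(1, P)          # secret key x
    u = rng.randrange(1, P)          # public u in G
    return x, u, x * G % P           # v = g^x

def siggen(blocks, x, u):
    """Equation (14): sigma_i = (H(i) * u^{m_i})^x."""
    return {i: x * (H(i) + u * m) % P for i, m in blocks.items()}

def proofgen(stored, tags, chal, u, rng, unscale=1):
    """Equation (15) plus blinding; unscale = a^{-1} gives equation (18)."""
    mu_star = sum(v_i * stored[i] for i, v_i in chal) % P
    sigma = sum(v_i * tags[i] for i, v_i in chal) % P   # prod sigma_i^{v_i}
    r = rng.randrange(1, P)
    R = u * r % P                                       # R = u^r
    mu = (unscale * mu_star + r * h(R)) % P
    return mu, sigma, R

def verify(proof, chal, u, v):
    """Equation (16): e(sigma, g) == e(prod H(i)^{v_i} * u^mu * R^{-h(R)}, v)."""
    mu, sigma, R = proof
    elem = (sum(v_i * H(i) for i, v_i in chal) + u * mu - R * h(R)) % P
    return pair(sigma, G) == pair(elem, v)

def run_audits(seed=2017, n=8, c=4):
    rng = random.Random(seed)                           # fixed seed, reproducible
    x, u, v = keygen(rng)
    blocks = {i: rng.randrange(1, P) for i in range(1, n + 1)}   # constructed file
    tags = siggen(blocks, x, u)
    chal = [(i, rng.randrange(1, P)) for i in rng.sample(range(1, n + 1), c)]

    a = rng.randrange(2, P)                             # server's scaling factor
    tampered = {i: a * m % P for i, m in blocks.items()}

    return {
        "honest": verify(proofgen(blocks, tags, chal, u, rng), chal, u, v),
        # scaled blocks, response computed as in equation (17)
        "naive": verify(proofgen(tampered, tags, chal, u, rng), chal, u, v),
        # scaled blocks, response computed as in equation (18)
        "forged": verify(proofgen(tampered, tags, chal, u, rng,
                                  unscale=pow(a, -1, P)), chal, u, v),
        "blocks_changed": sum(tampered[i] != blocks[i] for i in blocks),
    }
```

The auditor's check accepts the third proof although none of the eight stored blocks equals the block that was signed.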

7. Attack on Wang et al.'s Scheme

To save space, we do not review Wang et al.'s scheme. For its detailed description, readers can refer to literature [19]. Due to similarity, Wang et al.'s scheme is subjected to the above attack.

When the malicious cloud server $A$ receives a data file $M = \{m_1, m_2, \cdots, m_n\}$, similarly, $A$ might replace each file block $m_i$ with $a \cdot m_i$. Here $a$ $(\in Z_p)$ is selected by $A$. Upon receiving the challenge information in the ProofGen phase, the malicious cloud server $A$ can change

$$\mu' = \sum_{i = s_1}^{s_c} v_i m_i, \qquad \mu = r + \gamma \mu' \tag{22}$$

into

$$\mu' = \sum_{i = s_1}^{s_c} v_i (a\, m_i), \qquad \mu = r + a^{-1} \cdot \gamma \cdot \mu', \tag{23}$$

respectively. Other computations remain unchanged. Then the forged proof information

$$(\mu, \sigma, R) \tag{24}$$

can pass the auditor's verification.

Theorem 3. The forged proof information $(\mu, \sigma, R)$ produced in the above analysis can pass the auditor's verification.

Proof. In fact, due to the equations

$$\mu' = \sum_{i = s_1}^{s_c} v_i (a\, m_i), \qquad \mu = r + a^{-1} \cdot \gamma \cdot \mu' \tag{25}$$

produced by the malicious cloud server, the following derivation is established:

$$\begin{aligned}
R \cdot e(\sigma^{\gamma}, g)
&= e(u, v)^{r} \cdot e\Bigl( \Bigl( \prod_{i = s_1}^{s_c} \bigl( H(W_i) \cdot u^{m_i} \bigr)^{x v_i} \Bigr)^{\gamma},\ g \Bigr) \\
&= e(u^{r}, v) \cdot e\Bigl( \prod_{i = s_1}^{s_c} \bigl( H(W_i)^{v_i} \cdot u^{v_i m_i} \bigr)^{\gamma},\ g \Bigr)^{x} \\
&= e(u^{r}, v) \cdot e\Bigl( \Bigl( \prod_{i = s_1}^{s_c} H(W_i)^{v_i} \Bigr)^{\gamma} \cdot u^{\sum_{i = s_1}^{s_c} v_i m_i \gamma},\ g^{x} \Bigr) \\
&= e(u^{r}, v) \cdot e\Bigl( \Bigl( \prod_{i = s_1}^{s_c} H(W_i)^{v_i} \Bigr)^{\gamma} \cdot u^{a^{-1} \mu' \gamma},\ v \Bigr) \\
&= e(u^{r}, v) \cdot e\Bigl( \Bigl( \prod_{i = s_1}^{s_c} H(W_i)^{v_i} \Bigr)^{\gamma} \cdot u^{\mu - r},\ v \Bigr) \\
&= e\Bigl( \Bigl( \prod_{i = s_1}^{s_c} H(W_i)^{v_i} \Bigr)^{\gamma} \cdot u^{\mu},\ v \Bigr).
\end{aligned} \tag{26}$$

So $(\mu, \sigma, R)$ passes the auditor's verification; it is valid proof information. The malicious cloud server succeeds in deceiving the auditor.

8. Conclusion

In this paper, we analyze three existing privacy-preserving public auditing schemes for secure cloud storage. We demonstrate an attack against them. In the attack, the malicious cloud server that modifies the data blocks succeeds in forging proof information for data integrity check. As far as we know, it is an open problem to propose secure privacy-preserving public auditing schemes.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] M. Sookhak, H. Talebian, E. Ahmed, A. Gani, and M. K. Khan, "A review on remote data auditing in single cloud server: taxonomy and open issues," Journal of Network and Computer Applications, vol. 43, pp. 121–141, 2014.

[2] G. Ateniese, R. Burns, R. Curtmola et al., "Provable data possession at untrusted stores," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 598–609, Virginia, Va, USA, November 2007.

[3] G. Ateniese, S. Kamara, and J. Katz, "Proofs of storage from homomorphic identification protocols," in Proceedings of the International Conference on Theory and Application of Cryptology and Information Security, Advances in Cryptology, vol. 5912, pp. 319–333, 2009.

[4] R. Lu, X. Lin, T. H. Luan, X. Liang, and X. Shen, "Pseudonym changing at social spots: an effective strategy for location privacy in VANETs," IEEE Transactions on Vehicular Technology, vol. 61, no. 1, pp. 86–96, 2012.

[5] N. Kaaniche, A. Boudguiga, and M. Laurent, "ID-based cryptography for secure cloud data storage," in Proceedings of the IEEE Sixth International Conference on Cloud Computing, pp. 375–382, 2013.

[6] Q.-A. Wang, C. Wang, K. Ren, W.-J. Lou, and J. Li, "Enabling public auditability and data dynamics for storage security in cloud computing," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847–859, 2011.

[7] J. Yuan and S. Yu, "Public integrity auditing for dynamic data sharing with multiuser modification," IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1717–1726, 2015.

[8] K. Zeng, "Publicly verifiable remote data integrity," in Proceedings of the 10th International Conference on Information and Communications Security, pp. 419–434, 2008.

[9] Y. Zhu, H. Hu, G.-J. Ahn, and M. Yu, "Cooperative provable data possession for integrity verification in multicloud storage," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 12, pp. 2231–2244, 2012.

[10] Y. Zhu, H. Wang, Z. Hu, G. J. Ahn, H. Hu, and S. S. Yau, "Dynamic audit services for integrity verification of outsourced storages in clouds," in Proceedings of the 26th Annual ACM Symposium on Applied Computing (SAC '11), pp. 1550–1557, March 2011.

[11] L. Xue, J. Ni, Y. Li, and J. Shen, "Provable data transfer from provable data possession and deletion in cloud storage," Computer Standard & interfaces, March 14, 2016.

[12] H. Jin, K. Zhou, H. Jiang, D. Lei, R. Wei, and C. Li, "Full integrity and freshness for cloud data," Future Generation Computer Systems, 2016.

[13] H. Wang, J. Domingo-Ferrer, Q. Wu, and B. Qin, "Identity-based remote data possession checking in public clouds," IET Information Security, vol. 8, no. 2, pp. 114–121, 2014.

[14] J. Zhang and Q. Dong, "Efficient ID-based public auditing for the outsourced data in cloud storage," Information Sciences, vol. 343-344, pp. 1–14, 2016.

[15] Y. Yu, L. Xue, M. H. Au et al., "Cloud data integrity checking with an identity-based auditing mechanism from RSA," Future Generation Computer Systems, vol. 62, pp. 85–91, 2016.

[16] L. Wei, H. Zhu, Z. Cao et al., "Security and privacy for storage and computation in cloud computing," Information Sciences, vol. 258, pp. 371–386, 2014.

[17] C. Wang, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for data storage security in cloud computing," in Proceedings of the IEEE INFOCOM, pp. 525–533, March 2010.

[18] S. Worku, C. Xu, J. Zhao, and X. He, "Secure and efficient privacy-preserving public auditing scheme," Computer and Electrical Engineering, vol. 40, pp. 1703–1713, 2014.

[19] C. Wang, S. S. Chow, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for secure cloud storage," IEEE Transactions on computers, vol. 62, no. 2, pp. 362–375, 2013.

[20] J. Zhang and X. Zhao, "Privacy-preserving public auditing scheme for shared data with supporting multi-function," Journal of Communications, vol. 10, no. 7, pp. 535–542, 2015.

[21] Y. Li, Y. Yu, B. Yang, G. Min, and H. Wu, "Privacy preserving cloud data auditing with efficient key update," Future Generation Computer Systems, 2016.


auditor and the user believe the outsourced data file remain intact.

In the security model of public auditing schemes, the user is honest. But the cloud server is a semitrusted party. As mentioned earlier, the cloud server might delete less frequently accessed data for his benefit. The auditor is honest but curious. The auditor might obtain some information of the data in the auditing process. So a secure public auditing scheme should also satisfy the privacy-preserving requirement. In fact, in many existing schemes, the linear combinations of data blocks are needed for verification without data privacy guarantee against the auditor. The users, who rely on the auditor just for the storage security of their data, do not want the auditing process leaking any information of their data. But, based on collected linear combinations of the same data blocks in times of check, the auditor might derive these data blocks.

Recently, some public auditing schemes [17–21] concerning privacy-preserving are proposed. In [21], Li et al. proposed a privacy-preserving cloud data auditing scheme with efficient key update and claimed their scheme is proved secure in the random oracle model. The difference between Li et al.'s scheme and other existing schemes is that, in Li et al.'s scheme, each block is further fragmented into a certain number of sectors and the authenticator for each block is related to each of its sectors. In [19], Wang et al. proposed a privacy-preserving public auditing scheme for secure cloud storage and claimed that their scheme is provably secure and highly efficient. In [17], Wang et al. proposed a privacy-preserving public auditing scheme. But, in [18], Worku et al. showed that, in Wang et al.'s scheme [17], the malicious cloud server can forge a signature for any block he selects. So once the server possesses data from users, he can modify the data as he wants. Worku et al. also proposed an efficient privacy-preserving public auditing scheme and claimed that the proposed scheme is proved secure in the random oracle model. However, in this paper, we will point out that these schemes [18, 19, 21] are insecure. The malicious cloud server against these schemes can break the data integrity without being found by the auditor.

The rest of the paper is organized as follows. In Section 2, we review bilinear pairing and the computational Diffie-Hellman problem relevant to the security of the discussed schemes. In Section 3, we review Li et al.'s scheme. We show an attack on Li et al.'s scheme in Section 4. In Section 5, we review Worku et al.'s scheme. We demonstrate that Worku et al.'s scheme and Wang et al.'s scheme are subjected to the same attack in Sections 6 and 7, respectively. Conclusion is given in Section 8.

2. Preliminary

2.1. The Bilinear Pairing. Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and $G_2$ be a cyclic multiplicative group of the same order. Let $e : G_1 \times G_1 \rightarrow G_2$ be a pairing map which satisfies the following conditions.

(1) Bilinearity: for any $P, Q, R \in G_1$,

$$e(P + Q, R) = e(P, R)\, e(Q, R), \qquad e(P, Q + R) = e(P, Q)\, e(P, R). \tag{1}$$

In particular, for any $a, b \in Z_q$, $e(aP, bP) = e(P, abP) = e(abP, P) = e(P, P)^{ab}$.

(2) Nondegeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

(3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

2.2. Computational Diffie-Hellman (CDH) Problem. Given a generator $P$ of an additive cyclic group $G$ with order $q$ and given $(aP, bP)$ for unknown $a, b \in Z_q^*$, one computes $abP$.

3. Brief Review of Li et al.'s Scheme

In [21], Li et al. proposed a privacy-preserving cloud data auditing scheme with key update. Here we review it but omit the content related to key update.

CrsGen. On input of a security parameter $\lambda$, this algorithm outputs a large prime $p$ and $G$, $G_T$, two multiplicative cyclic groups of the same order $p$. $g$ is a generator of $G$, $e : G \times G \rightarrow G_T$ denotes a bilinear map, and $H_0, H_1 : \{0, 1\}^* \rightarrow G$ represent two collision-resistant cryptographic hash functions. In addition, this algorithm picks randomly $h, u_1, u_2, \ldots, u_s \in G$ and computes $\eta = e(g, h)$. The common reference string crs is $(p, G, G_T, g, e, H_0, H_1, h, u_1, u_2, \ldots, u_s, \eta)$.

KeyGen. On input of the common reference string crs, a cloud user generates a signing key pair $(\mathrm{spk}, \mathrm{ssk})$, $\mathrm{spk} = g^{\mathrm{ssk}}$, and another key pair $(a, v)$ for generating authenticators of file blocks, where $a \in Z_p$ and $v = g^a$. The secret key of the data user is $\mathrm{sk} = (a, \mathrm{ssk})$ and the public key is $\mathrm{pk} = (\mathrm{spk}, v)$. For convenience, let $\eta_i = e(u_i, v)$, $i = 1, \ldots, s$.

AuthGen. Given a file $F$, the data owner firstly applies erasure codes such as RS code to obtain a processed file $F'$ and splits $F'$ into $n$ blocks. Each block is further fragmented into $s$ sectors $\{m_{ij}\}_{1 \le i \le n,\, 1 \le j \le s}$, each of which is an element of $Z_p$. The data user selects a file name Fn from a sufficiently large domain. Let $t_0 = \mathrm{Fn} \,\|\, n$. The data user computes $t = (H_0(t_0))^{\mathrm{ssk}}$ and denotes the file tag $\mathrm{ft} = t_0 \,\|\, t$. Then, for each $i$, $1 \le i \le n$, the user computes an authenticator $\sigma_i$ for block $i$ as

$$\sigma_i = \left( H_1(\mathrm{Fn} \,\|\, i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \right)^{a}. \tag{2}$$

Finally, the data owner stores

$$\left\{ \mathrm{ft},\ \{m_{ij}\}_{1 \le i \le n,\, 1 \le j \le s},\ \mathrm{Metadata} \right\} \tag{3}$$

to the cloud, where $\mathrm{Metadata} = \{\sigma_i\}_{1 \le i \le n}$.

Proof. This is a 5-move interactive proof protocol executed between the cloud server and the auditor (TPA) as follows.


(1) The TPA picks a random integer $c$ and $k, \varphi \in Z_p$, computing $\psi = g^k h^{\varphi}$. For $1 \le i \le c$, the TPA selects a random $v_i \in Z_p$. The commitment $\psi$ and the challenge $\mathrm{chal} = \{i, v_i\}_{1 \le i \le c}$, which locates the positions of the challenged blocks in this auditing process, are sent to the cloud server.

(2) Upon receiving $(\mathrm{chal}, \psi)$, the cloud server firstly chooses $r, \rho_r, \rho_1, \ldots, \rho_s \in Z_p$ randomly and then computes

$$\omega = \prod_{(i, v_i) \in \mathrm{chal}} \sigma_i^{v_i} \cdot h^r, \qquad T = \eta^{\rho_r} \eta_1^{\rho_1} \cdots \eta_s^{\rho_s} \tag{4}$$

and forwards $(T, \omega)$ to the TPA.

(3) The TPA sends $(k, \varphi)$ to the server.

(4) The server checks if $\psi = g^k h^{\varphi}$. If the equation does not hold, the server aborts. Otherwise, he computes

$$z_r = \rho_r - kr, \qquad \mu_j = \sum_{(i, v_i) \in \mathrm{chal}} v_i m_{ij}, \qquad z_j = \rho_j - k\mu_j \quad (1 \le j \le s) \tag{5}$$

and sends $(z_r, z_1, \ldots, z_s)$ to the TPA.

(5) The TPA verifies the file tag ft firstly by checking if the following equation holds:

$$e(g, t) = e(\mathrm{spk}, H_0(t_0)). \tag{6}$$

Then the TPA verifies the equation

$$\left( \frac{e(\omega, g)}{e\left( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \right)} \right)^{k} = \frac{T}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}. \tag{7}$$

4. Attack on Li et al.'s Scheme

In this section, we show that Li et al.'s scheme is vulnerable to a modifying attack on data integrity check.

In the proof phase, the malicious cloud server can change data blocks by modifying the blocks' sectors. He changes

$$\mu_j = \sum_{(i, v_i) \in \mathrm{chal}} v_i m_{ij}, \qquad z_j = \rho_j - k\mu_j \tag{8}$$

into

$$\mu_j = \sum_{(i, v_i) \in \mathrm{chal}} v_i (b\, m_{ij}), \qquad z_j = \rho_j - k b^{-1} \mu_j, \tag{9}$$

respectively, where $b \in Z_p$ is randomly selected by the server. Other computations remain unchanged. Now the forged proof information

$$(T, \omega, z_r, z_1, \ldots, z_s) \tag{10}$$

can pass the auditor's verification.

Theorem 1. The forged proof information $(T, \omega, z_r, z_1, \ldots, z_s)$ produced in the above analysis can pass the auditor's verification.

Proof. In fact,

$$\begin{aligned}
\left( \frac{e(\omega, g)}{e\left( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \right)} \right)^{k}
&= \left( \frac{e\left( \prod_{(i, v_i) \in \mathrm{chal}} \sigma_i^{v_i} \cdot h^r,\ g \right)}{e\left( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \right)} \right)^{k} \\
&= \left( \frac{e\left( \prod_{(i, v_i) \in \mathrm{chal}} \left( H_1(\mathrm{Fn} \,\|\, i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \right)^{a v_i} \cdot h^r,\ g \right)}{e\left( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \right)} \right)^{k} \\
&= \left( \frac{e\left( \prod_{(i, v_i) \in \mathrm{chal}} \left( H_1(\mathrm{Fn} \,\|\, i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \right)^{v_i},\ g^a \right) \cdot e(h^r, g)}{e\left( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \right)} \right)^{k} \\
&= \left( \frac{e\left( \prod_{(i, v_i) \in \mathrm{chal}} \left( H_1(\mathrm{Fn} \,\|\, i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \right)^{v_i},\ v \right) \cdot e(h^r, g)}{e\left( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \right)} \right)^{k} \\
&= \left( e\left( \prod_{(i, v_i) \in \mathrm{chal}} \left( \prod_{j=1}^{s} u_j^{m_{ij}} \right)^{v_i},\ v \right) \cdot e(h^r, g) \right)^{k}.
\end{aligned} \tag{11}$$

But

$$\begin{aligned}
\frac{T}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}
&= \frac{\eta^{\rho_r} \eta_1^{\rho_1} \cdots \eta_s^{\rho_s}}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}
= \eta^{\rho_r - z_r} \eta_1^{\rho_1 - z_1} \cdots \eta_s^{\rho_s - z_s} \\
&= \eta^{kr} \eta_1^{k b^{-1} \mu_1} \cdots \eta_s^{k b^{-1} \mu_s}
= \left( \eta^{r} \eta_1^{b^{-1} \mu_1} \cdots \eta_s^{b^{-1} \mu_s} \right)^{k} \\
&= \left( e(g, h)^{r} \cdot e(u_1, v)^{b^{-1} \sum_{(i, v_i) \in \mathrm{chal}} v_i (b\, m_{i1})} \cdots e(u_s, v)^{b^{-1} \sum_{(i, v_i) \in \mathrm{chal}} v_i (b\, m_{is})} \right)^{k} \\
&= \left( e(h^r, g) \cdot e\left( u_1^{\sum_{(i, v_i) \in \mathrm{chal}} v_i m_{i1}} \cdots u_s^{\sum_{(i, v_i) \in \mathrm{chal}} v_i m_{is}},\ v \right) \right)^{k} \\
&= \left( e\left( \prod_{(i, v_i) \in \mathrm{chal}} \left( \prod_{j=1}^{s} u_j^{m_{ij}} \right)^{v_i},\ v \right) \cdot e(h^r, g) \right)^{k}.
\end{aligned} \tag{12}$$

So

$$\left( \frac{e(\omega, g)}{e\left( \prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \,\|\, i)^{v_i},\ v \right)} \right)^{k} = \frac{T}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}. \tag{13}$$

$(T, \omega, z_r, z_1, \ldots, z_s)$ passes the auditor's verification; it is valid proof information. The malicious cloud server succeeds in the modifying attack on data integrity check.

5. Brief Review of Worku et al.'s Scheme

In this section, we give a brief review of Worku et al.'s scheme [18], which is composed of four algorithms.

Let $G_1 = G_2 = G$ and $e : G \times G \rightarrow G_T$ be a bilinear map, where $G$ and $G_T$ are multiplicative cyclic groups of prime order $p$. Let $g$ be a generator of $G$. Let $H : \{0, 1\}^* \rightarrow G$ be a hash function which maps strings to $G$, and let $h(\cdot) : G \rightarrow Z_p$ be another hash function which maps group elements of $G$ uniformly to $Z_p$.

KeyGen. The data user first generates a random signing key pair $(\mathrm{ssk}, \mathrm{spk})$ and then chooses $x \leftarrow_R Z_p$ and $u \leftarrow_R G$ and computes $v = g^x$. The user then states $\mathrm{sk} = (x, \mathrm{ssk})$ as his/her secret key and $\mathrm{pk} = (u, v, g, \mathrm{spk})$ as public parameters.

SigGen. For file naming, the user chooses a random element name in $Z_p$ for file $F = \{m_i\}_{1 \le i \le n}$ and computes the file tag as $t = \mathrm{name} \,\|\, \mathrm{Sig}_{\mathrm{ssk}}(\mathrm{name})$. Next, for each block $m_i \in Z_p$, the user generates a signature $\sigma_i$ as follows:

$$\sigma_i = \left( H(i) \cdot u^{m_i} \right)^{x}. \tag{14}$$

Then, finally, the user sends $\{F, \phi = \{\sigma_i\}_{1 \le i \le n}, t\}$ to the cloud server for storage and deletes the file and its corresponding set of signatures from local storage. Any time when the auditor wants to start the auditing protocol, first he retrieves the file tag $t$ for $F$ and checks its validity using spk and quits if failed. If the proof on $t$ is correct, the auditor sends a challenge chal to the server. That is, the auditor picks random elements $c, k_1, k_2$ in $Z_p$ and sends $\mathrm{chal} = (c, k_1, k_2)$ to the server, where $k_1$ and $k_2$ are pseudorandom permutation keys chosen randomly by the auditor for each auditing.

ProofGen. After receiving the challenge, the server first determines the subset $I = \{s_j\}$ $(1 \le j \le c)$ of set $[1, n]$ using pseudorandom permutation $\pi_{\mathrm{key}}(\cdot)$ as $s_j = \pi_{k_1}(j)$ and it also determines $v_{s_j} = f_{k_2}(j)$ $(1 \le j \le c)$ using pseudorandom function $f_{\mathrm{key}}(\cdot)$. Finally, for $i \in I$, the server computes

$$\mu^* = \sum_{i = s_1}^{s_c} v_i m_i, \qquad \sigma = \prod_{i = s_1}^{s_c} \sigma_i^{v_i}. \tag{15}$$

For blinding, the server chooses a random element $r \leftarrow Z_p$ using the same pseudorandom function as $r = f_{k_3}(\mathrm{chal})$, where $k_3$ is a pseudorandom function key generated by the server for each auditing. The server then calculates $R = u^r$ and computes $\mu = \mu^* + r\,h(R)$ and then sends $(\mu, \sigma, R)$ to the auditor.

VerifyProof. Upon receiving the proof $(\mu, \sigma, R)$, the TPA computes $s_j = \pi_{k_1}(j)$ and $v_{s_j} = f_{k_2}(j)$, where $1 \le j \le c$. Finally, the auditor verifies the proof by checking the following equation and outputs "True" if valid and "False" otherwise:

$$e(\sigma, g) = e\left( \prod_{i \in I} H(i)^{v_i} \cdot u^{\mu} \cdot R^{-h(R)},\ v \right). \tag{16}$$

6. Attack on Worku et al.'s Scheme

In this section, we demonstrate that the malicious cloud server can break the integrity check by a modification attack.

Suppose a file $M$ from the data user is divided into $n$ blocks, that is, $M = \{m_1, m_2, \ldots, m_n\}$. Let $\sigma_i$ be $m_i$'s authentication tag. Let $A$ be a malicious cloud server. When $A$ receives the file $M$, $A$ might replace each file block $m_i$ with $a \cdot m_i$. Here $a\ (\in Z_p)$ is randomly selected by $A$. Upon receiving the challenge information in the ProofGen phase, $A$ can change

$$\mu^* = \sum_{i = s_1}^{s_c} v_i m_i, \qquad \mu = \mu^* + r\,h(R) \tag{17}$$

into

$$\mu^* = \sum_{i = s_1}^{s_c} v_i (a\, m_i), \qquad \mu = a^{-1} \cdot \mu^* + r\,h(R), \tag{18}$$

respectively. Other computations remain unchanged. Then the forged proof information

$$(\mu, \sigma, R) \tag{19}$$

can pass the auditor's verification.

Theorem 2. The forged proof information $(\mu, \sigma, R)$ produced in the above analysis can pass the auditor's verification.

Proof. In fact, based on the equations

$$\mu^* = \sum_{i = s_1}^{s_c} v_i (a\, m_i), \qquad \mu = a^{-1} \cdot \mu^* + r\,h(R) \tag{20}$$

produced by the malicious cloud server, the following derivation is established:

$$\begin{aligned}
e(\sigma, g) &= e\left( \prod_{i = s_1}^{s_c} \sigma_i^{v_i},\ g \right)
= e\left( \prod_{i = s_1}^{s_c} \left( H(i) \cdot u^{m_i} \right)^{x v_i},\ g \right) \\
&= e\left( \prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{\sum_{i = s_1}^{s_c} m_i v_i},\ g^x \right) \\
&= e\left( \prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{a^{-1} \mu^*},\ v \right) \\
&= e\left( \prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{\mu - r\,h(R)},\ v \right) \\
&= e\left( \prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{\mu} \cdot R^{-h(R)},\ v \right).
\end{aligned} \tag{21}$$

So $(\mu, \sigma, R)$ passes the auditor's verification and it is valid proof information. The malicious cloud server that modifies the file blocks succeeds in deceiving the auditor.
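The verification algebra of Sections 5 and 6 can be checked numerically. The following is an added example, not code from the paper or from Worku et al.: it models G by discrete logarithms modulo a toy prime, so the pairing becomes a product of exponents. The key values, blocks, challenge and the names `proof_gen`, `verify` and `audit_outcomes` are constructed for illustration, and the PRP/PRF derivation of the challenge is replaced by an explicit list.

```python
import hashlib

# Toy model (an assumption of this example): an element g^a of G is stored as
# its exponent a mod P, so multiplying elements adds exponents and the pairing
# e(g^a, g^b) = e(g, g)^(ab) is the product ab. This checks the algebra of
# equations (14)-(18) only; it has no security, since all logs are known.
P = 2**61 - 1  # constructed prime group order


def _to_zp(label, n):
    digest = hashlib.sha256(b"%s|%d" % (label, n)).digest()
    return int.from_bytes(digest, "big") % P


def H(i):
    """H: block index -> G (returned as an exponent)."""
    return _to_zp(b"H", i)


def h(R):
    """h: G -> Z_p, applied to the exponent that represents R."""
    return _to_zp(b"h", R)


def pairing(a, b):
    return a * b % P


def sig_gen(blocks, x, u):
    """Eq. (14): sigma_i = (H(i) * u^{m_i})^x, block indices start at 1."""
    return [x * (H(i) + u * m) % P for i, m in enumerate(blocks, 1)]


def proof_gen(stored, tags, chal, r, u, scale_inv=1):
    """Eq. (15) and the blinding step; scale_inv = a^{-1} gives eq. (18)."""
    mu_star = sum(v_i * stored[i - 1] for i, v_i in chal) % P
    sigma = sum(v_i * tags[i - 1] for i, v_i in chal) % P  # prod sigma_i^{v_i}
    R = u * r % P                                          # R = u^r
    mu = (scale_inv * mu_star + r * h(R)) % P
    return mu, sigma, R


def verify(proof, chal, u, v):
    """Eq. (16): e(sigma, g) == e(prod H(i)^{v_i} * u^mu * R^{-h(R)}, v)."""
    mu, sigma, R = proof
    rhs = (sum(v_i * H(i) for i, v_i in chal) + u * mu - h(R) * R) % P
    return pairing(sigma, 1) == pairing(rhs, v)  # g has exponent 1


def audit_outcomes():
    x, u = 123456789, 987654321        # constructed: secret x and log_g(u)
    v = x                              # v = g^x
    blocks = [11, 22, 33, 44, 55]      # constructed blocks m_i in Z_p
    tags = sig_gen(blocks, x, u)
    chal = [(1, 7), (3, 5), (4, 9)]    # constructed (index, v_i) pairs
    r = 424242                         # blinding value, fixed for comparison

    honest = proof_gen(blocks, tags, chal, r, u)

    a = 1000003                        # scaling factor from Section 6
    modified = [a * m % P for m in blocks]
    uncorrected = proof_gen(modified, tags, chal, r, u)
    corrected = proof_gen(modified, tags, chal, r, u, scale_inv=pow(a, -1, P))

    return {
        "honest": verify(honest, chal, u, v),
        "modified_uncorrected": verify(uncorrected, chal, u, v),
        "modified_corrected": verify(corrected, chal, u, v),
        # With the same r, the corrected response equals the honest one.
        "same_response": corrected == honest,
    }


if __name__ == "__main__":
    for name, value in audit_outcomes().items():
        print(name, value)
```

With the same blinding value, the response built from the scaled blocks with the $a^{-1}$ correction is identical to the honest response, so equation (16) checks only the reported linear combination and not the stored blocks.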


7. Attack on Wang et al.'s Scheme

To save space, we do not review Wang et al.'s scheme. For its detailed description, readers can refer to literature [19]. Due to similarity, Wang et al.'s scheme is subjected to the above attack.

When the malicious cloud server $A$ receives a data file $M = \{m_1, m_2, \ldots, m_n\}$, similarly, $A$ might replace each file block $m_i$ with $a \cdot m_i$. Here $a\ (\in Z_p)$ is selected by $A$. Upon receiving the challenge information in the ProofGen phase, the malicious cloud server $A$ can change

$$\mu' = \sum_{i = s_1}^{s_c} v_i m_i, \qquad \mu = r + \gamma \mu' \tag{22}$$

into

$$\mu' = \sum_{i = s_1}^{s_c} v_i (a\, m_i), \qquad \mu = r + a^{-1} \cdot \gamma \cdot \mu', \tag{23}$$

respectively. Other computations remain unchanged. Then the forged proof information

$$(\mu, \sigma, R) \tag{24}$$

can pass the auditor's verification.

Theorem 3. The forged proof information $(\mu, \sigma, R)$ produced in the above analysis can pass the auditor's verification.

Proof. In fact, due to the equations

$$\mu' = \sum_{i = s_1}^{s_c} v_i (a\, m_i), \qquad \mu = r + a^{-1} \cdot \gamma \cdot \mu' \tag{25}$$

produced by the malicious cloud server, the following derivation is established:

$$\begin{aligned}
R \cdot e(\sigma^{\gamma}, g) &= e(u, v)^{r} \cdot e\left( \left( \prod_{i = s_1}^{s_c} \left( H(W_i) \cdot u^{m_i} \right)^{x v_i} \right)^{\gamma},\ g \right) \\
&= e(u^r, v) \cdot e\left( \prod_{i = s_1}^{s_c} \left( H(W_i)^{v_i} \cdot u^{v_i m_i} \right)^{\gamma},\ g \right)^{x} \\
&= e(u^r, v) \cdot e\left( \left( \prod_{i = s_1}^{s_c} H(W_i)^{v_i} \right)^{\gamma} \cdot u^{\sum_{i = s_1}^{s_c} v_i m_i \gamma},\ g^x \right) \\
&= e(u^r, v) \cdot e\left( \left( \prod_{i = s_1}^{s_c} H(W_i)^{v_i} \right)^{\gamma} \cdot u^{a^{-1} \mu' \gamma},\ v \right) \\
&= e(u^r, v) \cdot e\left( \left( \prod_{i = s_1}^{s_c} H(W_i)^{v_i} \right)^{\gamma} \cdot u^{\mu - r},\ v \right) \\
&= e\left( \left( \prod_{i = s_1}^{s_c} H(W_i)^{v_i} \right)^{\gamma} \cdot u^{\mu},\ v \right).
\end{aligned} \tag{26}$$

So $(\mu, \sigma, R)$ passes the auditor's verification; it is valid proof information. The malicious cloud server succeeds in deceiving the auditor.

8. Conclusion

In this paper, we analyze three existing privacy-preserving public auditing schemes for secure cloud storage. We demonstrate an attack against them. In the attack, the malicious cloud server that modifies the data blocks succeeds in forging proof information for data integrity check. As far as we know, it is an open problem to propose secure privacy-preserving public auditing schemes.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCY-BJC15900).

References

[1] M. Sookhak, H. Talebian, E. Ahmed, A. Gani, and M. K. Khan, "A review on remote data auditing in single cloud server: taxonomy and open issues," Journal of Network and Computer Applications, vol. 43, pp. 121–141, 2014.

[2] G. Ateniese, R. Burns, R. Curtmola et al., "Provable data possession at untrusted stores," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 598–609, Virginia, Va, USA, November 2007.

[3] G. Ateniese, S. Kamara, and J. Katz, "Proofs of storage from homomorphic identification protocols," in Proceedings of the International Conference on Theory and Application of Cryptology and Information Security, Advances in Cryptology, vol. 5912, pp. 319–333, 2009.

[4] R. Lu, X. Lin, T. H. Luan, X. Liang, and X. Shen, "Pseudonym changing at social spots: an effective strategy for location privacy in VANETs," IEEE Transactions on Vehicular Technology, vol. 61, no. 1, pp. 86–96, 2012.

[5] N. Kaaniche, A. Boudguiga, and M. Laurent, "ID-based cryptography for secure cloud data storage," in Proceedings of the IEEE Sixth International Conference on Cloud Computing, pp. 375–382, 2013.

[6] Q.-A. Wang, C. Wang, K. Ren, W.-J. Lou, and J. Li, "Enabling public auditability and data dynamics for storage security in cloud computing," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847–859, 2011.

[7] J. Yuan and S. Yu, "Public integrity auditing for dynamic data sharing with multiuser modification," IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1717–1726, 2015.

[8] K. Zeng, "Publicly verifiable remote data integrity," in Proceedings of the 10th International Conference on Information and Communications Security, pp. 419–434, 2008.

[9] Y. Zhu, H. Hu, G.-J. Ahn, and M. Yu, "Cooperative provable data possession for integrity verification in multicloud storage," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 12, pp. 2231–2244, 2012.

[10] Y. Zhu, H. Wang, Z. Hu, G. J. Ahn, H. Hu, and S. S. Yau, "Dynamic audit services for integrity verification of outsourced storages in clouds," in Proceedings of the 26th Annual ACM Symposium on Applied Computing (SAC '11), pp. 1550–1557, March 2011.

[11] L. Xue, J. Ni, Y. Li, and J. Shen, "Provable data transfer from provable data possession and deletion in cloud storage," Computer Standard & Interfaces, March 14, 2016.

[12] H. Jin, K. Zhou, H. Jiang, D. Lei, R. Wei, and C. Li, "Full integrity and freshness for cloud data," Future Generation Computer Systems, 2016.

[13] H. Wang, J. Domingo-Ferrer, Q. Wu, and B. Qin, "Identity-based remote data possession checking in public clouds," IET Information Security, vol. 8, no. 2, pp. 114–121, 2014.

[14] J. Zhang and Q. Dong, "Efficient ID-based public auditing for the outsourced data in cloud storage," Information Sciences, vol. 343-344, pp. 1–14, 2016.

[15] Y. Yu, L. Xue, M. H. Au et al., "Cloud data integrity checking with an identity-based auditing mechanism from RSA," Future Generation Computer Systems, vol. 62, pp. 85–91, 2016.

[16] L. Wei, H. Zhu, Z. Cao et al., "Security and privacy for storage and computation in cloud computing," Information Sciences, vol. 258, pp. 371–386, 2014.

[17] C. Wang, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for data storage security in cloud computing," in Proceedings of the IEEE INFOCOM, pp. 525–533, March 2010.

[18] S. Worku, C. Xu, J. Zhao, and X. He, "Secure and efficient privacy-preserving public auditing scheme," Computer and Electrical Engineering, vol. 40, pp. 1703–1713, 2014.

[19] C. Wang, S. S. Chow, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for secure cloud storage," IEEE Transactions on Computers, vol. 62, no. 2, pp. 362–375, 2013.

[20] J. Zhang and X. Zhao, "Privacy-preserving public auditing scheme for shared data with supporting multi-function," Journal of Communications, vol. 10, no. 7, pp. 535–542, 2015.

[21] Y. Li, Y. Yu, B. Yang, G. Min, and H. Wu, "Privacy preserving cloud data auditing with efficient key update," Future Generation Computer Systems, 2016.

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Page 3: Attack on Privacy-Preserving Public Auditing Schemes for ...downloads.hindawi.com/journals/mpe/2017/8062182.pdf · Cloud Storage BaoyuanKang,JiaqiangWang,andDongyangShao ... should

Mathematical Problems in Engineering 3

(1) The TPA picks a random integer 119888 and 119896 120593 isin 119885119901computing 120595 = 119892119896ℎ120593 For 1 le 119894 le 119888 the TPA selects arandom V119894 isin 119885119901The commitment120595 and the challenge chal =119894 V1198681le119894le119888 which locates the positions of the challengedblocks in this auditing process are sent to the cloud server

(2) Upon receiving (chal 120595) the cloud server firstlychooses 119903 120588119903 1205881 120588119904 isin 119885119901 randomly and then computes

120596 = prod(119894V119894)isinchal

120590V119894119894 sdot ℎ119903119879 = 12057812058811990312057812058811 sdot sdot sdot 120578120588119904119904

(4)

and forwards (119879 120596) to the TPA(3) The TPA sends (119896 120593) to the server(4) The server checks if 120595 = 119892119896ℎ120593 If the equation does

not hold the server aborts Otherwise he computes119911119903 = 120588119903 minus 119896119903120583119895 = sum(119894V119894)isinchal

V119894119898119894119895119911119895 = 120588119895 minus 119896120583119895

(1 le 119895 le 119904)(5)

and sends (119911119903 1199111 119911119904) to the TPA(5)The TPA verifies the file tag ft firstly by checking if the

following equation holds119890 (119892 119905) = 119890 (spk 1198670 (1199050)) (6)

Then TPA verifies the equation

( 119890 (120596 119892)119890 (prod(119894V119894)isinchal1198671 (Fn 119894)V119894 V))

119896 = 11987912057811991111990312057811991111 sdot sdot sdot 120578119911119904119904 (7)

4 Attack on Li et alrsquos Scheme

In this section we show that Li et alrsquos scheme is vulnerable toa modifying attack on data integrity check

In proof phase the malicious cloud server can changedata blocks by modifying blocks sectors He changes

120583119895 = sum(119894V119894)isinchal

V119894119898119894119895119911119895 = 120588119895 minus 119896120583119895

(8)

into120583119895 = sum(119894V119894)isinchal

V119894 (119887119898119894119895) 119911119895 = 120588119895 minus 119896119887minus1120583119895

(9)

respectively where 119887 isin 119885119901 is randomly selected by the serverOther computations remain unchanged Now the forgedproof information

(119879 120596 119911119903 1199111 119911119904) (10)can pass the authorrsquos verification

Theorem 1 The forged proof information (119879 120596 119911119903 1199111 119911119904)produced in the above analysis can pass the auditorrsquos verifica-tion

Proof. In fact,

$$\begin{aligned}
\left( \frac{e(\omega, g)}{e\left(\prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \| i)^{v_i},\, v\right)} \right)^{k}
&= \left( \frac{e\left(\prod_{(i, v_i) \in \mathrm{chal}} \sigma_i^{v_i} \cdot h^{r},\, g\right)}{e\left(\prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \| i)^{v_i},\, v\right)} \right)^{k} \\
&= \left( \frac{e\left(\prod_{(i, v_i) \in \mathrm{chal}} \left(H_1(\mathrm{Fn} \| i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}}\right)^{a v_i} \cdot h^{r},\, g\right)}{e\left(\prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \| i)^{v_i},\, v\right)} \right)^{k} \\
&= \left( \frac{e\left(\prod_{(i, v_i) \in \mathrm{chal}} \left(H_1(\mathrm{Fn} \| i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}}\right)^{v_i},\, g^{a}\right) \cdot e(h^{r}, g)}{e\left(\prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \| i)^{v_i},\, v\right)} \right)^{k} \\
&= \left( \frac{e\left(\prod_{(i, v_i) \in \mathrm{chal}} \left(H_1(\mathrm{Fn} \| i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}}\right)^{v_i},\, v\right) \cdot e(h^{r}, g)}{e\left(\prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \| i)^{v_i},\, v\right)} \right)^{k} \\
&= \left( e\left(\prod_{(i, v_i) \in \mathrm{chal}} \left(\prod_{j=1}^{s} u_j^{m_{ij}}\right)^{v_i},\, v\right) \cdot e(h^{r}, g) \right)^{k}.
\end{aligned} \tag{11}$$

But

$$\begin{aligned}
\frac{T}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}
&= \frac{\eta^{\rho_r} \eta_1^{\rho_1} \cdots \eta_s^{\rho_s}}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}
= \eta^{\rho_r - z_r} \eta_1^{\rho_1 - z_1} \cdots \eta_s^{\rho_s - z_s} \\
&= \eta^{kr} \eta_1^{k b^{-1} \mu_1} \cdots \eta_s^{k b^{-1} \mu_s}
= \left( \eta^{r} \eta_1^{b^{-1} \mu_1} \cdots \eta_s^{b^{-1} \mu_s} \right)^{k} \\
&= \left( e(g, h)^{r} \cdot e(u_1, v)^{b^{-1} \sum_{(i, v_i) \in \mathrm{chal}} v_i (b m_{i1})} \cdots e(u_s, v)^{b^{-1} \sum_{(i, v_i) \in \mathrm{chal}} v_i (b m_{is})} \right)^{k} \\
&= \left( e(h^{r}, g) \cdot e\left(u_1^{\sum_{(i, v_i) \in \mathrm{chal}} v_i m_{i1}} \cdots u_s^{\sum_{(i, v_i) \in \mathrm{chal}} v_i m_{is}},\, v\right) \right)^{k} \\
&= \left( e\left(\prod_{(i, v_i) \in \mathrm{chal}} \left(\prod_{j=1}^{s} u_j^{m_{ij}}\right)^{v_i},\, v\right) \cdot e(h^{r}, g) \right)^{k}.
\end{aligned} \tag{12}$$

So

$$\left( \frac{e(\omega, g)}{e\left(\prod_{(i, v_i) \in \mathrm{chal}} H_1(\mathrm{Fn} \| i)^{v_i},\, v\right)} \right)^{k} = \frac{T}{\eta^{z_r} \eta_1^{z_1} \cdots \eta_s^{z_s}}. \tag{13}$$

$(T, \omega, z_r, z_1, \ldots, z_s)$ passes the auditor's verification; it is valid proof information. The malicious cloud server succeeds in the modifying attack on data integrity check.

5. Brief Review of Worku et al.'s Scheme

In this section, we give a brief review of Worku et al.'s scheme [18], which is composed of four algorithms.

Let $G_1 = G_2 = G$ and $e: G \times G \to G_T$ be a bilinear map, where $G$ and $G_T$ are multiplicative cyclic groups of prime order $p$. Let $g$ be a generator of $G$. Let $H: \{0, 1\}^{*} \to G$ be a hash function which maps strings to $G$, and let $h(\cdot): G \to Z_p$ be another hash function which maps group elements of $G$ uniformly to $Z_p$.

KeyGen. The data user first generates a random signing key pair $(\mathrm{ssk}, \mathrm{spk})$ and then chooses $x \leftarrow_R Z_p$ and $u \leftarrow_R G$ and computes $v = g^{x}$. The user then states $\mathrm{sk} = (x, \mathrm{ssk})$ as his/her secret key and $\mathrm{pk} = (u, v, g, \mathrm{spk})$ as public parameters.

SigGen. For file naming, the user chooses a random element name in $Z_p$ for file $F = \{m_i\}_{1 \le i \le n}$ and computes the file tag as $t = \mathrm{name} \| \mathrm{Sig}_{\mathrm{ssk}}(\mathrm{name})$. Next, for each block $m_i \in Z_p$, the user generates a signature $\sigma_i$ as follows:

$$\sigma_i = \left(H(i) \cdot u^{m_i}\right)^{x}. \tag{14}$$

Then finally the user sends $\{F, \phi = \{\sigma_i\}_{1 \le i \le n}, t\}$ to the cloud server for storage and deletes the file and its corresponding set of signatures from local storage. Any time when the auditor wants to start the auditing protocol, first he retrieves the file tag $t$ for $F$ and checks its validity using spk, and quits if failed. If the proof on $t$ is correct, the auditor sends a challenge chal to the server. That is, the auditor picks random elements $c, k_1, k_2$ in $Z_p$ and sends $\mathrm{chal} = (c, k_1, k_2)$ to the server, where $k_1$ and $k_2$ are pseudorandom permutation keys chosen randomly by the auditor for each auditing.

ProofGen. After receiving the challenge, the server first determines the subset $I = \{s_j\}$ $(1 \le j \le c)$ of set $[1, n]$ using pseudorandom permutation $\pi_{\mathrm{key}}(\cdot)$ as $s_j = \pi_{k_1}(j)$, and it also determines $v_{s_j} = f_{k_2}(j)$ $(1 \le j \le c)$ using pseudorandom function $f_{\mathrm{key}}(\cdot)$. Finally, for $i \in I$, the server computes

$$\mu^{*} = \sum_{i = s_1}^{s_c} v_i m_i, \qquad \sigma = \prod_{i = s_1}^{s_c} \sigma_i^{v_i}. \tag{15}$$

For blinding, the server chooses a random element $r \leftarrow Z_p$ using the same pseudorandom function as $r = f_{k_3}(\mathrm{chal})$, where $k_3$ is a pseudorandom function key generated by the server for each auditing. The server then calculates $R = u^{r}$ and computes $\mu = \mu^{*} + r h(R)$ and then sends $(\mu, \sigma, R)$ to the auditor.

VerifyProof. Upon receiving the proof $(\mu, \sigma, R)$, TPA computes $s_j = \pi_{k_1}(j)$ and $v_{s_j} = f_{k_2}(j)$, where $1 \le j \le c$. Finally, the auditor verifies the proof by checking the following equation and outputs "True" if valid and "False" otherwise:

$$e(\sigma, g) = e\left(\prod_{i \in I} H(i)^{v_i} \cdot u^{\mu} \cdot R^{-h(R)},\, v\right). \tag{16}$$

6. Attack on Worku et al.'s Scheme

In this section, we demonstrate that the malicious cloud server can break the integrity check by modification attack.

Suppose a file $M$ from the data user is divided into $n$ blocks, that is, $M = \{m_1, m_2, \cdots, m_n\}$. Let $\sigma_i$ be $m_i$'s authentication tag. Let $A$ be a malicious cloud server. When $A$ receives the file $M$, $A$ might replace each file block $m_i$ with $a \cdot m_i$. Here $a$ $(\in Z_p)$ is randomly selected by $A$. Upon receiving the challenge information in ProofGen phase, $A$ can change

$$\mu^{*} = \sum_{i = s_1}^{s_c} v_i m_i, \qquad \mu = \mu^{*} + r h(R) \tag{17}$$

into

$$\mu^{*} = \sum_{i = s_1}^{s_c} v_i (a m_i), \qquad \mu = a^{-1} \cdot \mu^{*} + r h(R) \tag{18}$$

respectively. Other computations remain unchanged. Then the forged proof information

$$(\mu, \sigma, R) \tag{19}$$

can pass the author's verification.

Theorem 2. The forged proof information $(\mu, \sigma, R)$ produced in the above analysis can pass the auditor's verification.

Proof. In fact, based on the equations

$$\mu^{*} = \sum_{i = s_1}^{s_c} v_i (a m_i), \qquad \mu = a^{-1} \cdot \mu^{*} + r h(R) \tag{20}$$

produced by the malicious cloud server, the following derivation is established:

$$\begin{aligned}
e(\sigma, g) &= e\left(\prod_{i = s_1}^{s_c} \sigma_i^{v_i},\, g\right) = e\left(\prod_{i = s_1}^{s_c} \left(H(i) \cdot u^{m_i}\right)^{x v_i},\, g\right) \\
&= e\left(\prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{\sum_{i = s_1}^{s_c} m_i v_i},\, g^{x}\right) \\
&= e\left(\prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{a^{-1} \mu^{*}},\, v\right) \\
&= e\left(\prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{\mu - r h(R)},\, v\right) \\
&= e\left(\prod_{i = s_1}^{s_c} H(i)^{v_i} \cdot u^{\mu} \cdot R^{-h(R)},\, v\right).
\end{aligned} \tag{21}$$

So $(\mu, \sigma, R)$ passes the auditor's verification, and it is valid proof information. The malicious cloud server that modifies the file blocks succeeds in deceiving the auditor.
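The identity in equation (21) can be checked numerically. The following Python is an added example, not code from the paper or from Worku et al.: it assumes a toy representation in which a group element $g^{a}$ is stored as its exponent $a$ modulo $p$ (so the pairing becomes a product of exponents), and the 127-bit prime and all function names are choices made for this example.

```python
"""Toy check of the Section 6 algebra for VerifyProof (added example).

Assumption: a group element g^a is represented by its exponent a mod P, so
multiplication in G becomes addition, exponentiation becomes multiplication,
and the pairing e(g^a, g^b) becomes a*b mod P. This checks the equations
only; it is not a secure instantiation and uses no pairing library.
"""
import hashlib
import secrets

P = 2**127 - 1  # prime group order p (toy parameter chosen for this example)
_rng = secrets.SystemRandom()


def _to_zp(tag, value):
    digest = hashlib.sha256(f"{tag}|{value}".encode()).digest()
    return int.from_bytes(digest, "big") % P


def H(i):
    """Exponent of H(i), the hash of a block index into G."""
    return _to_zp("H", i)


def h(R):
    """h(.): G -> Z_p, applied to the blinding element R."""
    return _to_zp("h", R)


def rand_nonzero():
    return _rng.randrange(1, P)


def keygen():
    x, u = rand_nonzero(), rand_nonzero()
    return x, {"u": u, "v": x}  # v = g^x has exponent x


def sig_gen(x, pk, blocks):
    """sigma_i = (H(i) * u^{m_i})^x, equation (14); blocks are 1-indexed."""
    return {i: x * (H(i) + pk["u"] * m) % P for i, m in enumerate(blocks, 1)}


def challenge(n, c):
    """Index set I with coefficients v_i (the scheme derives both from k1, k2)."""
    return {i: rand_nonzero() for i in _rng.sample(range(1, n + 1), c)}


def proof_gen(pk, stored, sigs, chal, a=1):
    """ProofGen, equation (15) plus blinding. a=1 is the honest server; a != 1
    models the server of Section 6 that holds a*m_i and rescales mu* by a^-1."""
    r = rand_nonzero()
    R = pk["u"] * r % P                                    # R = u^r
    mu_star = sum(v * stored[i - 1] for i, v in chal.items()) % P
    mu = (pow(a, -1, P) * mu_star + r * h(R)) % P          # equation (18)
    sigma = sum(v * sigs[i] for i, v in chal.items()) % P  # prod sigma_i^{v_i}
    return mu, sigma, R


def verify(pk, chal, proof):
    """VerifyProof, equation (16), evaluated on exponents."""
    mu, sigma, R = proof
    inner = (sum(v * H(i) for i, v in chal.items())
             + pk["u"] * mu - h(R) * R) % P
    return sigma % P == inner * pk["v"] % P


def run_audits(n=8, c=4):
    x, pk = keygen()
    original = [rand_nonzero() for _ in range(n)]
    sigs = sig_gen(x, pk, original)         # tags are over the ORIGINAL blocks
    a = _rng.randrange(2, P)                # scaling factor, a != 1
    scaled = [a * m % P for m in original]  # what the server now stores
    chal = challenge(n, c)
    return {
        "honest": verify(pk, chal, proof_gen(pk, original, sigs, chal)),
        "rescaled": verify(pk, chal, proof_gen(pk, scaled, sigs, chal, a=a)),
        "scaled_no_fix": verify(pk, chal, proof_gen(pk, scaled, sigs, chal)),
        "stored_equals_original": scaled == original,
    }


if __name__ == "__main__":
    print(run_audits())
```

The verification equation constrains $\mu$ only through $\sum v_i m_i$, so a passing audit shows that the server can still compute that combination of the tagged blocks, not that the blocks at rest are unchanged; scaled blocks without the $a^{-1}$ correction are rejected.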

Mathematical Problems in Engineering 5

7. Attack on Wang et al.'s Scheme

To save space, we do not review Wang et al.'s scheme. For its detailed description, readers can refer to literature [19]. Due to similarity, Wang et al.'s scheme is subjected to the above attack.

When the malicious cloud server $A$ receives a data file $M = \{m_1, m_2, \cdots, m_n\}$, similarly, $A$ might replace each file block $m_i$ with $a \cdot m_i$. Here $a$ $(\in Z_p)$ is selected by $A$. Upon receiving the challenge information in ProofGen phase, malicious cloud server $A$ can change

$$\mu' = \sum_{i = s_1}^{s_c} v_i m_i, \qquad \mu = r + \gamma \mu' \tag{22}$$

into

$$\mu' = \sum_{i = s_1}^{s_c} v_i (a m_i), \qquad \mu = r + a^{-1} \cdot \gamma \cdot \mu' \tag{23}$$

respectively. Other computations remain unchanged. Then the forged proof information

$$(\mu, \sigma, R) \tag{24}$$

can pass the author's verification.

Theorem 3. The forged proof information $(\mu, \sigma, R)$ produced in the above analysis can pass the auditor's verification.

Proof. In fact, due to the equations

$$\mu' = \sum_{i = s_1}^{s_c} v_i (a m_i), \qquad \mu = r + a^{-1} \cdot \gamma \cdot \mu' \tag{25}$$

produced by the malicious cloud server, the following derivation is established:

$$\begin{aligned}
R \cdot e(\sigma^{\gamma}, g) &= e(u, v)^{r} \cdot e\left(\left(\prod_{i = s_1}^{s_c} \left(H(W_i) \cdot u^{m_i}\right)^{x v_i}\right)^{\gamma},\, g\right) \\
&= e(u^{r}, v) \cdot e\left(\prod_{i = s_1}^{s_c} \left(H(W_i)^{v_i} \cdot u^{v_i m_i}\right)^{\gamma},\, g\right)^{x} \\
&= e(u^{r}, v) \cdot e\left(\left(\prod_{i = s_1}^{s_c} H(W_i)^{v_i}\right)^{\gamma} \cdot u^{\sum_{i = s_1}^{s_c} v_i m_i \gamma},\, g^{x}\right) \\
&= e(u^{r}, v) \cdot e\left(\left(\prod_{i = s_1}^{s_c} H(W_i)^{v_i}\right)^{\gamma} \cdot u^{a^{-1} \mu' \gamma},\, v\right) \\
&= e(u^{r}, v) \cdot e\left(\left(\prod_{i = s_1}^{s_c} H(W_i)^{v_i}\right)^{\gamma} \cdot u^{\mu - r},\, v\right) \\
&= e\left(\left(\prod_{i = s_1}^{s_c} H(W_i)^{v_i}\right)^{\gamma} \cdot u^{\mu},\, v\right).
\end{aligned} \tag{26}$$

So $(\mu, \sigma, R)$ passes the auditor's verification; it is valid proof information. The malicious cloud server succeeds in deceiving the auditor.

8. Conclusion

In this paper, we analyze three existing privacy-preserving public auditing schemes for secure cloud storage. We demonstrate an attack against them. In the attack, the malicious cloud server that modifies the data blocks succeeds in forging proof information for data integrity check. As far as we know, it is an open problem to propose secure privacy-preserving public auditing schemes.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] M. Sookhak, H. Talebian, E. Ahmed, A. Gani, and M. K. Khan, "A review on remote data auditing in single cloud server: taxonomy and open issues," Journal of Network and Computer Applications, vol. 43, pp. 121–141, 2014.

[2] G. Ateniese, R. Burns, R. Curtmola et al., "Provable data possession at untrusted stores," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 598–609, Virginia, Va, USA, November 2007.

[3] G. Ateniese, S. Kamara, and J. Katz, "Proofs of storage from homomorphic identification protocols," in Proceedings of the International Conference on Theory and Application of Cryptology and Information Security: Advances in Cryptology, vol. 5912, pp. 319–333, 2009.

[4] R. Lu, X. Lin, T. H. Luan, X. Liang, and X. Shen, "Pseudonym changing at social spots: an effective strategy for location privacy in VANETs," IEEE Transactions on Vehicular Technology, vol. 61, no. 1, pp. 86–96, 2012.

[5] N. Kaaniche, A. Boudguiga, and M. Laurent, "ID-based cryptography for secure cloud data storage," in Proceedings of the IEEE Sixth International Conference on Cloud Computing, pp. 375–382, 2013.

[6] Q.-A. Wang, C. Wang, K. Ren, W.-J. Lou, and J. Li, "Enabling public auditability and data dynamics for storage security in cloud computing," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847–859, 2011.

[7] J. Yuan and S. Yu, "Public integrity auditing for dynamic data sharing with multiuser modification," IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1717–1726, 2015.

[8] K. Zeng, "Publicly verifiable remote data integrity," in Proceedings of the 10th International Conference on Information and Communications Security, pp. 419–434, 2008.

[9] Y. Zhu, H. Hu, G.-J. Ahn, and M. Yu, "Cooperative provable data possession for integrity verification in multicloud storage," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 12, pp. 2231–2244, 2012.

[10] Y. Zhu, H. Wang, Z. Hu, G. J. Ahn, H. Hu, and S. S. Yau, "Dynamic audit services for integrity verification of outsourced storages in clouds," in Proceedings of the 26th Annual ACM Symposium on Applied Computing (SAC '11), pp. 1550–1557, March 2011.

[11] L. Xue, J. Ni, Y. Li, and J. Shen, "Provable data transfer from provable data possession and deletion in cloud storage," Computer Standard & Interfaces, March 14, 2016.

[12] H. Jin, K. Zhou, H. Jiang, D. Lei, R. Wei, and C. Li, "Full integrity and freshness for cloud data," Future Generation Computer Systems, 2016.

[13] H. Wang, J. Domingo-Ferrer, Q. Wu, and B. Qin, "Identity-based remote data possession checking in public clouds," IET Information Security, vol. 8, no. 2, pp. 114–121, 2014.

[14] J. Zhang and Q. Dong, "Efficient ID-based public auditing for the outsourced data in cloud storage," Information Sciences, vol. 343-344, pp. 1–14, 2016.

[15] Y. Yu, L. Xue, M. H. Au et al., "Cloud data integrity checking with an identity-based auditing mechanism from RSA," Future Generation Computer Systems, vol. 62, pp. 85–91, 2016.

[16] L. Wei, H. Zhu, Z. Cao et al., "Security and privacy for storage and computation in cloud computing," Information Sciences, vol. 258, pp. 371–386, 2014.

[17] C. Wang, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for data storage security in cloud computing," in Proceedings of the IEEE INFOCOM, pp. 525–533, March 2010.

[18] S. Worku, C. Xu, J. Zhao, and X. He, "Secure and efficient privacy-preserving public auditing scheme," Computer and Electrical Engineering, vol. 40, pp. 1703–1713, 2014.

[19] C. Wang, S. S. Chow, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for secure cloud storage," IEEE Transactions on Computers, vol. 62, no. 2, pp. 362–375, 2013.

[20] J. Zhang and X. Zhao, "Privacy-preserving public auditing scheme for shared data with supporting multi-function," Journal of Communications, vol. 10, no. 7, pp. 535–542, 2015.

[21] Y. Li, Y. Yu, B. Yang, G. Min, and H. Wu, "Privacy preserving cloud data auditing with efficient key update," Future Generation Computer Systems, 2016.

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Page 4: Attack on Privacy-Preserving Public Auditing Schemes for ...downloads.hindawi.com/journals/mpe/2017/8062182.pdf · Cloud Storage BaoyuanKang,JiaqiangWang,andDongyangShao ... should

4 Mathematical Problems in Engineering

order 119901 Let 119892 be a generator of 119866 Let 119867 0 1lowast rarr 119866 be ahash function whichmaps strings to119866 and let ℎ(sdot) 119866 rarr 119885119901be another hash function which maps group of elements of119866uniformly to 119885119901KeyGen The data user first generates a random signing keypair (ssk spk) and then chooses 119909 larr 119877119885119901 and 119906 larr 119877119866 andcomputes V = 119892119909 The user then states sk = (119909 ssk) as hishersecret key and pk = (119906 V 119892 spk) as public parameters

SigGen For file naming the user chooses a random elementname in 119885119901 for file 119865 = 1198981198941le119894le119899 and computes the file tag as119905 = name Sigssk(name) Next for each block 119898119894 isin 119885119901 usergenerates a signature 120590119894 as follows120590119894 = (119867 (119894) sdot 119906119898119894)119909 (14)

Then finally the user sends 119865 120601 = 1205901198941le119894le119899 119905 to the cloudserver for storage and deletes the file and its corresponding setof signatures from local storage Any time when the auditorwants to start the auditing protocol first he retrieves the filetag 119905 for 119865 and checks its validity using spk and quits if failedIf the proof on 119905 is correct the auditor sends a challengechal to the server That is the auditor picks random elements119888 1198961 1198962 in 119885119901 and sends chal = (119888 1198961 1198962) to the serverwhere 1198961 and 1198962 are pseudorandom permutation keys chosenrandomly by the auditor for each auditing

ProofGen After receiving the challenge the server firstdetermines the subset 119868 = 119904119895 (1 le 119895 le 119888) of set [1 119899] usingpseudorandom permutation 120587key(sdot) as 119904119895 = 1205871198961(119895) and it alsodetermines V119904119895 = 1198911198962(119895) (1 le 119895 le 119888) using pseudorandomfunction 119891key(sdot) Finally for 119894 isin 119868 server computes

120583lowast = 119904119888sum119894=1199041

V119894119898119894120590 = 119904119888prod119894=1199041

120590V119894119894 (15)

For blinding the server chooses a random element 119903 larr119885119901 using the same pseudorandom function as 119903 = 1198911198963(chal)where 1198963 is a pseudorandom function key generated by theserver for each auditingThe server then calculates119877 = 119906119903andcomputes 120583 = 120583lowast + 119903ℎ(119877) and then sends (120583 120590 119877) to theauditor

VerifyProof Upon receiving the proof (120583 120590 119877)TPA computes119904119895 = 1205871198961(119895) and V119904119895 = 1198911198962(119895) (1 le 119895 le 119888) where 1 le 119895 le 119888Finally the auditor verifies the proof by checking the fol-lowing equation and outputs ldquoTruerdquo if valid and ldquoFalserdquootherwise

119890 (120590 119892) = 119890(prod119894isin119868

119867(119894)V119894 sdot 119906120583 sdot 119877minusℎ(119877) V) (16)

6 Attack on Worku et alrsquos Scheme

In this section we demonstrate that the malicious cloudserver can break the integrity check by modification attack

Suppose a file 119872 from the data user is divided into 119899blocks that is = 1198981 1198982 sdot sdot sdot 119898119899 Let 120590119894 be 119898119894rsquos authen-tication tag Let 119860 be a malicious cloud server When 119860receives the file 119872 119860 might replace each file block 119898119894 with119886sdot119898119894 Here 119886(isin 119885119901) is randomly selected by119860 Upon receivingthe challenge information in ProofGen phase 119860 can change

120583lowast = 119904119888sum119894=1199041

V119894119898119894120583 = 120583lowast + 119903ℎ (119877)

(17)

into

120583lowast = 119904119888sum119894=1199041

V119894 (119886119898119894) 120583 = 119886minus1 sdot 120583lowast + 119903ℎ (119877)

(18)

respectively Other computations remain unchanged Thenthe forged proof information

(120583 120590 119877) (19)

can pass the authorrsquos verification

Theorem 2 The forged proof information (120583 120590 119877) producedin the above analysis can pass the auditorrsquos verification

Proof In fact based on the equations

120583lowast = 119904119888sum119894=1199041

V119894 (119886119898119894) 120583 = 119886minus1 sdot 120583lowast + 119903ℎ (119877)

(20)

produced by themalicious cloud server the following deriva-tion is established

119890 (120590 119892) = 119890( 119904119888prod119894=1199041

120590V119894119894 119892) = 119890( 119904119888prod119894=1199041

(119867 (119894) sdot 119906119898119894)119909V119894 119892)

= 119890( 119904119888prod119894=1199041

119867(119894)V119894 sdot 119906sum119904119888119894=1199041 119898119894V119894 119892119909)

= 119890( 119904119888prod119894=1199041

119867(119894)V119894 sdot 119906119886minus1120583lowast V)

= 119890( 119904119888prod119894=1199041

119867(119894)V119894 sdot 119906120583minus119903ℎ(119877) V)

= 119890( 119904119888prod119894=1199041

119867(119894)V119894 sdot 119906120583 sdot 119877minusℎ(119877) V)

(21)

So (120583 120590 119877) passes the auditorrsquos verification and it is validproof information The malicious cloud server that modifiesthe file blocks succeeds in deceiving the auditor

Mathematical Problems in Engineering 5

7 Attack on Wang et alrsquos Scheme

To save space we do not review Wang et alrsquos scheme For itsdetailed description readers can refer to literature [19] Dueto similarity Wang et alrsquos scheme is subjected to the aboveattack

When the malicious cloud server 119860 receives a data file119872 = 1198981 1198982 sdot sdot sdot 119898119899 similarly 119860might replace each fileblock 119898119894 with 119886 sdot 119898119894 Here 119886(isin 119885119901) is selected by 119860 Uponreceiving the challenge information in ProofGen phasemalicious cloud server 119860 can change

1205831015840 = 119904119888sum119894=1199041

V119894119898119894120583 = 119903 + 1205741205831015840

(22)

into

1205831015840 = 119904119888sum119894=1199041

V119894 (119886119898119894) 120583 = 119903 + 119886minus1 sdot 120574 sdot 1205831015840

(23)

respectively Other computations remain unchanged Thenthe forged proof information

(120583 120590 119877) (24)

can pass the authorrsquos verification

Theorem 3 The forged proof information (120583 120590 119877) producedin the above analysis can pass the auditorrsquos verification

Proof In fact due to the equations

1205831015840 = 119904119888sum119894=1199041

V119894 (119886119898119894) 120583 = 119903 + 119886minus1 sdot 120574 sdot 1205831015840

(25)

produced by themalicious cloud server the following deriva-tion is established

119877 sdot 119890 (120590120574 119892) = 119890 (119906 V)119903sdot 119890 (( 119904119888prod

119894=1199041

(119867 (119882119894) sdot 119906119898119894)119909V119894)120574 119892)

= 119890 (119906119903 V)sdot 119890 ( 119904119888prod119894=1199041

(119867 (119882119894)V119894 sdot 119906V119894119898119894)120574 119892)119909

= 119890 (119906119903 V)sdot 119890 (( 119904119888prod

119894=1199041

119867(119882119894)V119894)120574 sdot 119906sum119904119888119894=119904119894 V119894119898119894120574 119892119909)

= 119890 (119906119903 V)

sdot 119890 (( 119904119888prod119894=1199041

119867(119882119894)V119894)120574 sdot 119906119886minus11205831015840120574 V)

= 119890 (119906119903 V)sdot 119890 (( 119904119888prod

119894=1199041

119867(119882119894)V119894)120574 sdot 119906120583minus119903 V)

= 119890(( 119904119888prod119894=1199041

119867(119882119894)V119894)120574 sdot 119906120583 V)

(26)

So (120583 120590 119877) passes the auditorrsquos verification it is validproof information The malicious cloud server succeeds indeceiving the auditor

8 Conclusion

In this paper we analyze three existing privacy-preservingpublic auditing schemes for secure cloud storageWe demon-strate an attack against them In the attack the maliciouscloud server that modifies the data blocks succeeds in forgingproof information for data integrity check As far as we knowit is an open problem to propose secure privacy-preservingpublic auditing schemes

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is supported by the Applied Basic and AdvancedTechnology Research Programs of Tianjin (no 15JCY-BJC15900)

References

[1] M Sookhak H Talebian E Ahmed A Gani and M K KhanldquoA review on remote data auditing in single cloud servertaxonomy and open issuesrdquo Journal of Network and ComputerApplications vol 43 pp 121ndash141 2014

[2] G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrusted storesrdquo in Proceedings of the 14th ACMConference on Computer and Communications Security (CCSrsquo07) pp 598ndash609 Virginia Va USA November 2007

[3] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings of theInternational Conference on Theory and Application of Cryptol-ogy and Information Security Advances in Cryptology vol 5912pp 319ndash333 2009

[4] R Lu X Lin T H Luan X Liang and X Shen ldquoPseudonymchanging at social spots an effective strategy for location pri-vacy in VANETsrdquo IEEE Transactions on Vehicular Technologyvol 61 no 1 pp 86ndash96 2012

[5] N Kaaniche A Boudguiga and M Laurent ldquoID-based cryp-tography for secure cloud data storagerdquo in Proceedings of the

6 Mathematical Problems in Engineering

IEEE Sixth International Conference on Cloud Computing pp375ndash382 2013

[6] Q-A Wang C Wang K Ren W-J Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011

[7] J Yuan and S Yu ldquoPublic integrity auditing for dynamic datasharing with multiuser modificationrdquo IEEE Transactions onInformation Forensics and Security vol 10 no 8 pp 1717ndash17262015

[8] K Zeng ldquoPublicly verifiable remote data integrityrdquo in Proceed-ings of the 10th International Conference on Information andCommunications Security pp 419ndash434 2008

[9] Y ZhuHHuG-J Ahn andMYu ldquoCooperative provable datapossession for integrity verification inmulticloud storagerdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 12pp 2231ndash2244 2012

[10] Y Zhu H Wang Z Hu G J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011

[11] L Xue J Ni Y Li and J Shen ldquoProvable data transfer fromprovable data possession and deletion in cloud storagerdquo Com-puter Standard amp interfaces March 14 2016

[12] H Jin K ZhouH Jiang D Lei RWei andC Li ldquoFull integrityand freshness for cloud datardquo Future Generation ComputerSystems 2016

[13] H Wang J Domingo-Ferrer Q Wu and B Qin ldquoIdentity-based remote data possession checking in public cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014

[14] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciences vol343-344 pp 1ndash14 2016

[15] Y Yu L Xue M H Au et al ldquoCloud data integrity checkingwith an identity-based auditing mechanism from RSArdquo FutureGeneration Computer Systems vol 62 pp 85ndash91 2016

[16] L Wei H Zhu Z Cao et al ldquoSecurity and privacy for storageand computation in cloud computingrdquo Information Sciencesvol 258 pp 371ndash386 2014

[17] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquo inProceedings of the IEEE INFO-COM pp 525ndash533 March 2010

[18] S Worku C Xu J Zhao and X He ldquoSecure and efficientprivacy-preserving public auditing schemerdquo Computer andElectrical Engineering vol 40 pp 1703ndash1713 2014

[19] C Wang S S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on computers vol 62 no 2 pp 362ndash375 2013

[20] J Zhang and X Zhao ldquoPrivacy-preserving public auditingscheme for shared data with supporting multi-functionrdquo Jour-nal of Communications vol 10 no 7 pp 535ndash542 2015

[21] Y Li Y Yu B Yang G Min and H Wu ldquoPrivacy preservingclouddata auditingwith efficient key updaterdquoFutureGenerationComputer Systems 2016

Submit your manuscripts athttpswwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 201

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Page 5: Attack on Privacy-Preserving Public Auditing Schemes for ...downloads.hindawi.com/journals/mpe/2017/8062182.pdf · Cloud Storage BaoyuanKang,JiaqiangWang,andDongyangShao ... should

Mathematical Problems in Engineering 5

7 Attack on Wang et alrsquos Scheme

To save space we do not review Wang et alrsquos scheme For itsdetailed description readers can refer to literature [19] Dueto similarity Wang et alrsquos scheme is subjected to the aboveattack

When the malicious cloud server $A$ receives a data file $M = \{m_1, m_2, \cdots, m_n\}$, similarly, $A$ might replace each file block $m_i$ with $a \cdot m_i$. Here $a$ ($\in Z_p$) is selected by $A$. Upon receiving the challenge information, in the ProofGen phase the malicious cloud server $A$ can change

$$\mu' = \sum_{i=s_1}^{s_c} v_i m_i, \qquad \mu = r + \gamma \mu' \tag{22}$$

into

$$\mu' = \sum_{i=s_1}^{s_c} v_i (a m_i), \qquad \mu = r + a^{-1} \cdot \gamma \cdot \mu' \tag{23}$$

respectively. Other computations remain unchanged. Then the forged proof information

$$(\mu, \sigma, R) \tag{24}$$

can pass the auditor’s verification.

Theorem 3. The forged proof information $(\mu, \sigma, R)$ produced in the above analysis can pass the auditor’s verification.

Proof. In fact, due to the equations

$$\mu' = \sum_{i=s_1}^{s_c} v_i (a m_i), \qquad \mu = r + a^{-1} \cdot \gamma \cdot \mu' \tag{25}$$

produced by the malicious cloud server, the following derivation is established:

$$
\begin{aligned}
R \cdot e(\sigma^{\gamma}, g)
&= e(u, v)^{r} \cdot e\Big(\Big(\prod_{i=s_1}^{s_c} \big(H(W_i) \cdot u^{m_i}\big)^{x v_i}\Big)^{\gamma}, g\Big) \\
&= e(u^{r}, v) \cdot e\Big(\prod_{i=s_1}^{s_c} \big(H(W_i)^{v_i} \cdot u^{v_i m_i}\big)^{\gamma}, g\Big)^{x} \\
&= e(u^{r}, v) \cdot e\Big(\Big(\prod_{i=s_1}^{s_c} H(W_i)^{v_i}\Big)^{\gamma} \cdot u^{\sum_{i=s_1}^{s_c} v_i m_i \gamma}, g^{x}\Big) \\
&= e(u^{r}, v) \cdot e\Big(\Big(\prod_{i=s_1}^{s_c} H(W_i)^{v_i}\Big)^{\gamma} \cdot u^{a^{-1} \mu' \gamma}, v\Big) \\
&= e(u^{r}, v) \cdot e\Big(\Big(\prod_{i=s_1}^{s_c} H(W_i)^{v_i}\Big)^{\gamma} \cdot u^{\mu - r}, v\Big) \\
&= e\Big(\Big(\prod_{i=s_1}^{s_c} H(W_i)^{v_i}\Big)^{\gamma} \cdot u^{\mu}, v\Big).
\end{aligned}
\tag{26}
$$

So $(\mu, \sigma, R)$ passes the auditor’s verification; it is valid proof information. The malicious cloud server succeeds in deceiving the auditor.
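The algebra of derivation (26), replayed as an added example (not code from the paper or from Wang et al.): the auditor's equation depends only on the tags and on $\mu$, so it accepts a server holding $a \cdot m_i$ that rescales $\mu'$ by $a^{-1}$, and rejects the same altered blocks without the rescaling. The toy group (elements stored as discrete logs, pairing as multiplication), the hash stand-ins for $H$ and for $\gamma = h(R)$ as in [19], and all names and sample values are assumptions.

```python
# Toy model (assumption): each group element is stored as its discrete log
# modulo the prime P, so A*B -> a+b, A^k -> a*k and e(g^a, g^b) -> a*b.
# This is insecure on purpose; it checks the algebra of (23)-(26) only.
import hashlib
import secrets

P = 2**127 - 1  # prime group order (constructed value)

def _h(s: str) -> int:
    """Stand-in for both H(W_i) and gamma = h(R)."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big") % P

def keygen():
    x = secrets.randbelow(P - 1) + 1       # secret key
    u = secrets.randbelow(P - 1) + 1       # discrete log of u
    return x, {"g": 1, "v": x, "u": u}     # v = g^x

def tag(x, pk, name, i, m):
    """sigma_i = (H(W_i) * u^{m_i})^x with W_i = name || i."""
    return (_h(f"W|{name}|{i}") + pk["u"] * m) * x % P

def proof_gen(pk, stored, tags, chal, a=1):
    """ProofGen over the blocks actually held. a=1 is the honest server;
    a != 1 applies the a^{-1} correction of equation (23)."""
    r = secrets.randbelow(P)
    R = pk["u"] * pk["v"] * r % P                       # R = e(u, v)^r
    gamma = _h(f"R|{R}")
    mu_prime = sum(v * stored[i] for i, v in chal) % P
    mu = (r + pow(a, -1, P) * gamma * mu_prime) % P
    sigma = sum(v * tags[i] for i, v in chal) % P       # prod sigma_i^{v_i}
    return mu, sigma, R

def verify(pk, name, chal, proof):
    """R * e(sigma^gamma, g) == e((prod H(W_i)^{v_i})^gamma * u^mu, v)."""
    mu, sigma, R = proof
    gamma = _h(f"R|{R}")
    lhs = (R + sigma * gamma * pk["g"]) % P
    agg = sum(v * _h(f"W|{name}|{i}") for i, v in chal) % P
    return lhs == (agg * gamma + pk["u"] * mu) * pk["v"] % P

def demo():
    x, pk = keygen()
    name, blocks = "file-1", [11, 22, 33, 44]           # constructed sample
    tags = [tag(x, pk, name, i, m) for i, m in enumerate(blocks)]
    chal = [(i, secrets.randbelow(P - 1) + 1) for i in (0, 2, 3)]
    a = 7
    altered = [a * m % P for m in blocks]               # blocks a * m_i
    honest = verify(pk, name, chal, proof_gen(pk, blocks, tags, chal))
    forged = verify(pk, name, chal, proof_gen(pk, altered, tags, chal, a))
    plain = verify(pk, name, chal, proof_gen(pk, altered, tags, chal))
    return honest, forged, plain

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the verification result for the honest proof, for the proof built per (23) over the altered blocks, and for the altered blocks with unmodified ProofGen.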

8. Conclusion

In this paper, we analyze three existing privacy-preserving public auditing schemes for secure cloud storage. We demonstrate an attack against them. In the attack, the malicious cloud server that modifies the data blocks succeeds in forging proof information for the data integrity check. As far as we know, it is an open problem to propose secure privacy-preserving public auditing schemes.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] M. Sookhak, H. Talebian, E. Ahmed, A. Gani, and M. K. Khan, “A review on remote data auditing in single cloud server: taxonomy and open issues,” Journal of Network and Computer Applications, vol. 43, pp. 121–141, 2014.

[2] G. Ateniese, R. Burns, R. Curtmola et al., “Provable data possession at untrusted stores,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ’07), pp. 598–609, Virginia, Va, USA, November 2007.

[3] G. Ateniese, S. Kamara, and J. Katz, “Proofs of storage from homomorphic identification protocols,” in Proceedings of the International Conference on Theory and Application of Cryptology and Information Security, Advances in Cryptology, vol. 5912, pp. 319–333, 2009.

[4] R. Lu, X. Lin, T. H. Luan, X. Liang, and X. Shen, “Pseudonym changing at social spots: an effective strategy for location privacy in VANETs,” IEEE Transactions on Vehicular Technology, vol. 61, no. 1, pp. 86–96, 2012.

[5] N. Kaaniche, A. Boudguiga, and M. Laurent, “ID-based cryptography for secure cloud data storage,” in Proceedings of the IEEE Sixth International Conference on Cloud Computing, pp. 375–382, 2013.

[6] Q.-A. Wang, C. Wang, K. Ren, W.-J. Lou, and J. Li, “Enabling public auditability and data dynamics for storage security in cloud computing,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847–859, 2011.

[7] J. Yuan and S. Yu, “Public integrity auditing for dynamic data sharing with multiuser modification,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1717–1726, 2015.

[8] K. Zeng, “Publicly verifiable remote data integrity,” in Proceedings of the 10th International Conference on Information and Communications Security, pp. 419–434, 2008.

[9] Y. Zhu, H. Hu, G.-J. Ahn, and M. Yu, “Cooperative provable data possession for integrity verification in multicloud storage,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 12, pp. 2231–2244, 2012.

[10] Y. Zhu, H. Wang, Z. Hu, G. J. Ahn, H. Hu, and S. S. Yau, “Dynamic audit services for integrity verification of outsourced storages in clouds,” in Proceedings of the 26th Annual ACM Symposium on Applied Computing (SAC ’11), pp. 1550–1557, March 2011.

[11] L. Xue, J. Ni, Y. Li, and J. Shen, “Provable data transfer from provable data possession and deletion in cloud storage,” Computer Standard & Interfaces, March 14, 2016.

[12] H. Jin, K. Zhou, H. Jiang, D. Lei, R. Wei, and C. Li, “Full integrity and freshness for cloud data,” Future Generation Computer Systems, 2016.

[13] H. Wang, J. Domingo-Ferrer, Q. Wu, and B. Qin, “Identity-based remote data possession checking in public clouds,” IET Information Security, vol. 8, no. 2, pp. 114–121, 2014.

[14] J. Zhang and Q. Dong, “Efficient ID-based public auditing for the outsourced data in cloud storage,” Information Sciences, vol. 343-344, pp. 1–14, 2016.

[15] Y. Yu, L. Xue, M. H. Au et al., “Cloud data integrity checking with an identity-based auditing mechanism from RSA,” Future Generation Computer Systems, vol. 62, pp. 85–91, 2016.

[16] L. Wei, H. Zhu, Z. Cao et al., “Security and privacy for storage and computation in cloud computing,” Information Sciences, vol. 258, pp. 371–386, 2014.

[17] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving public auditing for data storage security in cloud computing,” in Proceedings of the IEEE INFOCOM, pp. 525–533, March 2010.

[18] S. Worku, C. Xu, J. Zhao, and X. He, “Secure and efficient privacy-preserving public auditing scheme,” Computer and Electrical Engineering, vol. 40, pp. 1703–1713, 2014.

[19] C. Wang, S. S. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving public auditing for secure cloud storage,” IEEE Transactions on Computers, vol. 62, no. 2, pp. 362–375, 2013.

[20] J. Zhang and X. Zhao, “Privacy-preserving public auditing scheme for shared data with supporting multi-function,” Journal of Communications, vol. 10, no. 7, pp. 535–542, 2015.

[21] Y. Li, Y. Yu, B. Yang, G. Min, and H. Wu, “Privacy preserving cloud data auditing with efficient key update,” Future Generation Computer Systems, 2016.
