Ensuring Dynamic Data Integrity based on Variable Block-size BLS in Untrusted Environment

Long Chen¹, Wei Song², Siuming Yiu³, Wenjun Luo⁴

1, 2, 4: Institute of Computer Forensics, Chongqing University of Posts and Telecommunications, [email protected] [email protected]

3: Department of Computer Science, The University of Hong Kong

Abstract

Security has become the major concern when people use cloud computing. One major challenge is to ensure the integrity of data in an untrusted environment while supporting public auditability and dynamic data operations. This paper proposes an improved data integrity verifying protocol that ensures the security of users' data and improves verification efficiency using a dynamic Merkle tree with relative index. The protocol is based on an extended security model for untrusted environments in which each participant may act as an untrusted party. Furthermore, because BLS-based schemes produce shorter homomorphic signatures than RSA-based schemes but suffer from a fixed and small block size, a BLS-based scheme with variable block size is integrated into the protocol. Performance analysis shows that the improved protocol is effective and provides a practical and flexible solution for untrusted environments. The computational complexity of dynamic data operations and integrity verification is O(log n).

Keywords: Data Integrity Auditing; Cloud Computing; BLS; Variable Block-size; Dynamic Data

1. Introduction

Cloud computing brings not only improved resource utilization efficiency and convenience, but also great challenges in the field of data security and privacy protection. Cloud computing security has become the major concern [1]. One major challenge is to ensure the integrity of data in an untrusted environment.

A lot of work has been done on constructing remote data integrity checking protocols [2]-[13] for different security models or application requirements. Several studies have sought to enable public auditability or verifiability [2]-[10] of data storage integrity, so that the user or any third party can challenge the cloud server for the correctness of outsourced data and learn whether the stored data is intact and available without retrieving the data itself. This public auditability service is significantly important for digital forensics and data assurance in clouds. Therefore, how to efficiently and publicly verify that a storage server is faithfully storing its client's outsourced data has become an important concern of integrity verification. To achieve public auditability, Ateniese et al. [2] proposed the "provable data possession" (PDP) model for ensuring possession of static archival storage of large files. Their scheme used RSA-based homomorphic authenticators and random sampling to avoid retrieving the entire data. As an alternative, Juels et al. [3] proposed the "proof of retrievability" (POR) model. Shacham et al. [4] improved the POR scheme and used BLS-based homomorphic authenticators to achieve public auditability for static data files. Wang et al. [5] combined BLS-based homomorphic authenticators with the technique of bilinear aggregate signatures to enable multiple auditing.

Since remotely stored data might be not only accessed by the user but also dynamically updated, support for data dynamics via the most general forms of data operation, such as block modification, insertion and deletion, is also a major concern for integrity checking of remote data. The schemes in previous studies [5-9,11] build on different authentication structures to support dynamic data operations, for instance the Merkle Hash Tree (MHT) [5], the index-hash table [7] and the skip list [9].

Portions of the work related to the MHT were introduced in our previous work [6]. In this paper, we revise that article substantially and add more technical details compared to [6]. In particular, we propose a novel security model for untrusted environments, and then develop an integrated BLS-based protocol for that security model which supports public auditing, user-selectable privacy preserving and variable block size. Moreover, our scheme achieves batch auditing, where multiple delegated auditing tasks from different users can be performed simultaneously by the TPA.

International Journal of Digital Content Technology and its Applications (JDCTA), Volume 7, Number 5, March 2013, doi:10.4156/jdcta.vol7.issue5.98, p. 837

2. Problem Statement

A typical cloud storage network architecture defines three network entities: the Cloud Storage Server (CSS), managed by the cloud service provider (CSP), which is the prover in the data integrity checking process; the Client (user), which can be an individual consumer or an organization; and the Third-party Auditor (TPA), an independent and impartial party with expertise and capabilities that clients lack. In the verification process, the client and the TPA are the verifiers.

Security Model. There are two security requirements [8] for a remote data integrity checking protocol: security against the server, and privacy against third-party verifiers. We assume the cloud service provider is untrusted, whether because the server is malicious or simply because the CSP is not trusted, and we address security against the server through public verifiability. On the other hand, if integrity verification is delegated to a Third-party Auditor, users may worry about leaking confidential data, i.e. the TPA may be malicious. As noted in [4], a block can easily be obtained by solving a system of linear equations once enough combinations of the same blocks are collected. To address this problem, we blend privacy preservation into data integrity checking. Since privacy preservation causes a little extra communication and computation cost, we make it a user-selectable quality-of-service item. Finally, the user may also act as an untrusted party, so we take a third security requirement, security against the user, into consideration.

Efficiency Issues and Security Hole of an Available Scheme. Wang's scheme [5] is a significant and creative integrity verification protocol for outsourced storage that supports dynamic data operations. However, the scheme has major flaws. Firstly, the computational complexity of locating the $i$-th leaf node during integrity verification is not $O(\log n)$ but $O(n)$ with the MHT of [5] when dynamic operations are supported without further extension, which is relatively high. Assume the MHT [5] has $n$ leaf nodes. With a contiguous storage structure, insertion and deletion cause data movement, so their complexity is $O(n)$. With a linked storage structure, the $i$-th leaf node can only be reached by traversing the linked list node by node, so the complexity is still $O(n)$. Thus the available MHT [5] cannot meet the requirements of inserting, deleting and accessing the $i$-th node efficiently. Secondly, the scheme has a security loophole. After an insertion or deletion, the heights of the MHT leaf nodes may no longer be equal, and the serial number of a given node has most probably changed. Because the server only sends $i$ to the verifier without the leaf node sequence [5], the verifier cannot check whether the returned leaf is really the $i$-th node. Since the service provider may be untrusted, it may substitute other data blocks for the specified ones to deceive the verifier, making the integrity verification meaningless.

BLS Signature. For currently common security parameters, a BLS signature (160 bits) is about half the length of a DSA signature (320 bits) at a similar security level, while RSA signatures are 1024 bits long [14]. However, because the block size is small (the same length as the signature, e.g. 20 bytes), a Merkle Hash Tree (MHT) based scheme costs about five times the file size in storage (n file blocks, n block signatures, n block tags, n tree leaves and almost n internal tree nodes), which is inefficient. Aggregation can therefore be used to improve authentication performance and reduce the extra storage. In our scheme, we extend the block structure of [4] to support variable block size, whereas Wang's scheme uses a fixed block size (20 bytes) under the BLS construction.


3. The Proposed Scheme

3.1. Preliminaries

Bilinear Map. A bilinear map is a map $e : G \times G \to G_T$, where $G$ is a Gap Diffie-Hellman (GDH) group and $G_T$ is another multiplicative cyclic group of prime order $p$. $e$ has the following properties [14]: (i) Computable: there exists an efficiently computable algorithm for computing $e$; (ii) Bilinear: for all $h_1, h_2 \in G$ and $a, b \in \mathbb{Z}_p$, $e(h_1^a, h_2^b) = e(h_1, h_2)^{ab}$; (iii) Non-degenerate: $e(g, g) \neq 1$, where $g$ is a generator of $G$.

Dynamic Merkle Hash Tree (DMHT) with the Relative Index. To address the efficiency issues and the security hole of Wang's scheme [5], we improve the storage structure of the MHT into a Dynamic Merkle Hash Tree (DMHT). Each DMHT node carries two pieces of information, a hash and a relative index; the index is an extra data field compared to the MHT and gives the total number of leaf nodes in the subtree rooted at that node, so a leaf node has index 1 to represent itself. If the left child $a$ and right child $b$ of node $w$ carry auxiliary information $(h_a, n_a)$ and $(h_b, n_b)$ respectively, then the index of internal node $w$ is $n_w = n_a + n_b$ and its hash is $h_w = h(h_a \| n_a \| h_b \| n_b)$. In the DMHT, the auxiliary authentication information (AAI) consists of the sibling nodes on the path from the leaf to the root, each carrying its hash, its relative index, and whether it is the left or right sibling of the node on the path. Fig. 1 depicts an example of the DMHT with relative index. In Fig. 1, the AAI $\Omega_5 = \langle (h(x_6),1,r),\ (h(x_7),1,r),\ (h_f,2,r),\ (h_a,4,l) \rangle$, where $l$ indicates a left sibling of the node on the path and $r$ a right sibling.

Now we describe the two algorithms on the Dynamic Merkle Hash Tree (DMHT).

Leaf Node Searching algorithm: Input: DMHT $P_t$, node $i$; Output: TRUE or FALSE, AAI $\Omega_i$. Algorithm: if $i$ is greater than $n$ (the index of the root node), return FALSE (out of range). Otherwise, let $k = i$. (1) For the current root, get the left child $(h_a, n_a)$ and right child $(h_b, n_b)$; if $k \le n_a$, the $k$-th leaf node is in the left subtree, so apply this algorithm to the left subtree; otherwise the $k$-th leaf node is in the right subtree, so let $k = k - n_a$ and apply this algorithm to the right subtree. (2) Repeat until $k = 1$ and a leaf node is reached; then return TRUE. While searching for the $i$-th leaf node, the server records the sibling of each node on the path and whether that sibling lies to the left or right, which forms the AAI $\Omega_i$.

Leaf Node Authentication algorithm: Input: node $i$, AAI $\Omega_i$; Output: TRUE or FALSE. Algorithm: using $\Omega_i$, count the leaves of every left sibling on the path from the $i$-th leaf node to the root and denote the total by $k$. If $k = i - 1$, return TRUE: this leaf is indeed the authenticated node. Otherwise return FALSE.

[Figure 1. The DMHT with relative index. Root $w$ (index 9) has children $a$ (index 4) and $b$ (index 5); $b$ contains the internal nodes $g$ (index 2, over leaves $h(x_5)$ and $h(x_6)$) and $f$ (index 2); every leaf $h(x_i)$, $i = 1, \dots, 9$, has index 1.]

In the DMHT, a correct parent hash shows that the hashes and relative indices of all its children are correct, so once the user or TPA has authenticated the root $R$, the $i$-th leaf node is definitely verified to be the $i$-th one.

3.2. Our Construction

Now we present the integrity verification process. We assume that an outsourced file $F$ is split into $n$ blocks $m_1, m_2, \dots, m_n$, and each block $m_i$ is split into $r$ basic blocks $m_{i,1}, m_{i,2}, \dots, m_{i,r}$. Let $e : G \times G \to G_T$ be a bilinear map and $g$ a generator of $G$, with a hash function $H : \{0,1\}^* \to G$ viewed as a random oracle; $h$ is a cryptographic hash function. The workflow of our protocol is illustrated in Figure 2. The protocol proceeds as follows, in accordance with Figure 2:

Setup: KeyGen: The cloud user runs KeyGen to generate the system's public and secret parameters. He chooses a random $\alpha \leftarrow \mathbb{Z}_p$ and $r$ random elements $u_j \leftarrow G$, $j \in J = \{1, 2, \dots, r\}$, and computes $v \leftarrow g^\alpha$ and $w_j \leftarrow (u_j)^\alpha$. The secret parameter is $sk = (\alpha)$ and the public parameters are $pk = (g, v, \{w_j, u_j\}_{j \in J})$. Given $F = \{m_1, m_2, \dots, m_n\}$ with $m_i = \{m_{i,1}, m_{i,2}, \dots, m_{i,r}\}$, let $t = name \| n \| v \| g \| u_1 \| \dots \| u_r \| w_1 \| \dots \| w_r \| SSig_{sk}(name \| v \| g \| u_1 \| \dots \| u_r \| w_1 \| \dots \| w_r)$ be the file tag for $F$.

SigGen: The user runs SigGen to compute the signature $\sigma_i$ for each block $m_i$:

$$\sigma_i = \left( H(m_i) \cdot \prod_{j=1}^{r} u_j^{m_{i,j}} \right)^{\alpha}$$

Denote the set of signatures by $\Phi = \{\sigma_i\}_{1 \le i \le n}$. The client then generates a root $R$ based on the construction of the DMHT. Next, the client signs the root $R$ under the private key $\alpha$: $sig_{sk}(H(R)) \leftarrow (H(R))^{\alpha}$. The client sends $\{F, t, \Phi, sig_{sk}(H(R))\}$ to the server, obtains the proof from the server and then deletes $F$, $\Phi$ and $sig_{sk}(H(R))$ from its local storage.

VerifyUser: Under our untrusted security model the user may be malicious: the parameters given by the user may be wrong, or the contents of the file $F$ may be inconsistent with the signatures, and after the server has stored the data the user may demand compensation from the cloud service provider (CSP). Therefore, we add a new step in which the server verifies the user's parameters, data and signatures by checking the following equation for each $i$:

$$e(\sigma_i, g) = e\left( H(m_i) \cdot \prod_{j=1}^{r} u_j^{m_{i,j}},\ v \right) \qquad (1)$$

If the verification fails, the server rejects the data. Otherwise, the CSP returns a file proof to the user confirming that the server has received the user's outsourced data correctly. The proof can be a file serial number together with the CSP's signature. If the file is later lost or damaged, the user can claim compensation.


Figure 2. The workflow of our protocol

Audit: Before challenging, the TPA first verifies the signature on $t$; if the verification fails, it rejects by emitting FALSE. To generate the message "chal", the TPA (verifier) picks a random $c$-element subset $I = \{s_1, s_2, \dots, s_c\}$ of the set $[1, n]$, where we assume $s_1 \le \dots \le s_c$. For each $i \in I$, the TPA chooses a random element $\nu_i \leftarrow B \subseteq \mathbb{Z}_p$. The message "chal" specifies the positions of the blocks to be checked in this challenge phase. The verifier sends chal $= \{(i, \nu_i)\}_{i \in I}$ to the prover (server).

GenProof: Upon receiving the challenge chal $= \{(i, \nu_i)\}_{i \in I}$, the server runs GenProof to generate a response proving storage correctness. Specifically, the server chooses a random element $o \leftarrow \mathbb{Z}_p$ and calculates $Q_j = (w_j)^{o} = (u_j^{\alpha})^{o} \in G$ for $j \in J = \{1, 2, \dots, r\}$. Let $\mu_j' = \sum_{i \in I} \nu_i m_{i,j}$, $j \in J$, denote the linear combination of the sampled blocks specified in chal. To blind $\mu_j'$ with $o$, the server computes $\mu_j = \mu_j' + o\,h(Q_j) \in \mathbb{Z}_p$. Meanwhile, the server also calculates the aggregated signature $\sigma = \prod_{i \in I} \sigma_i^{\nu_i}$. The prover provides the verifier with a small amount of auxiliary information $\{\Omega_i\}_{i \in I}$ from the DMHT, and sends $\{\sigma, \{\mu_j, Q_j\}_{j \in J}, \{H(m_i), \Omega_i\}_{i \in I}, sig_{sk}(H(R))\}$ as the response proof of storage correctness to the TPA.

VerifyProof: With the response from the server, the TPA runs VerifyProof: it generates the root $R$ using $\{H(m_i), \Omega_i\}_{s_1 \le i \le s_c}$ and verifies it by checking $e(sig_{sk}(H(R)), g) \overset{?}{=} e(H(R), v)$. If the verification fails, the verifier rejects by emitting FALSE. Otherwise it validates the response by checking the verification equation

$$e\left( \sigma \cdot \prod_{j=1}^{r} Q_j^{h(Q_j)},\ g \right) \overset{?}{=} e\left( \prod_{i=s_1}^{s_c} H(m_i)^{\nu_i} \cdot \prod_{j=1}^{r} u_j^{\mu_j},\ v \right)$$

If so, it outputs TRUE; otherwise it outputs FALSE. The correctness of the above verification equation can be elaborated as follows:

$$e\left( \sigma \cdot \prod_{j=1}^{r} Q_j^{h(Q_j)},\ g \right) = e\left( \prod_{i=s_1}^{s_c} \left( H(m_i) \prod_{j=1}^{r} u_j^{m_{i,j}} \right)^{\alpha \nu_i} \cdot \prod_{j=1}^{r} (u_j^{\alpha})^{o\,h(Q_j)},\ g \right)$$

$$= e\left( \prod_{i=s_1}^{s_c} H(m_i)^{\nu_i} \cdot \prod_{j=1}^{r} u_j^{\mu_j'} \cdot \prod_{j=1}^{r} u_j^{o\,h(Q_j)},\ v \right)$$

$$= e\left( \prod_{i=s_1}^{s_c} H(m_i)^{\nu_i} \cdot \prod_{j=1}^{r} u_j^{\mu_j' + o\,h(Q_j)},\ v \right) = e\left( \prod_{i=s_1}^{s_c} H(m_i)^{\nu_i} \cdot \prod_{j=1}^{r} u_j^{\mu_j},\ v \right).$$

If users do not mind their data being exposed to third-party verifiers, they can run the integrity verification without privacy preserving, since privacy preserving is a user-selectable quality-of-service item. The prover then simply sends $\{\sigma, \{\mu_j'\}_{j \in J}, \{H(m_i), \Omega_i\}_{i \in I}, sig_{sk}(H(R))\}$ as the response proof of storage correctness to the TPA, and the verifier checks the verification equation:

$$e(\sigma, g) \overset{?}{=} e\left( \prod_{i \in I} H(m_i)^{\nu_i} \cdot \prod_{j \in J} u_j^{\mu_j'},\ v \right)$$

Dynamic Data Operation: we now show how our scheme explicitly and efficiently handles fully dynamic data operations with the dynamic Merkle hash tree.

- Data Insertion. Suppose the client wants to insert block $m^*$ after the $i$-th block $m_i$. The workflow of the data update is described in Figure 3. At the start, we split $m^*$ into $r$ basic blocks $m^*_1, m^*_2, \dots, m^*_r$, and based on $m^*$ the client generates the corresponding signature

$$\sigma^* = \left( H(m^*) \cdot \prod_{j=1}^{r} u_j^{m^*_j} \right)^{\alpha}$$

Then he constructs an update request message "update = (I, i, m*, σ*)" and sends it to the server, where I denotes the insertion operation.

ExecUpdate: Upon receiving the request, the server runs ExecUpdate. Specifically, the server (i) stores $m^*$ and the leaf node $h(H(m^*))$; (ii) finds $h(H(m_i))$ in the DMHT, records $\Omega_i$ and inserts the leaf node $h(H(m^*))$: an internal node is added to the original tree with hash $h = h(h(H(m_i)) \| 1 \| h(H(m^*)) \| 1)$ and index 2, and then all nodes on the path from that internal node to the root are updated, i.e. each index is increased by 1 and the corresponding hash is recomputed; (iii) generates the new root $R'$ based on the updated DMHT. The server then responds to the client with a proof for this operation, $P_{update} = (\Omega_i, H(m_i), sig_{sk}(H(R)), R')$, where $\Omega_i$ is the AAI for authentication of the $i$-th node in the old DMHT.

VerifyUpdate: After receiving the proof for the insert operation from the server, the client first generates the root $R$ using $\Omega_i, H(m_i)$ and then authenticates the AAI and $R$ by checking whether $e(sig_{sk}(H(R)), g) = e(H(R), v)$. If not, output FALSE; otherwise the client can now check whether the server has performed the insertion by further computing the new root value using $\Omega_i, H(m_i), H(m^*)$ and comparing it with $R'$. If they differ, output FALSE; otherwise output TRUE. Then the client signs the new root metadata $R'$ as $sig_{sk}(H(R'))$ and sends it to the server for update. Finally, the client executes the integrity verification protocol; if the output is TRUE, it deletes $sig_{sk}(H(R'))$, $P_{update}$ and $m^*$ from its local storage. An example based on Figure 1 is shown in Figure 4, where the client inserts block $x^*$ after $x_5$. In Figure 4, bold and underlined numbers indicate modified values, dark dots represent the updated nodes, and circled dots represent the siblings in $\Omega_i$.

Figure 3. The workflow of data update

- Data Deletion. Data deletion is the opposite of data insertion and follows a similar process. An example based on Figure 1 is shown in Figure 5, where the client deletes $x_5$.

- Data Modification. Data modification only replaces the data and does not change the structure of the tree. The protocol procedures are similar to those of data insertion and are omitted here.
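The DMHT algorithms of Section 3.1 and the insertion flow of Section 3.2 (ExecUpdate and VerifyUpdate), worked through in Python as an added example; this is not code from the paper. It assumes SHA-256 for $h$, 4-byte big-endian relative indices inside $h(h_a \| n_a \| h_b \| n_b)$, and leaves built directly from block bytes, and it omits the pairing-based signature on the root, so the client checks the old root against a value it already holds. The demo also exercises the security hole of Section 2: a server that answers a challenge for leaf 5 with leaf 7 still reaches the correct root, but fails the left-sibling count.

```python
"""DMHT with relative index: leaf search with AAI, leaf position authentication,
root recomputation, and the insert / VerifyUpdate flow.  Added example, not the
paper's code.  Assumptions: h = SHA-256, indices serialised as 4-byte big-endian,
leaves are h(block bytes), and no pairing signature on the root is modelled."""
import hashlib
from typing import List, Optional, Tuple

AAI = List[Tuple[bytes, int, str]]  # (sibling hash, sibling index, 'l'/'r'), leaf-to-root


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def node_hash(lh: bytes, ln: int, rh: bytes, rn: int) -> bytes:
    """h_w = h(h_a || n_a || h_b || n_b) for left child a and right child b."""
    return h(lh, ln.to_bytes(4, "big"), rh, rn.to_bytes(4, "big"))


class Node:
    def __init__(self, hsh: bytes, idx: int, left=None, right=None):
        self.h, self.n, self.left, self.right, self.parent = hsh, idx, left, right, None
        for child in (left, right):
            if child is not None:
                child.parent = self

    def refresh(self) -> None:
        """Recompute relative index and hash from the two children."""
        self.n = self.left.n + self.right.n
        self.h = node_hash(self.left.h, self.left.n, self.right.h, self.right.n)


def build(blocks: List[bytes]) -> Node:
    """Build a DMHT over leaves h(block); every leaf carries relative index 1."""
    level = [Node(h(b), 1) for b in blocks]
    while len(level) > 1:
        nxt = [Node(b"", 0, level[k], level[k + 1]) for k in range(0, len(level) - 1, 2)]
        for w in nxt:
            w.refresh()
        if len(level) % 2:
            nxt.append(level[-1])  # odd leftover is carried up unchanged
        level = nxt
    return level[0]


def search(root: Node, i: int) -> Optional[Tuple[Node, AAI]]:
    """Leaf Node Searching: descend by relative index in O(height), collecting the AAI."""
    if i < 1 or i > root.n:
        return None  # out of range
    node, k, aai = root, i, []
    while node.left is not None:
        a, b = node.left, node.right
        if k <= a.n:  # k-th leaf is in the left subtree; right child is the sibling
            aai.append((b.h, b.n, "r"))
            node = a
        else:  # skip the n_a leaves of the left subtree
            aai.append((a.h, a.n, "l"))
            node, k = b, k - a.n
    aai.reverse()  # leaf-to-root order, as Omega_5 in Fig. 1
    return node, aai


def authenticate_position(i: int, aai: AAI) -> bool:
    """Leaf Node Authentication: leaves under all left siblings must total i-1."""
    return sum(n for _, n, side in aai if side == "l") == i - 1


def root_from_aai(start_h: bytes, start_n: int, aai: AAI) -> Tuple[bytes, int]:
    """Fold a node (hash, index) up the AAI path and return the root (hash, index)."""
    cur_h, cur_n = start_h, start_n
    for sib_h, sib_n, side in aai:
        cur_h = node_hash(sib_h, sib_n, cur_h, cur_n) if side == "l" \
            else node_hash(cur_h, cur_n, sib_h, sib_n)
        cur_n += sib_n
    return cur_h, cur_n


def insert_after(root: Node, i: int, block: bytes):
    """ExecUpdate for insertion: leaf i becomes an internal node of index 2 over
    (old leaf, new leaf); indices and hashes are refreshed up to the root.
    Returns (Omega_i, old leaf hash, new root hash), i.e. P_update minus the signature."""
    found = search(root, i)
    if found is None:
        raise IndexError("leaf out of range")
    node, aai = found
    old_h = node.h
    node.left, node.right = Node(old_h, 1), Node(h(block), 1)
    node.left.parent = node.right.parent = node
    p = node
    while p is not None:
        p.refresh()
        p = p.parent
    return aai, old_h, root.h


def verify_update(i, aai, old_leaf_h, known_root, block, claimed_root) -> bool:
    """VerifyUpdate: authenticate Omega_i against the root the client already holds,
    then recompute R' from the same path plus the new leaf and compare with the claim."""
    r, _ = root_from_aai(old_leaf_h, 1, aai)
    if r != known_root or not authenticate_position(i, aai):
        return False
    k_h = node_hash(old_leaf_h, 1, h(block), 1)  # new internal node, index 2
    return root_from_aai(k_h, 2, aai)[0] == claimed_root


def demo() -> dict:
    blocks = [b"block-%d" % k for k in range(1, 10)]  # constructed 9-block file, as in Fig. 1
    root = build(blocks)
    leaf5, aai5 = search(root, 5)
    honest = root_from_aai(leaf5.h, 1, aai5)[0] == root.h and authenticate_position(5, aai5)
    leaf7, aai7 = search(root, 7)  # server substitutes leaf 7 for the challenged leaf 5
    swap_root_ok = root_from_aai(leaf7.h, 1, aai7)[0] == root.h
    swap_pos_ok = authenticate_position(5, aai7)
    old_root = root.h
    aai, old_h, new_root = insert_after(root, 5, b"block-star")
    update_ok = verify_update(5, aai, old_h, old_root, b"block-star", new_root)
    sixth_is_new = search(root, 6)[0].h == h(b"block-star")
    return {"honest": honest, "swap_root_ok": swap_root_ok, "swap_pos_ok": swap_pos_ok,
            "update_ok": update_ok, "sixth_is_new": sixth_is_new, "leaves": root.n}


if __name__ == "__main__":
    print(demo())
```

The hash path alone accepts the substituted leaf (`swap_root_ok`), which is exactly the loophole described in Section 2; the relative-index count (`swap_pos_ok`) is what rejects it. The same `root_from_aai` fold serves both the old root check and the recomputation of $R'$, so the client never needs the tree itself.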

For the $n$ leaf nodes of the DMHT, data insertion, deletion, modification and integrity verification are achieved efficiently. The algorithm is comparable to the search algorithm of a binary search tree with $2n - 1$ nodes. On average, the computational complexity is $O(\log n)$, a significant improvement over the $O(n)$ of Wang's scheme.

Batch Auditing for Multi-client Data: the server may concurrently handle multiple auditing delegations upon different users' requests, given $K$ signatures on $K$ distinct data files from $K$ clients. We aggregate all these signatures into a single short one and verify it at one time. Assume data file $F^{(k)} = (m_1^{(k)}, m_2^{(k)}, \dots, m_n^{(k)})$ with $m_i^{(k)} = (m_{i,1}^{(k)}, m_{i,2}^{(k)}, \dots, m_{i,r}^{(k)})$, where $k \in \{1, 2, \dots, K\}$. For each client $k$, select a random $x_k \leftarrow \mathbb{Z}_p$ and $r$ random elements $u_{k,j} \leftarrow G$, $j \in J = \{1, \dots, r\}$, and compute $v_k \leftarrow g^{x_k}$, $w_{k,j} \leftarrow u_{k,j}^{x_k}$ and the signatures

$$\sigma_i^{(k)} = \left( H(m_i^{(k)}) \cdot \prod_{j=1}^{r} u_{k,j}^{m_{i,j}^{(k)}} \right)^{x_k}.$$

In the challenge phase, the verifier sends the query $\{(i, \nu_i)\}_{s_1 \le i \le s_c}$ to the prover (server) for verification of all $K$ clients. Upon receiving chal, for each user $k$ ($k \in \{1, \dots, K\}$) the server randomly picks $o_k \in \mathbb{Z}_p$ and calculates $Q_{k,j} = (w_{k,j})^{o_k} = (u_{k,j}^{x_k})^{o_k} \in G$. The server then computes

$$\mu_{k,j} = \sum_{i=s_1}^{s_c} \nu_i m_{i,j}^{(k)} + o_k\,h(Q_{k,j}), \quad j = 1, \dots, r,\ i \in I, \qquad \sigma = \prod_{k=1}^{K} \prod_{i=s_1}^{s_c} \left( \sigma_i^{(k)} \right)^{\nu_i}.$$

The prover then sends $\{\sigma, \{\mu_{k,j}, Q_{k,j}\}_{j \in J}, \{H(m_i^{(k)}), \Omega_{k,i}\}_{i \in I}, sig_{sk}(H(R_k))\}_{1 \le k \le K}$ as the response proof to the TPA. In the verification phase, the verifier authenticates the tags $H(m_i^{(k)})$; if this succeeds, it checks the following equation:

$$e\left( \sigma \cdot \prod_{k=1}^{K} \prod_{j=1}^{r} Q_{k,j}^{h(Q_{k,j})},\ g \right) \overset{?}{=} \prod_{k=1}^{K} e\left( \prod_{i=s_1}^{s_c} H(m_i^{(k)})^{\nu_i} \cdot \prod_{j=1}^{r} u_{k,j}^{\mu_{k,j}},\ v_k \right)$$

4. Security Analysis And Performance Analysis

4.1. Security Analysis

The authors in [4] define the correctness and soundness of their scheme: the scheme is correct if the verification algorithm accepts when interacting with the valid prover, and it is sound if any cheating server that convinces the client it is storing the data file is actually storing that file.

[Figure 4. DMHT update under block insertion: inserting $x^*$ after $x_5$ adds the internal node $k$ (index 2) over leaves $h(x_5)$ and $h(x^*)$; along the path to the root the indices become $g$: 3, $e$: 4, $b$: 6 and root $r$: 10, while $a$ (4) and $f$ (2) are unchanged.]

[Figure 5. DMHT update under block deletion: deleting $x_5$ makes $e$ (index 2) the parent of leaves $h(x_6)$ and $h(x_7)$ alongside $f$ (index 2); the path indices become $b$: 4 and root $r$: 8, with $a$ (4) unchanged.]


Now we present the security analysis of our scheme against the security model for untrusted environments described in Section 2. Our batch auditing protocol achieves the same storage correctness and privacy preserving guarantees as the single-user case, so we analyze only the single-user case.

1) Storage Correctness Guarantee for public verifiability: Theorem: If the signature scheme is existentially unforgeable and the computational Diffie-Hellman problem is hard in bilinear groups, no adversary against the soundness of our public-verification scheme can cause the verifier to accept in a proof-of-retrievability protocol instance with non-negligible probability, except by responding with correctly computed values. Note that the values $\{Q_j\}_{j \in J}$ in our protocol, which enable the privacy-preserving guarantee, do not affect the validity of the equation, due to the hardness of the discrete logarithm problem and the commutativity of modular exponentiation in the pairing. Therefore, our scheme with privacy preserving and the scheme without privacy preserving can be proven by the same method.

2) Privacy Preserving Guarantee: during the audit process, if $\mu_j'$ were directly exposed to the TPA, then $\{m_i\}_{i \in I}$ could easily be obtained by solving a system of linear equations once enough combinations of the same blocks are collected, so we must make sure no information about $\mu_j'$ leaks to the TPA. Because $\mu_j'$ is blinded with $o$, which is chosen randomly by the cloud server and is unknown to the TPA, as $\mu_j' = \mu_j - o\,h(Q_j)$ with $Q_j = (u_j^{\alpha})^{o}$, and by the hardness of the discrete logarithm assumption, the privacy of $\mu_j'$ is guaranteed with respect to $\mu_j$. Under the computational Diffie-Hellman assumption, the TPA cannot derive $\mu_j'$ from $\sigma$ either. Therefore privacy preservation is guaranteed.

3) User Data Correctness Guarantee: we want to make sure that the data $F$, $\Phi$ and the parameters from the user are correct when the user first outsources data to the server. From the proof of the theorem in the appendix, we conclude that our integrated signature scheme is existentially unforgeable, i.e. $H(m_i)$ is unforgeable. If the user passes the verification, then the user must indeed have provided the specified data and signatures intact. As $v$, $\{u_j\}_{j \in J}$ and $g$ are public parameters, if either $\sigma_i$ or $m_{i,j}$ were wrong, the verification may fail. Based on the difficulty of the discrete logarithm problem, the user cannot forge $\sigma_i$ and $m_{i,j}$ at the same time while keeping them consistent.

This completes the proof.
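The linear-equation leak mentioned in Section 2 and the blinding argument of item 2) above, reduced to their $\mathbb{Z}_p$ arithmetic as an added example (not code from the paper). It assumes a constructed prime $p$, toy basic blocks, and a public random value standing in for $h(Q_j)$; the pairing group and the signatures are not modelled, and the Gauss-Jordan solver is the example's own helper. It shows what a TPA holding $c$ unblinded responses over the same index set $I$ can reconstruct, and that the same computation on blinded responses no longer recovers the blocks.

```python
"""Why mu'_j must be blinded: Z_p arithmetic of the privacy-preserving guarantee.
Added example, not the paper's code.  Assumptions: constructed prime P for the
group order p; h(Q_j) replaced by a public random value; no pairing group."""
import random
from typing import List, Optional

P = 2_147_483_647  # constructed prime standing in for the group order p


def mu_prime(blocks: List[List[int]], nu: List[int]) -> List[int]:
    """mu'_j = sum_{i in I} nu_i * m_{i,j} mod p; blocks[i] is the r-vector m_i for i in I."""
    r = len(blocks[0])
    return [sum(v * m[j] for v, m in zip(nu, blocks)) % P for j in range(r)]


def blind(mu_p: List[int], o: int, hq: List[int]) -> List[int]:
    """mu_j = mu'_j + o * h(Q_j): the server's blinding; o never leaves the server."""
    return [(m + o * hq[j]) % P for j, m in enumerate(mu_p)]


def solve_mod_p(A: List[List[int]], B: List[List[int]]) -> Optional[List[List[int]]]:
    """Gauss-Jordan elimination over Z_p: solve A X = B for a square c x c matrix A
    and a right-hand side B with c rows.  Returns X, or None if A is singular mod p."""
    c = len(A)
    M = [list(A[i]) + list(B[i]) for i in range(c)]
    for col in range(c):
        piv = next((i for i in range(col, c) if M[i][col] % P), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [x * inv % P for x in M[col]]
        for i in range(c):
            if i != col and M[i][col]:
                f = M[i][col]
                M[i] = [(x - f * y) % P for x, y in zip(M[i], M[col])]
    return [row[c:] for row in M]


def tpa_view(seed: int = 7, c: int = 3, r: int = 2):
    """What a TPA can reconstruct after c challenges over the same index set I.
    Each challenge t contributes the row nu^(t) and, per j, one equation
    mu'_j^(t) = sum_i nu_i^(t) m_{i,j}; c independent rows determine every m_{i,j}.
    With blinding, each challenge adds an unknown o_t, so the same solve yields
    values unrelated to the blocks.  Returns (from_clear, from_blinded, blocks)."""
    rng = random.Random(seed)
    blocks = [[rng.randrange(P) for _ in range(r)] for _ in range(c)]  # constructed m_i, i in I
    N = [[rng.randrange(1, P) for _ in range(c)] for _ in range(c)]    # nu_i of each challenge
    clear = [mu_prime(blocks, nu) for nu in N]
    blinded = [blind(mu_prime(blocks, nu), rng.randrange(1, P),
                     [rng.randrange(1, P) for _ in range(r)]) for nu in N]
    return solve_mod_p(N, clear), solve_mod_p(N, blinded), blocks


if __name__ == "__main__":
    from_clear, from_blinded, blocks = tpa_view()
    print("recovered from unblinded mu':", from_clear == blocks)
    print("recovered from blinded mu:   ", from_blinded == blocks)
```

The clear-text case is the observation the paper attributes to [4]: the TPA picks the coefficients $\nu_i$ itself, so after $c$ challenges on the same $I$ it holds an invertible system. The blinded case is why the server adds $o\,h(Q_j)$; the TPA can still run the solver, but nothing it gets back relates to the blocks, and the verification equation continues to hold because the $Q_j^{h(Q_j)}$ factors cancel the blind on the pairing side.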

4.2. Performance Analysis

We compare the communication complexity of Wang's RSA-based instantiation (Wang's RSA scheme), our BLS-based instantiation without privacy preserving (BLS scheme I) and our BLS-based instantiation with privacy preserving (BLS scheme II). Figure 6 shows the costs for a 1 GB file with variable block sizes.

[Figure 6. Comparison of communication complexity: communication cost (KB, 180 to 420) against block size (KB, 0 to 160) for a 1 GB file; series: Wang's RSA scheme, BLS scheme I, BLS scheme II.]

[Figure 7. Comparison of communication cost of different size files: communication cost (KB, 160 to 300) against file size (256M to 32G); series: 20byte, 16KB, 8KB.]


From Figure 6 we can see that the communication cost of our BLS scheme I is smaller than that of the other two schemes, because the BLS construction offers shorter homomorphic signatures (e.g., 160 bits) than RSA-based ones (e.g., 1024 bits). However, if the block size is larger than 20 KB, the communication cost of our BLS scheme II exceeds that of Wang's RSA-based instantiation. When the block size is chosen below 94 KB for BLS scheme I or below 45 KB for BLS scheme II, the communication cost is lower than that of Wang's BLS scheme.

The figure also suggests that with a block size of around 8 KB our BLS-based scheme reaches an optimal point, and with a block size of around 16 KB Wang's RSA-based instantiation and our BLS-based scheme without privacy preserving reach the optimal point at which the communication cost is smallest.

The comparison of communication cost for different file sizes among Wang's BLS scheme (20 byte), our BLS scheme without privacy preserving with a 16 KB block size (16KB), and our BLS scheme with privacy preserving with an 8 KB block size (8KB) is given in Figure 7.

From Figure 6 and Figure 7 we can see that our scheme saves much communication cost. In fact, with aggregation, the detection probability exceeds 99% when 1% of the basic blocks are corrupted. As for storage space, everything except the original file data is reduced by a factor of $r$ after aggregation, because the signatures and the MHT are constructed at the larger block level.

5. Conclusions

In this paper, we presented a novel security model for untrusted environments in which the server, the TPA and the user may each act as an untrusted party, and focused on an integrity verification method supporting variable block size. Our scheme introduces a public audit service for integrity verification with user-selectable privacy preserving under the structure of a dynamic Merkle tree with relative index, and develops an integrated scheme that supports the new requirements: public auditability, dynamic data operation, privacy preserving and batch auditing, and is suited to our untrusted security model. Performance analysis shows that our solution clearly reduces communication and space costs.

6. Acknowledgements

This work is supported by the Science & Technology Research Program of the Municipal Education Committee of Chongqing of P. R. China (No. KJ110505), the Open Program of the Key Lab of Computer Network & Communication of Chongqing of P. R. China (No. JK-Y-2010003), and the Technology Research and Development Program and Natural Science Foundation Project of CQ CSTC of P. R. China (No. cstc2011AC2155, No. cstc2011jjA40031, cstc2011jjA1350).

7. References

[1] L. M. Kaufman, "Data Security in the World of Cloud Computing", IEEE Security & Privacy, vol. 7, no. 4, pp. 61-64, 2009.

[2] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, "Provable data possession at untrusted stores", in Proc. of CCS'07, New York, NY, USA: ACM, pp. 598-609, 2007.

[3] A. Juels and B. S. Kaliski, Jr., "Proofs of retrievability for large files", in Proc. of CCS'07, New York, NY, USA: ACM, pp. 584-597, 2007.

[4] H. Shacham and B. Waters, "Compact Proofs of Retrievability", in Proc. of ASIACRYPT'08, Springer-Verlag, pp. 90-107, 2008.

[5] Q. Wang, C. Wang, K. Ren, W. J. Lou, and J. Li, "Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing", IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847-859, 2011.

[6] L. Chen and H. B. Chen, "Ensuring Dynamic Data Integrity with Public Auditability for Cloud Storage", Computer Science and Service System, pp. 261-264, 2012.

[7] Y. Zhu, H. X. Wang, and Z. X. Hu, "Dynamic Audit Services for Integrity Verification of Outsourced Storages in Clouds", in Proc. of the ACM Symposium on Applied Computing, New York, NY, USA: ACM, pp. 1550-1557, 2011.

[8] Z. Hao, S. Zhong, and N. H. Yu, "A Privacy-Preserving Remote Data Integrity Checking Protocol with Data Dynamics and Public Verifiability", IEEE Transactions on Knowledge and Data Engineering, vol. 23, no. 9, pp. 1432-1437, 2011.

[9] C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, "Dynamic Provable Data Possession", in Proc. of CCS'09, Chicago, IL, USA: ACM, pp. 213-222, 2009.

[10] C. Wang, Q. Wang, K. Ren, and W. Lou, "Privacy-preserving public auditing for data storage security in cloud computing", in Proc. of INFOCOM 2010, IEEE, pp. 1-9, 14-19 March 2010.

[11] G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, "Scalable and Efficient Provable Data Possession", in Proc. of SecureComm'08, New York, NY, USA: ACM, pp. 1-10, 2008.

[12] W. Luo and G. Bai, "Multi-Copy Privacy-Preserving Verification for Cloud Computing", IJACT: International Journal of Advancements in Computing Technology, vol. 3, no. 9, pp. 9-16, 2011.

[13] B. An, D. Li, D. Xiao, and Y. Yang, "Accountability for Data Integrity in Cloud Storage Service", IJACT: International Journal of Advancements in Computing Technology, vol. 4, no. 7, pp. 360-370, 2012.

[14] D. Boneh, B. Lynn, and H. Shacham, "Short Signatures from the Weil Pairing", in Proc. of ASIACRYPT'01, London, UK: Springer-Verlag, pp. 514-532, 2001.
