ESDR: An Efficient and Secure Data Repairing Paradigm in ... · privacy-preserving issue in public...

SECURITY AND COMMUNICATION NETWORKSSecurity Comm. Networks 2016; 9:3646–3657

Published online 31 July 2016 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1571

RESEARCH ARTICLE

ESDR: an efficient and secure data repairing paradigmin cloud storageShungan Zhou1, Ruiying Du1 *, Jing Chen1, Debiao He1 and Hua Deng2

1 School of Computer, Wuhan University, Wuhan, Hubei 430072, China2 State Grid Information and Communication Company of Hunan Electric Power Corp, Changsha, Hunan 410000, China

ABSTRACT

With the dramatic development of cloud computing, more and more challenges emerge for storing massive amounts of data.Data repairing is a main technique to provide data availability in the distributed storage system, such as cloud platform,once storage corruption occurs. In cloud storage, the redundant data are commonly stored in different places for bettercapability of disaster recovery and are transferred through the open channel, such as Internet. Because the data are ofgreat importance for organizations, it is essential to systematically preserve the confidentiality, integrity, and authenticityof the data, which counters threats such as wiretapping, tampering, and pollution attacks. To address these challenges, weput forward a new data repairing paradigm, referred to as efficient and secure data repairing (ESDR) paradigm. In ESDR,the components of the redundant data are distributed to other storage units after being preprocessed and can be collectedand reassembled onto the corrupted unit. Following this paradigm, we propose an ESDR scheme by using regeneratingcode and certificateless signcryption technique. Furthermore, the proposed enc2 – mac – signcrypt preprocessing promotessecurity and efficiency notably. Both theoretical analysis and experimental evaluation confirm that this scheme is practicaland efficient to secure data repairing in cloud storage. Copyright © 2016 John Wiley & Sons, Ltd.

KEYWORDS

cloud storage; data repair; data security; signcryption

*Correspondence

Ruiying Du, School of Computer, Wuhan University, Wuhan, Hubei 430072, China.E-mail: [email protected]

1. INTRODUCTION

Cloud computing, as a new computing paradigm, emergeswith the growing needs for computing resources andthe rapid development of information and communica-tion technology [1]. As a fundamental infrastructure of thecyberspace, cloud storage (i.e., Amazon’s S3) enables bothorganizations and individuals to outsource their data ontothe data centers [2]. In this way, the costs of informationsystem construction for enterprises can be greatly reduced,and the productivity of innovators can be tremendouslyliberated. For instance, without building exclusive datacenters, an international company can store the data in thecloud by renting the storage services from the providers.After that, the staff can access the shared data with even abrowser at any time, in any place.

Data availability is one of the main concerns in cloudstorage [3]. Because the cloud service providers (CSPs)take over the outsourced data, the users are worried aboutthe correctness and integrity of the data in the cloud. Data

service failures will harm public confidence in the CSPs[4]. On the other hand, data are of increasingly significantand can produce even more benefits in the age of big data.Therefore, the CSPs are amenable to provide mechanismsto recover the users’ original data with privacy preservedwhen storage corruption occurs in disaster cases.

Now, we encounter a challenge in such applications.The instinctive solution for CSPs is constructing dis-tributed storage system, in which data will be redundantlystored in remote centers [5]. When the data in one centerare corrupted, the other centers in the cloud storage sys-tem can support the once-failed node by transferring theredundant data back. However, because the cloud environ-ment is insecure [6] and the data are transferred over theopen channel, the security of the data is vulnerable [7].For instance, a pollution attack can be launched by sendinga fake part of the redundant data forward to the back-upnodes or backward to the repairing node, such that the orig-inal data will never be recovered with the fake information.Therefore, one question rises: Can we design an efficient

3646 Copyright © 2016 John Wiley & Sons, Ltd.

S. Zhou et al. ESDR: An effcient and secure data repairing paradigm in cloud storage

and secure data repairing solution with the redundant datatransferring on the open channel?

In a concrete scenario, the data centers located allover the world form a cloud storage system for an inter-national cooperation like Google. For instance, Googledeploys the data centers in the USA, Europe, Japan, HongKong, and Singapore, respectively. Considering the limitof cost, these remote data centers are connected throughthe public channel. For disaster tolerance, every data centerdistributes its redundant data to the other four data centers.Once one of the centers encounters storage corruption indisaster cases (i.e., earthquakes occur in Japan), the otherfour centers can send back the redundant data. With thehelp of the back-up data, the center in Japan can recover itsoriginal data. In this way, the data service of Google fromJapan can be restored with the aids from overseas. Unfor-tunately, there exits an obstacle when a shorter responsetime and the security of the redundant data in transmissionover the Internet are to be guaranteed.

Data replication is seemingly a straightforward solutionto the previous scenario. The replica of the original datacan be divided into several parts and be distributed to theother data centers. When storage corruption occurs, othercenters send back all the parts of the copy. On recevingthe complete constituents, the repairing center is able torecover the original data by piecing together all the con-stituents. For a lower storage consumption, erasure codecan be used to process these pieces before distributing inorder to reduce the storage expenditure [8]. By transform-ing the data of k0 blocks into a larger scale data of k1blocks, the erasure code enables the cloud storage sys-tem to recover the original data from a subset of the k1blocks. However, the communication bandwidth requiredin erasure code reaches the undesirable scale, which is notefficient for wide-area distributed system. Regeneratingcode [9–11] reduces the communication cost and enablesthe data centers in the distributed storage system to inter-act much more efficiently. Unfortunately, the security ofthe transferred data is still not ensured in the previoussolutions.

Indeed, the CSPs in the motivating scenario need anefficient but also secure data repairing system to enablethe cloud storage to backup and recover data within thewide-area distributed system. This data repairing systemallows the redundant data to be distributed and collectedbackward securely over the open channel like the Internet.More specifically, the preprocessed data: (i) can be used torecover the original data; and (ii) should be well protectedin the respect to confidentiality, integrity, and authenticity(CIA) even when it is transferred through the open channel.

1.1. Contribution

After investigating the data repairing solutions in the dis-tributed storage system of cloud computing, the contribu-tions of our work can be summarized as follows.

We put forward an efficient and secure data repair-ing (ESDR) framework for the distributed wide-area cloud

storage. In this system, several data centers form a back-up and recovery group. After preprocessing, every centerdistributes its redundant data forward to other centers inthe group. Once one of the centers encounters storagecorruption in disaster cases, the others can return the redun-dant data backward to help the failed center to reconstructthe original data. These processes are efficient and securewith the help of an offline third party, key generationcenter (KGC).

We propose an ESDR scheme achieving the desirableefficiency and security. The main challenge in such a con-struction is that how to ensure the CIA of the large-scaledata transferred through the open channel. It is complicatedto counter the threats such as pollution attacks and tam-pering attacks without using an asymmetric cryptographictechnique. On the other hand, it is extremely costly to pro-cess the vast data directly with asymmetric cryptographicoperations. We address this challenge by proposing anenc2-mac-signcrypt paradigm and introducing an efficientregenerating code based on the complete graph as well asthe compact certificateless signcryption technique.

We analyze the security merits of the proposed schemeand evaluate the performance of this scheme both theo-retically and experimentally. From all these analyses andevaluations, we find out that our proposal is practicallyefficient and secure for distributed wide-area storage incloud computing.

1.2. Organization

We organize the rest of the paper as follows. We firstreview the related work in Section 2. In Section 3, wepresent the system model. Section 4 describes the designedESDR scheme. We analyze the security of our proposalin Section 5. The performance evaluation is shown inSection 6. Section 7 concludes this paper.

2. RELATED WORK

The main concern on data availability of cloud storage inacademic research is public auditing and network coding.Both are active research areas, which have respectivelygenerated numbers of works in the literature. On theother hand, certificateless public key cryptography, as avariant of identity-based cryptography, is remarkable forpreventing the problem of key escrow.

Public auditing in cloud storage allows users verifythe availability and integrity of the outsourced data [12].In cryptographic community, there are two famous proto-cols called proofs of retrievability [13] and proofs of dataprossession [14]. The proof of retrievability is a challenge-response protocol that enables the CSP to demonstrateto the user that the file stored in the cloud is retriev-able, namely, recoverable from data loss or corruption. Theproof of data prossession highly compresses the size ofresponse messages so that the users can complete the proofwith a small fraction. Later studies reduce the overhead

Security Comm. Networks 2016; 9:3646–3657 © 2016 John Wiley & Sons, Ltd. 3647DOI: 10.1002/sec

ESDR: An effcient and secure data repairing paradigm in cloud storage S. Zhou et al.

of required computation and bandwidth [4,15]. The workin [15] allows for compact proofs with one authenticatorvalue, the construction of which is based on the homo-morphic property of aggregation. The HAIL scheme in [4]enables precise proof of the integrity of the data with con-siderable low cost. Recently, the researches focus on theprivacy-preserving issue in public auditing [3,16]. Wanget al. [3] construct an efficient public auditing systemachieving privacy-preserving. Yu et al. [16] extend thesecurity model of auditing system in cloud storage that theclient’s secret key may be exposed and give a practicalsolution to address the key-exposure challenge.

Network coding in cloud storage improves the relia-bility against node failures with redundancy. It is a gen-eralization of the conventional store-and-forward methodin routing to create linear combinations on intermediatenodes during the repairing process [17,18]. Regenerat-ing codes [19], as one of the most important networkcode, can significantly reduce the communication band-width in repairing. Regenerating code, first proposed byDimakis et al., is a kind of codes that lie on the opti-mal tradeoff between repair bandwidth and storage cost.Hu et al. [20] present a proxy-based multiple-cloud storagesystem, namely, NCCloud, and propose an implementationfor the functional minimum storage regenerating code. Thecomputational and communication costs in their systemturn out to be high. Recently, the researchers are concernon the optimization of exact-repair regenerating code forboth minimum storage regenerating (MSR) and minimumbandwidth regenerating (MBR) [11,21], respectively. Thework in [11] constructs both optimal MBR and MSR codespushing the limit of n = d + 1 by using a new product-matrix framework. The MBR code in this work can achieveall values of [n, k, d], while the MSR code only requiresfor d � 2k – 2. Eraval [21] analyzes the optimal capac-ity of function repair in the case that the n, k, d are closeand the optimal capacity of exact repair in the case that thedistances of n, k, d is fixed but approaches to infinity. Thiswork also constructs the corresponding codes with theseperformances.

Certificateless public key cryptography(CL-PKC) [22],introduced in AsiaCrypto’03, tackles the problem of keyescrow of identity-based encryption system in which pub-lic key infrastructure for distributing public keys is nolonger needed. Traditionally, the KGC is a fully trustedpartity to generate all the private keys [23]. In the case thatthe KGC is compromised, the system will suffer a com-plete breakdown. In CL-PKC, the key generation processis accomplished by both the KGC and the user coopera-tively, and the final private key partially depends on therandom value chosen by the user. Recently, the CL-PKCattracts the attentions of the researchers, and some interest-ing systems based on CL-PKC are proposed and analyzed[24,25]. On the other hand, the signcryption combinespublic key encryption, and digital signatures to simultane-ously provide both confidentiality and authentication of thedata efficiently. Certificateless signcryption [26,27] carriesout the previous achievement without the problem of key

escrow or public key substitutions. Moreover, comparingwith encrypting and signing successively, the certificate-less signcryption technique achieves better performanceand security. Li et al. proposed an online/offline schemeto further enhance the efficiency [26]. Because the secu-rity of this work is based on the assumption of q-valuesbilnear Diffie–Hellman inversion, which is much morecomplicated, this online/offline certificateless signcryptionis not so practical. Meanwhile, the work in [27] gives acompact certificateless signcryption scheme. The securityof this scheme based on the assumption of gap bilnearDiffie–Hellman (GBDH), which is more widely used inconstructing cryptographic primitives.

The exiting public auditing schemes mainly concernhow to check the integrity of the data outsourced on thecloud storage efficiently without leaking users’ privacy. Onthe other hand, the network coding addresses the challengethat how to repair the corrupted data on the data centerefficiently both in storage cost and communication cost.Unfortunately, there is still a gap, on which the exitingworks pay little attention, that how to protect the secu-rity, especially the CIA, of the transferred data throughthe open channel and to repair the original data efficientlyafterwards. As a result, a closed-loop secure solution isneeded to counter the threats in the case of data cor-ruption in wide-area distributed storage systems as thecloud storage.

3. SYSTEM MODEL

3.1. System requirement

We consider efficiently securing the process of data back-up and repairing in cloud storage. For the purpose ofdisaster recovery, back-up data can be distributed andstored in remote places, and the data centers located indifferent places can back up each other. When storage cor-ruption occurs in one of these data centers, the others canhelp recovering the lost data through transferring the back-up data stored in their disks before. The problem is how toaddress the security challenges about the data transferringefficiently.

(1) The transferred data might be very massive becausethe scale of the original data can be very large.

(2) The channel is open and insecure. There are threatssuch as wiretapping, tampering, and forgery attacks.

(3) It is hard to deploy an online authentication centerfor such a long-distance distributed storage.

(4) It is important to shorten the response time whendisaster cases occur.

3.2. System model

We handle the previous problem by introducing and for-malizing an efficient and secure data repairing (ESDR)paradigm. The system model of ESDR is illustrated as

3648 Security Comm. Networks 2016; 9:3646–3657 © 2016 John Wiley & Sons, Ltd.

DOI: 10.1002/sec


Figure 1. System model. DC, data center; KGC, key generation center.

Figure 1. In ESDR system, there are two entities describedas follows.

� Data center (DC): an entity that stores data from vari-ous resources (i.e., user data). Some of these DCs canform a group to back up each other by distributing andcollecting coded data.

� Key generation center (KGC): an entity that is respon-sible for generating secret keys (i.e., system masterkey) and publishing public parameters (i.e., identitiesof the nodes). Besides, this party can be offline, andthere is no interaction between DC and KGC whendata repairing proceeds.

In the ESDR, KGC initializes the system and gener-ates the system public parameters, the system master key,and the partial secret keys of these nodes. After that,each node (data center) encodes the original data anddistributes the coded data to other data centers in an effi-cient and secure way through the Internet. On receivingthe data, the receiver DC will check the authenticity ofthe data source and also the integrity of the data. Oncea storage corruption occurs in one of the DCs, the oth-ers will all send back the corresponding encoded datato that DC in a secure way. By verifying the authentic-ity and correctness of the data, the once-failed DC canreconstruct the original data on it. For a better disaster tol-erance, these data centers are distributed in remote areas.On the other hand, for a short response time, the repair-ing scheme should be efficient. Moreover, there are kindsof security threats because the data are transferred on theopen channel.

3.3. Security goals

According to the practical problem and security threats, wedescribe the security goals of the ESDR system.

Data availability. The system should have a certain abil-ity of fault recovery. When storage fails on one nodeof the system, there should be a mechanism to recoverthe data on that node. In this way, the cloud can sup-port a continuous data availability and reliable storageservice.

Data confidentiality. There should be a systematic pro-tection for the data transferred on the open channel,even if it is encrypted by users. Data and networkcontent are crude oil for a company or an organiza-tion, thus, even the ciphertext generated by the usersshould be re-protected by this system when it is trans-ferred on the open channel in such a large scale.Moreover, for a better security performance, the repair-ing structure ought to be protected as well. In thiscontext, data confidentiality is essential in the ESDRthe system.

Data integrity. The coded data, which is transferred on theopen channel, should be affirmed to be correct and inte-grated. In other words, the system should have the abil-ity to resist tampering attack and to detect the errors ofthe data.

Data authenticity. Because the data are sent on the Inter-net like that, adversaries have the chances to forgethe fake data and to send it to the receivers. With-out the ability of data authenticity, opponents canlaunch attacks such as pollution attack. Therefore,



the system should provide a mechanism for thereceivers to authenticate the identity of the correspond-ing data sender.

4. PROPOSED EFFICIENT ANDSECURE DATA REPAIRING SCHEME

Before presenting our ESDR scheme, we first intro-duce the basic idea and mathematical background of ourconstruction.

4.1. Basic idea

In the ESDR system, several data centers of the cloud stor-age form a mutual backup group. In this group, after codingand transferring the coded data, each node stores not onlyits own data but also others’ coded data, as illustrated inFigure 2. When data failure occurs on one node, othernodes will send the coded data to this data center. Afterrepairing with this coded data, the once-failed data centerwill recover the original data and continue to provide dataservices. Moreover, the confidentiality and integrity of thetransferred data, as well as the authenticity of its sender,are required to be protected and guaranteed, because thedata are running on the Internet.

We construct the ESDR scheme by using the completegraph-based regenerating code [28] and the certificatelesssigncryption scheme [27]. With the technique of regener-ating code, the communication cost during the repairingprocess can be dramatically reduced, while online globaltrusted third party is not needed because of the certificate-less signcryption technique. However, there are still twobig challenges in the ESDR construction: (i) because thescale of data is commonly large and the response-recoverytime needs to be short, the ESDR should be practicallyefficient, especially for cryptographic processes. (ii) Howto protect the CIA of the data under the circumstancethat the transferred data is not encrypted in asymmetricencryption schemes.

We overcome the previous two obstacles by proposingan enc2-mac-signcrypt paradigm. Briefly, in this paradigm,to-be-transferred data are firstly encoded with a MBR code

and encrypted by a symmetric encryption with a secret key,and then the message authentication code of the data iscomputed; finally, this symmetric secret key is signcryptedalong with this MAC by the sender. On receiving the codeddata, every of the other DCs can verify the authenticity andintegrity of this coded data before storing. In this way, thecoded data can be securely transferred on the open channel.

4.2. Mathematical background

The certificateless signcryption in our construction is builton bilinear groups [29], and the complete graph-based codeused in our scheme is also a kind of MBR codes[19].

Bilinear Map. Let G1 and G2 be two multiplicativecyclic groups of the same prime order p, and g is agenerator of G1; then we define map, e : G1 �G1 !

G2, as a Bilinear Map, when it satisfies the followingthree properties:

(1) Bilinearity : for any u, v 2 G1 and any a, b 2Z*

p, we always have the equation e(ua, vb) =

e(u, v)ab.(2) Non-degeneracy : e(g, g) ¤ 1G2

.(3) Computable : there exits a polynomial time

algorithm to compute e(u, v) for any u, v 2 G1.

MBR Code. Firstly, the MBR code satisfies (n, k)MDS property, which means that any k nodes out ofn can recover the original information. Furthermore,the MBR code, as its name indicates, is a regenerat-ing code that can achieve the minimum repair band-width. We can describe this property with the followingtwo equations:

(˛MBR, �MBR) =

�2|M|d

2kd – k2 + k,

2|M|d

2kd – k2 + k

�(1)

|M| = kd –k(k – 1)

2(2)

where ˛ is the number of coded data blocks on the DC, �is the total repair bandwidth, |M| is the size of the file M, k

Figure 2. Example of coding structure. DC, data center.


DOI: 10.1002/sec


is the required number of coded data blocks to repair, andd is the number of actually used data blocks.

From the equation, we can find out that the storage size˛ equals to the total repair bandwidth � , which means thatthe MBR code incurs no extra repair bandwidth and isefficient on communication overhead.

4.3. Proposal

An ESDR scheme is defined by a six-tuple of probabilisticpolynomial time algorithms.

� (Msk, Params) Init(1�). This algorithm, which isrun by the KGC, takes as input the security param-eter 1� and returns the system master key Msk andglobal parameters Params including the system publickey Mpk.

� (Pk, Sk) KeyGen(ID, Msk, Params). This algo-rithm, which is run by the KGC and DC cooperatively,takes as input the DC’s identity ID system masterkey Msk along with global parameters Params andreturns the DC’s public key Pk, and secret key Sk,respectively.

� (CDa, CMK ) EncS(p*). This algorithm, run by thesource sender DC, inputs the 10-tuple parameter p*,where p* = (Da, n, k, K, SkS, IDS, PkS,IDR, PkR, Params). Da refers to the data needed toback up. K refers the symmetric secret key used forencrypting the coded data. As described earlier, n andk refer to the parameters in a (n, k) MDS code. In thissetting, a message block is encoded into n pieces, andwith any k pieces out of n, the original message can beretrieved. SkS, IDS, and PkS refer to the sender DC’ssecret key, identity, and public key, respectively. IDRand PkR refer to the receiver DC’s ID and public key.The output of this algorithm includes (i) ciphertext ofthe coded data CDa under symmetric encryption and(ii) ciphertext of both of the MAC and encryption Keyunder asymmetric cryptographic process.

� CMK EncR(p*0 ). This algorithm, which is run bythe back-up DC, takes as input the eight-tuple param-eter p*0 , where p*0 = (Da, K, SkS, IDS, PkS, IDR, PkR,Params). p*0 is similar to p* except for n and k. In thisalgorithm, the back-up DC signcrypts (i) the digest ofthe coded data and (ii) the symmetric encryption key.

� {?, (MAC, K)} VeD(CDa, CMK ). This algorithm,which is run by the receiver DC, takes as input theciphertext of the coded data CDa and the ciphertext ofboth of the digest and encryption key CMK . It returnsthe plaintext of the digest MAC and key K or a failuresymbol ?.

� {0, 1} Rep({CDa}, {K}). This algorithm, which isrun by the repairing DC, takes as input the collectionof coded data {CDa} and the encryption keys {K}. Itreturns 1 if the repairing proceeds successfully, or 0otherwise.

Figure 3. EncS process.

We now present our concrete ESDR scheme by describ-ing the details of these six algorithms earlier.

Init. The KGC chooses a bilinear group � = (p,G1,G2, e, g), and four cryptographic hash functions: H1 :{0, 1}* ! {0, 1}�, H2 : {0, 1}* ! G1, H3 :{0, 1}* ! G1, and H4 : {0, 1}* ! G1. Then it selectsMsk uniformly at random from Zp, sets Mpk = gMsk

and Params = (� , Mpk).KeyGen. This algorithm can be divided into two steps as

follows.

� The KGC generates the partial secret key KSk =H2(ID)Msk.

� The DC randomly chooses x from Zp as anotherpart of the secret key USk = x. Thus, the secretkey Sk = (x, KSk) and public key Pk = gx aredetermined.

EncS. This algorithm is composed of four steps illustratedin Figure 3. After these four steps, the coded data canbe send on the Internet securely.

EncR. This algorithm is similar to EncS. The only differ-ence is that it does not need to encode the original dataor encrypt it. On the other hand, it has to signcrypt(MAC, K) with its own settings.

VeD. This algorithm can be illustrated in Figure 4. Afterbeing successfully verified, the coded data can be



Figure 4. VeD process.

stored in the repairing DC or decrypted and used torecover the original information.

Rep. For each pair of (CDa, K), this algorithm can bedivided into two steps as follows.

� Decrypt(CDa, K):Decrypt the ciphertext CDa with the key K into

plaintext of coded data Da.� Reconstruct({Da}):

(1) Recover the original data with the collec-tion of {Da} with the MDS property of thecomplete graph-based MBR code.

(2) Return 1 if all the processes are successful,otherwise return ?.

5. SECUTITY ANALYSIS

In this section, we analysis data availability, data confiden-tiality, data authenticity, and data integrity of our proposalresponding to the security goals described in Section 3.

5.1. Data availability

Lemma 1. The ESDR scheme described in Section 4 cancorrectly repair the corrupted data if the bilinear map exitsand the number of failed notes is less than the thresholdvalue of MDS system.

Proof. Data availability in our ESDR system refers to twoaspects: the correctness of the signcryption operation andthe correctness of the exact repair with MBR code.

First, we check the signcryption (and de-sigcryption)processes. There are two equations to notice:

(1) T = e(KSkR, U)?= e (Mpk, H2(IDR))t:

We have e(KSkR, U) = e�

H2(IDR)Msk, gt�

and, on the other hand, e (Mpk, H2(IDR))t =

e�

gMsk, H2(IDR)�t

with the assignments. With

bilinearity, the equation of (1) holds.

(2) UxR ?= Pkt

R:We have UxR = gt�xR = Pkt

R with the assign-ments, hence, the equation of (2) holds.

Therefore, the authenticated DCs can extract theencryption key K. On decrypting the collection of CDa ina symmetric way, the once-failed DC can further recoverthe lost data.

Second, the code construction and regeneration areunique and correct as long as the MDS property is wellmaintained. The formal definitions and detailed proof arerefer to [28].

Therefore, Lemma 1 holds.

5.2. Data confidentiality

Lemma 2. The ESDR scheme described in Section 4is secure using the random oracle model if the GBDHassumption in (G1,G2) holds and the AES (AdvancedEncryption Standard) scheme is secure.

Proof. Data confidentiality in our ESDR scheme ismainly provided by the efficient symmetric encryptionon the code data and the signcryption on the encryptionkey. The security of the efficient symmetric encryptionused in our ESDR, AES, has been well proved by exit-ing literatures, as [30]. Furthermore, the detialed proof ofthe security of the certificateless signcryption we used issimilar to [27] in random oracle model under the assump-tion that the GBDH [31] problem is intractable on thebilinear group.

Therefore, Lemma 2 holds.

5.3. Data integrity

Data integrity in our ESDR scheme is well maintained bythe carefully designed enc2-mac-signcrypt paradigm. InESDR, the digest of the coded data is signcrypted afterbeing calculated. The attackers can never extract the digestof the coded data because of the Lemma 2 earlier, sothat they are not able to tamper or forge the coded data.Therefore, the integrity of the transferred data is providedin ESDR.

5.4. Data authenticity

Lemma 3. The data authenticity in ESDR scheme is wellmaintained using the random oracle model if the compu-tational Diffie–Hellman assumption in the presence of adecision bilinear Diffie–Hellman oracle in G1 holds.

Proof. Data authenticity in our ESDR scheme is well pro-tected by the certificateless signcryption. By sign-verifyconstruction in subprocess of Signcrypt and DSC, adver-saries cannot personate authenticated DC to send the coded


DOI: 10.1002/sec


data. We achieve the data authenticity by checking thefollowing equation:

e(Mpk, H2(IDS))e(U, ı0)e(PkS, ı1)?= e(g, W) (3)

We have e (Mpk, H2(IDS)) e(U, ı0)e(PkS, ı1) =

e�

gMsk, H2(IDS)�

e�gt, ı0

�e (gxS , ı1) and at the same

time e(g, W) = e�

g, H2(IDS)Msk�

e�g, ıt

0

�e (g, ı1)xS as

well. With bilinearity, the equation earlier holds only whenthe identity is authenticated. The detailed proof refersto [27].

Therefore, lemma 3 holds.From the previous analysis, we can conclude that

our ESDR scheme achieves the security goals presentedin Section 3.

6. PERFORMANCE EVALUATION

In this section, we will both theoretically and experimen-tally analyze and evaluate the performance of our ESDRscheme from the systematic view because it is a newparadigm of data repairing in cloud storage.

6.1. Theoretical analysis

In the ESDR system, several data centers in the cloud stor-age form a mutually back-up group. Originally, the systemis initialized, and the keys are generated; each data centercan process its data in an enc2-mac-signcrypt paradigm,before sending to the other data center for back-up. Asdetailed described earlier, original data are sequentiallyencoded, encrypted, and maced (the digest of it is calcu-lated), and then the digest along with the encryption key issigncrypted in our ESDR system. On receiving the codeddata, the receiver data center firstly verifies the authen-ticity and integrity of this data according to the CMK ,which is a part of the output of the algorithm EncS. Ifthe verification is successfully passed, the receiver datacenter stores the coded data and generates its own CMKby applying the algorithm EncR. All of the processes canbe dealed with in the system leisure time. Therefore, wedo not present the analysis of the time cost during theprevious processes, although it consumes not too muchtime yet.

The response time (RT) cost and communication band-width (CB) cost when the storage corruption-recoveringoccurs, as well as the extra storage (ES) cost for codeddata, are more important to benchmark the quality of thecloud storage service. Therefore, we detailedly discussthese three performance indicators: RT , CB, and ES in ourESDR scheme.

Once the storage corruption occurs, the recovery datacenter will receive the collection of the coded data fromother data centers. Because the transmission process ofthe coded data is not included in our ESDR system, RTrefers to the time cost on each block of coded data

during the process including three phases: (i) verifying theauthenticity and integrity of the coded data; (ii) decryptingthe ciphertext of the coded data; and (iii) reconstructingthe original data. Phase (i) includes the procedure of oneDSC and one HMAC; phase (ii) involves one symmetricdecryption, and phase (iii) deals with a data reconstruc-tion. Hence, for each block of coded data, the time cost is3tH + 4te + tp + TM + TE + TR, where tH refers to the timecost in the operation of hash on the parameter strings, terefers to the time cost in the operation of bilinear map onthe elements of G1, tp refers to the time cost in the oper-ation of point multiplication on the elements of G1, TMrefers to the time cost in the calculation of the digest ofthe coded data, and TE and TR refer to the time cost inthe operation of symmetric decryption on the coded dataand of data reconstruction, respectively. Therefore, if thenumber of data centers in the group is n, then we have theresponse time

RT = n ��3tH + 4te + tp + TM + TE + TR

�(4)

Because we carefully design the enc2-mac-signcryptparadigm in ESDR, the process of signecryption isoperated on the message of both the digest MAC andthe encryption Key K, which are infinitesimally smallcompared with the coded data. Moreover, the encryp-tion scheme we used in ESDR is symmetric, suchas AES. In this formula, TM , TE, and TR are pro-portional with the scale of the original data |OD|,respectively. Therefore, our ESDR scheme is practicallyefficient under the circumstances that data security is wellmaintained.

The communication bandwidth CB cost refers to thesize of the total downloaded coded data along with secu-rity assurance messages. According to Equations (1) and(2), if the size of the original data is |OD|, then the size oftotal downloaded coded data is ˛n � |OD| = 2|M|d

n�(2kd–k2+k)�

|OD| = n–1n � |OD|. On the other hand, the security assur-

ance messages refer to the output of the algorithm EncRfrom every other data center. Hence, the size of the secu-rity assurance messages is n �

ˇ̌CMK

ˇ̌. Therefore, we have

the communication bandwidth cost

CB =n – 1

n� |OD| + n �

ˇ̌CMK

ˇ̌(5)

Because the size of the message CMK is much smallerthan the coded data, we can find out that the communica-tion bandwidth cost CB is still smaller than the size of theoriginal data |OD|.

The extra storage ES cost refers to the size of codeddata stored on each data center in the cloud storage system.According to Equations (1) and (2) as well as the analysisearlier, if the size of the original data is |OD|, we have theextra storage cost

ES =d

|M|� |OD| +

ˇ̌CMK

ˇ̌(6)



Table I. The system overhead analysis of efficient and securedata repairing.

Expenditure

Response time n � (3tH + 4te + tp + TM + TE + TR)

Bandwidth n–1n � |OD| + n � |CMK |

Extra storage d|M| � |OD| + |CMK |

Because of the same reason earlier, the extra storage costcan be acceptable, especially when the required number ofcoded data blocks k is small enough.

With the overall analysis of the cost of (i) the responsetime, (ii) the communication bandwidth, and (iii) the extrastorage, illustrated in Table I, we can find out that ourESDR is practically efficient because of (i) the proposedenc2-mac-signcrypt paradigm, (ii) the efficient regenerat-ing code, and (iii) the compact certificateless signcryptionstructure.

6.2. Experimental results

In this part, we implement our ESDR scheme. Thesimulations of this scheme are conducted on the PC

with a 2.8-GHz processor, 4-G main memory, and32 bit Linux OS. In the implementation, we usePBC (Pairing Based Cryptography) [32] and chooseparameters over 512-bit finite field for signcryption. Weset n = 12, k = 3,˛ = n – 1 = 11 for thegenerating code.

We conducted the simulations of the three performanceindicators in ESDR: (i) the response time cost, (ii) thecommunication bandwidth cost, and (iii) the extra stor-age cost. In this experimental environment, we evaluatethe performance of ESDR with the sizes of original data|OD| = 128, 258, 512, 1024, 2048, 4096 MB.

The response time cost grows linearly with the sizeof the original data, as illustrated in Figure 5. Theresults of this experiment are compatible with the formulaEquation (4) in theoretical analysis. In the experiment set-ting, n is constant, and tH , te, tp are constant as well. WhileTM , TE, and TR are proportional with the scale of the orig-inal data |OD|, respectively, the response time cost RT islinear with the size of the original data. More detailedly,when the size of original data rises to 4 GB, our ESDR costabout 17 min to securely reconstruct the corrupted dataon the low power PC. It is practically efficient, because

Figure 5. Response time cost.

Figure 6. Communication bandwidth cost.


DOI: 10.1002/sec


Figure 7. Extra storage cost.

the ESDR serves as an repairing system against storagecorruption in disaster cases for the cloud storage. On theother hand, computation capacity is tremendous in realcloud storage environment.

Furthermore, the communication bandwidth cost riseslinearly with the size of the original data, as presented inFigure 6. The results of this experiment are also consistentwith the formula Equation (5) in theoretical analysis. Inthe experiment setting, n is constant, and CMK is constantand small. Therefore, the communication bandwidth CBis linear with the size of the original data. More specif-ically, the scale of transferred coded data totally reachesno more than the size of the original data because of theefficient encode scheme and the encapsulation mechanismin ESDR.

Moreover, the extra storage cost on every other datacenter increases linearly with the size of the original data,as shown in Figure 7. The results of this experiment agreewell with the formula Equation (6) in theoretical analysis.In the experiment setting, k = 3. With the second propertyof MBR code Equation (2), the extra storage cost on everyother data center ES is obviously linear with the size of theoriginal data. It is acceptable that the size of the extra datastored on every other DC is slightly over 1/3 of the size ofthe original data.

From the previous experimental evaluation, we find outthat our ESDR scheme enables the data centers in the cloudstorage to securely back up and reconstruct the data on anyof the data center in a practically efficient way. We achievethis by using the proposed enc2-mac-signcrypt paradigmand by introducing the efficient regenerating code as wellas the compact signcryption mechanism.

7. CONCLUSION

We proposed a new data repairing paradigm (ESDR).The merit of this paradigm is that the original data on acorrupted data center can be efficiently and securely recon-structed with the help of the other DCs by collecting the

coded data through the open channel. The ESDR systemachieves the security goals of data availability as well asdata CIA, which can counter the threats such as storagecorruption in disaster cases, content leakage, temperingattacks, and pollution attacks. We constructed an ESDRscheme by proposing a enc2-mac-signcrypt paradigm andintroducing an efficient regenerating code along with thecompact certificateless signcryption technique. We theo-retically analyzed and experimentally evaluated the per-formance of our ESDR scheme, which confirms that oursecure data paradigm is practically efficient and secure.Future works in this area may refer to the optimizationof the underlying techniques. It is meaningful to constructnew regenerating codes to reduce the overhead of commu-nication. On the other hand, more efficient cryptographicprimitives are in demand to address the security challenges.

ACKNOWLEDGEMENTS

The authors would like to thank the reviewers for theirdetailed reviews and constructive comments, which havehelped improve the quality of this paper. This workwas supported in part by National High-Tech Researchand Development Program of China (“863” Program)under Grant No. 2015AA016004 and National NaturalScience Foundation of China under Grants No. 61173154,61272451, 61572380, 61572379.

REFERENCES1. Armbrust M, Fox A, Griffith R, Joseph AD, Katz

RH, Konwinshi A, Lee G, Patterson AD, Rabkin A,Stoica I, Zaharia M. A view of cloud computing.Communications of the ACM 2010; 53(4): 50–58.

2. Wang Q, Wang C, Li J, Ren K, Luo WJ. EnablingPublic Verifiability and Data Dynamics for StorageSecurity in Cloud Computing. In 14th European Sym-posium on Research in Computer Security (ESORICS),



LNCS, Vol. 5789. Springer: Saint-Malo, 2009; 355–370.

3. Wang C, Wang Q, Ren K, Luo W. Privacy-preservingpublic auditing for data storage security in cloud com-puting. In 29th IEEE International Conference onComputer Communications (INFOCOM). IEEE: SanDiego, 2010; 1–9.

4. Bowers KD, Juels A, Oprea A. HAIL: a high-availability and integrity layer for cloud storage. InProceedings of the 2009 ACM Conference on Com-puter and Communications Security (CCS). ACM:Chicago, 2009; 187–198.

5. Dabek F, Kaashoek MF, Karger DR, Morris R,Stoica I. Wide-Area Cooperative Storage with CFS. InProceedings of the 18th ACM Symposium on Operat-ing System Principles (SOSP). ACM: Alberta, 2001;202–215.

6. Chang CC, Sun CY, Cheng TF. A dependable stor-age service system in cloud environment. Security andCommunication Networks 2015; 8(4): 574–588.

7. Dhasarathan C, Thirumal V, Ponnurangam D. Dataprivacy breach prevention framework for the cloud ser-vice. Security and Communication Networks 2015; 8(6): 982–1005.

8. Weatherspoon H, Kubiatowicz J. Erasure Coding VS.Replication: A Quantitative Comparison”. In Peer-to-Peer Systems, First International Workshop (IPTPS2002), LNCS, Vol. 2429. Springer: Cambridge, 2006;328–338.

9. Rashmi KV, Shah NB, Ramchandran K, KumarPV. Regenerating codes for errors and erasuresin distributed storage. In Proceedings of the 2012IEEE International Symposium on Information Theory(ISIT). IEEE: Cambridge, 2012; 1202–1206.

10. Shum KW, Hu Y. Exact Minimum-Repair-BandwidthCooperative Regenerating Codes for Distributed Stor-age Systems. In Proceedings of the 2011 IEEE Inter-national Symposium on Information Theory (ISIT).IEEE: Petersburg, 2011; 1442–1446.

11. Rashmi KV, Shah NB, Kumar PV. Optimal exact-regenerating codes for distributed storage at the MSRand MBR points via a product-matrix construction.IEEE Transactions on Information Theory 2011; 57(8): 5227–5239.

12. Liu J, Huang K, Rong H, Wang H, Xian M.Privacy-preserving public auditing for regenerating-code-based cloud storage. IEEE Transactions onInformation Forensics and Security 2015; 10 (7):1513–1528.

13. Juels A, Jr BSK. PORs: Proofs of Retrievability forLarge Files. In Proceedings of the 2007 ACM Con-ference on Computer and Communications Security(CCS). ACM: Alexandria, 2007; 584–597.

14. Ateniese G, Burns RC, Curtmola R, Herring J,Kissner L, Perterson ZNJ, Song DX. Provable DataPossession at Untrusted Stores. In Proceedings of the2007 ACM Conference on Computer and Commu-nications Security (CCS). ACM: Alexandria, 2007;598–609.

15. Shacham H, Waters B. Compact proofs of retrievabil-ity. In Advances in Cryptology - ASIACRYPT, LNCS,Vol. 5350. Springer: Melbourne, 2008; 90–107.

16. Yu J, Ren K, Wang C, Varadharajan V. Enabling cloudstorage auditing with key-exposure resistance. IEEETransactions on Information Forensics and Security2015; 10(6): 1167–1179.

17. Dimakis AG, Ramchandran K, Wu Y, Suh C. A surveyon network codes for distributed storage. Proceedingsof the IEEE 2011; 99(3): 476–489.

18. Chen J, He K, Du R, Xiang Y. Dominating set andnetwork coding-based routing in wireless mesh net-works. IEEE Transactions on Parallel and DistributedSystems 2016; 26(2): 423–433.

19. Dimakis AG, Godfrey B, Wu Y, Wainwright WJ,Ramchandran K. Network coding for distributedstorage systems. IEEE Transactions on InformationTheory 2010; 56(9): 4539–4551.

20. Chen HCH, Hu Y, Lee PPC, Tang Y. NCCloud: anetwork-coding-based storage system in a cloud-of-clouds. IEEE Transactions on Computers 2014; 63(1):31–44.

21. Ernval T. Codes between MBR and MSR points withexact repair property. IEEE Transactions on Informa-tion Theory 2014; 60(11): 6993–7005.

22. Al-Ryami S S, Paterson K G. Certificateless publickey cryptography. In Advances in Cryptology - ASI-ACRYPT, LNCS, Vol. 2894. Springer: Taipei, 2003;452–473.

23. Waters B. Efficient identity-based encryption with-out random oracles. In Advances in Cryptology—EUROCRYPT, LNCS, Vol. 3494. Springer: Aarhus,2005; 114–127.

24. Huang X, Mu Y, Susilo W, Wong DS, Wu W. Certifi-cateless signatures: new schemes and security models.The Computer Journal 2012; 55(4): 457–474.

25. He D, Tian M, Chen J. Insecurity of an efficientcertificateless aggregate signature with constant pair-ing computations. Information Sciences 2014; 268:458–462.

26. Li J, Zhao J, Zhang Y. Certificateless online/offlinesigncryption scheme. Security and CommunicationNetworks 2015; 8(11): 1979–1990.

27. Manuel B, Pooya F. Certificateless signcryption. InProceedings of the 2008 ACM Symposium on Infor-mation, Computer and Communications Security (ASI-ACCS). ACM: Tokyo, 2008; 369–372.


DOI: 10.1002/sec


28. Rashmi KV, Shah NB, Kumar PV, Ramchandran K.Explicit construction of optimal exact regeneratingcodes for distributed storage. In 47th Annual AllertonConference on Communication, Control, and Comput-ing. IEEE: Urbana-Champaign, 2009; 1243–1249.

29. Dan B, Matt F. Identity-based Encryption from theWeil pairing. In Advances in Cryptology - CRYPTO,LNCS, Vol. 2139. Springer: Santa Barbara, 2001;213–229.

30. Daemen J, Rijimen V. The Design of Rijndael: AES—The Advanced Encryption Standard. Springer: Heidel-berg, 2002.

31. Dan B, Ben L. Short signatures from the Weilpairing. In Advances in Cryptology - ASIACRYPT,LNCS, Vol. 2248. Springer: Gold Coast, 2001;514–532.

32. Ben L. PBC Library, 2006. http://crypto.stanford.edu/pbc [Accessed on 20 January 2015].


http://crypto.stanford.edu/pbc

http://crypto.stanford.edu/pbc

ESDR: An Efficient and Secure Data Repairing Paradigm in ... · privacy-preserving issue in public...

Documents

Transcript of ESDR: An Efficient and Secure Data Repairing Paradigm in ... · privacy-preserving issue in public...