Identity-Based Proxy-Oriented Data Uploading and Remote ...€¦ · Identity-Based Proxy-Oriented...

1

Identity-Based Proxy-Oriented Data Uploading andRemote Data Integrity Checking in Public Cloud

Huaqun Wang, Debiao He, Shaohua Tang

Abstract—More and more clients would like to store their datato PCS (public cloud servers) along with the rapid developmentof cloud computing. New security problems have to be solvedin order to help more clients process their data in public cloud.When the client is restricted to access PCS, he will delegate itsproxy to process his data and upload them. On the other hand,remote data integrity checking is also an important securityproblem in public cloud storage. It makes the clients checkwhether their outsourced data is kept intact without downloadingthe whole data. From the security problems, we propose anovel proxy-oriented data uploading and remote data integritychecking model in identity-based public key cryptography: ID-PUIC (identity-based proxy-oriented data uploading and remotedata integrity checking in public cloud). We give the formaldefinition, system model and security model. Then, a concreteID-PUIC protocol is designed by using the bilinear pairings.The proposed ID-PUIC protocol is provably secure based onthe hardness of CDH (computational Diffie-Hellman) problem.Our ID-PUIC protocol is also efficient and flexible. Based on theoriginal client’s authorization, the proposed ID-PUIC protocolcan realize private remote data integrity checking, delegatedremote data integrity checking and public remote data integritychecking.

Index Terms—Cloud computing, Identity-based cryptography,Proxy public key cryptography, Remote data integrity checking

I. I NTRODUCTION

Along with the rapid development of computing and com-munication technique, a great deal of data are generated. Thesemassive data needs more strong computation resource andgreater storage space. Over the last years, cloud computingsatisfies the application requirements and grows very quickly.Essentially, it takes the data processing as a service, such asstorage, computing, data security,etc. By using the publiccloud platform, the clients are relieved of the burden forstorage management, universal data access with independentgeographical locations,etc. Thus, more and more clients wouldlike to store and process their data by using the remote cloudcomputing system.

In public cloud computing, the clients store their massivedata in the remote public cloud servers. Since the stored datais outside of the control of the clients, it entails the security

H. Wang is with the College of Computer, Nanjing University ofPosts and Telecommunications, Nanjing 210003, China, and also withthe State Key Laboratory of Cryptology, Beijing 100878, China (e-mail:[email protected]).

D. He is with the State Key Laboratory of Software Engineering, Com-puter School, Wuhan University, Wuhan 430072, China (e-mail: [email protected]).

S. Tang is with the School of Computer Science, South China Universityof Technology, Guangzhou 510006, China (e-mail: [email protected]).

risks in terms of confidentiality, integrity and availability ofdata and service. Remote data integrity checking is a primitivewhich can be used to convince the cloud clients that their dataare kept intact. In some special cases, the data owner may berestricted to access the public cloud server, the data owner willdelegate the task of data processing and uploading to the thirdparty, for example the proxy. On the other side, the remotedata integrity checking protocol must be efficient in order tomake it suitable for capacity-limited end devices. Thus, basedon identity-based public cryptography and proxy public keycryptography, we will study ID-PUIC protocol .

A. Motivation

In public cloud environment, most clients upload their datato PCS and check their remote data’s integrity by Internet.When the client is an individual manager, some practicalproblems will happen. If the manager is suspected of beinginvolved into the commercial fraud, he will be taken away bythe police. During the period of investigation, the managerwill be restricted to access the network in order to guardagainst collusion. But, the manager’s legal business will goon during the the period of investigation. When a large ofdata is generated, who can help him process these data ?If these data cannot be processed just in time, the managerwill face the lose of economic interest. In order to preventthe case happening, the manager has to delegate the proxy toprocess its data, for example, his secretary. But, the managerwill not hope others have the ability to perform the remote dataintegrity checking. Public checking will incur some danger ofleaking the privacy. For example, the stored data volume canbe detected by the malicious verifiers. When the uploaded datavolume is confidential, private remote data integrity checkingis necessary. Although the secretary has the ability to processand upload the data for the manager, he still cannot check themanager’s remote data integrity unless he is delegated by themanager. We call the secretary as the proxy of the manager.

In PKI (public key infrastructure), remote data integritychecking protocol will perform the certificate management.When the manager delegates some entities to perform theremote data integrity checking, it will incur considerableoverheads since the verifier will check the certificate whenit checks the remote data integrity. In PKI, the considerableoverheads come from the heavy certificate verification, certifi-cates generation, delivery, revocation, renewals,etc. In publiccloud computing, the end devices may have low computationcapacity, such as mobile phone, ipad,etc. Identity-based publickey cryptography can eliminate the complicated certificate

IEEE Transactions on Information Forensics and Security (Volume:11 , Issue: 6 ),21 January 2016

2

management. In order to increase the efficiency, identity-based proxy-oriented data uploading and remote data integritychecking is more attractive. Thus, it will be very necessary tostudy the ID-PUIC protocol.

B. Related work

There exist many different security problems in the cloudcomputing [1], [2]. This paper is based on the research resultsof proxy cryptography, identity-based public key cryptographyand remote data integrity checking in public cloud. In somecases, the cryptographic operation will be delegated to thethird party, for example proxy. Thus, we have to use theproxy cryptography. Proxy cryptography is a very importantcryptography primitive. In 1996, Mamboet al. proposed thenotion of the proxy cryptosystem [3]. When the bilinear pair-ings are brought into the identity-based cryptography, identity-based cryptography becomes efficient and practical. Sinceidentity-based cryptography becomes more efficient because itavoids of the certificate management, more and more expertsare apt to study identity-based proxy cryptography. In 2013,Yoon et al. proposed an ID-based proxy signature schemewith message recovery [4]. Chenet al. proposed a proxysignature scheme and a threshold proxy signature schemefrom the Weil pairing [5]. By combining the proxy cryptog-raphy with encryption technique, some proxy re-encryptionschemes are proposed. Liuet al. formalize and construct theattribute-based proxy signature [6]. Guoet al. presented anon-interactive CPA(chosen-plaintext attack)-secure proxy re-encryption scheme, which is resistant to collusion attacks inforging re-encryption keys [7]. Many other concrete proxyre-encryption schemes and their applications are also pro-posed [8], [9], [10].

In public cloud, remote data integrity checking is an im-portant security problem. Since the clients’ massive data isoutside of their control, the clients’ data may be corruptedby the malicious cloud server regardless of intentionally orunintentionally. In order to address the novel security problem,some efficient models are presented. In 2007, Atenieseet al.proposed provable data possession (PDP) paradigm [11]. InPDP model, the checker can check the remote data integritywithout retrieving or downloading the whole data. PDP isa probabilistic proof of remote data integrity checking bysampling random set of blocks from the public cloud server,which drastically reduces I/O costs. The checker can perfor-m the remote data integrity checking by maintaining smallmetadata. After that, some dynamic PDP model and protocolsare designed [12], [13], [14], [15], [16]. Following Atenieseet al.’s pioneering work, many remote data integrity checkingmodels and protocols have been proposed [17], [18], [19].In 2008, proof of retrievability (POR) scheme was proposedby Shachamet al. [20]. POR is a stronger model whichmakes the checker not only check the remote data integrity butalso retrieve the remote data. Many POR schemes have beenproposed [21], [22], [23], [24], [25], [26]. On some cases,the client may delegate the remote data integrity checkingtask to the third party. In cloud computing, the third partyauditing is indispensable [27], [28], [29], [30]. By using

cloud storage, the clients can access the remote data withindependent geographical locations. The end devices may bemobile and limited in computation and storage. Thus, efficientand secure ID-PUIC protocol is more suitable for cloud clientsequipped with mobile end devices.

From the role of the remote data integrity checker, allthe remote data integrity checking protocols are classifiedinto two categories: private remote data integrity checkingand public remote data integrity checking. In the responsechecking phase of private remote data integrity checking, someprivate information is indispensable. On the contrary, privateinformation is not required in the response checking of publicremote data integrity checking. Specially, when the privateinformation is delegated to the third party, the third party canalso perform the remote data integrity checking. In this case,it is also called delegated checking.

C. Contributions

In public cloud, this paper focuses on the identity-basedproxy-oriented data uploading and remote data integrity check-ing. By using identity-based public key cryptology, our pro-posed ID-PUIC protocol is efficient since the certificate man-agement is eliminated. ID-PUIC is a novel proxy-orienteddata uploading and remote data integrity checking model inpublic cloud. We give the formal system model and securitymodel for ID-PUIC protocol. Then, based on the bilinearpairings, we designed the first concrete ID-PUIC protocol. Inthe random oracle model, our designed ID-PUIC protocol isprovably secure. Based on the original client’s authorization,our protocol can realize private checking, delegated checkingand public checking.

D. Paper Organization

The paper is organized below. The formal system model andsecurity model of ID-PUIC protocol are given in Section II.The concrete protocol, performance analysis and prototypeimplementation are presented in Section III. Section IV ana-lyzes the proposed ID-PUIC protocol’s security. The proposedprotocol is provably secure. At the end of the paper, theconclusion is given in Section V.

II. SYSTEM MODEL AND SECURITY MODEL OFID-PUIC

In this section, we give the system model and security modelof ID-PUIC protocol. An ID-PUIC protocol consists of fourdifferent entities which are described below:

1) OriginalClient: an entity, which has massive data to beuploaded toPCS by the delegated proxy, can performthe remote data integrity checking.

2) PCS(Public Cloud Server): an entity, which is managedby cloud service provider, has significant storage spaceand computation resource to maintain the clients’ data.

3) Proxy: an entity, which is authorized to process theOriginalClient’s data and upload them, is selected andauthorized byOriginalClient. WhenProxy satisfies thewarrantmω which is signed and issued byOriginal-Client, it can process and upload the original client’sdata; otherwise, it can not perform the procedure.


3

4) KGC (Key Generation Center): an entity, when receivingan identity, it generates the private key which corre-sponds to the received identity.

In our proposed ID-PUIC protocol,OriginalClient willinteract with PCS to check the remote data integrity. Thus,we give the the definition of interactive proof system. Then,we give the formal definition and security model of ID-PUICprotocol.

Definition 1 (Interactive proof system):[31] Let c, s : N→R be functions satisfyingc(n) > s(n) + 1

p(n) for some poly-nomialp(·). An interactive pair(P, V ) is called an interactiveproof system for the languageL, with completeness boundc(·) and soundness bounds(·), if

1) Completeness: for everyx ∈ L, Pr[< P, V > (x) =1] ≥ c(|x|).

2) Soundness: for everyx 6∈ L and every interactivemachineB, Pr[< B, V > (x) = 1] ≤ s(|x|).

In the definition of ID-PUIC,i.e., Definition 2, we will takeuse of the interactive proof system.

Definition 2 (ID-PUIC): An ID-PUIC protocol is a collec-tion of four phases (Setup, Extract, Proxy-key Generation,TagGen) and an interactive proof system (Proof). The detailedphases are described below.

1) Setup: When the security parameterk is input, thealgorithm outputs the system public parameters and themaster secret key. The system public parameters aremade public and the master secret keymsk is madeconfidential by KGC.

2) Extract: When the system public parameters, the mastersecret keymsk, and an identityID are input, KGCoutputs the private keyskID which corresponds to theidentity ID.

3) Proxy-key Generation: OriginalClient generates the war-rant mω and signsmω. Then, it sends the warrant-signature pair to the proxy. Upon receiving the warrant-signature pair fromOriginalClient, the proxy generatesthe proxy-key by using its own private key.

4) TagGen: Input the file blockFi and the proxy-key,the proxy generates the corresponding tagTi. Then, ituploads the block-tag pair toPCS.

5) Proof: It is an interactive proof system betweenPCSand OriginalClient. At the end of the interactive proofprotocol, OriginalClient outputs a bit{0|1} denoting“success” or “failure”.

A practical ID-PUIC protocol must be efficient and provablysecure. Based on the communication and computation over-heads, efficiency analysis can be given. On the other hand, asecure ID-PUIC protocol must satisfy the following securityrequirements:

1) OriginalClient can perform the ID-PUIC protocol with-out the local copy of the file(s) to be checked.

2) Only if the proxy is authorized,i.e., it satisfies thewarrantmω, the proxy can process the files and uploadthe block-tag pairs on behalf ofOriginalClient.

3) OriginalClient cannot counterfeit the proxy to generateblock-tag pairs,i.e., the proxy-protection property issatisfied.

4) If some challenged block-tag pairs are modified or lost,PCS’s response cannot passOriginalClient’s integritychecking.

To capture the above security requirements, we formalizethe security definition of an ID-PUIC protocol. First, we givethe formal definition of proxy-protection.

Definition 3 (Proxy-protection):An ID-PUIC protocol sat-isfies the property of proxy-protection if for the probabilisticpolynomial time adversaryA1, the probability thatA1 winsthe ID-PUIC game-1 is negligible. The ID-PUIC game-1betweenA1 and the challengerC1 is given below:

1) Setup: The challengerC1 runsSetup and gets the systempublic parameters and master secret key. By runningExtract, C1 getsOriginalClient IDo’s private keyskIDo

and the proxyIDp’s private keyskIDp. It sends the

public parameters andOriginalClient IDo’s private keyskIDo

toA1 while it keeps confidential the master secretkey msk and the proxyIDp’s private keyskIDp

.2) Oracle queries: A1 adaptively queries the oraclesEx-

tract, Hash, Proxy-key Generation, TagGento C1 below:

• Extract queries.A1 queries the entityID’s privatekey to C1. For the identityID, C1 runsExtract andgets the private keyskID. Then, it forwardsskIDto A1. DenoteS as the queried identity set in thephase. The restriction is thatIDp cannot be queriedin the phase,i.e., IDp 6∈ S.

• Hash queries.A1 querieshashoracle toC1 adap-tively. C1 respondsA1 the hashvalues.

• Proxy-key Generation queries. A1 sends(ID′

o, ID′p) to C1 and queries the proxy-key where

the original client isID′o and the proxy isID′

p.DenoteS′ as the set which is composed of all thequeried original client identity and proxy identitypairs. The restriction is that(IDo, IDp) 6∈ S′.

• TagGenqueries.A1 makes block-tag pair queriesadaptively. For the blockFi, C1 computes its tagTi

and respondsA1 with Ti.

At the end of game-1,A1 outputs the forged block-tagpair (F ′, T ′) with non-negligible probability, whereF ′

has not been queried toTagGenoracle. If (F ′, T ′) isvalid block-tag pair, thenA1 wins the above game withnon-negligible probability.

The security definition 3 gives the formal security defini-tion for proxy-protection property of ID-PUIC protocol. LetOriginalClient be the adversary. IfOriginalClient cannot winthe ID-PUIC game-1 with non-negligible probability, then theID-PUIC protocol satisfies the proxy-protection property. Thefollowing definition formalizes another security property ofID-PUIC protocol,i.e., Unforgeability.

Definition 4 (Unforgeability):An ID-PUIC protocol satis-fies the security property of unforgeability if for any proba-bilistic polynomial time adversaryA2 (i.e., malicious PCS) theprobability thatA2 wins the following ID-PUIC game-2 on aset of file blocks is negligible. LetIDo be the original client.Let IDp be IDo’s proxy who uploads the block-tag pairs toPCS. The ID-PUIC game-2 between the adversaryA2 and thechallengerC2 is given below:


4

1) Setup: C2 runsSetup and gets system public parame-ters and master secret key. It sends the system publicparameters toA2 while it keeps confidential the mastersecret keymsk.

2) First-Phase Queries: A2 adaptively makesExtract,Hash, Proxy-key Generation, TagGenqueries toC2. C2respondsA2.

• Extract queries.A2 queries ID’s private key. Byrunning Extract, C2 gets the corresponding privatekey skID and sends it toA2. DenoteS1 as thequeried identity set in the first-phase. The restrictionis thatIDp 6∈ S1.

• Hash queries.A2 queriesHash oracle adaptively.C2 sendsHashvalues toA2.

• Proxy-key Generation queries. A2 sends(ID′

o, ID′p) to C2 and queries the proxy-key where

the original client isID′o and the proxy isID′

p.DenoteS2 as the set which is composed of all thequeried original client identity and proxy identitypairs. The restriction is that(IDo, IDp) 6∈ S2.

• TagGenqueries.A2 makes block-tag pair queriesadaptively. For the blockFi, C2 computes the tagTi and sends it back toA2. DenoteS3 as the set ofindex that the corresponding block tags have beenqueried in the first-phase.

3) Challenge: For the original clientIDo and the prox-y IDp, C2 generates a challengechal which definesan ordered collection{i1, i2, · · · , ic}, where IDp 6∈S1, (IDo, IDp) 6∈ S2, {i1, i2, · · · , ic} * S3, and c isa positive integer.A2 is required to provide the remotedata integrity proof for the blocksFi1 , · · · , Fic .

4) Second-Phase Queries: Similar to the First-PhaseQueries. DenoteS′

1 as the queried identity set inExtractof the second-phase queries. DenoteS′

2 as the setwhich is composed of all the queried original clientidentity and proxy identity pairs inProxy-key Gener-ation of the second-phase queries. DenoteS′

3 as theset of index that the corresponding block tags havebeen queried inTagGenof the second-phase queries.The restriction is thatIDp 6∈ S1

⋃S′1, (IDo, IDp) 6∈

S2

⋃S′2, {i1, i2, · · · , ic} * S′

3.5) Forge:A2 responsesθ for the challengechal.

If the responseθ can passC2’s verification, the adversaryA2

wins the ID-PUIC game-2.

Definition4 states that, if some challenged blocks have beenmodified or deleted, the maliciousPCScannot generate a validremote data integrity proof. On the other hand, a practical ID-PUIC protocol also needs to convince the client that all of hisoutsourced data is kept integer with a high probability. Thefollowing definition states the security requirement.

Definition 5 ((ρ, δ) security): An ID-PUIC protocol satis-fies the security(ρ, δ) if PCScorruptedρ fraction of the wholeblocks, the probability that the corrupted blocks are detectedis at leastδ.

The notations throughout this paper are listed in Table I.

TABLE INOTATIONS AND DESCRIPTIONS

Notations DescriptionsG1 Cyclic multiplicative group with orderqG2 Cyclic multiplicative group with orderqZ∗

q {1, 2, · · · , q − 1}g A generator ofG1

H,h Two cryptographic hash functionsf Pseudo-random functionπ Pseudo-random permutation

(x, Y ) Master secret/public key pair(IDo, skIDo) Original client’s identity-private key pair

whereskIDo = (Ro, σo)(IDp, skIDp) Proxy’s identity-private key pair

whereskIDp = (Rp, σp)σ The generated proxy-keyn The block number

F = (F ′

1, · · · , F′

n) The stored fileF is split inton blocksPCS Public cloud serverO Original clientu The public parameter which is

picked by the original client(Ni, i) Ni denotes thei-th blockF ′

i ’sname and other properties

(Fi, Ti) The i-th block-tag pairvi The permutated indexvi = πk1(i) of i

θ = (F , T ), PCS’s responseCp, Time cost of bilinear pairings onG1

Ce, Time cost of exponentiation onG1

Cm, Time cost of multiplication onG1

mω, The warrant which is generated and signedby the original client

III. T HE PROPOSEDID-PUIC PROTOCOL

In this section, we propose an efficient ID-PUIC protocolfor secure data uploading and storage service in public clouds.Bilinear pairings technique makes identity-based cryptographypractical. Our protocol is built on the bilinear pairings. Wefirst review the bilinear pairings. Then, the concrete ID-PUICprotocol is designed from the bilinear pairings. At last, basedon the computation cost and communication cost, we give theperformance analysis from two aspects: theoretical analysisand prototype implementation.

A. Bilinear pairings

DenoteG1 andG2 as two cyclic multiplicative groups whohave the same prime orderq. LetZ∗

q denote the multiplicativegroup of the fieldFq. Bilinear pairings is a bilinear mape :G1 × G1 → G2 [32] which satisfies the properties below:

1) Bilinearity: ∀g1, g2, g3 ∈ G1 anda, b ∈ Z∗q ,

e(g1, g2g3) = e(g2g3, g1) = e(g2, g1)e(g3, g1)e(g1

a, g2b) = e(g1, g2)

ab

2) Non-degeneracy:∃g4, g5 ∈ G1 such thate(g4, g5) 6=1G2 .

3) Computability:∀g6, g7 ∈ G1, there is an efficient algo-rithm to computee(g6, g7).

The concrete bilinear pairingse can be constructed byusing the modified Weil [33] or Tate pairings [34] on ellipticcurves. Our ID-PUIC protocol construction takes use of the


5

easiness of DDH (Decisional Diffie-Hellman) problem whileits security is based on the hardness of CDH (ComputationalDiffie-Hellman) problem. Letg be a generator ofG1. CDHproblem and DDH problem are defined below.

Definition 6 (CDH Problem onG1): Given the triple(g, ga, gb) ∈ G31 where a, b ∈ Zq are unknown, computegab ∈ G1.

Definition 7 (DDH Problem onG1): Given the quadruple(g, ga, gb, g) ∈ G41 where a, b ∈ Z∗

q are unknown, decidewhether or not the formulagab = g holds.

In the paper, we choose the groupG1 which satisfies thecondition that CDH problem is difficult but DDH problemis easy. On the groupG1, DDH problem is easy by usingthe bilinear pairings. (G1,G2) are also called GDH (GapDiffie-Hellman) groups. On the groupsG1 andG2, the basicrequirement is that the DLP (Discrete Logarithm Problem) isdifficult. Let g2 be a generator ofG2. It is given below:

Definition 8 (DLP onG1): Given (g, ga) wherea ∈ Z∗q is

unknown, it is difficult to calculatea.Definition 9 (DLP onG2): Given(g2, ga2 ) wherea ∈ Z∗

q isunknown, it is difficult to calculatea.

In the paper, we choose the groupsG1 andG2 which satisfythatDLP,CDH are difficult whileDDH is easy.

B. Our Concrete ID-PUIC Protocol

This concrete ID-PUIC protocol comprises four procedures:Setup, Extract, Proxy-key generation, TagGen, and Proof. Inorder to show the intuition of our construction, the concreteprotocol’s architecture is depicted in Figure 1. First,Setupisperformed and the system parameters are generated. Basedon the generated system parameters, the other procedures areperformed as Figure 1. It is described below: (1) In the phaseExtract, when the entity’s identity is input, KGC generatesthe entity’s private key. Especially, it can generate the privatekeys for the client and the proxy. (2) In the phaseProxy-keygeneration, the original client creates the warrant and helps theproxy generate the proxy key. (3) In the phaseTagGen, whenthe data block is input, the proxy generates the block’s tagand upload block-tag pairs toPCS. (4) In the phaseProof, theoriginal clientO interacts withPCS. Through the interaction,O checks its remote data integrity.

Following the protocol’s architecture, we give the concreteconstruction below. Without loss of generality, suppose thatthe proxy plans to upload the fileF . According to the size ofF , we split it into multiple blocks. Suppose thatF is split inton blocks, i.e., F = (F1, · · · , Fn). Fi denotes thei-th blockof F . Let Ni contain the name and attributes of the blockFi.(Ni, i) will be used to create the tag ofFi. The phases aredescribed in detail as the following.

• Setup: Let G1,G2 be the two groups ande be the bilinearpairings which are given in the section III-A. BothG1and G2 have the same orderq. Let g be a generatorgof the groupG1. Two cryptographic hash functions aregiven below:

H : {0, 1}∗ → Z∗q , h : Z∗

q × {0, 1}∗ → G1

Fig. 1. Architecture of our ID-DPDP protocol

Pick a pseudo-random functionf and a pseudo-randompermutationπ. The two functionsf and π are definedbelow:

f : Z∗q × {1, 2, · · · , n} → Z

∗q

π : Z∗q × {1, 2, · · · , n} → {1, 2, · · · , n}

KGC generates its master secret keyx where x ∈Z∗

q . Then, it computesY = gx. The parameters{G1,G2, e, q, g, Y,H, h, f, π} are made public. The mas-ter secret keyx is kept confidential by KGC.

• Extract: Input the original client’s identityIDo, KGCpicks a randomro ∈ Z∗

q and computes(Ro, σo) below:

Ro = gro , σo = ro + xH(IDo, Ro) mod q

Then, KGC sendsskIDo= (Ro, σo) to the original

client by the secure channel. LetskIDobe the original

client’s private key. The original client verifiesskIDo’s

correctness by verifying the following equation.

gσo = RoYH(IDo,Ro) (1)

If the formula (1) holds, the original clientIDo acceptsskIDo

as its private key; otherwise,IDo rejects it andrequests its private key by usingExtract again.Similarly, input the proxy’s identityIDp, the proxyIDp

can also get its private keyskIDp= (Rp, σp).

• Proxy-key generation: In order to generate the proxy key,the original clientIDo will interact with the proxyIDp

below:1) IDo creates the warrantmω according to its require-

ments. The proxyIDp cannot process and uploadthe original clientIDo’s data unless it satisfiesmω.IDo picks a randomr1 ∈ Z∗

q and computesmω ’ssignature below:

R1 = gr1 , σ1 = r1 + σoH(mω, R1) mod q


6

IDo sends the warrant-signature pair(mω, R1, σ1)andRo to IDp andPCS.

2) IDp checks the validity of(mω, R1, σ1, Ro) byverifying whether or not the following equationholds.

gσ1 = R1(RoYH(IDo,Ro))H(mω ,R1)

If the verification is unsuccessful, the proxy rejectsit and informs IDo; otherwise, it computes theproxy secret key:

σ = σ1 + σpH(mω, R1)

The proxy secret keyσ is kept secret by the proxy.At the same time,IDp sendsRp to IDo.

• TagGen: When IDp satisfies the warrantmω, IDp willhelp IDo process its data. Suppose the original client’splaintext file is F . By using the light-weight symmetricencryption,F is encrypted into the ciphertextF whichwill be uploaded toPCS. Based on the size ofF, theproxyIDp splitsF into n blocks,i.e., F = (F1, · · · , Fn).Fi denotes thei-th block ofF andFi ∈ Z

∗q . Ni contains

the i-th block Fi’s name and its properties. The proxycalculatesu = h(n+ 1, ID0). Then, for1 ≤ i ≤ n, theproxy performs the following procedures step by step:

1) The proxy computesTi = (h(i, Ni)uFi)σ by using

the proxy keyσ;2) The proxy outputs the blockFi’s tag Ti.

{(Fi, Ti), 1 ≤ i ≤ n} and uploads them toPCS.WhenPCSreceivesmω ’s signature(mω, R1, σ1) andRo,it checks (mω, R1, σ1)’s validity by verifying whethergσ1 = R1(RoY

H(IDo,Ro))H(mω ,R1) holds. If it holds,PCS acceptsmω; otherwise, it informsIDo. When re-ceiving the block-tag pairs{(Fi, Ti), 1 ≤ i ≤ n}, PCSchecks whetherIDp satisfiesmω. If it holds,PCSacceptsand stores them; otherwise,PCSrefuses to accept them.

• Proof (PCS, O): This is a 2-move interactive protocolbetweenPCSand the original clientO. If O authorizesthe remote data integrity checking task to some verifier,it sends (Ro, Rp, R1) to the authorized verifier. Theauthorized verifier may be the third auditor orO’s proxy.SinceO has(Ro, Rp, R1), O can performs the interactiveprotocolProof as the verifier. When the verifier isO, theinteraction protocolProof is given below.

1) Challenge (O→ PCS): O generates the challengechal = (c, k1, k2). In chal, c is the challengedblock number which is determined byO andk1, k2are randomly picked fromZ∗

q . Then, it sends thechallengechal to PCS;

2) Response (O← PCS): Upon receivingO’s challengechal = (c, k1, k2), PCS performs the followingprocedures:

a) Search for the two-tuples(O, k1) in the tableTchal. If (O, k1) ∈ Tchal, PCS refuses andinforms the requesterO ; otherwise, it goes on;

b) For 1 ≤ i ≤ c, PCScomputesvi = πk1(i), ai =fk2(i) by usingk1, k2, and

T =∏

1≤i≤c

Tviai

F =∑

1≤i≤c

aiFvi

c) PCSsendsθ = (F , T ) to O.3) Upon receiving the responseθ = (F , T ), O per-

forms the following procedures:a) By using the generatedchal, O computes

vi = πk1 (i), ai = fk2(i)

hvi = h(vi, Nvi), u = h(n+ 1, ID0)

b) O computes

R = R1(RoRpYH(IDo,Ro)+H(IDp,Rp))H(mω ,R1)

and verifies the following formula:

e(T, g) = e(

c∏

i=1

haiviuF , R) (2)

If the formula (2) holds,O outputs “success”; oth-erwise,O outputs “failure”.

4) WhenO outputs “failure”, it will perform the samechallenge many times. If the responses still can-not pass the verification,O will inform the PCSmanager this situation.PCS manager will censorO’s stored data and retrieve the lost data from the

manager will have to evaluate the loss and discussthe reparation according to the loss severity.

Notes: In Proof(PCS, O), O generates the challengechal =(c, k1, k2) where k1, k2 are randomly picked fromZ∗

q .Based onchal, PCS gets the challenged block index set as{v1, v2, · · · , vc} wherevi = πk1(i), 1 ≤ i ≤ c. Sinceπk1(·)is a pseudo-random permutation determined by the randomk1,the challenged block index set{v1, v2, · · · , vc} comes fromthe random selection of then stored block-tag pairs.

Correctness: Our proposed concrete ID-PUIC protocol mustbe workable and correct. Correctness means that, ifKGC, PCS,O and Proxy are honest and follow the specified procedures,PCS’s responseθ can passO’s verification. Our protocol’scorrectness comes from the following deduction:

e(T, g)= e(

∏c

i=1 Taivi, g)

= e(∏c

i=1 h(vi, Nvi)aiuaiFvi ), gσ)

= e(∏c

i=1 h(vi, Nvi)aiu

∑ci=1 aiFvi ), gσ)

= e(∏c

i=1 h(vi, Nvi)aiuF , gσ)

= e(∏c

i=1 haiviuF , gσ)

On the other hand, by using the concreteσ, we get

gσ

= gσ1+σpH(mω ,R1)

= gσ1gσpH(mω ,R1)

= R1(RoYH(IDo,Ro))H(mω ,R1)(RpY

H(IDp,Rp))H(mω ,R1)

= R1(RoRpYH(IDo,Ro)+H(IDp,Rp))H(mω ,R1)


At last, the proxy gets all the block-tag pairs offline backup. If PCS manager fails, O and PCS

7

Denote R = R1(RoRpYH(IDo,Ro)+H(IDp,Rp))H(mω ,R1).

Thus,

e(T, g) = e(

c∏

i=1

haiviuF , R)

Thus, the correctness is proved.

C. Performance analysis

First, we give the computation and communication overheadof our proposed ID-PUIC protocol. At the same time, weimplement the prototype of our ID-PUIC protocol and evaluateits time cost. Then, we give the flexibility of remote dataintegrity checking in the phaseProofof our ID-PUIC protocol.At last, we compare our ID-PUIC protocol with the other up-to-date remote data integrity checking protocols.

Computation: Let the uploaded block number ben. Let thechallenge bechal = (c, k1, k2) where1 ≤ c ≤ n, k1, k2 ∈ Z

∗q .

Based on the different phases, we give the computation over-head. On the groupG1, bilinear pairings, exponentiation, andmultiplication contribute most computation cost. Comparedwith them, the other operations are faster, such as, hashfunction h, the operations onZ∗

q and G2, etc. The hashfunctionH can be done once for all. Thus, we only considerbilinear pairings, exponentiation, and multiplication onG1.For the proxy, the computation overhead mainly comes fromthe phaseTagGen. In the phaseTagGen, the proxy performs2n exponentiation,n multiplication on the groupG1, andn

hash functionh. In the phaseProof, the original clientOgenerates the challengechal andPCSresponds tochal. In theinteractive proofProof, PCS performsc exponentiation andc− 1 multiplication on the groupG1 and sends the responseθto the checkerO. In order to check the responseθ’s validity, Operforms c+3 exponentiation, 2 pairings,3 + c multiplicationon the groupG1 andc hash functionh.

In order to show our protocol’s practical computation over-head, we have simulated the proposed ID-PUIC protocol byusing C programming language with GMP Library (GMP-5.0.5) [36], and PBC Library (pbc-0.5.13) [37], [38]. In thesimulation, PCS works on DELL PowerEdge R420 Serverwith the following settings:

• CPU: Intel R Xeon R processor E5-2400 and E5-2400v2 product families

• Physical Memory: 8GB DDR3 1600MHz• OS: Ubuntu 13.04 Linux 3.8.0-19-generic SMP i686

The proxy and the original client works on PC Laptop withthe following settings:

• CPU: CPU I PDC E6700 3.2GHz• Physical Memory: DDR3 2G 1600MHz• OS: Windows 7

In the simulation, we choose type A pairing parameters,where the group order is 160 bits, and the order of thebase field is 512bit. Type A pairing parameters provide acompetitive security level with 1024-bit RSA. InTagGen,when one tag is created, proxy’s time cost is 0.022472s. Whenone thousand tags are created, proxy’s time cost is 22.567269s.In order to show the time cost, we give Figure 2. Figure 2

0 200 400 600 800 10000

5

10

15

20

25

The number n of created tag

The

tim

e co

st o

f pro

xy in

the

phas

e T

agG

en (

seco

nd)

Fig. 2. Proxy’s time cost in TagGen (second)

depicts proxy’s computation cost inTagGen. X-label denotesthe created tag numbern and Y-label denotes the time cost(second) in order to createn tags. Proxy’s time cost increasesalmost linearly with the created tag numbern. In Proof, theoriginal client interacts withPCS and performs the remotedata integrity checking. InProof, when the challenged blocknumber is 20, the original client’s time cost is 0.567881s.When the challenged block number is 100, the original client’stime cost is 2.356659s. In order to show the time cost, we giveFigure 3. Figure 3 depicts original client’s computation timecost in Proof. X-label denotes the challenged block numberc and Y-label denotes the time cost (second) in order tocheckPCS’s responseθ. At the same time, we consider thecomputation time cost ofPCS. In Proof, when the challengedblock number is 20, thePCS’s time cost is 1.611138s. Whenthe challenged block number is 100, thePCS’s time costis 7.993312s. In order to show the time cost,PCS’s timecost figure is added to Figure 3. Figure 3 also depictsPCS’scomputation time cost inProof. X-label denotes the challengedblock numberc and Y-label denotesPCS’s time cost (second)in order to create the responseθ. From Figure 3, we knowthat most computation are performed byPCS. The end deviceonly performs a little computation. Our protocol can be usedin the environment where the checker’s computation resourceis limited, for example mobile phone.

Communication: National Bureau of Standards and ANSIX9 have determined the shortest key length requirements:RSA and DSA is 1024 bits, ECC is 160 bits [35]. Accordingto the above standard, we analyze our ID-PUIC protocol’scommunication cost. After the data processing, the block-tag pairs are uploaded toPCS once and for all. Thus, weonly consider the communication cost which is incurred inthe remote data integrity checking. InProof, the commu-nication cost comprises the challengechal and responseθ.The original client will interact withPCSperiodically in thephaseProof. Suppose there aren message blocks are storedin the PCS. In order to finish one round interaction, theoriginal client will create the challengechal = (c, k1, k2)and sendchal to PCS. The whole communication cost is


8

20 30 40 50 60 70 80 90 1000

1

2

3

4

5

6

7

8

The number c of challenged block

The

tim

e co

st o

f orig

inal

clie

nt (

PC

S)

in th

e ph

ase

Pro

of (

seco

nd)

OriginalClientPCS

Fig. 3. PCS and OriginalClient’s time cost in Proof (second)

log2 n + 2 log2 q = 320 + log2 n bits. In order to respondthe challengechal, PCScreates the responseθ = (F , T ). θ’sbit length is160 + 1|G1| = 160 + 2 ∗ 512 = 1184 bits. Thus,

cost is320 + log2 n+ 1184 = 1504 + log2 n bits.

Private checking, delegated checking and public checking:Our proposed ID-PUIC protocol satisfies the private checking,delegated checking and public checking. In the remote dataintegrity checking procedure,R1, Ro, Rp are indispensable.Thus, the procedure can only be performed by the entity whohasR1, Ro, Rp. In general, sinceR1, Ro, Rp are kept secretby the original client, our protocol can only be performedby the original client. Thus, it is private checking. On somecases, the original client has no ability to check its remote dataintegrity, such as, he is taking a vacation or in prison or inbattle field,etc. Thus, it will delegate the third party to performthe ID-PUIC protocol. It can be the third auditor or the proxyor other entities. The original client sendsR1, Ro, Rp to thedelegated third party. The delegated third party has the abilityto perform the ID-PUIC protocol. Thus, it has the property ofdelegated checking. On the other hand, if the original clientmakesR1, Ro, Rp public, any entity has the ability to performthe ID-PUIC protocol. Thus, our protocol has also the propertyof public checking.

Notes: In the checking, the checker must haveR1, Ro, Rp.Ro, Rp are the part of original client’s private key and theproxy’s private key respectively. Their publicity cannot leaktheir the other part of private key,i.e., σo, σp cannot be leaked.The private key extraction phaseExtract is actually a modifiedElGamal signature scheme which is existentially unforgeable.For the identity ID, the extracted private key(R, σ) is asignature of ID. Since ElGamal signature is existentiallyunforgeable, the private key partσ will keep secret even ifR is made public. On the other hand,R1 is generated by theoriginal client in order to create the signature on the warrantmω. Thus,R1 is also known to the original client.

Comparison: In order show our ID-PUIC protocol’s superi-ority, we compare our protocol with the recent two protocols,

i.e., Wang’s protocol [16] and Zhanget al.’s protocol [23].Since most computation cost comes from the pairings, expo-nentiation and multiplication on the groupG1, the simplifiedcomparison is given in Table II. In the comparison, we denotethe time cost of pairings, exponentiation and multiplication asCp, Ce, Cm, respectively. From the computation comparison,we know that our protocol has almost the same computationcost in the phasesTagGenand PCS has the same computationcost in the phaseProof. For the checker in the phaseProof,our protocol has less computation cost than the other twoprotocols. On the other hand, our protocol can realize thethree security properties: proxy data processing and uploading,remote data integrity checking with flexibility and not requiredcertificate management. Flexibility means that our protocol canrealize the private checking, delegated checking and publicchecking according to the original client’s authorization.

Hybrid cloud: Our contributions are also suitable for thescenario of hybrid clouds, where the proxy can be treatedas the private cloud of the original client. In the scenario,the private cloud gets its private/public key pairs. The privatecloud gets the proxy-key and the authorization of the originalclient through the interaction between the original client and its

perform the data uploading task, it informs its private cloud.Upon receiving the original client’s instruction, the privatecloud will interact with the public cloud and finish the datauploading task.

IV. SECURITY ANALYSIS

The security of our ID-PUIC protocol mainly consists of thefollowing parts: correctness, proxy-protection and unforgeabil-ity. The correctness has been shown in the subsection III-B.In the following paragraph, we study the proxy-protectionand unforgeability. Proxy-protection means that the originalclient cannot pass himself off as the proxy to create the tags.Unforgeability means that when some challenged blocks aremodified or deleted,PCScannot send the valid response whichcan pass the integrity checking.

In order to formally prove our protocol, we give the defini-tion of (t, ǫ)-security below:

Definition 10 ((t, ǫ)-security): A problem is called to sat-isfy (t, ǫ)-security if no adversary can break it with theprobability at leastǫ within the time periodt.

Theorem 1 (Proxy-protection):Let (G1,G2) be a (t′, ǫ′)-GDH group pair whereG1 and G2 have the same primeorderq. Then, our proposed ID-PUIC protocol is(t, ǫ) proxy-protective in the random oracle model, wheret andǫ satisfiesǫ′ ≥ 1

n( qTqT+1 )

qT 1qT+1ǫ andt′ ≤ t+O(qH)+O(qh)+O(qE)+

O(qT ) +O(qp). n denotes the number of all the identities. Inparticular, supposeA1 is an adversary in the random oraclemodel, andA1 runs in timet, and makes at mostqH hashH-Oraclequeries,qh hashh-Oraclequery,qE Extract-Oraclequery,qT TagGen-Oraclequery andqp Proxy-key Generation-Oracle query. Based on the difficulty of CDH problem, ourID-PUIC protocol satisfies the property of proxy-protection.

Proof: Let the selected identity set beI ={ID1, ID2, · · · , IDn} which includes the proxy identityIDp.


for one round interaction of Proof, the whole communication private cloud. When the original client needs its private cloud

9

TABLE IICOMPARISON OF COMPUTATION AND SECURITY PROPERTY

Protocols TagGen PCS’s cost Checker’s cost Proxy Data Integrity Certificate Keyin Proof in Proof Processing Checking management Escrow

& Uploading FlexibilityWang [16] 1Cp+2Ce+1Cm cCe+(c-1)Cm 3Cp+(c+1)Ce+cCm No No Required NoZhang [23] 2Ce+2Cm cCe+(c-1)Cm 3Cp+(c+2)Ce+cCm No No Required No

Our protocol 2Ce+1Cm cCe+(c-1)Cm 2Cp+(c+1)Ce+cCm Yes Yes Not Required Yes

Let the uploaded data beF which is divided inton blocks,i.e., F = (F1, F2, · · · , Fn), whereFi ∈ Z

∗q . Suppose that

the original client can(t, ǫ)-counterfeit the proxy to generateblock-tag pairs. We can construct another algorithmC1 whichcan(t′, ǫ′)-break the CDH problem. Based on the difficulty ofCDH problem, the theorem is proved.C1 will simulateA1’sattack environment. Denoteg as a generator of the groupG1.In the following game, the adversary is denoted asA1 and thechallenger is denoted asC1. Let (P1, P2) beP1 = ga, P2 = gb

wherea, b ∈ Z∗q are unknown. Input the tuple(g, P1, P2), C1

will try to calculategab by usingA1’s forgery.Setup: C1 picksx ∈ Z∗

q and calculatesY = gx. Then, it setsthe KGC’s private key/public key pair is(x, Y ). Let mω bethe warrant which describes the original client’s authorization.C1 calculatesu = h(n+1, IDo) and sendsu toA1. The threetablesTH , Th, andTE are initialized to be empty.TH storesthe hash functionH’s query-response records,Th stores thehash functionh’s query-response records andTE stores theoracleExtract’s query-response records.

H-query. A1 sendsQi = (IDi, Ri) or Qi = (mω, Ri) toC1. C1 looks up the tableTH . If there exists(Qi, ti) ∈ TH ,C1 sendsti to A1; otherwise,C1 picks a randomti ∈ Z∗

q andstores(Qi, ti) in the tableTH . Then, it outputsti to A1 asthe response.

h-query. A1 sends(i, Ni) to C1. C1 respondsA1 below:1) C1 looks up the tableTh whose records are the format

(i, Ni, zi, bi, ci). If the query(i, Ni) has been stored inthe tableTh, C1 sendsziu−Fi to A1, i.e., h(i, Ni) =ziu

−Fi .2) If the query(i, Ni) does not be stored inTh, C1 picks

a randombi ∈ Z∗q . At the same time, it also picks

a random coinci ∈ {0, 1} based on the bivariateprobability distributionPr[ci = 0] = 1

qT+1 . If ci = 1, C1calculateszi = gbi ; otherwise,C1 calculateszi = P2g

bi .Then,C1 adds the record(i, zi, bi, ci) to Th and respondsh(i, Ni) = ziu

−Fi to A1.Extract: A1 sendsIDi to C1 whereIDi 6= IDp. SinceC1

has KGC’s private keyx, it can calculateIDi’s private key(Ri, σi) by using the phaseExtract of our ID-PUIC protocol.Especially,A1 can query the original client’s private key andget (Ro, σo) from C1. In TE , the corresponding record canbe denoted as(Qo, Ho, σo) whereQo = (IDo, Ro), Ho =H(IDo, Ro). On the other hand, althoughA1 cannot query theproxy IDp’s private key, butC1 can generate part ofIDp’sprivate key below: Picks randomHp ∈ Z

∗q and calculates

Rp = P1Y−Hp . Then, C1 sets Hp = H(IDp, Rp). It is

obvious thatσp = a is unknown.Proxy-key Generation query. A1 sends(ID′

o, ID′p) to C1. If

ID′p 6= IDp, ID′

p andID′o’s private keys can be extracted in

the phaseExtract. Thus, proxy-key can be generated by usingthe normal procedure. Otherwise, aborts.

Notes: SinceA1 has gotten the original client’s private key,it can generates the warrantmω ’s signature(mω , R1, σ1) andsends it toC1. In the practical scenario, the proxy can also getthe warrant’s signature. Our assumption is appropriate.

TagGen query. A1 sends(i, Ni, Fi) to C1. C1 performs thefollowing procedures: If(i, Ni, zi, bi, ci) has not been storedin the tableTh, A1 sends the query(i, Ni) to h-Oracle.C1 respondsA1 and adds the record(i, Ni, zi, bi, ci) to Th.Otherwise,C1 performs the following procedure. Ifci = 0, C1reports failure and terminates; otherwise,C1 calculates

Ti = gσ1bi(P1)biH(mω ,R1)

and sendsTi to A1.Notes: C1’s response to the tag query is valid from the

derivation :

Ti = gσ1bi(P1)biH(mω ,R1)

= (gσ1gaH(mω ,R1))bi

= (gσ1gσpH(mω ,R1))bi

= (gσ)bi

= (gbi)σ

= (h(i, Ni)uFi)σ

Output: At last,A1 outputs a forged block-tag pair(Ff , Tf )where the blockFf ’s index-name pair is(f,Nf ). C1 looksup the tableTh and gets the record(f,Nf , zf , bf , cf ) (If therecord does not exist,C1 calculates and adds it toTh based onthe phaseh-query). Whencf = 1, the game aborts and fails;otherwise,

Tf = (h(f,Nf )uFf )σ

= (P2gbf )σ

= (P2gbf )σ1(P2g

bf )aH(mω ,R1)

We can get

gab = P a2 = [Tf (P2g

bf )−σ1P−bfH(mω ,R1)1 ]

1H(mω,R1)

Thus, CDH problem is solved.Probability Analysis. Now, we evaluateC1’s success prob-

ability. In order to break CDH problem, the following fourevents must hold simultaneously:

1) E1: C1 does not abort inA1’s Proxy-key Generationquery.

2) E2: C1 does not abort inA1’s TagGenquery.3) E3: A1 generates a valid block-tag forgery(Ff , Tf )

which satisfiescf = 0.


10

0 100 200 300 400 500 6000

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1The probability curves Px of detecting the corruption based on n=10000

The number t of corrupted block−tag pairs

The

prob

abili

ty P

x of

det

ectin

g th

e co

rrup

tion

c=70c=50

Fig. 4. The probability curvePX of detecting the corruption

C1 succeeds if the above three events hold. We calculate thefollowing probability:

Pr[E1∧E2

∧E3]

= Pr[E1] Pr[E2|E1] Pr[E3|E1∧E2]

= 1n( qTqT +1 )

qT 1qT +1ǫ

In C1’s simulation environment, we assume that(G1,G2) is(t′, ǫ′)-secure GDH group. We can get

ǫ′ ≥ Pr[E1∧E2

∧E3] =

1

n(

qT

qT + 1)qT

1

qT + 1ǫ

C1’s running time is the same asA1’s running time plusthe time which is spent to respondqH H-query, qh h-query, qE Extract-query, qT TagGen-queryand qp Proxy-keyGeneration-query. Thus,C1’s whole running time is at mostt′ ≤ t + O(qH) + O(qh) + O(qE) + O(qT ) + O(qp). Thus,if A1 can (t, ǫ)-forge block-tag pair,C1 can (t′, ǫ′)-break theGDH group. It contradicts the assumption that(G1,G2) is a(t′, ǫ′)-GDH group pair. The proof is completed.

In our ID-PUIC protocol, the phaseTagGen is the sameas the phasePub.Stof PoRs construction for public verifia-bility [20]. Based on the protocol [20]’s unforgeability, ourID-PUIC protocol satisfies the unforgeability.

Theorem 2 (Unforgeability):The proposed ID-PUIC proto-col is existentially unforgeable in the random oracle model ifCDH problem onG1 is hard.

Since the proof process is almost the same as Shacham-Waters’s protocol [20], we only give the differences. InShacham-Waters’s protocol,u is randomly picked fromG1.In our ID-PUIC protocol,u is calculated by using the hashfunction h. In the random oracle model,h’s output value isindistinguishable from a random value nn the groupG1. In thephaseTagGen, the proxy-keyσ is used in ID-PUIC protocolwhile the data owner’s secret keya is used in Shacham-Waters’s protocol [20]. ForPCS, σ and a has the samefunction to generate the block tags. WhenPCS is dishonest,since Shacham-Waters’s protocol is existentially unforgeablein random oracle model, our proposed ID-PUIC protocol isalso existentially unforgeable in the random oracle model. Thedetailed proof process is omitted since it is very similar toShacham-Waters’s protocol.

Theorem 3:Let the uploaded block-tag pairs number ben.When d block-tag pairs are broken andc block-tag pairs arechallenged, the broken block-tag pairs can be found out withprobability at least1− (n−d

n)c and at most1− (n−c+1−d

n−c+1 )c.

Thus, our ID-PUIC protocol is( dn, 1− (n−d

n)c)-secure,i.e.,

1− (n− d

n)c ≤ PX ≤ 1− (

n− c+ 1− d

n− c+ 1)c

wherePX denotes the probability of detecting the modifica-tion.

Proof: Let the challenged block-tag pair set beS and themodified block-tag pair set beM. Let the random variableXbeX = |S

⋂M|. According to the definition ofPX , we can

get

PX = P{X ≥ 1}

= 1− P{X = 0}

= 1−n− d

n

n− 1− d

n− 1· · · · ·

n− c+ 1− d

n− c+ 1

Thus, we can get

1− (n− d

n)c ≤ PX ≤ 1− (

n− c+ 1− d

n− c+ 1)c

This completes the proof of the theorem.We give the probability curve ofPX in Figure 4. Combined

with the performance analysis, when the stored block-tag pairsnumber be 10000 andd = 500, c = 70, the probability is97.28%, the original client’s time cost is 1.920119s andPCS’stime cost is 6.397231s. Whenn = 10000, d = 500, c = 50,the probability is 92.36%, the original client’s time costis 1.715752s andPCS’s time cost is 5.516639s. From ourexperiments, our ID-PUIC protocol is efficient and practical.

V. CONCLUSION

Motivated by the application needs, this paper proposes thenovel security concept of ID-PUIC in public cloud. The paperformalizes ID-PUIC’s system model and security model. Then,the first concrete ID-PUIC protocol is designed by using thebilinear pairings technique. The concrete ID-PUIC protocolis provably secure and efficient by using the formal securityproof and efficiency analysis. On the other hand, the proposedID-PUIC protocol can also realize private remote data integritychecking, delegated remote data integrity checking and publicremote data integrity checking based on the original client’sauthorization.

ACKNOWLEDGMENTS

The author sincerely thanks the Editor for allocating qual-ified and valuable referees. The author sincerely thanks theanonymous referees for their very valuable comments. Thework of H. Wang was supported by the National NaturalScience Foundation of China (No. 61272522), the NaturalScience Foundation of Liaoning Province (No. 2014020147)and the Program for Liaoning Excellent Talents in Univer-sity (No. LR2014021). The work of D. He was supportedby the National Natural Science Foundation of China (Nos.61572379, 61501333) and the Natural Science Foundation of


11

Hubei Province of China (No. 2015CFB257). The work of S.Tang was supported by 973 Program (No. 2014CB360501),and Guangdong Provincial Natural Science Foundation (No.2014A030308006).

REFERENCES

[1] Z. Fu, X. Sun, Q. Liu, L. Zhou, J. Shu, “Achieving efficient cloud searchservices: multi-keyword ranked search over encrypted cloud data sup-porting parallel computing,”IEICE Transactions on Communications,vol. E98-B, no. 1, pp.190-200, 2015.

[2] Y. Ren, J. Shen, J. Wang, J. Han, S. Lee, “Mutual verifiable provabledata auditing in public cloud storage,”Journal of Internet Technology,vol. 16, no. 2, pp. 317-323, 2015.

[3] M. Mambo, K. Usuda, E. Okamoto, “Proxy signature for delegatingsigning operation”,CCS 1996, pp. 48C57, 1996.

[4] E. Yoon, Y. Choi, C. Kim, “New ID-based proxy signature scheme withmessage recovery”,Grid and Pervasive Computing, LNCS 7861, pp.945-951, 2013.

[5] B. Chen, H. Yeh, “Secure proxy signature schemes from the weilpairing”, Journal of Supercomputing, vol. 65, no. 2, pp. 496-506, 2013.

[6] X. Liu, J. Ma, J. Xiong, T. Zhang, Q. Li, “Personal health recordsintegrity verification using attribute based proxy signature in cloudcomputing”, Internet and Distributed Computing Systems, LNCS 8223,pp. 238-251, 2013.

[7] H. Guo, Z. Zhang, J. Zhang, “Proxy re-encryption with unforgeable re-encryption keys”,Cryptology and Network Security, LNCS 8813, pp.20-33, 2014.

[8] E. Kirshanova, “Proxy re-encryption from lattices”,PKC 2014, LNCS8383, pp. 77-94, 2014.

[9] P. Xu, H. Chen, D. Zou, H. Jin, “Fine-grained and heterogeneous proxyre-encryption for secure cloud storage”,Chinese Science Bulletin, vol.59,no.32, pp. 4201-4209, 2014.

[10] S. Ohata, Y. Kawai, T. Matsuda, G. Hanaoka, K. Matsuura, “Re-encryption verifiability: how to detect malicious activities of a proxyin proxy re-encryption”,CT-RSA 2015, LNCS 9048, pp. 410-428, 2015.

[11] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson,D. Song, “Provable data possession at untrusted stores”,CCS’07, pp.598-609, 2007.

[12] G. Ateniese, R. DiPietro, L. V. Mancini, G. Tsudik, “Scalable andefficient provable data possession”,SecureComm 2008, 2008.

[13] C. C. Erway, A. Kupcu, C. Papamanthou, R. Tamassia, “Dynamicprovable data possession”,CCS’09, pp. 213-222, 2009.

[14] E. Esiner, A. Kupcu, O Ozkasap, “Analysis and optimization onFlexDPDP: a practical solution for dynamic provable data possession”,Intelligent Cloud Computing, LNCS 8993, pp. 65-83, 2014.

[15] E. Zhou, Z. Li, “An improved remote data possession checking protocolin cloud storage”,Algorithms and Architectures for Parallel Processing,LNCS 8631, pp. 611-617, 2014.

[16] H. Wang, “Proxy provable data possession in public clouds,”IEEETransactions on Services Computing, vol. 6, no. 4, pp. 551-559, 2013.

[17] H. Wang, “Identity-based distributed provable data possession in mul-ticloud storage”,IEEE Transactions on Services Computing, vol. 8, no.2, pp. 328-340, 2015.

[18] H. Wang, Q. Wu, B. Qin, J. Domingo-Ferrer, “FRR: Fair remote retrievalof outsourced private medical records in electronic health networks”,Journal of Biomedical Informatics, vol. 50, pp. 226-233, 2014.

[19] H. Wang, “Anonymous multi-receiver remote data retrieval for pay-tvin public clouds”,IET Information Security, vol. 9, no. 2, pp. 108-118,2015.

[20] H. Shacham, B. Waters, “Compact proofs of retrievability”,ASIACRYPT2008, LNCS 5350, pp. 90-107, 2008.

[21] Q. Zheng, S. Xu, “Fair and dynamic proofs of retrievability”,CO-DASPY’11, pp. 237-248, 2011.

[22] D. Cash, A. Kupcu, D. Wichs, “Dynamic proofs of retrievability viaoblivious ram”,EUROCRYPT 2013, LNCS 7881, pp. 279-295, 2013.

[23] J. Zhang, W. Tang, J. Mao, “Efficient public verification proof ofretrievability scheme in cloud”,Cluster Computing, vol. 17, no. 4, pp.1401-1411, 2014.

[24] J. Shen, H. Tan, J. Wang, J. Wang, S. Lee, “A novel routing protocolproviding good transmission reliability in underwater sensor networks”,Journal of Internet Technology, vol. 16, no. 1, pp. 171-178, 2015.

[25] T. Ma, J. Zhou, M. Tang, Y. Tian, Al-dhelaan A., Al-rodhaan M.,L. Sungyoung, “Social network and tag sources based augmentingcollaborative recommender system”,IEICE Transactions on Informationand Systems, vol.E98-D, no.4, pp. 902-910, 2015.

[26] K. Huang, J. Liu, M. Xian, H. Wang, S. Fu, “Enabling dynamic proofof retrievability in regenerating-coding-based cloud storage”,ICC 2014,pp.712-717, 2014.

[27] C. Wang, Q. Wang, K. Ren, W. Lou, “Privacy-preserving public auditingfor data storage security in cloud computing”,INFOCOM 2010, pp. 1-9,2010.

[28] Q. Wang, C. Wang, K. Ren, W. Lou, J. Li, “Enabling public auditabilityand data dynamics for storage security in cloud computing”,IEEETransactions on Parallel And Distributed Systems, vol. 22, no. 5, pp.847-859, 2011.

[29] C. Wang, Q. Wang, K. Ren, N. Cao, W. Lou, “Toward secure anddependable storage services in cloud computing,”IEEE Transactionson Services Computing, vol. 5, no. 2, pp. 220-232, 2012.

[30] Y. Zhu, G. Ahn, H. Hu, S. Yau, H. An, S. Chen, “Dynamic AuditServices for Outsourced Storages in Clouds,”IEEE Transactions onServices Computing, vol. 6, no. 2, pp. 227-238, 2013.

[31] O. Goldreich, “Foundations of cryptography: basic tools”,PublishingHouse of Electronics Industry, Beijing, pp. 194-195, 2003.

[32] D. Boneh, B. Lynn, H. Shacham, “Short signatures from the weilpairing”, ASIACRYPT 2001, LNCS 2248, pp. 514-532, 2001.

[33] D. Boneh, M. Franklin, “Identity-based encryption from the weil pair-ing”, CRYPTO 2001, LNCS 2139, pp. 213-229, 2001.

[34] A. Miyaji, M. Nakabayashi, S. Takano, “New explicit conditions of el-liptic curve traces for fr-reduction”,IEICE Transactions Fundamentals,vol. 5, pp. 1234-1243, 2001.

[35] C. Research, “SEC 2: Recommended elliptic curve domain parameters”,http://www.secg.org/collateral/secfinal.pdf

[36] The GNU multiple precision arithmetic library (GMP). Available:http://gmplib.org/.

[37] The pairing-based cryptography library (PBC). Available:http://crypto.stanford.edu/pbc/howto.html.

[38] Lynn B., “On the implementation of pairing-based cryptosystems”,Ph.D. dissertation, http://crypto.stanford.edu/pbc/thesis.pdf, Stanford U-niversity, 2008.

Huaqun Wang received the BS degree in mathemat-ics education from the Shandong Normal Universityand the MS degree in applied mathematics from theEast China Normal University, both in China, in1997 and 2000, respectively. He received the Ph.D.degree in Cryptography from Nanjing Universityof Posts and Telecommunications in 2006. He iscurrently a professor of Nanjing University of Postsand Telecommunications, China. His research inter-ests include applied cryptography, network security,and cloud computing security. He has published

more than 40 papers. He has served in the program committee of severalinternational conferences and the editor board of international journals.

Debiao He received his Ph.D. degree inappliedmathematics from School of Mathematics and Statis-tics, Wuhan University in 2009. He is currently anAssociate Professor of the State Key Lab of SoftwareEngineering, Computer School, Wuhan University,Wuhan, China. His main research interests includecryptography and information security, in particu-lar,cryptographic protocols.

Shaohua Tang received the B.Sc. and M.Sc. De-grees in applied mathematics, and the Ph.D. Degreein communication and information system all fromthe South China University of Technology, in 1991,1994, and 1998, respectively. He has been a fullprofessor with the School of Computer Science andEngineering, South China University of Technologysince 2004. His current research interests includeinformation security, networking, and informationprocessing.


Identity-Based Proxy-Oriented Data Uploading and Remote ...€¦ · Identity-Based Proxy-Oriented...

Documents

Transcript of Identity-Based Proxy-Oriented Data Uploading and Remote ...€¦ · Identity-Based Proxy-Oriented...