October 12, 2016 15:12 WSPC/INSTRUCTION FILE ws-jcsc

Journal of Circuits, Systems, and Computers
© World Scientific Publishing Company

Achieving Dynamic Data Guarantee and Data Confidentiality of Public Auditing in Cloud Storage Service

Min-Shiang Hwang
Department of Computer Science and Information Engineering, Asia University, 500 Liufeng Road, Wufeng, Taichung, Taiwan 402, R.O.C.
Department of Medical Research, China Medical University Hospital, China Medical University, No.91, Hsueh-Shih Road, Taichung, Taiwan 40402, R.O.C.

Tsuei-Hung Sun
Department of Management Information Systems, National Chung Hsing University, 250 Kuo Kuang Road, Taichung, Taiwan 402, R.O.C.

Cheng-Chi Lee*
Department of Library and Information Science, Fu Jen Catholic University, No. 510, Zhongzheng Rd., Xinzhuang Dist., New Taipei City 24205, Taiwan, R.O.C.
* Corresponding author

Received (28 Nov 2014)
Revised (18 Jan 2016)
Accepted (09 Oct 2016)

Recently, storage as a service in cloud computing has become a new trend for accessing and sharing files. Once files are stored in the Cloud, the owner can access them seamlessly from a personal computer or mobile device. However, the owner may worry about the confidentiality and integrity of files stored in the Cloud because cloud service providers are not always trustworthy. Therefore, many kinds of data correctness verification methods have been proposed to prevent cloud service providers from cheating data owners. Among these auditing models, bilinear pairing offers the most efficient way to verify data correctness and to perform batch auditing. Although auditing methods can ensure that data is stored properly, they do not consider that the data may be secret, or that the data owner may not want it to be known by either auditors or cloud service providers. Another important issue is supporting auditing of dynamic data in the Cloud. Wang et al. proposed a scheme that provides public auditing and dynamic data, but it still cannot guarantee that the Cloud has updated the data honestly. For this reason, we propose a dynamic data guarantee and data confidentiality scheme for public auditing in cloud storage service.

Keywords: Cloud storage service; public auditing; data confidentiality; dynamic data; security.


1. Introduction

Over this decade, technology has grown rapidly and made the Internet ubiquitous. In this quickly changing world, users have begun to change how they use data, moving from an individual computer to sharing on an outsourced server [1]. In recent years, the cloud storage service in cloud computing has brought a new paradigm for data outsourcing that meets the demand for cheaper and more elastic storage space. Whether for traditional data outsourcing or for current cloud storage services, one of the most important criteria of data security is that data confidentiality must be achieved [2,3,4].

The cloud storage service provided by a business enterprise is not always trusted, and data may be tampered with or deleted from storage for pecuniary reasons [5,6,7,8,9]. Data auditing is therefore another important issue. The simplest way to audit data is to generate a hash value for each piece of data; the hash and the data are then sent to an auditor and an outsourcing server, respectively. The auditor can then request the data from the server and generate a hash value from the returned data, which is compared with the initial hash value to check whether the data is correct. But this approach requires retrieving the data, which may incur a great amount of communication cost between an auditor and a cloud storage service [10]. An improved approach is to send a number of MAC keys and the corresponding hash values to an auditor. When the auditor wants to audit the data, it sends a MAC key to the cloud storage service and asks for a new response hash value, which can be compared with the initial hash value. But this approach incurs another problem: the auditor needs to maintain a key table to manage the MAC keys, and the size of the table is determined by the number of times the data is to be audited.
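The two baseline audits described above, as an added example that is not part of the original paper. It shows the download cost of the plain hash audit and the finite, stateful key table of the MAC-key audit; the function names and the sample data are constructed for this illustration.

```python
# Added illustration (not from the paper): the two baseline audits from the
# introduction, run on constructed sample data. All names are hypothetical.
import hashlib
import hmac
import secrets

def hash_audit(expected_digest, server_data):
    """Naive audit: the auditor downloads the whole file and re-hashes it."""
    ok = hmac.compare_digest(hashlib.sha256(server_data).digest(), expected_digest)
    return ok, len(server_data)            # bytes the server had to send

def owner_prepare(data, audits):
    """Owner precomputes one (MAC key, expected value) pair per future audit."""
    table = []
    for _ in range(audits):
        key = secrets.token_bytes(32)
        table.append((key, hmac.new(key, data, hashlib.sha256).digest()))
    return table

def server_respond(stored, key):
    """Server answers a challenge by MACing whatever it currently stores."""
    return hmac.new(key, stored, hashlib.sha256).digest()

class MacAuditor:
    """Stateful auditor: it must hold the key table, one entry per audit."""
    def __init__(self, table):
        self.table = list(table)

    def audit(self, server_data):
        if not self.table:
            raise RuntimeError("key table exhausted; the owner must issue new keys")
        # Each key is used once: a reused key would let the server replay a
        # cached response instead of recomputing it over the stored data.
        key, expected = self.table.pop()
        response = server_respond(server_data, key)
        return hmac.compare_digest(response, expected), len(key) + len(response)

def demo():
    data = b"constructed file contents " * 1000      # constructed sample file
    naive = hash_audit(hashlib.sha256(data).digest(), data)
    auditor = MacAuditor(owner_prepare(data, audits=2))
    first = auditor.audit(data)                       # honest server
    second = auditor.audit(data[:-1] + b"X")          # server altered one byte
    try:
        auditor.audit(data)
        exhausted = False
    except RuntimeError:
        exhausted = True                              # only two audits were provisioned
    return naive, first, second, exhausted

if __name__ == "__main__":
    print(demo())
```

The second element of each result is the number of bytes exchanged: the hash audit moves the whole file, while the MAC audit moves only a key and a response but stops working once the table is empty.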

To avoid retrieving data from a cloud storage service for auditing and to remove the limit on the number of audits, schemes [10,11,12] with blockless and stateless verification were proposed one after another, using a bilinear map and hashing each data block together with its index. Although these schemes achieve blockless and stateless verification, they cannot support dynamic data operations (e.g. update, insert, and delete) because the verified hash value is tied to the index of the data block, which changes when the block is changed. The schemes proposed by Wang et al. [13] and Wang et al. [14] can support dynamic data, but each has advantages and disadvantages. Wang et al.'s scheme [14] can provide data confidentiality, but it cannot support the insert operation of dynamic data. Wang et al.'s scheme [13] can support all dynamic data operations, but it cannot provide data confidentiality. Moreover, neither scheme can guarantee that a cloud storage service really applies a requested update: the cloud storage service can keep the old data after auditing and discard the updated data, and an auditor cannot detect whether the data is correct or not.

In addition, the most serious problem we found is that most auditing schemes [10,11,12,13,14] do not provide data confidentiality, and only some schemes [10,14] provide privacy preserving against auditors. Therefore, we propose a more efficient scheme that addresses the problems mentioned above. The following are the security criteria that need to be achieved in cloud data auditing:


(1) Public Auditing: Not only the data owner but also anyone else who has the computing ability can verify the correctness of the data.

(2) Privacy Preserving: During the auditing process, the data owner does not want auditors to learn the real content.

(3) Data Confidentiality: Since a cloud storage service is not always trustworthy, all data needs to be encrypted before it is uploaded to and stored in the cloud storage service.

(4) Blockless Verification: The auditor does not need to retrieve the audited blocks during verification, which avoids a great amount of communication cost between an auditor and a cloud storage service.

(5) Stateless Verification: The auditor does not need to maintain state information for auditing static data, which avoids requiring the data owner to be always online. State information means the data with which the auditor carries out the audit.

(6) Batch Auditing: To reduce the auditor's computing overhead, auditing tasks should be aggregated into one task so that they can be handled more efficiently.

(7) Dynamic Data: The data stored in a cloud storage service may be modified by the data owner frequently, so dynamic data operations should be supported.

(8) Modify Guarantee: After a dynamic data operation, it should be possible to guarantee that the cloud storage service has indeed modified the requested data instead of discarding the new data and not storing it.

The contribution of this paper is a new scheme that achieves all of the above security criteria. Comparing it with other related schemes in Table 2, we can see that our proposed scheme is superior to the other schemes. Additionally, our proposed scheme solves two important issues. One is that neither auditors nor cloud service providers learn the stored files while the auditing process is being performed. The other is that our proposed scheme also supports auditing of dynamic data in the cloud.

The rest of this paper is organized as follows. Related work on bilinear maps and Wang et al.'s scheme [13] is described in Section 2. Section 3 gives the assumptions, the notation table, and the details of our scheme. In Section 4, the criteria comparison and performance are discussed. Finally, Section 5 presents our contributions, conclusion, and future work on the presented scheme.

2. Related Works

First, we introduce the definition and characteristics of bilinear pairing. After that, Wang et al.'s scheme [13] is described and the defects of their scheme are shown.

2.1. Bilinear Maps

Bilinear maps provide a more efficient and secure way to achieve verification [15]. Here we describe the definition and characteristics of bilinear maps.

Let $G$ be an additive group and $G_T$ be a multiplicative group, where $q$ is the large prime order of $G$ and $G_T$, and $g$ is a generator of $G$. There exists a bilinear map $e : G \times G \to G_T$ that satisfies the following three characteristics [16,17,18]:

(1) Bilinear: For all $g_1, g_2 \in G$ and all $a, b \in \mathbb{Z}$, $e(a g_1, b g_2) = e(g_1, g_2)^{ab}$.

(2) Non-degenerate: If $g$ is the generator of $G$, then $e(g, g)$ is the generator of $G_T$, and it needs to satisfy $e(g, g) \neq 1$.

(3) Computable: An efficient algorithm exists to compute $e(g_1, g_2)$ for any $g_1, g_2 \in G$.

2.2. Wang et al.’s Scheme

Wang et al.'s scheme uses a bilinear map with a Merkle Hash Tree (MHT) to achieve public auditing, blockless verification, and stateless verification [13]. To support dynamic data operations, it uses the hash value of the block as the data tag instead of the hash value of the block index with the data block [10,11,12].

In Wang et al.'s scheme, the client stores data in a cloud storage server (CSS), and a third party auditor (TPA) processes the auditing task. Their protocol, shown in Figure 1, has four executions: setup, default integrity verification, dynamic data operation with integrity assurance, and batch auditing for multiclient data.

Setup:

(1) Client generates a signing key pair $(spk, ssk)$ and selects a private key $\alpha$ to generate the corresponding public key $v \leftarrow g^{\alpha}$. The secret key is $sk = (\alpha, ssk)$ and the public key is $pk = (v, spk)$.

(2) Client randomly selects $u \leftarrow G$ and sets the file tag as $t = name \,\|\, n \,\|\, u \,\|\, SSig_{ssk}(name \,\|\, n \,\|\, u)$. Here $name$ denotes the name of the file $F$, and $n$ denotes that the file $F$ is divided into $n$ blocks $m_1, m_2, \dots, m_n$.

(3) Client signs each block by $\sigma_i \leftarrow (H(m_i) \cdot u^{m_i})^{\alpha}$ and generates the root $R$ of the MHT by adding the hash value $H(m_i)$ of each block $i$ as a leaf node and computing each inside node $H_x$ by the rule $H_x = H(\text{lower-level node} \,\|\, \text{lower-level sibling node})$ (see [13] for more detail).

(4) Client signs the root $R$ as $sig_{sk}(H(R))$ and sends $\{F, t, \Phi, sig_{sk}(H(R))\}$ to CSS, then deletes $\{F, t, \Phi, sig_{sk}(H(R))\}$ from local storage. The set of signatures is denoted by $\Phi = \{\sigma_i\}$, $1 \le i \le n$.

Default Integrity Verification (See Figure 1 (a)):

(1) TPA randomly selects $c$ blocks as a subset $I = \{s_1, s_2, \dots, s_c\}$ of the audited file, chooses a random value $v_i$ for each block in $I$, and then sends the challenge $\{(i, v_i)\}_{i \in I}$ to CSS.

(2) CSS uses each stored block $m_i$ with the corresponding $v_i$ to compute $\mu = \sum_i v_i m_i \in \mathbb{Z}_p$ and $\sigma = \prod_i \sigma_i^{v_i} \in G$, and then sends the proof $\{\mu, \sigma, \{H(m_i), \Omega_i\}_{i \in I}, sig_{sk}(H(R))\}$ to TPA. $\Omega_i$ denotes a small amount of auxiliary information.

Fig. 1. Wang et al.'s Scheme: (a) Default Integrity Verification, between TPA and CSS; (b) Dynamic Data Operation with Integrity Assurance, between Client and CSS.

(3) TPA can check integrity by $e(\sigma, g) = e(\prod_{i \in I} H(m_i)^{v_i} \cdot u^{\mu}, v)$. If the equation holds, the auditing is successful.

Dynamic Data Operation with Integrity Assurance (See Figure 1 (b)):


(1) Client generates a new signature for block $i$ by $\sigma'_i = (H(m'_i) \cdot u^{m'_i})^{\alpha}$ and sends the update message $(M, i, m'_i, \sigma'_i)$ to CSS. $M$ denotes the modification operation.

(2) CSS replaces the old block and signature with $m'_i, \sigma'_i$, computes a new root $R'$, and then sends the proof $(\Omega_i, H(m_i), sig_{sk}(H(R)), R')$ to the client.

(3) Client first checks whether the old $R$ is correct, then generates a new $R_{new}$ and compares it with the received $R'$. If they match, the new root is signed as $sig_{sk}(H(R'))$ and sent to CSS to update the root signature.

Batch Auditing:

Bilinear maps can easily aggregate different signatures on different files owned by different users because of the bilinear characteristic mentioned above. Here Wang et al.'s scheme assumes that $k$ is a specific client and $K$ is the number of clients in the system. To support batch auditing, the only small difference is that all delegated signatures are aggregated into one signature by the equation $\sigma = \prod_{k=1,\dots,K} (\prod_{i \in I} \sigma_{k,i}^{v_i})$.

2.3. Weaknesses of Wang et al.’s Scheme

Although Wang et al.'s scheme can achieve public auditing and dynamic data integrity assurance, it still has the following problems:

(1) Data is transferred in plaintext form between a data owner and the cloud storage service, so an attacker can eavesdrop and obtain the file content. A simple way to solve this problem is to additionally use a symmetric or asymmetric cryptosystem to encrypt and decrypt the communicated messages against eavesdropping. However, this method adds computational cost during the auditing. We should instead try to embed an encryption/decryption protocol in the auditing scheme itself to solve this problem.

(2) In data modification, although a data owner can check whether the CSS has carried out the modify operation, the TPA uses only the information provided by the CSS, so it cannot distinguish whether the data is the newest if the CSS discards the updated result and keeps the original value for auditing. We solve this problem in Section 3.3.

3. The Proposed Scheme

Next, we describe the assumptions of public auditing in a cloud storage service. Then, the notations used in the proposed scheme are shown in Table 1. Finally, the environment and the detailed steps are presented.

The assumptions of public auditing in a cloud storage service and of our scheme are as follows:

(1) Although a cloud storage service usually executes a user's request honestly, it cannot always be trusted, because a cloud service provider may modify or delete the user's data for some benefit [10,13,14,19,20].

(2) The Cloud may keep the original authenticator values in order to pass the auditing, while the data has already been modified without being detected.

(3) Each file encryption key is pre-shared when a data user obtains the access right.

Table 1. Notation Table

| Notation | Meaning |
|---|---|
| $x$ | Data owner's private key |
| $y$ | Data owner's public key |
| $G$ | A multiplicative cyclic group of prime order $p$ |
| $g$ | The generator of $G$ |
| $F$ | File |
| $m_i$ | The data block of the file, $i = 1, \dots, n$ |
| $C$ | The ciphertext of the file |
| $C_i$ | The corresponding ciphertext of $m_i$ |
| $K_F$ | The file encryption key of file $F$ |
| $t$ | The file tag |
| $name$ | The name of the file |
| $n$ | The number of data blocks the file has |
| $d$ | A randomly selected value for the file |
| $Ver$ | The version information of the file |
| $s_i$ | The signature of $m_i$ |
| $S$ | The data block signature set of the file |
| $S_{agg}$ | The aggregated signature of verified blocks |
| $H(\cdot)$ | A one-way hash function in group $G$ |
| $E$ | Symmetric encryption function |

The proposed scheme is based on Wang et al.'s scheme [13], but we do not use the MHT structure to deal with dynamic data. The environment of the proposed scheme is shown in Figure 2, and there are three types of participants: Data Owner, Cloud Storage Service, and Auditor. The data owner is a person who has many files stored in the cloud storage service and does not have much time to check data correctness regularly. The cloud storage service, operated by a business enterprise, provides storage space for the data owner and may modify or delete the owner's data for monetary benefit. The auditor can be an authorized and trustworthy party who has the ability to verify the stored data (e.g. a trusted third party auditor or the data owner himself/herself) or a data user who has the access right to the data owner's data.

Fig. 2. The System Environment of Our Scheme

At first, a data owner uploads the encrypted data to cloud storage and sends the auditing metadata to auditors for auditing. Then, auditors can send requests to verify randomly selected blocks in each file at regular intervals (authorized party) or check data correctness after downloading data (data user). Our scheme has three parts: setup, auditing, and data modification.

3.1. Setup

Here a data owner initializes the bilinear pairing parameters and pre-processes the files to be stored and audited, then sends the auditing metadata to an auditor and the encrypted files to a cloud storage service, as follows.

(1) Choose a random value $x \leftarrow \mathbb{Z}_p$ as his/her private key, and $y \leftarrow g^{x}$ as the corresponding public key.

(2) Divide a file into $n$ sequential blocks as $F = (m_1, m_2, \dots, m_n)$ and select a secret key $K_F$ for file $F$. Then, encrypt each block by $C_i = E_{K_F}(m_i)$ and denote the complete ciphertext as $C = (C_1, \dots, C_n)$.

(3) Choose a random element $d \leftarrow G$, and set the file tag as $t = name \,\|\, n \,\|\, d \,\|\, Ver \,\|\, (name \,\|\, n \,\|\, d \,\|\, Ver)^{x}$.

(4) Compute each block signature by $s_i = ((H(C_i) \cdot Ver) \cdot d^{C_i})^{x}$ and denote all signatures as $S = (s_1, \dots, s_n)$.

(5) Send $(C, S)$ to a cloud storage service and $t$ to an auditor, respectively. Next, delete everything from local storage except $t$.


3.2. Auditing

Auditing has two cases: authorized party and data user. In the first case, after a period of time, an authorized party sends an auditing message to the cloud storage service to request verification of randomly selected blocks of each file, shown as Case 1 in Figure 3. In the other case, a data user wants to download a file and check the data correctness, so he/she sends a request asking for the ciphertext with an auditing proof, shown as Case 2 in Figure 4.

Case 1 - Auditor:

Fig. 3. Auditing Operation - Case 1. The auditor selects $V = \{v_1, \dots, v_l\}$ and sends $(name \,\|\, \{i, r_i\}_{i \in V})$; the cloud storage service computes $\mu = \sum_{i \in V} r_i C_i \in \mathbb{Z}_p$ and $S_{agg} = \prod_{i \in V} s_i^{r_i} \in G$ and returns $P = (\mu, S_{agg}, \{H(C_i)\}_{i \in V})$; the auditor checks $e(S_{agg}, g) \stackrel{?}{=} e((\prod_{i \in V} (H(C_i) \cdot Ver)^{r_i}) \cdot d^{\mu}, y)$.

Fig. 4. Auditing Operation - Case 2. The cloud storage service computes $S_{agg} = \prod_{i=1}^{n} s_i$; the data user checks $e(S_{agg}, g) \stackrel{?}{=} e(\prod_{i=1}^{n} ((H(C_i) \cdot Ver) \cdot d^{C_i}), y)$.

(1) The auditor randomly selects $l$ blocks, denoted as a set $V$, from the audited file, and sets a random value $r_i$ for each selected block as an auditing value. Then, the auditor sends an auditing message $(name \,\|\, \{i, r_i\}_{i \in V})$ to the cloud storage service, requesting verification of the correctness of these blocks.

(2) After the cloud storage service receives the auditing message, it finds these blocks in storage by $name$, and then uses $r_i$ to compute with $C_i$ and $s_i$ respectively. Besides, the cloud storage service computes the hash value $H(C_i)$ of each verified block to achieve blockless verification. For more efficiency, the cloud storage service aggregates all verified signatures as $S_{agg}$ to reduce the auditor's computing overhead. In the end, the cloud storage service sends the proof message $P$ to the auditor.

(3) The auditor uses the $Ver$ he/she holds and $P$ to verify correctness by checking $e(S_{agg}, g) = e((\prod_{i \in V} (H(C_i) \cdot Ver)^{r_i}) \cdot d^{\mu}, y)$. If the equation holds, the auditing task is successful.

(4) This auditing can be extended to batch auditing by aggregating all tasks into one verified task, just the same as in [13]. Here we show only the parts that differ from Wang et al. in Figure 5.

Fig. 5. Batch Auditing Example

(5) In Figure 5, the values $V$, $\mu$, $H(C_i)$, $Ver$, $d$, and $y$ carry a subscript $u$ to express that they belong to a specific user $u$, and $U$ represents the total number of delegators that one auditor has.

Case 2 - Data User:

(1) The data user sends a message to the cloud storage service to request the ciphertext $C$ and the corresponding auditing information.

(2) After the cloud storage service receives the message, it computes the aggregate signature $S_{agg}$ as proof information and sends it with $C$ to the data user.

(3) The data user uses the received $C$ to compute the hash value $H(C_i)$ for each $C_i$, and uses these $H(C_i)$ with the $Ver$ he/she holds to verify the correctness of the file by checking $e(S_{agg}, g) = e(\prod_{i=1}^{n} ((H(C_i) \cdot Ver) \cdot d^{C_i}), y)$.

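Proof of auditing verification:

$$
\begin{aligned}
e(S_{agg}, g) &= e\Big(\prod_{i \in V} s_i^{r_i},\; g\Big) \\
&= e\Big(\prod_{i \in V} \big(((H(C_i) \cdot Ver) \cdot d^{C_i})^{x}\big)^{r_i},\; g\Big) \\
&= e\Big(\prod_{i \in V} \big((H(C_i) \cdot Ver)^{r_i} \cdot d^{C_i r_i}\big),\; g^{x}\Big) \\
&= e\Big(\Big(\prod_{i \in V} (H(C_i) \cdot Ver)^{r_i}\Big) \cdot d^{\mu},\; y\Big).
\end{aligned}
$$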

3.3. Data Modification

Suppose a data owner wants to update some blocks of a file; here we use a single block as an example. The same procedure can be used for both updating data and inserting data (see Figure 6).

Fig. 6. The Data Modification. The data owner regenerates $s'_i = ((H(C'_i) \cdot Ver') \cdot d^{C'_i})^{x}$ and computes $t' = name \,\|\, n \,\|\, d \,\|\, Ver' \,\|\, (name \,\|\, n \,\|\, d \,\|\, Ver')^{x}$; the cloud storage service replaces $(C_i, s_i)$ by $(C'_i, s'_i)$; the auditor updates $t$ to $t'$.

(1) The data owner regenerates the signature $s'_i$ for the modified block and renews the tag as $t'$, and then sends the new block number, ciphertext, and signature as a modify message to the cloud storage service, and the new tag $t'$ to all auditors, including authorized data users.

(2) The cloud storage service uses the received message to update the ciphertext and signature. Then each auditor deletes the old $t$ and stores $t'$ for subsequent auditing.


4. Discussions and Analysis

4.1. Security Analysis

In this section, we describe how our scheme achieves the criteria mentioned in Section 1. The comparison with other auditing schemes is shown in Table 2.

Table 2. Comparison of Security Criteria

| Criterion | [11] | [12] | [10] | [14] | [13] | Our Scheme |
|---|---|---|---|---|---|---|
| Public Auditing | Yes | Yes | Yes | No | Yes | Yes |
| Privacy Preserving | No | No | Anyone | TPA, Cloud | No | Anyone |
| Data Confidentiality | No | No | No | Yes | No | Yes |
| Blockless Verification | Yes | Yes | Yes | No | Yes | Yes |
| Stateless Verification | Yes | Yes | Yes | No | Yes | Yes |
| Batch Auditing | No | No | Yes | No | Yes | Yes |
| Data Dynamic | No | No | No | Partial | Yes | Yes |
| Modify Guarantee | No | No | No | No | Partial | Yes |

Public auditing, blockless verification, and stateless verification are the more fundamental criteria for auditing schemes [10,11,12,13]. Public auditing lets a data owner delegate the auditing ability to anyone easily; blockless verification reduces the communication cost between an auditor and a cloud storage service; stateless verification avoids introducing additional overhead for the data owner (who would otherwise need to come online frequently). Each data owner has a large number of files stored in a cloud storage service, has no time to verify each file regularly, and yet worries about file correctness. These criteria can resolve the data owner's fear. Our scheme uses $t$ to achieve these three criteria. Scheme [14] is the only one that does not achieve these three criteria, because it relies only on a trusted third party auditor (TPA) to execute verification and does not use bilinear pairing.

Privacy preserving is the part of data confidentiality that applies only against the auditor, but we consider a cloud storage service to be a semi-trusted server that may use the real content for pecuniary benefit. Therefore, we present an auditing scheme based on ciphertext to protect privacy against both a cloud storage service and other auditors. Among the other schemes in the comparison table, only scheme [14] achieves both privacy preserving and data confidentiality, by means of a matrix scheme. Like scheme [14], we embed the encryption protocol in our auditing scheme. No one can eavesdrop on the communicated messages during the auditing.

When a data owner delegates an auditing task to an auditor, the same auditor may receive many auditing delegations from different data owners. For efficiency, [10] first introduced batch auditing, which aggregates all delegated tasks into one auditing task by a bilinear map. To achieve batch auditing, both scheme [13] and our scheme follow this aggregate structure.

In the cloud scenario, a data owner stores dynamic data rather than traditional static data, and may modify his/her data frequently. Thus, operations such as insert, modify, and delete should be supported. Schemes [10,11,12,14] cannot support dynamic data because their tags for verification are tied to the data block index. Hence, scheme [13] and our scheme use $H(m_i)$ instead of $H(name \,\|\, i)$, so that updating a specific block does not affect other blocks in the same file. Although [13] uses a Merkle Hash Tree (MHT) to achieve dynamic data and to provide update checking, a malicious cloud storage service can still discard all updated data and the related verifying information, and keep the old data and its related verifying information for auditing. Our scheme adds a value $Ver$ into the signature, updates $Ver$ after each dynamic data operation, and sends the new $Ver$ to auditors to guarantee that the updated data is stored in the cloud storage service; otherwise, the inconsistency of the data version will be revealed during auditing.

4.2. Performance Evaluation

Our scheme is based on ciphertext and bilinear pairing to address the problems in auditing, i.e. data confidentiality and dynamic data. Here we compare the computing cost and storage cost of each part of our scheme with those of scheme [13] to confirm that the defined requirements are met.

The performance comparison between Wang et al.'s scheme [13] and our scheme is shown in Table 3. The notations are briefly introduced as follows:

• $T_E$: The computing time of a symmetric encryption.

• $T_{Ge}$: The computing time of an exponentiation in group operation.

• $T_{BS}$: The computing time of a BLS signature.

• $T_B$: The computing time of a bilinear map.

• $T_M$: The computing time of a multiplication.

• $T_A$: The computing time of an addition.

• $T_{GM}$: The computing time of a multiplication in group operation.

• $T_h$: The computing time of a hash.

• $n$: The number of blocks in one file.

• $i$: The number of verified blocks.

• $s$: The number of inside nodes needed in the MHT.

• $o$: The number of auxiliary authentication information (AAI) items.

In Table 3, it can be seen that the data owner in both Wang et al.’s scheme 13 and our scheme needs 1 exponentiation in the group to generate the public key and n hashes to generate the hash values of all blocks in the setup phase. Besides, we need only (n + 1) BLS signatures (n data blocks and a file tag) in the setup phase; Wang et al.’s scheme 13 needs (n + 2) BLS signatures (n data blocks, a file tag, and an MHT root) and an additional (s + 1) hashes to generate the internal nodes


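Table 3. Performance Comparison

| Cost | Party | Wang et al.’s Scheme 13 | Our Scheme |
|---|---|---|---|
| Computing cost | Data owner | 1T_Ge + (n + s + 4)T_h + (n + 5)T_BS | 1T_Ge + nT_E + (n + 1)T_h + (n + 3)T_BS |
| Computing cost | Auditor | 1T_B | 1T_B |
| Computing cost | Cloud storage service | i(T_M + T_A + T_GM + T_Ge) + (i + 2o + 2)T_h | i(T_M + T_A + T_GM + T_Ge + T_h) |
| Storage cost | Auditor | No | t |
| Storage cost | Cloud storage service | F, t, S, s(H(R)) | C, S |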

and the root node of the MHT. Because our scheme does not use an MHT, it saves 1 BLS signature (the signature of the MHT root R) and the (s + 1) related hash values. However, our scheme needs an additional n symmetric encryptions, one for each data block, to protect data confidentiality. This encryption is a worthwhile tradeoff: it provides data confidentiality, which Wang et al.’s scheme cannot achieve, and it is not very heavy.

In the auditing phase, we keep the merit that the auditor needs only 1 bilinear map operation to finish the auditing task, the same as in Wang et al.’s scheme 13. The cloud storage service in both Wang et al.’s scheme 13 and our scheme needs to compute i multiplications and additions to generate µ, i exponentiations and multiplications in group operation to generate S_agg, and i hashes to generate the hash values of all blocks. Since our scheme does not use an MHT, the cloud storage service does not need to compute the (o + 1) hash operations (o AAI nodes and a root node) of the MHT in the auditing phase.

When dynamic data is processed, e.g. one block is modified, the data owner in Wang et al.’s scheme 13 needs to compute 3 hash operations (the modified block, the old R, and the new R′) and 3 BLS signature operations (the modified block, the old R, and the new R′). Our scheme needs only 2 BLS signature operations (the modified block and the new tag t′) and 1 hash operation for the modified block on the data owner side. On the cloud storage side, Wang et al.’s scheme 13 also needs (1 + o) hash operations (the modified data block and the AAI nodes in the MHT), whereas our scheme does not need to compute anything.

In Table 3, we have analyzed the computational cost of our scheme. Although the computing cost of our scheme is higher than that of scheme 13 in the setup phase of the data owner, our scheme achieves data confidentiality, and supporting dynamic data without an MHT relieves the cloud storage service of maintaining all the hash values and related auxiliary authentication information (AAI) in the MHT. We require the auditor to store a tag t to achieve the modification guarantee; the tag is only metadata-sized and does not incur much storage cost. Since the tag t includes the version information Ver, it is very useful for guaranteeing that the data version is the newest and fully protects against a malicious cloud storage service discarding the newest data.

5. Conclusions

Public auditing is an important requirement in cloud storage services: it reduces data owners’ worries about their cloud data and lets them easily delegate the verification overhead to anyone. But a cloud storage service is a semi-trusted server, so a cloud service provider may access data without the data owner’s agreement for pecuniary reasons. Data confidentiality and access control are important issues in cloud storage, and many kinds of access control schemes have been proposed (e.g. attribute-based 20,21,22,23, file-group-based, and access-list-based 1,24,25,26). However, although data in all kinds of access control schemes is encrypted before being uploaded to a cloud storage service to avoid eavesdropping and tampering attacks, data used in all kinds of public auditing schemes is stored in plaintext form in the cloud storage service and is only provided with privacy protection against auditors. Therefore, we propose an auditing scheme based on ciphertext to achieve data confidentiality against both the cloud service provider and all auditors.

Furthermore, our scheme supports dynamic data without an MHT, which is easier and more secure than scheme 13. In our scheme, we use only a metadata tag t, which includes the version information Ver, to achieve the modification guarantee. Ver can not only guarantee the correctness of the newest version of the data, but can also be extended to verify different versions or time periods for cooperative collaboration scenarios in the cloud in the future.

Acknowledgements

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. In addition, this research was partially supported by the Ministry of Science and Technology, Taiwan, R.O.C., under contract no.: MOST 105-2221-E-030-012.

References

1. S. D. C. d. Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and P. Samarati, Over-encryption: Management of access control evolution on outsourced data, Proceeding of the 33rd International Conference on Very Large Data Bases (VLDB), Vienna, Austria, September 2007, pp. 123–134.

2. C. C. Lee, C. C. Yang, and M. S. Hwang, A new privacy and authentication protocol for end-to-end mobile users, International Journal of Communication Systems. 16 (2003) 799–808.

3. C. T. Li, M. S. Hwang, and Y. P. Chu, Further improvement on a novel privacy preserving authentication and access control scheme for pervasive computing environments, Computer Communications. 31 (2008) 4255–4258.

4. C. T. Li, M. S. Hwang, and Y. P. Chu, A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks, Computer Communications. 31 (2008) 2803–2814.


5. M. S. Hwang, S. T. Hsu, and C. C. Lee, A new public key encryption with conjunctive field keyword search scheme, Information Technology and Control. 43 (2014) 277–288.

6. C. C. Lee, S. T. Hsu, and M. S. Hwang, A study of conjunctive keyword searchable schemes, International Journal of Network Security. 15 (2013) 321–330.

7. C. C. Lee and Y. M. Lai, Toward a secure single sign-on mechanism for distributed computer networks, The Computer Journal. 58 (2015) 934–943.

8. C. C. Lee, C. T. Li, S. T. Chiu, and S. D. Chen, Time-bound key-aggregate encryption for cloud storage, Security and Communication Networks. 9 (2016) 2059–2069.

9. C. C. Lee, C. T. Li, C. L. Chen, and S. T. Chiu, A searchable hierarchical conditional proxy re-encryption scheme for cloud storage services, Information Technology And Control. 45 (2016) 289–299.

10. C. Wang, Q. Wang, K. Ren, and W. Lou, Privacy-preserving public auditing for data storage security in cloud computing, Proceeding of the 29th IEEE INFOCOM 2010, San Diego, CA, USA, March 2010, pp. 1–9.

11. G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, Provable data possession at untrusted stores, Proceedings of the 14th ACM conference on Computer and communications security, New York, NY, USA, October 2007, pp. 598–610.

12. H. Shacham and B. Waters, Compact proofs of retrievability, Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security - ASIACRYPT 2008, Melbourne, Australia, December 2008, pp. 90–107.

13. Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, Enabling public auditability and data dynamics for storage security in cloud computing, IEEE Transactions on Parallel and Distributed Systems. 22 (2011) 847–859.

14. C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou, Towards secure and dependable storage services in cloud computing, IEEE Transactions on Services Computing. 4 (2011) 1–14.

15. D. Boneh and M. Franklin, Identity-based encryption from the weil pairing, SIAM Journal on Computing (SICOMP). 32 (2003) 586–615.

16. M. M. Rasslan, A stamped hidden-signature scheme utilizing the elliptic curve discrete logarithm problem, International Journal of Network Security. 13 (2011) 49–57.

17. N. Tiwari and S. Padhye, Provable secure multi-proxy signature scheme without bilinear maps, International Journal of Network Security. 17 (2015) 736–742.

18. X. Fu, Unidirectional proxy re-encryption for access structure transformation in attribute-based encryption schemes, International Journal of Network Security. 17 (2015) 142–149.

19. S. Subashini and V. Kavitha, A survey on security issues in service delivery models of cloud computing, Journal of Network and Computer Applications. 34 (2011) 1–11.

20. S. Yu, C. Wang, K. Ren, and W. Lou, Achieving secure, scalable, and fine-grained data access control in cloud computing, Proceeding of the 29th IEEE INFOCOM 2010, San Diego, CA, USA, March 2010, pp. 1–9.

21. Q. Liu, G. Wang, and J. Wu, Efficient sharing of secure cloud storage services, Proceeding of the 10th IEEE International Conference on Computer and Information Technology (CIT 2010), Bradford, USA, June 2010, pp. 922–929.

22. G. Wang, Q. Liu, and J. Wu, Hierarchical attribute-based encryption for fine-grained access control in cloud storage services, Proceeding of the 17th ACM Conference on Computer and Communications Security (CCS 2010), Chicago, Illinois, USA, October 2010, pp. 735–737.

23. G. Wang, Q. Liu, J. Wu, and M. Guo, Hierarchical attribute-based encryption and scalable user revocation for sharing data in cloud servers, Computers and Security. 30 (2011) 320–311.

24. G. Ateniese, K. Fu, M. Green, and S. Hohenberger, Improved proxy re-encryption schemes with applications to secure distributed storage, ACM Trans. on Information and System Security. 9 (2006) 1–30.

25. S. Sanka, C. Hota, and M. Rajarajan, Secure data access in cloud computing, Proceeding of the 4th International Conference on Internet Multimedia Systems Architecture and Applications (IMSAA-10), Bangalore, India, December 2009, pp. 1–6.

26. T. H. Sun and M. S. Hwang, A hierarchical data access and key management in cloud computing, ICIC Express Letters. 6 (2012) 569–574.