October 12, 2016 15:12 WSPC/INSTRUCTION FILE ws-jcsc
Journal of Circuits, Systems, and Computers
© World Scientific Publishing Company
Achieving Dynamic Data Guarantee and Data Confidentiality of Public
Auditing in Cloud Storage Service
Min-Shiang Hwang
Department of Computer Science and Information Engineering, Asia University, 500 Liufeng Road, Wufeng, Taichung, Taiwan 402, R.O.C.
Department of Medical Research, China Medical University Hospital, China Medical University, No.91, Hsueh-Shih Road, Taichung, Taiwan 40402, R.O.C.
Tsuei-Hung Sun
Department of Management Information Systems, National Chung Hsing University, 250 Kuo Kuang Road, Taichung, Taiwan 402, R.O.C.
Cheng-Chi Lee∗
Department of Library and Information Science, Fu Jen Catholic University
No. 510, Zhongzheng Rd., Xinzhuang Dist., New Taipei City 24205, Taiwan, R.O.C.
∗Corresponding Email: [email protected]
Received (28 Nov 2014)
Revised (18 Jan 2016)
Accepted (09 Oct 2016)
Recently, storage as a service in cloud computing has become a new trend for accessing or sharing files. Once files are stored in the cloud, the owner can access them seamlessly from a personal computer or mobile device. However, the owner may worry about the confidentiality and integrity of the files stored in the cloud because cloud service providers are not always trustworthy. Therefore, many kinds of data correctness verification methods have been proposed to prevent cloud service providers from cheating data owners. Among these auditing models, bilinear pairing achieves the most efficient way to verify data correctness and perform batch auditing. Although auditing methods can ensure that data is stored properly, they do not consider that the data may be secret, or that a data owner may not want it to be known by either auditors or cloud service providers. Another important issue is supporting dynamic data in cloud auditing. Wang et al. proposed a scheme that provides public auditing and dynamic data, but it still cannot guarantee that the cloud has updated the data honestly. For this reason, we propose a dynamic data guarantee and data confidentiality scheme for public auditing in cloud storage service.
Keywords: Cloud storage service; public auditing; data confidentiality; dynamic data; security.
∗Corresponding Author
1. Introduction
Over the past decade, technology has advanced rapidly and made Internet access
ubiquitous. In this quickly changing world, users have shifted from keeping data on
an individual computer to sharing it on an outsourced server [1]. In recent years,
the cloud storage service in cloud computing has brought a new paradigm for data
outsourcing, meeting the demand for cheaper and more elastic storage space. Whether
for traditional data outsourcing or current cloud storage services, one of the most
important data security criteria is that data confidentiality must be achieved [2,3,4].
The cloud storage service provided by business enterprises is not always trusted,
and data may be tampered with or deleted from storage for pecuniary reasons [5,6,7,8,9].
Therefore, data auditing is another important issue. The simplest way to audit data
is to generate a hash value for each data item; the hash and the data are then sent to
an auditor and an outsourcing server, respectively. The auditor can then request the
data from the server and generate a hash value from the returned data, which is
compared with the initial hash value to check whether the data is correct. However,
this approach requires retrieving the data, which may incur a large communication
cost between the auditor and the cloud storage service [10]. An improved approach is
to send a number of MAC keys and the corresponding hash values to the auditor. To
audit the data, the auditor sends a MAC key to the cloud storage service and asks for
a new response hash value, which is compared with the initial hash value. This
approach introduces another problem: the auditor needs to maintain a key table to
manage the MAC keys, and the table size is determined by the number of times the
data is to be audited.
To avoid retrieving data from the cloud storage service for auditing and to remove
the limit on the number of audits, schemes [10,11,12] with blockless and stateless
verification were proposed one after another, based on a bilinear map and on hashing
data together with the index of the data block. Although these schemes achieve
blockless and stateless verification, they cannot support dynamic data operations
(e.g. update, insert, and delete) because the verified hash value is tied to the index
of the data block, which changes when the block is changed. The schemes proposed by
Wang et al. [13] and Wang et al. [14] can support dynamic data, but each has
advantages and disadvantages. Wang et al.’s scheme [14] provides data confidentiality,
but it cannot support the insert operation on dynamic data. Wang et al.’s scheme [13]
supports all dynamic data operations, but it cannot provide data confidentiality.
Moreover, neither scheme can guarantee that the cloud storage service really applies
a requested update: the cloud storage service can keep the old data after auditing
and discard the updated data, and the auditor cannot detect whether the data is
correct.
In addition, the most serious problem we found is that most auditing
schemes [10,11,12,13,14] do not provide data confidentiality, and only some schemes [10,14]
provide privacy preserving against auditors. Therefore, we propose a more
efficient scheme to address the problems mentioned above. The following security
criteria need to be achieved in cloud data auditing:
(1) Public Auditing: Not only the data owner but also anyone else who has the
computing ability can verify the correctness of the data.
(2) Privacy Preserving: During the auditing process, the data owner does not want
to let auditors know the real content.
(3) Data Confidentiality: Since a cloud storage service is not always trustworthy, all
data needs to be encrypted before being uploaded to and stored in the cloud storage
service.
(4) Blockless Verification: The auditor does not need to retrieve the audited blocks in
the verification process, which avoids a large communication cost between the
auditor and the cloud storage service.
(5) Stateless Verification: The auditor does not need to maintain state information for
auditing static data, which avoids requiring the data owner to be always online.
State information means the data with which the auditor performs the audit.
(6) Batch Auditing: To reduce the auditor’s computing overhead, multiple auditing
tasks should be aggregated into one task for efficiency.
(7) Dynamic Data: The data stored in a cloud storage service may be modified by
the data owner frequently, so dynamic data operations should be supported.
(8) Modify Guarantee: After dynamic data operations, it should be possible to
guarantee that the cloud storage service has indeed modified the requested data
instead of discarding and not storing the new data.
The contribution of this paper is a new scheme that achieves all of the above
security criteria. Compared with the other related schemes in Table 2, our proposed
scheme is superior. Additionally, our proposed scheme solves two important issues.
One is that neither auditors nor cloud service providers learn the stored files while
the auditing process is being performed. The other is that our proposed scheme can
also provide dynamic data auditing in the cloud.
The rest of the paper is organized as follows: related works on bilinear maps and
Wang et al.’s scheme [13] are described in Section 2. Section 3 presents the
assumptions, the notation table, and the details of our scheme. In Section 4, the
criteria comparison and performance are discussed. Finally, Section 5 gives our
contributions, conclusion, and future work on the presented scheme.
2. Related Works
First, we introduce the definition and characteristics of bilinear pairing. After that,
Wang et al.’s scheme [13] is described and the defects of their scheme are shown.
2.1. Bilinear Maps
Bilinear maps provide a more efficient and secure way to achieve verification [15].
Here we describe the definition and characteristics of bilinear maps.
Let $G$ be an additive group and $G_T$ be a multiplicative group, both of large
prime order $q$, and let $g$ be a generator of $G$. There exists a bilinear map
$e : G \times G \rightarrow G_T$ that satisfies the following three characteristics [16,17,18]:
(1) Bilinear: For all $g_1, g_2 \in G$ and all $a, b \in Z$, $e(a g_1, b g_2) = e(g_1, g_2)^{ab}$.
(2) Non-degenerate: If $g$ is the generator of $G$, then $e(g, g)$ is the generator of $G_T$;
that is, it needs to satisfy $e(g, g) \neq 1$.
(3) Computable: An efficient algorithm exists to compute $e(g_1, g_2)$ for any $g_1, g_2 \in G$.
2.2. Wang et al.’s Scheme
Wang et al.’s scheme uses a bilinear map with a Merkle Hash Tree (MHT) to achieve
public auditing, blockless verification, and stateless verification [13]. It uses the
hash value of the block as the data tag, instead of the hash value of the block index
with the data block [10,11,12], to support dynamic data operations.
In Wang et al.’s scheme, the client stores data in a cloud storage server (CSS), and
a third party auditor (TPA) processes the auditing task. Their protocol, shown in
Figure 1, has four procedures: setup, default integrity verification, dynamic data
operation with integrity assurance, and batch auditing for multi-client data.
Setup:
(1) The client generates a signing key pair $(spk, ssk)$ and selects a private key $\alpha$ to
generate the corresponding public key $v \leftarrow g^{\alpha}$. The secret key is $sk = (\alpha, ssk)$ and
the public key is $pk = (v, spk)$.
(2) The client randomly selects $u \leftarrow G$ and sets the file tag as
$t = name \| n \| u \| SSig_{ssk}(name \| n \| u)$, where $name$ denotes the name of the file $F$ and
$n$ denotes the number of blocks $m_1, m_2, \ldots, m_n$ into which $F$ is divided.
(3) The client signs each block by $\sigma_i \leftarrow (H(m_i) \cdot u^{m_i})^{\alpha}$ and generates the root $R$ of the
MHT by adding the hash value $H(m_i)$ of each block $i$ as a leaf node and computing
each inside node $H_x$ by the rule $H_x = H(\text{lower-level node} \| \text{lower-level sibling node})$
(see [13] for more detail).
(4) The client signs the root $R$ as $sig_{sk}(H(R))$ and sends $\{F, t, \Phi, sig_{sk}(H(R))\}$ to the CSS,
then deletes $\{F, t, \Phi, sig_{sk}(H(R))\}$ from local storage. Here $\Phi = \{\sigma_i\}_{1 \le i \le n}$
denotes the set of signatures.
Default Integrity Verification (See Figure 1 (a)):
(1) The TPA randomly selects $c$ blocks as a subset $I = \{s_1, s_2, \ldots, s_c\}$ from the audited
file, chooses a random value $v_i$ for each block in $I$, and then sends the challenge
$\{(i, v_i)\}_{i \in I}$ to the CSS.
(2) The CSS uses each stored block $m_i$ with the corresponding $v_i$ to compute
$\mu = \sum_i v_i m_i \in Z_p$ and $\sigma = \prod_i \sigma_i^{v_i} \in G$, and then sends the proof
$\{\mu, \sigma, \{H(m_i), \Omega_i\}_{i \in I}, sig_{sk}(H(R))\}$ to the TPA. $\Omega_i$ denotes a small amount of
auxiliary information.
Fig. 1. Wang et al.’s Scheme: (a) Default Integrity Verification, between the TPA and the CSS; (b) Dynamic Data Operation with Integrity Assurance, between the client and the CSS. (Figure not reproduced.)
(3) The TPA checks integrity by $e(\sigma, g) = e(\prod_{i \in I} H(m_i)^{v_i} \cdot u^{\mu}, v)$. If the equation
holds, the auditing is successful.
Dynamic Data Operation with Integrity Assurance (See Figure 1 (b)):
(1) The client generates a new signature for block $i$ by $\sigma'_i = (H(m'_i) \cdot u^{m'_i})^{\alpha}$ and sends
the update message $(M, i, m'_i, \sigma'_i)$ to the CSS. $M$ denotes the modification operation.
(2) The CSS updates $m'_i, \sigma'_i$ by replacing the old block and signature, computes a new
root $R'$, and then sends the proof $(\Omega_i, H(m_i), sig_{sk}(H(R)), R')$ to the client.
(3) The client first checks whether the old $R$ is correct, then generates a new root
$R_{new}$ to compare with the received $R'$. If they match, the new root is signed as
$sig_{sk}(H(R'))$ and sent to the CSS to update the root signature.
Batch Auditing:
Bilinear maps make it easy to aggregate different signatures on different files owned
by different users, because of the bilinear characteristic mentioned above. Here
Wang et al.’s scheme assumes that $k$ is a specific client and $K$ is the number of clients
in the system. To support batch auditing, the only difference is that all delegated
signatures are aggregated into one signature by the equation
$\sigma = \prod_{k=1,\ldots,K} (\prod_{i \in I} \sigma_{k,i}^{v_i})$.
2.3. Weaknesses of Wang et al.’s Scheme
Although Wang et al.’s scheme achieves public auditing and dynamic data integrity
assurance, it still has the following problems:
(1) Data is transferred in plaintext between the data owner and the cloud
storage service, so an attacker can eavesdrop and obtain the file content. A
simple way to solve this problem is to additionally use a symmetric or
asymmetric cryptosystem to encrypt and decrypt the communicated messages
against eavesdropping. However, this method adds computational cost during
the auditing. Instead, the encryption/decryption protocol should be embedded
in the auditing scheme itself to solve this problem.
(2) In data modification, although the data owner can check whether the CSS has
accomplished the modify operation, the TPA only uses the information provided
by the CSS, so it cannot distinguish whether the data is the newest if the CSS
discards the updated result and keeps the original value for auditing. We will
solve this problem in Section 3.3.
3. The Proposed Scheme
Next, we describe the assumptions of public auditing in a cloud storage service.
Then, the notation used in the proposed scheme is shown in Table 1. Finally, the
environment and detailed steps are presented.
The assumptions of public auditing in a cloud storage service and of our scheme
are as follows:
(1) Although the cloud storage service usually executes the user’s requests honestly,
it cannot always be trusted, because a cloud service provider may modify or
delete the user’s data for some benefit [10,13,14,19,20].
(2) The cloud may keep the original authenticator values to pass the auditing, even
though the data has already been modified, and this goes undetected.
(3) Each file encryption key is pre-shared when a data user obtains the access
right.
Table 1. Notation Table
Notation    Description
$x$         Data owner’s private key
$y$         Data owner’s public key
$G$         A multiplicative cyclic group of prime order $p$
$g$         The generator of $G$
$F$         File
$m_i$       The data block of the file, $i = 1, \ldots, n$
$C$         The ciphertext of the file
$C_i$       The corresponding ciphertext of $m_i$
$K_F$       The file encryption key of file $F$
$t$         The file tag
$name$      The name of the file
$n$         The number of data blocks the file has
$d$         A randomly selected value for the file
$Ver$       The version information of the file
$s_i$       The signature of $m_i$
$S$         The data block signature set of the file
$S_{agg}$   The aggregated signature of verified blocks
$H(\cdot)$  A one-way hash function in group $G$
$E$         Symmetric encryption function
The proposed scheme is based on Wang et al.’s scheme [13], but we do not use the
MHT structure to deal with dynamic data. The environment of the proposed scheme
is shown in Figure 2, and there are three types of participants: Data Owner, Cloud
Storage Service, and Auditor. The data owner is a person who has many files stored
in the cloud storage service and does not have much time to check data correctness
regularly. The cloud storage service is operated by a business enterprise that
provides storage space for the data owner and that may modify or delete the owner’s
data for monetary benefit. The auditor can be an authorized and trustworthy party
that has the ability to verify the stored data (e.g. a trusted third party auditor or
the data owner) or a data user who has the access right to the data owner’s data.
Fig. 2. The System Environment of Our Scheme
At first, the data owner uploads the encrypted data to cloud storage and sends
the auditing metadata to auditors for auditing. Then, auditors can send requests
to verify randomly selected blocks in each file at regular intervals (by an authorized
party) or check data correctness after downloading data (by a data user). Our scheme
has three parts: setup, auditing, and data modification.
3.1. Setup
Here the data owner initializes the bilinear pairing parameters and pre-processes the
files to be stored and audited, then sends the auditing metadata to an auditor and
the encrypted files to a cloud storage service.
(1) Choose a random value $x \leftarrow Z_p$ as his/her private key, and $y \leftarrow g^x$ as the
corresponding public key.
(2) Divide a file into $n$ sequential blocks as $F = (m_1, m_2, \ldots, m_n)$ and select a secret
key $K_F$ for file $F$. Then, encrypt each block by $C_i = E_{K_F}(m_i)$ and denote the
complete ciphertext as $C = (C_1, \ldots, C_n)$.
(3) Choose a random element $d \leftarrow G$, and set the file tag as
$t = name \| n \| d \| Ver \| (name \| n \| d \| Ver)^x$.
(4) Compute each block signature by $s_i = ((H(C_i) \cdot Ver) \cdot d^{C_i})^x$ and denote all
signatures as $S = (s_1, \ldots, s_n)$.
(5) Send $(C, S)$ to a cloud storage service and $t$ to an auditor, respectively. Next,
delete the local copies except $t$.
3.2. Auditing
Auditing has two cases: authorized party and data user. In the first case, after a
period of time, the authorized party sends an auditing message to the cloud storage
service to request verification of randomly selected blocks of each file, shown as
Case 1 in Figure 3. In the other case, a data user wants to download a file and check
the data correctness, so he/she sends a request for the ciphertext with an auditing
proof, shown as Case 2 in Figure 4.
Case 1 - Auditor:
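Fig. 3. Auditing Operation - Case 1 (figure not reproduced). The auditor selects $V = \{v_1, \ldots, v_l\}$ and sends $(name \| \{(i, r_i)\}_{i \in V})$; the cloud storage service computes $\mu = \sum_{i \in V} r_i C_i \in Z_p$ and $S_{agg} = \prod_{i \in V} s_i^{r_i} \in G$ and returns $P = (\mu, S_{agg}, \{H(C_i)\}_{i \in V})$; the auditor checks $e(S_{agg}, g) \stackrel{?}{=} e((\prod_{i \in V} (H(C_i) \cdot Ver)^{r_i}) \cdot d^{\mu}, y)$.
Fig. 4. Auditing Operation - Case 2 (figure not reproduced). The cloud storage service computes $S_{agg} = \prod_{i=1}^{n} s_i$; the data user checks $e(S_{agg}, g) \stackrel{?}{=} e(\prod_{i=1}^{n} ((H(C_i) \cdot Ver) \cdot d^{C_i}), y)$.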
(1) The auditor randomly selects $l$ blocks, denoted as a set $V$, from the audited
file, and sets a random value $r_i$ for each block $v_l$ as an auditing value.
Then, the auditor sends an auditing message $(name \| \{(i, r_i)\}_{i \in V})$ to the
cloud storage service, requesting it to verify the correctness of these blocks.
(2) After the cloud storage service receives the auditing message, it finds
these blocks in storage by $name$, and then uses $r_i$ to compute
with $C_i$ and $s_i$, respectively. In addition, the cloud storage service computes
the hash value $H(C_i)$ of each verified block to achieve blockless verification.
For efficiency, the cloud storage service aggregates all verified
signatures as $S_{agg}$ to reduce the auditor’s computing overhead. Finally, the
cloud storage service sends the proof message $P$ to the auditor.
(3) The auditor uses the $Ver$ he/she holds and $P$ to verify correctness by checking
$e(S_{agg}, g) = e((\prod_{i \in V} (H(C_i) \cdot Ver)^{r_i}) \cdot d^{\mu}, y)$.
If the equation holds, the auditing task is successful.
(4) This auditing can be extended to batch auditing by aggregating all
tasks into one verification task, in the same way as [13]. Here we only show
the parts that differ from Wang et al. in Figure 5.
Fig. 5. Batch Auditing Example (figure not reproduced).
(5) In Figure 5, the values $V$, $\mu$, $H(C_i)$, $Ver$, $d$, and $y$ carry
a subscript $u$ to express that they belong to a specific user $u$, and $U$
represents the total number of delegators that one auditor has.
Case 2 - Data User:
(1) The data user sends a message to the cloud storage service to request the
ciphertext $C$ and the corresponding auditing information.
(2) After the cloud storage service receives the message, it computes the aggregate
signature $S_{agg}$ as proof information and sends it with $C$ to the data user.
(3) The data user uses the received $C$ to compute the hash value $H(C_i)$ for
each $C_i$, and uses these $H(C_i)$ with the $Ver$ he/she holds to verify the correctness
of the file by checking $e(S_{agg}, g) = e(\prod_{i=1}^{n} ((H(C_i) \cdot Ver) \cdot d^{C_i}), y)$.
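Proof of auditing verification:
$e(S_{agg}, g) = e(\prod_{i \in V} s_i^{r_i}, g)$
$= e(\prod_{i \in V} (((H(C_i) \cdot Ver) \cdot d^{C_i})^x)^{r_i}, g)$
$= e(\prod_{i \in V} ((H(C_i) \cdot Ver)^{r_i} \cdot d^{C_i r_i}), g^x)$
$= e((\prod_{i \in V} (H(C_i) \cdot Ver)^{r_i}) \cdot d^{\mu}, y)$.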
3.3. Data Modification
The data owner wants to update some blocks of a file; here we use one block as an
example. This scheme can be used for both updating data and inserting data
(see Figure 6).
Fig. 6. The Data Modification (figure not reproduced). The data owner regenerates $s'_i = ((H(C'_i) \cdot Ver') \cdot d^{C'_i})^x$ and computes $t' = name \| n \| d \| Ver' \| (name \| n \| d \| Ver')^x$; the cloud storage service replaces $(C_i, s_i)$ by $(C'_i, s'_i)$, and the auditor updates $t$ to $t'$.
(1) The data owner regenerates the signature $s'_i$ for the modified block and renews
$t'$, then sends the new block number, ciphertext, and signature as a modify
message to the cloud storage service, and the new tag $t'$ to all auditors, including
authorized data users.
(2) The cloud storage service uses the received message to update the ciphertext and
signature. Then each auditor deletes the old $t$ and stores $t'$ for subsequent auditing.
4. Discussions and Analysis
4.1. Security Analysis
In this section, we describe how our scheme achieves the criteria mentioned in
Section 1; the comparison with other auditing schemes is shown in Table 2.
Table 2. Comparison of Security Criteria
Criterion               [11]  [12]  [10]    [14]        [13]     Our Scheme
Public Auditing         Yes   Yes   Yes     No          Yes      Yes
Privacy Preserving      No    No    Anyone  TPA, Cloud  No       Anyone
Data Confidentiality    No    No    No      Yes         No       Yes
Blockless Verification  Yes   Yes   Yes     No          Yes      Yes
Stateless Verification  Yes   Yes   Yes     No          Yes      Yes
Batch Auditing          No    No    Yes     No          Yes      Yes
Data Dynamic            No    No    No      Partial     Yes      Yes
Modify Guarantee        No    No    No      No          Partial  Yes
Public auditing, blockless verification, and stateless verification are the more
fundamental criteria for auditing schemes [10,11,12,13]. Public auditing lets a data
owner delegate the auditing ability to anyone easily; blockless verification reduces
the communication cost between an auditor and a cloud storage service; stateless
verification avoids introducing additional overhead for the data owner (who would
otherwise need to come online frequently). Each data owner has a large number of
files stored in a cloud storage service, has no time to verify each file regularly, and
worries about file correctness; these criteria address the data owner’s concerns. Our
scheme uses $t$ to achieve these three criteria. Scheme [14] is the only one that does
not achieve these three criteria, because it only lets a trusted third party auditor
(TPA) execute verification, without using bilinear pairing.
Privacy preserving is the part of data confidentiality that applies only against the
auditor, but we consider the cloud storage service to be a semi-trusted server that
may use the real content for pecuniary benefit. Therefore, we present an auditing
scheme based on ciphertext to protect privacy against both the cloud storage
service and other auditors. In the comparison table, only scheme [14] achieves both
privacy preserving and data confidentiality, by means of a matrix scheme. Like
scheme [14], we embed the encryption protocol in our auditing scheme. No one can
eavesdrop on the communicated messages during the auditing.
When a data owner delegates an auditing task to an auditor, the same auditor may
receive many auditing delegations from different data owners. For efficiency, [10]
first introduced batch auditing to aggregate all delegated tasks into one auditing
task by bilinear map. To achieve batch auditing, both scheme [13] and our scheme
follow this aggregate structure.
In the cloud scenario, a data owner stores dynamic data, which he/she may modify
frequently, instead of traditional static data. Thus, operations such as insert,
modify, and delete should be supported. Schemes [10,11,12,14] cannot support
dynamic data because their verification tags are tied to the data block index.
Hence, scheme [13] and our scheme use $H(m_i)$ instead of $H(name \| i)$, so that
updating a specific block does not affect other blocks in the same file. Although [13]
uses a Merkle Hash Tree (MHT) to achieve dynamic data and provide update
checking, a malicious cloud storage service can still discard all updated data and
related verifying information, and keep the old data and related verifying information
for auditing. Our scheme adds a value $Ver$ into the signature, updates $Ver$ after a
dynamic data operation, and sends the new $Ver$ to auditors to guarantee that the
updated data is stored in the cloud storage service; otherwise, the inconsistency of
the data version is revealed during auditing.
4.2. Performance Evaluation
Our scheme is based on ciphertext and bilinear pairing to address two problems in
auditing, namely data confidentiality and dynamic data. Here we compare the
computing cost and storage cost of each part of our scheme with scheme [13] to
conform to the defined requirements.
The performance comparison between Wang et al.’s scheme [13] and our scheme is
shown in Table 3. The notation is briefly introduced as follows:
• $T_E$: The computing time of a symmetric encryption.
• $T_{Ge}$: The computing time of an exponentiation in the group.
• $T_{BS}$: The computing time of a BLS signature.
• $T_B$: The computing time of a bilinear map.
• $T_M$: The computing time of a multiplication.
• $T_A$: The computing time of an addition.
• $T_{GM}$: The computing time of a multiplication in the group.
• $T_h$: The computing time of a hash.
• $n$: The number of blocks in one file.
• $i$: The number of verified blocks.
• $s$: The number of inside nodes needed in the MHT.
• $o$: The number of auxiliary authentication information (AAI) nodes.
Table 3 shows that the data owner in both Wang et al.’s scheme [13] and our
scheme needs 1 exponentiation in the group to generate the public key and $n$
hash operations to generate the hash values of all blocks in the setup phase. Besides,
we only need $(n + 1)$ BLS signatures ($n$ data blocks and a file tag) in the setup
phase; Wang et al.’s scheme [13] needs $(n + 2)$ BLS signatures ($n$ data blocks, a
file tag, and an MHT root) and an additional $(s + 1)$ hash operations to generate
the internal nodes and root node of the MHT. Because our scheme does not use an
MHT, it saves the 1 BLS signature generated for the MHT root $R$ and the $(s + 1)$
related hash values. However, our scheme needs an additional $n$ symmetric
encryptions for all data blocks to protect data confidentiality. The encryption for
data confidentiality is a worthwhile tradeoff, since it provides what Wang et al.’s
scheme cannot achieve and is not very heavy.
Table 3. Performance Comparison
                         Wang et al.’s Scheme [13]                                Our Scheme
Computing Cost
  Data Owner             $1T_{Ge} + (n+s+4)T_h + (n+5)T_{BS}$                     $1T_{Ge} + nT_E + (n+1)T_h + (n+3)T_{BS}$
  Auditor                $1T_B$                                                   $1T_B$
  Cloud Storage Service  $i(T_M + T_A + T_{GM} + T_{Ge}) + (i+2o+2)T_h$           $i(T_M + T_A + T_{GM} + T_{Ge} + T_h)$
Storage Cost
  Auditor                No                                                       $t$
  Cloud Storage Service  $F, t, S, s(H(R))$                                       $C, S$
In the auditing phase, we keep the merit that the auditor needs only 1 bilinear
map operation to finish the auditing task, the same as in Wang et al.’s
scheme [13]. The cloud storage service in both Wang et al.’s scheme [13] and our
scheme needs to compute $i$ multiplications and additions to generate $\mu$, $i$
exponentiations and multiplications in the group to generate $S_{agg}$, and $i$ hash
operations to generate the hash values of all blocks. Since our scheme does not use
an MHT, the cloud storage service does not need to compute the $(o + 1)$ hash
operations ($o$ AAI nodes and a root node) of the MHT in the auditing phase.
When dynamic data is processed, e.g. one block is modified, the data owner in
Wang et al.’s scheme [13] needs to compute 3 hash operations (the modified
block, the old $R$, and the new $R'$) and 3 BLS signature operations (the
modified block, the old $R$, and the new $R'$). Our scheme needs only 2 BLS
signature operations (the modified block and the new tag $t'$) and 1 hash
operation for the modified block at the data owner side. At the cloud storage side,
Wang et al.’s scheme [13] also needs $(1 + o)$ hash operations (the modified data
block and the AAI nodes in the MHT), but our scheme does not need to compute
anything.
In Table 3, we have analyzed the computational cost of our scheme. Although
the computing cost of our scheme at the setup phase of the data owner is higher
than that of [13], our scheme achieves data confidentiality, and supporting dynamic
data without an MHT relieves cloud storage services of maintaining all hash values
and related auxiliary authentication information (AAI) in the MHT. We require an
auditor to store a tag $t$ to achieve the modify guarantee; the tag is only
metadata-sized and does not incur much storage cost. Since the tag $t$ includes the
version information $Ver$, it is very useful for guaranteeing that the data version is
the newest and for guarding completely against a malicious cloud storage service
discarding the newest data.
5. Conclusions
Public auditing is an important requirement in cloud storage services: it reduces
the data owner’s worry about cloud data and lets the owner delegate the verification
overhead to anyone easily. However, a cloud storage service is a semi-trusted server,
so a cloud service provider may access data without the data owner’s agreement for
pecuniary reasons. Data confidentiality and access control are important issues in
cloud storage, and many kinds of access control schemes have been proposed (e.g.
attribute-based [20,21,22,23], file group-based, and access list-based [1,24,25,26]).
However, although data in all kinds of access control schemes is encrypted before
being uploaded to a cloud storage service to avoid eavesdropping and tampering
attacks, data used in all kinds of public auditing schemes is stored in plaintext in a
cloud storage service and is only provided with privacy protection against auditors.
Therefore, we propose an auditing scheme based on ciphertext to achieve data
confidentiality against both the cloud service provider and all auditors.
Furthermore, our scheme is easier and more secure than [13] in supporting dynamic
data without an MHT. In our scheme, we only use the metadata $t$, which includes
the version information $Ver$, to achieve the modification guarantee. $Ver$ can not
only guarantee the correctness of the newest version of the data, but can also be
extended in the future to verify different versions or time periods for cooperative
collaboration scenarios in the cloud.
Acknowledgements
The authors would like to thank the anonymous reviewers for their valuable com-
ments and suggestions. In addition, this research was partially supported by the
Ministry of Science and Technology, Taiwan, R.O.C., under contract no.: MOST
105-2221-E-030-012.
References
1. S. D. C. d. Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and P. Samarati, Over-encryption: Management of access control evolution on outsourced data, Proceeding of the 33rd International Conference on Very Large Data Bases (VLDB), Vienna, Austria, September 2007, pp. 123–134.
2. C. C. Lee, C. C. Yang, and M. S. Hwang, A new privacy and authentication protocol for end-to-end mobile users, International Journal of Communication Systems. 16 (2003) 799–808.
3. C. T. Li, M. S. Hwang, and Y. P. Chu, Further improvement on a novel privacy preserving authentication and access control scheme for pervasive computing environments, Computer Communications. 31 (2008) 4255–4258.
4. C. T. Li, M. S. Hwang, and Y. P. Chu, A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks, Computer Communications. 31 (2008) 2803–2814.
5. M. S. Hwang, S. T. Hsu, and C. C. Lee, A new public key encryption with conjunctive field keyword search scheme, Information Technology and Control. 43 (2014) 277–288.
6. C. C. Lee, S. T. Hsu, and M. S. Hwang, A study of conjunctive keyword searchable schemes, International Journal of Network Security. 15 (2013) 321–330.
7. C. C. Lee and Y. M. Lai, Toward a secure single sign-on mechanism for distributed computer networks, The Computer Journal. 58 (2015) 934–943.
8. C. C. Lee, C. T. Li, S. T. Chiu, and S. D. Chen, Time-bound key-aggregate encryption for cloud storage, Security and Communication Networks. 9 (2016) 2059–2069.
9. C. C. Lee, C. T. Li, C. L. Chen, and S. T. Chiu, A searchable hierarchical conditional proxy re-encryption scheme for cloud storage services, Information Technology and Control. 45 (2016) 289–299.
10. C. Wang, Q. Wang, K. Ren, and W. Lou, Privacy-preserving public auditing for data storage security in cloud computing, Proceeding of the 29th IEEE INFOCOM 2010, San Diego, CA, USA, March 2010, pp. 1–9.
11. G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, Provable data possession at untrusted stores, Proceedings of the 14th ACM conference on Computer and communications security, New York, NY, USA, October 2007, pp. 598–610.
12. H. Shacham and B. Waters, Compact proofs of retrievability, Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security - ASIACRYPT 2008, Melbourne, Australia, December 2008, pp. 90–107.
13. Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, Enabling public auditability and data dynamics for storage security in cloud computing, IEEE Transactions on Parallel and Distributed Systems. 22 (2011) 847–859.
14. C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou, Towards secure and dependable storage services in cloud computing, IEEE Transactions on Services Computing. 4 (2011) 1–14.
15. D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, SIAM Journal on Computing (SICOMP). 32 (2003) 586–615.
16. M. M. Rasslan, A stamped hidden-signature scheme utilizing the elliptic curve discrete logarithm problem, International Journal of Network Security. 13 (2011) 49–57.
17. N. Tiwari and S. Padhye, Provable secure multi-proxy signature scheme without bilinear maps, International Journal of Network Security. 17 (2015) 736–742.
18. X. Fu, Unidirectional proxy re-encryption for access structure transformation in attribute-based encryption schemes, International Journal of Network Security. 17 (2015) 142–149.
19. S. Subashini and V. Kavitha, A survey on security issues in service delivery models of cloud computing, Journal of Network and Computer Applications. 34 (2011) 1–11.
20. S. Yu, C. Wang, K. Ren, and W. Lou, Achieving secure, scalable, and fine-grained data access control in cloud computing, Proceeding of the 29th IEEE INFOCOM 2010, San Diego, CA, USA, March 2010, pp. 1–9.
21. Q. Liu, G. Wang, and J. Wu, Efficient sharing of secure cloud storage services, Proceeding of the 10th IEEE International Conference on Computer and Information Technology (CIT 2010), Bradford, USA, June 2010, pp. 922–929.
22. G. Wang, Q. Liu, and J. Wu, Hierarchical attribute-based encryption for fine-grained access control in cloud storage services, Proceeding of the 17th ACM Conference on Computer and Communications Security (CCS 2010), Chicago, Illinois, USA, October 2010, pp. 735–737.
23. G. Wang, Q. Liu, J. Wu, and M. Guo, Hierarchical attribute-based encryption and scalable user revocation for sharing data in cloud servers, Computers and Security. 30 (2011) 320–311.
24. G. Ateniese, K. Fu, M. Green, and S. Hohenberger, Improved proxy re-encryption schemes with applications to secure distributed storage, ACM Trans. on Information and System Security. 9 (2006) 1–30.
25. S. Sanka, C. Hota, and M. Rajarajan, Secure data access in cloud computing, Proceeding of the 4th International Conference on Internet Multimedia Systems Architecture and Applications (IMSAA-10), Bangalore, India, December 2009, pp. 1–6.
26. T. H. Sun and M. S. Hwang, A hierarchical data access and key management in cloud computing, ICIC Express Letters. 6 (2012) 569–574.