Privacy-Preserving Public Auditing for Regenerating-Code-Based Cloud Storage

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015 1513

Privacy-Preserving Public Auditing forRegenerating-Code-Based Cloud Storage

Jian Liu, Kun Huang, Hong Rong, Huimei Wang, and Ming Xian

Abstract To protect outsourced data in cloud storage againstcorruptions, adding fault tolerance to cloud storage togetherwith data integrity checking and failure reparation becomescritical. Recently, regenerating codes have gained popularity dueto their lower repair bandwidth while providing fault tolerance.Existing remote checking methods for regenerating-coded dataonly provide private auditing, requiring data owners to alwaysstay online and handle auditing, as well as repairing, whichis sometimes impractical. In this paper, we propose a publicauditing scheme for the regenerating-code-based cloud storage.To solve the regeneration problem of failed authenticators inthe absence of data owners, we introduce a proxy, which isprivileged to regenerate the authenticators, into the traditionalpublic auditing system model. Moreover, we design a novel publicverifiable authenticator, which is generated by a couple of keysand can be regenerated using partial keys. Thus, our scheme cancompletely release data owners from online burden. In addition,we randomize the encode coefficients with a pseudorandomfunction to preserve data privacy. Extensive security analysisshows that our scheme is provable secure under random oraclemodel and experimental evaluation indicates that our schemeis highly efficient and can be feasibly integrated into theregenerating-code-based cloud storage.

Index Terms Cloud storage, regenerating codes, public audit,privacy preserving, authenticator regeneration, proxy, privileged,provable secure.

I. INTRODUCTION

CLOUD storage is now gaining popularity because itoffers a flexible on-demand data outsourcing servicewith appealing benefits: relief of the burden for storagemanagement, universal data access with locationindependence, and avoidance of capital expenditure onhardware, software, and personal maintenances, etc., [1].Nevertheless, this new paradigm of data hosting service alsobrings new security threats toward users data, thus makingindividuals or enterprisers still feel hesitant.

It is noted that data owners lose ultimate control over thefate of their outsourced data; thus, the correctness, availabilityand integrity of the data are being put at risk. On the onehand, the cloud service is usually faced with a broad range

Manuscript received August 26, 2014; revised December 19, 2014and March 9, 2015; accepted March 9, 2015. Date of publicationMarch 25, 2015; date of current version June 2, 2015. The associate editorcoordinating the review of this manuscript and approving it for publicationwas Prof. Nitesh Saxena.

The authors are with the State Key Laboratory of ComplexElectromagnetic Environment Effects on Electronic and InformationSystem, National University of Defense Technology, Changsha 410073,China (e-mail: [email protected]; [email protected];[email protected]; [email protected]; [email protected]).

Color versions of one or more of the figures in this paper are availableonline at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2015.2416688

of internal/external adversaries, who would maliciously deleteor corrupt users data; on the other hand, the cloud serviceproviders may act dishonestly, attempting to hide data lossor corruption and claiming that the files are still correctlystored in the cloud for reputation or monetary reasons. Thus itmakes great sense for users to implement an efficient protocolto perform periodical verifications of their outsourced data toensure that the cloud indeed maintains their data correctly.

Many mechanisms dealing with the integrity of outsourceddata without a local copy have been proposed under differentsystem and security models up to now. The most signifi-cant work among these studies are the PDP (provable datapossession) model and POR (proof of retrievability) model,which were originally proposed for the single-server scenarioby Ateniese et al. [2] and Juels and Kaliski [3], respectively.Considering that files are usually striped and redundantlystored across multi-servers or multi-clouds, [4][10] exploreintegrity verification schemes suitable for such multi-serversor multi-clouds setting with different redundancy schemes,such as replication, erasure codes, and, more recently,regenerating codes.

In this paper, we focus on the integrity verification prob-lem in regenerating-code-based cloud storage, especiallywith the functional repair strategy [11]. Similar studies havebeen performed by Chen et al. [7] and Chen and Lee [8]separately and independently. [7] extended the single-serverCPOR scheme (private version in [12]) to the regenerating-code-scenario; [8] designed and implemented a data integrityprotection (DIP) scheme for FMSR [13]-based cloud storageand the scheme is adapted to the thin-cloud setting.1 However,both of them are designed for private audit, only the dataowner is allowed to verify the integrity and repair the faultyservers. Considering the large size of the outsourced data andthe users constrained resource capability, the tasks of auditingand reparation in the cloud can be formidable and expensivefor the users [14]. The overhead of using cloud storage shouldbe minimized as much as possible such that a user does notneed to perform too many operations to their outsourced data(in additional to retrieving it) [15]. In particular, users may notwant to go through the complexity in verifying and reparation.The auditing schemes in [7] and [8] imply the problem thatusers need to always stay online, which may impede itsadoption in practice, especially for long-term archival storage.

To fully ensure the data integrity and save the userscomputation resources as well as online burden, we propose

1Indicating that the cloud servers are only provided with the RESTfulinterface.

1556-6013 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

1514 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015

a public auditing scheme for the regenerating-code-basedcloud storage, in which the integrity checking and regeneration(of failed data blocks and authenticators) are implementedby a third-party auditor and a semi-trusted proxy separatelyon behalf of the data owner. Instead of directly adapting theexisting public auditing scheme [12] to the multi-serversetting, we design a novel authenticator, which is moreappropriate for regenerating codes. Besides, we encrypt thecoefficients to protect data privacy against the auditor, whichis more lightweight than applying the proof blind techniquein [14] and [15] and data blind method in [16]. Severalchallenges and threats spontaneously arise in our new systemmodel with a proxy (Section II-C), and security analysis showsthat our scheme works well with these problems. Specifically,our contribution can be summarized by the following aspects:

We design a novel homomorphic authenticator based onBLS signature [17], which can be generated by a coupleof secret keys and verified publicly. Utilizing the linearsubspace of the regenerating codes, the authenticators canbe computed efficiently. Besides, it can be adapted fordata owners equipped with low end computation devices(e.g. Tablet PC etc.) in which they only need to sign thenative blocks.

To the best of our knowledge, our scheme is the first toallow privacy-preserving public auditing for regenerating-code-based cloud storage. The coefficients are maskedby a PRF (Pseudorandom Function) during the Setupphase to avoid leakage of the original data. This methodis lightweight and does not introduce any computationaloverhead to the cloud servers or TPA.

Our scheme completely releases data owners from onlineburden for the regeneration of blocks and authenticatorsat faulty servers and it provides the privilege to a proxyfor the reparation.

Optimization measures are taken to improve the flexibilityand efficiency of our auditing scheme; thus, the storageoverhead of servers, the computational overhead of thedata owner and communication overhead during the auditphase can be effectively reduced.

Our scheme is provable secure under random oraclemodel against adversaries illustrated in Section II-C.Moreover, we make a comparison with the state of theart and experimentally evaluate the performance of ourscheme.

The rest of this paper is organized as follows: Section IIintroduces some preliminaries, the system model, threat model,design goals and formal definition of our auditing scheme.Then we provide the detailed description of our schemein Section III; Section IV analyzes its security and Section Vevaluates its performance. Section VI presents a review of therelated work on the auditing schemes in cloud storage. Finally,we conclude this paper in Section VII.

II. PRELIMINARIES AND PROBLEM STATEMENTA. Notations and Preliminaries

1) Regenerating Codes: Regenerating codes are first intro-duced by Dimakis et al. [18] for distributed storage to

reduce the repair bandwidth. Viewing cloud storage to bea collection of n storage servers, data file F is encodedand stored redundantly across these servers. Then F canbe retrieved by connecting to any k-out-of-n servers, whichis termed the MDS2-property. When data corruption at aserver is detected, the client will contact healthy serversand download bits from each server, thus regener-ating the corrupted blocks without recovering the entireoriginal file. Dimakis et al. [18] showed that the repairbandwidth = can be significantly reduced with k.Furthermore, they analyzed the fundamental tradeoff betweenthe storage cost and the repair bandwidth , thenpresented two extreme and practically relevant points on theoptimal tradeoff curve: the minimum bandwidth regenerat-ing (MBR) point, which represents the operating point withthe least possible repair bandwidth, and the minimum storageregenerating (MSR) point, which corresponds to the leastpossible storage cost on the servers. Denoted by the parametertuple (n, k, , , ), we obtain:

(M S R, M S R) =( |F |

k,

|F |k( k + 1)

)(1)

(M B R, M B R) =(

2|F |2k k2 + k ,

2|F |2k k2 + k

)(2)

Moreover, according to whether the corrupted blocks can beexactly regenerated, there are two versions of repair strategy:exact repair and functional repair [11]. Exact repair strategyrequires the repaired server to store an exact replica ofthe corrupted blocks, while functional repair indicates thatthe newly generated blocks are different from the corruptedones with high probability. As one basis of our work, thefunctional repair regenerating codes are non-systematic anddo not perform as well for read operation as systematic codes,but they really make sense for the scenario in which data repairoccurs much more often than read, such as regulatory storage,data escrow and long-term archival storage [7].

The regenerating codes with functional repair strategycan be achieved using the random network coding.Given a file represented by m blocks {wi }mi=1, with eachwi = (wi1, wi2, . . . , wis ), where wi j s belong to the finitefield G F(2) and are referred to as symbols, the dataowner then generates coded blocks from these native blocks;specifically, m coding coefficients {i }mi=1 are chosen randomlyfrom G F(2) and computed out v = mi=1 i wi , where allalgebraic operations work over G F(2). When the size ofthe finite field G F(2), where the coefficients are drawn, islarge enough, any m coded blocks will be linearly independentwith high probability [19]; thus, the original file can bereconstructed from any m coded blocks by solving a setof m equations. The coded blocks will be distributed acrossn storage servers, with each server storing blocks. Anyk-out-of-n servers can be used to recover the original datafile when the inequality k m is maintained, thus satis-fying the MDS property. When the periodic auditing processdetect data corruption at one server, the repair procedure willcontact servers and obtain blocks from each to regenerate

2Maximum Distance Separable.

LIU et al.: PRIVACY-PRESERVING PUBLIC AUDITING FOR REGENERATING-CODE-BASED CLOUD STORAGE 1515

Fig. 1. An example of functional repair regenerating code with parameters(n = 3, k = 2, = 2, = 2, = 1). The data owner computessix coded blocks as random linear combinations of the native three blocks,and distributes them across three servers. When Server 1 gets corrupted, theproxy contacts the remaining two servers and retrieves one block (obtainedalso by linear combination) from each, then it linearly combines them togenerate two new coded blocks. Finally, the new coded blocks are sent to anew healthy server. The resulting storage system turns out to satisfy the (3, 2)MDS property.

the corrupted blocks. Fig.1 shows an example of functionalrepair regenerating code. The guidelines for choosingparameter tuple (n, k, , , ) can be found in [7] and [18].

2) Linear Subspace From Regenerating Code: Asmentioned above, each coded block represents the linearcombination of m native blocks in the functional repairregenerating code scenario. Thus, we can generate a linearsubspace with dimension m for file F in the followingway [20]:

Before encoding, F is split into m blocks, and the orig-inal m s-dimensional vectors (or blocks indistinguishably){wi G F(p)s}mi=1 are properly augmented as:

wi = (wi1, wi2, . . . , wis ,m

0, . . . , 0, 1 i

, 0, . . . , 0) G F(p)s+m

(3)for each symbol, wi j G F(p). Eq.(3) shows that eachoriginal block wi is appended with the vector of length mcontaining a single 1 in the i th position and is otherwisezero.

Then, the augmented vectors are encoded into n codedblocks. Specifically, they are linearly combined and generatecoded blocks with randomly chosen coefficients i G F(p).

v =m

i=1iwi G F(p)s+m (4)

Obviously, the latter additional m elements in the vector vkeep track of the values of the corresponding blocks, i.e.,

v = (vi1, vi2, . . . , vis data

, 1, . . . , m coe f f icients

) G F(p)s+m (5)

where (vi1, vi2, . . . , vis ) are the data, and the remainingelements indicate the coding coefficients. Notice that theblocks regenerated in the repair phase also meet the formof Eq.(5), thus we can construct a linear subspace V ofm-dimension by spanning the base vectors w1,w2, . . . ,wm ; allvalid coded blocks appended with coding coefficients wouldbelong to subspace V .

Under the construction of linear subspace V , we cangenerate tags for vectors in V efficiently, i.e., we onlyneed to sign the m base vectors in the beginning.

Fig. 2. The system model.

Such a signature scheme can be viewed as similar withsigning on the subspace V [20]. We will further introduce thisprocedure and its better performance in the following section.

3) Bilinear Pairing Map: Let G and GT be multiplicativecyclic groups of the same large prime order p. A bilinearpairing map e : G G GT is a map with the followingproperties:

Bilinear: e(ua, vb) = e(u, v)ab for all u, v G anda, b Zp , this property can be stretch to the multiplica-tive property that e(u1 u2, v) = e(u1, v) e(u2, v) forany u1, u2 G;

Non-degenerate: e(g, g) generates the group GT wheng is generator of group G;

Computability: There exists an efficient algorithm tocompute e(u, v) for all u, v G.

Such a bilinear map e can be constructed by the modifiedWeil [21] or Tate pairings [22] on elliptic curves.

B. System ModelWe consider the auditing system model for Regenerating-

Code-based cloud storage as Fig.2, which involves fourentities: the data owner, who owns large amounts of datafiles to be stored in the cloud; the cloud, which aremanaged by the cloud service provider, provide storage serviceand have significant computational resources; the third partyauditor (TPA), who has expertise and capabilities to conductpublic audits on the coded data in the cloud, the TPA is trustedand its audit result is unbiased for both data owners and cloudservers; and a proxy agent, who is semi-trusted and acts onbehalf of the data owner to regenerate authenticators and datablocks on the failed servers during the repair procedure. Noticethat the data owner is restricted in computational and storageresources compared to other entities and may becomes off-lineeven after the data upload procedure. The proxy, who wouldalways be online, is supposed to be much more powerfulthan the data owner but less than the cloud servers in termsof computation and memory capacity. To save resources aswell as the online burden potentially brought by the periodicauditing and accidental repairing, the data owners resort to


the TPA for integrity verification and delegate the reparationto the proxy.

Compared with the traditional public auditing system model,our system model involves an additional proxy agent. In orderto reveal the rationality of our design and make our followingdescription in Section III to be more clear and concrete,we consider such a reference scenario: A company employsa commercial regenerating-code-based public cloud andprovides long-term archival storage service for its staffs,the staffs are equipped with low end computation devices(e.g., Laptop PC, Tablet PC, etc.) and will be frequentlyoff-line. For public data auditing, the company relies on atrusted third party organization to check the data integrity;Similarly, to release the staffs from heavy online burden fordata and authenticator regeneration, the company supply apowerful workstation (or cluster) as the proxy and provideproxy reparation service for the staffs data.

C. Threat ModelApparently, threat in our scheme comes from the

compromised servers, curious TPA and semi-trusted proxy.In terms of compromised servers, we adopt a mobile

adversary under the multi-servers setting, similar with [5],who can compromise at most n k out of the n servers in anyepoch, subject to the (n, k)-MDS fault tolerance requirement.To avoid creeping-corruption which may lead to the unrecover-able of the stored data, the repair procedure will be triggeredat the end of each epoch once some corruption is detected.There are some differences in our model compared withthe one in [5]: First, the adversary can corrupt not onlythe data blocks but also the coding coefficients storedin the compromised servers; and second, the compromisedserver may act honestly for auditing but maliciously forreparation. We assume that some blocks stored in server Siare corrupted at some time, the adversary may launch thefollowing attacks in order to prevent the auditor from detectingthe corruption:

Replace Attack: The server Si may choose another validand intact pair of data block and authenticator to replacethe corrupted pair, or even simply store the blocksand authenticators at another healthy server Sj , thussuccessfully passing the integrity check.

Replay Attack: The server may generate the proof froman old coded block and corresponding authenticator topass the verification, thus leading to a reduction of dataredundancy to the point that the original data becomesunrecoverable.3

Forge Attack: The server may forge an authenticator formodified data block and deceive the auditor.

Pollution Attack: The server may use correct data to avoiddetection in the audit procedure but provide corrupteddata for repairing; thus the corrupted data may pollute allthe data blocks after several epoches.

With respect to the TPA, we assume it to be honestbut curious. It performs honestly during the whole auditingprocedure but is curious about the data stored in the cloud.

3We refer readers to [7] for the details of such replay attack.

The proxy agent in our system model is assumed to besemi-trusted. It will not collude with the servers but mightattempt to forge authenticators for some specified invalidblocks to pass the following verification.

D. Design GoalsTo correctly and efficiently verify the integrity of data and

keep the stored file available for cloud storage, our proposedauditing scheme should achieve the following properties:

Public Auditability: To allow TPA to verify the intactnessof the data in the cloud on demand without introducingadditional online burden to the data owner.

Storage Soundness: To ensure that the cloud server cannever pass the auditing procedure except when it indeedmanage the owners data intact.

Privacy Preserving: To ensure that neither the auditor northe proxy can derive users data content from the auditingand reparation process.

Authenticator Regeneration: The authenticator of therepaired blocks can be correctly regenerated in theabsence of the data owner.

Error Location: To ensure that the wrong server can bequickly indicated when data corruption is detected.

E. Definitions of Our Auditing SchemeOur auditing scheme consists of three procedures:

Setup, Audit and Repair. Each procedure contains certainpolynomial-time algorithms as follows:

Setup: The data owner maintains this procedure to initializethe auditing scheme.

K eyGen(1) (pk, sk): This polynomial-time algorithmis run by the data owner to initialize its public and secretparameters by taking a security parameter as input.

Degelation(sk) (x): This algorithm represents theinteraction between the data owner and proxy. The data ownerdelivers partial secret key x to the proxy through a secureapproach.

Sig And BlockGen(sk, F) (,, t): This polynomialtime algorithm is run by the data owner and takes the secretparameter sk and the original file F as input, and then outputsa coded block set , an authenticator set and a file tag t .

Audit: The cloud servers and TPA interact with one anotherto take a random sample on the blocks and check the dataintactness in this procedure.

Challenge(Fin f o) (C): This algorithm is performed bythe TPA with the information of the file Fin f o as input and achallenge C as output.

Proof Gen(C,,) (P): This algorithm is run by eachcloud server with input challenge C, coded block set andauthenticator set , then it outputs a proof P .

V eri f y(P, pk, C) (0, 1): This algorithm is run by TPAimmediately after a proof is received. Taking the proof P ,public parameter pk and the corresponding challenge C asinput, it outputs 1 if the verification passed and 0 otherwise.

Repair: In the absence of the data owner, the proxy interactswith the cloud servers during this procedure to repair thewrong server detected by the auditing process.


Fig. 3. The sequence chart of our scheme.

Claim For Rep(Fin f o) (Cr ): This algorithm is similarwith the Challenge() algorithm in the Audit phase, butoutputs a claim for repair Cr .

GenFor Rep(Cr ,,) (B A): The cloud servers runthis algorithm upon receiving the Cr and finally output theblock and authenticators set B A with another two inputs , .

Block And Sig ReGen(Cr, B A) (, ,): The proxyimplements this algorithm with the claim Cr and responsesB A from each server as input, and outputs a new coded blockset and authenticator set if successful, outputting ifotherwise.

The sequence chart of our scheme is shown in Fig.3.

III. THE PROPOSED SCHEMEIn this section we start from an overview of our auditing

scheme, and then describe the main scheme and discuss howto generalize our privacy-preserving public auditing scheme.Furthermore, we illustrate some optimized methods to improveits performance.

A. OverviewAlthough [7], [8] introduced private remote data checking

schemes for regenerating-code-based cloud storage, there arestill some other challenges for us to design a public auditableversion.

First, although a direct extension of the techniquesin [2], [12], and [15] can realize public verifiability inthe multi-servers setting by viewing each block as a setof segments and performing spot checking on them, sucha straightforward method makes the data owner generatetags for all segments independently, thus resulting in highcomputational overhead. Considering that data owners com-monly maintains limited computation and memory capacity,it is quite significant for us to reduce those overheads.Second, unlike cloud storage based on traditional erasurecode or replication, a fixed file layout does not existin the regenerating-code-based cloud storage. During therepair phase, it computes out new blocks, which aretotally different from the faulty ones, with high probability.

Thus, a problem arises when trying to determine how toregenerate authenticators for the repaired blocks. A directsolution, which is adopted in [7], is to make data ownershandle the regeneration. However, this solution is not prac-tical because the data owners will not always remain onlinethrough the life-cycle of their data in the cloud, moretypically, it becomes off-line even after data uploading.Another challenge is brought in by the proxy in our systemmodel (see Section II-C).

The following parts of this section shows our solution tothe problems above. First, we construct a BLS-based [17]authenticator, which consists of two parts for each segmentof coded blocks. Utilizing its homomorphic property and thelinearity relation amongst the coded blocks, the data owner isable to generate those authenticators in a new method, whichis more efficient compared to the straightforward approach.Our authenticator contains the information of encodingcoefficients to avoid data pollution in the reparation withwrong coefficients. To reduce the bandwidth cost during theaudit phase, we perform a batch verification over all blocksat a certain server rather than checking the integrity of eachblock separately as [7] does. Moreover, to make our schemesecure against the replace attack and replay attack, informationabout the indexes of the server, blocks, and segments areall embedded into the authenticator. Besides, our primitivescheme can be easily improved to support privacy-preservingthrough the masking of the coding coefficients witha keyed PRF.

All the algebraic operations in our scheme work over thefield G F(p) of modulo p, where p is a large prime (at least80 bits).4

B. Construction of Our Auditing SchemeConsidering the regenerating-code-based cloud storage with

parameters (n, k, , , ), we assume = 1 for simplicity. LetG and GT be multiplicative cyclic groups of the same largeprime order p, and e : G G GT be a bilinear pairingmap as introduced in the preliminaries. Let g be a generatorof G and H () : {0, 1} G be a secure hash function thatmaps strings uniformly into group G. Table I list the primarynotations and terminologies used in our scheme description.

Setup: The audit scheme related parameters are initializedin this procedure.

K eyGen(1) (pk, sk): The data owner generatesa random signing key pair (spk, ssk), two random elementsx, y R Zp and computes pkx gx, pky gy . Then thesecret parameter is sk = (x, y, ssk) and the public parameteris pk = (pkx, pky, spk).

Delegation(sk) (x): The data owner sends encrypted xto the proxy using the proxys public key, then the proxydecrypts and stores it locally upon receiving.

Sig And BlockGen(sk, F) (,, t): The data owneruniformly chooses a random identifier I D R {0, 1},a random symbol u R G, one set = {w1, w2, . . . wm}

4Analysis in [23] showed that the successful decoding probability for thefunctional repair regenerating code over G F(2) and over G F(p) is similarwhile the two fields have about the same order (e.g., when = 8, p is 257).


TABLE ISOME PRIMARY NOTATIONS IN OUR SCHEME DESCRIPTION

Fig. 4. An example with m = 3 for the Sig And BlockGen() algorithm.

with elements wiR G, and a file tag t =

(I D||u||w1|| . . . ||wm)||Sigssk(I D||u||w1|| . . . ||wm) for F .Sig() means a standard signature scheme. Recall that theoriginal file F is split into m blocks, {wi }mi=1; the clientcomputes and stores n coded blocks amongst n cloud servers.Viewing each segment of the blocks as a single symbol forsimplicity, our signature is generated simultaneously with theencoding process as follows (Fig.4 shows an instance of thisalgorithm with m = 3.):

Augmentation: The data owner properly augments thenative m blocks as Eq.(3).

Signing for Native Blocks: The data owner views thedata parts of the augmented blocks as a set of segments andcomputes authenticator for each segment, i.e.,

joko =(

uw joko m

=1w

w jo(s+)

)y= (uw joko w jo)y (6)

where 1 jo m, 1 ko s. Combination and Aggregation: The data owner randomly

chooses m elements {i j}m=1 from G F(p) to be coefficientsand linearly combines the augmented native blocks to generate

coded blocks vi j (1 i n, 1 j ), as follows:

vi j =m

=1i jw G F(p)s+m (7)

and apparently each symbol can be obtained by

vi j k =m

=1i jwk G F(p) (8)

with 1 k s + m. Then we can get the aggregated tags as:

i j k =m

=1( k )

i j =(

uvi jk m

=1w

i j

)y(9)

with 1 k s. Authenticator Generation: The data owner generates an

authenticator for vi j k as:

i j k = H (I D||i || j ||k)x i j k= H (I D||i || j ||k)x

(uvi jk

m=1

wi j

)y(10)

where the symbols i, j, k denote the index of the server, theindex of the block at a server and the index of a segment ina certain coded block.

Then, authenticator set = {i = {i j k} 1 j1ks

}1in andcoded block set = {i = {vi j }1 j}1in are obtained.Finally the data owner distributes these two sets across n cloudservers, specifically sending {i ,i , t} to server i and deletethem from local storage.

Audit: For each of the n servers, TPA verifies thepossession of coded blocks by randomly checking samplesof segments of every block and performing a batch verification.

Challenge(Fin f o) (C): Taking the information of fileFin f o as input, TPA randomly generates a c-element setQi = {(k , a )}1c for server i (1 i n) with thesampled segment indexes k R [1, s] and correspondingrandomness a R G F(p). Furthermore, to execute abatch auditing, TPA picks another random symbol seti = {a }1 with each a R G F(p). TPA sendsC = {Qi ,i } to the server i .

Proof Gen(C,,) (P): Upon receiving the challengeC = {Qi ,i }, server i first computes

i j =c

=1a vi j k , i j =

c=1

i j ka (11)

for coded block j [1, ] stored on itself, and then itgenerates an aggregated proof using i , i.e.,

i =

j=1a ji j , i =

j=1

i j a j (12)

For the coefficients checking, server i generates m symbolsas

i =

j=1a ji j

c=1

a (13)

where 1 m. Let i = {i1, i2, . . . , im }.


Thus the i th server responds to the TPA with proofP = {i , i ,i , t}.

V eri f y(P, pk, C) (0, 1): Upon receiving a proof Pfrom server i , TPA uses spk to verify the signature on t tocheck whether or not it is the delegated file that needs auditing,retrieves u and = {w1, w2, . . . wm} if successful and abortsif otherwise.

Then, TPA computes:

RH S = e

j=1

c=1

H a j a

i j k , pkx

e (ui , pky) (14)

where Hijk = H (I D||i || j ||k). Finally, TPA verify if thefollowing equation holds:

e

(m

=1w

i , pky

) e (i , g) ?= RH S (15)

if so, output 1; otherwise, output 0. Repair: As previously introduced, the data owner empow-

ers a proxy to take charge of faulty server reparation andmoves off-line once it completes its upload procedure. WhenTPA detects a server corruption, an alert will be sent toproxy and then a repair procedure will be triggered. Moreover,to avoid pollution attack, the blocks downloaded fromservers will be first verified before they are used for blockregeneration. Without loss of generality, we assume that theTPA has identified a certain faulty server .

Claim For Rep(Fin f o) (Cr ): The proxy randomlycontacts healthy servers {i }1. For each serveri {i }1, the proxy draws a coefficient set i ={a }1 with a G F(p). Then it sends claim Cr = {i }to server i .

GenFor Rep(Cr ,,) (B A): When server i receivesthe repair claim Cr , it linearly combines local coded blocksinto one single block and then generates tags for verification:

vi =

j=1a jvi j , ik =

j=1

i j k a j (16)

where (1 k s). Then server i responds with the block andauthenticators set B Ai =

{vi , {ik }1ks

}.

Block And Sig ReGen(Cr, B A) (, ,): Beforeregeneration, the proxy will execute batch verificationfor the received blocks. By viewing each vi as(vi1, . . . , vis , i1, . . . , im ) consulting Eq.(5), the proxyverifies whether the k following equations hold,

e(

i{i }ik , g)

?= e

i{i }

j=1

H a ji j k, pkx

e(

u

i{i } vik , pky)

e(

m=1

w

i{i } i

, pky

)(17)

where 1 k s and Hijk = H (I D||i || j ||k). If verificationfails, which means that some of the servers connected aremalicious for repair, proxy aborts the reparation; otherwise,it continues to generate new coded blocks and authenticators.

Assuming that the repaired coded blocks would be stored ata new added server , the proxy rebuilds blocks as follows:The proxy picks up random coefficients zi

R G F(p) foreach i {i }1 and then computes a linear combination

v j =

i{i }zi vi (18)

and regenerate authenticators for each segment,

j k = T xjk

i{i }(ik )

zi (19)

where 1 j , 1 k s and the transform operatorT j k denotes

T j k = H (I D|||| j ||k)

i{i }

j=1 H (I D||i || j||k)a j zi(20)

Finally, the regenerated block set = {v j }1 j andauthenticator set = { j k} 1ks

1 jare sent to server . Thus,

the repair process is finished.Example Description: To make our contribution easier to

follow, we briefly introduce our above scheme under thereference scenario in Section II-B: The staffs (i.e., cloud users)first generate their public and private keys, and then delegatethe authenticator regeneration to a proxy (a cluster or powerfulworkstation provided by the company) by sharing partialprivate key. After producing encoded blocks andauthenticators, the staffs upload and distribute them tothe cloud servers. Since that the staffs will be frequentlyoff-line, the company employs a trust third party (the TPA)to interact with the cloud and perform periodical verificationon the staffs data blocks in a sampling mode. Once somedata corruption is detected, the proxy is informed, it willact on behalf of the staffs to regenerate the data blocks aswell as corresponding authenticators in a secure approach.So we could see that our scheme guarantees that the staffscan use the regenerating-code-based cloud in a practical andlightweight way, which completely releases the staffs fromonline burden for data auditing and reparation.

Enabling Privacy-Preserving Auditable: The privacyprotection of the owners data can be easily achieved throughintegrating with the random proof blind technique [15] orother technique [9]. However, all these privacy-preservationmethods introduce additional computation overhead to theauditor, who usually needs to audit for many clouds and alarge number of data owners; thus, this could possibly makeit create a performance bottleneck. Therefore, we preferto present a novel method, which is more light-weight,to mitigate private data leakage to the auditor. Notice that ina regenerating-code-based cloud storage, data blocks storedat servers are coded as linear combinations of the originalblocks {wi }mi=1 with random coefficients. Supposing that thecurious TPA has recovered m coded blocks by elaboratelyperforming Challenge-Response procedures and solvingsystems of linear equations [14], the TPA still requies tosolve another group of m linearly independent equationsto derive the m native blocks. We can utilize a keyedpseudorandom function fkey() : {0, 1} K G F(p) to


mask the coding coefficients and thus prevent the TPA fromcorrectly obtaining the original data. Specifically, the dataowner maintains a secret key for f () in the beginning ofthe Setup procedure and augments m original data blocks as

wi = (wi1, wi2, . . . , wis ,m

0, . . . , 0, f (i) i

, 0, . . . , 0) (21)

thus every coded blocks can be represented as

v = (vi1, vi2, . . . , vis datapart

, 1, . . . , m masked

coe f f icients

) G F(p)s+m (22)

where i = f(i) i , i.e., the i th coefficient of a coded blockis masked with f (i). The TPA is unable to recover correctcoding coefficients as the key is kept secret by the dataowner. Without the knowledge of coding coefficients, the TPAcan not retrieve the original data blocks {wi }mi=1 correctly, thusrealizing the privacy-preserve. Specifically, this method alsoguarantees that the proxy can not obtain the private originaldata either.

Apparently, our novel privacy-preserve method can beeasily integrated with the above primitive auditing scheme.We only need to modify the Augmentation step ofSig And BlockGen() as Eq.(21) and leave the rest unchanged.The experiment in Section V-B shows the efficiency of thismethod.

Mitigating the Overhead of Data Owner: Despite that thedata owner has been released from online burden for auditingand repairing, it still makes sense to reduce its computationoverhead in the Setup phase because data owners usuallymaintain very limited computational and memory resources.As previously described, authenticators are generated in a newmethod which can reduce the computational complexity ofthe owner to some extent; however, there exists a much moreefficient method to introduce further reduction.

Considering that there are so many modular exponentarithmetic operations during the authenticator generation, thedata owner can securely delegate part of its computing taskto the proxy in the following way: The data owner firstproperly augments the m native blocks, signs for them asEq.(6), and thus obtains the { joko } 1 jom1kos , then it sends theaugmented native blocks and { joko } to the proxy. Afterreceiving from the data owner, the proxy implements thelast two steps of SigAndBlockGen() and finally generatesentire authenticators i j k for each segment vi j k with secretvalue x . In this way, the data owner can migrate the expen-sive encoding and authenticator generation task to the proxywhile itself maintaining only the first two lightweight steps;thus, the workload of data owner can be greatly mitigated.A detailed analysis will be shown in Section V. Besides,Theorem 4 in Section IV argues that the proxy can not forgevalid authenticators for invalid segments with non-negligibleprobability.

A Tradeoff Between Storage and Communication: In ourauditing scheme described above, we assume that eachsegment contains only one symbol for simplicity and is accom-panied by an authenticator of equal length. This approach gives

a storage overhead twice as much as the length of the datablock (i.e., 2 s |p| bits), and the servers response in eachepoch is (m + 2) |p| bits. As noted in paper [12], we canintroduce a parameter that gives a tradeoff between storageoverhead and response length: By denoting each segment asa collection of symbols and computing an authenticator foreach segment, the server storage overhead can be reduced by afactor of (i.e., (1+ 1 ) s |p|) bits, while the communicationoverhead will be increased to (m + + 1) |p| bits. We omita detailed description of the variant scheme due to spacelimitations.

Detection Probability: The TPA performs random spotchecking on each coded block to improve the efficiency ofour auditing scheme, while still achieving detection of faultyservers with high probability [2]. Supposing that an adversaryis able to corrupt data blocks as well as coefficients at a certainserver with probability p1 and p2 respectively, we can computethe probability of detection as PD = 1(1 p1)c(1 p2)m ,where c denotes the number of segments selected from eachcoded block during each Audit phase. More specifically, ifthe corruption proportion is set to be p1 = 0.5%, p2 = 0.2%,and the system parameter is chosen as m = 15, = 5, thenthe TPA can detect the corrupted server with a probability99% or 95%, where the number of sampled segments c ineach coded block is 185 or 120, respectively.

IV. SECURITY ANALYSISIn this section, we first elaborate on the correctness of

verification in our auditing scheme and then formally eval-uate the security by analyzing its fulfillment of soundness,regeneration-unforgeable and secure guarantee against replayattack.

A. CorrectnessThere are two verification process in our scheme, one for

spot checking during the Audit phase and another for blockintegrity checking during the Repair phase.

Theorem 1: Given a cloud server i storing data blocks iand accompanied authenticators i , TPA is able to correctlyverify its possession of those data blocks during audit phase,and the proxy can correctly check the integrity of downloadedblocks during repair phase.

Proof: Proving the correctness of our auditing scheme isequivalent of proving that Eq.(15) and Eq.(17) is correct. Thecorrectness of Eq.(15) is shown in Appendix A and Eq.(17)in Appendix B.

B. SoundnessFollowing from paper [12], we say that our auditing protocol

is sound if any cheating server that convinces the verificationalgorithm that it is storing the coded blocks and correspondingcoefficients is actually storing them.

Before proving the soundness, we will first show that theauthenticator as Eq.(10) is unforgeable against malicious cloudservers (referred to as adversary in the following definition)under the random oracle model. Similar to the standardnotion of security for a signature scheme [24], we give the


formal definition of security model for our authenticator inDefinition 1.5

Definition 1: Our authenticator as Eq.(10) is existentiallyunforgeable under adaptive chosen message attacks if no PPTadversary has a non-negligible advantage in the followinggame-Game 0:

1. Setup: The challenger runs the KeyGen() algorithmon input 1 and gives the public parameter (pkx , pky) toadversary A.

2. Queries: The challenger maintains the following oracleswhich can be queried by the adversary A:

Hash Oracle(Ohash): provide result of H () for hashqueries.

UW Oracle(Ouw): produce the random parameters u,w(1 m) for signature or forgery.

Sign Oracle(Osign): produce authenticators on adaptivelychosen tuple {I D, i, j, k, vi j k , {i j}m=1}, and return anauthenticator i j k .

3. Output: Eventually, the adversary A produces atuple {I D, i, j, k, v, {}m=1, }, and we say thatA wins the game if Eq.(23) holds while the input tuple{I D, i, j, k, v, {}m=1} was not submitted to the SignOracle Osign .

e( , g) = e (Hi jk , pkx) e(

uv

m=1

w , pky

)(23)

In the following theorem, we will show that our authentica-tor is secure under the CDH (Computational Diffie-Hellman)assumption.

Theorem 2: If the adversary A is able to win Game 0 withnon-negligible advantage after at most qh hash queries andquw UW queries (quw = qh implied by our assumption infootnote 5), then there exist a PPT algorithm S that can solvethe CDH problem with non-negligible probability .6

Proof: See Appendix C. The formal definition of auditing soundness is shown in

Definition 2.Definition 2: Our auditing scheme is sound if no PPT

adversary has a non-negligible advantage in the followinggame-Game 1:

1. Setup: The challenger runs the KeyGen() algorithmon input 1 and gives the public parameter (pkx , pky) toadversary A.

2. Store Query: The adversary A queries store oracle ondata F, the challenger implements the SigAndBlockGen()algorithm of our protocol and returns {i ,i , t} to A.

3. Challenge: For any F on which A previouslymade a store query, the challenger generates a challengeC = {Qi ,i } and requests A to provide a proof of possessionfor the selected segments and corresponding coefficients.

5Notice that in the definition, we modeled the randomness u,w(1 m) as a random oracle Ouw just as Dan Boneh et al. didin [20] (Section 4). Besides, we assume that A is well-behaved that italways queries the oracles Ohash and Ouw before it requests a signaturefor adaptively chosen input tuple, and that it always query the Ohash andOuw before it outputs the forgery [17].

6In this paper we only give a sketch proof due to space limitation, a rigorousversion can be conducted similar with the proof in [17] (Section 4).

4. Forge: Suppose the expected proof P should be{i , i , {i}m=1}, which can pass the verification withEq.(15). However, the adversary A generates a forgery of theproof as P = {i , i , {i}m=1}. If the P can still pass theverification in the following two case:

Case 1: i = i ; Case 2: i = i , but at least one of the following

inequalities should be satisfied: i = i , i = i with1 m;

then adversary A wins this game, otherwise, it fails.Theorem 3: If the authenticator scheme is existentially

unforgeable and adversary A is able to win Game 1 with non-negligible probability , then there exist a PPT algorithm Sthat can solve the CDH problem or DL (Discrete LogarithmProblem) problem with non-negligible probability .

Proof: See Appendix D.

C. Regeneration-UnforgeableNoting that the semi-trusted proxy handles regeneration

of authenticators in our model, we say our authenticator isregeneration-unforgeable if it satisfies the following theorem.

Theorem 4: The adversary (or proxy) can only regeneratea forgery of authenticator for invalid segment from certaincoded block (augmented) and pass the next verification withnegligible probability, except that it implements the Repairprocedure correctly.

Proof: See Appendix E.

D. Resistant to Replay AttackTheorem 5: Our public auditing scheme is resistant to replay

attack mentioned in [7, Appendix B], since the repaired servermaintains identifier which is different with the corruptedserver .

V. EVALUATIONA. Comparison

Table II lists the features of our proposed mechanismand makes a comparison with other remote data checkingschemes [7], [8] for regenerating-coding-based cloud storage.The security parameter is eliminated in the costs estimationfor simplicity. While the previously presented schemesin [7] and [8] are designed for private verification, ours allowsanyone to challenge the servers for data possession whilepreserving the privacy of the original data. Moreover, ourscheme can completely release the owners from online burdencompared with schemes in [7] and [8] where data ownersshould stay online for faulty server reparation. To localize thefaulty server during the audit phase, [8] suggested a traversalmethod and thus demanded many times of auditing operationwith complexity O(Ckn (n k)) before the auditor can pickup the wrong server, while our scheme is able to localize thefaulty server by a one-time auditing procedure.

For the storage overhead of each cloud server, our schemeperforms slightly better than Chen Bos as the servers do notstore the repair tags [7], but computes them on the fly.For communication overhead during the audit phase, both [7]and ours generate aggregated proofs for blocks verification,


TABLE IICOMPARISON OF DIFFERENT AUDIT SCHEMES FOR REGENERATING-CODE-BASED CLOUD STORAGE

thus significantly reducing the bandwidth compared with [8].Besides, the communication cost of our scheme is lowerthan Chen Bos [7] by a factor of , because we generatea single aggregated proof for all blocks at each server,while [7] checks the integrity of each one separately.Nevertheless, the bandwidth cost during the repair procedureof our scheme is higher; this comes from the transmissionof authenticators (total number s) for each segment of theblock generated by a helper server. These authenticators arenot only for verifying the integrity of the received blocks butalso for the regeneration of authenticators for repaired blocks;this type of overhead can be reduced by reducing the numberof authenticators which can be achieved through increasingthe parameter 1.B. Performance Analysis

We focus on evaluating the performance of ourprivacy-preserving public audit scheme during the Setup,Audit and Repair procedure. In our experiments, all the codesare written in C++ language on an OpenSUSE 12.2 Linuxplatform with kernel version 3.4.6-2-desktop and compilerversion g++ 4.7.1. All entities in our prototype (as shownin Fig.2) are represented by PCs with Intel Core i5-24502.5GHz, 8G DDR3 RAM and a 7200 RPM Hitachi 500GSATA drive. The implementation of our algorithms usesopen source PBC (Pairing-Based Cryptography) Libraryversion 0.5.14, GMP version 5.13 and Opensslversion 1.0.1e. The elliptic curve utilized here isBarreto-Naehrig curve [25], with base field size of 160 bitsand embedding degree 12. The security level is chosen tobe 80 bits and thus |p| = 160. All the experimental resultsrepresent the mean of 10 trials. In addition, the choiceof parameters (n, k, , , ) for regenerating codes is inreference [7]. Notice that we only focus on the choice of = 1 and = 1 here, from which similar performanceresults can be easily obtained for other choices of and .

1) Setup Computational Complexity: During the Setupphase, the authenticators are generated in a novel methodinstead of computing an authenticator for each segment ofevery coded block independently (meaning that the file is firstencoded and then authenticator is directly computed for eachsegment as Eq.(10), we call this the straightforward approachhereafter). Fixing the parameters (n = 10, k = 3, = 3, = 3, = 1), we assume that the original data fileis split into m = 6 native blocks and would be encoded

Fig. 5. Time for system setup with different segment number s.

into n = 30 coded blocks. First we evaluate the runningtime of the data owner for auditing system setup. We mainlymeasure the time cost of the block and authenticator generationin this experiment.

Fig.5 compares the running time of setup phase utilizingthree different authenticator generation methods (with variables = 60, 80, 100): the straightforward approach, our primi-tive approach (described in Section III-B Setup) and ourdelegation approach (described in Section III-B MitigatingThe Overhead Of Data Owner). Apparently, all the threeapproaches introduce higher time cost with larger s, asthere are more units need to sign; nevertheless, ours isalways more efficient than the straightforward approach. Thereason is that our primitive generation method decreases thetimes of the time-consuming modular exponent operations tons(m + 1) + 2m compared to the straightforward approach,which requires ns(m + 3) operations totally. However,it is still intensive resource consuming and even unaf-fordable when data owners use resource limited equipment(e.g., Tablet PC et al.) to sign their data blocks and uploadthem. Thus, we introduce another delegation method to solvethis problem. Experimental result shows that our delegationmethod releases the data owner from heavy computationaloverhead; the computational complexity of data owner isreduced to about 1/18 of that with our primitive method, whichmakes our schemes more flexible and practical for low powercloud users.

Moreover, we evaluate the efficiency of ourprivacy-preserving method and the results in Table IIIshow that our design is perfectly lightweight for the dataowner to execute. Because our privacy-preservation methodis implemented only once during the whole life of a usersfile, while the random blind process in [9] and [15] would


TABLE IIICOMPUTATIONAL COST INTRODUCED BY

THE PRIVACY-PRESERVING METHOD

Fig. 6. Time for Audit with different .

be performed in each Audit instance, apparently our schemeis much more efficient and thus we do not experimentallycompare their performance. In addition, [16] introduced asimilar privacy preserve method for their public auditingprotocol. Both their scheme and ours utilize random maskin linear-code-based distributed storage to avoid the auditorgetting enough information for original data retrieve. However,there is one significant difference between the two, i.e., [16]smethod used the PRF to blind the data blocks before theencoding process, while ours choose to mask the codingcoefficients instead. Numberically comparing them, we cansee that they need to execute PRF for s m times and m timesduring the Setup phase, separately. Thus our privacy preservemethod is more efficient and effective than [16].

2) Audit Computational Complexity: Considering that thecloud servers are usually powerful in computing capacity, wefocus on analyzing the computational overhead on the auditorside and omit those on the cloud side. Theoretically, verifica-tion for an aggregated proof requires less pairing operations,which is the most expensive operation compared to modularexponentiations and multiplication, than for separate proofs.To get a complete view of the batching efficiency, we conducttwo timed batch auditing tests, the first is implemented withvariable from 1 to 8, and other parameters are set as n = 10,c = 25, s = 60, k = and m = (k2 + k)/2, while thesecond one maintains the number of spot segment per block cfrom 1 to 25 with fixed n = 10, s = 60, k = 3, m = 6and = 3. Fig.6 and Fig.7 show the time cost of auditing tasksfor a single server, and it can be found that the batch auditingindeed helps reduce the TPAs computational complexity by afactor of approximately .

3) Repair Computational Complexity: The regenerationof the faulty blocks and authenticators is delegated toa proxy in our auditing scheme; we now experimentallyevaluate its performance here. Fixing the parameters asn = 10, k = 3, = 3, = 3 and letting s vary tobe 60, 80 and 100, we measure the running time of threesub-processes: Verification for Repair, Regeneration for Blocksand Regeneration for Authenticators, thus obtaining the results

Fig. 7. Time for Audit with different c.

Fig. 8. Time for Repair with different s.

in Fig.8. Obviously, it takes the proxy much more time toverify the received blocks for repair, less to regenerate theauthenticators, and negligible to regenerate the faulty blocks.This situation occurs mainly because there are a mass ofexpensive pairing operations and less expensive modular expo-nentiations during the verification, thus leading to the mosttime consuming sub-process. In contrast, there are only asymp-totic s(++1) modular exponentiations and s inversionsin a finite group across the authenticator regeneration, and onlys multiplications during the block regeneration. However,the efficiency of the verification can be significantly improvedusing a batch method, where we can randomly choose sweights for each received blocks, aggregate the segments andauthenticators, and then verify them all in one, thus we canavoid applying so many pairing operations.

VI. RELATED WORKThe problem of remote data checking for integrity was first

introduced in [26] and [27]. Then Ateniese et al. [2] andJuels and Kaliski [3] gave rise to the similar notions provabledata possession (PDP) and proof of retrievability (POR),respectively. Ateniese et al. [2] proposed a formal definitionof the PDP model for ensuring possession of files on untrustedstorage, introduced the concept of RSA-based homomorphictags and suggested randomly sampling a few blocks of thefile. In their subsequent work [28], they proposed a dynamicversion of the prior PDP scheme based on MAC, which allowsvery basic block operations with limited functionality butblock insertions. Simultaneously, Erway et al. [29] gave aformal framework for dynamic PDP and provided the firstfully dynamic solution to support provable updates to storeddata using rank-based authenticated skit lists and RSA trees.To improve the efficiency of dynamic PDP, Wang et al. [30]proposed a new method which uses merkle hash tree to supportfully dynamic data.


To release the data owner from online burden forverification, [2] considered the public auditability in the PDPmodel for the first time. However, their variant protocolexposes the linear combination of samples and thus gives nodata privacy guarantee. Then Wang et al. [14], [15] developeda random blind technique to address this problem in theirBLS signature based public auditing scheme. Similarly,Worku et al. [31] introduced another privacy-preservingmethod, which is more efficient since it avoids involving acomputationally intensive pairing operation for the sake of datablinding. Yang and Jia [9] presented a public PDP scheme,where the data privacy is provided through combining thecryptography method with the bilinearity property of bilinearpairing. [16] utilized random mask to blind data blocks inerror-correcting coded data for privacy-preserving auditingwith TPA. Zhu et al. [10] proposed a formal frameworkfor interactive provable data possession (IPDP) and azero-knowledge IPDP solution for private clouds.Their ZK-IPDP protocol supports fully data dynamics,public verifiability and is also privacy-preserving against theverifiers.

Considering that the PDP model does not guaranteethe retrievability of outsourced data, Juels and Kaliski [3]described a POR model, where spot-checking and errorcorrecting codes are used to ensure both possessionand retrievability of data files on remote archive servicesystems. Later, Browers et al. [32] proposed an improvedframework for POR protocols that generalizes Juels work.Dodis et al. [33] also gave a study on different variants of PORwith private auditability. A representative work upon the PORmodel is the CPOR presented by Shacham and Waters [12]with full proofs of security in the security model definedin [3]. They utilize the publicly verifiable homomorphic linearauthenticator built from BLS signatures to achieve publicauditing. However, their approach is not privacy preservingdue to the same reason as [2].

To introduce fault tolerance in practical cloud storage,outsourced data files are commonly striped and redundantlystored across multi-servers or even multi-clouds. It is desiredto design efficient auditing protocols for such settings.Specifically, [4][6] extend those integrity checking schemesfor the single-server setting to the multi-servers settingunder replication and erasure coding respectively. BothChen et al. [7] and Chen and Lee [8] make great effort todesign auditing schemes for regenerating-code-based cloudstorage, which is similar to our contribution except thatours release the data owner from online burden for ver-ification and regeneration. Furthermore, Zhu et al. [10]proposed an efficient construction of cooperative provable datapossession (CPDP) which can be used in multi-clouds,and [9] extend their primitive auditing protocol to supportbatch auditing for both multiple owners and multiple clouds.

VII. CONCLUSIONIn this paper, we propose a public auditing scheme for

the regenerating-code-based cloud storage system, where thedata owners are privileged to delegate TPA for their datavalidity checking. To protect the original data privacy against

the TPA, we randomize the coefficients in the beginning ratherthan applying the blind technique during the auditing process.Considering that the data owner cannot always stay online inpractise, in order to keep the storage available and verifiableafter a malicious corruption, we introduce a semi-trusted proxyinto the system model and provide a privilege for the proxy tohandle the reparation of the coded blocks and authenticators.To better appropriate for the regenerating-code-scenario,we design our authenticator based on the BLS signature.This authenticator can be efficiently generated by the dataowner simultaneously with the encoding procedure. Extensiveanalysis shows that our scheme is provable secure, and the per-formance evaluation shows that our scheme is highly efficientand can be feasibly integrated into a regenerating-code-basedcloud storage system.

APPENDIX ACORRECTNESS OF EQ. (15)

e(i , g2) = e

j=1

a ji j , g2

=

j=1e(i j , g2

)a j

=

j=1e

(c

=1

ai j k , g2

)a j

=

j=1

(e

((c

=1H a

j

)x, g2

))a j

j=1e

u

c=1

a vi jk

y

, g2

a j

j=1e

(m

=1w

i j

)y c=1

a, g2

a j

=

j=1

(e

(c

=1H a

j , pkx

))a j

j=1e(ui j , pky

)a j

j=1e

(m

=1w

i j

) c=1

a, pky

a j

= e

j=1

c=1

H a a j

j , pkx

e

u

j=1

a j i j, pky

e

m=1

w

j=1

a ji jc

=1a

, pky

= e

j=1

c=1

H a a j

j , pkx

e (ui , pky)

e(

m=1

wi , pky

)


thus we get

e

(m

=1w

i , pky

) e (i , g2) = RH S.

APPENDIX BCORRECTNESS OF EQ. (17)

e(ik , g2) = e

j=1i j k a j , g2

= e

j=1

(H xi jk

(uvi jk

m=1

wi j

)y)a j, g2

= e

j=1H xa ji j k , g2

e

uy

j=1

a jvi jk, g2

e

m=1

w

y

j=1a j i j

, g2

= e

j=1H a ji j k, pkx

e (u vik , pky)

e(

m=1

wi , pky

)

Obviously we can easily get:

e

i{i }ik , g2

= e

i{i }

j=1

H a ji j k, pkx

e(

u

i{i } vik , pky)

e(

m=1

w

i{i } i

, pky

).

APPENDIX CPROOF OF THEOREM 2

Given g, gx , gy G, the algorithm S maintains the chal-lenger in Game 0 and interacts with adversary A as follows:

Setup: S runs the KeyGen() algorithm on input 1 and givesthe public parameter (pkx , pky) to adversary A.

Queries: S operates the oracles as follows. Hash Oracle(Ohash): For each query with input tuple

{I D, i, j, k}, if it has already been queried, the oraclereturns Hijk . If this query is a new one, S guesseswhether this current query is for forgery or not, if so,it sets Hijk = gy , otherwise sets Hijk = gi jk withi j k

R G F(p). UW Oracle(Ouw): For each query for u, w(1

m) with input {I D, i, j, k, vi j k , {i j}m=1} ,if this tuple has been queried, returns correspond-ing u, w(1 m). Otherwise, S randomlychooses r, r G F(p), 1 m, and guesses whetherthis current query is for forgery or not, if so, S setsu = (gx)r , w = (gx)r (1 m), if not, S setsu = (g )r , w = (g )r (1 m) with R G F(p).

Sign Oracle(Osign): For each input {pkx, pky} andtuple {I D, i, j, k, vi j k , {i j}m=1}, S outputs thei j k = (gi jk )x ((g )rvi jk +

m=0 ri j )y by querying the

Ohash and Ouw .Output: Eventually, the adversary A outputs a result tuple

{I D, i, j, k, v, {}m=1, }, if Eq.(23) holds while theinput tuple {I D, i, j, k, v, {}m=1} was not submittedto the Sign Oracle Osign , A wins Game 0 and S declaressuccess, otherwise A loses Game 0 and S aborts.

If S declares success, she obtains =(gy)x((gx)rv

+m=1 r)y = (gxy)1+rv+m

=0 r.

Thus the proposed CDH problem can be solved asgxy = ( )

11+rv+m=0 r

.

The probability that S guesses the forged input tuple is morethan 1/qh , then S can solve the CDH problem with probability /qh which is non-negligible.

APPENDIX DPROOF OF THEOREM 3

The authenticator in our auditing mechanism is existentiallyunforgeable as Theorem 2 shows.

Treating the cloud server i as an adversary A, we let Smaintain the challenger and simulate the environment foreach auditing instance. Our proof follows from [12] with onemodification that we introduce a stronger adversary, who cannot only obtain the public parameters but also can retrieve theratio y/x from the environment. Obviously, if an adversarywith the value y/x cannot forge a proof under our scheme,the auditing proof is unforgeable for a common adversary asdefined in [12].

Initially, the challenger/simulator S sets pkx = gx,pky = gy as public keys, meaning that it does not know thecorresponding secret keys x, y. However, we assume that Sknows the ratio value y/x as mentioned above.

For each k in the Qi = {(k , a )} of a challenge, thesimulator S randomly chooses rk R G F(p), sets u = g hand w = gh with each , , , R G F(p). ThenS programs the random oracle at k as

H (I D||i || j ||k)= g

rk

(g vi jk+m

=1 i j hvi jk +m

=1 i j )y/x(1)

and computes i j k as

i j k = H (I D||i || j ||k)x(

uvi jkm

=1w

i j

)y

=(

grk

(g vi jk+m

=1 i j hvi jk +m

=1 i j )y/x

)x

(

g vi jk+m

=1 i j hvi jk+m

=1 i j)y

= (gx)rk (2)Assuming that the adversary A wins Game 1, we will show

that the simulator can solve the CDH problem or DL problemin the following cases:


Case 1 ( i = i ): In this case, the simulator is given inputvalues g, gy, h G, and its goal is to output hy .

We know that the expected proof satisfies the verificationequation:

e (i , g) = e

j=1

c=1

H a j a

j , pkx

e (ui , pky) e(

m=1

wi , pky

)(3)

and the forged proof can also pass the verification as

e( i , g

) = e

j=1

c=1

H a j a

j , pkx

e(

ui , pky

) e

(m

=1w

i , pky

)(4)

Obviously, equations i = i , i = i(1 m)cannot be satisfied simultaneously, otherwise contradicts ourassumption i = i . Therefore, we define i = i i andi = i i(1 m), it must be the case that at leastone of {i ,i} is nonzero.

Now we divide Eq.(4) by Eq.(3) and obtain

e( i

1i , g

)= e (ui , pky) e

(m

=1w

i , pky

)

= e(

uim

=1w

i , pky

)

= e((g h )i

m=1

(gh )i , pky

)

(5)Rearranging terms yields

e( i

1i pk

(i+m=1 i)y , g

)

= e (hy, g)i +m=1 i (6)From the property of bilinear pairing map, it is clear that

the simulator solves the CDH problem

hy =( i

1i pk

(i+m=1 i)y

) 1i +

m=1 i (7)

unless the denominator i + m=1 i equals to zero.Notice that not all of the set {i ,i} can be zero, andthe value , i are chosen by the challenger and hidden fromthe adversary, so the denominator is zero with a negligibleprobability 1/p.

Thus, if the adversary can win Game 1 with non-negligibleprobability , the simulator is able to solve the CDH problemwith probability = (11/p) which is also non-negligible.

Case 2: i = i , but at least one of the followinginequalities should be satisfied: i = i , i = i with1 m.

Given g, h G as input in this case, the simulator aims tooutput such that h = g .

Similar with notations above, we define i = i i andi = ii(1 m), and at least one of {i ,i}is nonzero. Now we have

e (i , g) = e( i , g

)

e

(ui

m=1

wi , pky

)= e

(u

i

m=1

wi , pky

)

1 = uim

=1w

i

1 = (g h )i (m

=1(gh )i )

obviously the simulator gets the solution of DL problemh = g with

= i +m

=1 ii + m=1 i (8)

Analyzing similar with above, we see the denominator iszero with a negligible probability 1/p since the prime p islarge enough. Then the simulator can solve the DL problemwith non-negligible probability = (1 1/p).

APPENDIX EPROOF OF THEOREM 4

As mentioned in Section II-A, any non-zero vectorv G F(p)s+m does not belong to the linear subspace Vspanned by base vectors {wi }mi=1 is invalid, and will resultin data unrecoverable in the regenerating-code-based cloudstorage after a series of epoches.

Without loss of generality, we assume that each segmentcontains symbols. By viewing the kth segment of codedblock v as a vector vk = (vk1, vk2, . . . vk ) G F(p) andappending it with m corresponding coefficients, we can get theaugment vector vk = (vk1, . . . vk , k1, . . . km) G F(p)+m .Denoting Vs to be the linear subspace spanned by m basevectors, each base vector is obtained by properly augmentingthe kth segment of one native vectors wi . Similarly withpreviously described, any vector vk belonging to subspaceVs is valid, otherwise invalid. Extended from Eq.(10) (in themain body of this paper), we can easily get the authenticatorfor the kth segment as

k = H (I D|| . . .)x

=1uvk

m=1

wk

y

(9)

Since that the proxy owns the secret value x , the proof ofTheorem 4 is equivalent to the unforgeability of the tag in thefollowing equation for invalid segment vk without knowledgeof key y.

k =

=1uvk

m=1

wk

y

(10)

Viewing each w as the output of an independent hashfunction Hw(I D||) (also modeled as a random oracle as


Boneh et al. [20] does), we get

k =

=1uvk

m=1

Hw(I D||)k

y

(11)

which is identical to NC S1 signature scheme presented in [20].In [20, Th. 6], Boneh et al. proved that NC S1 signaturescheme is secure against forgery under random oracle model.That is, it is computational infeasible for an adversary togenerate a valid signature for any vectors not belonging tothe subspace Vs .

Consequently, we get that the proxy can not forge a valid kfor an invalid segment v k with non-negligible probability inour proposed scheme.

REFERENCES[1] M. Armbrust et al., Above the clouds: A Berkeley view of cloud

computing, Dept. Elect. Eng. Comput. Sci., Univ. California, Berkeley,CA, USA, Tech. Rep. UCB/EECS-2009-28, 2009.

[2] G. Ateniese et al., Provable data possession at untrusted stores, inProc. 14th ACM Conf. Comput. Commun. Secur. (CCS), New York, NY,USA, 2007, pp. 598609.

[3] A. Juels and B. S. Kaliski, Jr., PORs: Proofs of retrievability forlarge files, in Proc. 14th ACM Conf. Comput. Commun. Secur., 2007,pp. 584597.

[4] R. Curtmola, O. Khan, R. Burns, and G. Ateniese, MR-PDP:Multiple-replica provable data possession, in Proc. 28th Int. Conf.Distrib. Comput. Syst. (ICDCS), Jun. 2008, pp. 411420.

[5] K. D. Bowers, A. Juels, and A. Oprea, HAIL: A high-availability andintegrity layer for cloud storage, in Proc. 16th ACM Conf. Comput.Commun. Secur., 2009, pp. 187198.

[6] J. He, Y. Zhang, G. Huang, Y. Shi, and J. Cao, Distributed datapossession checking for securing multiple replicas in geographically-dispersed clouds, J. Comput. Syst. Sci., vol. 78, no. 5, pp. 13451358,2012.

[7] B. Chen, R. Curtmola, G. Ateniese, and R. Burns, Remote datachecking for network coding-based distributed storage systems, in Proc.ACM Workshop Cloud Comput. Secur. Workshop, 2010, pp. 3142.

[8] H. C. H. Chen and P. P. C. Lee, Enabling data integrity protection inregenerating-coding-based cloud storage: Theory and implementation,IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 2, pp. 407416,Feb. 2014.

[9] K. Yang and X. Jia, An efficient and secure dynamic auditing protocolfor data storage in cloud computing, IEEE Trans. Parallel Distrib. Syst.,vol. 24, no. 9, pp. 17171726, Sep. 2013.

[10] Y. Zhu, H. Hu, G.-J. Ahn, and M. Yu, Cooperative provable datapossession for integrity verification in multicloud storage, IEEE Trans.Parallel Distrib. Syst., vol. 23, no. 12, pp. 22312244, Dec. 2012.

[11] A. G. Dimakis, K. Ramchandran, Y. Wu, and C. Suh, A survey onnetwork codes for distributed storage, Proc. IEEE, vol. 99, no. 3,pp. 476489, Mar. 2011.

[12] H. Shacham and B. Waters, Compact proofs of retrievability, inAdvances in Cryptology. Berlin, Germany: Springer-Verlag, 2008,pp. 90107.

[13] Y. Hu, H. C. H. Chen, P. P. C. Lee, and Y. Tang, NCCloud: Applyingnetwork coding for the storage repair in a cloud-of-clouds, in Proc.USENIX FAST, 2012, p. 21.

[14] C. Wang, Q. Wang, K. Ren, and W. Lou, Privacy-preserving publicauditing for data storage security in cloud computing, in Proc. IEEEINFOCOM, Mar. 2010, pp. 19.

[15] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou,Privacy-preserving public auditing for secure cloud storage, IEEETrans. Comput., vol. 62, no. 2, pp. 362375, Feb. 2013.

[16] C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou, Toward secure anddependable storage services in cloud computing, IEEE Trans. ServiceComput., vol. 5, no. 2, pp. 220232, Apr./Jun. 2012.

[17] D. Boneh, B. Lynn, and H. Shacham, Short signatures from the Weilpairing, J. Cryptol., vol. 17, no. 4, pp. 297319, 2004.

[18] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, andK. Ramchandran, Network coding for distributed storage systems,IEEE Trans. Inf. Theory, vol. 56, no. 9, pp. 45394551, Sep. 2010.

[19] T. Ho et al., A random linear network coding approach to multicast,IEEE Trans. Inf. Theory, vol. 52, no. 10, pp. 44134430, Oct. 2006.

[20] D. Boneh, D. Freeman, J. Katz, and B. Waters, Signing a linearsubspace: Signature schemes for network coding, in Public KeyCryptography. Berlin, Germany: Springer-Verlag, 2009, pp. 6887.

[21] D. Boneh and M. Franklin, Identity-based encryption from the Weilpairing, in Advances in Cryptology. Berlin, Germany: Springer-Verlag,2001, pp. 213229.

[22] A. Miyaji, M. Nakabayashi, and S. Takano, New explicit conditions ofelliptic curve traces for FR-reduction, IEICE Trans. Fundam. Electron.,Commun., Comput. Sci., vol. E84-A, no. 5, pp. 12341243, 2001.

[23] R. Gennaro, J. Katz, H. Krawczyk, and T. Rabin, Secure networkcoding over the integers, in Public Key Cryptography. Berlin, Germany:Springer-Verlag, 2010, pp. 142160.

[24] S. Goldwasser, S. Micali, and R. L. Rivest, A digital signature schemesecure against adaptive chosen-message attacks, SIAM J. Comput.,vol. 17, no. 2, pp. 281308, 1988.

[25] P. S. L. M. Barreto and M. Naehrig, Pairing-friendly elliptic curvesof prime order, in Selected Areas in Cryptography. Berlin, Germany:Springer-Verlag, 2006, pp. 319331.

[26] Y. Deswarte, J.-J. Quisquater, and A. Sadane, Remote integritychecking, in Integrity and Internal Control in Information Systems VI.Berlin, Germany: Springer-Verlag, 2004, pp. 111.

[27] D. L. G. Filho and P. S. L. M. Barreto, Demonstrating data posses-sion and uncheatable data transfer, Cryptology ePrint Archive, Tech.Rep. 2006/150, 2006. [Online]. Available: http://eprint.iacr.org/

[28] G. Ateniese, R. Di Pietro, L. V. Mancini, and G. Tsudik, Scalable andefficient provable data possession, in Proc. 4th Int. Conf. Secur. PrivacyCommun. Netw., 2008, Art. ID 9.

[29] C. Erway, A. Kp, C. Papamanthou, and R. Tamassia, Dynamicprovable data possession, in Proc. 16th ACM Conf. Comput. Commun.Secur., 2009, pp. 213222.

[30] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, Enablingpublic verifiability and data dynamics for storage security in cloudcomputing, in Computer Security. Berlin, Germany: Springer-Verlag,2009, pp. 355370.

[31] S. G. Worku, C. Xu, J. Zhao, and X. He, Secure and efficient privacy-preserving public auditing scheme for cloud storage, Comput. Elect.Eng., vol. 40, no. 5, pp. 17031713, 2013.

[32] K. D. Bowers, A. Juels, and A. Oprea, Proofs of retrievability: Theoryand implementation, in Proc. ACM Workshop Cloud Comput. Secur.,2009, pp. 4354.

[33] Y. Dodis, S. Vadhan, and D. Wichs, Proofs of retrievability viahardness amplification, in Theory of Cryptography. Berlin, Germany:Springer-Verlag, 2009, pp. 109127.

Jian Liu received the bachelors and mastersdegrees from the National University of DefenseTechnology, in 2009 and 2011, respectively, wherehe is currently pursuing the Ph.D. degree with theState Key Laboratory of Complex ElectromagneticEnvironment Effects on Electronics and InformationSystem. His research interests include secure storageand computation outsourcing in cloud computing,and security of distributed systems.

Kun Huang received the bachelors and mastersdegrees from the National University of DefenseTechnology, in 2010 and 2012, respectively, wherehe is currently pursuing the Ph.D. degree withthe State Key Laboratory of Complex Electromag-netic Environment Effects on Electronics and Infor-mation System and is currently studying abroadwith the University of Melbourne with advisorProf. U. Parampalli. His research interests includeapplied cryptography, network encoding, and cloudcomputing.


Hong Rong received the bachelors degree from theSouth China University of Technology, in 2011, andthe masters degree from the National University ofDefense Technology, in 2013, where he is currentlypursuing the Ph.D. degree with the State Key Lab-oratory of Complex Electromagnetic EnvironmentEffects on Electronics and Information System. Hisresearch interests include privacy preservation of bigdata, cloud computing, and virtualization.

Huimei Wang received the bachelors degree fromSouthwest Jiaotong University, in 2004, and themasters and Ph.D. degrees in information and com-munication engineering from the National Universityof Defense Technology, in 2007 and 2012, respec-tively. She is currently with the State Key Laboratoryof Complex Electromagnetic Environment Effectson Electronics and Information System, NationalUniversity of Defense Technology, as a Lecturer. Herresearch interests include network security, cloudcomputing, and distributed systems.

Ming Xian received the bachelors, masters, andPh.D. degrees from the National University ofDefense Technology, in 1991, 1995, and 1998,respectively. He is currently a Professor with theState Key Laboratory of Complex ElectromagneticEnvironment Effects on Electronics and InformationSystem, National University of Defense Technology.His research focus on cryptography and informa-tion security, cloud computing, distributed systems,wireless sensor network and system modeling, andsimulation and evaluation.

/ColorImageDict > /JPEG2000ColorACSImageDict > /JPEG2000ColorImageDict > /AntiAliasGrayImages false /CropGrayImages true /GrayImageMinResolution 150 /GrayImageMinResolutionPolicy /OK /DownsampleGrayImages true /GrayImageDownsampleType /Bicubic /GrayImageResolution 600 /GrayImageDepth -1 /GrayImageMinDownsampleDepth 2 /GrayImageDownsampleThreshold 1.50000 /EncodeGrayImages true /GrayImageFilter /DCTEncode /AutoFilterGrayImages false /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict > /GrayImageDict > /JPEG2000GrayACSImageDict > /JPEG2000GrayImageDict > /AntiAliasMonoImages false /CropMonoImages true /MonoImageMinResolution 400 /MonoImageMinResolutionPolicy /OK /DownsampleMonoImages true /MonoImageDownsampleType /Bicubic /MonoImageResolution 1200 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.50000 /EncodeMonoImages true /MonoImageFilter /CCITTFaxEncode /MonoImageDict > /AllowPSXObjects false /CheckCompliance [ /None ] /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile (None) /PDFXOutputConditionIdentifier () /PDFXOutputCondition () /PDFXRegistryName () /PDFXTrapped /False

/Description >>> setdistillerparams> setpagedevice

Privacy-Preserving Public Auditing for Regenerating-Code-Based Cloud Storage

Documents

Transcript of Privacy-Preserving Public Auditing for Regenerating-Code-Based Cloud Storage