Академический Документы
Профессиональный Документы
Культура Документы
7, JULY 2015
1513
I. I NTRODUCTION
1556-6013 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
1514
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015
1515
wi = (w i1 , w i2 , . . . , w is , 0, . . . , 0, 1, 0, . . . , 0) G F( p)s+m
i
(3)
for each symbol, wi j G F( p). Eq.(3) shows that each
original block wi is appended with the vector of length m
containing a single 1 in the i th position and is otherwise
zero.
Then, the augmented vectors are encoded into n coded
blocks. Specifically, they are linearly combined and generate
coded blocks with randomly chosen coefficients i G F( p).
v=
i wi G F( p)s+m
(4)
i=1
(5)
coe f f icient s
Fig. 2.
1516
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015
Fig. 3.
1517
1518
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015
TABLE I
S OME P RIMARY N OTATIONS IN O UR S CHEME D ESCRIPTION
i j w G F( p)s+m
(7)
=1
i j w k G F( p)
(8)
=1
m
m
i j
i j
vi j k
(k )
= u
w
(9)
i j k =
=1
=1
with 1 k s.
Authenticator Generation: The data owner generates an
authenticator for v i j k as:
i j k = H (I D||i || j ||k)x ij k
= H (I D||i || j ||k)
vi j k
m
=1
Fig. 4.
with elements wi
m
y
w jo (s+)
w jo ko
w
= u w jo ko w jo
(6)
jo ko = u
=1
where 1 jo m, 1 ko s.
Combination and Aggregation: The data owner randomly
chooses m elements {i j }m
=1 from G F( p) to be coefficients
and linearly combines the augmented native blocks to generate
wi j
y
(10)
c
=1
a v i j k , i j =
c
=1
i j k a
(11)
a j i j , i =
j =1
i j a j
(12)
j =1
i =
j =1
a j i j
c
=1
(13)
a a
RH S = e
(14)
Hi j kj , pk x e u i , pk y
j =1 =1
m
?
i
w , pk y e (i , g) = R H S
(15)
e
=1
a j vi j ,
ik =
j =1
i j k a j
(16)
j =1
aj
?
e(
ik , g) = e
Hi j k , pk x
i{i }
i{i } j =1
v
e u i{i } ik , pk y
m
i
i{i }
e
w
, pk y
(17)
=1
1519
(19)
i{i }
j =1 H (I D||i || j ||k)
i{i }
T jk =
(20)
1520
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015
mask the coding coefficients and thus prevent the TPA from
correctly obtaining the original data. Specifically, the data
owner maintains a secret key for f () in the beginning of
the Setup procedure and augments m original data blocks as
m
wi = (w i1 , w i2 , . . . , w is , 0, . . . , 0, f (i ), 0, . . . , 0)
(21)
(22)
masked
coe f f icients
tuple {I D , i, j , k , v , { }m
=1 , }, and we say that
A wins the game if Eq.(23) holds while the input tuple
{I D , i, j , k , v , { }m
=1 } was not submitted to the Sign
Oracle Osign .
(23)
e( , g) = e Hi j k , pk x e u v
w , pk y
=1
In the following theorem, we will show that our authenticator is secure under the CDH (Computational Diffie-Hellman)
assumption.
Theorem 2: If the adversary A is able to win Game 0 with
non-negligible advantage after at most qh hash queries and
quw UW queries (quw = qh implied by our assumption in
footnote 5), then there exist a PPT algorithm S that can solve
the CDH problem with non-negligible probability .6
Proof: See Appendix C.
The formal definition of auditing soundness is shown in
Definition 2.
Definition 2: Our auditing scheme is sound if no PPT
adversary has a non-negligible advantage in the following
game-Game 1:
1. Setup: The challenger runs the KeyGen() algorithm
on input 1 and gives the public parameter ( pk x , pk y ) to
adversary A.
2. Store Query: The adversary A queries store oracle on
data F , the challenger implements the SigAndBlockGen()
algorithm of our protocol and returns { i ,
i , t} to A.
3. Challenge: For any F on which A previously
made a store query, the challenger generates a challenge
C = {Q i , i } and requests A to provide a proof of possession
for the selected segments and corresponding coefficients.
5 Notice that in the definition, we modeled the randomness u,
w (1 m) as a random oracle Ouw just as Dan Boneh et al. did
in [20] (Section 4). Besides, we assume that A is well-behaved that it
always queries the oracles Ohash and Ouw before it requests a signature
for adaptively chosen input tuple, and that it always query the Ohash and
Ouw before it outputs the forgery [17].
6 In this paper we only give a sketch proof due to space limitation, a rigorous
version can be conducted similar with the proof in [17] (Section 4).
1521
1522
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015
TABLE II
C OMPARISON OF D IFFERENT AUDIT S CHEMES FOR R EGENERATING -C ODE -BASED C LOUD S TORAGE
Fig. 5.
1523
TABLE III
C OMPUTATIONAL C OST I NTRODUCED BY
THE
Fig. 6.
Fig. 7.
Fig. 8.
1524
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015
aj
e(i , g2 ) = e
i j , g2
j =1
a
=
e i j , g2 j
j =1
=
=
a
i jk , g2
j =1
=1
j =1
=1
c
e u =1
a
H j
a j
a j
, g2
a v i j k
a j
, g2
j =1
a j
c
y
m
a
=1
e
wi j
, g2
j =1
j =1
j =1
j =1
= e
=1
c
=1
=1
m
=1
H j , pk x e u j =1
j =1
a j i j
a a j
c
=1
a j i j
, pk y
H j , pk x e u i , pk y
a a j
j =1 =1
m
wi ,
=1
pk x
a j
m
a
i j =1
e
w
, pk y
= e
a j
a
e u i j , pk y j
j =1 =1
a
H j ,
pk y
, pk y
thus we get
=1
j =1
y a j
i
j
= e
w
, g2
Hixj k u v i j k
= e
j =1
xa
= e
e
=1
Hi j k j , g2 e u
j =1
=1
j =1
=1
j =1
a j vi j k
, g2
pk x e u
v ik
, pk y
pk y
aj
ik , g2 = e
Hi j k , pk x
e
i{i }
1
m
i{i } j =1
v
e u i{i } ik , pk y
m
i
i{i }
w
, pk y .
e
=1
A PPENDIX C
P ROOF OF T HEOREM 2
Given g, g x , g y G, the algorithm S maintains the challenger in Game 0 and interacts with adversary A as follows:
Setup: S runs the KeyGen() algorithm on input 1 and gives
the public parameter ( pk x , pk y ) to adversary A.
Queries: S operates the oracles as follows.
Hash Oracle(Ohash ): For each query with input tuple
{I D, i, j, k}, if it has already been queried, the oracle
returns Hi j k . If this query is a new one, S guesses
whether this current query is for forgery or not, if so,
it sets Hi j k = g y , otherwise sets Hi j k = g i j k with
G F( p).
i j k
UW Oracle(Ouw ): For each query for u, w (1
m) with input {I D, i, j, k, v i j k , {i j }m
=1 } ,
if this tuple has been queried, returns corresponding u, w (1 m). Otherwise, S randomly
chooses r, r G F( p), 1 m, and guesses whether
this current query is for forgery or not, if so, S sets
u = (g x )r , w = (g x )r (1 m), if not, S sets
R
G F( p).
u = (g )r , w = (g )r (1 m) with
m
(g v i j k + =1 i j
and computes i j k as
g rk
m
=1
m
h vi j k +
i j k = H (I D||i || j ||k)x u v i j k
g x y = ( ) 1+rv + =0 r .
The probability that S guesses the forged input tuple is more
than 1/qh , then S can solve the CDH problem with probability
/qh which is non-negligible.
A PPENDIX D
P ROOF OF T HEOREM 3
wi ,
{I D , i, j , k , v , { }m
=1 , }, if Eq.(23) holds while the
input tuple {I D , i, j , k , v , { }m
=1 } was not submitted
to the Sign Oracle Osign , A wins Game 0 and S declares
success, otherwise A loses Game 0 and S aborts.
=
If S declares
success, she obtains
+m r y
+m r
rv
1+rv
y
x
x
x
y
=1 )
=0 .
(g ) ((g )
=
(g )
Thus the proposed CDH problem can be solved as
, g2
a
Hi j kj ,
j =1m
a j i j
, pk y e (i , g2 ) = R H S.
A PPENDIX B
C ORRECTNESS OF E Q . (17)
e(
ik , g2 ) = e
i j k a j , g2
1525
m
g rk
=1 i j
wi j
(1)
) y/x
y
x
m
(g v i j k + =1 i j h v i j k + =1 i j ) y/x
y
m
m
g v i j k + =1 i j h v i j k + =1 i j
= (g x )rk
(2)
1526
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015
Case 1 (i
= i ): In this case, the simulator is given input
values g, g y , h G, and its goal is to output h y .
We know that the expected proof satisfies the verification
equation:
a a
e (i , g) = e
H j , pk x
j
j =1 =1
e u i , pk y e
=1
=1
wi , pk y
(3)
m
e u i , pk y e
wi , pk y
(4)
i , i
Obviously, equations
=
= i (1 m)
cannot be satisfied simultaneously, otherwise contradicts our
assumption i
= i . Therefore, we define i = i i and
(1 m), it must be the case that at least
i = i
i
one of {i , i } is nonzero.
Now we divide Eq.(4) by Eq.(3) and obtain
m
1
i
i
e i i , g = e u
, pk y e
w , pk y
= e u i
m
=1
=1
i
= e (g h )
i
, pk y
i
(g h )
, pk y
=1
(5)
Rearranging terms yields
( i + m
=1 i )
e i i1 pk y
,g
i +m=1 i
= e hy, g
i
(g h )i )
=1
=1
i
1 = u i
1 = (g h )i (
=1
=1
c
a j a
e i , g = e
H
, pk x
j =1 =1
m
m
i
i
i
i
w , pk y = e u
w , pk y
e u
(6)
m
u v k
wk
(9)
k = H (I D|| . . .)x
=1
=1
Since that the proxy owns the secret value x, the proof of
Theorem 4 is equivalent to the unforgeability of the tag in the
following equation for invalid segment v k without knowledge
of key y.
k =
u v k
wk
(10)
=1
=1
m
k =
u v k
Hw (I D||)k
=1
(11)
=1
1527
1528
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 7, JULY 2015