Identity-Based Data Outsourcing With Comprehensive Auditing in Clouds PDF

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2646913, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON XXX, VOL. XX, NO. XX, XXXX 201X 1
Identity-Based Data Outsourcing with

Comprehensive Auditing in Clouds
Yujue Wang, Qianhong Wu, Member, IEEE, Bo Qin, Wenchang Shi
Robert H. Deng, Fellow, IEEE, Jiankun Hu
Abstract—Cloud storage system provides facilitative file storage and sharing services for distributed clients. To address integrity,
controllable outsourcing and origin auditing concerns on outsourced files, we propose an identity-based data outsourcing (IBDO)
scheme equipped with desirable features advantageous over existing proposals in securing outsourced data. First, our IBDO scheme
allows a user to authorize dedicated proxies to upload data to the cloud storage server on her behalf, e.g., a company may authorize
some employees to upload files to the company’s cloud account in a controlled way. The proxies are identified and authorized with their
recognizable identities, which eliminates complicated certificate management in usual secure distributed computing systems. Second,
our IBDO scheme facilitates comprehensive auditing, i.e., our scheme not only permits regular integrity auditing as in existing schemes
for securing outsourced data, but also allows to audit the information on data origin, type and consistence of outsourced files. Security
analysis and experimental evaluation indicate that our IBDO scheme provides strong security with desirable efficiency.
Index Terms—Cloud storage, Data outsourcing, Proof of storage, Remote integrity proof, Public auditing.
1 I NTRODUCTION
C LOUD platform provides powerful storage services to

individuals and organizations [1]. It brings great bene-
fits of allowing on-the-move access to the outsourced files,
communication overheads and computation costs. If some
part of the file has been altered or deleted, for example,
due to random hardware failures, the cloud storage server
simultaneously relieves file-owners from complicated local would not be able to prove the data integrity to convince
storage management and maintenance [2]. However, some the clients.
security concerns may impede users to use cloud storage. We observe two critical issues not well addressed in
Among them, the integrity of outsourced files is considered existing proposals. First, most schemes lack a controlled way
as a main obstacle [3], since the users will lose physical con- of delegatable outsourcing. One may note that many cloud
trol of their files after outsourced to a cloud storage server storage systems (e.g., Amazon, Dropbox, Google Cloud stor-
maintained by some cloud service provider (CSP). Thus, the age) allow the account owner to generate signed URLs using
file-owners may worry about whether their files have been which any other designated entity can upload, and modify
tampered with, especially for those of importance. content on behalf of the user. However, in this scenario, the
Considerable efforts have been made to address this is- delegator cannot validate whether or not the authorized one
sue. Among existing proposals, provable data possession (PDP) has uploaded the file as specified or verify whether or not
[4] is a promising approach in proof of storage (PoS). With the uploaded file has been kept intact. Hence, the delegator
PDP, the file-owner only needs to retain a small amount of has to fully trust the delegatees and the cloud server. In
parameters of outsourced files and a secret key. To check fact, the file-owner may not only need to authorize some
whether or not the outsourced files are kept intact, the file- others to generate files and upload to a cloud, but also need
owner or an auditor can challenge the cloud server with low to verifiably guarantee that the uploaded files have been
kept unchanged. For instance, in Electronic Health Systems
(EHS) [5], [6], when consulting a doctor, the patient needs
• Y. Wang and R. H. Deng are with the School of Information Systems,
Singapore Management University, Singapore 188065. Y. Wang is also
to delegate her doctor to generate electronic health records
with the State Key Laboratory of Integrated Services Networks, Xidian (EHRs) and store them at a remote EHRs center maintained
University, Xi’an, China. by a CSP [7]. In another typical scenario of cloud-aided
E-mail: {yjwang, robertdeng}@smu.edu.sg office applications, a group of engineers in different places
• Q. Wu is with the School of Electronic and Information Engineering,
Beihang University, Beijing 100191, China and with the State Key may fulfill a task in cooperation. The group leader can create
Laboratory of Cryptology, P. O. Box 5159, Beijing, 100878, China. a cloud storage account and authorize the members with
E-mail: qianhong.wu@buaa.edu.cn secret warrants. The behavior of the group members and
• B. Qin and W. Shi are Key Laboratory of Data Engineering and Knowledge
Engineering, Ministry of Education, School of Information, Renmin
the cloud server should be verifiable.
University of China, Beijing, China. B. Qin is also with the State Key Second, existing PoS-like schemes, including PDP and
Laboratory of Information Security, Institute of Information Engineering, Proofs of Retrievability (PoR) [8], do not support data log
Chinese Academy of Sciences, Beijing, 100093, China. related auditing in the process of data possession proof.
E-mail: {bo.qin, wenchang}@ruc.edu.cn
• J. Hu is with the School of Engineering and Information Technology, Uni- The logs are critical in addressing disputes in practice.
versity of New South Wales Defence Force Academy Canberra, Australia. For example, when the patient and doctor in EHS get
E-mail: J.Hu@adfa.edu.au involved medical disputes, it would be helpful if some
Manuscript received April XX, 2016. specific information such as outsourcer, type and generating
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2646913, IEEE
time of the outsourced EHRs are auditable. However, there insertion operations on the outsourced data. Yang and Jia
exist no PoS-like schemes that can allow validation of these [18] presented a scheme to support dynamic update for the
important information in a multi-user setting. outsourced data. Wang et al. [19] introduced a third security-
mediator into PDP system to generate verifiable metadata
1.1 Our Contributions on the outsourced files in a blind way, so that the security-
mediator learns nothing about the file. In [20], Wang et al.
To address the above issues for securing outsourced data in
offloaded the burdensome exponentiations in PDP schemes
clouds, this paper proposes an identity-based data outsourcing
at the client side by outsourcing the computations to a single
(IBDO) system in a multi-user setting. Compared to existing
computation server.
PoS like proposals, our scheme has the following distin-
Using proxy re-signatures, Wang et al. [11] proposed
guishing features.
a secure cloud storage scheme with user revocation in a
• Identity-based outsourcing. A user and her autho- multi-user setting, that is, if some user is revoked, then
rized proxies can securely outsource files to a remote her outsourced data will be re-signed by the cloud storage
cloud server which is not fully trustable, while any server. Chen et al. [12] investigated the relationship between
unauthorized ones cannot outsource files on behalf of secure cloud storage and secure networking coding, where
the user. The cloud clients, including the file-owners, a systematic way is presented to construct a secure cloud s-
proxies and auditors, are recognized with their i- torage scheme from any secure networking coding protocol.
dentities, which avoids the usage of complicated Zhu et al. [21] discussed multicloud storage and presented a
cryptographic certificates. This delegate mechanism cooperative PDP scheme which can efficiently support data
allows our scheme to be efficiently deployed in a migration. Wang [22] also considered the multicloud stor-
multi-user setting. age scenario and proposed a secure identity-based scheme.
• Comprehensive auditing. Our IBDO scheme Recently, Yu et al. [23] studied key-exposure problem in
achieves a strong auditing mechanism. The integri- secure cloud storage. In [24], an identity-based PDP scheme
ty of outsourced files can be efficiently verified by is presented from pre-homomorphic signatures to support
an auditor, even if the files might be outsourced group-oriented applications.
by different clients. Also, the information about the Public verifiability is a preferable property for PDP
origin, type and consistence of outsourced files can schemes, which allows anyone to audit the outsourced data
be publicly audited. Similar to existing publicly au- without knowing the private parameters of the data owner.
ditable schemes, the comprehensive auditability has With this property, the data owner can delegate the rights
advantages to allow a public common auditor to of integrity auditing to a third party auditor (TPA) without
audit files owned by different users, and in case of leaking private information. Aforementioned schemes [4],
disputes, the auditor can run the auditing protocol [11], [12], [17], [19], [21], [22] are all publicly verifiable. Jiang,
to provide convincing judicial witnesses without re- Chen and Ma [25] recently presented a publicly verifiable
quiring disputing parties to be corporative. scheme using the vector commitment technique, which also
• Strong security guarantee. Our IBDO scheme supports secure user revocation. Fan et al. [26], Yu et al. [27]
achieves strong security in the sense that: (1) it can and Yu et al. [28] considered indistinguishability/privacy
detect any unauthorized modification on the out- on outsourced data against the auditor in auditing integri-
sourced files and (2) it can detect any misuse/abuse ty. Zhang and Dong’s publicly verifiable data outsourcing
of the delegations/authorizations. These security scheme [29] is proved with tight security reduction in ID-
properties are formally proved against active collud- based setting. Zhang et al. [30] designed a certificateless
ing attackers. To the best of our knowledge, this is the public verification scheme which provides stronger security
first scheme that simultaneously achieves both goals. against a malicious auditor.
PoR [8] is also related to our work, which allows the
A thorough comparison of our scheme with several relat-
cloud server to convince the clients (file-owners and audi-
ed schemes is shown in Table 1 in terms of delegated data
tors) that the outsourced files can be successfully retrieved.
outsourcing, certificate-freeness, data origin auditing, data
As sentinels are used for detecting unauthorized modifica-
consistence validation and public verifiability. We also con-
tions, only a limit number of integrity queries on the out-
duct extensive experiments on our proposed IBDO scheme
sourced files are supported in [8]. Shacham and Waters [9]
and make comparisons with Shacham and Waters’ (SW) PoR
further presented three PoR schemes with private and pub-
scheme. Both theoretical analyses and experimental results
lic verifiability, which are the first with strict security proofs.
confirm that the IBDO proposal provides resilient security
Bowers, Juels and Oprea [31] investigated PoR in multi-
properties without incurring any significant performance
server setting, which strengthes the security and availability
penalties.
of outsourced files in the standard PoR framework.
Another line of related works support delegatable in-
1.2 Related Work tegrity auditing on outsourced files, yet they cannot support
The notion of PDP introduced by Ateniese et al. [4] allows controlled delegatable data outsourcing. Wang et al. [10]
an auditor to check the integrity of an outsourced file proposed privacy-preserving public auditing cloud storage
without retrieving the entire file from the cloud server; schemes, in which a secure TPA is introduced to verify the
at the same time the server does not need to access the integrity of outsourced files, while TPA can learn nothing
entire file for answering integrity queries. A subsequent about the file’s content. In a proxy PDP scheme presented
work in [17] supports modification and deletion, but not by Wang [13], if the designated auditor is unavailable, then
TABLE 1
Comparison with existing related works ķ
ĺ
Delegated data Origin ĺConsistence Public ķ
Schemes Certificate-Freeness
outsourcing Auditing ķ
Validation Verifiability
ĸ Ĺ √
Shacham and Waters [9] × × × ×
Wang et al. [10] × × × ĺ× × Ļ
√
Wang et al. [11] × × × × √
Chen et al. [12] × × × ĺ×
Wang [13] × × × × ×
Shen and Tzeng [14] × × × × ×
Armknecht et al. [15] × ×
√ × × ×
√
Wang et al. [16] × ķ ĸ × Ĺ × ĺ Ļ
√ √ √ √ √
Ours
the authorized proxy can be delegated for conducting data file or the processed file locally. The duty of the auditor is
possession checking on behalf of the auditor. Shen and to check the integrity of outsourced files and their origin-
Tzeng [14] proposed a delegatable PDP scheme, where a like general log information by interacting with the cloud
user can delegate integrity auditing capability to a delegatee storage server without retrieving the entire file.
so that the delegatee can perform auditing protocol on any
outsoured files of this user. Armknecht et al. [15] studied
delegatable auditing for privately auditable PoR schemes, ķ
which simultaneously protects against collusion attacks by ĺ

ķ
malicious clients, auditors and cloud servers. Based on a File-owner ĺ
ķ Registry Server
variant of the Schnorr signature, Wang et al. [16] proposed ĸ Ĺ
a secure data outsourcing scheme in the identity-based set- Ļ
ĺ
ting, however, their scheme also does not support delegated Auditor
ĺ
data outsourcing mechanism.
Proxies Storage Server
ķ Register ĸ Delegation Ĺ Original file ĺ Processed file Ļ Integrity & origin audit
1.3 Paper Organization
We describe the IBDO system architecture, threat model and Fig. 1. The architecture of IBDO system
security goals in Section 2. The framework of IBDO system
and the corresponding security model are formalized in Sec-
tion 3. A detailed IBDO construction is presented in Section
2.2 Adversary Model and Security Goals
4. The security and performance of our IBDO scheme are
analyzed in Section 5 and Section 6, respectively. Finally, An IBDO system confronts two types of active attacks. The
Section 7 concludes the paper. cloud client may impersonate others, specifically, she may
impersonate an owner or another authorized proxy, or abuse
a delegation, and in this way she can process a file and
2 S YSTEM M ODEL outsource it to the storage server in an unwanted way. On
2.1 System Architecture the other hand, a malicious storage server may modify or
even remove the outsourced files (for example, for saving
The architecture of our IBDO system is shown in Fig. 1.
storage space or due to hardware failures), especially for
An IBDO system consists of five types of entities, that is,
the rarely accessed files.
file-owners, proxies, auditors, registry server, and storage
Taking into account the above realistic attacks, a secure
server. Generally, the file-owners, proxies and auditors are
IBDO system should satisfy the following requirements:
cloud clients. The registry server is a trusted party responsi-
ble for setting up the system and responding to the clients’ • Dedicated delegation: A delegation issued by a file-
registration, and also allows the registered clients to store owner can only be used by the specific authorized
the public parameters of outsourced files. The cloud storage proxy to outsource specified files in a designated
server provides storage services to the registered clients for way. Even the authorized proxy cannot abuse it
storing outsourced files. In real-world applications, an or- to outsource unspecified files, and multiple proxies
ganization buys storage services from some CSP, and the IT cannot cooperatively deduce a valid delegation for a
department of the organization can play the role of a registry new warrant to outsource an unspecified file.
server. In this way, the registered clients (employees) can • Comprehensive auditing: Not only the integrity of
take advantage of the storage services. the outsourced file, but also the log information
The file-owner and her authorized proxies can outsource about the origin, type and consistence of the out-
files to the cloud server. Specifically, on behalf of the owner, sourced files should be verifiable by the auditors.
the authorized proxy processes the file, sends the processed The integrity auditing ensures that the outsourced
results to the storage server, and uploads the corresponding files have been kept intact; the other general log in-
public parameters of the file to the registry server. Neither formation auditing ensures that the file has been out-
the file-owner nor the proxy is required to store the original sourced in the designated way. With comprehensive
auditing, an IBDO system can provide convincing 3.2 Formal Security Definitions
judicial witnesses to address disputes. We present formal security definitions to capture the se-
curity requirements described in Section 2.2. Two types of
probabilistic polynomial-time (PPT) adversaries are used to
3 D EFINITIONS model the malicious clients and a dishonest storage server.
The former may collude to forge or abuse the delegation
3.1 Framework of IBDO System with regard to some file-owner, while the latter may try to
modify the stored files without being caught.
Formally, an IBDO system consists of five polynomial- We first define the security against malicious proxies,
time computable algorithms/protocols, that is, Setup, Regst, where a PPT adversary A is assumed to play the following
Dlgtn, IBDOsc, and Audit. game with a challenger C .
Setup: On input a security parameter κ, the challenger
• Setup(1κ ) → (Para, msk): on input 1κ where κ is
C generates (Para, msk) and sends public parameter Para to
a security parameter, the system setup algorithm,
adversary A.
which is run by the registry server, generates the
Queries: Adversary A can adaptively issue the following
public parameter Para for the system and a master
queries to C . The challenger maintains the corresponding
secret key msk for the registry server itself.
query lists which are initially empty.
• Regst(Para, msk, IDi ) → ski : on input the public
parameter Para, the master secret key msk and an • Register: The adversary can ask for private key for
identity IDi , the register algorithm, which is run by any identity IDi . The challenger generates ski and
the registry server, generates a private key ski for gives it to A. This query means that the attacker can
user IDi . User IDi should be able to validate ski collude with some file-owner or proxy.
and accept it as her/his private key only if it passes • Delegation: In each query, the adversary submits a
the validation. warrant W to C . Note that W contains a delegator
• Dlgtn(Para, IDo , sko , IDp ) → (W, σw ): on input the identity IDo and a delegatee identity IDp . If the
public parameter Para, an identity IDo (file-owner) private key of IDo has not been queried before, the
and her private key sko , and another identity IDp challenger will first generate it. Then, the challenger
(proxy), the delegating outsourcing rights algorithm, answers with a delegation σw . This query implies
which is run by a delegator IDo , generates a pair of that the attacker can obtain any normal delegations.
warrant and delegation (W, σw ) for proxy IDp . The • Processing file: In each query, the adversary submits
proxy IDp should be able to validate (W, σw ) and a tuple (W, M ) to C . If the private key of IDp and
accept the delegation only if it passes the validation. the delegation in relation to warrant W have not
• IBDOsc(Para, W, σw , skp , M ) → (τ, M ∗ ): on input been queried before, the challenger will first generate
the public parameter Para, a pair of warrant and them. Then, the challenger answers with a processed
delegation (W, σw ), a private key skp and a file M , file M ∗ . This query implies that the attacker can
the proxy data outsourcing algorithm, which is run obtain any processed files.
by an authorized proxy IDp , generates a file tag τ
and a processed file M ∗ on behalf of the file-owner. End-Game: Eventually, the adversary A outputs a pro-
cessed file Mf∗ under W f∗ corresponds to an
f . Note that M
• Audit(Para, τ ) → {0, 1}: on input the public pa-
rameter Para and a file tag τ , the public auditing original file M
f and W
f contains a delegator identity ID
f o and
protocol, which is jointly run by the auditor and f p . We say the adversary A succeeds
a delegatee identity ID
storage server, outputs “1” if the origin and integrity if the following conditions hold, no matter whether Mf∗ can
of the outsourced file specified by τ can be verified pass integrity checking for M :
f
as true; otherwise it outputs “0”.
• Adversary A has not been made a registry query on
A secure IBDO scheme must be sound, that is, if all en- identity ID
f o to get a private key;
tities honestly follow the scheme, then no failure will occur • Adversary A has not been made a delegation query
at any stage during the scheme running. Formally, for a on Wf;
security parameter κ ∈ N and any (Para, msk) ← Setup(1κ ), • Adversary A has not been made a processing file
all the following conditions hold: query that involves W f;
• σ̃w is a valid delegation by delegator ID
f o to proxy
• For any private key ski ← Regst(Para, msk, IDi ) IDp under W .
f f
issued by the registry server, it can be validated as
true and thus accepted by user IDi ; Definition 1. An IBDO scheme is secure against adaptive
• For any pair of warrant and delegation (W, σw ) ← impersonation and misusing delegation attacks if any
Dlgtn(Para, IDo , sko , IDp ) issued by user IDo , it can PPT adversary A who plays the above game with C has
be validated as true and thus accepted by user IDp ; only negligible probability in winning the game, that is,
• For any outsourced file (τ, M ∗ ) ← IBDOsc(Para, W,
Pr[Awin ] ≤ (κ)
σw , skp , M ) under a valid delegation σw , it should be
always audited as true in a round of Audit protocol, where the probability is taken over all coin tosses made
that is, Audit(Para, τ ) = 1. by C and A.
We proceed to define the security of IBDO scheme so on. When a file is processed, it is partitioned into blocks,
against a dishonest storage server. Although the storage so as to generate metadada for each block individually. The
server may forge a delegation as it holds a mass of del- warrant should be embedded into every metadata, to char-
egations for outsoured files, it can be essentially captured acterize that the metadata are generated by the authorized
by Definition 1. Thus, the following security game focuses proxy. During the execution of integrity and origin auditing
particularly on the integrity guarantee on outsourced files. protocol, except the aggregate file blocks, the auditor also
Setup: On input a security parameter κ, the challenger requests the aggregate metadata and the signed warrant.
C generates (Para, msk) and sends public parameter Para to Both the aggregate metadata and signed warrant should be
adversary A. Then adversary A adaptively requests pro- audited, in this way to conclude that the file is intact and is
cessed files in the same way as in Definition 1 by interacting indeed outsourced by the one as specified in the warrant.
with the challenger C . From a technical point of view, we employ Paterson and
Queries: The challenger adaptively carries out the in- Schuldt’s identity-based signature scheme [32] as building
tegrity and origin auditing protocol with the adversary A. block. The delegation is generated as an identity-based
That is, adversary A plays the role of a prover, in a way signature on a warrant by their scheme, in this way the
it answers integrity challenges by C on any outsourced file delegation can be publicly verified in Audit protocol of IBDO
that it holds. system. Also, we follow the framework due to Shacham
and Waters [9] to split the file blocks when generating
• The challenger C generates a challenge for some metadata, which provides a trade-off between storage costs
outsourced file and sends it to A; and communication overheads in auditing.
• The adversary responds with a proof according to its
maintained processed file; 4.2 Mathematic Background
• The challenger verifies the proof and gives the veri-
Our scheme is built on bilinear groups. Suppose G and GT
fication results to A.
are two cyclic groups with prime order q , where G = hgi.
End-Game: Eventually, the challenger and the adversary The group G is a symmetric bilinear group if there exists
carry out a final round of integrity auditing protocol. That is, a bilinear map ê : G × G → GT such that: (1) Bilinearity:
the challenger sends out a challenge C e for some processed ∀h1 , h2 ∈ G, and ∀a, b ∈ Zq∗ , ê(ha1 , hb2 ) = ê(h1 , h2 )ab ;
file M ∗
f , and accordingly the adversary returns a proof Pe . (2) Non-degeneracy: ê(g, g) 6= 1 is a generator of GT ; (3)
Assume M f∗ has been tampered with at the storage server Efficiency: the map ê and group operations in G and GT
side and the challenge C e touches the corrupted parts of M f∗ . can be efficiently computed.
We say that the adversary A succeeds in the game if the CDH Assumption [33]. Suppose G = hgi is a cyclic group
tuple (π̃1 , · · · , π̃c , σ̃) in the proof Pe is valid for the challenge with prime order q . Given a triplet (g, g α , g β ) with α, β ∈R
f∗ , while this tuple is different from Zq∗ , for any PPT algorithm A, the probability in computing
Ce and processed file M
that generated by C from the maintained processed file. g αβ , i.e., Pr A(g, g α , g β ) = g αβ , is negligible.
Definition 2. An IBDO scheme is secure against modification 4.3 System Setup: Setup
attacks on outsourced files if any PPT adversary A has
Taking as input a security parameter κ, the registry server
only negligible probability in κ in winnig the above
randomly picks a cyclic group G = hgi with prime order q
game, that is,
and a bilinear map ê : G×G → GT . Then, randomly choose
Pr[Awin ] ≤ (κ)
an integer a ∈R Zq∗ and elements g2 , µ0 , µ1 , · · · , µl , ν0 , ν1 ,
where the probability is taken over all coin tosses made · · · , ν` , u1 , · · · , uB ∈R G, where B is the upper bound
by C and A. of sector number in file blocks. Computes g1 = g a and
msk = g2a . The registry server also chooses three collision-
resistant hash functions such as H1 : {0, 1}∗ → {0, 1}l ,
4 A N IBDO S CHEME H2 : {0, 1}∗ → {0, 1}` and H3 : {0, 1}∗ → G, where the
4.1 An Overview bitstring lengths l and ` are determined by κ. The public
system parameter is Para = (1κ , G, GT , ê, q, g, g1 , g2 , µ0 , µ1 ,
It is challenging to achieve both proxy data outsourcing · · · , µl , ν0 , ν1 , · · · , ν` , u1 , · · · , uB , H1 , H2 , H3 ). The master
and comprehensive auditing functionalities in IBDO. At a key msk is kept secret by the registry server.
first glance, it seems that if the file-owner has delegated
her outsourcing rights to some proxy, then the authorized 4.4 Register: Regst
proxy can simply employ the existing PDP/PoR schemes
Using the master secret key msk , the registry server gen-
for processing and outsourcing files. However, although this
erates a private key ski for every user IDi who may be
delegation has been signed by the file-owner, there exists a
a file-owner or a proxy in the IBDO system. In detail, the
gap that the information of the file-owner is not bounded
registry server computes
with the file, which leaves a vulnerability that the proxy
may abuse the delegation without being caught. We fill this ~ui = (ui,1 , · · · , ui,l ) ← H1 (IDi ), (1)
gap in our IBDO construction.
picks a random value ti ∈R Zq∗ and generates ski as follows:
In our IBDO system, to delegate outsourcing rights to
a proxy, the file-owner signs a dedicated warrant for the l
u
Y
proxy. The warrant may specify who can outsource which ski = (ski,1 , ski,2 ) = (g2a · (µ0 µj i,j )ti , g ti ) (2)
kind of files during what time on behalf of the owner, and j=1
Finally, the registry server sends ski to IDi . 4.7 Auditing Outsourced Data: Audit
The user IDi can validate ski = (ski,1 , ski,2 ) by com- The auditing procedure consists of three phases: challenge,
puting ~ui and checking whether response and verification.
l [Phase 1: Challenge] The auditor first makes sure the file
? u
Y
ê(ski,1 , g) = ê(g1 , g2 ) · ê(µ0 µj i,j , ski,2 ) (3) tag τ is valid, that is, he retrieves τ from the registry server
j=1 and performs S.Vrf(τ0 , tpk). If it is invalid, which means
this outsourced file cannot be audited, then the protocol
If the equality holds, then IDi accepts the private key ski ;
aborts; otherwise, the auditor parses τ0 to obtain the total
otherwise, she f ails to register.
number r of file blocks. The auditor randomly picks a
nonempty subset I ⊆ [1, r] along with a number of random
4.5 Delegating Outsourcing Rights: Dlgtn values si ∈R Zq∗ for every i ∈ I . After that, the auditor
For authorizing a proxy IDp , the file-owner IDo generates sends the challenge C = {(i, si ) : i ∈ I} and file identifer
a warrant W which includes her identity IDo , the proxy’s f id to the storage server.
identity IDp , the validity period of W , and may also contain [Phase 2: Response] When receiving a challenge C and
some other specifics such as file type, etc. For example, a file identifier f id, the storage server locates to the corre-
W = IDo kIDp kT imeP eriodkF ileT ype. With Para, the file- sponding outsourced file M ∗ and computes
owner IDo evaluates hash function X Y s
πj = si mi,j mod q for all j ∈ [1, c], and σ = σi i .
~ = (w1 , · · · , w` ) ← H2 (W )
w (4) i∈I i∈I
picks a random value tw ∈R Zq∗ and produces a delegation The storage server sends to the auditor a proof P which
using her private key as follows: consists of π1 , · · · , πc , σ and the first part of delegation.
[Phase 3: Verification] On receiving a proof P , with
l `
Y u
Y w Para and τ , the auditor computes ~uo ← H1 (IDo ), ~up ←
σw = (g2a · (µ0 µj o,j )to · (ν0 νj j )tw , g to , g tw ) H1 (IDp ), and w ~ ← H2 (W ) as shown in Equalities (1)
j=1 j=1
and (4). The auditor checks the validity of σw indicated by
The warrant-delegation pair (W, σw ) is sent to IDp . Equality (5) and σ as follows
Upon receiving (W, σw ) = (W, (α, β, γ)) from IDo , l
the proxy IDp can validate the delegation. Specifically, he ? u
P Y P
si
ê(σ, g) =ê(g1 , g2 ) i∈I · ê(µ0 µj p,j , g tp ) i∈I si
computes the hash values ~ uo ← H1 (IDo ) and w ~ as shown j=1
in Equations (1) and (4), and checks whether c
π
Y Y
l ` · ê( H3 (W kf idki)si · uj j , vf ) (6)
? u w
Y Y
ê(α, g) = ê(g1 , g2 ) · ê(µ0 µj o,j , β) · ê(ν0 νj j , γ) (5) i∈I j=1
j=1 j=1 If Equality (5) holds, the auditor concludes that IDp is
If the condition holds, then the proxy IDp accepts the dele- authorized by IDo with W . If Equality (6) also holds, she
gation from IDo which means he is successfully authorized is convinced that the challenged file is intact.
with the warrant W ; otherwise, he rejects the delegation. In the above three-phase auditing procedure, the audi-
tor can also simultaneously request for the specifics (e.g.,
file creation/process/outsourcing time) associated with the
4.6 Identity-Based Data Outsourcing: IBDOsc
warrant W of the audited file. In this case, the response P
Given a file M ∈ {0, 1}∗ to be outsourced under a valid will additionally contain the requested data specifics, so that
warrant-delegation pair (W, σw ), the authorized proxy IDp they can be checked by the auditor. In fact, the verification
partitions the file M into blocks such that each block com- on these specifics requires no crypto techniques.
prises c (1 ≤ c ≤ B) sectors, that is, M = (mi,j )r×c
where mi,j ∈ Zq . Then, IDp chooses a random identifier
f id ∈R Zq∗ and a random value tf ∈R Zq∗ for file M , com- 4.8 Discussions
putes vf = g tf , and sets τ0 = W kf idkrkckg to kg tp kg tw kvf . As remarked in [32], each user IDi can re-randomize
The proxy IDp proceeds to choose a (one-time) signature his/her private key ski = (ski,1 , ski,2 ) issued by the registry
scheme S = hKgen, Sig, Vrfi and generates the file tag server, that is, he/she may pick a random value t0i ∈R Zq∗
for M as τ = τ0 kS.Sig(τ0 , tsk)ktpk , where (tpk, tsk) ← and generates ski0 as follows
S.Kgen(1κ ). l
The proxy IDp continues to create metadata σi (1 ≤ i ≤ u 0 t0
Y
ski0 = (ski,1
0 0
, ski,2 ) = (ski,1 · (µ0 µj i,j )ti , ski,2
i
)
r) for each file block using his private key skp as follows j=1
l c l
Y u
Y mi,j tf
Y u 0 0
σi = g2a · (µ0 µj p,j )tp · (H3 (W kf idki) · uj ) = (g2a · (µ0 µj i,j )ti +ti , g ti +ti )
j=1 j=1 j=1
Finally, the file tag τ is sent to the registry server, while In a similar way, the proxy is also able to re-randomize
the processed file M ∗ that comprises M , f id, {σi }1≤i≤r and the received delegation. However, when processing and
the first entry of delegation σw is uploaded to the cloud outsourcing a concrete file, both private keys of the file-
storage server and removed at the proxy IDp ’s local side. owner and authorized proxy as well as the corresponding
delegation should be fixed, although they might be differ- against adaptive impersonation and misusing delegation
ent for distinct files. In fact, this is realized by inserting attacks. Specifically, neither any client nor the cloud
g to , g tp , g tw into the file tag. Also, since vf is contained in storage server can forge a valid delegation on some
the file tag, the cloud server cannot randomize the metadata. warrant with regard to any file-owner, any proxy and
Besides, although our IBDO scheme is proposed in sym- any file of his choice, and in this way outputs a valid
metric bilinear groups, it can also be efficiently instantiated processed file under this delegation.
using asymmetric bilinear mapping ê : G1 × G2 → GT , that
is, by choosing H3 : {0, 1}∗ → G2 , and letting g be from G1 , The following proof follows the standard framework
and g2 , µ0 , µ1 , · · · , µl , ν0 , ν1 , · · · , ν` , u1 , · · · , uB from G2 . established in [32], [34].
Proof: Assume the adversary A can output a pro-
5 S OUNDNESS AND S ECURITY cessed file that contains a forged delegation with probability
, in relation to some warrant he generates. Then, we show
We show the soundness of our scheme, that is, if all the that adversary A can break Paterson and Schuldt’s identity-
entities in the IBDO system behave honestly, then the regis- based signature scheme [32] with probability at least . In the
tration information, delegation and processed file produced following, algorithm C will perfectly simulate a challenger
by the proposed IBDO scheme can be correctly audited. when interacting with adversary A.
Theorem 1. In a successful registration, the client always The challenger C is given a group G = hgi with prime
accepts the private key generated by the registry server. order q and a CDH instance (g, g a , h), whose target is to
The proxy always accepts the delegation if the corre- compute ha by interacting with A.
sponding file-owner is honest. If the target outsourced Setup. The challenger C sets lu = 2(qr + qd ) and lw =
file has not been tampered with, then the proof generated 2qd , where qr and qd represent the total number of register
by the storage server will be verified as valid. queries and delegation queries, respectively. It is assumed
Proof: We only need to show that Equation (3), E- that lu (l + 1) < q and lw (` + 1) < q . The challenger C then
quation (5) and Equation (6) all hold. The correctness of picks a series of random values as follows
Equality (3) is straight-forward. Since ~ uo = (uo,1 , · · · , uo,l )
R R
~ = (w1 , · · · , w` ), it follows that
and w ku ← [0, l], and kw ← [0, `]
R R
l ` x0 ← Zl∗u , and xi ← Zl∗u for every 1 ≤ i ≤ l
u w
Y Y
ê(α, g) =ê(g2a , g) · ê((µ0 µj o,j )to , g) · ê((ν0 νj j )tw , g) R R
y 0 ← Zq∗ , and yi ← Zq∗ for every 1 ≤ i ≤ l
j=1 j=1 R R
l `
z 0 ← Zl∗w , and zj ← Zl∗w for every 1 ≤ j ≤ `
u w R R
$0 ← Zq∗ , and $j ← Zq∗ for every 1 ≤ j ≤ `
Y Y
=ê(g1 , g2 ) · ê(µ0 µj o,j , β) · ê(ν0 νj j , γ)
R
j=1 j=1 θj , ϑj ← Zq∗ for every 1 ≤ j ≤ c
Therefore, EqualityP
(5) holds.
Note that πj = i∈I si mi,j mod q for all j ∈ [1, c] and Then, the challenger C sets the public parameters as
follows
l
u
Y Y Y
σ= (g2a )si · ((µ0 µj p,j )tp )si g1 = g a , g2 = h
0 0
i∈I i∈I j=1 µ0 = g2−lu ku +x g y , µi = g2xi g yi for every 1 ≤ i ≤ l
c 0 0 z
·
Y
((H3 (W kf idki) ·
Y
uj
mi,j tf si
) ) ν0 = g2−lw kw +z g $ , νj = g2j g $j for every 1 ≤ j ≤ `
θj ϑj
i∈I j=1 uj = g2 g , 1≤j≤c
l
u These parameters perfectly simulate the adversary A’s
P Y P
=(g2a ) i∈I si
· ((µ0 µj p,j )tp ) i∈I si
j=1 view, that is, they are computationally indistinguishable

c P from the public parameters in Para. Note that the solution
Y Y si mi,j tf
·( H3 (W kf idki)si · uj i∈I
) for the given CDH instance is the same as the master secret
i∈I j=1 key msk .
We have Queries. The adversary A can adaptively issue the fol-
lowing queries to the challenger C .
l
u Register Queries: The adversary A adaptively submits
P Y P
si
ê(σ, g) =ê(g1 , g2 ) i∈I · ê(µ0 µj p,j , g tp ) i∈I si
j=1
identities to C for requesting private keys. Since the chal-
c lenger C does not have the master secret key msk , he will
π
Y Y
· ê( H3 (W kf idki)si · uj j , g tf ) answer this type of queries as follows. For each queried
i∈I j=1 identity IDi , the challenger C computes ~ ui as defined in
Equality (1). For simplicity of presentation, we set
Hence, Equality (6) holds.
The following theorems guarantee the security of our l
X l
X
IBDO scheme as defined. F (~ui ) = x0 + xj ui,j − lu ku , and J(~ui ) = y 0 + yj ui,j .
Theorem 2. Suppose the CDH assumption holds in bilinear j=1 j=1
groups and the signature scheme S used for generating Ql u F (~
ui ) J(~
ui )
file tags is secure. The proposed IBDO scheme is secure Thus, we have µ0 j=1 µj i,j = g2 g .
If F (~ ui ) 6= 0 mod q , then the challenger C chooses a be submitted at first, with inputs (IDo , W ) and IDp , re-
random value ti ∈R Zq∗ and computes a private key ski = spectively. If F (~uo ) = 0 mod lu and K(w) ~ = 0 mod q ,
(ski,1 , ski,2 ) such that where ~ uo ← H1 (IDo ) and w ~ ← H2 (W ), then C just aborts
the game since he cannot generate a delegation for the
J(~
u )
i l 1
− F (~ Y u − F (~ given identities and warrant. For the case that F (~ uo ) 6= 0
µj i,j )ti , and ski,2 = g1 g ti .
u ) u i)
ski,1 = g1 i
· (µ0
mod lu or K(w) ~ 6= 0 mod q , the challenger C carries out
j=1
the following steps.
If denotes t0i = ti − a/F (~
ui ), then one can check that the Step 1: The challenger generates a delegation σw as
above private key ski is valid for IDi due to the following discussed in delegation queries.
equalities Step 2: Computes ~ up ← H1 (IDp ) as shown in Equal-
F (~
ui ) a
− F (~ F (~
ui )
ity (1). If F (~
up ) = 0 mod lu , then the challenger aborts.
ski,1 = g2a · (g2 · g J(~ui ) ) u i) · (g2 · g J(~ui ) )ti Otherwise, the challenger extracts a private key skp for
F (~
ui ) a
ti − F (~
l
Y u 0
IDp as we discuss above. The challenger C picks a ran-
= g2a · (g2 · g J(~ui ) ) u i) = g2a · (µ0 µj i,j )ti dom value tf ∈R Zq∗ and a random unique identifier f id
j=1 for file M , and computes vf = g tf . For each file block
0 ~ i = (mi,1 , · · · , mi,c ) where 1 ≤ i ≤ r, picks random
m
and ski,2 = g ti −a/F (~ui ) = g ti . Thus, the private key ski
values t̂i ∈R Zq∗ and sets
generated in this way is computationally indistinguishable
. Pc θ m
from the real private key in the adversary’s perspective. H3 (W kf idki) = g t̂i (g2 j=1
j i,j
Pc
· g j=1 ϑj mi,j )
Otherwise, i.e., F (~ui ) = 0 mod q , the algorithm aborts.
Delegation Queries: The adversary A can adaptively sub- That is,
mit a warrant W to the challenger C , where W specifies c
mi,j tf
Y
a delegator IDo , a proxy IDp and some other specific (H3 (W kf idki) · uj ) = (g t̂i )tf = (g tf )t̂i
information. The challenger C will generate a delegation of j=1
IDo for IDp with the warrant W as follows. The challenger
Next, the challenger computes the metadata for file block
first computes ~ uo as shown in Equality (1) and evaluates u
~ i as σi = g2a · (µ0 lj=1 µj p,j )tp · (g tf )t̂i . It is easy to
Q
F (~uo ), then gets into one of the following two cases. m
Case 1: F (~uo ) 6= 0 mod lu . In this case, the challenger C see that the metadata generated here is computationally
generates a private key sko for IDo as discussed in register indistinguishable from the real one in the adversary’s view.
queries, and generates a delegation σw as described in our Step 3: The challenger sends the processed file M ∗ which
scheme. The challenger C gives σw to A. includes {σi }1≤i≤r ∪ {σw , f id} to A.
Case 2: F (~ uo ) = 0 mod lu . For a given W , the chal- End-Game. Finally, if the challenger does not abort, then
lenger C computes w ~ as shown in Equality (4). Similar to the adversary A will output a forgery
the discussions of register queries, for simplicity, we set f∗ = (m̃i,j )r̃×c̃ ∪ {σ̃i }1≤i≤r̃ ∪ {σ̃w , fg
M id}
` `
X X in relation to some warrant W f with non-negligible probabil-
~ = z0 +
K(w) ~ = $0 +
zj wj − lw kw , and L(w) $j wj .
ity. According to Definition 1, the adversary A succeeds in
j=1 j=1
the game means that σ̃w is valid for Wf . It further implies σ̃w
Q` w K(w)
~ L(w)
Thus, we have ν0 j=1 νj j = g2 g ~ . is a forged signature for W f in identity-based setting. Thus,
If K(w)~ = 0 mod q , the algorithm aborts; otherwise, if the adversary A can break the proposed scheme with
the challenger C chooses random values to , tw ∈R Zq∗ and probability , then it can also break Paterson and Schuldt’s
computes a delegation σw = (σw,1 , σw,2 , σw,3 ) where identity-based signature scheme [32] (i.e., outputs ha ) with
probability at least .
l L(w)
~ `
− K(
u w Theorem 3. Suppose the CDH assumption holds in bilinear
Y Y
σw,1 = (µ0 µj o,j )to · g1 w)
~
· (ν0 νj j )tw ,
j=1 j=1 groups and the signature scheme S used for generating
file tags is secure. The proposed IBDO scheme is secure
− K(1w) against modification attacks. Specifically, the storage
σw,2 = g to , and σw,3 = g1 ~
· g tw .
server cannot forge a valid response for any integrity
If denote t0w = tw − a/K(w) ~ , then the delegation σw auditing challenge, if the challenged file blocks in the
generated in this way is computationally indistinguishable outsourced file have been corrupted.
from the real delegation in the adversary’s view due to the The following proof is inspired by a standard framework
following equality established in [9].
l ` Proof: The proof consists of a list of security games
Y u
Y w 0 0
σw = (g2a · (µ0 µj o,j )to · (ν0 νj j )tw , g to , g tw ) along with respective analysis.
j=1 j=1 Game 0. In this game, both the adversary and the challenger
Delegated Data Processing Queries: The adversary A can behave in the way defined in Definition 2.
adaptively submit a tuple (W, M ) to the challenger C , where Game 1. This game is identical to Game 0, with the follow-
W specifies a file owner IDo , a proxy IDp and some ing difference. The challenger maintains all the processed
other specific information. From the proposed scheme, we files that have been provided to the adversary in Setup
know that the register query and delegation query should phase. In the final round of integrity auditing protocol, the
adversary outputs a proof that satisfies verification equation and

(6) for the challenge C
e , warrant W
f and processed file M f∗ , l
u
P Y P
si
while the aggregate metadata is not equal to that generated ê(σ, g) =ê(g1 , g2 ) i∈I · ê(µ0 µj p,j , g tp ) i∈I si
by the challenger from its maintained information. j=1
c
Analysis. Suppose the adversary A succeeds in Game 2 Y Y π
· ê( idki)si ·
f kfg
H3 (W uj j , vf ) (8)
with non-negligible probability. Then, we can construct an
i∈I j=1
algorithm C to solve the CDH problem. Algorithm C is given
a group G = hgi with prime order q and a CDH instance Note that π̃j = πj cannot hold for all 1 ≤ j ≤ c since
(g, g α , h), whose goal is to output hα by interacting with A. otherwise, σ̃ = σ . If denote ∆πj = π̃j − πj , then at least
Algorithm C behaves like a challenger of Game 0, but one element of {∆πj : 1 ≤ j ≤ c} should be nonzero.
with the following differences: Dividing Equality (7) by Equality (8) on respective sides and
assuming vf = (g α )āf , we get
• It picks a random value a ∈R Z∗q , and sets g1 = g a , c c
∆πj θ
Y Y
g2 = h and msk = g2a . Also, it randomly chooses ê(σ̃/σ, g) = ê( uj , vf ) = ê( (g2j g ϑj )∆πj , (g α )āf )
R
θj , ϑj ← Zq∗ for each 1 ≤ j ≤ c, and computes uj = j=1 j=1
θj ϑj
g2 g . It further implies
• It controls the random oracle H3 so that it maintains Pc Pc
all the queries and answers them in a consistently ê(σ̃σ −1 (g α )−āf j=1 ϑj ∆πj
, g) = ê(h, g α )āf j=1 θj ∆πj
manner. For the queries of the form H3 (W kf idki),

Thus, we get the solution of the given CDH instance as
it will respond in the following way as shown in
follows
processing file.
Pc 1
For processing a file M under W , it first computes
Pc
•
hα = (σ̃σ −1 (g α )−āf j=1 ϑj ∆πj ) āf j=1 θj ∆πj
~up ← H1 (IDp ) as defined in Equality (1), and Pc
extracts a private key skp for IDp as defined in as long as āf j=1 θj ∆πj 6= 0 mod q . Since some of {∆πj :
the proposed scheme (see Equality (2)). The chal- 1 ≤ j ≤ c} are nonzero and Pcāf , θj for 1 ≤ j ≤ c are random
lenger C picks a random unique identifier f id and values, we know Pr[āf j=1 θj ∆πj = 0 mod q] = 1/q .
a random value ā ∈R Zq∗ for file M , and computes Thus, if the difference between the adversary’s probabilities
vf = (g α )ā which implies tf = αā. For each file of success in Game 0 and Game 1 is non-negligible, then we
block m ~ i = (mi,1 , · · · , mi,c ) where 1 ≤ i ≤ r, picks can construct an algorithm C as discussed above to solve the
a random value t̂i ∈R Zq∗ and sets CDH problem.
. Pc θ m Pc
Game 2. This game is identical to Game 1, with the follow-
H3 (W kf idki) = g t̂i (g2 j=1 · g j=1 ϑj mi,j )
j i,j
ing difference. As in Game 1, the challenger maintains all the
processed files that have been provided to the adversary in
Setup phase. In the final round of integrity auditing proto-
That is,
col, the adversary outputs a proof that satisfies verification
c equation (6) for the challenge Ce , warrant W
f and processed
mi,j tf
Y
∗
(H3 (W kf idki) · uj ) = (g t̂i )tf = (vf )t̂i file M , while at least one of the aggregate challenged file
f
j=1 sectors is not equal to that generated by the challenger
according to its maintained information.
The challenger proceeds to compute the metadata for Analysis. Suppose the adversary A succeeds in Game 2
u
~ i as σi = g2a · (µ0 lj=1 µj p,j )tp · (vf )t̂i .
Q
file block m with non-negligible probability. Then, we can construct an
It is easy to see that the metadata generated in this algorithm C to solve the discrete logarithm (DL) problem.
way is computationally indistinguishable from the Algorithm C is given a group G = hgi with prime order q
real metadata in the adversary’s view. and a DL instance (g, h), whose goal is to output α so that
• Algorithm C interacts with the adversary A to per- h = g α by interacting with A.
form the integrity auditing protocol. As specified in Algorithm C behaves like a challenger of Game 1, but
Game 1, the game aborts if the adversary outputs with the following differences:
an aggregate metadata σ̃ that is not equal to the
expected one σ in a round of auditing. • For processing a file M under W , it first computes
~up ← H1 (IDp ) and extracts a private key skp for
Let (π̃1 , · · · , π̃c ) be the aggregate challenged file sectors IDp as in the proposed scheme. Also, it processing
in the proof Pe . Thus, we have file M by following our scheme but using parameters
θ R
uj = g2j g ϑj for each 1 ≤ j ≤ c, where θj , ϑj ← Zq∗ .
l It is easy to see that the metadata generated in this
u
P Y P
si
ê(σ̃, g) =ê(g1 , g2 ) i∈I · ê(µ0 µj p,j , g tp ) i∈I si
way is computationally indistinguishable from the
j=1 real metadata in the adversary’s view.
Y c
Y π̃
• Algorithm C interacts with A to perform the integrity
· ê( idki)si ·
f kfg
H3 (W uj j , vf ) (7) auditing protocol. As specified in Game 2, the game
i∈I j=1 aborts if the outputted aggregate file sectors {π̃j :
1 ≤ j ≤ c} are different from the expected ones 6.2 Theoretical Analysis

{πj : 1 ≤ j ≤ c} in a round of auditing. We summarize the computation costs of each algorithm and
protocol in Table 2, which shows a comparison between
According to Game 1, we know that σ̃ = σ . By checking our scheme and Shacham and Waters’ publicly verifiable
Equality (7) and Equality (8), it follows that PoR scheme over bilinear groups [9]. The costs of file tag
c generation and verification are not counted as they are
π̃
Y Y
ê( idki)si ·
f kfg
H3 (W uj j , vf ) determined by the specific signature scheme S chosen at
i∈I j=1 the processing file phase. In the table, M and E denote one
c multiplication and one exponentiation in G, respectively;
π
Y Y
= ê( H3 (W idki)si ·
f kfg uj j , vf ) similarly, MT and ET respective denote one multiplication
i∈I j=1 and one exponentiation in GT ; Mq and Aq represent one
multiplication and one addition in Zq , respectively; P de-
Qc π̃ Qc π
It further implies that j=1 uj j = j=1 uj j . Let ∆πj = notes one bilinear pairing evaluation ê : G × G → GT .
π̃j − πj for each 1 ≤ j ≤ c. Thus, at least one element of We do not differentiate hash evaluations of H1 , H2 or H3 ,
{∆πj : 1 ≤ j ≤ c} should be nonzero. We get and denote them commonly as H. Since both g1 and g2
are public parameters in our IBDO scheme, ê(g1 , g2 ) can
c c ∆πj
Y ∆πj
Y θ
Pc Pc be pre-computed and looks also as a public value. Thus, it
uj = g2j g ϑj =h j=1 θj ∆πj
g j=1 ϑj ∆πj
=1 is not included in Table 2. As known that exponentiations
j=1 j=1
and pairings are more time-consuming compared to the
Thus, we get the solution of the given DL instance as follows other ones, they would essentially determine the efficiency
of these two schemes.
c
X c
X In both schemes, all verification cases at user side take
α = −( ϑj ∆πj )( θj ∆πj )−1 mod q only constant pairings, that is, when verifying a private
j=1 j=1 key issued by registry server, validating a delegation gen-
Pc erated by a file owner, or checking a proof in a round of
as long as j=1 θj ∆πj 6= 0 mod q . Since some of {∆πj : (comprehensive) auditing. All other phases do not involve
1 ≤ j ≤ c} are nonzero
Pc and θj for 1 ≤ j ≤ c are random pairing evaluations. For processing a file M with sectors
values, we know Pr[ j=1 θj ∆πj = 0 mod q] = 1/q . Thus, {mi,j }r×c , SW scheme takes (rc + r) exponentiations, rc
if the difference between the adversary’s probabilities of multiplications and r hash evaluations. Our scheme only
success in Game 1 and Game 2 is non-negligible, then we incurs one more time-consuming exponentiation, plus r
can construct an algorithm C as discussed above to solve efficient multiplications. Thus, both SW scheme and ours
the DL problem. enjoy the same efficiency level for processing the same
Since the hardness of CDH problem implies that of DL file. When performing a round of auditing protocol on an
problem, we complete the proof by combing Game 0, Game outsourced file, both schemes require the same number
1 and Game 2. (i.e., |I|) of exponentiations in group G at cloud storage
server side. While at auditor side, SW scheme takes (|I| + c)
exponentiations in group G and two pairings to check a
6 E VALUATION proof, and our scheme would take another four pairings in
order to auditing the corresponding delegation.
6.1 Modification Checkability Analysis Table 3 further compares our IBDO scheme with SW
scheme in terms of storage costs at the cloud side, com-
The detection probability of the storage server’s misbehav-
munication overheads in a round of auditing as well as
ior in PoS related schemes has been discussed in [4], [10]
designing settings. In the table, ESG and ESq respectively
etc. In our scheme, when auditing an outsourced file, both
denote the byte size of group elements in G and Zp . The
the delegation σw and the aggregate metadata σ should
block numbers i ∈ I in a challenge are taken as elements
be validated by the auditor. If the delegation has been
in Zq . For realizing origin auditing on outsourced file, our
tampered with, then it can always be detected by the auditor
scheme should let cloud storage server to keep one more
in an execution of auditing protocol according to Equality
element in G, that is, the first element in the delegation for
(5) and Theorem 2. Furthermore, similarly to the results in
this file, when compared to SW scheme. Also, this additional
[4], if t blocks have been tampered with or deleted by the
element would be sent to the auditor when performing
storage server, then the auditor can detect this misbehavior
Q|I|−1 comprehensive auditing in our scheme.
with probability p = 1 − i=0 r−t−i r−i . Particularly, if t
percent of file blocks have been tampered with, the detection
probability p on the corrupted file is only determined by the 6.3 Experimental Analysis
number of challenged blocks |I|, that is, p ≈ 1 − (1 − t)|I| . In We conducted experiments on our IBDO scheme and the
this case, the auditor can challenge |I| ≈ ln(1 − p)/ ln(1 − t) SW schem using Pairing Based Cryptography (PBC) library
blocks in a round of auditing to achieve detection proba- (http://crypto.stanford.edu/pbc/). All algorithms and pro-
bility p. For example, if the delegation is intact while one tocol were coded using C programming language and con-
percent of blocks are corrupted, then it can be detected with ducted on a system with Intel(R) Core(TM) i5-5200U CPU
probability of 90% and 99% by random choosing 230 and at 2.20GHz and 2.20 GHz and 4.00GB RAM in Windows 8.
460 blocks for auditing in a challenge, respectively. The elliptic curve is of type y 2 = x3 + x with |q| = 160 bits
TABLE 2
Comparison on computation costs of each algorithm in IBDO scheme and SW scheme
Algorithm Costs (at server side) Costs (at client side)

Our IBDO scheme
Setup 2E —
Regst (l + 1)M + 2E + 1H l M + 2 P + 1M T + 1H
Dlgtn (generation) — (` + 1)M + 2E + 1H
Dlgtn (verification) — (l + `)M + 3P + 2MT + 2H
IBDOsc — (rc + r + 1)E + (rc + r)M + rH
(|I| − 1)Aq + 6P + (2l + ` + c + |I| − 1)M
Audit c|I|Mq + c(|I| − 1)Aq + (|I| − 1)M + |I|E
+(|I| + c)E + 2ET + 4MT + (|I| + 3)H
SW scheme in bilinear groups
Processing file — (rc + r)E + rcM + rH
Audit c|I|Mq + c(|I| − 1)Aq + (|I| − 1)M + |I|E 2P + (c + |I| − 1)M + (|I| + c)E + |I|H
TABLE 3
Comparison with SW scheme in bilinear groups
Schemes Storage costs at cloud side Communication costs in auditing Setting Delegation enabled Multi-user
SW scheme |M | + rESG 1ESG + (2|I| + c)ESq Public key ×
√ ×
√
Ours |M | + (r + 1)ESG 2ESG + (2|I| + c)ESq Identity based
and ESG = 256 bits. We set l = 160 and ` = 160. The file of preparing a challenge C since it can be run offline for
sectors are of 160 bits size. sampling a series of random elements. In the experiments,
The performance of generating and verifying a private each file block consists of 100 sectors, which means that
key for some user in Regst, and that of generating and it has around 4KB of size. We consider several cases of
verifying a delegation in Dlgtn are shown in Figure 2. The achieving different detection probability of corruption, i.e.,
time consumed by each of these steps is roughly 10ms, 0.5, · · · , 0.99. The simulation results of Figure 4 demon-
which is negligible for deploying in real-world applications. strate that our IBDO scheme has comparable efficiency as
As discussed in Section 6.2, processing a file using both SW scheme at both sides of the auditor and cloud storage
our scheme and the SW scheme would run a number of server in carrying out the auditing protocol. For example,
exponentiations in group G. In detail, when processing a for realizing 0.9 detection probability, the auditor in both
file of S bytes by splitting into sectors of size ssec , it will schemes can finish in less than 1.2 seconds. Also, in both
create r = dS/(c · ssec )e file blocks. Thus, the number of schemes, the time cost at the auditor side is larger than that
required exponentiations under both schemes for generating at the cloud side, which is consistent with the theoretical
metadata would respectively be analysis shown in Table 2. Note that the former can be
S S shared by several auditors in a multi-auditor setting. That
NIBDO = d e(c+1)+1, and NSW = d e(c+1). is, several auditors can cooperatively audit the same file to
c · ssec c · ssec
achieve a high detection probability of corruption, where
We compare the efficiency of both schemes by letting them each auditor needs only to audit a different part of the
processing a 1MB file, and consider several cases with outsourced file with a low detection probability. Lower de-
different splitting manners, that is, we set c = 100, · · · , 500, tection probability requires smaller amount of computations
respectively. In our experiment setting, ssec = 20 bytes. The so that it would be more efficient for each involved auditor.
experimental results shown in Figure 3 indicate that both
schemes enjoy the same efficiency level in all processing 2.2 2.2
2 IBDO scheme 2 IBDO scheme
cases. This is consistent with above theoretical analysis. 1.8 SW scheme 1.8 SW scheme
Time (seconds)
Time (seconds)
1.6 1.6
1.4 1.4
12 130 1.2 1.2
11 1 1
129 IBDO scheme
10
Time (milliseconds)
0.8 0.8
9 128 SW scheme
0.6 0.6
Time (seconds)
8 127
0.4 0.4
7 126 0.2 0.2
6 125
5 0 0
4 124 0.5 0.6 0.7 0.8 0.9 0.99 0.5 0.6 0.7 0.8 0.9 0.99
3 123 Detection probability of corruption Detection probability of corruption
2 122
1
0
121 (a) Cloud side (b) Auditor side
120
n
rf
vr
100 200 300 400 500

ge
ge
v
ey
el
ey
el
Fig. 4. Performance in a round of (comprehensive) auditing protocol with

D
Sector number per block (c)

K
D
K
different detection probability on a 1% corrupted file

Fig. 2. Performance of Regst and Fig. 3. Performance of process-
Dlgtn ing a 1MB file with different sector
numbers 7 C ONCLUSION
Figure 4 shows the time to audit an outsourced file with In this paper, we investigated proofs of storage in cloud in
1% corruption. We do not take into account the time costs a multi-user setting. We introduced the notion of identity-
based data outsourcing and proposed a secure IBDO [16] H. Wang, Q. Wu, B. Qin, and J. Domingo-Ferrer, “Identity-based
scheme. It allows the file-owner to delegate her outsourcing remote data possession checking in public clouds,” IET Information
Security, vol. 8, no. 2, pp. 114–121, March 2014.
capability to proxies. Only the authorized proxy can process [17] G. Ateniese, R. Di Pietro, L. V. Mancini, and G. Tsudik, “Scalable
and outsource the file on behalf of the file-owner. Both the and Efficient Provable Data Possession,” in Proceedings of the 4th
file origin and file integrity can be verified by a public International Conference on Security and Privacy in Communication
auditor. The identity-based feature and the comprehensive Netowrks. New York, NY, USA: ACM, 2008.
[18] K. Yang and X. Jia, “An efficient and secure dynamic auditing
auditing feature make our scheme advantageous over exist- protocol for data storage in cloud computing,” IEEE Transactions
ing PDP/PoR schemes. Security analyses and experimental on Parallel and Distributed Systems, vol. 24, no. 9, pp. 1717–1726,
results show that the proposed scheme is secure and has Sept 2013.
[19] B. Wang, S. S. M. Chow, M. Li, and H. Li, “Storing Shared Data
comparable performance as the SW scheme. on the Cloud via Security-Mediator,” in Distributed Computing
Systems (ICDCS), 2013 IEEE 33rd International Conference on, pp.
124–133.
ACKNOWLEDGMENT [20] Y. Wang, Q. Wu, D. S. Wong, B. Qin, S. S. M. Chow, Z. Liu,
and X. Tan, “Securely Outsourcing Exponentiations with Single
This paper is supported by the Natural Science Foundation Untrusted Program for Cloud Storage,” in Computer Security–
of China through projects 61672083, 61370190, 61272501, ESORICS 2014, Part I, vol. 8712. Springer, Switzerland, 2014,
61402029, 61472429, 61202465 and 61532021, by the Beijing pp. 326–343.
Natural Science Foundation through project 4132056, by [21] Y. Zhu, H. Hu, G.-J. Ahn, and M. Yu, “Cooperative provable data
possession for integrity verification in multicloud storage,” Parallel
the Guangxi natural science foundation through project and Distributed Systems, IEEE Transactions on, vol. 23, no. 12, pp.
2013GXNSFBB053005. 2231–2244, Dec 2012.
[22] H. Wang, “Identity-based distributed provable data possession
in multicloud storage,” Services Computing, IEEE Transactions on,
R EFERENCES vol. 8, no. 2, pp. 328–340, March 2015.
[23] J. Yu, K. Ren, C. Wang, and V. Varadharajan, “Enabling cloud stor-
[1] D. Song, E. Shi, I. Fischer, and U. Shankar, “Cloud data protection age auditing with key-exposure resistance,” Information Forensics
for the masses,” Computer, IEEE, vol. 45, no. 1, pp. 39–45, Jan 2012. and Security, IEEE Transactions on, vol. 10, no. 6, pp. 1167–1179,
[2] C.-K. Chu, W.-T. Zhu, J. Han, J. Liu, J. Xu, and J. Zhou, “Security June 2015.
concerns in popular cloud storage services,” Pervasive Computing, [24] Y. Wang, Q. Wu, B. Qin, X. Chen, X. Huang, and J. Lou,
IEEE, vol. 12, no. 4, pp. 50–57, Oct 2013. “Ownership-hidden group-oriented proofs of storage from pre-
[3] K. Yang and X. Jia, “Data storage auditing service in cloud com- homomorphic signatures,” Peer-to-Peer Networking and Application-
puting: challenges, methods and opportunities,” World Wide Web, s, pp. 1–17, 2016.
vol. 15, no. 4, pp. 409–428, 2012. [25] T. Jiang, X. Chen, and J. Ma, “Public integrity auditing for shared
[4] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Pe- dynamic cloud data with group user revocation,” IEEE Transac-
terson, and D. Song, “Provable Data Possession at Untrusted tions on Computers, vol. 65, no. 8, pp. 2363–2373, Aug 2016.
Stores,” in Proceedings of the 14th ACM Conference on Computer and [26] X. Fan, G. Yang, Y. Mu, and Y. Yu, “On indistinguishability in
Communications Security. New York, NY, USA: ACM, 2007, pp. remote data integrity checking,” The Computer Journal, vol. 58,
598–609. no. 4, pp. 823–830, 2015.
[5] J. Sun and Y. Fang, “Cross-Domain Data Sharing in Distributed [27] Y. Yu, M. H. Au, Y. Mu, S. Tang, J. Ren, W. Susilo, and L. Dong,
Electronic Health Record Systems,” Parallel and Distributed System- “Enhanced privacy of a remote data integrity-checking protocol
s, IEEE Transactions on, vol. 21, no. 6, pp. 754–764, 2010. for secure cloud storage,” International Journal of Information Secu-
[6] J. Sun, X. Zhu, C. Zhang, and Y. Fang, “HCPP: Cryptography rity, vol. 14, no. 4, pp. 307–318, 2015.
based Secure EHR System for Patient Privacy and Emergency [28] Y. Yu, M. H. A. Au, G. Ateniese, X. Huang, W. Susilo, Y. Dai, and
Healthcare,” in Distributed Computing Systems (ICDCS), 2011 IEEE G. Min, “Identity-based remote data integrity checking with per-
31st International Conference on. IEEE, 2011, pp. 373–382. fect data privacy preserving for cloud storage,” IEEE Transactions
[7] L. Guo, C. Zhang, J. Sun, and Y. Fang, “PAAS: A Privacy- on Information Forensics and Security, 2016.
Preserving Attribute-Based Authentication System for eHealth [29] J. Zhang and Q. Dong, “Efficient id-based public auditing for
Networks,” in Distributed Computing Systems (ICDCS), 2012 IEEE the outsourced data in cloud storage,” Information Sciences, vol.
32nd International Conference on. IEEE, 2012, pp. 224–233. 343344, pp. 1–14, 2016.
[8] A. Juels and B. S. Kaliski, Jr., “PoRs: Proofs of Retrievability for [30] Y. Zhang, C. Xu, S. Yu, H. Li, and X. Zhang, “SCLPV: Secure
Large Files,” in Proceedings of the 14th ACM Conference on Computer Certificateless Public Verification for Cloud-Based Cyber-Physical-
and Communications Security, New York, NY, USA, 2007, pp. 584– Social Systems Against Malicious Auditors,” IEEE Transactions on
597. Computational Social Systems, vol. 2, no. 4, pp. 159–170, Dec 2015.
[9] H. Shacham and B. Waters, “Compact proofs of retrievability,” [31] K. D. Bowers, A. Juels, and A. Oprea, “HAIL: A High-availability
Journal of Cryptology, vol. 26, no. 3, pp. 442–483, 2013. and Integrity Layer for Cloud Storage,” in Proceedings of the 16th
[10] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy- ACM Conference on Computer and Communications Security. New
Preserving Public Auditing for Secure Cloud Storage,” Computers, York, NY, USA: ACM, 2009, pp. 187–198.
IEEE Transactions on, vol. 62, no. 2, pp. 362–275, 2013. [32] K. G. Paterson and J. C. N. Schuldt, “Efficient Identity-Based
[11] B. Wang, B. Li, and H. Li, “Panda: Public auditing for shared data Signatures Secure in the Standard Model,” in Information Security
with efficient user revocation in the cloud,” IEEE Transactions on and Privacy, ser. LNCS, L. Batten and R. Safavi-Naini, Eds., vol.
Services Computing, vol. 8, no. 1, pp. 92–106, 2015. 4058. Springer, Heidelberg, 2006, pp. 207–222.
[12] F. Chen, T. Xiang, Y. Yang, and S. S. M. Chow, “Secure cloud [33] D. Boneh, B. Lynn, and H. Shacham, “Short Signatures from the
storage meets with secure network coding,” IEEE Transactions on Weil Pairing,” in Advances in Cryptology–ASIACRYPT 2001, vol.
Computers, vol. 65, no. 6, pp. 1936–1948, June 2016. 2248. Springer, Heidelberg, 2001, pp. 514–532.
[13] H. Wang, “Proxy Provable Data Possession in Public Clouds,” [34] B. Waters, “Efficient identity-based encryption without random
Services Computing, IEEE Transactions on, vol. 6, no. 4, pp. 551–559, oracles,” in Advances in Cryptology–EUROCRYPT 2005, ser. LNCS,
2013. R. Cramer, Ed. Springer Berlin Heidelberg, 2005, vol. 3494, pp.
[14] S.-T. Shen and W.-G. Tzeng, “Delegable provable data possession 114–127.
for remote data in the clouds,” in Information and Communications
Security, ser. LNCS, S. Qing, W. Susilo, G. Wang, and D. Liu, Eds.
Springer Berlin Heidelberg, 2011, vol. 7043, pp. 93–111.
[15] F. Armknecht, J.-M. Bohli, G. O. Karame, Z. Liu, and C. A. Reuter,
“Outsourced proofs of retrievability,” in Proceedings of the 2014
ACM SIGSAC Conference on Computer and Communications Security,
ser. CCS’14. New York, NY, USA: ACM, 2014, pp. 831–843.
Yujue Wang received the Ph.D. degrees from Robert H. Deng has been a Professor at the
the Wuhan University, Wuhan, China, and City School of Information Systems, Singapore Man-
University of Hong Kong, Hong Kong, under the agement University since 2004. Prior to this, he
joint Ph.D. program, in 2015. He is currently was Principal Scientist and Manager of Infocom-
a Research Fellow with the School of Informa- m Security Department, Institute for Infocom-
tion Systems, Singapore Management Universi- m Research, Singapore. His research interest-
ty. His research interests include applied cryp- s include data security and privacy, multimedia
tography, database security and cloud comput- security, network and system security. He has
ing security. served on the editorial boards of many interna-
tional journals including IEEE Transactions on
Information Forensics and Security, IEEE Trans-
actions on Dependable and Secure Computing, Journal of Computer
Science and Technology (the Chinese Academy of Sciences) and In-
ternational Journal of Information Security. He is currently the chair
of the steering committee of the ACM Asia Conference on Computer
and Communications Security (AsiaCCS). He received the University
Outstanding Researcher Award from the National University of Singa-
pore in 1999 and the Lee Kuan Yew Fellow for Research Excellence
Qianhong Wu received his Ph.D. in Cryptog- from the Singapore Management University in 2006. He was named
raphy from Xidian University in 2004. Since Community Service Star and Showcased Senior Information Security
then, he has been with Wollongong Universi- Professional by (ISC)2 under its Asia-Pacific Information Security Lead-
ty (Australia) as an associate research fellow, ership Achievements program in 2010.
with Wuhan University (China) as an associate
professor, and with Universitat Rovira i Virgili
(Spain) as a research director. He is current-
ly a professor in Beihang University in China.
His research interests include cryptography, in-
formation security and privacy, VANET security
and cloud computing security. He has been a
holder/co-holder of 8 China/Australia/Spain funded projects. He has
authored more than 20 patents and over 120 publications in leading
journals and conferences. He has served in the program committee of
several international conferences in information security and privacy. He
is a member of IACR and IEEE.
Jiankun Hu received the Ph.D. degree in control

engineering from the Harbin Institute of Technol-
ogy, China, in 1993, and the master’s degree
Bo Qin received her Ph.D. degree in Cryptog- in computer science and software engineering
raphy from Xidian University in 2008 in China. from Monash University, Australia, in 2000. He
Since then, she has been with Xi’an University was a Research Fellow with the Delft University
of Technology (China) as a lecturer and with of Technology, The Netherlands, from 1997 to
Universitat Rovira i Virgili (Catalonia) as a post- 1998, and Melbourne University, Australia, from
doctoral researcher. She is currently a lecturer in 1998 to 1999. He has been with Ruhr University,
the Renmin University in China. Her research in- Bochum, Germany. He is currently a full Profes-
terests include pairing-based cryptography, data sor and Research Director of the Cyber Security
security and privacy, and VANET security. She Laboratory with the School of Engineering and Information Technology,
has been a holder/co-holder of 5 China/Spain University of New South Wales, Australia. He received the prestigious
funded projects. She has authored over 80 pub- German Alexander von Humboldt Fellowship from Ruhr University from
lications in well-recognized journals and conferences and served in 1995 to 1996. His main research interest is in the field of cyber security,
the program committee of a number of international conferences in including biometrics security, where he has published many papers in
information security. high-quality conferences and journals, including the IEEE Transactions
on pattern analysis and machine intelligence. He has received seven
Australian Research Council (ARC) Grants, and serves at the presti-
gious Panel of Mathematics, Information and Computing Sciences and
the ARC Excellence in Research for Australia Evaluation Committee. He
has served on the Editorial Board of up to seven international journals
including IEEE Transactions on Information Forensics and Security, and
served as the Security Symposium Chair of the IEEE ICC and the IEEE
Wenchang Shi received his Bachelor from Globecom.
Peking University, Master and Ph.D. from Chi-
nese Academy of Science. He is now a ful-
l professor of Renmin University of China and
an adjunct professor of Institute of Information
Engineering, Chinese Academy of Sciences. His
research interests include information system
security and operation system security. He has
published over 100 publications in these areas
and authored more than 10 patents.

Identity-Based Data Outsourcing With Comprehensive Auditing in Clouds PDF

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Identity-Based Data Outsourcing With Comprehensive Auditing in Clouds PDF

Загружено:

Авторское право:

Доступные форматы

This article has been accepted for publication in a future issue of this journal, but has not been

Identity-Based Data Outsourcing with

C LOUD platform provides powerful storage services to

which simultaneously protects against collusion attacks by ĺ

j=1 view, that is, they are computationally indistinguishable

adversary outputs a proof that satisfies verification equation and

manner. For the queries of the form H3 (W kf idki),

1 ≤ j ≤ c} are different from the expected ones 6.2 Theoretical Analysis

Algorithm Costs (at server side) Costs (at client side)

100 200 300 400 500

Fig. 4. Performance in a round of (comprehensive) auditing protocol with

Sector number per block (c)

different detection probability on a 1% corrupted file

Jiankun Hu received the Ph.D. degree in control

Вам также может понравиться