anefficientintegrityverificationandauthentication...

Research ArticleAn Efficient Integrity Verification and AuthenticationScheme over the Remote Data in the Public Clouds forMobile Users

S Milton Ganesh 1 and S P Manikandan2

1Department of Computer Science and Engineering University College of Engineering Tindivanam Tindivanam 604001Tamilnadu India2Department of Computer Science and Engineering Jerusalem College of Engineering Chennai 600100 Tamilnadu India

Correspondence should be addressed to S Milton Ganesh softengineermiltongmailcom

Received 23 October 2019 Revised 14 February 2020 Accepted 13 March 2020 Published 5 May 2020

Academic Editor Cristina Alcaraz

Copyright copy 2020 SMilton Ganesh and S PManikandanis is an open access article distributed under the Creative CommonsAttribution License which permits unrestricted use distribution and reproduction in anymedium provided the original work isproperly cited

e digitalization of themodern world and its applications seem to be integratedmore with themobile phones than with any othercommunication devices Since the mobile phones have become ubiquitous with applications for nearly all users they have becomea preferred choice for uploading the sensitive information to the cloud serversough the drive for data storage in cloud servers isimplicit due to its pay-per-use policies the manipulation of the data present in the cloud servers by hackers and hardware failureincidents as happened in Amazon cloud servers in 2011 necessitates the demand for data verification at regular intervals over thedata stored in the remote servers In this line modern day researchers have proposedmany novel schemes for ensuring the remotedata integrity but they suffer from attacks or overheads due to computation and communication is research paper providessolutions in three dimensions Firstly a novel scheme is introduced to verify the integrity of the data stored in the remote cloudservers in the context of mobile userse second dimension is that of reducing the computational and communication overheadsduring the auditing process than the previous works e third dimension securely authenticates the mobile user during theauditing process and the dynamic data operations such as block modification insertion and deletion Moreover the proposedprotocol is provably secure exhibiting soundness completeness and data privacy making it an ideal scheme for implementation inthe real-world applications

1 Introduction

e modern world which is getting more and more digitaleveryday has mandated the need for data outsourcing to cloudservers through the mobile phones of individual users tocorporate offices [1 2] Applications like Google Drive GoogleApp Engine OneDrive from Microsoft Google Picasa AdobeCloud Oracle Cloud Dropbox Facebook and other suchapplications have made an implicitly compelling scenarioranging from layman to the highly resourceful technocrats tomake use of the cloud for data storage Hence in this digitalworld a person who possesses a mobile phone views this vastworld as just a small global village where he has access to anyinformation through Internet and cloud storage

At the same time cloud storage has its inherent benefitsin terms of elasticity reliability pay-per-use model andtraffic adjustability during upload download and othersituations [3] In such a context the mobile users whopossess powerful processors and random access memory forprocessing the data need not store the data in their localstorage Once the data is uploaded to the cloud storage theymay be relieved of the burden from maintaining it But thisflexible data storage comes with its own inherent disad-vantages also as cited in the work [4] Newer kinds of attackson the data storage including the cloud servers have becomeapparent nowadays If the sensitive data is captured by thehackers they can use it for mining business patterns usagepatterns which might indeed pave the way for the loss to the

HindawiSecurity and Communication NetworksVolume 2020 Article ID 9809874 13 pageshttpsdoiorg10115520209809874

actual data owners Even the cloud servers may try to hidethe fact of data server crashes which will lead to permanentdata loss to the data owners

In order to enable the verification process first the usersplits the large file to be uploaded into smaller units calledfile blocks e user uploads all the blocks to the remotestorage area like cloud servers Later if the user wants toverify the integrity of the uploaded file he can do so bymaking use of some cryptographically verifiable procedure[5ndash7]

Similarly to ensure the data verifiability in the cloudservers multiple schemes have been proposed by authors intheir past literatures In one such scenario cloud serverswere vested with the responsibility of computing the proof ofverification based on all of the blocks stored in the cloudstorage [8 9] In such cases if the cloud server had to do thiscomputationally intensive work for hundreds of users si-multaneously it may incur a huge computational overheadOn the contrary authors like Juels and Kalisi in 2007 [10]claimed that the audit task must be done at the cloud userrsquosside is method will not suit the users who work withcomputationally constrained battery powered mobilephones

A pioneering attempt by Ateniese et al [11] in 2008claimed that a user who wants to audit the file integrity neednot access the entire file stored in the cloud and also theuser can delegate the audit task to a third party Some worksin this line delegated the verification rights to other partiessuch as trusted third parties or other such entities In theworks proposed [12ndash14] a patient who undergoes a treat-ment from a doctor makes use of electronic health recordsstored in the cloud storage and also allows the doctor tocreate the records and store them in the remote storage onbehalf of the patient A recent work proposed by Yu et al in2017 [15] seems to be a worthwhile protocol with publicauditing capability with efficient computational and storageoverheads Many verifiable schemes have been proposed byChen et al in 2019 [16] Peng et al in 2019 [17] Fujisaki andOkamoto in 1998 [18] Patra et al in 2015 [19] and others

Hence a research work should be able to authenticate alegitimate mobile user during the audit response phase Inthis regard each mobile user should store a unique au-thentication parameter in the cloud server before sendingany audit request Hence during audit response the cloudserver is able to successfully authenticate only the legitimateusers and able to identify the intruders to abort their auditrequests

One essential fact to be considered during the protocoldesign is to make it certain that the utmost security with lesscomputational necessity and the robustness of the protocolmust be resistant to attackers and hackers us thoughthere are multiple methods of ascertaining the integrity ofthe stored file blocks in the cloud servers each methodsuffers from one of the problems such as computationalburden of cloud servers or data owners or reliability of theverification procedure by third parties done on behalf of thecloud users lack of authentication procedures for the cloudservers and cloud users In this research work a novelmethod which will avoid the above shortcomings for

verification of data stored in the remote servers has beenproposed to enable the user who uploads the file to verify theintegrity of the same as well

Unless the data stored in the remote locations are ver-ified thoroughly to the satisfaction of the user with respect tothe security assurance computational and communica-tional capabilities not only these schemes are prone toattacks but also they would be nonoperational for practicaluse by the mobile user community which constitutes a largerportion of the Internet users Based on the necessity toaddress these issues the contributions of this research workcan be highlighted as follows

11 Contributions of ampis Research Work

(i) A novel scheme to verify the integrity of the remotedata and to authenticate the mobile user during theintegrity auditing process is introduced

(ii) e presence of the authentication procedure pre-vents eavesdroppers and hackers from intrudinginto the system

(iii) e proposed work is resistant to attacks andcomputationally more efficient than the previousworks

(iv) e presence of valid proofs for completenesssoundness and perfect data privacy makes this avital contribution for real-world data audits in cloud

12Organization ofampisResearchWork e organization ofthis research manuscript is as follows Section 2 incorporatesthe much needed recent and old literary works pertaining tothe works proposed for remote data integrity verificationand showcases the need for the improvements in themSection 3 provides a quick review of the preliminaries and asuitable architecture of the protocol proposed in this re-search work is in Section 4 e subsequent section showsthe construction of the proposed protocol with its novelprocedures for data integrity verification processes for filesand support for data dynamic operations Section 6 analysesthis work in terms of its correctness soundness and dataprivacy during the audit process In Section 7 the imple-mentation results of the protocol are compared with variousschemes and the results are tabulated Section 8 concludesthis research work

2 Literature Survey

Latest advancements such as Internet-of-ings (IoT) fogcomputing digital transaction with blockchain-based se-curity assurance smart cities cloud computing and othersuch technologies enable a mobile user to upload sensitiveinformation to the cloud servers for future processing Manyworthwhile schemes have been put forward by researchersand students of various institutions to ensure the correctpossession of data stored in the cloud servers

Wang et al in 2010 [20] introduced a similar scheme forthe proposal of the efficient auditing framework withoutrequiring the user to maintain a local copy of the data

2 Security and Communication Networks

uploaded to the cloud server is work is resistant to theattacks from the auditor and supports integrity verificationfor multiple users at the same time A scheme proposed byZhu et al in 2012 [21] enabled the clients to store the files inmultiple cloud servers and introduced a scalable integrityverification service with reduced computational and com-munication complexities based on homomorphic proce-dures and indexing hierarchies

A worthwhile contribution from Zhu et al in 2013 [22]attempts to verify the data integrity of the files stored in thecloud servers by making use of fragment structure hashtable indexes and probabilistic query-based auditing ser-vices for frequent verification processes ough this work isa novel one of its kind it lacks the proper authentication ofthe user during the data dynamic operations and incursrelatively significant computational overhead during theintegrity verification process A work on identity-basedremote data integrity verification scheme proposed by Yangand Jia [23] in 2013 provides support for both static anddynamic data operations In this case the third-party auditorefficiently does the integrity verification of the data stored inthe cloud and provision has been made for doing batchintegrity verification operations for multiple data ownersand multiple cloud servers at the same time But this workdoes not authenticate the third-party auditor who verifiesthe integrity of the data

Huang et al in 2014 [24] allowed a third-party verifi-cation by utilizing the service of semitrusted TPAs In thisscheme the TPA is assumed to be partially trusted and adata owner verifies the proof handed to the TPA by the cloudserver Another work proposed by Wang et al [25] in 2014was based on the identity-based verification scheme whichavoided the complex public key infrastructure based oncomplex certification process Similarly Yu et al in 2015 [26]proposed a protocol for the public verification using alge-braic signatures of data which prevented the replay anddeletion attacks

Another scheme by Liu et al [27] in 2017 introduced alattice-based scheme which is free from certificate verifi-cation processes and escapes the quantum computer attackswhile ensuring data privacy against the third-party auditorey have successfully verified the integrity of the storeddata in the cloud without making use of the costly certifi-cation process e scheme is resistant to the attacks posedby the cloud serverough this work is a commendable oneit lacks user authentication during the verificationprocedure

A recent work by Ren et al [28] in 2018 makes use ofrb23Tree to prevent the cloud servers from manipulatingsome of the sensitive data and escaping from the integrityverification procedure Luo et al in 2018 [29] proposed anefficient scheme using BLS short signatures which preservethe user privacy incurring only less computational andcommunication complexities A very useful recent researchwork which involves the verification of the integrity audit ofcloud data was proposed by Yan et al in 2019 [30] isefficient scheme preserves user privacy along with datablindness at a much less computational cost A well-acclaimed work by He et al in 2015 [31] preserves

conditional privacy and ensures authentication in wirelessenvironments Also a notable work from Zhang et al in2019 [32] preserves the privacy without using bilinearpairings

21Gaps in theLiteratureSurvey Some of the gaps identifiedinclude lack of authentication protocols being susceptible toattacks and more computational complexity among otherse lack of authentication may help attackers masquerade inthe verification process

Objectives of the proposed research work are as follows

(1) To invent a novel algorithm for the remote dataintegrity verification process which is free fromattacks

(2) To invent a computationally efficient algorithm forenabling remote data integrity verification over thedata stored in the cloud servers

(3) To introduce a secure authentication scheme toauthenticate the mobile users during the secret keygeneration

(4) To enable secure authentication for the challengeresponse procedure during the integrity verificationprocess

(5) To support dynamic data operations such as mod-ification deletion and insertion on blocks of the filesstored in the remote cloud storage

(6) To ensure perfect data privacy from the third-partyauditor (TPA) and thereby allowing him only to dothe verification process without gaining any infor-mation of the file stored in the cloud server

3 Preliminaries for the Proposed Work

31 Properties of Bilinear Pairing Let us assume that G1 andG2 represent two multiplicative cyclic groups whose order isq and g be the generator of G1 Now the bilinear mape G1 times G1⟶ G2 represents the bilinear pairing if the mapexhibits the following three properties

(1) e bilinear property of e(Px Qy) e(P Q)xy for allP Q ϵG1 and x y ϵZlowastq

(2) e nondegeneracy property of e(g g)ne 1 where g isa generator of G1

(3) e bilinear pairing function e(P Q) is computableusing an efficient algorithm

32 Notations e notable notations used in this researchwork are presented in Table 1

4 Architecture of the Proposed System

e architecture of the proposed system is shown in Fig-ure 1 and it can be better understood through the followingsteps e system manager initializes the system en thethird-party auditor registers itself with the system manageren a mobile user who wants to upload data to the cloud

Security and Communication Networks 3

server registers with the system manager which in turnuploads the unique parameters of the mobile users to thecloud which enables user authentication during audit re-sponse Apart from this the system manager sends a pa-rameter composed of its master secret which enables themobile user compute its own secret key Now a mobile userwho wants to do audit of its data sends an audit request tothe third-party auditor Accordingly the third-party auditorcreates an audit challenge and sends it to the cloud server Ifthe user authentication is successful the cloud server gen-erates an audit response which is verified by the third-partyauditor and the verification status is sent to the mobile userwho initiated the audit request Besides if a data ownerwishes to update modify or remove any block of datauploaded to the cloud it can be achieved as well throughdynamic data operations

e proposed system consists of four major entities such asdata owner who is the mobile user the cloud server (CS) thesystem manager (SM) and the third-party auditor (TPA)

41 Data Owner ey are the mobile users who want toupload the sensitive files to the cloud storage due to lack of

local storage and maintenance capabilities At regular in-tervals they will ensure the integrity of the remote data bysending auditing requests to the CS through the TPAMoreover the mobile user can modify delete or insertblocks of a file in the CS which was previously uploaded by it

42 System Manager It is the entity which initializes thesystem and is responsible for generating the secret key to themobile user and the TPA for verification purposes isentity also uploads authentication parameters of mobileusers to the cloud server to enable secure authentication ofthe mobile users by the cloud servers

43CloudServer It represents the computer farms with vastpotential for data storage sold in pay-per-use cost models Itis where the huge files which are divided into individualblocks of the mobile users are stored with provisions forintegrity verification e files along with their corre-sponding tags are stored to enable the auditing of theoutsourced data of mobile users and authentication ofmobile users During the audit process by the TPA the CS

Table 1 Important notations and their meanings

Sl no Notation Meaning1 G1 G2 Multiplicative cyclic groups of order q

2 g Generator of the cyclic group G13 e( ) e bilinear map4 P G Y Points in the group G1 in which P Y are public and G is kept secret by the system manager5 α A random element from Zlowastq kept as a secret by the system manager6 IDi Identity of the mobile user i

7 ni Public key of the mobile user i

8 MUi Mobile user i

9 xi A random element from Zlowastq kept as a secret by mobile user i

10 EncniAsymmetric encryption function with the key ni

11 mi ith block of file F

12 σi Tag of the ith block of file F

System manger1 System initialization

3 Mobile user registration

4 Uplo

ad au

thenti

catio

n para

meters

2 TPA registration

5 Secret key generation

Data owner

Cloud server

Third-party auditor9 Integrity verification

7 A

udit

chal

leng

e 8 Audit proof

11 Dynamic data operations

5 Upload file tags

6 Audit request10 Audit response

Figure 1 Architecture of the proposed research work


receives a challenge from the TPA and accordingly sends aresponse back to the TPA to enable integrity verification

44 ampird-Party Auditor It is the entity which does theauditing work on behalf of the mobile user e TPA receivesan auditing request from the mobile user and creates anauditing challenge based on some secret parameters and sendsit to the CS for the authentication of the mobile user and thedata integrity verification e CS creates the correspondingaudit response and sends it to the TPA Now the TPA verifieswhether the received response is a genuine one or not Ifsuccessfully verified this entity sends the auditing response tothe mobile user At regular intervals they will assure theintegrity of the remote data through auditing requests

5 The Proposed Scheme

51 Initializationof the System e SM initializes the systemby selecting two multiplicative cyclic groups whose order isq and the bilinear map is defined by

e G1 times G1⟶ G2 (1)

It selects a hash function H to produce the messagedigest and randomly selects an integer α ϵZlowastq and the pointsP G ϵG1 It computes

Y Gα (2)

Now the SM publishes the parameters of the systemsuch as G1 G2 q e P Y andH e parameters α and G

are kept as a secret by the SM

52 Mobile User Registration in the System is phaseconsists of the following steps between the mobile user MUi

and the system manager SM e MUi sends IDi ni to SMHere IDi refers to the identity of MUi and ni refers to thepublic key to MUi e SM in turn computes

X e Pα G

ni middotH IDi( )1113874 1113875 (3)

A ni middot X (4)

It sends the computed values X and A to the mobile userMUi Now the MUi computes

D ni middot e(P Y)nimiddotH IDi( ) (5)

and verifies whether D A as followsD ni middot e(P Y)

nimiddotH IDi( )

ni middot e P Gα

( 1113857ni middotH IDi( )

ni middot e(P G)αmiddotni middotH IDi( )

ni middot e Pα G

nimiddotH IDi( )1113874 1113875

ni middot X

A

(6)

If successfully verified MUi ascertains that it has finishedits registration with SMwhile sharing its public key with SMAlso SM stores ni A of the user in its local storage By nowMUi and the SM have identified each other is phaseavoids any attacks posed by the attackers during the keygeneration file upload and integrity verification processesSimilarly the TPA registers itself with the SM by sending itsidentity IDtpa and its public key ntpa us the TPA and theSM identify each other as well

53 SystemManager Generating the Secret Key for the MobileUser In this phase the mobile user MUi after successfulregistration makes a conversation with the SM in order togenerate an exclusive secret key pertaining to this mobile user

(1) eMUi selects xi at random from Zlowastq and computesPxi It sends ni ni middot A IDi Pxi to SM as depicted inFigure 2

(2) e SM on receiving the parameters retrieves thevalue of A based on the identity IDi from its localstorage It computes ni middot A and checks whether it isthe same as the received value If not verifiedZ e(P G) and then the operation aborts If ver-ified it selects β at random from Zlowastq and computes

K1 e Pxi G

(β(α+β))1113872 1113873 (7)

K2 P(1α+β)

(8)

Z e(P G) (9)

Now the SM sends Encni(IDi K1 K2 Z) to the mobile

user MUi Besides the SM updates the authenticationtable as cited in Table 2 with the identity IDi and thecorresponding parameter Pxi of the MUie system manager SM at the end of each day up-loads this authentication table along with the signaturefor the authentication details to the cloud server CSe system manager computes the signature ase(Pαmiddoth1 GH(IDcs)) where h1 refers to the hash of thedetails in the authentication table and IDcs refers to theidentity of the cloud servere cloud server verifies thereceived data by checking whether

e Pαmiddoth1 G

H IDcs( )1113874 1113875

e Ph2 Y

H IDcs( )1113874 1113875 (10)

In equation (10) h2 refers to the hash value pertainingto the authentication table as received by the cloudserver given in Table 2 Hence the proof for thisequation is

e Ph2 Y

H IDcs( )1113874 1113875 e Ph2 G

αmiddotH IDcs( )1113874 1113875

e Ph2 G

H IDcs( )1113874 1113875α

e Pαmiddoth2 G

H IDcs( )1113874 1113875

(11)


erefore if the received hash value h1 and thecomputed hash value h2 are the same the equatione(Pαmiddoth2 GH(IDcs)) e(Pαmiddoth1 GH(IDcs)) becomes validwhich ascertains that the received authenticationtable is completely intact

(3) MUi on receiving the encrypted messageEncni

(IDi K1 K2 Z) decrypts it using its corre-sponding private key (using a suitable algorithm likeRSA) and gets the parameters such as IDi K1 K2 ZSince this message is confidential it avoids any man-in-the-middle attack or other such attacks during itstransit from the SM to MUi

(4) Now the mobile user MUi computes the secret keyK3 as follows

K3 e K2 Y( 1113857xi middot K1

e P(1(α+β))

Gα

1113872 1113873xi

middot e Pxi G

(β(α+β))1113872 1113873

e P(1(α+β))

Gα

1113872 1113873xi

middot e(P G)xi middotβ(α+β)( )

e(P G)(1(α+β))middotαmiddotxi middot e(P G)

xi middotβ(α+β)( )

e(P G)αmiddotxi(α+β)( ) middot e(P G)


e(P G)αmiddotxi( )(α+β)( )+ ximiddotβ( )(α+β)( )

e(P G)xi((α+β)(α+β))

e(P G)xi

(12)

(5) Besides the mobile user MUi authenticates thesystem manager SM by verifying whether

K3 Zxi (13)

Since the value of Z can be known only to the SM thisverification procedure successfully authenticates the SM tothe mobile user MUi

54 Tag Generation and File Upload by the Mobile UserLet us assume that the mobile user MUi wants to upload asensitive file F to the public cloud server CS To store the filewithout any integrity breach in the middle and in order to beable to ascertain the genuineness of the file later the mobileuser MUi performs the following steps

(1) MUi divides the file F into n blocks Let us assumethat m1 m2 m3 mn refer to the individual blocksof that file

(2) It randomly selects c ϵZlowastq to be used in the remoteintegrity verification process

(3) It takes each block mi and computes the corre-sponding block tag σi as

σi Zcmiddotxi middot Z

cmiddotmi

e(P G)cmiddotxi middot e(P G)

cmiddotmi

e(P G)cmiddotxi+cmiddotmi

e(P G)xi+mi( )middotc

(14)

(4) emobile user MUi stores all the blocks of the file F

along with the corresponding tags σi1113864 1113865iϵn of thoseblocks in the cloud server where σi refers to theblock tag of the corresponding block mi

(5) Finally MUi deletes its local copy of the file F fromits local storage

Mobile user System manger

1 Selects xiisinZlowastq

2 Computes Pxi

6 Receives IDi K1 K2 Z

7 ComputesK3 = e(K2 Y)xiK1

and gets K3 = e(P G)xi

5 Uploads user authenticationtable to CS

3 Selects βisinZlowastq

4 Computes

K1 = e(Pxi Gβα+β)

K2 = P1α+β

Z = e(P G)

ni niA IDi Pxi

Encni (IDi K1 K2 Z)

Figure 2 System manager generating the secret key for the mobile user

Table 2 Mobile user authentication table

Identity of the mobile user ParameterID1 Px1

ID2 Px2

IDi Pxi


55 RDIC Challenge by the ampird-Party Auditor After acertain interval the mobile user MUi wants to verify theintegrity of the file F which is stored in the public cloud Inorder to verify the integrity MUi requests SM to send thepublic key to the TPA and gets it Now MUi sends theparameters IDi Z xi ni c to the TPA asEncntpa

(IDi Z xi ni c) where ntpa is the public key of theTPA Subsequently TPA creates a challenge as follows basedon the few randomly selected file blocks

(1) e TPA selects a random integer vi ϵZlowastq for each ofthe random selected block to be verified

(2) In order to identify the mobile user MUi to the cloudserver CS and to avoid the man-in-the-middle attackand other possible attacks the TPA computes theparameter E1 as follows

E1 Zxi middotnimiddotH IDi( ) middot e(P Y)

xi

e(P G)ximiddotni middotH IDi( ) middot e(P Y)

xi

e(P G)ximiddotni middotH IDi( ) middot e P G

α( 1113857

xi

e(P G)ximiddotni middotH IDi( ) middot e(P G)

αmiddotxi

e(P G)ximiddotni middotH IDi( )+αmiddotxi

(15)

(3) Also the TPA computes E2 [e(P G)xi ]ni in whichni is the public key of MUi and xi refers to the secretparameter of MUi

(4) Now the TPA creates the challenge based on thecorresponding block numbers and the randomlygenerated integers for those blocks aschal (i vi)1113864 1113865iϵI For example consider the case of(5 v5) where 5 refers to block number 5 and v5refers to the corresponding integer which was ran-domly chosen by the TPA

(5) At last the TPA sends E1 E2 IDi chal to the cloudserver CS

56 RDIC Response by the Cloud Server Upon receiving thechallenge from the TPA the cloud server creates the re-sponse as follows

(1) Firstly the CS authenticates the MUi by checkingwhether the equation

EH IDi( )2 middot e P

xi Y( 1113857

E1 (16)

holds true or not Here Pxi refers to the parametercorresponding to the mobile user MUi which is presentin the user authentication table e proof for theequation can be understood as follows


xi Y( 1113857

e(P G)ximiddotni middotH IDi( ) middot e P

xi Gα

( 1113857


xi middotα

e(P G)ximiddotni middotH IDi( )+ximiddotα

E1

(17)

at is the verification of


xi Y( 1113857 E1 (18)

enables the cloud server to authenticate the mobileuser If the authentication is not successful the CSaborts the integrity verification process

(2) It computes the parameter

μ 1113944iϵI

mi middot vi (19)

(3) It also computes

σ 1113945iϵI

σvi

i (20)

(4) Sends μ σ to the TPA who is waiting for theresponse

57 Integrity Verification by the ampird-Party Auditor Toverify whether the file uploaded long back was kept intact bythe cloud server the TPA does the integrity verification as

σ

1113945iisinI

Zxi middotvi middotc middot Z

cmiddotμ (21)

is proof for the above equation ascertains the fact thatthe individual blocks of the file F which is stored in theremote server is kept intact by the cloud server e overallinteraction between the TPA and the CS during the auditingprocess is depicted in Figure 3

58 Data Dynamic Operations Under some circumstancesthe information stored in a sensitive file may need to bemodified or inserted or deletedis research work strives toensure the same with secure authentication procedure asfollows

For the file blockmodification operation the mobile userwants to replace the block mi of the file F with mlowasti

(1) e mobile user MUi finds that the ith block mi of thefile F needs to be replaced by mlowasti in the cloud serverHence it computes the corresponding block tag forthe block mlowasti as

σ lowasti e(P G)xi+mlowast

i( )middotc (22)

(2) Now the mobile user MUi computesE1 e(P G)ximiddotni middotH(IDi)+αmiddotxi and E2 [e(P G)xi ]ni asin the challenge generation process

(3) MUi sends the parameters(DO IDi i mlowasti σ lowasti E1 E2) to the cloud server inwhich DO refers to the file block modification op-eration i refers to the ith block which is to beupdatedmlowasti refers to the new block which is going toreplace the old block mi and σ lowasti refers to the block tagof the new block mlowasti


(4) e CS upon receiving the parameters(DO IDi i mlowasti σ lowasti E1 E2)from MUi tries to au-thenticate MUi as E

H(IDi)2 middot e(Pxi Y)

E1

at is


xi Y( 1113857

e(P G)xi middotni middotH IDi( ) middot e P

xi Gα

( 1113857

e(P G)xi middotni middotH IDi( ) middot e(P G)

ximiddotα

e(P G)xi middotni middotH IDi( )+xi middotα

E1

(23)

(5) If the authentication of MUi is successful CS re-places the old block mi with mlowasti and hence the file F

becomes m1 miminus1mlowasti mi+1 mn Also it updates

the corresponding tags of the file asσ1 σiminus1σ lowasti σi+1 σn

To delete a block mi of the file F the mobile user per-forms the following steps

(1) As in block modification operation MUi sends theparameters (DO IDi i mi σ lowasti E1 E2) to the cloudserver where DO refers to the block deletion operation

(2) e CS upon receiving the parameters (IDi i mi

σ lowasti E1 E2) from MUi tries to authenticate MUi asE


E1and verifies whether the re-

ceived signature σ lowasti matches with σi of the block mi

which is to be deleted(3) If both authentication ofMUi and tag verification are

successful CS deletes the block mi from its storagespace and hence the file F shall exist as m1 miminus1mi+1 mn and the corresponding signatures areσ1 σiminus1σi+1 σn

To insert a new file block mi+1 for the file F MUi

performs the following steps

(1) MUi sends the parameters (DO IDi i mi+1

σi+1 E1 E2) to the CS in which DO refers to the blockinsertion operation

(2) e CS upon receiving the parameters (DO IDi

i mi+1 σi+1 E1 E2)from MUi tries toauthenticateMUi as E


E1

(3) If the authentication is successful CS inserts theblock mi+1 into its storage space and hence the file F

shall exist as m1 miminus1mimi+1 mn and thecorresponding signatures are σ1 σiminus1σiσi+1 σn

6 Security Analysis of the Proposed Work

A remote integrity protocol is assumed to be secure if itexhibits the properties such as completeness soundness anddata privacy is section analyses the proposed protocolwith regard to these essential properties

Theorem 1 (completeness) ampe integrity verification doneby the TPA after receiving the audit response is based on avalid proof

Proof In this research work 1113937iϵIZxi middotvi middotc middot Zcmiddotμ σ as shown

during the integrity verification process by the TPA ensuresthe completeness of the proposed RDIC protocol e prooffor this equation can be given as follows

1113945iϵI

Zximiddotvimiddotc middot Z

cmiddotμ

1113945iϵI

e(P G)xi middotvi middotc middot e(P G)

cmiddotΣiϵI mimiddotvi

1113945iϵI

e(P G)xi middotvi middotc middot 1113945

iϵIe(P G)

cmiddotmimiddotvi

1113945iϵI


cmiddotmi middotvi( 1113857

1113945iϵI

e(P G)xi middotvi middotc+cmiddotmimiddotvi( 1113857

1113945iϵI

e(P G)xi+mi( )vi middotc1113874 1113875

1113945iϵI

e(P G)xi+mi( )c

1113874 1113875vi

1113874 1113875

1113945iϵI

σvi

i

σ

(24)

Third-party auditor Cloud server

1 Receives audit request from MU

2 Select viisinZlowastq for each block andprepares chal = (i vi)iisinl

3 Computes

4 Authenticates mobile user

5 Computes

6 Verify

E1 = e(P G)xiniH(IDi)e(P Y)xi

E2 = [e(P G)xi]ni

E2H(IDi)e(Pxi Y) = E1

E1 E2 IDi chal

μ σ μ = sumiisinlmivi

σ = Πiisinlσivi

σ = ΠiisinlZxiviγZγμ

Figure 3 Auditing challenge proof generation and verification processes


If the mobile user and the cloud server are truthful andfree from deceit then the equation σ

1113937iϵIZ

ximiddotvimiddotc middot Zcmiddotμ

should hold true

Theorem 2 (user authentication) ampe authentication veri-fication of the cloud server during audit response is done basedon a valid proof

Let us assume that a user i with identity IDi has uploadedthe parameter Pxi to the cloud before uploading any fileBased on the request from that user the TPA computes E1

e(P G)xi middotni middotH(IDi)+αmiddotxi and E2 [e(P G)xi ]ni and sendsE1 E2 IDi chal to the cloud server Here the validity ofE

H(IDi)2 middot e(Pxi Y) E1 done by the cloud server during the

integrity verification ensures that only a valid user is part ofthe verification process and not an intruder In this case Pxi istaken by the cloud server from the authentication table andE1 E2 are received from the TPA Assume that an attackerwith a random value xi

prime andmasquerading as a legitimate userMUi sends an audit request E1prime E2prime IDi chal withE1prime e(P G)xi

primemiddotnimiddotH(IDi)+αmiddotxiprime and E2prime [e(P G)xi

prime]ni e CS

after receiving the audit request E1prime E2prime IDi chal from theattacker retrieves Pxi from the authentication table and triesto verify the authentication as follows

EprimeH IDi( )2 middot e P

xi Y( 1113857

e(P G)xiprimemiddotni middotH IDi( ) middot e P

xi Gα

( 1113857

e(P G)xiprimemiddotni middotH IDi( )e(P G)

ximiddotα

e(P G)xiprimemiddotni middotH IDi( )+xi middotα

neE1prime

(25)

us the authentication fails Hence the proposedsystem gives a valid proof only to a legitimate user during theauthentication process

Theorem 3 (soundness) In our scheme the attacker bypossessing e(P G) vi c cannot break the system and involvein audit cheat

e parameters e(P G)xi vi c are vital and are sharedonly between MUi and the TPA An attacker may be anexistingmember of the system and would like tomasqueradeas user MUi by using its Z e(P G) vi c and tries constructthe equation 1113937iϵIZ

xi middotvi middotc middot Zcmiddotμ but will only fail to do so sincethe value of xi is known only to the legitimate user and theTPA e equation in the proposed work 1113937iϵIZ

xi middotvi middotc middot Zcmiddotμ

1113937iϵIe(P G)ximiddotvimiddotc middot e(P G)cmiddotΣiϵI mi middotvi shows that during integ-rity verification an attacker who wants to break the systemshould possess e(P G)xi vi c which are kept confidentialand being shared only betweenMUi and the TPA Unless theTPA or the mobile user divulges this information an at-tacker cannot guess the values of c and e(P G)xi by knowingonly the pairing operation e() and P Moreover since theintegrity verification is done based on all the blocks underconsideration neither the CS nor the TPA can involve infraud as the values of μ 1113936iϵImi middot vi and σ 1113937iϵIσ

vi

i cannot

be easily computed if the data is corrupt in the cloud serveror fiddled with by an attacker

Theorem 4 (perfect data privacy) In our scheme the TPA isunable to learn any information regarding the data

A user sends Encntpa(IDi Z xi ni c) to the TPA during

an audit request During the whole process of challengegeneration and integrity verification the TPA never accessesthe file blocks m1 m2 m3 mn or their signaturesσ1 σ2 σ3 σn During the challenge generation processthe TPAworks with IDi ni E1 E2 chal which do not divulgethe details of any of the file block Besides during theverification process the TPA verifies σ

1113937iϵIZ


which does not reveal any information regarding the sig-natures or the file blocks ough the value of μ is based onthe file blocks and the value of σ is based on the signatures ofthose blocks they are computed by the cloud server and notby the TPAe TPA plays only the verification role Hencethe TPA cannot learn any file information from these pa-rameters leaving the system preserving the privacy of dataduring the file integrity challenge and the verificationprocesses

7 Results and Discussion

e proposed protocol is implemented in a machine withWindows operating system Intel Core i5-4460 processorrunning at 320GHz and 320GHz with a primary memoryof 4GB e experiments were conducted using pairing-based cryptography library pbc-0514 and C programminglanguage is used for the implementation purposes Table 3shows the security features provided by the proposed workand some notable similar works in the literature

Let us assume that TE refers to the cost of an expo-nentiation operation TH refers to the cost of a hash op-eration TP refers to the cost of a pairing operation TPA

refers to the cost incurred during one point addition TPM

refers to the cost of one point multiplication and TM and TA

refer to the cost of one integer multiplication and integeraddition respectively During the tag generation phase tagfor each of the file block is generated and n refers to thenumber of blocks in the file e proposed research work iscompared with the significant works proposed by Yu et al

Table 3 Comparison of the security features

Protocol Integrityverification

Dynamicdata

operations

User authenticationduring integrityverification

Yu et al[15] Yes No No

Wang et al[20] Yes No No

Zhu et al[22] Yes Yes No

Yang et al[23] Yes Yes No

Proposedprotocol Yes Yes Yes


Tabl

e4

Com

parisonof

compu

tatio

nalc

ost

Sl

no

Protocol

Taggeneratio

n(m

s)Proo

fgeneration(m

s)Proo

fverificatio

n(m

s)

1Yu

etal

[15]

nlowast(

1TE

+1T

H+1T

E+1T

PA

)2T

H+2T

P+

TE

+T

PA

+clowast

(T

M+

TE)

+(

cminus1)lowast

(T

A+

TP

A)

clowast

(T

H+

TE

+T

P)

+1T

E+

(c

minus1)lowast

TP

A+1T

H

2Wang

etal[20]

clowast

(T

H+

TE

+T

PA

)+

TE

1TE

+clowast

TM

+(

cminus1)lowast

TA

+T

M+

TA

+T

H+

clowast

TE

+(

cminus1)lowast

TP

A

1TP

+T

PA

+T

E+

TH

+clowast

(T

H+

TE

+T

PA

)

+(

cminus1)lowast

TP

A

3Zh

uet

al

[22]

(nlowast

TE

+nlowast

TA

+1T

H)

+(

nlowast3

TM

+

(n

minus1)lowast

TA

+1T

E)

+(

nlowast

(T

H+

TE)+

nlowast

TP

M)

clowast

TM

+clowast

TE

+(

cminus1)lowast

TP

A

+clowast(

1TA

+1T

M+

clowast

TM

+(

cminus1)

TA

)

TP

+T

PA

+(

cminus1)

TA

+clowast

(T

H+

TE)

+T

P+

clowast

TE

+(

cminus1)

TA

+T

P+

TP

4Ya

ngetal

[23]

nlowast

(T

H+2T

PM

+2T

E)

clowast(

1TE

+1T

M+1T

P+1T

E)

+(

cminus1)

TP

A+

(c

minus1)

TA

+(

cminus1)

TP

Aclowast

(T

H+

TE)

+(

cminus1)

TP

A+

TP

M+

TP

+T

PA

+T

P

5Prop

osed

protocol

nlowast

(T

P+

TA

+1T

M+1T

E)

(1T

H+1T

E+1T

P+1T

PA

)+

clowast

TM

+(

cminus1)lowast

TA

+clowast

TE

+(

cminus1)lowast

TP

A

TH

+clowast

(T

H+

TE)

+(

cminus1)lowast

TP

A+

TM

+1T

E+

TP

A


[15] Wang et al [20] Zhu et al [22] and Yang et al [23]ough the previous works strive to ensure the integrity ofthe documents they lack the user authentication factorduring this process is novel research work does bothintegrity verification and authentication processes Duringthe document integrity verification process the majoroverhead incurred is due to the tag generation proofgeneration and proof verification processes Hence as partof this research work Table 4 compares the computationalcost of the proposed protocol with the recent protocols in theliterature e order of the group is setup as 160 bits and thetests were conducted with a file size of 1MB with approx-imately 50000 data blocks In Table 4 n refers to the numberof blocks uploaded to the cloud server and c refers to thenumber of challenged blocks during the integrity verificationprocess

e computation involved in the system initialization isdone only during the initialization of the system For eachuser the computation during registration is done only onceduring the user registration A user may try to uploadmultiple files and hence tag generation is done only duringfile upload to the cloud server and the computations foraudit works will be done at regular intervals From Table 4 itis evident that the proposed work incurs relatively lessoverhead than the other recent works in the literature

For tag generation during the file upload themobile usermakes one pairing operation and one exponentiation op-eration as e(P G)(xi+mi)middotc for each block For n blocks theuser has to make n pairing and n exponentiation operationswhich are very less compared to the similar works in theliterature e results as shown in Figure 4 indicate the factthat the proposed work shows an improved efficiency withregard to the computational overhead of the previousprotocols in the literature e graph shows the comparisonfor the cost for a minimum of 100 blocks and a maximum of1000 blocks

e mobile user incurs a computational cost of only oneexponentiation and one pairing operation for the tag gen-eration for each block All the other recent works undercomparison incur greater costs compared to the proposedwork For instance for the tag generation of one block thework proposed by Yu et al involves two exponentiationoperations per block one hash operation per block and onepoint addition operation which is more costly than theproposed work From the graph it can be inferred that forthe generation of tags for a total of 300 blocks the proposedprotocol incurs a computational overhead of 691ms which is599ms less than Yu et alrsquos scheme 390ms less than Wanget alrsquos scheme 724ms less than Zhu et alrsquos scheme and270ms less than Yang et alrsquos scheme

In Figure 5 the performance of the proposed protocol forproof generation is compared with the works proposed by Yuet al Wang et al Zhu et al and Yang et al respectively Forinstance let us consider the cost for the proof generation for700 blocks In this case the proposed protocol attains only aminor performance improvement like 10ms and 41ms thanthe works proposed by Yu et al and Wang et al respectivelyBut it shows a major performance improvement such as1053ms and 1656ms less than the works proposed by Zhu

et al and Yang et al respectivelyus from the figure we caninfer that as the number of blocks increases the performanceof the proposed protocol increases as well

Similarly Figure 6 shows the comparison of the com-putation cost for the proof verification process by the third-party auditor e proof verification makes use of the blockswhich are randomly selected by the third-party auditor

100 200 300 400 500 600 700 800 900 1000No of blocks for proof verification

0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)

Zhu et alProposed protocolYu et al

Wang et alYang et al

Figure 6 Computation overhead due to proof verification

100 200 300 400 500 600 700 800 900 1000No of blocks for tag generation

Zhu et alProposed protocol

0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al


Figure 4 Computation cost for tag generation

100 200 300 400 500 600 700 800 900 1000No of blocks for proof generation

0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)



Figure 5 Computation overhead during proof generation


during audit challenge During the computation of1113937iϵIZ

xivic the TPA can compute the value of xic only onceand use it for the subsequent operations as (xic)vie testshave been conducted by increasing the number of blocksfrom 100 to 1000 e results clearly indicate that for 600blocks the proposed protocol incurs 541ms only which is2582ms 1744ms 1993ms and 1622ms less whencompared to the works proposed by Yu et al Wang et alZhu et al and Yang et al respectively us the proposedprotocol shows improved performance than the previouslyproposed protocols in terms of the computational overhead

Table 5 provides the comparison of the communicationcost incurred by various protocols In the table |p| refers tothe size of an element in G |q| refers to the size of an elementin Zlowastq |n| refers to the size of an element with regard to theblock number and c refers to the number of challengedblocks

e communication cost is mainly due to the frequentaudit challenges sent by the third-party auditor to the cloudserver and the audit responses from the cloud server to thethird-party auditor e communication overhead occursdue to the messages exchanged as part of the registrationprocess challenge generation and response processes ecommunication overhead during the registration is notaccounted in this work as it happens only once for a clouduser For the phase of audit challenge sent by the TPA to theCS TPA sends E1 E2 IDi chal to the cloud Moreover thesize of chal (i vi) is based on the number of challengedblocks and hence the size of the audit challenge is inO(chal) TPA sends E1 E2 to the CS only for the authen-tication purpose us the size of the audit challenge isO(chal) which is better than Yu et al [15] and Zhu et al [22]schemes and incurs similar overhead as that of Wang et al[20] and Yang and Jia [23] schemes respectively

During the audit response phase of the proposed pro-tocol the cloud server sends μ σ to the TPAe size of bothμ and σ is based on the number of challenged blocks eproposed scheme is better than Yu et alrsquos scheme [15] whichincurs a communication overhead of l + log2 r + 320 bitsand is more efficient than Wang et alrsquos scheme [20] whichinvolves μ σ R where R incurs an additional overhead oflog2 q bits compared to the proposed work Moreover theproposed work incurs half of the communication overheadas that of Zhu et al [22] and is identical compared to Yangand Jia [23] scheme us the proposed protocol shows thatit incurs a minimal communication overhead while

providing support for efficient authentication feature andminimal computational complexity

8 Conclusions

To sum up a novel attack resistant and an efficient protocolfor the verification of the remotely stored data in the cloudservers has been introduced in this research work is workis the first of its kind in enabling authenticated verificationprocedure over the remote data stored in the cloud serversfor the mobile users involved in the verification processEnough security analysis has been provided to ascertain thegenuineness of this work with regard to its resistance to theattacks in all aspects e implementation results clearlyshow that this work provides auditing service with lesscomputational complexity compared to the similar works inthe recent literature In this era of mobile computing thiswork shall strive to prove its importance for sensitive filesstored by the mobile users in the cloud servers In future thiswork can be further extended to support verification for theusers of a corporate office or other communities who storedata in multiple cloud servers

Data Availability

No data were used to support this research work

Conflicts of Interest

e authors declare that there are no conflicts of interestregarding the publication of this paper

References

[1] Y Zhang Y Li and Y Wang ldquoSecure and efficient searchablepublic key encryption for resource constrained environmentbased on pairings under prime order grouprdquo Security andCommunication Networks vol 2019 Article ID 528080614 pages 2019

[2] Y Song H Wang X Wei and L Wu ldquoEfficient attribute-based encryption with privacy-preserving key generation andits application in industrial cloudrdquo Security and Communi-cation Networks vol 2019 Article ID 3249726 9 pages 2019

[3] X Zhang A Kunjithapatham S Jeong and S Gibbs ldquoTo-wards an elastic application model for augmenting thecomputing capabilities of mobile devices with cloud com-putingrdquo Mobile Networks and Applications vol 16 no 3pp 270ndash284 2011

[4] E Munivel and A Kannammal ldquoNew authentication schemeto secure against the phishing attack in the mobile cloudcomputingrdquo Security and Communication Networksvol 2019 Article ID 5141395 11 pages 2019

[5] C Wang S S M Chow Q Wang K Ren and W LouldquoPrivacy-preserving public auditing for secure cloud storagerdquoIEEE Transactions on Computers vol 62 no 2 pp 362ndash3752013

[6] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo IEEE Transactions onCloud Computing vol 2 no 1 pp 43ndash56 2014

[7] F Sebe J Domingo-Ferrer AMartinez-Balleste Y Deswarteand J-J Quisquater ldquoEfficient remote data possessionchecking in critical information infrastructuresrdquo IEEE

Table 5 Comparison of communication overhead

Protocol Challenge message (bits) Response message(bits)

Yu et al [15] c(|p| + |p| + |n| + |q| + |p|) |p| + |p| + 2|p|

Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|

Yang and Jia[23] c(|n| + |q|) 2|p|

Proposedprotocol c(|n| + |q|) 2|p|


Transactions on Knowledge and Data Engineering vol 20no 8 pp 1034ndash1038 2008

[8] G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrusted storesrdquo in Proceedings of the 14thACM conference on Computer and Communications Securitypp 598ndash609 New York USA October 2007

[9] Y Deswarte J J Quisquater and A Saidane ldquoRemote in-tegrity checkingrdquo in Proceedings of the 5th Working Con-ference on Integrity and Intl control in Information Systemspp 1ndash11 Lisbon Portugal October 2004

[10] A Juels and B S Kalisi Jr ldquoPors proofs of retrievability forlarge filesrdquo in Proceedings of the 14th ACM conference onComputer and Communication Security (CCS07) pp 584ndash597 Alexandria VA USA October 2007

[11] G Ateniese R D Pietro L V Mancini and G TsudikldquoScalable and efficient provable data possessionrdquo in Pro-ceedings of the 4th International Conference on Security andPrivacy in Communication Networks September 2008

[12] J Sun and Y Fang ldquoCross-domain data sharing in distributedelectronic health record systemsrdquo IEEE Transactions onParallel and Distributed Systems vol 21 no 6 pp 754ndash7642010

[13] J Sun X Zhu C Zhang and Y Fang ldquoHCPP cryptographybased secure HER system for patient privacy and emergencyhealthcarerdquo in Proceedings of the 31st IEEE InternationalConference on Distributed Computing Systems (ICDCS)pp 373ndash382 Washington DC USA June 2011

[14] L Guo C Zhang J Sun and Y Fang ldquoPAAS a privacy-preserving attributed-based authentication system for eHealthnetworksrdquo in Proceedings of the 32nd IEEE InternationalConference on Distributed Computing Systems (ICDCS)pp 224ndash233 Macau China June 2012

[15] Y Yu M H Au G Ateniese et al ldquoIdentity-based remotedata integrity checking with perfect data privacy preservingfor cloud storagerdquo IEEE Transactions on Information Fo-rensics and Security vol 12 no 4 pp 767ndash778 2017

[16] X Chen T Shang F Zhang J Liu and Z Guan ldquoDynamicdata auditing scheme for big data storagerdquo Frontiers ofComputer Science vol 14 no 1 pp 219ndash229 2019

[17] S Peng F Zhou J Li Q Wang and Z Xu ldquoEfficient dy-namic and identity-based remote data integrity checking formultiple replicasrdquo Journal of Network and Computer Appli-cations vol 134 pp 72ndash88 2019

[18] E Fujisaki and T Okamoto ldquoA practical and provably securescheme for publicly verifiable secret sharing and its appli-cationsrdquo Advances in Cryptology EUROCRYPT in LectureNotes in Computer Science Springer vol 1403 pp 32ndash46Berlin Germany 1998

[19] A Patra A Choudhury and C Pandu Rangan ldquoEfficientasynchronous verifiable secret sharing and multiparty com-putationrdquo Journal of Cryptology vol 28 no 1 pp 49ndash1092015

[20] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE Infocom pp 525ndash533 IEEE SanDiego CA USA March 2010

[21] Y Zhu H Hu G-J Ahn and M Yu ldquoCooperative provabledata possession for integrity verification in multicloud stor-agerdquo IEEE Transactions on Parallel and Distributed Systemsvol 23 no 12 pp 2231ndash2244 2012

[22] Y Zhu G J Ahn H Hu S S Yau H G An and S ChenldquoDynamic audit services for outsourced storages in cloudsrdquoIEEE Transactions on Services Computing vol 6 no 2pp 227ndash238 2013

[23] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Trans-actions on Parallel and Distributed Systems vol 24 no 9pp 1717ndash1726 2013

[24] K Huang J Liu M Xian and S Fu ldquoSecuring the cloudstorage audit service defending against frame and colludeattacks of third party auditorrdquo IET Communications vol 8no 12 pp 2106ndash2113 2014

[25] H Wang J Domingo-Ferrer B Qin and Q Wu ldquoIdentity-based remote data possession checking in public cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014

[26] Y Yu Y Zhang J Ni M H Au L Chen andH Liu ldquoRemotedata possession checking with enhanced security for cloudstoragerdquo Future Generation Computer Systems vol 52pp 77ndash85 2015

[27] Z Liu Y Liao X Yang Y He and K Zhao ldquoIdentity-basedremote data integrity checking of cloud storage from latticesrdquoin Proceedings of the 3rd International Conference on Big DataComputing and Communications (BIGCOM) pp 128ndash135Chengdu Sichuan China August 2017

[28] Z Ren L Wang Q Wang and M Xu ldquoDynamic proofs ofretrievability for coded cloud storage systemsrdquo IEEE Trans-actions on Services Computing vol 11 no 4 pp 685ndash6982018

[29] X Luo Z Zhou L Zhong J Mao and C Chen ldquoAn effectiveintegrity verification scheme of cloud data based on BLSsignaturerdquo Security and Communication Networks vol 2018Article ID 2615249 11 pages 2018

[30] X Y Yan L Wu W Y Xu H Wang and Z Man ldquoIntegrityaudit of shared cloud data with identity trackingrdquo Securityand Communication Networks vol 2019 Article ID 135434611 pages 2019

[31] D He S Zeadally B Xu and X Huang ldquoAn efficient identity-based conditional privacy-preserving authentication schemefor vehicular ad hoc networksrdquo IEEE Transactions on Infor-mation Forensics and Security vol 10 no 12 pp 2681ndash26912015

[32] J Zhang J Cui H Zhong Z Chen and L Liu ldquoPA-CRTChinese remainder theorem based conditional privacy-pre-serving authentication scheme in vehicular ad-hoc networksrdquoIEEE Transactions on Dependable and Secure Computing p 12019


actual data owners Even the cloud servers may try to hidethe fact of data server crashes which will lead to permanentdata loss to the data owners

In order to enable the verification process first the usersplits the large file to be uploaded into smaller units calledfile blocks e user uploads all the blocks to the remotestorage area like cloud servers Later if the user wants toverify the integrity of the uploaded file he can do so bymaking use of some cryptographically verifiable procedure[5ndash7]

Similarly to ensure the data verifiability in the cloudservers multiple schemes have been proposed by authors intheir past literatures In one such scenario cloud serverswere vested with the responsibility of computing the proof ofverification based on all of the blocks stored in the cloudstorage [8 9] In such cases if the cloud server had to do thiscomputationally intensive work for hundreds of users si-multaneously it may incur a huge computational overheadOn the contrary authors like Juels and Kalisi in 2007 [10]claimed that the audit task must be done at the cloud userrsquosside is method will not suit the users who work withcomputationally constrained battery powered mobilephones

A pioneering attempt by Ateniese et al [11] in 2008claimed that a user who wants to audit the file integrity neednot access the entire file stored in the cloud and also theuser can delegate the audit task to a third party Some worksin this line delegated the verification rights to other partiessuch as trusted third parties or other such entities In theworks proposed [12ndash14] a patient who undergoes a treat-ment from a doctor makes use of electronic health recordsstored in the cloud storage and also allows the doctor tocreate the records and store them in the remote storage onbehalf of the patient A recent work proposed by Yu et al in2017 [15] seems to be a worthwhile protocol with publicauditing capability with efficient computational and storageoverheads Many verifiable schemes have been proposed byChen et al in 2019 [16] Peng et al in 2019 [17] Fujisaki andOkamoto in 1998 [18] Patra et al in 2015 [19] and others

Hence a research work should be able to authenticate alegitimate mobile user during the audit response phase Inthis regard each mobile user should store a unique au-thentication parameter in the cloud server before sendingany audit request Hence during audit response the cloudserver is able to successfully authenticate only the legitimateusers and able to identify the intruders to abort their auditrequests

One essential fact to be considered during the protocoldesign is to make it certain that the utmost security with lesscomputational necessity and the robustness of the protocolmust be resistant to attackers and hackers us thoughthere are multiple methods of ascertaining the integrity ofthe stored file blocks in the cloud servers each methodsuffers from one of the problems such as computationalburden of cloud servers or data owners or reliability of theverification procedure by third parties done on behalf of thecloud users lack of authentication procedures for the cloudservers and cloud users In this research work a novelmethod which will avoid the above shortcomings for

verification of data stored in the remote servers has beenproposed to enable the user who uploads the file to verify theintegrity of the same as well

Unless the data stored in the remote locations are ver-ified thoroughly to the satisfaction of the user with respect tothe security assurance computational and communica-tional capabilities not only these schemes are prone toattacks but also they would be nonoperational for practicaluse by the mobile user community which constitutes a largerportion of the Internet users Based on the necessity toaddress these issues the contributions of this research workcan be highlighted as follows

11 Contributions of ampis Research Work

(i) A novel scheme to verify the integrity of the remotedata and to authenticate the mobile user during theintegrity auditing process is introduced

(ii) e presence of the authentication procedure pre-vents eavesdroppers and hackers from intrudinginto the system

(iii) e proposed work is resistant to attacks andcomputationally more efficient than the previousworks

(iv) e presence of valid proofs for completenesssoundness and perfect data privacy makes this avital contribution for real-world data audits in cloud

12Organization ofampisResearchWork e organization ofthis research manuscript is as follows Section 2 incorporatesthe much needed recent and old literary works pertaining tothe works proposed for remote data integrity verificationand showcases the need for the improvements in themSection 3 provides a quick review of the preliminaries and asuitable architecture of the protocol proposed in this re-search work is in Section 4 e subsequent section showsthe construction of the proposed protocol with its novelprocedures for data integrity verification processes for filesand support for data dynamic operations Section 6 analysesthis work in terms of its correctness soundness and dataprivacy during the audit process In Section 7 the imple-mentation results of the protocol are compared with variousschemes and the results are tabulated Section 8 concludesthis research work

2 Literature Survey

Latest advancements such as Internet-of-ings (IoT) fogcomputing digital transaction with blockchain-based se-curity assurance smart cities cloud computing and othersuch technologies enable a mobile user to upload sensitiveinformation to the cloud servers for future processing Manyworthwhile schemes have been put forward by researchersand students of various institutions to ensure the correctpossession of data stored in the cloud servers

Wang et al in 2010 [20] introduced a similar scheme forthe proposal of the efficient auditing framework withoutrequiring the user to maintain a local copy of the data



































8 MUi Mobile user i







4 Uplo

ad au

thenti

catio

n para

meters

2 TPA registration


Data owner

Cloud server


7 A

udit

chal

leng

e 8 Audit proof


5 Upload file tags










Y Gα (2)





X e Pα G

ni middotH IDi( )1113874 1113875 (3)

A ni middot X (4)




nimiddotH IDi( )

ni middot e P Gα



ni middot e Pα G

nimiddotH IDi( )1113874 1113875

ni middot X

A

(6)





K1 e Pxi G

(β(α+β))1113872 1113873 (7)

K2 P(1α+β)

(8)

Z e(P G) (9)



e Pαmiddoth1 G

H IDcs( )1113874 1113875

e Ph2 Y

H IDcs( )1113874 1113875 (10)


e Ph2 Y

H IDcs( )1113874 1113875 e Ph2 G

αmiddotH IDcs( )1113874 1113875

e Ph2 G

H IDcs( )1113874 1113875α

e Pαmiddoth2 G

H IDcs( )1113874 1113875

(11)







e P(1(α+β))

Gα

1113872 1113873xi

middot e Pxi G

(β(α+β))1113872 1113873

e P(1(α+β))

Gα

1113872 1113873xi








e(P G)xi

(12)


K3 Zxi (13)







cmiddotmi


cmiddotmi



(14)






2 Computes Pxi






4 Computes


K2 = P1α+β

Z = e(P G)

ni niA IDi Pxi

Encni (IDi K1 K2 Z)




ID2 Px2

IDi Pxi







xi


xi


α( 1113857

xi


αmiddotxi


(15)







xi Y( 1113857

E1 (16)



xi Y( 1113857


xi Gα

( 1113857


xi middotα


E1

(17)



xi Y( 1113857 E1 (18)



μ 1113944iϵI

mi middot vi (19)


σ 1113945iϵI

σvi

i (20)



σ

1113945iisinI


cmiddotμ (21)






i( )middotc (22)






E1

at is


xi Y( 1113857


xi Gα

( 1113857


ximiddotα


E1

(23)




















E1








1113945iϵI


cmiddotμ

1113945iϵI



1113945iϵI


iϵIe(P G)

cmiddotmimiddotvi

1113945iϵI



1113945iϵI


1113945iϵI


1113945iϵI

e(P G)xi+mi( )c

1113874 1113875vi

1113874 1113875

1113945iϵI

σvi

i

σ

(24)




3 Computes


5 Computes

6 Verify


E2 = [e(P G)xi]ni


E1 E2 IDi chal


σ = Πiisinlσivi





1113937iϵIZ


should hold true








prime]ni e CS



xi Y( 1113857


xi Gα

( 1113857


ximiddotα


neE1prime

(25)







vi

i cannot





1113937iϵIZ











Dynamicdata

operations








Tabl

e4

Com

parisonof

compu

tatio

nalc

ost

Sl

no

Protocol

Taggeneratio

n(m

s)Proo

fgeneration(m

s)Proo

fverificatio

n(m

s)

1Yu

etal

[15]

nlowast(

1TE

+1T

H+1T

E+1T

PA

)2T

H+2T

P+

TE

+T

PA

+clowast

(T

M+

TE)

+(

cminus1)lowast

(T

A+

TP

A)

clowast

(T

H+

TE

+T

P)

+1T

E+

(c

minus1)lowast

TP

A+1T

H

2Wang

etal[20]

clowast

(T

H+

TE

+T

PA

)+

TE

1TE

+clowast

TM

+(

cminus1)lowast

TA

+T

M+

TA

+T

H+

clowast

TE

+(

cminus1)lowast

TP

A

1TP

+T

PA

+T

E+

TH

+clowast

(T

H+

TE

+T

PA

)

+(

cminus1)lowast

TP

A

3Zh

uet

al

[22]

(nlowast

TE

+nlowast

TA

+1T

H)

+(

nlowast3

TM

+

(n

minus1)lowast

TA

+1T

E)

+(

nlowast

(T

H+

TE)+

nlowast

TP

M)

clowast

TM

+clowast

TE

+(

cminus1)lowast

TP

A

+clowast(

1TA

+1T

M+

clowast

TM

+(

cminus1)

TA

)

TP

+T

PA

+(

cminus1)

TA

+clowast

(T

H+

TE)

+T

P+

clowast

TE

+(

cminus1)

TA

+T

P+

TP

4Ya

ngetal

[23]

nlowast

(T

H+2T

PM

+2T

E)

clowast(

1TE

+1T

M+1T

P+1T

E)

+(

cminus1)

TP

A+

(c

minus1)

TA

+(

cminus1)

TP

Aclowast

(T

H+

TE)

+(

cminus1)

TP

A+

TP

M+

TP

+T

PA

+T

P

5Prop

osed

protocol

nlowast

(T

P+

TA

+1T

M+1T

E)

(1T

H+1T

E+1T

P+1T

PA

)+

clowast

TM

+(

cminus1)lowast

TA

+clowast

TE

+(

cminus1)lowast

TP

A

TH

+clowast

(T

H+

TE)

+(

cminus1)lowast

TP

A+

TM

+1T

E+

TP

A










0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)






0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al




0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)











8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|
































































8 MUi Mobile user i







4 Uplo

ad au

thenti

catio

n para

meters

2 TPA registration


Data owner

Cloud server


7 A

udit

chal

leng

e 8 Audit proof


5 Upload file tags










Y Gα (2)





X e Pα G

ni middotH IDi( )1113874 1113875 (3)

A ni middot X (4)




nimiddotH IDi( )

ni middot e P Gα



ni middot e Pα G

nimiddotH IDi( )1113874 1113875

ni middot X

A

(6)





K1 e Pxi G

(β(α+β))1113872 1113873 (7)

K2 P(1α+β)

(8)

Z e(P G) (9)



e Pαmiddoth1 G

H IDcs( )1113874 1113875

e Ph2 Y

H IDcs( )1113874 1113875 (10)


e Ph2 Y

H IDcs( )1113874 1113875 e Ph2 G

αmiddotH IDcs( )1113874 1113875

e Ph2 G

H IDcs( )1113874 1113875α

e Pαmiddoth2 G

H IDcs( )1113874 1113875

(11)







e P(1(α+β))

Gα

1113872 1113873xi

middot e Pxi G

(β(α+β))1113872 1113873

e P(1(α+β))

Gα

1113872 1113873xi








e(P G)xi

(12)


K3 Zxi (13)







cmiddotmi


cmiddotmi



(14)






2 Computes Pxi






4 Computes


K2 = P1α+β

Z = e(P G)

ni niA IDi Pxi

Encni (IDi K1 K2 Z)




ID2 Px2

IDi Pxi







xi


xi


α( 1113857

xi


αmiddotxi


(15)







xi Y( 1113857

E1 (16)



xi Y( 1113857


xi Gα

( 1113857


xi middotα


E1

(17)



xi Y( 1113857 E1 (18)



μ 1113944iϵI

mi middot vi (19)


σ 1113945iϵI

σvi

i (20)



σ

1113945iisinI


cmiddotμ (21)






i( )middotc (22)






E1

at is


xi Y( 1113857


xi Gα

( 1113857


ximiddotα


E1

(23)




















E1








1113945iϵI


cmiddotμ

1113945iϵI



1113945iϵI


iϵIe(P G)

cmiddotmimiddotvi

1113945iϵI



1113945iϵI


1113945iϵI


1113945iϵI

e(P G)xi+mi( )c

1113874 1113875vi

1113874 1113875

1113945iϵI

σvi

i

σ

(24)




3 Computes


5 Computes

6 Verify


E2 = [e(P G)xi]ni


E1 E2 IDi chal


σ = Πiisinlσivi





1113937iϵIZ


should hold true








prime]ni e CS



xi Y( 1113857


xi Gα

( 1113857


ximiddotα


neE1prime

(25)







vi

i cannot





1113937iϵIZ











Dynamicdata

operations








Tabl

e4

Com

parisonof

compu

tatio

nalc

ost

Sl

no

Protocol

Taggeneratio

n(m

s)Proo

fgeneration(m

s)Proo

fverificatio

n(m

s)

1Yu

etal

[15]

nlowast(

1TE

+1T

H+1T

E+1T

PA

)2T

H+2T

P+

TE

+T

PA

+clowast

(T

M+

TE)

+(

cminus1)lowast

(T

A+

TP

A)

clowast

(T

H+

TE

+T

P)

+1T

E+

(c

minus1)lowast

TP

A+1T

H

2Wang

etal[20]

clowast

(T

H+

TE

+T

PA

)+

TE

1TE

+clowast

TM

+(

cminus1)lowast

TA

+T

M+

TA

+T

H+

clowast

TE

+(

cminus1)lowast

TP

A

1TP

+T

PA

+T

E+

TH

+clowast

(T

H+

TE

+T

PA

)

+(

cminus1)lowast

TP

A

3Zh

uet

al

[22]

(nlowast

TE

+nlowast

TA

+1T

H)

+(

nlowast3

TM

+

(n

minus1)lowast

TA

+1T

E)

+(

nlowast

(T

H+

TE)+

nlowast

TP

M)

clowast

TM

+clowast

TE

+(

cminus1)lowast

TP

A

+clowast(

1TA

+1T

M+

clowast

TM

+(

cminus1)

TA

)

TP

+T

PA

+(

cminus1)

TA

+clowast

(T

H+

TE)

+T

P+

clowast

TE

+(

cminus1)

TA

+T

P+

TP

4Ya

ngetal

[23]

nlowast

(T

H+2T

PM

+2T

E)

clowast(

1TE

+1T

M+1T

P+1T

E)

+(

cminus1)

TP

A+

(c

minus1)

TA

+(

cminus1)

TP

Aclowast

(T

H+

TE)

+(

cminus1)

TP

A+

TP

M+

TP

+T

PA

+T

P

5Prop

osed

protocol

nlowast

(T

P+

TA

+1T

M+1T

E)

(1T

H+1T

E+1T

P+1T

PA

)+

clowast

TM

+(

cminus1)lowast

TA

+clowast

TE

+(

cminus1)lowast

TP

A

TH

+clowast

(T

H+

TE)

+(

cminus1)lowast

TP

A+

TM

+1T

E+

TP

A










0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)






0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al




0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)











8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|





































Y Gα (2)





X e Pα G

ni middotH IDi( )1113874 1113875 (3)

A ni middot X (4)




nimiddotH IDi( )

ni middot e P Gα



ni middot e Pα G

nimiddotH IDi( )1113874 1113875

ni middot X

A

(6)





K1 e Pxi G

(β(α+β))1113872 1113873 (7)

K2 P(1α+β)

(8)

Z e(P G) (9)



e Pαmiddoth1 G

H IDcs( )1113874 1113875

e Ph2 Y

H IDcs( )1113874 1113875 (10)


e Ph2 Y

H IDcs( )1113874 1113875 e Ph2 G

αmiddotH IDcs( )1113874 1113875

e Ph2 G

H IDcs( )1113874 1113875α

e Pαmiddoth2 G

H IDcs( )1113874 1113875

(11)







e P(1(α+β))

Gα

1113872 1113873xi

middot e Pxi G

(β(α+β))1113872 1113873

e P(1(α+β))

Gα

1113872 1113873xi








e(P G)xi

(12)


K3 Zxi (13)







cmiddotmi


cmiddotmi



(14)






2 Computes Pxi






4 Computes


K2 = P1α+β

Z = e(P G)

ni niA IDi Pxi

Encni (IDi K1 K2 Z)




ID2 Px2

IDi Pxi







xi


xi


α( 1113857

xi


αmiddotxi


(15)







xi Y( 1113857

E1 (16)



xi Y( 1113857


xi Gα

( 1113857


xi middotα


E1

(17)



xi Y( 1113857 E1 (18)



μ 1113944iϵI

mi middot vi (19)


σ 1113945iϵI

σvi

i (20)



σ

1113945iisinI


cmiddotμ (21)






i( )middotc (22)






E1

at is


xi Y( 1113857


xi Gα

( 1113857


ximiddotα


E1

(23)




















E1








1113945iϵI


cmiddotμ

1113945iϵI



1113945iϵI


iϵIe(P G)

cmiddotmimiddotvi

1113945iϵI



1113945iϵI


1113945iϵI


1113945iϵI

e(P G)xi+mi( )c

1113874 1113875vi

1113874 1113875

1113945iϵI

σvi

i

σ

(24)




3 Computes


5 Computes

6 Verify


E2 = [e(P G)xi]ni


E1 E2 IDi chal


σ = Πiisinlσivi





1113937iϵIZ


should hold true








prime]ni e CS



xi Y( 1113857


xi Gα

( 1113857


ximiddotα


neE1prime

(25)







vi

i cannot





1113937iϵIZ











Dynamicdata

operations








Tabl

e4

Com

parisonof

compu

tatio

nalc

ost

Sl

no

Protocol

Taggeneratio

n(m

s)Proo

fgeneration(m

s)Proo

fverificatio

n(m

s)

1Yu

etal

[15]

nlowast(

1TE

+1T

H+1T

E+1T

PA

)2T

H+2T

P+

TE

+T

PA

+clowast

(T

M+

TE)

+(

cminus1)lowast

(T

A+

TP

A)

clowast

(T

H+

TE

+T

P)

+1T

E+

(c

minus1)lowast

TP

A+1T

H

2Wang

etal[20]

clowast

(T

H+

TE

+T

PA

)+

TE

1TE

+clowast

TM

+(

cminus1)lowast

TA

+T

M+

TA

+T

H+

clowast

TE

+(

cminus1)lowast

TP

A

1TP

+T

PA

+T

E+

TH

+clowast

(T

H+

TE

+T

PA

)

+(

cminus1)lowast

TP

A

3Zh

uet

al

[22]

(nlowast

TE

+nlowast

TA

+1T

H)

+(

nlowast3

TM

+

(n

minus1)lowast

TA

+1T

E)

+(

nlowast

(T

H+

TE)+

nlowast

TP

M)

clowast

TM

+clowast

TE

+(

cminus1)lowast

TP

A

+clowast(

1TA

+1T

M+

clowast

TM

+(

cminus1)

TA

)

TP

+T

PA

+(

cminus1)

TA

+clowast

(T

H+

TE)

+T

P+

clowast

TE

+(

cminus1)

TA

+T

P+

TP

4Ya

ngetal

[23]

nlowast

(T

H+2T

PM

+2T

E)

clowast(

1TE

+1T

M+1T

P+1T

E)

+(

cminus1)

TP

A+

(c

minus1)

TA

+(

cminus1)

TP

Aclowast

(T

H+

TE)

+(

cminus1)

TP

A+

TP

M+

TP

+T

PA

+T

P

5Prop

osed

protocol

nlowast

(T

P+

TA

+1T

M+1T

E)

(1T

H+1T

E+1T

P+1T

PA

)+

clowast

TM

+(

cminus1)lowast

TA

+clowast

TE

+(

cminus1)lowast

TP

A

TH

+clowast

(T

H+

TE)

+(

cminus1)lowast

TP

A+

TM

+1T

E+

TP

A










0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)






0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al




0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)











8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|




































e P(1(α+β))

Gα

1113872 1113873xi

middot e Pxi G

(β(α+β))1113872 1113873

e P(1(α+β))

Gα

1113872 1113873xi








e(P G)xi

(12)


K3 Zxi (13)







cmiddotmi


cmiddotmi



(14)






2 Computes Pxi






4 Computes


K2 = P1α+β

Z = e(P G)

ni niA IDi Pxi

Encni (IDi K1 K2 Z)




ID2 Px2

IDi Pxi







xi


xi


α( 1113857

xi


αmiddotxi


(15)







xi Y( 1113857

E1 (16)



xi Y( 1113857


xi Gα

( 1113857


xi middotα


E1

(17)



xi Y( 1113857 E1 (18)



μ 1113944iϵI

mi middot vi (19)


σ 1113945iϵI

σvi

i (20)



σ

1113945iisinI


cmiddotμ (21)






i( )middotc (22)






E1

at is


xi Y( 1113857


xi Gα

( 1113857


ximiddotα


E1

(23)




















E1








1113945iϵI


cmiddotμ

1113945iϵI



1113945iϵI


iϵIe(P G)

cmiddotmimiddotvi

1113945iϵI



1113945iϵI


1113945iϵI


1113945iϵI

e(P G)xi+mi( )c

1113874 1113875vi

1113874 1113875

1113945iϵI

σvi

i

σ

(24)




3 Computes


5 Computes

6 Verify


E2 = [e(P G)xi]ni


E1 E2 IDi chal


σ = Πiisinlσivi





1113937iϵIZ


should hold true








prime]ni e CS



xi Y( 1113857


xi Gα

( 1113857


ximiddotα


neE1prime

(25)







vi

i cannot





1113937iϵIZ











Dynamicdata

operations








Tabl

e4

Com

parisonof

compu

tatio

nalc

ost

Sl

no

Protocol

Taggeneratio

n(m

s)Proo

fgeneration(m

s)Proo

fverificatio

n(m

s)

1Yu

etal

[15]

nlowast(

1TE

+1T

H+1T

E+1T

PA

)2T

H+2T

P+

TE

+T

PA

+clowast

(T

M+

TE)

+(

cminus1)lowast

(T

A+

TP

A)

clowast

(T

H+

TE

+T

P)

+1T

E+

(c

minus1)lowast

TP

A+1T

H

2Wang

etal[20]

clowast

(T

H+

TE

+T

PA

)+

TE

1TE

+clowast

TM

+(

cminus1)lowast

TA

+T

M+

TA

+T

H+

clowast

TE

+(

cminus1)lowast

TP

A

1TP

+T

PA

+T

E+

TH

+clowast

(T

H+

TE

+T

PA

)

+(

cminus1)lowast

TP

A

3Zh

uet

al

[22]

(nlowast

TE

+nlowast

TA

+1T

H)

+(

nlowast3

TM

+

(n

minus1)lowast

TA

+1T

E)

+(

nlowast

(T

H+

TE)+

nlowast

TP

M)

clowast

TM

+clowast

TE

+(

cminus1)lowast

TP

A

+clowast(

1TA

+1T

M+

clowast

TM

+(

cminus1)

TA

)

TP

+T

PA

+(

cminus1)

TA

+clowast

(T

H+

TE)

+T

P+

clowast

TE

+(

cminus1)

TA

+T

P+

TP

4Ya

ngetal

[23]

nlowast

(T

H+2T

PM

+2T

E)

clowast(

1TE

+1T

M+1T

P+1T

E)

+(

cminus1)

TP

A+

(c

minus1)

TA

+(

cminus1)

TP

Aclowast

(T

H+

TE)

+(

cminus1)

TP

A+

TP

M+

TP

+T

PA

+T

P

5Prop

osed

protocol

nlowast

(T

P+

TA

+1T

M+1T

E)

(1T

H+1T

E+1T

P+1T

PA

)+

clowast

TM

+(

cminus1)lowast

TA

+clowast

TE

+(

cminus1)lowast

TP

A

TH

+clowast

(T

H+

TE)

+(

cminus1)lowast

TP

A+

TM

+1T

E+

TP

A










0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)






0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al




0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)











8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|




































xi


xi


α( 1113857

xi


αmiddotxi


(15)







xi Y( 1113857

E1 (16)



xi Y( 1113857


xi Gα

( 1113857


xi middotα


E1

(17)



xi Y( 1113857 E1 (18)



μ 1113944iϵI

mi middot vi (19)


σ 1113945iϵI

σvi

i (20)



σ

1113945iisinI


cmiddotμ (21)






i( )middotc (22)






E1

at is


xi Y( 1113857


xi Gα

( 1113857


ximiddotα


E1

(23)




















E1








1113945iϵI


cmiddotμ

1113945iϵI



1113945iϵI


iϵIe(P G)

cmiddotmimiddotvi

1113945iϵI



1113945iϵI


1113945iϵI


1113945iϵI

e(P G)xi+mi( )c

1113874 1113875vi

1113874 1113875

1113945iϵI

σvi

i

σ

(24)




3 Computes


5 Computes

6 Verify


E2 = [e(P G)xi]ni


E1 E2 IDi chal


σ = Πiisinlσivi





1113937iϵIZ


should hold true








prime]ni e CS



xi Y( 1113857


xi Gα

( 1113857


ximiddotα


neE1prime

(25)







vi

i cannot





1113937iϵIZ











Dynamicdata

operations








Tabl

e4

Com

parisonof

compu

tatio

nalc

ost

Sl

no

Protocol

Taggeneratio

n(m

s)Proo

fgeneration(m

s)Proo

fverificatio

n(m

s)

1Yu

etal

[15]

nlowast(

1TE

+1T

H+1T

E+1T

PA

)2T

H+2T

P+

TE

+T

PA

+clowast

(T

M+

TE)

+(

cminus1)lowast

(T

A+

TP

A)

clowast

(T

H+

TE

+T

P)

+1T

E+

(c

minus1)lowast

TP

A+1T

H

2Wang

etal[20]

clowast

(T

H+

TE

+T

PA

)+

TE

1TE

+clowast

TM

+(

cminus1)lowast

TA

+T

M+

TA

+T

H+

clowast

TE

+(

cminus1)lowast

TP

A

1TP

+T

PA

+T

E+

TH

+clowast

(T

H+

TE

+T

PA

)

+(

cminus1)lowast

TP

A

3Zh

uet

al

[22]

(nlowast

TE

+nlowast

TA

+1T

H)

+(

nlowast3

TM

+

(n

minus1)lowast

TA

+1T

E)

+(

nlowast

(T

H+

TE)+

nlowast

TP

M)

clowast

TM

+clowast

TE

+(

cminus1)lowast

TP

A

+clowast(

1TA

+1T

M+

clowast

TM

+(

cminus1)

TA

)

TP

+T

PA

+(

cminus1)

TA

+clowast

(T

H+

TE)

+T

P+

clowast

TE

+(

cminus1)

TA

+T

P+

TP

4Ya

ngetal

[23]

nlowast

(T

H+2T

PM

+2T

E)

clowast(

1TE

+1T

M+1T

P+1T

E)

+(

cminus1)

TP

A+

(c

minus1)

TA

+(

cminus1)

TP

Aclowast

(T

H+

TE)

+(

cminus1)

TP

A+

TP

M+

TP

+T

PA

+T

P

5Prop

osed

protocol

nlowast

(T

P+

TA

+1T

M+1T

E)

(1T

H+1T

E+1T

P+1T

PA

)+

clowast

TM

+(

cminus1)lowast

TA

+clowast

TE

+(

cminus1)lowast

TP

A

TH

+clowast

(T

H+

TE)

+(

cminus1)lowast

TP

A+

TM

+1T

E+

TP

A










0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)






0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al




0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)











8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|

































E1

at is


xi Y( 1113857


xi Gα

( 1113857


ximiddotα


E1

(23)




















E1








1113945iϵI


cmiddotμ

1113945iϵI



1113945iϵI


iϵIe(P G)

cmiddotmimiddotvi

1113945iϵI



1113945iϵI


1113945iϵI


1113945iϵI

e(P G)xi+mi( )c

1113874 1113875vi

1113874 1113875

1113945iϵI

σvi

i

σ

(24)




3 Computes


5 Computes

6 Verify


E2 = [e(P G)xi]ni


E1 E2 IDi chal


σ = Πiisinlσivi





1113937iϵIZ


should hold true








prime]ni e CS



xi Y( 1113857


xi Gα

( 1113857


ximiddotα


neE1prime

(25)







vi

i cannot





1113937iϵIZ











Dynamicdata

operations








Tabl

e4

Com

parisonof

compu

tatio

nalc

ost

Sl

no

Protocol

Taggeneratio

n(m

s)Proo

fgeneration(m

s)Proo

fverificatio

n(m

s)

1Yu

etal

[15]

nlowast(

1TE

+1T

H+1T

E+1T

PA

)2T

H+2T

P+

TE

+T

PA

+clowast

(T

M+

TE)

+(

cminus1)lowast

(T

A+

TP

A)

clowast

(T

H+

TE

+T

P)

+1T

E+

(c

minus1)lowast

TP

A+1T

H

2Wang

etal[20]

clowast

(T

H+

TE

+T

PA

)+

TE

1TE

+clowast

TM

+(

cminus1)lowast

TA

+T

M+

TA

+T

H+

clowast

TE

+(

cminus1)lowast

TP

A

1TP

+T

PA

+T

E+

TH

+clowast

(T

H+

TE

+T

PA

)

+(

cminus1)lowast

TP

A

3Zh

uet

al

[22]

(nlowast

TE

+nlowast

TA

+1T

H)

+(

nlowast3

TM

+

(n

minus1)lowast

TA

+1T

E)

+(

nlowast

(T

H+

TE)+

nlowast

TP

M)

clowast

TM

+clowast

TE

+(

cminus1)lowast

TP

A

+clowast(

1TA

+1T

M+

clowast

TM

+(

cminus1)

TA

)

TP

+T

PA

+(

cminus1)

TA

+clowast

(T

H+

TE)

+T

P+

clowast

TE

+(

cminus1)

TA

+T

P+

TP

4Ya

ngetal

[23]

nlowast

(T

H+2T

PM

+2T

E)

clowast(

1TE

+1T

M+1T

P+1T

E)

+(

cminus1)

TP

A+

(c

minus1)

TA

+(

cminus1)

TP

Aclowast

(T

H+

TE)

+(

cminus1)

TP

A+

TP

M+

TP

+T

PA

+T

P

5Prop

osed

protocol

nlowast

(T

P+

TA

+1T

M+1T

E)

(1T

H+1T

E+1T

P+1T

PA

)+

clowast

TM

+(

cminus1)lowast

TA

+clowast

TE

+(

cminus1)lowast

TP

A

TH

+clowast

(T

H+

TE)

+(

cminus1)lowast

TP

A+

TM

+1T

E+

TP

A










0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)






0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al




0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)











8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|
































1113937iϵIZ


should hold true








prime]ni e CS



xi Y( 1113857


xi Gα

( 1113857


ximiddotα


neE1prime

(25)







vi

i cannot





1113937iϵIZ











Dynamicdata

operations








Tabl

e4

Com

parisonof

compu

tatio

nalc

ost

Sl

no

Protocol

Taggeneratio

n(m

s)Proo

fgeneration(m

s)Proo

fverificatio

n(m

s)

1Yu

etal

[15]

nlowast(

1TE

+1T

H+1T

E+1T

PA

)2T

H+2T

P+

TE

+T

PA

+clowast

(T

M+

TE)

+(

cminus1)lowast

(T

A+

TP

A)

clowast

(T

H+

TE

+T

P)

+1T

E+

(c

minus1)lowast

TP

A+1T

H

2Wang

etal[20]

clowast

(T

H+

TE

+T

PA

)+

TE

1TE

+clowast

TM

+(

cminus1)lowast

TA

+T

M+

TA

+T

H+

clowast

TE

+(

cminus1)lowast

TP

A

1TP

+T

PA

+T

E+

TH

+clowast

(T

H+

TE

+T

PA

)

+(

cminus1)lowast

TP

A

3Zh

uet

al

[22]

(nlowast

TE

+nlowast

TA

+1T

H)

+(

nlowast3

TM

+

(n

minus1)lowast

TA

+1T

E)

+(

nlowast

(T

H+

TE)+

nlowast

TP

M)

clowast

TM

+clowast

TE

+(

cminus1)lowast

TP

A

+clowast(

1TA

+1T

M+

clowast

TM

+(

cminus1)

TA

)

TP

+T

PA

+(

cminus1)

TA

+clowast

(T

H+

TE)

+T

P+

clowast

TE

+(

cminus1)

TA

+T

P+

TP

4Ya

ngetal

[23]

nlowast

(T

H+2T

PM

+2T

E)

clowast(

1TE

+1T

M+1T

P+1T

E)

+(

cminus1)

TP

A+

(c

minus1)

TA

+(

cminus1)

TP

Aclowast

(T

H+

TE)

+(

cminus1)

TP

A+

TP

M+

TP

+T

PA

+T

P

5Prop

osed

protocol

nlowast

(T

P+

TA

+1T

M+1T

E)

(1T

H+1T

E+1T

P+1T

PA

)+

clowast

TM

+(

cminus1)lowast

TA

+clowast

TE

+(

cminus1)lowast

TP

A

TH

+clowast

(T

H+

TE)

+(

cminus1)lowast

TP

A+

TM

+1T

E+

TP

A










0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)






0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al




0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)











8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|































Tabl

e4

Com

parisonof

compu

tatio

nalc

ost

Sl

no

Protocol

Taggeneratio

n(m

s)Proo

fgeneration(m

s)Proo

fverificatio

n(m

s)

1Yu

etal

[15]

nlowast(

1TE

+1T

H+1T

E+1T

PA

)2T

H+2T

P+

TE

+T

PA

+clowast

(T

M+

TE)

+(

cminus1)lowast

(T

A+

TP

A)

clowast

(T

H+

TE

+T

P)

+1T

E+

(c

minus1)lowast

TP

A+1T

H

2Wang

etal[20]

clowast

(T

H+

TE

+T

PA

)+

TE

1TE

+clowast

TM

+(

cminus1)lowast

TA

+T

M+

TA

+T

H+

clowast

TE

+(

cminus1)lowast

TP

A

1TP

+T

PA

+T

E+

TH

+clowast

(T

H+

TE

+T

PA

)

+(

cminus1)lowast

TP

A

3Zh

uet

al

[22]

(nlowast

TE

+nlowast

TA

+1T

H)

+(

nlowast3

TM

+

(n

minus1)lowast

TA

+1T

E)

+(

nlowast

(T

H+

TE)+

nlowast

TP

M)

clowast

TM

+clowast

TE

+(

cminus1)lowast

TP

A

+clowast(

1TA

+1T

M+

clowast

TM

+(

cminus1)

TA

)

TP

+T

PA

+(

cminus1)

TA

+clowast

(T

H+

TE)

+T

P+

clowast

TE

+(

cminus1)

TA

+T

P+

TP

4Ya

ngetal

[23]

nlowast

(T

H+2T

PM

+2T

E)

clowast(

1TE

+1T

M+1T

P+1T

E)

+(

cminus1)

TP

A+

(c

minus1)

TA

+(

cminus1)

TP

Aclowast

(T

H+

TE)

+(

cminus1)

TP

A+

TP

M+

TP

+T

PA

+T

P

5Prop

osed

protocol

nlowast

(T

P+

TA

+1T

M+1T

E)

(1T

H+1T

E+1T

P+1T

PA

)+

clowast

TM

+(

cminus1)lowast

TA

+clowast

TE

+(

cminus1)lowast

TP

A

TH

+clowast

(T

H+

TE)

+(

cminus1)lowast

TP

A+

TM

+1T

E+

TP

A










0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)






0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al




0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)











8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|







































0

1000

2000

3000

4000

5000

6000

Com

puta

tion

cost

(ms)






0500

100015002000250030003500400045005000

Com

puta

tion

cost

(ms)

Yu et al




0500

1000150020002500300035004000

Com

puta

tion

cost

(ms)











8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|





































8 Conclusions


Data Availability




References











Wang et al[20] c(|n| + |q|) |q| + 2|p|

Zhu et al [22] c(|n| + |q| + |p|) 4|p|































anefficientintegrityverificationandauthentication...

Documents