research article a secure and efficient audit mechanism...
TRANSCRIPT
Research ArticleA Secure and Efficient Audit Mechanism for Dynamic SharedData in Cloud Storage
Ohmin Kwon Dongyoung Koo Yongjoo Shin and Hyunsoo Yoon
Department of Computer Science Korea Advanced Institute of Science and Technology (KAIST) Daejeon 305-701 Republic of Korea
Correspondence should be addressed to Dongyoung Koo dykoonslabkaistackr
Received 29 January 2014 Accepted 26 February 2014 Published 12 May 2014
Academic Editors Y Pan and J J Park
Copyright copy 2014 Ohmin Kwon et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
With popularization of cloud services multiple users easily share and update their data through cloud storage For data integrityand consistency in the cloud storage the audit mechanisms were proposed However existing approaches have some securityvulnerabilities and require a lot of computational overheads This paper proposes a secure and efficient audit mechanism fordynamic shared data in cloud storageThe proposed scheme prevents a malicious cloud service provider from deceiving an auditorMoreover it devises a new index table management method and reduces the auditing cost by employing less complex operationsWe prove the resistance against some attacks and show less computation cost and shorter time for auditing when compared withconventional approaches The results present that the proposed scheme is secure and efficient for cloud storage services managingdynamic shared data
1 Introduction
Cloud computing is a promising paradigm to create vari-ous computing environments such as [1ndash3] Cloud serviceprovider (CSP) allows network-connected users to make useof computing resources in a remote location As the usage ofcloud service matures users try to share their data in cloudstorage and process the data efficiently at a low cost [3ndash5]Although several CSPs such as Google [6] and Amazon [7]support computing environments for shared data integrity ofoutsourced data is hard to be guaranteed Due to the lack oftransparency users delegate the control for datamanagementto the third-party CSP but there is no way for users to benoticed about data loss or modification occurred at the cloudstorage In addition for the reputation of the cloud serviceCSPs are reluctant to reveal data inconsistency caused byexternal threats softwarehardware failures inside attacksand so on Therefore audit mechanisms are required forverifying consistent data management in the cloud storage
There are several studies verifying integrity of outsourceddata at untrusted storages [8ndash18] Most of them [8ndash14] areyet to consider a situation where the same data is sharedby multiple users In these approaches only a single user
is allowed to update his own data And he can audit thedata either by himself [8 9 13] or with assistance from athird-party auditor (TPA) [10ndash12 14] Recent studies [16ndash18]consider audit for shared data but they only support a limitednumber of data updates In addition the CSP can cheat oncensorship in these schemes since an index table used forverification is managed only by the CSP One way to preventsuch a cheat is to make users and the TPA also maintain theindex table Owing to storage and synchronization overheadhowever it might cause a significant delay and degrade thequality of service (QoS) as the number of data updatesincreases
In order to design a secure and efficient audit mechanismfor dynamic shared data in cloud storage aforementionedchallenges should be efficiently addressed In other words thescheme must guarantee the following properties
(1) Audit for Outsourced Data The TPA is able to checkthe integrity of outsourced data without retrieving alldata contents
(2) SharedDynamicData Users are allowed to outsourceshare insert delete or modify their data contentswithout restriction
Hindawi Publishing Corporatione Scientific World JournalVolume 2014 Article ID 820391 10 pageshttpdxdoiorg1011552014820391
2 The Scientific World Journal
(3) Efficiency Computational overhead for data out-sourcing and update at users side as well as the onesfor auditing at the TPA should be low
(4) Soundness The CSP is not allowed to deceive users orthe TPA into passing a censorship of damaged datacontents
We propose an audit mechanism satisfying the aboverequirements by utilizing aggregate signature [19] and sampleauditing [8] For data integrity and consistency the TPAmanages an index table and the CSP keeps renewing anidentifier for data update In addition the audit mechanismprovides efficiency to users and the TPA through makingthe auditing operations simple Specially in this paper weconsider forge attack and replace attack as regards soundnessfor the sake of secure audit These attacks are described in[20] and they can be summarized as follows Forge attack is anattack to forge a verifying term for a data content which wasnot actually outsourced by users Replace attack is an attackto pass a censorship by choosing another data content forverification in place of the damaged data content
The rest of this paper is organized as follows In Section 2we introduce related works about auditing data in the cloudstorage In Section 3 issues about index table managementare described depending on which entity manages it InSection 4 we present methods for our audit mechanism InSection 5 preliminaries used in our work are briefly intro-duced In Section 6 a secure and efficient audit mechanismfor dynamic shared data is presented In Section 7 security ofthe proposed scheme is analyzed In Section 8 performanceevaluations and experimental results show efficiency of ourmechanism Finally we conclude our work in Section 9
2 Related Work
Ateniese et al firstly introduced the notion of provable datapossession (PDP) in [8] for integrity check of outsourceddata in untrusted storage They could achieve efficient auditwith high probability of detection by sampling randomblocksfrom outsourced data instead of downloading the entiredata Since the original PDP does not consider dynamicdata a user should download the whole data and regeneratemetadata for verification whenever there is a modificationof the outsourced data To provide audit for dynamic datawithout retrieving entire data subsequent works adoptedauthenticated data structures such as skip list Merkle treeor index tables [9 12 14ndash18] Erway et al [9] proposeddynamic provable data possession (DPDP) based on rank-based authenticated skip list and Wang et al [12] presented amechanism by exploiting Merkle tree Both schemes requirereconstruction of the authenticated data structure when thecorresponding data is updated Another data structure calledindex table was introduced to handle data updates moreefficiently by keeping unique identifier for each data block[14ndash18]
It is also notable that outsourced data should be auditedperiodically for verifying consistent data management Ded-icated to this purpose TPAs can be delegated by usersfor auditing outsourced data in privacy-preserving manner
Privacy preservation means that the TPA cannot learn anyinformation about the data during audit process It wasachieved through the methods of random masking [11] andbilinear map [14]
3 Index Table Management
Previous works [14ndash18] utilized an index table for efficientdata updates It is composed of indices which representthe sequences of data blocks and identifiers The identifierwhich is used in tag (tag is a verifying term stored withdata in the cloud storage and has consistency with a datablock) generation and verification is a number identifyingeach data block It should be defined in order to keep theinitial value in all circumstances Otherwise a user repeatsfollowing operations whenever identifiers of data blocks inthe cloud storage are changed The user downloads datablocks which have changed identifiers regenerates tags ofthem and uploads the tags to the cloud storage
In this section we look into security issues and updateflows depending on which entity manages an index table Atthe security aspect we check the possibility of forge attackand replace attack Then we describe communication flowsfor getting an identifier of new data block when a user tries toupdate
31 Management by the CSP When the CSP onlymanages anindex table users and the TPA do not have any informationabout identifiers of data blocks which are already uploadedand will be updated As illustrated in Figure 1 the userrequests an identifier of new data block to the CSP when hetries to update In this environment the CSP can forge tagsof data blocks which users have not uploaded It transmits anidentifier already existed in the index table then obtains tagswhich are of different data blocks but have same identifierIt can learn meaningful information for forgery throughcombination of these data blocks and tags
Since the TPA needs identifiers of challenged data blockswhen verifying it receives a proof that includes the identifiersfrom the CSP [16ndash18] However the TPA cannot distinguishthem from the challenged ones because it does not maintainan index table Therefore if challenged data blocks aremodified or deleted the CSP can replace them with otherundamaged data blocks
32 Management by the TPA One simple way to preventthe forge attack and replace attack in the above case is thatthe TPA manages an index table [15] Even though the CSPtries to launch a forge attack by exploiting a collision ofidentifiers it is impossible because the CSP has no knowledgeof identifiers In addition a replace attack can be detectedeasily because the TPA knows identifiers of challenged datablocks through the index table
Figure 2 shows that the TPA participates in the updateprocess and a user who tries to update cannot generate a tagfor new data block without a reception of new identifier fromthe TPA Accordingly update process can be delayed when
The Scientific World Journal 3
TPA Users CSP
Request new identifier
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifier
Generate
id1
id2
idn
New identifier id998400i
tag 120590998400i
Update data m998400i and tag 120590998400
i
u1 uk ud
Figure 1 Data update flows when the only CSP manages an indextable
New identifier id998400i
tag 120590998400i
Update data m998400i
and tag 120590998400i
TPA Users CSP
Request new identifier
Update report
Generate
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifierid1
id2
idn
u1 uk ud
Figure 2 Data update flows when the only TPA manages an indextable
the TPA is on sleep or suffers from bottleneck caused by alarge number of requests from users
33 Management by Both the TPA and Users Delays ofupdate process can be removed through managing an indextable by a user directly [14] Generally it is suitable for asituation where data is not shared However it has a problemabout synchronization of index tables because the indextables are managed separately by each individual user whoshares the data If they are not synchronized identifiersgenerated by other users can have same value then the CSPcan exploit forge attack or replace attack by using such tagsgenerated by the same identifiers
Broadcasting update information after a user finisheddata update is a solution for synchronization as shown inFigure 3 However it requires all users to always wake upOtherwise the users need to request the information forsynchronization but cannot easily determine who has thenewest index table Although the users can request it to theTPA this is not different from a previous way that the onlyTPA manages an index table
TPA Users CSP
Synchronize index tables of TPAand users after data update
Generatetag 120590998400
i
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifierid1
id2
idn
Update data m998400i
and tag 120590998400i
u1 uj uk ud
Figure 3 Data update flows when the TPA and users manage anindex table together
4 Methods
In this section we present methods for a secure and efficientaudit mechanism for shared dynamic data
41 System Model Our system model for auditing mecha-nism is illustrated in Figure 4There are four entities CSP ini-tial uploader users and TPA The CSP provides a large-scalestorage for shared data to users It should process requestsfrom authorized users and respond to every challenge fromthe TPA An initial uploader uploads data to cloud storagefirstly and forms a group of users who share the data togetherUsers in the group are able to access and update shared datain the cloud storage Both an initial uploader and the usersare able to audit shared data in cloud storage via the TPAdelegated by the initial uploader
42 Secure and Efficient Index Table Management We pro-pose a secure and efficient index table management thatis used for our audit mechanism As mentioned in theprevious section a TPA must manage an index table toprevent forge attack and replace attack However delay andsynchronization problems can be caused when the indextable is managed by the only TPA or each user To solvethese problems it is required that a user who tries to updateobtains an identifier from the CSP as described in Figure 5Consequently a way that the TPA manages an index tableand the CSP keeps renewing an identifier for new data blocksatisfies security and efficiency
43 Identifier Definition for Dynamic Data Changing iden-tifiers of data blocks by update process causes repetitivetasks to usersThey download the corresponding data blocksregenerate tags to apply the modified identifiers and uploadthe tags again to cloud storage Our mechanism removesthese repetitive tasks by defining the identifier as an uploadsequence of the data block If an update of data block happensthen new identifier is assigned as the upload sequence fromthe CSP
4 The Scientific World Journal
(1) D
elegat
ion of
auditin
g
for share
d data
(2) A
uditing r
equest
(5) A
uditing r
eport
(3) Challenge for auditing
(4) Response for proof
Initial uploader
Group
Data flow
CSP
TPA
Data
Tag
m1 m2 mnmiddot middot middot
1205901 1205902 middot middot middot 120590nmiddot middot middot middot middot middot
Manage users in group
Figure 4 Our system model for auditing mechanism
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifier
TPA Users CSP
Request new
Update report
Identifier id998400
Renewidentifier id998400
identifier
Generate
id1
id2
idn
New identifier id998400i
tag 120590998400i
Update data m998400i
and tag 120590998400i
u1 uk ud
Figure 5 Data update flows in the proposed mechanism
44 Simple Operations for Audit Mechanism Conventionalapproaches employ relatively complex operations for auditmechanism It may causemore delay time and computationaloverhead for tag generation and verification For efficiencyof audit mechanism the proposed scheme utilizes simpleoperations in the data integrity check Moreover because itcan reduce delay time and computational overhead throughlight-weight operations the QoS of the cloud storage serviceis improved
5 Preliminaries
In this section cryptographic backgrounds for the proposedscheme are briefly introduced
51 Bilinear Map Let 1198661and 119866
2be multiplicative cyclic
groups of prime order 119901 and let 119892 be a generator of 1198661 Then
a bilinear map 119890 satisfies the following properties
(1) Bilinearity for any 119906 V isin 1198661 and 119886 119887 isin 119885
119901
119890(119906119886 V119887) = 119890(119906 V)119886119887
(2) Nondegeneracy 119890(119892 119892) = 1(3) Computability there exists an efficiently computable
algorithm 119890 satisfying the above properties such that119890 1198661times 1198661rarr 1198662
52 Pseudorandom Permutation Let 119865 0 1119899times 0 1
119899rarr
0 1119899 be an efficiently computable keyed permutation for
positive integer 119899 We say that 119865 is a pseudorandom per-mutation if there exists a negligible function negl for anyprobabilistic polynomial-time distinguisher119863 such that
10038161003816100381610038161003816Pr [119863119865119896(sdot) (1119899) = 1] minus Pr [119863119891(sdot) (1119899) = 1]
10038161003816100381610038161003816le negl (119899) (1)
where 119896$larr 0 1
119899 is a permutation key chosen uniformly atrandom and 119891 is a real-random permutation
53 Discrete Logarithm (DL) Assumption Discrete logarithm(DL) problem is to compute 119886 isin 119885
119901 given 119892 isin 119866
1and 119892
119886isin
1198661 The DL assumption holds in 119866
1if it is computationally
infeasible to solve DL problem in 1198661
6 The Proposed Scheme
In this section we present a secure and efficient audit mech-anism supporting dynamic updates of shared data Whencloud storage service initiates a CSP generates public param-eters for system and publicizes them An initial uploadergenerates secret components and public components used intag generation and verification He divides data into blocksand generates tags for each data blockThen he uploads them
The Scientific World Journal 5
to the cloud storage and deletes them in his local storageTo share the data with other users he needs to deliver secretcomponents for tag generation In addition he can delegateauditing processes to a TPA by delivering a part of secretcomponents for verification
When a user tries to update a new data block he receivesan identifier from the CSP generates a tag for the data blockand uploads them After update is finished the user reportsupdate information to the TPA Then the TPA updates anindex table following the update information And the CSPrenews the identifier as next upload sequence for next update
The TPA maintains the newest index table that keepstrack of upload sequence of data blocks The TPA makes achallenge derived from the index table and transmits it to theCSP periodically or when a user wantsThe CSP who receivesthe challenge makes a proof and responds to it Then theTPA checks whether outsourced data is damaged or not byverifying the proof with the challenge
61 Definition The proposed scheme Π is composed of thefollowing eight algorithms such as Π = 119878119890119905119906119901119870119890119910119866119890119899
119879119886119892119866119890119899 119879119886119892119866119890119899119880119901 119868119879119880119901 119862ℎ119886119897119866119890119899 119875119903119900119900119891119866119890119899 119881119890119903119894119891119910
119878119890119905119906119901(120574) rarr 119901119886119903119886119898 On security parameter 120574 the CSPgenerates and publicizes public parameters 119901119886119903119886119898
119870119890119910119866119890119899(119901119886119903119886119898) rarr (119892119898119904119896 119892119904119896 119892119886119896 119892119901119896) An initialuploader takes public parameter 119901119886119903119886119898 as input and outputsgroupmaster key 119892119898119904119896 group secret key 119892119904119896 group auditingkey 119892119886119896 and group public key 119892119901119896 Group master key 119892119898119904119896
is kept secret Group secret key 119892119904119896 = 1198921199041198961 1198921199041198962 and group
auditing key 119892119886119896 are used in tag generation Group public key119892119901119896 = 119892119901119896
1 1198921199011198962 is used for verification of data integrity
along with group auditing key 119892119886119896
119879119886119892119866119890119899(119872 119892119904119896 119892119886119896) rarr 120590 On uploading data 119872 to thecloud storage the initial uploader divides the data into blocksand generates a set of tags 120590 using 119892119904119896 and 119892119886119896 Eachcomponent of 120590 is a tag of the corresponding data block in119872 such that 120590 = 120590
1 120590
119899
119879119886119892119866119890119899119880119901(1198981015840
119894 119892119904119896 119892119886119896 id1015840
119894) rarr 120590
1015840
119894 When a user tries to
update a data block 1198981015840
119894 he generates a new tag 120590
1015840
119894using 119892119904119896
119892119886119896 and new identifier id1015840119894received from the CSP
119868119879119880119901(119880type 119880index 119880id iT) rarr iT1015840 This algorithm takesupdate information and current index table iT as inputand outputs new index table iT1015840 The update informationincludes three elements119880type 119880index and119880id119880type representsan update type which can be either insertion modificationor deletion 119880index is the index of the data block to beupdated and 119880id is a newly assigned unique identifier usedin 119879119886119892119866119890119899119880119901 for the data block
119862ℎ119886119897119866119890119899(iT) rarr 119888ℎ119886119897 This algorithm generates a challeng-ing query 119888ℎ119886119897 = 119897 119903
119897119897isin119871
for randomly selected blocks TheTPA chooses random indices 119871 from the index table iT andgenerates random values 119903
119897119897isin119871
119875119903119900119900119891119866119890119899(119872 120590 119888ℎ119886119897 119892119901119896) rarr (120572 120573) The CSP generates aproof (120572 120573) for a challenge from the TPA 120572 is derived fromoutsourced data blocks 119898
119897119897isin119871
119903119897119897isin119871
and 119892119901119896 while 120573 iscomputed from tags 120590
119897119897isin119871
and 119903119897119897isin119871
119881119890119903119894119891119910(119888ℎ119886119897 iT (120572 120573) 119892119901119896 119892119886119896) rarr 119879119903119906119890119865119886119897119904119890 This algo-rithm verifies consistency of the proof generated by the CSPfor the given challenge If they are consistent it outputs119879119903119906119890Otherwise it outputs 119865119886119897119904119890
62 Construction Let 1198661 1198662be multiplicative cyclic groups
of prime order 119901 let 119892 be a generator of1198661 let 119890 119866
1times1198661rarr
1198662be a bilinear map and let 119865 0 1
log119901times 0 1
log119901rarr
0 1log119901 be a pseudorandom permutation We consider data
119872 is divided into 119899 blocks as 119872 = (1198981 119898
119899) and each
data block119898119894= (1198981198941 119898
119894119904) contains 119904 sectors of 119885
119901
621 Setup When cloud storage service initiates the CSPchooses two groups 119866
1 1198662with 119892 for a bilinear map 119890
by running 119878119890119905119906119901 algorithm and publicizes 119901119886119903119886119898 =
(1198661 1198662 119901 119892 119890) to users and the TPA
622 Upload for Data Sharing An initial uploader 1199061 runs
119870119890119910119866119890119899 algorithm It first chooses (119904 + 2) random values119892119898119904119896 = 119886 isin 119885
lowast
119901 119892119886119896 = 119887 isin 119885
119901 and 119892119904119896
2= 119892119904119896
2119895=
119888119895isin 119885119901119895isin[1119904]
and computes 1198921199041198961
= 1198921119886
1198921199011198961
= 119892119886 and
1198921199011198962
= 1198921199011198962119895
= 119892119888119895119895isin[1119904]
Then by running 119879119886119892119866119890119899 1199061
generates corresponding tags such as
120590119894= (119892119904119896
1)119865119892119886119896(119894) +sum119895isin[1119904] 1198921199041198962119895 sdot119898119894119895 (2)
for 1 le 119894 le 119899 1199061uploads (119872 120590) to the cloud storage and
deletes them from his local storage When the CSP receivesfresh data from the initial uploader it saves an identifier id1015840 =119899+1 for the next upload sequence To share data119872with otherusers 119906
1delivers group secret key 119892119904119896 and group auditing key
119892119886119896 to them
623 Delegation of Audit The initial uploader 1199061delegates
audit for shared data to the TPA by delivering a groupauditing key 119892119886119896 In addition 119906
1notifies the number of data
blocks 119899 for the TPA to correctly generate an initial indextable for 119872 In other words the TPA creates an index tablewhich includes identifiers defined as block sequences initially
624 Data Update In the proposed scheme any user 119906119896in
the group which shares data 119872 is allowed to modify insertor delete data119872 in the cloud storage
If 119906119896tries to modify 119894-th block 119898
119894 119906119896first receives a new
identifier from theCSP as illustrated in Figure 5On receipt ofthe identifier id1015840
119894 119906119896computes a tag 120590
1015840
119894for updated data block
1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm as follows
1205901015840
119894= (119892119904119896
1)119865119892119886119896(id
1015840
119894) +sum119895isin[1119904]1198921199041198962119895 sdot119898
1015840
119894119895 (3)
Then 119906119896sends (119880type =
1015840 119880index = 119894 119880id = id1015840
119894) along
with (1198981015840
119894 1205901015840
119894) to the CSP where
1015840 stands for modification
6 The Scientific World Journal
Initial next identifierid998400 = n + 1
(UtypeUindex = 2Uid = n + 1)
(UtypeUindex = 3Uid = n + 2)
(UtypeUindex = 3Uid = 0)
Next identifierid998400 = n + 2
Next identifierid998400 = n + 3
Next identifierid998400 = n + 3
n + 1
n + 1
n + 1
n + 1
n + 2m998400
2
1205909984002
m9984002
1205909984002
m9984002
1205909984002
m9984003
1205909984003
m9984002 120590998400
2
m9984003
1205909984003
(a) State after initial upload (b) State after modification of m2
(c) State after insertion of m9984003(d) State after the deletion of m998400
3
Data
Tag
Initial index table (IT)
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
IdentifierIndex12 23
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
1234
1
3middot middot middot middot middot middot
n
Identifier
Data
Tag
m1 m2 m3 mnmiddot middot middot
1205901 1205902 1205903 middot middot middot 120590n
m1 m3 mnmiddot middot middot
1205901 1205903 middot middot middot 120590n
Data
Tag
m1 m3 mnmiddot middot middot
1205901 1205903
m3
1205903
middot middot middot 120590n
Data
Tag
m1 mnmiddot middot middot
1205901 middot middot middot 120590n
TPA CSP TPA CSP
TPA CSPTPA CSP
= M998400
= D998400
= I998400
Figure 6 Examples of data update
The CSP can update the data block in the cloud storage byreplacement of (119898
119894 120590119894) with (119898
1015840
119894 1205901015840
119894) uploaded by 119906
119896
For the case of insertion 119906119896makes a tag 120590
1015840
119894for newly
created data block 1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm and
sends (119880type = 1015840 119880index = 119894 119880id = id1015840
119894) along with (119898
1015840
119894 1205901015840
119894) to
the CSPWhen 119906
119896wants to delete data block in the cloud storage
119906119896sends (119880type =
1015840 119880index = 119894 119880id = 0) to the CSP
and allows the CSP to delete the corresponding data blockfrom the cloud storage In this case 119906
119896does not need to
request a new identifier Therefore we set the value of 119880id byzero
After update is finished 119906119896delivers update information
(119880type 119880index 119880id) to the TPA for consistent audit for updatedshared data in the cloud storage Then the TPA updates theindex table managed by itself according to the informationby running 119868119879119880119901 When 119880type =
1015840 it changes the 119880index-th identifier to 119880id When 119880type =
1015840 the TPA inserts 119880idjust before the 119880index-th field while it removes the 119880index-th field from the index table if 119880type =
1015840 Through thisnotification of data updates the TPA can detect maliciousbehaviors of theCSP In other words the CSP cannot transmitpreviously used identifier in order to exploit forge attack andreplace attack Simple examples of data update are depicted inFigure 6
625 Audit for Outsourced Data For the TPA to checkintegrity of outsourced data it engages in challenge-responseprotocol with the CSPTheTPA first chooses a random subset119871 of indices from the index table and generates randomvalues119903119897
isin 119885lowast
119901119897isin119871
by running 119862ℎ119886119897119866119890119899 algorithm The 119888ℎ119886119897 =
119897 119903119897119897isin119871
is transmitted to the CSP and the CSP generates
a proof (120572 120573) for the challenge 119888ℎ119886119897 by running 119875119903119900119900119891119866119890119899
algorithm as follows
120572 = prod
119895isin[1119904]
119892119901119896sum119897isin119871119903119897sdot119898119897119895
2119895
120573 = prod
119897isin119871
120590119903119897
119897
(4)
After receiving the proof (120572 120573) as a response of thechallenge the TPA verifies it by running 119881119890119903119894119891119910 algorithm asfollows
119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 120572 119892) =
119890 (120573 119892119901119896
1) (5)
If (5) holds then the TPA returns 119879119903119906119890 and returns 119865119886119897119904119890otherwise
7 Security Analysis
In this section we show that the proposed scheme is correctand resistant against forge attack and replace attack
Theorem 1 Π provides correctness to the TPA during audit-ing outsourced data
Proof Correctness of Π is achieved by exploiting bilinearproperty of the bilinear map Left-hand side (LHS) of (5)expands as follows
LHS = 119890(119892sum119897isin119871119903119897sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
1198921198921199041198962119895 sdotsum119897isin119871 119903119897 sdot119898119897119895 119892)
The Scientific World Journal 7
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897)+sum119895isin[1119904](1198921199041198962119895 sdotsum119897isin119871 119903119897sdot119898119897119895) 119892)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(6)
while the right-hand side (RHS) of (5) expands as follows
RHS = 119890(prod
119897isin119871
120590119897
119903119897 1198921199011198961)
= 119890(prod
119897isin119871
119892119903119897 sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890 (119892sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(7)
Since the terms LHS and RHS are the same the proof iscompleted
Theorem 2 Π is secure against forge attack
Proof If the CSP acquires an element in 1198921199011198962119895
1119892119898119904119896=
1198921198921199041198962119895119892119898119904119896
119895isin[1119904]from the public parameter 119892119901119896 the CSP can
forge a tag Given 1198921199011198961= 119892119892119898119904119896 computing 119892119898119904119896 is hard due
to DL assumptionThus it is infeasible for the CSP to acquirean element in 119892
1198921199041198962119895119892119898119904119896119895isin[1119904]
When 119865
119892119886119896(id119894) for 120590
119894and 119865
119892119886119896(id119902) for 120590
119902are the same
the CSP computes 120590119894120590119902 Then the CSP can obtain 120575 =
(1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895) and forge the tag 120590
119911of data block119898
119911
using 120575 as follows
1205901015840
119911= 120590119911times 120575
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119911119895
times (1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895)
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot(119898119911119895+119898119894119895minus119898119902119895)
(8)
Finally the CSP obtains forged tag 1205901015840
119911of modified data block
1198981015840
119911= 119898
119911119895+ 119898119894119895
minus 119898119902119895119895isin[1119904]
However 119865119892119886119896
(id119894) and
119865119892119886119896
(id119902) cannot be the same value for id
119894= id119902because of the
definition of pseudorandompermutationTherefore the CSPcannot forge a tag to pass the censorship This completes theproof
Theorem 3 Π is secure against replace attack
Proof When damaged block 119898119894
is challenged theCSP may try to pass the censorship by choosing adifferent block (119898
119902 120590119902) in place of (119898
119894 120590119894) such as
1205721015840= prod119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897 sdot119898119897119895
2119895and 120573
1015840= 120590119903119894
119902sdot prod119897isin119871119897 = 119894
120590119903119897
119897
Then the left-hand side of (5) is computed as
119890(119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895
2119895 119892)
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 119892
sum119895isin[1119904]1198921199041198962119895 sdot(119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895) 119892)
=119890 (119892119903119894 sdot(119865119892119886119896(id119894)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119902119895)+sum119897isin119871119897 = 119894 119903119897sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895) 119892)
= 119890 (119892(119903119894 sdot119865119892119886119896(id119894)minus119903119894 sdot119865119892119886119896(id119902))119892119898119904119896 times 120573
1015840 1198921199011198961)
(9)
in which 119892(119903119894 sdot(119865119892119886119896(id119894)minus119865119892119886119896(id119902)))119892119898119904119896 should be 1 to satisfy (5)
This means that 119865119892119886119896
(id119894) and 119865
119892119886119896(id119902) should be the same
Due to the bijective property of the permutation howeverthese values cannot be the same
8 Performance Evaluation
In this section the prosed scheme is analyzed and comparedwith previous studies [14ndash16] in terms of communication andcomputational overhead We first evaluate communicationoverhead for updating a data block Then computationaloverhead for tag generation and verification is evaluated
81 Communication Overhead As we described in Section 3the way to get an identifier of updated data block depends onwhich entity manages an index table In Wang et alrsquos work[16] 119906
119896needs one round-trip communication to request and
receive the identifier (Figure 1) Zhu et al [15] utilize a waythat the TPA manages the index table (Figure 2) It needsan additional connection between 119906
119896and the TPA for the
identifier and a report of update information Yang and Jia[14] utilize a way that a user manages the index table byhimself Although it is suitable when the outsourced data ismanaged by a single user it requires more communicationcosts for synchronization of the index tables when the data isshared by multiple users
Communication costs are summarized in Table 1 Weomitted costs for uploading a data block and a correspondingtag for simplicity Although the proposed scheme seems torequire the same cost as Zhu et alrsquos approach there may beupdate delays caused by concentration of communications tothe TPA in [15] On the other hand the proposed schemeremoves this delay via a direct acquisition of the identifierfrom the CSP For [14] to synchronize the index tables of usersand the TPA 119906
119896needs to broadcast extra update information
Considering this circumstance additional communicationscaused by broadcast might be added into Table 1
82 Computational Overhead Computation costs for taggeneration and verification are described in Table 2 Theproposed scheme requires a single Exp
119866operation in tag
generation while the others [14ndash16] require Exp119866and Mul
119866
operations which are proportional to the number of sectors
8 The Scientific World Journal
Table 1 Connections and communication costs for updating a data block
Wang et al [16] Zhu et al [15] Yang and Jia [14] Our scheme
Connections 119906119896harr CSP
119906119896harr TPA 119906
119896with other users 119906
119896harr TPA
119906119896harr CSP 119906
119896harr TPA
119906119896harr CSP
119906119896harr CSP
Extra communication costs 1003816100381610038161003816119902id1003816100381610038161003816 + |id| 1003816100381610038161003816119902id
1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info1003816100381610038161003816 119889 times
1003816100381610038161003816119906info1003816100381610038161003816
1003816100381610038161003816119902id1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info
1003816100381610038161003816
Table 2 Computation costs for a tag generation and verification
Tag generation VerificationWang et al [16] (119878 + 1) sdot Exp
119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878 minus 1) sdotMul
119866+ 119871 sdot 119867
119866
Zhu et al [15] (119878 + 2) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
3 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878) sdotMul
119866+ 119871 sdot 119867
119866
Yang and Jia [14] (119878 + 1) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 1) sdot Exp119866+ 119871 sdotMul
119866+ 119871 sdotMul
119885119901+ 119871 sdot 119867
119866
Our scheme Exp119866+ 119878 sdotMul
119885119901+ 119878 sdot Add
119885119901+ 119865prp
2 sdot Pair + Exp119866+Mul
119866
119871 sdotMul119885119901
+ (119871 minus 1) sdot Add119885119901
+ 119871 sdot 119865prp
in a data block When the TPA verifies a proof received fromthe CSP one Exp
119866and one Mul
119866operations are required in
the proposed scheme regardless of the number of challengeddata blocks However the others require Exp
119866and Mul
119866
operations linear to the number of challenged data blockswhich cause a significant overhead to the TPA
83 Experimental Results We measure the performance ofour scheme and compare it with other works [14ndash16] basedon implementations inUbuntu 1204We utilize Paring BasedCryptography (PBC) library for cryptographic operationsand OpenSSL to use Advanced Encryption Standard (AES)for pseudorandom permutation All experiments are exe-cuted on an Intel Core i3 310GHz with 2GB memory Weassume that |119901| is 160 bits |id| is 80 bits and size of a datablock is 160 bits We simulate each scheme on 4 different datawhich has 1000 data blocks with 5 times All experimentalresults show an average of 20 trials
831 TagGeneration Theperformances of the tag generationtimes are presented in Figure 7(a) Tag generation time inour scheme is 318 milliseconds per block when 119878 = 1
and 328 milliseconds per block when 119878 = 100 Sincea single Exp
119866is required regardless of 119878 119878 almost never
influences on tag generation time However tag generationtimes of the others increase with increasing 119878 Reference[16] requires 32365 milliseconds per block and [14] requires32463 milliseconds per block when 119878 = 100 Since they havesame computation complexity their tag generation times arealmost identical Reference [15] needs onemore Exp
119866Thus it
requires 32997milliseconds per blockwhich ismore than theothers
832 Verification Wemeasure verification times dependingon 119871 when 119878 = 100 As depicted in Figure 7(b) theverification times for the TPA are dependent on 119871 in theothers [14ndash16]When 119871 = 500 [14ndash16] requires 513 566 and575 seconds respectively Furthermore Figure 7(c) shows
that 119878 influences [15 16] However our scheme requires 001seconds for verification regardless of 119871 and 119878
9 Conclusion
In this paper we present a secure and efficient audit mech-anism for shared dynamic data in cloud storage It makespossible for the TPA to correctly audit outsourced data whichcan be updated in a secure manner With simple index tablemanagement by the TPA and identifier renewal by the CSPany user in a group can update shared data block efficientlyFurthermore making the auditing operations simple leads toless computational overhead for the whole auditing processPerformance evaluation and security analysis show thatthe proposed scheme is best suited to the cloud storagewhere multiple users share and update the outsourced datafrequently
Notations
119906119896 A user who tries to update
119889 The number of users in group119871 The number of challenged data blocks119878 The number of sectors in a data blockid An identifier119902id Request for an identifier119906info Update information119865prp Pseudorandom permutation119867119866 0 1
lowast to 119866
Pair Pairing operationExp119866 Exponentiation in 119866
Mul119866 Multiplication in 119866
Mul119885119901 Multiplication in 119885
119901
Add119885119901 Addition in 119885
119901
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
The Scientific World Journal 9
0
50
100
150
200
250
300
350
1 20 40 60 80 100
Tag
gene
ratio
n tim
e (m
s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(a) Impact of 119878 on tag generation time
0
1
2
3
4
5
6
7
100 200 300 400 500
Verifi
catio
n tim
e (s)
The number of challenged data blocksOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(b) Impact of 119871 on verification time when 119878 = 100
0
1
2
3
4
5
6
20 40 60 80 100
Verifi
catio
n tim
e (s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(c) Impact of 119878 on verification time when 119871 = 460
Figure 7 Experimental results
Acknowledgment
This work was supported by the IT R amp D program ofMKEKEIT (10041244 SmartTV 20 Software Platform)
References
[1] E-H Song H-W Kim and Y-S Jeong ldquoVisual monitoringsystem of multi-hosts behavior for trustworthiness with mobilecloudrdquo Journal of Information Processing Systems vol 8 no 2pp 347ndash358 2012
[2] J Bringer and H Chabanne ldquoEmbedding edit distance toenable private keyword searchrdquoHuman-Centric Computing andInformation Sciences vol 2 article 2 2012
[3] Y Pan and J Zhang ldquoParallel programming on cloud comput-ing platforms challenges and solutionsrdquo Journal of Convergencevol 3 no 4 pp 23ndash28 2012
[4] T Teraoka ldquoOrganization and exploration of heterogeneouspersonal data collected in daily liferdquoHuman-Centric Computingand Information Sciences vol 2 article 1 no 1 2012
[5] J K Y Ng ldquoUbiquitous healthcare healthcare systems andapplications enabled by mobile and wireless technologiesrdquoJournal of Convergence vol 3 no 2 pp 15ndash20 2012
[6] ldquoGoogle Google driverdquo httpdrivegooglecom[7] ldquoAmazon Amazon s3rdquo httpawsamazoncoms3[8] G Ateniese R Burns R Curtmola et al ldquoProvable data
possession at untrusted storesrdquo in Proceedings of the 14th ACM
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
2 The Scientific World Journal
(3) Efficiency Computational overhead for data out-sourcing and update at users side as well as the onesfor auditing at the TPA should be low
(4) Soundness The CSP is not allowed to deceive users orthe TPA into passing a censorship of damaged datacontents
We propose an audit mechanism satisfying the aboverequirements by utilizing aggregate signature [19] and sampleauditing [8] For data integrity and consistency the TPAmanages an index table and the CSP keeps renewing anidentifier for data update In addition the audit mechanismprovides efficiency to users and the TPA through makingthe auditing operations simple Specially in this paper weconsider forge attack and replace attack as regards soundnessfor the sake of secure audit These attacks are described in[20] and they can be summarized as follows Forge attack is anattack to forge a verifying term for a data content which wasnot actually outsourced by users Replace attack is an attackto pass a censorship by choosing another data content forverification in place of the damaged data content
The rest of this paper is organized as follows In Section 2we introduce related works about auditing data in the cloudstorage In Section 3 issues about index table managementare described depending on which entity manages it InSection 4 we present methods for our audit mechanism InSection 5 preliminaries used in our work are briefly intro-duced In Section 6 a secure and efficient audit mechanismfor dynamic shared data is presented In Section 7 security ofthe proposed scheme is analyzed In Section 8 performanceevaluations and experimental results show efficiency of ourmechanism Finally we conclude our work in Section 9
2 Related Work
Ateniese et al firstly introduced the notion of provable datapossession (PDP) in [8] for integrity check of outsourceddata in untrusted storage They could achieve efficient auditwith high probability of detection by sampling randomblocksfrom outsourced data instead of downloading the entiredata Since the original PDP does not consider dynamicdata a user should download the whole data and regeneratemetadata for verification whenever there is a modificationof the outsourced data To provide audit for dynamic datawithout retrieving entire data subsequent works adoptedauthenticated data structures such as skip list Merkle treeor index tables [9 12 14ndash18] Erway et al [9] proposeddynamic provable data possession (DPDP) based on rank-based authenticated skip list and Wang et al [12] presented amechanism by exploiting Merkle tree Both schemes requirereconstruction of the authenticated data structure when thecorresponding data is updated Another data structure calledindex table was introduced to handle data updates moreefficiently by keeping unique identifier for each data block[14ndash18]
It is also notable that outsourced data should be auditedperiodically for verifying consistent data management Ded-icated to this purpose TPAs can be delegated by usersfor auditing outsourced data in privacy-preserving manner
Privacy preservation means that the TPA cannot learn anyinformation about the data during audit process It wasachieved through the methods of random masking [11] andbilinear map [14]
3 Index Table Management
Previous works [14ndash18] utilized an index table for efficientdata updates It is composed of indices which representthe sequences of data blocks and identifiers The identifierwhich is used in tag (tag is a verifying term stored withdata in the cloud storage and has consistency with a datablock) generation and verification is a number identifyingeach data block It should be defined in order to keep theinitial value in all circumstances Otherwise a user repeatsfollowing operations whenever identifiers of data blocks inthe cloud storage are changed The user downloads datablocks which have changed identifiers regenerates tags ofthem and uploads the tags to the cloud storage
In this section we look into security issues and updateflows depending on which entity manages an index table Atthe security aspect we check the possibility of forge attackand replace attack Then we describe communication flowsfor getting an identifier of new data block when a user tries toupdate
31 Management by the CSP When the CSP onlymanages anindex table users and the TPA do not have any informationabout identifiers of data blocks which are already uploadedand will be updated As illustrated in Figure 1 the userrequests an identifier of new data block to the CSP when hetries to update In this environment the CSP can forge tagsof data blocks which users have not uploaded It transmits anidentifier already existed in the index table then obtains tagswhich are of different data blocks but have same identifierIt can learn meaningful information for forgery throughcombination of these data blocks and tags
Since the TPA needs identifiers of challenged data blockswhen verifying it receives a proof that includes the identifiersfrom the CSP [16ndash18] However the TPA cannot distinguishthem from the challenged ones because it does not maintainan index table Therefore if challenged data blocks aremodified or deleted the CSP can replace them with otherundamaged data blocks
32 Management by the TPA One simple way to preventthe forge attack and replace attack in the above case is thatthe TPA manages an index table [15] Even though the CSPtries to launch a forge attack by exploiting a collision ofidentifiers it is impossible because the CSP has no knowledgeof identifiers In addition a replace attack can be detectedeasily because the TPA knows identifiers of challenged datablocks through the index table
Figure 2 shows that the TPA participates in the updateprocess and a user who tries to update cannot generate a tagfor new data block without a reception of new identifier fromthe TPA Accordingly update process can be delayed when
The Scientific World Journal 3
TPA Users CSP
Request new identifier
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifier
Generate
id1
id2
idn
New identifier id998400i
tag 120590998400i
Update data m998400i and tag 120590998400
i
u1 uk ud
Figure 1 Data update flows when the only CSP manages an indextable
New identifier id998400i
tag 120590998400i
Update data m998400i
and tag 120590998400i
TPA Users CSP
Request new identifier
Update report
Generate
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifierid1
id2
idn
u1 uk ud
Figure 2 Data update flows when the only TPA manages an indextable
the TPA is on sleep or suffers from bottleneck caused by alarge number of requests from users
33 Management by Both the TPA and Users Delays ofupdate process can be removed through managing an indextable by a user directly [14] Generally it is suitable for asituation where data is not shared However it has a problemabout synchronization of index tables because the indextables are managed separately by each individual user whoshares the data If they are not synchronized identifiersgenerated by other users can have same value then the CSPcan exploit forge attack or replace attack by using such tagsgenerated by the same identifiers
Broadcasting update information after a user finisheddata update is a solution for synchronization as shown inFigure 3 However it requires all users to always wake upOtherwise the users need to request the information forsynchronization but cannot easily determine who has thenewest index table Although the users can request it to theTPA this is not different from a previous way that the onlyTPA manages an index table
TPA Users CSP
Synchronize index tables of TPAand users after data update
Generatetag 120590998400
i
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifierid1
id2
idn
Update data m998400i
and tag 120590998400i
u1 uj uk ud
Figure 3 Data update flows when the TPA and users manage anindex table together
4 Methods
In this section we present methods for a secure and efficientaudit mechanism for shared dynamic data
41 System Model Our system model for auditing mecha-nism is illustrated in Figure 4There are four entities CSP ini-tial uploader users and TPA The CSP provides a large-scalestorage for shared data to users It should process requestsfrom authorized users and respond to every challenge fromthe TPA An initial uploader uploads data to cloud storagefirstly and forms a group of users who share the data togetherUsers in the group are able to access and update shared datain the cloud storage Both an initial uploader and the usersare able to audit shared data in cloud storage via the TPAdelegated by the initial uploader
42 Secure and Efficient Index Table Management We pro-pose a secure and efficient index table management thatis used for our audit mechanism As mentioned in theprevious section a TPA must manage an index table toprevent forge attack and replace attack However delay andsynchronization problems can be caused when the indextable is managed by the only TPA or each user To solvethese problems it is required that a user who tries to updateobtains an identifier from the CSP as described in Figure 5Consequently a way that the TPA manages an index tableand the CSP keeps renewing an identifier for new data blocksatisfies security and efficiency
43 Identifier Definition for Dynamic Data Changing iden-tifiers of data blocks by update process causes repetitivetasks to usersThey download the corresponding data blocksregenerate tags to apply the modified identifiers and uploadthe tags again to cloud storage Our mechanism removesthese repetitive tasks by defining the identifier as an uploadsequence of the data block If an update of data block happensthen new identifier is assigned as the upload sequence fromthe CSP
4 The Scientific World Journal
(1) D
elegat
ion of
auditin
g
for share
d data
(2) A
uditing r
equest
(5) A
uditing r
eport
(3) Challenge for auditing
(4) Response for proof
Initial uploader
Group
Data flow
CSP
TPA
Data
Tag
m1 m2 mnmiddot middot middot
1205901 1205902 middot middot middot 120590nmiddot middot middot middot middot middot
Manage users in group
Figure 4 Our system model for auditing mechanism
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifier
TPA Users CSP
Request new
Update report
Identifier id998400
Renewidentifier id998400
identifier
Generate
id1
id2
idn
New identifier id998400i
tag 120590998400i
Update data m998400i
and tag 120590998400i
u1 uk ud
Figure 5 Data update flows in the proposed mechanism
44 Simple Operations for Audit Mechanism Conventionalapproaches employ relatively complex operations for auditmechanism It may causemore delay time and computationaloverhead for tag generation and verification For efficiencyof audit mechanism the proposed scheme utilizes simpleoperations in the data integrity check Moreover because itcan reduce delay time and computational overhead throughlight-weight operations the QoS of the cloud storage serviceis improved
5 Preliminaries
In this section cryptographic backgrounds for the proposedscheme are briefly introduced
51 Bilinear Map Let 1198661and 119866
2be multiplicative cyclic
groups of prime order 119901 and let 119892 be a generator of 1198661 Then
a bilinear map 119890 satisfies the following properties
(1) Bilinearity for any 119906 V isin 1198661 and 119886 119887 isin 119885
119901
119890(119906119886 V119887) = 119890(119906 V)119886119887
(2) Nondegeneracy 119890(119892 119892) = 1(3) Computability there exists an efficiently computable
algorithm 119890 satisfying the above properties such that119890 1198661times 1198661rarr 1198662
52 Pseudorandom Permutation Let 119865 0 1119899times 0 1
119899rarr
0 1119899 be an efficiently computable keyed permutation for
positive integer 119899 We say that 119865 is a pseudorandom per-mutation if there exists a negligible function negl for anyprobabilistic polynomial-time distinguisher119863 such that
10038161003816100381610038161003816Pr [119863119865119896(sdot) (1119899) = 1] minus Pr [119863119891(sdot) (1119899) = 1]
10038161003816100381610038161003816le negl (119899) (1)
where 119896$larr 0 1
119899 is a permutation key chosen uniformly atrandom and 119891 is a real-random permutation
53 Discrete Logarithm (DL) Assumption Discrete logarithm(DL) problem is to compute 119886 isin 119885
119901 given 119892 isin 119866
1and 119892
119886isin
1198661 The DL assumption holds in 119866
1if it is computationally
infeasible to solve DL problem in 1198661
6 The Proposed Scheme
In this section we present a secure and efficient audit mech-anism supporting dynamic updates of shared data Whencloud storage service initiates a CSP generates public param-eters for system and publicizes them An initial uploadergenerates secret components and public components used intag generation and verification He divides data into blocksand generates tags for each data blockThen he uploads them
The Scientific World Journal 5
to the cloud storage and deletes them in his local storageTo share the data with other users he needs to deliver secretcomponents for tag generation In addition he can delegateauditing processes to a TPA by delivering a part of secretcomponents for verification
When a user tries to update a new data block he receivesan identifier from the CSP generates a tag for the data blockand uploads them After update is finished the user reportsupdate information to the TPA Then the TPA updates anindex table following the update information And the CSPrenews the identifier as next upload sequence for next update
The TPA maintains the newest index table that keepstrack of upload sequence of data blocks The TPA makes achallenge derived from the index table and transmits it to theCSP periodically or when a user wantsThe CSP who receivesthe challenge makes a proof and responds to it Then theTPA checks whether outsourced data is damaged or not byverifying the proof with the challenge
61 Definition The proposed scheme Π is composed of thefollowing eight algorithms such as Π = 119878119890119905119906119901119870119890119910119866119890119899
119879119886119892119866119890119899 119879119886119892119866119890119899119880119901 119868119879119880119901 119862ℎ119886119897119866119890119899 119875119903119900119900119891119866119890119899 119881119890119903119894119891119910
119878119890119905119906119901(120574) rarr 119901119886119903119886119898 On security parameter 120574 the CSPgenerates and publicizes public parameters 119901119886119903119886119898
119870119890119910119866119890119899(119901119886119903119886119898) rarr (119892119898119904119896 119892119904119896 119892119886119896 119892119901119896) An initialuploader takes public parameter 119901119886119903119886119898 as input and outputsgroupmaster key 119892119898119904119896 group secret key 119892119904119896 group auditingkey 119892119886119896 and group public key 119892119901119896 Group master key 119892119898119904119896
is kept secret Group secret key 119892119904119896 = 1198921199041198961 1198921199041198962 and group
auditing key 119892119886119896 are used in tag generation Group public key119892119901119896 = 119892119901119896
1 1198921199011198962 is used for verification of data integrity
along with group auditing key 119892119886119896
119879119886119892119866119890119899(119872 119892119904119896 119892119886119896) rarr 120590 On uploading data 119872 to thecloud storage the initial uploader divides the data into blocksand generates a set of tags 120590 using 119892119904119896 and 119892119886119896 Eachcomponent of 120590 is a tag of the corresponding data block in119872 such that 120590 = 120590
1 120590
119899
119879119886119892119866119890119899119880119901(1198981015840
119894 119892119904119896 119892119886119896 id1015840
119894) rarr 120590
1015840
119894 When a user tries to
update a data block 1198981015840
119894 he generates a new tag 120590
1015840
119894using 119892119904119896
119892119886119896 and new identifier id1015840119894received from the CSP
119868119879119880119901(119880type 119880index 119880id iT) rarr iT1015840 This algorithm takesupdate information and current index table iT as inputand outputs new index table iT1015840 The update informationincludes three elements119880type 119880index and119880id119880type representsan update type which can be either insertion modificationor deletion 119880index is the index of the data block to beupdated and 119880id is a newly assigned unique identifier usedin 119879119886119892119866119890119899119880119901 for the data block
119862ℎ119886119897119866119890119899(iT) rarr 119888ℎ119886119897 This algorithm generates a challeng-ing query 119888ℎ119886119897 = 119897 119903
119897119897isin119871
for randomly selected blocks TheTPA chooses random indices 119871 from the index table iT andgenerates random values 119903
119897119897isin119871
119875119903119900119900119891119866119890119899(119872 120590 119888ℎ119886119897 119892119901119896) rarr (120572 120573) The CSP generates aproof (120572 120573) for a challenge from the TPA 120572 is derived fromoutsourced data blocks 119898
119897119897isin119871
119903119897119897isin119871
and 119892119901119896 while 120573 iscomputed from tags 120590
119897119897isin119871
and 119903119897119897isin119871
119881119890119903119894119891119910(119888ℎ119886119897 iT (120572 120573) 119892119901119896 119892119886119896) rarr 119879119903119906119890119865119886119897119904119890 This algo-rithm verifies consistency of the proof generated by the CSPfor the given challenge If they are consistent it outputs119879119903119906119890Otherwise it outputs 119865119886119897119904119890
62 Construction Let 1198661 1198662be multiplicative cyclic groups
of prime order 119901 let 119892 be a generator of1198661 let 119890 119866
1times1198661rarr
1198662be a bilinear map and let 119865 0 1
log119901times 0 1
log119901rarr
0 1log119901 be a pseudorandom permutation We consider data
119872 is divided into 119899 blocks as 119872 = (1198981 119898
119899) and each
data block119898119894= (1198981198941 119898
119894119904) contains 119904 sectors of 119885
119901
621 Setup When cloud storage service initiates the CSPchooses two groups 119866
1 1198662with 119892 for a bilinear map 119890
by running 119878119890119905119906119901 algorithm and publicizes 119901119886119903119886119898 =
(1198661 1198662 119901 119892 119890) to users and the TPA
622 Upload for Data Sharing An initial uploader 1199061 runs
119870119890119910119866119890119899 algorithm It first chooses (119904 + 2) random values119892119898119904119896 = 119886 isin 119885
lowast
119901 119892119886119896 = 119887 isin 119885
119901 and 119892119904119896
2= 119892119904119896
2119895=
119888119895isin 119885119901119895isin[1119904]
and computes 1198921199041198961
= 1198921119886
1198921199011198961
= 119892119886 and
1198921199011198962
= 1198921199011198962119895
= 119892119888119895119895isin[1119904]
Then by running 119879119886119892119866119890119899 1199061
generates corresponding tags such as
120590119894= (119892119904119896
1)119865119892119886119896(119894) +sum119895isin[1119904] 1198921199041198962119895 sdot119898119894119895 (2)
for 1 le 119894 le 119899 1199061uploads (119872 120590) to the cloud storage and
deletes them from his local storage When the CSP receivesfresh data from the initial uploader it saves an identifier id1015840 =119899+1 for the next upload sequence To share data119872with otherusers 119906
1delivers group secret key 119892119904119896 and group auditing key
119892119886119896 to them
623 Delegation of Audit The initial uploader 1199061delegates
audit for shared data to the TPA by delivering a groupauditing key 119892119886119896 In addition 119906
1notifies the number of data
blocks 119899 for the TPA to correctly generate an initial indextable for 119872 In other words the TPA creates an index tablewhich includes identifiers defined as block sequences initially
624 Data Update In the proposed scheme any user 119906119896in
the group which shares data 119872 is allowed to modify insertor delete data119872 in the cloud storage
If 119906119896tries to modify 119894-th block 119898
119894 119906119896first receives a new
identifier from theCSP as illustrated in Figure 5On receipt ofthe identifier id1015840
119894 119906119896computes a tag 120590
1015840
119894for updated data block
1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm as follows
1205901015840
119894= (119892119904119896
1)119865119892119886119896(id
1015840
119894) +sum119895isin[1119904]1198921199041198962119895 sdot119898
1015840
119894119895 (3)
Then 119906119896sends (119880type =
1015840 119880index = 119894 119880id = id1015840
119894) along
with (1198981015840
119894 1205901015840
119894) to the CSP where
1015840 stands for modification
6 The Scientific World Journal
Initial next identifierid998400 = n + 1
(UtypeUindex = 2Uid = n + 1)
(UtypeUindex = 3Uid = n + 2)
(UtypeUindex = 3Uid = 0)
Next identifierid998400 = n + 2
Next identifierid998400 = n + 3
Next identifierid998400 = n + 3
n + 1
n + 1
n + 1
n + 1
n + 2m998400
2
1205909984002
m9984002
1205909984002
m9984002
1205909984002
m9984003
1205909984003
m9984002 120590998400
2
m9984003
1205909984003
(a) State after initial upload (b) State after modification of m2
(c) State after insertion of m9984003(d) State after the deletion of m998400
3
Data
Tag
Initial index table (IT)
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
IdentifierIndex12 23
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
1234
1
3middot middot middot middot middot middot
n
Identifier
Data
Tag
m1 m2 m3 mnmiddot middot middot
1205901 1205902 1205903 middot middot middot 120590n
m1 m3 mnmiddot middot middot
1205901 1205903 middot middot middot 120590n
Data
Tag
m1 m3 mnmiddot middot middot
1205901 1205903
m3
1205903
middot middot middot 120590n
Data
Tag
m1 mnmiddot middot middot
1205901 middot middot middot 120590n
TPA CSP TPA CSP
TPA CSPTPA CSP
= M998400
= D998400
= I998400
Figure 6 Examples of data update
The CSP can update the data block in the cloud storage byreplacement of (119898
119894 120590119894) with (119898
1015840
119894 1205901015840
119894) uploaded by 119906
119896
For the case of insertion 119906119896makes a tag 120590
1015840
119894for newly
created data block 1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm and
sends (119880type = 1015840 119880index = 119894 119880id = id1015840
119894) along with (119898
1015840
119894 1205901015840
119894) to
the CSPWhen 119906
119896wants to delete data block in the cloud storage
119906119896sends (119880type =
1015840 119880index = 119894 119880id = 0) to the CSP
and allows the CSP to delete the corresponding data blockfrom the cloud storage In this case 119906
119896does not need to
request a new identifier Therefore we set the value of 119880id byzero
After update is finished 119906119896delivers update information
(119880type 119880index 119880id) to the TPA for consistent audit for updatedshared data in the cloud storage Then the TPA updates theindex table managed by itself according to the informationby running 119868119879119880119901 When 119880type =
1015840 it changes the 119880index-th identifier to 119880id When 119880type =
1015840 the TPA inserts 119880idjust before the 119880index-th field while it removes the 119880index-th field from the index table if 119880type =
1015840 Through thisnotification of data updates the TPA can detect maliciousbehaviors of theCSP In other words the CSP cannot transmitpreviously used identifier in order to exploit forge attack andreplace attack Simple examples of data update are depicted inFigure 6
625 Audit for Outsourced Data For the TPA to checkintegrity of outsourced data it engages in challenge-responseprotocol with the CSPTheTPA first chooses a random subset119871 of indices from the index table and generates randomvalues119903119897
isin 119885lowast
119901119897isin119871
by running 119862ℎ119886119897119866119890119899 algorithm The 119888ℎ119886119897 =
119897 119903119897119897isin119871
is transmitted to the CSP and the CSP generates
a proof (120572 120573) for the challenge 119888ℎ119886119897 by running 119875119903119900119900119891119866119890119899
algorithm as follows
120572 = prod
119895isin[1119904]
119892119901119896sum119897isin119871119903119897sdot119898119897119895
2119895
120573 = prod
119897isin119871
120590119903119897
119897
(4)
After receiving the proof (120572 120573) as a response of thechallenge the TPA verifies it by running 119881119890119903119894119891119910 algorithm asfollows
119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 120572 119892) =
119890 (120573 119892119901119896
1) (5)
If (5) holds then the TPA returns 119879119903119906119890 and returns 119865119886119897119904119890otherwise
7 Security Analysis
In this section we show that the proposed scheme is correctand resistant against forge attack and replace attack
Theorem 1 Π provides correctness to the TPA during audit-ing outsourced data
Proof Correctness of Π is achieved by exploiting bilinearproperty of the bilinear map Left-hand side (LHS) of (5)expands as follows
LHS = 119890(119892sum119897isin119871119903119897sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
1198921198921199041198962119895 sdotsum119897isin119871 119903119897 sdot119898119897119895 119892)
The Scientific World Journal 7
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897)+sum119895isin[1119904](1198921199041198962119895 sdotsum119897isin119871 119903119897sdot119898119897119895) 119892)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(6)
while the right-hand side (RHS) of (5) expands as follows
RHS = 119890(prod
119897isin119871
120590119897
119903119897 1198921199011198961)
= 119890(prod
119897isin119871
119892119903119897 sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890 (119892sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(7)
Since the terms LHS and RHS are the same the proof iscompleted
Theorem 2 Π is secure against forge attack
Proof If the CSP acquires an element in 1198921199011198962119895
1119892119898119904119896=
1198921198921199041198962119895119892119898119904119896
119895isin[1119904]from the public parameter 119892119901119896 the CSP can
forge a tag Given 1198921199011198961= 119892119892119898119904119896 computing 119892119898119904119896 is hard due
to DL assumptionThus it is infeasible for the CSP to acquirean element in 119892
1198921199041198962119895119892119898119904119896119895isin[1119904]
When 119865
119892119886119896(id119894) for 120590
119894and 119865
119892119886119896(id119902) for 120590
119902are the same
the CSP computes 120590119894120590119902 Then the CSP can obtain 120575 =
(1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895) and forge the tag 120590
119911of data block119898
119911
using 120575 as follows
1205901015840
119911= 120590119911times 120575
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119911119895
times (1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895)
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot(119898119911119895+119898119894119895minus119898119902119895)
(8)
Finally the CSP obtains forged tag 1205901015840
119911of modified data block
1198981015840
119911= 119898
119911119895+ 119898119894119895
minus 119898119902119895119895isin[1119904]
However 119865119892119886119896
(id119894) and
119865119892119886119896
(id119902) cannot be the same value for id
119894= id119902because of the
definition of pseudorandompermutationTherefore the CSPcannot forge a tag to pass the censorship This completes theproof
Theorem 3 Π is secure against replace attack
Proof When damaged block 119898119894
is challenged theCSP may try to pass the censorship by choosing adifferent block (119898
119902 120590119902) in place of (119898
119894 120590119894) such as
1205721015840= prod119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897 sdot119898119897119895
2119895and 120573
1015840= 120590119903119894
119902sdot prod119897isin119871119897 = 119894
120590119903119897
119897
Then the left-hand side of (5) is computed as
119890(119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895
2119895 119892)
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 119892
sum119895isin[1119904]1198921199041198962119895 sdot(119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895) 119892)
=119890 (119892119903119894 sdot(119865119892119886119896(id119894)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119902119895)+sum119897isin119871119897 = 119894 119903119897sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895) 119892)
= 119890 (119892(119903119894 sdot119865119892119886119896(id119894)minus119903119894 sdot119865119892119886119896(id119902))119892119898119904119896 times 120573
1015840 1198921199011198961)
(9)
in which 119892(119903119894 sdot(119865119892119886119896(id119894)minus119865119892119886119896(id119902)))119892119898119904119896 should be 1 to satisfy (5)
This means that 119865119892119886119896
(id119894) and 119865
119892119886119896(id119902) should be the same
Due to the bijective property of the permutation howeverthese values cannot be the same
8 Performance Evaluation
In this section the prosed scheme is analyzed and comparedwith previous studies [14ndash16] in terms of communication andcomputational overhead We first evaluate communicationoverhead for updating a data block Then computationaloverhead for tag generation and verification is evaluated
81 Communication Overhead As we described in Section 3the way to get an identifier of updated data block depends onwhich entity manages an index table In Wang et alrsquos work[16] 119906
119896needs one round-trip communication to request and
receive the identifier (Figure 1) Zhu et al [15] utilize a waythat the TPA manages the index table (Figure 2) It needsan additional connection between 119906
119896and the TPA for the
identifier and a report of update information Yang and Jia[14] utilize a way that a user manages the index table byhimself Although it is suitable when the outsourced data ismanaged by a single user it requires more communicationcosts for synchronization of the index tables when the data isshared by multiple users
Communication costs are summarized in Table 1 Weomitted costs for uploading a data block and a correspondingtag for simplicity Although the proposed scheme seems torequire the same cost as Zhu et alrsquos approach there may beupdate delays caused by concentration of communications tothe TPA in [15] On the other hand the proposed schemeremoves this delay via a direct acquisition of the identifierfrom the CSP For [14] to synchronize the index tables of usersand the TPA 119906
119896needs to broadcast extra update information
Considering this circumstance additional communicationscaused by broadcast might be added into Table 1
82 Computational Overhead Computation costs for taggeneration and verification are described in Table 2 Theproposed scheme requires a single Exp
119866operation in tag
generation while the others [14ndash16] require Exp119866and Mul
119866
operations which are proportional to the number of sectors
8 The Scientific World Journal
Table 1 Connections and communication costs for updating a data block
Wang et al [16] Zhu et al [15] Yang and Jia [14] Our scheme
Connections 119906119896harr CSP
119906119896harr TPA 119906
119896with other users 119906
119896harr TPA
119906119896harr CSP 119906
119896harr TPA
119906119896harr CSP
119906119896harr CSP
Extra communication costs 1003816100381610038161003816119902id1003816100381610038161003816 + |id| 1003816100381610038161003816119902id
1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info1003816100381610038161003816 119889 times
1003816100381610038161003816119906info1003816100381610038161003816
1003816100381610038161003816119902id1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info
1003816100381610038161003816
Table 2 Computation costs for a tag generation and verification
Tag generation VerificationWang et al [16] (119878 + 1) sdot Exp
119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878 minus 1) sdotMul
119866+ 119871 sdot 119867
119866
Zhu et al [15] (119878 + 2) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
3 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878) sdotMul
119866+ 119871 sdot 119867
119866
Yang and Jia [14] (119878 + 1) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 1) sdot Exp119866+ 119871 sdotMul
119866+ 119871 sdotMul
119885119901+ 119871 sdot 119867
119866
Our scheme Exp119866+ 119878 sdotMul
119885119901+ 119878 sdot Add
119885119901+ 119865prp
2 sdot Pair + Exp119866+Mul
119866
119871 sdotMul119885119901
+ (119871 minus 1) sdot Add119885119901
+ 119871 sdot 119865prp
in a data block When the TPA verifies a proof received fromthe CSP one Exp
119866and one Mul
119866operations are required in
the proposed scheme regardless of the number of challengeddata blocks However the others require Exp
119866and Mul
119866
operations linear to the number of challenged data blockswhich cause a significant overhead to the TPA
83 Experimental Results We measure the performance ofour scheme and compare it with other works [14ndash16] basedon implementations inUbuntu 1204We utilize Paring BasedCryptography (PBC) library for cryptographic operationsand OpenSSL to use Advanced Encryption Standard (AES)for pseudorandom permutation All experiments are exe-cuted on an Intel Core i3 310GHz with 2GB memory Weassume that |119901| is 160 bits |id| is 80 bits and size of a datablock is 160 bits We simulate each scheme on 4 different datawhich has 1000 data blocks with 5 times All experimentalresults show an average of 20 trials
831 TagGeneration Theperformances of the tag generationtimes are presented in Figure 7(a) Tag generation time inour scheme is 318 milliseconds per block when 119878 = 1
and 328 milliseconds per block when 119878 = 100 Sincea single Exp
119866is required regardless of 119878 119878 almost never
influences on tag generation time However tag generationtimes of the others increase with increasing 119878 Reference[16] requires 32365 milliseconds per block and [14] requires32463 milliseconds per block when 119878 = 100 Since they havesame computation complexity their tag generation times arealmost identical Reference [15] needs onemore Exp
119866Thus it
requires 32997milliseconds per blockwhich ismore than theothers
832 Verification Wemeasure verification times dependingon 119871 when 119878 = 100 As depicted in Figure 7(b) theverification times for the TPA are dependent on 119871 in theothers [14ndash16]When 119871 = 500 [14ndash16] requires 513 566 and575 seconds respectively Furthermore Figure 7(c) shows
that 119878 influences [15 16] However our scheme requires 001seconds for verification regardless of 119871 and 119878
9 Conclusion
In this paper we present a secure and efficient audit mech-anism for shared dynamic data in cloud storage It makespossible for the TPA to correctly audit outsourced data whichcan be updated in a secure manner With simple index tablemanagement by the TPA and identifier renewal by the CSPany user in a group can update shared data block efficientlyFurthermore making the auditing operations simple leads toless computational overhead for the whole auditing processPerformance evaluation and security analysis show thatthe proposed scheme is best suited to the cloud storagewhere multiple users share and update the outsourced datafrequently
Notations
119906119896 A user who tries to update
119889 The number of users in group119871 The number of challenged data blocks119878 The number of sectors in a data blockid An identifier119902id Request for an identifier119906info Update information119865prp Pseudorandom permutation119867119866 0 1
lowast to 119866
Pair Pairing operationExp119866 Exponentiation in 119866
Mul119866 Multiplication in 119866
Mul119885119901 Multiplication in 119885
119901
Add119885119901 Addition in 119885
119901
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
The Scientific World Journal 9
0
50
100
150
200
250
300
350
1 20 40 60 80 100
Tag
gene
ratio
n tim
e (m
s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(a) Impact of 119878 on tag generation time
0
1
2
3
4
5
6
7
100 200 300 400 500
Verifi
catio
n tim
e (s)
The number of challenged data blocksOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(b) Impact of 119871 on verification time when 119878 = 100
0
1
2
3
4
5
6
20 40 60 80 100
Verifi
catio
n tim
e (s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(c) Impact of 119878 on verification time when 119871 = 460
Figure 7 Experimental results
Acknowledgment
This work was supported by the IT R amp D program ofMKEKEIT (10041244 SmartTV 20 Software Platform)
References
[1] E-H Song H-W Kim and Y-S Jeong ldquoVisual monitoringsystem of multi-hosts behavior for trustworthiness with mobilecloudrdquo Journal of Information Processing Systems vol 8 no 2pp 347ndash358 2012
[2] J Bringer and H Chabanne ldquoEmbedding edit distance toenable private keyword searchrdquoHuman-Centric Computing andInformation Sciences vol 2 article 2 2012
[3] Y Pan and J Zhang ldquoParallel programming on cloud comput-ing platforms challenges and solutionsrdquo Journal of Convergencevol 3 no 4 pp 23ndash28 2012
[4] T Teraoka ldquoOrganization and exploration of heterogeneouspersonal data collected in daily liferdquoHuman-Centric Computingand Information Sciences vol 2 article 1 no 1 2012
[5] J K Y Ng ldquoUbiquitous healthcare healthcare systems andapplications enabled by mobile and wireless technologiesrdquoJournal of Convergence vol 3 no 2 pp 15ndash20 2012
[6] ldquoGoogle Google driverdquo httpdrivegooglecom[7] ldquoAmazon Amazon s3rdquo httpawsamazoncoms3[8] G Ateniese R Burns R Curtmola et al ldquoProvable data
possession at untrusted storesrdquo in Proceedings of the 14th ACM
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World Journal 3
TPA Users CSP
Request new identifier
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifier
Generate
id1
id2
idn
New identifier id998400i
tag 120590998400i
Update data m998400i and tag 120590998400
i
u1 uk ud
Figure 1 Data update flows when the only CSP manages an indextable
New identifier id998400i
tag 120590998400i
Update data m998400i
and tag 120590998400i
TPA Users CSP
Request new identifier
Update report
Generate
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifierid1
id2
idn
u1 uk ud
Figure 2 Data update flows when the only TPA manages an indextable
the TPA is on sleep or suffers from bottleneck caused by alarge number of requests from users
33 Management by Both the TPA and Users Delays ofupdate process can be removed through managing an indextable by a user directly [14] Generally it is suitable for asituation where data is not shared However it has a problemabout synchronization of index tables because the indextables are managed separately by each individual user whoshares the data If they are not synchronized identifiersgenerated by other users can have same value then the CSPcan exploit forge attack or replace attack by using such tagsgenerated by the same identifiers
Broadcasting update information after a user finisheddata update is a solution for synchronization as shown inFigure 3 However it requires all users to always wake upOtherwise the users need to request the information forsynchronization but cannot easily determine who has thenewest index table Although the users can request it to theTPA this is not different from a previous way that the onlyTPA manages an index table
TPA Users CSP
Synchronize index tables of TPAand users after data update
Generatetag 120590998400
i
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifierid1
id2
idn
Update data m998400i
and tag 120590998400i
u1 uj uk ud
Figure 3 Data update flows when the TPA and users manage anindex table together
4 Methods
In this section we present methods for a secure and efficientaudit mechanism for shared dynamic data
41 System Model Our system model for auditing mecha-nism is illustrated in Figure 4There are four entities CSP ini-tial uploader users and TPA The CSP provides a large-scalestorage for shared data to users It should process requestsfrom authorized users and respond to every challenge fromthe TPA An initial uploader uploads data to cloud storagefirstly and forms a group of users who share the data togetherUsers in the group are able to access and update shared datain the cloud storage Both an initial uploader and the usersare able to audit shared data in cloud storage via the TPAdelegated by the initial uploader
42 Secure and Efficient Index Table Management We pro-pose a secure and efficient index table management thatis used for our audit mechanism As mentioned in theprevious section a TPA must manage an index table toprevent forge attack and replace attack However delay andsynchronization problems can be caused when the indextable is managed by the only TPA or each user To solvethese problems it is required that a user who tries to updateobtains an identifier from the CSP as described in Figure 5Consequently a way that the TPA manages an index tableand the CSP keeps renewing an identifier for new data blocksatisfies security and efficiency
43 Identifier Definition for Dynamic Data Changing iden-tifiers of data blocks by update process causes repetitivetasks to usersThey download the corresponding data blocksregenerate tags to apply the modified identifiers and uploadthe tags again to cloud storage Our mechanism removesthese repetitive tasks by defining the identifier as an uploadsequence of the data block If an update of data block happensthen new identifier is assigned as the upload sequence fromthe CSP
4 The Scientific World Journal
(1) D
elegat
ion of
auditin
g
for share
d data
(2) A
uditing r
equest
(5) A
uditing r
eport
(3) Challenge for auditing
(4) Response for proof
Initial uploader
Group
Data flow
CSP
TPA
Data
Tag
m1 m2 mnmiddot middot middot
1205901 1205902 middot middot middot 120590nmiddot middot middot middot middot middot
Manage users in group
Figure 4 Our system model for auditing mechanism
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifier
TPA Users CSP
Request new
Update report
Identifier id998400
Renewidentifier id998400
identifier
Generate
id1
id2
idn
New identifier id998400i
tag 120590998400i
Update data m998400i
and tag 120590998400i
u1 uk ud
Figure 5 Data update flows in the proposed mechanism
44 Simple Operations for Audit Mechanism Conventionalapproaches employ relatively complex operations for auditmechanism It may causemore delay time and computationaloverhead for tag generation and verification For efficiencyof audit mechanism the proposed scheme utilizes simpleoperations in the data integrity check Moreover because itcan reduce delay time and computational overhead throughlight-weight operations the QoS of the cloud storage serviceis improved
5 Preliminaries
In this section cryptographic backgrounds for the proposedscheme are briefly introduced
51 Bilinear Map Let 1198661and 119866
2be multiplicative cyclic
groups of prime order 119901 and let 119892 be a generator of 1198661 Then
a bilinear map 119890 satisfies the following properties
(1) Bilinearity for any 119906 V isin 1198661 and 119886 119887 isin 119885
119901
119890(119906119886 V119887) = 119890(119906 V)119886119887
(2) Nondegeneracy 119890(119892 119892) = 1(3) Computability there exists an efficiently computable
algorithm 119890 satisfying the above properties such that119890 1198661times 1198661rarr 1198662
52 Pseudorandom Permutation Let 119865 0 1119899times 0 1
119899rarr
0 1119899 be an efficiently computable keyed permutation for
positive integer 119899 We say that 119865 is a pseudorandom per-mutation if there exists a negligible function negl for anyprobabilistic polynomial-time distinguisher119863 such that
10038161003816100381610038161003816Pr [119863119865119896(sdot) (1119899) = 1] minus Pr [119863119891(sdot) (1119899) = 1]
10038161003816100381610038161003816le negl (119899) (1)
where 119896$larr 0 1
119899 is a permutation key chosen uniformly atrandom and 119891 is a real-random permutation
53 Discrete Logarithm (DL) Assumption Discrete logarithm(DL) problem is to compute 119886 isin 119885
119901 given 119892 isin 119866
1and 119892
119886isin
1198661 The DL assumption holds in 119866
1if it is computationally
infeasible to solve DL problem in 1198661
6 The Proposed Scheme
In this section we present a secure and efficient audit mech-anism supporting dynamic updates of shared data Whencloud storage service initiates a CSP generates public param-eters for system and publicizes them An initial uploadergenerates secret components and public components used intag generation and verification He divides data into blocksand generates tags for each data blockThen he uploads them
The Scientific World Journal 5
to the cloud storage and deletes them in his local storageTo share the data with other users he needs to deliver secretcomponents for tag generation In addition he can delegateauditing processes to a TPA by delivering a part of secretcomponents for verification
When a user tries to update a new data block he receivesan identifier from the CSP generates a tag for the data blockand uploads them After update is finished the user reportsupdate information to the TPA Then the TPA updates anindex table following the update information And the CSPrenews the identifier as next upload sequence for next update
The TPA maintains the newest index table that keepstrack of upload sequence of data blocks The TPA makes achallenge derived from the index table and transmits it to theCSP periodically or when a user wantsThe CSP who receivesthe challenge makes a proof and responds to it Then theTPA checks whether outsourced data is damaged or not byverifying the proof with the challenge
61 Definition The proposed scheme Π is composed of thefollowing eight algorithms such as Π = 119878119890119905119906119901119870119890119910119866119890119899
119879119886119892119866119890119899 119879119886119892119866119890119899119880119901 119868119879119880119901 119862ℎ119886119897119866119890119899 119875119903119900119900119891119866119890119899 119881119890119903119894119891119910
119878119890119905119906119901(120574) rarr 119901119886119903119886119898 On security parameter 120574 the CSPgenerates and publicizes public parameters 119901119886119903119886119898
119870119890119910119866119890119899(119901119886119903119886119898) rarr (119892119898119904119896 119892119904119896 119892119886119896 119892119901119896) An initialuploader takes public parameter 119901119886119903119886119898 as input and outputsgroupmaster key 119892119898119904119896 group secret key 119892119904119896 group auditingkey 119892119886119896 and group public key 119892119901119896 Group master key 119892119898119904119896
is kept secret Group secret key 119892119904119896 = 1198921199041198961 1198921199041198962 and group
auditing key 119892119886119896 are used in tag generation Group public key119892119901119896 = 119892119901119896
1 1198921199011198962 is used for verification of data integrity
along with group auditing key 119892119886119896
119879119886119892119866119890119899(119872 119892119904119896 119892119886119896) rarr 120590 On uploading data 119872 to thecloud storage the initial uploader divides the data into blocksand generates a set of tags 120590 using 119892119904119896 and 119892119886119896 Eachcomponent of 120590 is a tag of the corresponding data block in119872 such that 120590 = 120590
1 120590
119899
119879119886119892119866119890119899119880119901(1198981015840
119894 119892119904119896 119892119886119896 id1015840
119894) rarr 120590
1015840
119894 When a user tries to
update a data block 1198981015840
119894 he generates a new tag 120590
1015840
119894using 119892119904119896
119892119886119896 and new identifier id1015840119894received from the CSP
119868119879119880119901(119880type 119880index 119880id iT) rarr iT1015840 This algorithm takesupdate information and current index table iT as inputand outputs new index table iT1015840 The update informationincludes three elements119880type 119880index and119880id119880type representsan update type which can be either insertion modificationor deletion 119880index is the index of the data block to beupdated and 119880id is a newly assigned unique identifier usedin 119879119886119892119866119890119899119880119901 for the data block
119862ℎ119886119897119866119890119899(iT) rarr 119888ℎ119886119897 This algorithm generates a challeng-ing query 119888ℎ119886119897 = 119897 119903
119897119897isin119871
for randomly selected blocks TheTPA chooses random indices 119871 from the index table iT andgenerates random values 119903
119897119897isin119871
119875119903119900119900119891119866119890119899(119872 120590 119888ℎ119886119897 119892119901119896) rarr (120572 120573) The CSP generates aproof (120572 120573) for a challenge from the TPA 120572 is derived fromoutsourced data blocks 119898
119897119897isin119871
119903119897119897isin119871
and 119892119901119896 while 120573 iscomputed from tags 120590
119897119897isin119871
and 119903119897119897isin119871
119881119890119903119894119891119910(119888ℎ119886119897 iT (120572 120573) 119892119901119896 119892119886119896) rarr 119879119903119906119890119865119886119897119904119890 This algo-rithm verifies consistency of the proof generated by the CSPfor the given challenge If they are consistent it outputs119879119903119906119890Otherwise it outputs 119865119886119897119904119890
62 Construction Let 1198661 1198662be multiplicative cyclic groups
of prime order 119901 let 119892 be a generator of1198661 let 119890 119866
1times1198661rarr
1198662be a bilinear map and let 119865 0 1
log119901times 0 1
log119901rarr
0 1log119901 be a pseudorandom permutation We consider data
119872 is divided into 119899 blocks as 119872 = (1198981 119898
119899) and each
data block119898119894= (1198981198941 119898
119894119904) contains 119904 sectors of 119885
119901
621 Setup When cloud storage service initiates the CSPchooses two groups 119866
1 1198662with 119892 for a bilinear map 119890
by running 119878119890119905119906119901 algorithm and publicizes 119901119886119903119886119898 =
(1198661 1198662 119901 119892 119890) to users and the TPA
622 Upload for Data Sharing An initial uploader 1199061 runs
119870119890119910119866119890119899 algorithm It first chooses (119904 + 2) random values119892119898119904119896 = 119886 isin 119885
lowast
119901 119892119886119896 = 119887 isin 119885
119901 and 119892119904119896
2= 119892119904119896
2119895=
119888119895isin 119885119901119895isin[1119904]
and computes 1198921199041198961
= 1198921119886
1198921199011198961
= 119892119886 and
1198921199011198962
= 1198921199011198962119895
= 119892119888119895119895isin[1119904]
Then by running 119879119886119892119866119890119899 1199061
generates corresponding tags such as
120590119894= (119892119904119896
1)119865119892119886119896(119894) +sum119895isin[1119904] 1198921199041198962119895 sdot119898119894119895 (2)
for 1 le 119894 le 119899 1199061uploads (119872 120590) to the cloud storage and
deletes them from his local storage When the CSP receivesfresh data from the initial uploader it saves an identifier id1015840 =119899+1 for the next upload sequence To share data119872with otherusers 119906
1delivers group secret key 119892119904119896 and group auditing key
119892119886119896 to them
623 Delegation of Audit The initial uploader 1199061delegates
audit for shared data to the TPA by delivering a groupauditing key 119892119886119896 In addition 119906
1notifies the number of data
blocks 119899 for the TPA to correctly generate an initial indextable for 119872 In other words the TPA creates an index tablewhich includes identifiers defined as block sequences initially
624 Data Update In the proposed scheme any user 119906119896in
the group which shares data 119872 is allowed to modify insertor delete data119872 in the cloud storage
If 119906119896tries to modify 119894-th block 119898
119894 119906119896first receives a new
identifier from theCSP as illustrated in Figure 5On receipt ofthe identifier id1015840
119894 119906119896computes a tag 120590
1015840
119894for updated data block
1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm as follows
1205901015840
119894= (119892119904119896
1)119865119892119886119896(id
1015840
119894) +sum119895isin[1119904]1198921199041198962119895 sdot119898
1015840
119894119895 (3)
Then 119906119896sends (119880type =
1015840 119880index = 119894 119880id = id1015840
119894) along
with (1198981015840
119894 1205901015840
119894) to the CSP where
1015840 stands for modification
6 The Scientific World Journal
Initial next identifierid998400 = n + 1
(UtypeUindex = 2Uid = n + 1)
(UtypeUindex = 3Uid = n + 2)
(UtypeUindex = 3Uid = 0)
Next identifierid998400 = n + 2
Next identifierid998400 = n + 3
Next identifierid998400 = n + 3
n + 1
n + 1
n + 1
n + 1
n + 2m998400
2
1205909984002
m9984002
1205909984002
m9984002
1205909984002
m9984003
1205909984003
m9984002 120590998400
2
m9984003
1205909984003
(a) State after initial upload (b) State after modification of m2
(c) State after insertion of m9984003(d) State after the deletion of m998400
3
Data
Tag
Initial index table (IT)
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
IdentifierIndex12 23
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
1234
1
3middot middot middot middot middot middot
n
Identifier
Data
Tag
m1 m2 m3 mnmiddot middot middot
1205901 1205902 1205903 middot middot middot 120590n
m1 m3 mnmiddot middot middot
1205901 1205903 middot middot middot 120590n
Data
Tag
m1 m3 mnmiddot middot middot
1205901 1205903
m3
1205903
middot middot middot 120590n
Data
Tag
m1 mnmiddot middot middot
1205901 middot middot middot 120590n
TPA CSP TPA CSP
TPA CSPTPA CSP
= M998400
= D998400
= I998400
Figure 6 Examples of data update
The CSP can update the data block in the cloud storage byreplacement of (119898
119894 120590119894) with (119898
1015840
119894 1205901015840
119894) uploaded by 119906
119896
For the case of insertion 119906119896makes a tag 120590
1015840
119894for newly
created data block 1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm and
sends (119880type = 1015840 119880index = 119894 119880id = id1015840
119894) along with (119898
1015840
119894 1205901015840
119894) to
the CSPWhen 119906
119896wants to delete data block in the cloud storage
119906119896sends (119880type =
1015840 119880index = 119894 119880id = 0) to the CSP
and allows the CSP to delete the corresponding data blockfrom the cloud storage In this case 119906
119896does not need to
request a new identifier Therefore we set the value of 119880id byzero
After update is finished 119906119896delivers update information
(119880type 119880index 119880id) to the TPA for consistent audit for updatedshared data in the cloud storage Then the TPA updates theindex table managed by itself according to the informationby running 119868119879119880119901 When 119880type =
1015840 it changes the 119880index-th identifier to 119880id When 119880type =
1015840 the TPA inserts 119880idjust before the 119880index-th field while it removes the 119880index-th field from the index table if 119880type =
1015840 Through thisnotification of data updates the TPA can detect maliciousbehaviors of theCSP In other words the CSP cannot transmitpreviously used identifier in order to exploit forge attack andreplace attack Simple examples of data update are depicted inFigure 6
625 Audit for Outsourced Data For the TPA to checkintegrity of outsourced data it engages in challenge-responseprotocol with the CSPTheTPA first chooses a random subset119871 of indices from the index table and generates randomvalues119903119897
isin 119885lowast
119901119897isin119871
by running 119862ℎ119886119897119866119890119899 algorithm The 119888ℎ119886119897 =
119897 119903119897119897isin119871
is transmitted to the CSP and the CSP generates
a proof (120572 120573) for the challenge 119888ℎ119886119897 by running 119875119903119900119900119891119866119890119899
algorithm as follows
120572 = prod
119895isin[1119904]
119892119901119896sum119897isin119871119903119897sdot119898119897119895
2119895
120573 = prod
119897isin119871
120590119903119897
119897
(4)
After receiving the proof (120572 120573) as a response of thechallenge the TPA verifies it by running 119881119890119903119894119891119910 algorithm asfollows
119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 120572 119892) =
119890 (120573 119892119901119896
1) (5)
If (5) holds then the TPA returns 119879119903119906119890 and returns 119865119886119897119904119890otherwise
7 Security Analysis
In this section we show that the proposed scheme is correctand resistant against forge attack and replace attack
Theorem 1 Π provides correctness to the TPA during audit-ing outsourced data
Proof Correctness of Π is achieved by exploiting bilinearproperty of the bilinear map Left-hand side (LHS) of (5)expands as follows
LHS = 119890(119892sum119897isin119871119903119897sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
1198921198921199041198962119895 sdotsum119897isin119871 119903119897 sdot119898119897119895 119892)
The Scientific World Journal 7
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897)+sum119895isin[1119904](1198921199041198962119895 sdotsum119897isin119871 119903119897sdot119898119897119895) 119892)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(6)
while the right-hand side (RHS) of (5) expands as follows
RHS = 119890(prod
119897isin119871
120590119897
119903119897 1198921199011198961)
= 119890(prod
119897isin119871
119892119903119897 sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890 (119892sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(7)
Since the terms LHS and RHS are the same the proof iscompleted
Theorem 2 Π is secure against forge attack
Proof If the CSP acquires an element in 1198921199011198962119895
1119892119898119904119896=
1198921198921199041198962119895119892119898119904119896
119895isin[1119904]from the public parameter 119892119901119896 the CSP can
forge a tag Given 1198921199011198961= 119892119892119898119904119896 computing 119892119898119904119896 is hard due
to DL assumptionThus it is infeasible for the CSP to acquirean element in 119892
1198921199041198962119895119892119898119904119896119895isin[1119904]
When 119865
119892119886119896(id119894) for 120590
119894and 119865
119892119886119896(id119902) for 120590
119902are the same
the CSP computes 120590119894120590119902 Then the CSP can obtain 120575 =
(1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895) and forge the tag 120590
119911of data block119898
119911
using 120575 as follows
1205901015840
119911= 120590119911times 120575
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119911119895
times (1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895)
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot(119898119911119895+119898119894119895minus119898119902119895)
(8)
Finally the CSP obtains forged tag 1205901015840
119911of modified data block
1198981015840
119911= 119898
119911119895+ 119898119894119895
minus 119898119902119895119895isin[1119904]
However 119865119892119886119896
(id119894) and
119865119892119886119896
(id119902) cannot be the same value for id
119894= id119902because of the
definition of pseudorandompermutationTherefore the CSPcannot forge a tag to pass the censorship This completes theproof
Theorem 3 Π is secure against replace attack
Proof When damaged block 119898119894
is challenged theCSP may try to pass the censorship by choosing adifferent block (119898
119902 120590119902) in place of (119898
119894 120590119894) such as
1205721015840= prod119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897 sdot119898119897119895
2119895and 120573
1015840= 120590119903119894
119902sdot prod119897isin119871119897 = 119894
120590119903119897
119897
Then the left-hand side of (5) is computed as
119890(119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895
2119895 119892)
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 119892
sum119895isin[1119904]1198921199041198962119895 sdot(119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895) 119892)
=119890 (119892119903119894 sdot(119865119892119886119896(id119894)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119902119895)+sum119897isin119871119897 = 119894 119903119897sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895) 119892)
= 119890 (119892(119903119894 sdot119865119892119886119896(id119894)minus119903119894 sdot119865119892119886119896(id119902))119892119898119904119896 times 120573
1015840 1198921199011198961)
(9)
in which 119892(119903119894 sdot(119865119892119886119896(id119894)minus119865119892119886119896(id119902)))119892119898119904119896 should be 1 to satisfy (5)
This means that 119865119892119886119896
(id119894) and 119865
119892119886119896(id119902) should be the same
Due to the bijective property of the permutation howeverthese values cannot be the same
8 Performance Evaluation
In this section the prosed scheme is analyzed and comparedwith previous studies [14ndash16] in terms of communication andcomputational overhead We first evaluate communicationoverhead for updating a data block Then computationaloverhead for tag generation and verification is evaluated
81 Communication Overhead As we described in Section 3the way to get an identifier of updated data block depends onwhich entity manages an index table In Wang et alrsquos work[16] 119906
119896needs one round-trip communication to request and
receive the identifier (Figure 1) Zhu et al [15] utilize a waythat the TPA manages the index table (Figure 2) It needsan additional connection between 119906
119896and the TPA for the
identifier and a report of update information Yang and Jia[14] utilize a way that a user manages the index table byhimself Although it is suitable when the outsourced data ismanaged by a single user it requires more communicationcosts for synchronization of the index tables when the data isshared by multiple users
Communication costs are summarized in Table 1 Weomitted costs for uploading a data block and a correspondingtag for simplicity Although the proposed scheme seems torequire the same cost as Zhu et alrsquos approach there may beupdate delays caused by concentration of communications tothe TPA in [15] On the other hand the proposed schemeremoves this delay via a direct acquisition of the identifierfrom the CSP For [14] to synchronize the index tables of usersand the TPA 119906
119896needs to broadcast extra update information
Considering this circumstance additional communicationscaused by broadcast might be added into Table 1
82 Computational Overhead Computation costs for taggeneration and verification are described in Table 2 Theproposed scheme requires a single Exp
119866operation in tag
generation while the others [14ndash16] require Exp119866and Mul
119866
operations which are proportional to the number of sectors
8 The Scientific World Journal
Table 1 Connections and communication costs for updating a data block
Wang et al [16] Zhu et al [15] Yang and Jia [14] Our scheme
Connections 119906119896harr CSP
119906119896harr TPA 119906
119896with other users 119906
119896harr TPA
119906119896harr CSP 119906
119896harr TPA
119906119896harr CSP
119906119896harr CSP
Extra communication costs 1003816100381610038161003816119902id1003816100381610038161003816 + |id| 1003816100381610038161003816119902id
1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info1003816100381610038161003816 119889 times
1003816100381610038161003816119906info1003816100381610038161003816
1003816100381610038161003816119902id1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info
1003816100381610038161003816
Table 2 Computation costs for a tag generation and verification
Tag generation VerificationWang et al [16] (119878 + 1) sdot Exp
119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878 minus 1) sdotMul
119866+ 119871 sdot 119867
119866
Zhu et al [15] (119878 + 2) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
3 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878) sdotMul
119866+ 119871 sdot 119867
119866
Yang and Jia [14] (119878 + 1) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 1) sdot Exp119866+ 119871 sdotMul
119866+ 119871 sdotMul
119885119901+ 119871 sdot 119867
119866
Our scheme Exp119866+ 119878 sdotMul
119885119901+ 119878 sdot Add
119885119901+ 119865prp
2 sdot Pair + Exp119866+Mul
119866
119871 sdotMul119885119901
+ (119871 minus 1) sdot Add119885119901
+ 119871 sdot 119865prp
in a data block When the TPA verifies a proof received fromthe CSP one Exp
119866and one Mul
119866operations are required in
the proposed scheme regardless of the number of challengeddata blocks However the others require Exp
119866and Mul
119866
operations linear to the number of challenged data blockswhich cause a significant overhead to the TPA
83 Experimental Results We measure the performance ofour scheme and compare it with other works [14ndash16] basedon implementations inUbuntu 1204We utilize Paring BasedCryptography (PBC) library for cryptographic operationsand OpenSSL to use Advanced Encryption Standard (AES)for pseudorandom permutation All experiments are exe-cuted on an Intel Core i3 310GHz with 2GB memory Weassume that |119901| is 160 bits |id| is 80 bits and size of a datablock is 160 bits We simulate each scheme on 4 different datawhich has 1000 data blocks with 5 times All experimentalresults show an average of 20 trials
831 TagGeneration Theperformances of the tag generationtimes are presented in Figure 7(a) Tag generation time inour scheme is 318 milliseconds per block when 119878 = 1
and 328 milliseconds per block when 119878 = 100 Sincea single Exp
119866is required regardless of 119878 119878 almost never
influences on tag generation time However tag generationtimes of the others increase with increasing 119878 Reference[16] requires 32365 milliseconds per block and [14] requires32463 milliseconds per block when 119878 = 100 Since they havesame computation complexity their tag generation times arealmost identical Reference [15] needs onemore Exp
119866Thus it
requires 32997milliseconds per blockwhich ismore than theothers
832 Verification Wemeasure verification times dependingon 119871 when 119878 = 100 As depicted in Figure 7(b) theverification times for the TPA are dependent on 119871 in theothers [14ndash16]When 119871 = 500 [14ndash16] requires 513 566 and575 seconds respectively Furthermore Figure 7(c) shows
that 119878 influences [15 16] However our scheme requires 001seconds for verification regardless of 119871 and 119878
9 Conclusion
In this paper we present a secure and efficient audit mech-anism for shared dynamic data in cloud storage It makespossible for the TPA to correctly audit outsourced data whichcan be updated in a secure manner With simple index tablemanagement by the TPA and identifier renewal by the CSPany user in a group can update shared data block efficientlyFurthermore making the auditing operations simple leads toless computational overhead for the whole auditing processPerformance evaluation and security analysis show thatthe proposed scheme is best suited to the cloud storagewhere multiple users share and update the outsourced datafrequently
Notations
119906119896 A user who tries to update
119889 The number of users in group119871 The number of challenged data blocks119878 The number of sectors in a data blockid An identifier119902id Request for an identifier119906info Update information119865prp Pseudorandom permutation119867119866 0 1
lowast to 119866
Pair Pairing operationExp119866 Exponentiation in 119866
Mul119866 Multiplication in 119866
Mul119885119901 Multiplication in 119885
119901
Add119885119901 Addition in 119885
119901
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
The Scientific World Journal 9
0
50
100
150
200
250
300
350
1 20 40 60 80 100
Tag
gene
ratio
n tim
e (m
s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(a) Impact of 119878 on tag generation time
0
1
2
3
4
5
6
7
100 200 300 400 500
Verifi
catio
n tim
e (s)
The number of challenged data blocksOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(b) Impact of 119871 on verification time when 119878 = 100
0
1
2
3
4
5
6
20 40 60 80 100
Verifi
catio
n tim
e (s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(c) Impact of 119878 on verification time when 119871 = 460
Figure 7 Experimental results
Acknowledgment
This work was supported by the IT R amp D program ofMKEKEIT (10041244 SmartTV 20 Software Platform)
References
[1] E-H Song H-W Kim and Y-S Jeong ldquoVisual monitoringsystem of multi-hosts behavior for trustworthiness with mobilecloudrdquo Journal of Information Processing Systems vol 8 no 2pp 347ndash358 2012
[2] J Bringer and H Chabanne ldquoEmbedding edit distance toenable private keyword searchrdquoHuman-Centric Computing andInformation Sciences vol 2 article 2 2012
[3] Y Pan and J Zhang ldquoParallel programming on cloud comput-ing platforms challenges and solutionsrdquo Journal of Convergencevol 3 no 4 pp 23ndash28 2012
[4] T Teraoka ldquoOrganization and exploration of heterogeneouspersonal data collected in daily liferdquoHuman-Centric Computingand Information Sciences vol 2 article 1 no 1 2012
[5] J K Y Ng ldquoUbiquitous healthcare healthcare systems andapplications enabled by mobile and wireless technologiesrdquoJournal of Convergence vol 3 no 2 pp 15ndash20 2012
[6] ldquoGoogle Google driverdquo httpdrivegooglecom[7] ldquoAmazon Amazon s3rdquo httpawsamazoncoms3[8] G Ateniese R Burns R Curtmola et al ldquoProvable data
possession at untrusted storesrdquo in Proceedings of the 14th ACM
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
4 The Scientific World Journal
(1) D
elegat
ion of
auditin
g
for share
d data
(2) A
uditing r
equest
(5) A
uditing r
eport
(3) Challenge for auditing
(4) Response for proof
Initial uploader
Group
Data flow
CSP
TPA
Data
Tag
m1 m2 mnmiddot middot middot
1205901 1205902 middot middot middot 120590nmiddot middot middot middot middot middot
Manage users in group
Figure 4 Our system model for auditing mechanism
Index table (IT)Index
1
2
middot middot middot middot middot middot
n
Identifier
TPA Users CSP
Request new
Update report
Identifier id998400
Renewidentifier id998400
identifier
Generate
id1
id2
idn
New identifier id998400i
tag 120590998400i
Update data m998400i
and tag 120590998400i
u1 uk ud
Figure 5 Data update flows in the proposed mechanism
44 Simple Operations for Audit Mechanism Conventionalapproaches employ relatively complex operations for auditmechanism It may causemore delay time and computationaloverhead for tag generation and verification For efficiencyof audit mechanism the proposed scheme utilizes simpleoperations in the data integrity check Moreover because itcan reduce delay time and computational overhead throughlight-weight operations the QoS of the cloud storage serviceis improved
5 Preliminaries
In this section cryptographic backgrounds for the proposedscheme are briefly introduced
51 Bilinear Map Let 1198661and 119866
2be multiplicative cyclic
groups of prime order 119901 and let 119892 be a generator of 1198661 Then
a bilinear map 119890 satisfies the following properties
(1) Bilinearity for any 119906 V isin 1198661 and 119886 119887 isin 119885
119901
119890(119906119886 V119887) = 119890(119906 V)119886119887
(2) Nondegeneracy 119890(119892 119892) = 1(3) Computability there exists an efficiently computable
algorithm 119890 satisfying the above properties such that119890 1198661times 1198661rarr 1198662
52 Pseudorandom Permutation Let 119865 0 1119899times 0 1
119899rarr
0 1119899 be an efficiently computable keyed permutation for
positive integer 119899 We say that 119865 is a pseudorandom per-mutation if there exists a negligible function negl for anyprobabilistic polynomial-time distinguisher119863 such that
10038161003816100381610038161003816Pr [119863119865119896(sdot) (1119899) = 1] minus Pr [119863119891(sdot) (1119899) = 1]
10038161003816100381610038161003816le negl (119899) (1)
where 119896$larr 0 1
119899 is a permutation key chosen uniformly atrandom and 119891 is a real-random permutation
53 Discrete Logarithm (DL) Assumption Discrete logarithm(DL) problem is to compute 119886 isin 119885
119901 given 119892 isin 119866
1and 119892
119886isin
1198661 The DL assumption holds in 119866
1if it is computationally
infeasible to solve DL problem in 1198661
6 The Proposed Scheme
In this section we present a secure and efficient audit mech-anism supporting dynamic updates of shared data Whencloud storage service initiates a CSP generates public param-eters for system and publicizes them An initial uploadergenerates secret components and public components used intag generation and verification He divides data into blocksand generates tags for each data blockThen he uploads them
The Scientific World Journal 5
to the cloud storage and deletes them in his local storageTo share the data with other users he needs to deliver secretcomponents for tag generation In addition he can delegateauditing processes to a TPA by delivering a part of secretcomponents for verification
When a user tries to update a new data block he receivesan identifier from the CSP generates a tag for the data blockand uploads them After update is finished the user reportsupdate information to the TPA Then the TPA updates anindex table following the update information And the CSPrenews the identifier as next upload sequence for next update
The TPA maintains the newest index table that keepstrack of upload sequence of data blocks The TPA makes achallenge derived from the index table and transmits it to theCSP periodically or when a user wantsThe CSP who receivesthe challenge makes a proof and responds to it Then theTPA checks whether outsourced data is damaged or not byverifying the proof with the challenge
61 Definition The proposed scheme Π is composed of thefollowing eight algorithms such as Π = 119878119890119905119906119901119870119890119910119866119890119899
119879119886119892119866119890119899 119879119886119892119866119890119899119880119901 119868119879119880119901 119862ℎ119886119897119866119890119899 119875119903119900119900119891119866119890119899 119881119890119903119894119891119910
119878119890119905119906119901(120574) rarr 119901119886119903119886119898 On security parameter 120574 the CSPgenerates and publicizes public parameters 119901119886119903119886119898
119870119890119910119866119890119899(119901119886119903119886119898) rarr (119892119898119904119896 119892119904119896 119892119886119896 119892119901119896) An initialuploader takes public parameter 119901119886119903119886119898 as input and outputsgroupmaster key 119892119898119904119896 group secret key 119892119904119896 group auditingkey 119892119886119896 and group public key 119892119901119896 Group master key 119892119898119904119896
is kept secret Group secret key 119892119904119896 = 1198921199041198961 1198921199041198962 and group
auditing key 119892119886119896 are used in tag generation Group public key119892119901119896 = 119892119901119896
1 1198921199011198962 is used for verification of data integrity
along with group auditing key 119892119886119896
119879119886119892119866119890119899(119872 119892119904119896 119892119886119896) rarr 120590 On uploading data 119872 to thecloud storage the initial uploader divides the data into blocksand generates a set of tags 120590 using 119892119904119896 and 119892119886119896 Eachcomponent of 120590 is a tag of the corresponding data block in119872 such that 120590 = 120590
1 120590
119899
119879119886119892119866119890119899119880119901(1198981015840
119894 119892119904119896 119892119886119896 id1015840
119894) rarr 120590
1015840
119894 When a user tries to
update a data block 1198981015840
119894 he generates a new tag 120590
1015840
119894using 119892119904119896
119892119886119896 and new identifier id1015840119894received from the CSP
119868119879119880119901(119880type 119880index 119880id iT) rarr iT1015840 This algorithm takesupdate information and current index table iT as inputand outputs new index table iT1015840 The update informationincludes three elements119880type 119880index and119880id119880type representsan update type which can be either insertion modificationor deletion 119880index is the index of the data block to beupdated and 119880id is a newly assigned unique identifier usedin 119879119886119892119866119890119899119880119901 for the data block
119862ℎ119886119897119866119890119899(iT) rarr 119888ℎ119886119897 This algorithm generates a challeng-ing query 119888ℎ119886119897 = 119897 119903
119897119897isin119871
for randomly selected blocks TheTPA chooses random indices 119871 from the index table iT andgenerates random values 119903
119897119897isin119871
119875119903119900119900119891119866119890119899(119872 120590 119888ℎ119886119897 119892119901119896) rarr (120572 120573) The CSP generates aproof (120572 120573) for a challenge from the TPA 120572 is derived fromoutsourced data blocks 119898
119897119897isin119871
119903119897119897isin119871
and 119892119901119896 while 120573 iscomputed from tags 120590
119897119897isin119871
and 119903119897119897isin119871
119881119890119903119894119891119910(119888ℎ119886119897 iT (120572 120573) 119892119901119896 119892119886119896) rarr 119879119903119906119890119865119886119897119904119890 This algo-rithm verifies consistency of the proof generated by the CSPfor the given challenge If they are consistent it outputs119879119903119906119890Otherwise it outputs 119865119886119897119904119890
62 Construction Let 1198661 1198662be multiplicative cyclic groups
of prime order 119901 let 119892 be a generator of1198661 let 119890 119866
1times1198661rarr
1198662be a bilinear map and let 119865 0 1
log119901times 0 1
log119901rarr
0 1log119901 be a pseudorandom permutation We consider data
119872 is divided into 119899 blocks as 119872 = (1198981 119898
119899) and each
data block119898119894= (1198981198941 119898
119894119904) contains 119904 sectors of 119885
119901
621 Setup When cloud storage service initiates the CSPchooses two groups 119866
1 1198662with 119892 for a bilinear map 119890
by running 119878119890119905119906119901 algorithm and publicizes 119901119886119903119886119898 =
(1198661 1198662 119901 119892 119890) to users and the TPA
622 Upload for Data Sharing An initial uploader 1199061 runs
119870119890119910119866119890119899 algorithm It first chooses (119904 + 2) random values119892119898119904119896 = 119886 isin 119885
lowast
119901 119892119886119896 = 119887 isin 119885
119901 and 119892119904119896
2= 119892119904119896
2119895=
119888119895isin 119885119901119895isin[1119904]
and computes 1198921199041198961
= 1198921119886
1198921199011198961
= 119892119886 and
1198921199011198962
= 1198921199011198962119895
= 119892119888119895119895isin[1119904]
Then by running 119879119886119892119866119890119899 1199061
generates corresponding tags such as
120590119894= (119892119904119896
1)119865119892119886119896(119894) +sum119895isin[1119904] 1198921199041198962119895 sdot119898119894119895 (2)
for 1 le 119894 le 119899 1199061uploads (119872 120590) to the cloud storage and
deletes them from his local storage When the CSP receivesfresh data from the initial uploader it saves an identifier id1015840 =119899+1 for the next upload sequence To share data119872with otherusers 119906
1delivers group secret key 119892119904119896 and group auditing key
119892119886119896 to them
623 Delegation of Audit The initial uploader 1199061delegates
audit for shared data to the TPA by delivering a groupauditing key 119892119886119896 In addition 119906
1notifies the number of data
blocks 119899 for the TPA to correctly generate an initial indextable for 119872 In other words the TPA creates an index tablewhich includes identifiers defined as block sequences initially
624 Data Update In the proposed scheme any user 119906119896in
the group which shares data 119872 is allowed to modify insertor delete data119872 in the cloud storage
If 119906119896tries to modify 119894-th block 119898
119894 119906119896first receives a new
identifier from theCSP as illustrated in Figure 5On receipt ofthe identifier id1015840
119894 119906119896computes a tag 120590
1015840
119894for updated data block
1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm as follows
1205901015840
119894= (119892119904119896
1)119865119892119886119896(id
1015840
119894) +sum119895isin[1119904]1198921199041198962119895 sdot119898
1015840
119894119895 (3)
Then 119906119896sends (119880type =
1015840 119880index = 119894 119880id = id1015840
119894) along
with (1198981015840
119894 1205901015840
119894) to the CSP where
1015840 stands for modification
6 The Scientific World Journal
Initial next identifierid998400 = n + 1
(UtypeUindex = 2Uid = n + 1)
(UtypeUindex = 3Uid = n + 2)
(UtypeUindex = 3Uid = 0)
Next identifierid998400 = n + 2
Next identifierid998400 = n + 3
Next identifierid998400 = n + 3
n + 1
n + 1
n + 1
n + 1
n + 2m998400
2
1205909984002
m9984002
1205909984002
m9984002
1205909984002
m9984003
1205909984003
m9984002 120590998400
2
m9984003
1205909984003
(a) State after initial upload (b) State after modification of m2
(c) State after insertion of m9984003(d) State after the deletion of m998400
3
Data
Tag
Initial index table (IT)
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
IdentifierIndex12 23
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
1234
1
3middot middot middot middot middot middot
n
Identifier
Data
Tag
m1 m2 m3 mnmiddot middot middot
1205901 1205902 1205903 middot middot middot 120590n
m1 m3 mnmiddot middot middot
1205901 1205903 middot middot middot 120590n
Data
Tag
m1 m3 mnmiddot middot middot
1205901 1205903
m3
1205903
middot middot middot 120590n
Data
Tag
m1 mnmiddot middot middot
1205901 middot middot middot 120590n
TPA CSP TPA CSP
TPA CSPTPA CSP
= M998400
= D998400
= I998400
Figure 6 Examples of data update
The CSP can update the data block in the cloud storage byreplacement of (119898
119894 120590119894) with (119898
1015840
119894 1205901015840
119894) uploaded by 119906
119896
For the case of insertion 119906119896makes a tag 120590
1015840
119894for newly
created data block 1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm and
sends (119880type = 1015840 119880index = 119894 119880id = id1015840
119894) along with (119898
1015840
119894 1205901015840
119894) to
the CSPWhen 119906
119896wants to delete data block in the cloud storage
119906119896sends (119880type =
1015840 119880index = 119894 119880id = 0) to the CSP
and allows the CSP to delete the corresponding data blockfrom the cloud storage In this case 119906
119896does not need to
request a new identifier Therefore we set the value of 119880id byzero
After update is finished 119906119896delivers update information
(119880type 119880index 119880id) to the TPA for consistent audit for updatedshared data in the cloud storage Then the TPA updates theindex table managed by itself according to the informationby running 119868119879119880119901 When 119880type =
1015840 it changes the 119880index-th identifier to 119880id When 119880type =
1015840 the TPA inserts 119880idjust before the 119880index-th field while it removes the 119880index-th field from the index table if 119880type =
1015840 Through thisnotification of data updates the TPA can detect maliciousbehaviors of theCSP In other words the CSP cannot transmitpreviously used identifier in order to exploit forge attack andreplace attack Simple examples of data update are depicted inFigure 6
625 Audit for Outsourced Data For the TPA to checkintegrity of outsourced data it engages in challenge-responseprotocol with the CSPTheTPA first chooses a random subset119871 of indices from the index table and generates randomvalues119903119897
isin 119885lowast
119901119897isin119871
by running 119862ℎ119886119897119866119890119899 algorithm The 119888ℎ119886119897 =
119897 119903119897119897isin119871
is transmitted to the CSP and the CSP generates
a proof (120572 120573) for the challenge 119888ℎ119886119897 by running 119875119903119900119900119891119866119890119899
algorithm as follows
120572 = prod
119895isin[1119904]
119892119901119896sum119897isin119871119903119897sdot119898119897119895
2119895
120573 = prod
119897isin119871
120590119903119897
119897
(4)
After receiving the proof (120572 120573) as a response of thechallenge the TPA verifies it by running 119881119890119903119894119891119910 algorithm asfollows
119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 120572 119892) =
119890 (120573 119892119901119896
1) (5)
If (5) holds then the TPA returns 119879119903119906119890 and returns 119865119886119897119904119890otherwise
7 Security Analysis
In this section we show that the proposed scheme is correctand resistant against forge attack and replace attack
Theorem 1 Π provides correctness to the TPA during audit-ing outsourced data
Proof Correctness of Π is achieved by exploiting bilinearproperty of the bilinear map Left-hand side (LHS) of (5)expands as follows
LHS = 119890(119892sum119897isin119871119903119897sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
1198921198921199041198962119895 sdotsum119897isin119871 119903119897 sdot119898119897119895 119892)
The Scientific World Journal 7
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897)+sum119895isin[1119904](1198921199041198962119895 sdotsum119897isin119871 119903119897sdot119898119897119895) 119892)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(6)
while the right-hand side (RHS) of (5) expands as follows
RHS = 119890(prod
119897isin119871
120590119897
119903119897 1198921199011198961)
= 119890(prod
119897isin119871
119892119903119897 sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890 (119892sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(7)
Since the terms LHS and RHS are the same the proof iscompleted
Theorem 2 Π is secure against forge attack
Proof If the CSP acquires an element in 1198921199011198962119895
1119892119898119904119896=
1198921198921199041198962119895119892119898119904119896
119895isin[1119904]from the public parameter 119892119901119896 the CSP can
forge a tag Given 1198921199011198961= 119892119892119898119904119896 computing 119892119898119904119896 is hard due
to DL assumptionThus it is infeasible for the CSP to acquirean element in 119892
1198921199041198962119895119892119898119904119896119895isin[1119904]
When 119865
119892119886119896(id119894) for 120590
119894and 119865
119892119886119896(id119902) for 120590
119902are the same
the CSP computes 120590119894120590119902 Then the CSP can obtain 120575 =
(1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895) and forge the tag 120590
119911of data block119898
119911
using 120575 as follows
1205901015840
119911= 120590119911times 120575
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119911119895
times (1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895)
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot(119898119911119895+119898119894119895minus119898119902119895)
(8)
Finally the CSP obtains forged tag 1205901015840
119911of modified data block
1198981015840
119911= 119898
119911119895+ 119898119894119895
minus 119898119902119895119895isin[1119904]
However 119865119892119886119896
(id119894) and
119865119892119886119896
(id119902) cannot be the same value for id
119894= id119902because of the
definition of pseudorandompermutationTherefore the CSPcannot forge a tag to pass the censorship This completes theproof
Theorem 3 Π is secure against replace attack
Proof When damaged block 119898119894
is challenged theCSP may try to pass the censorship by choosing adifferent block (119898
119902 120590119902) in place of (119898
119894 120590119894) such as
1205721015840= prod119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897 sdot119898119897119895
2119895and 120573
1015840= 120590119903119894
119902sdot prod119897isin119871119897 = 119894
120590119903119897
119897
Then the left-hand side of (5) is computed as
119890(119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895
2119895 119892)
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 119892
sum119895isin[1119904]1198921199041198962119895 sdot(119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895) 119892)
=119890 (119892119903119894 sdot(119865119892119886119896(id119894)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119902119895)+sum119897isin119871119897 = 119894 119903119897sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895) 119892)
= 119890 (119892(119903119894 sdot119865119892119886119896(id119894)minus119903119894 sdot119865119892119886119896(id119902))119892119898119904119896 times 120573
1015840 1198921199011198961)
(9)
in which 119892(119903119894 sdot(119865119892119886119896(id119894)minus119865119892119886119896(id119902)))119892119898119904119896 should be 1 to satisfy (5)
This means that 119865119892119886119896
(id119894) and 119865
119892119886119896(id119902) should be the same
Due to the bijective property of the permutation howeverthese values cannot be the same
8 Performance Evaluation
In this section the prosed scheme is analyzed and comparedwith previous studies [14ndash16] in terms of communication andcomputational overhead We first evaluate communicationoverhead for updating a data block Then computationaloverhead for tag generation and verification is evaluated
81 Communication Overhead As we described in Section 3the way to get an identifier of updated data block depends onwhich entity manages an index table In Wang et alrsquos work[16] 119906
119896needs one round-trip communication to request and
receive the identifier (Figure 1) Zhu et al [15] utilize a waythat the TPA manages the index table (Figure 2) It needsan additional connection between 119906
119896and the TPA for the
identifier and a report of update information Yang and Jia[14] utilize a way that a user manages the index table byhimself Although it is suitable when the outsourced data ismanaged by a single user it requires more communicationcosts for synchronization of the index tables when the data isshared by multiple users
Communication costs are summarized in Table 1 Weomitted costs for uploading a data block and a correspondingtag for simplicity Although the proposed scheme seems torequire the same cost as Zhu et alrsquos approach there may beupdate delays caused by concentration of communications tothe TPA in [15] On the other hand the proposed schemeremoves this delay via a direct acquisition of the identifierfrom the CSP For [14] to synchronize the index tables of usersand the TPA 119906
119896needs to broadcast extra update information
Considering this circumstance additional communicationscaused by broadcast might be added into Table 1
82 Computational Overhead Computation costs for taggeneration and verification are described in Table 2 Theproposed scheme requires a single Exp
119866operation in tag
generation while the others [14ndash16] require Exp119866and Mul
119866
operations which are proportional to the number of sectors
8 The Scientific World Journal
Table 1 Connections and communication costs for updating a data block
Wang et al [16] Zhu et al [15] Yang and Jia [14] Our scheme
Connections 119906119896harr CSP
119906119896harr TPA 119906
119896with other users 119906
119896harr TPA
119906119896harr CSP 119906
119896harr TPA
119906119896harr CSP
119906119896harr CSP
Extra communication costs 1003816100381610038161003816119902id1003816100381610038161003816 + |id| 1003816100381610038161003816119902id
1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info1003816100381610038161003816 119889 times
1003816100381610038161003816119906info1003816100381610038161003816
1003816100381610038161003816119902id1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info
1003816100381610038161003816
Table 2 Computation costs for a tag generation and verification
Tag generation VerificationWang et al [16] (119878 + 1) sdot Exp
119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878 minus 1) sdotMul
119866+ 119871 sdot 119867
119866
Zhu et al [15] (119878 + 2) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
3 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878) sdotMul
119866+ 119871 sdot 119867
119866
Yang and Jia [14] (119878 + 1) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 1) sdot Exp119866+ 119871 sdotMul
119866+ 119871 sdotMul
119885119901+ 119871 sdot 119867
119866
Our scheme Exp119866+ 119878 sdotMul
119885119901+ 119878 sdot Add
119885119901+ 119865prp
2 sdot Pair + Exp119866+Mul
119866
119871 sdotMul119885119901
+ (119871 minus 1) sdot Add119885119901
+ 119871 sdot 119865prp
in a data block When the TPA verifies a proof received fromthe CSP one Exp
119866and one Mul
119866operations are required in
the proposed scheme regardless of the number of challengeddata blocks However the others require Exp
119866and Mul
119866
operations linear to the number of challenged data blockswhich cause a significant overhead to the TPA
83 Experimental Results We measure the performance ofour scheme and compare it with other works [14ndash16] basedon implementations inUbuntu 1204We utilize Paring BasedCryptography (PBC) library for cryptographic operationsand OpenSSL to use Advanced Encryption Standard (AES)for pseudorandom permutation All experiments are exe-cuted on an Intel Core i3 310GHz with 2GB memory Weassume that |119901| is 160 bits |id| is 80 bits and size of a datablock is 160 bits We simulate each scheme on 4 different datawhich has 1000 data blocks with 5 times All experimentalresults show an average of 20 trials
831 TagGeneration Theperformances of the tag generationtimes are presented in Figure 7(a) Tag generation time inour scheme is 318 milliseconds per block when 119878 = 1
and 328 milliseconds per block when 119878 = 100 Sincea single Exp
119866is required regardless of 119878 119878 almost never
influences on tag generation time However tag generationtimes of the others increase with increasing 119878 Reference[16] requires 32365 milliseconds per block and [14] requires32463 milliseconds per block when 119878 = 100 Since they havesame computation complexity their tag generation times arealmost identical Reference [15] needs onemore Exp
119866Thus it
requires 32997milliseconds per blockwhich ismore than theothers
832 Verification Wemeasure verification times dependingon 119871 when 119878 = 100 As depicted in Figure 7(b) theverification times for the TPA are dependent on 119871 in theothers [14ndash16]When 119871 = 500 [14ndash16] requires 513 566 and575 seconds respectively Furthermore Figure 7(c) shows
that 119878 influences [15 16] However our scheme requires 001seconds for verification regardless of 119871 and 119878
9 Conclusion
In this paper we present a secure and efficient audit mech-anism for shared dynamic data in cloud storage It makespossible for the TPA to correctly audit outsourced data whichcan be updated in a secure manner With simple index tablemanagement by the TPA and identifier renewal by the CSPany user in a group can update shared data block efficientlyFurthermore making the auditing operations simple leads toless computational overhead for the whole auditing processPerformance evaluation and security analysis show thatthe proposed scheme is best suited to the cloud storagewhere multiple users share and update the outsourced datafrequently
Notations
119906119896 A user who tries to update
119889 The number of users in group119871 The number of challenged data blocks119878 The number of sectors in a data blockid An identifier119902id Request for an identifier119906info Update information119865prp Pseudorandom permutation119867119866 0 1
lowast to 119866
Pair Pairing operationExp119866 Exponentiation in 119866
Mul119866 Multiplication in 119866
Mul119885119901 Multiplication in 119885
119901
Add119885119901 Addition in 119885
119901
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
The Scientific World Journal 9
0
50
100
150
200
250
300
350
1 20 40 60 80 100
Tag
gene
ratio
n tim
e (m
s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(a) Impact of 119878 on tag generation time
0
1
2
3
4
5
6
7
100 200 300 400 500
Verifi
catio
n tim
e (s)
The number of challenged data blocksOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(b) Impact of 119871 on verification time when 119878 = 100
0
1
2
3
4
5
6
20 40 60 80 100
Verifi
catio
n tim
e (s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(c) Impact of 119878 on verification time when 119871 = 460
Figure 7 Experimental results
Acknowledgment
This work was supported by the IT R amp D program ofMKEKEIT (10041244 SmartTV 20 Software Platform)
References
[1] E-H Song H-W Kim and Y-S Jeong ldquoVisual monitoringsystem of multi-hosts behavior for trustworthiness with mobilecloudrdquo Journal of Information Processing Systems vol 8 no 2pp 347ndash358 2012
[2] J Bringer and H Chabanne ldquoEmbedding edit distance toenable private keyword searchrdquoHuman-Centric Computing andInformation Sciences vol 2 article 2 2012
[3] Y Pan and J Zhang ldquoParallel programming on cloud comput-ing platforms challenges and solutionsrdquo Journal of Convergencevol 3 no 4 pp 23ndash28 2012
[4] T Teraoka ldquoOrganization and exploration of heterogeneouspersonal data collected in daily liferdquoHuman-Centric Computingand Information Sciences vol 2 article 1 no 1 2012
[5] J K Y Ng ldquoUbiquitous healthcare healthcare systems andapplications enabled by mobile and wireless technologiesrdquoJournal of Convergence vol 3 no 2 pp 15ndash20 2012
[6] ldquoGoogle Google driverdquo httpdrivegooglecom[7] ldquoAmazon Amazon s3rdquo httpawsamazoncoms3[8] G Ateniese R Burns R Curtmola et al ldquoProvable data
possession at untrusted storesrdquo in Proceedings of the 14th ACM
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World Journal 5
to the cloud storage and deletes them in his local storageTo share the data with other users he needs to deliver secretcomponents for tag generation In addition he can delegateauditing processes to a TPA by delivering a part of secretcomponents for verification
When a user tries to update a new data block he receivesan identifier from the CSP generates a tag for the data blockand uploads them After update is finished the user reportsupdate information to the TPA Then the TPA updates anindex table following the update information And the CSPrenews the identifier as next upload sequence for next update
The TPA maintains the newest index table that keepstrack of upload sequence of data blocks The TPA makes achallenge derived from the index table and transmits it to theCSP periodically or when a user wantsThe CSP who receivesthe challenge makes a proof and responds to it Then theTPA checks whether outsourced data is damaged or not byverifying the proof with the challenge
61 Definition The proposed scheme Π is composed of thefollowing eight algorithms such as Π = 119878119890119905119906119901119870119890119910119866119890119899
119879119886119892119866119890119899 119879119886119892119866119890119899119880119901 119868119879119880119901 119862ℎ119886119897119866119890119899 119875119903119900119900119891119866119890119899 119881119890119903119894119891119910
119878119890119905119906119901(120574) rarr 119901119886119903119886119898 On security parameter 120574 the CSPgenerates and publicizes public parameters 119901119886119903119886119898
119870119890119910119866119890119899(119901119886119903119886119898) rarr (119892119898119904119896 119892119904119896 119892119886119896 119892119901119896) An initialuploader takes public parameter 119901119886119903119886119898 as input and outputsgroupmaster key 119892119898119904119896 group secret key 119892119904119896 group auditingkey 119892119886119896 and group public key 119892119901119896 Group master key 119892119898119904119896
is kept secret Group secret key 119892119904119896 = 1198921199041198961 1198921199041198962 and group
auditing key 119892119886119896 are used in tag generation Group public key119892119901119896 = 119892119901119896
1 1198921199011198962 is used for verification of data integrity
along with group auditing key 119892119886119896
119879119886119892119866119890119899(119872 119892119904119896 119892119886119896) rarr 120590 On uploading data 119872 to thecloud storage the initial uploader divides the data into blocksand generates a set of tags 120590 using 119892119904119896 and 119892119886119896 Eachcomponent of 120590 is a tag of the corresponding data block in119872 such that 120590 = 120590
1 120590
119899
119879119886119892119866119890119899119880119901(1198981015840
119894 119892119904119896 119892119886119896 id1015840
119894) rarr 120590
1015840
119894 When a user tries to
update a data block 1198981015840
119894 he generates a new tag 120590
1015840
119894using 119892119904119896
119892119886119896 and new identifier id1015840119894received from the CSP
119868119879119880119901(119880type 119880index 119880id iT) rarr iT1015840 This algorithm takesupdate information and current index table iT as inputand outputs new index table iT1015840 The update informationincludes three elements119880type 119880index and119880id119880type representsan update type which can be either insertion modificationor deletion 119880index is the index of the data block to beupdated and 119880id is a newly assigned unique identifier usedin 119879119886119892119866119890119899119880119901 for the data block
119862ℎ119886119897119866119890119899(iT) rarr 119888ℎ119886119897 This algorithm generates a challeng-ing query 119888ℎ119886119897 = 119897 119903
119897119897isin119871
for randomly selected blocks TheTPA chooses random indices 119871 from the index table iT andgenerates random values 119903
119897119897isin119871
119875119903119900119900119891119866119890119899(119872 120590 119888ℎ119886119897 119892119901119896) rarr (120572 120573) The CSP generates aproof (120572 120573) for a challenge from the TPA 120572 is derived fromoutsourced data blocks 119898
119897119897isin119871
119903119897119897isin119871
and 119892119901119896 while 120573 iscomputed from tags 120590
119897119897isin119871
and 119903119897119897isin119871
119881119890119903119894119891119910(119888ℎ119886119897 iT (120572 120573) 119892119901119896 119892119886119896) rarr 119879119903119906119890119865119886119897119904119890 This algo-rithm verifies consistency of the proof generated by the CSPfor the given challenge If they are consistent it outputs119879119903119906119890Otherwise it outputs 119865119886119897119904119890
62 Construction Let 1198661 1198662be multiplicative cyclic groups
of prime order 119901 let 119892 be a generator of1198661 let 119890 119866
1times1198661rarr
1198662be a bilinear map and let 119865 0 1
log119901times 0 1
log119901rarr
0 1log119901 be a pseudorandom permutation We consider data
119872 is divided into 119899 blocks as 119872 = (1198981 119898
119899) and each
data block119898119894= (1198981198941 119898
119894119904) contains 119904 sectors of 119885
119901
621 Setup When cloud storage service initiates the CSPchooses two groups 119866
1 1198662with 119892 for a bilinear map 119890
by running 119878119890119905119906119901 algorithm and publicizes 119901119886119903119886119898 =
(1198661 1198662 119901 119892 119890) to users and the TPA
622 Upload for Data Sharing An initial uploader 1199061 runs
119870119890119910119866119890119899 algorithm It first chooses (119904 + 2) random values119892119898119904119896 = 119886 isin 119885
lowast
119901 119892119886119896 = 119887 isin 119885
119901 and 119892119904119896
2= 119892119904119896
2119895=
119888119895isin 119885119901119895isin[1119904]
and computes 1198921199041198961
= 1198921119886
1198921199011198961
= 119892119886 and
1198921199011198962
= 1198921199011198962119895
= 119892119888119895119895isin[1119904]
Then by running 119879119886119892119866119890119899 1199061
generates corresponding tags such as
120590119894= (119892119904119896
1)119865119892119886119896(119894) +sum119895isin[1119904] 1198921199041198962119895 sdot119898119894119895 (2)
for 1 le 119894 le 119899 1199061uploads (119872 120590) to the cloud storage and
deletes them from his local storage When the CSP receivesfresh data from the initial uploader it saves an identifier id1015840 =119899+1 for the next upload sequence To share data119872with otherusers 119906
1delivers group secret key 119892119904119896 and group auditing key
119892119886119896 to them
623 Delegation of Audit The initial uploader 1199061delegates
audit for shared data to the TPA by delivering a groupauditing key 119892119886119896 In addition 119906
1notifies the number of data
blocks 119899 for the TPA to correctly generate an initial indextable for 119872 In other words the TPA creates an index tablewhich includes identifiers defined as block sequences initially
624 Data Update In the proposed scheme any user 119906119896in
the group which shares data 119872 is allowed to modify insertor delete data119872 in the cloud storage
If 119906119896tries to modify 119894-th block 119898
119894 119906119896first receives a new
identifier from theCSP as illustrated in Figure 5On receipt ofthe identifier id1015840
119894 119906119896computes a tag 120590
1015840
119894for updated data block
1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm as follows
1205901015840
119894= (119892119904119896
1)119865119892119886119896(id
1015840
119894) +sum119895isin[1119904]1198921199041198962119895 sdot119898
1015840
119894119895 (3)
Then 119906119896sends (119880type =
1015840 119880index = 119894 119880id = id1015840
119894) along
with (1198981015840
119894 1205901015840
119894) to the CSP where
1015840 stands for modification
6 The Scientific World Journal
Initial next identifierid998400 = n + 1
(UtypeUindex = 2Uid = n + 1)
(UtypeUindex = 3Uid = n + 2)
(UtypeUindex = 3Uid = 0)
Next identifierid998400 = n + 2
Next identifierid998400 = n + 3
Next identifierid998400 = n + 3
n + 1
n + 1
n + 1
n + 1
n + 2m998400
2
1205909984002
m9984002
1205909984002
m9984002
1205909984002
m9984003
1205909984003
m9984002 120590998400
2
m9984003
1205909984003
(a) State after initial upload (b) State after modification of m2
(c) State after insertion of m9984003(d) State after the deletion of m998400
3
Data
Tag
Initial index table (IT)
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
IdentifierIndex12 23
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
1234
1
3middot middot middot middot middot middot
n
Identifier
Data
Tag
m1 m2 m3 mnmiddot middot middot
1205901 1205902 1205903 middot middot middot 120590n
m1 m3 mnmiddot middot middot
1205901 1205903 middot middot middot 120590n
Data
Tag
m1 m3 mnmiddot middot middot
1205901 1205903
m3
1205903
middot middot middot 120590n
Data
Tag
m1 mnmiddot middot middot
1205901 middot middot middot 120590n
TPA CSP TPA CSP
TPA CSPTPA CSP
= M998400
= D998400
= I998400
Figure 6 Examples of data update
The CSP can update the data block in the cloud storage byreplacement of (119898
119894 120590119894) with (119898
1015840
119894 1205901015840
119894) uploaded by 119906
119896
For the case of insertion 119906119896makes a tag 120590
1015840
119894for newly
created data block 1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm and
sends (119880type = 1015840 119880index = 119894 119880id = id1015840
119894) along with (119898
1015840
119894 1205901015840
119894) to
the CSPWhen 119906
119896wants to delete data block in the cloud storage
119906119896sends (119880type =
1015840 119880index = 119894 119880id = 0) to the CSP
and allows the CSP to delete the corresponding data blockfrom the cloud storage In this case 119906
119896does not need to
request a new identifier Therefore we set the value of 119880id byzero
After update is finished 119906119896delivers update information
(119880type 119880index 119880id) to the TPA for consistent audit for updatedshared data in the cloud storage Then the TPA updates theindex table managed by itself according to the informationby running 119868119879119880119901 When 119880type =
1015840 it changes the 119880index-th identifier to 119880id When 119880type =
1015840 the TPA inserts 119880idjust before the 119880index-th field while it removes the 119880index-th field from the index table if 119880type =
1015840 Through thisnotification of data updates the TPA can detect maliciousbehaviors of theCSP In other words the CSP cannot transmitpreviously used identifier in order to exploit forge attack andreplace attack Simple examples of data update are depicted inFigure 6
625 Audit for Outsourced Data For the TPA to checkintegrity of outsourced data it engages in challenge-responseprotocol with the CSPTheTPA first chooses a random subset119871 of indices from the index table and generates randomvalues119903119897
isin 119885lowast
119901119897isin119871
by running 119862ℎ119886119897119866119890119899 algorithm The 119888ℎ119886119897 =
119897 119903119897119897isin119871
is transmitted to the CSP and the CSP generates
a proof (120572 120573) for the challenge 119888ℎ119886119897 by running 119875119903119900119900119891119866119890119899
algorithm as follows
120572 = prod
119895isin[1119904]
119892119901119896sum119897isin119871119903119897sdot119898119897119895
2119895
120573 = prod
119897isin119871
120590119903119897
119897
(4)
After receiving the proof (120572 120573) as a response of thechallenge the TPA verifies it by running 119881119890119903119894119891119910 algorithm asfollows
119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 120572 119892) =
119890 (120573 119892119901119896
1) (5)
If (5) holds then the TPA returns 119879119903119906119890 and returns 119865119886119897119904119890otherwise
7 Security Analysis
In this section we show that the proposed scheme is correctand resistant against forge attack and replace attack
Theorem 1 Π provides correctness to the TPA during audit-ing outsourced data
Proof Correctness of Π is achieved by exploiting bilinearproperty of the bilinear map Left-hand side (LHS) of (5)expands as follows
LHS = 119890(119892sum119897isin119871119903119897sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
1198921198921199041198962119895 sdotsum119897isin119871 119903119897 sdot119898119897119895 119892)
The Scientific World Journal 7
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897)+sum119895isin[1119904](1198921199041198962119895 sdotsum119897isin119871 119903119897sdot119898119897119895) 119892)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(6)
while the right-hand side (RHS) of (5) expands as follows
RHS = 119890(prod
119897isin119871
120590119897
119903119897 1198921199011198961)
= 119890(prod
119897isin119871
119892119903119897 sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890 (119892sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(7)
Since the terms LHS and RHS are the same the proof iscompleted
Theorem 2 Π is secure against forge attack
Proof If the CSP acquires an element in 1198921199011198962119895
1119892119898119904119896=
1198921198921199041198962119895119892119898119904119896
119895isin[1119904]from the public parameter 119892119901119896 the CSP can
forge a tag Given 1198921199011198961= 119892119892119898119904119896 computing 119892119898119904119896 is hard due
to DL assumptionThus it is infeasible for the CSP to acquirean element in 119892
1198921199041198962119895119892119898119904119896119895isin[1119904]
When 119865
119892119886119896(id119894) for 120590
119894and 119865
119892119886119896(id119902) for 120590
119902are the same
the CSP computes 120590119894120590119902 Then the CSP can obtain 120575 =
(1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895) and forge the tag 120590
119911of data block119898
119911
using 120575 as follows
1205901015840
119911= 120590119911times 120575
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119911119895
times (1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895)
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot(119898119911119895+119898119894119895minus119898119902119895)
(8)
Finally the CSP obtains forged tag 1205901015840
119911of modified data block
1198981015840
119911= 119898
119911119895+ 119898119894119895
minus 119898119902119895119895isin[1119904]
However 119865119892119886119896
(id119894) and
119865119892119886119896
(id119902) cannot be the same value for id
119894= id119902because of the
definition of pseudorandompermutationTherefore the CSPcannot forge a tag to pass the censorship This completes theproof
Theorem 3 Π is secure against replace attack
Proof When damaged block 119898119894
is challenged theCSP may try to pass the censorship by choosing adifferent block (119898
119902 120590119902) in place of (119898
119894 120590119894) such as
1205721015840= prod119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897 sdot119898119897119895
2119895and 120573
1015840= 120590119903119894
119902sdot prod119897isin119871119897 = 119894
120590119903119897
119897
Then the left-hand side of (5) is computed as
119890(119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895
2119895 119892)
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 119892
sum119895isin[1119904]1198921199041198962119895 sdot(119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895) 119892)
=119890 (119892119903119894 sdot(119865119892119886119896(id119894)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119902119895)+sum119897isin119871119897 = 119894 119903119897sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895) 119892)
= 119890 (119892(119903119894 sdot119865119892119886119896(id119894)minus119903119894 sdot119865119892119886119896(id119902))119892119898119904119896 times 120573
1015840 1198921199011198961)
(9)
in which 119892(119903119894 sdot(119865119892119886119896(id119894)minus119865119892119886119896(id119902)))119892119898119904119896 should be 1 to satisfy (5)
This means that 119865119892119886119896
(id119894) and 119865
119892119886119896(id119902) should be the same
Due to the bijective property of the permutation howeverthese values cannot be the same
8 Performance Evaluation
In this section the prosed scheme is analyzed and comparedwith previous studies [14ndash16] in terms of communication andcomputational overhead We first evaluate communicationoverhead for updating a data block Then computationaloverhead for tag generation and verification is evaluated
81 Communication Overhead As we described in Section 3the way to get an identifier of updated data block depends onwhich entity manages an index table In Wang et alrsquos work[16] 119906
119896needs one round-trip communication to request and
receive the identifier (Figure 1) Zhu et al [15] utilize a waythat the TPA manages the index table (Figure 2) It needsan additional connection between 119906
119896and the TPA for the
identifier and a report of update information Yang and Jia[14] utilize a way that a user manages the index table byhimself Although it is suitable when the outsourced data ismanaged by a single user it requires more communicationcosts for synchronization of the index tables when the data isshared by multiple users
Communication costs are summarized in Table 1 Weomitted costs for uploading a data block and a correspondingtag for simplicity Although the proposed scheme seems torequire the same cost as Zhu et alrsquos approach there may beupdate delays caused by concentration of communications tothe TPA in [15] On the other hand the proposed schemeremoves this delay via a direct acquisition of the identifierfrom the CSP For [14] to synchronize the index tables of usersand the TPA 119906
119896needs to broadcast extra update information
Considering this circumstance additional communicationscaused by broadcast might be added into Table 1
82 Computational Overhead Computation costs for taggeneration and verification are described in Table 2 Theproposed scheme requires a single Exp
119866operation in tag
generation while the others [14ndash16] require Exp119866and Mul
119866
operations which are proportional to the number of sectors
8 The Scientific World Journal
Table 1 Connections and communication costs for updating a data block
Wang et al [16] Zhu et al [15] Yang and Jia [14] Our scheme
Connections 119906119896harr CSP
119906119896harr TPA 119906
119896with other users 119906
119896harr TPA
119906119896harr CSP 119906
119896harr TPA
119906119896harr CSP
119906119896harr CSP
Extra communication costs 1003816100381610038161003816119902id1003816100381610038161003816 + |id| 1003816100381610038161003816119902id
1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info1003816100381610038161003816 119889 times
1003816100381610038161003816119906info1003816100381610038161003816
1003816100381610038161003816119902id1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info
1003816100381610038161003816
Table 2 Computation costs for a tag generation and verification
Tag generation VerificationWang et al [16] (119878 + 1) sdot Exp
119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878 minus 1) sdotMul
119866+ 119871 sdot 119867
119866
Zhu et al [15] (119878 + 2) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
3 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878) sdotMul
119866+ 119871 sdot 119867
119866
Yang and Jia [14] (119878 + 1) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 1) sdot Exp119866+ 119871 sdotMul
119866+ 119871 sdotMul
119885119901+ 119871 sdot 119867
119866
Our scheme Exp119866+ 119878 sdotMul
119885119901+ 119878 sdot Add
119885119901+ 119865prp
2 sdot Pair + Exp119866+Mul
119866
119871 sdotMul119885119901
+ (119871 minus 1) sdot Add119885119901
+ 119871 sdot 119865prp
in a data block When the TPA verifies a proof received fromthe CSP one Exp
119866and one Mul
119866operations are required in
the proposed scheme regardless of the number of challengeddata blocks However the others require Exp
119866and Mul
119866
operations linear to the number of challenged data blockswhich cause a significant overhead to the TPA
83 Experimental Results We measure the performance ofour scheme and compare it with other works [14ndash16] basedon implementations inUbuntu 1204We utilize Paring BasedCryptography (PBC) library for cryptographic operationsand OpenSSL to use Advanced Encryption Standard (AES)for pseudorandom permutation All experiments are exe-cuted on an Intel Core i3 310GHz with 2GB memory Weassume that |119901| is 160 bits |id| is 80 bits and size of a datablock is 160 bits We simulate each scheme on 4 different datawhich has 1000 data blocks with 5 times All experimentalresults show an average of 20 trials
831 TagGeneration Theperformances of the tag generationtimes are presented in Figure 7(a) Tag generation time inour scheme is 318 milliseconds per block when 119878 = 1
and 328 milliseconds per block when 119878 = 100 Sincea single Exp
119866is required regardless of 119878 119878 almost never
influences on tag generation time However tag generationtimes of the others increase with increasing 119878 Reference[16] requires 32365 milliseconds per block and [14] requires32463 milliseconds per block when 119878 = 100 Since they havesame computation complexity their tag generation times arealmost identical Reference [15] needs onemore Exp
119866Thus it
requires 32997milliseconds per blockwhich ismore than theothers
832 Verification Wemeasure verification times dependingon 119871 when 119878 = 100 As depicted in Figure 7(b) theverification times for the TPA are dependent on 119871 in theothers [14ndash16]When 119871 = 500 [14ndash16] requires 513 566 and575 seconds respectively Furthermore Figure 7(c) shows
that 119878 influences [15 16] However our scheme requires 001seconds for verification regardless of 119871 and 119878
9 Conclusion
In this paper we present a secure and efficient audit mech-anism for shared dynamic data in cloud storage It makespossible for the TPA to correctly audit outsourced data whichcan be updated in a secure manner With simple index tablemanagement by the TPA and identifier renewal by the CSPany user in a group can update shared data block efficientlyFurthermore making the auditing operations simple leads toless computational overhead for the whole auditing processPerformance evaluation and security analysis show thatthe proposed scheme is best suited to the cloud storagewhere multiple users share and update the outsourced datafrequently
Notations
119906119896 A user who tries to update
119889 The number of users in group119871 The number of challenged data blocks119878 The number of sectors in a data blockid An identifier119902id Request for an identifier119906info Update information119865prp Pseudorandom permutation119867119866 0 1
lowast to 119866
Pair Pairing operationExp119866 Exponentiation in 119866
Mul119866 Multiplication in 119866
Mul119885119901 Multiplication in 119885
119901
Add119885119901 Addition in 119885
119901
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
The Scientific World Journal 9
0
50
100
150
200
250
300
350
1 20 40 60 80 100
Tag
gene
ratio
n tim
e (m
s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(a) Impact of 119878 on tag generation time
0
1
2
3
4
5
6
7
100 200 300 400 500
Verifi
catio
n tim
e (s)
The number of challenged data blocksOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(b) Impact of 119871 on verification time when 119878 = 100
0
1
2
3
4
5
6
20 40 60 80 100
Verifi
catio
n tim
e (s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(c) Impact of 119878 on verification time when 119871 = 460
Figure 7 Experimental results
Acknowledgment
This work was supported by the IT R amp D program ofMKEKEIT (10041244 SmartTV 20 Software Platform)
References
[1] E-H Song H-W Kim and Y-S Jeong ldquoVisual monitoringsystem of multi-hosts behavior for trustworthiness with mobilecloudrdquo Journal of Information Processing Systems vol 8 no 2pp 347ndash358 2012
[2] J Bringer and H Chabanne ldquoEmbedding edit distance toenable private keyword searchrdquoHuman-Centric Computing andInformation Sciences vol 2 article 2 2012
[3] Y Pan and J Zhang ldquoParallel programming on cloud comput-ing platforms challenges and solutionsrdquo Journal of Convergencevol 3 no 4 pp 23ndash28 2012
[4] T Teraoka ldquoOrganization and exploration of heterogeneouspersonal data collected in daily liferdquoHuman-Centric Computingand Information Sciences vol 2 article 1 no 1 2012
[5] J K Y Ng ldquoUbiquitous healthcare healthcare systems andapplications enabled by mobile and wireless technologiesrdquoJournal of Convergence vol 3 no 2 pp 15ndash20 2012
[6] ldquoGoogle Google driverdquo httpdrivegooglecom[7] ldquoAmazon Amazon s3rdquo httpawsamazoncoms3[8] G Ateniese R Burns R Curtmola et al ldquoProvable data
possession at untrusted storesrdquo in Proceedings of the 14th ACM
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
6 The Scientific World Journal
Initial next identifierid998400 = n + 1
(UtypeUindex = 2Uid = n + 1)
(UtypeUindex = 3Uid = n + 2)
(UtypeUindex = 3Uid = 0)
Next identifierid998400 = n + 2
Next identifierid998400 = n + 3
Next identifierid998400 = n + 3
n + 1
n + 1
n + 1
n + 1
n + 2m998400
2
1205909984002
m9984002
1205909984002
m9984002
1205909984002
m9984003
1205909984003
m9984002 120590998400
2
m9984003
1205909984003
(a) State after initial upload (b) State after modification of m2
(c) State after insertion of m9984003(d) State after the deletion of m998400
3
Data
Tag
Initial index table (IT)
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
123
1
3middot middot middot middot middot middotn n
IdentifierIndex12 23
1
3middot middot middot middot middot middotn n
Identifier
Index table (IT)Index
1234
1
3middot middot middot middot middot middot
n
Identifier
Data
Tag
m1 m2 m3 mnmiddot middot middot
1205901 1205902 1205903 middot middot middot 120590n
m1 m3 mnmiddot middot middot
1205901 1205903 middot middot middot 120590n
Data
Tag
m1 m3 mnmiddot middot middot
1205901 1205903
m3
1205903
middot middot middot 120590n
Data
Tag
m1 mnmiddot middot middot
1205901 middot middot middot 120590n
TPA CSP TPA CSP
TPA CSPTPA CSP
= M998400
= D998400
= I998400
Figure 6 Examples of data update
The CSP can update the data block in the cloud storage byreplacement of (119898
119894 120590119894) with (119898
1015840
119894 1205901015840
119894) uploaded by 119906
119896
For the case of insertion 119906119896makes a tag 120590
1015840
119894for newly
created data block 1198981015840
119894by running 119879119886119892119866119890119899119880119901 algorithm and
sends (119880type = 1015840 119880index = 119894 119880id = id1015840
119894) along with (119898
1015840
119894 1205901015840
119894) to
the CSPWhen 119906
119896wants to delete data block in the cloud storage
119906119896sends (119880type =
1015840 119880index = 119894 119880id = 0) to the CSP
and allows the CSP to delete the corresponding data blockfrom the cloud storage In this case 119906
119896does not need to
request a new identifier Therefore we set the value of 119880id byzero
After update is finished 119906119896delivers update information
(119880type 119880index 119880id) to the TPA for consistent audit for updatedshared data in the cloud storage Then the TPA updates theindex table managed by itself according to the informationby running 119868119879119880119901 When 119880type =
1015840 it changes the 119880index-th identifier to 119880id When 119880type =
1015840 the TPA inserts 119880idjust before the 119880index-th field while it removes the 119880index-th field from the index table if 119880type =
1015840 Through thisnotification of data updates the TPA can detect maliciousbehaviors of theCSP In other words the CSP cannot transmitpreviously used identifier in order to exploit forge attack andreplace attack Simple examples of data update are depicted inFigure 6
625 Audit for Outsourced Data For the TPA to checkintegrity of outsourced data it engages in challenge-responseprotocol with the CSPTheTPA first chooses a random subset119871 of indices from the index table and generates randomvalues119903119897
isin 119885lowast
119901119897isin119871
by running 119862ℎ119886119897119866119890119899 algorithm The 119888ℎ119886119897 =
119897 119903119897119897isin119871
is transmitted to the CSP and the CSP generates
a proof (120572 120573) for the challenge 119888ℎ119886119897 by running 119875119903119900119900119891119866119890119899
algorithm as follows
120572 = prod
119895isin[1119904]
119892119901119896sum119897isin119871119903119897sdot119898119897119895
2119895
120573 = prod
119897isin119871
120590119903119897
119897
(4)
After receiving the proof (120572 120573) as a response of thechallenge the TPA verifies it by running 119881119890119903119894119891119910 algorithm asfollows
119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 120572 119892) =
119890 (120573 119892119901119896
1) (5)
If (5) holds then the TPA returns 119879119903119906119890 and returns 119865119886119897119904119890otherwise
7 Security Analysis
In this section we show that the proposed scheme is correctand resistant against forge attack and replace attack
Theorem 1 Π provides correctness to the TPA during audit-ing outsourced data
Proof Correctness of Π is achieved by exploiting bilinearproperty of the bilinear map Left-hand side (LHS) of (5)expands as follows
LHS = 119890(119892sum119897isin119871119903119897sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
1198921198921199041198962119895 sdotsum119897isin119871 119903119897 sdot119898119897119895 119892)
The Scientific World Journal 7
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897)+sum119895isin[1119904](1198921199041198962119895 sdotsum119897isin119871 119903119897sdot119898119897119895) 119892)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(6)
while the right-hand side (RHS) of (5) expands as follows
RHS = 119890(prod
119897isin119871
120590119897
119903119897 1198921199011198961)
= 119890(prod
119897isin119871
119892119903119897 sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890 (119892sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(7)
Since the terms LHS and RHS are the same the proof iscompleted
Theorem 2 Π is secure against forge attack
Proof If the CSP acquires an element in 1198921199011198962119895
1119892119898119904119896=
1198921198921199041198962119895119892119898119904119896
119895isin[1119904]from the public parameter 119892119901119896 the CSP can
forge a tag Given 1198921199011198961= 119892119892119898119904119896 computing 119892119898119904119896 is hard due
to DL assumptionThus it is infeasible for the CSP to acquirean element in 119892
1198921199041198962119895119892119898119904119896119895isin[1119904]
When 119865
119892119886119896(id119894) for 120590
119894and 119865
119892119886119896(id119902) for 120590
119902are the same
the CSP computes 120590119894120590119902 Then the CSP can obtain 120575 =
(1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895) and forge the tag 120590
119911of data block119898
119911
using 120575 as follows
1205901015840
119911= 120590119911times 120575
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119911119895
times (1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895)
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot(119898119911119895+119898119894119895minus119898119902119895)
(8)
Finally the CSP obtains forged tag 1205901015840
119911of modified data block
1198981015840
119911= 119898
119911119895+ 119898119894119895
minus 119898119902119895119895isin[1119904]
However 119865119892119886119896
(id119894) and
119865119892119886119896
(id119902) cannot be the same value for id
119894= id119902because of the
definition of pseudorandompermutationTherefore the CSPcannot forge a tag to pass the censorship This completes theproof
Theorem 3 Π is secure against replace attack
Proof When damaged block 119898119894
is challenged theCSP may try to pass the censorship by choosing adifferent block (119898
119902 120590119902) in place of (119898
119894 120590119894) such as
1205721015840= prod119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897 sdot119898119897119895
2119895and 120573
1015840= 120590119903119894
119902sdot prod119897isin119871119897 = 119894
120590119903119897
119897
Then the left-hand side of (5) is computed as
119890(119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895
2119895 119892)
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 119892
sum119895isin[1119904]1198921199041198962119895 sdot(119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895) 119892)
=119890 (119892119903119894 sdot(119865119892119886119896(id119894)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119902119895)+sum119897isin119871119897 = 119894 119903119897sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895) 119892)
= 119890 (119892(119903119894 sdot119865119892119886119896(id119894)minus119903119894 sdot119865119892119886119896(id119902))119892119898119904119896 times 120573
1015840 1198921199011198961)
(9)
in which 119892(119903119894 sdot(119865119892119886119896(id119894)minus119865119892119886119896(id119902)))119892119898119904119896 should be 1 to satisfy (5)
This means that 119865119892119886119896
(id119894) and 119865
119892119886119896(id119902) should be the same
Due to the bijective property of the permutation howeverthese values cannot be the same
8 Performance Evaluation
In this section the prosed scheme is analyzed and comparedwith previous studies [14ndash16] in terms of communication andcomputational overhead We first evaluate communicationoverhead for updating a data block Then computationaloverhead for tag generation and verification is evaluated
81 Communication Overhead As we described in Section 3the way to get an identifier of updated data block depends onwhich entity manages an index table In Wang et alrsquos work[16] 119906
119896needs one round-trip communication to request and
receive the identifier (Figure 1) Zhu et al [15] utilize a waythat the TPA manages the index table (Figure 2) It needsan additional connection between 119906
119896and the TPA for the
identifier and a report of update information Yang and Jia[14] utilize a way that a user manages the index table byhimself Although it is suitable when the outsourced data ismanaged by a single user it requires more communicationcosts for synchronization of the index tables when the data isshared by multiple users
Communication costs are summarized in Table 1 Weomitted costs for uploading a data block and a correspondingtag for simplicity Although the proposed scheme seems torequire the same cost as Zhu et alrsquos approach there may beupdate delays caused by concentration of communications tothe TPA in [15] On the other hand the proposed schemeremoves this delay via a direct acquisition of the identifierfrom the CSP For [14] to synchronize the index tables of usersand the TPA 119906
119896needs to broadcast extra update information
Considering this circumstance additional communicationscaused by broadcast might be added into Table 1
82 Computational Overhead Computation costs for taggeneration and verification are described in Table 2 Theproposed scheme requires a single Exp
119866operation in tag
generation while the others [14ndash16] require Exp119866and Mul
119866
operations which are proportional to the number of sectors
8 The Scientific World Journal
Table 1 Connections and communication costs for updating a data block
Wang et al [16] Zhu et al [15] Yang and Jia [14] Our scheme
Connections 119906119896harr CSP
119906119896harr TPA 119906
119896with other users 119906
119896harr TPA
119906119896harr CSP 119906
119896harr TPA
119906119896harr CSP
119906119896harr CSP
Extra communication costs 1003816100381610038161003816119902id1003816100381610038161003816 + |id| 1003816100381610038161003816119902id
1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info1003816100381610038161003816 119889 times
1003816100381610038161003816119906info1003816100381610038161003816
1003816100381610038161003816119902id1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info
1003816100381610038161003816
Table 2 Computation costs for a tag generation and verification
Tag generation VerificationWang et al [16] (119878 + 1) sdot Exp
119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878 minus 1) sdotMul
119866+ 119871 sdot 119867
119866
Zhu et al [15] (119878 + 2) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
3 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878) sdotMul
119866+ 119871 sdot 119867
119866
Yang and Jia [14] (119878 + 1) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 1) sdot Exp119866+ 119871 sdotMul
119866+ 119871 sdotMul
119885119901+ 119871 sdot 119867
119866
Our scheme Exp119866+ 119878 sdotMul
119885119901+ 119878 sdot Add
119885119901+ 119865prp
2 sdot Pair + Exp119866+Mul
119866
119871 sdotMul119885119901
+ (119871 minus 1) sdot Add119885119901
+ 119871 sdot 119865prp
in a data block When the TPA verifies a proof received fromthe CSP one Exp
119866and one Mul
119866operations are required in
the proposed scheme regardless of the number of challengeddata blocks However the others require Exp
119866and Mul
119866
operations linear to the number of challenged data blockswhich cause a significant overhead to the TPA
83 Experimental Results We measure the performance ofour scheme and compare it with other works [14ndash16] basedon implementations inUbuntu 1204We utilize Paring BasedCryptography (PBC) library for cryptographic operationsand OpenSSL to use Advanced Encryption Standard (AES)for pseudorandom permutation All experiments are exe-cuted on an Intel Core i3 310GHz with 2GB memory Weassume that |119901| is 160 bits |id| is 80 bits and size of a datablock is 160 bits We simulate each scheme on 4 different datawhich has 1000 data blocks with 5 times All experimentalresults show an average of 20 trials
831 TagGeneration Theperformances of the tag generationtimes are presented in Figure 7(a) Tag generation time inour scheme is 318 milliseconds per block when 119878 = 1
and 328 milliseconds per block when 119878 = 100 Sincea single Exp
119866is required regardless of 119878 119878 almost never
influences on tag generation time However tag generationtimes of the others increase with increasing 119878 Reference[16] requires 32365 milliseconds per block and [14] requires32463 milliseconds per block when 119878 = 100 Since they havesame computation complexity their tag generation times arealmost identical Reference [15] needs onemore Exp
119866Thus it
requires 32997milliseconds per blockwhich ismore than theothers
832 Verification Wemeasure verification times dependingon 119871 when 119878 = 100 As depicted in Figure 7(b) theverification times for the TPA are dependent on 119871 in theothers [14ndash16]When 119871 = 500 [14ndash16] requires 513 566 and575 seconds respectively Furthermore Figure 7(c) shows
that 119878 influences [15 16] However our scheme requires 001seconds for verification regardless of 119871 and 119878
9 Conclusion
In this paper we present a secure and efficient audit mech-anism for shared dynamic data in cloud storage It makespossible for the TPA to correctly audit outsourced data whichcan be updated in a secure manner With simple index tablemanagement by the TPA and identifier renewal by the CSPany user in a group can update shared data block efficientlyFurthermore making the auditing operations simple leads toless computational overhead for the whole auditing processPerformance evaluation and security analysis show thatthe proposed scheme is best suited to the cloud storagewhere multiple users share and update the outsourced datafrequently
Notations
119906119896 A user who tries to update
119889 The number of users in group119871 The number of challenged data blocks119878 The number of sectors in a data blockid An identifier119902id Request for an identifier119906info Update information119865prp Pseudorandom permutation119867119866 0 1
lowast to 119866
Pair Pairing operationExp119866 Exponentiation in 119866
Mul119866 Multiplication in 119866
Mul119885119901 Multiplication in 119885
119901
Add119885119901 Addition in 119885
119901
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
The Scientific World Journal 9
0
50
100
150
200
250
300
350
1 20 40 60 80 100
Tag
gene
ratio
n tim
e (m
s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(a) Impact of 119878 on tag generation time
0
1
2
3
4
5
6
7
100 200 300 400 500
Verifi
catio
n tim
e (s)
The number of challenged data blocksOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(b) Impact of 119871 on verification time when 119878 = 100
0
1
2
3
4
5
6
20 40 60 80 100
Verifi
catio
n tim
e (s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(c) Impact of 119878 on verification time when 119871 = 460
Figure 7 Experimental results
Acknowledgment
This work was supported by the IT R amp D program ofMKEKEIT (10041244 SmartTV 20 Software Platform)
References
[1] E-H Song H-W Kim and Y-S Jeong ldquoVisual monitoringsystem of multi-hosts behavior for trustworthiness with mobilecloudrdquo Journal of Information Processing Systems vol 8 no 2pp 347ndash358 2012
[2] J Bringer and H Chabanne ldquoEmbedding edit distance toenable private keyword searchrdquoHuman-Centric Computing andInformation Sciences vol 2 article 2 2012
[3] Y Pan and J Zhang ldquoParallel programming on cloud comput-ing platforms challenges and solutionsrdquo Journal of Convergencevol 3 no 4 pp 23ndash28 2012
[4] T Teraoka ldquoOrganization and exploration of heterogeneouspersonal data collected in daily liferdquoHuman-Centric Computingand Information Sciences vol 2 article 1 no 1 2012
[5] J K Y Ng ldquoUbiquitous healthcare healthcare systems andapplications enabled by mobile and wireless technologiesrdquoJournal of Convergence vol 3 no 2 pp 15ndash20 2012
[6] ldquoGoogle Google driverdquo httpdrivegooglecom[7] ldquoAmazon Amazon s3rdquo httpawsamazoncoms3[8] G Ateniese R Burns R Curtmola et al ldquoProvable data
possession at untrusted storesrdquo in Proceedings of the 14th ACM
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World Journal 7
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897)+sum119895isin[1119904](1198921199041198962119895 sdotsum119897isin119871 119903119897sdot119898119897119895) 119892)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(6)
while the right-hand side (RHS) of (5) expands as follows
RHS = 119890(prod
119897isin119871
120590119897
119903119897 1198921199011198961)
= 119890(prod
119897isin119871
119892119903119897 sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890 (119892sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)119892119898119904119896 119892
119892119898119904119896)
= 119890(119892 119892)sum119897isin119871(119903119897 sdot119865119892119886119896(id119897)+119903119897 sdotsum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895)
(7)
Since the terms LHS and RHS are the same the proof iscompleted
Theorem 2 Π is secure against forge attack
Proof If the CSP acquires an element in 1198921199011198962119895
1119892119898119904119896=
1198921198921199041198962119895119892119898119904119896
119895isin[1119904]from the public parameter 119892119901119896 the CSP can
forge a tag Given 1198921199011198961= 119892119892119898119904119896 computing 119892119898119904119896 is hard due
to DL assumptionThus it is infeasible for the CSP to acquirean element in 119892
1198921199041198962119895119892119898119904119896119895isin[1119904]
When 119865
119892119886119896(id119894) for 120590
119894and 119865
119892119886119896(id119902) for 120590
119902are the same
the CSP computes 120590119894120590119902 Then the CSP can obtain 120575 =
(1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895) and forge the tag 120590
119911of data block119898
119911
using 120575 as follows
1205901015840
119911= 120590119911times 120575
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119911119895
times (1198921199041198961)sum119895isin[1119904]1198921199041198962119895 sdot(119898119894119895minus119898119902119895)
= (1198921199041198961)119865119892119886119896(id119911)+sum119895isin[1119904] 1198921199041198962119895 sdot(119898119911119895+119898119894119895minus119898119902119895)
(8)
Finally the CSP obtains forged tag 1205901015840
119911of modified data block
1198981015840
119911= 119898
119911119895+ 119898119894119895
minus 119898119902119895119895isin[1119904]
However 119865119892119886119896
(id119894) and
119865119892119886119896
(id119902) cannot be the same value for id
119894= id119902because of the
definition of pseudorandompermutationTherefore the CSPcannot forge a tag to pass the censorship This completes theproof
Theorem 3 Π is secure against replace attack
Proof When damaged block 119898119894
is challenged theCSP may try to pass the censorship by choosing adifferent block (119898
119902 120590119902) in place of (119898
119894 120590119894) such as
1205721015840= prod119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897 sdot119898119897119895
2119895and 120573
1015840= 120590119903119894
119902sdot prod119897isin119871119897 = 119894
120590119903119897
119897
Then the left-hand side of (5) is computed as
119890(119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot prod
119895isin[1119904]
119892119901119896119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895
2119895 119892)
= 119890 (119892sum119897isin119871119903119897 sdot119865119892119886119896(id119897) sdot 119892
sum119895isin[1119904]1198921199041198962119895 sdot(119903119894 sdot119898119902119895+sum119897isin119871119897 = 119894 119903119897sdot119898119897119895) 119892)
=119890 (119892119903119894 sdot(119865119892119886119896(id119894)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119902119895)+sum119897isin119871119897 = 119894 119903119897sdot(119865119892119886119896(id119897)+sum119895isin[1119904] 1198921199041198962119895 sdot119898119897119895) 119892)
= 119890 (119892(119903119894 sdot119865119892119886119896(id119894)minus119903119894 sdot119865119892119886119896(id119902))119892119898119904119896 times 120573
1015840 1198921199011198961)
(9)
in which 119892(119903119894 sdot(119865119892119886119896(id119894)minus119865119892119886119896(id119902)))119892119898119904119896 should be 1 to satisfy (5)
This means that 119865119892119886119896
(id119894) and 119865
119892119886119896(id119902) should be the same
Due to the bijective property of the permutation howeverthese values cannot be the same
8 Performance Evaluation
In this section the prosed scheme is analyzed and comparedwith previous studies [14ndash16] in terms of communication andcomputational overhead We first evaluate communicationoverhead for updating a data block Then computationaloverhead for tag generation and verification is evaluated
81 Communication Overhead As we described in Section 3the way to get an identifier of updated data block depends onwhich entity manages an index table In Wang et alrsquos work[16] 119906
119896needs one round-trip communication to request and
receive the identifier (Figure 1) Zhu et al [15] utilize a waythat the TPA manages the index table (Figure 2) It needsan additional connection between 119906
119896and the TPA for the
identifier and a report of update information Yang and Jia[14] utilize a way that a user manages the index table byhimself Although it is suitable when the outsourced data ismanaged by a single user it requires more communicationcosts for synchronization of the index tables when the data isshared by multiple users
Communication costs are summarized in Table 1 Weomitted costs for uploading a data block and a correspondingtag for simplicity Although the proposed scheme seems torequire the same cost as Zhu et alrsquos approach there may beupdate delays caused by concentration of communications tothe TPA in [15] On the other hand the proposed schemeremoves this delay via a direct acquisition of the identifierfrom the CSP For [14] to synchronize the index tables of usersand the TPA 119906
119896needs to broadcast extra update information
Considering this circumstance additional communicationscaused by broadcast might be added into Table 1
82 Computational Overhead Computation costs for taggeneration and verification are described in Table 2 Theproposed scheme requires a single Exp
119866operation in tag
generation while the others [14ndash16] require Exp119866and Mul
119866
operations which are proportional to the number of sectors
8 The Scientific World Journal
Table 1 Connections and communication costs for updating a data block
Wang et al [16] Zhu et al [15] Yang and Jia [14] Our scheme
Connections 119906119896harr CSP
119906119896harr TPA 119906
119896with other users 119906
119896harr TPA
119906119896harr CSP 119906
119896harr TPA
119906119896harr CSP
119906119896harr CSP
Extra communication costs 1003816100381610038161003816119902id1003816100381610038161003816 + |id| 1003816100381610038161003816119902id
1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info1003816100381610038161003816 119889 times
1003816100381610038161003816119906info1003816100381610038161003816
1003816100381610038161003816119902id1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info
1003816100381610038161003816
Table 2 Computation costs for a tag generation and verification
Tag generation VerificationWang et al [16] (119878 + 1) sdot Exp
119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878 minus 1) sdotMul
119866+ 119871 sdot 119867
119866
Zhu et al [15] (119878 + 2) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
3 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878) sdotMul
119866+ 119871 sdot 119867
119866
Yang and Jia [14] (119878 + 1) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 1) sdot Exp119866+ 119871 sdotMul
119866+ 119871 sdotMul
119885119901+ 119871 sdot 119867
119866
Our scheme Exp119866+ 119878 sdotMul
119885119901+ 119878 sdot Add
119885119901+ 119865prp
2 sdot Pair + Exp119866+Mul
119866
119871 sdotMul119885119901
+ (119871 minus 1) sdot Add119885119901
+ 119871 sdot 119865prp
in a data block When the TPA verifies a proof received fromthe CSP one Exp
119866and one Mul
119866operations are required in
the proposed scheme regardless of the number of challengeddata blocks However the others require Exp
119866and Mul
119866
operations linear to the number of challenged data blockswhich cause a significant overhead to the TPA
83 Experimental Results We measure the performance ofour scheme and compare it with other works [14ndash16] basedon implementations inUbuntu 1204We utilize Paring BasedCryptography (PBC) library for cryptographic operationsand OpenSSL to use Advanced Encryption Standard (AES)for pseudorandom permutation All experiments are exe-cuted on an Intel Core i3 310GHz with 2GB memory Weassume that |119901| is 160 bits |id| is 80 bits and size of a datablock is 160 bits We simulate each scheme on 4 different datawhich has 1000 data blocks with 5 times All experimentalresults show an average of 20 trials
831 TagGeneration Theperformances of the tag generationtimes are presented in Figure 7(a) Tag generation time inour scheme is 318 milliseconds per block when 119878 = 1
and 328 milliseconds per block when 119878 = 100 Sincea single Exp
119866is required regardless of 119878 119878 almost never
influences on tag generation time However tag generationtimes of the others increase with increasing 119878 Reference[16] requires 32365 milliseconds per block and [14] requires32463 milliseconds per block when 119878 = 100 Since they havesame computation complexity their tag generation times arealmost identical Reference [15] needs onemore Exp
119866Thus it
requires 32997milliseconds per blockwhich ismore than theothers
832 Verification Wemeasure verification times dependingon 119871 when 119878 = 100 As depicted in Figure 7(b) theverification times for the TPA are dependent on 119871 in theothers [14ndash16]When 119871 = 500 [14ndash16] requires 513 566 and575 seconds respectively Furthermore Figure 7(c) shows
that 119878 influences [15 16] However our scheme requires 001seconds for verification regardless of 119871 and 119878
9 Conclusion
In this paper we present a secure and efficient audit mech-anism for shared dynamic data in cloud storage It makespossible for the TPA to correctly audit outsourced data whichcan be updated in a secure manner With simple index tablemanagement by the TPA and identifier renewal by the CSPany user in a group can update shared data block efficientlyFurthermore making the auditing operations simple leads toless computational overhead for the whole auditing processPerformance evaluation and security analysis show thatthe proposed scheme is best suited to the cloud storagewhere multiple users share and update the outsourced datafrequently
Notations
119906119896 A user who tries to update
119889 The number of users in group119871 The number of challenged data blocks119878 The number of sectors in a data blockid An identifier119902id Request for an identifier119906info Update information119865prp Pseudorandom permutation119867119866 0 1
lowast to 119866
Pair Pairing operationExp119866 Exponentiation in 119866
Mul119866 Multiplication in 119866
Mul119885119901 Multiplication in 119885
119901
Add119885119901 Addition in 119885
119901
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
The Scientific World Journal 9
0
50
100
150
200
250
300
350
1 20 40 60 80 100
Tag
gene
ratio
n tim
e (m
s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(a) Impact of 119878 on tag generation time
0
1
2
3
4
5
6
7
100 200 300 400 500
Verifi
catio
n tim
e (s)
The number of challenged data blocksOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(b) Impact of 119871 on verification time when 119878 = 100
0
1
2
3
4
5
6
20 40 60 80 100
Verifi
catio
n tim
e (s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(c) Impact of 119878 on verification time when 119871 = 460
Figure 7 Experimental results
Acknowledgment
This work was supported by the IT R amp D program ofMKEKEIT (10041244 SmartTV 20 Software Platform)
References
[1] E-H Song H-W Kim and Y-S Jeong ldquoVisual monitoringsystem of multi-hosts behavior for trustworthiness with mobilecloudrdquo Journal of Information Processing Systems vol 8 no 2pp 347ndash358 2012
[2] J Bringer and H Chabanne ldquoEmbedding edit distance toenable private keyword searchrdquoHuman-Centric Computing andInformation Sciences vol 2 article 2 2012
[3] Y Pan and J Zhang ldquoParallel programming on cloud comput-ing platforms challenges and solutionsrdquo Journal of Convergencevol 3 no 4 pp 23ndash28 2012
[4] T Teraoka ldquoOrganization and exploration of heterogeneouspersonal data collected in daily liferdquoHuman-Centric Computingand Information Sciences vol 2 article 1 no 1 2012
[5] J K Y Ng ldquoUbiquitous healthcare healthcare systems andapplications enabled by mobile and wireless technologiesrdquoJournal of Convergence vol 3 no 2 pp 15ndash20 2012
[6] ldquoGoogle Google driverdquo httpdrivegooglecom[7] ldquoAmazon Amazon s3rdquo httpawsamazoncoms3[8] G Ateniese R Burns R Curtmola et al ldquoProvable data
possession at untrusted storesrdquo in Proceedings of the 14th ACM
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
8 The Scientific World Journal
Table 1 Connections and communication costs for updating a data block
Wang et al [16] Zhu et al [15] Yang and Jia [14] Our scheme
Connections 119906119896harr CSP
119906119896harr TPA 119906
119896with other users 119906
119896harr TPA
119906119896harr CSP 119906
119896harr TPA
119906119896harr CSP
119906119896harr CSP
Extra communication costs 1003816100381610038161003816119902id1003816100381610038161003816 + |id| 1003816100381610038161003816119902id
1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info1003816100381610038161003816 119889 times
1003816100381610038161003816119906info1003816100381610038161003816
1003816100381610038161003816119902id1003816100381610038161003816 + |id| + 1003816100381610038161003816119906info
1003816100381610038161003816
Table 2 Computation costs for a tag generation and verification
Tag generation VerificationWang et al [16] (119878 + 1) sdot Exp
119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878 minus 1) sdotMul
119866+ 119871 sdot 119867
119866
Zhu et al [15] (119878 + 2) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
3 sdot Pair + (119871 + 119878) sdot Exp119866+ (119871 + 119878) sdotMul
119866+ 119871 sdot 119867
119866
Yang and Jia [14] (119878 + 1) sdot Exp119866+ 119878 sdotMul
119866+ 119867119866
2 sdot Pair + (119871 + 1) sdot Exp119866+ 119871 sdotMul
119866+ 119871 sdotMul
119885119901+ 119871 sdot 119867
119866
Our scheme Exp119866+ 119878 sdotMul
119885119901+ 119878 sdot Add
119885119901+ 119865prp
2 sdot Pair + Exp119866+Mul
119866
119871 sdotMul119885119901
+ (119871 minus 1) sdot Add119885119901
+ 119871 sdot 119865prp
in a data block When the TPA verifies a proof received fromthe CSP one Exp
119866and one Mul
119866operations are required in
the proposed scheme regardless of the number of challengeddata blocks However the others require Exp
119866and Mul
119866
operations linear to the number of challenged data blockswhich cause a significant overhead to the TPA
83 Experimental Results We measure the performance ofour scheme and compare it with other works [14ndash16] basedon implementations inUbuntu 1204We utilize Paring BasedCryptography (PBC) library for cryptographic operationsand OpenSSL to use Advanced Encryption Standard (AES)for pseudorandom permutation All experiments are exe-cuted on an Intel Core i3 310GHz with 2GB memory Weassume that |119901| is 160 bits |id| is 80 bits and size of a datablock is 160 bits We simulate each scheme on 4 different datawhich has 1000 data blocks with 5 times All experimentalresults show an average of 20 trials
831 TagGeneration Theperformances of the tag generationtimes are presented in Figure 7(a) Tag generation time inour scheme is 318 milliseconds per block when 119878 = 1
and 328 milliseconds per block when 119878 = 100 Sincea single Exp
119866is required regardless of 119878 119878 almost never
influences on tag generation time However tag generationtimes of the others increase with increasing 119878 Reference[16] requires 32365 milliseconds per block and [14] requires32463 milliseconds per block when 119878 = 100 Since they havesame computation complexity their tag generation times arealmost identical Reference [15] needs onemore Exp
119866Thus it
requires 32997milliseconds per blockwhich ismore than theothers
832 Verification Wemeasure verification times dependingon 119871 when 119878 = 100 As depicted in Figure 7(b) theverification times for the TPA are dependent on 119871 in theothers [14ndash16]When 119871 = 500 [14ndash16] requires 513 566 and575 seconds respectively Furthermore Figure 7(c) shows
that 119878 influences [15 16] However our scheme requires 001seconds for verification regardless of 119871 and 119878
9 Conclusion
In this paper we present a secure and efficient audit mech-anism for shared dynamic data in cloud storage It makespossible for the TPA to correctly audit outsourced data whichcan be updated in a secure manner With simple index tablemanagement by the TPA and identifier renewal by the CSPany user in a group can update shared data block efficientlyFurthermore making the auditing operations simple leads toless computational overhead for the whole auditing processPerformance evaluation and security analysis show thatthe proposed scheme is best suited to the cloud storagewhere multiple users share and update the outsourced datafrequently
Notations
119906119896 A user who tries to update
119889 The number of users in group119871 The number of challenged data blocks119878 The number of sectors in a data blockid An identifier119902id Request for an identifier119906info Update information119865prp Pseudorandom permutation119867119866 0 1
lowast to 119866
Pair Pairing operationExp119866 Exponentiation in 119866
Mul119866 Multiplication in 119866
Mul119885119901 Multiplication in 119885
119901
Add119885119901 Addition in 119885
119901
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
The Scientific World Journal 9
0
50
100
150
200
250
300
350
1 20 40 60 80 100
Tag
gene
ratio
n tim
e (m
s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(a) Impact of 119878 on tag generation time
0
1
2
3
4
5
6
7
100 200 300 400 500
Verifi
catio
n tim
e (s)
The number of challenged data blocksOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(b) Impact of 119871 on verification time when 119878 = 100
0
1
2
3
4
5
6
20 40 60 80 100
Verifi
catio
n tim
e (s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(c) Impact of 119878 on verification time when 119871 = 460
Figure 7 Experimental results
Acknowledgment
This work was supported by the IT R amp D program ofMKEKEIT (10041244 SmartTV 20 Software Platform)
References
[1] E-H Song H-W Kim and Y-S Jeong ldquoVisual monitoringsystem of multi-hosts behavior for trustworthiness with mobilecloudrdquo Journal of Information Processing Systems vol 8 no 2pp 347ndash358 2012
[2] J Bringer and H Chabanne ldquoEmbedding edit distance toenable private keyword searchrdquoHuman-Centric Computing andInformation Sciences vol 2 article 2 2012
[3] Y Pan and J Zhang ldquoParallel programming on cloud comput-ing platforms challenges and solutionsrdquo Journal of Convergencevol 3 no 4 pp 23ndash28 2012
[4] T Teraoka ldquoOrganization and exploration of heterogeneouspersonal data collected in daily liferdquoHuman-Centric Computingand Information Sciences vol 2 article 1 no 1 2012
[5] J K Y Ng ldquoUbiquitous healthcare healthcare systems andapplications enabled by mobile and wireless technologiesrdquoJournal of Convergence vol 3 no 2 pp 15ndash20 2012
[6] ldquoGoogle Google driverdquo httpdrivegooglecom[7] ldquoAmazon Amazon s3rdquo httpawsamazoncoms3[8] G Ateniese R Burns R Curtmola et al ldquoProvable data
possession at untrusted storesrdquo in Proceedings of the 14th ACM
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World Journal 9
0
50
100
150
200
250
300
350
1 20 40 60 80 100
Tag
gene
ratio
n tim
e (m
s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(a) Impact of 119878 on tag generation time
0
1
2
3
4
5
6
7
100 200 300 400 500
Verifi
catio
n tim
e (s)
The number of challenged data blocksOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(b) Impact of 119871 on verification time when 119878 = 100
0
1
2
3
4
5
6
20 40 60 80 100
Verifi
catio
n tim
e (s)
The number of sectors in a data blockOur scheme
Wang et al [16]Zhu et al [15]
Yang and Jia [14]
(c) Impact of 119878 on verification time when 119871 = 460
Figure 7 Experimental results
Acknowledgment
This work was supported by the IT R amp D program ofMKEKEIT (10041244 SmartTV 20 Software Platform)
References
[1] E-H Song H-W Kim and Y-S Jeong ldquoVisual monitoringsystem of multi-hosts behavior for trustworthiness with mobilecloudrdquo Journal of Information Processing Systems vol 8 no 2pp 347ndash358 2012
[2] J Bringer and H Chabanne ldquoEmbedding edit distance toenable private keyword searchrdquoHuman-Centric Computing andInformation Sciences vol 2 article 2 2012
[3] Y Pan and J Zhang ldquoParallel programming on cloud comput-ing platforms challenges and solutionsrdquo Journal of Convergencevol 3 no 4 pp 23ndash28 2012
[4] T Teraoka ldquoOrganization and exploration of heterogeneouspersonal data collected in daily liferdquoHuman-Centric Computingand Information Sciences vol 2 article 1 no 1 2012
[5] J K Y Ng ldquoUbiquitous healthcare healthcare systems andapplications enabled by mobile and wireless technologiesrdquoJournal of Convergence vol 3 no 2 pp 15ndash20 2012
[6] ldquoGoogle Google driverdquo httpdrivegooglecom[7] ldquoAmazon Amazon s3rdquo httpawsamazoncoms3[8] G Ateniese R Burns R Curtmola et al ldquoProvable data
possession at untrusted storesrdquo in Proceedings of the 14th ACM
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
10 The Scientific World Journal
Conference on Computer and Communications Security (CCSrsquo07) pp 598ndash610 November 2007
[9] C Erway A Kupcu C Papamanthou and R TamassialdquoDynamic provable data possessionrdquo in Proceedings of the 16thACM Conference on Computer and Communications Security(CCS rsquo09) pp 213ndash222 November 2009
[10] H Shacham and B Waters ldquoCompact proofs of retrievabilityrdquoin Proceedings of the 14th International Conference on theTheory and Application of Cryptology and Information SecurityAdvances in Cryptology (ASIACRYPT rsquo08) pp 90ndash107 Springer2008
[11] C Wang S Chow Q Wang K Ren and W Lou ldquoPrivacy-preserving public auditing for secure cloud storagerdquo IEEETransactions on Computers vol 62 no 2 pp 362ndash375 2013
[12] Q Wang C Wang K Ren W Lou and J Li ldquoEnabling publicauditability and data dynamics for storage security in cloudcomputingrdquo IEEE Transactions on Parallel and DistributedSystems vol 22 no 5 pp 847ndash859 2011
[13] A Juels and B S Kaliski Jr ldquoPors proofs of retrievabilityfor large filesrdquo in Proceedings of the 14th ACM Conference onComputer and Communications Security CCS rsquo07) pp 584ndash597ACM November 2007
[14] K Yang and X Jia ldquoAn efficient and secure dynamic auditingprotocol for data storage in cloud computingrdquo IEEE Transac-tions on Parallel and Distributed Systems vol 24 no 9 pp 1717ndash1726 2013
[15] Y Zhu H Wang Z Hu G-J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the 26th Annual ACMSymposium on Applied Computing (SAC rsquo11) pp 1550ndash1557March 2011
[16] B Wang B Li and H Li ldquoPublic auditing for shared datawith efficient user revocation in the cloudrdquo in Proceedingsof the Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM rsquo13) pp 2904ndash2912 2013
[17] B Wang B Li and H Li ldquoOruta privacy-preserving publicauditing for shared data in the cloudrdquo in Proceedings of the 5thIEEE International Conference on Cloud Computing (CLOUDrsquo12) pp 295ndash302 2012
[18] B Wang B Li and H Li ldquoKnox privacy-preserving auditingfor shared data with large groups in the cloudrdquo in AppliedCryptography and Network Security F Bao P Samarati and JZhou Eds vol 7341 of Lecture Notes in Computer Science pp507ndash525 Springer Berlin Germany 2012
[19] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquo inProceedings of the 22nd International Conference on Theory andApplications of Cryptographic Techniques (EUROCRYPT rsquo03)pp 416ndash432 Springer 2003
[20] K Yang and X Jia ldquoData storage auditing service in cloudcomputing challenges methods and opportunitiesrdquo WorldWide Web vol 15 no 4 pp 409ndash428 2012
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014