IEEE TRANSACTIONS ON INFORMATION FORENSICS AND … Papers/2016 .Net/LSD1609 - Identity-… · Identity-Based Proxy-Oriented Data Uploading and Remote Data Integrity Checking in Public

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 11, NO. 6, JUNE 2016 1165

Identity-Based Proxy-Oriented Data Uploading andRemote Data Integrity Checking in Public Cloud

Huaqun Wang, Debiao He, and Shaohua Tang

Abstract— More and more clients would like to store theirdata to public cloud servers (PCSs) along with the rapiddevelopment of cloud computing. New security problems haveto be solved in order to help more clients process their datain public cloud. When the client is restricted to access PCS,he will delegate its proxy to process his data and uploadthem. On the other hand, remote data integrity checking isalso an important security problem in public cloud storage.It makes the clients check whether their outsourced data are keptintact without downloading the whole data. From the securityproblems, we propose a novel proxy-oriented data uploading andremote data integrity checking model in identity-based publickey cryptography: identity-based proxy-oriented data uploadingand remote data integrity checking in public cloud (ID-PUIC).We give the formal definition, system model, and security model.Then, a concrete ID-PUIC protocol is designed using the bilinearpairings. The proposed ID-PUIC protocol is provably securebased on the hardness of computational Diffie–Hellman problem.Our ID-PUIC protocol is also efficient and flexible. Based on theoriginal client’s authorization, the proposed ID-PUIC protocolcan realize private remote data integrity checking, delegatedremote data integrity checking, and public remote data integritychecking.

Index Terms— Cloud computing, identity-based cryptography,proxy public key cryptography, remote data integrity checking.

I. INTRODUCTION

ALONG with the rapid development of computing andcommunication technique, a great deal of data are gen-

erated. These massive data needs more strong computationresource and greater storage space. Over the last years,

Manuscript received September 29, 2015; revised December 8, 2015;accepted January 8, 2016. Date of publication January 21, 2016; date ofcurrent version March 16, 2016. The work of H. Wang was supported in partby the National Natural Science Foundation of China under Grant 61272522,in part by the Natural Science Foundation of Liaoning Province underGrant 2014020147, and in part by the Program for Liaoning ExcellentTalents in University under Grant LR2014021. The work of D. He wassupported in part by the National Natural Science Foundation of China underGrant 61572379 and Grant 61501333 and in part by the Natural Science Foun-dation of Hubei Province of China under Grant 2015CFB257. The work ofS. Tang was supported in part by the 973 Program under Grant 2014CB360501and in part by the Guangdong Provincial Natural Science Foundation underGrant 2014A030308006. The associate editor coordinating the review of thismanuscript and approving it for publication was Dr. Liqun Chen.

H. Wang is with the College of Computer, Nanjing University of Postsand Telecommunications, Nanjing 210003, China, and also with the StateKey Laboratory of Cryptology, Beijing 100878, China (e-mail: [email protected]).

D. He is with the State Key Laboratory of Software Engineering,Computer School, Wuhan University, Wuhan 430072, China (e-mail:[email protected]).

S. Tang is with the School of Computer Science, South China Universityof Technology, Guangzhou 510006, China (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are availableonline at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2016.2520886

cloud computing satisfies the application requirements andgrows very quickly. Essentially, it takes the data processingas a service, such as storage, computing, data security, etc.By using the public cloud platform, the clients are relieved ofthe burden for storage management, universal data access withindependent geographical locations, etc. Thus, more and moreclients would like to store and process their data by using theremote cloud computing system.

In public cloud computing, the clients store their massivedata in the remote public cloud servers. Since the stored datais outside of the control of the clients, it entails the securityrisks in terms of confidentiality, integrity and availability ofdata and service. Remote data integrity checking is a primitivewhich can be used to convince the cloud clients that their dataare kept intact. In some special cases, the data owner may berestricted to access the public cloud server, the data owner willdelegate the task of data processing and uploading to the thirdparty, for example the proxy. On the other side, the remotedata integrity checking protocol must be efficient in order tomake it suitable for capacity-limited end devices. Thus, basedon identity-based public cryptography and proxy public keycryptography, we will study ID-PUIC protocol.

A. MotivationIn public cloud environment, most clients upload their data

to PCS and check their remote data’s integrity by Internet.When the client is an individual manager, some practicalproblems will happen. If the manager is suspected of beinginvolved into the commercial fraud, he will be taken away bythe police. During the period of investigation, the managerwill be restricted to access the network in order to guardagainst collusion. But, the manager’s legal business will goon during the the period of investigation. When a large ofdata is generated, who can help him process these data?If these data cannot be processed just in time, the managerwill face the lose of economic interest. In order to preventthe case happening, the manager has to delegate the proxy toprocess its data, for example, his secretary. But, the managerwill not hope others have the ability to perform the remote dataintegrity checking. Public checking will incur some danger ofleaking the privacy. For example, the stored data volume canbe detected by the malicious verifiers. When the uploaded datavolume is confidential, private remote data integrity checkingis necessary. Although the secretary has the ability to processand upload the data for the manager, he still cannot checkthe manager’s remote data integrity unless he is delegatedby the manager. We call the secretary as the proxy of themanager.

1556-6013 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

1166 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 11, NO. 6, JUNE 2016

In PKI (public key infrastructure), remote data integritychecking protocol will perform the certificate management.When the manager delegates some entities to perform theremote data integrity checking, it will incur considerableoverheads since the verifier will check the certificate whenit checks the remote data integrity. In PKI, the considerableoverheads come from the heavy certificate verification, certifi-cates generation, delivery, revocation, renewals, etc. In publiccloud computing, the end devices may have low computationcapacity, such as mobile phone, ipad, etc. Identity-based publickey cryptography can eliminate the complicated certificatemanagement. In order to increase the efficiency, identity-based proxy-oriented data uploading and remote data integritychecking is more attractive. Thus, it will be very necessary tostudy the ID-PUIC protocol.

B. Related Work

There exist many different security problems in the cloudcomputing [1], [2]. This paper is based on the research resultsof proxy cryptography, identity-based public key cryptographyand remote data integrity checking in public cloud. In somecases, the cryptographic operation will be delegated to thethird party, for example proxy. Thus, we have to use the proxycryptography. Proxy cryptography is a very important cryp-tography primitive. In 1996, Mambo et al. proposed the notionof the proxy cryptosystem [3]. When the bilinear pairings arebrought into the identity-based cryptography, identity-basedcryptography becomes efficient and practical. Since identity-based cryptography becomes more efficient because it avoidsof the certificate management, more and more experts areapt to study identity-based proxy cryptography. In 2013,Yoon et al. proposed an ID-based proxy signature scheme withmessage recovery [4]. Chen et al. proposed a proxy signaturescheme and a threshold proxy signature scheme from theWeil pairing [5]. By combining the proxy cryptography withencryption technique, some proxy re-encryption schemes areproposed. Liu et al. formalize and construct the attribute-basedproxy signature [6]. Guo et al. presented a non-interactive CPA(chosen-plaintext attack)-secure proxy re-encryption scheme,which is resistant to collusion attacks in forging re-encryptionkeys [7]. Many other concrete proxy re-encryption schemesand their applications are also proposed [8]–[10].

In public cloud, remote data integrity checking is animportant security problem. Since the clients’ massive datais outside of their control, the clients’ data may be corruptedby the malicious cloud server regardless of intentionally orunintentionally. In order to address the novel security problem,some efficient models are presented. In 2007, Ateniese et al.proposed provable data possession (PDP) paradigm [11].In PDP model, the checker can check the remote dataintegrity without retrieving or downloading the whole data.PDP is a probabilistic proof of remote data integrity checkingby sampling random set of blocks from the public cloudserver, which drastically reduces I/O costs. The checker canperform the remote data integrity checking by maintainingsmall metadata. After that, some dynamic PDP model andprotocols are designed [12]–[16]. Following Ateniese et al.’s

pioneering work, many remote data integrity checkingmodels and protocols have been proposed [17]–[19]. In 2008,proof of retrievability (POR) scheme was proposed byShacham et al. [20]. POR is a stronger model which makesthe checker not only check the remote data integrity butalso retrieve the remote data. Many POR schemes have beenproposed [21]–[26]. On some cases, the client may delegatethe remote data integrity checking task to the third party.In cloud computing, the third party auditing is indispens-able [27]–[30]. By using cloud storage, the clients can accessthe remote data with independent geographical locations. Theend devices may be mobile and limited in computation andstorage. Thus, efficient and secure ID-PUIC protocol is moresuitable for cloud clients equipped with mobile end devices.

From the role of the remote data integrity checker, allthe remote data integrity checking protocols are classifiedinto two categories: private remote data integrity checkingand public remote data integrity checking. In the responsechecking phase of private remote data integrity checking, someprivate information is indispensable. On the contrary, privateinformation is not required in the response checking of publicremote data integrity checking. Specially, when the privateinformation is delegated to the third party, the third party canalso perform the remote data integrity checking. In this case,it is also called delegated checking.

C. Contributions

In public cloud, this paper focuses on the identity-basedproxy-oriented data uploading and remote data integritychecking. By using identity-based public key cryptology, ourproposed ID-PUIC protocol is efficient since the certificatemanagement is eliminated. ID-PUIC is a novel proxy-orienteddata uploading and remote data integrity checking modelin public cloud. We give the formal system model andsecurity model for ID-PUIC protocol. Then, based on thebilinear pairings, we designed the first concrete ID-PUICprotocol. In the random oracle model, our designed ID-PUICprotocol is provably secure. Based on the original client’sauthorization, our protocol can realize private checking,delegated checking and public checking.

D. Paper Organization

The paper is organized below. The formal system model andsecurity model of ID-PUIC protocol are given in Section II.The concrete protocol, performance analysis and prototypeimplementation are presented in Section III. Section IV ana-lyzes the proposed ID-PUIC protocol’s security. The proposedprotocol is provably secure. At the end of the paper, theconclusion is given in Section V.

II. SYSTEM MODEL AND SECURITY MODEL OF ID-PUIC

In this section, we give the system model and security modelof ID-PUIC protocol. An ID-PUIC protocol consists of fourdifferent entities which are described below:

1) OriginalClient: an entity, which has massive data to beuploaded to PCS by the delegated proxy, can performthe remote data integrity checking.

WANG et al.: IDENTITY-BASED PROXY-ORIENTED DATA UPLOADING 1167

2) PCS (Public Cloud Server): an entity, which is managedby cloud service provider, has significant storage spaceand computation resource to maintain the clients’ data.

3) Proxy: an entity, which is authorized to process theOriginalClient’s data and upload them, is selected andauthorized by OriginalClient. When Proxy satisfies thewarrant mω which is signed and issued by Original-Client, it can process and upload the original client’sdata; otherwise, it can not perform the procedure.

4) KGC (Key Generation Center): an entity, when receivingan identity, it generates the private key which corre-sponds to the received identity.

In our proposed ID-PUIC protocol, OriginalClient willinteract with PCS to check the remote data integrity. Thus,we give the the definition of interactive proof system. Then,we give the formal definition and security model of ID-PUICprotocol.

Definition 1 (Interactive Proof System [31]): Let c, s:N → R be functions satisfying c(n) > s(n) + 1

p(n) forsome polynomial p(·). An interactive pair (P, V ) is calledan interactive proof system for the language L, withcompleteness bound c(·) and soundness bound s(·), if

1) Completeness: for every x ∈ L, Pr[< P, V > (x) =1] ≥ c(|x |).

2) Soundness: for every x �∈ L and every interactivemachine B , Pr[< B, V > (x) = 1] ≤ s(|x |).

In the definition of ID-PUIC, i.e., Definition 2, we will takeuse of the interactive proof system.

Definition 2 (ID-PUIC): An ID-PUIC protocol is a collec-tion of four phases (Setup, Extract, Proxy-key Generation,TagGen) and an interactive proof system (Proof). The detailedphases are described below.

1) Setup: When the security parameter k is input, thealgorithm outputs the system public parameters and themaster secret key. The system public parameters aremade public and the master secret key msk is madeconfidential by KGC.

2) Extract: When the system public parameters, the mas-ter secret key msk, and an identity ID are input,KGC outputs the private key skI D which correspondsto the identity ID.

3) Proxy-Key Generation: OriginalClient generates thewarrant mω and signs mω. Then, it sends the warrant-signature pair to the proxy. Upon receiving the warrant-signature pair from OriginalClient, the proxy generatesthe proxy-key by using its own private key.

4) TagGen: Input the file block Fi and the proxy-key,the proxy generates the corresponding tag Ti . Then,it uploads the block-tag pair to PCS.

5) Proof: It is an interactive proof system between PCSand OriginalClient. At the end of the interactive proofprotocol, OriginalClient outputs a bit {0|1} denoting“success” or “failure”.

A practical ID-PUIC protocol must be efficient and prov-ably secure. Based on the communication and computationoverheads, efficiency analysis can be given. On the other hand,a secure ID-PUIC protocol must satisfy the following securityrequirements:

1) OriginalClient can perform the ID-PUIC protocolwithout the local copy of the file(s) to be checked.

2) Only if the proxy is authorized, i.e., it satisfies thewarrant mω, the proxy can process the files and uploadthe block-tag pairs on behalf of OriginalClient.

3) OriginalClient cannot counterfeit the proxy to generateblock-tag pairs, i.e., the proxy-protection property issatisfied.

4) If some challenged block-tag pairs are modified or lost,PCS’s response cannot pass OriginalClient’s integritychecking.

To capture the above security requirements, we formalizethe security definition of an ID-PUIC protocol. First, we givethe formal definition of proxy-protection.

Definition 3 (Proxy-Protection): An ID-PUIC protocol sat-isfies the property of proxy-protection if for the probabilisticpolynomial time adversary A1, the probability that A1 winsthe ID-PUIC game-1 is negligible. The ID-PUIC game-1between A1 and the challenger C1 is given below:

1) Setup: The challenger C1 runs Setup and gets the systempublic parameters and master secret key. By runningExtract, C1 gets OriginalClient I Do’s private key skI Do

and the proxy I Dp’s private key skI Dp . It sends thepublic parameters and OriginalClient I Do’s private keyskI Do to A1 while it keeps confidential the master secretkey msk and the proxy I Dp’s private key skI Dp .

2) Oracle queries: A1 adaptively queries the oraclesExtract, Hash, Proxy-key Generation, TagGen to C1below:• Extract queries. A1 queries the entity ID’s private

key to C1. For the identity ID, C1 runs Extractand gets the private key skI D . Then, it forwardsskI D to A1. Denote S as the queried identity setin the phase. The restriction is that I Dp cannot bequeried in the phase, i.e., I Dp �∈ S.

• Hash queries. A1 queries hash oracle to C1adaptively. C1 responds A1 the hash values.

• Proxy-key Generation queries. A1 sends(I D′o, I D′p) to C1 and queries the proxy-key wherethe original client is I D′o and the proxy is I D′p .Denote S′ as the set which is composed of all thequeried original client identity and proxy identitypairs. The restriction is that (I Do, I Dp) �∈ S′.

• TagGen queries. A1 makes block-tag pair queriesadaptively. For the block Fi , C1 computes its tagTi and responds A1 with Ti .

At the end of game-1, A1 outputs the forged block-tagpair (F ′, T ′) with non-negligible probability, where F ′has not been queried to TagGen oracle. If (F ′, T ′) isvalid block-tag pair, then A1 wins the above game withnon-negligible probability.

The security definition 3 gives the formal security defini-tion for proxy-protection property of ID-PUIC protocol. LetOriginalClient be the adversary. If OriginalClient cannot winthe ID-PUIC game-1 with non-negligible probability, then theID-PUIC protocol satisfies the proxy-protection property. Thefollowing definition formalizes another security property ofID-PUIC protocol, i.e., Unforgeability.


Definition 4 (Unforgeability): An ID-PUIC protocolsatisfies the security property of unforgeability if for anyprobabilistic polynomial time adversary A2 (i.e., maliciousPCS) the probability that A2 wins the following ID-PUICgame-2 on a set of file blocks is negligible. Let I Do be theoriginal client. Let I Dp be I Do’s proxy who uploads theblock-tag pairs to PCS. The ID-PUIC game-2 betweenthe adversary A2 and the challenger C2 is given below:

1) Setup: C2 runs Setup and gets system public parame-ters and master secret key. It sends the system publicparameters to A2 while it keeps confidential the mastersecret key msk.

2) First-Phase Queries: A2 adaptively makes Extract,Hash, Proxy-key Generation, TagGen queries to C2.C2 responds A2.• Extract queries. A2 queries ID’s private key.

By running Extract, C2 gets the corresponding pri-vate key skI D and sends it to A2. Denote S1 as thequeried identity set in the first-phase. The restrictionis that I Dp �∈ S1.

• Hash queries. A2 queries Hash oracle adaptively.C2 sends Hash values to A2.

• Proxy-key Generation queries. A2 sends(I D′o, I D′p) to C2 and queries the proxy-key wherethe original client is I D′o and the proxy is I D′p .Denote S2 as the set which is composed of all thequeried original client identity and proxy identitypairs. The restriction is that (I Do, I Dp) �∈ S2.

• TagGen queries. A2 makes block-tag pair queriesadaptively. For the block Fi , C2 computes the tag Ti

and sends it back to A2. Denote S3 as the set ofindex that the corresponding block tags have beenqueried in the first-phase.

3) Challenge: For the original client I Do and the proxyI Dp , C2 generates a challenge chal which defines anordered collection {i1, i2, · · · , ic}, where I Dp �∈ S1,(I Do, I Dp) �∈ S2, {i1, i2, · · · , ic} � S3, and c is apositive integer. A2 is required to provide the remotedata integrity proof for the blocks Fi1 , · · · , Fic .

4) Second-Phase Queries: Similar to the First-PhaseQueries. Denote S′1 as the queried identity set in Extractof the second-phase queries. Denote S′2 as the setwhich is composed of all the queried original clientidentity and proxy identity pairs in Proxy-key Gener-ation of the second-phase queries. Denote S′3 as theset of index that the corresponding block tags havebeen queried in TagGen of the second-phase queries.The restriction is that I Dp �∈ S1

⋃S′1, (I Do, I Dp) �∈

S2⋃

S′2, {i1, i2, · · · , ic} � S′3.5) Forge: A2 responses θ for the challenge chal.

If the response θ can pass C2’s verification, the adversary A2wins the ID-PUIC game-2.

Definition 4 states that, if some challenged blocks have beenmodified or deleted, the malicious PCS cannot generate a validremote data integrity proof. On the other hand, a practicalID-PUIC protocol also needs to convince the client that allof his outsourced data is kept integer with a high probability.The following definition states the security requirement.

TABLE I

NOTATIONS AND DESCRIPTIONS

Definition 5 [(ρ, δ) Security]: An ID-PUIC protocol satisfiesthe security (ρ, δ) if PCS corrupted ρ fraction of the wholeblocks, the probability that the corrupted blocks are detectedis at least δ.

The notations throughout this paper are listed in Table I.

III. THE PROPOSED ID-PUIC PROTOCOL

In this section, we propose an efficient ID-PUIC protocolfor secure data uploading and storage service in public clouds.Bilinear pairings technique makes identity-based cryptographypractical. Our protocol is built on the bilinear pairings. We firstreview the bilinear pairings. Then, the concrete ID-PUICprotocol is designed from the bilinear pairings. At last, basedon the computation cost and communication cost, we give theperformance analysis from two aspects: theoretical analysisand prototype implementation.

A. Bilinear Pairings

Denote G1 and G2 as two cyclic multiplicative groups whohave the same prime order q . Let Z∗q denote the multiplicativegroup of the field Fq . Bilinear pairings is a bilinear mape : G1 × G1 → G2 [32] which satisfies the properties below:

1) Bilinearity: ∀g1, g2, g3 ∈ G1 and a, b ∈ Z∗q ,

e(g1, g2g3) = e(g2g3, g1) = e(g2, g1)e(g3, g1)

e(g1a, g2

b) = e(g1, g2)ab


Fig. 1. Architecture of our ID-DPDP protocol.

2) Non-degeneracy: ∃g4, g5 ∈ G1 such that e(g4, g5) �=1G2 .

3) Computability: ∀g6, g7 ∈ G1, there is an efficient algo-rithm to compute e(g6, g7).

The concrete bilinear pairings e can be constructed byusing the modified Weil [33] or Tate pairings [34] on ellipticcurves. Our ID-PUIC protocol construction takes use of theeasiness of DDH (Decisional Diffie-Hellman) problem whileits security is based on the hardness of CDH (ComputationalDiffie-Hellman) problem. Let g be a generator of G1.CDH problem and DDH problem are defined below.

Definition 6 (CDH Problem on G1): Given the triple(g, ga, gb) ∈ G3

1 where a, b ∈ Zq are unknown, computegab ∈ G1.

Definition 7 (DDH Problem on G1): Given the quadruple(g, ga, gb, g) ∈ G4

1 where a, b ∈ Z∗q are unknown, decidewhether or not the formula gab = g holds.

In the paper, we choose the group G1 which satisfies thecondition that CDH problem is difficult but DDH problemis easy. On the group G1, DDH problem is easy by usingthe bilinear pairings. (G1,G2) are also called GDH (GapDiffie-Hellman) groups. On the groups G1 and G2, the basicrequirement is that the DLP (Discrete Logarithm Problem) isdifficult. Let g2 be a generator of G2. It is given below:

Definition 8 (DLP on G1): Given (g, ga) where a ∈ Z∗q isunknown, it is difficult to calculate a.

Definition 9 (DLP on G2): Given (g2, ga2 ) where a ∈ Z∗q is

unknown, it is difficult to calculate a.In the paper, we choose the groups G1 and G2 which satisfy

that DL P, C DH are difficult while DDH is easy.

B. Our Concrete ID-PUIC Protocol

This concrete ID-PUIC protocol comprises four procedures:Setup, Extract, Proxy-key generation, TagGen, and Proof.In order to show the intuition of our construction, the concreteprotocol’s architecture is depicted in Figure 1. First, Setup is

performed and the system parameters are generated. Basedon the generated system parameters, the other procedures areperformed as Figure 1. It is described below: (1) In the phaseExtract, when the entity’s identity is input, KGC generatesthe entity’s private key. Especially, it can generate the privatekeys for the client and the proxy. (2) In the phase Proxy-keygeneration, the original client creates the warrant and helps theproxy generate the proxy key. (3) In the phase TagGen, whenthe data block is input, the proxy generates the block’s tagand upload block-tag pairs to PCS. (4) In the phase Proof, theoriginal client O interacts with PCS. Through the interaction,O checks its remote data integrity.

Following the protocol’s architecture, we give the concreteconstruction below. Without loss of generality, suppose thatthe proxy plans to upload the file F . According to the sizeof F , we split it into multiple blocks. Suppose that F is splitinto n blocks, i.e., F = (F1, · · · , Fn). Fi denotes the i-th blockof F . Let Ni contain the name and attributes of the block Fi .(Ni , i) will be used to create the tag of Fi . The phases aredescribed in detail as the following.• Setup: Let G1,G2 be the two groups and e be the bilinear

pairings which are given in the section III-A. Both G1and G2 have the same order q. Let g be a generator gof the group G1. Two cryptographic hash functions aregiven below:

H : {0, 1}∗ → Z∗q , h : Z∗q × {0, 1}∗ → G1

Pick a pseudo-random function f and a pseudo-randompermutation π . The two functions f and π are definedbelow:

f : Z∗q × {1, 2, · · · , n} → Z∗qπ : Z∗q × {1, 2, · · · , n} → {1, 2, · · · , n}

KGC generates its master secret key x where x ∈ Z∗q .Then, it computes Y = gx . The parameters{G1,G2, e, q, g, Y, H, h, f, π} are made public. The mas-ter secret key x is kept confidential by KGC.

• Extract: Input the original client’s identity I Do,KGC picks a random ro ∈ Z∗q and computes (Ro, σo)below:

Ro = gro , σo = ro + x H (I Do, Ro) mod q

Then, KGC sends skI Do = (Ro, σo) to the originalclient by the secure channel. Let skI Do be the originalclient’s private key. The original client verifies skI Do ’scorrectness by verifying the following equation.

gσo = RoY H(I Do,Ro) (1)

If the formula (1) holds, the original client I Do acceptsskI Do as its private key; otherwise, I Do rejects it andrequests its private key by using Extract again.Similarly, input the proxy’s identity I Dp , the proxy I Dp

can also get its private key skI Dp = (Rp, σp).• Proxy-key generation: In order to generate the proxy key,

the original client I Do will interact with the proxy I Dp

below:


1) I Do creates the warrant mω according to its require-ments. The proxy I Dp cannot process and uploadthe original client I Do’s data unless it satisfies mω.I Do picks a random r1 ∈ Z∗q and computes mω’ssignature below:

R1 = gr1, σ1 = r1 + σo H (mω, R1) mod q

I Do sends the warrant-signature pair (mω, R1, σ1)and Ro to I Dp and PCS.

2) I Dp checks the validity of (mω, R1, σ1, Ro) byverifying whether or not the following equationholds.

gσ1 = R1(RoY H(I Do,Ro))H(mω,R1)

If the verification is unsuccessful, the proxy rejects itand informs I Do; otherwise, it computes the proxysecret key:

σ = σ1 + σp H (mω, R1)

The proxy secret key σ is kept secret by the proxy.At the same time, I Dp sends Rp to I Do .

• TagGen: When I Dp satisfies the warrant mω, I Dp willhelp I Do process its data. Suppose the original client’splaintext file is F . By using the light-weight symmetricencryption, F is encrypted into the ciphertext F whichwill be uploaded to PCS. Based on the size of F, theproxy I Dp splits F into n blocks, i.e., F = (F1, · · · , Fn).Fi denotes the i-th block of F and Fi ∈ Z∗q . Ni containsthe i-th block Fi ’s name and its properties. The proxycalculates u = h(n + 1, I D0). Then, for 1 ≤ i ≤ n,the proxy performs the following procedures step bystep:

1) The proxy computes Ti = (h(i, Ni )uFi )σ by usingthe proxy key σ ;

2) The proxy outputs the block Fi ’s tag Ti .

At last, the proxy gets all the block-tag pairs{(Fi , Ti ), 1 ≤ i ≤ n} and uploads them to PCS.When PCS receives mω’s signature (mω, R1, σ1) and Ro,it checks (mω, R1, σ1)’s validity by verifying whethergσ1 = R1(RoY H(I Do,Ro))H(mω,R1) holds. If it holds,PCS accepts mω; otherwise, it informs I Do. Whenreceiving the block-tag pairs {(Fi , Ti ), 1 ≤ i ≤ n},PCS checks whether I Dp satisfies mω. If it holds, PCSaccepts and stores them; otherwise, PCS refuses to acceptthem.

• Proof (PCS, O): This is a 2-move interactive protocolbetween PCS and the original client O. If O authorizesthe remote data integrity checking task to some verifier,it sends (Ro, Rp, R1) to the authorized verifier. Theauthorized verifier may be the third auditor or O’s proxy.Since O has (Ro, Rp, R1), O can performs the interactiveprotocol Proof as the verifier. When the verifier is O, theinteraction protocol Proof is given below.

1) Challenge (O → PCS): O generates the challengechal = (c, k1, k2). In chal, c is the challengedblock number which is determined by O and k1, k2

are randomly picked from Z∗q . Then, it sends thechallenge chal to PC S;

2) Response (O ← PCS): Upon receiving O’s chal-lenge chal = (c, k1, k2), PCS performs the follow-ing procedures:

a) Search for the two-tuples (O, k1) in the tableTchal . If (O, k1) ∈ Tchal , PCS refuses andinforms the requester O; otherwise, it goes on;

b) For 1 ≤ i ≤ c, PCS computes vi = πk1(i),ai = fk2 (i) by using k1, k2, and

T =∏

1≤i≤c

Tviai

F =∑

1≤i≤c

ai Fvi

c) PCS sends θ = (F, T ) to O.

3) Upon receiving the response θ = (F, T ), O per-forms the following procedures:

a) By using the generated chal, O computes

vi = πk1 (i), ai = fk2 (i)

hvi = h(vi , Nvi ), u = h(n + 1, I D0)

b) O computes

R = R1(Ro RpY H(I Do,Ro)+H(I Dp,Rp))H(mω,R1)

and verifies the following formula:

e(T, g) = e(c∏

i=1

haivi

u F , R) (2)

If the formula (2) holds, O outputs “success”;otherwise, O outputs “failure”.

4) When O outputs “failure”, it will perform thesame challenge many times. If the responses stillcannot pass the verification, O will inform thePCS manager this situation. PCS manager willcensor O’s stored data and retrieve the lost datafrom the offline backup. If PCS manager fails,O and PCS manager will have to evaluate the lossand discuss the reparation according to the lossseverity.

Notes: In Proof (PCS, O), O generates the challengechal = (c, k1, k2) where k1, k2 are randomly picked from Z∗q .Based on chal, PCS gets the challenged block index setas {v1, v2, · · · , vc} where vi = πk1(i), 1 ≤ i ≤ c.Since πk1(·) is a pseudo-random permutation determined bythe random k1, the challenged block index set {v1, v2, · · · , vc}comes from the random selection of the n stored block-tagpairs.

Correctness: Our proposed concrete ID-PUIC protocol mustbe workable and correct. Correctness means that, if KGC, PCS,O and Proxy are honest and follow the specified procedures,PCS’s response θ can pass O’s verification. Our protocol’s


correctness comes from the following deduction:

e(T, g) = e(c∏

i=1

T aivi

, g)

= e(c∏

i=1

h(vi , Nvi )ai uai Fvi ), gσ )

= e(c∏

i=1

h(vi , Nvi )ai u

∑ci=1 ai Fvi ), gσ )

= e(c∏

i=1

h(vi , Nvi )ai u F , gσ )

= e(c∏

i=1

haivi

u F , gσ )

On the other hand, by using the concrete σ , we get

gσ = gσ1+σp H(mω,R1)

= gσ1 gσp H(mω,R1)

= R1(RoY H(I Do,Ro))H(mω,R1)(RpY H(I Dp,Rp))H(mω,R1)

= R1(Ro RpY H(I Do,Ro)+H(I Dp,Rp))H(mω,R1)

Denote R = R1(Ro RpY H(I Do,Ro)+H(I Dp,Rp))H(mω,R1). Thus,

e(T, g) = e(c∏

i=1

haivi

u F , R)

Thus, the correctness is proved.

C. Performance Analysis

First, we give the computation and communication overheadof our proposed ID-PUIC protocol. At the same time, weimplement the prototype of our ID-PUIC protocol and evaluateits time cost. Then, we give the flexibility of remote dataintegrity checking in the phase Proof of our ID-PUIC protocol.At last, we compare our ID-PUIC protocol with the other up-to-date remote data integrity checking protocols.

1) Computation: Let the uploaded block number be n.Let the challenge be chal = (c, k1, k2) where 1 ≤ c ≤ n,k1, k2 ∈ Z∗q . Based on the different phases, we give thecomputation overhead. On the group G1, bilinear pairings,exponentiation, and multiplication contribute most computa-tion cost. Compared with them, the other operations are faster,such as, hash function h, the operations on Z∗q and G2, etc.The hash function H can be done once for all. Thus, we onlyconsider bilinear pairings, exponentiation, and multiplicationon G1. For the proxy, the computation overhead mainly comesfrom the phase T agGen. In the phase TagGen, the proxyperforms 2n exponentiation, n multiplication on the group G1,and n hash function h. In the phase Proof, the original client Ogenerates the challenge chal and PCS responds to chal. In theinteractive proof Proof, PCS performs c exponentiation andc−1 multiplication on the group G1 and sends the response θto the checker O. In order to check the response θ ’s validity,O performs c+3 exponentiation, 2 pairings, 3+c multiplicationon the group G1 and c hash function h.

In order to show our protocol’s practical computationoverhead, we have simulated the proposed ID-PUIC protocol

Fig. 2. Proxy’s time cost in TagGen (second).

by using C programming language with GMP Library(GMP-5.0.5) [36], and PBC Library (pbc-0.5.13) [37], [38].In the simulation, PCS works on DELL PowerEdge R420Server with the following settings:• CPU: Intel R Xeon R processor E5-2400 and E5-2400

v2 product families• Physical Memory: 8GB DDR3 1600MHz• OS: Ubuntu 13.04 Linux 3.8.0-19-generic SMP i686

The proxy and the original client works on PC Laptop withthe following settings:

• CPU: CPU I PDC E6700 3.2GHz• Physical Memory: DDR3 2G 1600MHz• OS: Windows 7

In the simulation, we choose type A pairing parameters,where the group order is 160 bits, and the order of thebase field is 512bit. Type A pairing parameters provide acompetitive security level with 1024-bit RSA. In TagGen,when one tag is created, proxy’s time cost is 0.022472s. Whenone thousand tags are created, proxy’s time cost is 22.567269s.In order to show the time cost, we give Figure 2. Figure 2depicts proxy’s computation cost in TagGen. X-label denotesthe created tag number n and Y-label denotes the time cost(second) in order to create n tags. Proxy’s time cost increasesalmost linearly with the created tag number n. In Proof, theoriginal client interacts with PCS and performs the remotedata integrity checking. In Proof, when the challenged blocknumber is 20, the original client’s time cost is 0.567881s.When the challenged block number is 100, the original client’stime cost is 2.356659s. In order to show the time cost, we giveFigure 3. Figure 3 depicts original client’s computation timecost in Proof. X-label denotes the challenged block numberc and Y-label denotes the time cost (second) in order tocheck PCS’s response θ . At the same time, we consider thecomputation time cost of PCS. In Proof, when the challengedblock number is 20, the PCS’s time cost is 1.611138s. Whenthe challenged block number is 100, the PCS’s time costis 7.993312s. In order to show the time cost, PCS’s timecost figure is added to Figure 3. Figure 3 also depicts PCS’scomputation time cost in Proof. X-label denotes the challengedblock number c and Y-label denotes PCS’s time cost (second)


TABLE II

COMPARISON OF COMPUTATION AND SECURITY PROPERTY

Fig. 3. PCS and OriginalClient’s time cost in Proof (second).

in order to create the response θ . From Figure 3, we knowthat most computation are performed by PCS. The end deviceonly performs a little computation. Our protocol can be usedin the environment where the checker’s computation resourceis limited, for example mobile phone.

2) Communication: National Bureau of Standards andANSI X9 have determined the shortest key length require-ments: RSA and DSA is 1024 bits, ECC is 160 bits [35].According to the above standard, we analyze our ID-PUICprotocol’s communication cost. After the data processing, theblock-tag pairs are uploaded to PCS once and for all. Thus, weonly consider the communication cost which is incurred in theremote data integrity checking. In Proof, the communicationcost comprises the challenge chal and response θ . The originalclient will interact with PCS periodically in the phase Proof.Suppose there are n message blocks are stored in the PCS.In order to finish one round interaction, the original clientwill create the challenge chal = (c, k1, k2) and send chal toPCS. The whole communication cost is log2 n + 2 log2 q =320 + log2 n bits. In order to respond the challenge chal,PCS creates the response θ = (F, T ). θ ’s bit length is160 + 1|G1| = 160 + 2 ∗ 512 = 1184 bits. Thus, for oneround interaction of Proof, the whole communication cost is320+ log2 n + 1184 = 1504+ log2 n bits.

3) Private Checking, Delegated Checking and PublicChecking: Our proposed ID-PUIC protocol satisfies theprivate checking, delegated checking and public checking.In the remote data integrity checking procedure, R1, Ro, Rp

are indispensable. Thus, the procedure can only be performedby the entity who has R1, Ro, Rp . In general, since R1, Ro, Rp

are kept secret by the original client, our protocol can only beperformed by the original client. Thus, it is private checking.On some cases, the original client has no ability to check itsremote data integrity, such as, he is taking a vacation or inprison or in battle field, etc. Thus, it will delegate the thirdparty to perform the ID-PUIC protocol. It can be the thirdauditor or the proxy or other entities. The original client sendsR1, Ro, Rp to the delegated third party. The delegated thirdparty has the ability to perform the ID-PUIC protocol. Thus,it has the property of delegated checking. On the other hand,if the original client makes R1, Ro, Rp public, any entityhas the ability to perform the ID-PUIC protocol. Thus, ourprotocol has also the property of public checking.

Notes: In the checking, the checker must have R1, Ro, Rp .Ro, Rp are the part of original client’s private key and theproxy’s private key respectively. Their publicity cannot leaktheir the other part of private key, i.e., σo, σp cannot beleaked. The private key extraction phase Extract is actuallya modified ElGamal signature scheme which is existentiallyunforgeable. For the identity ID, the extracted private key(R, σ ) is a signature of ID. Since ElGamal signature isexistentially unforgeable, the private key part σ will keepsecret even if R is made public. On the other hand, R1 isgenerated by the original client in order to create the signatureon the warrant mω. Thus, R1 is also known to the originalclient.

4) Comparison: In order show our ID-PUIC protocol’ssuperiority, we compare our protocol with the recent twoprotocols, i.e., Wang’s protocol [16] and Zhang et al.’s proto-col [23]. Since most computation cost comes from the pair-ings, exponentiation and multiplication on the group G1, thesimplified comparison is given in Table II. In the comparison,we denote the time cost of pairings, exponentiation and mul-tiplication as Cp, Ce, Cm , respectively. From the computationcomparison, we know that our protocol has almost the samecomputation cost in the phases TagGen and PCS has thesame computation cost in the phase Proof. For the checkerin the phase Proof, our protocol has less computation costthan the other two protocols. On the other hand, our protocolcan realize the three security properties: proxy data processingand uploading, remote data integrity checking with flexibilityand not required certificate management. Flexibility meansthat our protocol can realize the private checking, delegatedchecking and public checking according to the original client’sauthorization.

5) Hybrid Cloud: Our contributions are also suitable forthe scenario of hybrid clouds, where the proxy can be treatedas the private cloud of the original client. In the scenario,


the private cloud gets its private/public key pairs. The privatecloud gets the proxy-key and the authorization of the originalclient through the interaction between the original client and itsprivate cloud. When the original client needs its private cloudperform the data uploading task, it informs its private cloud.Upon receiving the original client’s instruction, the privatecloud will interact with the public cloud and finish the datauploading task.

IV. SECURITY ANALYSIS

The security of our ID-PUIC protocol mainly consists of thefollowing parts: correctness, proxy-protection and unforgeabil-ity. The correctness has been shown in the subsection III-B.In the following paragraph, we study the proxy-protectionand unforgeability. Proxy-protection means that the originalclient cannot pass himself off as the proxy to create the tags.Unforgeability means that when some challenged blocks aremodified or deleted, PCS cannot send the valid response whichcan pass the integrity checking.

In order to formally prove our protocol, we give thedefinition of (t, ε)-security below:

Definition 10 [(t, ε)-Security]: A problem is called to satisfy(t, ε)-security if no adversary can break it with the probabilityat least ε within the time period t .

Theorem 1 (Proxy-Protection): Let (G1,G2) be a (t ′, ε′)-GDH group pair where G1 and G2 have the same primeorder q . Then, our proposed ID-PUIC protocol is (t, ε) proxy-protective in the random oracle model, where t and ε satisfiesε′ ≥ 1

n ( qTqT+1 )qT 1

qT+1ε and t ′ ≤ t+O(qH )+O(qh)+O(qE )+O(qT ) + O(qp). n denotes the number of all the identities.In particular, suppose A1 is an adversary in the random oraclemodel, and A1 runs in time t , and makes at most qH hashH-Oracle queries, qh hash h-Oracle query, qE Extract-Oraclequery, qT TagGen-Oracle query and qp Proxy-key Generation-Oracle query. Based on the difficulty of CDH problem, ourID-PUIC protocol satisfies the property of proxy-protection.

Proof: Let the selected identity set be I = {I D1,I D2, · · · , I Dn} which includes the proxy identity I Dp . Letthe uploaded data be F which is divided into n blocks, i.e.,F = (F1, F2, · · · , Fn), where Fi ∈ Z∗q . Suppose that theoriginal client can (t, ε)-counterfeit the proxy to generateblock-tag pairs. We can construct another algorithm C1 whichcan (t ′, ε′)-break the CDH problem. Based on the difficulty ofCDH problem, the theorem is proved. C1 will simulate A1’sattack environment. Denote g as a generator of the group G1.In the following game, the adversary is denoted as A1 and thechallenger is denoted as C1. Let (P1, P2) be P1 = ga, P2 = gb

where a, b ∈ Z∗q are unknown. Input the tuple (g, P1, P2),C1 will try to calculate gab by using A1’s forgery.

Setup: C1 picks x ∈ Z∗q and calculates Y = gx . Then, it setsthe KGC’s private key/public key pair is (x, Y ). Let mω be thewarrant which describes the original client’s authorization. C1calculates u = h(n + 1, I Do) and sends u to A1. The threetables TH , Th , and TE are initialized to be empty. TH storesthe hash function H’s query-response records, Th stores thehash function h’s query-response records and TE stores theoracle Extract’s query-response records.

H-Query: A1 sends Qi = (I Di , Ri ) or Qi = (mω, Ri )to C1. C1 looks up the table TH . If there exists (Qi , ti ) ∈ TH ,C1 sends ti to A1; otherwise, C1 picks a random ti ∈ Z∗q andstores (Qi , ti ) in the table TH . Then, it outputs ti to A1 as theresponse.

h-Query: A1 sends (i, Ni ) to C1. C1 responds A1 below:

1) C1 looks up the table Th whose records are the for-mat (i, Ni , zi , bi , ci ). If the query (i, Ni ) has beenstored in the table Th , C1 sends zi u−Fi to A1, i.e.,h(i, Ni ) = zi u−Fi .

2) If the query (i, Ni ) does not be stored in Th , C1 picksa random bi ∈ Z∗q . At the same time, it also picksa random coin ci ∈ {0, 1} based on the bivariateprobability distribution Pr[ci = 0] = 1

qT+1 . If ci = 1,C1 calculates zi = gbi ; otherwise, C1 calculateszi = P2gbi . Then, C1 adds the record (i, zi , bi , ci ) toTh and responds h(i, Ni ) = zi u−Fi to A1.

Extract: A1 sends I Di to C1 where I Di �= I Dp . SinceC1 has KGC’s private key x , it can calculate I Di ’s pri-vate key (Ri , σi ) by using the phase Extract of our ID-PUIC protocol. Especially, A1 can query the original client’sprivate key and get (Ro, σo) from C1. In TE , the cor-responding record can be denoted as (Qo, Ho, σo) whereQo = (I Do, Ro), Ho = H (I Do, Ro). On the other hand,although A1 cannot query the proxy I Dp’s private key, but C1can generate part of I Dp’s private key below: Picks randomHp ∈ Z∗q and calculates Rp = P1Y−Hp . Then, C1 setsHp = H (I Dp, Rp). It is obvious that σp = a is unknown.

Proxy-Key Generation Query: A1 sends (I D′o, I D′p) to C1.If I D′p �= I Dp , I D′p and I D′o’s private keys can be extractedin the phase Extract. Thus, proxy-key can be generated byusing the normal procedure. Otherwise, aborts.

Notes: Since A1 has gotten the original client’s private key,it can generates the warrant mω’s signature (mω, R1, σ1) andsends it to C1. In the practical scenario, the proxy can also getthe warrant’s signature. Our assumption is appropriate.

TagGen Query: A1 sends (i, Ni , Fi ) to C1. C1 performsthe following procedures: If (i, Ni , zi , bi , ci ) has not beenstored in the table Th , A1 sends the query (i, Ni ) to h-Oracle.C1 responds A1 and adds the record (i, Ni , zi , bi , ci ) to Th .Otherwise, C1 performs the following procedure. If ci = 0, C1reports failure and terminates; otherwise, C1 calculates

Ti = gσ1bi (P1)bi H(mω,R1)

and sends Ti to A1.Notes: C1’s response to the tag query is valid from the

derivation:

Ti = gσ1bi (P1)bi H(mω,R1)

= (gσ1 ga H(mω,R1))bi

= (gσ1 gσp H(mω,R1))bi

= (gσ )bi

= (gbi )σ

= (h(i, Ni )uFi )σ

Output: At last, A1 outputs a forged block-tag pair (F f , T f )where the block F f ’s index-name pair is ( f, N f ). C1 looks up


the table Th and gets the record ( f, N f , z f , b f , c f ) (If therecord does not exist, C1 calculates and adds it to Th based onthe phase h-query). When c f = 1, the game aborts and fails;otherwise,

T f = (h( f, N f )uF f )σ

= (P2gb f )σ

= (P2gb f )σ1(P2gb f )a H(mω,R1)

We can get

gab = Pa2 = [T f (P2gb f )−σ1 P

−b f H(mω,R1)1 ] 1

H (mω,R1)

Thus, CDH problem is solved.Probability Analysis. Now, we evaluate C1’s success prob-

ability. In order to break CDH problem, the following fourevents must hold simultaneously:

1) E1: C1 does not abort in A1’s Proxy-key Generationquery.

2) E2: C1 does not abort in A1’s TagGen query.3) E3: A1 generates a valid block-tag forgery (F f , T f )

which satisfies c f = 0.C1 succeeds if the above three events hold. We calculate the

following probability:

Pr[E1 ∧ E2 ∧ E3]= Pr[E1] Pr[E2|E1] Pr[E3|E1 ∧ E2]= 1

n(

qT

qT + 1)qT

1

qT + 1ε

In C1’s simulation environment, we assume that (G1,G2) is(t ′, ε′)-secure GDH group. We can get

ε′ ≥ Pr[E1 ∧ E2 ∧ E3] = 1

n(

qT

qT + 1)qT

1

qT + 1ε

C1’s running time is the same as A1’s running timeplus the time which is spent to respond qH H-query,qh h-query, qE Extract-query, qT TagGen-query and qp Proxy-key Generation-query. Thus, C1’s whole running time is atmost t ′ ≤ t + O(qH ) + O(qh) + O(qE ) + O(qT ) + O(qp).Thus, if A1 can (t, ε)-forge block-tag pair, C1 can (t ′, ε′)-breakthe GDH group. It contradicts the assumption that (G1,G2) isa (t ′, ε′)-GDH group pair. The proof is completed.

In our ID-PUIC protocol, the phase TagGen is the sameas the phase Pub.St of PoRs construction for public verifia-bility [20]. Based on the protocol [20]’s unforgeability, ourID-PUIC protocol satisfies the unforgeability.

Theorem 2 (Unforgeability): The proposed ID-PUIC proto-col is existentially unforgeable in the random oracle model ifCDH problem on G1 is hard.

Since the proof process is almost the same asShacham-Waters’s protocol [20], we only give the differences.In Shacham-Waters’s protocol, u is randomly picked from G1.In our ID-PUIC protocol, u is calculated by using the hashfunction h. In the random oracle model, h’s output valueis indistinguishable from a random value nn the group G1.In the phase TagGen, the proxy-key σ is used in ID-PUICprotocol while the data owner’s secret key a is used inShacham-Waters’s protocol [20]. For PCS, σ and a has thesame function to generate the block tags. When PCS is

Fig. 4. The probability curve PX of detecting the corruption.

dishonest, since Shacham-Waters’s protocol is existentiallyunforgeable in random oracle model, our proposed ID-PUICprotocol is also existentially unforgeable in the random oraclemodel. The detailed proof process is omitted since it is verysimilar to Shacham-Waters’s protocol.

Theorem 3: Let the uploaded block-tag pairs number be n.When d block-tag pairs are broken and c block-tag pairs arechallenged, the broken block-tag pairs can be found out withprobability at least 1 − ( n−d

n )c and at most 1 − ( n−c+1−dn−c+1 )c.

Thus, our ID-PUIC protocol is ( dn , 1− ( n−d

n )c)-secure, i.e.,

1− (n − d

n)c ≤ PX ≤ 1− (

n − c + 1− d

n − c + 1)c

where PX denotes the probability of detecting themodification.

Proof: Let the challenged block-tag pair set be S and themodified block-tag pair set be M. Let the random variable Xbe X = |S ⋂M|. According to the definition of PX , we canget

PX = P{X ≥ 1}= 1− P{X = 0}= 1− n − d

n

n − 1− d

n − 1· · · · · n − c + 1− d

n − c + 1Thus, we can get

1− (n − d

n)c ≤ PX ≤ 1− (

n − c + 1− d

n − c + 1)c

This completes the proof of the theorem.We give the probability curve of PX in Figure 4. Combined

with the performance analysis, when the stored block-tag pairsnumber be 10000 and d = 500, c = 70, the probabilityis 97.28%, the original client’s time cost is 1.920119s andPCS’s time cost is 6.397231s. When n = 10000, d = 500,c = 50, the probability is 92.36%, the original client’stime cost is 1.715752s and PCS’s time cost is 5.516639s.From our experiments, our ID-PUIC protocol is efficient andpractical.

V. CONCLUSION

Motivated by the application needs, this paper proposes thenovel security concept of ID-PUIC in public cloud. The paper


formalizes ID-PUIC’s system model and security model. Then,the first concrete ID-PUIC protocol is designed by using thebilinear pairings technique. The concrete ID-PUIC protocolis provably secure and efficient by using the formal securityproof and efficiency analysis. On the other hand, the proposedID-PUIC protocol can also realize private remote data integritychecking, delegated remote data integrity checking and publicremote data integrity checking based on the original client’sauthorization.

ACKNOWLEDGMENTS

The authors sincerely thank the Editor for allocatingqualified and valuable referees. They sincerely thank theanonymous referees for their very valuable comments.

REFERENCES

[1] Z. Fu, X. Sun, Q. Liu, L. Zhou, and J. Shu, “Achieving efficient cloudsearch services: Multi-keyword ranked search over encrypted cloud datasupporting parallel computing,” IEICE Trans. Commun., vol. E98-B,no. 1, pp. 190–200, 2015.

[2] Y. Ren, J. Shen, J. Wang, J. Han, and S. Lee, “Mutual verifiable provabledata auditing in public cloud storage,” J. Internet Technol., vol. 16, no. 2,pp. 317–323, 2015.

[3] M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures for delegatingsigning operation,” in Proc. CCS, 1996, pp. 48–57.

[4] E.-J. Yoon, Y. Choi, and C. Kim, “New ID-based proxy signature schemewith message recovery,” in Grid and Pervasive Computing (LectureNotes in Computer Science), vol. 7861. Berlin, Germany: Springer-Verlag, 2013, pp. 945–951.

[5] B.-C. Chen and H.-T. Yeh, “Secure proxy signature schemes from theweil pairing,” J. Supercomput., vol. 65, no. 2, pp. 496–506, 2013.

[6] X. Liu, J. Ma, J. Xiong, T. Zhang, and Q. Li, “Personal health recordsintegrity verification using attribute based proxy signature in cloudcomputing,” in Internet and Distributed Computing Systems (LectureNotes in Computer Science), vol. 8223. Berlin, Germany: Springer-Verlag, 2013, pp. 238–251.

[7] H. Guo, Z. Zhang, and J. Zhang, “Proxy re-encryption with unforgeablere-encryption keys,” in Cryptology and Network Security (Lecture Notesin Computer Science), vol. 8813. Berlin, Germany: Springer-Verlag,2014, pp. 20–33.

[8] E. Kirshanova, “Proxy re-encryption from lattices,” in Public-KeyCryptography (Lecture Notes in Computer Science), vol. 8383. Berlin,Germany: Springer-Verlag, 2014, pp. 77–94.

[9] P. Xu, H. Chen, D. Zou, and H. Jin, “Fine-grained and heterogeneousproxy re-encryption for secure cloud storage,” Chin. Sci. Bull., vol. 59,no. 32, pp. 4201–4209, 2014.

[10] S. Ohata, Y. Kawai, T. Matsuda, G. Hanaoka, and K. Matsuura,“Re-encryption verifiability: How to detect malicious activities of aproxy in proxy re-encryption,” in Proc. CT-RSA Conf., vol. 9048. 2015,pp. 410–428.

[11] G. Ateniese et al., “Provable data possession at untrusted stores,” inProc. CCS, 2007, pp. 598–609.

[12] G. Ateniese, R. Di Pietro, L. V. Mancini, and G. Tsudik, “Scalableand efficient provable data possession,” in Proc. SecureComm, 2008,Art. ID 9.

[13] C. C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, “Dynamicprovable data possession,” in Proc. CCS, 2009, pp. 213–222.

[14] E. Esiner, A. Küpçü, and Ö. Özkasap, “Analysis and optimization onFlexDPDP: A practical solution for dynamic provable data possession,”Intelligent Cloud Computing (Lecture Notes in Computer Science),vol. 8993. Berlin, Germany: Springer-Verlag, 2014, pp. 65–83.

[15] E. Zhou and Z. Li, “An improved remote data possession checkingprotocol in cloud storage,” in Algorithms and Architectures for ParallelProcessing (Lecture Notes in Computer Science), vol. 8631. Berlin,Germany: Springer-Verlag, 2014, pp. 611–617.

[16] H. Wang, “Proxy provable data possession in public clouds,” IEEETrans. Services Comput., vol. 6, no. 4, pp. 551–559, Oct./Dec. 2013.

[17] H. Wang, “Identity-based distributed provable data possession in multi-cloud storage,” IEEE Trans. Services Comput., vol. 8, no. 2, pp. 328–340,Mar./Apr. 2015.

[18] H. Wang, Q. Wu, B. Qin, and J. Domingo-Ferrer, “FRR: Fair remoteretrieval of outsourced private medical records in electronic healthnetworks,” J. Biomed. Inform., vol. 50, pp. 226–233, Aug. 2014.

[19] H. Wang, “Anonymous multi-receiver remote data retrieval for pay-TVin public clouds,” IET Inf. Secur., vol. 9, no. 2, pp. 108–118, Mar. 2015.

[20] H. Shacham and B. Waters, “Compact proofs of retrievability,” in Proc.ASIACRYPT, vol. 5350. 2008, pp. 90–107.

[21] Q. Zheng and S. Xu, “Fair and dynamic proofs of retrievability,” in Proc.CODASPY, 2011, pp. 237–248.

[22] D. Cash, A. Küpçü, and D. Wichs, “Dynamic proofs of retrievability viaoblivious RAM,” in Proc. EUROCRYPT, vol. 7881. 2013, pp. 279–295.

[23] J. Zhang, W. Tang, and J. Mao, “Efficient public verification proofof retrievability scheme in cloud,” Cluster Comput., vol. 17, no. 4,pp. 1401–1411, 2014.

[24] J. Shen, H. Tan, J. Wang, J. Wang, and S. Lee, “A novel routing protocolproviding good transmission reliability in underwater sensor networks,”J. Internet Technol., vol. 16, no. 1, pp. 171–178, 2015.

[25] T. Ma et al., “Social network and tag sources based augmentingcollaborative recommender system,” IEICE Trans. Inf. Syst., vol. E98-D,no. 4, pp. 902–910, 2015.

[26] K. Huang, J. Liu, M. Xian, H. Wang, and S. Fu, “Enabling dynamicproof of retrievability in regenerating-coding-based cloud storage,” inProc. IEEE ICC, Jun. 2014, pp. 712–717.

[27] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving publicauditing for data storage security in cloud computing,” in Proc. IEEEINFOCOM, Mar. 2010, pp. 1–9.

[28] Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, “Enabling publicauditability and data dynamics for storage security in cloud comput-ing,” IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 5, pp. 847–859,May 2011.

[29] C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou, “Toward secure anddependable storage services in cloud computing,” IEEE Trans. ServicesComput., vol. 5, no. 2, pp. 220–232, Apr./Jun. 2012.

[30] Y. Zhu, G.-J. Ahn, H. Hu, S. S. Yau, H. G. An, and C.-J. Hu, “Dynamicaudit services for outsourced storages in clouds,” IEEE Trans. ServicesComput., vol. 6, no. 2, pp. 227–238, Apr./Jun. 2013.

[31] O. Goldreich, Foundations of Cryptography: Basic Tools. Beijing, China:Publishing House of Electronics Industry, 2003, pp. 194–195.

[32] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weilpairing,” in Proc. ASIACRYPT, vol. 2248. 2001, pp. 514–532.

[33] D. Boneh and M. Franklin, “Identity-based encryption from the weilpairing,” in Proc. CRYPTO, vol. 2139. 2001, pp. 213–229.

[34] A. Miyaji, M. Nakabayashi, and S. Takano, “New explicit conditions ofelliptic curve traces for FR-reduction,” IEICE Trans. Fundam. Electron.,Commun. Comput. Sci., vol. E84-A, no. 5, pp. 1234–1243, 2001.

[35] C. Research. SEC 2: Recommended Elliptic Curve Domain Parameters.[Online]. Available: http://www.secg.org/SEC2-Ver-1.0.pdf, accessed2015.

[36] The GNU Multiple Precision Arithmetic Library (GMP). [Online].Available: http://gmplib.org/, accessed 2015.

[37] The Pairing-Based Cryptography Library (PBC). [Online]. Available:http://crypto.stanford.edu/pbc/howto.html, accessed 2015.

[38] B. Lynn, “On the implementation of pairing-based cryptosystems,”Ph.D. dissertation, Dept. Comput. Sci., Stanford Univ., Stanford, CA,USA, 2008. [Online]. Available: http://crypto.stanford.edu/pbc/thesis.pdf

Huaqun Wang received the B.S. degree in mathe-matics education from Shandong Normal University,in 1997, the M.S. degree in applied mathematicsfrom East China Normal University, China, in 2000,and the Ph.D. degree in cryptography from theNanjing University of Posts and Telecommunica-tions, China, in 2006. He is currently a Professorwith the Nanjing University of Posts and Telecom-munications. He has authored over 40 papers.His research interests include applied cryptography,network security, and cloud computing security.

He has served in the Program Committee of several international conferencesand on the Editorial Board of international journals.


Debiao He received the Ph.D. degree in appliedmathematics from the School of Mathematicsand Statistics, Wuhan University, Wuhan, China,in 2009. He is currently an Associate Professor withthe State Key Laboratory of Software Engineering,School of Computer, Wuhan University. His mainresearch interests include cryptography and informa-tion security, in particular, cryptographic protocols.

Shaohua Tang received the B.Sc. and M.Sc. degreesin applied mathematics and the Ph.D. degree incommunication and information system from theSouth China University of Technology, in 1991,1994, and 1998, respectively. He has been a FullProfessor with the School of Computer Science andEngineering, South China University of Technology,since 2004. His current research interests includeinformation security, networking, and informationprocessing.

Documents

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND … Papers/2016 .Net/LSD1609 - Identity-… · Identity-Based Proxy-Oriented Data Uploading and Remote Data Integrity Checking in Public