Journal An Efficient and Secure Dynamic Auditing

An Efficient and Secure Dynamic AuditingProtocol for Data Storage in Cloud Computing

Kan Yang, Student Member, IEEE, and Xiaohua Jia, Fellow, IEEE

AbstractIn cloud computing, data owners host their data on cloud servers and users (data consumers) can access the data from

cloud servers. Due to the data outsourcing, however, this new paradigm of data hosting service also introduces new security challenges,

which requires an independent auditing service to check the data integrity in the cloud. Some existing remote integrity checkingmethods

can only serve for static archive data and, thus, cannot be applied to the auditing service since the data in the cloud can be dynamically

updated. Thus, an efficient and secure dynamic auditing protocol is desired to convince data owners that the data are correctly stored in

the cloud. In this paper, we first design an auditing framework for cloud storage systems and propose an efficient and privacy-preserving

auditing protocol. Then, we extend our auditing protocol to support the data dynamic operations, which is efficient and provably secure in

the random oracle model. We further extend our auditing protocol to support batch auditing for both multiple owners and multiple clouds,

without using any trusted organizer. The analysis and simulation results show that our proposed auditing protocols are secure and

efficient, especially it reduce the computation cost of the auditor.

Index TermsStorage auditing, dynamic auditing, privacy-preserving auditing, batch auditing, cloud computing

1 INTRODUCTION

CLOUD storage is an important service of cloud comput-ing [1], which allows data owners (owners) to movedata from their local computing systems to the cloud. Moreand more owners start to store the data in the cloud [2].However, this new paradigm of data hosting service alsointroduces new security challenges [3]. Owners wouldworry that the data could be lost in the cloud. This isbecause data loss could happen in any infrastructure, nomatter what high degree of reliable measures cloud serviceproviders would take [4], [5], [6], [7], [8]. Sometimes, cloudservice providers might be dishonest. They could discardthe data that have not been accessed or rarely accessed tosave the storage space and claim that the data are stillcorrectly stored in the cloud. Therefore, owners need to beconvinced that the data are correctly stored in the cloud.

Traditionally, owners can check the data integrity basedon two-party storage auditing protocols [9], [10], [11], [12],[13], [14], [15], [16], [17]. In cloud storage system, however,it is inappropriate to let either side of cloud serviceproviders or owners conduct such auditing, because noneof them could be guaranteed to provide unbiased auditingresult. In this situation, third-party auditing is a naturalchoice for the storage auditing in cloud computing. A third-party auditor (auditor) that has expertise and capabilitiescan do a more efficient work and convince both cloudservice providers and owners.

For the third-party auditing in cloud storage systems,there are several important requirements that have been

proposed in some previous works [18], [19]. The auditingprotocol should have the following properties: 1) Confiden-tiality. The auditing protocol should keep owners dataconfidential against the auditor. 2) Dynamic auditing. Theauditing protocol should support the dynamic updates ofthe data in the cloud. 3) Batch auditing. The auditingprotocol should also be able to support the batch auditingfor multiple owners and multiple clouds.

Recently, several remote integrity checking protocolswere proposed to allow the auditor to check the dataintegrity on the remote server [20], [21], [22], [23], [24], [25],[26], [27], [28]. Table 1 gives the comparisons among someexisting remote integrity checking schemes in terms of theperformance, the privacy protection, the support of dy-namic operations and the batch auditing for multipleowners and multiple clouds. From Table 1, we can findthat many of them are not privacy preserving or cannotsupport the data dynamic operations, so that they cannot beapplied to cloud storage systems.

In [23], the authors proposed a dynamic auditingprotocol that can support the dynamic operations of thedata on the cloud servers, but this method may leak thedata content to the auditor because it requires the server tosend the linear combinations of data blocks to the auditor.In [24], the authors extended their dynamic auditingscheme to be privacy preserving and support the batchauditing for multiple owners. However, due to the largenumber of data tags, their auditing protocols may incur aheavy storage overhead on the server. In [25], Zhu et al.proposed a cooperative provable data possession schemethat can support the batch auditing for multiple clouds andalso extend it to support the dynamic auditing in [26].However, their scheme cannot support the batch auditingfor multiple owners. That is because parameters forgenerating the data tags used by each owner are different,and thus, they cannot combine the data tags from multipleowners to conduct the batch auditing. Another drawback is

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 24, NO. 9, SEPTEMBER 2013 1717

. The authors are with the Department of Computer Science, City Universityof Hong Kong, Tat Chee Avenue, Kowloon, Hong Kong, SAR.E-mail: [email protected], [email protected].

Manuscript received 13 Aug. 2011; revised 7 Sept. 2012; accepted 9 Sept.2012; published online 21 Sept. 2012.Recommended for acceptance by L.E. Li.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TPDS-2011-08-0534.Digital Object Identifier no. 10.1109/TPDS.2012.278.

1045-9219/13/$31.00 2013 IEEE Published by the IEEE Computer Society

that their scheme requires an additional trusted organizer tosend a commitment to the auditor during the multicloudbatch auditing, because their scheme applies the masktechnique to ensure the data privacy. However, suchadditional organizer is not practical in cloud storagesystems. Furthermore, both Wangs schemes and Zhusschemes incur heavy computation cost of the auditor, whichmakes the auditor a performance bottleneck.

In this paper, we propose an efficient and securedynamic auditing protocol, which can meet the above-listed requirements. To solve the data privacy problem, ourmethod is to generate an encrypted proof with the challengestamp by using the Bilinearity property of the bilinearpairing, such that the auditor cannot decrypt it but canverify the correctness of the proof. Without using the masktechnique, our method does not require any trustedorganizer during the batch auditing for multiple clouds.On the other hand, in our method, we let the servercompute the proof as an intermediate value of theverification, such that the auditor can directly use thisintermediate value to verify the correctness of the proof.Therefore, our method can greatly reduce the computingloads of the auditor by moving it to the cloud server.

Our original contributions can be summarized as follows:

1. We design an auditing framework for cloud storagesystems and propose a privacy-preserving andefficient storage auditing protocol. Our auditingprotocol ensures the data privacy by using crypto-graphy method and the Bilinearity property of thebilinear pairing, instead of using the mask techni-que. Our auditing protocol incurs less communica-tion cost between the auditor and the server. It alsoreduces the computing loads of the auditor bymoving it to the server.

2. We extend our auditing protocol to support the datadynamic operations, which is efficient and provablysecure in the random oracle model.

3. We further extend our auditing protocol to supportbatch auditing for not only multiple clouds but alsomultiple owners. Our multicloud batch auditingdoes not require any additional trusted organizer.The multiowner batch auditing can greatly improvethe auditing performance, especially in large-scalecloud storage systems.

The remaining of this paper is organized as follows: InSection 2, we describe definitions of the system model andsecurity model. In Section 3, we propose an efficient andinherently secure auditing protocol and extend it to supportthe dynamic auditing in Section 4. We further extend ourauditing protocol to support the batch auditing for multipleowners and multiple clouds in Section 5. Section 6 give theperformance analysis of our proposed auditing protocols interms of communication cost and computation cost. Thesecurity proof will be shown in the supplemental file, whichcan be found on the Computer Society Digital Library athttp://doi.ieeecomputersociety.org/10.1109/TPDS.2012.278. In Section 7, we give the related work on storageauditing. Finally, the conclusion is given in Section 8.

2 PRELIMINARIES AND DEFINITIONS

In this section, we first describe the system model andgive the definition of storage auditing protocol. Then, wedefine the threat model and security model for a storageauditing system.

2.1 Definition of a System Model

We consider an auditing system for cloud storage as shownin Fig. 1, which involves data owners (owner), the cloudserver (server), and the third-party auditor (auditor). Theowners create the data and host their data in the cloud.The cloud server stores the owners data and provides thedata access to users (data consumers). The auditor is atrusted third-party that has expertise and capabilities toprovide data storage auditing service for both the ownersand servers. The auditor can be a trusted organizationmanaged by the government, which can provide unbiasedauditing result for both data owners and cloud servers.

1718 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 24, NO. 9, SEPTEMBER 2013

Fig. 1. System model of the data storage auditing.

TABLE 1Comparison of Remote Integrity Checking Schemes

n is the total number of data blocks of a file; t is the number of challenged data blocks in an auditing query; s is the number of sectors in each datablock; is the probability of block/sector corruption (suppose the probability of corruption is the same for the equal size of data block or sector).

Before describing the auditing protocol definition, wefirst define some notations as listed in Table 2.

Definition 1 (Storage auditing protocol). A storage auditing

protocol consists of the following five algorithms:

1. KeyGen ! skh; skt; pkt. This key generationalgorithm takes no input other than the implicitsecurity parameter . It outputs a secret hash keyskh and a pair of secret-public tag key skt; pkt.

2. TagGenM; skt; skh ! T . The tag generation algo-rithm takes as inputs an encrypted fileM, the secret tagkey skt, and the secret hash key skh. For each data blockmi, it computes a data tag ti based on skh and skt. Itoutputs a set of data tags T ftigi21;n.

3. ChallMinfo ! C. The challenge algorithm takesas input the abstract information of the data Minfo(e.g., file identity, total number of blocks, versionnumber, time stamp, etc.). It outputs a challenge C.

4. ProveM;T; C ! P. The prove algorithm takes asinputs the file M, the tags T , and the challenge fromthe auditor C. It outputs a proof P.

5. VerifyC;P; skh; pkt;Minfo ! 0=1. The verificationalgorithm takes as inputs P from the server, the secrethash key skh, the public tag key pkt, and the abstractinformation of the data Minfo. It outputs the auditingresult as 0 or 1.

2.2 Definition of a Security Model

We assume the auditor is honest but curious. It performshonestly during the whole auditing procedure, but it iscurious about the received data. But the sever could bedishonest and may launch the following attacks:

1. Replace attack. The server may choose another validand uncorrupted pair of data block and data tagmk; tk to replace the challenged pair of data blockand data tag mi; ti, when it already discarded mior ti.

2. Forge attack. The server may forge the data tag ofdata block and deceive the auditor, if the ownerssecret tag keys are reused for the different versionsof data.

3. Replay attack. The server may generate the prooffrom the previous proof or other information, with-out retrieving the actual owners data.

3 EFFICIENT AND PRIVACY-PRESERVING AUDITINGPROTOCOL

In this section, we first present some techniques we appliedin the design of our efficient and privacy-preservingauditing protocol. Then, we describe the algorithms andthe detailed construction of our auditing protocol for cloudstorage systems. The correctness proof will be shown in thesupplemental file, available online.

3.1 Overview of Our Solution

The main challenge in the design of data storage auditingprotocol is the data privacy problem (i.e., the auditing protocolshould protect the data privacy against the auditor.). This isbecause: 1) For public data, the auditor may obtain the datainformation by recovering the data blocks from the dataproof. 2) For encrypted data, the auditor may obtain contentkeys somehow through any special channels and could beable to decrypt the data. To solve the data privacy problem,our method is to generate an encrypted proof with thechallenge stamp by using the bilinearity property of thebilinear pairing, such that the auditor cannot decrypt it, butthe auditor can verify the correctness of the proof withoutdecrypting it.

Although the auditor has sufficient expertise and cap-abilities to conduct the auditing service, the computingability of an auditor is not as strong as cloud servers. Sincethe auditor needs to audit for many cloud servers and a largenumber of data owners, the auditor could be the perfor-mance bottleneck. In our method, we let the server computethe proof as an intermediate value of the verification(calculated by the challenge stamp and the linear combina-tions of data blocks), such that the auditor can use thisintermediate value to verify the proof. Therefore, our methodcan greatly reduce the computing loads of the auditor bymoving it to the cloud server.

To improve the performance of an auditing system,we apply the data fragment technique and homomorphicverifiable tags in our method. The data fragment techniquecan reduce number of data tags, such that it can reduce thestorage overhead and improve the system performance. Byusing the homomorphic verifiable tags, no matter howmany data blocks are challenged, the server only responsesthe sum of data blocks and the product of tags to theauditor, whose size is constant and equal to only one datablock. Thus, it reduces the communication cost.

3.2 Algorithms for Auditing Protocol

Suppose a file F hasm data components as F F1; . . . ; Fm.Each data component has its physical meanings and can beupdated dynamically by the data owners. For public datacomponents, the data owner does not need to encrypted it,but for private data component, the data owner needs toencrypt it with its corresponding key.

Each data component Fk is divided into nk data blocksdenoted as Fk mk1;mk2; . . . ;mknk. Due to the securityreason, the data block size should be restricted by thesecurity parameter. For example, suppose the security levelis set to be 160 bit (20 Byte), the data block size should be20 Byte. A 50-KByte data component will be divided into2,500 data blocks and generate 2,500 data tags, which incurs50-KByte storage overhead.

YANG AND JIA: AN EFFICIENT AND SECURE DYNAMIC AUDITING PROTOCOL FOR DATA STORAGE IN CLOUD COMPUTING 1719

TABLE 2Notations

By using the data fragment technique, we further spliteach data block into sectors. The sector size is restricted bythe security parameter. We generate one data tag for eachdata block that consists of s sectors, such that less data tagsare generated. In the same example above, a 50-KByte datacomponent only incurs 50/s KByte storage overhead. In realstorage systems, the data block size can be various. That is,different data blocks could have different number ofsectors. For example, if a data block mi will be frequentlyread, then si could be large, but for those frequentlyupdated data blocks, si could be relatively small.

For simplicity, we only consider one data component inour construction and constant number of sectors for eachdata block. Suppose there is a data component M, which isdivided into ndata blocks, and each data block is further splitinto s sectors. For data blocks that have different number ofsectors, we first select the maximum number of sectors smaxamong all the sector numbers si. Then, for each data blockmiwith si sectors, si < smax, we simply consider that the datablock mi has smax sectors by setting mij 0 for si < j smax.Because the size of each sector is constant and equal to thesecurity parameter p, we can calculate the number of datablocks as n sizeofMslog p . We denote the encrypted datacomponent as M fmijgi21;n;j21;s.

Let GG1;GG2, and GGT be the multiplicative groups withthe same prime order p and e : GG1 GG2 ! GGT be thebilinear map. Let g1 and g2 be the generators of GG1 and GG2,respectively. Let h : f0; 1g ! GG1 be a keyed secure hashfunction that maps the Minfo to a point in GG1.

Our storage auditing protocol consists of the followingalgorithms:

KeyGen ! pkt; skt; skh. The key generation algo-rithm takes no input other than the implicit securityparameter . It chooses two random number skt; skh 2 ZZpas the secret tag key and the secret hash key. It outputs thepublic tag key as pkt gskt2 2 GG2, the secret tag key skt andthe secret hash key skh.

TagGenM; skt; skh ! T . The tag generation algorithmtakes each data component M, the secret tag key skt, andthe secret hash key skh as inputs. It first chooses s randomvalues x1; x2; . . . ; xs 2 ZZp and computes uj gxj1 2 GG1 for allj 2 1; s. For each data block mii 2 1; n, it computes adata tag ti as

ti hskh;Wi Ysj1

umijj

!skt;

where Wi FIDki (the k denotes the concatenationoperation), in which FID is the identifier of the data and irepresents the block number of mi. It outputs the set of datatags T ftigi21;n.

ChallMinfo ! C. The challenge algorithm takes theabstract information of the data Minfo as the input. It selectssome data blocks to construct the Challenge Set Q andgenerates a random number vi 2 ZZp for each chosen datablock mii 2 Q. Then, it computes the challenge stamp R pktr by randomly choosing a number r 2 ZZp. It outputs thechallenge as C fi; vigi2Q;R.

ProveM;T; C ! P. The prove algorithm takes as inputsthe data M and the received challenge C fi; vigi2Q;R.

The proof consists of the tag proof TP and the data proof DP .The tag proof is generated as

TP Yi2Q

tvii :

To generate the data proof, it first computes the sector linearcombination of all the challenged data blocks MPj for eachj 2 1; s as

MPj Xi2Q

vi mij:

Then, it generates the data proof DP as

DP Ysj1

euj; RMPj :

It outputs the proof P TP;DP .VerifyC;P; skh; pkt;Minfo ! 0=1. The verification algo-

rithm takes as inputs the challenge C, the proof P, the secrethash key skh, the public tag key pkt, and the abstractinformation of the data component. It first computes theidentifier hash values hskh;Wi of all the challenged datablocks and computes the challenge hash Hchal as

Hchal Yi2Q

hskh;Wirvi :

It then verifies the proof from the server by the followingverification equation:

DP eHchal; pkt eTP; gr2

: 1

If the above verification equation (1) holds, it outputs 1.Otherwise, it outputs 0.

3.3 Construction of Our Privacy-PreservingAuditing Protocol

As illustrated in Fig. 2, our storage auditing protocolconsists of three phases: owner initialization, confirmationauditing, and sampling auditing. During the system initializa-tion, the owner generates the keys and the tags for the data.After storing the data on the server, the owner asks theauditor to conduct the confirmation auditing to make sure


Fig. 2. Framework of our privacy-preserving auditing protocol.

that their data is correctly stored on the server. Onceconfirmed, the owner can choose to delete the local copy ofthe data. Then, the auditor conducts the sampling auditingperiodically to check the data integrity.

Phase 1: Owner initialization. The owner runs the keygeneration algorithm KeyGen to generate the secret hashkey skh, the pair of secret-public tag key skt; pkt. Then, itruns the tag generation algorithm TagGen to compute thedata tags. After all the data tags are generated, the ownersends each data component M fmigi21;n and itscorresponding data tags T ftigi21;n to the server togetherwith the set of parameters fujgj21;s. The owner then sendsthe public tag key pkt, the secret hash key skh, and theabstract information of the data Minfo to the auditor, whichincludes the data identifier FID, the total number of datablocks n.

Phase 2: Confirmation auditing. In our auditing construc-tion, the auditing protocol only involves two-way commu-nication: Challenge and Proof. During the confirmationauditing phase, the owner requires the auditor to checkwhether the owners data are correctly stored on the server.The auditor conducts the confirmation auditing phase as

1. The auditor runs the challenge algorithm Chall togenerate the challenge C for all the data blocks in thedata component and sends the C fi; vigi2Q;R tothe server.

2. Upon receiving the challenge C from the auditor, theserver runs the prove algorithm Prove to generate theproof P TP;DP and sends it back to the auditor.

3. When the auditor receives the proofP from the server,it runs the verification algorithm Verify to check thecorrectness of P and extract the auditing result.

The auditor then sends the auditing result to the owner.If the result is true, the owner is convinced that its data arecorrectly stored on the server, and it may choose to deletethe local version of the data.

Phase 3: Sampling auditing. The auditor will carry out thesampling auditing periodically by challenging a sample setof data blocks. The frequency of taking auditing operationdepends on the service agreement between the data ownerand the auditor (and also depends on how much trust thedata owner has over the server). Similar to the confirmationauditing in Phase 2, the sampling auditing procedure alsocontains two-way communication as illustrated in Fig. 2.

Suppose each sector will be corrupted with a probabilityof on the server. For a sampling auditing involved with tchallenged data blocks, the probability of detection can becalculated as

Prt; s 1 1 ts:That is this t-block sampling auditing can detect any datacorruption with a probability of Prt; s.

4 SECURE DYNAMIC AUDITING

In cloud storage systems, the data owners will dynamicallyupdate their data. As an auditing service, the auditingprotocol should be designed to support the dynamic data,as well as the static archive data. However, the dynamic

operations may make the auditing protocols insecure.Specifically, the server may conduct two following attacks:1) Replay attack. The server may not update correctly theowners data on the server and may use the previousversion of the data to pass the auditing. 2) Forge attack.When the data owner updates the data to the currentversion, the server may get enough information from thedynamic operations to forge the data tag. If the server couldforge the data tag, it can use any data and its forged data tagto pass the auditing.

4.1 Our Solution

To prevent the replay attack, we introduce an index table(ITable) to record the abstract information of the data. TheITable consists of four components: Index, Bi, Vi, and Ti. TheIndex denotes the current block number of data block mi inthe data component M. Bi denotes the original blocknumber of data block mi, and Vi denotes the current versionnumber of data block mi. Ti is the time stamp used forgenerating the data tag.

This ITable is created by the owner during the ownerinitialization and managed by the auditor. When the ownercompletes the data dynamic operations, it sends an updatemessage to the auditor for updating the ITable that is storedon the auditor. After the confirmation auditing, the auditorsends the result to the owner for the confirmation that theowners data on the server and the abstraction informationon the auditor are both up-to-date. This completes the datadynamic operation.

To deal with the forge attack, we can modify the taggeneration algorithm TagGen. Specifically, when generat-ing the data tag ti for the data block mi, we insert all theabstract information into the data tag by setting Wi FIDkikBikVikTi, such that the server cannot get enoughinformation to forge the data tag from dynamic opera-tions. The detailed proof will be given in the supple-mental file, available online.

4.2 Algorithms and Constructions for DynamicAuditing

The dynamic auditing protocol consists of four phases:owner initialization, confirmation auditing, sampling audit-ing, and dynamic auditing.

The first three phases are similar to our privacy-preserving auditing protocol as described in the abovesection. The only differences are the tag generation algo-rithm TagGen and the ITable generation during the ownerinitialization phase. Here, as illustrated in Fig. 3, we onlydescribe the dynamic auditing phase, which contains threesteps: data update, index update, and update confirmation.

Step 1: Data update. There are three types of data updateoperations that can be used by the owner: modification,insertion, and deletion. For each update operation, there isa corresponding algorithm in the dynamic auditing toprocess the operation and facilitate the future auditing,defined as follows:

Modifymi ; skt; skh ! Msgmodify; ti . The modificationalgorithm takes as inputs the new version of data block mi ,the secret tag key skt, and the secret hash key skh. Itgenerates a new version number V i , new time stamp T

i ,

and calls the TagGen to generate a new data tag ti for data


block mi . It outputs the new tag ti and the update message

Msgmodify i; Bi; V i ; T i . Then, it sends the new pair ofdata block and tag mi ; ti to the server and sends theupdate message Msgmodify to the auditor.

Insertmi ; skt; skh ! Msginsert; ti . The insertion algo-rithm takes as inputs the new data block mi , the secret tagkey skt, and the secret hash key skh. It inserts a new datablock mi before the ith position. It generates an originalnumberBi , a new version number V

i , and a new time stamp

T i . Then, it calls the TagGen to generate a new data tag ti for

the new data block mi . It outputs the new tag ti and the

update message Msginsert i; Bi ; V i ; T i . Then, it insertsthe new pair of data block and tag mi ; ti on the server andsends the update message Msginsert to the auditor.

Deletemi !Msgdelete. The deletion algorithm takes asinput the data block mi. It outputs the update messageMsgdelete i; Bi; Vi; Ti. It then deletes the pair of datablock and its tag mi; ti from the server and sends theupdate message Msgdelete to the auditor.

Step 2: Index update. Upon receiving the three types ofupdate messages, the auditor calls three correspondingalgorithms to update the ITable. Each algorithm is designedas follows:

IModifyMsgmodify. The index modification algorithmtakes the update message Msgmodify as input. It replaces theversion number Vi by the new one V

i and modifies Ti by the

new time stamp T i .

IInsertMsginsert. The index insertion algorithm takes asinput the update message Msginsert. It inserts a new record

i; Bi ; V i ; T i in ith position in the ITable. It then moves theoriginal ith record and other records after the ith position inthe previous ITable backward in order, with the index

number increased by 1.IDeleteMsgdelete. The index deletion algorithm takes as

input the update message Msgdelete. It deletes the ith recordi; Bi; Vi; Ti in the ITable and all the records after the ithposition in the original ITable moved forward in order, withthe index number decreased by 1.

Table 3 shows the change of ITable according to the

different type of data update operation. Table 3a describesthe initial table of the data M fm1;m2; . . . ;mng, andTable 3b describes the ITable after m2 is updated. Table 3c

shows the ITable after a new data block is inserted beforem2, and Table 3d shows the ITable after m2 is deleted.

Step 3: Update confirmation. After the auditor updates the

ITable, it conducts a confirmation auditing for the updateddata and sends the result to the owner. Then, the owner canchoose to delete the local version of data according to the

update confirmation auditing result.

5 BATCH AUDITING FOR MULTIOWNER ANDMULTICLOUD

Data storage auditing is a significant service in cloudcomputing that helps the owners check the data integrity onthe cloud servers. Due to the large number of data owners,

the auditor may receive many auditing requests frommultiple data owners. In this situation, it would greatlyimprove the system performance, if the auditor could

combine these auditing requests together and only conductthe batch auditing for multiple owners simultaneously. The

previous work [25] cannot support the batch auditing formultiple owners. That is because parameters for generatingthe data tags used by each owner are different, and thus, the

auditor cannot combine the data tags from multiple ownersto conduct the batch auditing.

On the other hand, some data owners may store theirdata on more than one cloud servers. To ensure the

owners data integrity in all the clouds, the auditor willsend the auditing challenges to each cloud server that

hosts the owners data and verify all the proofs from them.To reduce the computation cost of the auditor, it is


Fig. 3. Framework of auditing for dynamic operations.

TABLE 3ITable of the Abstract Information of Data M

desirable to combine all these responses together and dothe batch verification.

In the previous work [25], the authors proposed acooperative provable data possession for integrity verifica-tion in multicloud storage. In their method, the authors applythe mask technique to ensure the data privacy, such that itrequires an additional trusted organizer to send a commit-ment to the auditor during the commitment phase inmulticloud batch auditing. In our method, we apply theencryption method with the bilinearity property of thebilinear pairing to ensure the data privacy, rather thanthe mask technique. Thus, our multicloud batch auditingprotocol does not have any commitment phase, such that ourmethod does not require any additional trusted organizer.

5.1 Algorithms for Batch Auditing for Multiownerand Multicloud

Let O be the set of owners and S be the set of cloud servers.The batch auditing for multiowner and multicloud can beconstructed as follows:

Phase 1: Owner initialization. Each owner Okk 2 O runsthe key generation algorithm KeyGen to generate the pair ofsecret-public tag key skt;k; pkt;k and a set of secret hash keyfskh;klgl2S . That is, for different cloud servers, the owner hasdifferent secret hash keys. We denote each data componentas Mkl, which means that this data component is ownedby the owner Ok and stored on the cloud server Sl. Supposethe data component Mkl is divided into nkl data blocks,and each data block is further split into s sectors. (Here,we assume that each data block is further split into the samenumber of sectors. We can use the similar techniqueproposed in Section 3.2 to deal with the situation that eachdata block is split into different number of sectors.) Theowner Ok runs the tag generation algorithm TagGen togenerate the data tags Tkl ftkl;igi21;nkl as

tkl;i hskh;kl;Wkl;i Ysj1

umkl;ijk;j

!skt;k;

where Wkl;i FIDklkikBkl;ikVkl;ikTkl;i.After all the data tags are generated, each owner Okk 2

O sends the data component Mkl fmkl;ijgk2O;l2Si21;nkl;j21;s andthe data tags Tkl ftkl;igk2O;l2Si21;nkl to the corresponding serverSl. Then, it sends the public tag key pkt;k, the set of secret

hash key fskhl;kgl2S , the abstract information of datafMinfo;klgk2O;l2S to the auditor.

Phase 2: Batch auditing for multiowner and multicloud. LetOchal and Schal denote the involved set of owners and cloudservers involved in the batch auditing, respectively. Thebatch auditing also consists of three steps: batch challenge,batch proof, and batch verification.

Step 1: Batch challenge. During this step, the auditor runsthe batch challenge algorithm BChall to generate a batchchallenge C for a set of challenged owners Ochal and a setof clouds Schal. The batch challenge algorithm is definedas follows:

BChallfMinfo;klgk2O;l2S ! C. The batch challenge algo-rithm takes all the abstract information as input. It selects aset of owners Ochal and a set of cloud servers Schal. For eachdata owner Okk 2 Ochal, it chooses a set of data blocks as

the challenged subset Qkl from each server Sll 2 Schal. Itthen generates a random number vkl;i for each chosen datablock mkl;ik 2 Ochal; l 2 Schal; i 2 Qkl. It also chooses arandom number r 2 ZZp and computes the set of challengestamp fRkgk2Ochalpkrt;k . It outputs the challenge as

C fClgl2Schal ; fRkgk2Ochal;where Cl fk; l; i; vkl;igk2Ochal .

Then, the auditor sends each Cl to each cloud serverSll 2 Schal together with the challenge stamp fRkgk2Ochal .

Step 2: Batch proof. Upon receiving the challenge, eachserver Sll 2 Schal generates a proof Pl TPl;DPl byusing the following batch prove algorithm BProve andsends the proof Pl to the auditor.BProvefMklgk2Ochal , fTklgk2Ochal , Cl; fRkgk2Ochal ! Pl.

The batch prove algorithm takes as inputs the datafMklgk2Ochal , the data tags fTklgk2Ochal , the received challengeCl, and the challenge stamp fRkgk2Ochal . It generates the tagproof TPl as

TPl Y

k2Ochal

Yi2Qkl

tvkl;ikl;i :

Then, for each j 2 1; s, it computes the sector linearcombination MPkl;j of all the chosen data blocks of eachowner Okk 2 Ochal as

MPkl;j Xi2Qkl

vkl;i mkl;ij;

and generates the data proof DPl as

DPl Ysj1

Yk2Ochal

euk;j; RkMPkl;j :

It outputs the proof Pl TPl;DPl.Step 3: Batch verification. Upon receiving all the proofs

from the challenged servers, the auditor runs the followingbatch verification algorithm BVerify to check the correctnessof the proofs.BVerifyC; fPlg; fskh;lkg; fpkt;kg; fMinfo;klg ! 0=1. The

batch verification algorithm takes as inputs the challengeC, the proofs fPlgl2Schal , the set of secret hash keysfskh;klgk2Ochal;l2Schal , the public tag keys fpkt;kgk2Ochal , and theabstract information of the challenged data blocksfMinfo;klgk2Ochal;l2Schal . For each owner Okk 2 Ochal, it com-putes the set of identifier hash values fhskh;kl;Wkl;igl2Schal;i2Qkl for all the chosen data blocks from eachchallenged server and use these hash values to compute achallenge hash Hchal;k as

Hchal;k Yl2Schal

Yi2Qkl

hskh;kl;Wkl;irvkl;i :

When finished the calculation of all the data ownerschallenge hash fHchal;kgk2Ochal , it verifies the proofs by thebatch verification equation as

Yl2Schal

DPl eQ

l2Schal TPl; gr2

Q

k2Ochal eHchal;k; pkt;k: 2

If (2) is true, it outputs 1. Otherwise, it outputs 0.


6 PERFORMANCE ANALYSIS OF OUR AUDITINGPROTOCOLS

Storage auditing is a very resource demanding service interms of computational resource, communication cost, andmemory space. In this section, we give the communica-tion cost comparison and computation complexity com-parison between our scheme and two existing works:the Audit protocol proposed by Wang et al. [23], [24] andthe IPDP proposed by Zhu et al. [25], [26]. The storageoverhead analysis will be shown in the supplemental file,available online.

6.1 Communication Cost

Because the communication cost during the initialization isalmost the same in these three auditing protocols, we onlycompare the communication cost between the auditor andthe server, which consists of the challenge and the proof.

Consider a batch auditing with K owners and C cloudservers. Suppose the number of challenged data block fromeach owner on different cloud servers is the same, denotedas t, and the data block are split into s sectors in Zhus IPDPand our scheme. We do the comparison under the sameprobability of detection. That is, in Wangs scheme, thenumber of data blocks from each owner on each cloudserver should be st. The result is described in Table 4.

From the table, we can see that the communication cost inWangs auditing scheme is not only linear to C, K, t, s, butalso linear to the total number of data blocks n. As we know,in large-scale cloud storage systems, the total number ofdata blocks could be very large. Therefore, Wangs auditingscheme may incur high communication cost.

Our scheme and Zhus IPDP have the same totalcommunication cost during the challenge phase. Duringthe proof phase, the communication cost of the proof in our

scheme is only linear to C, but in Zhus IPDP, thecommunication cost of the proof is not only linear to C andK, but also linear to s. That is because Zhus IPDP uses themask technique to protect the data privacy, which requires tosend both the masked proof and the encrypted mask to theauditor. In our scheme, the server is only required to send theencrypted proof to the auditor and, thus, incurs lesscommunication cost than Zhus IPDP.

6.2 Computation Complexity

We simulate the computation of the owner, the server, andthe auditor on a Linux system with an Intel Core 2 DuoCPU at 3.16 GHz and 4.00-GB RAM. The code uses thepairing-based cryptography library version 0.5.12 to simu-late our auditing scheme and Zhus IPDP scheme (Underthe same detection of probability, Wangs scheme requiresmuch more data blocks than our scheme and Zhus scheme,such that the computation time is almost s times more thanour scheme and Zhus IPDP, and thus, it is not compar-able). The elliptic curve we used is a MNT d159 curve,where the base field size is 159 bit and the embeddingdegree is 6. The d159 curve has a 160-bit group order, whichmeans p is a 160-bit length prime. All the simulation resultsare the mean of 20 trials.

6.2.1 Computation Cost of the Auditor

We compare the computation time of the auditor versus thenumber of data blocks, the number of clouds, and thenumber of owners in Fig. 4.

Fig. 4a shows the computation time of the auditor versusthe number of challenged data blocks in the single cloud andsingle owner case. In this figure, the number of data blocksgoes to 500 (i.e., the challenged data size equals to 500 KByte),but it can illustrate the linear relationship between thecomputation cost of the auditor versus the challenged datasize. From Fig. 4a, we can see that our scheme incurs lesscomputation cost of the auditor than Zhus IPDP scheme,when coping with large number of challenged data blocks.

In real cloud storage systems, the data size is very large(e.g., petabytes), our scheme apply the sampling auditingmethod to ensure the integrity of such large data.The sample size and the frequency are determined by theservice-level agreement. From the simulation results,we can estimate that it requires 800 seconds to audit for1-GByte data. However, the computing abilities of thecloud server and the auditor are much more powerful than


TABLE 4Communication Cost Comparison of Batch Auditing for K

Owners and C Clouds

t is the number of challenged data blocks from each owner on eachcloud server; s is the number of sectors in each data block; n is the totalnumber of data blocks of a file in Wangs scheme.

Fig. 4. Comparison of computation cost of the auditor (s 50).

our simulation PC, so the computation time can be

relatively small. Therefore, our auditing scheme is practical

in large-scale cloud storage systems.Fig. 4b describes the computation cost of the auditor of

the multicloud batch auditing scheme versus the number of

challenged clouds. It is easy to find that our scheme incurs

less computation cost of the auditor than Zhus IPDP

scheme, especially when there are a large number of clouds

in the large-scale cloud storage systems.Because Zhus IPDP does not support the batch auditing

for multiple owners, in our simulation, we repeat the

computation for several times that is equal to the number of

data owners. Then, as shown in Fig. 4c, we compare the

computation cost of the auditor between our multiowner

batch auditing and the general auditing protocol that does

not support the multiowner batch auditing (e.g., Zhus

IPDP). Fig. 4c also demonstrates that the batch auditing for

multiple owners can greatly reduce the computation cost.

Although in our simulation the number of data owners goes

to 500, it can illustrate the trend of computation cost of the

auditor that our scheme is much more efficient than Zhus

scheme in large-scale cloud storage systems that may have

millions to billions of data owners.

6.2.2 Computation Cost of the Server

We compare the computation cost of the server versus the

number of data blocks in Fig. 5a and the number of data

owners in Fig. 5b. Our scheme moves the computing loads

of the auditing from the auditor to the server, such that it

can greatly reduce the computation cost of the auditor.

7 RELATED WORK

To support the dynamic auditing, Ateniese et al. [29]

developed a dynamic provable data possession protocol

based on cryptographic hash function and symmetric key

encryption. Their idea is to precompute a certain number of

metadata during the setup period, so that the number of

updates and challenges is limited and fixed beforehand. In

their protocol, each update operation requires recreating all

the remaining metadata, which is problematic for large files.

Moreover, their protocol cannot perform block insertions

anywhere (only append-type insertions are allowed). Erway

et al. [22] also extended the PDP model to support dynamic

updates on the stored data and proposed two dynamic

provable data possession scheme by using a new version of

authenticated dictionaries based on rank information.

However, their schemes may cause heavy computation

burden to the server because they relied on the PDP schemeproposed by Ateniese.

In [23], the authors proposed a dynamic auditingprotocol that can support the dynamic operations of thedata on the cloud servers, but this method may leak the datacontent to the auditor because it requires the server to sendthe linear combinations of data blocks to the auditor. In [24],the authors extended their dynamic auditing scheme to beprivacy preserving and support the batch auditing formultiple owners. However, due to the large number of datatags, their auditing protocols will incur a heavy storageoverhead on the server. In [25], Zhu et al. proposed acooperative provable data possession scheme that cansupport the batch auditing for multiple clouds and alsoextend it to support the dynamic auditing in [26]. However,it is impossible for their scheme to support the batchauditing for multiple owners. That is because parameters forgenerating the data tags used by each owner are different,and thus, they cannot combine the data tags from multipleowners to conduct the batch auditing. Another drawback isthat their scheme requires an additional trusted organizer tosend a commitment to the auditor during the batch auditingfor multiple clouds, because their scheme applies the masktechnique to ensure the data privacy. However, suchadditional organizer is not practical in cloud storagesystems. Furthermore, both Wangs schemes and Zhusschemes incur heavy computation cost of the auditor, whichmakes the auditing system inefficient.

8 CONCLUSION

In this paper, we proposed an efficient and inherentlysecure dynamic auditing protocol. It protects the dataprivacy against the auditor by combining the cryptographymethod with the bilinearity property of bilinear paring,rather than using the mask technique. Thus, our multicloudbatch auditing protocol does not require any additionalorganizer. Our batch auditing protocol can also support thebatch auditing for multiple owners. Furthermore, ourauditing scheme incurs less communication cost and lesscomputation cost of the auditor by moving the computingloads of auditing from the auditor to the server, whichgreatly improves the auditing performance and can beapplied to large-scale cloud storage systems.

REFERENCES[1] P. Mell and T. Grance, The NIST Definition of Cloud Comput-

ing, technical report, Natl Inst. of Standards and Technology,2009.

[2] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R.H. Katz, A.Konwinski, G. Lee, D.A. Patterson, A. Rabkin, I. Stoica, and M.Zaharia, A View of Cloud Computing, Comm. ACM, vol. 53,no. 4, pp. 50-58, 2010.

[3] T. Velte, A. Velte, and R. Elsenpeter, Cloud Computing: A PracticalApproach, first ed., ch. 7. McGraw-Hill, 2010.

[4] J. Li, M.N. Krohn, D. Mazie`res, and D. Shasha, Secure UntrustedData Repository (SUNDR), Proc. Sixth Conf. Symp. OperatingSystems Design Implementation, pp. 121-136, 2004.

[5] G.R. Goodson, J.J. Wylie, G.R. Ganger, and M.K. Reiter, EfficientByzantine-Tolerant Erasure-Coded Storage, Proc. Intl Conf.Dependable Systems and Networks, pp. 135-144, 2004.

[6] V. Kher and Y. Kim, Securing Distributed Storage: Challenges,Techniques, and Systems, Proc. ACM Workshop Storage Securityand Survivability (StorageSS), V. Atluri, P. Samarati, W. Yurcik, L.Brumbaugh, and Y. Zhou, eds., pp. 9-25, 2005.


Fig. 5. Comparison of computation cost on the server (s 50).

[7] L.N. Bairavasundaram, G.R. Goodson, S. Pasupathy, and J.Schindler, An Analysis of Latent Sector Errors in Disk Drives,Proc. ACM SIGMETRICS Intl Conf. Measurement and Modeling ofComputer Systems, L. Golubchik, M.H. Ammar, and M. Harchol-Balter, eds., pp. 289-300, 2007.

[8] B. Schroeder and G.A. Gibson, Disk Failures in the Real World:What Does an MTTF of 1,000,000 Hours Mean to You? Proc.USENIX Conf. File and Storage Technologies, pp. 1-16, 2007.

[9] M. Lillibridge, S. Elnikety, A. Birrell, M. Burrows, and M. Isard,A Cooperative Internet Backup Scheme, Proc. USENIX Ann.Technical Conf., pp. 29-41, 2003.

[10] Y. Deswarte, J. Quisquater, and A. Saidane, Remote IntegrityChecking, Proc. Sixth Working Conf. Integrity and Internal Controlin Information Systems (IICIS), Nov. 2004.

[11] M. Naor and G.N. Rothblum, The Complexity of Online MemoryChecking, J. ACM, vol. 56, no. 1, article 2, 2009.

[12] A. Juels and B.S. Kaliski Jr., Pors: Proofs of Retrievability for LargeFiles, Proc. ACM Conf. Computer and Comm. Security, P. Ning,S.D.C. di Vimercati, and P.F. Syverson, eds., pp. 584-597, 2007.

[13] T.J.E. Schwarz and E.L. Miller, Store, Forget, and Check: UsingAlgebraic Signatures to Check Remotely Administered Storage,Proc. 26th IEEE Intl Conf. Distributed Computing Systems, p. 12,2006.

[14] D.L.G. Filho and P.S.L.M. Barreto, Demonstrating Data Posses-sion and Uncheatable Data Transfer, IACR Cryptology ePrintArchive, vol. 2006, p. 150, 2006.

[15] F. Sebe, J. Domingo-Ferrer, A. Martnez-Balleste, Y. Deswarte, andJ.-J. Quisquater, Efficient Remote Data Possession Checking inCritical Information Infrastructures, IEEE Trans. Knowledge DataEng., vol. 20, no. 8, pp. 1034-1038, Aug. 2008.

[16] G. Yamamoto, S. Oda, and K. Aoki, Fast Integrity for LargeData, Proc. ECRYPT Workshop Software Performance Enhancementfor Encryption and Decryption, pp. 21-32, June 2007.

[17] M.A. Shah, M. Baker, J.C. Mogul, and R. Swaminathan, Auditingto Keep Online Storage Services Honest, Proc. 11th USENIXWorkshop Hot Topics in Operating Systems (HOTOS), G.C. Hunt, ed.,2007.

[18] C. Wang, K. Ren, W. Lou, and J. Li, Toward Publicly AuditableSecure Cloud Data Storage Services, IEEE Network, vol. 24, no. 4,pp. 19-24, July/Aug. 2010.

[19] K. Yang and X. Jia, Data Storage Auditing Service in CloudComputing: Challenges, Methods and Opportunities, World WideWeb, vol. 15, no. 4, pp. 409-428, 2012.

[20] G. Ateniese, R.C. Burns, R. Curtmola, J. Herring, L. Kissner, Z.N.J.Peterson, and D.X. Song, Provable Data Possession at UntrustedStores, Proc. ACM Conf. Computer and Comm. Security, P. Ning,S.D.C. di Vimercati, and P.F. Syverson, eds., pp. 598-609, 2007.

[21] H. Shacham and B. Waters, Compact Proofs of Retrievability,Proc. 14th Intl Conf. Theory and Application of Cryptology andInformation Security: Advances in Cryptology, J. Pieprzyk, ed.,pp. 90-107, 2008.

[22] C.C. Erway, A. Kupcu, C. Papamanthou, and R. Tamassia,Dynamic Provable Data Possession, Proc. ACM Conf. Computerand Comm. Security, E. Al-Shaer, S. Jha, and A.D. Keromytis, eds.,pp. 213-222, 2009.

[23] Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, Enabling PublicAuditability and Data Dynamics for Storage Security in CloudComputing, IEEE Trans. Parallel Distributed Systems, vol. 22, no. 5,pp. 847-859, May 2011.

[24] C. Wang, Q. Wang, K. Ren, and W. Lou, Privacy-PreservingPublic Auditing for Data Storage Security in Cloud Computing,Proc. IEEE INFOCOM, pp. 525-533, 2010.

[25] Y. Zhu, H. Hu, G. Ahn, and M. Yu, Cooperative Provable DataPossession for Integrity Verification in Multi-Cloud Storage,IEEE Trans. Parallel and Distributed Systems, vol. 23, no. 12,pp. 2231-2244, Dec. 2012.

[26] Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu, and S.S. Yau, DynamicAudit Services for Integrity Verification of Outsourced Storages inClouds, Proc. ACM Symp. Applied Computing, W.C. Chu, W.E.Wong, M.J. Palakal, and C.-C. Hung, eds., pp. 1550-1557, 2011.

[27] K. Zeng, Publicly Verifiable Remote Data Integrity, Proc. 10thIntl Conf. Information and Comm. Security, L. Chen, M.D. Ryan, andG. Wang, eds., pp. 419-434, 2008.

[28] G. Ateniese, S. Kamara, and J. Katz, Proofs of Storage fromHomomorphic Identification Protocols, Proc. Intl Conf. Theoryand Application of Cryptology and Information Security: Advances inCryptology, M. Matsui, ed., pp. 319-333, 2009.

[29] G. Ateniese, R.D. Pietro, L.V. Mancini, and G. Tsudik, Scalableand Efficient Provable Data Possession, IACR Cryptology ePrintArchive, vol. 2008, p. 114, 2008.

[30] R. Ostrovsky, A. Sahai, and B. Waters, Attribute-Based Encryp-tion with Non-Monotonic Access Structures, Proc. ACM Conf.Computer and Comm. Security (CCS 07), P. Ning, S.D.C. diVimercati, and P.F. Syverson, eds., Oct. 2007.

Kan Yang received the BEng degree from theUniversity of Science and Technology of Chinain 2008. He is currently working toward the PhDdegree in the Department of Computer Scienceat the City University of Hong Kong. Hisresearch interests include cryptography, infor-mation security, cloud computing and distributedsystems. He is a student member of the IEEEand the IEEE Computer Society.

Xiaohua Jia received the BSc and MEngdegrees from the University of Science andTechnology of China, in 1984 and 1987,respectively, and the DSc degree in informationscience from the University of Tokyo in 1991. Heis currently a chair professor in the Departmentof Computer Science at the City University ofHong Kong. His research interests include cloudcomputing and distributed systems, computernetworks, wireless sensor networks and mobile

wireless networks. He is an editor of the IEEE Transactions on Paralleland Distributed Systems (2006-2009), Wireless Networks, Journal ofWorld Wide Web, Journal of Combinatorial Optimization, and so on. Heis the general chair of ACM MobiHoc 2008, TPC cochair of IEEE MASS2009, area chair of IEEE INFOCOM 2010, TPC cochair of IEEEGlobeCom 2010 Ad Hoc and Sensor Networking Symp, and panelcochair of IEEE INFOCOM 2011. He is a fellow of the IEEE and theIEEE Computer Society.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


/ColorImageDict > /JPEG2000ColorACSImageDict > /JPEG2000ColorImageDict > /AntiAliasGrayImages false /CropGrayImages true /GrayImageMinResolution 36 /GrayImageMinResolutionPolicy /Warning /DownsampleGrayImages true /GrayImageDownsampleType /Bicubic /GrayImageResolution 300 /GrayImageDepth -1 /GrayImageMinDownsampleDepth 2 /GrayImageDownsampleThreshold 2.00333 /EncodeGrayImages true /GrayImageFilter /DCTEncode /AutoFilterGrayImages false /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict > /GrayImageDict > /JPEG2000GrayACSImageDict > /JPEG2000GrayImageDict > /AntiAliasMonoImages false /CropMonoImages true /MonoImageMinResolution 36 /MonoImageMinResolutionPolicy /Warning /DownsampleMonoImages true /MonoImageDownsampleType /Bicubic /MonoImageResolution 600 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.00167 /EncodeMonoImages true /MonoImageFilter /CCITTFaxEncode /MonoImageDict > /AllowPSXObjects false /CheckCompliance [ /None ] /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile (None) /PDFXOutputConditionIdentifier () /PDFXOutputCondition () /PDFXRegistryName (http://www.color.org) /PDFXTrapped /False

/CreateJDFFile false /Description >>> setdistillerparams> setpagedevice

Documents

Journal An Efficient and Secure Dynamic Auditing