SlideShare a Scribd company logo

Ieeepro techno solutions 2014 ieee java project -panda public auditing for shared data with efficient user revocation in the cloud

H
hemanthbbc

The document proposes a public auditing mechanism called Panda that allows efficient user revocation for shared data integrity verification in the cloud. It utilizes proxy re-signatures so that when a user is revoked, the cloud can re-sign blocks previously signed by the revoked user on behalf of existing users, without existing users needing to download and re-sign the blocks themselves. This improves efficiency of user revocation. It also allows a public verifier to audit data integrity without retrieving the entire data from the cloud, even if some blocks have been re-signed by the cloud. The mechanism aims to achieve correctness of auditing, efficient and secure user revocation, and public auditing with scalability.

Engineering
Related topics:
IEEE Projects Final Year Projects
1 of 14
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Panda: Public Auditing for Shared Data with Efficient User Revocation in the Cloud Boyang Wang, Baochun Li, Member, IEEE, and Hui Li, Member, IEEE Abstract—With data storage and sharing services in the cloud, users can easily modify and share data as a group. To ensure shared data integrity can be verified publicly, users in the group need to compute signatures on all the blocks in shared data. Different blocks in shared data are generally signed by different users due to data modifications performed by different users. For security reasons, once a user is revoked from the group, the blocks which were previously signed by this revoked user must be re-signed by an existing user. The straightforward method, which allows an existing user to download the corresponding part of shared data and re-sign it during user revocation, is inefficient due to the large size of shared data in the cloud. In this paper, we propose a novel public auditing mechanism for the integrity of shared data with efficient user revocation in mind. By utilizing the idea of proxy re-signatures, we allow the cloud to re-sign blocks on behalf of existing users during user revocation, so that existing users do not need to download and re-sign blocks by themselves. In addition, a public verifier is always able to audit the integrity of shared data without retrieving the entire data from the cloud, even if some part of shared data has been re-signed by the cloud. Moreover, our mechanism is able to support batch auditing by verifying multiple auditing tasks simultaneously. Experimental results show that our mechanism can significantly improve the efficiency of user revocation. Index Terms—Public auditing, shared data, user revocation, cloud computing. ! 1 INTRODUCTION WITH data storage and sharing services (such as Dropbox and Google Drive) provided by the cloud, people can easily work together as a group by sharing data with each other. More specifically, once a user creates shared data in the cloud, every user in the group is able to not only access and modify shared data, but also share the latest version of the shared data with the rest of the group. Although cloud providers promise a more secure and reliable environment to the users, the integrity of data in the cloud may still be compromised, due to the existence of hardware/software failures and human errors [2], [3]. To protect the integrity of data in the cloud, a number of mechanisms [3]–[15] have been proposed. In these mechanisms, a signature is attached to each block in data, and the integrity of data relies on the correctness of all the signatures. One of the most significant and common features of these mechanisms is to allow a public verifier to efficiently check data integrity in the cloud without downloading the entire data, referred to as public auditing (or denoted as Provable Data Pos- session [3]). This public verifier could be a client who • Boyang Wang and Hui Li are with the State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, Shaanxi, 710071, China. E- mail: bywang@mail.xidian.edu.cn; lihui@mail.xidian.edu.cn. • Baochun Li is with the Department of Electrical and Computer Engi- neering, University of Toronto, Toronto, ON, M5S 3G4, Canada. E-mail: bli@eecg.toronto.edu. • This work is supported by the NSF of China (No. 61272457 and 61170251), Fundamental Research Funds for the Central Universities (No. K50511010001), National 111 Program (No. B08038), Doctoral Founda- tion of Ministry of Education of China (No. 20100203110002), Program for Changjiang Scholars and Innovative Research Team in University (PCSIRT 1078). • Most part of this work was done at University of Toronto. A preliminary version [1] of this paper is in Proceedings of the 32nd IEEE International Conference on Computer Communications (IEEE INFOCOM 2013). would like to utilize cloud data for particular purposes (e.g., search, computation, data mining, etc.) or a third- party auditor (TPA) who is able to provide verification services on data integrity to users. Most of the previous works [3]–[13] focus on auditing the integrity of personal data. Different from these works, several recent works [14], [15] focus on how to preserve identity privacy from public verifiers when auditing the integrity of shared data. Unfortunately, none of the above mechanisms, considers the efficiency of user revocation when auditing the correctness of shared data in the cloud. With shared data, once a user modifies a block, she also needs to compute a new signature for the modified block. Due to the modifications from different users, dif- ferent blocks are signed by different users. For security reasons, when a user leaves the group or misbehaves, this user must be revoked from the group. As a result, this revoked user should no longer be able to access and modify shared data, and the signatures generated by this revoked user are no longer valid to the group [16]. Therefore, although the content of shared data is not changed during user revocation, the blocks, which were previously signed by the revoked user, still need to be re-signed by an existing user in the group. As a result, the integrity of the entire data can still be verified with the public keys of existing users only. Since shared data is outsourced to the cloud and users no longer store it on local devices, a straightforward method to re-compute these signatures during user revo- cation (as shown in Fig. 1) is to ask an existing user (i.e., Alice) to first download the blocks previously signed by the revoked user (i.e., Bob), verify the correctness of these blocks, then re-sign these blocks, and finally upload the new signatures to the cloud. However, this straightforward method may cost the existing user a huge amount of communication and computation re- sources by downloading and verifying blocks, and by IEEE TRANSACTIONS ON SERVICE COMPUTING NO:99 VOL:PP YEAR 2014
2 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X re-computing and uploading signatures, especially when the number of re-signed blocks is quite large or the mem- bership of the group is frequently changing. To make this matter even worse, existing users may access their data sharing services provided by the cloud with resource- limited devices, such as mobile phones, which further prevents existing users from maintaining the correctness of shared data efficiently during user revocation. A block signed by Alice A block signed by Bob Before Bob is revoked After Bob is revoked Cloud Cloud Alice 1. Download blocks 4. Upload signatures 3. Re-compute signatures{2. Verify blocks A A A A A B A B B B A A A A A A A A A A A B Fig. 1. Alice and Bob share data in the cloud. When Bob is revoked, Alice re-signs the blocks that were previously signed by Bob with her private key. Clearly, if the cloud could possess each user’s private key, it can easily finish the re-signing task for existing users without asking them to download and re-sign blocks. However, since the cloud is not in the same trusted domain with each user in the group, outsourcing every user’s private key to the cloud would introduce significant security issues. Another important problem we need to consider is that the re-computation of any signature during user revocation should not affect the most attractive property of public auditing — audit- ing data integrity publicly without retrieving the entire data. Therefore, how to efficiently reduce the significant burden to existing users introduced by user revocation, and still allow a public verifier to check the integrity of shared data without downloading the entire data from the cloud, is a challenging task. In this paper, we propose Panda, a novel public au- diting mechanism for the integrity of shared data with efficient user revocation in the cloud. In our mechanism, by utilizing the idea of proxy re-signatures [17], once a user in the group is revoked, the cloud is able to re- sign the blocks, which were signed by the revoked user, with a re-signing key (as presented in Fig. 2). As a result, the efficiency of user revocation can be significantly im- proved, and computation and communication resources of existing users can be easily saved. Meanwhile, the cloud, who is not in the same trusted domain with each user, is only able to convert a signature of the revoked user into a signature of an existing user on the same block, but it cannot sign arbitrary blocks on behalf of either the revoked user or an existing user. By designing a new proxy re-signature scheme with nice properties (described in Section 4), which traditional proxy re- signatures do no have, our mechanism is always able to check the integrity of shared data without retrieving the entire data from the cloud. Moreover, our proposed mechanism is scalable, which Cloud A A A A A A A A A A Cloud re-signs blocks with a re-signing key Cloud A A A A A B A B B B Before Bob is revoked After Bob is revoked A block signed by Alice A block signed by BobA B Fig. 2. When Bob is revoked, the cloud re-signs the blocks that were previously signed by Bob with a re- signing key. indicates it is not only able to efficiently support a large number of users to share data and but also able to han- dle multiple auditing tasks simultaneously with batch auditing. In addition, by taking advantages of Shamir Secret Sharing [18], we can also extend our mechanism into the multi-proxy model to minimize the chance of the misuse on re-signing keys in the cloud and improve the reliability of the entire mechanism. The remainder of this paper is organized as follows: In Section 2, we present the system model, security model and design goals. Then, we introduce several preliminar- ies in Section 3. Detailed design and security analysis of our mechanism are presented in Section 4 and Section 5. We discuss the extension of our mechanism in Section 6, and evaluate the performance of our mechanism in Section 7 and Section 8. Finally, we briefly discuss related work in Section 9, and conclude this paper in Section 10. 2 PROBLEM STATEMENT In this section, we describe the system and security model, and illustrate the design objectives of our pro- posed mechanism. 2.1 System and Security Model As illustrated in Fig. 3, the system model in this paper includes three entities: the cloud, the public verifier, and users (who share data as a group). The cloud offers data storage and sharing services to the group. The public verifier, such as a client who would like to utilize cloud data for particular purposes (e.g., search, computation, data mining, etc.) or a third-party auditor (TPA) who can provide verification services on data integrity, aims to check the integrity of shared data via a challenge-and- response protocol with the cloud. In the group, there is one original user and a number of group users. The original user is the original owner of data. This original user creates and shares data with other users in the group through the cloud. Both the original user and group users are able to access, download and modify shared data. Shared data is divided into a number of blocks. A user in the group can modify a block in shared data by performing an insert, delete or update operation on the block. In this paper, we assume the cloud itself is semi-trusted, which means it follows protocols and does not pollute data integrity actively as a malicious adversary, but it
WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 3 Cloud 1. Challenge2. Response Data M ...... σ1 ......σ2 σn mnm1 m2 Signatures Public Verifier Users Shared Data Flow Fig. 3. The system model includes the cloud, the public verifier, and users. may lie to verifiers about the incorrectness of shared data in order to save the reputation of its data services and avoid losing money on its data services. In addition, we also assume there is no collusion between the cloud and any user during the design of our mechanism. Generally, the incorrectness of share data under the above semi- trusted model can be introduced by hardware/software failures or human errors happened in the cloud. Con- sidering these factors, users do not fully trust the cloud with the integrity of shared data. To protect the integrity of shared data, each block in shared data is attached with a signature, which is com- puted by one of the users in the group. Specifically, when shared data is initially created by the original user in the cloud, all the signatures on shared data are computed by the original user. After that, once a user modifies a block, this user also needs to sign the modified block with his/her own private key. By sharing data among a group of users, different blocks may be signed by different users due to modifications from different users. When a user in the group leaves or misbehaves, the group needs to revoke this user. Generally, as the creator of shared data, the original user acts as the group manager and is able to revoke users on behalf of the group. Once a user is revoked, the signatures computed by this revoked user become invalid to the group, and the blocks that were previously signed by this revoked user should be re-signed by an existing user’s private key, so that the correctness of the entire data can still be verified with the public keys of existing users only. Alternative Approach. Allowing every user in the group to share a common group private key and sign each block with it, is also a possible way to protect the integrity of shared data [19], [20]. However, when a user is revoked, a new group private key needs to be securely distributed to every existing user and all the blocks in the shared data have to be re-signed with the new private key, which increases the complexity of key management and decreases the efficiency of user revocation. 2.2 Design Objectives Our proposed mechanism should achieve the follow- ing properties: (1) Correctness: The public verifier is able to correctly check the integrity of shared data. (2) Efficient and Secure User Revocation: On one hand, once a user is revoked from the group, the blocks signed by the revoked user can be efficiently re-signed. On the other hand, only existing users in the group can generate valid signatures on shared data, and the revoked user can no longer compute valid signatures on shared data. (3) Public Auditing: The public verifier can audit the integrity of shared data without retrieving the entire data from the cloud, even if some blocks in shared data have been re-signed by the cloud. (4) Scalability: Cloud data can be efficiently shared among a large number of users, and the public verifier is able to handle a large number of auditing tasks simultaneously and efficiently. 3 PRELIMINARIES In this section, we briefly introduce some prelimi- naries, including bilinear maps, security assumptions, homomorphic authenticators and proxy re-signatures. 3.1 Bilinear Maps Let G1 and G2 be two multiplicative cyclic groups of prime order p, g be a generator of G1. Bilinear map e is a map e: G1 × G1 → G2 with the following properties: 1) Computability: there exists an efficient algorithm for computing map e. 2) Bilinearity: for all u, v ∈ G1 and a, b ∈ Zp, e(ua , vb ) = e(u, v)ab . 3) Non-degeneracy: e(g, g) = 1. 3.2 Security Assumptions The security of our mechanism is based on the follow- ing security assumptions. Computational Diffie-Hellman (CDH) Problem. Let a, b ∈ Z∗ p, given g, ga , gb ∈ G1 as input, output gab ∈ G1. Definition 1: Computational Diffie-Hellman (CDH) Assumption. For any probabilistic polynomial time adver- sary ACDH, the advantage of adversary ACDH on solving the CDH problem in G1 is negligible, which is defined as Pr[ACDH(g, ga , gb ) = (gab ) : a, b R ← Z∗ p] ≤ . For the ease of understanding, we can also say comput- ing the CDH problem in G1 is computationally infeasible or hard under the CDH assumption. Discrete Logarithm (DL) Problem. Let a ∈ Z∗ p, given g, ga ∈ G1 as input, output a. Definition 2: Discrete Logarithm (DL) Assumption. For any probabilistic polynomial time adversary ADL, the advantage of adversary ADL on solving the DL problem in G1 is negligible, which is defined as Pr[ADL(g, ga ) = (a) : a R ← Z∗ p] ≤ . Similarly, we can also say computing the DL problem in G1 is computationally infeasible or hard under the DL assumption. 3.3 Homomorphic Authenticators Homomorphic authenticators [3], also called homo- morphic verifiable tags, allow a public verifier to check the integrity of data stored in the cloud without down- loading the entire data. They have been widely used as building blocks in the previous public auditing mech- anisms [3]–[15], [19], [20]. Besides unforgeability (only a
4 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X user with a private key can generate valid signatures), a homomorphic authenticable signature scheme, which de- notes a homomorphic authenticator scheme based on signatures, should also satisfy the following properties: Let (pk, sk) denote the signer’s public/private key pair, σ1 denote the signature on block m1 ∈ Zp, and σ2 denote the signature on block m2 ∈ Zp. • Blockless verifiability: Given σ1 and σ2, two ran- dom values α1, α2 in Zp and a block m = α1m1 + α2m2 ∈ Zp, a verifier is able to check the correctness of block m without knowing m1 and m2. • Non-malleability: Given m1 and m2, σ1 and σ2, two random values α1, α2 in Zp and a block m = α1m1 + α2m2 ∈ Zp, a user, who does not have private key sk, is not able to generate a valid signature σ on block m by combining σ1 and σ2. Blockless verifiability enables a verifier to audit the correctness of data in the cloud with only a linear com- bination of all the blocks via a challenge-and-response protocol, while the entire data does not need to be down- loaded to the verifier. Non-malleability indicates that other parties, who do not possess proper private keys, cannot generate valid signatures on combined blocks by combining existing signatures. 3.4 Proxy Re-signatures Proxy re-signatures, first proposed by Blaze et al. [17], allow a semi-trusted proxy to act as a translator of signatures between two users, for example, Alice and Bob. More specifically, the proxy is able to convert a signature of Alice into a signature of Bob on the same block. Meanwhile, the proxy is not able to learn any private keys of the two users, which means it cannot sign any block on behalf of either Alice or Bob. In this paper, to improve the efficiency of user revocation, we propose to let the cloud to act as the proxy and convert signatures for users during user revocation. 3.5 Shamir Secret Sharing An (s, t)-Shamir Secret Sharing scheme [18] (s ≥ 2t − 1), first proposed by Shamir, is able to divide a secret π into s pieces in such a way that this secret π can be easily recovered from any t pieces, while the knowledge of any t − 1 pieces reveals absolutely no information about this secret π. The essential idea of an (s, t)-Shamir Secret Sharing scheme is that, a number of t points uniquely defines a t−1 degree polynomial. Suppose we have the following t − 1 degree polynomial f(x) = at−1xt−1 + · · · + a1x + a0, where at−1, ..., a1 R ←∈ Z∗ p. Then, the secret is π = a0, and each piece of this secret is actually a point of polynomial f(x), i.e. (xi, f(xi)), for 1 ≤ i ≤ s. The secret π can be recovered by any t points of this t−1 degree polynomial f(x) with Lagrange polynomial interpolation. Shamir Se- cret Sharing is widely used in key management schemes [18] and secure multi-party computation [21]. 4 A NEW PROXY RE-SIGNATURE SCHEME In this section, we first present a new proxy re- signature scheme, which satisfies the property of block- less verifiability and non-malleability. Then, we will de- scribe how to construct our public auditing mechanism for shared data based on this proxy re-signature scheme in the next section. 4.1 Construction of HAPS Because traditional proxy re-signature schemes [17], [22] are not blockless verifiable, if we directly apply these proxy re-signature schemes in the public auditing mech- anism, then a verifier has to download the entire data to check the integrity, which will significantly reduce the efficiency of auditing. Therefore, we first propose a homomorphic authenticable proxy re-signature (HAPS) scheme, which is able to satisfy blockless verifiability and non-malleability. Our proxy re-signature scheme includes five algo- rithms: KeyGen, ReKey, Sign, ReSign and Verify. De- tails of each algorithm are described in Fig. 4. Similar as the assumption in traditional proxy re-signature schemes [17], [22], we assume that private channels (e.g., SSL) exist between each pair of entities in Rekey, and there is no collusion between the proxy and any user. Based on the properties of bilinear maps, the correctness of the verification in Verify can be presented as e(σ, g) = e((H(id)wm )a , g) = e(H(id)wm , pkA). 4.2 Security Analysis of HAPS Theorem 1: It is computationally infeasible to generate a forgery of a signature in HAPS as long as the CDH assumption holds. Proof: Following the standard security model de- fined in the previous proxy re-signature scheme [22], the security of HAPS includes two aspects: external security and internal security. External security means an exter- nal adversary cannot generate a forgery of a signature; internal security means that the proxy cannot use its re- signature keys to sign on behalf of honest users. External Security: We show that if a (t , )-algorithm A, operated by an external adversary, can generate a forgery of a signature under HAPS with the time of t and advantage of after making at most qH hash queries, qS signing queries, qR re-signing queries, and requesting at most qK public keys, then there exists a (t, )-algorithm B that can solve the CDH problem in G1 with t ≤ t + qHcG1 + qScG1 + 2qRcP , ≥ /qHqK, where one exponentiation on G1 takes time cG1 and one pairing operation takes time cP . Specifically, on input (g, ga , gb ), the CDH algorithm B simulates a proxy re- signature security game for algorithm A as follows: Public Keys: As A requests the creation of system users, B guesses which one A will attempt a forgery against. Without loss of generality, we assume the target public key as pkv and set it as pkv = ga . For all other
WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 5 Scheme Details: Let G1 and G2 be two groups of order p, g be a generator of G1, e : G1 × G1 → G2 be a bilinear map, w be another generator of G1. The global parameters are (e, p, G1, G2, g, w, H), where H is a hash function with H : {0, 1}∗ → G1. KeyGen. Given global parameters (e, p, G1, G2, g, w, H), a user uA selects a random a ∈ Z∗ p, and outputs public key pkA = ga and private key skA = a. ReKey. The proxy generates a re-signing key rkA→B as follows: (1) the proxy generates a random r ∈ Z∗ p and sends it to user uA; (2) user uA computes and sends r/a to user uB, where skA = a; (3) user uB calculates and sends rb/a to the proxy, where skB = b; (4) the proxy recovers rkA→B = b/a ∈ Z∗ p. Sign. Given private key skA = a, block m ∈ Zp and block identifier id, user uA outputs the signature on block m as: σ = (H(id)wm )a ∈ G1. ReSign. Given re-signing key rkA→B, public key pkA, signa- ture σ, block m ∈ Zp and block identifier id, the proxy checks that Verify(pkA, m, id, σ) ? = 1. If the verification result is 0, the proxy outputs ⊥; otherwise, it outputs σ = σrkA→B = (H(id)wm )a·b/a = (H(id)wm )b . Verify. Given public key pkA, block m, block identifier id, and signature σ, a verifier outputs 1 if e(σ, g) = e(H(id)wm , pkA), and 0 otherwise. Fig. 4. Details of HAPS. public keys, we set pki = gxi for a random xi ∈ Z∗ p. The total number of public keys requested is qK. Oracle Queries: There are three types of oracle queries that B must answer: hash query Qhash, signing query Qsign and re-signing query Qresign. For each hash query Qhash on input (idi, mi), check if there is an entry in table TH. If so, output the cor- responding value; otherwise guess if (idi, mi) is the identifier id∗ and block m∗ that A will attempt to use in a forgery. If idi = id∗ and mi = m∗ , output H(idi)wmi = gb ; otherwise, select a random yi ∈ Z∗ p and output H(idi)wmi = gyi . Record (idi, mi, yi) in the table TH for each idi = id∗ or mi = m∗ . For each signing query Qsign on input (pkj, idi, mi), if j = v, output the signature as σ = (H(idi)wmi )xj (via calling hash query). If j = v and idi = id∗ , or j = v and mi = m∗ , return the signature as σ = (gyi )a = (ga )yi ; otherwise, abort. For each re-signing query Qresign on input (pki, pkj, idk, mk, σ), if Verify(pki, mk, idk, σ)=1, output ⊥. Otherwise, output Qsign(pkj, idk, mk) (via calling signing query). Forgery: Eventually A outputs a forgery (pkj, id, m, σ). If v = j, then B guessed the wrong target user and must abort. If Verify(pkj, m, id, σ)=1 or (id, m,σ ) is the result of any Qsign or Qresign, B also aborts. Otherwise, B outputs σ = (H(id)wm )a = (gb )a = gab as the proposed CDH problem. The probability that B will guess the target user correctly is 1/qK, and the probability that B will guess the forged block identifier id∗ and forged block m∗ is 1/qH . Therefore, if A generates a forgery of a signature with probability , then B solves the CDH problem with probability /qH qK. Algorithm B requires one exponen- tiation on G1 for each hash query, one extra exponentia- tion on G1 for each signing query and two extra pairing operations for each re-signing query, so its running time is A’s running time plus qHcG1 + qScG1 + 2qRcP . Internal Security: We now prove that, if a (t , )- algorithm A, operated by the proxy, can generate a forgery of a signature with the time of t and advantage of after making at most qH hash queries and qS signing queries, then there exists a (t, )-algorithm B that can solve the CDH problem in G1 with t ≤ t + qHcG1 + qScG1 , ≥ /qHqK. On input (g, ga , gb ), the CDH algorithm B simulates a proxy re-signature security game for algorithm A as follows: Public Keys: Without loss of generality, we set the target key as pkv = ga . For each key i = v, choose a random xi ∈ Z∗ p, and set pki = (ga )xi . The total number of public keys requested is qK. Oracle Queries: There are three types of queries that B must answer: hash query Qhash, signing query Qsign and rekey query Qrekey. For each hash query Qhash on input (idi, mi), check if there is an entry in table TH. If so, output the cor- responding value; otherwise guess if (idi, mi) is the identifier id∗ and block m∗ that A will attempt to use in a forgery. If idi = id∗ and mi = m∗ , output H(idi)wmi = gb ; otherwise, select a random yi ∈ Z∗ p and output H(idi)wmi = gyi . Record (idi, mi, yi) in the table TH for each idi = id∗ or mi = m∗ . For each signing query Qsign on input (pkj, idi, mi), if idi = id∗ or mi = m∗ , return the signature as σ = (pkj)yi (via calling hash query); else abort. For each rekey query Qrekey on input (pki, pkj), if i = v or j = v, abort; else return rki→j = (xj/xi). Forgery: Eventually A outputs a forgery (pkj, id, m, σ). If v = j, then B guessed the wrong target user and must abort. If Verify(pkj, m, id, σ)=1 or (id, m,σ ) is the result of any Qsign, B also aborts. Otherwise, B outputs σ = (H(id)wm )a = (gb )a = gab as the proposed CDH problem. Similarly as external security, the probability that B will guess the target user correctly is 1/qK, and the prob- ability that B will guess the forged block identifier id∗ and forged block m∗ is 1/qH . Therefore, if A generates a forgery of a signature with probability , then B solves the CDH problem with probability /qHqK. Algorithm B requires one exponentiation on G1 for each hash query, one extra exponentiation on G1 for each signing query, so its running time is A’s running time plus qHcG1 + qScG1 . According to what we analyzed above, if the ad- vantage of an adversary for generating a forgery of a signature under the external or internal security game is
6 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X non-negligible, then we can find an algorithm to solve the CDH problem in G1 with a non-negligible probabil- ity, which contradicts to the assumption that the CDH problem is computationally infeasible in G1. Therefore, it is computationally infeasible to generate a forgery of a signature in HAPS under the CDH assumption. Theorem 2: HAPS is a homomorphic authenticable proxy re-signature scheme. Proof: As we introduced in Section 3, to prove HAPS is homomorphic authenticable, we need to show HAPS is not only blockless verifiable but also non-malleable. Moreover, we also need to prove that the re-signing per- formed by the proxy does not affect these two properties. Blockless Verifiability. Given user ua’s public key pkA, two random numbers y1, y2 ∈ Z∗ p, two identifiers id1 and id2, and two signatures σ1 and σ2 signed by user ua, a verifier is able to check the correctness of a block m = y1m1 + y2m2 by verifying e(σy1 1 · σy2 2 , g) ? = e(H(id1)y1 H(id2)y2 wm , pkA), (1) without knowing block m1 and block m2. Based on the properties of bilinear maps, the correctness of the above equation can be proved as: e(σy1 1 · σy2 2 , g) = e(H(id1)y1 wy1m1 H(id2)y2 wy2m2 , ga ) = e(H(id1)y1 H(id2)y2 wm , pkA). It is clear that HAPS can support blockless verifiability. Non-malleability. Meanwhile, an adversary, who does not have private key skA = a, cannot generate a valid signature σ for a combined block m = y1m1 + y2m2 by combining σ1 and σ2 with y1 and y2. The hardness of this problem lies in the fact that H must be a one-way hash function (given every input, it is easy to compute; however, given the image of a random input, it is hard to invert). More specifically, if we assume this adversary can generate a valid signature σ for the combined block m by combining σ1 and σ2, we have    σ = σy1 1 · σy2 2 σy1 1 · σy2 2 = (H(id1)y1 H(id2)y2 wm )a σ = (H(id )wm )a and we can further learn that H(id ) = H(id1)y1 H(id2)y2 . Then, that means, given a value of h = H(id1)y1 H(id2)y2 , we can easily find a block identifier id so that H(id ) = h, which contradicts to the assumption that H is a one- way hash function. Because the construction and verification of the sig- natures re-signed by the proxy are as the same as the signatures computed by users, we can also prove that the signatures re-signed by the proxy are blockless verifiable and non-malleable in the same way illustrated above. Therefore, HAPS is a homomorphic authenticable proxy re-signature scheme. 5 PANDA 5.1 Overview Based on the new proxy re-signature scheme and its properties in the previous section, we now present Panda — a public auditing mechanism for shared data with efficient user revocation. In our mechanism, the original user acts as the group manager, who is able to revoke users from the group when it is necessary. Meanwhile, we allow the cloud to perform as the semi-trusted proxy and translate signatures for users in the group with re- signing keys. As emphasized in recent work [23], for security reasons, it is necessary for the cloud service providers to storage data and keys separately on dif- ferent servers inside the cloud in practice. Therefore, in our mechanism, we assume the cloud has a server to store shared data, and has another server to manage re- signing keys. To ensure the privacy of cloud shared data at the same time, additional mechanisms, such as [24], can be utilized. The details of preserving data privacy are out of scope of this paper. The main focus of this paper is to audit the integrity of cloud shared data. 5.2 Support Dynamic Data To build the entire mechanism, another issue we need to consider is how to support dynamic data during public auditing. Because the computation of a signature includes the block identifier, conventional methods — which use the index of a block as the block identifier (i.e., block mj is indexed with j) — are not efficient for supporting dynamic data [8], [14]. Specifically, if a single block is inserted or deleted, the indices of blocks that after this modified block are all changed, and the change of those indices requires the user to re-compute signatures on those blocks, even though the content of those blocks are not changed. mi σi idi si Block Signature Block Identifier Signer Identifier Fig. 6. Each block is attached with a signature, a block identifier and a signer identifier. By leveraging index hash tables [8], [14], we allow a user to modify a single block efficiently without chang- ing block identifiers of other blocks. The details of index hash tables are explained in Appendix A. Besides a block identifier and a signature, each block is also attached with a signer identifier (as shown in Fig. 6). A verifier can use a signer identifier to distinguish which key is required during verification, and the cloud can utilize it to determine which re-signing key is needed during user revocation. 5.3 Construction of Panda Panda includes six algorithms: KeyGen, ReKey, Sign, ReSign, ProofGen, ProofVerify. Details of Panda are presented in Fig. 5. In KeyGen, every user in the group generates his/her public key and private key. In ReKey, the cloud com- putes a re-signing key for each pair of users in the group. As argued in previous section, we still assume that private channels exist between each pair of entities
WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 7 Scheme Details: Let G1 and G2 be two groups of order p, g be a generator of G1, e : G1 × G1 → G2 be a bilinear map, w be another generator of G1. The global parameters are (e, p, G1, G2, g, w, H), where H is a hash function with H : {0, 1}∗ → G1. The total number of blocks in shared data is n, and shared data is described as M = (m1, ..., mn). The total number of users in the group is d. KeyGen. User ui generates a random πi ∈ Z∗ p, and outputs public key pki = gπi and private key ski = πi. Without loss of generality, we assume user u1 is the original user, who is the creator of shared data. The original user also creates a user list (UL), which contains ids of all the users in the group. The user list is public and signed by the original user. ReKey. The cloud generates a re-signing key rki→j as fol- lows: (1) the cloud generates a random r ∈ Zp and sends it to user ui; (2) user ui sends r/πi to user uj, where ski = πi; (3) user uj sends rπj/πi to the cloud, where skj = πj; (4) the cloud recovers rki→j = πj/πi ∈ Z∗ p. Sign. Given private key ski = πi, block mk ∈ Zp and its block identifier idk, where k ∈ [1, n], user ui outputs the signature on block mk as: σk = (H(idk)wmk )πi ∈ G1. ReSign. Given re-signing key rki→j, public key pki, signa- ture σk, block mk and block identifier idk, the cloud first checks that e(σk, g) ? = e(H(idk)wmk , pki). If the verification result is 0, the cloud outputs ⊥; otherwise, it outputs σk = σ rki→j k = (H(idk)wmk )πi·πj /πi = (H(idk)wmk )πj . After the re-signing, the original user removes user ui’s id from UL and signs the new UL. ProofGen. A public verifier generates an auditing message as follows: 1) Randomly picks a c-element subset L of set [1, n] to locate the c selected random blocks that will be checked in this auditing task. 2) Generates a random ηl ∈ Z∗ q , for l ∈ L and q is a much smaller prime than p. 3) Outputs an auditing message {(l,η l)}l∈L, and sends it to the cloud. After receiving an auditing message, the cloud generates a proof of possession of shared data M. More concretely, 1) According to the signer identifier of each selected block, the cloud divides set L into d subset L1, ..., Ld, where Li is the subset of selected blocks signed by user ui. The number of elements in subset Li is ci. Clearly, we have c = d i=1 ci, L = L1 ∪...∪Ld and Li ∩Lj = ∅, for i = j. 2) For each subset Li, the cloud computes αi = l∈Li ηlml ∈ Zp and βi = l∈Li σηl l ∈ G1. 3) The cloud outputs an auditing proof {ααα,βββ, {idl, sl}l∈L}, and sends it to the verifier, where ααα = (α1, ..., αd) and βββ = (β1, ..., βd). ProofVerify. Given an auditing message {(l,η l)}l∈L, an au- diting proof {ααα,βββ, {idl, sl}l∈L}, and all the existing users’ public keys (pk1, ..., pkd), the public verifier checks the cor- rectness of this auditing proof as e( d i=1 βi, g) ? = d i=1 e( l∈Li H(idl)ηl · wαi , pki). (2) If the result is 1, the verifier believes that the integrity of all the blocks in shared data M is correct. Otherwise, the public verifier outputs 0. Fig. 5. Details of Panda. during the generation of re-signing keys, and there is no collusion. When the original user creates shared data in the cloud, he/she computes a signature on each block as in Sign. After that, if a user in the group modifies a block in shared data, the signature on the modified block is also computed as in Sign. In ReSign, a user is revoked from the group, and the cloud re-signs the blocks, which were previously signed by this revoked user, with a re- signing key. The verification on data integrity is per- formed via a challenge-and-response protocol between the cloud and a public verifier. More specifically, the cloud is able to generate a proof of possession of shared data in ProofGen under the challenge of a public verifier. In ProofVerify, a public verifier is able to check the correctness of a proof responded by the cloud. In ReSign, without loss of generality, we assume that the cloud always converts signatures of a revoked user into signatures of the original user. The reason is that the original user acts as the group manager, and we assume he/she is secure in our mechanism. Another way to decide which re-signing key should be used when a user is revoked from the group, is to ask the original user to create a priority list (PL). Every existing user’s id is in the PL and listed in the order of re-signing priority. When the cloud needs to decide which existing user the signatures should be converted into, the first user shown in the PL is selected. To ensure the correctness of the PL, it should be signed with the private key of the original user (i.e., the group manager). Based on the properties of bilinear maps, the correct- ness of our mechanism in ProofVerify can be explained as follows. e( d i=1 βi, g) = d i=1 e( l∈Li σηl l , g) = d i=1 e( l∈Li (H(idl)wml )πiηl , g) = d i=1 e( l∈Li H(idl)ηl · l∈Li wmlηl , gπi ) = d i=1 e( l∈Li H(idl)ηl · wαi , pki). 5.4 Security Analysis of Panda Theorem 3: For the cloud, it is computationally infeasible to generate a forgery of an auditing proof in Panda as long as the DL assumption holds. Proof: Following the security game defined in [4], [14], we can prove that, if the cloud could win a security game, named Game 1, by forging an auditing proof on incorrect shared data, then we can find a solution to the DL problem in G1 with a probability of 1 − 1/p, which contradicts to the DL assumption (the advantage of solv- ing DL problem G1 should be negligible). Specifically, we define Game 1 as follows:
8 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X Game 1: The public verifier sends an auditing mes- sage {(l,ηl)}l∈L to the cloud, the auditing proof on correct shared data M should be {ααα,βββ, {idl}l∈L}, which should pass the verification with Equation (2). How- ever, the cloud generates a proof on incorrect shared data M as {ααα ,βββ, {idl}l∈L}, where ααα = (α1, ..., αd), αi = l∈Li ηlml, for i ∈ [1, d], and M = M . Define ∆αi = αi − αi for 1 ≤ i ≤ d, and at least one element of {∆αi}1≤i≤d is nonzero. If this proof still pass the verification performed by the public verifier, then the cloud wins this game. Otherwise, it fails. We first assume that the cloud wins the game. Then, according to Equation (2), we have e( d i=1 βi, g) = d i=1 e( l∈Li H(idl)ηl · wαi , pki). Because {ααα,βββ, {idl}l∈L} is a correct auditing proof, we have e( d i=1 βi, g) = d i=1 e( l∈Li H(idl)ηl · wαi , pki). Based on the properties of bilinear maps, we learn that d i=1 wαiπi = d i=1 wαiπi , d i=1 wπi∆αi = 1. Because G1 is a cyclic group, then for two elements u, v ∈ G1, there exists x ∈ Zp that v = ux . Without loss of generality, given u, v, each wπi can generated as wπi = uξi vγi ∈ G1, where ξi and γi are random values of Zp. Then, we have 1 = d i=1 (uξi vγi )∆αi = u d i=1 ξi∆αi · v d i=1γi∆αi . Clearly, we can find a solution to the DL problem. Given u, v = ux ∈ G1, we can output v = u − d i=1 ξi∆αi d i=1 γi∆αi , x = − d i=1 ξi∆αi d i=1 γi∆αi , unless the denominator is zero. However, as we defined in Game 1, at least one of element in {∆αi}1≤i≤d is nonzero, and γi is a random element of Zp, therefore, the denominator is zero with a probability of 1/p, which is negligible because p is a large prime. Then, we can find a solution to the DL problem with a non-negligible probability of 1 − 1/p, which contradicts to the DL assumption in G1. 5.5 Efficient and Secure User Revocation We argue that our mechanism is efficient and secure during user revocation. It is efficient because when a user is revoked from the group, the cloud can re-sign blocks that were previously signed by the revoked user with a re-signing key, while an existing user does not have to download those blocks, re-compute signatures on those blocks and upload new signatures to the cloud. The re-signing preformed by the cloud improves the efficiency of user revocation and saves communication and computation resources for existing users. The user revocation is secure because only existing users are able to sign the blocks in shared data. As analyzed in Theorem 1, even with a re-signing key, the cloud cannot generate a valid signature for an arbitrary block on behalf of an existing user. In addition, after being revoked from the group, a revoked user is no longer in the user list, and can no longer generate valid signatures on shared data. 5.6 Limitations and Future Work Remind that in Section 2, we assume there is no collusion between the cloud and any user in the design of our mechanism as the same as the assumption in some traditional proxy re-signatures [17], [22]. The reason is that, in our current design, if a revoked user (e.g., Bob with private key skb) is able to collude with the cloud, who possesses a re-signing key (e.g., rka→b = ska/skb, then the cloud and Bob together are able to easily reveal the private key of an existing user (e.g., Alice’s private key ska). To overcome the above limitation, some proxy re- signature schemes with collusion resistance in [22], which can generate a re-signing key with a revoked user’s public key and an existing user’s private key, would be a possible solution. Specifically, a resigning key is computed as rka→b = pkska b by Alice, then even the cloud (with rka→b) and Bob (with pkb) collude together, they cannot compute the private key of Alice (i.e., ska) due to the hardness of computing the DL problem in G1. Unfortunately, how to design such type of collusion- resistant proxy re-signature schemes while also sup- porting public auditing (i.e., blockless verifiability and non-malleability) remains to be seen. Essentially, since collusion-resistant proxy re-signature schemes generally have two levels of signatures (i.e., the first level is signed by a user and the second level is re-signed by the proxy), where the two levels of signatures are in different forms and need to be verified differently, achieving blockless verifiability on both of the two levels of signatures and verifying them together in a public auditing mechanism is challenging. We will leave this problem for our future work. 6 EXTENSION OF PANDA In this section, we will utilize several different meth- ods to extend our mechanism in terms of detection probability, scalability and reliability. 6.1 Detection Probability of Panda As presented in our mechanism, a verifier selects a number of random blocks instead of choosing all the blocks in shared data, which can improve the efficiency of auditing. Previous work [3] has already proved that a verifier is able to detect the polluted blocks with a high probability by selecting a small number of random blocks, referred to as sample strategies [3]. More specif- ically, when shared data contains n = 1, 000, 000 blocks,
WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 9 if 1% of all the blocks are corrupted, a verifier can detect these polluted blocks with a probability greater than 99% or 95%, where the number of selected blocks c is 460 or 300, respectively. Further discussions and analyses about sample strategies can be found in [3]. To further reduce the number of the undetected pol- luted blocks in shared data and improve the detection probability, besides increasing the number of random selected blocks in one auditing task mentioned in the last paragraph, a verifier can also perform multiple auditing tasks on the same shared data. If the detection probability in a single auditing task is PS, then the total detection probability for a number of t multiple auditing tasks is PM = 1 − (1 − PS)t . For instance, if the detection probability in a single auditing task is PS = 95%, then the total detection probability with two different auditing tasks on the same shared data is PM = 99.75%. Note that to achieve a higher detection probability, both of the two methods require a verifier to spend more communication and computation cost during auditing. 6.2 Scalability of Panda Now we discuss how to improve the scalability of our proposed mechanism by reducing the total number of re- signing keys in the cloud and enabling batch auditing for verifying multiple auditing tasks simultaneously. Reduce the Number of Re-signing Keys. As de- scribed in Panda, the cloud needs to establish and main- tain a re-signing key for each pair of two users in the group. Since the number of users in the group is denoted as d, the total number of re-signing keys for the group is d(d − 1)/2. Clearly, if the cloud data is shared by a very large number of users, e.g. d = 200, then the total number of re-signing keys that the cloud has to securely store and manage is 19, 900, which significantly increases the complexity of key management in cloud. To reduce the total number of re-signing keys required in the cloud and improve the scalability of our mech- anism, the original user, who performs as the group manager, can keep a short priority list (PL) with only a small subset of users instead of the entire PL with all the users in the group. More specifically, if the total number of users in the group is still d = 200 and the size of a short PL is d = 5, which means the cloud is able to convert signatures of a revoked user only into one of these five users shown in the short PL, then the total number of re-signing keys required with the short PL of 5 users is 990. It is only 5% of the number of re-signing keys with the entire PL of all the 200 users. Batch Auditing for Multiple Auditing Tasks. In many cases, the public verifier may need to handle multiple auditing tasks in a very short time period. Clearly, asking the public verifier to perform these au- diting requests independently (one by one) may not be efficient. Therefore, to improve the scalability of our public auditing mechanism in such cases, we can further extend Panda to support batch auditing [7] by utilizing the properties of bilinear maps. With batch auditing, a public verifier can perform multiple auditing tasks simultaneously. Compared to the batch auditing in [7], where the verification metadata (i.e, signatures) in each auditing task are generated by a single user, our batch auditing method needs to perform on multiple auditing tasks where the verification metadata in each auditing task are generated by a group of users. Clearly, designing batch auditing for our mechanism is more complicated and challenging than the one in [7]. More concretely, if the total number of auditing tasks received in a short time is t, then the size of the group for each task is dj, for j ∈ [1, t], each auditing message is represented as {(l,ηj|l)}l∈Lj , for j ∈ [1, t], each au- diting proof is described as {αααj,βββj, {idj|l}l∈Lj }, where αααj = (αj|1, ..., αj|dj ) and βββj = (βj|1, ..., βj|dj ), for j ∈ [1, t], and all the existing users’ public keys for each group are denoted as (pkj|1, ..., pkj|dj ), for j ∈ [1, t]. Based on the properties of bilinear maps, the public verifier can perform batch auditing as below e( t j=1 dj i=1 β θj j|i, g) ? = t j=1 dj i=1 e( l∈Lj|i H(idj|l)ηj|l ·wαj|i , pkj|i)θj , (3) where θj ∈ Z∗ p, for j ∈ [1, t], is a random chosen by the public verifier. The correctness of the above equation is based on all the t auditing proofs are correct. The left hand side (LHS) of this equation can be expended as LHS = t j=1 e( dj i=1 βj|i, g)θj = t j=1 dj i=1 e( l∈Lj|i H(idj|l)ηj|l wαj|i , pkj|i)θj . According to the security analysis of batch verification in [25], the probability that the public verifier accepts an invalid auditing proof with batch auditing is 1/p (since randoms (θ1, ..., θt) are elements of Zp), which is negligible. Therefore, if the above equation holds, then the public verifier believes all the t auditing proofs are correct. One of the most important advantages of batch au- diting is that it is able to reduce the total number of pairing operations, which are the most time consuming operations during verification. According to Equation (3), batch auditing can reduce the total number of pairing operations for t auditing tasks to td + 1, while verifying these t auditing tasks independently requires td + t pairing operations. Moreover, if all the t auditing tasks are all from the same group, where the size of the group is d and all the existing users’ public keys for the group are (pk1, ..., pkd), then batch auditing on t auditing tasks can be further optimized as follows e( t j=1 d i=1 β θj j|i, g) ? = d i=1 e( t j=1 ( l∈Lj|i H(idj|l)ηj|l ·wαj|i )θj , pki). In this case, the total number of pairing operations during batch auditing can be significantly reduced to
10 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X ReKey∗ . Given private key skj = πj, user uj generates a random t − 1 degree polynomial fj(x) as fj(x) = aj,t−1xt−1 + aj,t−2xt−2 + · · · + aj,1x + aj,0, where (aj,t−1, ..., aj,1) R ← Z∗ p and aj,0 = πj. Then, user uj computes s points (x1, yj,1), ..., (xs, yj,s) based on polyno- mial fj(x), where yj,l = fj(xl), for l ∈ [1, s], is a piece of user uj’s private key and (x1, ..., xs) are public. Proxy Pl generates a piece of a re-signing key as follows: (1) proxy Pl generates a random r ∈ Z∗ p and sends it to user ui; (2) user ui computes and sends r/πi to user uj, where ski = πi; (3) user uj computes and sends ryj,l/πi to server Sl, where yj,l = fj(xl) is a piece of private key skj = πj; (4) proxy Pl recovers rki→j,l = yj,l/πi ∈ Zp, where rki→j,l is a piece of re-signing key rki→j. ReSign∗ . Given public key pki, signature σk, block mk and block identifier idk, the cloud first checks e(σk, g) ? = e(H(idk)wmk , pki). If the equation does not hold, the cloud outputs ⊥; other- wise, each proxy converts this signature σk with its own piece of the corresponding re-signing key. Specifically, proxy Pl converts its part of signature σk as σk,l = σ rki→j,l k = (H(idk)wmk )yj,l . Finally, as long as t or more proxies are able to convert their parts correctly, the cloud is able to recover signature σk based on the t parts (σk,1, ..., σk,t) as σk = t l=1 σk,l Fj,l(0) , (4) where σk,l is computed by proxies Pl, and Fj,l(x) is a Lagrange basis polynomial of polynomial fj(x) and can be pre-computed as Fj,l(x) = 0<h≤t,h=l x − xh xl − xh , 1 ≤ l ≤ t. Similar as in Algorithm ReSign in single proxy model, after the re-signing process in the cloud, the original user removes user ui’s id from the user list (UL) and signs the new UL. Fig. 7. Details of ReKey∗ and ReSign∗ . only d + 1, which can further improve the efficiency of batch auditing. The correctness of the above equation can be proved as LHS = t j=1 e( d i=1 βj|i, g)θj = t j=1 d i=1 e( l∈Lj|i H(idj|l)ηj|l wαj|i , pki)θj = d i=1 e( t j=1 ( l∈Lj|i H(idj|l)ηj|l · wαj|i )θj , pki). 6.3 Reliability of Panda In our mechanism, it is very important for the cloud to securely store and manage the re-signing keys of the group, so that the cloud can correctly and successfully convert signatures from a revoked user to an existing user when it is necessary. However, due to the existence of internal attacks, simply storing these re-signing keys in the cloud with a single re-signing proxy may some- times allow inside attackers to disclose these re-signing keys and arbitrarily convert signatures on shared data, even no user is revoking from the group. Obviously, the arbitrary misuse of re-signing keys will change the own- ership of corresponding blocks in shared data without users’ permission, and affect the integrity of shared data in the cloud. To prevent the arbitrary use of re-signing keys and enhance the reliability of our mechanism, we propose an extended version of our mechanism, denoted as Panda∗ , in the multi-proxy model. By leveraging an (s, t)-Shamir Secret Sharing (s ≥ 2t − 1) [18] and s multiple proxies, each re-signing key is divided into s pieces and each piece is distributed to one proxy. These multiple proxies belong to the same cloud, but store and manage each piece of a re-signing key independently (as described in Fig. 8). Since the cloud needs to store keys and data separately [23], the 2. Blocks 1. Re-signing Requests Proxy P1 Proxy Ps ... Data Server 3. Re-signed Signatures User Cloud Fig. 8. Multiple re-signing proxies in the cloud. cloud also has another server to store shared data and corresponding signatures. In Panda∗ , each proxy is able to convert signatures with its own piece, and as long as t or more proxies (the majority) are able to correctly convert signatures when user revocation happens, the cloud can successfully convert signatures from a revoked user to an existing user. Similar multi-proxy model was also recently used in the cloud to secure the privacy of data with re-encryption techniques [26]. According to the security properties of an (s, t)-Shamir Secret Sharing, even up to t−1 proxies are compromised by an inside attacker, it is still not able to reveal a re- signing key or arbitrarily transform signatures on shared data. For Panda∗ , most of algorithms are as the same as in Panda, except the two algorithms for generating re-signing keys and re-signing signatures, denoted as ReKey∗ and ReSign∗ respectively. We use ∗ to distin- guish them from the corresponding algorithms in the single proxy model. Details of Algorithm ReKey∗ and ReSign∗ are described in Fig. 7. According to polynomial interpolation, we have fj(x) = t l=1 yj,l ·Fj,l(x). The correctness of the recovery and transformation of signature σk (i.e., Equation 4) can be explained as t l=1 σk,l Fj,l(0) = t l=1 (H(idk)wmk )yj,lFj,l(0) = (H(idk)wmk ) t l=1 yj,lFj,l(0) = (H(idk)wmk )fj (0) = (H(idk)wmk )πj = σk.
WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 11 7 OVERHEAD ANALYSIS Communication Overhead. According to the descrip- tion in Section 5, during user revocation, our mechanism does not introduce communication overhead to existing users. The size of an auditing message {(l, yl)}l∈L is c·(|n|+|q|) bits, where c is the number of selected blocks, |n| is the size of an element of set [1, n] and |q| is the size of an element of Zq. The size of an auditing proof {ααα,βββ, {idl, sl}l∈L} is 2d · |p| + c · (|id|) bits, where d is the number of existing users in the group, |p| is the size of an element of G1 or Zp, |id| is the size of a block identifier. Therefore, the total communication overhead of an auditing task is 2d · |p| + c · (|id| + |n| + |q|) bits. Computation Overhead. As shown in ReSign of our mechanism, the cloud first verifies the correctness of the original signature on a block, and then computes a new signature on the same block with a re-signing key. The computation cost of re-signing a block in the cloud is 2ExpG1 + MulG1 + 2Pair + HashG1 , where ExpG1 denotes one exponentiation in G1, MulG1 denotes one multiplication in G1, Pair denotes one pairing opera- tion on e : G1 × G1 → G2, and HashG1 denotes one hashing operation in G1. Moreover, the cloud can further reduce the computation cost of the re-signing on a block to ExpG1 by directly re-signing it without verification, because the public auditing performed on shared data ensures that the re-signed blocks are correct. Based on Equation (2), the computation cost of an auditing task in our mechanism is (c + d)ExpG1 + (c + 2d)MulG1 + (d + 1)Pair + dMulG2 + cHashG1 . 8 PERFORMANCE EVALUATION In this section, we evaluate the performance of our mechanism in experiments. We utilize Pairing Based Cryptography (PBC) Library [27] to implement crypto- graphic operations in our mechanism. All the experi- ments are tested under Ubuntu with an Intel Core i5 2.5 GHz Processor and 4 GB Memory over 1, 000 times. In the following experiments, we assume the size of an element of G1 or Zp is |p| = 160 bits, the size of an element of Zq is |q| = 80 bits, the size of a block identifier is |id| = 80 bits, and the total number of blocks in shared data is n = 1, 000, 000. By utilizing aggregation methods from [4], [14], the size of each block can be set as 2 KB, then the total size of shared data is 2 GB. As introduced in Section 1, the main purpose of Panda is to improve the efficiency of user revocation. With our mechanism, the cloud is able to re-sign blocks for existing users during user revocation, so that an existing user does not need to download blocks and re-compute signatures by himself/herself. In contrast, to revoke a user in the group with the straightforward method extended from previous solutions, an existing user needs to download the blocks were previously signed by the revoked user, verify the correctness of these blocks, re- compute signatures on these blocks and upload the new signatures. In the following experiments, the perfor- mance of the straightforward solution is evaluated based on [4] (denoted as SW in this paper), because it is also a public auditing mechanism designed based on bilinear maps. 8.1 Performance of User Revocation Comparison with the Same Computation Ability. In this experiment, we assume the cloud and an existing user have the same computation ability (Intel Core i5 2.5 GHz Processor and 4 GB Memory) to perform user revocation. We also assume the download speed and upload speed for the data storage and sharing services is 1Mbps and 500Kbps, respectively. Let k denote the number of re-signed blocks during user revocation. Fig. 9. Impact of k on revocation time (s). Fig. 10. Impact of the download speed (Mbps) on revocation time (s). The performance comparison between Panda and the straightforward method during user revocation is pre- sented in Fig. 9. With our mechanism, the cloud is able to not only efficiently re-sign blocks but also save existing users’ computation and communication resources. As shown in Fig. 9, when the number of re-signed blocks is 500, which is only 0.05% of the total number of blocks, the cloud in Panda can re-sign these blocks within 15 seconds. In contrast, without our mechanism, an existing user needs about 22 seconds to re-sign the same number of blocks by herself. Both of the two revocation time are linearly increasing with an increase of k—the number of re-signed blocks. Since we assume the cloud and an existing user have the same level of computation ability in this experiment, it is easy to see that the gap in terms of revocation time between the two lines in Fig. 9 is mainly introduced by downloading the re-signed blocks. It is clear that if an existing user could have a faster download speed, the gap in terms of revocation time be- tween our mechanism and the straightforward method can be significantly reduced. We can observe from Fig. 10 that, if we assume the number of re-signed blocks is fixed (k = 500), the revocation time performed independently by an existing user is approaching to the revocation time of our mechanism when the download speed of data storage and sharing services is increasing. Unfortunately, it is generally impractical for a normal user to maintain or reserve a very high download speed for only a single service on his/her computer. Even if it is possible, with the straightforward method, this user still has to download those 500 re-signed blocks first, which costs him/her additional bandwidth during user revocation compared to our mechanism. As we analyzed before, the cloud can even directly re-sign data without verification, which can further im- prove the efficiency of re-signing about 100 times ac- cording to our experiments. More specifically, the re- signing time on one block with verification is 28.19
12 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X milliseconds while the one without verification is only 0.28 milliseconds. Note that due to the existence of transmission errors in networks, it is not a good idea to allow an existing user to re-sign the blocks without verifying them in the straightforward solution. Even if an existing user directly re-signs the blocks without verification, compared to Panda, this user still needs to spend some extra time to download the blocks. As illustrated in Fig. 11, when the number of re-signed blocks is still 500, the cloud in Panda can re-sign these blocks in about 0.14 seconds; while an existing user needs about 8.43 seconds by himself/herself with the straightforward solution. Similarly, as presented in Fig. 12, the revocation time of Panda is independent with the download speed while an existing user with the straightforward method is able to re-sign the blocks sooner if the download speed is faster. With the comparison between Fig. 9 and Fig. 11, we can see that the verification on original signatures before re-signing is one of the main factors that can slow down the entire user revocation process. As shown in Fig. 9 and Fig. 11, the key advantage of Panda is that we can improve the efficiency of user revocation and release existing users from the communication and computation burden introduced by user revocation. Fig. 11. Impact of k on re- vocation time (s) without verification. Fig. 12. Impact of of the download speed (Mbps) on revocation time (s) without verification. Comparison with Different Computation Abilities. In the previous experiment, we assume an existing user and the cloud have the same level of computation ability. Unfortunately, in practical cases, it is common that an existing user may use devices with limited computation resources, such as mobile phones, to access his/her shared data in the cloud. Thus, the computation abilities between the cloud and an existing user are not symmetric in data sharing services. In these cases, Panda can save even more revocation time for an existing user than asking this user to re-signing blocks by himself/herself with the straightforward method. To demonstrate the performance advantage of our mechanism in those cases, we use the same parameters as in the previous ex- periment, except that we assume the existing user is using a resource limited device (e.g., a mobile phone), which has a weaker computation ability than the cloud. Specifically, by leveraging jPBC library [28], we evaluate the performance of the straightforward method on a mobile phone (Motorola MB860, OS: Android 2.3; CPU: Dual-core 1 GHz). As we can see from Fig. 13 and Fig. 14, the revoca- tion time with the straightforward solution on a mobile phone is dramatically and linearly increasing with the number of re-signed blocks. Specifically, when the num- ber of revoked blocks is 500, the revocation time with the straightforward method on a mobile phone is over 350 seconds, while the revocation time with our mechanism is only less than 4% of it. If both of the cloud and an existing user directly re-sign blocks without verification, our mechanism is also able to save amount of time for an existing user when user revocation happens. Fig. 13. Impact of k on revocation time (s) on mo- bile. Fig. 14. Impact of k on re- vocation time (s) without verification on mobile. Comparison with the Multi-Proxy Model. In Section 6, we proposed to utilize an (s, t)-Shamir Secret Sharing and a number of s multiple proxies to improve the reliability of our mechanism. With Panda∗ in the multi- proxy model, even if t − 1 proxies are compromised by adversaries, our mechanism is still able to successfully to convert signatures during user revocation and prevent the arbitrary use of re-signing keys. Clearly, the increase of t will increase the reliability of our mechanism. As a necessary trade-off, the increase of t will inevitably decrease the performance of our mechanism in terms of revocation time. As show in Fig. 15 and Fig. 16, the revocation time of our mechanism in multi-proxy model is linearly increasing with an increase of k and an increase of t. However, these efficiency losses introduced by the multi-proxy model is still acceptable. Fig. 15. Impact of k on re- vocation time (s) in multi- proxy model. Fig. 16. Impact of t on re- vocation time (s) in multi- proxy model (k = 500). 8.2 Performance of Auditing Independent Auditing. We can see from Fig. 17 and Fig. 18 that, in order to maintain a higher detection probability for a single independent auditing, a verifier needs more time and communication overhead to finish the auditing task on shared data. Although the auditing time (the time that a public verifier needs to verify the correctness of an auditing proof based on Equation (5)) and communication cost are linearly increasing with the number of existing users in the group, our mechanism is still quite efficient for supporting large groups. Specifi- cally, as we can observed from Fig. 17 and Fig. 18, when the number of existing users is d = 50, our mechanism
WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 13 can finish an auditing task with only 14 KB and 860 milliseconds by choosing c = 460. In order to further reduce such kind of increases on computation and communication overhead introduced by a larger number of users, some recent work [29] motivated by our mechanism can be utilized. Particu- larly, by performing aggregation on signatures generated by different users, the computation and communication overhead in [29] is independent with regard to the number of users in the group. Further details about this aggregation can be found in [29]. Fig. 17. Impact of d on auditing time (ms). Fig. 18. Impact of d on communication cost (KB). Batch Auditing. As introduced in Section 6, when a public verifier receives amount of auditing requests in a very short time, our mechanism allows this verifier to perform batch auditing to improve the performance on multiple auditing tasks. We can see from Fig. 19 and Fig. 20 that, with batch auditing, the average auditing time spent on each auditing task can be efficiently re- duced. Specifically, according to Fig. 19, if there are 20 auditing tasks, the average auditing time per auditing task with batch auditing is around 270 milliseconds while the average auditing time per task with indepen- dent auditing is 295 milliseconds. Moreover, as shown in Fig. 20, if those multiple tasks are all from the same group, then the performance of batch auditing can be significantly improved due to the dramatic decrease on the number of pairing operations, which we discussed in Section 6. Fig. 19. Impact of t on av- erage auditing time (ms) per task where d = 10. Fig. 20. Impact of t on av- erage auditing time (ms) per task where d = 10. 9 RELATED WORK Provable Data Possession (PDP), first proposed by Ateniese et al. [3], allows a public verifier to check the correctness of a client’s data stored at an untrusted server. By utilizing RSA-based homomorphic authenti- cators and sampling strategies, the verifier is able to publicly audit the integrity of data without retrieving the entire data, which is referred to as public verifiability or public auditing. Shacham and Waters [4] designed an improved PDP scheme based on BLS (Boneh-Lynn- Shacham) signatures [30]. To support dynamic operations on data during audit- ing, Ateniese et al. [31] presented another PDP mech- anism based on symmetric keys. However, it is not publicly verifiable and only provides a user with a limited number of verification requests. Wang et al. [6] utilized the Merkle Hash Tree to support fully dynamic operations in a public auditing mechanism. Erway et al. [32] introduced Dynamic Provable Data Possession by using authenticated dictionaries, which are based on rank information. Zhu et al. [8] exploited the fragment structure to reduce the storage of signatures in their public auditing mechanism. In addition, they also used index hash tables to provide dynamic operations for users. Wang et al. [5] leveraged homomorphic tokens to ensure the correctness of erasure code-based data dis- tributed on multiple servers. To minimize the commu- nication overhead in the phase of data repair, Chen et al. [33] introduced a mechanism for auditing the correctness of data with the multi-server scenario, where these data are encoded with network coding. More recently, Cao et al. [11] constructed an LT code-based secure cloud storage mechanism. Compared to previous mechanisms [5], [33], this mechanism can avoid high decoding computation costs for data users and save com- putation resources for online data owners during data repair. Recently, Wang et al. [34] proposed a certificateless public auditing mechanism to reduce security risks in certificate management compared to previous certificate- based solutions. When a third-party auditor (TPA) is introduced into a public auditing mechanism in the cloud, both the content of data and the identities of signers are private information to users, and should be preserved from the TPA. The public mechanism proposed by Wang et al. [7] is able to preserve users’ confidential data from the TPA by using random maskings. In addition, to operate multiple auditing tasks from different users efficiently, they also extended their mechanism to support batch auditing. Our recent work [14] first proposed a mecha- nism for public auditing shared data in the cloud for a group of users. With ring signature-based homomorphic authenticators, the TPA can verify the integrity of shared data but is not able to reveal the identity of the signer on each block. The auditing mechanism in [16] is designed to preserve identity privacy for a large number of users. However, it fails to support public auditing. Proofs of Retrievability (POR) [35] is another direction to check the correctness of data stored in a semi-trusted server. Unfortunately, POR and its subsequent work [36] do not support public verification, which fails to satisfy the design objectives in our paper. 10 CONCLUSIONS In this paper, we proposed a new public auditing mechanism for shared data with efficient user revocation in the cloud. When a user in the group is revoked, we allow the semi-trusted cloud to re-sign blocks that were
14 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X signed by the revoked user with proxy re-signatures. Experimental results show that the cloud can improve the efficiency of user revocation, and existing users in the group can save a significant amount of computation and communication resources during user revocation. REFERENCES [1] B. Wang, B. Li, and H. Li, “Public Auditing for Shared Data with Efficient User Revoation in the Cloud,” in the Proceedings of IEEE INFOCOM 2013, 2013, pp. 2904–2912. [2] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, “A View of Cloud Computing,” Communications of the ACM, vol. 53, no. 4, pp. 50–58, Apirl 2010. [3] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peter- son, and D. Song, “Provable Data Possession at Untrusted Stores,” in the Proceedings of ACM CCS 2007, 2007, pp. 598–610. [4] H. Shacham and B. Waters, “Compact Proofs of Retrievability,” in the Proceedings of ASIACRYPT 2008. Springer-Verlag, 2008, pp. 90–107. [5] C. Wang, Q. Wang, K. Ren, and W. Lou, “Ensuring Data Storage Security in Cloud Computing,” in the Proceedings of ACM/IEEE IWQoS 2009, 2009, pp. 1–9. [6] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, “Enabling Public Verifiability and Data Dynamic for Storage Security in Cloud Computing,” in the Proceedings of ESORICS 2009. Springer-Verlag, 2009, pp. 355–370. [7] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing,” in the Proceedings of IEEE INFOCOM 2010, 2010, pp. 525–533. [8] Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu, and S. S. Yau, “Dynamic Audit Services for Integrity Verification of Outsourced Storage in Clouds,” in the Proceedings of ACM SAC 2011, 2011, pp. 1550–1557. [9] C. Wang, Q. Wang, K. Ren, and W. Lou, “Towards Secure and Dependable Storage Services in Cloud Computing,” IEEE Trans- actions on Services Computing, vol. 5, no. 2, pp. 220–232, 2011. [10] Y. Zhu, G.-J. Ahn, H. Hu, S. S. Yau, H. G. An, and S. Chen, “Dynamic Audit Services for Outsourced Storage in Clouds,” IEEE Transactions on Services Computing, accepted. [11] N. Cao, S. Yu, Z. Yang, W. Lou, and Y. T. Hou, “LT Codes-based Secure and Reliable Cloud Storage Service,” in the Proceedings of IEEE INFOCOM 2012, 2012, pp. 693–701. [12] J. Yuan and S. Yu, “Proofs of Retrievability with Public Verifiabil- ity and Constant Communication Cost in Cloud,” in Proceedings of ACM ASIACCS-SCC’13, 2013. [13] H. Wang, “Proxy Provable Data Possession in Public Clouds,” IEEE Transactions on Services Computing, accepted. [14] B. Wang, B. Li, and H. Li, “Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud,” in the Proceedings of IEEE Cloud 2012, 2012, pp. 295–302. [15] S. R. Tate, R. Vishwanathan, and L. Everhart, “Multi-user Dy- namic Proofs of Data Possession Using Trusted Hardware,” in Proceedings of ACM CODASPY’13, 2013, pp. 353–364. [16] B. Wang, B. Li, and H. Li, “Knox: Privacy-Preserving Auditing for Shared Data with Large Groups in the Cloud,” in the Proceedings of ACNS 2012, June 2012, pp. 507–525. [17] M. Blaze, G. Bleumer, and M. Strauss, “Divertible Protocols and Atomic Proxy Cryptography,” in the Proceedings of EUROCRYPT 98. Springer-Verlag, 1998, pp. 127–144. [18] A. Shamir, “How to share a secret,” in Communication of ACM, vol. 22, no. 11, 1979, pp. 612–613. [19] B. Wang, H. Li, and M. Li, “Privacy-Preserving Public Auditing for Shared Cloud Data Supporting Group Dynamics,” in the Proceedings of IEEE ICC 2013, 2013. [20] B. Wang, S. S. Chow, M. Li, and H. Li, “Storing Shared Data on the Cloud via Security-Mediator,” in Proceedings of IEEE ICDCS 2013, 2013. [21] M. Li, N. Cao, S. Yu, and W. Lou, “FindU: Private-Preserving Per- sonal Profile Matching in Mobile Social Networks,” in Proceedings of IEEE INFOCOM, 2011, pp. 2435 – 2443. [22] G. Ateniese and S. Hohenberger, “Proxy Re-signatures: New Definitions, Algorithms and Applications,” in the Proceedings of ACM CCS 2005, 2005, pp. 310–319. [23] M. van Dijk, A. Juels, A. Oprea, R. L. Rivest, E. Stefanov, and N. Triandopoulos, “Hourglass schemes: how to prove that cloud files are encrypted,” in the Proceedings of ACM CCS 2012, 2012, pp. 265–280. [24] X. Liu, Y. Zhang, B. Wang, and J. Yan, “Mona: Secure Multi- Owner Data Sharing for Dynamic Groups in the Cloud,” IEEE Transactions on Parallel and Distributed Systems (TPDS), vol. 24, no. 6, pp. 1182–1191, 2013. [25] A. L. Ferrara, M. Green, S. Hohenberger, and M. Ø. Pedersen, “Practical Short Signature Batch Verification,” in Proc. CT-RSA. Springer-Verlag, 2009, pp. 309–324. [26] L. Xu, X. Wu, and X. Zhang, “CL-PRE: a Certificateless Proxy Re- Encryption Scheme for Secure Data Sharing with Public Cloud,” in the Proceedings of ACM ASIACCS 2012, 2012. [27] Pairing Based Cryptography (PBC) Library. [Online]. Available: http://crypto.stanford.edu/pbc/ [28] The Java Pairing Based Cryptography (jPBC) Library Benchmark. [Online]. Available: http://gas.dia.unisa.it/projects/ jpbc/benchmark.html [29] J. Yuan and S. Yu. Efficient Public Integrity Checking for Cloud Data Sharing with Multi-User Modification. [Online]. Available: http://eprint.iacr.org/2013/484 [30] D. Boneh, B. Lynn, and H. Shacham, “Short Signature from the Weil Pairing,” in the Proceedings of ASIACRYPT 2001. Springer- Verlag, 2001, pp. 514–532. [31] G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, “Scalable and Efficient Provable Data Possession,” in the Proceedings of ICST SecureComm 2008, 2008. [32] C. Erway, A. Kupcu, C. Papamanthou, and R. Tamassia, “Dynamic Provable Data Possession,” in the Proceedings of ACM CCS 2009, 2009, pp. 213–222. [33] B. Chen, R. Curtmola, G. Ateniese, and R. Burns, “Remote Data Checking for Network Coding-based Distributed Stroage Sys- tems,” in the Proceedings of ACM CCSW 2010, 2010, pp. 31–42. [34] B. Wang, B. Li, and H. Li, “Certificateless Public Auditing for Data Integrity in the Cloud,” in Proceedings of IEEE CNS 2013, 2013, pp. 276–284. [35] A. Juels and B. S. Kaliski, “PORs: Proofs pf Retrievability for Large Files,” in Proceedings of ACM CCS’07, 2007, pp. 584–597. [36] D. Cash, A. Kupcu, and D. Wichs, “Dynamic Proofs of Retriev- ability via Oblivious RAM,” in Proceedings of EUROCRYPT 2013, 2013, pp. 279–295. Boyang Wang is a Ph.D. student from the School of Telecommunications Engineering, Xi- dian University, Xi’an, China. He was a visit- ing Ph.D. student at the Department of Elec- trical and Computer Engineering, University of Toronto, from Sep. 2010 to Aug. 2012. He ob- tained his B.S. in information security from Xi- dian University in 2007. His current research interests focus on security and privacy issues in cloud computing, big data, and applied cryptog- raphy. He is a student member of IEEE. Baochun Li is a Professor at the Department of Electrical and Computer Engineering at the Uni- versity of Toronto, and holds the Bell University Laboratories Endowed Chair in Computer En- gineering. His research interests include large- scale multimedia systems, cloud computing, peer-to-peer networks, applications of network coding, and wireless networks. He is a member of ACM and a senior member of IEEE. Hui Li is a Professor at the School of Telecommunications Engineering, Xidian Uni- versity, Xi’an, China. He received B.Sc. degree from Fudan University in 1990, M.Sc. and Ph.D. degrees from Xidian University in 1993 and 1998. In 2009, he was with Department of ECE, University of Waterloo as a visiting scholar. His research interests are in the areas of cryptog- raphy, security of cloud computing, wireless net- work security, information theory. He is the co- author of two books. He served as TPC co-chair of ISPEC 2009 and IAS 2009, general co-chair of E-Forensic 2010, ProvSec 2011 and ISC 2011.

More Related Content

PDF
Panda: Public Auditing for Shared Data with Efficient User Revocation in the ...
1crore projects
 
DOCX
panda public auditing for shared data with efficient user revocation in the c...
swathi78
 
PDF
Maintaining Data Integrity for Shared Data in Cloud
acijjournal
 
PDF
Maintaining Data Integrity for Shared Data in Cloud
IJERA Editor
 
PPTX
Panda public auditing for shared data with efficient user revocation in the c...
IGEEKS TECHNOLOGIES
 
PDF
CSE-05-27-34
Gayathri Dili
 
PDF
147bc3d2e2ffdb1c4f10d673600dd786.Maintaining Integrity and Security for the D...
Gayathri Dili
 
PDF
Oruta privacy preserving public auditing
shakas007
 
Panda: Public Auditing for Shared Data with Efficient User Revocation in the ...
1crore projects
 
panda public auditing for shared data with efficient user revocation in the c...
swathi78
 
Maintaining Data Integrity for Shared Data in Cloud
acijjournal
 
Maintaining Data Integrity for Shared Data in Cloud
IJERA Editor
 
Panda public auditing for shared data with efficient user revocation in the c...
IGEEKS TECHNOLOGIES
 
CSE-05-27-34
Gayathri Dili
 
147bc3d2e2ffdb1c4f10d673600dd786.Maintaining Integrity and Security for the D...
Gayathri Dili
 
Oruta privacy preserving public auditing
shakas007
 

What's hot (14)

PDF
ORUTA BASE PAPER
suthi
 
PDF
Public integrity auditing for shared dynamic cloud data with group user revoc...
Pvrtechnologies Nellore
 
PDF
Ieeepro techno solutions ieee java project - oruta privacy-preserving public...
hemanthbbc
 
DOC
831 panda public-auditing-for-shared-data-with-efficient-user-revocation-in-t...
Raja Ram
 
DOCX
PUBLIC INTEGRITY AUDITING FOR SHARED DYNAMIC CLOUD DATA WITH GROUP USER REVO...
Nexgen Technology
 
PDF
Public Integrity Auditing for Shared Dynamic Cloud Data with Group User Revoc...
1crore projects
 
PPTX
Oruta
Manasa Chowdary
 
DOC
IEEE 2014 JAVA CLOUD COMPUTING PROJECTS Oruta privacy preserving public audit...
IEEEGLOBALSOFTSTUDENTPROJECTS
 
PDF
Nymble blocking misbehaviouring users in anonymizing networks
Muthu Samy
 
PDF
Centralized Data Verification Scheme for Encrypted Cloud Data Services
Editor IJMTER
 
PDF
A self destruction system for dynamic group data sharing in cloud
eSAT Publishing House
 
PDF
By
Rajulagari RajasekarReddy
 
PDF
That syncing feeling early user experiences with the cloud
Hajin Lim
 
PDF
IRJET- Multiple Keyword Search over Encrypted Cloud Data
IRJET Journal
 
ORUTA BASE PAPER
suthi
 
Public integrity auditing for shared dynamic cloud data with group user revoc...
Pvrtechnologies Nellore
 
Ieeepro techno solutions ieee java project - oruta privacy-preserving public...
hemanthbbc
 
831 panda public-auditing-for-shared-data-with-efficient-user-revocation-in-t...
Raja Ram
 
PUBLIC INTEGRITY AUDITING FOR SHARED DYNAMIC CLOUD DATA WITH GROUP USER REVO...
Nexgen Technology
 
Public Integrity Auditing for Shared Dynamic Cloud Data with Group User Revoc...
1crore projects
 
Oruta
Manasa Chowdary
 
IEEE 2014 JAVA CLOUD COMPUTING PROJECTS Oruta privacy preserving public audit...
IEEEGLOBALSOFTSTUDENTPROJECTS
 
Nymble blocking misbehaviouring users in anonymizing networks
Muthu Samy
 
Centralized Data Verification Scheme for Encrypted Cloud Data Services
Editor IJMTER
 
A self destruction system for dynamic group data sharing in cloud
eSAT Publishing House
 
By
Rajulagari RajasekarReddy
 
That syncing feeling early user experiences with the cloud
Hajin Lim
 
IRJET- Multiple Keyword Search over Encrypted Cloud Data
IRJET Journal
 
Ad

Viewers also liked (16)

PDF
Ieeepro techno solutions 2014 ieee java project - a hybrid cloud approach f...
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - balancing performance,accuracy ...
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - generalized approach for data
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - oruta privacy-preserving public...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - distributed, concurrent, ...
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - vabks verifiable attribute-base...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - infrequent weighted items...
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - generalized approach for data
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - balancing performance,accuracy ...
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - privacy-preserving multi-keywor...
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - nc cloud applying network codi...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - cloud bandwidth and cost ...
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project -scalable distributed service int...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - decentralized access cont...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project -key-aggregate cryptosystem...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - a hybrid cloud approach f...
hemanthbbc
 
Ieeepro techno solutions ieee java project - balancing performance,accuracy ...
hemanthbbc
 
Ieeepro techno solutions ieee java project - generalized approach for data
hemanthbbc
 
Ieeepro techno solutions ieee java project - oruta privacy-preserving public...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - distributed, concurrent, ...
hemanthbbc
 
Ieeepro techno solutions ieee java project - vabks verifiable attribute-base...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - infrequent weighted items...
hemanthbbc
 
Ieeepro techno solutions ieee java project - generalized approach for data
hemanthbbc
 
Ieeepro techno solutions ieee java project - balancing performance,accuracy ...
hemanthbbc
 
Ieeepro techno solutions ieee java project - privacy-preserving multi-keywor...
hemanthbbc
 
Ieeepro techno solutions ieee java project - nc cloud applying network codi...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - cloud bandwidth and cost ...
hemanthbbc
 
Ieeepro techno solutions ieee java project -scalable distributed service int...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - decentralized access cont...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project -key-aggregate cryptosystem...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...
hemanthbbc
 
Ad

Similar to Ieeepro techno solutions 2014 ieee java project -panda public auditing for shared data with efficient user revocation in the cloud (20)

PDF
Survey On: Auditing Public Clouds
IRJET Journal
 
DOCX
PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE ...
I3E Technologies
 
DOCX
PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE ...
Shakas Technologies
 
DOCX
PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE ...
Shakas Technologies
 
PPTX
Panda public auditing for shared data with efficient user revocation in the c...
IGEEKS TECHNOLOGIES
 
PDF
Ieeepro techno solutions ieee dotnet project - oruta privacy-preserving publ...
ASAITHAMBIRAJAA
 
PDF
Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud
Migrant Systems
 
DOCX
Public integrity auditing for shared dynamic cloud data with group user revoc...
Pvrtechnologies Nellore
 
DOCX
JPJ1409 Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud
chennaijp
 
PDF
HOMOMORPHIC AUTHENTICABLE RING SIGNATURE MECHANISM FOR PUBLIC AUDITING ON SHA...
Journal For Research
 
PDF
Integrity Privacy to Public Auditing for Shared Data in Cloud Computing
IJERA Editor
 
PDF
public truthfulness assessment for shared active cloud data storage with grou...
Ijripublishers Ijri
 
PDF
IRJET- Redsc: Reliablity of Data Sharing in Cloud
IRJET Journal
 
PDF
[IJET-V1I3P3]
IJET - International Journal of Engineering and Techniques
 
PDF
SURVEY ON DYNAMIC DATA SHARING IN PUBLIC CLOUD USING MULTI-AUTHORITY SYSTEM
ijiert bestjournal
 
PDF
Privacy preserving public auditing for data storage security in cloud comp
IAEME Publication
 
PDF
Homomorphic authentication with random masking technique ensuring privacy
Shakas Technologies
 
PDF
Oruta project report
Manasa Chowdary
 
PDF
Privacy Preserving Public Auditing and Data Integrity for Secure Cloud Storag...
INFOGAIN PUBLICATION
 
DOC
2014 IEEE JAVA CLOUD COMPUTING PROJECT Oruta privacy preserving public auditi...
IEEEFINALSEMSTUDENTPROJECTS
 
Survey On: Auditing Public Clouds
IRJET Journal
 
PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE ...
I3E Technologies
 
PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE ...
Shakas Technologies
 
PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE ...
Shakas Technologies
 
Panda public auditing for shared data with efficient user revocation in the c...
IGEEKS TECHNOLOGIES
 
Ieeepro techno solutions ieee dotnet project - oruta privacy-preserving publ...
ASAITHAMBIRAJAA
 
Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud
Migrant Systems
 
Public integrity auditing for shared dynamic cloud data with group user revoc...
Pvrtechnologies Nellore
 
JPJ1409 Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud
chennaijp
 
HOMOMORPHIC AUTHENTICABLE RING SIGNATURE MECHANISM FOR PUBLIC AUDITING ON SHA...
Journal For Research
 
Integrity Privacy to Public Auditing for Shared Data in Cloud Computing
IJERA Editor
 
public truthfulness assessment for shared active cloud data storage with grou...
Ijripublishers Ijri
 
IRJET- Redsc: Reliablity of Data Sharing in Cloud
IRJET Journal
 
[IJET-V1I3P3]
IJET - International Journal of Engineering and Techniques
 
SURVEY ON DYNAMIC DATA SHARING IN PUBLIC CLOUD USING MULTI-AUTHORITY SYSTEM
ijiert bestjournal
 
Privacy preserving public auditing for data storage security in cloud comp
IAEME Publication
 
Homomorphic authentication with random masking technique ensuring privacy
Shakas Technologies
 
Oruta project report
Manasa Chowdary
 
Privacy Preserving Public Auditing and Data Integrity for Secure Cloud Storag...
INFOGAIN PUBLICATION
 
2014 IEEE JAVA CLOUD COMPUTING PROJECT Oruta privacy preserving public auditi...
IEEEFINALSEMSTUDENTPROJECTS
 

More from hemanthbbc (10)

PDF
Ieeepro techno solutions ieee java project - balancing performance,accuracy ...
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - generalized approach for data
hemanthbbc
 
PDF
Ieeepro techno solutions ieee java project - budget-driven scheduling algor...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - decreasing impact of sla ...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - a hyper-heuristic scheduling
hemanthbbc
 
PDF
Ieeepro techno solutions 2013 ieee java project -building confidential and ...
hemanthbbc
 
PDF
Ieeepro techno solutions 2011 ieee java project -secure role based data
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - infrequent weighted items...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - deadline based resource p...
hemanthbbc
 
PDF
Ieeepro techno solutions 2014 ieee java project - query services in cost ef...
hemanthbbc
 
Ieeepro techno solutions ieee java project - balancing performance,accuracy ...
hemanthbbc
 
Ieeepro techno solutions ieee java project - generalized approach for data
hemanthbbc
 
Ieeepro techno solutions ieee java project - budget-driven scheduling algor...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - decreasing impact of sla ...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - a hyper-heuristic scheduling
hemanthbbc
 
Ieeepro techno solutions 2013 ieee java project -building confidential and ...
hemanthbbc
 
Ieeepro techno solutions 2011 ieee java project -secure role based data
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - infrequent weighted items...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - deadline based resource p...
hemanthbbc
 
Ieeepro techno solutions 2014 ieee java project - query services in cost ef...
hemanthbbc
 

Recently uploaded (20)

PDF
Well-logging-methods_new................
ZafriFarid
 
PPTX
Construction Project Organization Group 2.pptx
vj5agdales
 
PPTX
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PDF
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
PDF
PPT on Performance Review to get promotions
prashant593122
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PPTX
additive manufacturing of ss316l using mig welding
premcdr7799
 
PPTX
Geodesy 1.pptx...............................................
abhi1361yadav
 
PPTX
Lecture Notes Electrical Wiring System Components
eedgecbhojpur
 
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PDF
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
PDF
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
PPTX
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PPTX
Sustainable Sites - Green Building Construction
mhdumerali
 
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
Well-logging-methods_new................
ZafriFarid
 
Construction Project Organization Group 2.pptx
vj5agdales
 
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
PPT on Performance Review to get promotions
prashant593122
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
additive manufacturing of ss316l using mig welding
premcdr7799
 
Geodesy 1.pptx...............................................
abhi1361yadav
 
Lecture Notes Electrical Wiring System Components
eedgecbhojpur
 
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
Project quality management in manufacturing
BarMusaTetik
 
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
Sustainable Sites - Green Building Construction
mhdumerali
 
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 

Ieeepro techno solutions 2014 ieee java project -panda public auditing for shared data with efficient user revocation in the cloud

  • 1. Panda: Public Auditing for Shared Data with Efficient User Revocation in the Cloud Boyang Wang, Baochun Li, Member, IEEE, and Hui Li, Member, IEEE Abstract—With data storage and sharing services in the cloud, users can easily modify and share data as a group. To ensure shared data integrity can be verified publicly, users in the group need to compute signatures on all the blocks in shared data. Different blocks in shared data are generally signed by different users due to data modifications performed by different users. For security reasons, once a user is revoked from the group, the blocks which were previously signed by this revoked user must be re-signed by an existing user. The straightforward method, which allows an existing user to download the corresponding part of shared data and re-sign it during user revocation, is inefficient due to the large size of shared data in the cloud. In this paper, we propose a novel public auditing mechanism for the integrity of shared data with efficient user revocation in mind. By utilizing the idea of proxy re-signatures, we allow the cloud to re-sign blocks on behalf of existing users during user revocation, so that existing users do not need to download and re-sign blocks by themselves. In addition, a public verifier is always able to audit the integrity of shared data without retrieving the entire data from the cloud, even if some part of shared data has been re-signed by the cloud. Moreover, our mechanism is able to support batch auditing by verifying multiple auditing tasks simultaneously. Experimental results show that our mechanism can significantly improve the efficiency of user revocation. Index Terms—Public auditing, shared data, user revocation, cloud computing. ! 1 INTRODUCTION WITH data storage and sharing services (such as Dropbox and Google Drive) provided by the cloud, people can easily work together as a group by sharing data with each other. More specifically, once a user creates shared data in the cloud, every user in the group is able to not only access and modify shared data, but also share the latest version of the shared data with the rest of the group. Although cloud providers promise a more secure and reliable environment to the users, the integrity of data in the cloud may still be compromised, due to the existence of hardware/software failures and human errors [2], [3]. To protect the integrity of data in the cloud, a number of mechanisms [3]–[15] have been proposed. In these mechanisms, a signature is attached to each block in data, and the integrity of data relies on the correctness of all the signatures. One of the most significant and common features of these mechanisms is to allow a public verifier to efficiently check data integrity in the cloud without downloading the entire data, referred to as public auditing (or denoted as Provable Data Pos- session [3]). This public verifier could be a client who • Boyang Wang and Hui Li are with the State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, Shaanxi, 710071, China. E- mail: [email protected]; [email protected]. • Baochun Li is with the Department of Electrical and Computer Engi- neering, University of Toronto, Toronto, ON, M5S 3G4, Canada. E-mail: [email protected]. • This work is supported by the NSF of China (No. 61272457 and 61170251), Fundamental Research Funds for the Central Universities (No. K50511010001), National 111 Program (No. B08038), Doctoral Founda- tion of Ministry of Education of China (No. 20100203110002), Program for Changjiang Scholars and Innovative Research Team in University (PCSIRT 1078). • Most part of this work was done at University of Toronto. A preliminary version [1] of this paper is in Proceedings of the 32nd IEEE International Conference on Computer Communications (IEEE INFOCOM 2013). would like to utilize cloud data for particular purposes (e.g., search, computation, data mining, etc.) or a third- party auditor (TPA) who is able to provide verification services on data integrity to users. Most of the previous works [3]–[13] focus on auditing the integrity of personal data. Different from these works, several recent works [14], [15] focus on how to preserve identity privacy from public verifiers when auditing the integrity of shared data. Unfortunately, none of the above mechanisms, considers the efficiency of user revocation when auditing the correctness of shared data in the cloud. With shared data, once a user modifies a block, she also needs to compute a new signature for the modified block. Due to the modifications from different users, dif- ferent blocks are signed by different users. For security reasons, when a user leaves the group or misbehaves, this user must be revoked from the group. As a result, this revoked user should no longer be able to access and modify shared data, and the signatures generated by this revoked user are no longer valid to the group [16]. Therefore, although the content of shared data is not changed during user revocation, the blocks, which were previously signed by the revoked user, still need to be re-signed by an existing user in the group. As a result, the integrity of the entire data can still be verified with the public keys of existing users only. Since shared data is outsourced to the cloud and users no longer store it on local devices, a straightforward method to re-compute these signatures during user revo- cation (as shown in Fig. 1) is to ask an existing user (i.e., Alice) to first download the blocks previously signed by the revoked user (i.e., Bob), verify the correctness of these blocks, then re-sign these blocks, and finally upload the new signatures to the cloud. However, this straightforward method may cost the existing user a huge amount of communication and computation re- sources by downloading and verifying blocks, and by IEEE TRANSACTIONS ON SERVICE COMPUTING NO:99 VOL:PP YEAR 2014
  • 2. 2 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X re-computing and uploading signatures, especially when the number of re-signed blocks is quite large or the mem- bership of the group is frequently changing. To make this matter even worse, existing users may access their data sharing services provided by the cloud with resource- limited devices, such as mobile phones, which further prevents existing users from maintaining the correctness of shared data efficiently during user revocation. A block signed by Alice A block signed by Bob Before Bob is revoked After Bob is revoked Cloud Cloud Alice 1. Download blocks 4. Upload signatures 3. Re-compute signatures{2. Verify blocks A A A A A B A B B B A A A A A A A A A A A B Fig. 1. Alice and Bob share data in the cloud. When Bob is revoked, Alice re-signs the blocks that were previously signed by Bob with her private key. Clearly, if the cloud could possess each user’s private key, it can easily finish the re-signing task for existing users without asking them to download and re-sign blocks. However, since the cloud is not in the same trusted domain with each user in the group, outsourcing every user’s private key to the cloud would introduce significant security issues. Another important problem we need to consider is that the re-computation of any signature during user revocation should not affect the most attractive property of public auditing — audit- ing data integrity publicly without retrieving the entire data. Therefore, how to efficiently reduce the significant burden to existing users introduced by user revocation, and still allow a public verifier to check the integrity of shared data without downloading the entire data from the cloud, is a challenging task. In this paper, we propose Panda, a novel public au- diting mechanism for the integrity of shared data with efficient user revocation in the cloud. In our mechanism, by utilizing the idea of proxy re-signatures [17], once a user in the group is revoked, the cloud is able to re- sign the blocks, which were signed by the revoked user, with a re-signing key (as presented in Fig. 2). As a result, the efficiency of user revocation can be significantly im- proved, and computation and communication resources of existing users can be easily saved. Meanwhile, the cloud, who is not in the same trusted domain with each user, is only able to convert a signature of the revoked user into a signature of an existing user on the same block, but it cannot sign arbitrary blocks on behalf of either the revoked user or an existing user. By designing a new proxy re-signature scheme with nice properties (described in Section 4), which traditional proxy re- signatures do no have, our mechanism is always able to check the integrity of shared data without retrieving the entire data from the cloud. Moreover, our proposed mechanism is scalable, which Cloud A A A A A A A A A A Cloud re-signs blocks with a re-signing key Cloud A A A A A B A B B B Before Bob is revoked After Bob is revoked A block signed by Alice A block signed by BobA B Fig. 2. When Bob is revoked, the cloud re-signs the blocks that were previously signed by Bob with a re- signing key. indicates it is not only able to efficiently support a large number of users to share data and but also able to han- dle multiple auditing tasks simultaneously with batch auditing. In addition, by taking advantages of Shamir Secret Sharing [18], we can also extend our mechanism into the multi-proxy model to minimize the chance of the misuse on re-signing keys in the cloud and improve the reliability of the entire mechanism. The remainder of this paper is organized as follows: In Section 2, we present the system model, security model and design goals. Then, we introduce several preliminar- ies in Section 3. Detailed design and security analysis of our mechanism are presented in Section 4 and Section 5. We discuss the extension of our mechanism in Section 6, and evaluate the performance of our mechanism in Section 7 and Section 8. Finally, we briefly discuss related work in Section 9, and conclude this paper in Section 10. 2 PROBLEM STATEMENT In this section, we describe the system and security model, and illustrate the design objectives of our pro- posed mechanism. 2.1 System and Security Model As illustrated in Fig. 3, the system model in this paper includes three entities: the cloud, the public verifier, and users (who share data as a group). The cloud offers data storage and sharing services to the group. The public verifier, such as a client who would like to utilize cloud data for particular purposes (e.g., search, computation, data mining, etc.) or a third-party auditor (TPA) who can provide verification services on data integrity, aims to check the integrity of shared data via a challenge-and- response protocol with the cloud. In the group, there is one original user and a number of group users. The original user is the original owner of data. This original user creates and shares data with other users in the group through the cloud. Both the original user and group users are able to access, download and modify shared data. Shared data is divided into a number of blocks. A user in the group can modify a block in shared data by performing an insert, delete or update operation on the block. In this paper, we assume the cloud itself is semi-trusted, which means it follows protocols and does not pollute data integrity actively as a malicious adversary, but it
  • 3. WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 3 Cloud 1. Challenge2. Response Data M ...... σ1 ......σ2 σn mnm1 m2 Signatures Public Verifier Users Shared Data Flow Fig. 3. The system model includes the cloud, the public verifier, and users. may lie to verifiers about the incorrectness of shared data in order to save the reputation of its data services and avoid losing money on its data services. In addition, we also assume there is no collusion between the cloud and any user during the design of our mechanism. Generally, the incorrectness of share data under the above semi- trusted model can be introduced by hardware/software failures or human errors happened in the cloud. Con- sidering these factors, users do not fully trust the cloud with the integrity of shared data. To protect the integrity of shared data, each block in shared data is attached with a signature, which is com- puted by one of the users in the group. Specifically, when shared data is initially created by the original user in the cloud, all the signatures on shared data are computed by the original user. After that, once a user modifies a block, this user also needs to sign the modified block with his/her own private key. By sharing data among a group of users, different blocks may be signed by different users due to modifications from different users. When a user in the group leaves or misbehaves, the group needs to revoke this user. Generally, as the creator of shared data, the original user acts as the group manager and is able to revoke users on behalf of the group. Once a user is revoked, the signatures computed by this revoked user become invalid to the group, and the blocks that were previously signed by this revoked user should be re-signed by an existing user’s private key, so that the correctness of the entire data can still be verified with the public keys of existing users only. Alternative Approach. Allowing every user in the group to share a common group private key and sign each block with it, is also a possible way to protect the integrity of shared data [19], [20]. However, when a user is revoked, a new group private key needs to be securely distributed to every existing user and all the blocks in the shared data have to be re-signed with the new private key, which increases the complexity of key management and decreases the efficiency of user revocation. 2.2 Design Objectives Our proposed mechanism should achieve the follow- ing properties: (1) Correctness: The public verifier is able to correctly check the integrity of shared data. (2) Efficient and Secure User Revocation: On one hand, once a user is revoked from the group, the blocks signed by the revoked user can be efficiently re-signed. On the other hand, only existing users in the group can generate valid signatures on shared data, and the revoked user can no longer compute valid signatures on shared data. (3) Public Auditing: The public verifier can audit the integrity of shared data without retrieving the entire data from the cloud, even if some blocks in shared data have been re-signed by the cloud. (4) Scalability: Cloud data can be efficiently shared among a large number of users, and the public verifier is able to handle a large number of auditing tasks simultaneously and efficiently. 3 PRELIMINARIES In this section, we briefly introduce some prelimi- naries, including bilinear maps, security assumptions, homomorphic authenticators and proxy re-signatures. 3.1 Bilinear Maps Let G1 and G2 be two multiplicative cyclic groups of prime order p, g be a generator of G1. Bilinear map e is a map e: G1 × G1 → G2 with the following properties: 1) Computability: there exists an efficient algorithm for computing map e. 2) Bilinearity: for all u, v ∈ G1 and a, b ∈ Zp, e(ua , vb ) = e(u, v)ab . 3) Non-degeneracy: e(g, g) = 1. 3.2 Security Assumptions The security of our mechanism is based on the follow- ing security assumptions. Computational Diffie-Hellman (CDH) Problem. Let a, b ∈ Z∗ p, given g, ga , gb ∈ G1 as input, output gab ∈ G1. Definition 1: Computational Diffie-Hellman (CDH) Assumption. For any probabilistic polynomial time adver- sary ACDH, the advantage of adversary ACDH on solving the CDH problem in G1 is negligible, which is defined as Pr[ACDH(g, ga , gb ) = (gab ) : a, b R ← Z∗ p] ≤ . For the ease of understanding, we can also say comput- ing the CDH problem in G1 is computationally infeasible or hard under the CDH assumption. Discrete Logarithm (DL) Problem. Let a ∈ Z∗ p, given g, ga ∈ G1 as input, output a. Definition 2: Discrete Logarithm (DL) Assumption. For any probabilistic polynomial time adversary ADL, the advantage of adversary ADL on solving the DL problem in G1 is negligible, which is defined as Pr[ADL(g, ga ) = (a) : a R ← Z∗ p] ≤ . Similarly, we can also say computing the DL problem in G1 is computationally infeasible or hard under the DL assumption. 3.3 Homomorphic Authenticators Homomorphic authenticators [3], also called homo- morphic verifiable tags, allow a public verifier to check the integrity of data stored in the cloud without down- loading the entire data. They have been widely used as building blocks in the previous public auditing mech- anisms [3]–[15], [19], [20]. Besides unforgeability (only a
  • 4. 4 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X user with a private key can generate valid signatures), a homomorphic authenticable signature scheme, which de- notes a homomorphic authenticator scheme based on signatures, should also satisfy the following properties: Let (pk, sk) denote the signer’s public/private key pair, σ1 denote the signature on block m1 ∈ Zp, and σ2 denote the signature on block m2 ∈ Zp. • Blockless verifiability: Given σ1 and σ2, two ran- dom values α1, α2 in Zp and a block m = α1m1 + α2m2 ∈ Zp, a verifier is able to check the correctness of block m without knowing m1 and m2. • Non-malleability: Given m1 and m2, σ1 and σ2, two random values α1, α2 in Zp and a block m = α1m1 + α2m2 ∈ Zp, a user, who does not have private key sk, is not able to generate a valid signature σ on block m by combining σ1 and σ2. Blockless verifiability enables a verifier to audit the correctness of data in the cloud with only a linear com- bination of all the blocks via a challenge-and-response protocol, while the entire data does not need to be down- loaded to the verifier. Non-malleability indicates that other parties, who do not possess proper private keys, cannot generate valid signatures on combined blocks by combining existing signatures. 3.4 Proxy Re-signatures Proxy re-signatures, first proposed by Blaze et al. [17], allow a semi-trusted proxy to act as a translator of signatures between two users, for example, Alice and Bob. More specifically, the proxy is able to convert a signature of Alice into a signature of Bob on the same block. Meanwhile, the proxy is not able to learn any private keys of the two users, which means it cannot sign any block on behalf of either Alice or Bob. In this paper, to improve the efficiency of user revocation, we propose to let the cloud to act as the proxy and convert signatures for users during user revocation. 3.5 Shamir Secret Sharing An (s, t)-Shamir Secret Sharing scheme [18] (s ≥ 2t − 1), first proposed by Shamir, is able to divide a secret π into s pieces in such a way that this secret π can be easily recovered from any t pieces, while the knowledge of any t − 1 pieces reveals absolutely no information about this secret π. The essential idea of an (s, t)-Shamir Secret Sharing scheme is that, a number of t points uniquely defines a t−1 degree polynomial. Suppose we have the following t − 1 degree polynomial f(x) = at−1xt−1 + · · · + a1x + a0, where at−1, ..., a1 R ←∈ Z∗ p. Then, the secret is π = a0, and each piece of this secret is actually a point of polynomial f(x), i.e. (xi, f(xi)), for 1 ≤ i ≤ s. The secret π can be recovered by any t points of this t−1 degree polynomial f(x) with Lagrange polynomial interpolation. Shamir Se- cret Sharing is widely used in key management schemes [18] and secure multi-party computation [21]. 4 A NEW PROXY RE-SIGNATURE SCHEME In this section, we first present a new proxy re- signature scheme, which satisfies the property of block- less verifiability and non-malleability. Then, we will de- scribe how to construct our public auditing mechanism for shared data based on this proxy re-signature scheme in the next section. 4.1 Construction of HAPS Because traditional proxy re-signature schemes [17], [22] are not blockless verifiable, if we directly apply these proxy re-signature schemes in the public auditing mech- anism, then a verifier has to download the entire data to check the integrity, which will significantly reduce the efficiency of auditing. Therefore, we first propose a homomorphic authenticable proxy re-signature (HAPS) scheme, which is able to satisfy blockless verifiability and non-malleability. Our proxy re-signature scheme includes five algo- rithms: KeyGen, ReKey, Sign, ReSign and Verify. De- tails of each algorithm are described in Fig. 4. Similar as the assumption in traditional proxy re-signature schemes [17], [22], we assume that private channels (e.g., SSL) exist between each pair of entities in Rekey, and there is no collusion between the proxy and any user. Based on the properties of bilinear maps, the correctness of the verification in Verify can be presented as e(σ, g) = e((H(id)wm )a , g) = e(H(id)wm , pkA). 4.2 Security Analysis of HAPS Theorem 1: It is computationally infeasible to generate a forgery of a signature in HAPS as long as the CDH assumption holds. Proof: Following the standard security model de- fined in the previous proxy re-signature scheme [22], the security of HAPS includes two aspects: external security and internal security. External security means an exter- nal adversary cannot generate a forgery of a signature; internal security means that the proxy cannot use its re- signature keys to sign on behalf of honest users. External Security: We show that if a (t , )-algorithm A, operated by an external adversary, can generate a forgery of a signature under HAPS with the time of t and advantage of after making at most qH hash queries, qS signing queries, qR re-signing queries, and requesting at most qK public keys, then there exists a (t, )-algorithm B that can solve the CDH problem in G1 with t ≤ t + qHcG1 + qScG1 + 2qRcP , ≥ /qHqK, where one exponentiation on G1 takes time cG1 and one pairing operation takes time cP . Specifically, on input (g, ga , gb ), the CDH algorithm B simulates a proxy re- signature security game for algorithm A as follows: Public Keys: As A requests the creation of system users, B guesses which one A will attempt a forgery against. Without loss of generality, we assume the target public key as pkv and set it as pkv = ga . For all other
  • 5. WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 5 Scheme Details: Let G1 and G2 be two groups of order p, g be a generator of G1, e : G1 × G1 → G2 be a bilinear map, w be another generator of G1. The global parameters are (e, p, G1, G2, g, w, H), where H is a hash function with H : {0, 1}∗ → G1. KeyGen. Given global parameters (e, p, G1, G2, g, w, H), a user uA selects a random a ∈ Z∗ p, and outputs public key pkA = ga and private key skA = a. ReKey. The proxy generates a re-signing key rkA→B as follows: (1) the proxy generates a random r ∈ Z∗ p and sends it to user uA; (2) user uA computes and sends r/a to user uB, where skA = a; (3) user uB calculates and sends rb/a to the proxy, where skB = b; (4) the proxy recovers rkA→B = b/a ∈ Z∗ p. Sign. Given private key skA = a, block m ∈ Zp and block identifier id, user uA outputs the signature on block m as: σ = (H(id)wm )a ∈ G1. ReSign. Given re-signing key rkA→B, public key pkA, signa- ture σ, block m ∈ Zp and block identifier id, the proxy checks that Verify(pkA, m, id, σ) ? = 1. If the verification result is 0, the proxy outputs ⊥; otherwise, it outputs σ = σrkA→B = (H(id)wm )a·b/a = (H(id)wm )b . Verify. Given public key pkA, block m, block identifier id, and signature σ, a verifier outputs 1 if e(σ, g) = e(H(id)wm , pkA), and 0 otherwise. Fig. 4. Details of HAPS. public keys, we set pki = gxi for a random xi ∈ Z∗ p. The total number of public keys requested is qK. Oracle Queries: There are three types of oracle queries that B must answer: hash query Qhash, signing query Qsign and re-signing query Qresign. For each hash query Qhash on input (idi, mi), check if there is an entry in table TH. If so, output the cor- responding value; otherwise guess if (idi, mi) is the identifier id∗ and block m∗ that A will attempt to use in a forgery. If idi = id∗ and mi = m∗ , output H(idi)wmi = gb ; otherwise, select a random yi ∈ Z∗ p and output H(idi)wmi = gyi . Record (idi, mi, yi) in the table TH for each idi = id∗ or mi = m∗ . For each signing query Qsign on input (pkj, idi, mi), if j = v, output the signature as σ = (H(idi)wmi )xj (via calling hash query). If j = v and idi = id∗ , or j = v and mi = m∗ , return the signature as σ = (gyi )a = (ga )yi ; otherwise, abort. For each re-signing query Qresign on input (pki, pkj, idk, mk, σ), if Verify(pki, mk, idk, σ)=1, output ⊥. Otherwise, output Qsign(pkj, idk, mk) (via calling signing query). Forgery: Eventually A outputs a forgery (pkj, id, m, σ). If v = j, then B guessed the wrong target user and must abort. If Verify(pkj, m, id, σ)=1 or (id, m,σ ) is the result of any Qsign or Qresign, B also aborts. Otherwise, B outputs σ = (H(id)wm )a = (gb )a = gab as the proposed CDH problem. The probability that B will guess the target user correctly is 1/qK, and the probability that B will guess the forged block identifier id∗ and forged block m∗ is 1/qH . Therefore, if A generates a forgery of a signature with probability , then B solves the CDH problem with probability /qH qK. Algorithm B requires one exponen- tiation on G1 for each hash query, one extra exponentia- tion on G1 for each signing query and two extra pairing operations for each re-signing query, so its running time is A’s running time plus qHcG1 + qScG1 + 2qRcP . Internal Security: We now prove that, if a (t , )- algorithm A, operated by the proxy, can generate a forgery of a signature with the time of t and advantage of after making at most qH hash queries and qS signing queries, then there exists a (t, )-algorithm B that can solve the CDH problem in G1 with t ≤ t + qHcG1 + qScG1 , ≥ /qHqK. On input (g, ga , gb ), the CDH algorithm B simulates a proxy re-signature security game for algorithm A as follows: Public Keys: Without loss of generality, we set the target key as pkv = ga . For each key i = v, choose a random xi ∈ Z∗ p, and set pki = (ga )xi . The total number of public keys requested is qK. Oracle Queries: There are three types of queries that B must answer: hash query Qhash, signing query Qsign and rekey query Qrekey. For each hash query Qhash on input (idi, mi), check if there is an entry in table TH. If so, output the cor- responding value; otherwise guess if (idi, mi) is the identifier id∗ and block m∗ that A will attempt to use in a forgery. If idi = id∗ and mi = m∗ , output H(idi)wmi = gb ; otherwise, select a random yi ∈ Z∗ p and output H(idi)wmi = gyi . Record (idi, mi, yi) in the table TH for each idi = id∗ or mi = m∗ . For each signing query Qsign on input (pkj, idi, mi), if idi = id∗ or mi = m∗ , return the signature as σ = (pkj)yi (via calling hash query); else abort. For each rekey query Qrekey on input (pki, pkj), if i = v or j = v, abort; else return rki→j = (xj/xi). Forgery: Eventually A outputs a forgery (pkj, id, m, σ). If v = j, then B guessed the wrong target user and must abort. If Verify(pkj, m, id, σ)=1 or (id, m,σ ) is the result of any Qsign, B also aborts. Otherwise, B outputs σ = (H(id)wm )a = (gb )a = gab as the proposed CDH problem. Similarly as external security, the probability that B will guess the target user correctly is 1/qK, and the prob- ability that B will guess the forged block identifier id∗ and forged block m∗ is 1/qH . Therefore, if A generates a forgery of a signature with probability , then B solves the CDH problem with probability /qHqK. Algorithm B requires one exponentiation on G1 for each hash query, one extra exponentiation on G1 for each signing query, so its running time is A’s running time plus qHcG1 + qScG1 . According to what we analyzed above, if the ad- vantage of an adversary for generating a forgery of a signature under the external or internal security game is
  • 6. 6 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X non-negligible, then we can find an algorithm to solve the CDH problem in G1 with a non-negligible probabil- ity, which contradicts to the assumption that the CDH problem is computationally infeasible in G1. Therefore, it is computationally infeasible to generate a forgery of a signature in HAPS under the CDH assumption. Theorem 2: HAPS is a homomorphic authenticable proxy re-signature scheme. Proof: As we introduced in Section 3, to prove HAPS is homomorphic authenticable, we need to show HAPS is not only blockless verifiable but also non-malleable. Moreover, we also need to prove that the re-signing per- formed by the proxy does not affect these two properties. Blockless Verifiability. Given user ua’s public key pkA, two random numbers y1, y2 ∈ Z∗ p, two identifiers id1 and id2, and two signatures σ1 and σ2 signed by user ua, a verifier is able to check the correctness of a block m = y1m1 + y2m2 by verifying e(σy1 1 · σy2 2 , g) ? = e(H(id1)y1 H(id2)y2 wm , pkA), (1) without knowing block m1 and block m2. Based on the properties of bilinear maps, the correctness of the above equation can be proved as: e(σy1 1 · σy2 2 , g) = e(H(id1)y1 wy1m1 H(id2)y2 wy2m2 , ga ) = e(H(id1)y1 H(id2)y2 wm , pkA). It is clear that HAPS can support blockless verifiability. Non-malleability. Meanwhile, an adversary, who does not have private key skA = a, cannot generate a valid signature σ for a combined block m = y1m1 + y2m2 by combining σ1 and σ2 with y1 and y2. The hardness of this problem lies in the fact that H must be a one-way hash function (given every input, it is easy to compute; however, given the image of a random input, it is hard to invert). More specifically, if we assume this adversary can generate a valid signature σ for the combined block m by combining σ1 and σ2, we have    σ = σy1 1 · σy2 2 σy1 1 · σy2 2 = (H(id1)y1 H(id2)y2 wm )a σ = (H(id )wm )a and we can further learn that H(id ) = H(id1)y1 H(id2)y2 . Then, that means, given a value of h = H(id1)y1 H(id2)y2 , we can easily find a block identifier id so that H(id ) = h, which contradicts to the assumption that H is a one- way hash function. Because the construction and verification of the sig- natures re-signed by the proxy are as the same as the signatures computed by users, we can also prove that the signatures re-signed by the proxy are blockless verifiable and non-malleable in the same way illustrated above. Therefore, HAPS is a homomorphic authenticable proxy re-signature scheme. 5 PANDA 5.1 Overview Based on the new proxy re-signature scheme and its properties in the previous section, we now present Panda — a public auditing mechanism for shared data with efficient user revocation. In our mechanism, the original user acts as the group manager, who is able to revoke users from the group when it is necessary. Meanwhile, we allow the cloud to perform as the semi-trusted proxy and translate signatures for users in the group with re- signing keys. As emphasized in recent work [23], for security reasons, it is necessary for the cloud service providers to storage data and keys separately on dif- ferent servers inside the cloud in practice. Therefore, in our mechanism, we assume the cloud has a server to store shared data, and has another server to manage re- signing keys. To ensure the privacy of cloud shared data at the same time, additional mechanisms, such as [24], can be utilized. The details of preserving data privacy are out of scope of this paper. The main focus of this paper is to audit the integrity of cloud shared data. 5.2 Support Dynamic Data To build the entire mechanism, another issue we need to consider is how to support dynamic data during public auditing. Because the computation of a signature includes the block identifier, conventional methods — which use the index of a block as the block identifier (i.e., block mj is indexed with j) — are not efficient for supporting dynamic data [8], [14]. Specifically, if a single block is inserted or deleted, the indices of blocks that after this modified block are all changed, and the change of those indices requires the user to re-compute signatures on those blocks, even though the content of those blocks are not changed. mi σi idi si Block Signature Block Identifier Signer Identifier Fig. 6. Each block is attached with a signature, a block identifier and a signer identifier. By leveraging index hash tables [8], [14], we allow a user to modify a single block efficiently without chang- ing block identifiers of other blocks. The details of index hash tables are explained in Appendix A. Besides a block identifier and a signature, each block is also attached with a signer identifier (as shown in Fig. 6). A verifier can use a signer identifier to distinguish which key is required during verification, and the cloud can utilize it to determine which re-signing key is needed during user revocation. 5.3 Construction of Panda Panda includes six algorithms: KeyGen, ReKey, Sign, ReSign, ProofGen, ProofVerify. Details of Panda are presented in Fig. 5. In KeyGen, every user in the group generates his/her public key and private key. In ReKey, the cloud com- putes a re-signing key for each pair of users in the group. As argued in previous section, we still assume that private channels exist between each pair of entities
  • 7. WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 7 Scheme Details: Let G1 and G2 be two groups of order p, g be a generator of G1, e : G1 × G1 → G2 be a bilinear map, w be another generator of G1. The global parameters are (e, p, G1, G2, g, w, H), where H is a hash function with H : {0, 1}∗ → G1. The total number of blocks in shared data is n, and shared data is described as M = (m1, ..., mn). The total number of users in the group is d. KeyGen. User ui generates a random πi ∈ Z∗ p, and outputs public key pki = gπi and private key ski = πi. Without loss of generality, we assume user u1 is the original user, who is the creator of shared data. The original user also creates a user list (UL), which contains ids of all the users in the group. The user list is public and signed by the original user. ReKey. The cloud generates a re-signing key rki→j as fol- lows: (1) the cloud generates a random r ∈ Zp and sends it to user ui; (2) user ui sends r/πi to user uj, where ski = πi; (3) user uj sends rπj/πi to the cloud, where skj = πj; (4) the cloud recovers rki→j = πj/πi ∈ Z∗ p. Sign. Given private key ski = πi, block mk ∈ Zp and its block identifier idk, where k ∈ [1, n], user ui outputs the signature on block mk as: σk = (H(idk)wmk )πi ∈ G1. ReSign. Given re-signing key rki→j, public key pki, signa- ture σk, block mk and block identifier idk, the cloud first checks that e(σk, g) ? = e(H(idk)wmk , pki). If the verification result is 0, the cloud outputs ⊥; otherwise, it outputs σk = σ rki→j k = (H(idk)wmk )πi·πj /πi = (H(idk)wmk )πj . After the re-signing, the original user removes user ui’s id from UL and signs the new UL. ProofGen. A public verifier generates an auditing message as follows: 1) Randomly picks a c-element subset L of set [1, n] to locate the c selected random blocks that will be checked in this auditing task. 2) Generates a random ηl ∈ Z∗ q , for l ∈ L and q is a much smaller prime than p. 3) Outputs an auditing message {(l,η l)}l∈L, and sends it to the cloud. After receiving an auditing message, the cloud generates a proof of possession of shared data M. More concretely, 1) According to the signer identifier of each selected block, the cloud divides set L into d subset L1, ..., Ld, where Li is the subset of selected blocks signed by user ui. The number of elements in subset Li is ci. Clearly, we have c = d i=1 ci, L = L1 ∪...∪Ld and Li ∩Lj = ∅, for i = j. 2) For each subset Li, the cloud computes αi = l∈Li ηlml ∈ Zp and βi = l∈Li σηl l ∈ G1. 3) The cloud outputs an auditing proof {ααα,βββ, {idl, sl}l∈L}, and sends it to the verifier, where ααα = (α1, ..., αd) and βββ = (β1, ..., βd). ProofVerify. Given an auditing message {(l,η l)}l∈L, an au- diting proof {ααα,βββ, {idl, sl}l∈L}, and all the existing users’ public keys (pk1, ..., pkd), the public verifier checks the cor- rectness of this auditing proof as e( d i=1 βi, g) ? = d i=1 e( l∈Li H(idl)ηl · wαi , pki). (2) If the result is 1, the verifier believes that the integrity of all the blocks in shared data M is correct. Otherwise, the public verifier outputs 0. Fig. 5. Details of Panda. during the generation of re-signing keys, and there is no collusion. When the original user creates shared data in the cloud, he/she computes a signature on each block as in Sign. After that, if a user in the group modifies a block in shared data, the signature on the modified block is also computed as in Sign. In ReSign, a user is revoked from the group, and the cloud re-signs the blocks, which were previously signed by this revoked user, with a re- signing key. The verification on data integrity is per- formed via a challenge-and-response protocol between the cloud and a public verifier. More specifically, the cloud is able to generate a proof of possession of shared data in ProofGen under the challenge of a public verifier. In ProofVerify, a public verifier is able to check the correctness of a proof responded by the cloud. In ReSign, without loss of generality, we assume that the cloud always converts signatures of a revoked user into signatures of the original user. The reason is that the original user acts as the group manager, and we assume he/she is secure in our mechanism. Another way to decide which re-signing key should be used when a user is revoked from the group, is to ask the original user to create a priority list (PL). Every existing user’s id is in the PL and listed in the order of re-signing priority. When the cloud needs to decide which existing user the signatures should be converted into, the first user shown in the PL is selected. To ensure the correctness of the PL, it should be signed with the private key of the original user (i.e., the group manager). Based on the properties of bilinear maps, the correct- ness of our mechanism in ProofVerify can be explained as follows. e( d i=1 βi, g) = d i=1 e( l∈Li σηl l , g) = d i=1 e( l∈Li (H(idl)wml )πiηl , g) = d i=1 e( l∈Li H(idl)ηl · l∈Li wmlηl , gπi ) = d i=1 e( l∈Li H(idl)ηl · wαi , pki). 5.4 Security Analysis of Panda Theorem 3: For the cloud, it is computationally infeasible to generate a forgery of an auditing proof in Panda as long as the DL assumption holds. Proof: Following the security game defined in [4], [14], we can prove that, if the cloud could win a security game, named Game 1, by forging an auditing proof on incorrect shared data, then we can find a solution to the DL problem in G1 with a probability of 1 − 1/p, which contradicts to the DL assumption (the advantage of solv- ing DL problem G1 should be negligible). Specifically, we define Game 1 as follows:
  • 8. 8 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X Game 1: The public verifier sends an auditing mes- sage {(l,ηl)}l∈L to the cloud, the auditing proof on correct shared data M should be {ααα,βββ, {idl}l∈L}, which should pass the verification with Equation (2). How- ever, the cloud generates a proof on incorrect shared data M as {ααα ,βββ, {idl}l∈L}, where ααα = (α1, ..., αd), αi = l∈Li ηlml, for i ∈ [1, d], and M = M . Define ∆αi = αi − αi for 1 ≤ i ≤ d, and at least one element of {∆αi}1≤i≤d is nonzero. If this proof still pass the verification performed by the public verifier, then the cloud wins this game. Otherwise, it fails. We first assume that the cloud wins the game. Then, according to Equation (2), we have e( d i=1 βi, g) = d i=1 e( l∈Li H(idl)ηl · wαi , pki). Because {ααα,βββ, {idl}l∈L} is a correct auditing proof, we have e( d i=1 βi, g) = d i=1 e( l∈Li H(idl)ηl · wαi , pki). Based on the properties of bilinear maps, we learn that d i=1 wαiπi = d i=1 wαiπi , d i=1 wπi∆αi = 1. Because G1 is a cyclic group, then for two elements u, v ∈ G1, there exists x ∈ Zp that v = ux . Without loss of generality, given u, v, each wπi can generated as wπi = uξi vγi ∈ G1, where ξi and γi are random values of Zp. Then, we have 1 = d i=1 (uξi vγi )∆αi = u d i=1 ξi∆αi · v d i=1γi∆αi . Clearly, we can find a solution to the DL problem. Given u, v = ux ∈ G1, we can output v = u − d i=1 ξi∆αi d i=1 γi∆αi , x = − d i=1 ξi∆αi d i=1 γi∆αi , unless the denominator is zero. However, as we defined in Game 1, at least one of element in {∆αi}1≤i≤d is nonzero, and γi is a random element of Zp, therefore, the denominator is zero with a probability of 1/p, which is negligible because p is a large prime. Then, we can find a solution to the DL problem with a non-negligible probability of 1 − 1/p, which contradicts to the DL assumption in G1. 5.5 Efficient and Secure User Revocation We argue that our mechanism is efficient and secure during user revocation. It is efficient because when a user is revoked from the group, the cloud can re-sign blocks that were previously signed by the revoked user with a re-signing key, while an existing user does not have to download those blocks, re-compute signatures on those blocks and upload new signatures to the cloud. The re-signing preformed by the cloud improves the efficiency of user revocation and saves communication and computation resources for existing users. The user revocation is secure because only existing users are able to sign the blocks in shared data. As analyzed in Theorem 1, even with a re-signing key, the cloud cannot generate a valid signature for an arbitrary block on behalf of an existing user. In addition, after being revoked from the group, a revoked user is no longer in the user list, and can no longer generate valid signatures on shared data. 5.6 Limitations and Future Work Remind that in Section 2, we assume there is no collusion between the cloud and any user in the design of our mechanism as the same as the assumption in some traditional proxy re-signatures [17], [22]. The reason is that, in our current design, if a revoked user (e.g., Bob with private key skb) is able to collude with the cloud, who possesses a re-signing key (e.g., rka→b = ska/skb, then the cloud and Bob together are able to easily reveal the private key of an existing user (e.g., Alice’s private key ska). To overcome the above limitation, some proxy re- signature schemes with collusion resistance in [22], which can generate a re-signing key with a revoked user’s public key and an existing user’s private key, would be a possible solution. Specifically, a resigning key is computed as rka→b = pkska b by Alice, then even the cloud (with rka→b) and Bob (with pkb) collude together, they cannot compute the private key of Alice (i.e., ska) due to the hardness of computing the DL problem in G1. Unfortunately, how to design such type of collusion- resistant proxy re-signature schemes while also sup- porting public auditing (i.e., blockless verifiability and non-malleability) remains to be seen. Essentially, since collusion-resistant proxy re-signature schemes generally have two levels of signatures (i.e., the first level is signed by a user and the second level is re-signed by the proxy), where the two levels of signatures are in different forms and need to be verified differently, achieving blockless verifiability on both of the two levels of signatures and verifying them together in a public auditing mechanism is challenging. We will leave this problem for our future work. 6 EXTENSION OF PANDA In this section, we will utilize several different meth- ods to extend our mechanism in terms of detection probability, scalability and reliability. 6.1 Detection Probability of Panda As presented in our mechanism, a verifier selects a number of random blocks instead of choosing all the blocks in shared data, which can improve the efficiency of auditing. Previous work [3] has already proved that a verifier is able to detect the polluted blocks with a high probability by selecting a small number of random blocks, referred to as sample strategies [3]. More specif- ically, when shared data contains n = 1, 000, 000 blocks,
  • 9. WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 9 if 1% of all the blocks are corrupted, a verifier can detect these polluted blocks with a probability greater than 99% or 95%, where the number of selected blocks c is 460 or 300, respectively. Further discussions and analyses about sample strategies can be found in [3]. To further reduce the number of the undetected pol- luted blocks in shared data and improve the detection probability, besides increasing the number of random selected blocks in one auditing task mentioned in the last paragraph, a verifier can also perform multiple auditing tasks on the same shared data. If the detection probability in a single auditing task is PS, then the total detection probability for a number of t multiple auditing tasks is PM = 1 − (1 − PS)t . For instance, if the detection probability in a single auditing task is PS = 95%, then the total detection probability with two different auditing tasks on the same shared data is PM = 99.75%. Note that to achieve a higher detection probability, both of the two methods require a verifier to spend more communication and computation cost during auditing. 6.2 Scalability of Panda Now we discuss how to improve the scalability of our proposed mechanism by reducing the total number of re- signing keys in the cloud and enabling batch auditing for verifying multiple auditing tasks simultaneously. Reduce the Number of Re-signing Keys. As de- scribed in Panda, the cloud needs to establish and main- tain a re-signing key for each pair of two users in the group. Since the number of users in the group is denoted as d, the total number of re-signing keys for the group is d(d − 1)/2. Clearly, if the cloud data is shared by a very large number of users, e.g. d = 200, then the total number of re-signing keys that the cloud has to securely store and manage is 19, 900, which significantly increases the complexity of key management in cloud. To reduce the total number of re-signing keys required in the cloud and improve the scalability of our mech- anism, the original user, who performs as the group manager, can keep a short priority list (PL) with only a small subset of users instead of the entire PL with all the users in the group. More specifically, if the total number of users in the group is still d = 200 and the size of a short PL is d = 5, which means the cloud is able to convert signatures of a revoked user only into one of these five users shown in the short PL, then the total number of re-signing keys required with the short PL of 5 users is 990. It is only 5% of the number of re-signing keys with the entire PL of all the 200 users. Batch Auditing for Multiple Auditing Tasks. In many cases, the public verifier may need to handle multiple auditing tasks in a very short time period. Clearly, asking the public verifier to perform these au- diting requests independently (one by one) may not be efficient. Therefore, to improve the scalability of our public auditing mechanism in such cases, we can further extend Panda to support batch auditing [7] by utilizing the properties of bilinear maps. With batch auditing, a public verifier can perform multiple auditing tasks simultaneously. Compared to the batch auditing in [7], where the verification metadata (i.e, signatures) in each auditing task are generated by a single user, our batch auditing method needs to perform on multiple auditing tasks where the verification metadata in each auditing task are generated by a group of users. Clearly, designing batch auditing for our mechanism is more complicated and challenging than the one in [7]. More concretely, if the total number of auditing tasks received in a short time is t, then the size of the group for each task is dj, for j ∈ [1, t], each auditing message is represented as {(l,ηj|l)}l∈Lj , for j ∈ [1, t], each au- diting proof is described as {αααj,βββj, {idj|l}l∈Lj }, where αααj = (αj|1, ..., αj|dj ) and βββj = (βj|1, ..., βj|dj ), for j ∈ [1, t], and all the existing users’ public keys for each group are denoted as (pkj|1, ..., pkj|dj ), for j ∈ [1, t]. Based on the properties of bilinear maps, the public verifier can perform batch auditing as below e( t j=1 dj i=1 β θj j|i, g) ? = t j=1 dj i=1 e( l∈Lj|i H(idj|l)ηj|l ·wαj|i , pkj|i)θj , (3) where θj ∈ Z∗ p, for j ∈ [1, t], is a random chosen by the public verifier. The correctness of the above equation is based on all the t auditing proofs are correct. The left hand side (LHS) of this equation can be expended as LHS = t j=1 e( dj i=1 βj|i, g)θj = t j=1 dj i=1 e( l∈Lj|i H(idj|l)ηj|l wαj|i , pkj|i)θj . According to the security analysis of batch verification in [25], the probability that the public verifier accepts an invalid auditing proof with batch auditing is 1/p (since randoms (θ1, ..., θt) are elements of Zp), which is negligible. Therefore, if the above equation holds, then the public verifier believes all the t auditing proofs are correct. One of the most important advantages of batch au- diting is that it is able to reduce the total number of pairing operations, which are the most time consuming operations during verification. According to Equation (3), batch auditing can reduce the total number of pairing operations for t auditing tasks to td + 1, while verifying these t auditing tasks independently requires td + t pairing operations. Moreover, if all the t auditing tasks are all from the same group, where the size of the group is d and all the existing users’ public keys for the group are (pk1, ..., pkd), then batch auditing on t auditing tasks can be further optimized as follows e( t j=1 d i=1 β θj j|i, g) ? = d i=1 e( t j=1 ( l∈Lj|i H(idj|l)ηj|l ·wαj|i )θj , pki). In this case, the total number of pairing operations during batch auditing can be significantly reduced to
  • 10. 10 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X ReKey∗ . Given private key skj = πj, user uj generates a random t − 1 degree polynomial fj(x) as fj(x) = aj,t−1xt−1 + aj,t−2xt−2 + · · · + aj,1x + aj,0, where (aj,t−1, ..., aj,1) R ← Z∗ p and aj,0 = πj. Then, user uj computes s points (x1, yj,1), ..., (xs, yj,s) based on polyno- mial fj(x), where yj,l = fj(xl), for l ∈ [1, s], is a piece of user uj’s private key and (x1, ..., xs) are public. Proxy Pl generates a piece of a re-signing key as follows: (1) proxy Pl generates a random r ∈ Z∗ p and sends it to user ui; (2) user ui computes and sends r/πi to user uj, where ski = πi; (3) user uj computes and sends ryj,l/πi to server Sl, where yj,l = fj(xl) is a piece of private key skj = πj; (4) proxy Pl recovers rki→j,l = yj,l/πi ∈ Zp, where rki→j,l is a piece of re-signing key rki→j. ReSign∗ . Given public key pki, signature σk, block mk and block identifier idk, the cloud first checks e(σk, g) ? = e(H(idk)wmk , pki). If the equation does not hold, the cloud outputs ⊥; other- wise, each proxy converts this signature σk with its own piece of the corresponding re-signing key. Specifically, proxy Pl converts its part of signature σk as σk,l = σ rki→j,l k = (H(idk)wmk )yj,l . Finally, as long as t or more proxies are able to convert their parts correctly, the cloud is able to recover signature σk based on the t parts (σk,1, ..., σk,t) as σk = t l=1 σk,l Fj,l(0) , (4) where σk,l is computed by proxies Pl, and Fj,l(x) is a Lagrange basis polynomial of polynomial fj(x) and can be pre-computed as Fj,l(x) = 0<h≤t,h=l x − xh xl − xh , 1 ≤ l ≤ t. Similar as in Algorithm ReSign in single proxy model, after the re-signing process in the cloud, the original user removes user ui’s id from the user list (UL) and signs the new UL. Fig. 7. Details of ReKey∗ and ReSign∗ . only d + 1, which can further improve the efficiency of batch auditing. The correctness of the above equation can be proved as LHS = t j=1 e( d i=1 βj|i, g)θj = t j=1 d i=1 e( l∈Lj|i H(idj|l)ηj|l wαj|i , pki)θj = d i=1 e( t j=1 ( l∈Lj|i H(idj|l)ηj|l · wαj|i )θj , pki). 6.3 Reliability of Panda In our mechanism, it is very important for the cloud to securely store and manage the re-signing keys of the group, so that the cloud can correctly and successfully convert signatures from a revoked user to an existing user when it is necessary. However, due to the existence of internal attacks, simply storing these re-signing keys in the cloud with a single re-signing proxy may some- times allow inside attackers to disclose these re-signing keys and arbitrarily convert signatures on shared data, even no user is revoking from the group. Obviously, the arbitrary misuse of re-signing keys will change the own- ership of corresponding blocks in shared data without users’ permission, and affect the integrity of shared data in the cloud. To prevent the arbitrary use of re-signing keys and enhance the reliability of our mechanism, we propose an extended version of our mechanism, denoted as Panda∗ , in the multi-proxy model. By leveraging an (s, t)-Shamir Secret Sharing (s ≥ 2t − 1) [18] and s multiple proxies, each re-signing key is divided into s pieces and each piece is distributed to one proxy. These multiple proxies belong to the same cloud, but store and manage each piece of a re-signing key independently (as described in Fig. 8). Since the cloud needs to store keys and data separately [23], the 2. Blocks 1. Re-signing Requests Proxy P1 Proxy Ps ... Data Server 3. Re-signed Signatures User Cloud Fig. 8. Multiple re-signing proxies in the cloud. cloud also has another server to store shared data and corresponding signatures. In Panda∗ , each proxy is able to convert signatures with its own piece, and as long as t or more proxies (the majority) are able to correctly convert signatures when user revocation happens, the cloud can successfully convert signatures from a revoked user to an existing user. Similar multi-proxy model was also recently used in the cloud to secure the privacy of data with re-encryption techniques [26]. According to the security properties of an (s, t)-Shamir Secret Sharing, even up to t−1 proxies are compromised by an inside attacker, it is still not able to reveal a re- signing key or arbitrarily transform signatures on shared data. For Panda∗ , most of algorithms are as the same as in Panda, except the two algorithms for generating re-signing keys and re-signing signatures, denoted as ReKey∗ and ReSign∗ respectively. We use ∗ to distin- guish them from the corresponding algorithms in the single proxy model. Details of Algorithm ReKey∗ and ReSign∗ are described in Fig. 7. According to polynomial interpolation, we have fj(x) = t l=1 yj,l ·Fj,l(x). The correctness of the recovery and transformation of signature σk (i.e., Equation 4) can be explained as t l=1 σk,l Fj,l(0) = t l=1 (H(idk)wmk )yj,lFj,l(0) = (H(idk)wmk ) t l=1 yj,lFj,l(0) = (H(idk)wmk )fj (0) = (H(idk)wmk )πj = σk.
  • 11. WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 11 7 OVERHEAD ANALYSIS Communication Overhead. According to the descrip- tion in Section 5, during user revocation, our mechanism does not introduce communication overhead to existing users. The size of an auditing message {(l, yl)}l∈L is c·(|n|+|q|) bits, where c is the number of selected blocks, |n| is the size of an element of set [1, n] and |q| is the size of an element of Zq. The size of an auditing proof {ααα,βββ, {idl, sl}l∈L} is 2d · |p| + c · (|id|) bits, where d is the number of existing users in the group, |p| is the size of an element of G1 or Zp, |id| is the size of a block identifier. Therefore, the total communication overhead of an auditing task is 2d · |p| + c · (|id| + |n| + |q|) bits. Computation Overhead. As shown in ReSign of our mechanism, the cloud first verifies the correctness of the original signature on a block, and then computes a new signature on the same block with a re-signing key. The computation cost of re-signing a block in the cloud is 2ExpG1 + MulG1 + 2Pair + HashG1 , where ExpG1 denotes one exponentiation in G1, MulG1 denotes one multiplication in G1, Pair denotes one pairing opera- tion on e : G1 × G1 → G2, and HashG1 denotes one hashing operation in G1. Moreover, the cloud can further reduce the computation cost of the re-signing on a block to ExpG1 by directly re-signing it without verification, because the public auditing performed on shared data ensures that the re-signed blocks are correct. Based on Equation (2), the computation cost of an auditing task in our mechanism is (c + d)ExpG1 + (c + 2d)MulG1 + (d + 1)Pair + dMulG2 + cHashG1 . 8 PERFORMANCE EVALUATION In this section, we evaluate the performance of our mechanism in experiments. We utilize Pairing Based Cryptography (PBC) Library [27] to implement crypto- graphic operations in our mechanism. All the experi- ments are tested under Ubuntu with an Intel Core i5 2.5 GHz Processor and 4 GB Memory over 1, 000 times. In the following experiments, we assume the size of an element of G1 or Zp is |p| = 160 bits, the size of an element of Zq is |q| = 80 bits, the size of a block identifier is |id| = 80 bits, and the total number of blocks in shared data is n = 1, 000, 000. By utilizing aggregation methods from [4], [14], the size of each block can be set as 2 KB, then the total size of shared data is 2 GB. As introduced in Section 1, the main purpose of Panda is to improve the efficiency of user revocation. With our mechanism, the cloud is able to re-sign blocks for existing users during user revocation, so that an existing user does not need to download blocks and re-compute signatures by himself/herself. In contrast, to revoke a user in the group with the straightforward method extended from previous solutions, an existing user needs to download the blocks were previously signed by the revoked user, verify the correctness of these blocks, re- compute signatures on these blocks and upload the new signatures. In the following experiments, the perfor- mance of the straightforward solution is evaluated based on [4] (denoted as SW in this paper), because it is also a public auditing mechanism designed based on bilinear maps. 8.1 Performance of User Revocation Comparison with the Same Computation Ability. In this experiment, we assume the cloud and an existing user have the same computation ability (Intel Core i5 2.5 GHz Processor and 4 GB Memory) to perform user revocation. We also assume the download speed and upload speed for the data storage and sharing services is 1Mbps and 500Kbps, respectively. Let k denote the number of re-signed blocks during user revocation. Fig. 9. Impact of k on revocation time (s). Fig. 10. Impact of the download speed (Mbps) on revocation time (s). The performance comparison between Panda and the straightforward method during user revocation is pre- sented in Fig. 9. With our mechanism, the cloud is able to not only efficiently re-sign blocks but also save existing users’ computation and communication resources. As shown in Fig. 9, when the number of re-signed blocks is 500, which is only 0.05% of the total number of blocks, the cloud in Panda can re-sign these blocks within 15 seconds. In contrast, without our mechanism, an existing user needs about 22 seconds to re-sign the same number of blocks by herself. Both of the two revocation time are linearly increasing with an increase of k—the number of re-signed blocks. Since we assume the cloud and an existing user have the same level of computation ability in this experiment, it is easy to see that the gap in terms of revocation time between the two lines in Fig. 9 is mainly introduced by downloading the re-signed blocks. It is clear that if an existing user could have a faster download speed, the gap in terms of revocation time be- tween our mechanism and the straightforward method can be significantly reduced. We can observe from Fig. 10 that, if we assume the number of re-signed blocks is fixed (k = 500), the revocation time performed independently by an existing user is approaching to the revocation time of our mechanism when the download speed of data storage and sharing services is increasing. Unfortunately, it is generally impractical for a normal user to maintain or reserve a very high download speed for only a single service on his/her computer. Even if it is possible, with the straightforward method, this user still has to download those 500 re-signed blocks first, which costs him/her additional bandwidth during user revocation compared to our mechanism. As we analyzed before, the cloud can even directly re-sign data without verification, which can further im- prove the efficiency of re-signing about 100 times ac- cording to our experiments. More specifically, the re- signing time on one block with verification is 28.19
  • 12. 12 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X milliseconds while the one without verification is only 0.28 milliseconds. Note that due to the existence of transmission errors in networks, it is not a good idea to allow an existing user to re-sign the blocks without verifying them in the straightforward solution. Even if an existing user directly re-signs the blocks without verification, compared to Panda, this user still needs to spend some extra time to download the blocks. As illustrated in Fig. 11, when the number of re-signed blocks is still 500, the cloud in Panda can re-sign these blocks in about 0.14 seconds; while an existing user needs about 8.43 seconds by himself/herself with the straightforward solution. Similarly, as presented in Fig. 12, the revocation time of Panda is independent with the download speed while an existing user with the straightforward method is able to re-sign the blocks sooner if the download speed is faster. With the comparison between Fig. 9 and Fig. 11, we can see that the verification on original signatures before re-signing is one of the main factors that can slow down the entire user revocation process. As shown in Fig. 9 and Fig. 11, the key advantage of Panda is that we can improve the efficiency of user revocation and release existing users from the communication and computation burden introduced by user revocation. Fig. 11. Impact of k on re- vocation time (s) without verification. Fig. 12. Impact of of the download speed (Mbps) on revocation time (s) without verification. Comparison with Different Computation Abilities. In the previous experiment, we assume an existing user and the cloud have the same level of computation ability. Unfortunately, in practical cases, it is common that an existing user may use devices with limited computation resources, such as mobile phones, to access his/her shared data in the cloud. Thus, the computation abilities between the cloud and an existing user are not symmetric in data sharing services. In these cases, Panda can save even more revocation time for an existing user than asking this user to re-signing blocks by himself/herself with the straightforward method. To demonstrate the performance advantage of our mechanism in those cases, we use the same parameters as in the previous ex- periment, except that we assume the existing user is using a resource limited device (e.g., a mobile phone), which has a weaker computation ability than the cloud. Specifically, by leveraging jPBC library [28], we evaluate the performance of the straightforward method on a mobile phone (Motorola MB860, OS: Android 2.3; CPU: Dual-core 1 GHz). As we can see from Fig. 13 and Fig. 14, the revoca- tion time with the straightforward solution on a mobile phone is dramatically and linearly increasing with the number of re-signed blocks. Specifically, when the num- ber of revoked blocks is 500, the revocation time with the straightforward method on a mobile phone is over 350 seconds, while the revocation time with our mechanism is only less than 4% of it. If both of the cloud and an existing user directly re-sign blocks without verification, our mechanism is also able to save amount of time for an existing user when user revocation happens. Fig. 13. Impact of k on revocation time (s) on mo- bile. Fig. 14. Impact of k on re- vocation time (s) without verification on mobile. Comparison with the Multi-Proxy Model. In Section 6, we proposed to utilize an (s, t)-Shamir Secret Sharing and a number of s multiple proxies to improve the reliability of our mechanism. With Panda∗ in the multi- proxy model, even if t − 1 proxies are compromised by adversaries, our mechanism is still able to successfully to convert signatures during user revocation and prevent the arbitrary use of re-signing keys. Clearly, the increase of t will increase the reliability of our mechanism. As a necessary trade-off, the increase of t will inevitably decrease the performance of our mechanism in terms of revocation time. As show in Fig. 15 and Fig. 16, the revocation time of our mechanism in multi-proxy model is linearly increasing with an increase of k and an increase of t. However, these efficiency losses introduced by the multi-proxy model is still acceptable. Fig. 15. Impact of k on re- vocation time (s) in multi- proxy model. Fig. 16. Impact of t on re- vocation time (s) in multi- proxy model (k = 500). 8.2 Performance of Auditing Independent Auditing. We can see from Fig. 17 and Fig. 18 that, in order to maintain a higher detection probability for a single independent auditing, a verifier needs more time and communication overhead to finish the auditing task on shared data. Although the auditing time (the time that a public verifier needs to verify the correctness of an auditing proof based on Equation (5)) and communication cost are linearly increasing with the number of existing users in the group, our mechanism is still quite efficient for supporting large groups. Specifi- cally, as we can observed from Fig. 17 and Fig. 18, when the number of existing users is d = 50, our mechanism
  • 13. WANG et al.: PANDA: PUBLIC AUDITING FOR SHARED DATA WITH EFFICIENT USER REVOCATION IN THE CLOUD 13 can finish an auditing task with only 14 KB and 860 milliseconds by choosing c = 460. In order to further reduce such kind of increases on computation and communication overhead introduced by a larger number of users, some recent work [29] motivated by our mechanism can be utilized. Particu- larly, by performing aggregation on signatures generated by different users, the computation and communication overhead in [29] is independent with regard to the number of users in the group. Further details about this aggregation can be found in [29]. Fig. 17. Impact of d on auditing time (ms). Fig. 18. Impact of d on communication cost (KB). Batch Auditing. As introduced in Section 6, when a public verifier receives amount of auditing requests in a very short time, our mechanism allows this verifier to perform batch auditing to improve the performance on multiple auditing tasks. We can see from Fig. 19 and Fig. 20 that, with batch auditing, the average auditing time spent on each auditing task can be efficiently re- duced. Specifically, according to Fig. 19, if there are 20 auditing tasks, the average auditing time per auditing task with batch auditing is around 270 milliseconds while the average auditing time per task with indepen- dent auditing is 295 milliseconds. Moreover, as shown in Fig. 20, if those multiple tasks are all from the same group, then the performance of batch auditing can be significantly improved due to the dramatic decrease on the number of pairing operations, which we discussed in Section 6. Fig. 19. Impact of t on av- erage auditing time (ms) per task where d = 10. Fig. 20. Impact of t on av- erage auditing time (ms) per task where d = 10. 9 RELATED WORK Provable Data Possession (PDP), first proposed by Ateniese et al. [3], allows a public verifier to check the correctness of a client’s data stored at an untrusted server. By utilizing RSA-based homomorphic authenti- cators and sampling strategies, the verifier is able to publicly audit the integrity of data without retrieving the entire data, which is referred to as public verifiability or public auditing. Shacham and Waters [4] designed an improved PDP scheme based on BLS (Boneh-Lynn- Shacham) signatures [30]. To support dynamic operations on data during audit- ing, Ateniese et al. [31] presented another PDP mech- anism based on symmetric keys. However, it is not publicly verifiable and only provides a user with a limited number of verification requests. Wang et al. [6] utilized the Merkle Hash Tree to support fully dynamic operations in a public auditing mechanism. Erway et al. [32] introduced Dynamic Provable Data Possession by using authenticated dictionaries, which are based on rank information. Zhu et al. [8] exploited the fragment structure to reduce the storage of signatures in their public auditing mechanism. In addition, they also used index hash tables to provide dynamic operations for users. Wang et al. [5] leveraged homomorphic tokens to ensure the correctness of erasure code-based data dis- tributed on multiple servers. To minimize the commu- nication overhead in the phase of data repair, Chen et al. [33] introduced a mechanism for auditing the correctness of data with the multi-server scenario, where these data are encoded with network coding. More recently, Cao et al. [11] constructed an LT code-based secure cloud storage mechanism. Compared to previous mechanisms [5], [33], this mechanism can avoid high decoding computation costs for data users and save com- putation resources for online data owners during data repair. Recently, Wang et al. [34] proposed a certificateless public auditing mechanism to reduce security risks in certificate management compared to previous certificate- based solutions. When a third-party auditor (TPA) is introduced into a public auditing mechanism in the cloud, both the content of data and the identities of signers are private information to users, and should be preserved from the TPA. The public mechanism proposed by Wang et al. [7] is able to preserve users’ confidential data from the TPA by using random maskings. In addition, to operate multiple auditing tasks from different users efficiently, they also extended their mechanism to support batch auditing. Our recent work [14] first proposed a mecha- nism for public auditing shared data in the cloud for a group of users. With ring signature-based homomorphic authenticators, the TPA can verify the integrity of shared data but is not able to reveal the identity of the signer on each block. The auditing mechanism in [16] is designed to preserve identity privacy for a large number of users. However, it fails to support public auditing. Proofs of Retrievability (POR) [35] is another direction to check the correctness of data stored in a semi-trusted server. Unfortunately, POR and its subsequent work [36] do not support public verification, which fails to satisfy the design objectives in our paper. 10 CONCLUSIONS In this paper, we proposed a new public auditing mechanism for shared data with efficient user revocation in the cloud. When a user in the group is revoked, we allow the semi-trusted cloud to re-sign blocks that were
  • 14. 14 IEEE TRANSACTIONS ON XXXXXX, VOL. X, NO. X, XXXX 201X signed by the revoked user with proxy re-signatures. Experimental results show that the cloud can improve the efficiency of user revocation, and existing users in the group can save a significant amount of computation and communication resources during user revocation. REFERENCES [1] B. Wang, B. Li, and H. Li, “Public Auditing for Shared Data with Efficient User Revoation in the Cloud,” in the Proceedings of IEEE INFOCOM 2013, 2013, pp. 2904–2912. [2] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, “A View of Cloud Computing,” Communications of the ACM, vol. 53, no. 4, pp. 50–58, Apirl 2010. [3] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peter- son, and D. Song, “Provable Data Possession at Untrusted Stores,” in the Proceedings of ACM CCS 2007, 2007, pp. 598–610. [4] H. Shacham and B. Waters, “Compact Proofs of Retrievability,” in the Proceedings of ASIACRYPT 2008. Springer-Verlag, 2008, pp. 90–107. [5] C. Wang, Q. Wang, K. Ren, and W. Lou, “Ensuring Data Storage Security in Cloud Computing,” in the Proceedings of ACM/IEEE IWQoS 2009, 2009, pp. 1–9. [6] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, “Enabling Public Verifiability and Data Dynamic for Storage Security in Cloud Computing,” in the Proceedings of ESORICS 2009. Springer-Verlag, 2009, pp. 355–370. [7] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing,” in the Proceedings of IEEE INFOCOM 2010, 2010, pp. 525–533. [8] Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu, and S. S. Yau, “Dynamic Audit Services for Integrity Verification of Outsourced Storage in Clouds,” in the Proceedings of ACM SAC 2011, 2011, pp. 1550–1557. [9] C. Wang, Q. Wang, K. Ren, and W. Lou, “Towards Secure and Dependable Storage Services in Cloud Computing,” IEEE Trans- actions on Services Computing, vol. 5, no. 2, pp. 220–232, 2011. [10] Y. Zhu, G.-J. Ahn, H. Hu, S. S. Yau, H. G. An, and S. Chen, “Dynamic Audit Services for Outsourced Storage in Clouds,” IEEE Transactions on Services Computing, accepted. [11] N. Cao, S. Yu, Z. Yang, W. Lou, and Y. T. Hou, “LT Codes-based Secure and Reliable Cloud Storage Service,” in the Proceedings of IEEE INFOCOM 2012, 2012, pp. 693–701. [12] J. Yuan and S. Yu, “Proofs of Retrievability with Public Verifiabil- ity and Constant Communication Cost in Cloud,” in Proceedings of ACM ASIACCS-SCC’13, 2013. [13] H. Wang, “Proxy Provable Data Possession in Public Clouds,” IEEE Transactions on Services Computing, accepted. [14] B. Wang, B. Li, and H. Li, “Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud,” in the Proceedings of IEEE Cloud 2012, 2012, pp. 295–302. [15] S. R. Tate, R. Vishwanathan, and L. Everhart, “Multi-user Dy- namic Proofs of Data Possession Using Trusted Hardware,” in Proceedings of ACM CODASPY’13, 2013, pp. 353–364. [16] B. Wang, B. Li, and H. Li, “Knox: Privacy-Preserving Auditing for Shared Data with Large Groups in the Cloud,” in the Proceedings of ACNS 2012, June 2012, pp. 507–525. [17] M. Blaze, G. Bleumer, and M. Strauss, “Divertible Protocols and Atomic Proxy Cryptography,” in the Proceedings of EUROCRYPT 98. Springer-Verlag, 1998, pp. 127–144. [18] A. Shamir, “How to share a secret,” in Communication of ACM, vol. 22, no. 11, 1979, pp. 612–613. [19] B. Wang, H. Li, and M. Li, “Privacy-Preserving Public Auditing for Shared Cloud Data Supporting Group Dynamics,” in the Proceedings of IEEE ICC 2013, 2013. [20] B. Wang, S. S. Chow, M. Li, and H. Li, “Storing Shared Data on the Cloud via Security-Mediator,” in Proceedings of IEEE ICDCS 2013, 2013. [21] M. Li, N. Cao, S. Yu, and W. Lou, “FindU: Private-Preserving Per- sonal Profile Matching in Mobile Social Networks,” in Proceedings of IEEE INFOCOM, 2011, pp. 2435 – 2443. [22] G. Ateniese and S. Hohenberger, “Proxy Re-signatures: New Definitions, Algorithms and Applications,” in the Proceedings of ACM CCS 2005, 2005, pp. 310–319. [23] M. van Dijk, A. Juels, A. Oprea, R. L. Rivest, E. Stefanov, and N. Triandopoulos, “Hourglass schemes: how to prove that cloud files are encrypted,” in the Proceedings of ACM CCS 2012, 2012, pp. 265–280. [24] X. Liu, Y. Zhang, B. Wang, and J. Yan, “Mona: Secure Multi- Owner Data Sharing for Dynamic Groups in the Cloud,” IEEE Transactions on Parallel and Distributed Systems (TPDS), vol. 24, no. 6, pp. 1182–1191, 2013. [25] A. L. Ferrara, M. Green, S. Hohenberger, and M. Ø. Pedersen, “Practical Short Signature Batch Verification,” in Proc. CT-RSA. Springer-Verlag, 2009, pp. 309–324. [26] L. Xu, X. Wu, and X. Zhang, “CL-PRE: a Certificateless Proxy Re- Encryption Scheme for Secure Data Sharing with Public Cloud,” in the Proceedings of ACM ASIACCS 2012, 2012. [27] Pairing Based Cryptography (PBC) Library. [Online]. Available: http://crypto.stanford.edu/pbc/ [28] The Java Pairing Based Cryptography (jPBC) Library Benchmark. [Online]. Available: http://gas.dia.unisa.it/projects/ jpbc/benchmark.html [29] J. Yuan and S. Yu. Efficient Public Integrity Checking for Cloud Data Sharing with Multi-User Modification. [Online]. Available: http://eprint.iacr.org/2013/484 [30] D. Boneh, B. Lynn, and H. Shacham, “Short Signature from the Weil Pairing,” in the Proceedings of ASIACRYPT 2001. Springer- Verlag, 2001, pp. 514–532. [31] G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, “Scalable and Efficient Provable Data Possession,” in the Proceedings of ICST SecureComm 2008, 2008. [32] C. Erway, A. Kupcu, C. Papamanthou, and R. Tamassia, “Dynamic Provable Data Possession,” in the Proceedings of ACM CCS 2009, 2009, pp. 213–222. [33] B. Chen, R. Curtmola, G. Ateniese, and R. Burns, “Remote Data Checking for Network Coding-based Distributed Stroage Sys- tems,” in the Proceedings of ACM CCSW 2010, 2010, pp. 31–42. [34] B. Wang, B. Li, and H. Li, “Certificateless Public Auditing for Data Integrity in the Cloud,” in Proceedings of IEEE CNS 2013, 2013, pp. 276–284. [35] A. Juels and B. S. Kaliski, “PORs: Proofs pf Retrievability for Large Files,” in Proceedings of ACM CCS’07, 2007, pp. 584–597. [36] D. Cash, A. Kupcu, and D. Wichs, “Dynamic Proofs of Retriev- ability via Oblivious RAM,” in Proceedings of EUROCRYPT 2013, 2013, pp. 279–295. Boyang Wang is a Ph.D. student from the School of Telecommunications Engineering, Xi- dian University, Xi’an, China. He was a visit- ing Ph.D. student at the Department of Elec- trical and Computer Engineering, University of Toronto, from Sep. 2010 to Aug. 2012. He ob- tained his B.S. in information security from Xi- dian University in 2007. His current research interests focus on security and privacy issues in cloud computing, big data, and applied cryptog- raphy. He is a student member of IEEE. Baochun Li is a Professor at the Department of Electrical and Computer Engineering at the Uni- versity of Toronto, and holds the Bell University Laboratories Endowed Chair in Computer En- gineering. His research interests include large- scale multimedia systems, cloud computing, peer-to-peer networks, applications of network coding, and wireless networks. He is a member of ACM and a senior member of IEEE. Hui Li is a Professor at the School of Telecommunications Engineering, Xidian Uni- versity, Xi’an, China. He received B.Sc. degree from Fudan University in 1990, M.Sc. and Ph.D. degrees from Xidian University in 1993 and 1998. In 2009, he was with Department of ECE, University of Waterloo as a visiting scholar. His research interests are in the areas of cryptog- raphy, security of cloud computing, wireless net- work security, information theory. He is the co- author of two books. He served as TPC co-chair of ISPEC 2009 and IAS 2009, general co-chair of E-Forensic 2010, ProvSec 2011 and ISC 2011.