certificateless public auditing with privacy preserving...

Research ArticleCertificateless Public Auditing with Privacy Preserving forCloud-Assisted Wireless Body Area Networks

Baoyuan Kang JiaqiangWang and Dongyang Shao

School of Computer Science and Software Tianjin Polytechnic University Tianjin 300387 China

Correspondence should be addressed to Baoyuan Kang baoyuankangaliyuncom

Received 9 January 2017 Accepted 11 April 2017 Published 6 July 2017

Academic Editor Stefania Sardellitti

Copyright copy 2017 Baoyuan Kang et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

With cloud computing being integrated with wireless body area networks the digital ecosystem called cloud-assisted WBAN wasproposed In cloud-assisted medical systems the integrity of the stored data is important Recently based on certificateless publickey cryptography He et al proposed a certificateless public auditing scheme for cloud-assisted WBANs But He et alrsquos schemeis not a scheme with privacy preserving After many checks on some of the same data blocks the auditor can derive these datablocks In this paper we propose a certificateless public auditing scheme with privacy preserving for cloud-assistedWBANs In theproof phase of the proposed scheme the proof information is protected from being directly exposed to the auditor So the curiousauditor could not derive the data blocks We also prove that the proposed scheme is secure in the random oracle model under theassumption that the Diffie-Hellman problem is hard and we give a comparison of the proposed scheme with He et alrsquos scheme interms of security and computation cost

1 Introduction

Advances in wireless communication technologies micro-controller systems and sensor technologies have enabledthe design and development of wireless body area networks(WBANs) that are playing an increasingly important role inhealthcare systems because of their ability to provide continu-ous measurements and to monitor a patientrsquos health status byusing medical sensors implanted inside the patientrsquos body [1]

To make a fast diagnosis and store and process sensingdata in real time cloud computing is being integrated withtraditional WBANs to propose the digital ecosystem calledcloud-assistedWBAN In cloud-assistedmedical systems thedata stored in the cloud-based store resource are the basis ofall diagnoses So the integrity of the stored data is importantAs a cryptographic technique public auditing scheme [2]could provide effective data integrity check service in cloud-assistedWBANs In a typical public auditing scheme in cloudservice there are three entities a data user a cloud serverand a third-party auditor Data file from the data user isoutsourced to the cloud server and the auditor provides thedata integrity check service for the data userThe data user is a

resource-constrained entity but the auditor has certain com-putation ability and expertise for integrity checking AfterAteniese et alrsquos pioneering work [2] many auditing schemeswere proposed [3ndash18] But these schemeswere constructed ona public key cryptographic system data users and the auditorneed more storage space or computation cost in key manage-ment and verification

In ID-based cryptography [19] the public key of any useris hisher identity So it is clear that the auditing schemeson the ID-based cryptography system will reduce the costsof the data users and the auditor Many ID-based publicauditing schemes are proposed [20ndash23] But in ID-basedpublic auditing schemes the PKG (private key generator)knows any userrsquos private key It is clear that for patient privacyinformation process in cloud-assisted medical systems ID-based public auditing schemes are not secure Recently basedon certificateless public key cryptography [24] He et alproposed a certificateless public auditing scheme for cloud-assisted WBANs [1] In certificateless public key cryptogra-phy the private key of a user consists of two parts One isthe partial private key generated by the PKG and the otheris a secret key generated by the user So certificateless public

HindawiMobile Information SystemsVolume 2017 Article ID 2925465 5 pageshttpsdoiorg10115520172925465

2 Mobile Information Systems

key cryptography simultaneously overcomes the drawbackof public key cryptography and ID-based cryptographyCertificateless public auditing scheme is very applicable forcloud-assisted WBANs with energy-limited sensors and alarge amount of personal sensitive information In [1] theproposed certificateless public auditing scheme is proved tobe secure and very suitable for use in cloud-assistedWBANsButHe et alrsquos scheme is not a schemewith privacy preservingAfter many checks on some of the same data blocks theauditor can derive these data blocks from the proof informa-tion that the cloud server submitted

In this paper we propose a certificateless public auditingscheme with privacy preserving In the proof phase of theproposed scheme the proof information is protected frombeing directly exposed to the auditor So the curious auditorcould not derive the data blocks We also prove that theproposed scheme is secure in the randomoraclemodel underthe assumption that the Diffie-Hellman problem is hard

The rest of the paper is organized as follows In Section 2we propose the system and security model In Section 3we review bilinear pairing and computational Diffie-Hellmanproblem relevant to the security of the proposed scheme Acertificateless public auditing schemewith privacy preservingis proposed in Section 4 In Section 5 we provide securityproofs of the proposed scheme In Section 6 we compare theproposed scheme with He et alrsquos scheme in terms of securityand computation cost Conclusion is given in Section 7

2 The System and Security Model

21 The System Model There are four entities included in acertificateless public auditing scheme

(1) A data user (DU) who possesses a data file needed tobe stored on the cloud

(2) A cloud server (CS) that provides data storage serviceto the data user

(3) A third-party auditor (AU) who has capacities tocheck data integrity on behalf of the data user

(4) A private key generator (PKG) that is responsible forsetting up the system parameter and generating thepartial private key for any entity by using the entityrsquosidentity information

To reduce the burden of data file storage the data user(DU) uploads hisher data file to the cloud server (CS) forstorage and the DU no longer possesses hisher data filelocally To ensure the data file is correctly stored in thecloud server DU entrusts the trusted third-party AUwho hasexpertise and computation capabilities to periodically checkhisher data file integrity

22 The Security Model In a certificateless public auditingscheme PKG is a trusted authority DU is honest and AUis honest but curious CS is a semitrusted party heshemight change or delete the data userrsquos file for hisher benefitand forge the proof information for passing data integritychecking We will also investigate whether AU can get any

information about the data file content during the auditingprocess

Our design goals are three aspects

(1) Public auditability AU can verify the correctnessof the cloud data file blocks on demand withoutretrieving a copy of the whole data file or introducingadditional online burden to the cloud users

(2) Storage correctness no cheating cloud server can passAUrsquos audit

(3) Privacy preserving AU cannot derive data userrsquos filecontent from the information collected during theauditing process

3 Preliminary

31 The Bilinear Pairing Let 1198661 be a cyclic additive groupgenerated by119875 whose order is a prime 119902 and let1198662 be a cyclicmultiplicative group of the same order Let 119890 1198661 times 1198661 rarr 1198662be a pairing map which satisfies the following conditions

(1) Bilinearity For any 119875119876 119877 isin 1198661 then119890 (119875 + 119876 119877) = 119890 (119875 119877) 119890 (119876 119877) 119890 (119875 119876 + 119877) = 119890 (119875 119876) 119890 (119875 119877) (1)

In particular for any 119886 119887 isin 119885119902 119890(119886119875 119887119875) = 119890(119875 119886119887119875) =119890(119886119887119875 119875) = 119890(119875 119875)119886119887(2) NondegeneracyThere exists119875119876 isin 1198661 such that 119890(119875 119876) =1(3) Computability There is an efficient algorithm to compute119890(119875 119876) for all 119875119876 isin 119866132 Computational Diffie-Hellman (CDH) Problem There isa generator 119875 of an additive cyclic group 119866 with order 119902 andthere is (119886119875 119887119875) for unknown 119886 119887 isin 119885lowast119902 to compute 1198861198871198754 The Proposed Scheme

The proposed certificateless public auditing scheme consistsof seven algorithms setup partial-private-key extraction set-public key tag generation challenge phase prove phase andverify phase

Setup Given a security parameter 119896 isin 119885 the algorithmworksas follows

(1) Run the parameter generator on input 119896 to generate aprime 119902 an additive cyclic group1198661 and a multiplica-tive cyclic group 1198662 of the same order 119902 a generator119875 of 1198661 and a bilinear map 119890 1198661 times 1198661 rarr 1198662

(2) Pick a random 119904 isin 119885lowast119902 as master key of PKG and setsystem public key 119875pub = 119904 sdot 119875

Mobile Information Systems 3

(3) Choose four cryptographic hash functions

1198671 0 1lowast 997888rarr 11986611198672 0 1lowast 997888rarr 1198851199021198673 0 1lowast 997888rarr 11986611198674 0 1lowast 997888rarr 1198661

(2)

The system parameters are ⟨119902 1198661 1198662 119890 119875 119875pub 1198671 11986721198673 1198674⟩Partial-Private-Key Extraction When any one wants to reg-ister hisher identity ID119894 to PKG the algorithm works asfollows

(1) Compute 119876119894 = 119867(ID119894) isin 1198661(2) Set the partial private key 119878119894 = 119904 sdot 119876119894 where 119904 is the

master key of PKG

Set-Public Key Given a userrsquos identity ID119894 this algorithmpicks a random 119909119894 isin 119885lowast119902 as the userrsquos secret value and com-putes hisher public key as 119875119894 = 119909119894119875Tag Generation For a data file 119872 = 1198981 sdot sdot sdot 119898119899 119898119894 isin 119885119902this algorithm works as follows

(1) For each data block119898119894 choose 119903119894 isin119877119885lowast119902 and compute

119877119894 = 119903119894 sdot 119875ℎ119894 = 1198672 (119898119894 119877119894 IDDU 119875DU) 119885119894 = 1198673 (119898119894 119877119894 IDDU 119875DU) 119879 = 1198674 (119875pub)

(3)

(2) Compute

120590119898119894 = ℎ119894119878DU + 119909DU119885119894 + (119903119894 + 119898119894) 119879 (4)

Let 120593 = ((1205901198981 1198771) (120590119898119899 119877119899))(3) DU sends (IDDU119872 120593) to CS(4) DU sends

REDU

= (IDDU IDCS 120596 = ((ℎ1 1198851 1198771) (ℎ119899 119885119899 119877119899))) (5)

to AU

Challenge Phase To check the integrity of the outsourced datafile 119872 AU randomly chooses a set 119868 sube [1 119899] and a number119886 isin 119885119902 to generate the challenging information

Chall = [IDDU 119886 119868] (6)

and sends it to the CS

Prove Phase Upon receiving Chall = [IDDU 119886 119868] CS pro-duces set 120596 = (119894 V119894) 119894 isin 119868

Here V119894 = 119886119894mod 119902 Then using 119872 = 1198981 sdot sdot sdot 119898119899 and120593 CS picks a random number 119897 isin 119885lowast119902 computes

120590 = sum119894isin119868

V119894120590119898119894

120583 = (sum119894isin119868

V119894119898119894 minus 119897 sdot 1198672 (119871))mod 119902(7)

and sends proof information (120590 120583 119871) to theAUHere119871 = 119897sdot119875Verify Phase Upon receiving the proof information (120590 120583 119871)based on stored information REDU AU computes

ℎ = sum119894isin119868

V119894ℎ119894119885 = sum119894isin119868

V119894119885119894119877 = sum119894isin119868

V119894119877119894(8)

Then it checks the equation

119890 (120590 119875) = 119890 (ℎ119876DU 119875pub) sdot 119890 (119885 119875DU)sdot 119890 (119877 + 120583 sdot 119875 + 1198672 (119871) sdot 119871 119879)

(9)

If the equation holds AU accepts the proofThe correctness of the above verification equation can be

demonstrated as follows

119890 (120590 119875) = 119890(sum119894isin119868

V119894120590119898119894 119875) = prod119894isin119868

119890 (V119894120590119898119894 119875)

= prod119894isin119868

119890 (V119894ℎ119894119878DU + V119894119909DU119885119894 + V119894 (119903119894 + 119898119894) 119879 119875)

= 119890(sum119894isin119868

V119894ℎ119894119878DU 119875) sdot 119890(sum119894isin119868

V119894119909DU119885119894 119875)

sdot 119890(sum119894isin119868

V119894 (119903119894 + 119898119894) 119879 119875)

= 119890 (ℎ119876DU 119875pub) sdot 119890 (119885 119875DU)sdot 119890 (119877 + 120583119875 + 1198672 (119871) sdot 119871 119879)

(10)

5 Security

In this section we discuss the security of the proposedscheme in unforgeability and privacy preserving


51 Unforgeability

Theorem 1 If the CDH assumption is hard then the proposedscheme is secure against proof information existential forgeryattack from the CS

Proof of Theorem 1 We will show that if CS can forge validproof information the challenger will use the forged proofinformation to solve the CDH problem

Because CS has the signature of any one file block CSneeds not do tag oracle So we only look at hash functions1198671 1198672 as random oracles For given CDH problem instance(119886119875 119887119875) the challenger lets the system public key 119875pub =119886119875 and in partial-private-key-extract phase for two timesoracles let 119876119894 = 1198671(ID119894) = 120573119895(119887119875) 119895 = 1 2 120573119895 selected bythe challenger is a random number In the proof process forthe same Chall information and same random number 119897 let(1205901 1205831 119871) and (1205902 1205832 119871) be two pieces of valid proof informa-tion under two times different1198672 oracles1198672(119871) = 120578119894 119894 = 1 2Then the following two equations hold

119890 (1205901 119875) = 119890 (ℎ1205731 (119887119875) 119886119875) sdot 119890 (119885 119875DU)sdot 119890 (119877 + 1205831 sdot 119875 + 1205781 sdot (119897119875) 119879)


(11)

Then

119890 (1205902 minus 1205901 119875)= 119890 (ℎ (1205732 minus 1205731) (119887119875) 119886119875)

sdot 119890 ((1205832 minus 1205831) sdot 119875 + (1205782 minus 1205781) sdot (119897119875) 119879) (12)

So

1205902 minus 1205901 = ℎ (1205732 minus 1205731) (119886119887119875)+ ((1205832 minus 1205831) + (1205782 minus 1205781) 119897) sdot 119879 (13)

The challenger derives

119886119887119875 = (ℎ (1205732 minus 1205731))minus1sdot (1205902 minus 1205901 minus ((1205832 minus 1205831) + (1205782 minus 1205781) 119897) sdot 119879)

(14)

52 Privacy Preserving

Theorem 2 In the proposed scheme AU cannot derive anyinformation about DUrsquos data blocks during the whole auditingprocedure

Table 1 Comparison of security

Unforgeability Privacy preservingHe et al [1] Yes NoOurs Yes Yes

Proof ofTheorem 2 In the whole auditing procedure AU canget information

REDU

= (IDDU IDCS 120596 = ((ℎ1 1198851 1198771) (ℎ119899 119885119899 119877119899))) Chall = [IDDU 119886 119868] 120590 = sum119894isin119868

V119894120590119898119894

120583 = (sum119894isin119868

V119894119898119894 minus 119897 sdot 1198672 (119871))mod 119902

(15)

But Chall = [IDDU 119886 119868] are irrelevant to the file content andAU cannot derive any information about the data blocks fromℎ119894 119885119894 since the hash functions are secure

AU cannot derive any information about the data blocksfrom equation 120583 = (sum119894isin119868 V119894119898119894 minus 119897 sdot1198672(119871))mod 119902 since there isan unknown random number 119897

Finally AU cannot derive file content information from1205906 Comparisons

In this section we compare the proposed scheme with Heet alrsquos scheme [1] in terms of security and computation costIn the comparison of computation cost we use 119875 119867 and119864 as scalar multiplication computation hash computationand bilinear pairings computation respectively We show thecomparison results in Tables 1 and 2 According to Table 1our scheme demonstrates better security and according toTable 2 there is notable low hash computation cost in theproposed scheme Of course in some phases there are highcomputation costs in multiplication and bilinear pairingscomputation

7 Conclusion

In this paper we propose a certificateless public auditingscheme with privacy preserving for cloud-assisted wirelessbody area networks In the proof phase of the proposedscheme the proof information is protected from beingdirectly exposed to the auditor So the curious auditor couldnot derive the data blocks We also prove that the proposedscheme is secure in the random oracle model under theassumption that the Diffie-Hellman problem is hard Thecomparison indicates that the proposed scheme is moresecure and suitable for cloud-assisted wireless body areanetworks


Table 2 Comparison of computation cost

1198601 1198602 1198603 1198604 1198605 1198606He et al [1] 1119875 1119875 + 1119867 1119901 2119875 + 3119867 |119868|119875 (|119868| + 3)119875 + (|119868| + 3)119867 + 2119864Ours 1119875 1119875 + 1119867 1119875 4119875 + 3119867 |119868|119875 + 1 (2|119868| + 3)119875 + 1119867 + 41198641198601 setup 1198602 partial-private-key extraction 1198603 set-public key 1198604 tag generation 1198605 proof phase 1198606 verify phase

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is supported by the Applied Basic and AdvancedTechnology Research Programs of Tianjin (no 15JCY-BJC15900)

References

[1] D He S Zeadally and L Wu ldquoCertificateless public auditingscheme for cloud-assisted wireless body area networksrdquo IEEESystems Journal no 99 2015

[2] G Ateniese R Burns R Curtmola et al ldquoProvable data posses-sion at untrusted storesrdquo in Proceedings of the 14th ACM Con-ference on Computer and Communications Security (CCS rsquo07)pp 598ndash609 Virginia Va USA November 2007

[3] G Ateniese S Kamara and J Katz ldquoProofs of storage fromhomomorphic identification protocolsrdquo in Proceedings of theInternational Conference on Theory and Application of Cryptol-ogy and Information Security Advances in Cryptology pp 319ndash333 2009

[4] R Lu X Lin T H Luan X Liang and X Shen ldquoPseudonymchanging at social spots an effective strategy for location pri-vacy in VANETsrdquo IEEE Transactions on Vehicular Technologyvol 61 no 1 pp 86ndash96 2012

[5] N Kaaniche A Boudguiga and M Laurent ldquoID based cryp-tography for cloud data storagerdquo in Proceedings of the IEEE 6thInternational Conference on Cloud Computing pp 375ndash382 July2013

[6] Q-A Wang C Wang K Ren W-J Lou and J Li ldquoEnablingpublic auditability and data dynamics for storage security incloud computingrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 22 no 5 pp 847ndash859 2011

[7] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE INFOCOM pp 525ndash533 2010

[8] J Yuan and S Yu ldquoPublic integrity auditing for dynamic datasharing with multiuser modificationrdquo IEEE Transactions onInformation Forensics and Security vol 10 no 8 pp 1717ndash17262015

[9] J H Zhang and X B Zhao ldquoPrivacy-preserving public auditingscheme for shared data with supporting multi-functionrdquo Jour-nal of Communications vol 10 no 7 pp 535ndash542 2015

[10] K Zeng ldquoPublicly verifiable remote data integrityrdquo in Proceed-ings of the 10th International Conference on Information andCommunications Security pp 419ndash434 2008

[11] Y ZhuHHuG-J Ahn andMYu ldquoCooperative provable datapossession for integrity verification inmulticloud storagerdquo IEEE

Transactions on Parallel and Distributed Systems vol 23 no 12pp 2231ndash2244 2012

[12] Y Zhu H Wang Z Hu G J Ahn H Hu and S S YauldquoDynamic audit services for integrity verification of outsourcedstorages in cloudsrdquo in Proceedings of the ACM Symposium onApplied Computing pp 1550ndash1557 2011

[13] S G Worku C Xu J Zhao and X He ldquoSecure and efficientprivacy-preserving public auditing scheme for cloud storagerdquoComputers and Electrical Engineering vol 40 no 5 pp 1703ndash1713 2014

[14] Y Li Y Yu B Yang G Min and H Wu ldquoPrivacy preservingcloud auditing with efficient key updaterdquo Future GenerationComputer Systems 2016

[15] L Xue J Ni Y Li and J Shen ldquoProvable data transfer fromprovable data possession and deletion in cloud storagerdquo Com-puter Standard amp Interfaces 2016

[16] D He H Wang J Zhang and L Wang ldquoInsecurity of anidentity-based public auditing protocol for the outsourced datain cloud storagerdquo Information Sciences vol 375 pp 48ndash53 2017

[17] D Kim H Kwon C Hahn and J Hur ldquoPrivacy-preservingpublic auditing for educational multimedia data in cloud com-putingrdquo Multimedia Tools and Applications vol 75 no 21 pp13077ndash13091 2016

[18] T Yang B Yu H Wang J Li and Z Lv ldquoCryptanalysis andimprovement of Pandamdashpublic auditing for shared data incloud and internet of thingsrdquo Multimedia Tools and Applica-tions vol 8 2015

[19] H Jin K ZhouH Jiang D Lei RWei andC Li ldquoFull integrityand freshness for cloud datardquo Future Generation ComputerSystems 2015

[20] B Kang and D Xu ldquoSecure electronic cash scheme withanonymity revocationrdquo Mobile Information Systems vol 2016Article ID 2620141 10 pages 2016

[21] H Wang J Domingo-Ferrer Q Wu and B Qin ldquoIdentity-based remote data possession checking in public cloudsrdquo IETInformation Security vol 8 no 2 pp 114ndash121 2014

[22] J Zhang and Q Dong ldquoEfficient ID-based public auditing forthe outsourced data in cloud storagerdquo Information Sciences vol343-344 pp 1ndash14 2016

[23] Y Yu L Xue M H Au et al ldquoCloud data integrity checkingwith an identity-based auditing mechanism from RSArdquo FutureGeneration Computer Systems vol 62 pp 85ndash91 2016

[24] S AI-Riyami and K Paterson ldquoCertificateless public key cryp-tographyrdquo in Proceedings of the Annual International Conferenceon the Theory and Applications of Cryptology and InformationSecurity pp 452ndash473 2003

Submit your manuscripts athttpswwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014


Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Electrical and Computer Engineering

Journal of

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in



key cryptography simultaneously overcomes the drawbackof public key cryptography and ID-based cryptographyCertificateless public auditing scheme is very applicable forcloud-assisted WBANs with energy-limited sensors and alarge amount of personal sensitive information In [1] theproposed certificateless public auditing scheme is proved tobe secure and very suitable for use in cloud-assistedWBANsButHe et alrsquos scheme is not a schemewith privacy preservingAfter many checks on some of the same data blocks theauditor can derive these data blocks from the proof informa-tion that the cloud server submitted

In this paper we propose a certificateless public auditingscheme with privacy preserving In the proof phase of theproposed scheme the proof information is protected frombeing directly exposed to the auditor So the curious auditorcould not derive the data blocks We also prove that theproposed scheme is secure in the randomoraclemodel underthe assumption that the Diffie-Hellman problem is hard

The rest of the paper is organized as follows In Section 2we propose the system and security model In Section 3we review bilinear pairing and computational Diffie-Hellmanproblem relevant to the security of the proposed scheme Acertificateless public auditing schemewith privacy preservingis proposed in Section 4 In Section 5 we provide securityproofs of the proposed scheme In Section 6 we compare theproposed scheme with He et alrsquos scheme in terms of securityand computation cost Conclusion is given in Section 7

2 The System and Security Model

21 The System Model There are four entities included in acertificateless public auditing scheme

(1) A data user (DU) who possesses a data file needed tobe stored on the cloud

(2) A cloud server (CS) that provides data storage serviceto the data user

(3) A third-party auditor (AU) who has capacities tocheck data integrity on behalf of the data user

(4) A private key generator (PKG) that is responsible forsetting up the system parameter and generating thepartial private key for any entity by using the entityrsquosidentity information

To reduce the burden of data file storage the data user(DU) uploads hisher data file to the cloud server (CS) forstorage and the DU no longer possesses hisher data filelocally To ensure the data file is correctly stored in thecloud server DU entrusts the trusted third-party AUwho hasexpertise and computation capabilities to periodically checkhisher data file integrity

22 The Security Model In a certificateless public auditingscheme PKG is a trusted authority DU is honest and AUis honest but curious CS is a semitrusted party heshemight change or delete the data userrsquos file for hisher benefitand forge the proof information for passing data integritychecking We will also investigate whether AU can get any

information about the data file content during the auditingprocess

Our design goals are three aspects

(1) Public auditability AU can verify the correctnessof the cloud data file blocks on demand withoutretrieving a copy of the whole data file or introducingadditional online burden to the cloud users

(2) Storage correctness no cheating cloud server can passAUrsquos audit

(3) Privacy preserving AU cannot derive data userrsquos filecontent from the information collected during theauditing process

3 Preliminary

31 The Bilinear Pairing Let 1198661 be a cyclic additive groupgenerated by119875 whose order is a prime 119902 and let1198662 be a cyclicmultiplicative group of the same order Let 119890 1198661 times 1198661 rarr 1198662be a pairing map which satisfies the following conditions

(1) Bilinearity For any 119875119876 119877 isin 1198661 then119890 (119875 + 119876 119877) = 119890 (119875 119877) 119890 (119876 119877) 119890 (119875 119876 + 119877) = 119890 (119875 119876) 119890 (119875 119877) (1)

In particular for any 119886 119887 isin 119885119902 119890(119886119875 119887119875) = 119890(119875 119886119887119875) =119890(119886119887119875 119875) = 119890(119875 119875)119886119887(2) NondegeneracyThere exists119875119876 isin 1198661 such that 119890(119875 119876) =1(3) Computability There is an efficient algorithm to compute119890(119875 119876) for all 119875119876 isin 119866132 Computational Diffie-Hellman (CDH) Problem There isa generator 119875 of an additive cyclic group 119866 with order 119902 andthere is (119886119875 119887119875) for unknown 119886 119887 isin 119885lowast119902 to compute 1198861198871198754 The Proposed Scheme

The proposed certificateless public auditing scheme consistsof seven algorithms setup partial-private-key extraction set-public key tag generation challenge phase prove phase andverify phase

Setup Given a security parameter 119896 isin 119885 the algorithmworksas follows

(1) Run the parameter generator on input 119896 to generate aprime 119902 an additive cyclic group1198661 and a multiplica-tive cyclic group 1198662 of the same order 119902 a generator119875 of 1198661 and a bilinear map 119890 1198661 times 1198661 rarr 1198662

(2) Pick a random 119904 isin 119885lowast119902 as master key of PKG and setsystem public key 119875pub = 119904 sdot 119875




(2)



master key of PKG




(3)

(2) Compute

120590119898119894 = ℎ119894119878DU + 119909DU119885119894 + (119903119894 + 119898119894) 119879 (4)


REDU

= (IDDU IDCS 120596 = ((ℎ1 1198851 1198771) (ℎ119899 119885119899 119877119899))) (5)

to AU


Chall = [IDDU 119886 119868] (6)




120590 = sum119894isin119868

V119894120590119898119894

120583 = (sum119894isin119868

V119894119898119894 minus 119897 sdot 1198672 (119871))mod 119902(7)


ℎ = sum119894isin119868

V119894ℎ119894119885 = sum119894isin119868

V119894119885119894119877 = sum119894isin119868

V119894119877119894(8)



(9)



119890 (120590 119875) = 119890(sum119894isin119868

V119894120590119898119894 119875) = prod119894isin119868

119890 (V119894120590119898119894 119875)

= prod119894isin119868

119890 (V119894ℎ119894119878DU + V119894119909DU119885119894 + V119894 (119903119894 + 119898119894) 119879 119875)

= 119890(sum119894isin119868


V119894119909DU119885119894 119875)

sdot 119890(sum119894isin119868

V119894 (119903119894 + 119898119894) 119879 119875)


(10)

5 Security



51 Unforgeability






(11)

Then

119890 (1205902 minus 1205901 119875)= 119890 (ℎ (1205732 minus 1205731) (119887119875) 119886119875)


So




(14)






REDU


V119894120590119898119894

120583 = (sum119894isin119868

V119894119898119894 minus 119897 sdot 1198672 (119871))mod 119902

(15)





7 Conclusion







Acknowledgments


References

































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in






(2)



master key of PKG




(3)

(2) Compute

120590119898119894 = ℎ119894119878DU + 119909DU119885119894 + (119903119894 + 119898119894) 119879 (4)


REDU

= (IDDU IDCS 120596 = ((ℎ1 1198851 1198771) (ℎ119899 119885119899 119877119899))) (5)

to AU


Chall = [IDDU 119886 119868] (6)




120590 = sum119894isin119868

V119894120590119898119894

120583 = (sum119894isin119868

V119894119898119894 minus 119897 sdot 1198672 (119871))mod 119902(7)


ℎ = sum119894isin119868

V119894ℎ119894119885 = sum119894isin119868

V119894119885119894119877 = sum119894isin119868

V119894119877119894(8)



(9)



119890 (120590 119875) = 119890(sum119894isin119868

V119894120590119898119894 119875) = prod119894isin119868

119890 (V119894120590119898119894 119875)

= prod119894isin119868

119890 (V119894ℎ119894119878DU + V119894119909DU119885119894 + V119894 (119903119894 + 119898119894) 119879 119875)

= 119890(sum119894isin119868


V119894119909DU119885119894 119875)

sdot 119890(sum119894isin119868

V119894 (119903119894 + 119898119894) 119879 119875)


(10)

5 Security



51 Unforgeability






(11)

Then

119890 (1205902 minus 1205901 119875)= 119890 (ℎ (1205732 minus 1205731) (119887119875) 119886119875)


So




(14)






REDU


V119894120590119898119894

120583 = (sum119894isin119868

V119894119898119894 minus 119897 sdot 1198672 (119871))mod 119902

(15)





7 Conclusion







Acknowledgments


References

































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in




51 Unforgeability






(11)

Then

119890 (1205902 minus 1205901 119875)= 119890 (ℎ (1205732 minus 1205731) (119887119875) 119886119875)


So




(14)






REDU


V119894120590119898119894

120583 = (sum119894isin119868

V119894119898119894 minus 119897 sdot 1198672 (119871))mod 119902

(15)





7 Conclusion







Acknowledgments


References

































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in








Acknowledgments


References

































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in










Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in



certificateless public auditing with privacy preserving...

Documents