ipanm: incentive public auditing scheme for non-manager ...€¦ · 4.2 public auditing model. the...

1545-5971 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2020.3004827, IEEETransactions on Dependable and Secure Computing

JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 1

IPANM: Incentive Public Auditing Scheme forNon-Manager Groups in Clouds

Longxia Huang, Junlong Zhou, Gongxuan Zhang, Senior Member, IEEE, Jin Sun, Tongquan Wei, SeniorMember, IEEE, Shui Yu, Senior Member, IEEE, and Shiyan Hu, Senior Member, IEEE

Abstract—Cloud storage services give users a great facility in data management such as data collection, storage and sharing, but alsobring some potential security hazards. An utmost importance is how to ensure the integrity of data files stored in the cloud, particularfor user groups without trusted managers. Existing literature focuses on integrity checking for groups with managers who have lots ofpermissions. To overcome the shortage of public auditing for non-manager user groups in clouds, we develop a novel framework IPANMthat integrates (t, n) threshold technology, blinding technology, and incentive mechanism to realize an incentive privacy-preserving publicauditing scheme. In IPANM, the data integrity is guaranteed by our (t, n) threshold signature based public auditing and the data privacyduring public auditing is protected by the blinding technology. The generation of signatures can be accelerated by our blockchain-aidedincentive mechanism that mobilizes the initiative of signers in the signature generation by rewarding the contributed signers. We formallyprove the security of our IPANM and conduct numerical analysis and evaluation study to validate its high efficiency. The experimentalresults demonstrate that IPANM has lower overheads of storage, communication, and computation as compared to the state-of-the-arttechnique IAID-PDP and NPP.

Index Terms—incentive, threshold signature, public auditing, blockchain, cloud computing.

F

1 INTRODUCTION

W ITH the help of crowd sensing [1], the users of smartend-devices in the community are able to collect data

about the surrounding environment such as noise levels andmapping. These users have the same power in providing asafe and comfortable living environment for the community.After data collection, the users need to share the data withother members by cloud services. To ensure the correct-ness of the shared data, integrity check is needed. Dueto its massive data storage and processing capacity, cloudcomputing has become a ubiquitous computing service [2]and it can be used in crowd sensing to store the messagescollected by users. As we know, the users that use the cloudservice are in general resource-constrained [3] and theyparticipate in the generation of information together withother devices in the same group to provide high-quality andhigh-coverage measurements of crowd sensing [1]. In sucha scenario, the presence of group managers prevents usersfrom participating in data sharing with equal power. Thus,the power centralization problem of managers needs to be

This work was partially supported by National Natural Science Foundationof China under Grants 61802185 and 61272420, Natural Science Foundationof Jiangsu Province under Grant BK20180470, the National Key Researchand Development Program of China under Grant 2018YFB2101301, theFundamental Research Funds for the Central Universities under Grant30919011233, and China Scholarship Council under Grant 201706840115.Corresponding author: Junlong Zhou. E-mail: [email protected].

• L. Huang, J. Zhou, G. Zhang, and J. Sun are with the School of ComputerScience and Engineering, Nanjing University of Science and Technology,Nanjing 210094, China.

• T. Wei is with the Department of Computer Science and Technology, EastChina Normal University, Shanghai 200241, China.

• S. Yu is with the School of Computer Science, Guangzhou University,Guangzhou 510006, China and the School of Software, University ofTechnology Sydney, Broadway NSW 2007, Australia.

• S. Hu is with School of Electronics and Computer Science, University ofSouthampton, Southampton, SO17 1BJ, United Kingdom.

solved. In addition, if group users are assigned equal power,the low enthusiasm issue of users in crowd sensing cannotbe ignored. Overall, for the above-mentioned scenario weneed to ensure the integrity of stored data, solve the problemof power centralization, and improve users’ enthusiasm.

Cloud storage service allows the devices frequently re-sort to the cloud for outsourced data storage and sharing,which would bring a series of security challenges inevitably[4]. Among all the challenges, the primary concern is the in-tegrity of outsourced files since the data stored in the cloudmay be spoiled by hardware failures, manual operationerrors, or external attack [5]. What’s worse, the cloud mayconceal the fact that the data has been damaged to main-tain its reputation [6]. Beside using hardware to preventmalicious behavior, public auditing has been a widely usedtechnique to ensure the integrity of outsourced data due toits efficiency in verification. Different from the traditionalintegrity checking scheme, there is no need to downloadall file message for verification in public auditing sincepublic auditing runs a challenge-and-response protocol thatcan realize sampling inspection with a high detection rate.What’s more, in public auditing the verification of integrityis run by a third party, which greatly reduces the workloadof group users. However, an inherent problem of publicauditing is that the third party attempts to acquire the dataprivacy during this process [7], [8]. Solving this problem ne-cessitates privacy protection in designing a public auditingscheme for data integrity verification [9], [10].

In addition to utilizing homomorphic authentication [11]in verification to protect the challenged data, we introduceblinding technology in verification to protect data privacysince it supports confidentiality [12]. Note that traditionalmethod only masks the message with random numberswhich still may lead to the leakage of sensitive data [13]. In

Authorized licensed use limited to: East China Normal University. Downloaded on June 27,2020 at 01:53:48 UTC from IEEE Xplore. Restrictions apply.




this paper, the messages got by the auditor are further blind-ed by blinding factors. Since blinding technology supportsconfidentiality, the auditor cannot get the information of theoriginal messages without knowing the blinding factors.It’s worth noting that blinding operation does not affectthe correctness of validation with the aid of bilinear pairtechnology.

Apparently, the manager in a group is assigned too muchpower and may abuse the power to frame an innocentuser or harbor a malicious user [14], which will frustrateusers. The (t, n) threshold signature technique can be usedto mitigate the abuse of single-authority power, where t isthe minimum number of valid participants and n is thenumber of total participants. NPP [14] is a method that uses(t, n) threshold signature to eliminate the abuse of single-authority power by distributing the power to multiple man-agers in the group. However, NPP only partially addressesthe power concentration problem since the multiple man-agers still have higher power than users. Unlike NPP, wepropose to use (t, n) threshold signature in public auditingto solve the power concentration problem by eliminatinggroup managers and assigning each group member thesame power in generating the keys and signatures.

The new problem along with the elimination of groupmanager is that users in the non-manager group may beinactive in the generation of keys and signatures, resultingin an inefficient signature generation. Thus, to aggregate thefinal signature as quickly as possible, our public auditingscheme adopts an incentive mechanism that uses rewardsto stimulate users to take an active part in the generationof final signature. To be specific, the blockchain technology[15] is used to decide which user should be rewarded byrecording the information of signers. The reason we chooseblockchain is that it has the advantages of decentralization,tamper-resistant, and traceability [16], where decentraliza-tion provides users with an equal environment, tamper-resistant ensures users correct and trusted records, andtraceability enables users to verify the recording history.Inspired by that the incentive mechanism in blockchain is toreduce reward by half periodically, we propose a simple yeteffective incentive mechanism that determines the numbersof awards and gives more rewards to the users who generatesignatures earlier in IPANM to solve the negative attitudecaused by non-manager.

In this paper, we aim to design an incentive privacy-preserving public auditing scheme IPANM for user groupswithout a trusted manager. In our IPANM, users are as-signed the same signing power and encouraged to takepart in the generation of signatures with rewards, such thatthe final signature can be derived as soon as possible. Theprivacy of data is preserved using the blinding technologyduring the check of files stored in the cloud. The majorcontributions of this paper are summarized as follows.

1) We propose a privacy-preserving (t, n) thresholdsignature based public auditing scheme IPANM fornon-manager groups. IPANM can achieve an easyauditing since it utilizes the same public key definedby all group users to verify the integrity of files, andensure the signing without a trusted manager bydistributing the power of manager to group users.

Data privacy during public auditing is protectedusing blinding technology.

2) We deploy a novel incentive mechanism in IPANM,which encourages the users in the group to signthe message with rewards. To realize the incentivemechanism, blockchain is used to record the in-formation of signers and determine the users whoshould be awarded.

3) We verify the effectiveness of the IPANM throughtheoretical analyses with respect to incentive, homo-morphic authentication, correctness, public audit-ing, robustness, unforgeability, collusion resistance,file privacy, and auditing efficiency.

4) We carry out extensive experiments to evaluate theperformance of the IPANM in reducing the over-head of storage, computation, and communication.Simulation results demonstrate that the IPANM out-performs the state-of-the-art technique IAID-PDP.

The remainder of this paper is organized as follow.Section 2 introduces the related work and Section 3 reviewsthe preliminary knowledge used in our method IPANM.Section 4 presents the system model and our design ob-jective, and Section 5 describes the IPANM in detail. Tohave a full investigation of the effectiveness of the IPANM,we provide the theoretical analysis in Section 6 and showthe experimental results in Section 7. Concluding remarksand discussions on future work are given in Section 8 andSection 9 separately.

2 RELATED WORK

Considerable research efforts have been devoted to thedesign of public auditing schemes for verifying the integrityof files stored in the cloud. Most of these schemes aredesigned based on Provable Data Possession (PDP) thatallows both a data owner and a public verifier to operateintegrity auditing without downloading the entire data fromthe cloud. For example, Wang et al. [13] proposed a PDP-based mechanism, Oruta, which allows public auditing fordata shared in the cloud. Wang et al. [17] then pointed thatOruta is able to calculate the verification information forauditing the integrity of shared data, but it cannot resistthe group members changing attack. Hence, the authorsdeveloped a new scheme called IAID-PDP [17] that not onlyresists the attack but also gives awards to the crime-reporter.However, due to the adoption of ring signature, the auditingtime of Oruta and IAID-PDP linearly increase with the sizeof user group, thus cannot audit data shared among a largenumber of users.

To tackle this issue induced by ring signature, groupsignature is utilized in the proposed method Knox [18] toconstruct homomorphic authenticators, such that the au-diting time using Knox is independent of the group size.However, Knox uses a group manager that is assigned ahigher authority than users, thus does not support pub-lic auditing and is not suitable for groups of memberswith mutual equality. To solve this problem, NPP [14]uses (t, n) threshold signature to eliminate the abuse ofsingle-authority power by distributing the power to multi-manager. In this paper, we employ the (t, n) threshold signa-ture that not only supports public auditing but also allows n





equal members to take part in generating a valid signature.However, inefficient signature generation may occurs as theequal members may be inactive in the generation of keysand signatures. In addition, the incentive mechanism isintegrated into our (t, n) threshold signature based publicauditing scheme, in order to generate the signature as soonas possible. The incentive mechanism encourages users totake part in signature generation with rewards, which aregranted using the technology of blockchain [15] with decen-tralization, tamper-resistant and traceability. What’s more,the effectiveness of blockchain-based incentive mechanismthat users are encouraged to forward and receive packetswith the incentive to increase their coins has been proved[19]. Inspired by the incentive mechanism in blockchainwhich reduces reward by half periodically, we propose asimple yet effective incentive mechanism that the numbersof awards are defined and gives more rewards to the userswho generate signatures earlier in IPANM to solve thenegative attitude caused by non-manager.

Public auditing schemes must take privacy protectioninto account due to its inherent problem that the public ver-ifier is naturally curious about the sensitive information onthe files and will attempt to obtain private information fromthe message received during the auditing. To this end, a lotof studies have focused on the design of privacy-preservingpublic auditing to support the privacy protection. To realizesensitive information hiding, Shen et al. [9] introduced asanitizer to sanitize the sensitive data blocks and furthertransform the corresponding signatures for auditing. Xueet al. [5] utilized blockchain to directly replace the publicverifier by employing the nonces in a blockchain for theautomatic verification of challenge messages. Wang et al.[15] also discarded the public verifier and used blockchain todesign the smart contract for public cloud storage auditingbased on the non-interactive public PDP. For public auditingschemes with the public verifier, a privacy-aware protocol[20] is proposed to realize the privacy protection by guar-anteeing that the third party auditor is not allowed to learnany knowledge about the data content stored in the cloudserver during the efficient auditing process. Similarly, torealize the privacy protection of multisource IoT data, Tianet al. [2] developed a “zero-knowledge privacy” technique toachieve the privacy protection by ensuring that the verifiercannot obtain any information from publicly available data.However, public auditing using the above methods are notefficient due to their high communication and computationcost. In this paper, we utilize blinding technology to achieveprivacy protection.

3 PRELIMINARIES

Before showing the details of our proposed IPANM, we firstintroduce cryptographic primitives and their correspondingproperties from existing literatures that we evaluate in I-PANM.

3.1 Bilinear Map and Security AssumptionIn IPANM, the integrity checking of files is based on theproperties of bilinear map and the security proof is underComputational Diffie-Hellman assumption in random ora-cle model 2.

Definition 1. (Bilinear Map) [21]. Let G1 and G2 be twomultiplicative cyclic groups of prime order q, and g be a gen-erator of group G1. Then a bilinear map can be represented bye : G1 ×G1 → G2, which has the following properties.

1) For any elements u, v ∈ G1 and any primes a, b ∈ Zq ,the equation e(ua, vb) = e(u, v)ab holds, where Zq isthe set of prime numbers.

2) For any elements u1, u2, v ∈ G1, the equatione(u1 ·u2, v) = e(u1, v) · e(u2, v) holds.

3) There must exist a method that can calculate the map eefficiently, which is non-trivial in the form of e(g, g) 6= 1.

Given a certain elliptic curve, the bilinear maps definedabove can be easily built. To understand our proposedscheme IPANM, the readers only need to know the proper-ties of bilinear maps given in Definition 1. Thus, the detailson how to construct bilinear maps from elliptic curvesare omitted, which can be found in the literature [21]. Inaddition, the security analysis of our IPANM is based on theComputational Diffie-Hellman (CDH) assumption, which isdescribed in Definition 2.

Definition 2. (CDH Assumption). The CDH assumption isbased on CDH problem, which is defined as: given g, gx, gxy ∈ Gas input, where x, y ∈ Zq are unknown, outputs gy . The CDHassumption indicates that for any probabilistic polynomial timealgorithm A, the probability of using A to solve the CDH problemis negligible, which is represented by

AdvCDHA = Pr[A(g, gx, gxy) = gy : x, y ← Zq, g ← G].

3.2 Homomorphic Verifiable Tags

Homomorphic verifiable tags [13], which enable a verifi-er to check the integrity of a file without downloadingthe entire file, are fundamental to develop public auditingmechanisms. In addition to unforgeability, a homomorphicverifiable signature scheme should satisfy the propertiesof blockless verification and non-malleability. Let (pk, sk)represent a pair of the signer’s public and private key,and σ1 and σ2 represent the signatures on block m1 andm2, respectively, where m1,m2 ∈ Zp. After defining thesevariables, the three properties are described as below.

• Unforgeability: only the users with the right privatekey can generate valid signatures.

• Blockless verification: without downloading the da-ta, a verifier can verify the correctness of data inthe cloud with a linear combination of blocks via achallenge-and-response protocol. Specifically, givenσ1 and σ2, random values y1, y2 ∈ Zq , and a linearcombined block m′ = y1m1 + m2y2, the verifier isable to check the correctness of m′ without knowingm1 and m2.

• Non-malleability: given the signatures, a user whodoes not have the valid secret keys cannot generatea valid signature on the combined blocks by usingthe given signatures. Specifically, given σ1 and σ2,random primes y1, y2 ∈ Zq , and a linear combinedblock m′ = y1m1 +m2y2, the user cannot generate avalid σ′ by combining σ1 and σ2 if he/she does nothave sk.





3.3 (t, n) Threshold SignatureAs pointed out earlier, t valid and honest users are requiredto generate a signature on a message. The generation of(t, n) threshold signature is implemented at two steps. Atthe first step, each user gets his/her secret key sharingsto produce a partial signature, and public key sharings toverify the correctness of the produced partial signature. Atthe second step, t valid partial signatures are collected andused to aggregate a final signature on the message. Notethat the generated final signature should have the propertyof unforgeability, which indicates that the probability ofan adversary A winning a game with the help from achallenger C is no larger than an arbitrarily small value ε[22]. The game operates as follows.

1) A selects t − 1 members to corrupt and the othern − t + 1 members always keep honest during thewhole game.

2) A is also allowed to query signing oracle and hashoracle to obtain the public key sharings of users andsignatures of files during the game.

3) A submits hash query on the pair of identifierand block (id′,m′) that has never been presentedto the signing oracle, and generates the signature(id′,m′, σ′) of (id′,m′) with the results receivedfrom C.

The probability that A outputs a valid signature is formu-lated as SuccA(k) = Pr[V erify(id′,m′, σ′) = 1] < ε, wherek is the security parameter.

3.4 Blinding TechnologyIn the traditional public auditing schemes, the auditor s-elects several random numbers {v1, v2, ..., vc} and sendsthem to the cloud server for checking file integrity. Oncegetting these random numbers, the cloud server computesthe proof message as p =

Pi∈[1,c] vimi with the stored file

message mi and returns it to the auditor. The challenge-and-response protocol ensures the cloud server cannot usethe previous proof message to pass the auditing. However,the auditor may try to get the file message with the help ofthe protocol as the auditor is semi-trusted [2]. For example,in the first auditing, the auditor requires the cloud serverto generate the proof message p1 =

Pi∈[1,c] vimi with

a random number set as {v1, v2, ..., vi, ..., vc}. Then, theauditor initiates the second validation with the randomnumber set as {v1, v2, ..., v

′i, ..., vc} to challenge the same

file message. Finally, the auditor has two proof messages asp1 = v1m1+...+vimi+...+vcmc and p2 = v1m1+...+v′imi+...+vcmc. Using the two proof messages, the auditor is ableto compute the file message as mi = (p2 − p1)/(v′i − vi).

To be against the leakage of data privacy, the auditorcan adopt encryption techniques to encrypt the messages.In this paper, we adopt a commonly accepted encryptiontechnique, blinding technology, to protect the sensitive in-formation in the files during the integrity verification. Blind-ing technology is extracted from blind signature, a formof digital signature in which the content of a message isdisguised (blinded) before it is signed [23]. It is a commonlyaccepted encryption technique and has been widely used inapplications where sender privacy is important, and exists

for many public key signing protocols [23]. The philosophybehind blind signature is using a randomly selected blind-ing factor (typically in the form of random number) to en-crypt the transmitted message [23]. Specifically, the blindingprocess is described as follows. In each public auditing, theverifier selects a fresh random number v and sends it tothe cloud to prevent the cloud from passing the integritychecking using the previously transmitted messages [13]. Inaddition, to ensure the verifier cannot get the informationin the obtained message vm, the cloud further chooses arandom factor b and blinds the message by

m′ = vm+ b. (1)

Using the blinded message m′, the verifier cannot get anyinformation about the original messagem but still can verifythe integrity.

3.5 EthereumEthereum is a global, open-source and decentralized appli-cation platform with Turing complete scripting languagethat allows users to create, deploy, and run smart contracts[24]. The smart contract is a tiny executable code that canbe automatically executed without a trusted third partyonce the smart contract is deployed. The properties of smartcontract such as decentralization and self executability makeit possible to guarantee the fairness of incentive in ourscheme. In this paper, we design a simple yet effectiveincentive mechanism and use the Ethereum blockchain torealize it.

4 SYSTEM MODEL AND DESIGN OBJECTIVE

A secure cloud storage is consisted of public auditingscheme and signature scheme, where the former one isbased on the second one. Therefore, in this section, wefirst introduce our proposed signature generation modelthat realizes the generation of keys and signatures, thenpresent the public auditing model which is used to verifythe integrity of files stored in the cloud, and finally describethe design objectives of our scheme.

4.1 Signature Generation ModelTo realize a robust incentive public auditing scheme, wepropose a model of signature generation that is carried outat three major steps: threshold key generation, signaturesharing generation, and signature generation. In the firststep, each user in the group is allowed to take part in thegeneration of keys. During this process, users who take partin and make contributions to key generation by generatingright sharings, are selected as members in qualified usergroup QU to generate the secret key sharings for all users.Clearly, the qualified user group QU is a sub-group of theuser group. In the second step, each user is able to generatethe signature sharing on files after getting the secret keysharing. Any t signers (users in the group) producing thesignature sharings constitute a sign group SG. Note that asigner can belong to multiple signer groups. In the last step,the aggregator selects a signer group and uses their signa-ture sharings to generate the final signature. The flowchartof signature generation is shown in Fig. 1.





...

U1

Ui Ud

User

Group

Un Um

Qualified User Group (QU)

...

...

...

... . . .

Signer Group (SG)

. . . User

Group

t

t

Threshold

Key

Generation

Signature

Sharing

Generation

Signature

Generation

aggregator Ua . . .

... t

aggregator Ub

t

Data files

Signature

Fig. 1: The flowchart of signature generation.

As one can see from Fig. 1, the robustness of the system isgained from two aspects. First, not all the users (i.e., only thequalified users) are needed to participate in the generationof secret key and secret key sharings. Second, the systemhas multiple signer groups and all of them can be used togenerate the signature. In addition to robustness, the systemhas the advantage of being incentive. That is, the server firstemploys blockchains to record the signatures uploaded byaggregators in a chronological order, then selects the earliestvalid signature recorded as the final signature, and rewardsthe users who contribute to the selected signature in the end.

4.2 Public Auditing ModelThe cloud data storage is composed of three entities: 1) agroup of users, who have a large quantity of files to bestored in the cloud or have the right to download these files;2) the cloud server, which has sufficient storage capacity andcomputation resources but may inadvertently modify anddelete the stored data due to hardware failures or manualoperation errors. To maintain its reputation, the cloud mayconceal the fact that the data is damaged [7]. In this case,the cloud is not-fully-trusted [25]; 3) a verifier (e.g., a thirdparty auditor providing expert data auditing services), whois capable of checking the integrity of shared data storedin the server through a challenge-and-response protocol,but is semi-trusted (honest-but-curious [2]) since he/shemay launch passive attacks, such as data theft and analysis,rather than active attacks. There are n members in the usergroup, where each user has the access to group files and isentitled to check the integrity of files stored in the cloud.

Public auditing can greatly mitigate users’ burden onchecking the integrity of shared data, thus has been widelyused in cloud computing and big data analysis. In general,public auditing operates as follows. At first, a user sends anauditing request to the public verifier, which immediatelysends an auditing challenge message to the cloud serveronce receiving the request. Based on the data stored, thecloud server will reply an auditing proof of the possessionof shared data to the public verifier after receiving thechallenge. Finally, the public verifier validates the data bychecking the correctness of the proof and then returns the

U1 Ui

Un

. . .

User Group

Verifier

Cloud

file

download

request

file

Fig. 2: The process of public auditing.

result back to the user. The process of public auditing isdescribed in Fig. 2.

4.3 Security Threat Model

The security of data stored in the cloud server may be bro-ken by two types of threats. That is, the integrity threat fromthe cloud and the data privacy threat in public auditing.Both threats are described in detail as below.

• Integrity Threat [9]: Data integrity should be guar-anteed to persuade users of using cloud storage. Asdata owners will no longer have access to their filesif they delete their local files after uploading them tothe cloud, the data stored in the cloud suffers fromboth internal and external threats. Internal threats in-clude inadvertently modification and deletion by thecloud due to hardware failures or manual operationerrors. Outside attackers also break the integrity ofdata. What’s worse, the cloud can conceal the factthat the data has been damaged, in order to maintaintheir interests and reputation. Therefore, to ensurethe retrievability of the data, integrity verification forthe data in the cloud is an important issue.

• Data Privacy Threat [2]: Data privacy threat meansthe data leakage occurring in the public auditing.This threat is induced by the employment of a semi-trusted verifier who may attempt to obtain the fileinformation, including sensitive data, from the re-ceived verification message.

4.4 Design Goals of IPANM

To realize an incentive file storage system in the cloud, ourproposed scheme IPANM needs to achieve the followingsecurity and performance guarantees.

1) Incentive: ensure that members who contribute tothe signature stored in the cloud will get theirawards fairly.

2) Correctness: ensure that valid public key sharings,valid signature sharings, and valid signatures gen-erated by group users can pass the verification.





3) Public auditing: enable an auditor to verify the in-tegrity of data stored in the cloud without retrievingthe whole data and knowing users’ secret key.

4) Robustness: tolerate the participation of inactive orhonest signers in the generation of signature.

5) Unforgeability and collusion resistance: only groupmembers with valid secret key sharings are able togenerate the correct signatures on the shared data.

6) File privacy: guarantee that a verifier cannot learnany knowledge of blocks from the received messageduring the verification of data integrity.

7) Efficiency: allow a verifier to perform auditing withthe minimal communication and computation over-head.

5 DESIGN OF OUR PROPOSED IPANMThis section first briefly describes the proposed IPANM,then presents the details on how to construct IPANM.

5.1 Overview of IPANM

As an integration of (t, n) threshold signature, blindingtechnology, and blockchain-aided incentive mechanism,the proposed IPANM can provide an incentive privacy-preserving public auditing for non-manager user groups inclouds. At a high level, the proposed IPANM is composedof three systems: signature generation system, verificationsystem, and incentive system. The signature generation sys-tem is built to provide signatures on files for checking dataintegrity, which is realized by five steps: Set-up, ThresholdKey Generation, Signature Sharing Generation, Signature Shar-ing Aggregation, and Signature Verification. The verificationsystem is deployed to verify the correctness of files storedin the cloud, which is realized by Public Auditing. Theincentive system is developed to encourage signers to takepart in signing, which is realized by an Incentive Mechanismthat grants rewards to contributed signers. The high-leveloverview of IPANM is shown in Fig. 3, and the details ofIPANM are given in the following subsections.

Public

Auditing

Signature

Signature

Generation

System

SignatureVerification

System

Signatures

Challenge

Proof

SignatureIncentive

System

Incentive

MechanismID sets

1.Set-up

2.Threshold

Key

Generation

3.Signature

Sharing

Generation

4.Signature

Sharing

Aggregation

5.Signature

Verification

Fig. 3: Overview of IPANM.

5.2 Construction of IPANM

5.2.1 Set-upThis initialization algorithm is run by the system. Let pdenote a sufficient large prime and e : G1 × G1 → G2

denote a bilinear pairing, where G1 and G2 are two cyclicmultiplicative groups with the same prime order p. LetH and H1 denote two one-way hash functions, which aredefined as H : {0, 1}∗ → G1 and H1 : {0, 1}∗ → Zp,respectively. Let f denote a pseudo-random function andπ denote a pseudo-random permutation, which are definedas f : Zp×{1, 2, · · · , n} → Zp and π : Zp×{1, 2, · · · , n} →{1, 2, · · · , n}, respectively. Two generators g and g1 are bothselected from group G1, then the global public parameterset SP = (p,G1, G2, e, g, g1, H,H1, f, π) can be constructed.

5.2.2 Threshold Key GenerationDuring this stage, the secret key sharing αi and public keysharing pi of each user Ui are generated with the help of allgroup users. Note that only qualified users (i.e., Ud in Fig. 1)in IPANM are allowed to generate the secret value sharingand public key sharing. Qualified users are the participatorswhose behavior is honest. It’s clear that not all the usersare needed to participate in this process and any t qualifiedusers form a qualified group. Thus IPANM can tolerate thefaults made by users in the generation of the two sharings.The generation of the two sharings is described below.

• Generate secret key α and secret key sharing αi. Sinceonly qualified users are allowed to participate inthe generation of secret key and secret key sharing,we need to identify the qualified users at first. Theidentification operates as follows. First, each user Uiselects a random polynomial fi(x) = ai0 + ai1x +ai2x

2 + · · ·+ ai(t−1)xt−1, where aik (1 ≤ i ≤ n, 0 ≤

k ≤ t−1) is coefficient. Subsequently, user Ui broad-casts variable Cik which is equal to gaik , calculatesthe secret value sharing sij by sij = fi(j), and sendssij to user Uj secretly where j 6= i. After receivingsij from user Ui, user Uj verifies the validity of sij by

gsij =t−1Yk=0

(Cik)jk, 1 ≤ i ≤ n. (2)

When there is something wrong with the secret keysharing, it results in false of Eq. (2). Thus the userwith the wrong sharing key should be warned andthis bad behavior of user Ui will be broadcast to allusers to abandon the message generated by the user.Clearly, user Ui cannot be regarded as a qualifiedone. Finally, a user is deemed as disqualified if theuser has been reported by no less than t other user-s, and qualified otherwise. The group of qualifiedusers is represented by QU . Afterwards, the secretkey α and secret key sharing αi of user Ui can bederived by

α =Xi∈QU

ai0 (mod p), (3)

αi =Xj∈QU

sji (mod p). (4)





• Generate final public key sharing pi and public key pk.First, each user Ui in group QU computes the ver-ification parameter Aik = gaik and broadcasts it toall the other users who (e.g., user Uj) will check thevalidity of Aik using

gsij =t−1Yk=0

Aikjk. (5)

If Eq. (5) does not hold, the invalidity of Aik willbe recorded and t valid users will cooperate toreconstruct the right Aik and re-broadcast it. Notethat we introduce two kinds of blockchains in thispaper. One is used to record invalid operations inthe process of signature generation, and the otherone is for incentive. Second, each user Ui in the usergroup broadcasts his/her public key sharing pi toall the other users who (e.g., user Uj) will check thecorrectness of pi using

pi =Yj∈QU

t−1Yk=0

Ajkik. (6)

Iff Eq. (6) holds, the key sharing is valid and accept-ed. Otherwise, the user must send a wrong param-eter pi but the right parameter pi will be calculatedusing the same equation Eq. (6). In addition, this badbehavior will be sent to the system to record. Thecorrect public key sharing that passes the verificationor the one re-generated by Eq. (6) is set as the finalpublic key sharing pi. The public key pk is computedas pk = gα. In this step, the identity informationof the users who generate the valid key sharings isrecorded in the blockchain in chronological order.The content is used to realize incentive which en-courages users to take part in and then improves thestability of the system.

5.2.3 Signature Sharing Generation

Each user is allowed to run this algorithm to generatesignature sharing. During this stage, each user Ui generateshis/her own signature sharing σis for each file block ms

with an identifier ids using

σis = (H(ids) · gms1 )αi , (7)

where the block ms is a part of files stored in the cloud,represented by M = {m1,m2, · · · ,m`}ms∈Zp,1≤s≤`. Thesignature sharings of t qualified users can be used to gener-ate the signature of each file block ms.

5.2.4 Signature Sharing Aggregation

After getting enough signature sharings, an aggregator gen-erates the final signature with this algorithm. During thisstage, an aggregator Ua who comes from the user group,aggregates the final signature of block ms when he/shereceives t valid signature sharings. Before aggregating thefinal signature, Ua needs to check the correctness of thereceived signature sharings using

e(σis, g) = e(H(ids) · gms1 , pi). (8)

The aggregator records the identity information of signerswho generate the valid signature sharings in chronologicalorder. Once no less than t valid signature sharings are re-ceived, the aggregator uses the set SG to record the signersof these sharings and aggregates the final signature using

σs =Yi∈SG

σisλi = (H(ids) · gms1 )α, (9)

where λi =Q

(j∈SG,j 6=i)−ji−j is a Lagrangian interpolation

coefficient. Finally, the aggregator records the signature σsthe identity {idi}i∈SG of signers in the blockchain.

5.2.5 Signature Verification

To ensure the validity of the signature, each user is allowedto run this verification algorithm. The correctness of finalsignature of file block ms can be checked by a verifier using

e(σs, g) = e(H(ids) · gms1 , pk). (10)

However, each file block may have multiple signatures sinceall the users are entitled to select t valid sharings andgenerate the signature. To address this issue, this algorithmselects only the earliest valid signature recorded in theblockchain, and sends it with its file to the cloud in theformat of {(ms, ids, σs)}s∈[1,`].

5.2.6 Public Auditing

The public auditing algorithm realizes the challenge-and-answer protocol operated by a verifier and the cloud serv-er. When user Ui attempts to check the integrity of fileM , the user or a verifier (if the verifier is delegated bythe user) will send a challenging set chal to the cloud.Subsequently, based on the data in set chal and the fileM = {m1,m2, · · · ,m`}, block identifier {id1, id2, · · · , id`}and signature {σ1, σ2, · · · , σ`} stored in the server, the cloudgenerates a file possession proof Pro and sends it to theuser or the verifier. Finally, the user or the verifier can verifythe integrity of file M with the proof Pro. The details ofgenerating and verifying the proof are shown below.

1) Generate file possession proof Pro. User Ui or a verifiersends challenge message chal = {c, k1, k2} to thecloud, where c ∈ [1, `] is the number of challengedblocks and k1, k2 ∈ Zq are two random numbers.After receiving the chal, the cloud first calculatesι = πk1(j), vι = fk2(j), where 1 ≤ j ≤ c. The cloudthen aggregates all the blocks’ tags ϕ = Πι∈Tσ

vιι ∈

G1. At last, the cloud picks a random numberr → Zp, calculates R = e(g1, pk)r, γ = H1(R), µ =(r+γ ·

Pι∈T vιmι) (mod p), and sends audit proof

Pro = {{idi}i∈I , µ, ϕ,R} to the user or verifier.2) Verify file possession proof Pro. After getting the proof

Pro, the verifier first computes

ι = πk1(j), vι = fk2(j), 1 ≤ j ≤ c

and then checks the proof by

R · e(ϕγ , g) = e((Πi∈IH(idi)vi)γ · gµ1 , pk). (11)

If the equation holds, the file M stored in the cloudis deemed as valid.





5.2.7 Incentive MechanismWith the elimination of group managers, the group users aregiven equal power in the generation of keys and signatures.However, the equal group members may be inactive in thegeneration of keys and signatures, leading to an inefficientsignature generation. This motivates this paper to proposean incentive mechanism. Due to its transparency and im-mutability nature, blockchain is utilized in the proposedincentive mechanism to record the information for fairrewards. To avoid inducing large overhead, the proposedincentive mechanism only uses blockchain to record identityinformation for incentive and only allows the file owner todeploy a smart contract.

The proposed incentive mechanism operates as follows.The server searches the blockchain from its head to end, inorder to find the earliest valid signature that is selected asthe final signature. As the identity information of signerswho make contribution to the final signature and the userswho generate the valid key sharing are recorded in theblockchain, it’s easy to find and reward these signers andusers. The server would give awards to the users whocontribute to the final signature and key. In the proposedincentive mechanism, the reward received by the user willdecrease with the increase of time. In other words, the earlierthe contributors generate valid message, the more rewardsthey will get. The file owner deploys a smart contract toexecute the incentive operation as below.

1) Initialization. The file owner Ui of file ms sets thetotal incentive fee as a coin and the number ofcontributors that the owner needs as t.

2) Incentive. The message in the blocks of blockchainis set as {(ids, pka, Noa)}s∈[1,t] where ids is the fileblock identifier, pka is the file block identifier, andNoa is the sequence number. When the sequencenumber Noa is equal to 1, the contributor withthe public key pka gets the incentive fee of a

log2 t.

When the sequence number Noa is in the rangeof [2, 3], the contributor gets the incentive fee of

a2 log2 t

. This repeats until the sequence number Noabelongs to the range of [t/2, t] in which case thecontributor gets the incentive fee of a

(t/2+1) log2 t.

Owing to its tamper-resistant property, blockchaincan ensure that only the real signers of signaturesharings get rewards from the server.

6 SECURITY ANALYSIS OF IPANMThis section provides an in-depth analysis on the securityof the proposed scheme IPANM from seven perspectives:incentive, homomorphic authentication for providing publicauditing, correctness, public auditing, robustness, unforge-ability, collusion resistance and data privacy against curiousverifiers. Collusion resistance is not analyzed since collusionattack is assumed not to happen when only qualified usersare allowed to take part in the generation of keys andsignatures. The analysis of incentive is briefly introducedbelow since it is clear to find, whereas the analyses of othersix perspectives are described in detail.

The incentive property of IPANM is guaranteed by itsundeniableness, fairness, and initiative. The undeniableness

is realized by recording the identities of signers who con-tribute to the final signatures in the blockchain, where therecords are unchangeable. The fairness is maintained byallowing each user to take part in the signature generationand always picking the earliest generated valid signature.The initiative of participating in the signature generation ismobilized by rewarding the signers who contribute to thefinal signatures.

6.1 Homomorphic AuthenticationHomomorphic authentication is the basic tool to constructpublic auditing mechanism [18], and it meets the demandsof blockless verifiability and non-malleability.

Theorem 1. The proposed scheme IPANM supports homomor-phic authentication.

Proof. According to the properties of homomorphic au-thentication, the proposed scheme is required to supportblockless verifiability and non-malleability [13]. We discussblockless verification first. For two blocks m1 and m2,given the public key pk, their identifiers id1 and id2, theirsignatures σ1 and σ2, and two random numbers y1 and y2, averifier would have the ability to check the correctness of ablock m′ = y1m1 +y2m2 by checking whether the followingequation holds:

e

2Yi=1

σyii , g

!= e

2Yi=1

�H(idi)

yi · gm′

1

�, pk

!. (12)

Note that this checking procedure does not require knowingin advance the value of blocks m1 and m2. Based on theproperties of bilinear maps, the proof of Eq. (12) is describedas follows:

e

2Yi=1

σyii , g

!= e

2Yi=1

(H(idi) · gmi1 )α · yi , g

!

= e

2Yi=1

(H(idi) · gmi1 )yi , gα

!(13)

= e

2Yi=1

�H(idi)

yi · gm′

1

�, pk

!.

It is clear that IPANM supports blockless verification.We then prove that an attacker not having the privatekey cannot generate a valid signature σ′ for a combinedblock m′ = y1m1 + y2m2 by combining σ1 and σ2 withy1 and y2. The difficulty of this step lies in the fac-t that hash function H is a one-way hash function. Letθ = [H(id′)gm

′]α denote the signature of block m′. As we

have σy11 ·σy22 = [

Q2i=1(H(idi)

yi · gm′1 )]α, if θ can pass theverification, apparently we have

Q2i=1H(idi)

yi = H(id′),which contradicts to the assumption that H is a one-wayhash function.

Therefore, IPANM is a homomorphic authenticablescheme.

6.2 Correctness AnalysisWe analyze the correctness [26] from three respects: validpublic key sharings, valid signature sharings and signaturesare able to pass the verification. According to [13], proving





the correctness is equivalent to proving the formation of Eqs.(5), (8) and (10) as follows.

Theorem 2. A valid public key sharing pi is capable of passingthe verification in Eq. (5).

Proof. As the secret key sharing of user Ui is αi =Pi∈QU sji (mod p) and the secret value sharing of user Ui

is sji = fj(i) =Pt−1k=0 ajk · ik, we can derive

gαi = g

� Pj∈QU

sji

�=Yj∈QU

gsji

=Yj∈QU

gfj(i) =Yj∈QU

g

�t−1Pk=0

ajk · ik�

=Yj∈U

t−1Yk=0

(gajk)ik

=Yj∈QU

t−1Yk=0

Ajkik.

Theorem 3. A valid signature sharing σis is capable of passingthe verification in Eq. (8).

Proof. As user Ui’s signature sharing of block ms is σis =(H(ids) · gms1 )αi and Ui’s public key sharing is pi = gαi , wecan derive

e (σis, g) = e ((H(ids) · gms1 )αi , g)

= e ((H(ids) · gms1 ) , gαi)

= e (H(ids) · gms1 , pi) .

Theorem 4. A valid signature is capable of passing the verifica-tion in Eq. (10).

Proof. As the signature of block ms is σs = (H(ids) · gms1 )α

and the public key is pk = gα, we can derive

e (σs, g) = e ((H(ids) · gms1 )α, g)

= e ((H(ids) · gms1 ) , gα)

= e (H(ids) · gms1 , pk) .

6.3 Public Auditing

Public auditing ensures a verifier to check the integrity offiles stored in the cloud with the received message.

Theorem 5. If the cloud does store the valid file M andfollow the phases of verification, a verifier is able to correctlycheck the integrity of shared data M with the proof messagePro = {{idi}i∈I , µ, ϕ,R}.

Proof. With storing the valid file M = {m1,m2, · · · ,m`},block identifier {id1, id2, · · · , id`} and block signature{σ1, σ2, · · · , σ`}, the cloud generates file possession proofPor. Based on the knowledge in Theorem 1 and giventhe proof message Pro = {{idi}i∈I , µ, ϕ,R} calculated bythe cloud, the verifier is able to check the integrity of filesusing Eq. (11). The reason is that if the proof message is

computed by the corresponding files, the cloud can pass theverification which is proven as follows.

R · e(ϕγ , g) = R · e(ϕγ , g)

= R · e ((Πi∈Iσvii )

γ, g)

= e (g1, pk)r · e

�(Πi∈I (H(idi) · gmi1 )

αvi)γ, g�

= e (gr1, pk) · e�(Πi∈I (H(idi) · gmi1 )

vi)γ, gα�

= e (gr1, pk) · e��

Πi∈IH(idi)vi · g(Σi∈Ivimi)

1

�γ, pk�

= e (gr1, pk) · e�Πi∈IH(idi)

vi · gγµ′

1 , pk�

= e�Πi∈IH(idi)

γvi · gγµ′

1 · gr1, pk�

= e ((Πi∈IH(idi)vi)

γ · gµ1 , pk) .

6.4 RobustnessRobustness means that IPANM is flexible and tolerates theparticipation of some inactive parties in the generation ofkey sharings and signatures. Firstly, we show the flexibilityof IPANM. Specifically, in key sharings generation, we de-fine a setQU which determines the value of the global secretkey. On one hand, the size of QU is set as required, whichallows the participation of inactive users. On the other hand,as different set QU generates different secret key, it’s easyfor an organization to sign different levels of files withdifferent secret keys. Specifically, when two different officesa and b have two files A and B to generate signature,members in office a construct a set QUa which correspondsto ska and that of office b is skb. The phases of signing fileA is independent of signing file B and each user in theorganization is able to take part in both tasks. Therefore,IPANM is flexible. Then, we prove that IPANM toleratesinactive parties in key sharings generation as follows.

Theorem 6. The signature scheme is robust when less than tusers are corrupted by an adversary [22].

Proof. A user corrupted by an adversary is under the controlof this adversary. Instead of following the right phases de-scribed in Section 5, the user can have only two operations:reject results outputting or broadcast wrong results.

A robust threshold signature scheme tolerates somedishonest signers’ participation during the signature gen-eration. Assume that X = {Ui}i∈[1,t−1] denotes the set ofcorrupted users, and Y = {Ui}i∈[t,n] (n ≥ 2t − 1) denotesthe set of honest users. First, during the generation of publickey sharing, if one corrupted user Ui ∈ X does not generatethe sharing, the other honest users collaborate to reconstructUi’s polynomial since each honest user Uj ∈ Y owns sij .Then, the honest users compute Aik (0 ≤ k ≤ t− 1) and thecorrect pi = gαi according to Eq. (6). It can be observed thatthe number of honest users is at least t. That is the reasonwhy n ≥ 2t − 1 is required. Otherwise, if Aik broadcastedby user Ui is wrong, Ui cannot pass the verification inEq. (5), and then the honest users reconstruct it. If user Uibroadcasts a wrong pi, Ui cannot pass the verification in Eq.(6), and then the right one can be reconstructed by the sameEq. (6).

To conclude, valid public key sharings can be generatedwhen less than t users are corrupted by adversaries. Then,





in the phase of signature sharing generation, the number ofhonest users is greater than n− (t−1) ≥ t when users in setX refuse to broadcast their sharings. Thus, a valid signaturecan be aggregated with the remaining valid signature shar-ings. If users in set X broadcast invalid signature sharings,they cannot pass the verification and would not be usedin signature aggregation. Therefore, the signature scheme isrobust.

6.5 UnforgeabilityUnforgeability is an essential requirement in (t, n) thresholdsignature which ensures that only legal parties can generatevalid signatures.

Theorem 7. The proposed scheme is unforgeable if there is nosuch adversary that gets the public key pk as well as the adaptivelychosen signatures of k messages {m1, · · · ,mk}, can producea valid signature on a new message m that is different from{m1, · · · ,mk} with non-negligible probability.

Proof. Suppose that we have an adversary A who is ableto corrupt less than t users and a challenger C who answersadversaryA’s query to hash function and signing oracle. Wedefine a sequence of games, Game0, Game1, · · · , Game5,where Game0 is an actual game and the rest games aremodified attack games. Let Forgei denote the event that theadversary wins inGamei in this proving process. With thesegames, we show that adversary A forges a valid thresholdsignature by solving the CDH problem in G.

Game0: Adversary A is able to access a random oracleOH and a signing oracle OS , as well as to corrupt t − 1users in set X defined in Theorem 6. The goal of A is toforge a signature sharing which is capable of passing theverification. We use Forge0 to denote the event that theforged signature passes the verification. Accordingly, wehave

ε = SuccA = Pr[Forge0]. (14)

Game1: The corrupted users in set X areU1, U2, · · · , Ut−1. Referring to the probability of guessingright defined in [22], we have

Pr[Forge1] =(t− 1)! · (n− t+ 1)!

n!Pr[Forge0]. (15)

Game2: First, challenger C selects a number a ← Zprandomly and replaces the public key pk = ga and secretkey α = a. Then, we perform the following steps for eachuser in set X.

1) For all users in set X, challenger C randomly selectsα′1, α

′2, · · · , α′t−1 ∈ Zp as their secret key sharings

and set their public key sharings as pi = gα′i . The

public key is set as pk = gα′.

2) For other honest users in set Y, we compute

p′i =1

L(i, i) · (pk −Pt−1j=1 L(j, i)pj)

,

where L(x, y) is defined in [27] and x, y ∈ [1, n].3) The challenger selects another t−1 random numbers

α1, α2, · · · , αt−1 ∈ Zp to set the corrupted users’public key sharings pi = gαi and secret key sharingαi = xi.

4) For honest users in set Y, challenger C selectspt, pt+1, · · · , pn−1 ∈ G1 as their public key shar-ings, and selects pn = pk −

Pi∈[1,n−1] pi as the

public key sharing of user Un.5) Finally, challenger C aggregates the secret key and

public key by integrating αi and pi to obtain α andp, respectively.

With the preceding construction, the distributions ofthese values keep identical to the distribution inGame1. Theadversary cannot distinguish the corrupting t− 1 membersfrom the real game. Thus, we have

Pr[Forge2] = Pr[Forge1]. (16)

Game3: AdversaryA is allowed to query qh times in thisgame. On a hash query issued by A, in order to embed thechallenge ga into an oracle answer, challenger C selects arandom number r → Zp and computes H(id)gm1 = (gab1 )r

when a fresh query (id,m) is created. Then, we store(id,m, r, (gab1 )r) in the hash list and return H(id)gm as theanswer to hash query. As r is randomly selected from Zp,this game is therefore perfectly indistinguishable from theprevious one. As a result, we have

Pr[Forge3] = Pr[Forge2]. (17)

Game4: In this game, if and only if (id,m) has not beenqueried before, and the outputs of (id,m) passes the verifi-cation, challenger C would keep executions. As H(id)gm1 isunformed in G1, the probability of this event in this game is1/p. Therefore, we have��Pr[Forge4]− Pr[Forge3]

�� ≤ 1

p. (18)

Game5: In this game, adversary A is allowed to queryqs times. For any message which has not been queriedbefore, challenger C returns H(id)gm1 = (ga1 )r. We useσ = (H(id)gm1 )1/r to pass the verification. Given gab1 andga1 , C is able to output gb1 with an adversary of Pr[Forge5]:��Pr[Forge5]− Pr[Forge4]

�� ≤ qh · qsp

. (19)

Putting Eqs. (14)-(19) all together, we conclude that theadvantage of adversary A to win all the games is ε′. Clearly,if adversaryA has a non-negligible advantage of generatinga forgery, AdvCDHA = ε′ is an non-negligible advantageto solve the CDH problem, which contradicts to the CDHassumption on G1.

ε′ ≤ (t− 1)! · (n− t+ 1)!

n!· ε− 1

p− qh · qs

p. (20)

Therefore, it is computationally infeasible for adversary Ato generate a forgery. In other words, an adversary is unableto forge a valid signature in IPANM.

6.6 Data Privacy

Public auditing scheme should protect the data from con-cealing to the verifier.

Theorem 8. A public auditor cannot learn the knowledge ofblocks during the verification of data integrity.





Proof. During the verification, the public auditor sends chal-lenge message chal = {(i, vi)}i∈I to the cloud and receivesproof message Pro = {{idi}i∈I , µ, ϕ,R}. If a public verifiergets the combined message µ′ =

Pi∈I vimi, the verifier

can get the content of data by collecting a sufficient numberof linear combinations of message signatures and solvingthe resultant linear equations. For this reason, we execute ablind operation on it as µ = r + γµ′, which masks µ′ witha random element r ← Zp by random masking technology.If the public auditor wants to solve bilinear equations, theauditor must get the value of r. In addition to guessingit with the probability 1/p, the auditor can alternativelyobtain r from R = e(g1, pk)r through computing the val-ue of e(g1, pk). However, computing r is as difficult assolving the Discrete Logarithm problem [13] in G1, whichhas been demonstrated to be computationally infeasible. Inother words, the attacker cannot get the m by solving a setof linear equations. In this manner, IPANM protects dataprivacy.

7 PERFORMANCE ANALYSIS AND EVALUATION

In this section, we first analyze the storage, computation,and communication costs of IPANM, and then evaluate theperformance of IPANM in experiments.

7.1 Storage Overhead Analysis

TABLE 1 lists the storage overhead of each party in theproposed scheme, where “User U (B)” means the statementof the user who hasn’t got the secret key sharing. As shownin TABLE 1, t is the threshold value, n denotes the numberof users, ` is the number of file blocks, and | | means thelength.

TABLE 1: Storage overhead of each party in IPANM.

Storage overhead

User U (B) t|Zp|+ (t+ 2)(n− 1)|G1|User U |Zp|+ |G1|

Aggregator (t+ 1)(|ID|+ 2|G1|) + |Zp|Cloud `|Zp|+ `|id|+ `|G1|

In the generation of threshold key, each user needs tochoose a random polynomial. Accordingly, the user has tostore the coefficients with a storage overhead of t|Zp|. Inaddition, the secret value sharings sij (j ∈ [1, n], i 6= j) leadto (n − 1)|G1| storage overhead. Each user Ui will receivesji and Cjk from other users, which requires (n−1)|G1| andt(n − 1)|G1| storage spaces, respectively. Moreover, beforeuser Ui generates the secret key sharing with the list of QU ,Ui requires a storage space of t|Zp|+ (t+ 2)(n− 1)|G1| forverification and generation of sharing. Finally, when userUi generates the secret key sharing and public key sharing,Ui only needs to store these two sharings αi and pi with astorage overhead of |Zp|+ |G1|.

As an aggregator, user Ua who aggregates thesignature σi of block mi has to store t IDs ofvalid signature sharings’ signers for distributing awardwhen σi is accepted. Since user Ua needs to store{σi, (σ1i, · · · , σti), (ID1i, · · · , IDti), idi} for block mi, anadditional storage space (t + 1)(|ID| + |G1|) is required.

The cloud only needs to store file blocks and their corre-sponding identifiers and signatures. Thus, for a fileM with `blocks, storing {(m1, · · · ,m`), (id1, · · · , idr), (σ1, · · · , σr)}on cloud has the cost of `|Zp| + `|id| + `|G1| storage space.In our scheme, all signatures are generated by an identicalsecret key α and the integrity verification only needs publickey pk. As a result, the cloud does not need to store signerinformation, which is different from existing public auditingschemes [13], [17].

7.2 Communication Overhead Analysis

Based on the generation of signature and challenge-and-response interaction in public auditing, we give the com-munication cost of the proposed protocol from three parts:threshold key generation, signature aggregation and publicauditing which can be further divided into two steps. Beforedetailing the simulation, we introduce the meanings of thenotations: n denotes the number of users, t is the thresholdvalue, d is the number of users in set QU generating secretkey sharings, c is the number of challenging blocks, and | |means the length.

In the step of threshold key generation, first, each user Uibroadcasts Cik (k ∈ [0, t− 1]) and sends sij (1 ≤ j ≤ n, j 6=i) to user Uj secretly. The valid user Uj in set QU sends Ajk(k ∈ [0, t − 1]) to help other users verify the correctness oftheir public key sharings. At last, each userUi broadcasts thepublic key sharing. Assume that the number of valid usersis d, the communication overhead in this step is determinedas nt|G1|+ n(n− 1)|Zp|+ dt|G1|+ n|G1|.

In the step of signature aggregation, a signature aggrega-tor requires t valid signature sharings to generate the finalsignature σs for block ms. Each user Ui in set SG sends(ids, σs, IDi) to the aggregator. Therefore, the communica-tion cost of signature aggregation is t(|id|+ |ID|+ |G1|).

The public auditing consists of two steps: proof gener-ation and proof verification. In the first step, the verifiersends challenge chal = {(i, vi)}i∈I to the cloud while inthe second step, the verifier receives audit proof Pro ={{idi}i∈I , µ, ϕ,R} from the cloud. Thus, the communica-tion cost of these two steps are 2c|Zp| and c|Zp| + 2|G1| +|G2|, respectively.

TABLE 2 lists the communication cost (size of messagesfrom senders to receivers) of four steps in IPANM.

TABLE 2: Communication overhead of each step in IPANM.

Communication overhead

Key generation nt|G1|+ n(n− 1)|Zp|+ dt|G1|+ n|G1|Signature aggregation t(|id|+ |ID|+ |G1|)

Proof generation 2c|Zp|Proof verification c|Zp|+ 2G1|+ |G2|

7.3 Computation Overhead Analysis

In the computation overhead analysis, we use EZp , EG1 ,and EG2 to denote the computation time of exponentiationoperation in Zp, G1, and G2, respectively, MZp , MG1 , andMG2 to denote the computation time of multiplication op-eration in Zp, G1, and G2, respectively, Hash to denote thecomputation cost of a Hash operation in G1, and Pair to





denote the computation cost of a pair operation. We analyzethe computation overhead from the following two aspects:signature generation and public auditing.

7.3.1 Signature GenerationDuring the secret key sharing generation, each user Ui(i ∈ [1, n]) is required to compute Cik (k ∈ [0, t]) and sij(1 ≤ j ≤ n, j 6= i). The computation costs are tEG1 and(n− 1)[(t− 2)EZp + (t− 1)MZp ], respectively. The cost forverifying a single sij is EG1 + (t− 1)(MG1 + EZp). Duringpublic key sharing generation, each user Ui in setQU has al-ready computed Cik, which is equal to Aik. The verificationofAik costsEG1+(t−1)MG1+(2t−1)EZp . The computationcost of generating a final public key sharing pi and verifyingthe correctness of pi is EG1 and (dt+t−1)MG1 +(t−1)EZprespectively. Each user Ui is able to generate a signaturesharing with an overhead of 2EG1 +MG1 +Hash. Verifyinga signature sharing costs 2Pair + EG1 + MG1 + Hash.In addition, t signature sharings which pass the verifica-tion are aggregated to generate the final signature with acost of (2t − 1)MG1 . Verifying the final signature leads to2Pair + EG1 + MG1 + Hash computation overhead. Asat least d users are active in secret key sharing generation,d users participate in public key sharing generation andt users are responsible for final signature generation, thetotal overhead of generating a valid signature is at least2(t+1)Pair+(2t+1)Hash+d(n−1)(t−1)(MZp +EZp)+4tMG1 + (dt + 3t + 1)EG1 when the chosen d users and tsignature sharings are all valid.

TABLE 3 lists the computation overheads of all signaturegeneration steps, where SK denotes secret key, PK is shortfor public key, G means generation, V means verification,and SS stands for signature sharing.

TABLE 3: Computation overhead of signature generation.

Computation overhead

SK sharing G tEG1+ (n− 1)[(t− 2)EZp + (t− 1)MZp ]

SK sharing V EG1+ (t− 1)MG1

+ (2t− 1)EZpPK sharing G EG1

PK sharing V (dt+ t− 1)MG1+ (t− 1)EZp

SS G 2EG1 +MG1 +HashSS V 2Pair + EG1 +MG1 +Hash

Signature G (2t− 1)MG1

Signature V 2Pair + EG1 +MG1 +Hash

TABLE 4: Computation overhead of public auditing.

Step Computation overhead

Proof generationPair + 2MZp + (c− 1)MG1

+cEG1+ EG2

+HashProof verification 2Pair + (c+ 1)MG1

+ (c+ 3)EG1+ cHash

7.3.2 Public AuditingDuring the proof generation, the verifier generates a chal-lenge message once getting the verify request from a user.According to the received challenge message, the cloudfirst generates audit proof Pro = {{idi}i∈I , µ, ϕ,R}. Thecomputation overheads for generating the audit proof isPair+2MZp +(c−1)MG1 +cEG1 +EG2 +Hash. After get-ting the proof message, the verifier spends the computation

overhead of 2Pair + (c+ 1)MG1+ (c+ 3)EG1

+ cHash tocheck the correctness. The computation overhead of publicauditing is summarized in TABLE 4.

7.4 Experimental ResultsIn addition to the performance analysis, we also carry outextensive experiments to evaluate the effectiveness of ourIPANM by comparing it with IAID-PDP [17] and NPP [14].IAID-PDP and NPP both solve the problem of centralizationcaused by group managers. Specifically, IAID-PDP utilizesring signature to construct a public auditing scheme withincentive and provides group users with equal power andNPP distributes the power of management to multiple man-agers. In order to make a fair comparison, we adopt thesame simulation settings in comparison of IPANM, IAID-PDP and NPP. Note that NPP belongs to group signaturebased scheme, we only show the differences between themin the process of public auditing.

We adopted the Pairing Based Cryptography (PBC) [27]library to simulate the cryptographic operations in ourscheme IPANM. All the experiments are tested on an IntelCore i7 processor of 3.40 GHz, and the Ubuntu operatingsystem. Without loss of generality, we test our scheme over1,000 times. For the setup of benchmarking schemes [13],[14], the size of ID, G1, G2, and Zp are all set to 160bit, andthe size of block tag id is set to 40bit. We assume the sizeof a file is 10M, thus the number ` of blocks in the shareddata is set to 524,288 when the size of block ms is set to160bit. According to the observation of our previous work[6], we need to set the number c of selected blocks in anauditing task to 460, in order to ensure that the detectionprobability is greater than 99%. Note that the detectionprobability is greater than 95% when c = 300. Since theproposed scheme IPANM consists of an incentive mecha-nism and a public auditing method, we implement two setsof simulation experiments to evaluate IPANM. In the firstset of simulation experiments, to show the performance ofthe incentive mechanism, we compare the storage overheadof IPANM and IAID-PDP [17], analyze the communicationoverhead of generating keys and signatures, and comparethe computation overhead of IPANM and IAID-PDP [17]in the signature generation. In the second set of simulationexperiments, to demonstrate the performance of the publicauditing method, we compare the communication and com-putation overheads of IPANM with that of IAID-PDP [17]and NPP [14].

To estimate the gas cost of the proposed incentive mech-anism, we deploy it on the locally simulated Ethereumnetwork built by Ganache [28]. Ganache provides a fast andflexible way to build a virtual blockchain which makes de-velopers more focus on the performance of the deployed s-mart contracts without considering the influence of complexnetwork circumstances. In the implementation, the Ganacheruns on a laptop with 2.5GHz Intel(R) Core(TM) i5-3210MCPU, 8GB memory, and Windows 10 operating system. Thesize of the elements in records such as (ids, pka, Noa) is setto 40bit, 160bit, and 40bit, respectively.

7.4.1 Evaluation of Incentive MechanismIn IPANM, we employ blockchian to record the signaturesfor further incentive, which will bring extra overhead such





TABLE 5: Storage overhead of the cloud using IAID-PDP [17], IPANM-1, and IPANM-2.

t1 = n/2t2 = n/3

n = 12t1 = 6t2 = 4

n = 24t1 = 12t2 = 8

n = 36t1 = 18t2 = 12

n = 48t1 = 24t2 = 16

n = 60t1 = 30t2 = 20

n = 72t1 = 36t2 = 24

n = 84t1 = 42t2 = 28

n = 96t1 = 48t2 = 32

IAID-PDP (MB) 142.5 262.5 382.5 502.5 622.5 742.5 862.5 982.5IPANM-1 (MB) 37.5 52.5 67.5 82.5 97.5 112.5 127.5 142.5

Advantage-1 (%) 73.684 80 82.353 83.582 84.337 84.848 85.217 85.496IPANM-2 (MB) 32.5 42.5 52.5 62.5 72.5 82.5 92.5 102.5

Advantage-2 (%) 77.193 83.810 86.275 87.562 88.353 88.889 89.275 89.567

0 20 40 60 80 100t

0.00.20.40.60.81.01.21.4

Com

mun

icatio

n ov

erhe

ad (M

B)

Key generationSignature aggregation

(a) n = 2t− 1, d = t

0 20 40 60 80 100t

0.00.20.40.60.81.01.21.4

Com

mun

icatio

n ov

erhe

ad (M

B)


(b) n = 200, d = t

0 20 40 60 80 100t

0.00.20.40.60.81.01.21.4

Com

mun

icatio

n ov

erhe

ad (M

B)


(c) d = n = 200

Fig. 4: Communication overhead of key generation and signature aggregation.

TABLE 6: Comparison of computation overhead in signature generation.

t1 = n/2t2 = n/3

n = 12t1 = 6t2 = 4

n = 24t1 = 12t2 = 8

n = 36t1 = 18t2 = 12

n = 48t1 = 24t2 = 16

n = 60t1 = 30t2 = 20

n = 72t1 = 36t2 = 24

n = 84t1 = 42t2 = 28

n = 96t1 = 48t2 = 32

IAID-PDP (ms) 0.482 0.986 1.49 1.994 2.498 3.002 3.506 4.01IPANM-1 (ms) 0.233 0.473 0.713 0.953 1.193 1.433 1.673 1.913

Advantage-1 (%) 51.660 52.028 52.148 52.207 52.242 52.265 52.282 52.294IPANM-2 (ms) 0.153 0.313 0.473 0.663 0.793 0.953 1.113 1.273

Advantage-2 (%) 68.257 68.2556 68.255 68.255 68.255 68.254 68.254 68.254

as storage overhead, communication overhead, computa-tion overhead and gas cost. To show the performance of in-centive mechanism, we compare the cloud storage overheadof IPANM and IAID-PDP [17], analyze the communicationoverhead of generating keys and signatures, and comparethe computation overhead of IPANM with that of IAID-PDP[17] and NPP [14].

Comparison of the Storage Overhead: In the evaluation ofstorage overhead, we compare the cloud storage overheadof IPANM and IAID-PDP under the varying size n of usergroups (n is set to 12, 24, 36, 48, 60, 72, 84, 96). Due to theblockchain based incentive mechanism in IPANM, in addi-tion to storing file blocks and their corresponding identifiersand signatures such as {(ms, ids, σs)}s∈[1,`], which costs480` bits in IPANM, we also need to store the message gen-erated during the process of key generation and signaturegeneration. In the generation of threshold key, each user firstselects a random polynomial which costs 160t bits and thesecret value sharings sij (j ∈ [1, n], i 6= j) lead to 160(n−1)bits. Each user then spends 160(n− 1) bits and 160t(n− 1)bits storage spaces to store the received sji and Cjk fromother users, respectively. Moreover, user Ui requires a stor-age space of 160tn+320n−320 bits for verification and gen-eration of sharing. Finally, when user Ui generates the secretkey sharing and public key sharing, Ui needs to store these

two sharings αi and pi with a storage overhead of 320 bits.In the generation of signature, the aggregator Ua needs tostore {σi, (σ1i, · · · , σti), (ID1i, · · · , IDti), idi} for block mi,an additional storage space 320(t + 1) bits is required. Thecloud only needs to store file blocks and their correspondingidentifiers and signatures. The storage overhead is 480` bits.We let IPANM-1 and IPANM-2 denote the IPANM methodwhen t is set to n/2 and n/3, respectively. We calculate thestorage overheads of the cloud using IPANM-1, IPANM-2,and IAID-PDP when the size of user group is increased from12 to 96.

The results listed in TABLE 5 demonstrate that thestorage cost savings of IPANM-1 and IPANM-2 can be upto 85.496% and 89.567%, respectively, even if we introduceblockchain into IPANM to record the relevant informationproduced during the process of key and signature gen-eration. The overhead savings achieved by IPANM-1 andIPANM-2 is due to that IAID-PDP needs to store n−1 moresignatures than IPANM. The results also indicate that thecloud storage overhead grows with the increase in the size ofuse group. This is because that the storage overhead highlydepends on the number t of signers coming from use group.

Analysis of the Communication Overhead: Considering thatIPANM requires group users to communicate with eachother for key generation and signature aggregation whileIAID-PDP [17] and NPP [14] generate the final signature





without communication overhead since its signature is onlydetermined by the signer, we only show the communicationoverhead of IPANM in the generation of keys and signatureswithout comparison. For each operation, the communica-tion overhead is measured by the size of messages fromsenders to receivers.

In the evaluation of communication overhead, we firstcompute the communication overhead of IPANM in thegeneration of keys and signatures. Assume that each userUi broadcasts Cik and sends sij to user Uj secretly duringthe threshold key generation. The valid user Uj in set QUneeds to send Ajk for the verification of their public keysharings. At last, each user Ui broadcasts the public keysharing. Thus, the communication overhead of thresholdkey generation is 160(nt + n2 + dt) bits where d is thenumber of valid users. In signature aggregation, the aggre-gator costs 40t + 320 bits to get t valid signature sharingsand the information of the signed block for generating thefinal signature. Since the communication overhead of keygeneration and signature aggregation in IPANM dependson the size d of qualified group QU and the value of t, weinvestigate the communication overhead in the scenario ofd = t = n+1

2 , d = t, and d = n where t increases 0 to 100.Fig. 4 plots the communication overhead of key generationand signature aggregation. The results in the figure indicatethat the communication overhead of signature aggregationis practically negligible regardless of the value of t, whereasthe communication overhead of key generation is non-negligible and grows with the increase of the value of t.

Comparison of the Computation Overhead: In the evaluationof computation overhead in incentive mechanism, we com-pare the computation overhead of IPANM and IAID-PDP inthe signature generation. Same to the evaluation of storageoverhead, we let IPANM-1 and IPANM-2 denote the IPANMmethod when t is set to n/2 and n/3, respectively. n takesthe value of {12, 24, 36, 48, 60, 72, 84, 96}. The comparisonresults (see TABLE 6) clearly demonstrate that the compu-tation overhead of IPANM-1 and IPANM-2 are both lowerthan that of IAID-PDP. Same to the evaluation of storageoverhead, IPANM-1 and IPANM-2 are utilized to denotethe IPANM when t is set as n/2 and n/3, respectively,and Advantage-1 and Advantage-2 are utilized to representthe reduction (%) of computation overhead achieved byIPANM-1 and IPANM-2, respectively. TABLE 6 presentsthe computation overhead of signature generation usingIAID-PDP, IPANM-1, and IPANM-2 under the varying sizen of user group. The results clearly show that IPANM-1and IPANM-2 are both computation-efficient as comparedto IAID-PDP. Specifically, the computation overhead ofIPANM-1 and IPANM-2 are about 52% and 68% lower thanthat of IAID-PDP, respectively.

Overhead of Blockchain: We evaluate the overhead (quanti-fied by gas cost) of the proposed blockchain based incentivemechanism from two aspects: recording and reward. Dur-ing the recording process, the system reords the messageof {(ids, pka, Noa)}s∈[1,t] in the blocks of blockchain. Asdemonstrated in Fig. 5, the gas cost is 539932, 1079928,2159920, 4319840, and 8639744 when the number of con-tributors t is set to 4, 8, 16, 32 and 64, respectively. For thereward process, the gas cost is 58384, 94838, 167512, 312626,and 589220 when the number of contributors t is set to 4,

8, 16, 32, and 64, respectively. Compared to the gas cost ofdata management [29], it’s obvious that the gas cost of theproposed incentive mechanism is acceptable.

8 16 24 32 40 48 56 64t

0123456789

Gas c

ost (

10^6

) RecordingReward

Fig. 5: The gas cost of recording and reward.

7.4.2 Evaluation of Public AuditingIn this section, we compare our scheme IPANM with IAID-PDP and NPP from two parts: communication overhead andcomputation overhead to show the performance of publicauditing.

Comparison of the Communication Overhead: In this step,we compare the communication overhead of IPANM withthat of IAID-PDP and NPP in public auditing. The publicauditing includes proof generation and proof verification.In proof generation, the challenge message costs 320c bits.The proof verification needs 480 + 160c bits to transmitthe proof message. For one time interaction, the wholecommunication overhead of public auditing is (160 ∗ (c +5+0∗d)+20)/8/1024 KB. Fig. 6 shows the communicationoverhead of public auditing in IPANM, IAID-PDP and NPPwhen the number c of selected blocks takes the value of 300and 460. As can be seen from the figure, the communicationoverhead of public auditing using IPANM is much lowerthan that of IAID-PDP and NPP. This is because that IAID-PDP needs to send n− 1 more elements for a message blockand the auditing in NPP uses a lot of auxiliary informationas compared to IPANM. We can also find from Fig. 6 (a)-(b)that the communication overhead of public auditing usingIPANM and NPP is independent of the number of userswhile the communication overhead of public auditing usingIAID-PDP is linearly increased with the size of use group asshown in Fig. 6 (c)-(d). Fig. 6 (c) and (d) are extracted fromFig. 6 (a) and (b) respectively for clearer comparison.

Comparison of the Computation Overhead: To evaluate theperformance, we compare the computation overhead ofIPANM, IAID-PDP and NPP in public auditing. The publicauditing includes proof generation and proof verification.During the proof generation, the verifier generates a chal-lenge message once getting the verification request from auser. According to the received challenge message, the cloudgenerates the proof message Pro = {{idi}i∈I , µ, ϕ,R}. Thecomputation overhead of generating this proof message isPair + 2MZp + (c − 1)MG1 + cEG1 + EG2 + Hash. Aftergetting the proof message, the verifier checks the correctness





0 20 40 60 80 100n

0

20

40

60

80

100Co

mm

unica

tion

cost

(KB)

IPANMIAID-PDPNPP

(a) c = 300

0 20 40 60 80 100n

020406080

100120140160

Com

mun

icatio

n co

st (K

B)

IPANMIAID-PDPNPP

(b) c = 460

0 20 40 60 80 100n

0

2

4

6

8

10

Com

mun

icatio

n co

st (K

B)

IPANMIAID-PDP

(c) c = 300

0 20 40 60 80 100n

02468

1012

Com

mun

icatio

n co

st (K

B)

IPANMIAID-PDP

(d) c = 460

Fig. 6: Communication overhead of public auditing.

0 2 4 6 8 10 12 14 16 18 20n

020406080

100120140160180

Com

puta

tion

cost

(ms)

IPANMIAID-PDPNPP

(a) c = 300

0 2 4 6 8 10 12 14 16 18 20n

0255075

100125150175200225250

Com

puta

tion

cost

(ms) IPANM

IAID-PDPNPP

(b) c = 460

0 80 160 240 320 400 480c

0306090

120150180210240270

Com

puta

tion

cost

(ms) IPANM

IAID-PDPNPP

(c) n = 10

Fig. 7: Comparison of computation overhead in public auditing.

with the computation overhead of 2Pair + (c + 1)MG1+

(c + 3)EG1+ cHash. The results in Fig. 7(a)-(b) show that

the computation overhead of public auditing using IPANMis a small constant and is independent of the size n ofuser group. Unlike IPANM and NPP, IAID-PDP is linearlyincreased with the size n of use group, thus has a highercomputation overhead in the most cases (n ≥ 4) thanIPANM. Although the overhead of NPP is also constant,it needs more intermediate steps than IPANM to calculateauxiliary information. Fig. 7(c) plots the total computationoverhead of public auditing under a fixed number of usergroup and the varying number c of selected blocks. Theresults demonstrate that the total computation overhead ofIPANM, IAID-PDP and NPP are all linearly increased withthe number of blocks, and IPANM is the most computation-efficient as compared to IAID-PDP and NPP.

8 SUMMARY

In this paper, we propose a fair and incentive privacy-preserving public auditing scheme IPANM that support-s non-manager groups and encourages all users to takepart in the generation of signatures, especially for usersin crowd sensing. The main contribution of IPANM is ourdevelopment of an incentive based (t, n) threshold signaturescheme, which enables the verifier to utilize the same publickey to audit the integrity of files stored in the cloud andensures each group user to take part in the generation ofsignature without a trusted manager by equally distributingthe power of manager to group users. During the integritychecking of files, IPANM adopts the blinding technologyto protect data privacy against the semi-trusted verifier. Inorder to ensure the stability of the system, with the aid ofblockchain technology, the incentive property of IPANM

is realized by fairly granting awards to the users whocontribute to the generation of the final signature. Exten-sive theoretical analyses and experimental results show theeffectiveness of IPANM.

The novelty of our scheme IPANM can be summarizedas follows. 1) Unlike the traditional public auditing methodsdesigned for groups with managers, we propose a (t, n)threshold signature based public auditing scheme for non-manager groups where users are assigned the same powerin the generation of keys and signatures. 2) Unlike thetraditional (t, n) threshold signature based public auditingmethods, we introduce an incentive mechanism to mobilizethe initiative of users in the key and signature generation. 3)Unlike the traditional public auditing methods that ignorethe data leakage problem, we use blinding technology toprotect data privacy during the verification in public au-diting. In a nutshell, we design a novel incentive basedprivacy-preserving (t, n) threshold signature and furtherpropose a public auditing scheme based on the signaturefor non-manager groups in the cloud.

9 FUTURE WORK

In this paper, the proposed fair and incentive privacy-preserving public auditing scheme IPANM is designed forstatic groups without managers. IPANM is able to achievethe security and performance guarantees such as incentive,correctness, public auditing, robustness, unforgeability, aswell as file privacy and efficiency. However, it does notsupport dynamic groups that allow group users to leaveand new members to join. What’s more, considering thatdynamic groups are also very common in real-world appli-cations, they should also be taken into account in the futurework. The main challenge in designing a public auditing





scheme for dynamic groups is to realize secure and efficientgroup dynamic. Therefore, in the future we will extendour proposed public auditing scheme IPANM to dynamicgroups from the perspectives of security and efficiency asdescribed below.

1) Security: secure dynamic groups should ensure for-ward security and backward security in secure keyupdates. Forward security requires that the revokedusers cannot participate in the signature generationwith the previous keys, and backward security re-quires that the newly added users cannot use thecurrent key to crack the group information beforejoining in the group. In addition to providing for-ward and backward security, implementing securekey updates in dynamic groups without managersneeds to be realized.

2) Efficiency: users in the dynamic groups are allowedto leave. For these leaving users, the system needsto update their associated file messages and re-signthese file messages, both of which have a largecomputation overhead. To reduce the computationoverhead, designing an efficient file message andsignature updating method for leaving users of dy-namic groups is a necessity.

Undeniably, group dynamic has been supported in alot of auditing schemes (e.g., [6], [25], [30], [31]). However,most of the existing schemes either focus on re-signing thefiles belonging to the revoked user (e.g., [6], [25]) efficientlyor aim at solving the problem of the collusion betweenthe cloud and the revoked group users (e.g., [30], [31]). Inaddition, they do not consider forward security, backwardsecurity, and non-manager groups. Therefore, these schemesare not suitable for our future work of designing a publicauditing scheme that supports forward security, backwardsecurity, and group dynamic for non-manager groups.

REFERENCES

[1] K. Ota, M. Dong, J. Gui, and A. Liu, “Quoin: Incentive mechanismsfor crowd sensing networks,” IEEE Network, vol. 32, no. 2, pp. 114–119, 2018.

[2] H. Tian, F. Nan, C.-C. Chang, Y. Huang, J. Lu, and Y. Du, “Privacy-preserving public auditing for secure data storage in fog-to-cloudcomputing,” Journal of Network and Computer Applications, vol. 127,pp. 59–69, 2019.

[3] O. Arias, J. Wurm, K. Hoang, and Y. Jin, “Privacy and securityin internet of things and wearable devices,” IEEE Transactions onMulti-Scale Computing Systems, vol. 1, no. 2, pp. 99–109, 2017.

[4] Z. Yue, Y. Jia, H. Rong, W. Cong, and K. Ren, “Enabling efficientuser revocation in identity-based cloud storage auditing for sharedbig data,” IEEE Transactions on Dependable & Secure Computing,vol. PP, no. 99, pp. 1–1, 2018.

[5] J. Xue, C. Xu, J. Zhao, and J. Ma, “Identity-based public au-diting for cloud storage systems against malicious auditors viablockchain,” Science China Information Sciences, vol. 62, no. 3, p.32104, 2019.

[6] L. Huang, G. Zhang, S. Yu, A. Fu, and J. Yearwood, “Seshare: Se-cure cloud data sharing based on blockchain and public auditing,”Concurrency & Computation Practice & Experience, vol. 31, no. 22,2019.

[7] S. Yu, “Big privacy: Challenges and opportunities of privacy studyin the age of big data,” IEEE Access, vol. 4, pp. 2751–2763, 2017.

[8] H. Yan, J. Li, J. Han, and Y. Zhang, “A novel efficient remote datapossession checking protocol in cloud storage,” IEEE Transactionson Information Forensics & Security, vol. 12, no. 1, pp. 78–88, 2017.

[9] W. Shen, J. Qin, J. Yu, R. Hao, and J. Hu, “Enabling identity-basedintegrity auditing and data sharing with sensitive informationhiding for secure cloud storage,” IEEE Transactions on InformationForensics & Security, vol. 14, no. 2, pp. 331–346, 2018.

[10] W. Ding, Z. Yan, and R. H. Deng, “Privacy-preserving data pro-cessing with flexible access control,” IEEE Transactions on Depend-able and Secure Computing, vol. 17, no. 2, pp. 363–376, 2020.

[11] H. Tian, Y. Chen, H. Jiang, Y. Huang, F. Nan, and Y. Chen,“Public auditing for trusted cloud storage services,” IEEE Security& Privacy, vol. 17, no. 1, pp. 10–22, 2019.

[12] D. Chaum, “Blind signature, system,” Crypto, p. 153, 1983.[13] B. Wang, B. Li, and H. Li, “Oruta: privacy-preserving public

auditing for shared data in the cloud,” IEEE Transactions on CloudComputing, vol. 2, no. 1, pp. 43–56, 2014.

[14] A. Fu, S. Yu, Y. Zhang, H. Wang, and C. Huang, “Npp: A newprivacy-aware public auditing scheme for cloud data sharing withgroup users,” IEEE Transactions on Big Data, vol. PP, no. 99, pp.1–1, 2017.

[15] H. Wang, H. Qin, M. Zhao, X. Wei, H. Shen, and W. Susilo,“Blockchain-based fair payment smart contract for public cloudstorage auditing,” Information Sciences, vol. 519, pp. 348–362, 2020.

[16] A. Gervais, G. O. Karame, V. Glykantzis, H. Ritzdorf, andS. Capkun, “On the security and performance of proof of workblockchains,” in ACM Sigsac Conference on Computer and Communi-cations Security, 2016, pp. 3–16.

[17] H. Wang, D. He, J. Yu, and Z. Wang, “Incentive and uncondition-ally anonymous identity-based public provable data possession,”IEEE Transactions on Services Computing, vol. 12, no. 5, pp. 824–835,2019.

[18] B. Wang, B. Li, and H. Li, “Knox: privacy-preserving auditingfor shared data with large groups in the cloud,” in InternationalConference on Applied Cryptography and Network Security, 2012, pp.507–525.

[19] L. Li, J. Liu, L. Cheng, S. Qiu, W. Wang, X. Zhang, and Z. Zhang,“Creditcoin: A privacy-preserving blockchain-based incentive an-nouncement network for communications of smart vehicles,” IEEETransactions on Intelligent Transportation Systems, vol. 19, no. 7, pp.2204–2220, 2018.

[20] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving public auditing for secure cloud storage,” IEEE Trans-actions on Computers, vol. 62, no. 2, pp. 362–375, 2013.

[21] B. Dan, B. Lynn, and H. Shacham, “Short signatures from the weilpairing,” in International Conference on the Theory and Application ofCryptology and Information Security, 2001, pp. 514–532.

[22] R. Lu, X. Lin, Z. Cao, J. Shao, and X. Liang, “New (t,n) thresholddirected signature scheme with provable security,” InformationSciences, vol. 178, no. 3, pp. 756–765, 2008.

[23] Wikipedia, “Blind signature,” https://en.wikipedia.org/wiki/Blind signature.

[24] G. Wood et al., “Ethereum: A secure decentralised generalisedtransaction ledger,” Ethereum project yellow paper, vol. 151, no. 2014,pp. 1–32, 2014.

[25] X. Liu, Y. Zhang, B. Wang, and J. Yan, “Mona: Secure multi-ownerdata sharing for dynamic groups in the cloud,” IEEE transactionson parallel and distributed systems, vol. 24, no. 6, pp. 1182–1191, 2012.

[26] J. Camenisch and M. Michels, “Separability and efficiency forgeneric group signature schemes,” in International Cryptology Con-ference on Advances in Cryptology. Springer, 1999.

[27] B. Lynn. (2013) The pairing-based cryptography library@ONLINE. [Online]. Available: http://crypto.stanford.edu/pbc

[28] W.-M. Lee, “Testing smart contracts using ganache,” in BeginningEthereum Smart Contracts Programming. Springer, 2019, pp. 147–167.

[29] L. Zhu, Y. Wu, K. Gai, and K. R. Choo, “Controllable and trustwor-thy blockchain-based cloud data management,” Future GenerationComputer Systems, vol. 91, pp. 527–535, 2019.

[30] T. Jiang, X. Chen, and J. Ma, “Public integrity auditing for shareddynamic cloud data with group user revocation,” IEEE Transac-tions on Computers, vol. 65, no. 8, pp. 2363–2373, 2016.

[31] R. Rabaninejad, M. Ahmadian, M. R. Asaar, and M. reza Aref, “Alightweight auditing service for shared data with secure user revo-cation in cloud storage,” IEEE Transactions on Services Computing,2019.


https://en.wikipedia.org/wiki/Blind_signature

https://en.wikipedia.org/wiki/Blind_signature

http://crypto.stanford.edu/pbc




Longxia Huang received the Ph.D. degree inComputer Science and Technology from Nan-jing University of Science and Technology, Jiang-su, China, in 2019. She was a Visiting Schol-ar with the Deakin University, Melbourne, Aus-tralia, in 2018.She is currently a Lecture withthe School of Computer Science & Communi-cation Engineering, Jiangsu University, Jiangsu,China. Her current research interests includeblockchain technology, privacy protection, datasharing and cloud computing.

Junlong Zhou (S’15-M’17) received the Ph.D.degree in Computer Science from East ChinaNormal University, Shanghai, China, in 2017.He was a Visiting Scholar with the University ofNotre Dame, Notre Dame, IN, USA, during 2014-2015. He is currently an Assistant Professor withthe School of Computer Science and Engineer-ing, Nanjing University of Science and Technol-ogy, Nanjing, China. His research interests in-clude embedded systems, edge computing andInternet-of-Things, and cyber physical systems,

where he has published over 60 refereed papers. He has been programvice-chairs, publication chairs, publicity chairs, section chairs, and TPCmembers for numerous conferences. Dr. Zhou serves as an AssociateEditor for the Journal of Circuits, Systems, and Computers and the IETCyber-Physical Systems: Theory & Applications, a Subject Area Editorfor the Journal of Systems Architecture: Embedded Software Design,and a Guest Editor for 5 ACM/IET/Elsevier/Wiley Journals.

Gongxuan Zhang (SM’12) received the B.S. de-gree in electronic computer from Tianjin Univer-sity in 1983 and the M.S. and Ph.D. degrees inComputer Application from the Nanjing Universi-ty of Science and Technology in 1991 and 2005,respectively. He was a Senior Visiting Scholarin Royal Melbourne Institute of Technology from2001.9 to 2002.3 and University of Notre Damefrom 2017.7 to 2017.10. Since 1991, he hasbeen with the Nanjing University of Science andTechnology, where he is currently a professor in

the School of Computer Science and Engineering. His current researchinterests include multicore and parallel processing and distributed com-puting, and cyber space security. He has served on the program com-mittees in a couple of conferences. He has over 80 publications and hasled or participated in 40 research projects.

Jin Sun (M’17) received the B.S. and M.S. de-grees in computer science from Nanjing Univer-sity of Science and Technology, Nanjing, China,in 2004 and 2006, respectively, and the Ph.D.degree in electrical and computer engineeringfrom the University of Arizona in 2011. BetweenJanuary 2012 and September 2014, he was withOrora Design Technologies, Inc. as a memberof technical staff. He is currently an AssociateProfessor with the School of Computer Scienceand Engineering, Nanjing University of Science

and Technology, Nanjing, China. His research interests include high-performance computing, integrated circuit modeling and analysis, andcomputer-aided design.

Tongquan Wei (M’11) received the Ph.D. de-gree in electrical engineering from MichiganTechnological University, Houghton, MI, USA,in 2009. He is currently an Associate Profes-sor with the Department of Computer Scienceand Technology, East China Normal University,Shanghai, China. His current research interestsinclude real-time embedded systems, green andreliable computing, cloud computing and Inter-net of Things. Dr. Wei has been a RegionalEditor for the Journal of Circuits, Systems, and

Computers since 2012. He served as a Guest Editor for several specialsections of the IEEE Transactions on Industrial Informatics and ACMTransactions on Embedded Computing Systems.

Shui Yu (SM’12) received the Ph.D. degree fromDeakin University, Burwood, VIC, Australia, in2004. He currently a Professor with the Schoolof Software, University of Technology Sydney,Broadway NSW 2007, Australia. He has pub-lished over 150 fully reviewed papers, includingtop journal papers and top conference papers.He has authored one monograph entitled Dis-tributed Denial of Service Attack and Defence(Springer) and edited a book entitled Networkingfor Big Data (CRC, 2015). His current research

interests include big data, network security, privacy and forensics, net-working theory, and mathematical modeling. He targets on narrowingthe gap between theory and applications using mathematical tools. Dr.Yu is active in research services in various roles. He serves on theeditorial board of IEEE Transactions of Parallel and Distributed Systems,IEEE Communications Surveys and Tutorials, IEEE Access, and threeother international journals. He served as a leading Guest Editor for anumber of special issues, including Networking for Big Data in IEEENetwork in 2014 and Big Data for Networking on IEEE Network in 2015.He is also involved in organizing international conferences, such as theTPC Co-Chair of IEEE Big Data Computing Service and Application in2015, the Founder of International Workshop on Security and Privacyin Big Data (usually with the IEEE INFOCOM), the Symposium Co-Chair for CISS of IEEE ICC 2014 and IEEE ICNC 2014, the PublicationChair for IEEE Globecom 2015 and IEEE INFOCOM 2016, and a TPCMember for INFOCOM 2012-15.

Shiyan Hu (SM’10) received his Ph.D. in Com-puter Engineering from Texas A&M Univer-sity in 2008. He is Professor and Chair inCyber-Physical System Security at Universityof Southampton. His research interests includeCyber-Physical Systems and Cyber-PhysicalSystem Security, where he has published morethan 100 refereed papers. He is an ACM Dis-tinguished Speaker, an IEEE Systems CouncilDistinguished Lecturer, an IEEE Computer Soci-ety Distinguished Visitor, a recipient of the 2017

IEEE Computer Society TCSC Middle Career Researcher Award, the2014 U.S. National Science Foundation (NSF) CAREER Award, andthe 2009 ACM SIGDA Richard Newton DAC Scholarship. His publica-tions have received a few distinctions, which includes the 2018 IEEESystems Journal Best Paper Award, the 2017 Keynote Paper in IEEETransactions on Computer-Aided Design, and the Front Cover in IEEETransactions on Nanobioscience in March 2014. He is the Chair forIEEE Technical Committee on Cyber-Physical Systems. He is the Editor-In-Chief of IET Cyber-Physical Systems: Theory & Applications. Heserves as an Associate Editor for IEEE Transactions on Computer-AidedDesign, IEEE Transactions on Industrial Informatics, IEEE Transactionson Circuits and Systems, ACM Transactions on Design Automation forElectronic Systems, and ACM Transactions on Cyber-Physical Systems.He has served as a Guest Editor for 8 IEEE/ACM Journals such asProceedings of the IEEE and IEEE Transactions on Computers. He hasheld chair positions in many IEEE/ACM conferences. He is a Fellow ofIET and a Fellow of British Computer Society.


ipanm: incentive public auditing scheme for non-manager ...€¦ · 4.2 public auditing model. the...

Documents