npp: a new privacy-aware public auditing scheme for cloud ......auditing schemes, hence anyone can...

2332-7790 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TBDATA.2017.2701347, IEEETransactions on Big Data

1

NPP: A New Privacy-Aware Public AuditingScheme for Cloud Data Sharing with Group Users

Anmin Fu, Member, IEEE, Shui Yu, Senior Member, IEEE, Yuqing Zhang, Huaqun Wang, and Chanying Huang

Abstract—Today, cloud storage becomes one of the criticalservices, because users can easily modify and share data withothers in cloud. However, the integrity of shared cloud data is vul-nerable to inevitable hardware faults, software failures or humanerrors. To ensure the integrity of the shared data, some schemeshave been designed to allow public verifiers (i.e., third partyauditors) to efficiently audit data integrity without retrieving theentire users’ data from cloud. Unfortunately, public auditing onthe integrity of shared data may reveal data owners’ sensitiveinformation to the third party auditor. In this paper, we proposea new privacy-aware public auditing mechanism for shared clouddata by constructing a homomorphic verifiable group signature.Unlike the existing solutions, our scheme requires at least tgroup managers to recover a trace key cooperatively, whicheliminates the abuse of single-authority power and provides non-frameability. Moreover, our scheme ensures that group userscan trace data changes through designated binary tree; andcan recover the latest correct data block when the current datablock is damaged. In addition, the formal security analysis andexperimental results indicate that our scheme is provably secureand efficient.

Index Terms—Data Integrity; Homomorphic Verifiable; Non-frameability; Provable Security.

I. INTRODUCTION

DUE to the increasing number of applications of shareddata, such as iCloud, Google Docs, and so on, users can

upload their data to a cloud and share it with other peers asa group. Unfortunately, since cloud servers are vulnerable toinevitable hardware faults, software failures or human errors,data stored in the cloud may be spoiled or lost [1]. In the worstcases, a cloud owner may even conceal data error accidents inorder to preserve its reputation or avoid profit losses [2],[3]. Inaddition, users who lose direct control over their data are notsure whether their cloud-stored data is intact or not. Therefore,integrity verification for the shared data in the cloud is animportant, yet timely issue for a large number of cloud users.

To ensure the integrity of data stored in cloud servers, anumber of mechanisms based on various techniques have been

This work is supported by National Science Foundation of Chi-na (61572255), Natural Science Foundation of Jiangsu Province, China(BK20141404 and BK20150787), and Six Talent Peaks Project of JiangsuProvince, China (XYDXXJS-032).

Anmin Fu and Chanying Huang are with the School of Computer Scienceand Engineering, Nanjing University of Science and Technology, Nanjing, PRChina.

Shui Yu is with the School of Information Technology, Deakin University,Melbourne, Australia.

Yuqing Zhang is with the National Computer Network Intrusion ProtectionCenter, UCAS, Beijing, PR China.

Huaqun Wang is with the Jiangsu Key Laboratory of Big Data Security &Intelligent Processing, School of Computer Science, Nangjing University ofPosts and Telecommunications, Nanjing, PR China.

proposed. In particular, in order to reduce the burden on users,a trusted third-party auditor (TPA) is engaged to conduct theverification, which is called public auditing [4]. However, theTPA may have unnecessary access to private information dur-ing the auditing process [5]. Therefore, researchers proposedsome new schemes to protect privacy, including data privacy[6], and identity privacy [7]-[9]. To be specific, the TPA cannotlearn each block that is signed by a particular user in the groupby constructing homomorphic authenticable ring signatures[7] or computing tags based on common group private key[8]. However, since both methods concern about unconditionalprivacy, the real identity of the signer can no longer be traced.A later development is the homomorphic authenticable groupsignature scheme based on group signatures [9], which isdesigned to protect privacy. On one hand, the identity of eachsigner is anonymous; and on the other hand, the group managercan trace a signer’s real identity after a dispute. Unfortunately,in all existing public auditing schemes, the tracing process isaccomplished by a single entity. As a result, that entity hasthe privilege of tracing, which may lead to abuse of single-authority power. Therefore, an innocent user may be framedor a malicious user may be harbored.

Meanwhile, to support data dynamics, the data structurebased on index hash table [7]-[11] or Merkle Hash Tree(MHT) has been utilized [12], [15]. However, this kind ofdata structure merely records the newest data block with thecorresponding signature, which prevents users from tracing thechanges of the data blocks. When the current data has beencorrupted, users cannot recover the old data from the records.Therefore, the problem of data traceability and recoverabilityalso should be considered.

Moreover, a necessary authentication process is missingbetween the auditor and the cloud in most existing publicauditing schemes, hence anyone can challenge the cloud forthe auditing proofs. This problem will trigger network conges-tion and unnecessary waste of cloud resources. Although Liuet al. [12] designed an authorized public auditing scheme tosolve the problem, it is only suitable for a single client, andcannot be applied to group-shared data. Since the malicious orpretended auditors/users might constantly request cloud accessfor the auditing proof by utilizing TPA, unauthorized auditingis another important issue that should be addressed in integrityverification for shared cloud data.

At present, all the existing public auditing schemes onlyconsider a single group manager when applied to shared datawith group users. However, in real-world applications, theremight be multiple managers in a group.For instance, the shareddata of a project team is created by multiple managers together,



2

whats more, any of them can maintain the shared data. Anotherimportant practical problem is that the group users should beable to dynamically enroll and revoke the group, which willbe managed by the group managers. And significantly, whentracing the real identity of the signer, a specified number ofmanagers can work together, which ensures the fairness of thetracing process.

In this paper, we propose a new privacy-aware publicauditing mechanism, called NPP, for the shared cloud datawith multiple group managers. Our contributions can be sum-marized as follows.

1) We establish a model for data (in a group) sharedwith multiple group managers, and propose a new privacy-preservation public auditing scheme for multiple group man-agers in shared cloud storage. Our proposed scheme cannot only provide multi-levels privacy-preservation abilities(including identity privacy, traceability and non-frameability),but also can well support group user revocation.

2) We design a data structure based on a binary tree forclouds to record all the changes of data blocks. Group userscan trace the data changes through the binary tree and recoverthe latest correct data block when the current data block isdamaged.

3) We utilize an authorized authenticate process to verifyTPA’s challenge messages. Therefore, only the TPA who hasbeen authorized by the group users can pass the authenticationand then challenge the cloud, which protects clouds frommalicious challenges.

4) Our formal security analysis and experimental resultsshow that NPP is provably secure and efficient.

The rest of this paper is organized as follows. Section IIpresents a review of related work on public auditing schemesin cloud storage. Then we introduce our system model,threat model and design objectives in Section III. Section IVbriefly introduces the cryptographic knowledge applied in ourscheme. In Section V, we describe the proposed public auditingscheme NPP in detail. Section VI analyzes its security andSection VII evaluates its performance. Finally, this paper isconcluded in Section VIII.

II. RELATED WORK

Ateniese et al. [16] firstly proposed the Provable DataPossession (PDP) model, utilizing homomorphic verifiabletags, and the process of data integrity checking was a kindof “challenge-response” protocol. In order to support dataretrievability, Juels et al. [17] proposed the Proofs of Retriev-ability (POR) model. Many extended schemes based on PDPor POR have been proposed to solve different problems inpublic auditing [7]-[14], [18]-[23].

Considering the application of cloud data shared by groupusers, Wang et al. [7] proposed a privacy-preserving publicauditing scheme, called Oruta, for shared data in the cloud.Their scheme was based on a homomorphic authenticable ringsignature, which allows a public auditor to audit the shareddata without retrieving all data from the cloud. However, theauditing overhead linearly increases with the number of groupusers, hence it is not suitable for large groups in the cloud. To

support large groups, Wang et al. [8] proposed a new auditingscheme, called Knox. The auditing overhead is independent ofthe number of group users, hence Knox can support shared datawith large groups. Moreover, any group manager can revealthe identity of the signer. Unfortunately, the scheme cannotsupport user revocation.

Many schemes have been proposed in order to deal withthis problem. In [9]-[11], homomorphic authentications basedon proxy re-signature were constructed. With the cooperationof cloud and revoked users, these schemes converted thesignatures of the revoked users into those of the existing users.As the cloud has powerful computation ability, this method hasno effect on the existing users. The problem is that it cannotresist collusion attacks. If a revoked user colludes with thecloud, the private keys of the existing users can be obtainedby the cloud. Therefore, the cloud can tamper with the shareddata stored in it arbitrarily. Besides, Yu et al. [15] pointed outthat the scheme in [11] is vulnerable to replace attacks.

Recently, to solve the problem of collusion attacks, Yuanet al. designed polynomial-based authentication tags, allowingaggregation of tags for different data blocks [19]. Their schemeallows secure delegation of user revocation operations to thecloud, permitting the cloud itself to conduct revocation withoutthe participation of revoked users. Unfortunately, their schemeis also vulnerable to resist collusion attacks. If a revoked usercolludes with the cloud, the cloud server can update the data asmany times as the revoked user requests until it finally returnsa legal data [22], [24]. Another attempt to solve the issue is thecombination of vector commitments and group signatures withverifier-local revocation [22]. However, the computation costof user revocation grows with the number of revoked users.

In addition, to eliminate threats of unauthorized audit chal-lenges from malicious or pretended third-party auditors, Liu etal. [12] proposed an authorized auditing scheme by adding anadditional authentication process between the cloud and theTPA. Additionally, to support fine-grained update requests,the authorized scheme employed BLS signatures and MHT.However, the scheme can only be applied to a single client.

III. PROBLEM STATEMENT

In this section, we describe the system model and the threatmodel of this paper, and give the design objectives of ourpublic auditing scheme.

A. System Model

As shown in Fig. 1, the system model contains four entities:cloud, TPA, trusted private key generator (PKG), and groupusers. The cloud has powerful storage space and computingcapacity, and provides services (e.g., data storage, data sharing,etc.) for group users. The TPA can verify the integrity of theshared data on behalf of the group users. The PKG generatesthe system public parameters and group key pair for groupusers. The group users include two types of users: GMs (GroupManagers) and ordinary members.

Unlike existing system models, the GMs contain multiplemembers who create the shared data together and share themwith the ordinary members through the cloud. Therefore, the



3

GMs act as the common owners of the original data, andtheir identities are equal. Meanwhile, any of the GMs can addnew members or revoke members from the group. In addition,either a GM or an ordinary member can access, download,and modify the shared data in the cloud. Note that multiplemanagers in a group is very common in practice. For instance,the shared data of a project team is created by multiplemanagers together. Later, any of the GMs can maintain theshared data and manage the group users. When tracing thereal identity of the signer, a given number of managers cancooperate to trace the real identity, which ensures the fairnessof the tracing process.

When a group user wants to check the integrity of the shareddata, she/he first submits an auditing request message to theTPA. After receiving the request, the TPA challenges the cloudfor an auditing proof. Once the cloud receives the auditingchallenge, it firstly authenticates the TPA. If valid, the cloudwill return the auditing proof to the TPA. Otherwise the cloudwill refuse the request. Finally, the TPA verifies the validityof the proof and sends an auditing response to the group user.

B. Threat Model

1) Integrity Threat. There are two kinds of threats relatedto shared data integrity. One is that external attackers mightcorrupt the shared data in the cloud, so that group users can nolonger access the correct data. The other is that the cloud maycorrupt or delete the shared data due to the hardware/softwarefaults or human errors. What’s worse, the cloud may concealthe fact of data damage from users in order to maintain self-interest and service reputation.

2) Privacy Threat. As a trusted and inquisitive verifier, aTPA might obtain some privacy information from the verifi-cation metadata during the auditing process. For instance, theTPA might analyze which data block has been modified mostor which user has modified the data most, and finally concludewhich particular data block or which group user is of a highervalue than the others. Then the TPA might directly obtain thedata or the identity of the group user from the signatures ofthe data blocks.

3) Challenge Threat. Because the auditing challenge mes-sage is very simple and has not been authorized, any otherentity can utilize the TPA to challenge the cloud for auditing

Fig. 1. The system model of NPP.

TABLE INOTIONS

Notions Descriptionmpk shared group public keymskl the secret key of GMl

spk,ssk public/private key pairuski user signing keyupki user membership keyrvki user revocation key

(Vj,1, Vj,2, θj) the signature of the block mj

AUTH authorizationt timestamp

proofs. In this case, a malicious entity might launch denialof service attacks on the cloud by sending massive challengemessages continuously, which will lead to network congestionand unnecessary waste of the clouds resources.

C. Design Objectives

To achieve integrity checking of the shared data in thecloud, NPP is expected to the following design objectives: 1)Public auditing: Besides the group users, the TPA can alsocorrectly check the integrity of the shared data in the cloudwithout retrieving entire users’ data from cloud. 2) Authorizedauditing: Only the TPA that has been authorized by the groupusers can challenge the cloud. 3) Identity privacy: Duringthe process of auditing, the TPA cannot learn the identityof the group user from the signatures of the data blocks. 4)Traceability: Under certain conditions, the group managerscan reveal the signer’s identity from the signatures and decidewhich group user has modified the data block. 5) Non-frameability: Group managers can guarantee the fairness ofthe tracing process, i.e., innocent group user won’t be framedand the misbehaved user won’t be harbored by the groupmanagers. 6) Support data traceability and recoverability:Group users can easily trace the data changes and recover thelatest correct data once current data is damaged. 7) Supportgroup dynamics: Group dynamics include two aspects. Oneis that GMs can easily join or leave the group, the other is thatnew users can be easily added into the group and misbehavedusers can be efficiently excluded from the group.

IV. PRELIMINARIES

In this section, we briefly introduce the cryptographicknowledge applied in NPP. The main notations used in thispaper are described in Table I.

A. Homomorphic Verifiable Tags

Homomorphic Verifiable Tags [16] (HVTs) acting as theverification metadata of file blocks have been widely used inintegrity checking for data stored in the cloud.

Definition 1 (Homomorphic verifiable signature). If anHVT based on signatures can satisfy the following twoproperties simultaneously, then the signature scheme is ahomomorphic verifiable signature scheme [7], [11].

Supposing (pk,sk) are the public/private key pair of thesigner, σ1 and σ2 denote the tags of data block m1,m2 ∈ Zq ,respectively.



4

1) Blockless verification: A verifier can judge the cor-rectness of all data through the linear combination of thedata without retrieving it from the cloud. Specifically, givenσ1, σ2, two random numbers y1, y2 ∈ Zp and data blockm = y1m1 + y2m2, a verifier can check the correctness ofm without knowing m1, m2.

2) Non-malleability: Any entity without the secret keycannot generate a new and valid tag through combining theknown tags. Specifically, given σ1, σ2, two random numbersy1, y2 ∈ Zp and data block m = y1m1+ y2m2, an entity whohas no sk cannot generate the valid tag σ for m by combiningσ1 and σ2.

B. Discrete Logarithm (DL) Problem

Definition 2 (DL Problem). Let a ∈ Z∗p , given g, ga ∈ G1

as input, output a. The advantage of probabilistic polynomialtime algorithm A in solving the DL problem in G1 is definedas AdvDL

A= Pr[A(g, ga) = a : a

R←− Z∗p ], where the

probability is over the choice of a, and the coin tosses of A.In this case, for any probabilistic polynomial time algorithm A,the advantage of solving the DL problem in G1 is negligible.

V. THE NPP SCHEME

A. Overview

We assume that there is S group managers GMl(1 < l ≤ S),and d users Ui(1 ≤ i ≤ d) in NPP. The shared data Mis divided into w data blocks, i.e. M = m1,m2, · · · ,mw.In order to support dynamic operations on the shared data,we index each data block by leveraging index hash table [9].Specifically, NPP consists of eight algorithms: Setup, Enroll,Revoke, Sign, Authorize, ProofGen, ProofVerify, Open.

In Setup phase, the PKG sets parameters for the entiresystem, distributes the group key pair mpkl,mskl and ashared public/private key pair spk,ssk used to authorize eachGMl, and initializes the membership information Ω . Then,any GM generates a user signing key uski, a (public) usermembership key upki, and a user revocation key rvki for Ui.GM also shares the authorization key pair spk, ssk with Ui

in the Enroll procedure. Once a group user is revoked, GMinvokes the Revoke algorithm to update Ω. The group usercan compute the signatures of the shared data block from theissued keys in the Sign process. With the Authorize algorithm,the group authorizes TPA to generate authorized auditingchallenges, and then the valid TPA can check the integrityof the shared data on behalf of the group user. Once the cloudreceives a challenge from TPA, the cloud verifies whether thechallenge has been authorized and decides whether to generatethe audit proof via ProofGen. TPA checks the correctness ofthe proof via ProofVerify. Finally, in the Open process, at leastt GMs work together to trace the real identity of the signer.

B. Support Data Traceability and Recoverability

Since the identity of each data block can be described bythe index hash table, i.e., idj = vj , rj, where vj is denotedas the virtual index of block mj , and rj is a random numbergenerated by a collision-resistant hash function, every group

0

1

0

1

m

s

0

0

i

i

m

s

0

0

w

w

m

s

Fig. 2. The original records.

0

0

w

w

m

s

0

1

0

1

m

s

0

0

i

i

m

s

0

0

w

w

m

s

0

1

0

1

m

s

0

0

i

i

m

s

1

1

i

i

m

s

0

0

w

w

m

s

2

2

i

i

m

s

0

1

0

1

m

s

0

0

i

i

m

s

1

1

i

i

m

s

0

0

w

w

m

s

3

3

i

i

m

s

0

1

0

1

m

s

0

0

i

i

m

s

1

1

i

i

m

s

2

2

i

i

m

s

Fig. 3. The records when the ith block has been updated three times.

user can easily perform dynamic operations on the shared data,the details of which can be found in [7]. However, if the datablock has been changed maliciously, the group user cannottrace the changes and recover the right data.

To support data tracing and recovery, we have designed anadditional data structure based on binary tree for the cloudserver to record every change of data block. Through therecords, group users can easily trace data changes. When thedamaged has been found, group users can recover the rightdata by the records. As the group users can verify the olderblocks one by one until discover the latest correct block. Asshown in Fig. 2, original data blocks m1,m2, · · · ,mw withthe corresponding signatures σ1, σ2, · · · , σw are stored asthe roots of w binary trees respectively. mj

i , σji (1 ≤ i ≤

w) denotes the ith block has been modified j times, hencem0

i , σ0i means the data block is the original one. We will

use some examples to show different records when group usersperform dynamic operations on the shared data later. Fig. 3 and4 describe update operation and insert operation respectively.In addition, when group users want to delete a block, the cloudserver still keeps the records related to this block, without anyother additional operations. Whats more, the cloud server doesnot need to know which block has been deleted.

As shown in Fig. 3, the ith block has been updated for threetimes, and the latest one is always the root of the binary tree;the old ones are the nodes of the binary tree. If we definethe depth of the binary tree as N , then the number of nodes



5

0

1

0

1

m

s

0

1

0

1

i

i

m

s

-

-

0

0

w

w

m

s

0

0

i

i

m

s

¢

¢

0

0

i

i

m

s

Fig. 4. The record when a block has been inserted.

belongs to range [2N−1, 2N − 1], and the number of timesfor the cloud to record the updates belongs to range [2N−1 −1, 2N − 2].

Once the current signature σ3i has been damaged, group

users can trace the changes (m2i , σ

2i ), (m

1i , σ

1i ), (m

0i , σ

0i ) by

implementing the postorder traversal to the final binary tree.As the damaged signature cannot pass the verification, thegroup users are able to verify the signature σ2

i , if it can passthe verification, then the latest right block has been found.Otherwise, the group users continue verifying the signaturesone by one according to the order of traversal tree with thehelp of TPA until the latest right block is discovered. Theverification algorithm can be found in the next section.

As shown in Fig. 4, when group users want to inserta block, for example a new block m′

i is inserted betweenthe block mi−1 and the block mi, and id′i = v′i, r′i =⌊(vi−1 + vi)/2⌋, r′i, the cloud server will create a new root(i.e., m0

i′ , σ0i′) for this new block.

C. Construction of NPPIn this section, we describe the details of the eight al-

gorithms included. To protect data privacy, the data can beencrypted by the means of symmetrical encryption technologyand attribute-based encryption technology before shared datais outsourced to the cloud [25]; however, this is outside thescope of our paper.

1) Setup: With the input security parameters ε > 1, k, lp ∈N , PKG randomly chooses parameters λ1, λ2, γ1 and γ2 suchthat λ1 > ε(λ2 + k) + 2, λ2 > 4lp, γ1 > ε(γ2 + k) + 2 andγ2 > λ1 + 2, two multiplicative cyclic groups G1, G2 withthe same order q, and g0 is the generator of G1. Then PKGchooses a bilinear map e : G1 × G1 −→ G2 and two one-way hash functions: H10, 1∗ −→ Zq,H20, 1∗ −→ G1,and defines two intervals: A = [2λ1 − 2λ2 , 2λ1 + 2λ2 ], B =[2γ1 − 2γ2 , 2γ1 + 2γ2 ]. The parameters above are all public.

Then, PKG computes the shared group public key mpk =(n, a, a0, Y, g0, g, h, g1, g2, η1, η2) and each GMl’s secret keymskl = (p′, q′, Xl) as follows:

• Select lp-bit primes p′, q′ such that P = 2p′ + 1 , andQ = 2q′ + 1 . Set the modulus n = PQ (Note that allthe following arithmetic operations are modulo n unlessspecified otherwise).

• Choose random elements a, a0, g, h, g1, g2, η1, η2 ∈RQR(n) (of order q ), where QR(n) denotes the set ofquadratic residues of group Z∗

n .• Choose a random secret X ∈R Z∗

q , and set Y = gX .• Choose a t-1 degree polynomial f(x) = b0 + b1x +· · ·+bt−1x

t−1 with b0 = X, b1, · · · , bt−1 ∈ Zq , computeXl = f(l)(l = 1, 2, · · · , S and 2t − 1 ≥ S), i.e. X isdivided into S pieces Xl [26].

• Initialize the membership information Ω = (c, u), wherec is initialized to g1, and u is initialized to 1.

Next, PKG chooses a public/private key pair spk, ssk usedfor authorization only.

Finally, PKG sends mpk,mskl along with spk, ssk toGMl securely.

2) Enroll: The uski, rvki, and upki of a new member Ui

are generated as follows:

• Ui generates a secret exponent xi ∈R [0, 2λ2 ], a randominteger ri ∈R [0, n], computes C1 = gxihri and broad-casts C1 to any GM.

• GM who has received C1 checks whether C1 ∈ QR(n).If this is the case, the GM chooses αi, βi ∈R [0, 2λ2 ] andsends αi, βi to Ui.

• Ui computes xi = 2λ1 +(αixi+βi mod 2λ2), C2 = axi

and broadcasts C2 to the GM.• GM checks whether C2 ∈ QR(n). If this is the case,

GM chooses ei, π ∈R B, computes Ai = (C2a0)1/ei =

(axia0)1/ei , ρ = g0

π(ρ is public) and sends Ai, ei, πalong with spk, ssk to Ui.

• Ui checks axia0?= Aei

i . If the equation holds, Ui setsuski = (xi, π), rvki = ei, upki = Ai and shares the keypair spk, ssk with all the GMs.

• GM maintains a users-list, which contains all related keysand the valid time of the group users. Different users maybe assigned with different valid times. Finally, GM addsUi, Ui’s related keys and valid time to the list.

3) Revoke: Supposing user Uk(1 ≤ k ≤ d) is to berevoked, the revocation key is rvkk and the current member-ship information is Ω = (c, u), then any GM should updatec = crvkk , u = u · rvkk.

Suppose there are revoked users Ue, · · · , Uk(1 ≤ e <

k ≤ d), the latest c = c∏k

i=e rvki , u =∏k

i=e rvki.Then PKG distributes a new key pair spk’, ssk’ to all

GMs, and the GM shares it with the existing group users.Meanwhile, the GM updates the revoked users’ valid time asa negative value in the users-list.

4) Sign: Group user Ui computes the signature σj =(Vj,1, Vj,2, θj) [27] for block mj ∈ Zq(1 ≤ j ≤ w, idj isthe identifier ) as follows:

i. Compute Vj,1.

• Randomly choose rj∈R0, 12lp and compute Tj,1 =Y rjAj , Tj,2 = grj , Tj,3 = grvki·hrj .

• Randomly choose rj,1∈R ± 0, 1ε(γ2+k), rj,2∈R ±0, 1ε(λ2+k), rj,3∈R ± 0, 1ε(γ1+2lp+k+1), rj,4∈R ±0, 1ε(2lp+k) and then compute dj,1 = T

rj,1j,1 /(arj,2 ·

Y rj,3), dj,2 = Trj,1j,2 /grj,3 , dj,3 = grj,4 , dj,4 = grj,1 ·hrj,4 .

• Compute vj,1 = ηmj

1 H1(g∥h∥Y ∥a0∥a∥Tj,1∥Tj,2∥Tj,3

∥dj,1∥dj,2∥dj,3∥dj,4).• Compute sj,1 = rj,1 − vj,1(rvki − 2γ1), sj,2 = rj,2 −

vj,1(xi − 2λ1), sj,3 = rj,3 − vj,1 · rvki · rj , sj,4 = rj,4 −vj,1 · rj .

• Output Vj,1 = (vj,1, sj,1, sj,2, sj,3, sj,4, Tj,1, Tj,2, Tj,3).

ii. Compute Vj,2.

• Find f, b ∈ Z such that f · u+ b · rvki = 1, and then setd = g−b

1 (because Ui has not been revoked, rvki is notincluded in u =

∏ki=1 rvki and gcd(rvki, u) = 1).

• Compute Tj,4 = d · grj2 .



6

• Randomly choose rj,5∈R ± 0, 1ε(γ2+k), rj,6∈R ±0, 1ε(λ2+k), rj,7∈R ± 0, 1ε(γ1+2lp+k+1), rj,8∈R ±0, 1ε(2lp+k) and compute dj,5 = T

rj,5j,4 /(crj,6 · grj,72 ),

dj,6 = grj,5 · hrj,8 .• Compute vj,2 = η

mj

2 H1(g∥h∥g1∥g2∥c∥Tj,3∥Tj,4∥dj,5∥dj,6).

• Compute sj,5 = rj,5 − vj,2(rvki − 2γ1), sj,6 = rj,6 −vj,2(f − 2λ1), sj,7 = rj,7 − vj,2 · rvki · rj , sj,8 = rj,8 −vj,2 · rj .

• Output Vj,2 = (vj,2, sj,5, sj,6, sj,7, sj,8, Tj,3, Tj,4).iii. Compute tag θj = [H2(idj)g

mj

0 ]π.iv. Output the signature σj = (Vj,1, Vj,2, θj).5) Authorize: Any group member can authorize the TPA on

behalf of the group to challenge the cloud through the sharedkey pair spk, ssk as follows:

• The group member asks the ID of the TPA (for security,the ID is used for authorization only). Then the TPAreturns its ID encrypted with the public key spk.

• The group member decrypts it with ssk to get ID,computes sigAUTH = Sigssk(AUTH∥t∥ID) (AUTHmeans authorization and t is the timestamp), and sendssigAUTH as the auditing authorization message to theTPA. Then the TPA can challenge the cloud on behalf ofthe group users.

Note that after message AUTH, t, sigAUTH is stored inthe cloud along with the signatures of the data blocks, it willbe deleted from local storage.

6) ProofGen: In this phase, the TPA first sends a challengemessage to the cloud, and then the cloud generates a auditingproof message if the TPA is authorized.

i. The TPA challenges the cloud as follows:• Randomly choose a subset Γ from the set [1, w], where

Γ contains D elements, i.e. |Γ| = D.• Generate random numbers yj ∈ Zq, j ∈ Γ.• Send an auditing challenge messagesigAUTH , IDPKcloud

, (j, yj)j∈Γ to the cloud.Because the PKcloud is the public key of the cloud, thecloud can decrypt IDPKcloud

with the correspondingprivate key SKcloud to get ID.

ii. The cloud checks whether the TPA has been authorizedas follows:

• Compute ID by decrypting IDPKcloudwith its private

key SKcloud.• Decrypt sigAUTH with the group’s public key spk to get

ID,AUTH and t. If ID = ID′, the computed AUTHis equal to the AUTH stored in the cloud and t is valid,the cloud will generate the auditing proof. Otherwise, thecloud will refuse to generate the proof.

iii. The cloud generates the auditing proof message to theTPA as follows:

• Compute λ =∑

i∈Γ yjmj ∈ Zq and aggregate theselected tags as Θ =

∏j∈Γ θ

yj

j ∈ G1.• Output Φj = Vj,1, Vj,2j∈Γ based on the selected block-

s, where Vj,1 = (vj,1, sj,1, sj,2, sj,3, sj,4, Tj,1, Tj,2, Tj,3),Vj,2 = (vj,2, sj,5, sj,6, sj,7, sj,8, Tj,3, Tj,4).

• Send the auditing proof idjj∈Γ, Φjj∈Γ, λ,Θ to theTPA.

7) ProofVerify: The TPA checks the correctness of theproof as follows.

• Compute d′j,1 ∼ d′j,6 as follows:

d′j,1 = (avj,1

0 · T sj,1−vj,1·2γ1j,1 )/(asj,2−vj,1·2λ1 · Y sj,3) (1)

d′j,2 = Tsj,1−vj,1·2γ1j,2 /gsj,3 (2)

d′j,3 = Tvj,1

j,2 · gsj,4 (3)

d′j,4 = Tvj,1j,3 · g

sj,1−vj,1·2γ1 · hsj,4 (4)

d′j,5 = ((g−11 )vj,2 · T sj,5−vj,2·2γ2

j,4 )/(csj,6−vj,2·2λ1 · gsj,72 )(5)

d′j,6 = Tvj,2j,3 · g

sj,5−vj,2·2γ1 · hsj,8 (6)

• Verify the correctness of the following equations:∏j∈Γ

vyj

j,1?= ηλ1

∏j∈Γ

H1(g∥ · · · ∥d′j,4)yj (7)

∏j∈Γ

vyj

j,2?= ηλ2

∏j∈Γ

H1(g∥ · · · ∥d′j,6)yj (8)

e(Θ, g0)?= e(

∏j∈Γ

H2(idj)yj ·gλ0 , ρ) (9)

Note that for simplicity, we useH1(g∥h∥ · · · ∥d′j,4) and H1(g∥ · · · ∥d′j,6) instead ofH1(g∥h∥Y ∥a0∥a∥Tj,1∥Tj,2∥Tj,3∥d′j,1∥d′j,2∥d′j,3∥d′j,4) andH1(g∥h∥g1∥g2∥c∥Tj,3∥Tj,4∥d′j,5∥d′j,6), repetitively, in thefollowing parts.

• If the equations (7) (8) (9) all hold, then the auditingproof is valid. Otherwise, it is not.

• If the proof is valid, TPA will send a positive report tothe user. Otherwise, a negative report will be sent instead.

8) Open: When users have performed malicious actions onthe shared data, at least t GMs work together to trace the realidentity of the group user as follows:

• Negotiate with each other to construct a polynomi-al y(x) =

∑tl=1 f(l) · Fl(x) =

∑tl=1 X(l) · Fl(x),

where the Lagrange polynomial interpolation Fl(x) =∏0≤h′≤t,h′ =l

x− h′

l − h′ .

• Compute the trace key X = y(0) =∑t

l=1 X(l) · Fl(0).• Compute upki = Tj,1/T

Xj,2 = Ai, and then reveal the real

identity of the signer through upki.

This procedure guarantees the current user can be found.When GMs need to find previous users who have affected theshared data, they can trace the data changes by implementingthe postorder traversal to the additional binary tree, and thenreveal the real user identities of each data change through theabove procedure.



7

D. Discussions1) Group Managers Dynamics:• GM joiningIf a new GM wants to join the group, the PKG computes

S′ = S+1, and tests whether 2t−1 ≥ S′. If it holds, the PKGwill compute a new piece (S′, Xs′ ) with polynomial f(x) anddistribute it to the new GM′

S ; otherwise, the PKG choosesa new (t′ − 1)-degree polynomial f ′(x) = b′0 + b′1x + · · · +b′t′−1x

t′−1, where 2t′ − 1 ≥ S′, b′0 = X, b′1, · · · , b′t′−1 ∈ Zq ,and computes X ′

l = f ′(l)(l = 1, 2, · · · , S′), i.e. X is dividedinto S′ pieces X ′

l and then distributed to GMl.In addition, the PKG generates a new key pair spk’, ssk’,

and broadcasts it to all the GMs, who can then share it with theexisting group users. Note that the process of updating spk,ssk has no effect on auditing, because the signing keys, themembership keys and the revocation keys of the existing usersdo not need to be updated. Nor do the signatures of the datablocks.

• GM leavingIf an existing GMl wants to leave the group, the PKG first

sets S′ = S − 1, chooses a new (t′ − 1)-degree polynomialf ′(x) = b′0+ b′1x+ · · ·+ b′t′−1x

t′−1, where 2t′−1 ≥ S′, b′0 =X, b′1, · · · , b′t′−1 ∈ Zq , and then computes and distributes newX ′

l = f ′(l)(l = 1, 2, · · · , S′) to each GMl.In addition, the PKG generates a new key pair spk’, ssk’,

and broadcasts it to all the GMs, who can then share it withthe existing group users.

2) User Revocation: GMs maintain a users-list, which iscomposed of each user’s related key and expiration time. Oncea user’s service subscription expires, their signing key shouldbecome invalid from then on. In this case, any GM can invokethe Revoke algorithm by updating the membership informationΩ and the key pair spk, ssk and setting the value of therevoked user’s expiration time to be negative.

There might be misbehaving users in the group. In this case,any GM can invoke the Revoke algorithm as mentioned above.Note that when a user is revoked from a group, GMs do notneed to re-compute and re-distribute new keys to the validusers, since the revoked user Ui cannot find f, b ∈ Zq suchthat f ·u+b·rvki = 1, Ui cannot compute the partial signatureV2 any more.

If the revoked user Ui maliciously reveals their signing keyuski = (xi, π), then the partial signature of other users can bediscerned because of the common key π. However, it is notenough to forge a valid signature as the secret key xj of theother users is still unknown. Therefore, the partial signatureV1 cannot be computed.

As we have demonstrated, valid users do not need to updatetheir keys and the existing signatures. Signatures belonging tothe revoked users can be re-computed by the GMs. Specifical-ly, the existing user interacts with GMs to generate a proxysignature key, then GMs use the proxy key to compute thesignatures of the revoked users. That transforms them into thesignatures which sign by the private key of the existing user.

VI. SECURITY ANALYSISThe correctness analysis and security analysis of our pro-

posed NPP protocol are established by the following theorems:

Lemma 1. NPP is a homomorphic authenticable groupsignature scheme.

Proof: According to the Definition 1, if NPP is a homo-morphic verifiable, it must satisfy both blockless verificationand non-malleability.

• Blockless verificationWhen TPA selects the subset Γ = 1, 2 and computes

λ = y1m1 + y2m2, Equations (7), (8) and (9) are all correct(the specific proof process can be referred to Equations (10),(11) and (12) below). Therefore, NPP satisfies the property ofblockless verification.

• Non-malleabilityAn attacker without the private key cannot generate the valid

tag σ′ of m′ by combining σ1 and σ2, because θy1

1 · θy2

1 =[H2(id1)

y1 ·H2(id2)y2 · gm′

0 ]π , θ′ = [H2(id′) · gm′

0 ]π. If θ′ =θy1

1 · θy2

1 , then H2(id′) = H2(id1)

y1 · H2(id2)y2 = C. Once

a value id′ can be found such that H2(id′) = C, it disproves

that H2 is a one-way hash function. Therefore, NPP has theproperty of non-malleability.

Therefore, from Lemma 1, we can demonstrate that NPPhas the properties of public auditing and correctness.

Theorem 1 (Public Auditing). Given a message M and itsgroup signature σ, the TPA is able to publicly and correctlycheck the integrity of message M under NPP.

Proof: Besides the group users, the TPA can executeauditing by randomly choosing a subset Γ of [1, w] withoutthe need of retrieving all data blocks from the cloud, whichsatisfies the object of public auditing.

The correctness of the verifying process relies on thecorrectness of Equations (7), (8) and (9). Specific proofs areas follows:∏

j∈Γ

vyj

j,1 =∏j∈Γ

(ηyjmj

1 ·H1(g∥ · · · ∥d′j,4)yj )

= η∑

j∈Γ yjmj

1 ·∏j∈Γ

H1(g∥ · · · ∥d′j,4)yj (10)

= ηλ1 ·∏j∈Γ

H1(g∥ · · · ∥d′j,4)yj

∏j∈Γ

vyj

j,2 =∏j∈Γ

(ηyjmj

2 ·H1(g∥ · · · ∥d′j,6)yj )

= η∑

j∈Γ yjmj

2 ·∏j∈Γ

H1(g∥ · · · ∥d′j,6)yj (11)

= ηλ2∏j∈Γ

H1(g∥ · · · ∥d′j,6)yj

e(Θ, g0) = e(∏j∈Γ

θyj

j , g0)

= e(∏j∈Γ

(H2(idj)gmj

0 )yjπ, g0) (12)

= e(∏j∈Γ

H2(idj)yj ·gλ0 , ρ)

From Equations (10), (11) and (12), we conclude that TPAcan correctly check the integrity of the shared data withoutretrieving all the data blocks on behalf of the group users.



8

Theorem 2 (Unforgeability). Given shared data M and itsgroup signatures σ, it is computationally unfeasible that anuntrusted cloud or adversary can generate an invalid auditingproof that can pass the verification under NPP.

Proof: According to the security game defined in [7], wefirstly define Game 1 as follows:

Game 1: TPA sends auditing challenge message(j, yj)j∈Γ of shared data M to the cloud, and thecorrect auditing proof should be idj ,Φj , λ,Θj∈Γ, whichcan pass the verification. Now, instead of generating thecorrect auditing proof, the untrusted cloud generates aninvalid auditing proof of idj ,Φj , λ

′,Θj∈Γ based on thecorrupted shared data M’, where λ′ =

∑j∈Γ yjm

′j . Define

∆mj = m′j − mj for j ∈ Γ, and at least one element of

∆mjj∈Γ is nonzero (because M ′ = M ). If the invalidproof still can pass the verification performed by the TPA,then the cloud wins this game. Otherwise, it fails.

Now we show that, if the untrusted cloud wins the abovegame, we can find a solution to the DL problem. We firstassume the untrusted cloud could win Game 1. Then, accord-ing to Equation (6), we have e(Θ, g0) = e(

∏j∈Γ H2(id)

yj ×gλ

′

0 , ρ), where λ′ =∑

y∈Γ yjm′j . Since idj ,Φj , λ,Θj∈Γ

is the correct auditing proof, we also have e(Θ, g0) =e(∏

j∈Γ H2(id)yj × gλ0 , ρ)

Then we learn that gλ′

0 = gλ0 , g∑

j∈Γ yjmj

0 = g∑

j∈Γ yjm′j

0 ,g∑

j∈Γ yj∆mj

0 =∏

j∈Γ(gyj

0 )∆mj = 1.As G1 is a cyclic group, given two random elements

g, h ∈ G1, there exists x ∈ Zp such that g = hx. Withoutloss of generality, given g, h ∈ G1, each g

yj

0 can be ran-domly and correctly generated by computing g

yj

0 = gεjhγj ,where εj and γj are random values of Zp. Then, we have1 =

∏j∈Γ(g

yj

0 )∆mj =∏

j∈Γ(gεjhγj )∆mj = g

∑j∈Γ εj∆mj ·

h∑

j∈Γ γj∆mj .Clearly, we can find a solution to the DL problem. More

specifically, given h, g = hx ∈ G1, we can output g =

hx = h−

∑j∈Γ γj∆mj∑j∈Γ εj∆mj , x = −

∑j∈Γ γj∆mj∑j∈Γ εj∆mj

, unless the

denominator is zero. However, as we defined in Game 1, atleast one element of ∆mjj∈Γ is nonzero, and εj is a randomelement of Zp; therefore, the probability of the denominatorbeing zero is 1/p, which is negligible because p is a largeprime. It means that once the untrusted cloud wins Game 1,we can find a solution to the DL problem with a probabilityof 1 − 1/p, which contradicts the assumption that the DLproblem is computationally unfeasible in G1. Therefore, it iscomputationally unfeasible for the untrusted cloud to generatean invalid auditing proof that can pass the verification.

Theorem 3 (Authorized Auditing). NPP supports autho-rization verification.

Proof: Since the ID of the TPA is encrypted with thepublic key spk, any other entity excluded by the group cannotobtain the valid ID without the private key ssk. Therefore, theycannot forge a valid message sigAUTH to pass the authentica-tion. In addition, the timestamp t included in sigAUTH ensuresthat a previous authorization message cannot be utilized asa valid message. Therefore, only the TPA who has been

authorized by the group can challenge the cloud.Theorem 4 (Identity Privacy). Given a message M and

its group signature σ, it is computationally unfeasible for averifier to reveal the identity of the signer.

Proof: Because TPA cannot infer the secret value X fromthe known Y = gX and g, it is computationally unfeasible forthe TPA to infer the real identity of the signer from signaturesVj,1 and Vj,2. In addition, although ρ, used to verify the partialsignature θ, is public, users in the group share the same secretvalue π, hence the partial signatures θ of all users in the groupare the same. Therefore, TPA cannot infer the real identity ofthe signer from the signature θ.

Theorem 5 (Traceability and Non-frameability). At leastt GMs can work together to recover the identity of the signerfrom the signatures.

Proof: The secret value X is divided into S pieces by thePKG based on (t, s) secret sharing scheme, and the S piecesare distributed to S GMs respectively. GMl owns piece Xl

of X . By Lagrange polynomial interpolation, at least t GMswork together to recover X = y(0) =

∑tl=1 Xl · Fl(0) and

then compute upki = Tj,1/TXj,2 = Ai. Therefore, the identity

of the signer can be traced by at least t GMs after recoveringupki. That means at least t GMs work together, the groupmanagers can expose the signers identity from the signatures.Note that since the tracing process is performed by multipleGMs instead of a single entity, it eliminates the potential risksbrought by power centralization and ensures non-frameabilityduring the tracing process.

Moreover, by implementing the postorder traversal to theadditional binary tree and revealing the real identities fromthe signatures, GMs can trace each user who has performedactions on the shared data. Finally, if the current data block hasbeen damaged, through postorder traversal, GMs can verify allthe previous records of this data block one by one with thehelp of TPA until they find the latest right data block.

Theorem 6 (Data Traceability and Recoverability). NPPsupports data traceability and recoverability.

Proof: According to the data structure based on the binarytree, the cloud server can record every change of the shareddata blocks. Through the records, the group users can trace thedata changes. Even if the current data block has been damaged,the users can recover the latest right data by verifying the olderblocks one by one in the records.(We have made a detaileddescription in the subsection V.B)

VII. EVALUATIONA. Functionality Comparison

Table II lists the features of NPP compared with otherauditing schemes Knox [8] and PDM [19] for shared data inthe cloud. As Table II shows, the two very important propertiesnon-frameability and data traceability and recoverability are allnot found in other two schemes. Whats more, comparing totheir schemes, NPP adds a lot of features. Hence, NPP haswider application than Knox and PDM.

B. Performance AnalysisIn our experiments, we utilize Pairing Based Cryptography

(PBC) library [28] to simulate the cryptographic operations in



9

TABLE IIFUNCTIONALITY COMPARISON

Knox [8] PDM [19] NPPPublic Auditing Yes Yes Yes

Authorized Auditing Yes No YesIdentity Privacy Yes No Yes

Traceability Yes No YesNon-frameability No No Yes

Data Traceabilityand Recoverability No No Yes

User Revocation No Yes Yes

TABLE IIICOMMUNICATION COST COMPARISON

Scheme Communication Cost(KB)Knox [8] D|w|+ (10D + k + 1)|q|+D(|id|+ |T |) = 106.4

PDM [19] (d+ 5)|q|+D|id| = 4.6 + 0.02dNPP D|w|+ (16D + 2)|q|+D|id| = 149.4

TABLE IVCOMPUTATION COST COMPARISON

Scheme Computation Cost(s)

Knox [8]D(2ExpZq + 4MulZq ) + kMulZq +D(17ExpG1

+11MulG1 ) +D(ExpGT+MulGT

) + 4Pair= 1.351

PDM [19] (k + 6)ExpG1 + (k +D + 3)MulG1 + (D + 3)Pair= 1.446

NPPD(22ExpZq + 14MulZq ) +D(2ExpG1 + 2MulG1 )+2Pair = 0.236

EXPZq and MULZq are one exponentiation operation and onemultiplication operation on Zq respectively; EXPG1 and MULG1 are oneexponentiation operation and one multiplication operation on Group G1

respectively; EXPGTand MULGT

are one exponentiation operation andone multiplication operation on Group GT respectively; Pair is a bilinearpairing operation.

the schemes. All tests are applied to a Ubuntu system with i73.40GHz-Intel Core and 4GB-memory over 1,000 times. Weset the size of elements in G1, G2, GT , Zq as 160 bits (i.e.,|q| = 160bit, |T | = 160bit), the identity of each data block as50 bits (i.e., |id| = 50bit), and the number of the shared datablocks as 1,000,000 (i.e., w = 1, 000, 000 and |w| = 20bit).Each data block contains 100 elements (i.e., k = 100), the sizeof each data block is 2KB and the shared data is 2GB in allthe experiments. Based on random sampling method [7], if theTPA select D = 460 data blocks, the detection probability isgreater than 99%, and if D = 300, the detection probability isgreater than 95%. To keep a higher detection probability, wechose D = 460. The performance analysis and the experimentresults are as follows.

1) Communication cost: As Table III shows, the commu-nication costs of NPP and Knox are both constant, but that ofPDM linearly increases with the number of the group users. Tosupport user revocation, NPP adds V2 as a partial signature,which brings additional overhead |V2| = 7D|q| = 62.89KBcompared with Knox. However, compared with the shared datasize of 2GB, the additional communication cost of 62.89KBis small and acceptable.

2) Computation cost: As Table IV shows, the computationcosts of all the three schemes are constant, which are inde-pendent of the number of the group users. Obviously, NPPoutperforms Knox and PDM. Because the operations on GT

and the pairing operations are time-consuming, NPP has nooperations on GT and has the fewest pairing operations. Incontrast, Knox has several operations on GT and more pairingoperations. Although the PDM has no operations on GT , thenumber of pairing operations in PDM linearly increase withD.

3) Performance results: From the above analysis, NPP hasthe lowest computation cost compared with Knox and PDM.Specifically, the computation cost of Knox is almost 5.7 timesthat of NPP, and PDM is almost 6.1 times that of NPP.Therefore, in terms of computation cost, NPP significantlyoutperforms Knox and PDM. As for communication cost,although the cost of NPP is a bit more than that of Knox, theadditional overhead 63KB is small and acceptable comparedto the size of shared data with 2GB.

VIII. CONCLUSION

In this paper, we propose a novel multi-level privacy pre-serving public auditing scheme for cloud data sharing withmultiple managers. During the process of auditing, the TPAcannot obtain the identities of the signers, which ensuresthe identity privacy of the group users. Moreover, unlikethe existing schemes, the proposed NPP requires at least tgroup managers to work together to trace the identity of themisbehaving user. Therefore, it eliminates the abuse of single-authority power and ensures non-frameability. Exceptionally,group users can trace the data changes through the designedbinary tree and recover the latest correct data block when thecurrent data block is damaged. In addition, the analysis andthe experimental results show that NPP is provably secure andefficient.

REFERENCES

[1] D. Fernandes, L. Soares, J. Gomes, et al, “Security issues in cloudenvironments: a survey,” International Journal of Information Security,vol. 12, no. 2, pp. 113-170, 2014.

[2] W. Hsien, C. Yang, and M. Hwang, “A survey of public auditing forsecure data storage in cloud computing,” International Journal of NetworkSecurity, vol.18, no.1, pp. 133-142, 2016.

[3] J. Yu, K. Ren, C. Wang, et al, “Enabling Cloud Storage Auditing withKey-Exposure Resistance,” IEEE Transactions on Information Forensicsand Security, vol.10, no.6, pp. 1167-1179, 2015.

[4] Q. Wang, C. Wang, K. Ren, et al, “Enabling public auditability and datadynamics for storage security in cloud computing,” IEEE Transactionson Parallel and Distributed Systems, vol. 22, no. 5, pp. 847-859, 2011.

[5] S. Yu, “Big privacy: challenges and opportunities of privacy study in theage of big data,” IEEE Access, vol. 4, no. 6, pp. 2751-2763, 2016.

[6] C. Wang, Q. Wang, K. Ren, et al, “Privacy-preserving public auditingfor data storage security in cloud computing,” Proceedings of IEEEINFOCOM, pp. 1-9, 2010.

[7] B. Wang, B. Li, and H. Li, “Oruta: privacy-preserving public auditingfor shared data in the cloud,” IEEE Transactions on Cloud Computing,vol.2, no.1, pp.43-56, 2014.

[8] B. Wang, B. Li, and H. Li, “Knox: privacy-preserving auditing for shareddata with large groups in the cloud,” Applied Cryptography and NetworkSecurity. Springer Berlin Heidelberg, pp. 507-525, 2012.

[9] B. Wang, H. Li, and M. Li, “Privacy-preserving public auditing for sharedcloud data supporting group dynamics,” Proceedings of IEEE ICC, pp.1946-1950, 2013.

[10] B. Wang, B. Li, and H. Li, “Public auditing for shared data with efficientuser revocation in the cloud,” Proceedings of IEEE INFOCOM, pp. 2904-2912, 2013.

[11] B. Wang, B. Li, and H. Li, “Panda: Public auditing for shared data withefficient user revocation in the cloud,” IEEE Transactions on ServicesComputing, vol.8, no.1, pp. 92-106, 2015.



10

[12] C. Liu, J. Chen, L. Yang, et al, “Authorized public auditing of dynamicbig data storage on cloud with efficient verifiable fine-grained updates,”IEEE Transactions on Parallel and Distributed Systems, vol.25, no.9, pp.2234-2244, 2014.

[13] H. Wang, and Y. Zhang, “On the Knowledge Soundness of a CooperativeProvable Data Possession Scheme in Multicloud Storage,” IEEE Trans-actions on Parallel and Distributed Systems, vol.25, no.1, pp. 264-267,2014.

[14] L. Huang, G. Zhang, and A. Fu, “Privacy-preserving public auditing fordynamic group based on hierarchical tree,” Journal of Computer Researchand Development, vol.53, no.10, pp. 2334-2342, 2016.

[15] Y. Yu, J. Ni, M. Au, et al, “Comments on a public auditing mechanismfor shared cloud data service,” IEEE Transactions on Services Comput-ing,vol.8, no.6, pp. 998-999 2015.

[16] G. Ateniese, R. Burns, R. Curtmola, et al, “Provable data possession atuntrusted stores,” Proceedings of ACM CCS, pp. 598-609, 2007.

[17] A. Juels, and B. Kaliski, “PORs: Proofs of retrievability for large files,”Proceedings of ACM CCS, pp. 584-597, 2007.

[18] Y. Yu, M. H. Au, and Y. Mu, “Enhanced privacy of a remote dataintegrity-checking protocol,” International Journal of Information Secu-rity, vol. 14, no. 4, pp. 307-318, 2015.

[19] J. Yuan, and S. Yu, “Efficient public integrity checking for cloud datasharing with multi-user modification,” Proceedings of IEEE INFOCOM,pp. 2121-2129, 2014.

[20] H. Wang, “Identity-based distributed provable data possession in multi-cloud storage,” IEEE Transactions on Services Computing, vol.8, no.2,pp.328-340, 2015.

[21] L. Huang, G. Zhang, A. Fu, “Certificateless Public Verification Schemewith Privacy-preserving and Message Recovery for Dynamic Group,”Proceedings of ACSW, 2017.

[22] T. Jiang, X. Chen, and J. Ma, “Public integrity auditing for shareddynamic cloud data with group user revocation,” IEEE Transactions onComputers, vol.65, no.8, pp.2363-2373, 2016.

[23] H. Wang, “Proxy Provable Data Possession in Public Clouds,” IEEETransactions on Services Computing, vol.6, no.4, pp.551-559, 2013.

[24] Y. Yu, Y. L, J. N, et al, “Comments on public integrity auditing fordynamic data sharing with multiuser modification,” IEEE Transactionson Information Forensics and Security, vol.11, no.3, pp.658-659, 2016.

[25] H. Jin, D. Wong, and Y. Xu, “Efficient group signature with forwardsecure revocation,” Security Technology. Springer Berlin Heidelberg, pp.124-131, 2009.

[26] A. Shamir, “How to share a secret?” Communications of the ACM,vol.22, no.11, pp. 612-613, 1979.

[27] S. Yu, C. Wang, K. Ren, et al, “Achieving secure, scalable, and fine-grained data access control in cloud computing,” Proceedings of IEEEINFOCOM, pp. 1-9, 2010.

[28] Pairing Based Cryptography (PBC) Library [Online]. Available:http://crypto.stanford.edu/pbc/.

Anmin Fu is an associate professor and supervisorof Ph.D. students of Nanjing University of Scienceand Technology, China. He received his B.S. de-gree in Communication Engineering from LanzhouUniversity of Technology, China, in 2005. He re-ceived his M.S. and Ph.D. degrees in Cryptographyand Information Security from Xidian University in2008 and 2011, respectively. His research interestsinclude cloud computing security, wireless securityand applied cryptography.

Shui Yu (M’05-SM’12) is currently a Senior Lec-turer of School of Information Technology, DeakinUniversity. He is a Senior Member of IEEE, anda member of AAAS and ACM, the Vice Chairof Technical Committee on Big Data Processing,Analytics, and Networking of IEEE CommunicationSociety.

Dr Yu’s research interest includes Cybersecurity,Networking Theory, Big Data, and MathematicalModelling. He has published two monographs andedited two books on big data, more than 150 techni-

cal papers, including top journals and top conferences, such as IEEE TPDS,IEEE TCC, IEEE TCSS, IEEE TC, IEEE TIFS, IEEE TMC, IEEE TKDE,IEEE TETC, and IEEE INFOCOM. Dr Yu initiated the research field ofNetworking for Big Data in 2013. His h-index is 25.

Dr Yu actively serves his research communities in various roles. He servedIEEE Transactions on Parallel and Distributed Systems as an AE (2013-2015),and is currently serving the editorial boards of IEEE Communications Surveysand Tutorials (exemplary editor for 2014), IEEE Access, IEEE Internet ofThing Journal, IEEE Communications Letters (exemplary editor for 2016),and a number of other international journals. Moreover, he has organizedseveral Special Issues either on big data or cybersecurity. He has served morethan 70 international conferences as a member of organizing committee, suchas publication chair for IEEE Globecom 2015 and IEEE INFOCOM 2016and 2017, TPC co-chair for IEEE BigDataService 2015, IEEE ITNAC 2015,and General chair for ACSW 2017.

Yuqing Zhang is a professor and supervisor ofPh.D. students of Graduate University of ChineseAcademy of Sciences, China. He received his B.S.and M.S. degrees in computer science from XidianUniversity, China, in 1987 and 1990 respectively.He received his Ph.D. degree in Cryptography fromXidian University in 2000. His research interestsinclude cryptography and network security.

Huaqun Wang received the BS degree in mathemat-ics education from the Shandong Normal Universityand the MS degree in applied mathematics from theEast China Normal University, both in China, in1997 and 2000, respectively. He received the Ph.D.degree in Cryptography from Nanjing University ofPosts and Telecommunications in 2006. Now, he isa full professor in Nanjing University of Posts andTelecommunications. His research interests includeapplied cryptography, network security, blockchain,and cloud computing security. He has published

more than 70 papers. He has served in the program committee of severalinternational conferences and the editor board of international journals.

Chanying Huang received the BS degree in Schoolof Computer Science & Technology from HarbinInstitute of Technology (HIT) in July 2009, and thePhD in Graduate School of Information Securityfrom Korea University (KU) in February 2015. Sheis a lecturer in School of Computer Science &Engineering, Nanjing University of Science & Tech-nology. Her research focuses on Sensor NetworkSecurity, Security and Privacy issues in BANs, andSecurity and Privacy issues in eHealth/mHealth.

npp: a new privacy-aware public auditing scheme for cloud ......auditing schemes, hence anyone can...

Documents