Certificateless Public Auditing with Privacy Preserving for Cloud-Assisted Wireless Body Area Networks

With cloud computing being integrated with wireless body area networks, the digital ecosystem called cloud-assisted WBAN was proposed. In cloud-assisted medical systems, the integrity of the stored data is important. Recently, based on certificateless public key cryptography, He et al. proposed a certificateless public auditing scheme for cloud-assisted WBANs. But He et al.'s scheme does not preserve privacy: after many checks on some of the same data blocks, the auditor can derive these data blocks. In this paper, we propose a certificateless public auditing scheme with privacy preserving for cloud-assisted WBANs. In the proof phase of the proposed scheme, the proof information is protected from being directly exposed to the auditor, so a curious auditor cannot derive the data blocks. We also prove that the proposed scheme is secure in the random oracle model under the assumption that the Diffie-Hellman problem is hard, and we compare the proposed scheme with He et al.'s scheme in terms of security and computation cost.


Introduction
Advances in wireless communication technologies, microcontroller systems, and sensor technologies have enabled the design and development of wireless body area networks (WBANs) that are playing an increasingly important role in healthcare systems because of their ability to provide continuous measurements and to monitor a patient's health status by using medical sensors implanted inside the patient's body [1].
To make a fast diagnosis and to store and process sensing data in real time, cloud computing is being integrated with traditional WBANs to form the digital ecosystem called cloud-assisted WBAN. In cloud-assisted medical systems, the data stored in the cloud-based storage resource are the basis of all diagnoses, so the integrity of the stored data is important. As a cryptographic technique, a public auditing scheme [2] can provide an effective data integrity check service in cloud-assisted WBANs. In a typical public auditing scheme for a cloud service, there are three entities: a data user, a cloud server, and a third-party auditor. The data file of the data user is outsourced to the cloud server, and the auditor provides the data integrity check service for the data user. The data user is a resource-constrained entity, but the auditor has the computation ability and expertise required for integrity checking. After Ateniese et al.'s pioneering work [2], many auditing schemes were proposed [3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]. But these schemes were built on conventional public key cryptography, so data users and the auditor need more storage space or computation cost for key management and verification.
In ID-based cryptography [19], the public key of any user is his/her identity. So, it is clear that auditing schemes built on ID-based cryptography reduce the costs of the data users and the auditor. Many ID-based public auditing schemes have been proposed [20][21][22][23]. But, in ID-based public auditing schemes, the PKG (private key generator) knows every user's private key. It is clear that, for processing patients' private information in cloud-assisted medical systems, ID-based public auditing schemes are not secure. Recently, based on certificateless public key cryptography [24], He et al. proposed a certificateless public auditing scheme for cloud-assisted WBANs [1]. In certificateless public key cryptography, the private key of a user consists of two parts. One is the partial private key generated by the PKG, and the other is a secret value generated by the user. So, certificateless public key cryptography simultaneously overcomes the drawbacks of conventional public key cryptography and of ID-based cryptography. A certificateless public auditing scheme is therefore well suited to cloud-assisted WBANs, which have energy-limited sensors and a large amount of personal sensitive information. In [1], the proposed certificateless public auditing scheme is proved to be secure and very suitable for use in cloud-assisted WBANs. But He et al.'s scheme does not preserve privacy: after many checks on some of the same data blocks, the auditor can derive these data blocks from the proof information that the cloud server submitted.
In this paper, we propose a certificateless public auditing scheme with privacy preserving. In the proof phase of the proposed scheme, the proof information is protected from being directly exposed to the auditor, so a curious auditor cannot derive the data blocks. We also prove that the proposed scheme is secure in the random oracle model under the assumption that the Diffie-Hellman problem is hard.
The rest of the paper is organized as follows. In Section 2, we present the system and security model. In Section 3, we review bilinear pairings and the computational Diffie-Hellman problem relevant to the security of the proposed scheme. A certificateless public auditing scheme with privacy preserving is proposed in Section 4. In Section 5, we provide security proofs of the proposed scheme. In Section 6, we compare the proposed scheme with He et al.'s scheme in terms of security and computation cost. The conclusion is given in Section 7.

The System Model.
There are four entities included in a certificateless public auditing scheme: (1) A data user (DU) who possesses a data file that needs to be stored on the cloud.
(2) A cloud server (CS) that provides data storage service to the data user.
(3) A third-party auditor (AU) who has capacities to check data integrity on behalf of the data user.
(4) A private key generator (PKG) that is responsible for setting up the system parameter and generating the partial private key for any entity by using the entity's identity information.
To reduce the burden of data file storage, the data user (DU) uploads his/her data file to the cloud server (CS) for storage, and the DU no longer keeps a local copy of the file. To ensure the data file is correctly stored in the cloud server, the DU entrusts the trusted third-party AU, who has the expertise and computation capabilities, to periodically check the integrity of his/her data file.

The Security Model.
In a certificateless public auditing scheme, PKG is a trusted authority, DU is honest, and AU is honest but curious. CS is a semi-trusted party; it might modify or delete the data user's file for its own benefit and forge proof information in order to pass the data integrity check. We will also investigate whether AU can obtain any information about the content of the data file during the auditing process.
Our design goals cover three aspects: (1) Public auditability: AU can verify the correctness of the cloud data file blocks on demand without retrieving a copy of the whole data file or introducing an additional online burden for the cloud users.
(2) Storage correctness: no cheating cloud server can pass AU's audit.
(3) Privacy preserving: AU cannot derive the data user's file content from the information collected during the auditing process.

Preliminary
3.1. The Bilinear Pairing. Let  1 be a cyclic additive group generated by , whose order is a prime , and let  2 be a cyclic multiplicative group of the same order. Let  :  1 ×  1 →  2 be a pairing map which satisfies the following conditions.

Computational Diffie-Hellman (CDH) Problem.
There is a generator  of an additive cyclic group  with order , and there is (, ) for unknown ,  ∈  *  to compute .

The Proposed Scheme
The proposed certificateless public auditing scheme consists of seven algorithms: setup, partial-private-key extraction, set-public-key, tag generation, challenge phase, prove phase, and verify phase.
Setup. Given a security parameter  ∈ , the algorithm works as follows: (1) Run the parameter generator on input  to generate a prime , an additive cyclic group  1 and a multiplicative cyclic group  2 of the same order , a generator  of  1 , and a bilinear map  :  1 ×  1 →  2 .
(2) Pick a random  ∈  *  as the master key of PKG and set the system public key  pub =  ⋅ .
Partial-Private-Key Extraction. When anyone wants to register his/her identity ID  with PKG, the algorithm works as follows: (1) Compute   = (ID  ) ∈  1 .
(2) Set the partial private key   =  ⋅   , where  is the master key of PKG.
Set-Public-Key. Given a user's identity ID  , this algorithm picks a random   ∈  *  as the user's secret value and computes his/her public key as   =   .
and sends it to the CS.
Verify Phase. Upon receiving the proof information (, , ), based on the stored information RE DU , AU computes Then, it checks the equation If the equation holds, AU accepts the proof. The correctness of the above verification equation can be demonstrated as follows:

Security
In this section, we discuss the security of the proposed scheme with respect to unforgeability and privacy preserving.

Unforgeability
Theorem 1. If the CDH assumption is hard, then the proposed scheme is secure against existential forgery of proof information by the CS.
Proof of Theorem 1. We show that if CS can forge valid proof information, then the challenger can use the forged proof information to solve the CDH problem.
Because CS has the signature of any file block, CS need not query a tag oracle. So, we only model the hash functions  1 ,  2 as random oracles. For a given CDH problem instance (, ), the challenger sets the system public key  pub = , and in the partial-private-key-extract phase, for the two oracle queries, lets   =  1 (ID  ) =   (),  = 1, 2, where   , selected by the challenger, is a random number. In the proof process, for the same Chall information and the same random number , let ( 1 ,  1 , ) and ( 2 ,  2 , ) be two pieces of valid proof information under two different  2 oracles,  2 () =   ,  = 1, 2. Then, the following two equations hold: The challenger derives

Privacy Preserving
Theorem 2. In the proposed scheme, AU cannot derive any information about DU's data blocks during the whole auditing procedure.
But Chall = [ID DU , , ] is irrelevant to the file content, and AU cannot derive any information about the data blocks from ℎ  ,   since the hash functions are secure. AU cannot derive any information about the data blocks from the equation  = (∑ ∈ V    −  ⋅  2 ())mod , since it contains an unknown random number .
Finally, AU cannot derive file content information from .
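The two observations above (the introduction's remark that repeated challenges on the same blocks let the auditor derive them, and Theorem 2's argument that an unknown random number in the response prevents this) come down to linear algebra over the group order. The following Python example is added here and is not code from the paper; it does not implement the pairing-based scheme. It models only the response value: an unmasked response is the linear combination of the challenged blocks with the auditor's coefficients, and the masked response subtracts a fresh random multiple of a hash value per proof (the hash value is stood in for by a random number each round, and the prime Q is a constructed stand-in for the group order q). The auditor's view is then a system of linear equations, which the example solves by Gaussian elimination modulo Q.

```python
"""Added example: why repeated audits on the same blocks leak them without masking."""
import secrets

Q = (1 << 61) - 1  # constructed: a prime standing in for the group order q


def challenge(indices):
    """Auditor picks a fresh random nonzero coefficient v_i for each challenged block."""
    return {i: secrets.randbelow(Q - 1) + 1 for i in indices}


def prove_unmasked(blocks, chall):
    """Unmasked response: mu = sum(v_i * m_i) mod Q, exactly what the auditor receives."""
    return sum(v * blocks[i] for i, v in chall.items()) % Q


def prove_masked(blocks, chall, h2_value):
    """Masked response (hypothetical model): mu = sum(v_i * m_i) - r * h2_value mod Q,
    where r is a fresh secret random number chosen by the prover for this proof only."""
    r = secrets.randbelow(Q - 1) + 1
    return (sum(v * blocks[i] for i, v in chall.items()) - r * h2_value) % Q


def solve_mod_q(rows, rhs):
    """Gaussian elimination over GF(Q). Returns the unique solution, or None if the
    system is underdetermined (fewer independent equations than unknowns)."""
    n_vars = len(rows[0])
    m = [row[:] + [b % Q] for row, b in zip(rows, rhs)]
    pivot_row = 0
    for col in range(n_vars):
        piv = next((r for r in range(pivot_row, len(m)) if m[r][col]), None)
        if piv is None:
            return None  # no pivot in this column: this unknown is not determined
        m[pivot_row], m[piv] = m[piv], m[pivot_row]
        inv = pow(m[pivot_row][col], -1, Q)
        m[pivot_row] = [(x * inv) % Q for x in m[pivot_row]]
        for r in range(len(m)):
            if r != pivot_row and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % Q for a, b in zip(m[r], m[pivot_row])]
        pivot_row += 1
    return [m[i][n_vars] for i in range(n_vars)]


def recover_unmasked(indices, transcripts):
    """Auditor's view of unmasked proofs: transcripts = [(chall, mu)].
    Each round is one linear equation in the k block values."""
    rows = [[ch[i] for i in indices] for ch, _ in transcripts]
    rhs = [mu for _, mu in transcripts]
    sol = solve_mod_q(rows, rhs)
    return None if sol is None else dict(zip(indices, sol))


def recover_masked(indices, transcripts):
    """Same attempt against masked proofs: transcripts = [(chall, h2_value, mu)].
    Every round introduces its own unknown r_j, so n rounds give n equations in
    k + n unknowns and the system never becomes determined."""
    n = len(transcripts)
    rows = []
    for j, (ch, h2, _) in enumerate(transcripts):
        row = [ch[i] for i in indices] + [0] * n
        row[len(indices) + j] = (-h2) % Q
        rows.append(row)
    rhs = [mu for _, _, mu in transcripts]
    return solve_mod_q(rows, rhs)


def demo(n_rounds):
    """Run n_rounds audits of the same three (constructed) blocks under both models.
    Returns (blocks recovered from unmasked proofs or None, result for masked proofs)."""
    blocks = {3: 123456789, 7: 987654321, 11: 42}  # constructed sample block values
    idx = sorted(blocks)
    unmasked = []
    masked = []
    for _ in range(n_rounds):
        ch = challenge(idx)
        unmasked.append((ch, prove_unmasked(blocks, ch)))
        h2 = secrets.randbelow(Q - 1) + 1  # stands in for H2 of a fresh per-proof value
        masked.append((ch, h2, prove_masked(blocks, ch, h2)))
    return recover_unmasked(idx, unmasked), recover_masked(idx, masked)


if __name__ == "__main__":
    leaked, hidden = demo(3)
    print("unmasked, 3 rounds on 3 blocks ->", leaked)   # the three block values
    print("masked,   3 rounds on 3 blocks ->", hidden)   # None: underdetermined
```

With k challenged blocks, k rounds of unmasked proofs on the same blocks are enough for the auditor to solve for every block value (the random coefficient vectors are linearly independent with overwhelming probability). With the per-proof mask, each transcript adds a new unknown alongside its single equation, so no number of rounds determines the blocks; this is the role of the unknown random number in Theorem 2.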

Comparisons
In this section, we compare the proposed scheme with He et al.'s scheme [1] in terms of security and computation cost. In the comparison of computation cost, we write , , and  for a scalar multiplication, a hash computation, and a bilinear pairing computation, respectively. The comparison results are shown in Tables 1 and 2. According to Table 1, our scheme offers better security, and according to Table 2 the proposed scheme has a notably lower hash computation cost. In some phases, however, the scalar multiplication and bilinear pairing costs of the proposed scheme are higher.

Conclusion
In this paper, we propose a certificateless public auditing scheme with privacy preserving for cloud-assisted wireless body area networks. In the proof phase of the proposed scheme, the proof information is protected from being directly exposed to the auditor, so a curious auditor cannot derive the data blocks. We also prove that the proposed scheme is secure in the random oracle model under the assumption that the Diffie-Hellman problem is hard. The comparison indicates that the proposed scheme is more secure and suitable for cloud-assisted wireless body area networks.