Comparable Encryption Scheme over Encrypted Cloud Data in Internet of Everything

,


Introduction
With the new era of Internet of Everything (IOE) [1] and cloud computing [2,3], smaller and smarter computing devices have begun to be integrated into our lives such as e-Health [4,5], online shopping [6], and image retrieval [7].Authentication is regarded as a first line of defense and has been widely used to prevent unauthorized access.Series of research efforts [8][9][10][11][12][13][14][15][16][17] have been made.User authentication can be password-based authentication [18,19], biometricbased authentication [20,21], and others [22][23][24].However, security issues of user authentication, especially issues of data security and the availability of ciphertext data, are rather challenging tasks in IOE.When user passes the legal authentication, he/she can do comparable queries over ciphertexts.On the premise of ensuring safety, we concern how to make comparable queries over ciphertexts for authorized users.
As the cloud service provider is not a completely trusted entity, data usually utilize encryption technique by authorized users to guarantee security before being outsourced to the cloud service provider.There exist some scenes such as e-Health and stock exchange, which need to compare numeric data [25] over encrypted data.Unfortunately, what is of prime importance is how to make comparable operations over ciphertexts as well as data integrity without leaking any information.
To ensure comparable query operations over ciphertexts, series of research efforts [26][27][28][29][30][31] have been made.Among these efforts, one of popular works is a request-based comparable encryption scheme [31] which utilizes the idea of Prefix Preserving Encryption (PPE).Although this scheme can make comparable query operations over ciphertexts, it brings in high computational and storage burden.To this end, an efficient request-based comparable encryption scheme was discussed by Chen et al. [32] through utilizing sliding window method to reduce computational and storage burden.To further relief ciphertexts storage space, SCE scheme was presented by Furukawa through using PPE idea [33].Compared with request-based comparable encryption scheme, SCE scheme encrypts each bit into 3-ary, thereby dramatically reducing ciphertexts space and improving work efficiency.As the semitrusted cloud service provider may maliciously conduct a fraction of operations and forge some ciphertexts, we should verify the correctness of outsourced data for the purpose of ensuring data integrity.
To ensure data integrity without maliciously being forged, large amount of work [34][35][36][37] aimed to verify the integrity of static and dynamic outsourced data.For example, a remote integrity checking scheme which is based on modularexponentiation cryptographic techniques was introduced by Deswarte et al. [38] Unfortunately, the new scheme has high computing complexity.To tackle this problem, Gazzoni Filho and Barreto [39] proposed a scheme by utilizing an RSAbased secure hash function in order to achieve safe data transfer transaction through a trusted third party.However, this protocol is still vulnerable to the collusion attack in a P2P environment [39] as most of existing schemes cannot prevent the user data from being leaked to external auditors.After that, Wang et al. [36] proposed a scheme known as privacypreserving public auditing for data storage security in cloud computing, which was the first privacy-preserving auditing protocol to support scalable and public auditing in the cloud computing.In Wang et al. protocol, computational overhead came from several time-consuming operations.Aiming at reducing high computational and storage overhead, we use position-aware Merkle tree (PMT) [40] to ensure data integrity.
Inspired by the aforementioned sliding window method and PMT, we first propose a basic scheme called SCESW scheme which is based on the sliding window method to reduce computational and storage overhead.Since the cloud service provider is a semitrusted entity which can obtain some sensitive information and then derive plaintexts, we further present an enhanced scheme named PT-SCESW scheme according to PMT to verify the stored data integrity.The main contributions of our work are listed as follows.
(i) SCESW scheme: inspired by sliding window method and SCE scheme, we first put forward the basic SCESW scheme to relief computational burden and storage overhead as well as enhance work efficiency.(ii) PT-SCESW scheme: to further protect data integrity for authorized users, we then introduce the enhanced lightweight PT-SCESW scheme based on PMT, which allows the authorized verifier to check the correctness of stored cloud data.Table 1 shows comparisons among various schemes.(iii) Security and efficiency: formal security analysis demonstrates that PT-SCESW and SCESW schemes can guarantee data security and integrity as well as weak indistinguishability in standard model and experimental results using real-world dataset show its efficiency in practice.The reminder of this paper is organized as follows.Section 2 depicts some preliminaries which will be used in our paper.Section 3 gives a detailed description of the proposed basic and enhanced schemes.Section 4 shows security analysis and Section 5 illustrates the performance of proposed schemes.

Preliminaries
In this section, we will give some descriptions of sliding window method and position-aware Merkle tree.
In our schemes, numeric numbers are considered as a sequence of the binary codes.However, we suppose that all the windows have the same window size without distinguishing zero windows or nonzero windows.The fixed window size is chosen by the user's security level requirements.Hence, security and efficiency can be trade-off in practice.

Position-Aware Merkle
Tree.Merkle hash tree [42] is extensively utilized in data integrity [43].The structure of Merkle tree [44] contains a root on the top of the tree, nonleaf nodes, and leaf nodes, which is shown in Figure 1.Every nonleaf node is labeled as the hash value of its children nodes and every leaf node is defined as the hash value of a file block.Λ = {  |   = ℎ(  ), 1 ≤  ≤ 15}, where ℎ(⋅) represents a hash function.The root node of the Λ is regarded as  root .For a node   , Auxiliary Authentication Information (AAI) is used to depict the smallest order node set Υ  = {  1 ≫   2 ≫ ⋅ ⋅ ⋅ }.Given a node   , AAI contains all the brother nodes related to   through root path from   to root node  root .For example, the AAI of node  3 is Υ  = { 4 ≫  9 ≫  14 }, as shown in Figure 1.
In the PMT structure, every node is noted as   .Besides,   is presented by a 3-tuple   = (  ⋅ ;   ⋅ ;   ⋅ V), where   ⋅ represents node   's relative position to its parents node;   ⋅  represents the number of node   's leaf nodes;   ⋅ V represents the value of the node   .We label nodes from left Input: two numbers  and  where  represents base and  represents exponent Output:  =   (1) for all ,  = 3, 5, 7, . . ., 2  − 1 do (2) Compute and store   ; (3)  is divided into zero windows and non-zero windows   of length (  ) where (  ) represents the length of windows; (4) for  =  − 1, . . ., 0 do (5) Compute the value of  fl   −1 ; (6) for 0 ≤  ≤  − 2 do (7) Compute and store  fl   to right in each layer with   ⋅ ,   ⋅ , and   ⋅ V defined as follows, where set Ω  represents the set of left subtrees, set Ω  represents the set of right subtrees, set Ω root represents the root of tree, and set Θ represents the set of leaf nodes.
From Figure 1, we know that node  3 is a leaf node that relates to the block  3 and  3 is located in the left of its parent Table 2: Nodes of position-aware Merkle tree in Figure 1.

Proposed Basic and Enhanced Schemes
Before presenting concrete constructions of SCESW and PT-SCESW schemes outlined above, we give some notations which will be utilized in the whole paper, as shown in Notations.

System Model.
We first describe the system model of PT-SCESW scheme which mainly involves four entities, namely, Data Owner (DO), cloud service provider (CSP), user, and Third-Party Auditor (TPA), as shown in Figure 2.
When user passes the legal authentication, he/she can do comparable queries operations over encrypted data.First, Output correct,    ,  = {null,    , V   }; (15) else (16) Output ⊥. the DO encrypts files by using SCESW scheme and finally sends the file CP and the corresponding  to the CSP.When user wants to issue the search query over encrypted cloud data, he/she needs to submit a search query to CSP.
The CSP returns the result of the query to the user.If the verifier wants to check the outsourced data integrity, she/he sends an auditing request to the TPA and the TPA submits the auditing challenge CL to the CSP.Upon receiving the auditing challenge CL, CSP computes P 1 , P 2 and sends the auditing proof to the TPA.Then TPA conducts the integrity verification algorithm (Algorithm 2) to check the data integrity and returns the auditing report to the verifier.Figure 2 depicts the task of each entity, with an assumption that the DO is the verifier.
(1) DO: it has twofold responsibilities.Firstly, data files are encrypted through SCESW scheme and then outsourced to the CSP, as shown in step A. Secondly, the DO sends auditing request to the TPA in order to check ciphertexts integrity, as illustrated in step B.
(2) CSP: it can provide infinite storage and computation resources to the DO and the user.After executing auditing challenge, the CSP sends auditing proof to the TPA, as shown in step D.
(3) User: it has the following responsibilities.Firstly, the user submits a query to compare a pair of ciphertexts CP and CP * , as shown in step F. Secondly, upon doing Cmp operation, the CSP returns the relationship of two numeric ciphertexts, as illustrated in step G. otherwise, the scheme demonstrates that ciphertexts are not with integrity and system stops working.

The SCESW Scheme.
Let  be the window size, which means each block file has  bits.We assume arbitrary number  is a multiple of .If  is not a multiple of , we make  a multiple of  by adding zero in the end of the 's binary code.SCESW scheme consists of five algorithms, namely, KeyGen, Par, Der, Enc, and Cmp.When user passes the legal authentication, he/she can do comparable queries operations over encrypted data.Thus, we mainly consider data security and comparable queries operations over ciphertexts.
A detailed construction of SCESW scheme is depicted as follows.
(1) Definitions of SCESW Scheme.The SCESW scheme is composed of five algorithms involving KeyGen, Par, Der, Enc, and Cmp.SCESW system definition can be defined in Algorithm 3.
(2) Details of SCESW Scheme.Concrete construction of SCESW scheme can be defined as follows.
Finally, KeyGen algorithm outputs a public parameter PP and a master key MSK.

Security and Communication Networks
PT-SCESW is a series of algorithms namely Setup, Encryption, Auditing, Comparison phases, which are shown as follows: Setup Phase.The DO chooses a security parameter  ∈ N, range parameter  ∈ N and master key MSK to generate a public parameter PP.The DO runs KeyGen to produce the secret key SK and public key PK.Setup phase outputs the secret key SK, public key PK, public parameter PP and master key MSK.Setup phase contains KeyGen algorithm in SCESW scheme.The DO shares PK with others and preserves SK as a secret.

Encryption Phase
(i) Par(N), Der(PP, MSK, N): system definitions are similar to SCESW scheme, as shown in Algorithm 3. (ii) Enc(PP, MSK, N): given a security parameter  ∈ N, range parameter  ∈ N, master key MSK, public key PK, private key SK and num 0 ≤ N ≤ 2  , the DO runs the algorithm to output a ciphertext CP, set  and the metadata.Then file CP and set  will be sent by the DO to the CSP.The metadata might be signed and kept by the DO.

Auditing Phase
(i) ChalGen() → (CL): given the secret parameter , the verifier outputs auditing challenge CL for the query.(ii) ProofGen(  , , , CL) → (P): given the DO's public parameter   , file , set  and auditing challenge CL, the TPA outputs the auditing proof P to verify that the CSP owns the outsourced file correctly.(iii) ProofCheck(PK, CL, , P) → (, ⊥): given the DO's public key PK, evidence P, metadata and auditing challenge CL, the TPA outputs correct or ⊥.
If the proof P passes the verification, the function outputs correct; otherwise, the function outputs ⊥ and the system stops to work.At last, TPA sends the auditing report to the verifier.

Comparison Phase
(i) Cmp(CP, CP * , TK): system definition is similar to SCESW scheme, as illustrated in Algorithm 3.

The PT-SCESW Scheme
(1) Definitions of PT-SCESW Scheme.To efficiently support public auditing, we propose an enhanced SCESW scheme called PT-SCESW scheme.PT-SCESW scheme consists of four phases Setup, Encryption, Auditing and Comparison, defined in Algorithm 4. When user passes the legal authentication, he/she can do comparable queries operations over encrypted data.Thus, we mainly consider data security and comparable queries operations over ciphertexts.
(2) Details of PT-SCESW Scheme.Concrete construction of PT-SCESW scheme is defined as follows.
Setup Phase.This phase contains the KeyGen algorithm, which is utilized by the DO to initialize system.
The DO chooses a security parameter  ∈ N, range parameter  ∈ N, master key MSK ∈ {0, 1} * , and hash functions  1 ,  2 ,  3 .Then he/she calculates the secret key SK = (,) and public key PK = ( =  ⋅ , ), where ,  are two large primes and  is the generator of a high-order cyclic group.Besides, he/she defines PP = (,  1 ,  2 ,  3 ).The DO runs KeyGen algorithm to generate the public parameter PP and secret key SK.Setup phase contains KeyGen algorithm in SCESW scheme.
Setup phase outputs the secret key SK, public key PK, public parameter PP, and master key MSK.
Encryption Phase.Par algorithm is run by the DO to generate the num N which adopts the sliding window method.Der algorithm is used by the DO to produce the token of the num N. Enc algorithm is run by the DO to generate ciphertexts of the num N. algorithms are similar to SCESW scheme.
Auditing Phase.ChalGen algorithm is run by the verifier to produce the auditing challenge CL.ProofGen algorithm is used by the TPA to generate the auditing proof P. ChalGen algorithm is conducted by the TPA to produce auditing results.(ii) ProofGen(  , , , CL) → (P): upon receiving the CL = {  , } sent by the verifier, the CSP computes mod  , P 2 = {   , Υ   } =1,..., .Then the CSP returns auditing proof P = (P 1 , P 2 ) to the TPA.(iii) ProofCheck(, CL, , P) → (, ⊥): upon receiving the auditing proof P = (P 1 , P 2 ), the TPA conducts Algorithm 2 to verify (,    , Υ   ) → {correct, ⊥}, in which  = 1, . . ., .If Algorithm 2 outputs correct, it means tags corresponding to the auditing request are correct.Then, the TPA computes P 3 = ∏  =1 (   )   mod .If P  3 = P 1 holds, it outputs correct, which means the auditing challenge CL passes the verification and the system continues the Cmp algorithm; otherwise, it outputs ⊥, which means the outsourced file was forged at the CSP side and the system stops the Cmp algorithm.
Comparison Phase.Cmp algorithm is employed by the user to compare the relationship of the numbers N and N * from CP and CP * .

Security Analysis
In this section, we will give properties of completeness and weak indistinguishability in PT-SCESW scheme by theoretical analysis, which are similar to SCESW scheme.
Theorem 1.The PT-SCESW scheme is complete as long as  1 ,  2 , and  3 are pseudorandom functions and the CSP honestly performs operations according to the auditing challenge.
Proof.We denote that CP and CP * are generated from N and N * , respectively.
where  is the window size;  = / is the number of blocks via utilizing sliding window technology.Hence, the PA-SCESW scheme is complete., = 1)| ≥  in the weak distinguishing game.Then, we know that hash function is distinguishable from the random function, which is against the assumption that they are pseudorandom functions.In particular, we consider a sequence of games by challengers ,   , and   and then prove the theorem by the hybrid argument.From literature [33], we know that |Adv , − Adv   , | <  as long as hash is a pseudorandom function as well as Adv   , = 0. Hence, Adv , <  and Theorem 2 is proved.

Performance
In this section, we first compare our schemes with SCE scheme in Encryption Phase, Comparison Phase, and Auditing Phase in experiments, as shown in Tables 3 and 4, respectively.In Auditing Phase, auditing costs of [40] are almost of PT-SCESW scheme, so we just evaluate the actual performance of PT-SCESW scheme in experiments.These experiments are conducted using C on a Ubuntu Server 15.04 with Intel Core i5 Processor 2.3 GHz and Paring Based Cryptography (PBC).In Table 3,  is the  bit of numbers N 1 = ( 0 , . . .,  −1 ), N 2 = ( 0 , . . .,  −1 ) such that (  , . . .,  −1 ) = (  , . . .,  −1 ),  −1 <  −1 for two numbers.We randomly choose  and , where  = 160 bits,  = 1024 bits in experimental simulations.Experimental tests are conducted for 100 times.
We will mainly focus on the computational and storage overhead.Due to the fact that SCESW scheme utilizes sliding window method, a comparison in computational and storage overhead between SCESW scheme and SCE scheme is made, which shows that SCESW scheme is cost-effective.Analysis can demonstrate that PT-SCESW scheme by using sliding window technology can relief the high computational and storage overhead.To largely reduce storage overhead, ( 0 ,  1 , . . .,  −1 ) can be encoded into an integer   to make ciphertexts shorter in SCESW scheme and PT-SCESW scheme, shown in Table 4, where Considering computational costs, we just only consider several time-consuming operations, such as exponentiation operation "" and Hash  ( = 1, 2, 3, 4, 5) operations.Table 3 shows the theoretical analysis of these schemes.Now we give detailed theoretical analysis of PT-SCESW scheme as an example.
In Figure 3, we set  = 1024 bits and vary numbers of sliding windows  from 4 to 512, and then we notice that the encryption time in PT-SCESW scheme approximately increases with .For example, when we set  = 32, encryption costs of SCESW scheme and PT-SCESW scheme are 1.214 ms and 2.034 ms, respectively, which is much more smaller than SCE scheme.Due to using sliding window method, PT-SCESW scheme and SCESW scheme can significantly reduce encryption costs.
In Figure 4, we set  = 1024 bits and  = 256, and then we notice that the comparable time in PT-SCESW scheme approximately decreases with .For example, when setting  = 63, our scheme needs 4.674 ms to compare ciphertexts.In Comparison Phase, the PT-SCESW scheme and SCESW scheme have similar computational burden.Based on sliding window method, our PT-SCESW scheme and SCESW scheme can significantly reduce the computational overhead when these schemes are compared with SCE scheme.
In Figure 5, we set  = 1024 bits and vary number of windows for verification presented by  from 2 to 256, and then we notice that the auditing time in PT-SCESW scheme approximately increases with .For example, when setting  = 16, our scheme needs 2.472 ms to make  auditing.Therefore, our PT-SCESW scheme is still acceptable in practice, especially for users with constrained computing resources and capacities.In summary, actual performance results are completely in accord with the theoretical analysis shown in Tables 3 and 4. Exploring PT-SCESW scheme mainly focuses on achieving one property that is auditing.PT-SCESW scheme is feasible and efficient in practice applications, especially for users with constrained computing resources and capacities.

Conclusion
In this paper, a basic scheme named SCESW scheme is proposed for relief of the computational and storage overhead by using sliding window method.Furthermore, PT-SCESW scheme is presented for authorized users to support public

( 4 ) 1 𝑏 1 𝐵
TPA: it has twofold responsibilities.Firstly, the TPA submits auditing challenge to the CSP, as shown in step C. Secondly, the TPA returns the auditing report to the verifier shown in step E. If the result of auditing is correctness, system continues the Cmp step; SCESW scheme is a tuple of algorithms including KeyGen, Par, Der, Enc, Cmp, which are shown as follows: (i) KeyGen(1  ): given the security parameter  ∈ N, range parameter  ∈ N and master key MSK, the DO runs the algorithm to output the master key MSK and public parameter PP. (ii) Par(N): given the number N, the DO runs the algorithm to output the number N  rewritten through its binary code by utilizing sliding window method, where  represents the window size,  = / is the number of blocks and N = N  N = ( 0 , . . .,  −1 ) = ∑ 0≤≤− 2  ; N  = ( 0 , . . .,  −1 ) = ∑ 0≤≤− (2  )  .(iii) Der(, , MSK, N): given the security parameter  ∈ N, range parameter  ∈ N, master key MSK and num 0 ≤ N ≤ 2  , the DO runs the algorithm to output a token TK. (iv) Enc(, , MSK, N): given the security parameter  ∈ N, range parameter  ∈ N, master key MSK and num 0 ≤ N ≤ 2  , the DO runs the algorithm to generate the ciphertext CP and submits it to the CSP.(v) Cmp(PP, CP, CP * , TK): given the public parameter PP, two ciphertexts CP and CP * , and token TK, the CSP outputs −1, 0, 1, then it returns the relevant search results to the user.Algorithm 3: Definition of SCESW scheme.

Table 1 :
Comparisons among various schemes.

Table 3 :
Comparison of computational cost in various schemes.Note., , , , ,   ,  represent sliding window numbers of N, original window numbers of N, hash operations, number of windows for verification, numbers of corresponding nodes in Υ  , and exponentiation operation, respectively.

Table 4 :
Comparison of storage overhead in various schemes.Let ,   , and   represent challengers.Suppose that there exists an adversary  such that Adv , fl |Pr(Exp  , = 0) − Pr(Exp Note. , ,  represent sliding window numbers of N, original window numbers of N, and output bits of hash operations, respectively.Theorem 2. The PT-SCESW scheme is weakly indistinguishable if  1 ,  2 , and  3 are pseudorandom functions.Proof.