Certificateless Public Auditing Protocol with Constant Verification Time

To provide the integrity of outsourced data in the cloud storage services, many public auditing schemes which allow a user to check the integrity of the outsourced data have been proposed. Since most of the schemes are constructed on Public Key Infrastructure (PKI), they suffer from several concerns like management of certificates. To resolve the problems, certificateless public auditing schemes also have been studied in recent years. In this paper, we propose a certificateless public auditing scheme which has the constant-time verification algorithm.Therefore, our scheme is more efficient than previous certificateless public auditing schemes. To prove the security of our certificateless public auditing scheme, we first define three formal securitymodels and prove the security of our scheme under the three security models.


Introduction
Cloud storage is an essential service of cloud computing, which allows users to outsource their data to a cloud server.It is an easy and reliable way to handle a large amount of data due to the characteristics of cloud computing such as ubiquitous network access, location-independent resource pooling, and elasticity [1].However, there exist challenging security threats with respect to the outsourced data.An untrusted server might discard the data to save a disk space or modify the data for personal gains.Therefore, the users need to be convinced that their data are stored in the cloud server without any loss or modification.That is, the cloud server should ensure the data integrity to the users.
To check the integrity of the outsourced files efficiently, many solutions have been proposed in recent years.When the user wishes to check the integrity, the third-party auditor (TPA) executes auditing algorithms in place of the user without downloading the whole files.If the TPA performs auditing process without any secret values delegated from the user, we called it public auditing.Most of the public auditing schemes are based on Public Key Infrastructure (PKI) [2][3][4][5][6][7][8][9][10].In traditional PKI, Certificate Authority (CA) issues the private/public keys for the users and certificates to bind the users with their public keys.These certificates are generated and managed by the CA.Even though PKI has been widely used in public key cryptography (PKC), it has some security issues related to the management of the certificates, such as revocation, distribution, storage, and the computational cost of the certificates verification as described in [11,12].
Identity-based public key cryptography was introduced to overcome the above issues of PKI by Shamir in [13].In the identity-based public key cryptography, the users use identity as their public key (e.g., e-mail address) which is assumed to be publicly known, so there is no need to consider the management of the certificates [13][14][15][16][17].A trusted third party called Key Generation Center (KGC) generates a master secret key and publishes a master public key corresponding to the master secret key.Then the KGC issues users' private key corresponding to the identity (public keys) using the master secret key.Unfortunately, this approach causes a new inherent problem known as key escrow.Since the users' private key is entirely generated by the KGC and it is not fully trusted, it can impersonate any valid user whenever it wants.The condition that the KGC is fully trusted has to be assumed to resolve the above inherent problem.The problem also should be considered for the identity-based public auditing schemes [18][19][20].
Al-Riyami and Paterson proposed certificateless cryptosystem that preserves the advantages of the identity-based public key cryptography and eliminates the vulnerability of it [21].In other words, certificateless public key cryptography does not require certificates to authenticate the users' public key and the strong assumption.In the certificateless public cryptography, the KGC cannot know the user's full secret key unlike the ID-PKC, because the user's full secret key is generated by combining a partial private key generated by the KGC with a secret value chosen by the user [21][22][23].As the related works, many certificateless signature schemes are also proposed [24][25][26][27].
In [28], the authors proposed the secure certificateless public auditing scheme based on a new certificateless signature scheme constructed by them.However, He et al. pointed out that the certificateless signature scheme cannot withstand the public key replacement attack, where the adversary can replace user's public key with a manipulated public key [29].They also proposed the certificateless public auditing scheme suitable for a cloud-assisted Wireless Body Area Networks (WBAN).Even though many authentication schemes are proposed, they are not suitable because they suffer from the certificate management and key escrow problem [30][31][32][33][34][35].The certificateless public auditing scheme is constructed to withstand the attack and also ensures the integrity of stored data which is an important issue for the cloud-assisted WBAN, therefore the certificateless public auditing scheme is an essential technology to construct WBAN.

Our Contributions
(1) We first design a certificateless public auditing (CL-PA) scheme which has the constant computation cost in verification.The previous certificateless public auditing schemes require the linearly increasing verification time with respect to the number of the challenged message blocks.
(2) We define the three formal security models which ensures the security against the public key replacement attack, malicious-but-passive-KGC attack, and proof-forgery.
(3) We show that our certificateless scheme is secure against existential forgery by proving the security under the models.
The rest of paper is organized as follows.In Section 2, we describe the formal security models and we review some preliminaries in Section 3. We construct our scheme and prove the securities in Section 4. We conclude the paper in Section 5.  (3) It is easy to compute (  ,   ) for all ∈.

Complexity Assumptions
Computational Diffie-Hellman (CDH) Assumption.Given a tuple ,   ,   ∈ G, an algorithm A tries to compute   ∈ G.We assume that there is no algorithm A with a nonnegligible probability  such that where the probability is over the random choice of  ∈ G, the random choice of ,  ∈ Z *  , and the random bits of A.
Divisible Computational Diffie-Hellman (DCDH) Assumption [36].Given a tuple ,   ,   ∈ G, an algorithm A tries to compute   −1  ∈ G.We assume that there is no algorithm A with a nonnegligible probability  such that where the probability is over the random choice of  ∈ G, the random choice of ,  ∈ Z *  , and the random bits of A.

Models
3.1.System Model.We consider a system model that has four entities, KGC (Key Generation Center), a user, a cloud server, and a third-party auditor (TPA) as shown Figure 1.
The KGC is responsible for the generation of a master key and a set of public keys for the system and issuing the partial private key for an identity (ID).Unlike the PKG in identitybased system, the KGC cannot issue the user's full secret key that will be used in the system.The full secret key is generated by combining the partial private key with some random secret values chosen from the user.With this key, the user generates authenticated tags for the file blocks and uploads them to the cloud server.When the user wishes to check the integrity of the stored files, TPA performs it on behalf of the user.For checking the integrity of the stored files, TPA sends a challenge message to the cloud server, and then the server responds with the proof corresponding to the challenge message.TPA is able to check the integrity of them by verifying the validity of the received proof.We define the algorithms for our certificateless public auditing scheme as follows: (i) Setup takes a security parameter and returns a master key (MK) and a public parameter (PP).
(ii) Partial-Private-Key-Extract takes an identity (ID), the master key (MK), and the public parameter (PP).It outputs a partial private key (ppk) for the identity (ID).
(iii) KeyGen takes an identity (ID), the public parameter (PP), and the partial private key (psk).It outputs a set of public keys (PK) and a secret key (sk) of the identity (ID).
(iv) TagGen takes as an input the public parameter (PP), a secret key (sk) of a user, and a file  = ( 1 , . . .,   ), where  is the number of the file blocks.It outputs tags {  } 1≤≤ for the file blocks.
(v) Challenge takes as an input the public parameters pp and returns a challenge message .
(vi) Prove takes as an input the public parameter (PP) and the challenge message  and the pairs of message and tag {  ,   } 1≤≤ .It outputs a proof (Prf) for the challenge message .
(vii) Verify takes as an input the public parameter (PP), the set of public keys (PK), the challenge message , and the proof (Prf).It outputs Accept or Reject.

Security Models.
We assume that three types of adversaries in our certificateless public auditing scheme, that is, Type I adversary A 1 , Type II adversary A 2 , and Type III adversary A 3 , and define the adversaries as follows: (i) Type I adversary A 1 cannot access the master key, but he can replace user's public key with a manipulated public key and generate a forged pair of message and tag.
(ii) Type II adversary A 2 , which represents a malicious KGC, can access the master key and generate a forged pair of message and tag, but he cannot replace user's public key.
(iii) Type III adversary A 3 , which represents a malicious server, can forge a proof for the challenge message without knowing any secret values.
Type I adversary and Type II adversary aim to forge the pair of message and tag and are classed as the normal, strong, and super adversaries (ordered by the capability of the adversaries).If the scheme is secure against the super adversary, it is also secure against the normal and strong adversaries.Therefore, we just consider the super Type I adversary and the super Type II adversary in Game I and Game II, respectively.We define three security models using the following games between a challenger and the defined adversaries.
Game I.If Type I adversary A 1 cannot forge a pair of message and tag, then we consider that a certificateless public auditing scheme is secure against a tag-forgery by the public key replacement attack.It is defined using the following game between a challenger C and Type I adversary A 1 : (1) Type I adversary outputs an identity ID  where it wishes to be forged.
(2) The challenger C runs algorithm Setup to generate a public parameter (PP) and the master key (MK) and sends PP to Type I adversary A 1 .
(3) Type I adversary A 1 is allowed to access the hash oracles, KeyGen, Partial-Private-Key-Extract, Public-Key-Replacement, Secret-Value-Extract, and TagGen oracle, adaptively.For KeyGen oracle, Type I adversary A 1 sends ID  to the challenger C, and then the public key pk  is returned.For Partial-Private-Key-Extract oracle, Type I adversary A 1 sends ID  to the challenger C, and then the partial private key psk  is returned.For Public-Key-Replacement oracle, Type I adversary A 1 sends (ID  , pk   ) to the challenger C. For Secret-Value-Extract oracle, Type I adversary A 1 sends ID  to the challenger C, and then the secret value sv ID  is returned.For TagGen oracle, Type I adversary A 1 sends (ID  , id  ,   ), where id  is the block identifier, to the challenger C. The challenger C responds with a pair of message and tag (  ,   ), where   = TagGen(sk  , ID  , id  ,   ).
(4) Finally, Type I adversary A 1 outputs a forged pair of message and tag (id  ,  * ,  * ) for an identity ID  .
If the pair (id  ,  * ,  * ) is valid pair of message and tag and  * has not queried TagGen oracle, then Type I adversary A 1 wins the game.Definition 1. Type I adversary A 1 (,  ℎ ,   ,  ppk ,  pkr ,  sv ,   , )-breaks a certificateless public auditing scheme, if A 1 runs in time at most , makes at most  ℎ hash queries,   KeyGen queries,  ppk Partial-Private-Key-Extract queries,  pkr Public-Key-Replacement queries,  sv Secret-Value-Extract queries, and   TagGen queries, and wins the game with the probability .A certificateless public auditing scheme is secure against a tag-forgery by the public key replacement attack, if there is no tag-forger which (,  ℎ ,   ,  ppk ,  pkr ,  sv ,   , )-breaks the scheme with a nonnegligible probability .
Game II.If Type II adversary A 2 cannot forge a pair of message and tag, then we consider that a certificateless public auditing scheme is secure against a tag-forgery by the malicious-but-passive-KGC attack.It is defined using the Security and Communication Networks following game between a challenger C and Type II adversary A 2 .
(1) Type II adversary outputs an identity ID  where it wishes to be forged.
(2) The challenger C runs algorithm Setup to generate a public parameter (PP) and the master key (MK) and sends "PP and MK" to Type II adversary A 2 .
( (4) Finally, Type II adversary A 2 outputs a forged pair of message and tag (id  ,  * ,  * ) for an identity ID  .
If the pair (id  ,  * ,  * ) is valid pair of message and tag and  * has not queried TagGen oracle, then Type II adversary A 2 wins the game.Definition 2. Type II adversary A 2 (,  ℎ ,   ,  ppk ,  sv ,   , )breaks a certificateless public auditing scheme, if A 2 runs in time at most , makes at most  ℎ hash queries,   KeyGen queries,  ppk Partial-Private-Key-Extract queries,  sv Secret-Value-Extract queries, and   TagGen queries, and wins the game with the probability .A certificateless public auditing scheme is secure against a tag-forgery by the malicious-but-passive-KGC attack, if there is no tagforger which (,  ℎ ,   ,  ppk ,  sv ,   , )-breaks the scheme with a nonnegligible probability .
Game III.Type III adversary A 3 cannot generate a valid proof for the blocks modified or deleted by Type III adversary A 3 , and then we say that a public auditing scheme satisfies a proof-unforgeability (soundness).It is defined using the following game between a challenger C and Type III adversary A 3 : (1) The challenger C runs algorithm Setup to generate a public parameter (PP) and the master key (MK) and sends PP to Type III adversary A 3 .
(2) Type III adversary A 3 is allowed to access the hash oracles, KeyGen, Partial-Private-Key-Extract, Secret-Value-Extract, and TagGen oracle, adaptively.For KeyGen oracle, Type III adversary A 3 sends ID  to the challenger C, and then the public key pk  is returned.For Partial-Private-Key-Extract oracle, Type III adversary A 3 sends ID  to the challenger C, and then the partial private key psk  is returned.For Secret-Value-Extract oracle, Type III adversary A 3 sends ID  to the challenger C, and then the secret value sv ID  is returned.For TagGen oracle, Type III adversary A 3 sends (ID  , id  ,   ), where id  is the block identifier, to the challenger C.
The challenger C responds with a pair of message and tag (  ,   ), where   = TagGen(sk  , ID  , id  ,   ).
(3) The challenger C generates the challenge message  = Challenge(PP) and sends it to Type III adversary A 3 .
If the equation Verify(Prf * ) =  holds and the challenge message  includes the index which is not queried in TagGen queries, then Type III adversary A 3 wins the game.
Definition 3. Type III adversary A 3 (,  ℎ ,   ,  ppk ,  sv ,   , )breaks a certificateless public auditing scheme, if A 3 runs in time at most , makes at most  ℎ hash queries,   KeyGen queries,  ppk Partial-Private-Key-Extract queries,  sv Secret-Value-Extract queries, and   TagGen queries, and wins the game with the probability .A certificateless public auditing scheme is proof-unforgeable (sound), if there is no proof-forger which (,  ℎ ,   ,  ppk ,  sv ,   , )-breaks the scheme with a nonnegligible probability .

Our Certificateless Public Auditing (CL-PA) Scheme
In this section, we propose a provably secure certificateless public auditing scheme.Our scheme consists of the seven algorithms, SetUp, Partial-Private-Key-Extract, KeyGen, TagGen, Challenge, Prove, and Verify.The details of the algorithms are as follows.
KeyGen: given the public parameters and the partial private keys, the user  generates his/her secret keys and public keys.The user  chooses ,  ← Z *  and computes The user sets sk  = (, ) as a set of secret keys and pk  = ( 0 ,  1 ,  2 ,  3 ,  2 ) as a set of public keys.
Challenge: to check the integrity of , TPA randomly chooses random number   ← Z *  and -elements subset  of [1, 𝑛].Then, TPA sends the challenge messages (  , ) to the server.
Verify: upon receiving the proof (, , , ), TPA checks the validity of the proof.TPA computes  = ∑ ∈ H(ID  , pk  , id  )  and checks the equation where and . If the equation holds, TPA outputs Accept; otherwise it outputs Reject.
The correctness of our scheme can be proved as follows:

Security Analyses.
In this section, we analyze the security of our certificateless public auditing scheme.If the scheme is secure against the tag-forgery by Type I adversary and Type II adversary and the proof-forgery by Type III adversary under adaptive chosen message attacks, then we consider that the scheme is secure against existential forgery.

Theorem 4. The proposed certificateless public auditing scheme is secure against the tag-forgery by Type I adversary under chosen message attacks in the random oracle model, if the CDH assumption holds in G.
Proof of Theorem 4. Suppose Type I adversary A 1 is the forger that could break the scheme by generating a valid pair of message and tag under user's secret key with a probability .
Then we can construct an algorithm B that solves the CDH problem on G.
Given an instance (,   ,   ) ∈ G of the CDH problem, the algorithm B simulates the challenger and interacts with the forger A 1 in Game I.
(4) The algorithm B simulates the hash oracles as follows: For Hash Oracle .At any time the forger A 1 can query the random oracle  for (ID  ,  ,1 ).To respond to the hash queries, the algorithm B retrieves the tuple which includes the queried identity ID  in Tab1.
Then the algorithm B returns (ID  ,  ,1 ) =   in Tab1 to the forger A 1 .
For Hash Oracle H.At any time the forger A 1 can query the random oracle H for (ID  , pk  , id  ).
To respond to the hash queries, the algorithm B maintains a table Tab2 = (ID  , pk  , id  ,  , ), where Tab2 is initially empty.When the forger A 1 queries (ID  , pk  , id  ), the algorithm B responds as follows: (a) If (ID  , pk  , id  ) ∉ Tab2, the algorithm B picks a random number  , ∈ Z *  and sets the hash value H, =  , .Then the algorithm B stores the tuple Tab2 = (ID  , pk  , id  ,  , ) and responds with (pk  , id  ) =  , to the forger A 1 .
For Hash Oracle ℎ.At any time the forger A 1 can query the random oracle ℎ for (fname, id  ).To respond to the hash queries, the algorithm B maintains a table Tab3 = (fname, id  ,   ,   , ℎ  ), where Tab3 is initially empty.When the forger A 1 queries (fname, id  ), the algorithm B responds as follows:  ,  ,0 ⋅  ,1 ⋅ By using the oracle-replay technique [37]  ,  ,0 ⋅  ,1 ⋅ With the above equations, the algorithm B could compute , ) . ( From the right-hand-side of the above equation, the algorithm B could get  ( Then the algorithm B outputs where C = (   1 H, +  2  →  *  ())(  −    ).From now on, we define three events related to the success probability of B and analyze it as follows: (i)  1 : the algorithm B does not abort in the Partial-Private-Key-Extract queries and TagGen queries.
(ii)  2 : the forger A 1 outputs a valid pair of message and tag (ID * , id  ,  *  ,  *  ), which has not been queried before.
(iii)  3 : event  2 occurs and   = 0 for the tuple containing id  on Tab3.
In the case that the all events happen, the algorithm B can solve the CDH problem.Thus, the probability of success is Pr[ 1 ∧  3 ], and we can compute it as We analyze the lower bounds of Pr (i) The distribution of PK given to the forger A 1 in the simulation is identical with the distribution of PK given to the forger A 1 in the real game.(ii) The distribution of the hash values of the hash function in the simulation is identical with the distributions of the hash values of the hash function in the real game.(iii) The distribution of the responses to the TagGen oracle in the simulation is identical with the distribution of the responses to the TagGen oracle in the real game under the conditional probability.
Thus, the forger A 1 will generate a valid pair of message and tag with a probability at least .Claim 3. The probability Pr[ 3 |  1 ∧  2 ] that the algorithm B does not abort after the forger A 1 outputs a valid pair of message and tag is at least 1/(  + 1).
Proof of Claim 3. When the events  1 and  2 have occurred, the algorithm B will abort only in the case that   = 0 for the tuple containing  corresponding to a forged pair of message and tag (id  ,  *  ,  *  ) in Tab1.Since the value   is randomly chosen with the probability Pr[  = 0] = 1/(  + 1), the probability Pr[ 3 |  1 ∧  2 ] is at least 1/(  + 1).
With the above claims, the success probability of B is /( 2 ⋅ (  + 1)).Thus we can conclude that if the CDH assumption holds in G, there exists no algorithm which breaks the tag-unforgeability of our scheme by the public key replacement attack with a nonnegligible probability.

Theorem 5. The proposed certificateless public auditing scheme is secure against the tag-forgery by Type II adversary under chosen message attacks in the random oracle model, if the CDH assumption holds in G.
Proof of Theorem 5. Suppose Type II adversary A 2 is the tagforger that could break the scheme by generating a valid pair of message and tag under user's secret key with a probability .Then we can construct an algorithm B that solves the CDH problem on G.
Given an instance (,   ,   ) ∈ G of the CDH problem, the algorithm B simulates the challenger and interacts with the forger A 2 in Game II.
(1) The forger A 2 outputs an identity ID  where it wishes to be forged. ( The algorithm B sends pk  = ( ,0 ,  ,1 ,  ,2 ,  ,3 ,  ,2 ) to the forger A 2 as the set of public keys for the identity ID  and updates Tab1.
(4) The algorithm B simulates the hash oracles as follows.
For Hash Oracle .At any time the forger A 2 can query the random oracle  for (ID  ,  ,1 ).To respond to the hash queries, the algorithm B retrieves the tuple which includes the queried identity ID  in Tab1.
Then the algorithm B returns (ID  ,  ,1 ) =   in Tab1 to the forger A 2 .
For Hash Oracle H.At any time the forger A 2 can query the random oracle H for (ID  , pk  , id  ).
To respond to the hash queries, the algorithm B maintains a table Tab2 = (ID  , pk  , id  ,  , ), where Tab2 is initially empty.When the forger A 2 queries (ID  , pk  , id  ), the algorithm B responds as follows: (a) If (ID  , pk  , id  ) ∉ Tab2, the algorithm B picks a random number  , ∈ Z *  and sets the hash value H =  , .Then the algorithm B stores the tuple Tab2 = (ID  , pk  , id  ,  , ) and responds with (pk  , id  ) =  , to the forger A 2 .(b) If (ID  , pk  , id  ) ∈ Tab2, the algorithm B returns H(pk  , id  ) =  , in Tab2 to the forger A 2 .
For Hash Oracle ℎ.At any time the forger A 2 can query the random oracle ℎ for (fname, id  ).
(  For TagGen Oracle.At any time the forger A 2 can query the oracle for the tuple (ID  , id  ,   ).The algorithm B stores Tab4 = (ID  , id  ,   ,   ,   ,   ,   ,   ,  , ,   , ℎ  ,   ,   ), where Tab4 is initially empty.When the forger A 2 queries ID  , the algorithm B responds as follows: (a) If ID  ̸ = ID  , the algorithm B retrieves the tuple which is corresponding to the queried tuple (ID  , id  ) and computes the tag   for the queried message   , where  ) .The algorithm B responds with   and updates Tab4.Otherwise, the algorithm B reports failure.
(6) Finally, the forger A 2 outputs the forged pair of message and tag (ID * , id  ,  *  ,  *  ) such that no TagGen query was issued for  *  .If id  ∈ Tab3,   = 0, and ID * = ID  ,  *  satisfies the equation From the right-hand-side of the above equation, the algorithm B could compute Then the algorithm B outputs where From now on, we define three events related to the success probability of B and analyze it as follows: (i)  4 : the algorithm B does not abort in the Secret-Value-Extract queries and TagGen queries.
(ii)  5 : the forger A 2 outputs a valid pair of message and tag (ID * , id  ,  *  ,  *  ), which has not been queried before.
(iii)  6 : event  5 occurs and   = 0 for the tuple containing id  on Tab3.

Security and Communication Networks
In the case that the all events happen, the algorithm B can solve the CDH problem.Thus, the probability of success is Pr[ 4 ∧  6 ], and we can compute it as We analyze the lower bounds of Pr  By the similar analysis method in Theorem 4, we can easily compute B's success probability, thus we omit the detailed probability analyses.With the above claims, the success probability of B is /( 2 ⋅ (  + 1)).Thus we can conclude that if the CDH assumption holds in G, there exists no algorithm which breaks the tag-unforgeability of our scheme by the malicious-but-passive-KGC attack with a nonnegligible probability.

Theorem 6. The proposed certificateless public auditing scheme is secure against the proof-forgery by Type III adversary under chosen message attacks in the random oracle model, if the DCDH assumption holds in G.
Proof of Theorem 6. Suppose Type III adversary A 3 is the proof-forger that could break the scheme by generating a fake proof for an arbitrary challenge message with a probability .We does not consider the case that the fake proof was generated by the forged tags, since we proved it in the above theorems (even though the theorems ensure the security against the tag-forgery by Type I adversary A 1 and Type II adversary A 2 , it can be easily applied to Type III adversary A 3 by eliminating the oracles related to the key extraction in the proof of Theorems 4 and 5).Using the proof-forger, we can construct an algorithm B that solves the DCDH problem on G.
Given an instance (,   ,   ) ∈ G of the DCDH problem, the algorithm B simulates the challenger and interacts with the forger A 3 in Game III.
(1) The forger A 3 outputs an identity ID  where it wishes to be forged.
( ) to the forger A 3 as the set of public keys for the identity ID  and updates Tab1.
(4) The algorithm B simulates the hash oracles as follows.
For Hash Oracle .At any time the forger A 3 can query the random oracle  for (ID  ,  ,1 ).The algorithm B retrieves the tuple which includes the queried identity ID  in Tab1.Then the algorithm B returns (ID  ,  ,1 ) =   in Tab1 to the forger A 3 .
For Hash Oracle H.At any time the forger A 3 can query the random oracle H for (ID  , pk  , id  ).
To respond to the hash queries, the algorithm B maintains a table Tab2 = (ID  , pk  , id  ,  , ), where Tab2 is initially empty.When the forger A 3 queries (ID  , pk  , id  ), the algorithm B responds as follows: (a) If (ID  , pk  , id  ) ∉ Tab2, the algorithm B picks a random number  , ∈ Z *  and sets the hash value H, =  , .Then the algorithm B stores the tuple Tab2 = (ID  , pk  , id  ,  , ) and responds with (pk  , id  ) =  , to the forger A 3 .(b) If (ID  , pk  , id  ) ∈ Tab2, the algorithm B returns H(pk  , id  ) =  , in Tab2 to the forger A 3 .
For Hash Oracle ℎ.At any time the forger A 3 can query the random oracle ℎ for (fname, id  ).
To respond to the hash queries, the algorithm B maintains a table Tab3 = (fname, id  ,   ,   , ℎ  ), where Tab3 is initially empty.When the forger A 2 queries (fname, id  ), the algorithm B responds as follows: For TagGen Oracle.At any time the forger A 3 can query the oracle for the tuple (ID  , id  ,   ).The algorithm B stores Tab4 = (ID  , id  ,   ,   ,   ,   ,   ,   ,   ,  , ,   , ℎ  ,   ), where Tab4 is initially empty.When the forger A 3 queries ID  , the algorithm B responds as follows: (a) If ID  ̸ = ID  , the algorithm B retrieves the tuple which is corresponding to the queried tuple (ID  , id  ) and computes the tag   for the queried message   , where   = ( (7) Finally, the forger A 3 outputs a forged proof for the challenge message (,  * ,  * ,  * ).We assume that  is not able to be forged by the forger A 3 , since we proved the tag-unforgeability in the previous theorems.Then the algorithm checks the validity of the forged proof by the following equation: The algorithm B could compute the right-hand-side of the above equation as To satisfy (18), the value , where   = ∑ ∈   ,   .Thus, we can compute   −1  as where C = ∑ ∈     +  2  ⃗  ().From now on, we define two events related to the success probability of B and analyze it as follows: (i)  7 : the algorithm B does not abort in the Partial-Private-Key-Extract queries and Secret-Value-Extract queries.
In the case that the both events happen, the algorithm B can solve the DCDH problem.Thus, the probability of success is Pr[ With the above claim, the success probability of B is / 2 , since the probability Pr[ 8 ] = .Thus we can conclude that if the DCDH assumption holds in G, there exists no algorithm which breaks the proof-unforgeability of our scheme with a nonnegligible probability.
According to Theorems 4, 5, and 6, we can get Theorem 7 for the security of our proposed scheme.The comparison of the security levels for the certificateless public auditing schemes are explained in Table 1.
Theorem 7. The proposed certificateless public auditing scheme is secure against the existential forgery under chosen message attack in the random oracle model, if the CDH and DCDH assumption hold in G.
Proof of Theorem 7. By proving Theorems 4, 5, and 6, we have proved that our certificateless public auditing scheme is secure against Type I, Type II, and Type III adversaries, respectively.Thus, our certificateless public auditing scheme is secure against the existential forgery attacks defined in Section 3.2.

Efficiency Analysis.
In this section, we compare the computation cost of our scheme with two certificateless public auditing schemes in [28,29], when TPA performs the auditing in the verification algorithm.Since we aim to construct the scheme which can efficiently verify the proof for the challenge message, we just compare the verification time of the proof in Table 3 (in reality, the computing power of the server is sufficiently larger than that of the TPA (user), so we made an effort to reduce the TPA's computational cost).
Let  be the bilinear pairing computation and Mul G be the multiplication in group G. Let Hash G and Exp G be the hash-to-point computation and the exponentiation in group G, respectively.Scott et al. released implementation results for the operations with 3 GHz-Pentium IV using the MIRACL multiprecision library (ver.5.01) [38].Their results are shown in Table 2.In [2], Ateniese et al. proved that TPA is able to detect any modification of the outsourced data with 95% or 99% probability by selecting 300 or 460 challenge blocks, respectively.In Table 3, we computed the execution time of the verification algorithm in the case of  = 300 and  = 460.Note that the computational cost of TPA in [28,29] is linearly increasing by the number of challenged blocks .On the other hand, the computational cost of TPA in our scheme is constant with respect to the number of challenged blocks .In the case of  = 300, our scheme is approximately 57.8 times and 35.4 times faster than the schemes in [28] and [29], respectively.In the case of  = 460, our scheme is approximately 88.5 times and 54.1 times faster than the schemes in [28] and [29], respectively.

Conclusions
In the paper, we proposed a provably secure certificateless public auditing scheme with the constant verification time.We also defined the three security models and proved the security of our scheme under the security models.
To the best of our knowledge, no certificateless public auditing scheme for shared data with the constant verification time has been proposed.The shared data system means that the authorized users can share their data in the cloud storage systems.Thus, it would be interesting to construct a certificateless public auditing scheme with the constant verification time for shared data.

𝑞:
A prime order G, G  : Multiplicative cyclic groups of prime order  Security and Communication Networks 13 : Ab i l i n e a rm a p : G × G → G  ,  1 ,  2 : Generators of group G ID  : A user identity psk  : A set of partial private keys for the identity ID  sk  : A set of secret keys for the identity ID  pk  : A set of public keys for the identity ID  : Afil e = {

Figure 1 :
Figure 1: System model for our CL-PA protocol.
(a) If (fname, id  ) ∉ Tab3, the algorithm B flips a random coin   ∈ {0, 1} with a probability Pr[  = 0] = 1/(  +1), where   is the maximum number of TagGen queries.The algorithm B picks a random number   ∈ Z *  and computes ℎ  = (  ) (1−  ) ⋅    .Then the algorithm B stores the tuple Tab3 = (fname, id  ,   ,   , ℎ  ) and returns ℎ(fname, id  ) = ℎ  to the forger A 1 .(b) If (fname, id  ) ∈ Tab3, the algorithm B responds with ℎ(fname, id  ) = ℎ  in Tab3.(5) The algorithm B simulates Partial-Private-Key-Extract oracle, Public-Key-Replacement oracle, Secret-Value-Extract oracle, and TagGen oracle as follows.For Partial-Private-Key-Extract Oracle.At any time the forger A 1 can request a partial private key for ID  to the oracle.When the forger A 1 queries ID  to the oracle, the algorithm B responds as follows: (a) If ID  ̸ = ID  , the algorithm B retrieves the tuple which contains the queried ID  in Tab1 and returns psk  = ( ,1 , R,2 ,   ) to the forger A 1 .(b) If ID  = ID  , the algorithm B reports failure.
on hash function , the algorithm B can obtain another forged tag  *   for the same message  *  .The forged tag  *   also satisfies the following equation:  ( *   , ) =  ( 1 H, ,  ,3 ⋅ (a) If ID  ̸ = ID  , the algorithm B retrieves the tuple which contains the queried ID  in Tab1 and returns (  ,   ) to the forger A 2 .(b) If ID  = ID  , the algorithm B reports failure.
) )   .The algorithm B responds with   and updates Tab4.(b) If ID  = ID  , the algorithm B retrieves the tuple which is corresponding to the queried tuple (ID  , id  ).If   = 1, the algorithm B computes the tag   for the queried message   , where [ 4 ], Pr[ 5 |  4 ], and Pr[ 6 |  4 ∧  5 ] in the following claims.

Claim 4 .Claim 5 .Claim 6 .
The probability Pr[ 4  ] that the algorithm B does not abort in the Secret-Value-Extract queries and the TagGen queries by the forger A 2 is at least 1/ 2 .The probability Pr[ 5 |  4 ] that the forger A 2 outputs a valid pair of message and tag under the condition that the event  4 has occurred is at least .The probability Pr[ 6 |  4 ∧  5 ] that the algorithm B does not abort after the forger A 3 outputs a valid pair of message and tag is at least 1/(  + 1).

( 5 )
(a) If (fname,   ) ∉ Tab3, the algorithm B picks a random number   ∈ Z *  and computes ℎ  =    .Then the algorithm B stores the tuple Tab3 = (fname, id  ,   , ℎ  ) and returns ℎ(fname, id  ) = ℎ  to the forger A 3 .(b) If (fname, id  ) ∈ Tab3, the algorithm B responds with ℎ(fname, id  ) = ℎ  in Tab3.The algorithm B simulates the Partial-Private-Key-Extract oracle, Secret-Value-Extract oracle, and TagGen oracle as follows.For Partial-Private-Key-Extract Oracle.At any time the forger A 3 can request a partial private key for ID  to the oracle.When the forger A 3 queries ID  to the oracle, B responds as follows: (a) If ID  ̸ = ID  , the algorithm B retrieves the tuple which contains the queried ID  in Tab1 and returns ( ,1 , R,2 , σ ) to the forger A 3 .(b) If ID  = ID  , the algorithm B reports failure.For Secret-Value-Extract Oracle.At any time the forger A 3 is able to request a secret value for ID  to the oracle.When the forger A 3 queries ID  to the oracle, B responds as follows: (a) If ID  ̸ = ID  , the algorithm B retrieves the tuple which contains the queried ID  in Tab1 and returns (  ,   ) to the forger A 3 .(b) If ID  = ID  , the algorithm B reports failure.
Type II adversary A 2 sends ID  to the challenger C, and then the partial private key psk  is returned.For Secret-Value-Extract oracle, Type II adversary A 2 sends ID  to the challenger C, and then the secret value sv ID  is returned.For TagGen oracle, Type II adversary A 2 sends (ID  , id  ,   ), where id  is the block identifier, to the challenger C. The challenger C responds with a pair of message and tag (  ,   ), where   = TagGen(sk  , ID  , id  ,   ).
) The algorithm B chooses random numbers ,  1 ,  2 ← Z *  and computes { 2   } 0≤≤+1 , where  2 =   2 .The algorithm B sets  1 =   and  1 =   1 and sends PP to the forger A 1 .(3) For KeyGen oracle, at any time the forger A 1 can query the KeyGen oracle for an identity ID  .The algorithm B stores Tab1 = (ID  ,   ,   , σ ,   ,   ,   , R,2 , pk  ), where Tab1 is initially empty.When the forger A 1 queries ID  , the algorithm B responds as follows: (a) If ID  ̸ = ID  , the algorithm B chooses random number   , σ ,   ,   ← Z *  and calculates For Public-Key-Replacement Oracle.At any time the forger A 1 can replace a set of public keys for ID  .Upon receiving a public key replacement query (ID  , pk   ), A 1 retrieves the tuple which contains ID  in Tab1 and replaces pk  with pk   .For Secret-Value-Extract Oracle.At any time the forger A 1 is able to request a secret value for ID  to the oracle.When the forger A 1 queries ID  to the oracle, A 1 retrieves the tuple which contains ID  in Tab1 and responds with (  ,   ).TagGen Oracle.At any time the forger A 1 can query the oracle for the tuple (ID  , id  ,   ).The algorithm B stores Tab4 = (ID  , id  ,   ,   ,   ,   ,   ,   ,  , ,   , ℎ  ,   ,   ), where Tab4 is initially empty.When the forger A 1 queries ID  , the algorithm B responds as follows: (a) If ID  ̸ = ID  , the algorithm B retrieves the tuple which is corresponding to the queried tuple (ID  , id  ) and computes the tag   for the Security and Communication Networks 7 queried message   , where   = ( 1    , ⋅ ℎ  ⋅ )   .The algorithm B responds with   and updates Tab4.(b) If ID  = ID  , the algorithm B retrieves the tuple which is corresponding to the queried tuple (ID  , id  ).If   = 1, the algorithm B computes the tag   for the queried message   , where   = ( 1    , ⋅ ℎ  ⋅   +  ⋅ ((  )    1  , +  + →   () )   .The algorithm B responds with   and updates Tab4.Otherwise, the algorithm B reports failure.(6) Finally, the forger A 1 outputs the forged pair of message and tag (ID * , id  ,  *  ,  *  ) such that no TagGen query was issued for  *  .If id  ∈ Tab3,   = 0, and ID * = ID  ,  *  satisfies the following equation: 1 H, (  −    (  −   ) , ) ⋅  ((  ) 1 ) =  ((  1 ) H, , (  )   (  −   ) ) ⋅  ((  ) , (  )   −   ) =  ((  )    1 H, (  −   ) , ) ⋅  ((  )   ⋅    (  −   ) , ) .
The probability Pr[ 1 ] that the algorithm B does not abort in the Partial-Private-Key-Extract queries and the TagGen queries by the forger A 1 is at least 1/ 2 .Proof of Claim 1.We assume that the forger A 1 does not query for the same index twice.At first, in the Partial-Private-Key-Extract oracle the algorithm B cannot respond to the forger A 1 's query, if ID  = ID  .This probability is equal to 1/  , where   is the number of KeyGen queries.Therefore, the probability that the algorithm B does not abort is 1−1/  for each Partial-Private-Key-Extract query.Since the Partial-Private-Key-Extract queries are issued at most    ≥ 1/.Thus, the probability Pr[ 1 ] that the algorithm B does not abort in the forger A 1 's Partial-Private-Key-Extract queries and TagGen queries is at least (1−1/  )   ⋅(1−1/(  + 1))   ≥ 1/ 2 .The probability Pr[ 2 |  1 ] that the forger A 1 outputs a valid pair of message and tag under the condition that the event  1 has occurred is at least .Proof of Claim 2. When the event  1 has occurred, the probability Pr[ 2 |  1 ] depends on the information gathered by the forger A 1 .The views of A 1 in the simulation and the real game are identical as follows: [ 1 ], Pr[ 2 |  1 ], and Pr[ 3 |  1 ∧  2 ] in the following claims.Claim 1.  times, the probability that the algorithm B does not abort is at least (1 − 1/  )   ≥ 1/.In the TagGen oracle, the algorithm B only aborts if   = 0, where   is the random value with the probability Pr[  = 0] = 1/(  + 1) corresponding to the TagGen query id  in Tab3.By the probability of   , the probability that the algorithm B does not abort is 1 − 1/(  + 1).Similarly, the probability that the algorithm B does not abort in the TagGen oracle is at least (1 − 1/(  + 1)) 2) The algorithm B chooses random numbers , ,  1 ,  2 ← Z *  and computes { 2   } 0≤≤+1 , where  2 =   2 .The algorithm B sets  1 =   and  1 =   1 and sends "PP and MK" to the forger A 2 .(3) For KeyGen oracle, at any time the forger A 2 can query the KeyGen oracle for an identity ID  .The algorithm B stores Tab1 = (ID  ,   ,   , σ ,   ,   ,   , R,2 , pk  ), where Tab1 is initially empty.When the forger A 2 queries ID  , the algorithm B responds as follows: (a) If ID  ̸ = ID  , the algorithm B chooses random number   ,   ,   ,   ← Z *  and calculates  ,0 =    ,  ,1 =    , σ =   +   ,   =   +   +   , R,2 =  σ  ,  ,2 =    ,  ,3 = ( ,1 ⋅  ,0 )   , and  ,2 =    1 .The algorithm B sends pk  = ( ,0 ,  ,1 ,  ,2 ,  ,3 ,  ,2 ) to the forger A 2 as the set of public keys for the identity ID  and updates Tab1.(b) If ID  = ID  , the algorithm B chooses random number   ,   ,   ← Z *  and calculates σ =   +  ,  ,0 The algorithm B simulates the Partial-Private-Key-Extract oracle, Secret-Value-Extract oracle, and TagGen oracle as follows.For Partial-Private-Key-Extract Oracle.At any time the forger A 2 can request a partial private key for ID  to the oracle.When the forger A 2 queries ID  to the oracle, B retrieves the tuple which contains ID  in Tab1 and responds with ( ,1 , R,2 , σ ).

Table 1 :
7 ∧  8 ] = Pr[ 7 ] ⋅ Pr[ 8 ].We analyze the lower bounds of Pr[ 7 ] in the following claim.The probability Pr[ 7 ] that the algorithm B does not abort in the Partial-Private-Key-Extract queries and the Secret-Value-Extract queries by the forger A 1 is at least 1/ 2 .Proof of Claim 7. We assume that the forger A 3 does not query for the same index twice.In the Partial-Private-Key-Extract oracle, the algorithm B aborts only if ID  = ID  .This probability is equal to 1/  , where   is the number of Partial-Private-Key-Extract queries.Therefore, the probability that the algorithm B does not abort is 1 − 1/  for each Partial-Private-Key-Extract query.Since the Partial-Private-Key-Extract queries are issued at most  Security levels of certificateless public auditing schemes.Let A 1 , A 2 , and A 3 be a Type I adversary, Type II adversary, and Type III adversary as defined in Section 3, respectively.Type I adversary and Type II adversary are classed as the normal, strong, and super adversaries (ordered by the capability of the adversaries).Secure in the Secret-Value-Extract oracle is at least (1−1/  )   ≥ 1/.Thus, the probability Pr[ 7 ] that the algorithm B does not abort in the forger A 3 's Partial-Private-Key-Extract queries and Secret-Value-Extract queries is at least times, the probability that the algorithm B does not abort is at least (1 − 1/  )   ≥ 1/.In the Secret-Value-Extract oracle, the algorithm B only aborts if ID  = ID  .The probability that the algorithm B does not abort is 1 − 1/  .Similarly, the probability that the algorithm B does not abort

Table 2 :
Computational cost: let  be the bilinear pairing computation and Mul G be the multiplication in group G. Let Hash G and Exp G be the hash-to-point computation and the exponentiation in the group G, respectively.

Table 3 :
Comparison between certificateless public auditing schemes.Let  be the bilinear pairing computation and Mul G be the multiplication in group G. Let Hash G and Exp G be the hash-topoint computation and the exponentiation in group G, respectively.Let  be the number of the challenged blocks.
1 , . . .,   }   : Anth block of the file  id  : A block identifier of the block   fname: A file name  →