A Secure and Effective Anonymous Integrity Checking Protocol for Data Storage in Multicloud

How to verify the integrity of outsourced data is an important problem in cloud storage. Most previous work focuses on three aspects: providing data dynamics, public verifiability, and privacy against verifiers with the help of a third party auditor. In this paper, we propose an identity-based data storage and integrity verification protocol for untrusted clouds. The proposed protocol can guarantee fair results without any third verifying auditor. The theoretical analysis and simulation results show that our protocols are secure and efficient.


Introduction
With the growing popularity of clouds, tools and technologies for hybrid clouds have been emerging recently; cloud storage has become a hot research topic that aims to provide a comparably low-cost, scalable, position-independent platform for data owners' data [1]. However, this new paradigm of data hosting service also introduces new security challenges [2]. A list of security threats to cloud computing is presented in [3]. These issues range from the required trust in the cloud server for storage and attacks on cloud interfaces to misusing cloud services for attacks in complex systems. When considering using a complex cloud service, the data owner must be aware of the fact that all data given to the cloud server leave the owner's control and protection sphere [4]. Huge measurement data, huge environment monitoring data, hydrological data, marine biological data, and GIS information are provided by the complex multicloud. In this situation, there is a strong demand for data owners to be able to check data integrity confidentially, dynamically, and publicly; in addition, anonymity is also demanded for smart phone users.
In the past few years, some work has been done on ensuring remote data integrity checking, which allows data integrity to be checked without completely downloading the data. Prior studies were based on two-party storage checking protocols in which the data owner can check the data integrity [4][5][6][7][8][9][10][11][12]. Deswarte et al. [5] and Filho and Barreto [9] introduced RSA-based methods for solving remote data integrity checking. After that, Shah et al. [12] proposed a remote storage auditing method based on precomputed challenge-response pairs. In practical applications, to guarantee fair results, neither the cloud service provider nor the data owner should be the auditor in a cloud storage system. In this case, the protocols [13][14][15] employed a third party auditor (TPA) to perform the verification. However, none of them provided privacy against third party verifiers under the condition of introducing a TPA. Wang et al. [14,16] recognized the need for privacy against third party verifiers and proposed a random masking technique to cope with this problem. Schemes [17][18][19][20][21] required an additional trusted organizer to send a commitment to the auditor to ensure data privacy during auditing. The auditing protocol may create a performance bottleneck for the auditor. In some cases, without requiring any trusted organizer during the batch auditing for multiple clouds, the client may delegate the remote data integrity checking task to the third party. This results in untrusted third party auditing in cloud computing [22,23]. Yang and Jia [22] introduced an index table (ITable) to record the abstract information of the data; they proposed that the cloud server could be dishonest and may launch attacks such as replay attacks, forge attacks, and replace attacks, but only used the ITable with time stamps to solve the problems. Wang [23] introduced identity-based distributed provable data possession in multicloud storage to check the certificate when it checks the remote data integrity. Chen et al. [24] also proposed a new secure outsourcing algorithm for (variable-exponent, variable-base) exponentiation modulo a prime in the two untrusted program models.
However, one of the benefits of cloud storage is to enable universal data access from independent geographical locations. This implies that the end devices may be mobile and limited in computation and storage. Efficient integrity checking protocols are more suitable for cloud clients equipped with mobile end devices. Meanwhile, when a mobile user roams into a foreign network, mutual authentication must first be solved to prevent illegal users from accessing services and to ensure that mobile users are connected to trusted networks [25]. Both Zhao and Liu used smart cards to resolve the authentication. To compensate for these shortcomings, our construction can be viewed as an adaptation of the protocols of [20,22,23,25,26].
This paper aims to fill the gap on a secure and effective anonymous authentication protocol for remote verification in multicloud storage based on complex systems. To the best of our knowledge, our scheme is the first to provide the authentication and establishment of a remote verification scheme when the mobile user is located in his/her home network; therefore it is more practical and universal for complex multicloud storage systems. The scheme does not use timestamps; thus it avoids the clock synchronization problem. Additionally, the performance and cost analysis also show that our scheme is more suitable for low-power and resource-limited mobile devices and is thus available for real implementation.
The rest of the paper is organized as follows. The layered security architecture and definitions are presented in Section 2. In Section 3, a novel anonymous authentication protocol for remote verification is proposed for multicloud storage. In Section 4, we analyze the security of our proposed scheme. Next, we analyze the functionality and performance of our proposed scheme and make comparisons with other related schemes in Section 5. Finally, Section 6 gives the concluding remarks of the whole paper.

Definitions and Preliminaries
In this section, we present our system model and briefly introduce the elliptic curve cryptosystem and some related mathematical assumptions. Figure 1. Three different network entities can be identified as follows.

Definitions of System
(1) The data owner (DO), who has massive data to be stored on the multicloud for maintenance and computation, can be either an individual consumer or a corporation with a large amount of data files to be stored in the cloud. The DO has the ability to check the storage integrity of its outsourced data, while hoping to keep the data private from any untrusted entity. The checking devices may be mobile and limited in computation and storage, and therefore need a secure and effective anonymous integrity checking protocol.
(2) The data user/client/requester (DU), who accesses the CS or downloads the data from the CS, has the capability to check the integrity of data.
(3) Data stakeholder (DS): we define both DO and DU as data stakeholders.
(4) The multicloud server (MCS), which has significant storage space and computation resources to store the owners' data and provides data access to data users (data clients/requesters), stores its whole data on different cloud servers according to their importance and sensitivity.
(5) The HV (Home Verifier) is a home third party that has the expertise and capabilities to provide a data storage auditing service for both the DS and DU. The HV can provide an unbiased result for both the DO and the CS.

Notation and Preliminaries.
Let  be a pseudorandom function and let  be a pseudorandom permutation. They can be described in detail as follows: in which  and  are two security parameters. Furthermore, denote the length of  in bits by ||. We now introduce some necessary cryptographic background for our proposed scheme.
Bilinear Map. Let  1 be a cyclic additive group generated by  and let  2 be a cyclic multiplicative group generated by  with a bilinear map ê :
(b) Nondegenerate: there exists ,  ∈  1 , such that ê(, ) ≠   , where denotes the identity element of the group  2 .
(c) Computational discrete logarithm (CDL) problem: given  = , where ,  ∈  1 . It is easy to calculate  given  and , but it is hard to determine  given  and .
(d) Computational co-Diffie-Hellman: given ,  ∈  1 , and
For providing a high security level for the proposed scheme, some important mathematical assumptions are introduced for bilinear pairings defined on elliptic curves.
(e) Define  = ,  = , and  = ; the computational bilinear Diffie-Hellman (CBDH) problem is computing the value bdh(, , ) given randomly. The CBDH assumption asserts that the CBDH problem is hard that is for all PPT algorithms .
(f) Decision co-Diffie-Hellman: given ,  ∈  1 , and ,  ∈  2 , output is yes if  =  and no otherwise. When the answer is yes we say that it is a co-Diffie-Hellman tuple.

The Proposed Schemes
In this section, we propose a novel anonymous dynamics integrity checking protocol for data storage in multicloud (SA-DVCP), using an elliptic curve cryptosystem not only to protect the scheme from security breaches but also to emphasize its efficiency. Before describing the auditing protocol definition, some notations are defined in the Notations and Descriptions section. Suppose a file  has  data components as  = ( 1 , . . .,   ). Each data component has its physical meaning and can be updated dynamically by the data owners. For public data components, the data owner does not need to encrypt them, but for a private data component, the DO needs to encrypt it with its corresponding key.
For simplicity, we only consider one data component in our construction and a constant number of sectors for each data block. Suppose there is a data component , which is divided into  data blocks, and each data block is further split into  sectors. For data blocks with different sector number.
TagGen (, , , ) →   . The tag generation algorithm takes as inputs each data component  and a set of CSP = {CS  }, the private key sk. For each data block   , it computes a data tag   as   = ℎ(  , CS  ) ⋅ ∏  =1   ⋅ , where   = name ‖  and name is chosen by the DO uniformly at random from   as the identifier of file  and  represents the block number of   . It outputs the set of data tags   = { 1 ,  2 ,  3 , . . .,   }. Without loss of generality, we suppose that every block has its uniqueness. After finishing computing all the block tags, the DO sends the file  to MCS and releases   to be publicly known to everyone.

Proof (P, C (MCS), V (Home Verifier))
SA-DVCP is a protocol among , , and . At the end of the interactive protocol, HV outputs the auditing result as 0 or 1. If DS delegates the verification task to HV, it needs to register himself/herself to his/her HV.
(1) Registration. The details of DS registration phase are shown in Figure 2.
The interaction protocol can be given in detail as follows.
Step R1. DS freely chooses his/her identity ID DS and password PW DS and generates a random number  DS . Then DS submits {ID DS , ℎ(PW DS ‖  DS )} to HV for registration via a secure channel.
Step
(2) The Authentication and Proof. The details of the authentication and proof DS registration phase are shown in Figure 3. When roaming into a foreign network MCS, DS needs to verify the validity of MCS and proves to DS that he is a legitimate user. The authentication and proof phase used to solve the above issue in our proposed scheme is described as follows.
Step Compare W 2 with W * 2 = h(N‖R AC ‖ID MCS ‖A‖C‖ID HV ) If the above verification equation holds, DS sends the request message {, , DID DS , ID HA ,  1 , chal} to MCS over a public channel.

Security Analysis of the Proposed Scheme
In this section, we show that the proposed scheme can withstand all possible security attacks.

Storage Correctness Guarantee
Theorem 1. A SA-DVCP protocol must be workable and correct. That is, if the DS, MCS, and HV are honest and follow the specified procedures, the response {, M } can pass HV's checking. The correctness follows from ( This completes the proof.

Privacy-Preserving Guarantee
Theorem 2. The proposed protocol can provide privacy preservation for users.
Proof. In our proposed scheme, the DS sends the login request message {, , DID DS , ID HA , 

Proof. Our proposed scheme can efficiently prevent impersonation attacks by considering the following scenarios.
(1) Any attacker cannot impersonate DS to cheat MCS and HV. In the proposed scheme, whether DS is located in a foreign network or in his/her home

Forward Secrecy
Theorem 3. The proposed protocol meets the security requirement for perfect forward secrecy.
Proof. Perfect forward secrecy means that even if an attacker compromises all the passwords of the entities of the system, he/she still cannot compromise the session key. In the proposed scheme, these three one-time random numbers , , and  are only held by the DS, MCS, and HV, respectively, and cannot be retrieved from  = ,  = ,   =  = , and   =  =  based on the security of CDL and CDH problem. Thus, even if an adversary obtains all the passwords of the entities, previous session keys, and all the transmitted messages, he/she still cannot compromise other session keys. Hence, the proposed scheme achieves perfect forward secrecy.

Performance Comparison and Functionality Analysis
It is well known that most mobile devices have limited energy resources and computing capability. Hence, one of the most important issues in wireless networks is the power consumption caused by communication and computation. In fact, the communication cost in the GLOMONET is higher than the computation cost in terms of power consumption. In Table 1, we list the numbers of the TagGen, Verify and the  +  phases of our scheme and some related previous schemes.
Computation. Suppose there are  message blocks which will be stored in  cloud servers. The block sector number is  and the challenged block number is . We will consider the computation overhead in the different phases. On group   , bilinear pairings, exponentiation, multiplication, and the hash function ℎ 1 contribute most of the computation cost. Compared with them, the hash function ℎ and the operations on   and   are faster; the hash function  can be done once for all. On the DS, the computation cost mainly comes from the procedures of TagGen and verification (i.e., phase 5 in the protocol proof (, , )). In the phase TagGen, the client performs ns multiplication on   , , and hash function ℎ 1 . At the same time, for every file, the corresponding record   is stored by DS and CS. This stored metadata is small. In the phase proof, in order to respond the challenge chal = (,  on the group   ; Ce denotes the time cost of bilinear pairing;  ℎ 1 denotes the time cost of the hash function ℎ 1 . In other schemes, the sector must be in   . Our scheme only requires the hash function ℎ 1 's value, which lies in   . Thus, the hash function ℎ 1 can be used to generate fewer block-tag pairs for the same file. Fewer block-tag pairs incur less computation cost. This shows that our protocol can be implemented in mobile devices which have limited computation power.
Communication. In the phase proof, the communication overhead mainly comes from the challenge chal and response.
The block-tag pairs are uploaded once and for all. After that, the phase proof will be performed periodically. Thus, the communication overheads mainly come from the chal and responses. Suppose there are  message blocks stored in the CS.  and   have the same order . In chal, the verifier sends the challenge chal = (,  1 ,  2 ) to MCS. That is, the communication overhead is log 2  + 2log 2 .
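An added example (not from the paper) of why a challenge of this shape stays small: the verifier sends only a block count and two keys, and both sides expand them into the same challenged block indices and coefficients. The names `c`, `k1`, `k2`, the use of HMAC-SHA256 as the pseudorandom function, the sort-by-PRF ordering standing in for the pseudorandom permutation, and the prime `Q` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the group order: any large prime works here.
Q = 2**255 - 19


def prf(key, label, i):
    """HMAC-SHA256 as the pseudorandom function, returned as an integer."""
    msg = label + i.to_bytes(8, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def make_challenge(c):
    """Verifier side: the whole challenge is a count and two fresh keys."""
    return c, secrets.token_bytes(32), secrets.token_bytes(32)


def expand_challenge(chal, n):
    """Both sides: derive c distinct block indices and their coefficients.

    Ordering 1..n by PRF output under k1 is a keyed permutation of the block
    indices (a simple stand-in for the pseudorandom permutation); the first c
    positions are the challenged blocks. k2 drives the per-block coefficients.
    """
    c, k1, k2 = chal
    if not 1 <= c <= n:
        raise ValueError("challenge must cover between 1 and n blocks")
    order = sorted(range(1, n + 1), key=lambda i: (prf(k1, b"perm", i), i))
    pairs = []
    for j, index in enumerate(order[:c], start=1):
        coeff = prf(k2, b"coef", j) % Q or 1  # never use a zero coefficient
        pairs.append((index, coeff))
    return pairs


def challenge_bytes(chal):
    """Serialized challenge size: independent of how many blocks it selects."""
    c, k1, k2 = chal
    return len(c.to_bytes(8, "big")) + len(k1) + len(k2)


if __name__ == "__main__":
    n = 1000  # constructed: number of stored blocks
    chal = make_challenge(c=20)
    verifier_view = expand_challenge(chal, n)
    server_view = expand_challenge(chal, n)
    assert verifier_view == server_view
    print(challenge_bytes(chal), "bytes select", len(verifier_view), "blocks")
```

Because the keys are fresh for every audit, the server cannot predict which blocks will be challenged, while the message it receives has the same size whether 20 or 500 blocks are sampled.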
On the other hand, Zhu et al. [17], Zhu et al. [20], and Wang [23] proposed three different provable data possession schemes. We do the comparison under the same probability of detection. Our scheme and Wang's ID-PDP have the same total communication cost during the challenge phase. During the proof phase, our proof incurs less communication cost than Wang's ID-PDP. Compared with these three schemes, our scheme is more efficient in the communication cost. The communication comparison can be summarized in Table 2. In Table 2, 1 1 denotes one element of   and 1 1 denotes one element of   .

Conclusion
In this paper, we propose a novel anonymous authentication scheme for roaming service in global mobility networks. Security and performance analysis show that the proposed scheme is more suitable for low-power and resource-limited mobile devices, is secure against various attacks, and has many excellent features.

The cloud server number   :

Notations and Descriptions
The index of the CS which stores the th block-tag pair
CS   : The CS which stores the th block
  = ℎ(  , CS  ) ⋅ ∏  =1   ⋅ : The record where  denotes the th block
 exp : The computation of exponentiation
 ℎ 1 : The computation of hash function
 mul : The computation of multiplications in group  
  : The computation of bilinear pairings
DO: Data owner
DU: The data user/client/requester
DS: Data stakeholder, used to define both DO and DU
MCS: The multicloud server
HV: Home Verifier
V  : The permutated index of V  =   1 ().
valid, MCS is authenticated Verify signature V 2 output r = 1; otherwise it outputs 0 If they are equal, MCS and HV are authenticated {W 3 , W 2 } Compare H with H  = h(ID DS ‖h(PW DS DS ( (
1, chal} to MCS, where DID DS = ID ⊕ ℎ(  ) is used to protect the real identity DID DS of DS. Based on the CDL problem, any attacker cannot obtain the random number a from  and thus cannot retrieve ID DS from DID DS . At the same time, the attacker cannot trace the moving history and current location of DS according to the login request message since , DID DS , and  1 are dynamically changed in different login request messages of DS. Therefore, the proposed scheme can provide privacy preservation for DS.

Table 1: Comparison of cost.
( + ( + 2)) exp +  mul 3  + ( + ) exp + ( +  − 2) mul   + (3 +  + 2) exp + (2n +  − 1) mul Zhu et al. [20] ( + 2) exp +  mul 3  + ( + ) exp + ( +  − 2) mul  exp + ( − 1) mul Wang [23] ( + 1) exp +  mul +  ℎ 1 2  + ( +  + 1) exp + ( + ) mul  exp + ( − 1) mul +  ℎ 1 Our protocol  mul +  ℎ 1   + ( + ) mul   + ( + 1) mul + 2 exp +  ℎ 1

network, the HV authenticates DS by verifying the computed  * 1 = ℎ(ℎ(ID DS ‖ ) ‖   ‖ ID MCS ‖  ‖ ) with the received  1 = ℎ( ‖ ID DS ‖  ‖  ‖ ). Since the attacker does not possess DS's password PW DS , he/she cannot compute the correct  =  ⊕ ℎ(PW DS ‖  DS ) and thus cannot cheat HV by forging a login request message. At the same time, since a is a one-time random number and only possessed by DS,  1 is dynamically changed in each login request message. Therefore, the attacker cannot cheat the HV by replaying a previous login request message. Besides, when DS is located in a foreign network, the authentication of MCS to DS is completely dependent on the authentication of HV to DS. If an attacker cannot successfully cheat HV by masquerading as DS, he/she cannot cheat MCS successfully.
(2) Any attacker cannot impersonate MCS to cheat HV and DS. In the proposed scheme, the HV authenticates MCS by checking whether   MCS { 2 } equals ℎ(, , Cert MCS ,  1 , DID DS ), where  2 is MCS's digital signature. Obviously, the attacker cannot compute the correct MCS's digital signature without knowing MCS's private key § MCS . Therefore, the attacker cannot cheat HV successfully by masquerading as MCS. At the same time, the authentication of DS to MCS is completely dependent on the authentication of HV to MCS. If an attacker cannot successfully cheat HV by masquerading as MCS, he/she cannot cheat DS successfully.
(3) Any attacker cannot impersonate HV to cheat DS. In the proposed scheme, the DS authenticates HV by verifying  * 2 = ℎ( ‖   ‖ ID MCS ‖  ‖  ‖ ID HV ) with the received W 2 = ℎ(ℎ(ID DS ‖ ) ‖  ‖ ID MCS ‖ ID HV ). Obviously, any attacker cannot compute the correct  2 without knowing ID DS and , and the attacker cannot cheat DS successfully.

[20] 2 ) and generate the response  and the MCS perform  + 1 multiplication on the group   ,  hash function ℎ 1 . In the verification of the response, HV performs 2 exponentiations, 2 pairings, and  +  multiplication on the group   and  hash function ℎ. On the other hand, in 2012, Zhu et al. proposed the cooperative provable data possession for integrity in multicloud storage [17]. Almost at the same time, Zhu et al. proposed the dynamic audit services for outsourced storage in clouds [20]. Compared with them, our proposed scheme is more efficient in the computation cost. The computation comparison can be summarized in Table 1. In Table 1,  exp denotes the time cost of exponentiation on the group   ;  mul denotes the time cost of multiplication

Table 2: Comparison of communication cost.