ID-Based Public Auditing Protocol for Cloud Data Integrity Checking with Privacy-Preserving and Effective Aggregation Verification

With the rapid development of cloud services, people with limited storage space can store their data files in the cloud and delete the local copies. However, the cloud service provider may change or partly delete a user's file for its own benefit. Therefore, it is necessary for the user to periodically check the integrity of the data file. Public auditing protocols are designed for exactly this purpose: an auditor checks the data file integrity on behalf of the user. Recently, many ID-based public auditing protocols for cloud data integrity checking have been proposed, building on ID-based cryptography. However, some existing protocols are subject to forgery attacks. Other existing protocols cannot preserve the privacy of the user, as the auditor can obtain the user's file content by repeatedly auditing the same file blocks. In this paper, we propose a new ID-based public auditing protocol for cloud data integrity checking with optimized structure, privacy preservation, and effective aggregation verification. We also prove that the proposed protocol can resist forgery attacks under the assumption that the Diffie-Hellman problem is hard. Furthermore, we compare our protocol with other ID-based auditing protocols.


Introduction
With the rapid development of cloud services, people with limited storage space like to store their large data files in the cloud, but cloud storage also raises security issues [1]. The cloud service provider may change or partly delete a user's data file for its own benefit. Therefore, it is necessary for the user to periodically check the integrity of the data file. However, once the user transfers his file to the cloud, he deletes the local copy, so he can no longer check the data integrity by conventional methods. Public auditing protocols [2] are designed for checking data file integrity in this setting. In a public auditing protocol, a data user first signs every block of his data file. Then the user sends his file and the signatures on the file blocks to the cloud service provider and deletes the file locally. The protocol includes an auditor who periodically contacts the cloud service provider to check the data file integrity on behalf of the user.
After the first auditing protocols [2], many auditing protocols based on public key cryptographic systems were proposed. Recently, to eliminate the burden of public key management, a few public auditing protocols based on ID-based cryptographic systems have been proposed [16][17][18][19][20][21][22]. However, some existing ID-based public auditing protocols are subject to forgery attacks by a malicious cloud server [20]. Other existing ID-based public auditing protocols cannot preserve the privacy of the user, as the auditor can obtain the user's file content by repeatedly auditing the same file blocks [19,29]. A common ID-based public auditing protocol consists of six phases: setup, key extraction, tag generation, challenge, prove, and verify [17]. In the challenge phase, the auditor generates challenge information and sends it to the cloud server. When the cloud server returns the proof information for the data file integrity, the auditor verifies the proof information using the parameters from the cloud server. In our view, since the auditor has more computation and storage resources than the data users, the auditor should store a few parameters and do more computations for the verification of the proof information. This may effectively resist forgery attacks from the cloud server. Another problem is that the existing ID-based public auditing protocols [17] lack necessary signature authentication on the messages between the data user, the cloud server, and the auditor. This problem leads to a lack of strictness in the protocols.
Based on the above understanding, we propose a new ID-based public auditing protocol for data integrity checking. Our contributions are fivefold. Firstly, we optimize the structure of the ID-based public auditing protocol. We compress the six phases of common ID-based public auditing protocols into four phases. We also add necessary signature authentication. These measures make the proposed protocol more compact, clear, and rigorous. Secondly, we use aggregate signatures to make the proposed protocol more efficient through aggregation verification. Thirdly, in the challenge and prove phase of the proposed protocol, the auditor must provide some parameters of its own in order to verify the proof information from the cloud server. This makes the protocol more secure than existing protocols in preventing forgery attacks. The proposed protocol is proved secure against forgery attacks under the assumption that the Diffie-Hellman problem is hard. Fourthly, the proposed protocol is privacy-preserving. The auditor cannot obtain any information about the user's file content even by repeatedly auditing the same file blocks.
The rest of the paper is organized as follows. In Section 2, we review bilinear pairings and the computational Diffie-Hellman problem relevant to the security of the proposed protocol. An ID-based public auditing protocol is proposed in Section 3. In Section 4, we provide security proofs of the proposed protocol. In Section 5, we compare the proposed protocol with two other protocols in security, communication efficiency, and computation cost. The conclusion is given in Section 6.

Preliminary
In this section, we briefly introduce the definitions of bilinear pairings and computational Diffie-Hellman (CDH) problem relevant to the security of the proposed protocol [17].

The Bilinear Pairing.
Let  1 be a cyclic additive group generated by , whose order is a prime , and  2 be a cyclic multiplicative group of the same order. Let  :  1 ×  1 →  2 be a pairing map which satisfies the following conditions.
The typical way of obtaining such pairings is by deriving them from the Weil-pairing or the Tate-pairing on an elliptic curve over a finite field.

Computational Diffie-Hellman (CDH) Problem.
Given a generator  of an additive cyclic group  with order  and given (, ) for unknown ,  ∈  *  , it is hard to compute .

The Proposed Protocol
As in [17], an ID-based public auditing protocol involves a data user, a cloud server, an auditor, and a private key generator (PKG). The cloud server is a semitrusted party: it might change or delete the data user's file for its own benefit. Here we consider the cloud server as the only adversary that can launch a forgery attack on the proof information for integrity checking. The new protocol consists of four algorithms: setup, key extraction, tag generation, and the challenge and prove phase. The following is the detailed description of the proposed protocol. The two phases of setup and key extraction are the same as the general method of ID-based signatures [25].

Setup.
Given a security parameter  ∈ , the algorithm works as follows:
(1) Run the parameter generator on input  to generate a prime , an additive cyclic group  1 and a multiplicative cyclic group  2 of the same order , a generator  of  1 , and a bilinear map  :  1 ×  1 →  2 .
(2) Pick a random  ∈  *  as master key of PKG and set system public key   =  ⋅ .

Key Extraction.
When any one of the data user (DU), the cloud server (CS), and the auditor (AU) wants to register his identity  to PKG, the algorithm works as follows:
(1) Compute   = () ∈  1 .
(2) Set the private key   =  ⋅   , where  is the master key of PKG.
Through these two steps, the data user (DU), the cloud server (CS), and the auditor (AU) obtain their private keys   ,   , and   , respectively.

Tag Generation.
This phase consists of five steps showing the message transfers between the data user (DU) and both the cloud server (CS) and the auditor (AU). For a data file  =  1 ‖ ⋅ ⋅ ⋅ ‖   , the data user (DU) selects a random file name, name, and lets  =  ‖  be the file tag. The tag generation phase is shown in Algorithm 1.
If it holds, DU chooses ∈   *  and generates the signature on information  expressing a request for auditing agency.
If the equations hold, AU chooses ∈   *  , computes sends (  , , , ) to DU for expressing that he accepts the auditing agency, and stores   .
(5) When DU receives (, ) from AU, DU checks the following equation: If the equation holds, DU deletes the file .

Challenge and Prove Phase.
This phase consists of three steps showing the message transfers between the auditor AU and the cloud server CS.
(3) Upon receiving the proof information (  , ), based on stored information   , AU computes Then AU checks the following equation: If the equation holds, AU accepts the proof. The challenge and prove phases are shown in Algorithm 2.

Security of the Proposed Protocol
Theorem 1. The proposed protocol is correct.
Proof of Theorem 1. To save space, we prove the correctness of only three representative equations of the proposed protocol. Firstly, we show that the aggregate signature  can be verified by equation  Secondly, the signature  can be verified by equation  (, ) =  (ℎ ( ‖  ‖   ‖   )   + ,   ) .
Finally, the proof information (  , ) can be verified by the following equation.

𝑒 (𝜎
In fact, ⋅  (  ,   ) .

Theorem 2. If the CDH assumption holds, then the proposed protocol is secure against existential forgery attack.
Proof of Theorem 2. Following the usual proof approach, we show that the challenger can solve the CDH problem whenever CS can provide forged but valid proof information for the data integrity checking.
In the proof process, hash  and ℎ are random oracles. For a given CDH problem instance (, ), the challenger sets system public key   = , user DU's private key as   (),   ∈    , for timely oracles.
Assume that, for the same challenge information ℎ = [  , , , ], CS produces two valid forged pieces of proof information (  * 1 ,  * ) and (  * 2 ,  * ) in two forgeries. Then the following two equations hold.

𝑒 (𝜎
Then,

Theorem 3. In the proposed protocol, the auditor cannot derive any information about the data file content.
Proof of Theorem 3. In the whole auditing procedure, the auditor AU only obtains messages from DU and  from CS. However, (, , ) and (, , ) are signatures irrelevant to the file content. ( 1 , ⋅ ⋅ ⋅ ,   ) is also irrelevant to the file content. ( 1 , ⋅ ⋅ ⋅ ,   ) and   are relevant to the file content, but the file content is protected by the hash function.
It is impossible for AU to obtain block   from equation  = ∑ ∈   (  + ℎ(  )). Even by repeatedly auditing the same file blocks, AU does not obtain any block of the file, because  = ∑ ∈   (  + ℎ(  )) is not a linear equation in   . Therefore, AU cannot derive any information about DU's data file content during the whole auditing procedure.
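
The contrast behind this argument can be run on toy values. The following is an added example, not code from the paper: it uses integers modulo a prime in place of the pairing groups, SHA-256 as an assumed stand-in for the hash, and hypothetical names (`respond`, `solve_mod`, `auditor_view`). With a purely linear response, repeated audits of the same blocks give the auditor a solvable linear system in the blocks themselves; with the block-plus-hash summand, the same algebra yields only the masked values.

```python
import hashlib

Q = 2**127 - 1  # toy prime modulus standing in for the group order (assumption)

def h(m):
    """Hash a block value into Z_Q (SHA-256 is an assumed stand-in for h)."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(16, "big")).digest(), "big") % Q

def respond(blocks, coeffs, masked):
    """Server's aggregated response to one challenge over the same blocks."""
    return sum(v * ((m + h(m)) if masked else m)
               for v, m in zip(coeffs, blocks)) % Q

def solve_mod(A, b, q=Q):
    """Gauss-Jordan elimination over Z_q: returns x with A x = b (mod q)."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] % q)  # pivot row
        M[c], M[p] = M[p], M[c]
        inv = pow(M[c][c], -1, q)
        M[c] = [x * inv % q for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[c])]
    return [row[n] for row in M]

def auditor_view(blocks, masked):
    """Values an auditor can solve for after n audits of the same n blocks."""
    n = len(blocks)
    # Constructed challenge coefficients: Vandermonde rows, invertible mod Q.
    A = [[pow(j + 2, i, Q) for i in range(n)] for j in range(n)]
    b = [respond(blocks, row, masked) for row in A]
    return solve_mod(A, b)

# Constructed sample blocks (short byte strings read as integers below Q).
BLOCKS = [int.from_bytes(s, "big")
          for s in (b"ledger-row-1", b"ledger-row-2", b"ledger-row-3")]

if __name__ == "__main__":
    print(auditor_view(BLOCKS, masked=False) == BLOCKS)  # linear form
    print(auditor_view(BLOCKS, masked=True) == [(m + h(m)) % Q for m in BLOCKS])
```

In the masked case, going from a recovered value back to the block means inverting the block-plus-hash relation, which is where the hash function protects the content.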

Comparisons
In this section, we compare the proposed protocol with two other ID-based auditing protocols [16,17]. The comparison results for security features, communication number, and computation costs are shown in Tables 1, 2, and 3, respectively.
From Table 2, in the tag generation phase, the communication number in the proposed protocol is clearly higher than in the other two protocols. This is caused by the following two facts. One is that in our protocol, when the cloud server accepts the data file from the cloud user, the cloud server must return an 'accept service' authentication message to the user. The other is that the data user must send information to the auditor to request auditing agency, and once it accepts the auditing agency, the auditor also sends a response to the user.
Since there is no detailed file tag signature algorithm description in [16], in Table 3 we only compare the computation costs of the parts common to the proposed protocol and [17] in the key extraction phase, block tag generation phase, challenge phase, and prove phase. In addition, we mainly count the exponential operation, scalar multiplication, hash computation, and bilinear pairing operation. Also, we assume that the number of challenged blocks in the challenge and prove phase is |I|. The computation cost of Zhang et al.'s protocol [17] is (4n+2|I|+2)H+(6n+4|I|+2)S+(3n+3)B+(n+|I|)E. However, the computation cost of our protocol is (4n+|I|+8)H+(5n+2|I|+13)S+14B+|I|E. According to [33],  ≈ 23,  ≈ 29,  ≈ 21,  ≈ 1440. Here,  represents the time cost of a modular multiplication in   . Then, the computation cost of Zhang et al.'s protocol is about (4607 + 183|| + 4424). However, the computation cost of our protocol is about (237+102||+20721). The computation cost of Zhang et al.'s protocol in tag generation phase is about 4607. However, the computation cost of our protocol in tag generation phase is about (237 + 13049).
We simulate the computational cost of our protocol and Zhang et al.'s protocol [17] on a Mac OS High Sierra system with an Intel Core i7 at 2.9 GHz and 16-GB RAM. The algorithms are implemented using the pairing-based cryptography (PBC) library version 0.5.14. When the file is 1024 Bytes, the comparison of computation cost in the tag generation phase between our protocol and Zhang et al.'s protocol is shown in Figure 1. The whole computation costs of our protocol and Zhang et al.'s protocol are shown in Figures 2 and 3, respectively. When the number  of the blocks of the file is 48, the comparison of computation cost between our protocol and Zhang et al.'s protocol is shown in Figure 4. When the file is large and the number of its blocks is correspondingly large, our protocol has a significantly lower computation cost.
The relationship between our protocol and the one in [25] also needs comparison and explanation. In [25], a certificateless public auditing protocol with privacy preservation for cloud-assisted wireless body area networks was proposed. Since both protocols address the same issue of public auditing, there are some unavoidable similarities in structure and concern. However, the protocol in [25] is based on certificateless public cryptography, while the protocol in this paper is based on ID-based public cryptography. There is a great difference in the concrete structure of the two protocols. In the tag generation phase of the protocol in this paper, aggregation verification is used to greatly reduce the amount of computation. Therefore, on the whole, the efficiency and design concept of the protocol in this paper are higher than those of the one in [25].

Conclusion
In this paper, we propose a new ID-based public auditing protocol for cloud data integrity checking. The proposed protocol has not only an optimized structure but also effective aggregation verification to reduce the computation cost. Furthermore, the proposed protocol is privacy-preserving, as the auditor cannot obtain any information about the user's file content even by repeatedly auditing the same file blocks. We prove that the proposed protocol can resist forgery attacks under the assumption that the Diffie-Hellman problem is hard. We also compare the proposed protocol with other ID-based auditing protocols. The proposed protocol is shown to be more secure and efficient in computation cost.

Figure 1: The computation time of tag generation for 1024-Byte data.
[Figure axes: number of the blocks of the file; the challenging blocks number]

Figure 2: The computation cost of our protocol.

Figure 3: The computation cost of Zhang et al.'s protocol.

Figure 4: The comparison of computation cost between our protocol and Zhang et al.'s protocol.

Table 1: Comparison of features.

Table 2: Required communication number.

Table 3: Comparison of computation costs. P1: key extraction phase, P2: block tag generation phase, P3: prove phase, P4: verify phase; E: exponential operation and its time cost, S: scalar multiplication and its time cost, H: hash computation and its time cost, B: bilinear pairing and its time cost.