A Certificate-Based Provable Data Possession Scheme in the Standard Model

A certificate-based cryptosystem can not only resolve the private key escrow problem inherent in identity-based cryptosystems but also reduce the cost of public key certificate management in public key infrastructure (PKI)-based cryptosystems. Provable data possession (PDP) can ensure the integrity of users' data stored in the cloud with very high probability. By combining these two concepts, we propose a certificate-based PDP scheme. We prove that our scheme is secure in the standard model assuming that the Squ-CDH problem is hard. Based on the index logic table, our scheme can be extended to support dynamic operations easily. Efficiency analysis shows that our scheme has high efficiency.


Introduction
With the rapid development of cloud storage technology, more and more users and companies store their data in the cloud. However, a new problem has emerged: how can users ensure the integrity of their data if they no longer physically hold them? Luckily, provable data possession (PDP) [1] can resolve this problem. PDP is a lightweight probabilistic integrity checking model for cloud data. It can ensure the integrity of data stored in the cloud with high probability even if users save no data or only a small amount of data locally. It is one of the core technologies supporting cloud storage security. The certificate-based cryptosystem [2] was proposed to reduce the high cost of public key certificate management in the public key infrastructure (PKI)-based cryptosystem [3] and to eliminate the private key escrow problem inherent in the identity-based cryptosystem [4]. Just as in the PKI-based cryptosystem, a user's public key in the certificate-based cryptosystem needs a certificate generated by the certificate authority (CA), except that in the latter case, the certificate participates in the decryption or signing process along with the private key. Therefore, the certificate is verified implicitly. In this way, during encryption or signature verification, the user need not care whether the certificate has been revoked or has expired, and as a result, the cost of certificate management is reduced. In addition, the private key is produced by the user himself, so the private key escrow problem is also eliminated.
By combining the certificate-based cryptosystem and the concept of PDP, we propose a certificate-based PDP scheme. Based on the assumption that the Squ-CDH problem is hard, we prove the security of our scheme in the standard model. Based on the index logic table [5], our scheme can be extended to support dynamic operations easily. Finally, we evaluate the efficiency of our scheme, which shows that it is efficient.

Related Work.
Ateniese et al. [1] first introduced the notion of PDP in 2007. Afterwards, Erway et al. [6] and Wang et al. [7] proposed dynamic PDP schemes, where users can modify, insert, or delete their data stored in the cloud. In addition, Wang et al.'s scheme [7] also supports public verification, that is, users themselves need not check whether their data are stored intact in the cloud; instead, they can delegate a third party auditor (TPA) to do it. Therefore, the users' burden is reduced, and furthermore, TPA or users can provide evidence when a dispute occurs. Afterwards, Wang et al. [8] pointed out that, to protect users' privacy, TPAs should not obtain users' data when they audit data in public auditing schemes, and proposed a privacy-preserving public PDP scheme. Meanwhile, in their paper, Wang et al. [8] also considered batch auditing so that even if there are multiple tasks from different users to be carried out simultaneously, TPA just needs to do one auditing task, which improves efficiency.
All the above schemes were proposed in the PKI-based cryptosystem. The main drawback of the PKI-based cryptosystem is the high cost of certificate management, which hinders its application on a large scale. To reduce the cost of certificate management, identity-based PDP schemes [9,10] were proposed. However, the private key escrow problem is inherent in them. The certificate-based cryptosystem can not only resolve the private key escrow problem but also reduce the cost of public key certificate management, making it much superior. In 2015, Wang and Li [11] first proposed a certificate-based PDP scheme, but it supports neither public verification nor dynamic operations. In 2020, Wang et al. [12] proposed a lightweight certificate-based PDP scheme, which supports both private and public audits, but it does not support dynamic operations. Both of the above certificate-based PDP schemes rely on the random oracle model. Canetti et al. [13] showed that the random oracle is just an ideal model and that those schemes that are secure under the random oracle model will not remain secure when the random oracle is replaced by some concrete hash functions. Therefore, it is necessary to design certificate-based PDP schemes in the standard model. To the best of our knowledge, so far there have only been two certificate-based PDP schemes proposed in the literature, as mentioned above.
In terms of PDP schemes in the standard model, Zhang et al. [14] proposed an identity-based public PDP scheme, but Shen et al. [15] pointed out that the scheme [14] is insecure. A malicious cloud server can modify or delete users' data arbitrarily, while still being able to produce a proof passing the verification equation as long as it keeps just one data block and its corresponding tag valid. Wang et al. [16] proposed a public and dynamic PDP scheme, but it is based on the PKI technology, which thus requires a high cost of certificate management. Zhu et al. [17] proposed a shared data PDP scheme, where a group of users share the data stored in the cloud. It also supports malicious member revocation. Thokchom and Saikia [18] proposed an efficient privacy preserving public dynamic PDP scheme and also extended their scheme to support batch auditing in multiuser and multicloud scenarios, but they did not give a security proof of their scheme. Yang et al. [19] proposed a quantum resistant lattice-based PDP scheme, which supports privacy preserving public auditing, dynamic operations, and batch auditing.
The rest of this work is organized as follows. In Section 2, we introduce the bilinear pairing and some complexity assumptions. In Section 3, we introduce the system model, the formal definition, and the security model of certificate-based PDP. In Section 4, we propose a concrete certificate-based PDP scheme in the standard model. In Section 5, we extend our scheme to support dynamic operations by using the index logic table. In Section 6, we prove the security of the proposed scheme. In Section 7, we evaluate the efficiency of the proposed scheme. We conclude the work in Section 8.

Preliminaries
2.1. Bilinear Pairing.
Let $G_1$ and $G_2$ be two multiplicative cyclic groups of prime order $q$, and let $g$ be a generator of $G_1$. A map $e: G_1 \times G_1 \to G_2$ is a bilinear pairing if the following conditions hold.
(1) Bilinearity: for any $a, b \in Z_q$ and $P, Q \in G_1$, the equation $e(P^a, Q^b) = e(P, Q)^{ab}$ holds
(2) Nondegeneracy: $e(g, g) \neq 1_{G_2}$
(3) Computability: for any $P, Q \in G_1$, $e(P, Q)$ can be calculated efficiently

Complexity Assumption.
Square Computational Diffie-Hellman (Squ-CDH) problem: given $g, g^a \in G_1$, where $a \in Z_q$ is selected randomly and its value is not known, calculate $g^{a^2}$.
Let A be a probabilistic polynomial time (PPT) algorithm, and the advantage of A in solving the Squ-CDH problem on

System Model, Definition, and Security Model of the Certificate-Based PDP

System Model.
There are four entities involved in a certificate-based PDP scheme as illustrated in Figure 1.
CA: it is a trusted third party who initializes the system and issues certificates for users.
Users: they have a large amount of data to be stored in the cloud. When they decide to store their data in the cloud, they divide their data into file blocks and produce a tag for each file block. Then, they store their data along with these tags in the cloud and delete them locally.
TPA: TPA is delegated by users to audit the data in the cloud. It periodically audits the data. When TPA plans to audit the data, it launches a challenge by sending the cloud a randomly selected subset of the index numbers of file blocks. After getting a proof from the cloud server, it checks whether the proof passes a predefined verification equation. If it does, then it is highly probable that the data stored in the cloud are intact.
Cloud server: it provides cloud storage service. When it receives a challenge from TPA, it generates a proof by using the data blocks selected by TPA and their corresponding tags and sends the proof to TPA.

Definition of the Certificate-Based PDP.
A certificate-based PDP scheme consists of the following seven algorithms.
(1) Setup: given a security parameter $1^k$, it outputs the system's public parameters params and a master private key $s$. It is run by CA.
(2) User-Key-Generation: given the system's public parameters params, it outputs a public/private key pair $(pk, sk)$. It is run by the user.
(3) Certificate-Gen: given a user's public key $pk$, the system's public parameters params, and the master private key $s$, it outputs a certificate cert for the user. It is run by CA.
(4) Tag-Gen: given $n$ blocks $m_i \in Z_q^*$ $(i = 1, \ldots, n)$ of a file $F$, the user's private key $sk$, and the system's public parameters params, it outputs a tag $tag_i$ for each file block $m_i$. It is run by the user. Then, the user stores all $m_i$ and $tag_i$ in the cloud and deletes them locally.
(5) Proof-Gen: given a subset of the index numbers of file blocks selected by TPA, the corresponding tags $tag_i$, and the system's public parameters Params, it outputs a proof of data. It is run by CSP, and CSP sends the proof to TPA.
(6) Proof-Verify: given the system's public parameters params and the proof, it outputs TRUE or FALSE. It is run by TPA.
(7) Update-Op: it is run by CSP.
Inserting: given the system's public parameters Params, the index number $i$, and a file block $m_i$, it does the updating and outputs TRUE or FALSE.
Modifying: given the system's public parameters Params, the index number $i$, and a new file block $m_i'$, it does the updating and outputs TRUE or FALSE.
Deleting: given the system's public parameters Params and the index number $i$, it does the updating and outputs TRUE or FALSE.

Security Model of the Certificate-Based PDP.
There are two types of adversaries in the certificate-based cryptosystem [2]. The first type of adversary $A_I$ does not know the master private key, but he can replace anyone's public key, as it models any adversary except CA. On the contrary, the second type of adversary $A_{II}$ knows the master private key, but he cannot replace anyone's public key, as it models the honest-but-curious CA. The honest-but-curious CA means that CA will honestly execute the system protocol, but then he can attack the system. In 2009, Wu et al. [20] introduced the malicious-but-passive CA $A_{II}$ adversary in the certificate-based cryptosystem. This type of $A_{II}$ adversary may be malicious in the system protocol execution. In our security model, this type of adversary $A_{II}$ is considered.
Definition 1 (type I adversary). A certificate-based PDP scheme is secure if for any PPT adversary $A_I$, the probability that $A_I$ wins the following game is negligible.
Setup. Given a security parameter $k$, challenger C runs the setup algorithm to generate a master private key $s$ and a common parameter Params. Params are given to $A_I$ and C keeps $s$ private.

Queries.
$A_I$ can make the following queries adaptively.

Security and Communication Networks
runs the User-Key-Generation algorithm to create a private/public key pair $(SK_{ID}, PK_{ID})$ of that user and returns $PK_{ID}$ to $A_I$; otherwise, C returns $PK_{ID}$ to $A_I$ directly.
(2) User-PrivateKey queries: $A_I$ supplies an already created identity ID. C returns ID's private key $SK_{ID}$ to $A_I$.
(3) PublicKey-Replacement queries: $A_I$ supplies an already created identity ID and a new public/private key pair $(PK_{ID}', SK_{ID}')$. C replaces the current public/private key pair $(PK_{ID}, SK_{ID})$ with the new pair $(PK_{ID}', SK_{ID}')$.
(4) Certificate queries: $A_I$ supplies an already created identity ID and the corresponding public key $PK_{ID}$. C runs the Certificate-Gen algorithm to produce ID's certificate $Cert_{ID}$ and sends it to $A_I$.
(5) Tag-Gen queries: $A_I$ supplies an already created identity ID and a file block $m_i$. C runs the Tag-Gen algorithm to generate a tag of $(ID, m_i)$ and sends it back to $A_I$.
(6) Update-Op queries: $A_I$ supplies an already created identity ID and a request for a dynamic operation. C makes the corresponding dynamic operation.
Challenge. C generates a challenge $(ID^*, I^*, W^*)$ and sends it to $A_I$, where $I^*$ is a subset of the index numbers of file blocks and $W^*$ is a set of random numbers.
Forge. $A_I$ generates a proof $P^*$ for $(ID^*, I^*, W^*)$ and sends it to C.
$A_I$ wins the game if the following conditions hold.
(1) True $=$ ProofVerify$(ID^*, P^*)$
(2) $A_I$ has not made a certificate query on $ID^*$
(3) At least one query of Tag-Gen on $(ID^*, i^*, m_i^*)$ does not happen, where $i^* \in I^*$
Definition 2 (type II adversary). A certificate-based PDP scheme is secure if for any PPT adversary $A_{II}$, the probability that $A_{II}$ wins the following game is negligible.
Setup. Given a security parameter $k$, adversary $A_{II}$ runs the setup algorithm to generate a master private key $s$ and a common parameter Params. Params and $s$ are given to C.

Queries.
$A_{II}$ can make User-Creation, User-PrivateKey, Tag-Gen, and Update-Op queries adaptively, and these queries are the same as in Definition 1. Other queries are not needed for $A_{II}$.
Challenge. Same as in Definition 1.
Forge. $A_{II}$ generates a proof $P^*$ for $(ID^*, I^*, W^*)$ and sends it to C.
$A_{II}$ wins the game if the following conditions hold.
(1) True $=$ ProofVerify$(ID^*, P^*)$
(2) $A_{II}$ has not made a User-PrivateKey query on $ID^*$
(3) At least one query of Tag-Gen on $(ID^*, i^*, m_i^*)$ does not happen, where $i^* \in I^*$
Note. In order to resist the malicious-but-passive CA adversary $A_{II}$, the setup algorithm must be run by adversary $A_{II}$ rather than by challenger C.

A Concrete Certificate-Based PDP Scheme
denotes a collision-resistant cryptographic hash function for some $n_u \in Z_q^*$, which is used to create identities of the desired length.
(1) Setup: given a security parameter $1^k$, CA chooses two cyclic groups $G_1$ and $G_2$ of prime order $q$, a random generator $g$ of $G_1$, a bilinear map e:
(2) User-Key-Generation: the user ID randomly selects $x_{ID}, y_{ID} \in Z_q^*$ as his secret keys and computes his public key as $UPK_{ID} = (UPK_{ID,1}, UPK_{ID,2}, UPK_{ID,3}$ where $\sigma_{ID} = y_{ID} + x_{ID} H(UPK_{ID,1}, UPK_{ID,2}, Params) \bmod q$ is a Schnorr one-time signature. The signature can be generated using the technique of Fiat-Shamir transform without random oracles as described in [21].
(3) Certificate-Gen: given a user's identity ID and his public key $UPK_{ID}$, CA randomly selects $r_{ID} \in Z_q^*$ and computes the user's certificate as
(5) Proof-Gen: TPA selects a random integer $c$ and two random elements $k_1, k_2 \in Z_q^*$. TPA sends the challenge $(ID, c, k_1, k_2)$ to CSP. CSP computes $i_j = \pi_{k_1}(j)$ and $w_j = f_{k_2}(j)$, where $j = 1, 2, \ldots, c$. Let $I = \{i_1, i_2, \ldots, i_c\}$; CSP computes $S = \prod_{i \in I} t_{ID,i,2}^{w_i}$ and $\delta = \sum_{i \in I} w_i m_i$ and sends the proof $(t_{ID,1}, S, \delta)$ to TPA.
(6) Proof-Verify: TPA computes $i_j = \pi_{k_1}(j)$, $id = H_1(ID, UPK_{ID,1}, UPK_{ID,2}, UPK_{ID,3})$, and $W_{ID,i} = H_2(ID, UPK_{ID,1}, UPK_{ID,2}, UPK_{ID,3}, t_{ID,1}, i)$. TPA verifies whether $e(UPK_{ID,3}, g) = e(UPK_{ID,2}, g)\, e(UPK_{ID,1}, g)^{c_1}$ and (1)

Index Logic Table.
Wang et al. [5] introduced the index logic table (ILT) to support dynamic operations in PDP schemes, as ILT can overcome the delete-insert attack [5] in the map version table [22] structure. An ILT includes two columns: the index number (the first column) and the logic number (the second column). In addition, one additional column (the third column) is used to explain the ILT and does not actually appear in the ILT. Let "iin" denote the first column, "lln" denote the second one, "blocks" denote the third one, "inEF" denote the last line of column 1, and "lnEF" denote the last line of column 2. The ILT is illustrated in Table 1. Please note that the last row of blocks does not include any file block in Table 1.
There are four operations in ILT, namely, initializing, modifying, inserting, and deleting. We assume a file $F$ is divided into $n$ blocks. The initializing operation is described in algorithm 1(a) of Table 2, with an example of $n = 6$ given in Table 1(a). The modifying operation is described in algorithm 1(b) of Table 2, with an example of modifying file block $m_4$ to $m_4'$ at $i = 4$ given in Table 1(b). The inserting operation is described in algorithm 1(c) of Table 2, with an example of inserting a file block $m''$ after $i = 4$ given in Table 1(c). The deleting operation is described in algorithm 1(d) of Table 2, with an example of deleting $i = 2$ given in Table 1(d).

Dynamic Operations.
To make our scheme support dynamic operations, we must replace $W_{ID,i} = H_2(ID, UPK_{ID,1}, UPK_{ID,2}, UPK_{ID,3}, t_{ID,1}, i)$ with $W_{ID,i} = H_2(ID, UPK_{ID,1}, UPK_{ID,2}, UPK_{ID,3}, t_{ID,1}, lln(i))$ in the Tag-Gen and the Proof-Verify algorithms; in other words, we must replace $i$ with $lln(i)$. The ILT must be stored locally by users and TPA.
(1) Data modifying: when a user wants to modify a file block $m_i$ to $m_i'$ at iin $= i$, he runs algorithm 1(b) first. Then, he computes tag' for $m_i'$. He uploads $m_i'$, tag', iin, and ILT to the cloud and deletes $m_i'$ and tag' locally. CSP makes the corresponding modification.
(2) Data inserting: when a user wants to insert a file block $m''$ after iin $= i$, he runs algorithm 1(c) first. Then, he computes tag'' for $m''$. He uploads $m''$, tag'', iin, and ILT to the cloud and deletes $m''$ and tag'' locally. CSP makes the corresponding insertion.
(3) Data deleting: when a user wants to delete a file block $m_i$ at iin $= i$, he runs algorithm 1(d) first. Then, he uploads iin and ILT to the cloud. CSP makes the corresponding deletion.
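The ILT bookkeeping behind these three procedures, as an added Python example that is not code from the paper. Algorithm 1 (Table 2) is not reproduced on this page, so the update rules are an assumed reading in which every modified or inserted block takes the unused logic number lnEF; SHA-256 stands in for $H_2$, and the identity, key and tag bytes are constructed.

```python
"""Index logic table (ILT) sketch: why tags bind lln(i) instead of i."""
import hashlib


class IndexLogicTable:
    """Rows (iin, lln). Row i lives at self.rows[i - 1]; the sentinel last
    row (inEF, lnEF) is kept as two counters instead of a stored row."""

    def __init__(self, n_blocks):
        if n_blocks < 1:
            raise ValueError("file must have at least one block")
        self.rows = list(range(1, n_blocks + 1))  # initially lln(i) = i
        self.ln_ef = n_blocks + 1                 # next unused logic number

    @property
    def in_ef(self):
        """Index number of the sentinel row (one past the last block)."""
        return len(self.rows) + 1

    def _check(self, i):
        if not 1 <= i <= len(self.rows):
            raise IndexError(f"iin {i} outside 1..{len(self.rows)}")

    def _fresh(self):
        """Hand out lnEF and advance it; logic numbers are never reused."""
        ln, self.ln_ef = self.ln_ef, self.ln_ef + 1
        return ln

    def lln(self, i):
        self._check(i)
        return self.rows[i - 1]

    def modify(self, i):
        """Block at position i is replaced, so it gets a new logic number."""
        self._check(i)
        self.rows[i - 1] = self._fresh()
        return self.rows[i - 1]

    def insert_after(self, i):
        """New block goes to position i + 1 (i = 0 inserts at the front)."""
        if i != 0:
            self._check(i)
        self.rows.insert(i, self._fresh())
        return self.rows[i]

    def delete(self, i):
        """Remove position i; later rows shift up, lnEF is left untouched."""
        self._check(i)
        del self.rows[i - 1]


def w_binding(identity, upk, t1, number):
    """SHA-256 stand-in for W = H_2(ID, UPK, t_{ID,1}, number).

    Fields are length-prefixed so that distinct inputs cannot collide by
    concatenation. The real H_2 maps into G_1; only the binding matters here.
    """
    h = hashlib.sha256()
    for field in (identity, upk, t1, number.to_bytes(8, "big")):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.hexdigest()


def delete_insert_demo():
    """Delete block 2, then insert a new block after position 1.

    Returns (index_binding_repeats, lln_binding_repeats): whether the hash
    input for position 2 is the same before and after the two operations.
    """
    ident, upk, t1 = b"alice", b"constructed-upk", b"constructed-t1"
    ilt = IndexLogicTable(6)
    old_by_index = w_binding(ident, upk, t1, 2)
    old_by_lln = w_binding(ident, upk, t1, ilt.lln(2))
    ilt.delete(2)
    ilt.insert_after(1)  # the new block now sits at iin = 2
    new_by_index = w_binding(ident, upk, t1, 2)
    new_by_lln = w_binding(ident, upk, t1, ilt.lln(2))
    return old_by_index == new_by_index, old_by_lln == new_by_lln


if __name__ == "__main__":
    table = IndexLogicTable(6)
    table.modify(4)
    table.insert_after(4)
    table.delete(2)
    print(table.rows, table.in_ef, table.ln_ef)
    print(delete_insert_demo())
```

A value bound to the position is identical before and after the delete and insert, so a tag computed for the deleted block would still match position 2; a value bound to `lln(i)` changes, so the stale tag no longer verifies.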

Unforgeability
Theorem 1 (type I unforgeability). In the standard model, if a PPT attacker $A_I$ has a nonnegligible advantage $\varepsilon$ in winning the game of Definition 1, running for time $t$ and performing at most $q_{UCreation}$ user creation queries, $q_{Cert}$ certificate queries, and $q_{tag}$ Tag-Gen queries, then there is an algorithm C that solves the Squ-CDH problem with an advantage Adv where $t_m$ and $t_e$ denote the time for a multiplication and an exponentiation on $G_1$, respectively.
Proof. Suppose C is given $(g, B = g^b) \in G_1$ for randomly chosen $b \in Z_q$. C does not know the value of $b$ and is asked to compute $g^{b^2}$. To utilize adversary $A_I$, challenger C will simulate all the oracles defined in Definition 1. C maintains a table $tb = \{ID, Cert_{ID}, x_{ID}, y_{ID}, UPK_{ID}, tag = 0\}$, which is initially empty. $tag = 0$ means that the public key is not replaced.
Setup. Let $l_u = 2(q_{Cert} + q_{tag})$. C randomly chooses the following elements:
(1) An integer $k_u$ $(0 \le k_u \le n_u)$. We assume that $l_u(n_u + 1) < q$ for the given values of $q_{Cert}$, $q_{tag}$, and $n_u$
(2) An integer $x_u' \in Z_{l_u}$ and a vector $X_u = (x_{u,i})_{n_u}$ $(x_{u,i} \in Z_{l_u})$
(3) An integer $y_u' \in Z_q$ and a vector $Y_u = (y_{u,i})_{n_u}$ $(y_{u,i} \in Z_q)$
For convenience, we define the following functions: where $id = i_1 i_2 \ldots i_{n_u}$ is a bit string. Then, C randomly chooses two cyclic groups $G_1$ and $G_2$ of prime order $q$, a random generator $g$ of $G_1$, a bilinear map $e: G_1 \times G_1 \to G_2$, and three hash functions
This assignment means $F_u(id) = B^{J_u(id)} g^{K_u(id)}$ and that the master secret key $s = b$, which is not known to C. C chooses a pseudorandom function $f: Z_q^* \times \{1, 2, \ldots, n\} \to Z_q^*$ and a pseudorandom permutation π:
Queries. $A_I$ can adaptively make a polynomially bounded number of queries as follows.
(1) User-Creation queries: $A_I$ supplies an identity ID. C first checks the table tb to see whether it contains the item or not. If it does, C returns ID's public key $UPK_{ID}$ to $A_I$; otherwise, C executes the User-Key-Generation algorithm to produce ID's private/public key pair $(x_{ID}, y_{ID}, UPK_{ID})$. C puts $(ID, -, x_{ID}, y_{ID}, UPK_{ID}, tag = 0)$ into the table tb and returns $UPK_{ID}$ to $A_I$.
(2) User-PrivateKey queries: $A_I$ supplies an already created identity ID. C searches the table tb to find out the private keys $x_{ID}$ and $y_{ID}$ and returns them to $A_I$.
(3) PublicKey-Replacement queries: $A_I$ supplies an already created identity ID and a new public/private key pair $(UPK_{ID}', x_{ID}', y_{ID}')$. C replaces the current public/private key pair $(UPK_{ID}, x_{ID}, y_{ID})$ with the new key pair $(UPK_{ID}', x_{ID}', y_{ID}')$ in the table tb and sets $tag = 1$.
(4) Certificate queries: $A_I$ supplies an already created identity ID and ID's public key $UPK_{ID}$. C first checks table tb to see whether the certificate $Cert_{ID}$ has been produced or not. If it has, C returns the certificate $Cert_{ID}$ to $A_I$; otherwise, C computes $id = H_1(ID, UPK_{ID,1}, UPK_{ID,2}, UPK_{ID,3})$ and produces the certificate as follows (C does not know the master private key). Then, C returns the certificate $Cert_{ID}$ to $A_I$ and replaces "−" with $Cert_{ID}$ in table tb.
(a) $J_u(id) \neq 0 \bmod q$. C randomly selects $r_{ID} \in Z_q^*$ and computes the user's certificate as $Cert_{ID} = (Cert_{ID,1},$
To make the analysis of the simulation easier, we will force C to abort whenever $J_u(id) = 0 \bmod l_u$. ($J_u(id) \neq 0 \bmod l_u$ implies $J_u(id) \neq 0 \bmod q$, given the assumption $l_u(n_u + 1) < q$.)
(a) $J_u(id) \neq 0 \bmod q$. C produces the tag as normal because C can get the certificate and private key of ID.
(b) $J_u(id) = 0 \bmod q$. C aborts.
(6) Update-Op queries: $A_I$ supplies an already created identity ID. For the inserting operation, $A_I$ also supplies the "iin" number in the ILT table and a new file block $m$; for the modifying operation, $A_I$ also supplies the "iin" number in the ILT table, the old file block $m_i$, and the new file block $m_i'$; for the deleting operation, $A_I$ also supplies the "iin" number in the ILT table. CSP makes the corresponding dynamic operations and returns ILT to the user.
Challenge: C generates a challenge $(ID^*, c, k_1, k_2)$ to $A_I$.
If $J_u(id^*) \neq 0 \bmod q$, then C aborts; otherwise, we have $F_u(id^*) = g^{K_u(id^*)}$. If $(t_{ID^*,1}, S^*, \delta^*)$ can pass the Proof-Verify algorithm and $A_I$ does not violate the restrictions of Definition 1, then C retrieves the private key $x_{ID^*}$ of $ID^*$ and computes $W_{ID^*,i^*} = H_2(ID^*, UPK_{ID^*,1}, UPK_{ID^*,2}, UPK_{ID^*,3}, t_{ID^*,1}, i^*)$ and
Because C knows $x_{ID^*}$ and $m_{i^*}$, he can compute $g^{b^2}$ from $g^{b^2 \cdot x_{ID^*}^2 m_{i^*}}$. C solves the Squ-CDH problem. Now, we assess the probability of success. If the simulation is not aborted, the following conditions must be met.
(1) In all certificate and signature queries, $J_u(id) \neq 0 \bmod q$
(2) In the forgery stage, $J_u(id^*) = 0 \bmod q$
Let $ID_1, ID_2, \ldots, ID_{q_I}$ be the identities appearing in these queries, but they do not involve any of the challenge identities. Clearly, we have $q_I \le q_{Cert} + q_{tag}$. Define the events $A_1^*$, $A_2^*$, and $A_i$ as
Therefore, the time complexity of C is $t + O(q_{Cert} \cdot n_u \cdot t_m + (q_{UCreation} + q_{Cert} + q_{tag}) t_e)$. □
Theorem 2 (type II unforgeability). In the standard model, if a PPT attacker $A_{II}$ has a nonnegligible advantage $\varepsilon$ in winning the game of Definition 2, running for time $t$ and performing at most $q_{UCreation}$ user creation queries, $q_p$ private key queries, and $q_{tag}$ Tag-Gen queries, then there is an algorithm C that solves the Squ-CDH problem with an advantage Adv where $t_e$ denotes the time for an exponentiation on $G_1$.
Proof. Let us suppose C is given $(g, B = g^b) \in G_1$ for randomly chosen $b \in Z_q$. C does not know the value of $b$ and is asked to compute $g^{b^2}$. To utilize the adversary $A_{II}$, challenger C will simulate all the oracles defined in Definition 2. C maintains a table $tb = \{ID, x_{ID}, y_{ID}, UPK_{ID}\}$, which is initially empty.
As $h$ is a generator of $G_1$, there must be a $b' \in Z_q^*$ to make the equation $B = h^{b'}$ hold. Knowing $(h, B = h^{b'}) \in G_1$, now C's goal becomes computing $h^{(b')^2}$. C randomly selects an index $\pi$ from $\{1, \ldots, q_{UCreation}\}$.
Queries. $A_{II}$ can make the following queries adaptively.
(1) User-Creation queries: $A_{II}$ supplies an identity $ID_i$. C first checks table tb to see whether it contains the item or not. If it does, C returns $ID_i$'s public key $UPK_{ID_i}$ to $A_{II}$. Otherwise, C produces the public/private key pair as follows and returns $UPK_{ID_i}$ to $A_{II}$.
(a) $ID_i \neq ID_\pi$. C executes the User-Key-Generation algorithm as normal to produce $ID_i$'s private/public key pair
(2) Private Key queries: $A_{II}$ supplies an already created identity $ID_i$.
(a) $ID_i \neq ID_\pi$. C searches table tb to find out the private keys $x_{ID_i}$ and $y_{ID_i}$ and returns them to $A_{II}$.
(b) $ID_i = ID_\pi$. C aborts.
(3) Tag-Gen queries: $A_{II}$ supplies an already created identity $ID_i$ and a file block $m_i$. C computes $id = H_1(ID, UPK_{ID,1}, UPK_{ID,2}, UPK_{ID,3})$.
(a) $ID_i \neq ID_\pi$. C produces the tag as normal because C can get the certificate and private key of $ID_i$.
(b) $ID_i = ID_\pi$. C aborts.
(1) In all private key queries, $ID_i \neq ID_\pi$
(2) In all Tag-Gen queries, $ID_i \neq ID_\pi$
(3) In the forgery stage, $ID^* = ID_\pi$
With probability $1/q_{UCreation}$, the adversary will output an identity $ID_\pi$ with index $\pi$ in the forgery stage. The probability of $ID_i \neq ID_\pi$ in the private key queries is $(1 - 1/q_p)$. The probability of $ID_i \neq ID_\pi$ in the Tag-Gen queries is $(1 - 1/q_{tag})$. Thus, we can conclude that the advantage of C is Adv
Therefore, the time complexity of C is $t + O((q_{UCreation} + q_{tag}) t_e)$.
Note. The goal of C is to compute $g^{b^2}$. However, the initialization of the system is run by $A_{II}$, and therefore, there is a high probability that $A_{II}$ will not choose $g$ as one of the system parameters. In this scenario, we change the goal of C from computing $g^{b^2}$ to computing $h^{(b')^2}$.

Analysis of Efficiency
We analyse the efficiency of our scheme in terms of computational time, communication overhead, and storage cost. Let h, e1, e2, and p denote a map-to-point hash computation, an exponentiation computation on $G_1$, an exponentiation computation on $G_2$, and a bilinear pairing computation, respectively. We compare our scheme with those also proposed in the standard model, which include schemes [14,16,18]. To show a more direct comparison with these schemes, we also adopt the experiment results of the scheme [23]. The computation time of each operation is shown in Table 3 and that of each scheme is shown in Table 4. By combining Tables 3 and 4, we get Table 5. Since the schemes [14,16] also divide a file block into $s$ sectors, for the sake of fairness, we set $s = 1$ in Table 5. From Table 5, we can get Figure 2 for CSP's running time and Figure 3 for TPA's running time. From Table 5, we can see that the scheme [18] is the most efficient one in terms of the Tag-Gen algorithm. From Figure 2, we can see that our scheme is the most efficient one in terms of CSP's running time (the Proof-Gen algorithm). From Figure 3, we can see that scheme [14] is the most efficient one in terms of TPA's running time (the Proof-Verify algorithm). The communication overhead of each scheme is shown in Table 6. Based on the experiment results of the scheme [23], the size of $q$ is 512 bits, and if the technique of point compression is used, the size of an element in $G_1$ or $G_2$ is 512 bits. An integer is represented by 64 bits. From this, we get Table 7. From Table 7 and by taking $s = 1$, we obtain Figure 4. From Table 7, we can see that our scheme is the most efficient one in terms of the Tag-Gen algorithm, and in summary, our scheme is the most efficient one in terms of both storage and communication of tags. From Figure 4, we can see that our scheme is the most efficient one in the communication of Proof-Gen.
We also compare our scheme with the certificate-based PDP schemes [11,12]. The computation time of each scheme is shown in Table 8. By combining Tables 3 and 8, we get Table 9. From Table 9, we can get Figure 5 for CSP's running time and Figure 6 for TPA's running time. From Table 9, we can see that the scheme [11] is the most efficient one in terms of the Tag-Gen algorithm. From Figure 5, we can see that all schemes are the same in terms of the CSP's running time (the Proof-Gen algorithm). From Figure 6, we can see that scheme [11] is the most efficient one in terms of TPA's running time (the Proof-Verify algorithm). The communication overhead of each scheme is shown in Table 10. By using the concrete parameters, we get Table 11. From Table 11, we can see that the scheme [11] is the most efficient one in terms of the Tag-Gen algorithm, and thus, the scheme [11] is the most efficient one in terms of both storage and communication of tags. Also from Table 11, we can see that all schemes are almost the same in the communication of Proof-Gen. Therefore, it can be concluded that our scheme is an efficient scheme.
Schemes    Tag-Gen                   Proof-Gen    Proof-Verify
[11]       (n + 1) e1                ce1          2p + (c + 3) e1
[12]       (3n + s) e1 + (n + 2)h    ce1          2p + (c + 4) e1 + h
Ours       (n + 1) e1 + nh           ce1          7p + ce1 + 3e2 + h

In our system, the storage cost of ILT is linear in the size of the outsourced data, and the file block is directly used as an exponent in the tag generation algorithm. Now, let us analyse how the file block size affects the efficiency. If the file block size is small, there will be a large number of blocks, and then, the storage cost of ILT will be high. Now, let us take a look at the calculation efficiency of tags. It is related to the number of tags and the computation cost of each tag. Since the block is directly used as an exponent in the tag generation algorithm and $m_i \in Z_q^*$, the size of block $m_i$ has no effect on the computation cost of each tag, that is, no matter what the block size is, the computation cost of each tag is one exponentiation. However, the smaller the file block size is, the more blocks there will be and the more tags there will be, leading to a higher computation cost of tags. Therefore, to reduce the storage cost of ILT and to improve the computation efficiency of tags, the file block size should be as large as possible. But when the user is performing dynamic operations, the file block size should be as small as possible because in this case, the communication cost of each modification or insertion will be lower. Since how many blocks the file is divided into is decided by the users themselves, the users must make a tradeoff among storage efficiency, computation cost of tags, and efficiency of dynamic operations. The system can give a reference value. Take a 1 GB file for example. If a user divides it into blocks with a size of 16 KB each, then there will be a total of 62500 file blocks. Each entry of ILT contains just two integers iin and lln (total 8 bytes). Therefore, the total storage cost of ILT is 512 KB (<0.05% of the file size). In dynamic operations, the communication cost of inserting or modifying one block is the communication cost of regular tags plus the transmission cost of 16 KB file blocks. The users can refer to these values when they divide the file.
In addition, the purpose of Ateniese et al. [1] in proposing PDP is to realize probabilistic proofs of possession by sampling a small amount of data from the server. They concluded that if 1% of the file blocks are deleted by the cloud, then the user or TPA just needs to randomly choose 460 blocks as a challenge to the cloud to detect the cloud's misbehaviour with a probability of at least 99%. If there are 10000 file blocks, we just need to challenge 460/10000 = 4.6% of the blocks. In this view, it would be better if the number of file blocks is more than 10000.
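The sampling argument and the block-size tradeoff above, worked through as an added Python example that is not from the paper. It assumes the challenged blocks are distinct and chosen uniformly at random; the function names and the decimal reading of 1 GB and 16 KB are choices made here to match the 62500 blocks quoted above.

```python
"""Challenge size needed to catch a cloud that lost some file blocks."""


def detection_probability(n_blocks, n_bad, challenged):
    """P(at least one of `challenged` distinct random blocks is bad).

    Sampling is without replacement, so the miss probability is the
    product of (good blocks left) / (blocks left) over the draws.
    """
    if not 0 <= n_bad <= n_blocks or not 0 <= challenged <= n_blocks:
        raise ValueError("need 0 <= n_bad, challenged <= n_blocks")
    miss = 1.0
    for j in range(challenged):
        good_left = n_blocks - n_bad - j
        if good_left <= 0:       # more draws than good blocks: sure hit
            return 1.0
        miss *= good_left / (n_blocks - j)
    return 1.0 - miss


def min_challenge(n_blocks, n_bad, target):
    """Smallest challenge size whose detection probability is >= target."""
    if not 1 <= n_bad <= n_blocks or not 0.0 < target <= 1.0:
        raise ValueError("need 1 <= n_bad <= n_blocks and 0 < target <= 1")
    miss = 1.0
    for c in range(1, n_blocks + 1):
        good_left = n_blocks - n_bad - (c - 1)
        miss = miss * good_left / (n_blocks - (c - 1)) if good_left > 0 else 0.0
        if 1.0 - miss >= target:
            return c
    return n_blocks


def audit_plan(file_bytes, block_bytes, bad_fraction, target):
    """Blocks in the file, challenge size, and fraction of blocks challenged."""
    n_blocks = -(-file_bytes // block_bytes)          # ceiling division
    n_bad = max(1, round(n_blocks * bad_fraction))
    c = min_challenge(n_blocks, n_bad, target)
    return n_blocks, c, c / n_blocks


if __name__ == "__main__":
    # 10000 blocks with 1% missing, challenged with 460 blocks.
    print(detection_probability(10_000, 100, 460))
    # 1 GB file in 16 KB blocks, 1% missing, 99% detection target.
    print(audit_plan(10**9, 16_000, 0.01, 0.99))
```

The challenge size stays near 460 as the block count grows, which is why the challenged fraction falls for files with more blocks.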

Conclusions
To exploit the advantages of certificate-based cryptosystems, a certificate-based PDP scheme is proposed. Based on the index logic table, our scheme can be extended to support dynamic operations easily. We prove that our scheme is secure in the standard model under the Squ-CDH assumption. Efficiency evaluation shows that our scheme is efficient.

Data Availability
Previously reported simulation results of PBC library were used to support this study and are available at DOI: 10.1109/TII.2017.2761806. These prior studies are cited at relevant places within the text as references [23].

Conflicts of Interest
The author declares that there are no conflicts of interest.