Security-Enhanced Certificate-Based Remote Data Integrity Batch Auditing for Cloud-IoT

The Internet of Things (IoT) plays a crucial role in the generation of new, intelligent information technologies. IoT facilities are generally composed of lightweight devices that expand their computing and storage resources primarily through the cloud. The massive data collected by intelligent devices are stored on cloud servers, so vulnerabilities of those servers directly threaten the security and reliability of the IoT. To ensure the integrity of data in the cloud, data owners need to audit the integrity of their outsourced data. Recently, several remote data integrity batch auditing protocols have been proposed to reduce transmission loss and time cost in the auditing process. However, most of them cannot resist collusion attacks, and they suffer from the certificate management problem, which places an enormous burden on the system. In this paper, we construct a certificate-based remote data integrity batch auditing protocol for cloud-IoT that supports batch auditing and resists the highest level of collusion attacks, the fully chosen-key attacks. Our protocol uses a certificate-based cryptosystem, which avoids both the certificate management problem and the key escrow problem and needs no secret channels. The protocol is proved secure in the random oracle model and implemented to show its efficiency. The simulation results illustrate that, even with the enhanced security, our batch auditing protocol remains computationally efficient and practical.


Background and Motivation.
With the introduction and application of new concepts and technologies such as smart cities, virtual sports, and the Metaverse, the number of devices connected to the Internet is increasing, requiring more powerful storage and processing resources. Fortunately, cloud services can provide data outsourcing storage services [1] for data owners (DOs), which are the devices in the IoT. By outsourcing data to a cloud server (CS), a DO is free from the burden of complex data management and huge storage. Meanwhile, a DO can access outsourced data in a network environment anytime and anywhere.
While cloud storage and the IoT bring convenience to people's lives, they also raise security concerns for the outsourced data [2]. One of the main security problems of cloud storage is the integrity of the outsourced data [3]. On the one hand, the CS is vulnerable to external attacks that can destroy the integrity of the outsourced data. On the other hand, IoT devices store data in storage resources provided by a cloud service provider (CSP) that may maliciously tamper with the outsourced data in order to gain greater profit. If the data stored in the CS are tampered with or damaged, DOs may suffer considerable loss. Therefore, DOs need to audit the integrity of their outsourced data. Data uploaded to the cloud are usually deleted locally at the same time, so a DO that audits its own data would have to download the data stored in the CS to a local server [4] and then audit the integrity locally, which is costly. Remote data integrity auditing (RDIA) enables the DO to audit the integrity of cloud data and protect its interests without a local backup. In practice, DOs prefer to hire a third-party auditor (TPA) to audit the integrity of their outsourced data.
Because of the linearity of the linear homomorphic signature (LHS) [5], any linear combination of valid signatures forms a new valid signature. Thus, the LHS can be used to audit data integrity by random sampling: a TPA samples random data blocks to audit data integrity without accessing the entire file. A basic RDIA process is shown in Figure 1. First, the TPA sends a challenge to the CSP. Then, the CSP honestly generates a proof based on the LHS according to the challenge and returns it to the TPA. Finally, the TPA validates the proof and returns "accept" or "reject" to the DO. Note that validating the proof is actually verifying the linear homomorphic signature on the sampled blocks.
To date, many RDIA protocols have been proposed, and the vast majority of them only support auditing data from a single DO in a single auditing process. Consider a scenario in which a TPA needs to audit the data of multiple DOs: it must interact with the CSP many times, which is inefficient and risky in a complex network environment. Batch auditing [6] is an efficient auditing technique that enables the TPA to complete multiple data auditing tasks with only one interaction with the CSP. When a TPA needs to audit the data integrity of multiple DOs, it first prepares a set of challenges and sends them to the CSP. After receiving these challenges, the CSP generates and sends a batch proof to the TPA. Passing the TPA's inspection means that the integrity of the data associated with the set of challenges has not been compromised. In this way, the TPA and the CSP interact only once.

The initial remote data integrity batch auditing (RDIBA) protocols [6,7] are based on a traditional public key cryptosystem. Although this cryptosystem has been broadly applied in practice, it still faces the problem of public key certificate management, which burdens the system heavily. To avoid this weakness, an identity-based cryptosystem (IBC) [8] has been used to build RDIBA protocols. However, key escrow is an intrinsic defect of the IBC: the key generation center knows every user's private key. Therefore, identity-based RDIBA protocols are limited to small, closed systems rather than to general RDIA. A certificateless cryptosystem (CLC) [9] addresses the weaknesses of public key certificate management and key escrow simultaneously. Nevertheless, the CLC requires a costly secure and secret channel to each DO for delivering the partial private key, which is tricky in practice. To overcome these shortcomings, we use the certificate-based cryptosystem (CBC) first introduced in [10] to build our protocol.

The CBC requires no certificate management, key escrow, secure channels, or fully trusted authority, and hence it can be easily deployed in the public environment of cloud-IoT. In recent years, a number of RDIBA protocols have been proposed. Unfortunately, the vast majority of them cannot prevent collusion attacks: multiple DOs can collude to trick the TPA into accepting a batch proof and then claim compensation from the CSP.

Our Contributions.
In this paper, a security-enhanced certificate-based remote data integrity batch auditing protocol that can resist the highest level of collusion attacks is proposed.
The main contributions of our paper can be summarized as follows: (1) We propose the formal definition and security model of the certificate-based remote data integrity batch auditing (CBRDIBA) protocol for cloud-IoT. (2) We give a secure protocol that prevents the current highest level of collusion attacks, and we use four games to analyse the security of our protocol in the random oracle model. (3) We compare batch auditing with single auditing in our protocol in terms of communication cost and computation cost, both theoretically and experimentally using the Java Pairing-Based Cryptography library. The simulation results illustrate that, although our protocol is security-enhanced, batch auditing remains computationally efficient and practical.

Organization of the Rest of the Paper.
The rest of our paper is structured as follows. In Section 2, we review previous work associated with the CBRDIBA protocol. In Section 3, we give the preliminaries used as the basis for the CBRDIBA protocol and present the problem formulation, including the system model, an overview of the CBRDIBA protocol, and the security model. We then describe the concrete construction of the CBRDIBA protocol in Section 4 and analyze its properties in Section 5. In Section 6, we demonstrate the advantages of the CBRDIBA protocol through theoretical analysis and experiments. Finally, we draw conclusions in Section 7.

Related Work
In the cloud-IoT environment, RDIA provides a fundamental solution for auditing the integrity of data by means of homomorphic verifiable tags (HVTs), which are homomorphic signatures of the data blocks. The concept of homomorphic signature was first proposed by Rivest in 2000 [11]. Homomorphic signatures can be divided into linear homomorphic signatures, polynomial function homomorphic signatures, and fully homomorphic signatures. In 2007, Zhao et al. [12] proposed the first linear homomorphic signature (LHS) scheme, which allows arbitrary linear combinations of signatures and can therefore be used to audit the integrity of received data easily. However, their scheme was later shown to be insecure and impractical. In the same year, Ateniese et al. [13] presented the first provable data possession model and introduced the technique of probabilistic integrity checking for remote data.
In 2009, Boneh et al. [5] proposed an LHS scheme together with the first formal definition of LHS. In the following years, a large number of LHS schemes were proposed with further improvements in efficiency, privacy, and security. In 2015, Yu et al. [14] suggested an identity-based LHS scheme, in which the disadvantages of public key certificates are avoided by the identity-based feature. In 2018, Li et al. [15] used a certificateless LHS scheme to construct a certificateless public data integrity auditing protocol for data shared among a group. In 2021, Li et al. [16] constructed a data integrity auditing protocol for cloud-assisted wireless body area networks using a certificate-based LHS; their protocol adds timestamps to the HVTs so that adversaries cannot replay an expired valid proof as a current one. In 2022, Li et al. [17] introduced the concept of transparent integrity auditing, which keeps the CS from misbehaving (e.g., procrastinating on auditing).
All the above LHS schemes are constructed for single-user scenarios, in which all signatures entering the algorithm are produced with the same private key. In real life, there are many multi-user application scenarios, in which a newly generated signature is aggregated from signatures generated by different DOs with their own private keys. For these scenarios, an aggregate signature (AS) scheme can be used. The first AS scheme and its formal definition were proposed in [18]. Subsequently, identity-based AS [19], certificateless AS [20], and certificate-based AS [21] were proposed. In AS, a problem worth attention is the fully chosen-key attack [22], first proposed by Wu et al. in 2019, in which the private keys of all the colluding signers are under the adversary's control. The fully chosen-key attacks are currently the most difficult collusion attacks to defend against.
As time progressed, AS schemes were combined with LHS. The first linear homomorphic aggregate signature (LHAS) was put forward by Jing [23] in 2014; it supports linear operations over binary fields, and its security is based on the small integer solution problem [24]. In 2018, Han et al. [25] proposed an efficient error search technique called Lucas search, based on the Lucas sequence [26], to efficiently locate the corrupted data files once a batch auditing task fails. In 2019, Wang et al. [27] used a certificate-based cryptosystem to construct a data integrity auditing protocol and noted that their scheme can perform batch auditing. Although their protocol supports batch auditing and uses a CBC, it cannot prevent collusion attacks. Also in 2019, Yang et al. [28] constructed a data integrity batch auditing protocol for multi-cloud storage. In 2020, Huang et al. [29] applied the CLC to RDIBA and proposed a certificateless remote data integrity batch auditing protocol. However, most of the above protocols are not resistant to collusion attacks, let alone the fully chosen-key attacks.

Preliminaries
Definition 1 (Bilinear Pairing). Let $G_1$, $G_2$, $G_T$ be three multiplicative cyclic groups of the same prime order $q$, let $g_1$ be a generator of $G_1$ and $g_2$ a generator of $G_2$. A map $e: G_1 \times G_2 \to G_T$ is a bilinear pairing if it has the following properties: (1) Bilinearity: $e(g_1^{a_1}, g_2^{a_2}) = e(g_1, g_2)^{a_1 a_2}$ for any $a_1, a_2 \in \mathbb{Z}_q$, $g_1 \in G_1$, $g_2 \in G_2$.
(2) Non-degeneracy: if $g_1$ is a generator of $G_1$ and $g_2$ is a generator of $G_2$, then $e(g_1, g_2) \neq 1$ and $e(g_1, g_2)$ is a generator of $G_T$. (3) Computability: for any $g_1 \in G_1$ and $g_2 \in G_2$, $e(g_1, g_2)$ can be computed efficiently.

Co-Computational Diffie-Hellman Problem (co-CDH).
Let $G_1$, $G_2$ be two cyclic groups of the same prime order $q$, let $g_1$ be a generator of $G_1$ and $g_2$ a generator of $G_2$. For random $a \in \mathbb{Z}_q^*$, given $(g_1, g_2, g_2^{a})$, compute $g_1^{a}$.

Co-CDH Problem Assumption.
We say that the co-CDH assumption holds in $G_1$ and $G_2$ if the advantage of any probabilistic polynomial-time algorithm in solving the co-CDH problem is negligible.

k-CAA Problem Assumption.
We say that the k-CAA (k-collusion attack algorithm) assumption holds in $G_1$ and $G_2$ if the advantage of any probabilistic polynomial-time algorithm in solving the k-CAA problem is negligible.

The RDIBA System Model.
We propose a RDIBA system in which the TPA validates timestamps and the integrity of multiple datasets. The system is composed of three kinds of entities: data owners (DOs), a cloud service provider (CSP), and a third-party auditor (TPA). As clients of the CSP, the DOs upload their datasets to the CSP and then delete them locally. The DOs are cunning: two or more data owners may collude to generate tags for their own data blocks using each other's private keys, so that the TPA responds "accept" even though the single auditing information is not right, after which the data owners extort compensation from the CSP. The CSP is honest but curious: although it honestly generates proofs, as the certification authority of the system it can embed trapdoors in the system parameters in order to forge a valid signature without owning the user's private key. As the system user, the TPA can access the datasets and validate data integrity. Figure 2 shows the system model, and the process is as follows:
(1) Every DO generates timestamps and tags for the data blocks of the collected dataset. The DOs then upload these data blocks with the related auditing information (all tags of the data blocks, the label of the dataset, the timestamp, and the number of data blocks) to the CS and delete them locally.
(2) The TPA obtains the auditing information from the CSP, and then generates and sends one or more challenges to the CSP. On receiving a challenge or a set of challenges, the CSP generates a proof or a batch proof and returns it to the TPA.
(3) The TPA validates the authenticity and correctness of the proof or the batch proof and outputs "accept" or "reject." If the proof or the batch proof passes verification, the corresponding dataset or datasets stored in the CSP are considered intact.
When a TPA issues multiple challenges, the CSP only needs to interact with the TPA once, because validating the batch proof is equivalent to validating all the corresponding single proofs. This saves a great deal of data transmission.

System Components.
A RDIBA system Ω = (System Setup, User Registration, Outsourcing Storage, Auditing, Batch Auditing) is an interactive protocol that allows a third party (the TPA) to validate that files are stored truthfully.
(i) System Setup: The CSP initializes a data integrity auditing system. After generating the system master private key msk, the CSP publishes the system parameters params.
(ii) User Registration: The DO generates a public/private key pair (upk_ID, usk_ID) and provides the CSP with its public key upk_ID. The CSP returns a verifiable certificate Cert_ID to the DO.
(iii) Outsourcing Storage: Given an encoded dataset F = (m_1, ..., m_k) named ds and a timestamp t, the DO uploads the encoded dataset F, the label τ, and the tags σ_i of the data blocks to the CS.
(iv) Auditing: The TPA sends the CSP a challenge chal obtained by sampling some data blocks. According to the challenge, the CSP generates a proof PF and returns it to the TPA. On receiving a valid proof PF, the TPA outputs "accept"; otherwise, it outputs "reject." Outputting "accept" means that the dataset is stored in the CS intact and honestly.
(v) Batch Auditing: The TPA sends the CSP challenges chal_z, z = 1, ..., l, l ≤ L (as shown in Figure 2, L is the total number of data owners in the system), obtained by sampling some data blocks. According to the challenges, the CSP generates a batch proof BPF and returns it to the TPA. On receiving a valid batch proof, the TPA outputs "accept"; otherwise, it outputs "reject." Outputting "accept" means that the corresponding datasets are all stored in the CS intact and honestly.

Design Objectives.
Our protocol is designed to achieve the following objectives (cf. Table 2): batch auditing, resistance to collusion attacks, anonymity, no key escrow, and no secure channels. The security model is defined by the following four games between adversaries A_I, A_II, A_III, A_IV and a challenger B. The goal of A_I, A_II, and A_III is to forge a valid single proof; A_IV aims to forge a valid batch proof.
A_I is an outside attacker (a hostile DO) who wants to forge the tag of a data block in order to deceive the TPA. A_II is an inside attacker (the honest-but-curious CSP) who is inclined to defend itself when mistakes occur; it holds some system information (such as the system master private key) that a DO does not have.
The attack models for A_I and A_II (Game I and Game II) are those of [16].
A_III models the ability of the CSP to forge a valid proof, that is, to generate a proof that passes verification when some of the challenged data blocks are damaged. The game for A_III is as follows.
Game III (Type III adversary A_III): (i) System Initialization: On input a security parameter 1^λ, B runs System Setup to generate the public parameters params and the system master private key msk, and sends params to A_III. (ii) Oracle Simulation: A_III can adaptively make TagGen Queries and ProofCheck Queries. (iii) Challenge: B generates a challenge chal and sends it to A_III. On receiving chal, A_III generates a proof PF and returns it to B. (iv) Forge: A_III outputs (ID*, upk_ID*, τ*, chal*, PF*).
A_III wins the game if the following conditions are satisfied: at least one challenged data block has never been the subject of a TagGen Query.
In our protocol, we consider that DOs can be dishonest and that two or more data owners may cheat the TPA and the CSP for profit. We model these data owners as the adversary A_IV. The purpose of A_IV is to use a set of single proofs, at least one of which is invalid, to generate a valid batch proof. A_IV can mount the fully chosen-key attacks. We revisit the security model of [22] through the following game between A_IV and a challenger B. Game IV consists of three steps: System Initialization, Oracle Simulation, and Forge.
Game IV (Type IV adversary A_IV): System Initialization: On input the security parameter λ, the challenger B generates the system parameters params. Furthermore, B randomly generates the public/secret key pair (upk_ver, usk_ver) for the TPA and gives A_IV the params and upk_ver. Oracle Simulation: A_IV can access the following queries: (i) Corruption Queries: On a query for ID_z, B generates the key pair (upk_ID_z, usk_ID_z) by running UserKeyGen and returns usk_ID_z to A_IV. (ii) Batch Proof Check Queries: B generates some challenges and sends them to A_IV. On receiving the challenges, A_IV generates a batch proof BPF and returns it to B. Finally, B verifies BPF by running Batch Proof Verification and gives the result to A_IV.
Forge: Finally, A_IV outputs its forgery. A_IV wins the game if the following two conditions are satisfied: (1) the batch proof is generated from all the single proofs, and (2) at least one single proof in the batch proof is invalid.

Definition 2.
A CBRDIBA protocol is secure if the advantages of the adversaries A_I, A_II, A_III, and A_IV in winning Game I, Game II, Game III, and Game IV, respectively, in probabilistic polynomial time (PPT) are negligible.

A CBRDIBA Protocol
Based on the construction of homomorphic verifiable tags in [16], we design a security-enhanced CBRDIBA protocol composed of five procedures: System Setup, User Registration, Outsourcing Storage, Auditing, and Batch Auditing. The notations used in this section are shown in Table 1.

System Setup.
Given a security parameter λ, the CSP does the following: (1) Choose three multiplicative cyclic groups $G_1, G_2, G_T$ with the same prime order $q$, a bilinear pairing $e: G_1 \times G_2 \to G_T$, generators $g_1$ of $G_1$ and $g_2$ of $G_2$, the map $\psi$, and hash functions $H_0, H_1, H_2, H_3, H_4$ (see Table 1). (2) Randomly choose $s \in \mathbb{Z}_q^*$ as the master private key; the master public key is $mpk = g_2^{s}$. (3) Publish the system parameters $params = \{q, G_1, G_2, G_T, e, \psi, g_1, g_2, mpk, H_0, H_1, H_2, H_3, H_4\}$ and keep the system master private key $msk = s$ secret.

User Registration.
The user registration process is composed of three phases.
(i) Phase 1 (UserKeyGen): Given the system parameters params and the user's real identity RID, the user does the following: (1) Randomly choose $x \in \mathbb{Z}_q^*$ as the user's secret key, denoted $usk_{ID}$. Generate the user's pseudonym by computing $ID = RID \oplus H_4(mpk^{usk_{ID}})$.
holds, then the user succeeds in logging into the system.

Outsourcing Storage.
e outsourcing storage procedure is composed of two phases: Data Processing and Data Upload. (1) Given an encrypted dataset F ∈ (0, 1) * named ds, the DO splits the dataset into k data blocks m 1 , m 2 , . . . , m k , and each block comprises n sectors, i.e., F � (m i,j ) k×n (2) e DO randomly chooses α ∈ Z * q , and then computes β � g α 2 and τ 0 � Cert I D 1/usk I D +H 2 (I D,ds ,t,β) . e DO sets τ � τ 0 , β, ds , t, k, n as the label of the dataset.
(ii) Phase 2 (Data Upload): After the above phase is completed, the DO uploads the label τ, all data blocks m 1 , . . . , m k , and the corresponding tags σ 1 , . . . , σ k to the CSP. Meanwhile, the DO only stores the label τ of the dataset and deletes the data blocks and the corresponding tags locally.

Auditing.
e auditing procedure is composed of three phases: Challenge, Proof Generation, and Proof verification.
In the end, if the above equation holds, the TPA thinks the dataset stored in the CSP is unwounded. Otherwise, the dataset has been damaged.

Batch Auditing.
The TPA can improve the efficiency of auditing through batch auditing. The batch auditing procedure is composed of four phases: Challenges, Single Proof Generation, Batch Proof Generation, and Batch Proof Verification. We describe the batch auditing process as follows.
(i) Phase 1 (Challenges): The TPA wants to verify the integrity of multiple datasets at once. First, the TPA randomly chooses $s_{ver} \in \mathbb{Z}_q^*$ as its private key $usk_{ver}$ and computes $upk_{ver} = g_2^{s_{ver}}$ as its public key. The registration procedure of the TPA is similar to the DO's registration procedure; however, for security and practical reasons, the TPA cannot hide its real identity. Then, the TPA obtains the labels and sends some challenges to the CSP. It randomly selects l nonempty subsets $I_z \subseteq [1, k_z]$, $z = 1, \ldots, l$, along with random values $c_{zi} \in \mathbb{Z}_q^*$ for every $i \in I_z$. The TPA then assembles the user identity $ID_z$, the dataset identifier $ds_z$, and the challenge $chal_z = \{ID_z, ds_z, \{(i, c_{zi}) : i \in I_z\}\}$, where $z = 1, \ldots, l$ indexes the l challenges. Note that the number and positions of the challenged blocks may differ from user to user. The TPA sends the challenges and its public key $upk_{ver}$ to the CSP over an insecure channel and keeps its private key $usk_{ver}$ secret.
and then the CSP computes the batch proof σ as follows: Next, if the above equation holds, the TPA computes where $m_z = \sum_{i \in I_z} c_{zi} m_{zi}$, $m_z = (m_{z1}, \ldots, m_{zn})$, $z = 1, \ldots, l$.
If all the above equations hold, the TPA concludes that the corresponding datasets stored in the CSP are intact. Otherwise, one or more datasets have been damaged, and Lucas search can then be used to efficiently identify which datasets have been breached. Lucas search has two cases depending on the number of DOs; see [25] for details.
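The single-auditing flow of Section 3 (challenge, proof, verification of the aggregated tag), the Batch Auditing procedure above, and the Game IV collusion of the security model can all be exercised on the following added example. It is not code from the paper: group elements are represented by their discrete logarithms modulo a prime Q, so every pairing equation is checked as arithmetic in Z_q (correct algebra, zero security); the tags follow a simplified BLS-style homomorphic tag σ_i = (H(ds, i)·∏_j u_j^{m_ij})^{usk} rather than the paper's certificate-based, timestamped construction; the hash h_zq, the generators U, the prime Q, the sample blocks and the colluding offset delta are all constructed for the example; and the randomized batch check is the generic small-exponents test, not the paper's TPA-key mechanism. It shows an honest single and batch audit passing, a silently modified challenged block being rejected, two colluding DOs producing single proofs that are each invalid while the naive batch equation still accepts their aggregate, and the randomized check rejecting that forgery.

```python
"""Exponent-level simulation of homomorphic-tag auditing (single and batch).

Added example, not the paper's code.  Elements of G1, G2, GT are represented by
their discrete logs mod q, so e(g1^a, g2^b) = e(g1, g2)^(ab) becomes a*b mod q.
The tag / proof / verification algebra and the Game IV collusion run offline,
but nothing here is secure: every party can see the exponents.
"""
import hashlib
import random

Q = (1 << 61) - 1   # prime standing in for the group order q (assumed)
N = 4               # sectors per block (n in the paper)

def h_zq(*parts):
    """Hash into Z_q; stand-in for the per-block hash inside a tag (assumed)."""
    d = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(d, "big") % Q

U = [h_zq("u", j) for j in range(N)]   # logs of public sector generators u_j (assumed)

def keygen(rng):
    """usk = x in Z_q^*, upk = g2^x (log x)."""
    x = rng.randrange(1, Q)
    return x, x

def tag_block(usk, ds, i, block):
    """sigma_i = (H(ds,i) * prod_j u_j^{m_ij})^usk, kept as an exponent."""
    return usk * ((h_zq(ds, i) + sum(u * m for u, m in zip(U, block))) % Q) % Q

def challenge(k, sample, rng):
    """chal = {(i, c_i)}: random block indices with random coefficients."""
    return [(i, rng.randrange(1, Q)) for i in sorted(rng.sample(range(k), sample))]

def gen_proof(chal, blocks, tags):
    """CSP side: sigma = prod_i sigma_i^{c_i}, mu_j = sum_i c_i m_ij."""
    sigma = sum(c * tags[i] for i, c in chal) % Q
    mu = [sum(c * blocks[i][j] for i, c in chal) % Q for j in range(N)]
    return sigma, mu

def message_part(chal, ds, mu):
    """log of prod_i H(ds,i)^{c_i} * prod_j u_j^{mu_j}, recomputed by the TPA."""
    return (sum(c * h_zq(ds, i) for i, c in chal) + sum(u * m for u, m in zip(U, mu))) % Q

def verify(upk, ds, chal, proof):
    """e(sigma, g2) == e(message part, upk)  <=>  sigma == A * x (mod q)."""
    sigma, mu = proof
    return sigma == message_part(chal, ds, mu) * upk % Q

def batch_verify_naive(items):
    """One check e(prod_z sigma_z, g2) == prod_z e(A_z, upk_z) over
    (upk, ds, chal, proof) tuples.  Fooled by the Game IV collusion below."""
    lhs = sum(p[0] for _, _, _, p in items) % Q
    rhs = sum(message_part(ch, ds, p[1]) * upk for upk, ds, ch, p in items) % Q
    return lhs == rhs

def batch_verify_randomized(items, rng):
    """Same single check with each proof raised to a fresh verifier-chosen r_z
    (small-exponents test): proofs valid only in aggregate now fail except with
    probability 1/q.  Generic defence, not the paper's TPA-key construction."""
    r = [rng.randrange(1, Q) for _ in items]
    lhs = sum(rz * p[0] for rz, (_, _, _, p) in zip(r, items)) % Q
    rhs = sum(rz * message_part(ch, ds, p[1]) * upk
              for rz, (upk, ds, ch, p) in zip(r, items)) % Q
    return lhs == rhs

def game_iv_forgery(items, delta):
    """Two colluding DOs shift their single proofs by +delta / -delta: each is
    invalid alone, but the product is unchanged, so the naive batch check passes."""
    (u0, d0, c0, (s0, m0)), (u1, d1, c1, (s1, m1)) = items[0], items[1]
    return [(u0, d0, c0, ((s0 + delta) % Q, m0)),
            (u1, d1, c1, ((s1 - delta) % Q, m1))] + list(items[2:])

def demo(seed=7):
    """Constructed run: 3 DOs, 8 random blocks each, 4 challenged blocks per DO."""
    rng = random.Random(seed)
    items, state = [], {}
    for z in range(3):
        usk, upk = keygen(rng)
        ds = f"dataset-{z}"
        blocks = [[rng.randrange(Q) for _ in range(N)] for _ in range(8)]
        tags = [tag_block(usk, ds, i, b) for i, b in enumerate(blocks)]
        chal = challenge(len(blocks), 4, rng)
        items.append((upk, ds, chal, gen_proof(chal, blocks, tags)))
        state[z] = (blocks, tags, chal)
    blocks, tags, chal = state[0]                 # CSP flips one bit of a
    damaged = [row[:] for row in blocks]          # challenged block of DO 0
    damaged[chal[0][0]][0] ^= 1                   # and re-proves with old tags
    bad_proof = gen_proof(chal, damaged, tags)
    forged = game_iv_forgery(items, delta=12345)
    return {
        "honest_single": all(verify(*it) for it in items),
        "honest_batch": batch_verify_naive(items),
        "damage_detected": not verify(items[0][0], items[0][1], chal, bad_proof),
        "forged_singles_invalid": not any(verify(*it) for it in forged[:2]),
        "naive_batch_fooled": batch_verify_naive(forged),
        "randomized_batch_rejects": not batch_verify_randomized(forged, rng),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the file prints six outcomes that should all be True. The only thing separating the naive and randomized batch checks is that the verifier's r_z are chosen after the proofs are fixed, which is exactly the freedom the colluding DOs lack; the paper closes the same gap with a TPA key pair rather than per-proof exponents, and the details of that construction are not reproduced here.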

Correctness of Auditing.
In Procedure 4.4, the proof for a dataset includes the label τ of the dataset and the tags σ of the data blocks. Every tag is generated by the Data Processing algorithm, and the single proof is generated by the Proof Generation algorithm; both have the same form, i.e., the Proof Verification algorithm can verify either of them. Assuming that all entities honestly run the algorithms described above, the correctness of the scheme can be verified from two aspects: (1) For any file label τ and any single proof PF = (m, σ), we have: (2) For any file label τ = (τ_0, β, ds, t, k, n) and any data block m_i ∈ F with corresponding tag σ_i, we have:

Correctness of Batch Auditing.
If the single proof σ_z is generated directly by the DO ID_z with public key upk_ID_z, then the following equations hold for z = 1, ..., l: e(σ_z, upk_ver) = e(∏_{j=1}^{n} g_1 and then. For the label of dataset ds_z, z = 1, ..., l, we have

Batch Auditing.
If the TPA needs to audit the integrity of multiple datasets simultaneously, it can issue valid challenges according to ds_z and k_z, where z = 1, ..., l. When the CSP receives multiple challenges from the same TPA, it generates a batch proof and sends it to the TPA. The batch proof allows the TPA to interact with the CSP only once in order to verify that the stored data have not been corrupted.

Anonymity.
In our protocol, the user's real identity RID is protected by the pseudonym $ID = RID \oplus H_4(mpk^{usk_{ID}})$. Every entity knows mpk and $upk_{ID}$, but none can learn msk or $usk_{ID}$. With $upk_{ID} = g_2^{usk_{ID}}$ we have $mpk^{usk_{ID}} = g_2^{s \cdot usk_{ID}} = upk_{ID}^{msk}$, and hence $H_4(mpk^{usk_{ID}}) = H_4(upk_{ID}^{msk})$, so the user (who knows $usk_{ID}$) and the CSP (who knows msk) can both compute the pseudonym. Apart from the user with real identity RID and the CSP, no other entity can learn the user's RID, because of the secrecy of msk, $usk_{ID}$, and RID and the one-wayness of the hash function $H_4$.

The Security of Single Data Auditing.
In our certificate-based remote data integrity auditing (CBRDIA, i.e., excluding the Batch Auditing procedure) protocol, we consider three types of PPT adversaries. The Type I adversary (A_I) models an attacker who can replace the user's public key. The Type II adversary (A_II) models the honest-but-curious CSP, who holds the master secret key but is not allowed to replace the target user's public key. Neither A_I nor A_II can hold both the user's private key and the user's certificate. The Type III adversary (A_III) models the ability of the CSP to forge a valid proof. The security of the single data auditing procedure in our protocol is summarized in Theorems 1-3.

Theorem 1. Suppose a PPT adversary A_I can forge a valid proof with advantage ε, making at most q_u Create User Queries, q_e Certification Queries, and q_t TagGen Queries. Then there exists a challenger B that solves the co-CDH problem with advantage
$$\epsilon' \ge \left(1 - \frac{1}{q_u}\right)^{q_e} \left(1 - \frac{1}{q_t + 1}\right)^{q_t} \frac{1}{(q_t + 1)\, q_u}\, \epsilon .$$

Proof.
The detailed proof is given in Appendix A.

Proof.
The detailed proof is given in Appendix B.

Theorem 3. The probability that A_III forges a valid single proof is negligible if the challenged file has been damaged or modified.
Proof.
The detailed proof is given in Appendix C.
Proof.
The detailed proof is given in Appendix D.

Performance Evaluation
Before analyzing the performance of our CBRDIBA protocol, we first compare it with several data integrity auditing protocols [13,16,25,27-29] in Table 2. The CBRDIBA protocol simultaneously supports batch auditing, resistance to collusion attacks, anonymity, Lucas error search, no key escrow problem, and no secure channels. The protocol uses Lucas search to handle batch auditing failures, which is a more efficient error search method than binary search. The protocol also adds timestamps to the HVTs so that adversaries cannot replay an expired valid proof as a current one.
Furthermore, we demonstrate the efficiency of our data integrity batch auditing scheme in comparison with data integrity auditing of a single DO, both theoretically and experimentally. Table 3 shows the notations used in this section.

Communication Cost.
From Table 4 we can see that the communication cost of Batch Auditing with l different DOs is lower than the cost of l runs of the Auditing procedure. Note that as the number of DOs involved in a batch auditing procedure increases, the number of interactions between the CSP and the TPA stays constant, whereas in the Auditing procedure the number of interactions is directly proportional to the number of DOs.

Computation Cost.
In Table 4, we list the computation and communication costs of the Auditing procedure and the Batch Auditing procedure. To simplify the comparison, we ignore the cost of the map-to-Z_q hash operation, addition in Z_q, and inversion in Z_q. The comparison shows that the computation cost of batch auditing with l different DOs is lower than the cost of l runs of the Auditing procedure. The improvement is not very large (mainly n pairing operations saved), which is the price of making the protocol resistant to collusion attacks.

Experiment Analysis.
We implement our CBRDIBA protocol using the Java Pairing-Based Cryptography (JPBC) library [30] and evaluate it on a personal computer with an Intel i7 2.20 GHz quad-core processor and 16 GB RAM. In our implementation, we use the parameter file f.param, one of the standard parameter settings of the JPBC library, which provides an asymmetric pairing. For 80-bit security, only 160 bits are needed to represent elements of G_1 and 320 bits for G_2. To evaluate the performance effectively, we choose a test file of 112 KB (114763 bytes), and we split a test dataset F of Size(F) bits into m blocks. We further divide each data block into n sectors, each of length 160 bits. The number m of data blocks and the number n of sectors per block satisfy (m − 1)n ≤ Size(F)/160 ≤ mn.

Proof Verification Cost.
We simulate the TPA running the algorithms Proof Verification and Batch Proof Verification on 375 data blocks in total with the number of DOs varying from 10 to 100. Both algorithms complete the same amount of users' data auditing work in their own way. Figure 3 shows that the cost of Batch Proof Verification is lower than that of Proof Verification. Furthermore, the TPA runs the two algorithms on 375 data blocks in total with the number of challenged blocks varying from 10 to 100, with the number of data owners fixed at 20 to control variables. Figure 4 shows that in most cases the cost of Batch Proof Verification is lower than that of Proof Verification.

Table 2 (feature comparison), columns: Feature | Ateniese et al. [13] | Li et al. [16] | Yang et al. [28] | Han et al. [25] | Huang et al. [29] | Wang et al. [27]

Table 3 (notations, partially recovered): multiplicative operation in G_2; n, the number of a data block's sectors; c, the number of challenged data blocks; |Z_q|, the binary length of an element in Z_q; |G_1|, the binary length of an element in G_1; l, the number of proofs used in the batch proof.

Conclusion
In this paper, we first present a security-enhanced CBRDIBA protocol for cloud-IoT. In our protocol, the TPA can audit the integrity of multiple data simultaneously. If the file is corrupted or lost, the DO will require the CSP to compensate for the damaged file. The correctness and security of the proposed protocol are proved. The security games show that our protocol can resist the highest level of collusion attacks. The communication and computation costs of batch auditing in our protocol have been evaluated through experiments and theoretic analysis. The results indicate that in the case of enhanced security, our batch auditing protocol still has computational efficiency and practicability.

A. The Proof of Theorem 1
Proof. Suppose A_I can break the basic scheme's existential unforgeability against adaptive chosen-message attacks (EUF-CMA). Then, given a random instance $(g_1 \in G_1,\ g_2 \in G_2,\ W = g_2^a \in G_2)$, the challenger B can use A_I to compute $g_1^a \in G_1$ and solve the co-CDH problem in PPT. B's interaction with A_I is as follows.

A.1. System Initialization.
B sets mpk = W and runs the algorithm System Setup of our protocol to generate the public parameters params = (q, G_1, G_2, G_T, g_1, g_2, e, ψ, mpk). Then, B sends params to A_I. The hash functions H_1, H_2, H_3 are modeled as random oracles.

A.2. Oracle Simulation.
A_I is allowed to adaptively issue the following queries:
(i) Create User Queries: B takes the v-th query as ID_v and assumes the V-th query is the target identity (V ∈ {1, ..., q_u}). B holds a list L_u of tuples (ID_v, upk_v, usk_v), which is initially empty. When B receives a query on the identity ID_v, if ID_v already exists in the list L_u, B replies with the corresponding public key to A_I; otherwise, B randomly selects x_v ∈ Z_q^* and computes ID_v's public key.
B tosses a biased coin with two sides. With probability ζ the coin comes up heads, and B records c = 1; with probability 1 − ζ the coin comes up tails, and B records c = 0. B randomly selects d_v ∈ Z_q^* and computes H_1's hash value as follows:
B sends c_1, ..., c_k to A_I and inserts (ID_v, τ_0, c_1, ..., c_k) into the list L_{H_3}.
(viii) TagGen Queries: A_I adaptively selects an identity ID_v and a dataset F with name ds. First, B randomly selects α ∈ Z_q^* and computes β = g_2^α. If (ID_v, ds, t, β) is already in L_{H_2}, B terminates the game and outputs ⊥. Otherwise, B executes the H_2 query on behalf of A_I and computes τ_0: B sets the file label τ_v = (τ_{0v}, β_v, ds, t, k, n) and then computes the tags for m_1, ..., m_k. B computes σ_j for m_j as follows: B returns the label τ_v = (τ_{0v}, β_v, ds, t, k, n) and the tags σ_1, ..., σ_k for m_1, ..., m_k to A_I.
(ix) ProofCheck Queries: Acting as the TPA, B issues a challenge on a dataset F (whose tags have already been queried), and A_I, as a voucher, returns the corresponding answer to B.
[1, k], and sends it to A_I.
(1) The proof (m*, σ*) passes the algorithm Proof Verification. (2) A_II has never issued a Corruption Query on ID*.

A.4. Analysis.
If ID* ≠ ID_V, then B terminates the simulation and outputs ⊥. Otherwise, B first iterates over the list L_{H_2}; if c = 0, B terminates the simulation and outputs ⊥. If c = 1, we have the following. Whether or not the latest public key upk* has been replaced, B can compute the solution of the k-CAA problem as $g_1^a = (\tau_0^*)^{(usk^* + h^*)/d^*}$.
(1) If E_1 happens, then we consider the following two circumstances: (a) B does not output ⊥ in the Certification Query phase; in this case, the probability is $(1 - 1/q_u)^{q_e}$. (b) B does not output ⊥ in the TagGen Query phase.
In summary, we have

B. The Proof of Theorem 2
Proof. Suppose A_II can break the basic scheme's EUF-CMA security. Then, given a random instance $(h_1, \dots, h_k \in Z_q^*,\ g_1 \in G_1,\ W = g_2^a \in G_2,\ (h_1, g_1^{1/(a+h_1)}), \dots, (h_k, g_1^{1/(a+h_k)}))$, the challenger B can use A_II to output a new pair $(h^*, g_1^{1/(a+h^*)})$ and solve the k-CAA problem in PPT. B's interaction with A_II is as follows.

B.1. System Initialization.
B randomly selects s ∈ Z_q^* as the system master private key msk and computes the system public key mpk = g_2^s. B sends the system public parameters params = (q, G_1, G_2, G_T, e, ψ, g_1, g_2, mpk) and the system private key msk to A_II. The hash functions H_1, H_2, H_3 are modeled as random oracles.

B.2. Oracle Simulation.
The adversary A_II is allowed to adaptively issue the following queries:
(i) Create User Queries: B takes the v-th query as ID_v and assumes the V-th query is the target identity (V ∈ {1, ..., q_u}). B holds a list L_u of tuples (ID_v, upk_v, usk_v), which is initially empty. When B receives a query on the identity ID_v, if ID_v already exists in the list L_u, B replies with the corresponding public key to A_II; otherwise, B randomly selects x_v ∈ Z_q^* and computes ID_v's public/private key pair (upk_v, usk_v) as follows.
(iii) Corruption Queries: For the v-th corruption query, if ID_v does not exist in the list L_u or ID_v = ID_V, B terminates the simulation and outputs ⊥. Otherwise, B looks up the list L_u and gives the corresponding private key x_v to A_II.
(iv) H_2 Queries: B holds a list L_{H_2}, initially empty, of tuples (ID_v, ds, t, β, h, c). If (ID_v, ds, t, β) already exists in the list L_{H_2}, then B replies h to A_I. Otherwise, B tosses a biased coin with two sides. With probability ζ the coin comes up heads, and B records c = 1; with probability 1 − ζ the coin comes up tails, and B records c = 0. Furthermore, B selects h as follows.
, τ_0, c_1, ..., c_k).
(vi) TagGen Queries: A_II adaptively selects an identity ID_v and a dataset F with name ds. First, B randomly selects α ∈ Z_q^* and computes β = g_2^α. If (ID_v, ds, t, β) is already in L_{H_2}, B terminates the game and outputs ⊥. Otherwise, B executes the H_2 query on behalf of A_II and computes τ_0: B sets the file label τ = (τ_0, β, ds, t) and then computes the tags for m_1, ..., m_k. B computes σ_j for m_j as follows: B returns the label τ = (τ_0, β, ds, t) and the tags σ_1, ..., σ_k for m_1, ..., m_k to A_I.
(1) If E_1 happens, then we consider the following two circumstances: (a) B does not output ⊥ in the Corruption Queries phase; in this case, the probability is $(1 - 1/q_u)^{q_r}$. (b) B does not output ⊥ in the TagGen Queries phase; in this case, the probability is $(1 - 1/q_u \zeta)^{q_t}$. Therefore, we have:
(2) If E_2 happens, then we have Pr(E_2 | E_1) = ϵ.

C. The Proof of Theorem 3
Proof. Suppose adversary A_III can successfully forge a valid single proof. The System Initialization and the Oracle Simulation are the same as those in Game I or Game II.

C.1. ProofCheck.
A_III generates the proof PF using some data blocks and the corresponding tags, and sends PF and the challenge to B. B validates the proof and returns the result to A_III.

C.2. Challenge.
The simulator B generates a challenge chal = {(i, c_i) : i ∈ I, c_i ∈ Z_q}, where I ⊆ [1, k]. At least one challenged data block has never had its tag queried. Then B sends the challenge to A_III.

C.3. Forge.
The adversary A_III outputs a valid proof PF = {m, σ} and returns it to B, where $m = \sum_{i \in I} c_i m_i$ and $\sigma = \prod_{i \in I} \sigma_i^{c_i}$.

C.4. Analysis.
Since the forged proof is valid, it makes the following equation hold. Due to the collision resistance of the hash functions, the adversary A_III obtains a unique response to each H_1 query, and similarly for each H_2 query and H_3 query. Obviously, the above two equations are equal, i.e., σ = σ', i.e., $\prod_{i \in I} \sigma_i^{c_i} = \prod_{i \in I} \sigma_i'^{\,c_i}$. Because σ_i, σ_i' ∈ G_1, there exist x_i, y_i ∈ Z_q^* satisfying $\sigma_i = g_1^{x_i}$ and $\sigma_i' = g_1^{y_i}$.
We get $g_1^{\sum_{i \in I} c_i x_i} = g_1^{\sum_{i \in I} c_i y_i}$, i.e., $\sum_{i \in I} c_i x_i = \sum_{i \in I} c_i y_i$, which means $\sum_{i \in I} c_i (x_i - y_i) = 0$. Since c_i ∈ Z_q^*, we get x_i = y_i mod q.
This contradicts the previous results. According to Theorems 1 and 2, the probability of forging a single tag is negligible. Therefore, the probability that the adversary A_III successfully forges a valid proof is negligible if the file has been damaged or modified.
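To make the block/sector layout of the implementation section and the challenge-response proof of C.3 concrete, the following is an added example; it is not code from the paper or from its JPBC implementation. It replaces the paper's certificate-based pairing tags with a private-key linear authenticator over Z_q, so only a verifier holding the owner's key can check proofs (unlike the public TPA in the paper), and uses an additive aggregate $\sigma = \sum_i c_i \sigma_i$ where the paper uses the product $\prod_i \sigma_i^{c_i}$; the shape of the challenge, the proof $(\mu, \sigma)$ and the verification is otherwise the same. The prime Q = 2^255 − 19, the dataset name, the test file and the per-sector keys u_j are constructed assumptions.

```python
"""Added example: toy model of block/sector layout and challenge-response
auditing. Not the paper's pairing-based CBRDIBA scheme (see lead-in)."""
import hashlib
import secrets
from typing import Dict, List, Tuple

Q = 2**255 - 19          # constructed prime, stands in for the group order q
SECTOR_BITS = 160        # sector length used in the paper's experiments
SECTOR_BYTES = SECTOR_BITS // 8


def block_layout(size_bytes: int, n: int) -> Tuple[int, bool]:
    """Return m (number of n-sector blocks) for a file of size_bytes and
    whether the paper's constraint (m-1)n <= Size(F)/160 <= mn holds."""
    sectors = -(-size_bytes // SECTOR_BYTES)          # ceiling division
    m = -(-sectors // n)
    ratio = size_bytes * 8 / SECTOR_BITS
    return m, (m - 1) * n <= ratio <= m * n


def split_file(data: bytes, n: int) -> List[List[int]]:
    """Zero-pad data and cut it into m blocks of n 160-bit sectors (as ints)."""
    m, _ = block_layout(len(data), n)
    padded = data.ljust(m * n * SECTOR_BYTES, b"\x00")
    blocks = []
    for i in range(m):
        chunk = padded[i * n * SECTOR_BYTES:(i + 1) * n * SECTOR_BYTES]
        blocks.append([int.from_bytes(chunk[j * SECTOR_BYTES:(j + 1) * SECTOR_BYTES], "big")
                       for j in range(n)])
    return blocks


def h_index(name: bytes, i: int) -> int:
    """Hash (dataset name, block index) into Z_q; plays the role of H(tau, i)."""
    digest = hashlib.sha256(name + i.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def keygen(n: int) -> Dict[str, object]:
    """Owner's secret: a block key k and one sector key u_j per sector (assumed)."""
    return {"k": secrets.randbelow(Q - 1) + 1,
            "u": [secrets.randbelow(Q - 1) + 1 for _ in range(n)]}


def tag_gen(key, name: bytes, blocks: List[List[int]]) -> List[int]:
    """sigma_i = k*H(name,i) + sum_j u_j*m_ij (mod q): linear in the block."""
    tags = []
    for i, block in enumerate(blocks):
        t = key["k"] * h_index(name, i) + sum(u * m for u, m in zip(key["u"], block))
        tags.append(t % Q)
    return tags


def challenge(m: int, count: int) -> List[Tuple[int, int]]:
    """chal = {(i, c_i)}: `count` distinct block indices with nonzero c_i in Z_q."""
    idx = sorted(secrets.SystemRandom().sample(range(m), count))
    return [(i, secrets.randbelow(Q - 1) + 1) for i in idx]


def prove(blocks, tags, chal) -> Tuple[List[int], int]:
    """Server's proof: mu_j = sum_i c_i*m_ij and sigma = sum_i c_i*sigma_i (mod q)."""
    n = len(blocks[0])
    mu = [0] * n
    sigma = 0
    for i, c in chal:
        for j in range(n):
            mu[j] = (mu[j] + c * blocks[i][j]) % Q
        sigma = (sigma + c * tags[i]) % Q
    return mu, sigma


def verify(key, name: bytes, chal, proof) -> bool:
    """Recompute the expected aggregate from the key and the challenge alone."""
    mu, sigma = proof
    expected = key["k"] * sum(c * h_index(name, i) for i, c in chal)
    expected += sum(u * mu_j for u, mu_j in zip(key["u"], mu))
    return expected % Q == sigma


def demo() -> Tuple[bool, bool]:
    """Audit an intact copy, then a copy with one sector of a challenged block altered."""
    name = b"dataset-demo"                   # constructed dataset name
    data = bytes(range(256)) * 40            # constructed 10240-byte test file
    n = 8
    blocks = split_file(data, n)             # 512 sectors -> 64 blocks of 8
    key = keygen(n)
    tags = tag_gen(key, name, blocks)
    chal = challenge(len(blocks), 10)
    intact_ok = verify(key, name, chal, prove(blocks, tags, chal))
    damaged = [b[:] for b in blocks]
    damaged[chal[0][0]][0] ^= 1              # server lost or altered one sector
    damaged_ok = verify(key, name, chal, prove(damaged, tags, chal))
    return intact_ok, damaged_ok


if __name__ == "__main__":
    print(block_layout(114763, 16))          # layout for the paper's 112 KB file at n = 16
    print(demo())
```

Because the tag is linear in the sectors and the coefficients c_i are nonzero modulo a prime, any change to a challenged sector shifts μ_j by a nonzero multiple of c_i and the recomputed aggregate no longer matches σ, which is the same linearity the C.4 argument relies on ($\sum_i c_i (x_i - y_i) = 0$ forcing x_i = y_i). Note that `block_layout(114763, 16)` gives m = 359 for the paper's file at n = 16, so the 375-block experiments above use a different choice of n.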
Therefore, B presents a pair of collisions of the hash function H_0.
We complete the description of how B outputs a pair of collisions. Then, we analyze the advantage of B, who holds the master secret key msk and can answer the Corruption Queries. Moreover, B simulates the TPA such that B holds the TPA's private key usk_ver, and hence B can answer the Corruption Queries. Our simulation is indistinguishable from the real one. If A_IV has advantage ϵ in forging a valid batch proof, then B has advantage ϵ in generating a pair of collisions of the hash function H_0.
Data Availability
The data supporting the findings of this study are available from the corresponding author upon reasonable request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.