Public Integrity Auditing of Shared Encrypted Data within Cloud Storage Group

,e pandemic of COVID-19 has posed a severe challenge to the traditional on-site centralized development projects; people therefore have to share data in a group by the cloud storage server and develop projects at home. ,e cloud server is untrustworthy, although it supplies the powerful computing capability and abundant storage space; so far wide research has been proposed to verify data integrity. ,erefore, how to leverage the cloud server and ensure the integrity of the data (especially the encrypted data) stored on the remote cloud devices remains an issue for the clients. To address this issue, we utilize the technique of homomorphic hash function to implement reencryption ciphertext blocks and introduce a certificateless signature scheme for the integrity verification of encrypted data shared within a group. A detailed challenge-and-response game represents that the proposed scheme can preserve encrypted data blocks integrity against the internal/external attacker and malicious cloud service servers. We give the theoretical and experimental performance analysis of the scheme and exhibit that the scheme is efficient and practical.


Introduction
To date, cloud storage service has been an efficient paradigm for storing and sharing data information and a cooperation platform for staff to collaborate in many companies. Once a project manager can upload tasks to the server, each project participant can access, download, and modify the corresponding files through the network without any geographical restriction. Especially with the travel restrictions caused by the COVID-19 pandemic, people can only stay in their own homes and work through the Internet; thereby the use of cloud services for task cooperation and sharing has become particularly important. In the real world, Dropbox for Business [1], TortoiseSVN [2], and Google Drive already have become cloud service platforms for employees to share and collaborate online.
However, the prerequisite for this type of application to facilitate many company staff to work together is whether the cloud server provider (CSP) can make sure that the data is retained intact. In the field of cloud services, there is a multitude of inevitable internal and external attacks [3], as a slice of examples, the failure of software or hardware, illegal access, and deliberate deletion or corruption of the outsourced data, resulting in unreliable cloud services. Owing to the existence of these above attacks, the integrity of data is destroyed, which will inevitably reduce the availability and storage significance of data. is paper focuses on the integrity of data stored in the cloud.
For decades, to address the integrity verification of data, an army of studies on remote data integrity checking have been proposed by papers [4][5][6][7][8][9][10][11][12][13][14][15][16], and these schemes give efficient approaches to verify the integrity of outsourced data on cloud server without downloading them. However, all the above solutions are focused on the integrity auditing for individual data without involving the situation of sharing data in a group. How to verify the integrity of the shared data in a group is an interesting and essential task in the cloud server, which is also another item for the cloud service.
Remote data integrity verification is a technology that, for the data stored in the virtual cloud server, there is no need to download the entire file locally to check the integrity of data. When a project with data attached to it is uploaded to a cloud server and shared among multiple engineers, some new challenges emerge and these challenges cannot be solved well with existing individual data integrity verification solutions. According to the above scenario, the project with data attached is divided into blocks and sent to the engineers of the project group, and different engineers will output different block tags in the same block. When a block is modified by the engineers of the project group, the new block tags will be regenerated. In a project group, all engineers will either online or offline compile their tasks, but no matter which kind they are required to store the results of the day's tasks in the cloud server and generate block tags for checking. To ensure that each engineer is honest to compile the project with the given data, the project manager must act as a verifier to verify the integrity of the data from time to time. When the verifier wants to audit the integrity of raw data, it needs to aggregate all tags with the engineer's identity information. e process of verification is more complicated and brings a significant volume of calculation [17][18][19][20][21][22][23][24]; these protocols thereby are not valid for the case of data sharing in a group.
When the data is shared among the engineers in the project group, also other challenges appear where some engineers in the group maybe withdraw from the group due to some special circumstances, such as being transferred to another project group or misbehaving. As a result of the above situations, the tags generated by the revoked user are invalid and need to be renewed by the other legitimate members. In addition, the data in the shared group also needs to be updated frequently, which also leads the tags to be changed constantly. For security reasons, if the identity of an engineer is revoked, all data as well as the corresponding tags, which belong to the revoked members previously, still have to be renewed by the existing user in the group. According to common sense, when an engineer exits the project, then its task will be transferred to other engineers, and its identity information in the project will be revoked; that is, its public/private key for participating in the project will become invalid. Considering the fact that the shared data is not stored on local devices, the traditional way is to download all data previously generated by the revoked engineer and ask an existing engineer to renew the tags and finally upload the new tags to the cloud server again.
is operation can safely transfer the task to the engineer existing in the task, but it may significantly increase the existing engineer communication cost and calculation resources, especially when a considerable volume of the blocks needs to frequently change and update. To overcome the above drawbacks, the execution of the verification operations should be outsourced to CSP instead of execution by the existing engineers. Besides, integrity verification of shared data can be verified not only by the members of the shared data group but also by everyone who wants to leverage the data blocks in the cloud service. As a result, it is of tremendous significance that the scheme to be proposed can meet the public verification with the help of CSP.
At present, plenty of integrity verification schemes for shared data in this group have been put forward. Most of them [25][26][27][28][29] focus on the PKI technology based on the trustworthiness of certificate authority (CA), where it is difficult to find a trusted CA. Others are identity-based [28,30] remote data integrity verification protocols, which rely on the private key generator (PKG) to generate all private keys. However, this approach suffers from a key escrow problem. erefore, how to efficiently verify the integrity of outsourced data in a shared group by a public verifier and transfer the revoked members' data to existing members without downloading the data from the cloud service, as well as solving the key escrow and certificate management issues, is a challenging task.
Reviewing the existing protocol solutions, we mainly focus on the integrity verification for the encrypted shared data in a group. In this paper, we assume that there is an encrypted business project, which is divided into numerous encrypted subprojects, and it needs plenty of engineers to participate in development. A project manager, who invites the engineers to a temporary project group, takes charge of the system parameters and encrypts the raw project. en the project blocks encrypted with public keys of specified members in the group are uploaded to the cloud service so that the engineers within the group can modify and upload subprojects compiled online or offline. If this is a big project with plenty of engineers in the project group, there are some issues to be addressed efficiently, for example, the integrity verification after legitimate changes to subprojects under development, the members revocation problem, and the entry of new members.

Contributions.
To overcome the disadvantages of previous schemes and address the aforementioned issues, we propose a new remote data possession checking scheme for encrypted shared data group. e contributions of the proposed scheme are presented as follows: (i) We propose a new remote data possession checking scheme to audit encrypted shared data in each group, in which the certificateless public key system is utilized as an underlying encryption mechanism, and the homomorphism hash approach is used to regenerate the ciphertext to improve the efficiency of member revocation scheme. (ii) We then construct a public auditing scheme for verifying the integrity of encrypted data in the cloud service provider based on the corresponding certificateless authentication tag aggregation. (iii) We design a ciphertext conversion scheme which leverages a homomorphic hash function to convert the ciphertext of the revoked member into the ciphertext of the existing member. e scheme has been implemented and the results are more efficient compared to state-of-the-art protocols. (iv) We have proven the security of the proposed scheme which is based on the stability of CDH and DL assumptions by simulating a challenge-and-2 Wireless Communications and Mobile Computing response game involving two players: a challenger and an adversary.

1.2.
Organization. e rest of this paper is organized as follows. Section 2 discusses the prior work done in verifying the integrity of group shared data. Section 3 introduces the preliminaries and Section 4 defines the problem statement which includes system model, design goals, outline of the scheme, and the secure model. e detailed construction of our scheme is presented in Section 5. e proposed scheme is simulated and a challenge-and-response secure model is formalized in Section 6, and we assess the efficiency of the proposed scheme in Section 7 based on the computation cost of tag generation and verification, communication cost analysis, and vocation analysis compared with the existing schemes. e conclusion of this paper is presented in Section 8.

Related Work
Since Deswarte et al. [4] first proposed a scheme for checking the integrity of data stored on remote virtual cloud servers; so far, a number of auditing schemes have been proposed. Among the proposed schemes, they can be generally divided into two directions: Provable Data Possession (PDP) [5] and Proofs of Retrievability (POR) [23]. e PDP scheme is proposed by Ateniese et al. [5] based on RSA signature and sampling strategies to improve the efficiency of integrity checking without retrieving the whole file. However, there is a limitation for this scheme; that is, it is only suitable for the auditing of static data files. To overcome this limitation, Ateniese et al. [31] presented the revised version of PDP based on symmetric encryption to efficiently address the dynamic checking issues instead of handling the insertion operation. Erway et al. [18] gave a dynamic provable data possession (DPDP) scheme, which supports full data dynamic operations to solve the insertion operation and improve the verification efficiency by leveraging the authenticated skip list.
To support fully dynamic data, Wang et al. [32], Erway et al. [18], and Zhu et al. [33] successively proposed schemes to construct auditing mechanisms supporting fully dynamic data, respectively. To realize public verification and dynamic data operation, Liu et al. [34] gave a dynamic public auditing scheme based on the Merkle Hash Tree (MHT), in which the block tags are generated by the data owners, and this incurs the increase of communication and calculation cost. To overcome this drawback, a scheme [35] to solve the heavy calculation burden on the data owner side at the expense of data owner's privacy has been proposed, in which both tag generation and integrity verification are implemented by the cloud server. e issue of privacy-preserving in public auditing has been addressed, in which the data blocks are blinded by a data owner before generating signatures by the third party [36]. In another related research, to avoid the certificate management problem of PKI, some PDP schemes based on Identity-Based Signature (IBS) [37,38] were proposed. e major problem of IBS is the key escrow, which is solved by a certificateless-based signatures PDP scheme [39].
Similar to PDP, the POR is another approach introduced by Juels et al. [23] to audit the integrity of remote data stored on the cloud service. An improved POR scheme is given by Wang et al. [10] to authenticate block tags, in which a security proof is revised in their previous work. Based on the previous works of Erway et al. [18] and Ateniese et al. [5], a generic framework DPOR is proposed by Etemad et al. [40] to store call updated information in the logs. Apart from the aforementioned protocols, some other publicly verifiable protocols are published. Hao et al. [41] gave a public verification without including a TPA, and Shen et al. [42] solved the loss of private key for auditing issue. Wu et al. [43] introduced a time encapsulated POR protocol that could check the integrity of data and timestamp by verifier.
All schemes mentioned above mainly devote themselves to verifying the integrity of individual data. Since Wang et al. [44] proposed a scheme for auditing the integrity of data shared in a group in 2012, a succession of verification schemes for sharing data in a group have been proposed [7,[26][27][28][29]45]. Among these schemes, [26,27,29,45] represented PDP schemes for group data based on the signatures, respectively, and all of these schemes are more or less deficient in efficiency and revocation. To solve the multiuser modification problem of blocks, [28] based on PKI mechanism proposed a PDP scheme of polynomial authentication tags, which led to a heavy burden of certificate management. Recently, Li et al. [7] based on certificateless mechanism proposed a public integrity checking of group shared data on cloud storage, which changes the data tags of the revoked member into the existing member's tags. However, the data within the group in the scheme is all plaintext, which cannot satisfy the situation that the shared data in the group is ciphertext. According to all references mentioned above, although there are numerous schemes that can solve the problems of user adding and revocation in a shared group, on the premise of integrity auditing, there is no verification research on the integrity of encrypted data in a shared group. erefore, we devote to designing a scheme for the integrity verification of encrypted data group in cloud service, which not only satisfies the member addition and revocation but also decreases the computational burden of challenge proof on the client side with the help of CSP.

Bilinear Maps.
Let G 1 and G 2 be two multiplicative cyclic groups of prime order p, and let g be a generator of G 1 . A bilinear map e: G 1 × G 1 ⟶ G 2 has the following properties: (1) Computability: there exists an efficient algorithm to compute map e. (2) Bilinearity: for all u, v ∈ G 1 and a, b ∈ Z p , e(u a , v b ) � e(u, v) ab . (3) Nondegeneracy: there exists a point g such that e(g, g) ≠ 1.

Complexity Assumptions.
In our scheme, the security is based on the following security assumptions.
Definition 1 (Computational Diffie-Hellman (CHE) Problem). Let a, b ∈ Z p * ; given the tuple g, g a , g b ∈ G 1 as input, output g ab ∈ G 1 .
Definition 3 (Discrete Logarithm (DL) Problem). Let g be a generator of G 1 ; given the tuple (g, g a ) as input, output a ∈ Z p * .

Homomorphic Hash Function.
For a finite field F n and a multiplicative group Z p of orderp, a family of homomorphic hash functions are a collection H � h i : F n ⟶ Z q , where i is the index yielded by an efficient algorithm. A homomorphic hash function [46] consists of the following properties: (1) One way: given x ∈ F n and an index i, there is no polynomial time adversary which can find a h i − 1 (x).
(2) Collision resistance: given an index i, it is hard (computationally infeasible) to find two vectors x, y ∈ F n (x ≠ y) for which h i (x) � h i (y). (3) Homomorphism: given an index i and any x, y ∈ F n (x ≠ y) h i (x ∘ y) � h i (x) ∘ h i (y), "∘" is either a "·" or a "+."

Problem Statement
In this section, we show the system model and secure model and illustrate the design goals and the outline of our proposed scheme.

System
Model. Similar to [7,27,29], we combine the cloud architecture with an example of sharing and developing encrypted files by the staffs of a company that are in the same group or department. e system model consists of three major entities: project group (i.e., members involved in the project), cloud service provider (CSP), and public verifier, and the relationship and the interaction situation among them are represented in Figure 1. Project group consists of a volume of project members and a project manager that rents the cloud service platform. In the given example, a project manager is the original owner of the project file and takes charge of dividing the file into encrypted blocks, system parameters generation, member joining/revocation, and sharing the blocks in the project group through a cloud service provider. All project members can access, download, and modify the specified, encrypted data blocks.
Cloud service provider offers a wealth of storage services and powerful computing abilities by charging a certain fee. Referring to the research in [7], CSP can honestly implement the scheme but may try to gain the content of stored files and return an incorrect result to the verifier to get some extra benefits. erefore, we assume that the CSP is semitrusted, encrypting all file blocks stored in the CSP, and generate tags corresponding to the project members. e verifier can be any member of the project group that checks the integrity of encrypted data blocks kept in the CSP. Once a verifier sends an integrity auditing request, the CSP generates and returns the verification information. e verifier then checks the correctness of the auditing proof and reports the verification result.

Design Goals.
To efficiently and securely verify shared encrypted data with a volume of members in a project group, our proposed scheme should be designed to achieve the following properties: (i) Correctness: Based on the challenged proof generation, the verifier is able to correctly detect the integrity of challenging blocks. (ii) Unforgeability: Only the specified member in the project group can yield valid verification information on the encrypted data blocks. (iii) Identity privacy: During the integrity of auditing, the CSP cannot distinguish the identity of tag generator on each randomly picked block in the shared project group. (iv) Tag-updating: When the identity of some members in the project group is revoked or new members are added, the corresponding ciphertext tags should be updated efficiently and securely. (v) Verifiability: Random verifier is able to verify the integrity of ciphertext attached tags by the challenged proof calculated by the CSP.

Outline of the Scheme.
e scheme consists of eight steps: Taking a security parameter κ as input, the project manager implements this step and outputs the master key msk and all system parameters params. Tak-ing the member's identity ID i , the master key msk, and the parameters params as input, the project manager executes this step and outputs member u i 's partial key D i . Taking the count of challenged block c as input, the verifier runs this step to output a challenge information chal appending the block name F i d for the integrity querying of the data file. (7) ProofGen (chal, F * , T i |i ∈ n ) ⟶ P: Taking the challenge information chal, the challenged encrypted block set F * , and tag set T i |i ∈ n as input, CSP runs this step and responds with the integrity proof P. (8) Verify Proof(P, chal, params) ⟶ 0, 1: Taking the integrity proof P, the challenge information chal, and the public parameters params as input, the verifier implements this step and returns 1 if result P passes the verification; otherwise, it returns 0.
Note that, in addition to the above steps, there are two other steps: JoinGen andRevGen.
Step JoinGen is executed by the project members, which invites some other members who are not in the project group, and step RevGen is also implemented by the project members, and the procedure is divided into two scenarios depending on whether the revoked member has invited members to participate in the project group.

Secure Model.
Since the certificateless cryptography [47] is the underlay of our new scheme, and referring to the security model of data integrity auditing protocols represented in papers [30,39,48], we consider the security requirement and adversary model of the encrypted shared scheme against a fully-adaptive chosen ciphertext attacker (IND-CCA) [47,49] which involves a challenger C and four types of adversaries, namely ,A 1 , A 2 , A 3 , andA 4 . Among the four adversary types, although adversaries A 1 andA 2 both execute the tag-forge attacks, they have different attack capabilities. Type A 3 implements the ciphertext integrity proof attack to cheat the verifier, and type A 4 tries to generate a forgery of regenerated ciphertext and passes the verification of ciphertext receiver. We give the four following games to illustrate the security model in detail.

Setup.
ere are two parties, adversary A i for A i and challenger C that keeps the private keys and the master key security and sends the public system parameters toA i . Challenger C interacts with adversary A j for j ∈ 1, 2 { } in this game. In order to generate a forgery of tag in a security game, A j needs to execute the following different queries: hash query, key query, public key query, public key replacement, encryption query, and tag query.

Common Queries.
A j gives the polynomial times different queries to C which responds to the following queries: (1) Hash query is adaptively made by A j and the hash values are responded by C. (2) Key query is adaptively run by A j to submit different target identity ID (first running the step PartialKeyGen byC for ID if necessary) to C for

Wireless Communications and Mobile Computing
querying the key, and then a key pairing for ID is responded to A j by C performing the step KeyGen.
(3) Encrypt query is adaptively implemented by A j to submit different plaintext m to C, and then a ciphertext σ with both the randomly picked value r and the public key spk ID is responded to A j by C. (4) Tag query is adaptively executed by A j to query the tag of any ciphertext block σ with the corresponding member's identity ID, and then a tag Tag is returned by C running the step TagGen.

Game1.
In this game, adversary A 1 not only executes the Common Queries above but also runs the following specialized queries: (1) Partial key query: is adaptively implemented by A 1 to submit different target identity ID to C, and then the partial key for the ID is responded to A 1 by C running the step PartialKeyGen. (2) Public key replacement: According to the assumed capability of A 1 , it can replace the public key ssk I D of any ID with random value ssk ID ′ multiple times if necessary.

Forgery.
Eventually, there are two scenarios on the forgery tag Tag ′ output by adversary A 1 . One is that A 1 outputs a forgery tag Tag ′ for the ciphertext block σ encrypted by the public keyssk I D , and the tag is generated with the public key ssk ID′ and the identity ID ′ . e other one is that A 1 outputs a forgery tag Tag ′ for ciphertext block σ ′ encrypted by public key ssk ID′ , and the tag is generated with the public key ssk ID′ and the identity ID ′ . In both scenarios, such adversary A 1 does not have access to the master key of system, but it can request the public key and has the capability to replace the member's public key and make the tag queries for all identities of its random choice. However, if A 1 wants to win the game, there are several natural restrictions on adversary A 1 as discussed below: (1) A 1 cannot request a query on the private key for identity ID ′ at any time. (2) A 1 cannot both query the partial key for ID ′ and substitute the public key of identity ID ′ at the same time.
(3) A 1 cannot make a tag query for the encrypted target data block σ ′ with the identityID ′ and the public key ssk ID′ . (4) In addition to the above limitations, A 1 can forge a valid tag for the encrypted data block σ ′ with the identity ID ′ and the public key ssk ID′ , and it also can forge a valid tag for the ciphertext block σ encrypted with the legitimate public key ssk I D , where the tag is generated by the replaced public key ssk ID′ and the identity ID ′ .

Game2
. In this game, adversary A 2 only executes the Common Queries above and then forges the tag Tag ′ for the ciphertext σ ′ with the identity ID ′ .

Forgery.
In this process of forgery, adversary A 2 is unable to replace the member's public key, but it has the capability to access the master key of system. However, there are also two scenarios on the forgery tag Tag ′ output by adversary A 2 . One is that A 2 outputs a forgery tag Tag ′ for ciphertext block σ encrypted by the public key ssk I D , and the tag is generated with the public key ssk ID′ and the identity ID ′ . e other one is that A 2 outputs a forgery tag Tag ′ for ciphertext block σ ′ encrypted by public key ssk ID′ , and the tag is generated with the public key ssk ID′ and the identity ID ′ . In addition, if A 2 wants to win the game, it is subject to the following restrictions: (1) A 2 can neither query the private key nor replace the public key for ID ′ at any point. (2) A 2 cannot make a tag query for the encrypted target data block σ ′ with the identity ID ′ . (3) In addition to the above limitations, A 2 can forge a valid tag Tag ′ for the encrypted data block σ ′ with the identityID ′ , as well as the legitimate public key ssk I D .
Definition 5. e scheme is semantically secure against the single tag forged attack of the ciphertext block if adversary A 1 or A 2 in polynomial probability time has a negligible advantage to win Game 1 and Game 2.

4.4.7.
Game3. In terms of Definition 5, an adversary cannot forge a legitimate label for a single ciphertext block without accessing the right private key. In this game, we consider that adversary A 3 that acts as the untrusted CSP in the system attempts to persuade the verifier to pass the integrity verification of corrupted data. Inspired by [7], challenger C plays two roles, that is, the honest CSP and an integrity checker, and the operation of Game 3 is executed as follows: Tag query: e target tuple (ID, m) is adaptively selected by A 3 and sent to C, which responds with the querying tag which is generated with the ciphertext σ and the identity ID by the step TagGen.
Challenge: Challenger C, which acts as the verifier, generates and sends a random challenge information chal to A 3 , which is requested to respond with the corresponding data possession proof P for chal.
Forgery: Once receiving the challenge information chal, A 3 acts as the CSP, generates a proof P, and responds toC. e premise for A 3 to win the game is that the miscalculated block information in proof P can pass the integrity verification successfully.

Definition 6.
e scheme is semantically secure against forging the integrity proof on incorrect data if adversary A 3 in polynomial probability time has a negligible advantage to win Game 3.

Game4
. In this game, the specified member acts as adversary A 4 that interacts with challenger C. Here, the revoked member and CSP are regarded as the trusted parties.
If the reencrypted data has been corrupted, A 4 tries to cheat the verifier that the tag generated by reencrypted data can pass the integrity verification. In terms of Definitions 5 and 6, we know that any adversary cannot pass the tag verification on a single block without accessing the private key and correct data. erefore, the focus of this game is on whether adversary A 4 can forge the integrity proof of reencrypted data to pass the verification. Inspired by [7,29], challenger C plays two roles, that is, the honest CSP and a revoked member, and the operation of Game 4 is executed as follows: Reencrypt key query: A 4 adaptively picks an identity ID and submits it to challenger C for querying the reencrypting key of ID. C runs the reencrypting key subroutine in step RevGen and returns the reencrypting key r A↔C .
Tag query: e target tuple (σ, ID) is adaptively selected by A 4 and sent to C for querying the tag for the reencrypting ciphertext σ ′ . According to the step RevGen, C responds the tag generated by ciphertext σ ′ and ID to adversaryA 4 .

4.4.9.
Forgery. Eventually, A 4 outputs a forgery tag Tag ′ for the target ciphertext σ with the identity ID.

Definition 7.
e scheme is semantically secure against forging the integrity proof without both correct identity and reencryption key if adversary A 4 in polynomial probability time has a negligible advantage to win the aforementioned Game 4.

Our Scheme
Without loss of generality, there is a project manager named u 0 in the group which is in charge of the generation of system parameters and other engineers' partial secret keys. Suppose that the project F is divided into n project blocks as the following M � (m 1 , m 2 , · · · , m n ). u 0 invites z engineers in one group to execute this project, and each engineer u i has a unique identity represented as ID i for 1 ≤ i ≤ z. In order to keep the security of each block, all project blocks stored on the CSP should be encrypted by the public key of the corresponding developing engineer; namely, C * � (σ 1 , σ 2 , · · · , σ n ), in which σ i represents the ciphertext of ith subproject m i . e scheme consists of the following steps: Setup(1 κ ): u 0 takes as input a security parameterκ and outputs the public parameters including two multiplicative cyclic groups G 1 and G 2 and a bilinear map e: G 1 × G 1 ⟶ G 2 , where the orders of G 1 and G 2 are both the big prime q and g is a generator of G 1 . It sets two collision-resistant hash functions H 1 : 0, 1 { } * ⟶ G * 1 andH 2 : 0, 1 { } * ⟶ G * 1 . Two pseudorandom generators π and ϕ are selected, where π: Z * q × 1, 2, · · · , n { } ⟶ Z * q and ϕ: Z * q × 1, 2, · · · , n { } ⟶ 1, 2, · · · , n { } are used to generate the pseudorandom value and pseudorandom permutation, respectively. u 0 selects a master key msk � s ∈ Z * q and calculates the public key P 0 � g s . All the parameters params � (q, g, G 1 , G 2 , e, P 0 , H 1 , H 2 , ϕ, π) are published.
PartialKeyGen: When receiving the identity ID i of the participant engineer u i , the project manager u 0 returns D i � H 1 (ID i ) s by secure channel as the partial private key of u i .
KeyGen: ID i randomly selects secret value x i ∈ Z * q as a partial private key and constructs ID i 's private/public key x i . Encrypt: e project manager u 0 randomly picks a value r i ∈ Z * q and encrypts l project blocks (engineer u i could be assigned l project blocks) m i 1 , · · · , m i l into σ i 1 , · · · , σ i l leveraging u i 's public key spk i and uploads them to the CSP, ∈ (1, l). Note that u 0 only executes this step once, encrypting the corresponding project blocks by utilizing every engineer's public key, and later this step is mainly implemented by the engineers involved in the project.
TagGen: Since each block has a unique file name F i d , a tag will be generated for all the encrypting blocks of file F. Suppose that the project engineer u i wants to generate tags for each uploaded encrypted block σ i ′ . It randomly picks a parameter r i ′ ∈ Z * q (1 ≤ i ≤ z), first encrypts its developed project blocks mi k ′ (1 ≤ k ≤ l) into σi k ′ � 〈 σi k 1 ′ , σi k 2 ′ 〉, and then en, project engineer u i uploads σi k ′ , T i k |k ∈ (1, l) to the CSP. en, the CSP utilizes the public parameters and the data provided by the user to construct an (1) to check the correctness of all u i 's tags: where σ i2 ′ � g x i .
Challenge: Anyone as a verifier can check the integrity of group data stored in CSP. e verifier randomly picks the challenged block count c(1 ≤ c ≤ n) and two valuesk 1 , k 2 ∈ Z * q . en the challenged information chal � (c, k 1 , k 2 ) appending the file name F i d is sent to CSP.
ProofGen: Once the CSP receives chal � (c, k 1 , k 2 ), the challenge information set I � (v i ′ , a i ) is calculated, in which a i � π(k 1 , i) is the regenerated parameter by the pseudorandom generatorπ, and the subset v i ′ |i ∈ (1, c) (for v i ′ � ϕ(k 2 , i)) of 1, 2, · · · , n { } is a new index permutation of challenge block regenerated by the pseudorandom generatorϕ. Without loss of generality, suppose that the challenge block set consists of encrypted blocks
VerifyProof: Upon receiving proof P, the verifier utilizes the precalculated values set (v i ′ , a i ) to generate a set of challenge blocks. According to the tag generation rules, the verifier obtains ω v i to generate all the tags T v i a i of participating challenge blocks. en it takes all above proof information as input to check whether (2) holds, where l k ′ � |C l k |: If this equation holds, it outputs either 1 ("accept") or 0 ("reject"). e correctness of this scheme can be checked by the following equality:

Invite to Join.
If engineer u i invites another engineer u j to participate in its subproject, u i first sends an identity concatenation ID j � � � � � ID i to u 0 , and then u 0 responds a partial private key D ji � H 1 (ID j ||ID i ) s to u j by secure channel. u j randomly chooses x ji ∈ Z q * to generate its secure key ssk ji � 〈D ji x ji , x ji 〉 and public key spk ji � 〈X ji , Y ji 〉, where X ji � g x ji and Y ji � P 0 x ji . While u j successfully joins the project and wants to editu i 's some block (named mi k ′ ), the specified file ciphertext block σi k 1 ′ needs to converted to a block encrypted by u j 's public key. e reencryption key r i↔j is generated and the ciphertext σi k 1 ′ turns into σji k 1 ′ which is encrypted by u j 's private key and parameter r i randomly picked by u 0 . Note that the reencryption key r i↔j is bidirectional; that is, it can be utilized to transfer the ciphertext from u j to u 0 and vice versa.
JoinGen(ID i , ID j ) ⟶ (r i↔j ): When receiving the identity ID j , u i calculates the reencryption key sends it tou j . en u j calculates ciphertext σji k 1 ′ for block mi k g r i ))..

Revoke a Participant.
Once an engineer u i leaves the project, the project manager u 0 should claim the private/ public key pairings of u 0 to be invalid. At the same time, the contents consisting of the ciphertext, tags, and so forth of the file block associated with the revoked engineer u i are also changed. Otherwise, there are some secure risks on the ciphertext and tags which are executed by u i ; thereby the integrity of the ciphertext cannot be checked either. In this process, there are two situations to be considered: one is that the revoked user u i has invited engineers in the project, and, in this case, any inviter (named u j ) can be required to replace the tag and ciphertext of the revoked user. In the other case, u i does not invite any users to participate in the project, so the project manager needs to convert the ciphertext and tags for u i . We represent the detailed implementation as follows: RevGen: Assume that u i is the revoked project member, and u j is the member who continues the project in place of u i . In this section, CSP is used to check the correctness of regenerated tags by u j . In addition, suppose that u i , u j , and CSP are all online simultaneously during this procedure.
Without loss of generality, let member u j as a specified recipient take charge of all blocks of the revoked engineeru i . u i utilizes the step JoinGen to regenerate the ciphertext of u j , and the block tag is yielded by u j .
(1) u i calculates r i↔j and sends it to u j , where (3) While receiving the tuple ( σj k ′ , T j k ), CSP verifies (1) to ensure the validity of the tags.

Security Proof
In this section, we give the secure proof of the proposed scheme via the following properties.

Security Analysis
Theorem 1. If a polynomial probability time adversary A 1 has an advantageε to win Game 1 described in Section 4.4 within time t after executing the most q H 1 Hash-1 queries, q K key queries, q R Public Key Replace, q E encryption queries, and q H 2 Hash-2 queries and requesting at most q T times tag queries, then there exists a (ε ′ , t)-simulator B that can address the CDH problem with (ε ′ ≥ ε/((1 + q p + q T ) · e)) t ′ ≤ t + (q H 1 + q p + 3q K + 3q H 2 + 2q T t e + 3t m q T + q R + q E ), where one exponentiation costs time t e onG 1 , one scalar multiplication operation costs time t m inG 1 , and e is the base of natural logarithm.
Proof . On input (g, g a , g b ) in G 1 , if adversary A 1 is able to forge a tag with the identityI D and the replaced public key in Game 1, then algorithm B has capability to address CDH problem; that is, it can calculateg ab . Given g, g a , and g b , simulator B simulates each step of interaction with A as follows: Setup. A 1 launches a query-respond game. B sets P 0 � g a with the master key a which is security picked and then outputs and returns the system parameters params � (q, g, G 1 , G 2 , e, P 0 , H 1 , H 2 , ϕ, π) to A 1 .
Hash-1 Query. A 1 adaptively requests the Hash-1 query results for any identity ID * in terms of its capability. In order to facilitate the management of all the query results, B establishes a tuple list L 1 � (I D, r, Q, τ) { } to record all query data. If a certain ID * has been recorded in the list, B directly returns its corresponding tuple (ID * , r * , Q * , τ * ) to A 1 . Otherwise, B selects a random value r * ∈ Z q * and tosses a coin τ ∈ 0, 1 { }. Assume that the coin represents 1 with a probability of c, and vice versa, 1 − c. If τ shows 0, B sets en the result Q * is returned to A 1 and the tuple (ID * , Q * , * , * ) is inserted to list L 1 , where the symbol * indicates that the position is empty and has no value, which may be generated in a subsequent query.
Partial key query. In order to obtain the partial key of any identity ID * , A 1 adaptively implements partial key query. B firstly checks whetherID * corresponding tuple (ID * , r * , Q * , τ * ) exists in L 1 . If not, B executes the Hash-1 query and inserts the result in L 1 . Notably, another new tuple list L 2 is established by B to manage the newly queried data during this process, where L 2 � (ID, D ID , spk I D , ssk I D , σ I D )}. If τ shows 1 in L 1 , B returns⊥ for ID * and then records the tuple value (ID * , ⊥, * , * , * ) in L 2 . Otherwise, B responds the partial key query as follows.
(1) If ID * is stored in listL 2 , B checks whether the location of D ID * is a symbol⊥ or not. If it is not ⊥, B returns it directly to A. Otherwise, B reexecutes the coin tossing step in Hash-1 query. When the coin tosses τ � 0, B returns the value D ID * � (Q * ) a � g ar * to A 1 and then updates the values Q * , τ in L 1 , andD ID * in L 2 on the corresponding identity ID * , respectively; otherwise, τ � 1, and B aborts.
(2) If ID * is not stored in list L 2 , B determines the value of D ID * according to τ in list L 1 . If τ � 0, B returns D ID * � g ar * to A 1 ; otherwise, τ � 1, and B aborts.
Note that the tuple in L 1 and L 2 has such a characteristic: the value of τ in the tuple (I D, Q, r, τ) of L 1 corresponding to the tuple (I D, ⊥, * , * , * ) of L 2 is 1; the value of τ in the tuple (I D, Q, r, τ) of L 1 corresponding to the tuple (I D, D ID * , spk ID * , ssk ID * , σ ID * ) inL 2 is 0.
Key query. A 1 adaptively requests the key query for any identityID * . B searches list L 2 for the tuple (I D, D ID * , spk ID * , ssk ID * , σ ID * ).
(1) If the tuple (I D, D ID * , spk ID * , ssk ID * , σ ID * ) is stored in L 2 , B first checks whether the position of D ID * is ⊥ or not. IfD ID * � ⊥, B turns to execute Hash-1 query and partial key query in turn. Otherwise, B checks whether the position of spk ID * in this tuple is the symbol * . If spk ID * � * , B selects x ID * ∈ Z q * at random and setsssk ID * � 〈D ID * x ID * , x ID * 〉 and spk ID * � 〈X ID * , Y ID * 〉 � 〈g x ID * , P 0 x ID * 〉. B updates the tuple (I D, D ID * , * , * , * ) into L 2 and sends the key pairing (spk ID * , ssk ID * ) to A 1 .
(2) If the tuple (I D, D ID * , spk ID * , ssk ID * , σ ID * ) is not stored in L 2 , B turns to execute Hash-1 query and partial key query in turn. Once the value ofD ID * has been obtained after the Hash-1 query and partial key query, B randomly selectsx ID * ∈ Z q * and sets Wireless Communications and Mobile Computing ssk ID * � 〈D ID * x ID * , x ID * 〉 and spk ID * � 〈X ID * , Y ID * 〉 � 〈g x ID * , P 0 x ID * 〉. B inserts the tuple (I D, D ID * , spk ID * , ssk ID * , σ ID * ) into L 2 and returns (spk ID * , ssk ID * ) to A 1 . On the other hand, if D ID * � ⊥, the tuple (ID, ⊥, * , * , * ) is inserted intoL 2 , and B aborts.
Public Key Replace. According to the assumption, adversary A 1 has capability to replace the public key. A 1 adaptively implements the Public Key Replace for the target memberID * with the substitution public key sp kID * ′ .
Tag query. A 1 adaptively requests the tag on any identityID * and plaintext block m ID * by submitting the result ofσ ID * . Based on the result of tossing the coin in L 1 ; if τ * � 1, B aborts. Otherwise, based on the values of H 2 (ω ID * ) in L 3 and both D ID * andσ ID * inL 2 , B generates the tag for the tuple (D ID * , σ ID * , H 2 (ω ID * )) by step TagGen and returns it to A 1 .
Forgery. Eventually, a forgery tag T ′ , which is relevant to plaintext m ′ on the identityID ′ with the public key spk ID′ , is forged by A 1 . If τ � 0, B aborts. Otherwise, based on the aforementioned operations, B holds the following values: andX ID′ , and then it can output g ab � (T ′ /X ID′ λ+h ) (1/(r′σ ID′ )) solving the proposed CDH problem.
Analysis. Now, we analyze the probability that B can guess the correct query of the target data block by simulating operation. Similar to the analysis and proof of [48,50], B only halts two queries on partial key query and tag query; therefore the probability of B implementing the queries is higher than (1 − c) q p +q T . Assume that the probability of occurrence of output of the right value of g ab for B is ε · c · (1 − c) q p +q T . Let In order to find the minimum value of ε ′ , let us take the derivatives of both sides of (4) with respect to c: Replace dε ′ /dc � 0; that is, We can obtain c opt � 1/(1 + q p + q T ). ereby (4) becomes According to the formula limit n⟶∞ (1 + (1/n)) n � e for n ∈ N, equation (7) becomes Further, simulator B can solve the CDH problem in polynomial time t ′ which satisfies t ′ ≤ t + (q H 1 + q p + 3q K + 3q H 2 )t e + (3t m +2t e ) · q T + q R + q E . □ Theorem 2. If a PPT adversary A 2 has an advantageε to win Game 2 described in Section 4.4 within time t after implementing the mostq H 1 Hash-1 queries, q K key queries, q E encryption queries, and q H 2 Hash-2 queries and requesting at most q T times tag queries, then there exists a (ε ′ , t)-simulator B that can address the CDH problem withε ′ ≥ (ε/((1 + q K + q T + q E ) · e)), t ′ ≤ t + (q H 1 + q p + 3q K + 3q H 2 ) · t e + (3t m + 2t e ) · q T + q R + q E , where one exponentiation costs time t e onG 1 , one scalar multiplication operation costs time t m in G 1 , and e is base of natural logarithm.
Proof. On input (g, g a , g b ) in G 1 , the CDH algorithm B has capability to simulate a data-integrity-verifying security game and output g ab by interacting with adversaryA 2 as follows: Setup. B chooses the master keys at random and outputs the system parametersparams. en, both s andparams are returned to A 2 by B.
Hash-1 query. A 2 requests the Hash-1 query results for any identityID * in terms of its capability. A tuple list L 1 � (I D, Q, r) { } is established to record all query data by B. If a certain ID * has been stored in L 1 , B returns (g a ) r * to A 2 .
Otherwise, B selects a random value r * ∈ Z q * and responds to A 2 with Q * � (g a ) r * and then stores (ID * , Q * , r * ) in L 1 . Key query. According to the assumption that adversary A 2 has an ability to access the master keys, it directly initiates the key query of the public/private key pairing (spk I D , ssk I D ). A list L 2 � (I D, { spk I D , ssk I D , σ I D , τ)} is established by B for recording the results of key query.
(2) If ID * is stored in listL 2 , B checks whether the value of τ * is 1 or 0. If τ * � 1, B halts and returns⊥. Otherwise, assuming that ssk ID * is already inL 2 , B directly returns it to A 2 .
Notably, since A 2 can access the master key to get the private key, there is no partial key query.
Tag query. For ciphertext σ ID * associated with plaintext m * , adversary A 1 adaptively performs the tag query with (ω ID * , σ ID * , ID * ). B first checks the value of τ * in L 2 ; if τ * � 1, B halts and outputs⊥. Otherwise, based on the values of ω ID * in L 3 and σ ID * in L 2 , B calculates D ID * to generate the tag for the tuple (ω ID * , σ ID * , ID * ) by step TagGen and then returns it to A 2 .
Analysis. In this game, there are three times of aborting for B on key query, encrypt query, and tag query. ereby, the probability of B implementing the queries for A 2 without abortion is higher than (1 − c) q K +q T +q E . us, the probability of occurrence of output of the right value of g ab Running time of algorithm B generating the forgery tag ist ′ ≤ t + (2q T + q K )t e + (2q T + 2q H 1 + 4q K + 3q H 2 ) · t e + q E . □ Theorem 3. As long as the DL assumption holds, the probability that adversary A 3 wins Game3, that is, to forge the tag and pass the verification in the scheme, is computationally negligible.
Proof. If A 3 wants to win the game, it has to generate the forged integrity proof P ′ � (T ′ , F ′ ) according to the challenge informationchal � (c, k 1 , k 2 ) and satisfy the following equations with the nonnegligible probability: where z ′ denotes the count of the group member participating in the challenge and l k ′ represents the number of encrypted data blocks participating in the challenge.
On the other hand, assuming that P � (T, F) is also a set of legitimate integrity proofs generated according to challenge informationchal � (c, k 1 , k 2 ), tuple P is also verified . According to the rules of Game3, the two different integrity proofs P ′ andP generated, respectively, by adversaryA 3 and the legitimate member on the same challenge information chal � (c, k 1 , k 2 ) have the following relationship: T � T ′ and F ≠ F ′ . According to the above inequality, we can get the same formula as that in [29]: Randomly given α k ∈ Z q * andh a generator ofG 1 , H 1 (ID k ) can be denoted asH 1 (ID k ) � h α k . en we can get an approach to solve the DL problem by turning above In terms of the assumption in the game, there must be at least one tuple (F ′ k , F k ) that satisfies F ′ k ≠ F k , and therefore at least one of the corresponding α k is 0. Based on the analysis of α k , there is at least one component α k � 0(1 ≤ k ≤ z ′ ) in the vector (α 1 , α 2 , · · · , α z′ ), so the count of vectors satisfying the condition is at most q z′− 1 . Clearly, we can find that the probability of z′ k�1 α k (F ′ k − F k ) � 0 is less than q z′− 1 /q z � 1/q, which is negligible for a large prime q. We can find that the probability of solving the DL problem is a nonnegligible probability 1 − 1/q; thereby adversary A 3 wins Game3 at the negligible probability.

Theorem 4.
e adversary cannot pass the integrity proof by leveraging forged ciphertext.
Proof: . If A 4 wants to win the game, it tries to generate the forged ciphertext σ ′ � (σ ID 1 ′ , σ ID 2 ′ ) with the forgery identity ID ′ and legitimate ciphertext σ in the revoke a participant phase. Suppose that adversaryA 4 generates its parameters for its identity ID ′ through the aforementioned games, for example, H 1 (ID ′ ), the private key ssk ID′ � 〈D x′ ID′ , x ′ 〉, the public key spk ID′ � 〈X ID′ , Y ID′ 〉, andH 2 (ω ID′ ). If the tag generating by A 4 utilizing these parameters still passes the integrity proof by CSP, then adversaryA 4 wins this game. Otherwise, it fails.
(1) Assume that the revoked member u i calculates the reencryption key 4 's identity ID ′ and its public key spk ID′ and then returns r i↔j to A 4 .
en A 4 randomly picks x ID′ as the partial key and outputs the forgery tag rough the aforementioned operations, the forgery tag is generated by attacker A 4 . If the tag passes the integrity proof, the equation e(T ID′ , g) � e(H 2 (ω ID′ ) · σ ID′2 , X ID′ ) · e(H 1 (ID ′ ) σ ID′1 , P 0 ) holds. However, eorems 1 and 2 have pointed that the tag with the forged private/public key pairing has a negligible probability to win Game1 and Game2; thereby, without the real ciphertext reencrypted by the legitimate private key, the adversary could output the correct integrity proof only with negligible probability. □

Performance Analysis
In this section, we first show the computation and communication cost of our scheme by theory and then represent the experiment results of the scheme.

Computation Cost.
In our scheme, the computation cost is mainly concentrated on those operations that are computationally complex and time-consuming, such as pairing operation, exponentiation operation, and multiplication operations. For the simplicity of presentation, we use symbols C p , C exp , C mul 1 , andC mul 2 to represent the cost of one pairing operation in G 1 × G 1 ⟶ G 2 , one exponentiation operation in G 1 , one multiplication in group G 1 , and one multiplication in groupG 2 , respectively. In addition, the computational overhead of some other operations (such as pseudorandom parameter selection, hash operation, addition, and pseudorandom permutation) is negligible, so these operations are not analyzed. Continue to leverage the above symbols, and let n, z, c, andz ′ denote the number of projects divided into subprojects, members participating in the project, the challenge subprojects, and the members involved in the challenge, respectively. According to the processes of Encrypt and TagGen, the computation costs for n data blocks arez(C p + 2C exp ) and n(2C mul 1 + 2C exp ), respectively.
In the process of ProofGen, we ignore the generation operation cost of challenge information chal and focus on the proof information, so the computation cost of this procedure iscC exp + (c − z ′ )C mul 1 . In this scheme, we also give the computation cost on the revocation step RevGen for a member of the project, in which the revoked member costs 2(C p + C exp ), the specified recipient costs 2(C exp + C mul 1 ), and the verification computation cost for the CSP is (2l − 1)C mul 1 + 3C p + 2C exp + C mul 2 . Table 1 shows the detailed comparison of computation cost and data blocks types among the scheme of papers [7,39] and ours. As can be seen from Table 1, in step TagGen, our scheme is one more C mul 1 than [7] and much less than [39]. After all, the cost of [39] is related to the number of participants z ′ . e cost amount of the step ProofGen is the same as that of [7] but is less than that of paper [39]. In addition, the step VerifyProof is used to verify the correctness of proof information and its computation cost is(z ′ + 2)C p + (2c+z ′ − 2)C mul 1 + (c + 2z ′ )C exp + z ′ C mul 2 , and the costs of [7,39] are 3C p + (2c + z ′ ) · C exp + (2c + z ′ )C mul 1 + C mul 2 and (z ′ + 2)C p + (c + z ′ )C exp + (c + 2z ′ )C mul 1 + z ′ C mul 2 , respectively. Compared with the schemes in [7,39], the cost of our scheme is slightly higher. e reason is that our scheme performs tag generation, verification, and update of ciphertext, and the computational cost is obviously higher than that in literature.

Communication Cost.
In this scheme, the communication cost mainly arises from the challenge information generation phase and proof generation phase. To audit the integrity of the data stored in the cloud service, a verifier sends the challenge information (c, k 1 , k 2 ) to the CSP, and then proof P � (T, F) is returned to the verifier by CSP. e communication cost for an integrity proof challenge is|n| + 2|q| bits, and the communication cost of proof information response is 2(c + z ′ )|G 1 | + |n| + 2|q| bits, where |q| is the element length in Z q and |n| is the length of the element in set 1, n { }. In addition, the communication cost for the revocation phase is (2(l + 1)|G 1 |), where l is denotes the number of ciphertext data blocks owned by the revoked member.

Experimental Results.
In this experiment, we utilized the Ubuntu Kylin 16.04 LTS (64-bit) operation system equipped with the VMware Workstation 10 with Intel Core i7-8700 3.2 GHz processor and 16 G RAM of the host computer with Win10 operation system using C language to simulate the scheme implementation environment.
e Pairing Based Cryptography (PBC) [51] library (version 0.5.14) has been used to execute pairing steps and the Openssl library [52] (version 1.1.1k) is deployed to implement two hash (SHA 256) operations. For the choice of experimental parameters, we used the file params/a.param provided by PBC for type A pairing and constructed a 256-bit order elliptic curve [53] group of type A. To obtain more accurate results,all experiments were run 50 times to get an average. e step Encrypt needs to execute two time-consuming calculations, namely, pairing operation and exponentiation on group G 1 , totally costing almost 602.024 ms for 100 members. We utilize the file with the size of 32 M for experimental demonstration, so the total number of blocks is 10 6 which is bounded by the order of the 256-bit group. Suppose that all blocks are averagely distributed to project members; thereby the number of members getting the blocks is 10 4 . Figure 2 depicts the time cost result for the members varying from 1 to 100 to generate all ciphertext blocks. rough observation, it is found that the time consumption of encrypting operation is proportional to the number of users. It takes 5.83 ms for a single member to encrypt all its data blocks, while all members can accept the fact that it takes 602.02 ms to encrypt all data blocks. Moreover, the operation that all data blocks are clustered together and encrypted only occurs at the beginning of the project, in the distribution phase of the subproject.
Based on the cost of ciphertext generation, we now evaluate the cost of tag generation experimentally. We still leverage the 10 6 ciphertext blocks for the experiment. To carry out the experiment demonstration, we utilize the participant ciphertext number ranging from 10 5 to 10 6 with an increment of 10 5 for each test. From the experimental results in Figure 3, we can observe that the time consumption for tag generation is linear with the increase of the number of blocks, and it takes about 173.9 s to generate tags for all 10 6 blocks. As observing the proposed scheme, the entire Encrypt and TagGen processes are executed by only the project manager; thereby the project members just need to download the ciphertext and tags within the appointed time.

Ciphertext
In Figure 4, we can see that when the size of project group varies from 500 to 1000 and the number of challenge members ranges from 0 to 200, our scheme can achieve an auditing task with the maximum verification time of 14.664 s and 42 KB by choosing c � 460.

Conclusion
In this paper, a remote encrypted data integrity auditing scheme stored on a cloud service provider is presented. is scheme addresses the integrity auditing issue for the encrypted data which is shared with numerous members of a group. In our scheme, the sponsor of a shared data group is the project manager who is responsible for the initialization of system parameters, the selection of partial private keys for project members, and the generation of original ciphertext blocks for subprojects. Meanwhile, with the help of certificateless signature idea, the synchronization change between the ciphertext block and the tag is realized, and the problem of auditing the integrity of the ciphertext block is transformed into an equation verification related to the tag. erefore, based on the above two measures, the key escrow and certificate management in PKI naturally do not exist. With regard to the revocation of the member, our scheme utilizes the homomorphic hash function to transform the ciphertexts of the revoked members into the ciphertexts of the existing members without leaking the information of ciphertext. Finally, the protocol has been proven secure to satisfy adaptively selective the ciphertext attack assuming the stability of CDH and DL in bilinear pairing. From the results of the experiment, our scheme is efficient in both computation and communication cost and more secure in a shared group in cloud storage.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.