Public Cloud Data Auditing Revisited: Removing the Tradeoff Between Proof Size and Storage Cost

Abstract

Public cloud data auditing allows any third party to check the integrity of data stored on untrusted cloud servers without retrieving the data. The challenge is how to audit the proof of storage with efficient communications. In ACM CCS 2007, Ateniese et al. described the first practical public cloud data auditing scheme based on RSA, in which the proof of storage consists of one RSA element and one hash value and the storage cost for generating the proof can be as short as \(1\%\) of the stored file. Soon after, in Asiacrypt 2008, Shacham and Waters gave another public cloud data auditing scheme based on bilinear pairing, in which the generated proof of storage can be as short as 320 bits for 80-bit security (71\(\%\) less compared to Ateniese et al.’s scheme). However, Shacham and Waters’ scheme must trade off the storage cost, where the storage overhead for generating the proof of storage must be \(100\%\) of the stored file. Surprisingly, until today, the tradeoff between the proof size (namely proof of storage) and the storage cost (namely storage overhead) in cloud data auditing remains an open problem.

In this paper, we introduce a completely new public cloud data auditing mechanism. The proof of storage is not computed from block tags directly, but from evolution tags that are still unforgeable and evolved from bunch tags. We propose a concrete public cloud data auditing scheme based on this mechanism, in which the proof size is 240 bits for 80-bit security (25\(\%\) less compared to Shacham and Waters’ scheme) and the storage cost can be as efficient as Ateniese et al.’s scheme. The core of our technique is the feasibility of tag aggregations within this new mechanism. Our scheme is provably secure in the random oracle model.

Appendix A

Theorem 2

The n-GDHE problem fulfils the intractability analysis stated in [6].

Proof. The n-GDHE problem is to compute \(e(h_1, h_2)^{a^{n+1}bc}\) from the following given instance

$$\begin{aligned}&h_1, h_1^c \in G_1\\&h_2, h_2^b \in G_2\\&h_1^a, h_1^{a^2},\cdots , h_1^{a^n} \in G_1\\&h_2^{a^1}, ~h_2^{a^2},~\cdots ,h_2^{a^n}, h_2^{a^{n+1}},~ h_2^{a^{n+2}},\cdots , ~h_2^{a^{2n}} \in G_2\\&h_2^{a^1b}, h_2^{a^2b},\cdots ,h_2^{a^nb},~~~~~~~, h_2^{a^{n+2}b},\cdots , h_2^{a^{2n}b} \in G_2. \end{aligned}$$

The n-GDHE problem instance can be reformulated as

$$\begin{aligned} P_1= & {} \left( \begin{array}{lcl} 1, ~c, &{} &{}\\ a, ~a^2, &{} \cdots , &{} ~a^n, \\ \end{array}\right) , \\ P_2= & {} \left( \begin{array}{l} ~1 ,~b\\ ~a, ~~ \cdots , ~a^n,~~ a^{n+1},~~ a^{n+2},~\cdots , ~~~ a^{2n}\\ ~ ab, \cdots , ~ ~ a^nb,~~~~~~~~~~~~ a^{n+2}b,~\cdots , ~~ a^{2n}b\\ \end{array}\right) , \\ Q= & {} 1,\\ F= & {} a^{n+1}bc. \end{aligned}$$

Here, \(P_1\) refers to the set of exponents with \(h_1\) as the base in all group elements in \(G_1\) in the problem instance. \(P_2\) refers to the set of exponents with \(h_2\) as the base in all group elements in \(G_2\) in the problem instance. Q refers to the set of exponents with \(e(h_1, h_2)\) as the base in all group elements in \(G_T\) in the problem instance.

We need to show that F is independent of \((P_1,P_2,Q)\), i.e. that no coefficients \(x_i,y_j\) and z exist such that \( a^{n+1}bc=F=\sum x_{i}d_iy_jd_j+z,\) where \(d_i \in P_1 ,d_j \in P_2\). In order to satisfy this equation, the multiplication of any element from \(P_1\) and any element from \(P_2\) must contain abc only. By making all possible multiplications listed in \(F'\) as follows

$$\begin{aligned} F'= & {} \left( \begin{array}{rcl} ab \cdot c, ~ a^2b \cdot c, &{} \cdots ,&{} ~ a^nb \cdot c,\\ ~ a^{n+2}b \cdot c,&{}~\cdots ,&{} ~ a^{2n}b \cdot c\\ \end{array}\right) . \end{aligned}$$

we want to prove that no linear combination among the polynomials from the list \(F'\) below leads to F.

Any such linear combination associated with abc can be written as \( a^{n+1}bc=A(a) abc+B(a) a^{n+2}bc, \) where A(a) and B(a) are polynomials with \( 0\le deg A(a) \le n-1\) and \( 0\le deg B(a) \le n-2\). By cancelling out abc in both sides, we can simplify the above equation as

$$\begin{aligned} a^{n}(1-aB(a))=A(a). \end{aligned}$$

Since A(a) has the degree less than n and \(a^n| A(a)\), we have \(1-aB(a)=A(a)=0\). That is, \(aB(a)=1\) for any a. On the other hand, we have \(0\cdot B(0)=0\). Therefore, there does not exist coefficients \({x_{i}},y_j\) and z such that \(F=\sum x_{i}d_iy_jd_j+z\) holds. Hence, the defined n-GDHE problem is one of the intractable GDHE problems. This completes the proof. \(\Box \)