
IPad: ID-based public auditing for the outsourced data in the standard model

Cluster Computing

Abstract

Cloud storage is an important cloud computing service that allows data users to store and access their files anytime, from anywhere, and with any device. To ensure the security of outsourced data, it must also allow a data user to periodically verify, at relatively low cost, the integrity of data outsourced to an untrusted cloud server. Most recent auditing protocols that address this problem are based on the traditional public key infrastructure, in which the auditor must validate the data user's certificate before auditing data integrity. This incurs a large computation cost and is not suitable for the multi-user setting. To overcome this problem, in this paper we propose two efficient ID-based public auditing protocols for outsourced data by combining Waters' signature with public auditing for outsourced data. The two protocols are provably secure in the standard security model. In particular, our optimized protocol has constant communication overhead and computation cost. To the best of our knowledge, it is the first ID-based auditing protocol for data integrity in the standard security model. Compared with Wang et al.'s scheme and Tan et al.'s scheme, our protocols have large advantages in terms of communication cost and computation cost. Simulation results show that our proposed ID-based auditing protocols are the most efficient of the three schemes in terms of computation cost.


Acknowledgments

This work was supported by Beijing Municipal Natural Science Foundation (No: 4122024,4132056) and The importation and development of High-Caliber Talents project of Beijing municipal Institutions (CIT&TCD201304004).

Author information

Corresponding author

Correspondence to Jianhong Zhang.

Appendix


Theorem 1

If there exists a probabilistic polynomial-time adversary \(\mathcal {A}\) that can convince the auditor to accept a fake proof with non-negligible probability, then we can construct an algorithm B that solves the CDH problem.

Proof

Assume that there exists an adversary \(\mathcal {A}\) that can produce a fake proof which passes verification. Then we can construct an algorithm B that interacts with \(\mathcal {A}\) to break the CDH assumption. First, recall the CDH problem: given a group \(\mathbb {G}_1\), a generator \(g\in \mathbb {G}_1\) and two elements \(g^a,g^b \in \mathbb {G}_1\), where \(a,b\) are unknown, the goal is to compute the element \(g^{ab}\).

In order to use \(\mathcal {A}\) to solve the CDH problem, B acts as the challenger and simulates the following oracles in its interaction with \(\mathcal {A}\).

Setup Let \(l_u=2(q_e+q_t)\), where \(q_e\) is the number of queries to the KeyExtract oracle and \(q_t\) is the number of queries to the TagGen oracle. B randomly chooses an integer \(k_u\) satisfying \(0\le k_u \le n_u\). We assume that \(l_u(n_u+1)<q\) for the given values \(q_e\), \(q_t\) and \(n_u\). Then B produces the following random numbers to set up the public parameters:

  • First, it randomly selects \(x' \in _R Z_{l_u}\) and \(y'\in _R Z_p\).

  • For \(i=1\) to \(n_u\), it randomly selects \(\hat{x}_i \in Z_{l_u}\) and \(\hat{y}_i \in Z_q\).

  • Then, it defines the following functions for binary strings \(\mathfrak {U}_j\), where \(\mathfrak {U}_j=H_v(ID_j)\) for a data user with identity \(ID_j\):

    $$\begin{aligned} F(\mathfrak {U}_j)=x'+\sum _{i\in \mathfrak {V}_j}\hat{x}_i -l_uk_u \quad \text {and} \quad J(\mathfrak {U}_j)=y'+\sum _{i\in \mathfrak {V}_j}\hat{y}_i \end{aligned}$$

  • B sets up the public parameters as follows: \(P_{pub}=g^a\), \(g_2=g^b\), \(v'=g_2^{-l_uk_u+x'}g^{y'}\), \(v_i=g_2^{\hat{x}_i}g^{\hat{y}_i}\) for \(1\le i \le n_u\).

Obviously, the master secret key is \(P_{pub}^{b}=g_2^{\alpha }=g^{ab}\) and the following relation holds:

$$\begin{aligned} v'\prod _{i\in \mathfrak {V}_j}v_i=g_2^{F(\mathfrak {U}_j)}g^{J(\mathfrak {U}_j)} \end{aligned}$$

Key extraction When the adversary \(\mathcal {A}\) makes a key extraction query on an identity \(ID_j\), B first computes \(\mathfrak {U}_j=H_v(ID_j)\). If \(F(\mathfrak {U}_j)\ne 0 \bmod q\), B constructs the private key of the data user \(ID_j\) as follows:

  1. It randomly chooses \(e_{u_j} \in _R Z_q\).

  2. Then it computes \(d_{j1}=(P_{pub})^{-\frac{J(\mathfrak {U}_j)}{F(\mathfrak {U}_j)}} \Big (g_2^{F(\mathfrak {U}_j)}g^{J(\mathfrak {U}_j)}\Big )^{e_{u_j}}\) and \(d_{j2}=(P_{pub})^{-\frac{1}{F(\mathfrak {U}_j)}} g^{e_{u_j}}\).

  3. Finally, it sets \(d_j=(d_{j1},d_{j2})\) as the private key of the data user with identity \(ID_j\) and adds \((ID_j,d_j)\) to the \(H_v\)-list, which is initially empty.

Letting \(e_j=e_{u_j}-\frac{a}{F(\mathfrak {U}_j)}\), the above private key is valid since

$$\begin{aligned} d_{j1}= & {} (P_{pub})^{-\frac{J(\mathfrak {U}_j)}{F(\mathfrak {U}_j)}}\left( g_2^{F(\mathfrak {U}_j)}g^{J(\mathfrak {U}_j)}\right) ^{e_{u_j}}\\= & {} g^{-\frac{a J(\mathfrak {U}_j)}{F(\mathfrak {U}_j)}}\left( g_2^{F(\mathfrak {U}_j)}g^{J(\mathfrak {U}_j)}\right) ^{e_{u_j}}\\= & {} g^{-a\frac{J(\mathfrak {U}_j)}{F(\mathfrak {U}_j)}}\left( \left( g_2^{F(\mathfrak {U}_j)}g^{J(\mathfrak {U}_j)} \right) ^{\frac{a}{F(\mathfrak {U}_j)}}\right) \\&\times \,\left( \left( g_2^{F(\mathfrak {U}_j)}g^{J(\mathfrak {U}_j)}\right) ^{-\frac{a}{F(\mathfrak {U}_j)}}\right) \left( g_2^{F(\mathfrak {U}_j)}g^{J(\mathfrak {U}_j)}\right) ^{e_{u_j}}\\= & {} g^{-\frac{aJ(\mathfrak {U}_j)}{F(\mathfrak {U}_j)}} g^{ab}g^{\frac{aJ(\mathfrak {U}_j)}{F(\mathfrak {U}_j)}} \left( g_2^{F(\mathfrak {U}_j)}g^{J(\mathfrak {U}_j)}\right) ^{e_{j}}\\= & {} g^{ab}\left( g_2^{F(\mathfrak {U}_j)}g^{J(\mathfrak {U}_j)}\right) ^{e_{j}} \end{aligned}$$

and

$$\begin{aligned} d_{j2}=P_{pub}^{-\frac{1}{F(\mathfrak {U}_j)}} g^{e_{u_j}}=g^{-\frac{a}{F(\mathfrak {U}_j)}} g^{e_{u_j}}=g^{e_{j}} \end{aligned}$$

If \(F(\mathfrak {U}_j)=0 \bmod q\), the private key cannot be constructed by the above procedure, so B aborts.

TagGen queries When the adversary \(\mathcal {A}\) makes a tag query on \((m,ID_j)\), B responds as follows:

  1. First, B checks whether the identity \(ID_j\) exists in the \(H_v\)-list. If it exists, then B executes the following steps:

    (a) For \(k=0\) to \(s\), randomly choose \(r_k \in _R Z_q\) and compute \(u_k=g_2^{r_k}\).

    (b) Produce a public/private key pair \((pk_s,sk_s)\leftarrow \Sigma .KGen(1^l)\) using a secure signature algorithm \(\Sigma \), where \(l\) is a security parameter.

    (c) Compute \(\phi =\Sigma .sign(sk_s,\tau _0)\) to obtain a signature on the string \(\tau _0\), where \(\tau _0\) is "\(Name||n||u_0||u_1||\cdots ||u_s\)" and \(n\) denotes the number of data blocks.

    (d) Assume that \(m\) is divided into \(n\) blocks. For each data block \(m_i\), \(1\le i \le n\), compute

      $$\begin{aligned} \omega _i=r_0H_1(Name||i)+\sum _{j=1}^sr_jm_{ij} \end{aligned}$$

    (e) The authentication tag on data block \(m_i\) is computed as

      $$\begin{aligned} t_i=\left( t_{i1}=(d_{j1})^{\omega _i}=g_2^{\xi _1}\left( v'\prod _{i\in \mathfrak {V}_j}v_i\right) ^{\xi _2},t_{i2}=d_{j2}^{\omega _i}=g^{\xi _2}\right) \end{aligned}$$

      where \(\xi _1=\alpha \cdot \omega _i\) and \(\xi _2=a_{u_j}\cdot \omega _i\).

  2. If \(ID_j\) does not exist in the \(H_v\)-list, then B invokes Key extraction to obtain a private key \(d_j\) for identity \(ID_j\) and produces the authentication tags \((t_1,\ldots ,t_n,\tau _0)\) as in step 1.

  3. Finally, it returns \((t_1,\ldots ,t_n,\tau _0)\) to the adversary \(\mathcal {A}\).

Auditing queries In this type of query, B and the adversary \(\mathcal {A}\) play the roles of the auditor and the prover, respectively. Any challenged file must previously have been submitted to TagGen queries. B runs the Challenging algorithm to produce a challenge C and sends it to \(\mathcal {A}\). After the adversary receives the challenge C, it produces a proof Prf. Finally, B verifies the proof Prf by running the Verifying algorithm.

Output Eventually, \(\mathcal {A}\) outputs a fake proof \(Prf^{*}\) on a data file \(m^{*}\) of the data user with identity \(ID^{*}\) with non-negligible probability \(\varepsilon \). B checks whether the following conditions are satisfied:

  1. \(F(\mathfrak {U}^{*})=0 \bmod q\), where \(\mathfrak {U}^{*}=H_v(ID^{*})\);

  2. \(Prf^{*}\) satisfies the verifying equation Eq. 5.

If the above conditions are not all satisfied, then B aborts.

Let \(Prf^{*}=(\delta ^{*}_1,\delta ^{*}_2,\{\mu ^{*}_i\})_{i=1,\ldots ,s}\) be the fake proof, with \(Prf^{*}\ne Prf\), where \(Prf=(\delta _1,\delta _2,\{\mu _i\})_{i=1,\ldots ,s}\) is the real proof. They therefore satisfy the following relations:

$$\begin{aligned} e\left( u_0^{\hat{h}}\cdot \prod _{i=1}^su_i^{\mu ^{*}_i},P_{pub}\right) e\left( v'\prod _{i\in \mathfrak {V}^{*}}v_i,\delta ^{*}_2\right) =e(\delta ^{*}_1,g) \end{aligned} \tag{16}$$

and

$$\begin{aligned} e\left( u_0^{\hat{h}}\cdot \prod _{i=1}^su_i^{\mu _i},P_{pub}\right) e\left( v'\prod _{i\in \mathfrak {V}^{*}}v_i,\delta _2\right) =e(\delta _1,g) \end{aligned} \tag{17}$$

Based on Eqs. 6 and 7, we can obtain

$$\begin{aligned} e\left( \frac{\prod _{i=1}^su_i^{\mu ^{*}_i}}{\prod _{i=1}^su_i^{\mu _i}},P_{pub}\right) e\left( v'\prod _{i\in \mathfrak {V}^{*}}v_i,\frac{\delta ^{*}_2}{\delta _2}\right) =e\left( \frac{\delta ^{*}_1}{\delta _1},g\right) \end{aligned} \tag{18}$$

$$\Updownarrow $$

$$\begin{aligned} e\left( g_2^{\sum _{i=1}^sr_i(\mu ^{*}_i-\mu _i)},P_{pub}\right) e\left( g^{J(\mathfrak {U}^{*})},\frac{\delta ^{*}_2}{\delta _2}\right) =e\left( \frac{\delta ^{*}_1}{\delta _1},g\right) \end{aligned} \tag{19}$$

where \(v'\prod _{i\in \mathfrak {V}^{*}}v_i=g_2^{F(\mathfrak {U}^{*})}g^{J(\mathfrak {U}^{*})}\) and \(F(\mathfrak {U}^{*})=0\).

Thus, we have

$$\begin{aligned} g_2^{a\sum _{i=1}^sr_i(\mu ^{*}_i-\mu _i)}&= \left( \frac{\delta ^{*}_2}{\delta _2}\right) ^{J(\mathfrak {U}^{*})}\cdot \frac{\delta ^{*}_1}{\delta _1} \\&\Downarrow \\ g^{ab}&= \left( \left( \frac{\delta ^{*}_2}{\delta _2}\right) ^{J(\mathfrak {U}^{*})}\cdot \frac{\delta ^{*}_1}{\delta _1}\right) ^{\pi ^{-1}} \end{aligned} \tag{20}$$

where \(\pi =\sum _{i=1}^sr_i(\mu ^{*}_i-\mu _i)\).

This means that the right side of Eq. 10 is the solution of the CDH problem instance, which contradicts the assumed hardness of the CDH problem. \(\Box \)


Cite this article

Zhang, J., Li, P. & Mao, J. IPad: ID-based public auditing for the outsourced data in the standard model. Cluster Comput 19, 127–138 (2016). https://doi.org/10.1007/s10586-015-0511-3


  • DOI: https://doi.org/10.1007/s10586-015-0511-3
