Efficient Pairing-Free Privacy-Preserving Auditing Scheme for Cloud Storage in Distributed Sensor Networks

Abstract

With the rapid growth of distributed sensor networks, their data security problems have begun to attract attention. Previous research on distributed sensor network security has focused on securing information in communication, whereas secure data storage has been overlooked. Cloud data storage and retrieval have become popular for efficient data management in distributed sensor networks, which can thus enjoy on-demand, high-quality cloud storage service. However, this also introduces new security challenges. To tackle these challenges, many classic auditing schemes for cloud storage have been proposed. However, these schemes all need very expensive pairing computation, which is not suitable for sensor networks. In this paper, we propose an efficient pairing-free auditing scheme for data storage in distributed sensor networks. We exploit homomorphic message authentication codes (MACs) to reduce the space used to store the verification information. We also employ the random masking technique to ensure that the TPA cannot recover the primitive data blocks of the sensor network data manager. Experimental results show that our auditing scheme is more lightweight than previous auditing schemes and more practical in applied distributed sensor network environments.

1. Introduction

Nowadays, distributed sensor networks are being rapidly deployed in many practical environments [1, 2]. As they are applied more widely, sensor network data managers often need to collect massive amounts of data and choose to store them on a cloud server, so the security and privacy of stored sensor network data become increasingly important [3, 4]. Cloud computing is an alternative to the conventional computing model since it can provide a flexible, resilient, and cost-effective infrastructure [5], which makes it a suitable option for storing massive sensor network data [6]. Cloud storage is an important service of cloud computing that allows cloud users to move data from their local computing systems to the cloud. By outsourcing data, cloud users are relieved of the burden of local data storage and maintenance. Thus the cloud users can concentrate on their core business issues and operate other business applications through the Internet, rather than incurring the substantial hardware, software, and personnel costs involved in deploying and maintaining applications in-house.

Although the cloud storage service makes these advantages more appealing than ever before, it also introduces new security challenges for users' outsourced data [7–9]. First, cloud users worry that their data could be misused or accessed by unauthorized users. Much research has been done on this security issue of data hosting [10–12]. Second, cloud users worry that their data could be lost in the cloud, because data loss can happen in any infrastructure, no matter how reliable the measures taken by the cloud service providers are [13, 14]. Sometimes, the cloud service providers may be dishonest: they may discard data that have never or rarely been accessed in order to save storage space, or keep fewer replicas than promised. Moreover, the cloud service providers may choose to hide data loss and claim that the data are still correctly stored in the cloud. Consequently, cloud users need to be convinced that their data are correctly stored in the cloud.

As the cloud users no longer physically possess the storage of their data, traditional cryptographic primitives for the purpose of data security protection can not be directly adopted. Thus how to efficiently verify the integrity of outsourced cloud data without the local copy of data files becomes a big challenge for data storage security in cloud computing. Checking on retrieval is a common method for checking the data integrity, which means cloud users check the data integrity when accessing their data. This method has been used in peer-to-peer storage systems [15], network file systems [16, 17], web-service object stores [18], and database systems [19]. However, checking on retrieval is not sufficient to check the integrity for all the data stored in the cloud. There is usually a large amount of data stored in the cloud; the ability to audit the correctness of the data in a cloud environment can be formidable and expensive for the cloud users [20, 21]. Therefore, in order to save the communication resources as well as the online burden potentially brought by the periodic storage correctness verification, cloud users can delegate a third party (TPA) to perform security auditing tasks as it is not economically feasible for them to handle it by themselves. Meanwhile, the cloud users also hope to keep their data private from the TPA and the cloud server.

1.1. Related Work

Until now, a number of auditing schemes with different requirements have been proposed for ensuring the integrity of remotely stored data without knowledge of the entire data [20, 22–24]. However, these schemes need expensive pairing computation, which is a burden for a sensor network. Moreover, most of these schemes [20, 22, 24] do not consider the privacy protection of users' data, so the data may be revealed to curious adversaries. This shortcoming greatly affects the security of these schemes in cloud computing. From the viewpoint of protecting data privacy, users who rely on the TPA for the storage security of their data do not want the auditing process to introduce new vulnerabilities of unauthorized information leakage toward their data [25]. Unauthorized data leakage still remains possible due to the potential exposure of decryption keys. In 2013, Wang et al. [26] presented a privacy-preserving public auditing scheme for cloud storage; it resorts to the homomorphic authenticator technique and the random masking technique to achieve privacy-preserving public auditing and utilizes bilinear aggregate signatures to realize batch auditing. However, it also requires very expensive pairing computation, which is time-consuming. Therefore, how to design an efficient privacy-preserving auditing scheme for cloud storage in distributed sensor networks, especially one that avoids the expensive pairing computation, is the problem we address in this paper.

1.2. Our Contribution

Motivated by the above, in this paper, we propose an efficient pairing-free privacy-preserving auditing scheme for cloud storage in distributed sensor networks. In particular, we utilize the modified Schnorr signature to construct homomorphic authenticator so that the TPA can verify the integrity of the data without retrieving the entire data. Additionally, we exploit homomorphic MACs [27] to reduce the space used to store the verification information. As a necessary tradeoff, we allow the TPA to share a private key pair with the DSN data manager, which we refer to as authorized auditing. Due to the function of the random masking, even if the authorized TPA possesses the private key pair, the TPA cannot recover the primitive data blocks of the DSN data manager. As the individual auditing of these growing auditing tasks can be tedious, we extend our basic scheme to support batch auditing for multiuser, which can thus enable the TPA to efficiently perform multiple auditing tasks in a batch manner simultaneously. Furthermore, compared with the previous classic auditing scheme [26], our experimental results show that our auditing scheme is more light-weight, and this is mainly because our auditing scheme does not need the expensive pairing operations, which can satisfy the requirement of the sensor network.

1.3. Organization

The rest of this paper is organized as follows. We introduce the preliminaries of our work in Section 2. We give the formal pairing-free privacy-preserving auditing scheme for cloud storage with distributed sensor networks in Section 3. We give the analysis of the proposed auditing scheme in Section 4. We make a performance comparison in Section 5. We make a conclusion in Section 6.

2. Preliminaries

2.1. The Cloud Data Storage Model in Sensor Network

We exemplify the security needs in data storage with a distributed sensor network application scenario. Here, for simplicity, we assume that, after the sink node collects the data, a DSN (distributed sensor network) data storage manager processes and transfers the sensor network data to the cloud server. Since the DSN data storage manager does not own additional computing resources, it relies only on the limited computing capacity of the sink node to complete secure DSN data storage. From the DSN's point of view, it acts as a data storage manager, while, from the point of view of the CSP (cloud service provider), it acts as a special cloud user. In our application scenario, we suppose Pob is a DSN data owner whose business is to collect sensor network data, which are processed to supply various services to clients. Since he does not have enough money to buy devices and hire professionals, he wishes to outsource his data to the CSP. However, he has the following concerns: (1) he cannot physically control the data, and the CSP may deny that data have been lost, so he needs to be able to verify the integrity of the data at any time; (2) the CSP is honest but curious, so Pob wants to guarantee the confidentiality of his data and must ensure that his storage mode is privacy-preserving; (3) Pob's main responsibility is the sensor network, so he needs an efficient auditing scheme to complete this task.

As illustrated in Figure 1, sensor nodes collect data from the target setting and send them to sink node; Pob is a distributed sensor networks data owner; he can assign a DSN data storage manager to sign and encrypt data, then outsource data and tags to CSP, and delete local data simultaneously. If the DSN data storage manager wants to verify data integrity stored in the cloud server, he makes a request for TPA; TPA verifies tags after it receives the requests. If it is true, it generates a challenge message. After receiving the challenge message request, CSP supplies the response proof to TPA; TPA verifies the response proof message and returns the verified result to the DSN data storage manager. Finally, the DSN data storage manager submits the auditing result to Pob.

Figure 1

DSN data storage in the CSP.

The sensor network (DSN) data manager can rely on the cloud server for cloud data storage and maintenance. They may also dynamically interact with the cloud server to access and update their stored data for various application purposes. The DSN data manager may resort to the TPA for ensuring the storage security of their outsourced data, while hoping to keep their data private from the TPA. We consider that a semitrusted cloud server exists. Namely, in most of time it behaves properly and does not deviate from the prescribed protocol execution. However, during providing the cloud data storage based services, for the benefits the cloud server might neglect to keep or deliberately delete rarely accessed data files which belong to the DSN data manager. Moreover, the cloud server may decide to hide the data corruptions caused by server hacks or failures to maintain reputation. We assume that the TPA, who is in the business of auditing, is reliable and independent and thus has no incentive to collude with either the cloud server or the DSN data manager during the auditing process. The TPA should be able to efficiently audit the cloud data storage without local copy of data and without bringing in additional online burden to the DSN data manager. However, any possible leakage of DSN manager's outsourced data towards the TPA through the auditing protocol should be prohibited.

2.2. Design Goals

To enable privacy-preserving auditing for cloud data storage under the aforementioned model, our auditing scheme should achieve the following security and performance guarantees:

(i) public auditability: to allow the TPA to verify the correctness of the cloud data on demand without retrieving a copy of the whole data or introducing additional online burden to the DSN data manager,

(ii) storage correctness: to ensure that no cheating cloud server can pass the auditing from the TPA without indeed storing the DSN data manager's data intact,

(iii) privacy-preserving: to ensure that there exists no way for the TPA to derive the DSN data managers' data content from the information collected during the auditing process,

(iv) batch auditing: to enable the TPA with secure and efficient auditing capability to cope with multiple auditing delegations from a possibly large number of different DSN data managers simultaneously,

(v) lightweight: to allow the TPA to perform auditing with minimum communication and computation overhead.

2.3. Cryptographic Definition

Definition 1.

The Discrete Logarithm problem is stated as follows: given a multiplicative cyclic group G of order p and $g, d \in G$ as input, compute $η \in Z_{p}$ such that $d = g^{η}$.

The Discrete Logarithm assumption holds in G if no polynomial time algorithm has a nonnegligible probability in solving the Discrete Logarithm problem, which means it is computationally infeasible to solve the Discrete Logarithm problem in G.

Now we introduce homomorphic MAC, described in [27].

Definition 2 (Homomorphic MAC).

Given a data block $m_{j} = (m_{j, 1}, \dots, m_{j, k}) \in Z_{q}^{k}$ , the homomorphic MAC of this data block can be computed as $t_{j} = \sum_{l = 1}^{k} ‍ ρ_{l} m_{j, l} + ω_{j} \in Z_{q}$ , where $ρ = (ρ_{1}, \dots, ρ_{k})$ is generated by a pseudorandom generator and a secret key $s k_{prg}$ and $ω_{j}$ is calculated by a pseudorandom function and a secret key $s k_{prf}$ .

We know that, given $t_{1}$ and $t_{2}$, an intermediate node can compute a valid MAC of a new data block $m^{'} = m_{1} + m_{2}$ by calculating $t^{'} = t_{1} + t_{2}$ without knowing the secret key pair $({sk}_{prg}, {sk}_{prf})$.
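The additive property in Definition 2 can be checked numerically. The following is a minimal sketch, not the construction of [27]: the modulus `Q`, the SHA-256-based `prg`, and the HMAC-based `prf` are stand-ins assumed purely for illustration. The combined tag $t_{1} + t_{2}$ is verified against the combined block $m_{1} + m_{2}$ with the combined offset $ω_{1} + ω_{2}$, which is how the offsets enter $λ_{1}$ later in the scheme.

```python
import hashlib
import hmac

Q = 2**61 - 1  # toy prime modulus standing in for q (assumption)

def prg(sk_prg, k):
    """Stand-in PRG: expand sk_prg into k coefficients rho_1..rho_k in Z_q."""
    return [
        int.from_bytes(hashlib.sha256(sk_prg + i.to_bytes(4, "big")).digest(), "big") % Q
        for i in range(k)
    ]

def prf(sk_prf, block_id):
    """Stand-in PRF: map a block identifier to omega_j in Z_q."""
    return int.from_bytes(hmac.new(sk_prf, block_id, hashlib.sha256).digest(), "big") % Q

def mac(rho, omega, block):
    """t_j = sum_l rho_l * m_{j,l} + omega_j  (mod q)."""
    return (sum(r * m for r, m in zip(rho, block)) + omega) % Q

sk_prg, sk_prf = b"demo-prg-key", b"demo-prf-key"   # hypothetical keys
m1, m2 = [3, 1, 4], [1, 5, 9]
rho = prg(sk_prg, 3)
w1, w2 = prf(sk_prf, b"id-1"), prf(sk_prf, b"id-2")
t1, t2 = mac(rho, w1, m1), mac(rho, w2, m2)

# The sum of the tags is a valid tag for the sum of the blocks.
m_sum = [(a + b) % Q for a, b in zip(m1, m2)]
t_sum = (t1 + t2) % Q
```

Anyone holding only `t1` and `t2` can form `t_sum`; checking it still requires the secret keys.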

3. Pairing-Free Privacy-Preserving Auditing Scheme for Cloud Storage in Distributed Sensor Networks

In this section, we propose our privacy-preserving authorized auditing scheme for cloud storage in distributed sensor networks, and our scheme does not need pairing computation and thus can reduce much computation cost. The privacy-preserving auditing scheme is illustrated in Table 1. Here, we need to define a semitrusted TPA, who is only responsible for auditing the integrity of data blocks honestly; however, it is curious and may try to reveal the DSN managers’ primitive data blocks based on verification information. Our scheme consists of the following four algorithms. They are Setup, SigGen, ProofGen, and ProofVerify, respectively.

Table 1

The privacy-preserving auditing scheme.

TPA	Message	The cloud server
(1) Retrieve the file tag $tag$, verify its signature, and quit if the verification fails.		
(2) Generate a challenge message $chal = \{(j, ν_{j})\}_{j \in J}$.	$\xrightarrow{chal = \{(j, ν_{j})\}_{j \in J}}$	
		(3) Compute $r = \prod_{j \in J} r_{j}^{ν_{j} r_{j}} \mod p$, $s = \sum_{j \in J} ν_{j} s_{j} \mod q$, and $μ_{l}^{'} = \sum_{j \in J} ν_{j} m_{j, l}^{'} \in Z_{q}$, where $l \in \{1, \dots, k\}$.
		(4) Choose a random element $η_{l} \leftarrow Z_{q}$ and calculate $W_{l} = y^{η_{l}}$.
		(5) Compute $μ = (μ_{1}, \dots, μ_{k})$, where $μ_{l} = μ_{l}^{'} + η_{l} h (W_{l})$, and $W = (W_{1}, \dots, W_{k})$.
	$\xleftarrow{\{μ, r, s, W, \{{id}_{j}\}_{j \in J}\}}$	
(6) Generate $ρ = (ρ_{1}, \dots, ρ_{k}) \leftarrow PRG ({sk}_{prg}) \in Z_{q}^{k}$ and $ω_{j} \leftarrow PRF ({sk}_{prf}, {id}_{j}) \in Z_{q}$.		
(7) Compute $λ_{1} = \sum_{l = 1}^{k} ρ_{l} μ_{l} + \sum_{j \in J} ν_{j} ω_{j} \in Z_{q}$, $λ_{2} = \sum_{l = 1}^{k} \sum_{j \in J} ρ_{l} ν_{j} f_{τ} (l, {id}_{j}) \in Z_{q}$, and $h (W_{l})$, where $l \in \{1, \dots, k\}$, and then verify $\{μ, r, s, W, \{{id}_{j}\}_{j \in J}\}$ via the verification equation.		

Setup. The system chooses two large prime numbers p and q such that q is a prime factor of $p - 1$. It chooses an integer g such that $g^{q} \equiv 1 \mod p$; g is a generator of a multiplicative cyclic group of order q, denoted by G. The data file M is divided into n blocks, and each data block is further divided into k elements of $Z_{q}$. Therefore, M can be represented as $M = (m_{1}, m_{2}, \dots, m_{n}) \in Z_{q}^{n \times k}$, where each $m_{j} = (m_{j, 1}, m_{j, 2}, \dots, m_{j, k}) \in Z_{q}^{k}$, $1 \leq j \leq n$. The system sets a pseudorandom generator $PRG : K_{prg} \to Z_{q}^{k}$ and a pseudorandom function $PRF : K_{prf} \times I \to Z_{q}$, where $K_{prg}$ and $K_{prf}$ denote the sets of secret keys for $PRG$ and $PRF$, respectively, and $I$ denotes the set of identities of the data blocks in data file M. Then, the DSN data manager randomly selects $x \leftarrow Z_{q}$ with $x \neq 0$ and computes $y = g^{x} \mod p$. Meanwhile, the DSN data manager also randomly chooses a secret key pair $skp = ({sk}_{prg}, {sk}_{prf})$, where ${sk}_{prg} \in K_{prg}$ and ${sk}_{prf} \in K_{prf}$. The system sets a lightweight symmetric encryption algorithm f with private key τ. The system also sets a secure hash function $h : G \to Z_{q}$. In particular, to generate the data block tag, the DSN data manager chooses a random signing key pair $(spk, ssk)$. Thus the public parameters are $pk = \{G, g, y, spk\}$, and the private parameters are $sk = \{x, τ, ssk\}$.

SigGen. Given a data block $m_{j} = (m_{j, 1}, \dots, m_{j, k})$, let ${id}_{j} \in I$ denote its identifier. To ensure the integrity of the unique data block identity, the DSN data manager computes ${tag}_{j} = {id}_{j} ∥ {SSig}_{ssk} ({id}_{j})$ as the data block tag for $m_{j}$. The DSN data manager computes $ρ = (ρ_{1}, \dots, ρ_{k}) \leftarrow PRG ({sk}_{prg}) \in Z_{q}^{k}$ and $ω_{j} \leftarrow PRF ({sk}_{prf}, {id}_{j}) \in Z_{q}$. Then the DSN data manager calculates the homomorphic MAC of data block $m_{j} = (m_{j, 1}, \dots, m_{j, k})$ as $t_{j} = \sum_{l = 1}^{k} ρ_{l} m_{j, l} + ω_{j} \in Z_{q}$. The DSN data manager then computes the signature of $t_{j}$ as follows:

(1) choose $k_{j} \leftarrow Z_{q}$ and compute $r_{j} \equiv g^{k_{j}} \mod p$ and $r_{j}^{'} \equiv r_{j} \mod q$;

(2) compute $s_{j} = (r_{j}^{'} k_{j} + t_{j} x) \mod q$;

(3) output $σ_{j} = (r_{j}, s_{j})$ as the signature of $t_{j}$.

Denote the set of signatures by $Φ = \{σ_{j}\}_{1 \leq j \leq n}$. Meanwhile, to guarantee the confidentiality of the data file, the DSN data manager employs the lightweight symmetric encryption algorithm f to encrypt each data block $m_{j} = (m_{j, 1}, \dots, m_{j, k})$ as $m_{j}^{'} = (m_{j, 1} + f_{τ} (1, {id}_{j}), \dots, m_{j, k} + f_{τ} (k, {id}_{j}))$ under the symmetric private key τ. Thus, the data file $M = (m_{1}, \dots, m_{n})$ is encrypted to be $M^{'} = (m_{1}^{'}, \dots, m_{n}^{'})$. Finally, the DSN data manager sends $\{M^{'}, \{{tag}_{j}\}_{1 \leq j \leq n}, Φ\}$ to the cloud server and deletes them from local storage.
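The signing steps (1) to (3) of SigGen can be sketched as follows. The toy parameters `P`, `Q`, `G` are assumptions, and the per-block check in `check_tag` is not stated in the paper: it is inferred here from the aggregate verification equation by taking a single block with $ν_{j} = 1$ and no masking, giving $g^{s_{j}} = r_{j}^{r_{j}^{'}} y^{t_{j}} \mod p$.

```python
import secrets

P, Q, G = 2039, 1019, 4   # toy parameters (assumption): Q divides P - 1, G has order Q

def sign_tag(t, x):
    """Modified Schnorr signature on a MAC value t under secret key x."""
    k = secrets.randbelow(Q - 1) + 1      # k_j in [1, q-1]
    r = pow(G, k, P)                      # r_j = g^{k_j} mod p
    r_prime = r % Q                       # r_j' = r_j mod q
    s = (r_prime * k + t * x) % Q         # s_j = r_j' k_j + t_j x mod q
    return r, s

def check_tag(t, r, s, y):
    """Inferred single-block check: g^s == r^{r'} * y^t (mod p)."""
    return pow(G, s, P) == (pow(r, r % Q, P) * pow(y, t, P)) % P

x = 123                      # hypothetical secret key
y = pow(G, x, P)             # matching public key
r, s = sign_tag(77, x)       # sign the MAC value t_j = 77
ok = check_tag(77, r, s, y)
wrong = check_tag(78, r, s, y)
```

Because g has order q, exponents can be reduced modulo q, which is why $s_{j}$ is computed in $Z_{q}$ while $r_{j}$ lives modulo p.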

ProofGen. In this phase, for each data block $m_{j}$, the TPA first retrieves the data block tag, verifies the signature ${SSig}_{ssk} ({id}_{j})$ with $spk$, and aborts if the verification fails. Otherwise, the TPA recovers ${id}_{j}$.

Now we come to the core of the auditing process. To audit the integrity of the data file, a DSN data manager first sends an auditing request to the TPA. After receiving the auditing request, the TPA generates an auditing challenge message as follows:

(1) randomly choose a c-element subset $J$ of the set $\{1, \dots, n\}$ to locate the c selected data blocks in this auditing task;

(2) for each $j \in J$, choose a random value $ν_{j}$;

(3) output an auditing challenge message $chal = \{(j, ν_{j})\}_{j \in J}$ and send it to the cloud server; the $chal$ message specifies the positions of the data blocks required to be checked.
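The challenge generation above can be sketched in a few lines. The function name `gen_challenge` is hypothetical, and drawing each $ν_{j}$ from the nonzero elements of $Z_{q}$ is an assumption, since the text only says that $ν_{j}$ is a random value.

```python
import secrets

def gen_challenge(n, c, q):
    """Pick c distinct block indices from 1..n and a random coefficient for each."""
    rng = secrets.SystemRandom()                 # OS-backed randomness
    J = sorted(rng.sample(range(1, n + 1), c))   # c-element subset of {1, ..., n}
    return [(j, rng.randrange(1, q)) for j in J] # (j, nu_j) with nu_j in [1, q-1]

chal = gen_challenge(n=100, c=10, q=1019)
```

Sampling only c of the n blocks keeps the cost of one audit independent of the file size.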

After receiving an auditing challenge message $chal$, the cloud server generates a response proof that it correctly stores the selected data blocks, as follows:

(1) compute $r = \prod_{j \in J} r_{j}^{ν_{j} r_{j}} \mod p$;

(2) compute $s = \sum_{j \in J} ν_{j} s_{j} \mod q$;

(3) compute $μ_{l}^{'}$ as the linear combination of the sampled blocks: $μ_{l}^{'} = \sum_{j \in J} ν_{j} m_{j, l}^{'} \in Z_{q}$, where $l \in \{1, \dots, k\}$.

To blind $μ_{l}^{'}$ , the cloud server chooses a random element $η_{l} \leftarrow Z_{q}$ , and then it calculates $W_{l} = y^{η_{l}}$ and $μ_{l} = μ_{l}^{'} + η_{l} h (W_{l})$ . Finally, the cloud server sends ${μ, r, s, W, {{id}_{j}}_{j \in J}}$ to the TPA for auditing, where $μ = (μ_{1}, \dots, μ_{k})$ and $W = (W_{1}, \dots, W_{k})$ .

ProofVerify. Given an auditing response proof $\{μ, r, s, W, \{{id}_{j}\}_{j \in J}\}$ and an auditing challenge message $chal = \{(j, ν_{j})\}_{j \in J}$, the TPA verifies the correctness of this proof as follows:

(1) generate $ρ = (ρ_{1}, \dots, ρ_{k}) \leftarrow PRG ({sk}_{prg}) \in Z_{q}^{k}$ and $ω_{j} \leftarrow PRF ({sk}_{prf}, {id}_{j}) \in Z_{q}$, $j \in J$;

(2) compute $λ_{1} = \sum_{l = 1}^{k} ρ_{l} μ_{l} + \sum_{j \in J} ν_{j} ω_{j} \in Z_{q}$, $λ_{2} = \sum_{l = 1}^{k} \sum_{j \in J} ρ_{l} ν_{j} f_{τ} (l, {id}_{j}) \in Z_{q}$, and $h (W_{l})$, where $l \in \{1, \dots, k\}$;

(3) verify the response proof by checking whether the verification equation $g^{s} = r y^{λ_{1} - λ_{2}} \prod_{l = 1}^{k} W_{l}^{- ρ_{l} h (W_{l})} \mod p$ holds.

If the verification equation $g^{s} = r y^{λ_{1} - λ_{2}} \prod_{l = 1}^{k} W_{l}^{- ρ_{l} h (W_{l})} \mod p$ holds, the DSN data manager can believe that the data file stored in the cloud server is intact and has not been modified by others. Moreover, because of the random masking values $\{W_{l}\}_{1 \leq l \leq k}$, the TPA cannot recover the primitive data blocks from the DSN manager's data file.
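The interplay of SigGen, ProofGen, and ProofVerify can be traced with a toy end-to-end run. This is a sketch under stated assumptions, not the authors' implementation: the parameters `P`, `Q`, `G` are tiny, a single SHA-256-based helper `H` stands in for PRG, PRF, $f_{τ}$, and h (and is restricted to nonzero outputs for the sake of a deterministic demo), block identifiers are simply the block indices, and the tag signature $SSig$ is omitted.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # toy parameters (assumption): Q divides P - 1, G has order Q

def H(*parts):
    """Stand-in for PRG, PRF, f_tau and h: hash the parts to a nonzero element of Z_q."""
    data = "|".join(str(x) for x in parts).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return {"x": x, "y": pow(G, x, P), "prg": secrets.token_hex(8),
            "prf": secrets.token_hex(8), "tau": secrets.token_hex(8)}

def sig_gen(key, blocks):
    """blocks maps j -> list of k elements; returns encrypted blocks and signatures."""
    k = len(next(iter(blocks.values())))
    rho = [H("prg", key["prg"], l) for l in range(k)]
    enc, sigs = {}, {}
    for j, m in blocks.items():
        t = (sum(a * b for a, b in zip(rho, m)) + H("prf", key["prf"], j)) % Q
        kj = secrets.randbelow(Q - 1) + 1
        r = pow(G, kj, P)
        sigs[j] = (r, ((r % Q) * kj + t * key["x"]) % Q)
        enc[j] = [(v + H("f", key["tau"], l, j)) % Q for l, v in enumerate(m)]
    return enc, sigs

def proof_gen(y, enc, sigs, chal):
    """Cloud server: aggregate the signatures and mask each linear combination."""
    k = len(next(iter(enc.values())))
    r, s = 1, 0
    for j, nu in chal:
        rj, sj = sigs[j]
        r = r * pow(rj, nu * rj, P) % P      # r = prod r_j^{nu_j r_j} mod p
        s = (s + nu * sj) % Q                # s = sum nu_j s_j mod q
    mu, W = [], []
    for l in range(k):
        eta = secrets.randbelow(Q - 1) + 1
        w = pow(y, eta, P)                   # W_l = y^{eta_l}
        mu.append((sum(nu * enc[j][l] for j, nu in chal) + eta * H("h", w)) % Q)
        W.append(w)
    return mu, r, s, W

def proof_verify(key, chal, proof):
    """TPA: check g^s == r * y^(lam1 - lam2) * prod W_l^(-rho_l h(W_l)) mod p."""
    mu, r, s, W = proof
    k = len(mu)
    rho = [H("prg", key["prg"], l) for l in range(k)]
    lam1 = (sum(a * b for a, b in zip(rho, mu))
            + sum(nu * H("prf", key["prf"], j) for j, nu in chal)) % Q
    lam2 = sum(rho[l] * nu * H("f", key["tau"], l, j)
               for l in range(k) for j, nu in chal) % Q
    rhs = r * pow(key["y"], (lam1 - lam2) % Q, P) % P
    for l, w in enumerate(W):
        rhs = rhs * pow(w, (-rho[l] * H("h", w)) % Q, P) % P
    return pow(G, s, P) == rhs

key = keygen()
blocks = {1: [5, 6, 7], 2: [8, 9, 10], 3: [11, 12, 13]}
enc, sigs = sig_gen(key, blocks)
chal = [(1, 3), (3, 7)]
honest_ok = proof_verify(key, chal, proof_gen(key["y"], enc, sigs, chal))

enc[1][0] = (enc[1][0] + 1) % Q              # corrupt one stored element
tampered_ok = proof_verify(key, chal, proof_gen(key["y"], enc, sigs, chal))
```

The honest proof verifies regardless of the masks $η_{l}$, while the corrupted block shifts the exponent of y by a nonzero amount and the check fails.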

4. Analysis of the Proposed Auditing Scheme

In this section, we begin to analyze the proposed auditing scheme, including its correctness, unforgeability, and privacy-preserving. Considering the scalability of the auditing scheme, we also extend it to support batch auditing.

4.1. Correctness

According to the ProofVerify phase of the auditing scheme, the correctness of the verification equation is elaborated as follows:

\begin{array}{l}
g^{s} = g^{\sum_{j \in J} ν_{j} s_{j}} = g^{\sum_{j \in J} ν_{j} (r_{j}^{'} k_{j} + t_{j} x)} \mod p \\
= g^{\sum_{j \in J} ν_{j} r_{j}^{'} k_{j}} \cdot g^{\sum_{j \in J} ν_{j} t_{j} x} \mod p \\
= \prod_{j \in J} r_{j}^{ν_{j} r_{j}} \cdot y^{\sum_{j \in J} ν_{j} t_{j}} \mod p \\
= r y^{\sum_{j \in J} (\sum_{l = 1}^{k} ρ_{l} m_{j, l} + ω_{j}) ν_{j}} \mod p \\
= r y^{\sum_{j \in J} \sum_{l = 1}^{k} ρ_{l} ν_{j} m_{j, l} + \sum_{j \in J} ω_{j} ν_{j}} \mod p \\
= r y^{\sum_{l = 1}^{k} ρ_{l} \sum_{j \in J} ν_{j} m_{j, l} + \sum_{j \in J} ω_{j} ν_{j}} \mod p \\
= r y^{\sum_{l = 1}^{k} ρ_{l} (μ_{l} - \sum_{j \in J} ν_{j} f_{τ} (l, {id}_{j}) - η_{l} h (W_{l})) + \sum_{j \in J} ν_{j} ω_{j}} \mod p \\
= r y^{\sum_{l = 1}^{k} ρ_{l} μ_{l} + \sum_{j \in J} ν_{j} ω_{j}} \cdot y^{- \sum_{l = 1}^{k} \sum_{j \in J} ρ_{l} ν_{j} f_{τ} (l, {id}_{j})} \cdot y^{- \sum_{l = 1}^{k} ρ_{l} η_{l} h (W_{l})} \mod p \\
= r y^{λ_{1} - λ_{2}} \prod_{l = 1}^{k} W_{l}^{- ρ_{l} h (W_{l})} \mod p .
\end{array}

(1)

Thus the verification equation $g^{s} = r y^{λ_{1} - λ_{2}} \prod_{l = 1}^{k} ‍ W_{l}^{- ρ_{l} h (W_{l})} \mod p$ holds.

4.2. Unforgeability

Theorem 3.

Given the DSN data manager's data file $M^{'}$ and the corresponding signatures stored in the cloud server, it is computationally infeasible for a malicious cloud server to generate an invalid auditing response proof that passes the verification equation.

In the proposed auditing scheme, we make use of homomorphic MACs to compress each data block to efficiently decrease the amount of storage space needed to store verification information. According to the discussions and proofs in [27], we know that the probability for an adversary to break one homomorphic MAC on a data block is $1 / q$ , which is negligible.

Besides generating a forgery of a homomorphic MAC, if the malicious cloud server can win Game 1, it can generate an invalid auditing response proof for the challenged data blocks and enable this invalid auditing response proof to successfully pass the verification. Now we describe Game 1 as follows.

Game 1. After receiving an auditing request from the DSN data manager, the TPA sends an auditing challenge message $chal = \{(j, ν_{j})\}_{j \in J}$ to the cloud server, and the correct auditing response proof should be $\{μ, r, s, W, \{{id}_{j}\}_{j \in J}\}$, where $μ = (μ_{1}, \dots, μ_{k})$ and $W = (W_{1}, \dots, W_{k})$. This response proof passes the verification equation. Now, instead of generating the correct auditing response proof, the malicious cloud server generates an invalid auditing proof $\{μ^{*}, r, s, W, \{{id}_{j}\}_{j \in J}\}$ based on the corrupted data file $M^{' *}$, where $μ^{*} = (μ_{1}^{*}, \dots, μ_{k}^{*})$, $μ_{l}^{*} = μ_{l}^{' *} + η_{l} h (W_{l})$, and $μ_{l}^{' *} = \sum_{j \in J} ν_{j} m_{j, l}^{' *} \in Z_{q}$. Define $Δ μ_{l} = μ_{l}^{*} - μ_{l}$ for $1 \leq l \leq k$. Since $M^{'} \neq M^{' *}$, at least one element of $\{Δ μ_{l}\}_{1 \leq l \leq k}$ is nonzero. If this invalid response proof can still pass the verification, the malicious cloud server wins Game 1. Otherwise, it fails.

Now we begin to show that if the malicious cloud can win the above Game 1, we can find a solution to the Discrete Logarithm problem. We first assume that the malicious cloud wins Game 1. Then, according to the verification equation, we have $g^{s} = r y^{λ_{1}^{*} - λ_{2}} \prod_{l = 1}^{k} ‍ W_{l}^{- ρ_{l} h (W_{l})} \mod p$ , where $λ_{1}^{*} = \sum_{l = 1}^{k} ‍ ρ_{l} μ_{l}^{*} + \sum_{j \in J} ‍ ν_{j} ω_{j} \in Z_{q}$ . Since ${μ, r, s, W, {{id}_{j}}_{j \in J}}$ is the correct auditing response proof, we also have $g^{s} = r y^{λ_{1} - λ_{2}} \prod_{l = 1}^{k} ‍ W_{l}^{- ρ_{l} h (W_{l})} \mod p$ . Then, according to the two verification equations, we learn that $y^{λ_{1}^{*}} = y^{λ_{1}}$ . Thus

\begin{matrix} y^{\sum_{l = 1}^{k} ‍ ρ_{l} μ_{l}^{*} + \sum_{j \in J} ‍ ν_{j} ω_{j}} = y^{\sum_{l = 1}^{k} ‍ ρ_{l} μ_{l} + \sum_{j \in J} ‍ ν_{j} ω_{j}}, \\ y^{\sum_{l = 1}^{k} ‍ ρ_{l} μ_{l}^{*}} = y^{\sum_{l = 1}^{k} ‍ ρ_{l} μ_{l}}, \\ y^{\sum_{l = 1}^{k} ‍ ρ_{l} Δ μ_{l}} = \prod_{l = 1}^{k} ‍ {(y^{ρ_{l}})}^{Δ μ_{l}} = 1 . \end{matrix}

(2)

Because G is a multiplicative cyclic group of order q, for two random elements $α, β \in G$ , there exists $η \in Z_{q}$ such that $β = α^{η}$ . Without loss of generality, given $α, β \in G$ , each $y^{ρ_{l}}$ is able to randomly and correctly be generated by computing $y^{ρ_{l}} = α^{ξ_{l}} β^{γ_{l}}$ , where $ξ_{l}$ and $γ_{l}$ are random values in $Z_{q}$ . Then we get

\begin{array}{l} 1 = \prod_{l = 1}^{k} ‍ {(y^{ρ_{l}})}^{Δ μ_{l}} \\ = \prod_{l = 1}^{k} ‍ {(α^{ξ_{l}} β^{γ_{l}})}^{Δ μ_{l}} \\ = α^{\sum_{l = 1}^{k} ‍ ξ_{l} Δ μ_{l}} \cdot β^{\sum_{l = 1}^{k} ‍ γ_{l} Δ μ_{l}} . \end{array}

(3)

From this relation we can find a solution to the Discrete Logarithm problem. In particular, given α, $β = α^{η} \in G$, we can output $β = α^{η} = α^{- \sum_{l = 1}^{k} ξ_{l} Δ μ_{l} / \sum_{l = 1}^{k} γ_{l} Δ μ_{l}}$; thus $η = - \sum_{l = 1}^{k} ξ_{l} Δ μ_{l} / \sum_{l = 1}^{k} γ_{l} Δ μ_{l}$, unless the denominator is zero. However, as defined in Game 1, at least one element of $\{Δ μ_{l}\}$ is nonzero, and $γ_{l}$ is a random element of $Z_{q}$. Therefore, the denominator is zero with probability $1 / q$, which is negligible. This means that once the malicious cloud server wins Game 1, we can find a solution to the Discrete Logarithm problem with a nonnegligible probability of $1 - 1 / q$, which contradicts the assumption that the Discrete Logarithm problem is computationally infeasible in G.
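The extraction step of this reduction can be illustrated numerically. In the sketch below, the toy parameters, the concrete values of $ξ_{l}$ and $γ_{l}$, and the helper name `extract_dlog` are all assumptions. The winning adversary is simulated by constructing a nonzero $Δ μ$ that satisfies $\prod_{l} (α^{ξ_{l}} β^{γ_{l}})^{Δ μ_{l}} = 1$; the extractor then recovers η from $ξ$, $γ$, and $Δ μ$ alone.

```python
P, Q, G = 2039, 1019, 4   # toy parameters (assumption): G has prime order Q modulo P

def extract_dlog(xi, gamma, delta_mu):
    """eta = -(sum xi_l * dmu_l) / (sum gamma_l * dmu_l) mod q."""
    num = sum(a * d for a, d in zip(xi, delta_mu)) % Q
    den = sum(b * d for b, d in zip(gamma, delta_mu)) % Q
    if den == 0:
        raise ValueError("denominator is zero; the reduction fails for this instance")
    return (-num * pow(den, -1, Q)) % Q      # modular inverse needs Python 3.8+

# Discrete Logarithm instance: alpha and beta = alpha^eta, with eta unknown to the extractor.
eta = 321
alpha = G
beta = pow(alpha, eta, P)

# Reduction's random exponents, so that y^{rho_l} = alpha^{xi_l} * beta^{gamma_l}.
xi, gamma = [5, 7], [11, 13]

# Simulated adversary output: a nonzero delta_mu annihilating the exponents e_l = xi_l + eta * gamma_l.
e = [(a + eta * b) % Q for a, b in zip(xi, gamma)]
delta_mu = [e[1], (-e[0]) % Q]

# Confirm the winning relation prod (y^{rho_l})^{dmu_l} = 1 holds in the group.
relation = 1
for l in range(2):
    y_rho = pow(alpha, xi[l], P) * pow(beta, gamma[l], P) % P
    relation = relation * pow(y_rho, delta_mu[l], P) % P

recovered = extract_dlog(xi, gamma, delta_mu)
```

The simulation uses η only to manufacture a winning $Δ μ$; `extract_dlog` itself never sees it.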

Moreover, suppose the malicious cloud server tries to forge the aggregate signature; that is, it generates an invalid response proof $\{μ, r^{'}, s^{'}, W, \{{id}_{j}\}_{j \in J}\}$ that still passes the verification equation $g^{s^{'}} = r^{'} y^{λ_{1} - λ_{2}} \prod_{l = 1}^{k} W_{l}^{- ρ_{l} h (W_{l})} \mod p$. The correct auditing response proof $\{μ, r, s, W, \{{id}_{j}\}_{j \in J}\}$ passes the verification equation $g^{s} = r y^{λ_{1} - λ_{2}} \prod_{l = 1}^{k} W_{l}^{- ρ_{l} h (W_{l})} \mod p$. Dividing the two verification equations gives $g^{s^{'} - s} = r^{'} r^{- 1} \mod p$. Thus either $s = s^{'}$ and $r = r^{'}$, or we can find a solution of the Discrete Logarithm problem between g and d (here we set $d = r^{'} r^{- 1}$); both results contradict our assumption.

Therefore, it is computationally infeasible for the malicious cloud to generate an invalid auditing proof, which can pass the verification equation.

4.3. Privacy-Preserving

Theorem 4.

Given an auditing response proof message $proof = \{μ, r, s, W, \{{id}_{j}\}_{j \in J}\}$ from the cloud server, it is computationally infeasible for the curious TPA to reveal any private data block from the data file of the DSN data manager.

Proof.

If the combined message $μ_{l}^{'} = \sum_{j \in J} ‍ ν_{j} m_{j, l}^{'} \in Z_{q}$ , which is a linear combination of elements in data blocks, is directly sent to the TPA, the curious TPA can learn the content of data blocks by solving linear equations after collecting a sufficient number of linear combinations. To preserve private data blocks from the TPA, the combined message is computed with random masking as $μ_{l} = μ_{l}^{'} + η_{l} h (W_{l})$ . In order to still solve linear equations, the TPA must know the value of $η_{l}$ . However, given y, $W_{l} = y^{η_{l}} \in G$ , computing $η_{l}$ is as hard as solving the Discrete Logarithm problem in G, which is computationally infeasible. Therefore, given the auditing response proof message, the TPA cannot directly obtain any linear combination of elements in data blocks and cannot further reveal any private data block from the data file by solving linear equations.
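The linear-equation attack that the masking prevents can be made concrete for the smallest case: two challenged blocks, one element each, and two challenges. The modulus, the block values, the challenge coefficients, and the fixed mask offsets (standing in for $η_{l} h (W_{l})$) are illustrative assumptions.

```python
Q = 1019   # toy prime modulus (assumption)

def solve_2x2_mod_q(nu, mu):
    """Solve nu * m = mu (mod q) for m = (m1, m2) by Cramer's rule."""
    (a, b), (c, d) = nu
    det_inv = pow((a * d - b * c) % Q, -1, Q)   # raises ValueError if the system is singular
    m1 = (d * mu[0] - b * mu[1]) * det_inv % Q
    m2 = (a * mu[1] - c * mu[0]) * det_inv % Q
    return m1, m2

m = (123, 456)              # stored elements m'_{1,l} and m'_{2,l} of two blocks
nu = [(3, 5), (7, 2)]       # coefficients of two successive challenges

# Unmasked responses mu' = sum_j nu_j * m'_{j,l}: two equations, two unknowns.
mu_plain = [(a * m[0] + b * m[1]) % Q for a, b in nu]
leaked = solve_2x2_mod_q(nu, mu_plain)

# Masked responses mu = mu' + eta * h(W); the offsets are unknown to the TPA.
masks = [100, 200]          # stand-ins for eta_l * h(W_l) (assumption)
mu_masked = [(v + k) % Q for v, k in zip(mu_plain, masks)]
guess = solve_2x2_mod_q(nu, mu_masked)
```

With unmasked responses the solver returns the stored elements exactly; with masked responses it returns unrelated values, because each equation carries a fresh unknown offset.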

4.4. Support for Batch Auditing

When the privacy-preserving auditing scheme is used in cloud storage, the TPA may receive a large number of auditing requests from different DSN data managers in a short time. Executing each auditing task separately can be tedious and very inefficient for the TPA. Therefore, we further extend our scheme to support batch auditing. Batch auditing not only allows the TPA to execute multiple auditing tasks simultaneously, but also dramatically decreases the computation cost on the TPA side, because aggregating L verification equations into one saves a considerable amount of auditing time. The details are described as follows.

Setup Phase. The DSN data managers perform setup independently. Suppose there are L DSN data managers in the auditing system, and each DSN data manager θ has a data file $M_{θ} = \{m_{θ, 1}, \dots, m_{θ, n}\}$ to be outsourced to the cloud server, where $m_{θ, j} = (m_{θ, j, 1}, \dots, m_{θ, j, k})$, $j = 1, 2, \dots, n$. For simplicity, we assume that every data file $M_{θ}$ has the same number n of data blocks. For a DSN data manager θ, denote his private parameters by $(x_{θ}, {ssk}_{θ}, {sk}_{prg, θ}, {sk}_{prf, θ})$ and the corresponding public parameters by $(G, g, y_{θ}, {spk}_{θ})$, where $y_{θ} = g^{x_{θ}}$. As in the single DSN data manager case, each DSN data manager θ has already randomly chosen a different identity ${id}_{θ, j}$ for the data block $m_{θ, j}$ and has correctly generated the corresponding data block tag ${tag}_{θ, j} = {id}_{θ, j} ∥ {SSig}_{{ssk}_{θ}} ({id}_{θ, j})$.

Then each DSN data manager θ computes $ρ_{θ} = (ρ_{θ, 1}, \dots, ρ_{θ, k}) \leftarrow PRG (sk_{prg_{θ}}) \in Z_{q}^{k}$ and $ω_{θ, j} \leftarrow PRF (sk_{prf_{θ}}, {id}_{θ, j}) \in Z_{q}$ . The DSN data manager then calculates the homomorphic MAC of data block $m_{θ, j} = (m_{θ, j, 1}, \dots, m_{θ, j, k})$ as $t_{θ, j} = \sum_{l = 1}^{k} ρ_{θ, l} m_{θ, j, l} + ω_{θ, j} \in Z_{q}$ and computes the signature of $t_{θ, j}$ as follows.

(1) Choose $k_{θ, j} \leftarrow Z_{q}$ and compute $r_{θ, j} \equiv g^{k_{θ, j}} \mod p$ and $r_{θ, j}^{'} \equiv r_{θ, j} \mod q$ .

(2) Compute $s_{θ, j} = (r_{θ, j}^{'} k_{θ, j} + t_{θ, j} x_{θ}) \mod q$ .

(3) Output $σ_{θ, j} = (r_{θ, j}, s_{θ, j})$ as the signature of $t_{θ, j}$ .
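The MAC and signing steps for one data block can be sketched in Python as follows. This is a minimal sketch under stated assumptions: the toy group (p = 607, q = 101), the use of HMAC-SHA256 as a stand-in for both PRG and PRF, and the names `prf`, `homomorphic_mac`, `sign`, and `check` are all illustrative and not part of the scheme as published. The `check` function uses the relation $g^{s} = r^{r^{'}} y^{t} \mod p$ that follows directly from step (2).

```python
import hashlib
import hmac
import secrets

# Toy group parameters (assumption): q divides p - 1; insecure sizes.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)          # generator of the order-q subgroup

def prf(key, msg):
    """HMAC-SHA256 reduced mod q; stands in for PRG and PRF (assumption)."""
    digest = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % Q

def homomorphic_mac(rho, omega, block):
    """t = sum_l rho_l * m_l + omega mod q."""
    return (sum(r * m for r, m in zip(rho, block)) + omega) % Q

def sign(t, x):
    """Steps (1)-(3): r = g^k mod p, r' = r mod q, s = r'*k + t*x mod q."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    s = ((r % Q) * k + t * x) % Q
    return r, s

def check(t, sig, y):
    """Single-signature check: g^s == r^(r') * y^t mod p."""
    r, s = sig
    return pow(G, s, P) == pow(r, r % Q, P) * pow(y, t, P) % P

x = secrets.randbelow(Q - 1) + 1      # private key x
y = pow(G, x, P)                      # public key y = g^x
block = [4, 8, 15, 16]                # one data block with k = 4 sectors
rho = [prf(b"sk_prg", str(l)) for l in range(len(block))]
omega = prf(b"sk_prf", "id-0")
t = homomorphic_mac(rho, omega, block)
sigma = sign(t, x)
```

Because both the MAC and the value s are linear in the block contents, signatures of several blocks can later be combined with the challenge coefficients, which is what the batch aggregation relies on.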

Denote the set of signatures by $Φ_{θ} = \{σ_{θ, j}\}_{1 \leq j \leq n}$ . Meanwhile, to guarantee the confidentiality of the data file, the DSN data manager employs the lightweight symmetric encryption algorithm f to encrypt each data block $m_{θ, j} = (m_{θ, j, 1}, \dots, m_{θ, j, k})$ as $m_{θ, j}^{'} = (m_{θ, j, 1} + f_{τ_{θ}} (1, {id}_{θ, j}), \dots, m_{θ, j, k} + f_{τ_{θ}} (k, {id}_{θ, j}))$ under the symmetric private key $τ_{θ}$ . Thus, the data file $M_{θ} = (m_{θ, 1}, \dots, m_{θ, n})$ is encrypted as $M_{θ}^{'} = (m_{θ, 1}^{'}, \dots, m_{θ, n}^{'})$ . Finally, the DSN data manager θ sends $\{M_{θ}^{'}, \{{tag}_{θ, j}\}_{1 \leq j \leq n}, Φ_{θ}\}$ to the cloud server and deletes them from local storage.
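The additive encryption of a block can be sketched as below. The concrete choice of HMAC-SHA256 for $f$, the toy modulus q = 101, and all names are assumptions for illustration; the paper only requires a lightweight symmetric algorithm f keyed by $τ_{θ}$. The last lines show why the pad can later be removed from a linear combination of encrypted sectors.

```python
import hashlib
import hmac

Q = 101   # toy modulus (assumption), stands in for the 160-bit q

def f(tau, l, block_id):
    """Keyed pad f_tau(l, id) in Z_q, here HMAC-SHA256 mod q (assumption)."""
    msg = f"{l}|{block_id}".encode()
    return int.from_bytes(hmac.new(tau, msg, hashlib.sha256).digest(), "big") % Q

def encrypt_block(tau, block_id, block):
    """m'_l = m_l + f_tau(l, id) mod q for sectors l = 1..k."""
    return [(m + f(tau, l, block_id)) % Q for l, m in enumerate(block, start=1)]

def decrypt_block(tau, block_id, enc):
    """Inverse of encrypt_block: subtract the same pad."""
    return [(c - f(tau, l, block_id)) % Q for l, c in enumerate(enc, start=1)]

tau = b"toy-key"
ids = ["id-1", "id-2"]
blocks = [[5, 50, 100], [7, 70, 3]]
enc = [encrypt_block(tau, i, b) for i, b in zip(ids, blocks)]

# Linearity: a challenge-weighted sum of encrypted sectors minus the
# weighted pads equals the weighted sum of plaintext sectors.
nu = [3, 9]
l = 2
enc_sum = sum(v * e[l - 1] for v, e in zip(nu, enc)) % Q
pad_sum = sum(v * f(tau, l, i) for v, i in zip(nu, ids)) % Q
plain_sum = sum(v * b[l - 1] for v, b in zip(nu, blocks)) % Q
```

This linearity is what allows a verifier holding $τ_{θ}$ to account for the encryption pads with a single correction term.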

Audit Phase. The TPA first retrieves and verifies the data block tag ${tag}_{θ, j}$ of each DSN data manager θ for later auditing. If the verification fails, the TPA aborts. Otherwise, the TPA recovers ${id}_{θ, j}$ and sends the auditing challenge message $chal = \{(j, ν_{j})\}_{j \in J}$ to the cloud server. For each DSN data manager θ, the cloud server then chooses $η_{θ, l} \in Z_{q}$ randomly as before and computes $W_{θ, l} = y_{θ}^{η_{θ, l}}$ and $μ_{θ, l} = \sum_{j \in J} ν_{j} m_{θ, j, l}^{'} + η_{θ, l} h (W_{θ, l})$ ; thus, the cloud server obtains $μ_{θ} = (μ_{θ, 1}, \dots, μ_{θ, l}, \dots, μ_{θ, k})$ . The cloud server then aggregates the signatures as $r = \prod_{θ = 1}^{L} \prod_{j \in J} r_{θ, j}^{ν_{j} r_{θ, j}} \mod p$ and $s = \sum_{θ = 1}^{L} \sum_{j \in J} ν_{j} s_{θ, j} \mod q$ . Finally, the cloud server responds with $(\{μ_{θ}\}_{1 \leq θ \leq L}, r, s, \{W_{θ}\}_{1 \leq θ \leq L}, \{{id}_{θ, j}\}_{j \in J, 1 \leq θ \leq L})$ , where $W_{θ} = (W_{θ, 1}, \dots, W_{θ, l}, \dots, W_{θ, k})$ .

To verify the response, the TPA first does as follows.

(1) Generate $ρ_{θ} = (ρ_{θ, 1}, \dots, ρ_{θ, k}) \leftarrow PRG (sk_{prg_{θ}}) \in Z_{q}^{k}$ and $ω_{θ, j} \leftarrow PRF (sk_{prf_{θ}}, {id}_{θ, j}) \in Z_{q}$ , $j \in J$ .

(2) Compute $λ_{θ, 1} = \sum_{l = 1}^{k} ρ_{θ, l} μ_{θ, l} + \sum_{j \in J} ν_{j} ω_{θ, j} \in Z_{q}$ , $λ_{θ, 2} = \sum_{l = 1}^{k} \sum_{j \in J} ρ_{θ, l} ν_{j} f_{τ_{θ}} (l, {id}_{θ, j}) \in Z_{q}$ , and $h (W_{θ, l})$ , where $1 \leq l \leq k$ and $1 \leq θ \leq L$ .

Then the TPA checks if the following verification equation holds: $g^{s} = r \prod_{θ = 1}^{L} y_{θ}^{λ_{θ, 1} - λ_{θ, 2}} (\prod_{l = 1}^{k} W_{θ, l}^{- ρ_{θ, l} h (W_{θ, l})}) \mod p$ . The correctness of the verification equation can be shown as follows:

$$
\begin{aligned}
g^{s} &= g^{\sum_{θ = 1}^{L} \sum_{j \in J} ν_{j} s_{θ, j}} \mod p \\
&= \prod_{θ = 1}^{L} g^{\sum_{j \in J} ν_{j} s_{θ, j}} \mod p \\
&= \prod_{θ = 1}^{L} g^{\sum_{j \in J} ν_{j} ((r_{θ, j}^{'} k_{θ, j} + t_{θ, j} x_{θ}) \mod q)} \mod p \\
&= \prod_{θ = 1}^{L} g^{\sum_{j \in J} ν_{j} r_{θ, j}^{'} k_{θ, j}} g^{\sum_{j \in J} ν_{j} t_{θ, j} x_{θ}} \mod p \\
&= \prod_{θ = 1}^{L} \left( \prod_{j \in J} r_{θ, j}^{ν_{j} r_{θ, j}} \right) y_{θ}^{\sum_{j \in J} ν_{j} t_{θ, j}} \mod p \\
&= r \prod_{θ = 1}^{L} y_{θ}^{\sum_{j \in J} ν_{j} (\sum_{l = 1}^{k} ρ_{θ, l} m_{θ, j, l} + ω_{θ, j})} \mod p \\
&= r \prod_{θ = 1}^{L} y_{θ}^{\sum_{l = 1}^{k} ρ_{θ, l} \sum_{j \in J} ν_{j} m_{θ, j, l} + \sum_{j \in J} ν_{j} ω_{θ, j}} \mod p \\
&= r \prod_{θ = 1}^{L} y_{θ}^{\sum_{l = 1}^{k} ρ_{θ, l} (μ_{θ, l} - \sum_{j \in J} ν_{j} f_{τ_{θ}} (l, {id}_{θ, j}) - η_{θ, l} h (W_{θ, l})) + \sum_{j \in J} ν_{j} ω_{θ, j}} \mod p \\
&= r \prod_{θ = 1}^{L} y_{θ}^{\sum_{l = 1}^{k} ρ_{θ, l} μ_{θ, l} + \sum_{j \in J} ν_{j} ω_{θ, j} - \sum_{l = 1}^{k} \sum_{j \in J} ρ_{θ, l} ν_{j} f_{τ_{θ}} (l, {id}_{θ, j}) - \sum_{l = 1}^{k} ρ_{θ, l} η_{θ, l} h (W_{θ, l})} \mod p \\
&= r \prod_{θ = 1}^{L} y_{θ}^{λ_{θ, 1} - λ_{θ, 2}} y_{θ}^{- \sum_{l = 1}^{k} ρ_{θ, l} η_{θ, l} h (W_{θ, l})} \mod p \\
&= r \prod_{θ = 1}^{L} y_{θ}^{λ_{θ, 1} - λ_{θ, 2}} \left( \prod_{l = 1}^{k} W_{θ, l}^{- ρ_{θ, l} h (W_{θ, l})} \right) \mod p .
\end{aligned}
\tag{4}
$$

Thus the verification equation $g^{s} = r \prod_{θ = 1}^{L} y_{θ}^{λ_{θ, 1} - λ_{θ, 2}} (\prod_{l = 1}^{k} W_{θ, l}^{- ρ_{θ, l} h (W_{θ, l})}) \mod p$ holds.

5. Performance Comparison

In this section, we compare the performance of our privacy-preserving auditing scheme for cloud storage with that of the auditing scheme in [26]. We first discuss the computation cost and the communication cost. We then compare the two schemes experimentally to show the advantages of our auditing scheme.

5.1. Computation Cost

We first give the computation cost of our pairing-free auditing scheme for cloud storage and compare it with that of the auditing scheme in [26]. The main cryptographic operations used in our scheme are multiplications, additions, modular exponentiations, and hash operations. For simplicity, we omit the computation cost of the pseudorandom number generator $PRG$ and the pseudorandom function $PRF$ because they are much cheaper to compute than the operations mentioned above. Here, ${Mult}_{G}$ , ${Add}_{G}$ , and ${Exp}_{G}$ denote multiplication, addition, and modular exponentiation in group G, respectively; ${Hash}_{G}$ denotes a hash operation into the group G, and ${Pair}_{G_{1}, G_{2}}$ denotes a pairing operation.

During the auditing process, the TPA first generates some random values to construct the auditing message, which introduces only a small computation cost. Then, after receiving the auditing message, the cloud server needs to compute a proof $\{μ, r, s, W, \{{id}_{j}\}_{j \in J}\}$ and return it to the TPA for auditing, where $μ = (μ_{1}, \dots, μ_{k})$ and $W = (W_{1}, \dots, W_{k})$ . The computation cost of a proof is about $(k c + 2 c + k) {Mult}_{Z_{p}} + c {Mult}_{Z_{q}} + k c {Add}_{Z_{p}} + (c - 1) {Add}_{Z_{q}} + k {Exp}_{Z_{p}} + k {Hash}_{Z_{p}}$ , while the computation cost of a proof in [26] is about $(c - 1) {Mult}_{G_{1}} + (c + 1) {Mult}_{Z_{p}} + c {Exp}_{G_{1}} + {Exp}_{G_{T}} + c {Add}_{Z_{p}} + {Hash}_{Z_{p}}$ .

To check the correctness of the proof, the TPA verifies it using the verification equation. The computation cost of verifying the auditing proof is $(2 k + c + 2 c k) {Mult}_{Z_{q}} + k {Mult}_{Z_{p}} + (k + 2) {Exp}_{Z_{p}} + (c k + c + k - 2) {Add}_{Z_{q}} + 2 k {Hash}_{Z_{q}} + c {Enc}_{ɛ}$ , while the computation cost of verifying the auditing proof in [26] is $(c + 1) {Mult}_{G_{1}} + {Mult}_{G_{T}} + (c + 3) {Exp}_{G_{1}} + 2 {Pair}_{G_{1}, G_{2}} + {Hash}_{Z_{p}} + c {Hash}_{G_{1}}$ .
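To make the operation counts above easier to compare for concrete parameters, the formulas can be tabulated with a small Python sketch. The function names and dictionary keys are hypothetical; the counts are transcribed from the expressions in this subsection, and the example values c = 400 and k = 20 are taken from the ranges used in Section 5.3.

```python
def ours_proof(c, k):
    """Cloud server cost of one proof in the pairing-free scheme."""
    return {"Mult_Zp": k * c + 2 * c + k, "Mult_Zq": c, "Add_Zp": k * c,
            "Add_Zq": c - 1, "Exp_Zp": k, "Hash_Zp": k}

def ref26_proof(c):
    """Cloud server cost of one proof in the scheme of [26]."""
    return {"Mult_G1": c - 1, "Mult_Zp": c + 1, "Exp_G1": c,
            "Exp_GT": 1, "Add_Zp": c, "Hash_Zp": 1}

def ours_verify(c, k):
    """TPA cost of verifying one proof in the pairing-free scheme."""
    return {"Mult_Zq": 2 * k + c + 2 * c * k, "Mult_Zp": k, "Exp_Zp": k + 2,
            "Add_Zq": c * k + c + k - 2, "Hash_Zq": 2 * k, "Enc": c}

def ref26_verify(c):
    """TPA cost of verifying one proof in the scheme of [26]."""
    return {"Mult_G1": c + 1, "Mult_GT": 1, "Exp_G1": c + 3,
            "Pair": 2, "Hash_Zp": 1, "Hash_G1": c}

c, k = 400, 20
for name, counts in [("ours/proof", ours_proof(c, k)),
                     ("[26]/proof", ref26_proof(c)),
                     ("ours/verify", ours_verify(c, k)),
                     ("[26]/verify", ref26_verify(c))]:
    print(name, counts)
```

For these values the server performs k = 20 exponentiations in $Z_{p}$ in our scheme against c = 400 exponentiations in $G_{1}$ in [26], and the TPA needs no pairing operations.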

5.2. Communication Cost

The communication cost of our scheme is mainly introduced by two factors: the auditing message and the auditing proof. The auditing message is $chal = \{(j, ν_{j})\}_{j \in J}$ , and the auditing proof generated by the cloud server is $\{μ, r, s, W, \{{id}_{j}\}_{j \in J}\}$ , where $μ = (μ_{1}, \dots, μ_{k})$ and $W = (W_{1}, \dots, W_{k})$ ; thus the total communication cost of our auditing scheme is $(c + k + 1) |q| + c | n | + (k + 1) | p |$ , while the total communication cost of the auditing scheme in [26] is $c (| p | + | n |) + | p | + | G_{1} | + | G_{T} | + | id |$ , where $| n |$ is the length of an index and $| G_{T} |$ is the length of an element of $G_{T}$ . Moreover, the communication overhead of $| G_{1} |$ and $| G_{T} |$ in [26] is much larger than that of the other terms; therefore our auditing scheme is more lightweight than [26] in communication cost.
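As a worked instance of the first formula, take the parameter values used in the experiments of Section 5.3, $| p | = | q | = 160$ and $k = 20$ , and assume $c = 400$ challenged blocks (the lower end of the range mentioned there). The index length $| n |$ is left symbolic because the paper does not fix it:

$$
(c + k + 1) |q| + c | n | + (k + 1) | p | = 421 \cdot 160 + 400 | n | + 21 \cdot 160 = 70720 + 400 | n | \text{ bits.}
$$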

5.3. Experimental Results

We now compare the cloud server computation cost and the TPA auditing computation cost of our auditing scheme with those of [26] in experiments. In [26], the random mask needs one exponentiation, one multiplication, one hash, and one addition, so the extra cost resulting from the random mask is only a constant, ${Exp}_{G_{T}} + {Mult}_{Z_{p}} + {Hash}_{Z_{p}} + {Add}_{Z_{p}}$ , which is independent of the number of sampled blocks c. When c is set between $400$ and $600$ for high assurance of auditing, the extra cost on the cloud server side for the privacy-preserving guarantee is negligible compared with the total server computation for response generation. Therefore, we take the main computation cost of the cloud server in [26] to be $(c - 1) {Mult}_{G_{1}} + c {Mult}_{Z_{p}} + c {Exp}_{G_{1}} + (c - 1) {Add}_{Z_{p}}$ in our experiments. In our auditing scheme, the extra cost resulting from the random masking is also independent of c: $k ({Exp}_{Z_{p}} + {Mult}_{Z_{p}} + {Hash}_{Z_{q}} + {Add}_{Z_{q}})$ , where k is much smaller than the number of challenged data blocks in practice. Here we can omit the computation cost $k ({Mult}_{Z_{p}} + {Hash}_{Z_{q}} + {Add}_{Z_{q}})$ . Therefore, in our experiments we set the main cloud server computation cost to be $(k c + 2 c) {Mult}_{Z_{p}} + c {Mult}_{Z_{q}} + (k c - k) {Add}_{Z_{p}} + (c - 1) {Add}_{Z_{q}} + k {Exp}_{Z_{p}}$ .

As also discussed in [26], the extra cost that the random masking adds to verification is only a constant: ${Mult}_{G_{T}} + 2 {Exp}_{G_{1}} + {Hash}_{Z_{p}}$ , which is independent of the number of sampled blocks c. Considering the relatively expensive pairing operations, this extra cost for the privacy-preserving guarantee is also negligible compared with the overall cost of response validation. Therefore, we set the main auditing computation cost of the TPA in [26] to be $c {Mult}_{G_{1}} + (c + 1) {Exp}_{G_{1}} + 2 {Pair}_{G_{1}, G_{2}} + c {Hash}_{G_{1}}$ in our experiments. In our auditing scheme, the extra cost resulting from the random masking is $k ({Mult}_{Z_{p}} + {Mult}_{Z_{q}} + {Hash}_{Z_{q}} + {Exp}_{Z_{p}})$ , where k is much smaller than the number of challenged data blocks in practice. Since the modular exponentiation is much more expensive than the other operations, we can omit the computation cost $k ({Mult}_{Z_{p}} + {Mult}_{Z_{q}} + {Hash}_{Z_{q}})$ . For consistency, we also set the main auditing computation cost of the TPA in our scheme to be $(k + c + 2 c k) {Mult}_{Z_{q}} + (k + 2) {Exp}_{Z_{p}} + (c k + c + k - 2) {Add}_{Z_{q}} + k {Hash}_{Z_{q}} + c {Enc}_{ɛ}$ .

Our experiments are implemented on a Windows 7 system with an Intel Core 2 i5 CPU running at 2.53 GHz and 2 GB of DDR3 RAM (1.74 GB available). All algorithms are implemented in C, and our code uses the MIRACL library version 5.6.1. The elliptic curve we use is an MNT curve with a base field size of 159 bits and an embedding degree of 6. The security level is chosen to be 80 bits, and $| p | = | q | = 160$ . For simplicity, we also set $k = 20$ . All experimental results are averages over 30 trials.

As shown in Figures 2 and 3, both the computation cost of the cloud server and the TPA auditing time of our auditing scheme are much lower than those of the auditing scheme in [26]. More specifically, as the number of challenged data blocks increases, the advantage of our auditing scheme over [26] in computation cost grows. This is mainly because the auditing scheme in [26] needs very expensive pairing computation, which is much more time-consuming.

Figure 2: Comparison of the computation cost of the cloud server.

Figure 3: Comparison of the auditing time between our scheme and the scheme in [26].

6. Conclusions

Data outsourcing, one of the fundamental components of cloud computing, centralizes the DSN data managers' data on the cloud server and enables the DSN data managers to enjoy high-quality service. However, the DSN data managers do not have physical possession of their own data; hence it is indispensable to design schemes that protect the security of the data. Previous auditing schemes such as [26] need expensive pairing operations. In this paper, we propose a pairing-free privacy-preserving auditing scheme for data storage security in distributed sensor networks. We employ the homomorphic linear authenticator and random masking so that the TPA not only relieves the DSN data managers of the tedious and possibly expensive auditing task but also alleviates their fear of outsourced data leakage. We also utilize homomorphic MACs to effectively reduce the amount of storage space needed to store verification information. Moreover, we further extend our auditing scheme to support batch auditing for multiple DSN data managers, where the TPA can perform multiple auditing tasks simultaneously. Security analysis and performance comparison show that the proposed auditing scheme is more lightweight and more practical in distributed sensor network environments.


Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (no. 61370203) and the Science and Technology on Communication Security Laboratory Foundation (Grant no. 9140C110301110C1103).

References

1. Luo, Cheng, Zhang. A two-tier data dissemination model for large-scale wireless sensor networks. Proceedings of the 8th ACM International Conference on Mobile Computing and Networking (MOBICOM ′02), September 2002, pp. 148-159. Scopus: 2-s2.0-0036949025.

2. Wang, Cao, la Porta, Zhang. Sensor relocation in mobile sensor networks. Proceedings of the IEEE INFOCOM, March 2005, pp. 2302-2312. Scopus: 2-s2.0-25644433619.

3. Mykletun, Girao, Westhoff. Public key based cryptoschemes for data concealment in wireless sensor networks. Proceedings of the IEEE International Conference on Communications (ICC ′06), July 2006, pp. 2288-2295. DOI: 10.1109/icc.2006.255111. Scopus: 2-s2.0-42549159545.

4. Girao, Westhoff, Mykletun, Araki. TinyPEDS: tiny persistent encrypted data storage in asynchronous wireless sensor networks. Ad Hoc Networks, 2007, vol. 5, no. 7, pp. 1073-1089. DOI: 10.1016/j.adhoc.2006.05.004. Scopus: 2-s2.0-34249316910.

5. Mell, Grance. The NIST definition of cloud computing. National Institute of Standards and Technology, 2009, vol. 53, no. 6, p. 50.

6. Subramanian, Yang, Zhang. Securing distributed data storage and retrieval in sensor networks. Pervasive and Mobile Computing, 2007, vol. 3, no. 6, pp. 659-676. DOI: 10.1016/j.pmcj.2007.06.002. Scopus: 2-s2.0-35648972648.

7. Kincaid. MediaMax/Thelinkup Close Its Doors. 2009, http://techcrunch.com/2008/07/10/mediamaxthelinkup-closes-its-doors/

8. Amazon.com. Amazon s3 Availability Events: July 20, 2008. 2008, http://status.aws.amazon.com/s3-20080720.html

9. Cloud Security Alliance. Top Threats to Cloud Computing. 2010, http://www.cloudsecurityalliance.org

10. Schwarz, Miller E. L. Store, forget, and check: using algebraic signatures to check remotely administered storage. Proceedings of the 26th IEEE International Conference on Distributed Computing Systems (ICDCS ′06), July 2006. DOI: 10.1109/icdcs.2006.80. Scopus: 2-s2.0-33947694320.

11. Wang, Ren, Lou. Achieving secure, scalable, and fine-grained data access control in cloud computing. Proceedings of the 29th IEEE Conference on Information Communications (INFOCOM ′10), March 2010, pp. 534-542.

12. Ren, Lou. Secure personal health records in cloud computing: patient-centric and fine-grained data access control in multi-owner settings. Security and Privacy in Communication Networks, 2010, Berlin, Germany, Springer, pp. 89-106.

13. Kher, Kim. Securing distributed storage: challenges, techniques, and systems. Proceedings of the ACM Workshop on Storage Security and Survivability (StorageSS ′05), November 2005, pp. 9-25. DOI: 10.1145/1103780.1103783. Scopus: 2-s2.0-33244454312.

14. Schroeder, Gibson G. A. Disk failures in the real world: what does an MTTF of 1,000,000 hours mean to you? Proceedings of the 5th USENIX Conference on File and Storage Technologies (FAST ′07), 2007, New York, NY, USA, ACM, pp. 1-16.

15. Muthitacharoen, Morris, Gil T. M., Chen. Ivy: a read/write peer to peer file system. Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI ′02), 2002, ACM, pp. 31-44. DOI: 10.1145/844128.844132.

16. Kallahalla, Riedel, Swaminathan, Wang. Plutus: scalable secure file sharing on untrusted storage. Proceedings of the 2nd USENIX Conference on File and Storage Technologies, 2003, San Francisco, Calif, USA, USENIX Association, pp. 29-42.

17. Krohn, Mazieres, Shasha. Secure untrusted data repository (sundr). Proceedings of the 6th Conference on Symposium on Operating Systems Design and Implementation, 2004, Berkeley, Calif, USA, USENIX Association.

18. Yumerefendi A. R., Chase J. S. Strong accountability for network storage. ACM Transactions on Storage, 2007, vol. 3, no. 3, article 11. DOI: 10.1145/1288783.1288786. Scopus: 2-s2.0-36048935605.

19. Maheshwari, Vingralek, Shapiro. How to build a trusted database system on untrusted storage. Proceedings of the 4th Conference on Symposium on Operating System Design and Implementation (OSDI ′00), 2000, San Diego, Calif, USA, USENIX Association.

20. Wang, Ren, Lou. Enabling public verifiability and data dynamics for storage security in cloud computing. Proceedings of the 14th European Symposium Research in Computer Security (ESORICS ′09), 2009, Saint Malo, France, pp. 355-370.

21. Cloud Security Alliance. Security guidance for critical areas of focus in cloud computing. 2009, http://cloudsecurityalliance.org/

22. Ateniese, Burns, Curtmola, Herring, Kissner, Peterson, Song. Provable data possession at untrusted stores. Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ′07), November 2007, pp. 598-609. DOI: 10.1145/1315245.1315318. Scopus: 2-s2.0-74049102823.

23. Juels, Burton, Kaliski. Pors: proofs of retrievability for large files. Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ′07), October 2007, Alexandria, Va, USA, pp. 584-597. DOI: 10.1145/1315245.1315317. Scopus: 2-s2.0-74049103479.

24. Shacham, Waters. Compact proofs of retrievability. Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT ′08), Melbourne, Australia, December 2008. Lecture Notes in Computer Science, vol. 5350, Springer, 2008, pp. 90-107. DOI: 10.1007/978-3-540-89255-7_7. Scopus: 2-s2.0-58349118819. MR2546090.

25. Shah M. A., Baker M. M., Mogul J. C., Swaminathan. Auditing to keep online storage services honest. Proceedings of the 11th USENIX Workshop on Hot Topics in Operating Systems (HOTOS ′07), 2007, Berkeley, Calif, USA, USENIX Association, pp. 1-6.

26. Wang, Chow S. M., Wang, Ren, Lou. Privacy-preserving public auditing for secure cloud storage. IEEE Transactions on Computers, 2013, vol. 62, no. 2, pp. 362-375. DOI: 10.1109/tc.2011.245. Scopus: 2-s2.0-84861959172. MR3007637.

27. Agrawal, Boneh. Homomorphic MACs: MAC-based integrity for network coding. Proceedings of the 7th International Conference on Applied Cryptography and Network Security (ACNS ′09), Paris-Rocquencourt, France, June 2009. Springer, 2009, pp. 292-305.