Sage Journals: Discover world-class research

Abstract

The smart grid is considered to be the next-generation electric power network. In a smart grid, there are massive data to be processed, so cloud computing is introduced into it to form a cloud-based smart grid data management system. However, with data no longer being stored locally, how to ensure the integrity of data stored in the cloud in the smart grid has become an urgent problem awaiting solution. Provable data possession has been proposed to solve this problem. With the development of quantum computer technology, quantum attacks-resistant cryptographic schemes are gradually entering people’s horizons. Lattice cryptography can resist quantum attacks. In this article, a lattice-based provable data possession scheme is proposed for cloud-based smart grid data management systems. The scheme is proved unforgeable under the small integer solution hard assumption in the standard model. Compared with other two efficient lattice-based provable data possession schemes in the standard model, our scheme also shows efficiency.

Keywords

Cloud storage lattice-based cryptography provable data possession smart grid standard model

Introduction

In recent years, the smart grid has gained more and more attention from many countries, and a great number of smart grid projects have been launched around the world.¹ A smart grid is a new type of modern power grid integrating the advanced sensing measurement technology, information and communication technology, automatic control technology, analysis and decision technology, and energy power technology with grid infrastructure. As the next-generation electric power network, it is aimed to achieve reliability, security, economy, efficiency, environment friendliness as well as use safety.

A smart grid relies on the Internet of Things (IoT) technology. The core technologies of IoT cover the awareness of physical state, information representation, information transmission, and information processing, ranging from the sensor network to the upper application systems. In the aspects of communication, security, and the upper application of smart grid information system, IoT plays an important role. The sensor network technology can be used in the data and information acquisition of smart meters; the real-time and security communication technology can be used for the transmission of smart grid operation parameters, so that the operational data and power load data of the smart grid can be transmitted in real-time; the data storage and information representation technology can be used to store, manage, query, and organize huge amounts of data of the smart grid; and the distributed data processing and task scheduling technology can be used for the security and stability analysis of the smart grid and the real-time deployment of energy after new energy integration. In a word, IoT has turned the power system from a relatively closed and self-contained control system into one that is part of a digital environment, which has not only improved the stability of the smart grid, but also made new energy sources such as wind power and nuclear power more easily integrated into the smart grid for unified planning and scheduling.

Nowadays, cloud computing provides users with massive computing and storage resources. Users can use it at a low cost without having to buy local equipment, saving a large amount of hardware, software, and maintenance costs. For cloud computing, the National Institute of Standards and Technology (NIST) defines three types of cloud services, that is, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). IaaS provides virtual machines or other infrastructure services such as storage resources; PaaS provides development platforms including software development kits, documentation, and testing environment; and SaaS provides application software based on cloud infrastructure, which users can use directly through browsers, and so on. At present, the research hotspots of cloud computing include job scheduling,² cloud-based service broker routing policy,³ and so on.

In a smart grid, there are a large number of sensors deployed, exponentially increasing the collected data and thus greatly enlarging the data storage requirement. To deal with this issue, people combine the smart grid with cloud computing to form cloud-based smart grid data management systems.⁴

In terms of the security of cloud-based systems, Gou et al.⁵ analyzed various security issues and challenges in the cloud computing environment, which involve security policies, user-oriented security, data storage security, application security, and network security. In this article, we mainly focus on the data storage security.

In a cloud-based smart grid data management system, data are no longer stored locally. But if these data are changed intentionally or unintentionally without being detected in time by users, it will bring serious consequences to the operation of the smart grid. Therefore, ensuring the integrity of the data stored in the cloud in the smart grid has become an urgent problem awaiting solution. Ateniese et al.⁶ studied integrity checking for the first time. They put forward the concept of provable data possession (PDP) and proposed two concrete schemes. In their model, users can be ensured that their data are intact in the cloud without having to download the data from the cloud. It is a lightweight integrity probabilistic checking model. In their first scheme, if a file is divided into 10,000 blocks, of which 1% are tampered with, a user will be able to detect the change at a probability of 99% by just randomly selecting 460 blocks (4.6%) as the audit request. Following Ateniese et al.’s pioneering work, many other PDP schemes^7,8 were proposed. To address the integrity of cloud-based smart grid data management systems, He et al.⁴ proposed a certificateless PDP scheme. However, Zhou⁹ later pointed out that He et al.’s scheme is insecure as a malicious cloud can cheat the users. In addition, He et al.’s scheme relies on the random oracle model¹⁰ and cannot withstand the quantum computer attacks.¹¹

Our contributions

We propose a security model of the PDP scheme and summarize its security requirements.

We propose a quantum attack-resistant PDP scheme based on lattice for cloud-based smart grid data management systems and prove its unforgeable security in the standard model. We also show that the proposed scheme can satisfy other security requirements.

We compare our scheme with other two quantum attack-resistant PDP schemes in the standard model to show that our scheme is also efficient.

The rest of the article is organized as follows. In section “Related works,” we review some related work. In section “Preliminaries,” we describe some preliminaries about lattice. In section “Definition and security requirements of PDP,” we introduce the definition and security requirements of PDP. In section “The scheme,” we propose a concrete PDP scheme based on lattice. In section “Analyses of the scheme,” we analyze the security and efficiency of the proposed scheme. We conclude the article in section “Conclusion.”

Related works

In 2007, Ateniese et al.⁶ pioneered the idea of PDP and proposed two concrete schemes. However, their schemes only support private audit, that is, only cloud users can audit the data stored in the cloud, because in the audit process, some private information must be used. Later, Wang et al.¹² put forward a public audit scheme. They removed the private information in the audit process, so that anyone can audit the data stored in the cloud. In this way, users can delegate their audit work to a third-party auditor (TPA) to reduce the burden of their own and the TPA can prove the data corruption to the court when a dispute occurs. Furthermore, Wang et al.¹³ pointed out that TPA can reveal users’ data by solving enough linear equations in scheme [12] and proposed a privacy-preserving public PDP scheme by introducing random numbers.

All the above PDP schemes were proposed in the random oracle model, which, however, is just an ideal model. There is no random oracle in reality, and the random oracles are often replaced by some concrete hash functions in the real world. Some studies¹⁰ have shown that schemes secure in the random oracle model will not be still secure when the random oracles are replaced by concrete hash functions. To deal with this issue, Zhang et al.¹⁴ proposed an efficient identity-based public PDP scheme in the standard model (without relying on the random oracle model).

With the rapid development of the quantum computer technology, all schemes based on factoring, discrete log, or bilinear pairings have become insecure under quantum computers, but schemes based on lattice can resist quantum computer attacks.¹⁵ In 2016, NIST initiated a process to solicit, evaluate, and standardize post-quantum cryptographic algorithms around the world, marking the beginning of the post-quantum era. To deal with this issue, Xu et al.¹⁶ proposed a lattice-based public PDP scheme. However, their scheme relies on the random oracle model. Chen et al.¹⁷ proposed an efficient lattice-based PDP scheme in the standard model, which is based on the ideal lattice hard problem. Recently, Yang et al.¹⁸ also proposed an efficient lattice-based PDP scheme in the standard model, which is based on the Ring Learning with Errors (RLWEs) hard problem. However, lattice with special structures such as ideal lattice and RLWE lattice is less secure than that without special structures.¹⁹ Therefore, all the above schemes are not suitable for cloud-based smart grid data management systems.

In 2018, He et al.⁴ proposed a certificateless PDP scheme for cloud-based smart grid data management systems. Thereafter, Zhou⁹ pointed out that He et al.’s scheme⁴ is not secure as a malicious cloud can cheat users. Furthermore, He et al.’s scheme is not quantum attack-resistant and is reliant on the random oracle model.

Preliminaries

In this section, we will give some definitions, theorems, and hard problem of lattice. The definitions will help the readers understand the concept of lattice better. The theorems show the existence of the algorithms TrapGen and SamplePre, which will be used in the design of our scheme. The hard problem will be used in the unforgeable proof of our scheme.

Notation

The lower-case letters denote the column vectors and the upper-case letters denote the matrices. $\tilde{A}$ denotes the Gram–Schmidt orthogonalization of $A$ . $| | a | |$ denotes the Euclidean norm of $a$ and $| | A | |$ denotes the largest Euclidean norm of the column vectors in $A$ .

Lattice

Definition 1

A lattice is a discrete additive subgroup of $R^{m}$ .²⁰ It can be expressed as $Λ = L (b_{1}, b_{2}, . . ., b_{n}) = {\sum_{i = 1}^{n} z_{i} b_{i} | z_{i} \in Z}$ , where ${b_{1}, b_{2}, . . ., b_{n}} \in R^{m}, m \geq n$ are $n$ linearly independent vectors, which are called the basis of the lattice. The integers $n$ and $m$ are the rank and dimension of the lattice, respectively. If $n = m$ , the lattice is called a full rank lattice.

Q-ary lattices

Definition 2

Given a matrix $A \in Z_{q}^{n \times m}$ and a vector $u \in Z_{q}^{n}$ , define $Λ_{q}^{⊥} (A) = {e \in Z^{m} | Ae = 0 mod q}$ and $Λ_{q}^{u} (A) = {e \in Z^{m} | Ae = u mod q}$ .²⁰

Discrete Gaussian distribution

Definition 3

For a parameter $σ > 0$ and a vector $c \in R^{m}$ , the Gaussian function on $R^{m}$ centered at $c$ is defined as $\forall x \in R^{m}, ρ_{σ, c} (x) = \exp (- π | | x - c | |^{2} / σ^{2})$ .²⁰

The discrete Gaussian distribution over $Λ$ centered at $c$ with standard deviation $σ$ is defined as $D_{Λ, σ, c} (x) = ρ_{σ, c} (x) / \sum_{v \in Λ} ρ_{σ, c} (v)$ , where $x \in Λ$ .

Trapdoor functions

Theorem 1

Let $n, m, q$ be the positive integers, $m \geq 6 n \log q$ . There is a probabilistic polynomial time (PPT) algorithm $TrapGen$ , which outputs the two matrices $(A, T) \in Z_{q}^{n \times m} \times Z^{m \times m} \leftarrow TrapGen (q, n, m)$ , so that $A$ is statistically close to a uniform matrix in $Z_{q}^{n \times m}$ and $T$ is a basis for $Λ_{q}^{⊥} (A)$ satisfying $| | \tilde{T} | | \leq O (\sqrt{n \log q})$ and $| | T | | \leq O (n \log q)$ .²⁰

Theorem 2

On input $A \in Z_{q}^{n \times m}$ , a basis $T$ of $Λ_{q}^{⊥} (A)$ , $u \in Z_{q}^{n}$ and $σ \geq \tilde{| | T} | | ω (\sqrt{\log m})$ , there is a PPT algorithm $Sample \Pr e$ , which outputs a $e \in Z^{m}$ so that $| | e | | \leq σ \sqrt{m}$ and $Ae = u mod q$ .²⁰

Hard lattice problem

The security of our lattice-based PDP scheme relies on the hardness assumption of the small integer solution (SIS) problem.

Definition 4

SIS problem:²⁰ given $n, m, q, β$ , and a random matrix $A \in Z_{q}^{n \times m}$ , one must find a non-zero vector $v \in Z^{m}$ so that $Av = 0 mod q$ and $| | v | | \leq β$ .

Definition and security requirements of PDP

In this section, we will give the algorithm constitution and design goals of PDP.

Definition of PDP

There are three participants in a PDP scheme, that is, Cloud server, Cloud user, and TPA, as illustrated in Figure 1. The process of PDP is as follows.

Figure 1.

System model of PDP.

A user first divides his data to $n$ blocks and uses his private key to produce a tag for each block. Then, he uploads all the data blocks along with the tags to the cloud and deletes them locally. To ensure the data blocks are intact in the cloud, the user delegates TPA to audit the data blocks stored in the cloud periodically. In the audit process, TPA randomly selects part of the data blocks for auditing. He sends the index numbers of the selected blocks and some randomly selected values to the cloud. The cloud produces a proof of these data blocks using the selected data blocks, received random values and corresponding tags, and sends the proof to TPA. Then, TPA checks whether the proof can pass a verification equation in advance.

A PDP scheme consists of the following four algorithms:

$Setup (1^{k})$ : given a security parameter $1^{k}$ , it generates a public/private key pair $(pk, sk)$ .

$TagSign (sk, i, m_{i})$ : on input private key $sk$ , index $i$ of file block $m_{i}$ , and file block $m_{i}$ , it generates a tag $t_{i}$ of $m_{i}$ . It is run by the cloud user.

$\Pr oofGen (pk, m_{i}, t_{i}, chal)$ : on input public key $pk$ , file blocks $m_{i}' s$ , tags $t_{i}' s$ , and a challenge $chal$ , which contains a random index subset $I$ of total file blocks and random value set $W$ , it generates a proof of data possession $V$ . It is run by the cloud server.

$Verify \Pr oof (pk, V, chal)$ : on input public key $pk$ , proof $V$ , and challenge $chal$ , it evaluates if $V$ is a correct proof of data possession for the blocks determined by $chal$ . For public audit, it is run by TPA.

Design goals of PDP

Unforgeablity: the PDP scheme must be existentially unforgeable against the adaptive chosen message attacks. The formal definition will be given in section “Analyses of the scheme.”

Public auditability: it does not need any private information when auditing the cloud. Therefore, users can delegate their audit tasks to TPA to release their own burden and prove the data corruption to the court when a dispute occurs.

Privacy preserving: TPA should not deduce the users’ data by solving the linear equations when it audits the cloud.

The scheme

The scheme includes the following four algorithms. In the Setup algorithm, some common parameters are produced. In the TagSign algorithm, user produces a tag for each file block. Then, he transmits the file blocks along with the tags to the cloud and deletes them locally. In the ProofGen algorithm, TPA sends an audit request to the cloud and then the cloud responds a proof of data being intact to TPA. In the VerifyProof algorithm, TPA verifies the correctness of the proof. If it is correct, TPA can be sure that the data are intact.

Setup: the cloud user runs the $TrapGen (q, n, m)$ algorithm to generate a uniform matrix $A \in Z_{q}^{n \times m}$ and a basis $T_{A} \in Z^{m \times m}$ of $Λ_{q}^{⊥} (A)$ so that $| | {\tilde{T}}_{A} | | \leq O (\sqrt{n \log q})$ . Similarly, the cloud server runs the $TrapGen (q, n, m)$ algorithm to generate a uniform matrix $Q \in Z_{q}^{n \times m}$ and a basis $T_{Q} \in Z^{m \times m}$ of $Λ_{q}^{⊥} (Q)$ so that $\tilde{| | T_{Q} | |} \leq O (\sqrt{n \log q})$ . The cloud user chooses $2 l + 2$ linearly independent vectors $c_{0}, c_{1}, \dots, c_{l}, d_{0}, d_{1}, \dots, d_{l} \in Z^{m}$ randomly and produces a hash function $H : Z \to {0, 1}^{l},$ where $l$ is the bit length of a file block. The public parameters are $pk = (A, Q, c_{0}, c_{1}, . . ., c_{l}, d_{0}, d_{1}, . . ., d_{l})$ .

TagSign: the message file is divided into $r$ blocks $μ_{i} \in {0, 1}^{l}, i = 1, 2, . . ., r$ , and $i \in Z$ is the index of $μ_{i}$ . For every block $i$ , the cloud user computes $η_{i} = H (i) \in {0, 1}^{l}$ , $u_{i} = c_{0} + \sum_{j = 1}^{l} (μ_{i} [j] \cdot c_{j}) + d_{0} + \sum_{j = 1}^{l} (η_{i} [j] \cdot d_{j}) \in Z^{m}$ , and $u_{i}^{'} = Q u_{i} \in Z_{q}^{n}$ . Then, the cloud user computes $e_{i} \leftarrow Sample \Pr e (A, T_{A}, u_{i}^{'}, σ) \in Z^{m}$ , where $σ = s ((1 + \sum_{j = 1}^{l} μ_{i} [j]) / (l + 1))$ . The cloud user outputs $(μ_{i}, e_{i}), i = 1, 2, . . ., r$ to the cloud server. The cloud server can verify the correctness of these tags by $A e_{i} = u_{i}^{'} mod q$ and $| | e_{i} | | \leq s ((1 + \sum_{j = 1}^{l} μ_{i} [j]) / (l + 1)) \sqrt{m}$ .

ProofGen: to confirm the data in the cloud are intact, TPA selects a subset $J = {i_{1}, i_{2}, . . ., i_{c}}$ of set ${1, 2, . . ., r}$ and random elements $w_{j} \in Z_{q}^{*}, j = i_{1}, i_{2}, . . ., i_{c}$ . TPA sends $(j, w_{j}), j = i_{1}, i_{2}, . . ., i_{c}$ to the cloud server. Then, the cloud server selects $v \in Z_{q}^{n}$ randomly. The cloud server computes $b \leftarrow Sample \Pr e (Q, T_{Q}, v, σ) \in Z^{m}$ , $s = \sum_{k = i_{1}}^{i_{c}} w_{k} e_{k} \in Z^{m}$ , and $t = b + \sum_{k = i_{1}}^{i_{c}} (w_{k} \sum_{j = 1}^{l} (μ_{k} [j] \cdot c_{j})) \in Z^{m}$ . The cloud server sends $(s, t, v)$ to TPA.

VerifyProof: TPA verifies whether the equation $As = \sum_{k = i_{1}}^{i_{c}} w_{k} Q (c_{0} + d_{0}) + Qt - v + \sum_{k = i_{1}}^{i_{c}} (w_{k} Q \sum_{j = 1}^{l} (η_{k} [j] \cdot d_{j}))$ holds true or not.

Analyses of the scheme

Security model of PDP

In the following, we will give the security model of PDP, which will be used in the unforgeable security proof of our scheme.

The unforgeable security of a PDP scheme is defined through an interactive game between an adversary $A$ and a challenger $C$ . The game consists of the following stages:

Setup: the challenger $C$ runs the setup algorithm to generate a public/private key pair $(pk, sk)$ . $C$ gives $pk$ to $A$ and keeps $sk$ secret.

Query: $A$ can make $TagSign$ queries adaptively: $A$ selects a file block $m_{i}$ and sends it to $C$ . $C$ runs the $TagSign$ algorithm to generate a tag of block $m_{i}$ and sends it back to $A$ .

Challenge: $C$ generates a challenge $(I, W)$ and sends it to $A$ , where $I$ is a subset of index numbers of file blocks and $W$ is a set of random numbers.

Forge: $A$ generates a proof $V$ for $(I, W)$ and returns $V$ to $C$ .

If $V$ can pass the $VerifyProof$ algorithm and at least one query of $TagSign (sk, i, m_{i})$ does not happen, where $i \in I$ , $A$ wins the game.

Definition 5

A PDP scheme is secure if for any PPT adversary $A$ , the probability that $A$ wins the above game is negligible.

Security theorem

According to the above security model of PDP, we prove that our scheme is unforgeable assuming that the SIS problem is hard.

Theorem 3

In the standard model, if there is an adversary $A$ that can break the unforgeability of the above scheme with probability $ε$ , then the SIS problem can be solved with $ε^{'} = (1 - 2^{- ω (\log n)}) ε$ .

Proof

Given a random instance $SI S_{(n, m, q, 2 s)} = (A, n, m, s)$ , where $A \in Z_{q}^{n \times m}$ , the challenger $C$ is asked to find a short vector $e$ satisfying $Ae = 0 mod q$ and $| | e | | \leq 2 s \sqrt{m}$ , $e \in Z^{m}$ .

$Setup$ : $C$ runs $(Q, T_{Q}) \leftarrow TrapGen (q, n, m)$ . $C$ chooses $e_{i}^{'}$ and $e_{i}^{″}$ from $D_{Z^{m}, s / (l + 1), 0}$ for $i = 0, 1, . . ., l$ , where $l$ is the bit length of a file block. Then, $C$ computes $c_{i}^{'} = {Ae}_{i}^{'} mod q$ and $d_{i}^{'} = {Ae}_{i}^{″} mod q$ . $C$ computes vectors $c_{0}, c_{1}, . . ., c_{l} \in Z^{m}$ so that $Q c_{i} = c_{i}^{'} mod q$ , $i = 0, 1, . . ., l$ and vectors $d_{0}, d_{1}, . . ., d_{l} \in Z^{m}$ so that $Q d_{i} = d_{i}^{'} mod q$ , $i = 0, 1, . . ., l$ . $C$ publishes $pk = (A, Q, c_{0}, c_{1}, . . ., c_{l}, d_{0}, d_{1}, . . ., d_{l})$ .

$TagSign$ queries: $A$ produces a message block $μ_{i} \in {0, 1}^{l}$ and the index $i \in Z$ of $μ_{i}$ . $C$ computes $e_{i} = e_{0}^{'} + \sum_{j = 1}^{l} (μ_{i} [j] \cdot e_{j}^{'}) + e_{0}^{"} + \sum_{j = 1}^{l} (η_{i} [j] \cdot e_{j}^{"}) \in Z^{m}$ as the tag. From the adversary’s point of view, $e_{i}$ is a valid tag of $μ_{i}$ .

$Challenge$ : $C$ selects a subset $J = {i_{1}, i_{2}, . . ., i_{c}}$ of set ${1, 2, . . ., r}$ and random elements $w_{j} \in Z_{q}^{*}, j = i_{1}, i_{2}, . . ., i_{c}$ . $C$ sends $(j, w_{j}), j = i_{1}, i_{2}, . . ., i_{c}$ to $A$ .

$Forge$ : $A$ generates a forged proof $(s, t, v)$ for $(j, w_{j}), j \in J$ . According to Definition 5, at least one query of $TagSign (sk, i, μ_{i})$ must not happen, that is, $A$ generates a forged tag $e_{i}$ for file block $μ_{i}$ . If the forged tag is valid, then $A e_{i} = u_{i}^{'} mod q$ must hold. For the same file block $μ_{i}$ , $C$ computes $\bar{e_{i}} = e_{0}^{'} + \sum_{j = 1}^{l} (μ_{i} [j] \cdot e_{j}^{'}) + e_{0}^{''} + \sum_{j = 1}^{l} (η_{i} [j] \cdot e_{j}^{''}) \in Z^{m}$ . Then, $A \bar{e_{i}} = u_{i}^{'} mod q$ . If $\bar{e_{i}} = e_{i}$ , then $C$ aborts, or else we have $A (\bar{e_{i}} - e_{i}) = 0 mod q$ and $| | \bar{e_{i}} - e_{i} | | \leq 2 s ((1 + \sum_{j = 1}^{l} μ_{i} [j]) / (l + 1)) \sqrt{m} \leq 2 s \sqrt{m}$ , that is, $C$ solves the SIS problem. The min-entropy of $SamplePre$ is $ω (\log n)$ .²¹ Therefore, the probability of $\bar{e_{i}} \neq e_{i}$ is $1 - 2^{- ω (\log n)}$ .

Other design goals

Some common design goals include public auditability and privacy preserving:

Public auditability: the public auditability of our scheme is evident. In our $VerifyProof$ algorithm, TPA does not need any private information in the verification equation, which means anyone can audit the data.

Privacy preserving: TPA should not deduce the users’ data by solving the linear equations when it audits the cloud. In our $ProofGen$ algorithm, the cloud server sends proof $(s, t, v)$ to TPA. Note that $t = b + \sum_{k = i_{1}}^{i_{c}} (w_{k} \sum_{j = 1}^{l} (μ_{k} [j] \cdot c_{j})) \in Z^{m}$ contains the original data blocks. If TPA selects the same index set of data blocks for audit $c$ times, he can get $c$ equations. However, $b$ is unknown to him. The number of unknown variables is always greater than the number of equations. Therefore, he cannot reveal the user’s data blocks by solving the linear equations.

Efficiency

In this section, we will evaluate the efficiency of our scheme. Only efficient scheme has practical value. To the best of our knowledge, there have been only two lattice-based PDP schemes in the standard model till now, that is, schemes [17] and [18]. We compare the costs of computation, storage, and communication of our scheme with those of the other two. The computation cost of the $SamplePre$ algorithm is equivalent to the cost of about $m^{2} + 2 mn$ multiplications in $Z_{q}$ when the parity check matrix belongs to $Z_{q}^{n \times m}$ .²² The comparisons are listed in Tables 1 and 2, where $c$ denotes the number of audited blocks, and $l$ denotes the bit length of a file block.

Table 1.

Computation costs.

Schemes	TagSign	ProofGen	VerifyProof
[17]	$m n^{2}$	$2 cm n^{2}$	$m n^{2}$
[18]	$m^{2} + 2 mn + n^{2} m^{2}$	$2 cm (n^{2} + n)$	$n^{2} m + cnm$
Our scheme	$m^{2} + 3 mn$	$m^{2} + 2 (n + c) m$	$(c + 1) (m + 1) n + nm$

Note: n and m are of the same meaning as in the scheme, and c denotes the number of audited blocks.

Table 2.

Storage and communication costs.

Schemes	Pk + Sk	Tag-Length	Proof-Length
[17]	$mn \log q$	$nm \log q$	$2 nm \log q$
[18]	$3 nm \log q$	$nm \log q$	$2 nm \log q$
Our scheme	2(n+m+l+1) $m \log q$	$m \log q$	$(2 m + n) \log q$

Note: n, m, and q are of the same meaning as in the scheme, and $l$ denotes the bit length of a file block.

To provide more direct comparisons, we take $n$ = 391, $q$ = 2.34e + 10, $m$ = 71,380 for our scheme (non-ideal lattice) and $n$ = 256, $q$ = 7.21e + 16, $m$ = 2204 for schemes [17] and [18] (ideal lattice).²³ With these parameters adopted, its security level is about equivalent to that of 88-bit symmetric key cryptosystem. In addition, we take $l = 160$ . Therefore, we get Tables 3 and 4. From Table 3, we can get Figure 2 for cloud server’s running time and Figure 3 for TPA’s running time.

Table 3.

Computation costs (multiplications in $Z_{q}$ ).

Schemes	TagSign	ProofGen	VerifyProof
[17]	$1.44 e 8$	$c \times 2.88 e 8$	$1.44 e 8$
[18]	$3.18 e 11$	$c \times 2.9 e 8$	$1.44 e 8 + 5.6 e 5 \times c$
Our scheme	$5.18 e 9$	$5.1 e 9 + (391 + c) \times 1.4 e 5$	$(c + 2) \times 2.8 e 7$

Note: c denotes the number of audited blocks, and e denotes 10. The number behind e denotes the exponent.

Table 4.

Storage and communication costs (bit).

Schemes	Pk + Sk	Tag-Length	Proof-Length
[17]	$3.16 e 7$	$3.16 e 7$	$6.32 e 7$
[18]	$9.48 e 7$	$3.16 e 6$	$6.32 e 7$
Our scheme	$1.77 e 11$	$2.46 e 6$	$4.93 e 6$

Note: e denotes 10. The number behind e denotes the exponent.

Figure 2.

cloud server’s running time.

Figure 3.

TPA’s running time.

From Table 3, we can see that scheme [17] is the most efficient one in the $TagSign$ stage. From Table 4, we can see that scheme [17] is the most efficient one in the storage of $Pk + Sk$ and that ours is the most efficient one in the storage of $Tags$ and the communication of $Tags$ and $Proof$ . From Figure 2, we can see that ours is the most efficient one in cloud server’s running time ( $ProofGen$ stage). And according to Figure 3, scheme [17] is the most efficient one in TPA’s running time ( $VerifyProof$ stage). Therefore, it can be concluded that our scheme is efficient.

Conclusion

To resist quantum computer attacks, a lattice-based PDP scheme is proposed for cloud-based smart grid data management systems to ensure the integrity of cloud data. We prove that the scheme is secure under the SIS assumption in the standard model, and performance analysis shows that the scheme is efficient.

Footnotes

Acknowledgements

The authors thank Ms Yan Di for checking the article.

Handling Editor: Miguel Acevedo

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the Scientific and Technological Research Project of Jiangxi Provincial Education Department of China under grant GJJ201807, the National Natural Science Foundation of China under grant 62041603, and the key Project of Jiangxi Provincial Natural Science Foundation of China under grant 20202ACBL202005.

ORCID iD

Caixue Zhou

References

Zhang

Chen

Gao

WJ.

A survey on the development status and challenges of smart grids in main driver countries. Renew Sustain Energ Rev 2017; 79: 137–147.

Jami

Munir

Current trends in cloud computing for data science experiments. Int J Cloud Appl Comput 2021; 11(4): 80–99.

Manasrah

Aldomi

Gupta

BB.

An optimized service broker routing policy based on differential evolution algorithm in fog/cloud environment. Clust Comput 2019; 22: 1639–1653.

Kumar

Zeadally

, et al. Certificateless provable data possession scheme for cloud-based smart grid data management systems. IEEE Trans Ind Inform 2018; 14(3): 1232–1241.

Gou

Yamaguchi

Gupta

BB.

Analysis of various security issues and challenges in cloud computing environment: a survey. In: Gupta

Agrawal

Yamaguchi

(eds) Handbook of research on modern cryptographic solutions for computer and cyber security. Hershey, PA: IGI Global, 2016, pp.393–419.

Ateniese

Burns

Curtmola

, et al. Provable data possession at untrusted stores. In: Proceedings of the 2007 ACM conference on computer and communications security (CCSP), Alexandria, VA, 28–31 October 2007, pp.598–609. New York: ACM.

Kang

Wang

Shao

DY.

Certificateless public auditing with privacy preserving for cloud-assisted wireless body area networks. Mob Inform Syst 2017; 2017: 2925465.

Yang

Sinnott

RO.

Decentralized big data auditing for smart city environments leveraging blockchain technology. IEEE Access 2018; 7: 6288–6296.

Zhou

CX.

Security analysis of a certificateless public provable data possession scheme with privacy preserving for cloud-based smart grid data management system. Int J Netw Secur 2020; 22(4): 584–588.

10.

Canetti

Goldreich

Halevi

The random oracle methodology, revisited. J ACM 2004; 51(4): 557–594.

11.

Shor

Polynomial-time algorithms for prime factorization and discrete logarithms in a quantum compute. SIAM J Comput 1997; 26(5): 1484–1509.

12.

Wang

, et al. Enabling public verifiability and data dynamic for storage security in cloud computing. In: Proceedings of the 14th European symposium on research in computer security (ESORICSP), Saint-Malo, 21–23 September 2009, pp.355–370. New York: Springer.

13.

Wang

Ren

, et al. Privacy-preserving public auditing for data storage security in cloud computing. In: Proceedings of the 29th IEEE international conference on computer communications (INFOCOM), San Diego, CA, 14–19 March 2010, pp.525–533. New York: IEEE.

14.

Zhang

Mao

IPad: ID-based public auditing for the outsourced data in the standard model. Clust Comput 2016; 19(1): 127–138.

15.

Peikert

A decade of lattice cryptography. Found Trend Theor Comput Sci 2016; 10(4): 283–424.

16.

Feng

Liu

. Public verifiable proof of storage protocol from lattice assumption. In: Proceedings of the 2012 IEEE international conference on intelligent control, automatic detection and high-end equipment (ICADE 2012), Beijing, China, 27–29 July 2012, pp.133–137. New York: IEEE.

17.

Chen

Han

Jing

, et al. A post-quantum provable data possession protocol in cloud. Secur Commun Netw 2013; 6(5): 658–667.

18.

Yang

Huang

Chen

Secure cloud storage based on RLWE problem. IEEE Access 2018; 7: 27604–27614.

19.

Cramer

Ducas

Peikert

, et al. Recovering short generators of principal ideals in cyclotomic rings. In: Proceedings of the 35th annual international conference on advances in cryptology: part II (EUROCRYPT 2016), Vienna, 8–12 May 2016, pp.559–585. New York: Springer.

20.

Yao

Zhang

, et al. Lattice based signature with outsourced revocation for multimedia social networks in cloud computing. Multimed Tool Appl 2019; 78(3): 3511–3528.

21.

Wang

Zhang

Gupta

, et al. An identity-based signcryption on lattice without trapdoor. J Univ Comput Sci 2019; 25(3): 282–293.

22.

Yan

Wang

, et al. Attribute-based signcryption from lattices in the standard model. IEEE Access 2019; 7: 56039–56050.

23.

Ruckert

Schneider

Estimating the security of lattice-based cryptosystems, 2010, http://eprint.iacr.org/2010/137.pdf

Lattice-based provable data possession in the standard model for cloud-based smart grid data management systems

Abstract

Keywords

Introduction

Our contributions

Related works

Preliminaries

Notation

Lattice

Definition 1

Q-ary lattices

Definition 2

Discrete Gaussian distribution

Definition 3

Trapdoor functions

Theorem 1

Theorem 2

Hard lattice problem

Definition 4

Definition and security requirements of PDP

Definition of PDP

Design goals of PDP

The scheme

Analyses of the scheme

Security model of PDP

Definition 5

Security theorem

Theorem 3

Proof

Other design goals

Efficiency

Conclusion

Footnotes

Acknowledgements

Declaration of conflicting interests

Funding

ORCID iD

References