Sage Journals: Discover world-class research

Abstract

Deduplication has been widely applied to save storage overhead in the cloud server. Data integrity verification with deduplication can not only save space of the cloud server but also ensure security of the stored data. In the existing integrity verification scheme, deduplications are implemented by the cloud server. The signatures of all data blocks are generated and sent to the cloud server. Once receiving the data blocks and signatures, the cloud server compares the received signatures with the stored signatures. If there is a signature that has the same value as some stored signature, the received signature and data block will not be stored by the cloud server. Otherwise, the cloud server stores all received signatures and data blocks. In fact, these operations bring a lot of computational costs. To solve this problem, we propose a data integrity verification scheme with deduplication. In this scheme, the deduplication is performed by the cloud users, which can avoid additional communicational and computational costs. The experiment evaluation indicates that our scheme is practical for real application scenario. We demonstrate that the proposed scheme satisfies signature unforgeability, and the malicious users cannot obtain any legitimate file from the cloud server in the form of deception.

Keywords

Data integrity verification dynamic deduplication public checking homomorphic composability homomorphic verifiability

Introduction

Cloud service platform is becoming more and more popular because it is regarded as a promising technique to relieve burden of the cloud users’ local hardware and software maintenance.¹ However, remote storage does not come without security issues. The essence of cloud storage is to delegate validation steps to a public auditor. It brings the security problems in terms of integrity, availability, and privacy of file. Therefore, it is especially crucial for the cloud users to guarantee that their data blocks are kept correctly since they do not hold these data locally.

To address security issues of the remote data, a number of cryptographic mechanisms have been proposed, such as proof of data possession,^2–5 proof of storage (POS),⁶ and proof of retrievability (POR).^7–11 These schemes allow the cloud users to validate integrity of remote data blocks that are stored on the cloud server. The users divide their files into multiple data blocks and store these blocks on the cloud server. Periodically, the cloud users initiate integrity verification challenges. Then, the cloud server makes responses for the challenges and sends the responses back to the cloud users. These schemes are mainly to improve the security of cloud storage.

For cloud storage efficiency, Harnik et al.¹² introduced a deduplication technique to save the storage space. The deduplication mechanism has become a popular practice for cloud service providers (CSPs). This is necessary when there are multiple data copies in the cloud server (only $25 %$ of data is unique¹³). Thus, the cloud server can save storage space by keeping a single data file regardless of the number of users who own it. The data deduplication mechanism is regarded as the most influential storage technique.¹² Especially, the data block deduplication can achieve a better result than the file deduplication, because there may be the same data blocks in different files. In cloud server, the file is stored in the form of data blocks, thus the data block deduplication has a great significance. Therefore, the data block deduplication which supports update operation of block is considered in our data integrity verification scheme.

The main purpose of the deduplication scheme is to improve storage efficiency of the cloud server, and the main task of the integrity verification is to ensure the security of the stored data. In order to adapt to the needs of cloud users, the deduplication and the integrity verification are combined. In the existing integrity verification scheme with deduplication, the deduplication operation is performed by the cloud server. The data owner generates the signatures of all data blocks and stores the signatures and blocks on the cloud server. The cloud server checks whether a data block is a duplicate according to signature of this data block. If the signature of the data block is the same as a previously stored signature, then the data block is a duplicate. The cloud server does not store the data block and its signature. If the signature of the data block is not the same as all previously stored signatures, the cloud server would store the data block and its signature. In fact, the data owner needs to generate signatures of all the data blocks and sends the signatures and data blocks on the cloud server, which needs additional communication consumption and computation consumption.

To solve this problem, we propose an integrity verification scheme with deduplication. In this scheme, the deduplication operation is performed by the data owner. The signatures of data blocks which are stored for the first time are generated by data owner. For the duplicates, the data owner does not need to generate their signatures. Thus, performing deduplication on the user side does not need to compute signature of the duplicate and transfer the signatures and duplicate, which can save a lot of communication and computation costs.

Related work

In the cloud storage platform, the users’ data are outside their control. In order to obtain more benefits, the selfish cloud server may hide the accident of data loss or damage. Many security models had been established to deal with this issue. Ateniese et al.² first proposed provable data possession (PDP) model. In this scheme, the third verifier was allowed to check correctness of the stored data blocks. A fully dynamic PDP model had been established by Erway et al.¹⁴ In this scheme, the data owner was allowed to modify the stored data. In 2012, a proxy PDP scheme and security model had been presented by Wang.¹⁵ At the same time, a cooperative PDP scheme which deals with multicloud storage issue had been proposed by Zhu et al.¹⁶

The first POR scheme¹⁷ had been proposed by Shacham et al. in 2008. In their scheme, the integrity of cloud users’ data can be checked by file owner at any time. In the next year, Ateniese et al.⁶ showed how to establish a POS scheme according to public-key homomorphic linear authenticator. In order to save computing resources of local users, the cloud users usually transfer the correctness validation steps to the third-party auditor (TPA) who can learn nothing about data information. The third-party auditing has wide application in cloud storage.^4,18–20 In Xu and Chang’s²¹ scheme, a private POR scheme was presented by Xu and Zhang. Compared with the mechanism proposed in the scheme,³ this scheme saved communication overheads greatly using polynomial commitment technique introduced in Kate et al.’s²² scheme.

Zheng and Xu²³ showed how to remove the extra copies of the same file in PDP scheme. Data deduplication is an ideal method to eliminate redundant data and minimize storage and network overhead. A private data deduplication protocol had been proposed in 2012.²⁴ This protocol can be regarded as a complement of Halevi et al.’s²⁵ scheme, and it was constructed on the basis of the standard cryptographic assumptions. Yang et al.²⁶ used the technique of spot checking to reduce the computational complexity for users. A secure deduplication storage system that can support keyword search had been presented by Li et al.²⁷ Miao et al.²⁸ proposed a secure multi-server-aided data deduplication protocol, but the protocol did not work when the valid key server was less than $t$ . These schemes mainly considered data deduplication protocol, and data security storage was not mentioned by them.

In order to realize data security storage and deduplication, Yuan et al.²⁹ presented an integrity auditing scheme which was equipped with polynomial commitment. Although this scheme had constant communication complexity and computational cost, the data block update was not considered in this scheme.

Contributions

Motivated by the security storage and data deduplication, we propose a public data integrity verification scheme which supports deduplication. Considering that the data block deduplication is more meaningful than the file deduplication, we choose the data blocks to implement integrity verification and deduplication.

The existing integrity verification scheme with deduplication can support dynamic operation of data block and public verification. In addition to these properties, the proposed scheme achieves the following functions: (1) The secret keys of all data blocks are generated by the group manager according to content of each data block. Thus, signature results for the same data blocks are identical. (2) The deduplication is performed by group manager and group users, which avoids additional computation costs and communication costs. (3) The proposed scheme also supports batch checking, which greatly reduces the validation complexity. (4) The group user independently uses the secret key of a data block to compute signature of this data block without interacting with other group users.

One of the biggest challenges of this scheme is to prevent dishonest users or malicious users from cheating the server. These users attempt to obtain some files that do not belong to them from the cloud server. We establish a challenge–response interaction between the users and cloud server. Once a user sends a file request to the cloud server, the server asks the user to provide information to prove that the file belongs to him. If the information can pass verification of the cloud server, the server creates an access link to the file for the user. Otherwise, the server refuses to create the file link.

Organizations

The remainder of this article is organized as follows: section “Related work” shows some preliminaries used in the proposed scheme. Section “Preliminary” introduces the system model and security goals of our scheme. The detailed construction of the scheme is illustrated in section “System model and security goals.” The security analysis of the scheme is evaluated in Section “Our scheme.” Performance analysis of the proposed scheme is given in section “Security analysis.” Finally, section “Performance analysis” concludes our article.

Preliminary

Preliminary and notation

Denote $G_{1} = 〈 g 〉$ and $G_{2} = 〈 g' 〉$ as two multiplicative cyclic groups with the prime order $p$ . A bilinear pairing is a map $e : G_{1} \times G_{1} \to G_{2}$ :

Bilinearity: $\forall g_{1}, g_{2} \in G_{1}$ and $b_{1}, b_{2} \in Z_{p}^{*}$ , $e (g_{1}^{b_{1}}, g_{2}^{b_{2}}) = e (g_{1}, g_{2})^{b_{1} b_{2}}$

Non-degeneracy: $\exists g_{3}, g_{4} \in G_{1}$ such that $e (g_{3}, g_{4}) \neq 1_{2}$

Computability: $\forall g_{5}, g_{6} \in G_{1}$ , there exists an efficient algorithm to obtain $e (g_{5}, g_{6})$ .

Definition 1. Computational Diffie–Hellman assumption³⁰

For a triple $(g, g^{ς_{1}}, g^{ς_{2}})$ with random integers $ς_{1}, ς_{2} \in Z_{p}^{*}$ , any probability polynomial time (PPT) adversary $A$ has negligible probability to compute $g^{ς_{1} \cdot ς_{2}}$ , which is expressed as

\Pr [A (g, g^{ς_{1}}, g^{ς_{2}}) = g^{ς_{1} \cdot ς_{2}}, ς_{1}, ς_{2} \in Z_{p}^{*}]

Definition 2. Homomorphic verifiability³⁰

We say that a signature mechanism $S$ is $(ζ_{1}, ζ_{2})$ -homomorphic verifiable if

There are two computable functions $ζ_{1}, ζ_{2}$ such that $ζ_{1} : M \times K \to R$ where $R$ denotes some ring, and $ζ_{2} : G \times R \to T$ .

There exists an verification function $ν (pk; m, σ; \overset{\cdot\cdot}{x}, \overset{\cdot\cdot}{y})$ that inputs a message $m$ , a public key $pk$ , a signature $σ$ of message, $\overset{\cdot\cdot}{x} \in G$ , and $\overset{\cdot\cdot}{y} \in T$ .

The function $ν$ outputs 1 if the signature/message pair is correct under the public key $pk$ , otherwise 0.

Definition 3. Homomorphic composability³⁰

We say that a signature mechanism $S$ is $(ζ_{1}, ζ_{2})$ -homomorphic composability if for each data message $m \in M$ and each public/secret key pair $(pk, sk)$ , the signature has the form $σ' = ζ_{2} (g, ζ_{1} (sk, m))$ , which holds

ζ_{2} (g, ζ_{1} (sk, m))^{x} = ζ_{2} (g^{x}, ζ_{1} (sk, m))

where $x$ is a random element in $R$ and $ζ_{2} ()^{x}$ is the exponentiation computation in signature space $T$ .

Wang et al.³⁰ presented two exemplary signature schemes, Boneh–Boyen scheme³¹ and Gennaro–Halevi–Rabin scheme,³² which hold the Definitions 2 and 3. Combined with the actual scene, we choose the Boneh–Boyen signature as the secret key generation algorithm in our scheme.

System model and security goals

System model

The data integrity verification scheme with deduplication involves in four participants, and the system model is shown in Figure 1. The participants include the following: (1) group manager, (2) cloud storage service provider, (3) group members, and (4) the TPA.

Figure 1.

System model.

The specific functions of each component in system model are as follows: (1) the group manager is responsible for generating signature secret key of each data block that is not repeated according to data block’s content. At the same time, the identities of these data blocks are recorded by the group manager. Once a new data block is sent to the manager, the group manager compares the identity of this data block with identities of the stored data blocks. When the group manager finds that this data block is the same as some stored data block, the group manager will inform the data owner that these data block has been stored and he/she does not need to store it again. (2) The cloud storage server has two main functions: (a) the cloud server is responsible for storing the data blocks and their signatures, and there is no similar data block in these blocks; (b) the cloud server accomplishes the integrity verification by the challenge–response interaction with the TPA. That is to say, the cloud server provides the proof information of the stored data blocks for the auditor. (3) The group member is responsible for generating signatures of the data blocks that are not repeated according to signature key assigned by the group manager. For the data replicas, the signature keys are not sent to the group members. Therefore, the group member does not need to calculate signatures of the data replicas. If the group member wants to access the stored data, an access link of the data block for the members will be created by the cloud server. When the group members modify their data blocks, a modification command will be sent to the cloud server. Thus, the stored data blocks and signatures can be updated timely. (4) The TPA is responsible for making a challenge–response interaction with the cloud server to check whether or not the stored data blocks are correct.

Security goals

In our scheme, the following three security goals should be considered: (1) Unforgeability of secret key—the attacker cannot successfully forge the signature secret key. (2) Unforgeability of signature—the attacker or the cloud server may collude to obtain a forged signature when the TPA initiates a challenge to the cloud server. (3) Due to curiosity, the dishonest group users always want to spy other honest users’ data information. Assume that honest user $u$ has already stored his/her file $F$ on the cloud server. The dishonest user $u'$ sends a access request to the cloud server, and then, the cloud server may directly create a pointer link of the file $F$ to $u'$ . Thus, if there is no verification operation, the dishonest user $u'$ can obtain the file $F$ easily. Actually, the user $u'$ is not the owner of file $F$ . In our scheme, we mainly consider the security influence caused by the behavior of all participants, so we suppose that all transmission channels are secure.

Our scheme

In this section, we present the data possession checking protocol with deduplication as follows. Let $n$ be the total number of files owned by group users. Sign each file as $F^{(l)}$ , $1 \leq l \leq n$ . Each file is divided into $r$ data blocks, that is, $F^{(l)} = {f_{1}^{(l)}, f_{2}^{(l)}, \dots, f_{r}^{(l)}}$ . There exist $m$ users $U_{k}, 1 \leq k \leq m$ in the group.

Setup

Denote $\hat{e} : G \times G \to G_{T}$ as a bilinear mapping, $G_{T}$ and $G = 〈 g 〉$ as two cyclic groups, and $p$ as their prime order. The manager chooses a random integer $γ \in Z_{p}^{*}$ and calculates $w = g^{γ}$ . Denote $H : {0, 1}^{*} \to Z_{p}^{*}$ as a hash function that is collision resistant. Sign the group secret key as $gsk = γ$ , the group public key as $gpk = (\hat{e}, G, G_{T}, g, w, H)$ , and the master key as $sk = g^{1 / γ}$ which is shared by the group members secretly.

KeyGen

For user $U_{k}, 1 \leq k \leq n$ who owns a file $F^{(l)} = {f_{1}^{(l)}, f_{2}^{(l)}, \dots, f_{r}^{(l)}}$ , he/she obtains the signature secret key of each data block from the group manager. The group manager computes the signature secret key for each block element $f_{i}^{(l)} (1 \leq i \leq r)$ as

s k_{li} = g^{H ({f_{i}}^{(l)}) / γ}

and the secret key $s k_{li}$ to the $U_{k}$ . The secret key $s k_{li}$ can be validated by $U_{k}$ as the equation

\hat{e} (s k_{li}, w) \overset{?}{=} \hat{e} (g^{H ({f_{i}}^{(l)})}, g)

If the equation holds, receive it, otherwise abandon it.

When the group manager computes the signature secret key of data blocks, he/she records the identity of each data block. If the group manager finds that a data block is the same as some stored data block, he/she informs the data block owner that there is no need to store the data block and does not send the signature secret key to the owner. The detailed process is shown in Figure 2. If there is no replica in the data blocks, the group manager generates the signature secret key $s k_{li}$ for each data block $f_{i}^{(l)}$ , sends the secret key to the owner of $f_{i}^{(l)}$ , and records the identity of each data block. If the group manager finds that the current data block $f_{2}^{(l ″)}$ is the same as a previous data block $f_{r}^{(1)}$ , he/she just sends the identity location information $U_{1} ‖ 1 ‖ r$ of $f_{r}^{(1)}$ to the owner of data block $f_{2}^{(l ″)}$ . Then, the data owner requires the CSP to create a pointer for $f_{2}^{(l ″)}$ without storing it again.

Figure 2.

The generation of signature secret key.

Sign

If there is no duplicate in the data blocks, the group users compute signature of the data blocks and store them on the CSP. The user $U_{k}$ randomly chooses an element $ϖ \in Z_{p}^{*}$ and calculates the signature of each data block in $F^{(l)}$ as

\begin{matrix} η_{i} = ϖ \cdot f_{i}^{(l)} \\ σ_{i} = s k_{li} \cdot s k^{η_{i}} \in G \end{matrix}

Then, the user $U_{k}$ uploads $(f_{i}^{(l)}, σ_{i}), 1 \leq i \leq r$ to the CSP for storage and deletes them locally.

If a data block $f_{i}^{(l')}, 1 \leq i \leq r$ is the same as a stored data block $f_{i'}^{(l)}$ , the owner $U_{k'}$ of $f_{i}^{(l')}$ does not need to compute its signature. Since the data block $f_{i'}^{(l)}$ and its signature have already been stored on the CSP, $U_{k'}$ just needs to send the identity location information of $f_{i'}^{(l)}$ to the CSP. The CSP creates a pointer which points to the identity location of $f_{i'}^{(l)}$ without storing $f_{i}^{(l')}$ .

Challenge

The verifier performs the challenge algorithm for file $F^{(l)}$ as the following steps:

Choose $c$ random data blocks from $f_{i}, 1 \leq i \leq r$ as the challenged data block index set $Q \in [1, r]$ . Here, the element in $Q$ refers to logical index of data block, which denotes the relative position of data block in one file.

Select a random integer $β_{i}, 1 \leq i \leq c$ from $Z_{p}^{*}$ .

Send the challenge vector $C = (F_{name}^{(l)}, Q, β_{i}), i \in Q$ to the CSP.

Response

Once obtaining the challenge vector from the verifier, the CSP makes a response to the challenge.

Aggregate the data blocks

μ = \sum_{i \in Q} β_{i} f_{i}^{(l)} mod p

Aggregate the data signature

σ = \underset{i \in Q}{Π} σ_{i}^{β_{i}} = s k^{\sum_{i \in Q} β_{i} \cdot H (f_{i}^{(l)}) + ϖ \cdot μ} \in T

(1)

Then, the CSP returns the proof vector $(μ, σ)$ to the TPA.

Verify

The TPA checks whether or not the following equality holds

\hat{e} (σ, w) \overset{?}{=} \hat{e} (ψ \cdot π^{μ}, g)

(2)

where $ψ = g^{\sum_{i \in Q} β_{i} \cdot H (f_{i}^{(l)})} (π = g^{ϖ})$ . If equation (1) holds, output 1; otherwise, output 0.

Deduplication

In order to save storage space, the same data block is stored only once on the CSP in our scheme. That is, the CSP stores a data block only when it receives the first upload request for this data block. For the subsequent storage request for this data block, the CSP creates an access pointer to this data block. However, some dishonest group users may deceive the CSP and attempt to obtain the stored data blocks that do not belong to them.

Assume that a group user $U'_{k}$ wants to get the file $F'$ from the CSP, and the file $F'$ has already been stored on the CSP. $U'_{k}$ claims that he previously stored the file $F'$ and requires the CSP to create a pointer of $F'$ for him/her. If the pointer of $F'$ is created, $U'_{k}$ can directly obtain the file $F'$ from the CSP. Therefore, it is important to check whether or not the group user is the owner of $F'$ .

When the user $U'_{k}$ asserts that he/she possesses the stored file $F' = {f'_{1}, f'_{2}, \dots, f'_{r}}$ , the CSP randomly chooses a d-elements set $I = {i_{1}, i_{2}, \dots, i_{d}}$ for checking, where the set $I$ refers to the logical indexes of $d$ data blocks.

Once receiving the set $I$ , the group user $U'_{k}$ makes a response with the data blocks $f'_{i_{t}}, i_{t} \in I$ as

\begin{matrix} η_{i_{t}} = ϖ \cdot {f'}_{i_{t}} mod p \\ σ_{i_{t}} = s {k'}_{i_{t}} \cdot s k^{η_{i_{t}}} \in G \end{matrix}

Then, $U'_{k}$ sends $σ_{i_{t}}$ and $π = g^{ϖ}$ to the CSP.

The CSP performs the verification operation as follows

μ' = \sum_{i_{t} \in I} β_{i_{t}} {f'}_{i_{t}} mod p, σ' = \underset{i_{t} \in I}{Π} σ_{i_{t}}^{β_{i_{t}}}

(3)

And checks whether or not the following equality holds

\hat{e} (σ', w) \overset{?}{=} \hat{e} (ψ' \cdot π^{μ'}, g)

(4)

where $ψ' = g^{\sum_{i \in I} β_{i_{t}} \cdot H ({f'}_{i_{t}})}$ .

Update

The stored data blocks will be updated when the group users compile their files. The data block owner sends the update command that includes identity information of updated data block to the CSP. Then, the CSP updates the stored data blocks: (1) if the data block to be updated is stored on the CSP for the first time, the CSP replaces the original data block and its signature with the updated data block and signature. (2) If the data block to be updated is a copy of the stored data block, the CSP adjusts the pointer of this data block to the stored data block that is identical with the updated data block. Figure 3 provides us with an example of data block update.

Figure 3.

The data block update process.

In Figure 3, we assume that the user $U_{k}$ compiles his/her first file $F^{(1)}$ , where the second and third data blocks of $F^{(1)}$ are modified. Sign the original file as $F^{(1)} = {f_{1}^{(1)}, f_{2}^{(1)}, f_{3}^{(1)}, \dots, f_{r}^{(1)}}$ and the updated file as $F^{(1)'} = {f_{1}^{(1)}, f_{2}^{(1)'}, f_{3}^{(1)'}, \dots, f_{r}^{(1)}}$ . In order to update the stored $F^{(1)}$ , $U_{k}$ sends to the CSP two update commands $U_{k} ‖ 1 ‖ 2 ‖ f_{2}^{(1)'} ‖ σ'_{12}$ and $U_{k} ‖ 1 ‖ 3 ‖ f_{3}^{(1)'} ‖ σ'_{13}$ , where $U_{k}$ denotes the file owner’s identity, 1 denotes the file location, 2 and 3 denote the data block location, $f_{2}^{(1)'}$ and $f_{3}^{(1)'}$ are the updated data blocks, and $σ'_{12}$ , $σ'_{13}$ are their signatures. Once receiving the update commands, the CSP judges that the data blocks $f_{2}^{(1)}, f_{3}^{(1)}$ are the first storage or subsequent storage. If $f_{2}^{(1)}, f_{3}^{(1)}$ are the first storage, the CSP directly replaces $f_{2}^{(1)}, f_{3}^{(1)}$ and their signatures with the updated data blocks $f_{2}^{(1)'}, f_{3}^{(1)'}$ and signatures $σ'_{12}, σ'_{13}$ . This is the first update way. If $f_{2}^{(1)}, f_{3}^{(1)}$ are the subsequent storage, we use the second update way. We assume that the original pointer of $f_{2}^{(1)}$ points to $f_{i}^{(1)}$ and the pointer of $f_{3}^{(1)}$ points to $f_{j}^{(1)}$ , and the updated data block $f_{2}^{(1)'}$ is identical with the stored data block $f_{1}^{(1)}$ and $f_{3}^{(1)'}$ is identical with $f_{r}^{(1)}$ . Therefore, the CSP adjusts the pointers of $f_{2}^{(1)'}$ and $f_{3}^{(1)'}$ from $f_{i}^{(1)}$ and $f_{j}^{(1)}$ to $f_{1}^{(1)}$ and $f_{r}^{(1)}$ , respectively. When the update operation is completed, the TPA can make a validation to guarantee that the CSP performs the update operation correctly.

Security analysis

Theorem 1

Our data integrity verification protocol and deduplication checking protocol are correct.

Proof

The correctness of integrity verification protocol

\begin{array}{l} \hat{e} (σ, w) \\ = \hat{e} (\prod_{i \in Q} {σ_{i}}^{β_{i}}, w) \\ = \hat{e} (\prod_{i \in Q} {(s k_{l i} \cdot s k^{η_{i}})}^{β_{i}}, w) \\ = \hat{e} (\prod_{i \in Q} {({(g)}^{(f_{i}^{(l)} + ϖ \cdot f_{i}^{(l)})})}^{β_{i}}, g) \\ = \hat{e} (g^{\sum_{i \in Q} β_{i} \cdot H (f_{i}^{(l)})} \cdot g^{ϖ \cdot \sum_{i \in Q} β_{i} \cdot f_{i}^{(l)}}, g) \\ = \hat{e} (ψ \cdot π^{μ}, g) \end{array}

where $ψ = g^{\sum_{i \in Q} β_{i} \cdot H ({f_{i}}^{(l)})}, π = g^{ϖ}$ .

The correctness of deduplication checking protocol

\begin{array}{l} \hat{e} (σ^{'}, w) \\ = \hat{e} (\prod_{i_{t} \in I} {σ_{i_{t}}}^{β_{i_{t}}}, w) \\ = \hat{e} (\prod_{i_{t} \in I} {(s k^{'} \cdot s k^{η_{i_{t}}})}^{β_{i_{t}}}, g^{γ}) \\ = \hat{e} (g^{\sum_{i_{t} \in I} β_{i_{t}} \cdot H ({f^{'}}_{i_{t}})} \cdot g^{ϖ \cdot \sum_{i_{t} \in I} β_{i_{t}} \cdot {f^{'}}_{i_{t}}}, g) \\ = \hat{e} (ψ^{'} \cdot π^{μ^{'}}, g) \end{array}

where $ψ' = g^{\sum_{i_{t} \in I} β_{i_{t}} \cdot H ({f'}_{i_{t}})}, π = g^{ϖ}$ .

Theorem 2

In our scheme, the response proof is unforgeable for any PPT adversary $A$ if the Computational Diffie–Hellman (CDH) problem is difficult.

Proof

Referring to Wang et al.,³⁰ the generation algorithm of secret key is a secure signature protocol. Hence, we mainly discuss security of signature scheme.

We assume that a PPT adversary $A$ who creates a subgroup set $U_{C}$ forges a signature successfully. We show that if $A$ can generate a forged proof $(μ', σ')$ for a file $F'$ which is valid, then we can find an algorithm $B$ to solve the CDH problem.

$A$ sends the subgroup users $U_{C}$ to the challenger $C$ . The challenger $C$ computes group secret key $gsk$ and group public key $gpk$ , sends $gpk$ to $A$ , and keeps $gsk$ secretly. $C$ and $A$ make the following interaction:

Query

Assume that $F$ is owned by a certain user in $U_{C}$ , the adversary $A$ queries $C$ the signature secret key of each block $f_{i}, 1 \leq i \leq r$ in $F$ . If the data block $f_{i}$ has not been queried before, the challenger $C$ performs KeyGen algorithm to obtain a secret key $s k_{i}$ for it and sends $s k_{i}$ and $sk' = g^{ϖ / γ}$ to $A$ . The adversary $A$ queries $C$ the signature $σ_{i}$ of $f_{i}$ . After running the signature generation algorithm, $C$ forwards $σ_{i}$ to $A$ . If $F$ does not belong to any users in $U_{C}$ , then $s k_{i}$ cannot be sent to $A$ .

Challenge

The challenger $C$ executes the challenge algorithm to get a vector $V = (F, Q, {β_{i}, i \in Q})$ and sends the challenge vector $V$ to the adversary $A$ . Then, $A$ responds with a proof $(μ, σ)$ and forwards the proof to $C$ . The challenger $C$ validates the proof according to equation (2).

End

The adversary $A$ forges a response proof pair $(μ', σ')$ for a file $F'$ which includes data blocks $f'_{i}, 1 \leq i \leq r$ . Assume that the file $F'$ belongs to a certain group user $U_{k}^{'} \notin U_{C}$ . If the proof pair $(μ', σ')$ is valid, we have

σ' = \underset{i \in Q}{Π} {(s k_{i} \cdot s k^{{η'}_{i}})}^{β_{i}} = s k^{\sum_{i \in Q} H ({f ″}_{i}) \cdot β_{i}} \cdot s k^{ϖ \cdot μ'}

(5)

where $f_{i}^{″} (1 \leq i \leq r)$ denotes the forged data blocks in $F'$ .

For the correct proof information $(μ, σ)$ , the following equation holds

σ = \underset{i \in Q}{Π} (s k_{i} \cdot s k^{η_{i}})^{β_{i}} = s k^{\sum_{i \in Q} H ({f'}_{i}) \cdot β_{i}} \cdot s k^{ϖ \cdot μ}

(6)

According to equations (5) and (6), we can obtain

\frac{σ'}{σ} = s k^{\sum_{i \in Q} [H ({f ″}_{i}) - H ({f'}_{i})] \cdot β_{i}} \cdot s k^{ϖ (μ' - μ)}

(7)

Since $σ$ and $σ'$ are elements in $G$ , we can find two elements $τ, τ' \in Z_{p}^{*}$ such that $σ = g^{τ}$ and $σ' = g^{τ'}$ . Then, equation (7) can be rewritten as

{(g^{τ' - τ - \frac{\sum_{i \in Q} [H ({f_{i}}^{''}) - H ({f_{i}}^{'})] \cdot β_{i}}{γ}})}^{\frac{1}{(μ' - μ)}} = s k^{ϖ}

Notice that $π = g^{ϖ}$ is a public parameter and $ϖ \in Z_{p}^{*}$ is a random element. The challenger $C$ computes $s k^{ϖ}$ according to $sk \in G$ and $π$ . Thus, the challenger solves the CDH problem.

Theorem 3

The group user $U_{k}$ cannot obtain a pointer link of $F'$ from the CSP if he/she has no file $F'$ .

Proof

Assume that a user $U_{k}$ has no file $F'$ . He/she wants to get the file $F'$ by requiring pointer link from the CSP. In order to pass the verification, he/she tries to use another file $F ″$ instead of $F'$ , where $F ″ \neq F'$ .

The CSP sends to the group user $U_{k}$ a d-element random index set $I = {i_{1}, i_{2}, \dots, i_{d}}$ of data blocks in $F'$ for challenge. The user $U_{k}$ makes a response using $F ″$ .

Computes the signature secret key of each block of $F ″$

sk ″ = g^{H ({f ″}_{i}) / γ}

Generates signature $σ_{i_{t}}^{″}$ of data block, the index of which belongs to $I$

η_{i_{t}}^{″} = ϖ \cdot f_{i_{t}}^{″}, σ_{i_{t}}^{″} = sk ″ \cdot s k^{{η ″}_{i_{t}}}

Then, $U_{k}$ sends $σ_{i_{t}}^{″}$ to the CSP who aggregates the signatures

σ' = \underset{i_{t} \in I}{Π} {σ ″}_{i_{t}}^{β_{i_{t}}}

and the stored data blocks, the indexes which belong to $I$

μ' = \sum_{i_{t} \in I} β_{i_{t}} {f'}_{i_{t}} mod p

Then, the CSP verifies the aggregation information as

\begin{matrix} \hat{e} (σ', w) = \hat{e} (\underset{i_{t} \in I}{Π} g^{\frac{H ({f ″}_{i_{t}}) \cdot β_{i_{t}} + ϖ \cdot {f ″}_{i_{t}} \cdot β_{i_{t}}}{γ}}, g^{γ}) \\ = \hat{e} (\underset{i_{t} \in I}{Π} g^{H ({f ″}_{i_{t}}) \cdot β_{i_{t}}} \cdot \underset{i_{t} \in I}{Π} g^{ϖ \cdot {f ″}_{i_{t}}^{\cdot} β_{i_{t}}}, g) \end{matrix}

If the result in equation (8) holds the verification equation, then

\hat{e} (ψ' \cdot π^{μ'}, g) = \hat{e} (g^{\sum_{i_{t} \in I} H ({f'}_{t_{t}}) \cdot β_{i_{t}}} \cdot g^{ϖ \cdot \sum_{i_{t} \in I} β_{i_{t}} \cdot {f'}_{i_{t}}}, g)

thus

\begin{matrix} \hat{e} (\underset{i_{t} \in I}{Π} g^{H ({f ″}_{i_{t}}) \cdot β_{i_{t}}} \cdot \underset{i_{t} \in I}{Π} g^{ϖ \cdot {f ″}_{i_{t}} \cdot β_{i_{t}}}, g) \\ = \hat{e} (g^{\sum_{i_{t} \in I} H ({f'}_{t_{t}}) \cdot β_{i_{t}}} \cdot g^{ϖ \cdot \sum_{i_{t} \in I} β_{i_{t}} \cdot {f'}_{i_{t}}}, g) \end{matrix}

That is

\sum_{i_{t} \in I} β_{i_{t}} \cdot [H ({f ″}_{i_{t}}) - H ({f'}_{t_{t}})] + ϖ \sum_{i_{t} \in I} β_{i_{t}} \cdot ({f ″}_{i_{t}} - {f'}_{t_{t}}) = 0

Thus, for $i_{t} \in I$ , we get

H (f_{i_{t}}^{″}) = H (f'_{i_{t}}), f_{i_{t}}^{″} = f'_{i_{t}}

Therefore, $F ″$ and $F'$ are the same files.

We have completed the proof of theorem.

Performance analysis

Numerical analysis

In order to evaluate the performance of our scheme, we first show computation efficiency in each step. Since the exponentiation operations and pairing operations in $G$ , $G_{T}$ , and $Z_{p}$ are regarded as the most time-consuming computations and the multiplication, addition, and hash operations are regarded as light time-consuming computations, we only consider the exponentiation and pairing operations in $G$ , $G_{T}$ , and $Z_{p}$ . As shown in section “System model and security goals,” our scheme includes eight algorithms: Setup, KeyGen, Sign, Challenge, Response, Verify, Deduplication, and Update. In the Challenge stage, the verifier generates two random element sets $Q$ and ${β_{i}}$ for challenge, and these operations are not considered in computation costs. Denotes EXP as the exponentiation operations in $G$ , $G_{T}$ ; Pair as the pairing operations in $G$ , $G_{T}$ ; and Mult as the multiplication operations in $G$ , $G_{T}$ .

Setup. In this stage, the group manager creates the group public key $gpk$ and secret key $gsk$ . The group secret key is a random element in $Z_{p}^{*}$ , the public group public key is $w = g^{γ}$ which needs one EXP operation, and the master key is $sk = g^{1 / γ}$ which needs one EXP operations.

KeyGen. For each file, the group manager needs one EXP to obtain the signature secret key of file. After receiving the signature secret, the group user needs two Pair operations to verify whether the secret key is correct or not.

Sign. For one data block, the user needs one Mult and one EXP operations to generate its signature. Response. Once receiving the challenge from the verifier, the CSP makes a response. He/she needs $c$ EXP operations and $c - 1$ Mult operations to get the aggregation signature.

Verify. The verifier needs one EXP, one Mult, and two Pair operations to verify whether the proof information is correct or not.

Deduplication. This process is completed by the interaction of group user and CSP. The group user needs $d$ EXP and $d$ Mult operations to make a response to the CSP. The CSP needs $(d + 1)$ EXP, $d$ Mult and two Pair operations to check whether or not the response of user is correct.

Update. The group user computes signature of updated data block and sends the updated data block and its signature to the CSP. For each updated data block, the group user needs one Mult and one EXP operations to generate its signature.

The communication costs are discussed in this section. Our scheme involves eight interactions that are shown in Figure 4. In the first interaction, the group manager sends the signature secret key and master secret key to the group user. Since the signature secret key and master secret key are elements in $G$ , the size of $G$ is $| G |$ , thus the size of the two secret keys are $2 \cdot | G |$ . In the second interaction, the group users sends to the CSP the data block and signature pairs $(f_{i}, σ_{i}), 1 \leq i \leq r$ . Hence, the communication in this stage is $r \cdot (| f | + | G |)$ , where $| f |$ is the size of each data block. In the third interaction, the verifier sends the challenge vector $C = (F_{name}^{(l)}, Q, β_{i}), i \in Q$ to the CSP. The size of vector is $| F_{name} | + c (\log r + \log p)$ , where $| F_{name} |$ is the size of file name. In the fourth interaction, the CSP makes a response for challenge and gives the response to the verifier. The size of the response $(μ, σ)$ is $\log p + | G |$ . In the fifth interaction, the group user obtains his/her file from the CSP when he/she wants to compile the file of size $| F |$ . After compiling the file, the group user sends to the CSP the modified command $U_{k} ‖ i ‖ j ‖ {f'}_{i} ‖ σ'_{i}$ of size is $| U_{k} | + \log n + \log r + | f | + | G |$ . In the seventh interaction, the CSP sends to the group user a challenge index set $I = {i_{1}, i_{2}, \dots, i_{d}}$ of size $d \cdot \log r$ . In the last interaction, the group user sends $σ_{i_{t}}$ and $π$ to the CSP for $i_{t} \in I$ . Therefore, the size of them is $(d + 1) \cdot | G |$ .

Figure 4.

The interaction of scheme.

Experimental analysis

To illustrate that the proposed scheme is efficient, we perform the experiments on a computer with Intel (R) Core (TM) i5-2400 CPU @ 3.10 GHz processor and 4 GB memory on the Win7 system and use Pairing Based Cryptography (PBC) library³³ to perform cryptographic operations in our scheme. In the following experiment, we assume that the number of file changes from 10 to 100, and each files consist of 64 data blocks. Let the size of an element of $G, G_{T}$ and $Z_{p}$ be $| p | = 160 bits$ , and the size of file name be $| F_{name} | = 30 bits$ . The size of each block is set as 2 MB, and then, the size of each file is 128 MB. All experiments are performed 50 times.

As shown in section “System model and security goals,” we just generates the group public/secret key pair with one exponentiation operation in $G$ , which consumes about 0.0618 s. We first evaluate the efficiency of secret key generation in the group manager. The evaluated results which indicate that the cost of secret key generation is proportional to the data block number are shown in Figure 5. According to the setting above, the number of data blocks changes from 640 to 6400. Because the group manager is only responsible for generating the signature secret key of single data block, the computational efficiency will be improved when there are replicas in the data blocks. We make the efficiency analysis with no replica, 20% replicas, 40% replicas, and 60% replicas in the data blocks.

Figure 5.

Secret key generation time on the data blocks.

As shown in Figure 5, when there is no replica in the data blocks, the group manager needs to compute secret key of each data block, and the cost of secret key generation is approximately linear growth with the increase in data blocks. When there are 20% replicas in the data blocks, the group manager only needs to compute the secret key of 80% data blocks, and the cost of secret key generation is also approximately linear growth with the increase in data blocks, and the growth rate is smaller than no replica. When there are 40% replicas in the data blocks, the group manager only needs to compute the secret key of 60% data blocks, and the cost of secret key generation is linear growth with the increase in data blocks, and the growth rate is smaller than 20% replicas. When there are 60% replicas in the data blocks, the group manager only needs to compute the secret key of 40% data blocks, and the cost of secret key generation is also linear growth with the increase in data blocks, and the growth rate is smaller than 40% replicas. Since the group manager is only responsible for generating the signature secret key of single data block, the computational efficiency of secret key is higher and higher with the increase in replicas.

The computational cost of signature is shown in Figure 6. Because the group users are only responsible for generating the signature of single data block, the generation efficiency will be improved when there are replicas in the data blocks. We make the efficiency analysis with no replica, 20% replicas, 40% replicas and 60% replicas in the data blocks.

Figure 6.

Signature generation time on the group users.

From Figure 6, when there is no replica in the data blocks, the group users need to compute signature of each data block, and the cost of signature is increased with the increase in data blocks. When there are 20% replicas in the data blocks, the group users only need to compute the signature of 80% data blocks, and the cost of signature is increased with the increase in data blocks, and the growth rate is smaller than no replica. When there are 40% replicas in the data blocks, the group users only need to compute the signature of 60% data blocks, and the cost of signature is also increased with the increase in data blocks and the growth rate is smaller than 20% replicas. When there are 60% replicas in the data blocks, the group users only need to compute the signature of 40% data blocks, and the cost of signature is approximately linear growth with the increase in data blocks, and the growth rate is smaller than 40% replicas. Since the group users are only responsible for generating the signature of single data block, the computational efficiency of signature is higher and higher with the increase in replicas. Thus, the deduplication can avoid additional computational cost in user side, communication cost in channel, and storage cost in CSP. Therefore, it is crucial for the group users and CSP to combine deduplication with the integrity validation scheme.

The efficiency of verification is represented in Figure 7. The number of data blocks that are chosen by the verifier changes from 400 to 4000. The batch verification and verification one by one are tested. From Figure 7, we can see that the computation cost of batch verification is constant and the computation time of verification one by one increases with the increase in verified data blocks. Although the efficiency difference of the two verification algorithms is small when the number of verified data blocks is 400, the computation time of verification one by one is about six times of the batch verification when the number of verified data blocks is 4000. In our scheme, the verifier chooses the batch verification.

Figure 7.

Verification time of verifier.

In this section, we analyze the deduplication efficiency. We show the computation cost of group users and the CSP in Figures 8 and 9, respectively. Here, we choose the number of challenged data blocks changing from 20 to 200. For the group users, they need to compute the signature for the data blocks that are challenged by the CSP. Actually, this is a signature process. Therefore, the computation efficiency of group user in this process has a similar trend with signature generation. As the challenged blocks are only a small part of the whole data blocks, the computation time of response for group users in this process is also less than signature generation. As shown in Figure 8, when the number of data blocks is 20, it is about 0.68 s to generate signatures of challenged data blocks. When the number of challenged data blocks is 200, it is about 2.68 s to generate their signatures.

Figure 8.

Signature time on the group users in deduplication.

Figure 9.

Verification time of CSP in deduplication.

In deduplication, the CSP is responsible for checking whether or not the response of group user is correct. Here, the CSP first needs to aggregate the signature sent by the group user and then proves the verification equation. Although the computation cost of verification process for the CSP is constant, the aggregation cost of signature increases with the increase in data blocks. Because the aggregation involves exponentiation and multiplication operations in $G$ , which are time-consuming processes, the computation efficiency becomes more and more low with the increase in data blocks. Especially when the number of data blocks changes from 160 to 180, the growth rate of verification time is the fastest.

In the update stage, the group user needs to compute signature of updated data block. For the group user, the computation cost mainly comes from the signature computation. Therefore, we evaluate the efficiency of update by referring signature cost and no longer make a detailed efficiency analysis.

Conclusion

In this article, we propose a data possession–checking protocol with deduplication. Our scheme is featured by a special signature secret key. Any illegal group users cannot generate a valid signature secret key. Since deduplication operations are performed by group users and group manager, additional communicational and computational costs are saved. Our scheme supports data block update and efficient deduplication, which guarantees that an illegal group user cannot obtain the file information of other valid group user. The provided security analysis and experiment evaluation show that our scheme is secure and practical for real application scenario.

Footnotes

Acknowledgements

The authors are very grateful to the editor and reviewers for their suggestions to improve the quality of paper.

Academic Editor: Luca Foschini

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National key Research and Development Program of China (2016YFB 0800903), the NSF of China (U1636212, U1636112).

References

Deng

Qin

et al . Tracing and revoking leaked credentials: accountability in leaking sensitive outsourced data. In: Proceedings of the 9th ACM symposium on information, computer and communications security (ASIA CCS ’14), Kyoto, Japan, 3–6 June 2014, pp.425–434. New York: ACM.

Ateniese

Burns

Curtmola

et al . Provable data possession at untrusted stores. In: Proceedings of the 14th ACM conference on computer and communications security (CCS ’07), Alexandria, VA, 29 October–2 November 2007, pp.598–609. New York: ACM.

Erway

Küpçü

Papamanthou

et al . Dynamic provable data possession. ACM T Inform Syst Se 2015; 17(4): 15.

Wang

Ren

et al . Enabling public auditability and data dynamics for storage security in cloud computing. IEEE T Parall Distrib 2011; 22(5): 847–859.

Ateniese

Pietro

Mancini

et al . Scalable and efficient provable data possession. In: Proceedings of the 4th international conference on security and privacy in communication networks (SecureComm ’08), Istanbul, Turkey, 22–25 September 2008, vol. 9, pp.1–10.

Ateniese

Kamara

Katz

. Proofs of storage from homomorphic identification protocols. In: Matsui

(ed.) Advances in cryptology-ASIACRYPT, vol. 5912. Heidelberg: Springer, 2009, pp.319–333.

Shacham

Waters

. Compact proofs of retrievability. J Cryptol 2013; 26(3): 442–483.

Juels

Kaliski

Jr . PORs: proof of retrievability for large files. In: Proceedings of the 14th ACM conference on computer and communications security (CCS ’07), Alexandria, VA, 29 October–2 November 2007, pp.584–597. New York: ACM.

Dodis

Vadhan

Wichs

. Proofs of retrievability via hardness amplification. In: Proceedings of the 6th theory of cryptography conference on theory of cryptography (TCC ’09), San Francisco, CA, 15–17 March 2009, pp.109–127. Berlin, Heidelberg: Springer.

10.

Zheng

. Fair and dynamic proofs of retrievability. In: Proceedings of the first ACM conference on data and application security and privacy (CODASPY’11), San Antonio, TX, 21–23 February 2011, pp.237–248. New York: ACM.

11.

Bowers

Juels

Oprea

. Proofs of retrievability: theory and implementation. In: Proceedings of the 2009 ACM workshop on cloud computing security (CCSW’09), Chicago, IL, 13 November 2009, pp.43–54. New York: ACM.

12.

Harnik

Pinkas

Shulman-Peleg

. Side channels in cloud services: deduplication in cloud storage. IEEE Secur Priv 2010; 8(6): 40–47.

13.

Dave

. Data deduplication will be even bigger in 2010. Stamford, CT: Gartner, 2010.

14.

Erway

Kupcu

Papamanthou

et al . Dynamic provable data possession. In: Proceedings of the CCS, Chicago, IL, 9–13 November 2009, pp.213–222. New York: ACM.

15.

Wang

. Proxy provable data possession in public cloud. IEEE T Serv Comput 2013; 6(4): 551–559.

16.

Zhu

Ahn

et al . Cooperative provable data possession for integrity verification in multicloud storage. IEEE T Parall Distrib 2012; 23(12): 2231–2244.

17.

Shacham

Waters

. Compact proofs of retrievability. Proc ASIACRYPT 2008; 5350: 90–107.

18.

Wang

Ren

et al . Privacy-preserving public auditing for data dynamics for storage security in cloud computing. In: Proceedings of the IEEE INFOCOM, San Diego, CA, 15–19 March 2010, pp.1–9. New York: IEEE.

19.

Wang

Ren

et al . Toward secure and dependable storage services in cloud computing. IEEE T Serv Comput 2012; 5(2): 220–232.

20.

Zhu

Ahn

et al . Dynamic audit services for outsourced storages in clouds. IEEE T Serv Comput 2011; 6(2): 227–238.

21.

Chang

. Towards efficient proofs of retrievability. In: Proceedings of the 7th ACM symposium on information, computer and communications security (ASIACCS’12), Seoul, Korea, 2–4 May 2012, pp.79–80. New York: ACM.

22.

Kate

Zaverucha

Goldberg

. Constant-size commitments to polynomials and their applications. In: Abe

(ed.) Advances in cryptology-ASIACRYPT, vol. 6477. Heidelberg: Springer, 2010, pp.177–194.

23.

Zheng

. Secure and efficient proof of storage with deduplication. In: Proceedings of the second ACM conference on data and application security and privacy (CODASPY ’12), San Antonio, TX, 7–9 February 2012, pp.1–12. New York: ACM.

24.

Wee

Wen

Zhu

. Private data deduplication protocols in cloud storage. In: Proceedings of the SAC’12, Trento, 26–30 March 2012, pp.441–446. New York: ACM.

25.

Halevi

Harnik

Pinkas

et al . Proof of ownership in remote storage systems. IACR, 2011, https://eprint.iacr.org/2011/207

26.

Yang

Ren

. Provable ownership of file in de-duplication cloud storage. In: Proceedings of the global communications conference, January 2014, vol. 8, pp.2457–2468. IEEE.

27.

Chen

Xhafa

et al . Secure deduplication storage systems supporting keyword search. J Comput Syst Sci 2015; 81(8): 1532–1541.

28.

Miao

Wang

et al . Secure multi-server-aided data deduplication in cloud computing. Pervasive Mob Comput 2015; 24: 129–137.

29.

Yuan

. Secure and constant cost public cloud storage auditing with deduplication, http://eprint.iacr.org/2013/149

30.

Wang

Qin

et al . Group-oriented proofs of storage. In: Proceedings of the ASIA CCS ’15, Singapore, 14–17 April 2015, pp.73–84. New York: ACM.

31.

Boneh

Boyen

. Short signatures without random oracles. In: Proceedings of annual international conference on the theory and applications of cryptographic techniques (EUROCRYPT’04), Interlaken, 2–6 May 2004, pp.56–73. Berlin: Springer.

32.

Gennaro

Halevi

Rabin

. Secure hash-and sign signature without the random oracle. In: Stern

(ed.) Advances in cryptology-EUROCYPT ’99, vol. 1592. Heidelberg: Springer, 1999, pp.123–139.

33.

Pairing Based Cryptography (PBC) library, 2014, http://crypto.stanford.edu/pbc/

Efficient data possession–checking protocol with deduplication in cloud

Abstract

Keywords

Introduction

Related work

Contributions

Organizations

Preliminary

Preliminary and notation

Definition 1. Computational Diffie–Hellman assumption 30

Definition 2. Homomorphic verifiability 30

Definition 3. Homomorphic composability 30

System model and security goals

System model

Security goals

Our scheme

Setup

KeyGen

Sign

Challenge

Response

Verify

Deduplication

Update

Security analysis

Theorem 1

Proof

Theorem 2

Proof

Theorem 3

Proof

Performance analysis

Numerical analysis

Experimental analysis

Conclusion

Footnotes

Acknowledgements

Declaration of conflicting interests

Funding

References

Definition 1. Computational Diffie–Hellman assumption³⁰

Definition 2. Homomorphic verifiability³⁰

Definition 3. Homomorphic composability³⁰