Sage Journals: Discover world-class research

Abstract

With the continuous and rapid development of cloud computing, it becomes more popular for users to outsource large-scale data files to cloud servers for storage and computation. However, data outsourcing brings convenience to users while it also causes certain security problems. The integrity of outsourced data needs to be periodically checked by users to protect their data. Also, the secure transfer of cloud data can avoid data losses to users. Aiming at solving these problems in the data outsourcing process, a provable data transfer scheme based on provable data possession and deletion is recently proposed by Xue et al. However, we found a security flaw in Xue et al.’s scheme. Concretely, the block tags can be forged in their scheme. In this article, we first give a brief review of Xue et al.’s scheme and then a detailed attack is shown. To remove the security flaw, an improved scheme is proposed. Furthermore, we replace the integrity checking protocol of their proposal with a more efficient protocol to improve the efficiency of data integrity auditing.

Keywords

Cloud storage data outsourcing data deletion data integrity auditing data transfer

Introduction

Cloud computing, big data, and information security, as important means of information technology development, bear all aspects of social development today. Cloud computing has achieved blowout-like development since it was proposed in 2006 with its service mode and high performance in line with the needs of the times. It can be foreseen that in the next decade or more, cloud computing will be jointly moved as the core force of information technology and industry. Mobile Internet, Internet of things, artificial intelligence, and other technologies drive the information transformation of traditional industries, and promote the society to enter a more convenient and secure era.¹ Nowadays, the new normal of Internet is characterized by the exponential growth of business caused by decentralized users but instantaneous aggregation. Cloud computing solves the technical problem of flexible computing through distributed computing and distributed storage. With cloud computing coming out of the cloud and becoming a new Internet service accessible to everyone, the cloud computing industry has entered a large-scale commercial era.

The rapid development of cloud technology has greatly facilitated people’s lives.² People can use cloud to calculate and store efficiently and conveniently. The relationship between cloud and people’s daily life is more and more inseparable. More and more data need to be stored. Cloud disks with convenient storage and large capacity become the only choice for most people. However, the generation of massive data has brought great burden to users’ storage and computing. Therefore, designing a more simplified and efficient auditable cloud data transfer protocol can promote the application and development of cloud more effectively.

Cloud servers have emerged as the times require. They can provide secure, reliable, and efficient storage and computing services with flexible processing capabilities. Their management methods are simpler and more efficient than those of physical servers. Users only need to buy or rent storage and computing services from cloud servers and do not have to buy expensive hardware or software, which greatly reduces their own economic burden.³ Data outsourcing brings convenience to users, but it also brings some trust problems.⁴ The integrity and availability of data are challenged tremendously.⁵ For the reason that users lose control of data after data outsourcing, data security auditing becomes particularly important.^6,7

In real life, users need to periodically audit the outsourced data to protect their integrity. Using traditional methods, users need to download all the audited data, which brings huge communication cost and also causes huge storage burden to users locally. The idea to solve this problem is a provable data possession (PDP) protocol:^8–13 users no longer need to download the audited data, instead they just need to send an integrity auditing request to the cloud. The cloud generates an integrity proof according to the request and returns the proof to the user. Users can complete the auditing task by verifying proofs. Many improved PDP protocols^13,14 have been proposed to prove the integrity of outsourced data.

In addition, the services of different cloud storage providers are different, such as price, access speed, security, and reliability. Based on these different considerations, users may choose different cloud service providers to minimize costs and obtain high-quality services. Besides, different users may need to share data to complete a collaborative task. In fact, the secure transfer of data between private, public, and hybrid clouds can help enterprises to speed up cloud access, improve enterprise efficiency and productivity, reduce costs, and enable enterprises to enjoy the benefits of a multi-cloud environment without sacrificing performance. All these realistic requirements make the safe and effective transfer of outsourced data between two different cloud servers unavoidable. A secure transfer mechanism is needed urgently in this field. A brief description of the provable data transfer (PDT) protocol^15,16 is as follows: the user sends a data transfer query to a cloud server, the cloud server executes the transfer query, and then, sends transferred data to the targeted cloud server. The targeted cloud server verifies the integrity of transferred data. If the validation passes, the transferred data will be stored locally and the message of successful data transfer will be informed to the user. Otherwise, the targeted cloud server refuses to store data and informs the user.

Besides, when outsourced data are transferred from one semi-trusted cloud to another semi-trusted cloud, users also need to check whether the cloud has deleted the complete transferred data. If the malicious cloud retains a copy of the transferred data, users’ privacy will be directly threatened. Therefore, the malicious cloud server may not delete the data as requested for some hidden economic benefits, the privacy-preserving of users will be challenged directly.¹⁷ Behind the nude picture scandal is actually the information security. Stars had deleted their photos, but the malicious cloud retained a copy of the transferred data, which led to the occurrence of the event. So, how can we ensure that cloud servers have deleted the data securely and completely? The idea to solve this problem is a provable data deletion (PDD) protocol:¹⁸ users send a deletion verification query to the cloud which is responsible for deleting data. If the cloud does not delete the data as required, the generated proof will not pass the verification of users. Xue et al.¹⁹ combine these three protocols together for the first time and propose a new type of data tracking auditing scheme, which guarantees the security of outsourced data in the whole life cycle and fosters the development of secure cloud storage.

The bad thing is that there exists a security flaw in their scheme. Concretely, the corresponding tag of the tampered block m_i is insecure, and the malicious cloud server can forge a tag easily. In this article, the flaw is pointed out. As learning the work of Chen et al.,²⁰ we propose another data integrity auditing protocol that is more efficient and secure compared to existing approaches, and we integrate their protocol and replace the integrity checking module of Xue et al.¹⁹ with it.

In this article, we learn from the idea of zero-knowledge proof (ZKP) and design an auditing scheme based on classical string alignment. ZKP was proposed by Goldwasser et al.²¹ in the early 1980s. It means that the tester can convince the tester that an assertion is correct without providing any useful information to the tester. It is pointed out that with the application of block chain, ZKP develops rapidly.^22,23 In that article, Yu et al.²⁴ introduced a privacy protection audit scheme based on ZKP. In his scheme, the cloud server can provide corresponding proof to make third-party auditor (TPA) believe that the data in the cloud server is complete, but it does not provide any information about data and signature.

Finally, with i7-6700hq CPU and 8GB RAM, we install Java Development Kit (JDK) and configure the related java virtual machine environment under Windows Operating System 10. The experiment is carried out in this setting following Chen et al.’s²⁰ work. From the experimental results, the delay of audit verification process and the additional communication cost is within the acceptable range of users. The results of audit and data transfer are in line with the expected objectives of the experiment, and the design meets the actual needs.

Organization

The rest of the article consists of the following parts. We give a review of their system model in section “Xue et al.’s system model,” and a brief description of their scheme is introduced in section “The construction of Xue et al.” In section “Our attack,” we demonstrate a detailed attack which shows that their scheme is insecure. In section “Our improved scheme I,” an improved scheme is given. The alternative auditing protocol and performance analysis are introduced in sections “Another alternative auditing scheme II” and “Performance analysis,” respectively. In section “Security analysis,” we give a security analysis of our new scheme. In the last part, we summarize the article.

Xue et al. ’s system model

The system model consists of the following four entities: Cloud A, Cloud B, users, and the TPA, as shown in Figure 1:

Cloud A or Cloud B: it provides data storage and computation services for users, and users can outsource their data to reduce their own burden.

User: there are many large-scale data files for them to store and compute.

TPA: it is believed by users and is in charge of verifying the outsourced data on behalf of users to reduce their burden further.

Figure 1.

The system model.

Users can outsource their data to a cloud server for the services of storage and computation. Here, we assume that it is Cloud A. The user uploads his data files to Cloud A. When the user wants to change the storage location of outsourced data to Cloud B, Cloud B can send a transfer query to Cloud A. Then, Cloud A executes the transfer query, sends the transferred data to Cloud B, and deletes these data locally. To reduce the burden of users further, TPA is chosen to perform these tasks on behalf of them. Some tasks (such as data transfer, the verification of data integrity, and data deletion) can be executed by TPA. By verifying the returned result proof, TPA can complete the task authorized by the user.

The construction of Xue et al

Based on the PDP thought with Ranked Merkle Hash Tree (RMHT) (Figure 2) of Yu et al.¹⁶ and Yuan and Yu,²⁵ Xue et al. constructed a provable secure data tracking auditing scheme. The detailed structure is introduced as follows.

Figure 2.

Rank-based Merkle hash tree.

Two multiplicative cyclic groups G and $G_{T}$ with an order q (a large prime) are chosen by the user, the generator of G is g and u is a random value of G. A hash function $H_{1} : {0, 1}^{*} \to Z_{q}^{*}$ is used to construct Rank-based Merkle hash tree. $H_{2} : {0, 1}^{*} \to Z_{q}^{*}$ is a hash function used to encrypt data blocks. $e : G \times G \to G_{T}$ is a bilinear map. The public parameters $(G, G_{T}, g, q, f_{\vec{a} (x)}, H_{1}, H_{2}, e)$ can be got. Their scheme mainly contains five processes: KeyGen, Store, Transfer, DeletCheck, and IntegCheck (Figures 3 –7). As our attack mainly lies in the position of block tag generation in the process of Store, this process will be described in detail while other phases briefly. The detailed introductions can be found in the scheme of Xue et al.¹⁹

Figure 3.

KeyGen process.

Figure 4.

Store process.

Figure 5.

DeletCheck process.

Figure 6.

IntegCheck process.

Figure 7.

Transfer process.

Our attack

For each file block $m_{i}$ , the user computes a block tag

σ_{i} = {(u^{H_{1} (fname)} \cdot Π_{j = 0}^{s - 1} g^{m_{ij} α^{j + 2}})}^{β}

(1)

Let $A = u^{β}$ , $B_{0} = g^{α^{2} β}$ , $B_{1} = g^{α^{3} β}$ , and $B_{2} = g^{α^{4} β}, \dots, B_{s - 1} = g^{α^{s + 1} β}$ , then equation (1) is converted to the following equation (2)

σ_{i} = A^{H_{1} (fname)} \cdot Π_{j = 0}^{s - 1} B_{j}^{m_{ij}} (1 \leq i \leq n)

(2)

After knowing some block tags equations as mentioned above, $A, B_{0}, B_{1}, B_{2}, \dots, B_{s - 1}$ can be computed using some mathematics operations. To express our attack process more clearly, we give a simple example. Supposing that there is a file F which is split into three blocks and every block consists of two sectors $m_{ij} (1 \leq i \leq 3, 0 \leq j \leq 2)$ , the corresponding block tag $σ_{i} (1 \leq i \leq 3)$ can be computed as follows

σ_{1} = (u^{H_{1} (fname)} \cdot g^{m_{10} α^{2}} \cdot g^{m_{11} α^{3}})^{β}

(3)

σ_{2} = (u^{H_{1} (fname)} \cdot g^{m_{20} α^{2}} \cdot g^{m_{21} α^{3}})^{β}

(4)

σ_{3} = (u^{H_{1} (fname)} \cdot g^{m_{30} α^{2}} \cdot g^{m_{31} α^{3}})^{β}

(5)

Let $A = u^{β}$ , $B_{0} = g^{α^{2} β}$ , and $B_{1} = g^{α^{3} β}$ , then the malicious cloud can get

σ_{1} = A^{H_{1} (fname)} \cdot B_{0}^{m_{10}} \cdot B_{1}^{m_{11}}

(6)

σ_{2} = A^{H_{1} (fname)} \cdot B_{0}^{m_{20}} \cdot B_{1}^{m_{21}}

(7)

σ_{3} = A^{H_{1} (fname)} \cdot B_{0}^{m_{30}} \cdot B_{1}^{m_{31}}

(8)

Because he knows the values of $σ_{i} (1 \leq i \leq 3)$ , $m_{ij} (1 \leq i \leq 3, 0 \leq j \leq 2)$ , and $H_{1} (fname)$ , equations (9) and (10) can be obtained

\frac{σ_{1}}{σ_{2}} = B_{0}^{m_{10} - m_{20}} \cdot B_{1}^{m_{11} - m_{21}}

(9)

\frac{σ_{2}}{σ_{3}} = B_{0}^{m_{20} - m_{30}} \cdot B_{1}^{m_{21} - m_{31}}

(10)

Next, it computes

\begin{matrix} C = {(\frac{σ_{1}}{σ_{2}})}^{m_{20} - m_{30}} \\ = B_{0}^{(m_{10} - m_{20}) \cdot (m_{20} - m_{30})} \cdot B_{1}^{(m_{11} - m_{21}) \cdot (m_{20} - m_{30})} \end{matrix}

(11)

\begin{matrix} D = {(\frac{σ_{2}}{σ_{3}})}^{m_{10} - m_{20}} \\ = B_{0}^{(m_{20} - m_{30}) \cdot (m_{10} - m_{20})} \cdot B_{1}^{(m_{21} - m_{31}) \cdot (m_{10} - m_{20})} \end{matrix}

(12)

Let $x = (m_{11} - m_{21}) \cdot (m_{20} - m_{30})$ and $y = (m_{21} - m_{31}) \cdot (m_{10} - m_{20})$ , then he can compute

E = \frac{C}{D} = B_{1}^{x - y} mod q

(13)

thus

B_{1} = E^{{(x - y)}^{- 1}} mod (q - 1)

(14)

The value of $B_{0}$ can be computed by the malicious cloud easily through the same method. Once $B_{0}$ and $B_{1}$ are known, it is easy to compute A. According to the above attack method, the malicious cloud can forge arbitrary block $m_{i}$ and the corresponding block tag, TPA and users will be deceived.

Our improved scheme I

An improved scheme is introduced by us to make up for the security flaw of their scheme; G and $G_{T}$ with a composite order $N = pq$ (the length is $λ$ bits) are two multiplicative cyclic groups; and p and q are two large primes. Like the RSA encryption scheme, it is difficult to factor N to be p and q. A hash function $H_{1} : {0, 1}^{*} \to Z_{N}^{*}$ is chosen to construct the Rank-based Merkle hash tree, and another hash function $H_{2} : {0, 1}^{*} \to Z_{N}^{*}$ is used to encrypt data. Other constructions are identical to their original scheme.

Given that N is difficult to factor, the value of its Euler function $ϕ (N) = (p - 1) (q - 1)$ is also difficult to compute. Equation (14) will be replaced with equation (15)

B_{1} = E^{{(x - y)}^{- 1}} mod ϕ (N)

(15)

According to equation (15), it is difficult for the adversary to compute $B_{1}$ . Although the value of N is public, $ϕ (N)$ is difficult to be computed. Therefore, the attack which we have introduced is ineffective for our improved scheme. The security flaw of their scheme is compensated well.

Another alternative auditing scheme II

First, let’s review the classic string equality checking protocol:^26,27 the purpose of this protocol is to determine whether the string $x \in {0, 1}^{n}$ of Alice is equal to the string $y \in {0, 1}^{n}$ owned by Bob. Its communication overhead is $O (\log n)$ . Supposing that there is public random string pool $S \subseteq {0, 1}^{n}$ , the detail work process is as follows:

Alice chooses a string $s \in S$ randomly and then sends S and $< x, s > mod 2$ to Bob;

Bob computes $< y, s > mod 2$ and compares the result with $< x, s > mod 2$ . If they are not equal, Bob tells Alice; otherwise, the protocol continues;

This process is repeated by Alice and Bob 100 times. If $< x, s > = < y, s >$ is always equal, Bob tells Alice that the two strings are equal and the protocol terminates.

The theory of this protocol is as follows: if $x = y$ holds, the equation $< x, s > = < y, s >$ will always be true. If $x \neq y$ , then in 1 cycle: $\underset{s}{\Pr} [< x, s > mod 2 =$ $< y, s > mod 2] = 1 / 2$ ; after 100 cycles, the probability of $< x, s > = < y, s >$ always holding is $1 / 2^{100}$ , so $1 / 2^{100}$ is the error probability of this protocol, which can be ignored basically.

Let Alice simulate the user and Bob simulate the cloud server, the following improvements of the above protocol are made to replace the integrity checking module of Xue et al.:¹⁹

Two integers $g, r \in Z_{p}^{*}$ are selected by the user, g is a generator of the group $Z_{p}^{*}$ .

The user chooses a $λ$ bits key $K_{1}$ for the pseudorandom function $F_{K_{1}} (\cdot)$ with inputting domain integers and outputting image $Z_{p}^{*}$ . And, $(r, K_{1})$ is the secret of the user, and $(p, g)$ is its public key.

The workspace ${0, 1}^{n}$ is alternative with $Z_{p}^{n}$ .

A random string pool $S \subseteq {0, 1}^{n}$ is alternative with the pseudorandom function $F_{K_{1}} (\cdot)$ to reduce communication overhead. The user authorizes TPA to help complete the data audit task to reduce the computational burden.

TPA can use randomized auditing mode to audit the integrity of partial data stored on the cloud, the indexes ${i_{1}, i_{2}, \dots, i_{L}}$ of audited blocks and a random index $(e_{i_{1}}, e_{i_{2}}, \dots, e_{i_{L}})$ are chosen by TPA from ${1, 2, \dots, n}$ and $Z_{N}^{L}$ , the integrity auditing query is $χ = {{i_{1}, i_{2}, \dots, i_{L}}, (e_{i_{1}}, e_{i_{2}}, \dots, e_{i_{L}})}$ . When the whole data file needs to be audited, TPA generates a new secret key ( $λ$ bits) for the pseudorandom function $F_{K_{2}} (\cdot)$ and sends $K_{2}$ to the cloud. The integrity auditing query is $χ = K_{2}$ . There are two different ways for the cloud server to generate proofs for the above two different auditing modes. For the mode of partial data auditing, the cloud server performs the following calculations to generate proof $(α, β)$

α = \sum_{j = 1}^{L} m_{i_{j}} \cdot e_{i_{j}} mod (p - 1)

(16)

β = Π_{j = 1}^{L} S_{i_{j}}^{e_{i_{j}}} mod p

(17)

Then, the cloud returns the integrity proof to TPA, TPA can know the integrity of the audited data by verifying equation (18) or (19)

β = g^{r α + \sum_{j = 1}^{L} e_{i_{j}} \cdot F_{K_{1}} (i_{j})}

(18)

β = g^{r α + \sum_{i} e_{i} \cdot F_{K_{1}} (i)}

(19)

If the equation holds, return 1(true) to TPA; otherwise, return 0 (false). Finally, TPA tells the auditing result to the user (Figure 8).

Figure 8.

The alternative auditing scheme (protocol) II.

Performance analysis

In the improved scheme I, the order of groups G and $G_{T}$ is replaced with the composite order $N = pq$ , and $Z_{p}^{*}$ is converted to $Z_{N}^{*}$ . First, we analyze the performance difference in the process of KeyGen, Store, and Transfer (as shown in Tables 1 –3). In our analysis, other operations will be ignored for the reason that the performance difference between Xue et al.¹⁹ scheme and our improved scheme mainly lies in modulo operations. It can be clearly seen that our improved protocol is higher than original protocol in the aspect of computation complexity. And, the efficiency comparison of IntegCheck will be shown later because the module of IntegCheck is alternative with a new auditing protocol.

Table 1.

Computation complexity of KeyGen.

	Modular multiplication operation	Modular exponentiation operation
Xue et al.	1 (mod p)	(2s + 1)mod p
Our improved scheme I	1 (mod N)	(2s + 1)mod N

Table 2.

Computation complexity of Store.

	Modular multiplication operation	Modular exponentiation operation
Xue et al.	sn (mod p)	(sn + 2n) (mod p)
Our improved scheme I	sn (mod N)	(sn + 2n) (mod N)

Table 3.

Computation complexity of Transfer.

	Modular multiplication operation	Modular exponentiation operation	Bilinear pairing operation
Xue et al.	(n* + s–1) (mod p)	(s + 1) (mod p)	2 (mod p)
Our improved scheme I	(n* + s–1) (mod N)	(s + 1) (mod N)	2 (mod N)

Now, we assume that p and q are 512 bits, and N is 1024 bits. The communication complexity increases obviously in comparison with their scheme. Our improved scheme is slower in the aspect of efficiency, but it can resist the attack that we have proposed. Besides, our improved scheme is compatible with the classic RSA cryptosystem. In the module of IntegCheck, we replace the original protocol of Xue et al. with a new auditing protocol. The alternative auditing protocol II which we have introduced in section “Another alternative auditing scheme II” only uses modular multiplication and modular exponential operations, and the complex operations (such as bilinear mapping) do not appear, so it is simpler conceptually and more efficient. The computational cost of the original protocol and alternative scheme II is shown in Figures 9 and 10, respectively. The comparison of computation complexity is presented in Table 4.

Figure 9.

Computation complexity of the original protocol.

Figure 10.

Computation complexity of the alternative scheme II.

Table 4.

Comparison of computation complexity.

	Modular multiplication operation	Modular exponentiation operation	Bilinear pairing operation
Original protocol	(2s + 4) (mod p)	(3s + 1) (mod p)	4
Alternative scheme II	3L (mod p)/3n (mod p)	(L + 1) (mod p)/ (n + 1) (mod p)	0

We evaluate the effectiveness of the alternative auditing scheme II using java and give its time running figures to express it intuitively, including the processes of key generation, outsourcing, auditing, certification, verification, and total running time (unit: ms). As can be seen from Figures 11 –16, the time consumption of the software is mainly in the file outsourcing or file upload process, but the file can be audited multiple times after one upload, so the alternative protocol is practical.

Figure 11.

Audit time.

Figure 12.

Prove time.

Figure 13.

KeyGen time.

Figure 14.

Verifying time.

Figure 15.

Outsouring time.

Figure 16.

Total running time.

Security analysis

In this section, we mainly prove the security of the alternative auditing protocol because the security of other modules had been proved in the article of Xue et al. and the security flaw has been made up by us. For our alternative auditing protocol, the error probability of the alternative auditing protocol is $1 / 2^{100}$ , which can be ignored basically; if the data stored on the cloud is compromised, the cloud server will not be able to generate a fake proof to trick users. Next, we will prove this conclusion through two steps:

Step 1: when the data stored on the cloud is compromised, the cloud server cannot cheat the user with a non-negligible probability. First, if a true random function is used in our protocol, let $\Pr [Unbound]$ be the probability that a cloud server successfully cheats the user. According to the linear algebra theory, $\Pr [Unbound] = negl (λ)$ Then, we use a pseudorandom function in the original protocol. For the reason that the malicious cloud server has the probability of distinguishing the pseudorandom functions and the true random functions, $Adv [PRF] \geq \Pr [Cheat] - \Pr [Unbound]$ . Furthermore, $\Pr [Cheat] \leq Adv [PRF] + \Pr [Unbound]$ .

Step 2: we show that if $\Pr [Cheat]$ is not negligible, the user can reconstruct the data with the probability of $\Pr [Recover] = 1 - negl (λ)$ ; the basic idea is that the user can obtain the linear equations of the inner product of the outsourced data and the challenge vectors and then solves the equations to obtain the outsourced data. The early cloud storage proof processes also have some similar processing methods.

Conclusion

In this article, we first point out a security flaw in Xue et al.’s scheme. To optimize their scheme, an improved scheme is proposed for secure cloud storage; the security analysis shows that our improved scheme is more secure and can resist the attack which we have present. Besides, we propose a alternative protocol to improve the integrity auditing efficiency of their scheme. The performance analysis shows that our alternative protocol is more efficient and likely to be applied in cloud systems.

Footnotes

Acknowledgements

This paper is an extended work of a conference paper²⁸ with significant extension including new proposal, new security analysis, and performance analysis. The authors thank Xiaoshuang Luo, Liqun Lv, and Zhenlin Li’s help on this paper.

Handling Editor: José Camacho

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Cryptography Development Fund of China (grant no. MMJJ20170112), Natural Science Basic Research Plan in Shaanxi Province of China (grant no. 2018JM6028), National Natural Science Foundation of China (grant nos 61772550, U1636114, and 61572521), and National Key Research and Development Program of China (grant no. 2017YFB08 02000). This work is also supported by Engineering University of PAP’s Funding for Scientific Research Innovation Team (grant no. KYTD201805).

ORCID iD

Xu An Wang

References

Sangaiah

Medhane

Han

et al . Enforcing position-based confidentiality with machine learning paradigm through mobile edge computing in real-time industrial informatics. IEEE T Ind Inform. Epub ahead of print 8 February 2019. DOI: 10.1109/TII.2019. 2898174.

Esposito

Ficco

Palmieri

et al . Smart cloud storage service selection based on fuzzy logic, theory of evidence and game theory. IEEE T Comput 2016; 65(8): 2348–2362.

Liu

Sun

Quan

et al . Publicly verifiable inner product evaluation over outsourced data streams under multiple keys. IEEE T Serv Comput 2017; 10(5): 826–838.

Sun

Liu

Lou

et al . Catch you if you lie to me: efficient verifiable conjunctive keyword search over large dynamic encrypted cloud data. In: Proceedings of the conference on computer communications, Kowloon, Hong Kong, 26 April–1 May 2015, pp.2110–2118. New York: IEEE.

Liu

Zhang

Wang

et al . Mona: secure multi-owner data sharing for dynamic groups in the cloud. IEEE T Parall Distr Syst 2013; 24(6): 1182–1191.

Liu

Huang

Rong

et al . Privacy-preserving public auditing for regenerating-code-based cloud storage. IEEE T Inform Foren Secur 2015; 10(7): 1513–1528.

Xiang

Chen

et al . Achieving verifiable, dynamic and efficient auditing for outsourced database in cloud. J Parall Distr Comput 2018; 112: 97–107.

Deswarte

Quisquater

Saïdane

Remote integrity checking. In: Jajodia

Strous

(eds) Integrity and internal control in information systems VI (IICIS 2003: IFIP International Federation for Information Processing), Vol. 140. Boston, MA: Springer, 2004, pp.1–11.

Ateniese

Burns

Curtmola

et al . Provable data possession at untrusted stores. In: Proceedings of the 14th conference on computer and communications security, Alexandria, VA, 2007, pp.598–609. New York: ACM, https://dl.acm.org/citation.cfm?doid=1315245.1315318

10.

Shacham

Waters

. Compact proofs of retrievability. In: Pieprzyk

(ed.) Advances in cryptology—ASIACRYPT 2008. Berlin: Springer, 2008, pp.90–107.

11.

Zhang

Wang

et al . Improved secure fuzzy auditing protocol for cloud data storage. Soft Comput 2018, https://doi.org/10.1007/s00500-017-3000-1

12.

Wang

Liu

Zhang

et al . Improved group-oriented proofs of cloud storage in IoT setting. Concurr Comput Pract Exp 2018; 30(21), https://onlinelibrary.wiley.com/doi/abs/10.1002/cpe.4781

13.

Wang

Ren

Lou

et al . Toward publicly auditable secure cloud data storage services. IEEE Netw 2010; 24(4): 19–24.

14.

Zhu

Wang

et al . Secure collaborative integrity verification for hybrid cloud environments. Int J Cooper Inform Syst 2012; 21(3): 165–197.

15.

Han

Susilo

et al . Attribute-based data transfer with filtering scheme in cloud computing. Comput J 2014; 57(4): 579–591.

16.

et al . Provable data possession supporting secure data transfer for cloud storage. In: Proceedings of the 10th international conference on broadband and wireless computing, communication and applications, Krakow, 4–6 November 2015, pp.38–42. New York: IEEE.

17.

Zhu

Ahn

et al . Cooperative provable data possession for integrity verification in multicloud storage. IEEE T Parall Distr Syst 2012; 23(12): 2231–2244.

18.

Klonowski

Przykucki

Strumiński

Data deletion with provable security. In: Chung

Sohn

Yung

(eds) Information security applications. Berlin: Springer, 2009, pp.240–255.

19.

Xue

et al . Provable data transfer from provable data possession and deletion in cloud storage. Comput Stand Interf 2017; 54: 46–54.

20.

Chen

Xiang

Yang

et al . Secure cloud storage hits distributed string equality checking: more efficient, conceptually simpler, and provably secure. In: Proceedings of the conference on computer communications, Kowloon, Hong Kong, 26 April–1 May 2015, pp.2389–2397. New York: IEEE.

21.

Goldwasser

Micali

Rackoff

. The knowledge complexity of interactive proof-systems. In: Proceedings of the 17th annual symposium on theory of computing, Providence, RI, 6–8 May 1985, pp.291–304. New York: ACM.

22.

Zheng

Chiesa

et al . DIZK: a distributed zero knowledge proof system. In: Proceedings of the 27th USENIX conference on security symposium, Baltimore, MD, 15–17 August 2018, pp.675–692. Berkeley, CA: USENIX Association.

23.

Sasson

Chiesa

Garman

et al . Zerocash: decentralized anonymous payments from Bitcoin. In: Proceedings of the symposium on security and privacy, San Jose, CA, 18–21 May 2014, pp.459–474. New York: IEEE.

24.

Ateniese

et al . Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage. IEEE T Inform Foren Secur 2017; 12(4): 767–778.

25.

Yuan

Secure and constant cost public cloud storage auditing with deduplication. In: Proceedings of the conference on communications and network security, National Harbor, MD, 14–16 October 2013, pp.145–153. New York: IEEE.

26.

Yao

ACC

. Some complexity questions related to distributive computing (preliminary report). In: Proceedings of the 11th annual symposium on theory of computing, Atlanta, GA, 30 April–2 May 1979, pp.209–213. New York: ACM.

27.

Schmid

ML.

Computing equality-free string factorisations. In: Beckmann

Mitrana

Soskova

(eds) Evolving computability. Cham: Springer International Publishing, 2015, pp.313–323.

28.

Liu

Wang

Cao

et al . Improved provable data transfer from provable data possession and deletion in cloud storage. In: Advances in intelligent networking and collaborative systems: the 10th international conference on intelligent networking and collaborative systems (eds Xhafa

Barolli

Greguš

), Bratislava, 5–7 September 2018, pp.445–452. Cham: Springer.

New provable data transfer from provable data possession and deletion for secure cloud storage

Abstract

Keywords

Introduction

Organization

Xue et al. ’s system model

The construction of Xue et al

Our attack

Our improved scheme I

Another alternative auditing scheme II

Performance analysis

Security analysis

Conclusion

Footnotes

Acknowledgements

Declaration of conflicting interests

Funding

ORCID iD

References