Sage Journals: Discover world-class research

Abstract

With the rapid development of cloud storage, more and more resource-constraint data owners can employ cloud storage services to reduce the heavy local storage overhead. However, the local data owners lose the direct control over their data, and all the operations over the outsourced data, such as data transfer and deletion, will be executed by the remote cloud server. As a result, the data transfer and deletion have become two security issues because the selfish remote cloud server might not honestly execute these operations for economic benefits. In this article, we design a scheme that aims to make the data transfer and the transferred data deletion operations more transparent and publicly verifiable. Our proposed scheme is based on vector commitment (VC), which is used to deal with the problem of public verification during the data transfer and deletion. More specifically, our new scheme can provide the data owner with the ability to verify the data transfer and deletion results. In addition, by using the advantages of VC, our proposed scheme does not require any trusted third party. Finally, we prove that the proposed scheme not only can reach the expected security goals but also can satisfy the efficiency and practicality.

Keywords

Cloud storage data deletion data transfer vector commitment public verification

Introduction

Cloud computing, an emerging and promising computing paradigm, was first put forward by Google.¹ Cloud computing can connect a large number of computing resources, network bandwidths, and storage spaces together via the Internet.^2,3 Using these tremendous resources, the cloud service provider is able to provide on-demand self-service for the tenants conveniently and ubiquitously, for example, outsourcing service,^4–6 identity authentication,⁷ cloud storage service, and data search.^8–10 In the cloud storage service paradigm, the cloud storage service provider can offer resource-constraint data owners boundless storage resources and network resources. Thanks to a number of irresistible advantages, the cloud storage service has been widely applied in daily life and work. In order to save the overhead of storing and maintaining the data, there will be more and more tenants, including the corporations and individuals prefer to store their files on a remote cloud data center. Investigation shows that 82% organizations benefit by embracing the cloud storage service.¹¹

Although the cloud storage service has plenty of attractive advantages, it is unavoidably subjected to some novel security issues and challenges.¹² In the cloud storage service, the data owners might lose the direct control over their outsourced files, which prevents them from performing operations over their outsourced data directly.¹³ Therefore, all the operations over the outsourced data, such as moving the data from one cloud server to another and removing the outsourced file from the storage medium, will be executed by the remote cloud server. As a result, the outsourced data transfer and deletion have become two new problems because the selfish cloud server might not execute these operations sincerely for economic benefits. In order to permanently remove the outsourced data, a lot of researchers have focused on the problem of data deletion in the past decade and have put forward plenty of methods, such as deletion by overwriting^14–19 and deletion by cryptography.^20–24 Although a number of deletion schemes have been proposed, there are still some problems and challenges in deleting the outsourced data.

First of all, plenty of the existing data deletion schemes are inefficient, especially the schemes that realize data deletion by overwriting the disk. In the overwriting methods, when the data owners require the cloud server to delete the data, the remote cloud server will realize data deletion by utilizing random data to overwrite the physical medium and then return a deletion result. To make the data deletion operation more secure, some researchers argue that the disk should be overwritten more than one time. However, deletion by overwriting is inefficient in practical applications, especially in the distributed storage system because it needs to overwrite all the storage mediums that store the data backups. Besides, Gutmann²⁵ stated that it cannot really realize data deletion by overwriting the physical medium simply because there is some physical remanence left on the disk. The attacker can use the physical remanence to recover the deleted files. Hence, it is very significant to improve the efficiency and security of data deletion schemes.

Secondly, most of the existing data deletion methods cannot achieve public verification of the deletion results. Plenty of deletion schemes can be described as “one-bit-return” scheme: the data owners send an order to require the storage medium to delete the data. After receiving the deletion command, the storage system removes the corresponding data and then sends a one-bit result (Success/Failure) to the data owners to indicate the status of the deletion operation. In these schemes, the data owners must believe the returned data deletion result because they cannot verify it conveniently and efficiently. However, the storage system might reserve the data backups maliciously for economic interests and send a false result to cheat the data owners. Later, some schemes aim to offer the data owners the capacity to verify the data deletion outcome, but many of them need a trusted third party (TTP). Take Hao et al.’s²⁶ data deletion scheme as an example, it needs a trusted platform module (TPM). Nevertheless, it is very hard to find such a TTP in practical applications. Therefore, the requirement of public verifiability should be reached in the data deletion schemes without requiring a TTP.

Finally, moving the cloud data among different cloud servers and deleting the transferred data from the original cloud server have become two fundamental requirements for the data owners. Data transfer is frequent in plenty of real-applicitaions, for example, smart homes, power control system, and medical data-management system. The report shows that cloud data traffic will increase by 19.3 exabytes per year.²⁷ By 2018, 9% of the total cloud traffic is predicted to be the data traffic among different clouds; there is a 2% increase compared with the end of 2013. However, only a few existing schemes can realize outsourced data transfer and deletion simultaneously.^28–30 In addition, all of them need a third party auditor. Take Ni et al.’s²⁸ scheme as an example, it uses the improved BCP encryption scheme and the polynomial-based authenticators to ensure the integrity of transferred data on the new cloud. Finally, it utilizes proxy-encryption technique to achieve deletion of the transferred data from the original cloud server. However, it needs a third party auditor, which will become the bottleneck. As far as we know, it seems that there is no research work on efficient and publicly verifiable outsourced data transfer and deletion scheme that does not require a TTP under the dishonest cloud server model. As a consequence, we design a vector commitment-based construction that aims to make the outsourced data transfer and deletion processes publicly verifiable. In addition, the presented construction does not require any TTP.

Main contributions

In this article, we design a new vector commitment-based scheme that not only can achieve publicly verifiable cloud data deletion but also can realize provable data transfer between two different cloud servers. In our scheme, we use the primitive of vector commitment to generate some corresponding proofs that can be used to verify the data transfer and deletion results. Therefore, our article’s main contributions are the following two folds:

We put forward a new vector commitment-based scheme that not only can achieve publicly verifiable cloud data deletion but also can realize provable data transfer between two different cloud servers. If the selfish original cloud server does not honestly transfer the data to the target cloud server, or it does not delete the transferred data sincerely, the proposed scheme can offer the data owner the ability to discover the dishonest operations by verifying the returned evidences.

We apply the vector commitment (VC) to reach the property of public verifiability in the outsourced data transfer and deletion. By utilizing the tremendous advantages of VC, our proposed scheme can achieve public verifiability without requiring any TTP, which is very different from most of the previous solutions. Besides, our novel scheme is also quite efficient in communication as well as computation.

This work is the extension of our previous paper, which was presented at the International Conference on Information and Communications Security (ICICS) 2018.³¹ In the following, we describe the main differences between this article and the conference version. Firstly, we describe the related work more detailed in section “Introduction.” Secondly, we present a more detailed scheme and add the high description of our scheme in section “Our construction.” We also describe the design goals for our scheme in section “Design goals” and prove that our proposed scheme can satisfy these security properties in section “Security analysis.” Finally, we add the experimental simulation of our novel scheme and the overhead comparison between a previous scheme and our scheme in section “Performance evaluation.”

Related work

In cloud storage, plenty of researchers have focused on the verifiable cloud data transfer and deletion for a long time, resulting in a large number of solutions. In processing the problem of data deletion, although unlinking can delete the link of the file efficiently, the contents of outsourced file still remain in the storage medium. The attacker can recover the contents by using tools to scan the disk.³² Therefore, it is particularly meaningful to study and put forward more secure outsourced data deletion schemes.

In 2010, in order to delete the contents of the file and provide the data owner with the ability to verify the deletion result, Paul and Saxena³³ put forward a verifiable data deletion protocol that is named “Proof of Erasability” (PoE). In addition, Perito and Tsudik³⁴ put forward a similar solution called “Proofs of Secure Erasure” (PoSE-s), which aims to permanently delete digital data from the embedded devices. In 2011, Wei et al.³⁵ proposed a scheme to erase the data from flash-based solid-state drives reliably. Luo et al.³⁶ put forward a permutation-based verifiable cloud data erasure protocol in 2016. In their protocol, they assume that the cloud server is self-serving, and it merely maintains the latest version of the outsourced data. Besides, all the backups are assumed to be consistent when the data owner updates the data. Therefore, they turn overwriting operation into data update operation. That is, they can delete the data by updating them. Finally, the data owner is able to use a challenge–response protocol to verify the deletion outcome.

In order to permanently and efficiently delete the file from the Yet Another Flash File System (YAFFS), Lee et al.³⁷ put forward a secure data deletion protocol in 2010. In their scheme, they modify the YAFFS to encrypt different files with different encryption keys, and then they store the keys in the file header. Finally, they realize data deletion by deleting the file header to make the ciphertext unavailable. In 2012, Reardon et al.³⁸ proposed a data node encrypted file system, which can also be used to remove data from flash memory. They use a unique key to encrypt every data block and store the corresponding keys in a key storage area. They delete the related keys if the data owner wants to remove some data blocks. To be specific, the key storage area will be replaced with a new one, which does not contain the decryption keys for the deleted data blocks. In 2014, Xiong et al.³⁹ presented a data self-destructing protocol. In their scheme, each file is labeled with a time instant. Besides, every privacy key will also be associated with a time interval. If the attributes that are related to the corresponding ciphertext satisfy the access structure, and the time instant must be in the specified time interval, the ciphertext can be decrypted. Upon reaching the expired time, the sensitive information will be self-destructed securely.

In order to manage the cloud data more transparently and efficiently, Du et al.⁴⁰ studied the Merkle hash tree, pre-deleting sequence, and some other basic cryptography techniques and designed a deletion scheme for multi-copy in cloud storage. Their scheme offers data owner the ability to check the deletion result by verifying the deletion evidence. In 2018, Yang et al.⁴¹ put forward a novel outsourced data deletion scheme with public verifiability, which is based on blockchain. In their scheme, the remote cloud server stores and maintains the outsourced data. Upon receiving a valid deletion command, the remote cloud server may remove the related outsourced data and generates the corresponding deletion evidence at the same time. Finally, the deletion proof is published on the blockchain, and any verifier can check the deletion result by verifying the deletion proof without requiring any TTP. Yang and Tao⁴² put forward a new cloud data deletion scheme with publicly verifiability and efficient tracking. They use the Merkle hash tree to deal with the problem of public verification and offer the data owner the ability to verify the deletion result.

Furthermore, how to achieve provable cloud data transfer and deletion simultaneously has caught plenty of researchers’ attentions. In 2015, Yu et al.²⁷ presented a verifiable cloud data possession protocol that is characterized by provable data transfer and deletion. After the data are transferred to a new cloud server, they are able to check the transferred data integrity on the new cloud server and then delete the transferred data from the original cloud server. In 2017, Xue et al.²⁹ designed a verifiable cloud data transfer scheme from provable data possession (PDP) and cloud data deletion. In their scheme, when the data owners want to alter the service provider, they can move the data blocks to a new cloud server and check the transferred data integrity on the new cloud server. Moreover, the original cloud removes the corresponding transferred data blocks and utilizes rank-based Merkle Hash Tree (RMHT) to generate a deletion proof. Then the data owners can check the deletion result by verifying the proof. Later, Wang et al.¹¹ presented a verifiable cloud data transfer and erasure protocol. Their scheme could provide the data owner the ability to transfer data between two different cloud servers. Besides, they use homomorphic authenticators and homomorphic encryption to offer the data owner the ability to verify the deletion result on the original cloud and the transferred data integrity on the new cloud.

Organization

In the following section, we will describe the organization for the rest of the article. We present some preliminaries in section “Preliminaries,” including the bilinear pairings and the VC. In section “Problem statement,” we will minutely describe the problem statement. Then, in section “Our construction,” we describe our novel scheme in detail. In section “Analysis of our scheme,” we first give a brief security analysis of our scheme. After that, we make a comparison between our novel scheme and an existing scheme. Finally, we give a conclusion about the proposed data transfer and deletion scheme in section “Conclusion.”

Preliminaries

In the following section, we firstly present the basic definitions and main properties of the bilinear pairings briefly. Secondly, we may give a short description about the Computational Diffie–Hellman (CDH) problem. Finally, we describe the cryptographic primitive of VC, which is particularly important for realizing public verifiability.

Bilinear pairings

We assume that the groups $G_{1}$ and $G_{2}$ are two cyclic multiplicative groups. $p$ is a prime that is the order of groups $G_{1}$ and $G_{2}$ . Then we let $g$ be an arbitrary generator of $G_{1}$ . A bilinear pairing is a map $e : G_{1} \times G_{1} \to G_{2}$ with three properties:

$Bilinear$ : for all $U, V \in G_{1}$ , and $x, y \in Z_{p}^{*}, e (U^{x}, V^{y}) = e (U, V)^{xy}$ .

$Non-degenerate$ : $e (g, g) \neq 1$ .

$Computable$ : for all $U, V \in G_{1}$ , there is always an algorithm to efficiently calculate the value of $e (P, Q)$ .

The CDH problem in $G_{1}$ is defined as follows:

Definition 1

We assume that a and b are both randomly chosen from $Z_{p}$ . For any $a, b \in Z_{p}$ , on input a triple $(g, g^{a}, g^{b})$ , and subsequently outputs a value $g^{ab}$ , where g is a generator of $G_{1}$ . If for each probabilistic polynomial time (PPT) algorithm $A$ , there is always a negligible function $negl (\cdot)$ which $\Pr [A (1^{a}, g, g^{a}, g^{b}) = g^{ab} \leq negl (k)]$ , the CDH assumption holds, where $k$ is the discretionary security parameter.

Vector commitment

As a fundamental cryptographic primitive, commitment scheme plays a really important role in plenty of security protocols, for instance, zero-knowledge proof, identification protocol, digital voting scheme, and verifiable database.⁴³ Informally, a commitment protocol could intuitively be seen as a sealed envelope: when the sender wants to commit to a message m, he can put the message m into the envelope and send the sealed envelope to the receiver. At a later moment, the sender is able to open the sealed envelope to publicly show the committed message m. A commitment scheme is expected to satisfy two properties. The first one is called “ $hiding$ ,” which means that nobody but the sender is able to open the envelope to disclose the committed message m from the commitment. The other one is called “ $binding$ ,” which means that upon committing to a message m, the commitment mechanism does not allow the sender to change m anymore.⁴⁴

In 2013, Catalano and Fiore⁴⁵ put forward a new cryptographic primitive from commitment, which is called vector commitment (VC). Generally speaking, a VC scheme is very closely related to the zero-knowledge sets. Without loss of generality, a VC scheme can allow the committer to commit to an ordered sequence of messages $(m_{1}, \dots, m_{q})$ in a particular way: the committer can open the commitment to reveal the messages at specific positions.⁴⁶ Furthermore, a VC protocol can satisfy the property of “ $posititon binding$ ,” which means that nobody is able to open the commitment to reveal two different messages at a same position. Moreover, a VC scheme can also satisfy the property of $hiding$ . That is, for any given commitment, no one but the committer can distinguish whether the given commitment is created to m or $m'$ . Although have obtained some openings at the corresponding positions, the adversary still cannot distinguish whether the commitment is created to m or $m'$ . However, Catalano and Fiore do not consider the property of $hiding$ because it is not a critical property in some applications. Last but not least, a VC scheme is also required to be concise, which means that the opening and the size of the commitment both are independent of q.

$VC . KeyGen (1^{k}, q)$ : on input k and $q = poly (k)$ , the key generation algorithm outputs some public parameters pp, where k is the security parameter and q defines the size of the committed vector. Besides, pp can also implicitly define the message space $M$ .

$VC . Co m_{pp} (m_{1}, \dots, m_{q})$ : the committing algorithm takes as inputs $pp$ and $(m_{1}, \dots, m_{q}) \in M^{q}$ and then, outputs auxiliary information $aux$ and commitment $π$ .

$VC . Ope n_{pp} (m, i, aux)$ : the opening algorithm is executed by the committer and finally outputs an evidence $λ_{i}$ to prove $m$ is the $i - th$ committed message.

$VC . Ve r_{pp} (π, m, i, λ_{i})$ : if and only if $λ_{i}$ is valid and commitment $π$ is created to $(m_{1}, \dots, m_{q})$ such that $m = m_{i}$ will this algorithm return 1.

$VC . Updat e_{pp} (π, m, i, m')$ : this algorithm is executed by the original committer, who wants to obtain a new commitment by changing m to $m'$ at position i. This update algorithm takes as inputs m and $m'$ and then outputs $π'$ and U.

$VC . ProofUpdat e_{pp} (π, U, m', i, λ_{j})$ : every user who owns $λ_{j}$ can run this algorithm, where $λ_{j}$ is an evidence for the message at the position j related to $π$ when the $i - th$ message is updated to $m'$ . On input $π$ , $λ_{j}$ , $U$ , and $m'$ , then returns a novel evidence $λ'_{j}$ and an updated VC $π'$ .

Problem statement

In the following section, we firstly describe the system model of our proposed scheme. Then we formalize the main security threats, which are considered in our scheme. Finally, we identify our principal design goals in detail.

System model

In the following section, we present the system model of our new proposed scheme. Without loss of generality, the system model contains two remote cloud servers $S_{1}$ and $S_{2}$ , and a data owner O, as illustrated in Figure 1.

A data owner O refers to an entity that owns restricted computing resources, network resources, and storage resources. In order to save the local storage overhead, O prefers to outsource his personal data to the remote cloud server S₁. Later, as some controllable or uncontrollable factors, O may transfer the outsourced data to a new cloud server S₂. Whereafter, O is willing to permanently delete the transferred data from S₁ and verifies the transfer and deletion results by checking the returned evidences.

An original cloud server S₁ is an entity who has powerful computing ability, plenty of storage resources, and transmission bandwidths. In our system model, we assume that S₁ might transfer the specified data to cloud server S₂. After that, S₁ is requested to permanently remove the transferred data. Finally, S₁ computes some corresponding proofs to convince O that the data transfer and deletion operations have been executed honestly.

A target cloud server S₂ refers to another entity which also owns a number of storage spaces and provides on-demand cloud storage service for the resource-constraint data owners. In our scheme, we define that S₂ is the target cloud server. That is to say, S₂ receives the transferred data from S₁ and stores them. After that, S₂ generates a new commitment and returns evidence to O to indicate the success of the data transfer.

Figure 1.

The system model of our scheme.

Security threats

In our scheme, we will assume that S₁ is a “semi-honest-but-curious” cloud server and it may not follow our protocol honestly for financial incentives. Besides, some malicious users (hackers) might try to unlawfully access the outsourced data. Therefore, there are two types of attacks should be considered in our scheme: the external attacks and the internal attacks. The external attackers, such as hackers and malicious users, might pay attention to digging the sensitive information from the outsourced data. The internal attackers, such as the dishonest administrators of the cloud storage system, may study the privacy of O from the outsourced data. Besides, S₁ may not transfer the data or delete the transferred data sincerely for economic benefits. More specifically, we mainly consider the following four security challenges:

Data privacy exposure: data privacy exposure is a very common security threat for the data owner in the cloud storage service for the following three reasons. Firstly, the attackers are so curious that they might try their best to illegally access the outsourced data for digging some private information. Secondly, the remote cloud server might share the outsourced data with their corporators for financial incentives. Last but not least, the cloud server would reserve some copies maliciously to dig some implicit benefits from the data. Therefore, the outsourced data suffer from privacy exposure threat.

Data pollution: the outsourced data may be polluted as the following factors. Firstly, the selfish remote cloud server might delete some outsourced data that are rarely accessed to save storage resources. Secondly, for saving the transmission bandwidth, S₁ may merely send part of the data when O downloads or transfers the data. Finally, the external attackers may destroy the data maliciously. Hence, the outsourced data suffer from data pollution.

Dishonest data transfer: in practical applications, the local data owner may transfer the data from S₁ to S₂ for some objective or subjective reasons. To transfer the data successfully, S₁ needs to cost some computation and communication resources. For some economic reasons, S₁ may only transfer partial data to S₂, or even worse, S₁ may not transfer the data at all. However, S₁ will claim that the data have been transferred to S₂ honestly and return an error transfer result to mislead O. Therefore, dishonest data transfer is another security threat.

Malicious data reservation: when the data have been transferred to S₂, O prefers to permanently delete the transferred file from S₁. However, the selfish S₁ might maliciously keep some backups of transferred data for the following reasons. Firstly, S₁ needs to expend some additional overhead to delete the transferred data. Secondly, S₁ can obtain some implicit benefits from the data reservation arbitrarily, which may lead to data privacy exposure. Therefore, from O’s point of view, the malicious transferred data reservation is also a security threat.

Moreover, we can assume that S₁ and S₂ will not collude together to cheat O because they belong to different enterprises. That is, the two cloud servers both follow our protocol independently. Furthermore, we assume that S₂ would not slander S₁ maliciously for good reputation and S₁ will not store any data backups on other subcontractors.

Design goals

In our new scheme, we aim to reach provable data transfer and verifiable data deletion in cloud storage. As a result, according to the above security threats, we need to realize the following four properties:

Data confidentiality: in order to protect the sensitive data contained in the outsourced file, it must prevent the attackers from accessing the sensitive data illegally. This implies that we need to use secure encryption algorithm to encrypt the outsourced file and then outsource the corresponding ciphertext. In addition, the decryption key should be maintained so secret that only the data owner knows.

Data integrity: in order to prevent the outsourced data from being polluted, on one hand, O should be given the ability to verify data integrity during the data decryption process; on the other hand, S₂ should check that whether the transferred data blocks are intact before storing them. If the data are not intact, both O and S₂ can detect the data pollution.

Verifiability: in order to ensure that the outsourced data have been successfully transferred to S₂ and have been deleted from S₁ permanently, O and S₂ should have the ability to check the results of the data transfer and deletion operations. If S₁ does not faithfully transfer or delete the transferred data, it cannot forge effective evidences to prove that the file has been transferred or deleted honestly.

Accountability: Upon performing some operations over the outsourced data, both O and S₁ cannot deny their behaviors. If one of them denies his performance and slanders the other, the one who is vilified can prove his innocence and disclose the slanderer’s malicious behavior.

Our construction

Overview

In this article, we adopt the primitive of VC to construct a new scheme that aims to solve the problem of verifiable outsourced data transfer and deletion under a commercial model.

The main processes of our new proposed scheme are demonstrated in Figure 2. The outsourced file always contains some sensitive information which should be kept secret from the data owner’s point of view. Therefore, the data owner O should first encrypt the file to protect the data confidentiality and then outsource the ciphertext to the original cloud server S₁. The original cloud server S₁ maintains the data and returns a storage proof. After that, the data owner O can check the storage result and delete the local backups. Later, when the data owner O needs the outsourced file, he must download the ciphertext from the original cloud server S₁ and decrypt it to obtain the related plaintext. Meanwhile, due to some controllable or uncontrollable factors, the data owner O may want to change the cloud storage service provider. Therefore, the data owner O needs to transfer the data from the original cloud server S₁ to the target cloud server S₂ and checks the data transfer result. Finally, the data owner O wants to delete the transferred data from the original cloud server S₁. The original cloud server S₁ executes data deletion command and returns a data deletion evidence, which will be used to verify the data deletion result by the data owner O.

Figure 2.

The main process of our scheme.

We can easily find that our new proposed scheme can achieve data confidentiality, provable data transfer, and verifiable data deletion, which is very similar to the previous solutions.^29,47 Moreover, our new construction is able to achieve public verifiability without requiring any TTP. However, the previous schemes^29,47,48 need to introduce a third party auditor. In real-applications, the third party auditor has become the bottleneck that impedes the rapid development of verifiable data transfer and deletion. Therefore, we can think that our new proposed solution is more attractive and practical.

The concrete construction

In this subsection, we may introduce our novel provable outsourced data transfer and deletion scheme in detail. In the following, we firstly describe some symbols that will be utilized in our novel scheme. First of all, we could assume that O has passed the identification and become a legal client of the two cloud storage service providers S₁ and S₂. After that, O can set a secret and unique identity number $i d_{o}$ . Besides, we use symbols $H_{1} (\cdot)$ and $H_{2} (\cdot)$ to represent two secure one-way collision resistant hash functions. Furthermore, every file is named with a unique name in our scheme, and the file’s name is kept secret by O. Without loss of generality, O is assumed to outsource a file $F$ , and its name is $n_{f}$ .

KeyGen

First of all, it is required to generate ECDSA public/private key pairs $(p k_{o}, s k_{o})$ , $(p k_{s_{1}}, s k_{s_{1}})$ , and $(p k_{s_{2}}, s k_{s_{2}})$ for the data owner O, the original cloud server S₁, and the target cloud server S₂, respectively. Then O runs the algorithm $VC . KeyGen (1^{k}, q)$ to obtain public parameters $pp = (g, {h_{i}}_{i \in [q]}, {h}_{i, j \in [q], i \neq j})$ , where $VC$ is a vector commitment scheme which is based on the CDH assumption.

Encrypt

In order to prevent the sensitive information from disclosure, the data owner $O$ needs to encrypt the outsourced data. First of all, $O$ divides file $F$ into $q$ blocks $(m_{1}, \dots, m_{q})$ . Secondly, for all $i \in [1, q]$ , $O$ computes the encryption keys $(k_{1}, \dots, k_{q})$ as $k_{i} = H_{1} (n_{f} | | s k_{o} | | i)$ and then executes data block encryption operations $ci p_{i} = En c_{k_{i}} (m_{i})$ , where $Enc$ is an IND-CPA secure symmetric encryption algorithm. Whereafter, $O$ generates a file tag $tag = H_{2} (n_{f} | | s k_{o})$ and computes the hash values $(h_{1}, \dots, h_{q})$ as $h_{i} = H_{2} (ci p_{i} | | tag | | s k_{o} | | i)$ . After that, $O$ sends the final ciphertext $C = (tag, C_{1}, \dots, C_{q})$ to $S_{1}$ , where $C_{i} = (ci p_{i}, h_{i}, i)$ . Finally, $O$ sets $aux = (C_{1}, \dots, C_{q})$ and runs the algorithm $VC . Co m_{pp} (C_{1}, \dots, C_{q})$ to generate a commitment $π$ . On receipt of $C$ , $S_{1}$ may store the data block $C_{i}$ at position $i$ .

StoreCheck

After uploading the outsourced data to $S_{1}$ , $O$ wants to check that whether $S_{1}$ stores the data blocks honestly. Firstly, for all $i \in [1, q]$ , $S_{1}$ executes the algorithm $λ_{i} \leftarrow VC . Ope n_{pp} (C_{i}, i, aux)$ to generate the storage evidences $λ = (λ_{1}, \dots, λ_{q})$ and sends $λ$ to $O$ . Upon receiving $λ$ , $O$ runs the algorithm $x_{i} \leftarrow VC . Ve r_{pp} (π, C_{i}, i, λ_{i})$ and then checks all $x_{i}$ . If there exists an i to make $x_{i} = 0$ hold, $O$ quits and outputs failure; otherwise, $O$ trusts that S₁ honestly stores the data blocks and deletes the local data backups.

Decryption

When $O$ requires the outsourced file, he must obtain the corresponding ciphertext from S₁ and execute decryption operation to obtain related plaintext. Therefore, there will be two processes in the $Decryption$ algorithm: $DataDownload$ and $DataDecrypt$ .

$DataDownload$ : first of all, to download the ciphertext, $O$ creates a block index set $Φ$ , and it identifies the ciphertext blocks which will be downloaded. Then $O$ computes an ECDSA signature $si g_{d} = Sig n_{s k_{o}} (download | | tag | | T_{d} | | Φ)$ , where $Sign$ is the corresponding signature generation algorithm, and $T_{d}$ is the timestamp. After that, $O$ generates a download request $R_{d} = (download, si g_{d}, tag, T_{d}, Φ)$ and sends it to S₁. Upon receiving the download request $R_{d}$ , S₁ checks the validity of $R_{d}$ by signature verification. If $R_{d}$ is not valid, S₁ quits and outputs failure; otherwise, S₁ sends the data blocks ${C_{i} = (ci p_{i}, h_{i}, i)}_{i \in Φ}$ to $O$ .

$DataDecrypt$ : upon receiving ${C_{i}}_{i \in Φ}$ , $O$ should verify the data integrity before decrypting. To be more specific, $O$ checks that whether the equation $h_{i} \overset{?}{=} H_{2} (ci p_{i} | | tag | | s k_{o} | | i)$ holds. If $h_{i} \neq H_{2} (ci p_{i} | | tag | | s k_{o} | | i)$ , $O$ quits and outputs failure; otherwise, $O$ can decrypt $ci p_{i}$ to obtain the plaintext $m_{i}$ as $m_{i} = De c_{k_{i}} (ci p_{i})$ , where $k_{i} = H_{1} (n_{f} | | s k_{o} | | i)$ , $i \in Φ$ and $Dec$ is the corresponding IND-CPA secure symmetric decryption algorithm.

Transfer

For some objective or subjective reasons, $O$ may alter the cloud storage service provider. Therefore, $O$ needs to transfer a few outsourced data blocks, or even the whole file from S₁ to S₂.

$TranReGen$ : in order to transfer the data blocks from $S_{1}$ to $S_{2}$ , $O$ needs to generate a data transfer request $R_{t}$ . Firstly, $O$ creates a block index set $Ψ$ , and it identifies the data blocks which will be transferred to $S_{2}$ . Secondly, $O$ computes a signature $si g_{t}$ as $si g_{t} = Sig n_{s k_{o}} (transfer | | tag | | T_{t} | | Ψ)$ , where $T_{t}$ is a timestamp. After that, $O$ generates a data transfer request $R_{t} = (transfer, si g_{t}, tag, T_{t}, Ψ)$ and sends $R_{t}$ to S₁. At the same time, $O$ will send the commitment $π$ to S₂.

$Migrate$ : upon receipt of the data transfer request $R_{t}$ , $S_{1}$ will check the validity of $R_{t}$ . If $R_{t}$ is not valid, $S_{1}$ quits and outputs failure; otherwise, $S_{1}$ computes a signature $si g_{ts} = Sig n_{s k_{s_{1}}} (transfer | | R_{t})$ . Then $S_{1}$ sends the data blocks ${C_{i}}_{i \in Ψ}$ to $S_{2}$ , along with the proofs ${λ_{i}}_{i \in Ψ}$ and the signature $si g_{ts}$ .

$TranCheck$ : upon receiving $si g_{ts}$ and ${C_{i}, λ_{i}}_{i \in Ψ}$ , $S_{2}$ firstly verifies the validity of $si g_{ts}$ . If $si g_{ts}$ is not valid, $S_{2}$ quits and outputs failure; otherwise, for all $i \in Ψ$ , $S_{2}$ executes the algorithm $x_{i} \leftarrow VC . Ve r_{pp} (π, C_{i}, i, λ_{i})$ , and then checks all $x_{i}$ . If there exists an $i \in Ψ$ to make $x_{i} = 0$ hold, S₂ quits and outputs failure; otherwise, S₂ creates $q$ empty units $(b_{1}, \dots, b_{q})$ . Then for all $i \in Ψ$ , S₂ stores $C_{i}$ at position $b_{i}$ . Besides, the other units ${b_{i}}_{i \in [1, q], i \notin Ψ}$ will be set $NULL$ . After that, S₂ runs the algorithm $VC . Co m_{pp} (b_{1}, \dots, b_{q})$ to compute a new commitment $π_{s_{2}}$ and sets the auxiliary information $au x_{s_{2}} = (b_{1}, \dots, b_{q})$ . Finally, S₂ sends $π_{s_{2}}$ and $si g_{ts}$ to $O$ .

Deletion

$O$ prefers to permanently delete the transferred data blocks from $S_{1}$ after migration, and only store the transferred data on S₂ finally.

$DelReGen$ : first of all, $O$ computes a signature $si g_{e} = Sig n_{s k_{o}} (erasure | | tag | | T_{e} | | Ψ)$ , where $T_{e}$ is a timestamp. Then $O$ generates the deletion request $R_{e} = (erasure, si g_{e}, tag, T_{e}, Ψ)$ and sends $R_{e}$ to S₁ to delete the transferred data blocks.

$Delete$ : after receiving $R_{e}$ , S₁ firstly checks that whether $R_{e}$ is valid. If $R_{e}$ is not valid, S₁ quits and outputs failure; otherwise, $S_{1}$ generates a signature $si g_{es} = Sig n_{s k_{o}} (erasrue | | R_{e})$ . Subsequently, S₁ generates signatures $si g_{ei} = Si g_{s k_{s_{1}}} (erasure | | R_{e} | | tag | | i)$ , where $i \in Ψ$ . Then S₁ deletes $C_{i}$ and uses $si g_{ei}$ to replace $C_{i}$ to compute a new $aux'$ . Besides, S₁ runs the $VC . Com$ algorithm to obtain a new commitment $π'$ . Finally, S₁ sends evidence $τ = (R_{e}, π^{'}, {i, s i g_{e i}}_{i \in Ψ}, Ψ)$ to S₂.

$DelCheck$ : upon receipt of $τ$ , S₂ verifies $R_{e}$ and ${si g_{ei}}_{i \in Ψ}$ . If some verifications cannot pass, S₂ quits and outputs failure; otherwise, S₂ will verify the equation $π' \overset{?}{=} π \underset{i \in Ψ}{Π} h_{i}^{si g_{ei} - C_{i}}$ . If $π' \neq π \underset{i \in Ψ}{Π} h_{i}^{si g_{ei} - C_{i}}$ , S₂ quits and outputs failure; otherwise, S₂ returns $τ$ to $O$ .

Analysis of our scheme

In the following section, we will provide a detailed analysis about our new proposed scheme. First of all, we might prove the security properties that our new scheme can satisfy. Secondly, we give a comparison between Hao et al.’s scheme²⁶ and our scheme. Finally, we present the efficiency evaluation comparisons of Hao et al.’s²⁶ scheme and our proposed scheme.

Security analysis

In the following, we will prove that our proposed scheme can satisfy the desired security properties.

Data confidentiality

Data confidentiality means that the attacker cannot obtain any plaintext information of the outsourced data if they cannot obtain the corresponding data decryption key. In our proposed scheme, the local data owner uses the IND-CPA secure Advanced Encryption Standard (AES) to encrypt the outsourced data and maintains the encryption/decryption keys secretly, which can ensure that any attacker cannot get the data encryption/decryption keys illegally. That is, any attacker cannot maliciously obtain the plaintext. Therefore, the proposed scheme can satisfy the outsourced data confidentiality.

Data integrity

Without loss of generality, our proposed provable cloud data transfer and deletion scheme is able to guarantee the cloud data integrity.

After outsourcing the personal data to the original cloud server S₁, the local data owner $O$ would delete the corresponding data copies from local storage medium. Therefore, in the $Decryption$ phase, $O$ must download the related ciphertext $C_{i} = (ci p_{i}, h_{i}, i)$ from S₁ and execute decryption operation to obtain the corresponding plaintext $m_{i}$ . On receipt of the ciphertext $C_{i}$ , $O$ can check the data integrity of $C_{i}$ . First of all, $O$ checks that whether the equation $h_{i} \overset{?}{=} H_{2} (ci p_{i} | | tag | | s k_{o} | | i)$ holds. Note that $s k_{o}$ is $O$ ’s privacy key; hence, nobody can forge a new ciphertext $ci p'_{i}$ and a hash value $h'_{i}$ to make the equation $h'_{i} = H_{2} (ci p'_{i} | | tag | | s k_{o} | | i)$ hold. In other words, if and only if $C_{i}$ is intact, can the verification pass and $O$ is able to get the correct plaintext after running the $Decryption$ algorithm; otherwise, $O$ is always able to discover the data pollution if the data are tampered maliciously.

In the $Transfer$ process, the original cloud server S₁ transfers $(si g_{ts}, {C_{i}, λ_{i}}_{i \in Ψ})$ to the target cloud server S₂. First of all, the VC scheme is able to achieve $position binding$ and $hiding$ . Hence, for a same position $i$ , S₁ cannot open the message $C_{i}$ to another message $C'_{i}$ . That is, the proofs ${λ_{i}}_{i \in Ψ}$ must be valid; otherwise, the dishonest action will be discovered by S₂. Secondly, S₂ executes the algorithm $x_{i} \leftarrow VC . Ve r_{pp} (π, C_{i}, i, λ_{i})$ , where $i \in Ψ$ . After that, S₂ verifies all $x_{i}$ . If and only if the data blocks ${C_{i}}_{i \in Ψ}$ are integrated and the proofs ${λ_{i}}_{i \in Ψ}$ are valid will all the verifications pass; otherwise, S₂ is able to discover the malicious data manipulation.

Therefore, we can say that our new proposed scheme is able to guarantee the outsourced data integrity in the data transfer and decryption phases.

Public verifiability

Our proposed scheme is able to satisfy the property of public verifiability. After deleting the transferred data from the storage medium, the remote original cloud S₁ may compute a deletion evidence $τ$ , where $τ = (R_{e}, π', {i, si g_{ei}}_{i \in Ψ}, Ψ)$ . After that, any verifier that acquires the evidence $τ$ can efficiently check the result of the outsourced data deletion operation by verifying the evidence. First of all, the verifier is able to check the validity of the data deletion request $R_{e} = (erasure, si g_{e}, tag, T_{e}, Ψ)$ through signature verification. If the verification passes, it can prove that $O$ had asked $S_{1}$ to delete the transferred data. After that, the verifier checks the validity of the signatures $si g_{ei}$ that are generated by S₁ with private key $s k_{s_{1}}$ , where $i \in Ψ$ . If every signature can pass the verification, the verifier further checks that whether the equation $π' \overset{?}{=} π \underset{i \in Ψ}{Π} h_{i}^{si g_{ei} - C_{i}}$ holds. If and only if each verification passes, the verifier will believe that the data blocks have been deleted by $S_{1}$ faithfully. In addition, we can realize that all the verification phases do not require any private information. As a result, any verifier can use evidence $τ$ to verify the deletion result. Hence, our presented scheme can achieve public verifiability.

Accountable traceability

Our novel proposed scheme can satisfy the property of accountable traceability. More specifically, we analyze the accountable traceability in the data transfer and data deletion processes, respectively.

In data transfer process

Our new scheme can achieve provable data transfer between two different cloud servers. We will mainly consider the following scenarios: the dishonest $O$ and the malicious $S_{1}$ .

Dishonest $O$ : if $O$ is not honest, he may slander the original cloud server $S_{1}$ maliciously during the data transfer. First of all, $O$ had already requested $S_{1}$ to transfer some data blocks (even the whole file) to the target cloud server S₂, and S₁ had done that honestly. However, the dishonest $O$ may deny his transfer request. At this point, S₁ can demonstrate the data transfer request $R_{t} = (transfer, si g_{t}, tag, T_{t}, Ψ)$ , which contains a signature $si g_{t}$ . Note that only $O$ can generate the signature $si g_{t}$ ; therefore, $si g_{t}$ can be seen as an evidence, which proves that $O$ had sent a data transfer order to transfer some outsourced data blocks. Secondly, $O$ had never asked S₁ to transfer the data blocks. However, $O$ may declare that he had requested S₁ to transfer the data, and S₁ did not do it honestly. Here, S₁ can request $O$ to demonstrate the signature $si g_{ts} = Sig n_{s k_{s_{1}}} (transfer | | R_{t})$ , which is generated by $S_{1}$ with its private key $s k_{s_{1}}$ when it received the transfer request from $O$ . That is, no one can forge the signature $si g_{ts}$ . Hence, $O$ is not able to prove that he had requested S₁ to transfer the data.

Malicious S₁: if S₁ is malicious, S₁ may behave dishonestly in the data transfer process. On one hand, $S_{1}$ may transfer the data without $O$ ’s permission and slander that $O$ requested it to transfer the data. For this case, $O$ should ask $S_{1}$ to present the data transfer request $R_{t} = (transfer, si g_{t}, tag, T_{t}, Ψ)$ ; however, S₁ does not have the transfer request. Besides, the transfer request $R_{t}$ contains a signature $si g_{t}$ that can be generated by $O$ with $s k_{o}$ merely. Hence, S₁ cannot forge the transfer request $R_{t}$ to prove that it transferred the data blocks as $O$ ’s request. On the other hand, if S₁ did not transfer the data honestly and slanders that $O$ had not requested to transfer the data blocks. At this moment, $O$ can demonstrate the signature $si g_{ts}$ that is computed by $S_{1}$ with private key $s k_{s_{1}}$ . The private key $s k_{s_{1}}$ is only owned by S₁; therefore, nobody can forge the signature $si g_{ts}$ . That is, the signature $si g_{ts}$ can be seen as an evidence, which is able to prove that $O$ had requested S₁ to transfer the data and S₁ has responded to the request.

In data deletion process

Similarly, we describe the accountable traceability when $O$ and $S_{1}$ behave maliciously during the data deletion process.

Dishonest $O$ : first of all, the data owner $O$ may have requested $S_{1}$ to delete the transferred data blocks, and $S_{1}$ has executed the data deletion operation honestly. However, the dishonest $O$ may deny his data deletion request and slander that $S_{1}$ maliciously deleted the data. At this point, $S_{1}$ is able to demonstrate the data deletion request $R_{e} = (erasure, si g_{e}, tag, T_{e}, Ψ)$ , which contains a signature $si g_{e}$ . In addition, the signature $si g_{e}$ can been generated by $O$ with private key $s k_{o}$ merely. Therefore, the deletion request $R_{e}$ can be regarded as an evidence, which is able to prove that $O$ had already requested $S_{1}$ to delete the data blocks. Secondly, $O$ had never asked S₁ to delete the data blocks. Nevertheless, the dishonest $O$ may slander that S₁ did not faithfully delete the data. At this point, S₁ is able to request $O$ to demonstrate $si g_{es}$ that is generated by S₁ with private key $s k_{s_{1}}$ . As a result, $O$ cannot forge the signature $si g_{es}$ . Furthermore, $O$ cannot successfully slander S₁.

Malicious S₁: first of all, $O$ had never asked S₁ to delete the transferred data blocks; however, the malicious S₁ might delete the data arbitrarily. Then S₁ may declare that it performed the data deletion according to $O$ ’s command. At this point, $O$ can request S₁ to demonstrate $R_{e} = (erasure, si g_{e}, tag, T_{e}, Ψ)$ . But $O$ had never generated the deletion request $R_{e}$ at all. Besides, the deletion request $R_{e}$ includes a signature $si g_{e}$ that is generated by $O$ with $s k_{o}$ . That is, $S_{1}$ cannot forge the signature $si g_{e}$ . Therefore, S₁ cannot present the deletion request $R_{e}$ to show that $O$ had asked to delete the transferred data blocks. In addition, for saving overhead or digging sensitive information, the malicious S₁ might not faithfully delete the transferred data blocks. Meanwhile, S₁ may claim that $O$ had not requested to execute data deletion. At this point, $O$ is able to show $si g_{es}$ to demonstrate that $O$ had sent a deletion order and S₁ had received the deletion command. As a result, the dishonest S₁ cannot successfully slander $O$ .

Comparison

In order to demonstrate the overhead and efficiency more intuitively, we compare our novel VC-based scheme with the existing Hao et al.’s scheme²⁶ in the following section.

Without loss of generality, both the two schemes need to execute a few one-time computations to prepare the corresponding keys. Secondly, our proposed scheme is able to achieve public verifiability without requiring any TTP; however, Hao et al.’s scheme²⁶ needs a TPM. Moreover, our proposed scheme is able to reach provable outsourced data transfer and deletion, which is different from Hao et al.’s scheme.²⁶ Finally, the remote cloud server might maintain the outsourced data. That is to say, the remote cloud server will execute most of the computation operations (this is the same in Hao et al.’s scheme²⁶).

In our novel scheme, the outsourced file $F$ is assumed to be divided into $q$ blocks before encrypting, and then $m$ blocks are downloaded in the $Decryption$ process. To compare the overhead more conveniently, we will introduce some symbols. Firstly, $E$ represents an operation of IND-CPA secure $AES$ encryption, and $D$ represents a performance of $AES$ decryption (particularly, we can also use other secure encryption/decryption algorithms). In addition, we use $S$ to indicate an ECDSA signature generation calculation, respectively, and $V$ indicates an ECDSA signature verification operation. Furthermore, we define $E$ as an exponentiation computation in $G_{1}$ or $G_{2}$ , $M$ as a multiplication calculation in $G_{1}$ (or $G_{2}$ ), and $H$ as a hash computation. Finally, we assume that the data owner wants to transfer $l$ data blocks to the target cloud server, and after that delete these data blocks from the original cloud server.

From Tables 1 and 2, it can be easily discovered that our scheme can simultaneously achieve verifiable outsourced data transfer and deletion without relying on any TTP, which is different from scheme.²⁶ Moreover, our novel scheme will cost much less overhead to encrypt and decrypt the same size of the file. In order to delete $l$ data blocks, our new scheme needs to execute $(l + 1)$ ECDSA signature generation calculations and $(l + 1)$ ECDSA signature verification computations, and $(q + l)$ exponentiation operations. However, Hao et al.’s scheme²⁶ merely needs to perform one signature generation computation and one signature verification performance to delete a file. Hao et al.’s scheme²⁶ costs fewer computations to delete the data; however, the extra computations in our scheme are fully acceptable. In addition, the data deletion operation is one-time. As a result, our new scheme is still relatively efficient.

Table 1.

Function comparison of the two schemes.

	Hao et al.’s scheme²⁶	Our scheme
Model	Amortized model	Amortized model
TTP	Yes	No
Data transfer	No	Yes
Data deletion	Yes	Yes
Accountability	Yes	Yes

TTP: trusted third party.

Table 2.

Computational overhead comparison of the two schemes.

	Hao et al.’s scheme²⁶	Our scheme
Encrypt	$1 M + 2 E + 4 H$	$1 E + (2 q + 1) H + qE$
Decrypt	$1 E + 1 D + 3 H$	$1 S + 1 V + 1 D + 2 m H$
Delete	$1 S + 1 V$	$(l + 1) (S + V) + (q + l) E$

Performance evaluation

In the following, we will provide the performance evaluation of our proposed verifiable cloud data transfer and deletion scheme. We both simulate our novel scheme and Hao et al.’s scheme²⁶ with the OpenSSL library and the pairing-based cryptography library. More specifically, we execute the simulation experiments on the same Linux machine equipped with 4GB main memory and Intel(R) Core(TM) i5-4590 processors running at 3.30 GHz, and we simulate all the entities on this Linux machine. Finally, we are able to evaluate the overhead of the proposed scheme precisely throughout the simulations.

In order to protect the outsourced data confidentiality, the local data owner should use encryption algorithm to encrypt the outsourced file before outsourcing it to the remote cloud server. The encryption operation efficiency comparison of our novel scheme and Hao et al.’s scheme is presented in Figure 3. From the comparison of the simulation results, we can find that the overhead of the encryption operation will increase with the size of the encrypted file. To encrypt the same size of plaintext, Hao et al.’s scheme requires much more time than our scheme. Furthermore, our novel scheme’s growth rate is much lower than that of Hao et al.’s scheme. Therefore, we can say that our novel scheme is much more efficient in encryption phase.

Figure 3.

The time cost of encrypting.

After outsourcing the personal data to the remote cloud server, our scheme gives the local data owner the ability to verify the storage result. The main computation comes from generating storage proofs and verifying the storage proofs. To be more specific, the remote cloud server needs to perform $q (q - 1)$ exponentiation calculations and $q (q - 2)$ multiplication computations to generate related storage proofs for the data owner. Then the data owner needs to execute $2 q$ pairing computations and $q$ exponentiation calculations to verify the storage result. From Figure 4, we are able to find that the time cost will increase with the number of the data blocks, and the growth rate is quite high. However, the remote cloud server will bear most of these computational overhead. Furthermore, the remote cloud server can generate the storage proofs off-line. That is, our novel scheme is still quite efficient in practical applications.

Figure 4.

The time cost of storage verification.

The local data owner will not maintain any data copy after outsourcing the file to the remote cloud server. Therefore, when the data owner requires the outsourced data, they need to download the ciphertext from the remote cloud server, and then they can obtain the file by decrypting the ciphertext. To perform the experiment conveniently, we can assume that the data owner stores 100 data blocks on the cloud server and downloads 20 data blocks in the decryption phase. Then the decryption efficiency comparison of our proposed scheme and Hao et al.’s scheme is shown in Figure 5. From Figure 5, we can realize that our proposed scheme costs much less overhead to decrypt the same size of decrypted ciphertext. Furthermore, the time cost will increase with the size of the decrypted file, nevertheless, the growth rate of Hao et al.’s scheme is much higher than that of our new proposed scheme. As a result, our new proposed scheme is much more efficient to decrypt the file.

Figure 5.

The time cost of decrypting.

Both our novel scheme and Hao et al. scheme can satisfy the public verifiability of the data deletion result. To delete a file, Hao et al.’s scheme needs to execute one signature generation operation and a signature verification operation. However, in order to delete $l$ data blocks, our novel scheme should compute $(l + 1)$ ECDSA signatures and check the validity of these signatures. In addition, our scheme still needs to perform $(q + l)$ exponentiation operations (here we assume $q = 100$ ). The Figure 6 shows the efficiency comparison between the two schemes in data deletion process. Then we can find that Hao et al.’s scheme costs less time. Besides, the overhead of our scheme will increase with the number of deleted data blocks. Luckily, the data deletion operation is one-time, and the overhead is absolutely acceptable because the time is very short. For example, it only takes about 11 ms to delete 16 data blocks. Hence, we can say that our proposed scheme is still efficient in data deletion.

Figure 6.

The time cost of deleting.

Conclusion

Due to the lack of trust between the local data owner $O$ and the remote original cloud server S₁, $O$ will think that S₁ might not honestly transfer the file to the target cloud server S₂ or delete the transferred data for economic interests. To deal with this trust issue, we design a novel verifiable outsourced data transfer and deletion scheme for cloud storage, which is based on VC. The proposed scheme is able to simultaneously achieve provable outsourced data transfer and verifiable transferred data deletion from S₁. If S₁ does not honestly execute the outsourced data transfer and deletion operations, our proposed scheme can enable $O$ to discover S₁’s dishonest operations by checking the returned evidences. In addition, we utilize the VC to deal with the issue of public verifiability, by which the verifier can verify the results of the transfer and deletion operations without requiring any TTP.

Footnotes

Handling Editor: Marcin Wozniak

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the Open Projects of State Key Laboratory of Integrated Service Networks (ISN) of Xidian University (grant no. ISN19-13), the Natural Science Foundation of Guangxi (grant no. 2016GXNSF AA380098), and the Science and Technology Program of Guangxi (grant no. AB17195045).

ORCID iD

Changsong Yang

References

Buyya

Yeo

Venugopal

, et al. Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility. Future Gener Comp Sy 2009; 25(6): 599–616.

Yang

. Secure and efficient fine-grained data access control scheme in cloud computing. J High Speed Netw 2015; 21: 259–271.

Loeb

Yang

Rose

, et al. Impact of ice cloud microphysics on satellite cloud retrievals and broadband flux radiative transfer model calculations. J Climate 2018; 31(5): 1851–1864.

Chen

, et al. New algorithms for secure outsourcing of modular exponentiations. IEEE T Parall Distr 2014; 25: 2386–2396.

Chen

Huang

, et al. New algorithms for secure outsourcing of large-scale systems of linear equations. IEEE T Inf Foren Sec 2015; 10: 69–78.

Wang

Chen

Huang

, et al. Verifiable auditing for outsourced database in cloud computing. IEEE T Comput 2015; 64: 3293–3303.

Wozniak

Polap

Borowik

, et al. A first attempt to cloud-based user verification in distributed system. In: Proceedings of the 2015 Asia-Pacific conference on computer aided system engineering, Quito, Ecuador, 14–16 July 2015, pp.226–231. New York: IEEE.

Zuo

Shao

Liu

, et al. Fine-grained two-factor protection mechanism for data sharing in cloud storage. IEEE T Inf Foren Sec 2018; 13(1): 186–196.

Ren

Wang

, et al. Dynamic proofs of retrievability for coded cloud storage systems. IEEE T Serv Comput 2018; 11(4): 685–698.

10.

Polap

Woźniak

Napoli

, et al. Real-time cloud-based game management system via cuckoo search algorithm. Int J Electron Telecommun 2015; 61(4): 333–338.

11.

Wang

Tao

, et al. Data integrity checking with reliable data transfer for secure cloud storage. Int J Web Grid Serv 2018; 14: 106–121.

12.

Xue

, et al. Cloud data integrity checking with an identity-based auditing mechanism from RSA. Future Gener Comp Sy 2016; 62: 85–91.

13.

Ateniese

, et al. Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage. IEEE T Inf Foren Sec 2016; 12(4): 767–778.

14.

Hughes

Coughlin

Commins

. Disposal of disk and tape data by secure sanitization. IEEE Secur Priv 2009; 7: 29–34.

15.

Gutmann

. Data remanence in semiconductor devices. In: Proceedings of the 10th conference on USENIX security symposium, Washington, DC, 13–17 August 2001, pp.39–54. Berkeley, CA: USENIX.

16.

Diesburg

Wang

. A survey of confidential data storage and deletion methods. ACM Comput Surv 2010; 43: 1–37.

17.

Wright

Kleiman

Sundhar

RSS

. Overwriting hard drive data: the great wiping controversy. In: Proceedings of the 4th international conference on information systems security, Hyderabad, India, 16–20 December 2008, pp.243–257. Berlin; Heidelberg: Springer.

18.

Bauer

Priyantha

. Secure data deletion for Linux file systems. In: Proceedings of the 10th conference on USENIX security symposium, Washington, DC, USA, 13–17 August 2001. Berkeley, CA: USENIX.

19.

Kissel

Scholl

Skolochenko

, et al. Guidelines for media sanitization. NIST special publication 800-88: 1C88, 2006.

20.

Boneh

Lipton

. A revocable backup system. In: Proceedings of the 6th conference on USENIX security symposium, San Jose, CA, 22–25 July 1996, pp.91–96. Berkeley, CA: USENIX.

21.

Geambasu

Kohno

Levy

, et al. Vanish: increasing data privacy with self-destructing data. In: Proceedings of the 18th conference on USENIX security symposium, Montreal, QC, Canada, 10–14 August 2009, pp.299–316. Berkeley, CA: USENIX.

22.

Tang

Lee

Lui

, et al. Secure overlay cloud storage with access control and assured deletion. IEEE T Depend Secure 2012; 9: 903–916.

23.

Peterson

Burns

. Ext3cow: a time-shifting file system for regulatory compliance. ACM T Storage 2005; 1: 190–212.

24.

Reardon

Ritzdorf

Basin

, et al. Secure data deletion from persistent media. In: Proceedings of the 2013 ACM SIGSAC conference on computer & communications security, Berlin, 4–8 November 2013, pp.271–284. New York: ACM.

25.

Gutmann

. Secure deletion of data from magnetic and solid-state memory. In: Proceedings of the 6th conference on USENIX security symposium, San Jose, CA, 22–25 July 1996, pp.77–89. Berkeley, CA: USENIX.

26.

Hao

Clarke

Zorzo

. Deleting secret data with public verifiability. IEEE T Depend Secure 2016; 13: 617–629.

27.

, et al. Provable data possession supporting secure data transfer for cloud storage. In: Proceedings of 2015 10th international conference on broadband and wireless computing, communication and applications (BWCCA 2015), Krakow, Poland, 4–6 November 2015, pp.38–42. New York: IEEE.

28.

Lin

Zhang

, et al. Secure outsourced data transfer with integrity verification in cloud storage. In: Proceedings of 2016 IEEE/CIC international conference on communications in China, Chengdu, China, 27–29 July 2016, pp.1–6. New York: IEEE.

29.

Xue

, et al. Provable data transfer from provable data possession and deletion in cloud storage. Comput Stand Inter 2017; 54: 46–54.

30.

Liu

Wang

Cao

, et al. Improved provable data transfer from provable data possession and deletion in cloud storage. In: Proceedings of the International conference on intelligent networking and collaborative systems, Bratislava, 5–7 September 2018, pp.445–452. Cham: Springer.

31.

Yang

Wang

Tao

, et al. Publicly verifiable data transfer and deletion scheme for cloud storage. In: Proceedings of the 20th international conference on information and communications security (ICICS 2018), Lille, France, 29–31 October 2018, pp.445–458. Cham: Springer.

32.

Garfinkel

Shelat

. Remembrance of data passed: a study of disk sanitization practices. IEEE Secur Priv 2003; 99: 17–27.

33.

Paul

Saxena

. Proof of erasability for ensuring comprehensive data deletion in cloud computing. Comm Com Inf Sc 2010; 89: 340–348.

34.

Perito

Tsudik

. Secure code update for embedded devices via proofs of secure erasure. In: Proceedings of the 15th European symposium on research in computer security, Athens, 20–22 September 2010, pp.643–662. Berlin; Heidelberg: Springer.

35.

Wei

Grupp

Spada

, et al. Reliably erasing data from flash-based solid state drives. In: Proceedings of the 9th USENIX conference on file and storage technologies, San Jose, CA, 15–17 February 2011, pp.105–117. Berkeley, CA: USENIX.

36.

Luo

, et al. Enabling assured deletion in the cloud storage by overwriting. In: Proceedings of the 4th ACM international workshop on security in cloud computing, Xi’an, China, 30 May–2 June 2016, pp.17–23. New York: ACM.

37.

Lee

Heo

, et al. An efficient secure deletion scheme for flash file systems. J Inf Sci Eng 2010; 26: 27–38.

38.

Reardon

Capkun

Basin

. Data node encrypted file system: efficient secure deletion for flash memory. In: Proceedings of the 21st USENIX conference on security symposium, Bellevue, WA, 8–10 August 2012, pp.333–348. Berkeley, CA: USENIX.

39.

Xiong

Liu

Yao

, et al. A secure data self-destructing scheme in cloud computing. IEEE T Cloud Comput 2014; 2: 448–458.

40.

Zhang

Tan

, et al. An associated deletion scheme for multi-copy in cloud storage. In: Proceedings of the 18th international conference on algorithms and architectures for parallel processing (ICA3PP 2018), Guangzhou, China, 15–17 November 2018. Cham: Springer.

41.

Yang

Chen

Xiang

. Blockchain-based publicly verifiable data deletion scheme for cloud storage. J Netw Comput Appl 2018; 103: 185–193.

42.

Yang

Tao

. New publicly verifiable cloud data deletion scheme with efficient tracking. In: Proceedings of the 2th international conference on security with intelligent computing and big-data services, Guilin, China, 14–16 December 2018, vol. 895, pp.359–372. Cham: Springer.

43.

Azarbonyad

Sim

White

. Domain adaptation for commitment detection in email. In: Proceedings of the twelfth ACM international conference on web search and data mining, Melbourne VIC, Australia, 11–15 February 2019, pp.672–680. New York: ACM.

44.

Zhang

Chen

, et al. HVDB: a hierarchical verifiable database scheme with scalable updates. J Amb Intel Hum Comp 2018; 10: 3045–3057.

45.

Catalano

Fiore

. Vector commitments and their applications. In: Proceedings of the 16th international conference on practice and theory in public-key cryptography, Nara, Japan, 26 February–1 March 2013, pp.55–72. Berlin; Heidelberg: Springer.

46.

Seita

Nakanishi

. Speeding up revocable group signature with compact revocation list using vector commitments. In: Proceedings of 2018 sixth international symposium on computing and networking (CANDAR 2018), Takayama, Japan, 23–27 November 2018, pp.160–166. New York: IEEE.

47.

Xue

, et al. Efficient attribute-based encryption with attribute revocation for assured data deletion. Inform Sciences 2019; 479: 640–650.

48.

Yuan

. Secure and constant cost public cloud storage auditing with deduplication. In: Proceedings of 2013 IEEE conference on communications and network security, National Harbor, MD, 14–16 October 2013, pp.145–153. New York: IEEE.