Sage Journals: Discover world-class research

Abstract

With the widespread use of fog-to-cloud computing–based Internet of things devices, how to ensure the integrity of the data uploaded to the cloud has become one of the most important security issues. This article proposes an efficient and secure data auditing scheme based on fog-to-cloud computing for Internet of things scenarios, which can better meet performance and security requirements. The proposed scheme realizes data sharing under the condition of protecting privacy by encrypting sensitive information. Using the private key separation method, the private key is divided into two parts using identity information generation and random selection which are, respectively, held by the user and the fog center. Then, using the two-time signature method, the Internet of things and fog computing center use two parts of the private key to generate the original signature and final signature in two separate times. Since the fog computing center only has a part of the private key generated using the identity information, the security of the system will not be damaged due to the leakage of part of the private key held by the fog center, and the fog center significantly participates in the signature generation process, which significantly reduces the computation and communication overhead of the Internet of things device. Security analysis and performance evaluation show that the proposed scheme is safe and efficient.

Keywords

Data integrity data sharing Internet of things fog-to-cloud computing

Introduction

With the introduction and widely used of Internet of things (IoT) devices in our life and industrial production, Cisco first proposed fog computing in 2012¹ is also widely considered as a new paradigm that can effectively support for distributed, delay sensitive, and quality of service (QoS)-aware. As an intermediate device between the IoT device and the cloud, the fog computing center contains multiple fog nodes. The fog node has basic computing power, storage capabilities, and network resources to meet the data preprocessing and transmission requirements.² Therefore, the fog computing is an effective and practical solution from the perspective of delay constraints and resource constraints. It is estimated that the data currently generated by IoT devices have exceeded half of the total data.³ In 2019, the data generated by IoT devices will reach 500 ZB, which will be preprocessed by fog and then outsourced to the cloud for further analysis and storage. As an emerging technology, fog-to-cloud computing still faces many security challenges.⁴ One of the most concerned issues is how to ensure the integrity and correctness of important data uploaded to the cloud. Like traditional cloud storage, the cloud service provider (CSP) also tries to hide the fact that data are corrupted because of its own benefits or reputation,⁵ and even deletes some data that users rarely access to save storage space.⁶ To this end, it is important to design an efficient and secure cloud data auditing scheme. At present, many cloud data auditing schemes have been proposed.^7–11 However, these schemes cannot be directly applied to IoT devices based on fog-to-cloud computing.¹² The reasons are as follows: (1) the signature generation overhead in traditional auditing scheme for cloud storage is too high, and it is difficult to apply to IoT devices with low computing power and (2) the traditional auditing scheme for cloud storage does not involve fog nodes, but the fog node plays a very important role in the fog-to-cloud computing, which can help IoT devices to efficiently process and transmit data.

There are many successful applications for IoT based on fog-to-cloud computing. One of the most common situations is users use sensors to collect the required data, such as related environmental data. Of course, users can also set multiple sensors to collect different areas or different types of data and transmit them to the fog node. Each fog node is a small service device provided by a service provider that can simply process and analyze data. Multiple fog nodes form a fog computing center and a management node is set up to manage all fog nodes. Finally, all data are outsourced to the cloud for cost-effective storage and other future uses.¹³ In order to ensure the integrity of the data, the sensor should create verifiable metadata before sending the collected data to the fog node; for the received data, the fog node must first verify its correctness, and then perform local analysis and processing, and for the processed data, fog nodes should create new verifiable metadata. Finally, all data and its verifiable metadata are transferred to the cloud for long-term storage. The data owner or any other authorized party should be able to verify the integrity of the data anytime, anywhere, that is, remotely audit the correctness of the data. It is the very purpose of this work to design a secure and efficient auditing scheme for data storage based on fog-to-cloud computing for IoT scenarios.

Compared with the existing scheme, the proposed scheme reduces the user’s computation overhead through the two-time signature and private key separation method, so that the proposed scheme can be better used for IoT devices with low computing capabilities. At the same time, the proposed scheme will verify the system parameters and the file tag during the signature generation and the proof generation to ensure the security of the scheme.

Our contributions

In this article, we proposed an efficient and secure data auditing scheme based on fog-to-cloud computing for IoT scenarios (DAFCI). Contributions can be summarized as follows:

We use the method of separating the private key, which divides the private key into two parts, and part of the private key $sk'$ was randomly selected and held by the IoT device. The other part of the private key $sk ″$ is generated by the private key generator (PKG) based on the user’s identity information. This part of the private key will be held by fog nodes and used to generate the final signature. This method improves the security of the system.

We then propose the two-time signature method, which divided the signature process into two phases: original signature and final signature. The first is that the sensor uses $sk'$ to generate and send the signature set to the fog node. The fog nodes use $sk ″$ to generate final signature based on the original signature. This method improves the security of the system.

We formally prove the security of the proposed scheme, and evaluate its performance by theoretical analysis and experimental comparisons with other schemes. The results show that the proposed scheme can effectively achieve secure auditing in fog-to-cloud computing, and outperforms the others in computation complexity and energy consumption.

Organization

The rest of this article is organized as follows. In section “Related work,” we review the related work on cloud data auditing, especially the public auditing schemes. In section “Symbols and preliminary knowledge,” we present notations and preliminaries. In section “System model and security model,” the system model and security model are presented. In section “The proposed scheme,” we introduced the proposed scheme. In section “security analysis” and section “performance evaluation,” the security analysis and the performance evaluation are given, respectively. Finally, in section “Conclusion,” we conclude our article.

Related work

With the increasing popularity and importance of IoT, the security and privacy issues of IoT have attracted widespread attention from industry and academia.¹⁴ Many fruitful and relevant studies have been carried out, such as how to implement secure communication between IoT nodes,¹⁵ how to preprocess service privacy while providing users with secure data services in IoT applications,¹⁶ and how to ensure the integrity of the message moves the entire IoT infrastructure.¹⁷

In most applications, the sensor device collects the data and generates verifiable metadata, and then uploads the metadata to the fog node. After receiving the metadata, the fog node will first verify the metadata. If the result is true, the metadata will be further processed, then upload it and the data to the cloud for long-term storage. Data owners can verify at anytime to ensure the correctness and integrity of the data stored in the cloud, that is, the data owner can perform remote integrity auditing of the data. The auditing model is divided into private auditing and public auditing. The verification operation of the private auditing is only carried out between the CSP and the user, without the intervention of a third party,¹⁸ and the public auditing in which the verification operation is customarily done by an authorized third-party auditor (TPA).¹⁹ Public auditing is generally considered to be a more effective approach because it provides more convincing results while significantly reducing the user’s computation and communication overhead. At present, data integrity auditing based on IoT devices has received more and more attention. Aazam et al.²⁰ believed that IoT devices use the cloud to process and store data. There are still some problems that must be solved, because the cloud is not trusted, so users cannot ensure that the cloud correctly stores the data uploaded by IoT. For data stored on the cloud server, the provable data possession (PDP) scheme²¹ can effectively verify the integrity of the cloud data and achieve blockless verification, that is, without downloading the original data. Integrity verification ensures storage security, but the computational and communication overhead of this scheme is too large to be applied to IoT devices. Xu et al.²² proposed a distributed fully homomorphic encryption-based Merkle Tree (FHMT) scheme, which effectively solves the cloud credibility problem using blockchain technology, but their scheme does not implement public auditing. Yu et al.²³ proposed an identity-based private key generation auditing scheme, which reduces the overhead of certificate management, but the overhead of signature generation and auditing proof verification is still large to the IoT device. Zhu et al.²⁴ proposed a short signature-based data auditing scheme, which reduced the computational overhead of signature generation. However, their proposed scheme is not based on fog-to-cloud computing. The communication and computation overhead of IoT devices is still very high. Tian et al.²⁵ reduced the overhead of signature generation by introducing fog nodes, but in their scheme, fog nodes are considered to be credible, but in reality, the fog node used by most users is not a trustworthy entity, the same as the cloud. Huang et al.²⁶ proposed the Efficient Versatile Auditing Scheme for IoT-Based Datamarket in Jointcloud to solve the single-point-of-failure (SPoF) of cloud server using the blockchain to record the data flow, but it still does not solve the problem that the signature generation overhead of the cloud auditing scheme is too high, so it cannot be directly applied to low computing IoT devices.

Li and Yu²⁷ proposed a cloud auditing scheme based on threshold secret sharing, but compared to this, the two-time signature method has two advantages as follows:

One of the characteristics of threshold secret sharing scheme is that when the number of people who want to unlock the secret reaches a predetermined value, it can be decrypted even without other parts of private key. But this method is difficult to apply directly to the IoT scenarios, because if the private key is assigned to sensors, when the parts of private key held by some sensors are leaked, the adversary can forge a signature based on some of the private keys to access sensitive data.

The above-mentioned schemes and other existing schemes cannot well meet the requirements of low computing overhead and high security of IoT devices, so we try to propose a cloud auditing scheme that can better meet the requirements of the IoT environment.

In the secret sharing scheme with the threshold, parts of private key are different. However, in the proposed scheme, the part of private key held by all sensors in the same system is the same, which enables even different types of sensors can generate the same signature, ensuring the consistency of the signature and facilitating verification.

In the proposed scheme, the fog-to-cloud computing is introduced, but the fog is designed as an untrusted entity. The method of private key separation and two-time signature avoids the situation that the private key is directly leaked by the fog node, and the security is destroyed due to the leakage of the private key, improving efficiency and security.

Symbols and preliminary knowledge

Notions

The symbols and corresponding descriptions appearing in the DAFCI scheme can be seen in Table 1.

Table 1.

Notations.

Notation	Meaning
P	One large prime
$G_{1}, G_{2}$	Multiplicative cyclic groups with order p
e	A bilinear paring map $e : G_{1} \times G_{1} \to G_{2}$
$Z_{p}^{*}$	A prime field with nonzero elements
H	A hash function: $H : {0, 1}^{*} \to G_{1}$
g	A generator of $G_{1}$
$μ', μ$	The elements of $G_{1}$
$F = {m_{1}, m_{2}, \dots, m_{n}}$	Original data file
$F = {m_{1}^{}, m_{2}^{}, \dots, m_{n}^{*}}$	Blinded data file
ID	The identity information
$K_{1}$	The set of the indexes of the data blocks corresponding to the sensitive information
$sk'$	The partial private key selected and hold by the sensor
$sk ″$	The partial private key selected by PKG and sent to the FCC
$Φ = {σ_{i}}_{i \in [1, n]}$	Original signature
$Φ' = {σ_{i}^{'}}_{i \in [1, n]}$	Final signature

PKG: private key generator; FCC: fog computing center.

Preliminary

Bilinear map: let $G_{1}, G_{2}$ be two multiplicative cyclic groups of same large prime order p, and g be a generator of $G_{1}$ . Bilinear map is a map $e : G_{1} \times G_{1} \to G_{T}$ with the following properties:

(a) Bilinearity: for all $g_{1}, g_{2} \in G_{1}$ and $a, b \in Z_{p}^{*}$

e (g_{1}^{a}, g_{2}^{b}) = e {(g_{1}, g_{2})}^{ab}

(b) Computability: there exists an efficiently computable algorithm for computing map e.

2. Computational Diffie–Hellman (CDH) problem: for unknown $x, y \in Z_{p}^{*}$ , given $g, g^{x}$ as input, outputs $g^{xy} \in G_{1}$ . The CDH assumption in $G_{1}$ holds if it is computationally infeasible to solve the CDH problem in $G_{1}$ .

3. Discrete logarithm (DL) problem: for unknown $x \in Z_{p}^{*}$ , given $g, g^{x}$ as input, outputs x. The DL assumption in $G_{1}$ holds if it is computationally infeasible to solve the DL problem in $G_{1}$ .

System model and security model

System model

The system model of the DAFCI scheme is shown in Figure 1. The model mainly includes five different entities: CSP, sensor, PKG, fog computing center (FCC), and TPA, as follows:

CSP: CSP provides enormous data storage and data processing service to the users.

Sensor: the sensor device is responsible for collecting data, then hiding the sensitive information and generating the original signature, and uploading it to FCC. A system can contain multiple sensor devices. Multiple sensors belonging to the same system can be of different types, collecting different data separately, but they have the same private key.

FCC: the FCC consists of several fog nodes, each of which is responsible for generating a final signature for the sensors in the area to reduce the computational overhead of the sensor.

PKG: PKG is responsible for generating part of the private key $s k ″$ for sensors and system public parameters. The sensor will check $s k ″$ generated by PKG.

TPA: TPA is a third-party auditor. It helps sensors audit the integrity of the data stored in the cloud.

Figure 1.

System model.

After the sensor collects the data, the sensitive information is blinded. Since the proportion of this part of the data is small, the process overhead is very low. The original signature is then generated based on a portion of the private key and sent to the FCC. After receiving the original signature, the FCC uses its holds partial private key to generate the final signature and upload it to the CSP.

When the sensor wants to verify the cloud data, it sends an audit request to the TPA. After receiving the request, the TPA selects challenge blocks according to the block number contained in the instruction and initiates an audit challenge to the CSP. The CSP then sends the data auditing proof back to the TPA. Finally, the TPA will verify the proof and inform the result to the sensor.

Design goals

In order to effectively ensure the secure storage of sensor data in the cloud, the DAFCI is designed to achieve the following goals.

The detectability

The scheme should have a high enough probability to detect damage of the cloud data. When the proportion of damaged blocks is $ρ$ , the probability of finding a damaged block during the audit is at $δ$ least. This probability is called the probability of detection. At the same time, this scheme is called $(ρ, δ)$ detectable.

The correctness

The correctness includes the correctness of the private key and the correctness of the auditing:

The correctness of the private key: verify the partial private key $sk ″$ generated by PKG to ensure its correctness.

The correctness of auditing: TPA verifies the auditing proof generated by CSP to ensure the integrity of sensor data.

The soundness

The soundness requires that any false proof pass verification probability is negligible. In other words, only the CSP that correctly stores the data can generate the correct auditing proof.

Definition

Definition 1

The DAFCI scheme consists of six algorithms: Setup, Extract, SigGenU, SigGenF, ProofGen, and ProofVerify. These algorithms are described as follows:

$Setup (1^{k})$ : this algorithm is a setup algorithm executed by PKG. It takes as input a security parameter k and outputs the system public parameters pp.

$Extract (PP, ID)$ : the algorithm consists of two parts, one part is the extraction algorithm run by PKG. It takes as input the system public parameters pp and the user’s identity ID. It outputs the sensor’s partial private key $sk ″$ . The sensor will verify this part of the private key and accept it if $sk ″$ can pass the verification. Another part of this algorithm is performed by the sensor. Sensor selects x as another part of the private key $sk'$ .

$SigGenS (F, sk', name, ssk)$ : this algorithm is run by the sensor. It takes as input the signature private key ssk, the original file F, the partial private key $sk'$ of sensor, and the file identifier name. It outputs blind file $F^{*}$ , corresponding original signature set $Φ$ and file tag $τ$ .

$SigGenF (sk ″, name, Φ)$ : the algorithm is run by the FCC. It takes as input the sensor part private key $s k ″$ generated by PKG, the file name name, and the first signature set $Φ$ , and it outputs the final signature set $σ$ .

$ProofVerify (pp, P, chal)$ : this algorithm is a verification algorithm executed by the TPA. It takes as input the auditing challenge chal, the system public parameters pp, and the auditing proof P. TPA will verify and inform the sensor auditing results based on the above information.

Security model

In the DAFCI scheme, the PKG may be untrusted because the PKG only generates a partial private key $sk ″$ according to the identity information of the system to which the sensor belongs. The sensor also undertakes the generation of partial private keys $sk'$ , which will further improve the security of the system. TPA is also honest, and it helps sensor auditing the data stored in cloud and reduce the burden on the sensor. Fog node is used to help the sensor generate the corresponding signature, and it is not completely trusted. The security model of the DAFCI scheme is implemented through the following adversaries and challengers. The game is introduced as follows:

Setup phase: the challenger C runs the Setup algorithm to get the private key sk and public parameters pp, and then sends the public parameters pp to the adversary A.

Query phase: at this stage, adversary A will make the following two queries to the challenger C.

Extract queries: the adversary A sends the identity information ID to challenger C. The challenger executes the Extract algorithm to get the private key $s k_{ID}$ , and then sends it to the adversary A.

SigGen queries: the adversary asks for the corresponding signature of file F. The challenger executes the Extract algorithm to obtain the private key. Challenger C then runs the SigGen algorithm to calculate the signature corresponding to file F and sends it to adversary A.

Challenge phase: at this stage, the adversary will act as a prover and the challenger will act as a verifier. The challenger C sends the challenge block $chal = {i, v_{i}}_{i \in I}$ to the adversary A, where $I \in {ω_{1}, ω_{2}, \dots, ω_{n}} (ω_{j} \in [1, n], j \in [1, c])$ . The challenger asks the adversary to provide the data holding proof P of the corresponding data block ${m_{ω 1}, m_{ω 2}, \dots, m_{ω c}}$ .

ProofGen phase: after receiving the challenge of challenger C, the adversary A generates a corresponding proof P of the chal block and sends it to the challenger C. If it is proved that P can pass the verification with a non-negligible probability, it can be considered that the adversary A has won the game.

For the above security model, it is necessary to prove that if the adversary cannot have all the challenge blocks required by the challenger, it cannot generate the correct proof P, which means that the proof of the adversary’s forgery cannot be verified. The purpose of the adversary A is to correctly generate the corresponding signature of the challenge chal without holding the data blocks.

Definition 2

We consider a remote data integrity auditing scheme is secure if the following condition holds: whenever the adversary A in the aforementioned game is able to generate a valid proof P to pass the challenge of the challenger C with a non-negligible probability, there is a knowledge extractor that can capture the challenged data block, but the probability can be neglected.

Definition 3

If only the data owner can view the sensitive information in the file, the CSP and other shared sensors can only view the non-sensitive information, then the sensitive information in the file is safe.

The proposed scheme

An overview

The sensor has lower computing power and shorter battery life. In order to minimize the energy consumption of the sensor device, the DAFCI scheme uses the blockless verification technology to enable the sensor to complete the integrity verification without downloading the blocks stored in the cloud. The private key separation method and the two-time signature method are used to further reduce the computation overhead of the sensor. The private key separation method refers to dividing the private key sk into two parts to calculate and generate, that is, $sk = (sk', sk ″)$ . The two-time signature method means that the initial signature $Φ = (σ_{i})_{i \in [1, n]}$ is generated by the sensor and uploaded to the FCC, and then the FCC generates the final signature $Φ' = {σ_{i}'} (i \in [1, n])$ .

In the DAFCI scheme, PKG uses the identity information received from the sensor to generate the partial private key $sk ″$ . The sensor can verify the correctness of this part of the private key. The other part of the private key $sk'$ is selected by the sensor, and no additional verification is required. Before the sensor uploads data to the cloud, the file needs to be blinded. Other shared sensors can only access non-sensitive information, not any content that involves sensitive information. The sensor can recover the blinded file when needed. The signature will be used to verify the integrity of the data, which is split into two generations. After the file is blinded, the sensor device generates the original signature. After the original signature is generated, the FCC performs a two-time signature to generate a final signature set. Finally, the fog node sends the signature set and the blind file to the CSP and sends the file tag to the TPA. When the sensor wants to check the integrity of the data stored in the cloud, it sends an audit request to the TPA. After receiving the request, the TPA challenges the CSP and asks the CSP to return the corresponding auditing proof. The TPA verifies the auditing proof and determines whether the CSP stores the sensor’s data correctly, and sends the auditing result to the sensor. The specific details are described in the following section.

In addition, the proposed scheme can be further applied with edge-cloud computing. A large amount of data are collected by the sensors set in the system and analyzed and processed by the edge end close to the user, while being scalable. Users get real-time insights and experiences with responsive and context-aware applications.

Description of the proposed scheme

In the DAFCI scheme, the original file F is divided into n blocks $F = {m_{1}, m_{2}, \dots, m_{n}}_{i \in n}$ , and $m_{i} \in Z_{p}^{*}$ denotes the $i - th$ block of file F. Assuming that the length of the sensor identity information ID is l bits, it can be described as ${I D_{1}, I D_{2}, \dots, I D_{l}} \in {0, 1}^{l}$ . Usually, sensitive information only accounts for a small part of whole files, and only needs to be blinded, so the blinding overhead is small. After the blind file $F^{*} = {m_{1}^{*}, m_{2}^{*}, \dots, m_{i}^{*}}_{i \in n}$ is formed, the sensor uses the private key $sk' = x$ to generate the original signature $σ_{i} = {H (m_{i}^{*}) \cdot x}$ , the private key $s k'$ is selected and saved by the sensor device controlled by the sensor, not known by other entities, and then the original signature set $Φ = (σ_{i})_{i \in l}$ is sent to the FCC. The FCC generates a final signature $σ_{i}' = σ_{i} \cdot μ'^{Π_{j = 1}^{l} μ^{I D_{j}}}$ according to a part of the private key generated by PKG, $sk ″ = Π_{j = 1}^{l} μ^{I D_{j}}$ , and generates the final signature set $Φ' = {σ_{i}'}_{i \in [1, n]}$ . The two-time signature method is shown in Figure 2.

Figure 2.

The process of two-time signature.

Since the DAFCI scheme divides the private key into two parts, which are generated by PKG and sensor, respectively, the FCC only has the part calculated by PKG, so even if the FCC leaks part of the private key it owns, it is still difficult to forge the correct signature.

The following is a detailed description of the DAFCI program:

$Algorithm Setup (1^{k})$

The PKG chooses two multiplicative cyclic groups $G_{1}$ and $G_{2}$ of a same prime order p, a generator g of $G_{1}$ , a bilinear pairing $e : G_{1} \times G_{1} \to G_{2}$ , and a pseudorandom function $f : Z_{p}^{*} \times Z_{p}^{*} \to Z_{p}^{*}$ .

The PKG randomly chooses an element $x \in Z_{p}^{*}$ , then chooses elements $μ', μ \in G_{1}$ , and a cryptographic hash function $H : {0, 1^{*} \to G_{1}}$ .

The PKG publishes the system parameters $pp = (G_{1}, G_{2}, p, e, g, μ', μ, H, f)$ .

$Algorithm Extract (pp, ID)$

The sensor sends the identity information $ID = {I D_{1}, I D_{2}, \dots, I D_{l}} \in {0, 1}^{l}$ to PKG. After receiving the identity information ID, the PKG calculates partial private key $s k ″ = Π_{j = 1}^{l} μ^{I D_{j}}$ and partial public key $p k ″ = P^{s k ″}$ , and then sends $s k ″$ and $p k ″$ to the sensor.

After the sensor receives $s k ″$ and $p k ″$ , it will verify the correctness of the received private key by checking the following equation holds or not

e ({μ'}^{Π_{j = 1}^{l} μ^{I D_{j}}}, P) = e (μ', p k ″)

(1)

If the above equation does not hold, the sensor refuses to accept it; if the equation (1) holds, the sensor will calculate another partial private key $s k'$ and public key $p k' = x \cdot p$ , that is, the private key $sk = (s k', s k ″)$ and the public key $pk = (p k', p k ″)$ . The above process is illustrated in Figure 3.

$Algorithm SigGenU (F, name, s k')$

The sensor will first blind the file, and the sensitive information blind method here draws on the scheme of Shen et al.²⁸ The sensor randomly selects a seed $k_{1} \in Z_{p}^{*}$ as the input private key of the random number generation function f. The sensor uses the seed $k_{1}$ to generate a blinder $α_{i} = f_{k_{1}} (i, name) (i \in K_{1})$ and then uses $α_{i}$ to encrypt sensitive information in the file. $name \in Z_{p}^{*}$ is a randomly selected random number that identifies the file.

In order to protect sensitive information, the sensor should blind data blocks corresponding to the sensitive information of the original file F before sending it to the FCC. The index of these data blocks is in set $K_{1}$ . The sensor computes the blinded data block $m_{i}^{*} = m_{i} + α_{i}$ for each data block $m_{i} \in Z_{p}^{*} (i \in K_{i})$ of the original file F. The blinded file is $F^{*} = {m_{1}^{*}, m_{2}^{*}, \dots, m_{i}^{*}}$ , where $i \in [1, n]$ and $i \notin K_{1}$ , otherwise $m_{i} \in Z_{p}^{*} (i \in K_{1})$ .

After generating the blind file $F^{*} = {m_{1}^{*}, m_{2}^{*}, \dots, m_{i}^{*}}$ , the sensor then uses a hash function H to compute its hash value $H (m_{i}^{*})$ , then uses the hash value and part of the private key x generates an original signature $σ_{i}$ . The calculation process is as follows: $σ_{i} = H (m_{i}^{*}) \cdot x$ . The original signature set is $Φ = {σ_{i}}_{i \in [1, n]}$ .

The sensor computes $τ_{0} = name ∥ μ'$ and then generates the corresponding file tag $Ssi g_{ssk} (τ_{0})$ , where Ssig is the signature of the file tag $τ_{0}$ using the signing private key ssk. Finally, the sensor sends ${Φ, τ_{0}, F^{*}, s k ″, p k ″}$ to FCC for further computing.

$Algorithm SigGenF (s k ″, Φ)$

The FCC first checks whether the signature $Ssi g_{ssk} (τ_{0})$ is valid. If it is a valid signature, the FCC parses the file tag $τ_{0}$ to obtain the file name and verification value $μ'$ , and then does the next step.

The FCC further verifies the correctness of the original signature $σ_{i} (i \in [1, n])$ by verifying whether the following equation holds

e (σ_{i}, P) = e (Π_{i = 1}^{c} H (m_{i}^{*}), p k')

(2)

If the above equation holds, then FCC considers that the original signature $σ_{i}$ is correct and can proceed the following step.

The FCC is responsible for computing the final signature $σ_{i}' = σ_{i} \cdot μ'^{Π_{j = 1}^{l} μ^{I D_{j}}}$ for the sensor, and the final signature set is $Φ' = {σ_{i}'}_{i \in [1, n]}$ , then sends ${F^{*}, Φ'}$ to the CSP, and sends the file tag $τ$ to the TPA.

$Algorithm ProofGen (F^{*}, Φ', chal)$

The sensor or the TPA is authorized to challenge the CSP from time to time. The TPA checks whether the file tag $τ$ is valid. If it is invalid, the TPA will not perform the auditing request; if it is valid, the TPA obtains the file identity name and the verification parameter $μ_{'}$ by parsing the file tag $τ_{0}$ , and then generates the auditing challenge chal. The challenge generation process is as follows:

(a) TPA randomly selects c elements from the data block index set to form set I. Set $I \in [1, n]$ .

(b) For each element in the set I choose a random number $v_{i} \in Z_{p}^{*}$ .

(d) After receiving the auditing challenge from the TPA, the CSP generates a proof of data possession for this challenge as follows: computes the aggregated signature $σ = Π_{i = 1}^{c} σ_{i}^{' v_{i}}$ and sends it to the TPA as the challenge proof P.

$Algorithm ProofVeirify (chal, pp, P)$

The TPA will verify the correctness of the auditing proof as follows

e (σ, g) = {(e (Π_{i = 1}^{c} H (m_{i}^{*}), p k') \cdot e (μ', p k ″))}^{\sum_{i = 1}^{c} v_{i}}

(3)

If equation (3) holds, the data stored in the CSP are intact, otherwise, it is not.

Figure 3.

The process of two-time signature.

Security analysis

In this section, we prove the DAFCI is secure in terms of correctness, soundness, and detectability.

Theorem 1 (the correctness)

Private key correctness: when PKG sends a correct partial private key to the sensor, this partial private key can pass the verification of the sensor.

Original signature correctness: when the FCC receives the original signature, it will verify it to ensure that the original signature is correct.

Auditing correctness: if the CSP correctly stores the data uploaded by the sensor, then it can pass the TPA verification.

Proof

If the partial private key given by PKG is correct, then it can be verified by the Extract algorithm equation (1). Based on the properties of the bilinear pairing equation, the following is a proof that starts from the left equation and finally introduces the right equation

\begin{matrix} e ({μ'}^{Π_{j = 1}^{l} μ^{I D_{j}}}, P) & = e (μ', P^{Π_{j = 1}^{l} μ_{I D_{j}}}) \\ = e (μ', p k ″) \end{matrix}

If the original signature $σ_{i}$ given by the sensor is correct, it can pass the verification by the FCC. Based on the properties of bilinear pairing, equation (2) can be proved correct by deducing the left-hand side from the right-hand side

e (σ_{i}, P) = e (Π_{i = 1}^{c} H (m_{i}^{*}, p k'))

\begin{matrix} e (σ, P) \\ = e (Π_{i = 1}^{c} {(H (m_{i}^{*}) \cdot x \cdot μ^{' Π_{j = 1}^{l} μ^{I D_{j}}})}^{v_{i}}, P) \\ = e (Π_{i = 1}^{c} {(H (m_{i}^{*}) \cdot x)}^{v_{i}}, P) \\ \cdot e (Π_{i = 1}^{c} {(μ^{' Π_{j = 1}^{l} μ^{I D_{j}}})}^{v_{i}}, P) \\ = e {(Π_{i = 1}^{c} H (m_{i}^{*}), x \cdot p)}^{\sum_{i = 1}^{c} v_{i}} \\ \cdot e {(μ', P^{Π_{j = 1}^{l} μ^{I D_{j}}})}^{\sum_{i = 1}^{c} v_{i}} \\ = e {(Π_{i = 1}^{c} H (m_{i}^{*}), p k ″)}^{\sum_{i = 1}^{c} v_{i}} \cdot e {(μ', p k ″)}^{\sum_{i = 1}^{c} v_{i}} \\ = {(e (Π_{i = 1}^{c} H (m_{i}^{*}, p k') \cdot e (μ', p k ″)))}^{\sum_{i = 1}^{c} v_{i}} \end{matrix}

Theorem 2 (the soundness)

Privacy of private key: in our scheme, the FCC is considered to be an incompletely trusted entity, and it may leak the partial private key. The solution needs to consider that in the case that some of the private keys held by the FCC are leaked, it can still be guaranteed that the private keys held only by the sensor cannot be known through other information calculations.

Anti-replace attack: during the TPA verification process, replace attacks would never be effective. In other words, if the CSP does not store data blocks or signature correctly, it is impossible for the CSP to succeed in replacing such a data block with another block to respond to the challenge to maintain this reputation.

Anti-reply attack: during the TPA verification process, reply attack would never be effective. In other words, a malicious CSP could not pass the verification using the signature generated by previous auditing.

Proof

The private key consists of two parts, namely, $s k ″$ generated by PKG based on the identity information provided by the sensor and $s k'$ selected by the sensor. $s k ″$ was sent to the FCC for the second signature, but since the first signature was performed on the sensor device, even if the FCC leaked part of the private key it holds, it was still impossible to obtain sk.

The TPA selects some random blocks for auditing, and sends some challenge blocks $chal = {i, v_{i}}_{i \in [1, s]}$ to the CSP. Assume that the TPA is currently under replay attack, that is, the CSP tries to use the previous block signature information and replaces part of the correct signature to pass verification, and then TPA verifies the received proof $σ^{-}$

e (σ^{-}, P) = e (σ, P)

(4)

If equation (4) holds, the replacement attack is successful. The received proof is $σ^{-} = \prod_{i \in [1, j - 1]} \underset{[j + 1, s]}{\cup} {σ'}_{i}^{v_{i}} \cdot {σ'}_{j^{-}}^{v_{j^{-}}}$ . From the left-hand side of equation (4)

\begin{matrix} e (σ^{-}, P) \\ = e (\underset{i \in [1, j - 1] ⋃ [j + 1, s]}{Π} σ_{i}'^{v_{i}}, P) \cdot e (σ_{j^{-}}'^{v_{j^{-}}}, P) \end{matrix}

In order for equation (4) to be true, there is

e (σ_{j^{-}}'^{v_{j^{-}}}, P) = e (σ_{i}'^{v_{i}}, P)

(5)

If equation (5) holds, there are $σ_{j^{-}}'^{v_{i}} = σ_{i}'^{v_{i}}$ and $σ_{j^{-}} = σ_{j^{-}}' \cdot μ'^{Π_{j = 1}^{l} μ^{I D_{j}}} = H (m_{j^{-}}^{*}) \cdot x \cdot μ'^{Π_{j = 1}^{l} μ^{I D_{j}}}$ .

Due to the privacy of the private key, even if $s k ″$ is leaked, the CSP cannot forge $s k'$ , nor can it forge the correct signature. In other words, replay attacks in DAFCI are impossible to succeed.

3. The replay attack game is similar to the replacement attacks mentioned above. The sensor also authorizes TPA to auditing. After receiving the auditing request, the TPA randomly selects several data blocks in the indicated file and generates the challenge $chal = {i, v_{i}}_{i \in [1, s]}$ . In this scenario, the CSP attempts to use a forged signature to pass verification. The proof of anti-replay attacks is similar to the proof of anti-replacement attacks, which is not repeated here.

Theorem 3 (the detectability)

Assume that the original file F is divided into n blocks and encrypted to generate a blind file $F^{*}$ then stored in the cloud. Among them, k blocks are modified or deleted by the CSP and the number of challenge blocks is c. At this time, the detectability of the DAFCI scheme is

(\frac{k}{n}, 1 - {(\frac{n - k}{n})}^{c})

X is the intersection of the damaged block and the challenge block. Then, there are

\begin{matrix} Px = P {X \geq 1} \\ = 1 - P {X = 0} \\ = 1 - \frac{n - k}{n} \times \frac{n - 1 - k}{n - 1} \times \dots \frac{n - c + 1 - k}{n - c + 1} \end{matrix}

From the above equation, we can know that

1 - {(\frac{n - k}{n})}^{c} \leq Px \leq 1 - {(\frac{n - c + 1 - k}{n - c + 1})}^{c}

because $n - i - 1 - k / n - i - 1 \leq n - i - k / n - i$ , so the probability that the DAFCI scheme detects a damaged block is at least $1 - (n - k / n)^{c}$ . Suppose the proportion of damaged blocks is 1%, in other words when $n - k / n = 0.99$ , assuming that the challenge block is 300, the detection probability can reach 95%, and assuming that the challenge block is 400, the detection probability can reach 99%.

Theorem 4 (sensitive information hiding)

Sensitive information cannot be accessed by any entity except the data owner, including FCC, TPA, CSP, and shared sensors.

Proof

This part borrows from the encryption scheme of Shen et al.,²⁹ but considering the performance of the sensor device, it is lightweight. Before the sensor has hashed the file block, the file has been blinded first, so under the random oracle model, only the sensor can access sensitive information.

Performance evaluation

In this section, the functional comparison of the DAFCI scheme and some other related schemes will be performed first, and then the computation overhead will be compared. Then, the communication overhead and computational complexity of the DAFCI scheme will be discussed. Finally, the specific performance of the DAFCI scheme is demonstrated through experiments.

Functionality comparison

As shown in Table 2, the functionality of the DAFCI scheme and other related schemes^{25,29,30,31,32} is compared. As can be seen from the table, the DAFCI solution is the only one that meets all the following properties: public verification, certificateless management, data sharing, sensitive information hiding, and suitable for lightweight device supporting.

Table 2.

Functionality comparison with existing related schemes.

Schemes	Public	Certificate management	Data	Sensitive information	Lightweight device
Schemes	Verifiability	Simplification	Sharing	Hiding	Support
Shacham et al.³⁰	Yes	No	No	No	No
Tian et al.²⁵	Yes	Yes	No	No	Yes
Li et al.³¹	Yes	Yes	No	No	No
Wang³²	Yes	No	No	Yes	No
Shen et al.²⁹	Yes	Yes	Yes	Yes	No
Ours	Yes	Yes	Yes	Yes	Yes

Performance analysis and comparison

First define H for a hash operation, Mul for a multiplication operation, Add for an addition operation, P for a bilinear pairing operation, and $ε$ for an exponential operation. n is the number of file blocks, c is the number of challenge blocks, and l is the length of the identity information. d is the number of file blocks containing sensitive information. $| n |$ represents the size of the set $[1, n]$ , $| p |$ represents the number of elements in $Z_{p}^{*}$ , and $| q |$ represents the number of elements in $G_{1}$ .

$Computation overhead comparison :$ computation overhead refers to the cost of corresponding computing tasks performed by the corresponding entity, including signature generation, proof generation, and proof verification. Table 3 compares the computation overhead of the DAFCI scheme with the scheme of Shen et al.²⁹ and the scheme of Tian et al.²⁵ In section “System model and security model,” we introduced how to encrypt sensitive information. Its computational overhead is $d \cdot Add$ . As mentioned earlier, due to $d << n$ , this part of the overhead is small, so it is not reflected in the table. The computation overhead of the sensor to generate the original signature is $n \cdot (H + Mul)$ . The original signature and related parameters are then sent to the FCC, and the overhead of the FCC to generate the final signature is $n \cdot (2 Mul + 2 ε)$ . The final signature is then sent to the CSP. During the challenge process, the overhead of generating the auditing proof is $c \cdot Mul + c \cdot ε$ , and the overhead of TPA verification after receiving the proof is $(c + 1) \cdot Mul + 2 ε + 3 P$ .

As shown in Table 3, compared with the related schemes, the computation overhead of the DAFCI scheme is lower. On the sensor side, that is, the overhead reduction is more obvious. Compared with the scheme that also introduces FCC, the computation overhead of the fog node is slightly higher, but it is not obvious. The generated overhead is consistent with scheme B of Tian et al.,²⁵ but smaller than scheme A of Tian et al. And scheme of Shen et al.’s²⁹ TPA verification overhead is less than related schemes.

$Communication overhead comparison :$ according to the description of section “The proposed scheme,” we can know that the communication overhead of the proposed scheme is mainly from the integrity auditing phase, as shown in Table 4. Communication overhead refers to the overhead incurred when transferring files or related parameters between different entities. Reducing communication overhead can increase solution stability and practicability. Therefore, the increase in communication overhead caused by the introduction of the FCC is negligible compared with the auditing process. Therefore, only the overhead of the auditing process needs to be considered. In this part, the TPA sends a challenge block $chal = {i, v_{i}}_{i \in I}$ to the cloud. The size of the challenge block is $c \cdot (| n | + | p |)$ bits. The CSP generates a certificate $P = {σ}$ with size $| q |$ bits. Therefore, in an audit task, the communication overhead is $c \cdot (| n | + | p |) + | q |$ .

$Computation complexity :$ we analyze the computation complexity of the different entities in different phases in Table 5. The number of challenge blocks c, the total number of file blocks n, and the number of blocks containing sensitive information d determine the corresponding time complexity of each entity of the DAFCI solution. From Table 5, we can see that the time complexity of the file blinding process is $O (d)$ , the time complexity of the initial label generation is $O (n)$ , and the time complexity of the final label generation is $O (d)$ . The challenge generation and the time complexity of proof generation and proof verification is $O (c)$ .

Table 3.

The computation overhead of our scheme and related schemes.

	TagGenS	TagGenF	ProofGen	Verify
Tian’s scheme A	$n \cdot (H + Mul + 3 ε)$	$n \cdot (2 ε + H) + m \cdot (H + Mul + 2 ε)$	$H + c \cdot (P + 2 Mul + ε) + w \cdot P + c \cdot (ε + 1) \cdot Mul + (c + ω) \cdot Add$	$2 ε + P + (c + 1) \cdot H$
Tian’s scheme B	$n \cdot (H + Mul + 2 ε)$	$m \cdot (H + Mul + 2 ε)$	$c \cdot Mul + c \cdot ε$	$c \cdot (ε + H) + ω \cdot (2 P + ε + Mul)$
Shen’s scheme	$n \cdot (H + 2 Mul + 2 ε)$	–	$(2 c - 1) \cdot Mul + c \cdot ε + (c + 1) \cdot Add$	$4 P + (2 + c + l) Mul + 2 (c - 1) Add + (l + c) ε + c \cdot H$
Purposed scheme	$n \cdot (H + Mul)$	$2 n \cdot (Mul + ε)$	$c \cdot Mul + c \cdot ε$	$(c + 1) Mul + 2 ε + 3 P$

Table 4.

The communication overhead of the proposed scheme.

Entity	Phase	Communication overhead
TPA	Auditing challenge	$c \cdot (\| n \| + \| p \|)$
CSP	Auditing proof	$\| q \|$

TPA: third-party auditor; CSP: cloud service provider.

Table 5.

The computation complexity of different entities in different phases.

	User	FCC	TPA	CSP
File blinding	O(d)	–	–	–
Original signature generation	O(n)	–	–	–
Final signature generation	–	O(n)	–	–
Challenge generation	–	–	O(c)	–
Proof generation	–	–	–	O(c)
Proof verification	–	–	O(c)	–

FCC: fog computing center; TPA: third-party auditor; CSP: cloud service provider.

Performance evaluation

In this section, we evaluate the performance of the proposed scheme by several experiments. The experiment was implemented using the Ubuntu 16.04 operating system with an Intel Core i5 3.0 GHz processor and an 8 GB memory. The programmer is written in C program, and it uses the library functions in the pairing-based cryptography (PBC) library to simulate the cryptographic operations, where the benchmark threshold is 512 bits, the size of the element is $| p | =$ 160 bits in $Z_{p}^{*}$ , the size of the file is 20 MB, and the length of user identity to be 160 bits.

The experimental results are the averages of the 10 experiments.

$Performance of different proces s :$ to effectively evaluate the performance in different processes, we set the number of data blocks to be 100 and the number of blinded data blocks to be 5 in our experiment. As shown in Figure 4, private key generation spends nearly 0.26 s. The time consumed by the original signature generation is 0.312 s. The time of the final signature generation is 2.4 s. The time of signature verification and that of sensitive information blindness, respectively, are 0.22 and 0.031 s. So we can conclude that in these processes, the final signature generation spends the longest time.

$Performance of signature generation :$ to evaluate the performance of signature generation and signature verification, we generate the signatures for different numbers of blocks from 0 to 1000 increased by an interval of 10 in our experiment. As shown in Figure 5, the time cost of the original signature generation, the final signature generation, and the signature generation with DAFCI all linearly increases with the number of the data blocks. The time of original signature generation ranges from 0.312 to 3.12 s. The time of final signature generation ranges from 2.4 to 24.0 s. The time of signature generation without DAFCI ranges from 2.712 to 27.1 s.

$Performance of auditing :$ Figures 6 and 7 show the TPA and CSP auditing overheads for different numbers of challenge blocks, respectively. Considering that the detection probability has reached 99% when the number of challenge blocks is 400, only the case where the challenge blocks are from 50 to 500 is shown in the figure. As shown in Figures 6 and 7, it can be seen that the computation overhead of the challenge generation and proof verification increases linearly with the number of challenge data blocks. The computation overhead of the challenge generation increases from 0.097 to 0.486 s as the challenge block increases. The overhead of the proof verification increased from 0.5 to 11 s. It can be concluded that compared with the challenge verification overhead, the challenge overhead is lower and grows slowly. In summary, it can be concluded that as the challenge block increases, the computation overhead of both TPA and CSP will increase.

Figure 4.

Performance of difference of different processes.

Figure 5.

The computation overhead in the process of signature generation.

Figure 6.

The computation overhead in the process of signature generation.

Figure 7.

The computation overhead in the process of signature generation.

Conclusion

This article proposed an efficient and secure public cloud data auditing scheme based on IoT scenarios. Through the encryption of sensitive information, the separation of private key method, and the two-time signature method, data sharing under privacy protection is realized, which reduce the computation and communication overhead of IoT devices, while ensured security. The security analysis shows that the DAFCI scheme is safe under the random oracle model. Performance analysis shows that compared with traditional cloud data auditing schemes and other schemes using fog-to-cloud computing, the DAFCI scheme is more efficient and has certain advantages, which can be better applied to low power IoT devices. However, considering the rapid development and widespread application of IoT technology, further reducing the overhead of computation and communication under the condition of ensuring the security of the solution will still be the focus of work in the future for a long time.

Footnotes

Handling Editor: Yan Huang

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported, in part, by the National Natural Science Foundation of China (grant no. 61802106) and the Natural Science Foundation of Hebei Province (grant no. F2016201244).

ORCID iD

Hao-Ning Wang

References

Bonomi

Milito

Zhu

, et al. Fog computing and its role in the Internet of things. In: Proceedings of the 1st Edition of the MCC workshop on mobile cloud computing, Helsinki, 13–17 August 2012, pp.13–16. New York: ACM.

Adat

Gupta

BB.

Security in Internet of Things: issues, challenges, taxonomy, and architecture. Telecommun Syst 2018; 67(3): 423–441.

Cai

Jiang

, et al. IoT-based big data storage systems in cloud computing: perspectives and challenges. IEEE Internet Things J 2017; 4(1): 75–87.

Roman

Lopez

Mambo

. Mobile edge computing, fog et al.: a survey and analysis of security threats and challenges. Future Generat Comput Syst 2018; 78: 680–698.

Wang

Ren

Lou

, et al. Toward publicly auditable secure cloud data storage services. IEEE Netw 2010; 24: 19–24.

Kumar

Zeadally

, et al. Certificateless provable data possession scheme for cloud-based smart grid data management systems. IEEE Trans Ind Informat 2018; 14(3): 1232–1241.

Wang

HQ.

Identity-based distributed provable data possession in multicloud storage. IEEE Trans Servic Comput 2015; 8(2): 328–340.

Shen

Xia

, et al. Light-weight and privacy-preserving secure cloud auditing scheme for group users via the third party medium. J Netw Comput Appl 2017; 82: 56–64.

Yao

Han

, et al. User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage. IEEE Syst J 2018; 12(2): 1767–1777.

10.

Wang

Panda: public auditing for shared data with efficient user revocation in the cloud. IEEE Trans Serv Comput 2015; 8(1): 92–106.

11.

Luo

, et al. Efficient integrity auditing for shared data in the cloud with secure user revocation. In: IEEE Trustcom/BigDataSE/ISPA, Helsinki, 20–22 August 2015, pp.434–442. New York: IEEE.

12.

Ateniese

, et al. Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage. IEEE Trans Inf Forensics Security 2017; 12(4): 767–778.

13.

Shen

Yang

, et al. Remote data possession checking with privacy-preserving authenticators for cloud storage. Future Gener Comput Syst 2017; 76: 136–145.

14.

Singh

Pasquier

Bacon

, et al. Twenty security considerations for cloud-supported Internet of Things. IEEE Internet Things J 2016; 3: 269–284.

15.

Esposito

Ficco

Castiglione

, et al. Distributed group key management for event notification confidentiality among sensors. IEEE Trans Dependable Secure Comput. Epub ahead of print 30 January 2018. DOI: 10.1109/TDSC.2018.2799227.

16.

Belguith

Kaaniche

Laurent

, et al. PHOABE: securely outsourcing multi-authority attribute based encryption with policy hidden for cloud assisted IoT. Comput Network 2018; 133: 141–156.

17.

Esposito

Castiglione

Palmieri

, et al. Integrity for an event notification within the Industrial Internet of Things by using group signatures. IEEE Trans Ind Inf 2018; 14: 3669–3678.

18.

Juels

Kaliski

Jr . PoRs: proofs of retrievability for large files. In: Proceedings of the 14th ACM conference on Computer and communications security, Alexandria, VI, 29 October–2 November 2007, pp.584–597. New York: ACM.

19.

Wang

Ren

, et al. Enabling public auditability and data dynamics for storage security in cloud computing. IEEE Tans Parallel Distr Syst 2011; 22: 847–859.

20.

Aazam

Khan

Alsaffar

, et al. Cloud of things: integrating Internet of Things and cloud computing and the issues involved. In: Proceedings of the 11th international Bhurban conference on applied sciences and technology (IBCAST), Islamabad, Pakistan, 14–18 January 2014, pp.414–419. New York: IEEE.

21.

Ateniese

Burns

Curtmola

, et al. Provable data possession at untrusted stores. In: Proceedings of the 14th ACM conference on computer and communications security, 29 October–2 November 2007, pp.598–609. New York: ACM.

22.

Wei

, et al. Privacy-preserving data integrity verification by using lightweight streaming authenticated data structures for healthcare cyber–physical system. Future Gener Comput Syst 2018; 108: 1287–1296.

23.

Hao

Xia

, et al. Intrusion- resilient identity-based signatures: concrete scheme in the standard model and generic construction. Inf Sci 2018; 442–443: 158–172.

24.

Zhu

Yuan

Chen

, et al. A secure and efficient data integrity verification scheme for cloud-IoT based on short signature. IEEE Access 2019; 7: 90036–90044.

25.

Tian

Nan

Chang

, et al. Privacy-preserving public auditing for secure data storage in fog-to-cloud computing. J Netw Comput Appl 2019; 59–69: 127.

26.

Huang

Zhang

, et al. EVA: efficient versatile auditing scheme for IoT-based datamarket in jointcloud. IEEE Internet Things J 2020; 7(2): 882–892.

27.

Wang

Chow

Wang

, et al. Privacy-preserving public auditing for secure cloud storage. IEEE Trans- Actions on Computers 2013; 62: 362–375.

28.

Shen

Chen

, et al. An efficient public auditing protocol with novel dynamic structure for cloud data. IEEE Trans Inf Forensics Security 2017; 12(10): 2402–2415.

29.

Shen

Qin

Hao

, et al. Enabling identity-based integrity auditing and data sharing with sensitive information hiding. IEEE Trans Inf Forensics Security 2019; 14(2): 1556–6013.

30.

Shacham

Waters

Compact proofs of retrievability. J Cryp-Tol 2013; 26(3): 442–483.

31.

Min

, et al. Fuzzy identity-based data integrity auditing for reliable cloud storage systems. IEEE T Depend Secure Comput 2019; 16: 72–83.

32.

Wang

Proxy provable data possession in public clouds. IEEE Trans Serv Comput 2013; 6(4): 551–559.

An efficient and secure data auditing scheme based on fog-to-cloud computing for Internet of things scenarios

Abstract

Keywords

Introduction

Our contributions

Organization

Related work

Symbols and preliminary knowledge

Notions

Preliminary

System model and security model

System model

Design goals

The detectability

The correctness

The soundness

Definition

Definition 1

Security model

Definition 2

Definition 3

The proposed scheme

An overview

Description of the proposed scheme

Security analysis

Theorem 1 (the correctness)

Proof

Theorem 2 (the soundness)

Proof

Theorem 3 (the detectability)

Theorem 4 (sensitive information hiding)

Proof

Performance evaluation

Functionality comparison

Performance analysis and comparison

Performance evaluation

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References