Professional Documents
Culture Documents
Reference 18
Reference 18
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
1
Abstract—The deployment of cloud storage services has significant benefits in managing data for users. However, it also causes
many security concerns, and one of them is data integrity. Public verification techniques can enable a user to employ a third-party
auditor to verify the data integrity on behalf of her/him, whereas existing public verification schemes are vulnerable to procrastinating
auditors who may not perform verifications on time. Furthermore, most of public verification schemes are constructed on the public key
infrastructure (PKI), and thereby suffer from certificate management problem. In this paper, we propose the first certificateless public
verification scheme against procrastinating auditors (CPVPA) by using blockchain technology. The key idea is to require auditors to
record each verification result into a blockchain as a transaction. Since transactions on the blockchain are time-sensitive, the
verification can be time-stamped after the corresponding transaction is recorded into the blockchain, which enables users to check
whether auditors perform the verifications at the prescribed time. Moreover, CPVPA is built on certificateless cryptography, and is free
from the certificate management problem. We present rigorous security proofs to demonstrate the security of CPVPA, and conduct a
comprehensive performance evaluation to show that CPVPA is efficient.
Index Terms—Cloud storage, data integrity, certificateless public verification, procrastinating auditors, blockchain.
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
2
caused by the EHR corruption as far as possible. However, management problem existing in most of existing
an irresponsible auditor may procrastinate on the sched- public verification schemes.
uled verification, due to network failures, system errors, • We present rigorous security proofs to prove that
or request from the cloud server1 . We call this auditor a CPVPA is secure against the procrastinating auditor
procrastinating auditor, it deviates from the original objective defined in this paper, the semi-trusted server and
of public verification schemes, i.e., detecting data corruption the malicious auditor in the strongest model [14],
as soon as possible. It might be too late to recover the [17], [18]. We also conduct a comprehensive perfor-
data loss or damage if the auditor procrastinates on the mance analysis, and show that CPVPA has constant
verification. In fact, the procrastinating auditor also cannot communication overhead, and is efficient in terms of
be detected in the public verification schemes, even though computational overhead on both the server side and
malicious auditors can be detected there [17], [18], [19]. the user side.
Furthermore, most public verification schemes are built
The remainder of this paper is organized as follows.
on the public key infrastructure (PKI), where the auditor
We motivate CPVPA in Section 2, and define the system
needs to manage the user’s certificate to choose the correct
model, adversary model, and design goals and present
public key for verification. Consequently, these schemes
preliminaries in Section 3. We propose CPVPA in Section
suffer from the certificate management problem including
4 and analyze its security in Section 5. We provide the
certificate revocation, storage, distribution, and verification,
performance evaluation in Section 6, review the related
which is very costly and cumbersome in practice [23], [24].
work in Section 7, and draw the conclusions and present
In this paper, we propose the first certificateless public some open problems in Section 8.
data integrity verification scheme that resists malicious and
procrastinating auditors, dubbed CPVPA. The key idea be-
hind CPVPA is to use blockchain-based currencies (i.e., on- 2 P ROBLEM S TATEMENT
chain currencies), such as Bitcoin and Ethereum [25], [26], 2.1 Public Verification of Data Integrity
[27], which provide a tamper-proofing and distributed way
to conduct transactions without a central authority (i.e., The key idea of the public verification technique [13], [14],
bank). In CPVPA, the auditor is required to create a new [15] is that the user (i.e., data owner) splits the data into
transaction after each verification, where the information multiple blocks, computes a signature for each one, and
corresponding to the verification is integrated into the trans- outsources the data blocks as well as corresponding signa-
action, and the auditor conducts the transaction. After the tures to the cloud server. When the auditor verifies the data
transaction is recorded into the blockchain, the user is able integrity, it chooses a random subset of all data blocks (e.g.,
to verify the time when the auditor performs the verification sample 300 blocks from 10000 ones) and sends the sampled
by checking the generation time of the transaction. We stress blocks’ indexes (as a challenging message) to the cloud
that for a blockchain system, the more participants in it, server. The cloud server responses with the corresponding
the stronger security guarantee it can provide. Therefore, proof, the auditor checks the integrity of challenged blocks
we construct CPVPA on a well-established and widely-used by verifying the validity of the proof. If the verification
blockchain system (e.g., Ethereum), rather than a newly passes, the integrity of entire data set is ensured. The key
created one. Moreover, CPVPA is built on the certificateless technique used here is aggregated signature [29], which
cryptography [28] and avoids the certificate management enables the auditor to verify multiple blocks simultaneously
problem. Specifically, the contributions of this work are without downloading the data.
summarized as follows. In public verification schemes, after data outsourcing,
the user sets a verification period (i.e., the frequency at
which the auditor performs the verification). Then the audi-
• We analyze existing public verification schemes, and
tor verifies the outsourced data integrity at the correspond-
demonstrate that existing schemes cannot resist a
ing time. In practice, the auditor generates a verification
procrastinating auditor who may not perform the da-
report containing multiple verification results (correspond-
ta integrity verification on schedule and deviate from
ing to multiple periods, we call these periods an epoch).
the original objective of public verification schemes,
If in any period the verification result is “Reject”, it means
i.e., detecting the data corruption as soon as possible.
that the data may be corrupted and the auditor needs to
• We propose a certificateless public verification of
inform the user at once. Otherwise, the auditor generates
data integrity scheme, namely CPVPA, which resists
a verification log and provides the user with the log at the
malicious auditors and procrastinating ones without
end of each epoch. Since the auditor is able to verify the
introducing any trusted entity, where each verifica-
data integrity without the user’s participation, the user can
tion performed by the auditor is time-stamped by
assign the auditor to perform the verification with any pe-
integrating it into a transaction of blockchain-based
riod as needed. In other words, from the user’s perspective,
currencies, e.g., Ethereum. Such mechanism enables
if the outsourced data is corrupted, the longest delay within
the user to check the time when the auditor perform-
which she/he needs to find the data corruption should be
s the verification. CPVPA addresses the certificate
the verification period.
We stress that the frequency at which the auditor checks
1. When the data corruption occurs, the cloud server may collude the data integrity would not be very high in practice, due
with the auditor, where it asks the auditor for halting the scheduled
verification, and gains much more time to retrieval the outsoucrced to the following reasons. First, the auditor serves multiple
data for good reputation. users simultaneously. If users require the auditor to perform
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
3
the data integrity verification with a high frequency, e.g., can be regenerated in the 30th day. As such, the verification
performing the verification every hour, the auditor would report only reflects the most recent (the 30th day’s) state
bear a heavy communication and computation burden. Fur- of integrity for the outsourced data. This deviates from the
thermore, the higher frequency to perform the data integrity public verification’s original target: if the outsourced data is
verification, the more costs to employ the auditor. From a corrupted, the data owner is able to find it within 1 day (i.e.,
pragmatic standpoint, users would not require the auditor one verification period).
to perform data integrity verification with a high frequency To resist the procrastinating auditor, a straightforward
in existing scenarios. Second, performing the data integrity solution is to require the user to audit the auditor’s be-
verification with a high frequency would also cause heavy haviours in a random time interval. However, before the
verification burden on the cloud server. As pointed out by user audits the correctness of auditor’s behaviours, she/he
Armknecht et al. [17], if integrating security mechanisms needs to interact with the auditor to obtain the data that
into existing cloud systems incurs considerable costs on the records the auditor’s behaviours for the auditing, this suf-
cloud service providers, most of the providers would not ficiently gives rise to forge the data for the auditor and
accept liability for the corresponding security guarantees in cloud server. As such, a procrastinating auditor can pass
their Service Level Agreements (SLAs) and only ensure the the user’s auditing by colluding with the cloud server.
service availability. Another straightforward solution is to introduce a trusted
service provider who provides a time-stamping service [33].
After each verification, the auditor is required to query the
2.2 On the vulnerability of existing public verification
time-stamping on the information, which is used to check
schemes against procrastinating auditors
the data integrity, and is used to be audited by the user
In most of existing public verification schemes [14], [16], to prove the correctness of its behavior. This enables the
[30], auditors are assumed to be honest and reliable. This information to be time-sensitive, and therefore can resist the
means that the auditor would honestly follow the prescribed procrastinating auditor. Nevertheless, the security of such
schemes, and performs the verification reliably2 . mechanisms rely on the security and reliability of the time-
These schemes cannot resist malicious auditors. The stamping service provider, and the provider here becomes
most trivial attack a malicious auditor can perform is that it a single point of failure. Furthermore, the provider has to
always generates a good integrity report without verifying bear heavy communication and computation burden in the
the data integrity to avoid the verification burden. To thwart case of multiple users and auditors. As such, how to resist
such attacks, the user is able to audit the auditor’s behavior the procrastinating auditor without introducing any trusted
at the end of each epoch. However, a more tricky attack still entity is a very challenging problem.
exists in the mechanism: the auditor colludes with the cloud
server, and always generates bias challenging messages
2.3 On the (in)efficiency of PKI-based public verifica-
such that only the data blocks which are well maintained
tion schemes
are verified, this avoids revealing the data corruption. To
resist this attack, the challenging messages should not be Most of existing public verification schemes are built on
predetermined by any participant. Existing schemes [17], the public key infrastructure (PKI), where a fully trusted
[18], [19] utilize Bitcoin to generate the challenging messages certificate authority issues the participants’ certificates, and
to ensure the randomness of challenged data blocks, where the auditor has to manage users’ certificates to choose the
the auditor extracts the hash value of the latest block from correct public keys for the verification. However, certifi-
the Bitcoin blockchain, and generates the challenging mes- cate management, which includes revocation, storage, dis-
sage according to the security parameter and the extracted tribution, and verification, is very costly and cumbersome
hash value. Since in the Bitcoin blockchain the hash value in practice [18], [28]. Therefore, removing the certificate
of a block generated at a future time is unpredictable, this management problem could be economic and favorable in
ensures that the auditor cannot generate a bias challenging practice.
message to deceive the user, and enables the user to effi-
ciently audit the auditor’s behavior. 3 D EFINITIONS AND P RELIMINARIES
However, such mechanism is vulnerable to a procrasti-
3.1 System model
nating auditor. Assuming the agreed verification period is
1 day, and an epoch is 1 month (i.e., 30 days), this means The system model is shown in Fig. 1. There are four different
that the auditor checks the outsourced data integrity one entities in CPVPA: cloud user (data owner), cloud server,
time per day, and the user audits the auditor’s behaviors third-party auditor (TPA), and key generation center (KGC).
one time per month. Normally, the auditor would perform • User: The user is the data owner, who outsources
the verification every day and generate a verification report her/his data to the cloud server and accesses the
every 30 days. For a procrastinating auditor, it would not outsourced data as needed. After data outsourcing,
perform the verification on the first 29 days, and would the user employs a TPA, agrees a verification period
perform the verification 30 times on the last day, where the with TPA, and let TPA periodically verify the data
challenging messages in each verification of the first 29 days integrity.
• Cloud server: The cloud server is subject to the
2. Some works [15], [31], [32] assume that auditors are honest but cloud service provider, and provides cloud storage
curious, however, from the perspective of data integrity verification,
there is no difference between these two assumptions, since the auditors services. It has not only significant storage space, but
would not deviate from the prescribed schemes. also a massive amount of computing power.
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
4
• TPA: TPA works for the user. It feeds back the 2) Type II adversary AII : He is able to access the KGC’s
verification results to the user and the cloud server, master key but cannot perform public key replacement.
and detects the data corruption as soon as possible. Misbehaved auditors. We extend the existing threat
The communication between TPA and other entities models of malicious auditors [17], [18]. TPA may be com-
is authenticated. promised, which means that TPA may hide an incident of
• KGC: The KGC is controlled by an authority. It data corruption from the user by colluding with the cloud
generates a partial private key for the user by using server. Furthermore, TPA may deviate from the prescribed
the user’s identity. verification period, and may not perform the verification on
schedule.
Malicious users. We follow the existing threat model
of malicious users [17], [18]. The only attack the user may
perform is that he uploads incorrect verification tags (signa-
tures) to circumvent the cloud server.
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
5
3.5 Bilinear maps such ledger is verifiable and inherently resistant to mod-
Let G be an additive group and GT be a multiplicative ification of chained blocks, the participants who perform
group, G and GT have the same prime order p. A bilinear the transaction verifications are called miner. Actually, the
map e: G × G → GT has the following properties: more miners that participate in a blockchain system, the
1. Bilinearity: e(g a , q b ) = e(g, q)ab for all g, q ∈ stronger security guarantee the blockchain system has. In
G1 , a, b ∈ Zp∗ . this work, we utilize the Ethereum blockchain to construct
2. Non-degeneracy: for g, q ∈ G and g 6= q , e(g, q) 6= 1. CPVPA, since Ethereum is more expressive than other on-
chain currencies and Ethereum is the one of most popular
3. There exists an efficient computable algorithm for
blockchain systems.
computing e.
Computation Diffe-Hellman (CDH) problem in G: given We show a simplified Ethereum blockchain in Fig. 2,
G and one of its generator g , for any unknown a, b ∈ Zq∗ , where Tx denotes the transaction, BlockHash denotes the
given g a and g b ; compute g ab . hash value of current block, PrevBlockHash denotes the hash
value of the last block, Time denotes the timestamp, and
MerkleRoot denotes the root value of a Merkle hash tree [38]
3.6 Public blockchain and on-chain currencies formed by all transactions recorded in current block. The
A blockchain is a linear collection of data elements, where ledger of Ethereum can be thought of as a state transition
each data element is called block. All blocks are linked system, where there is a “state” consisting of the ownership
to form a chain and secured using cryptographic hash status of all existing Ethers (which are the value token of
function. Each block typically contains a hash pointer as the Ethereum blockchain) and a “state transition function”
a link to a previous block, a timestamp, and transaction that takes a state and a transaction as input, and outputs a
data [25]. Only if a transaction’s validity is verified, it new state which is the result. When a new block is added
can be recorded into the block. Generally, the blockchain into the chain, all transactions recorded in the block should
technique can be classified into two types: private blockchain be verified first, and then miners compute a valid nonce
and public blockchain. For a private blockchain (including such that the hash value of the block is less than or equal
the consortium blockchain), the verifications are performed to a value provided by the Ethereum system. This process
by authorized participants, who may be employed by the is a proof of work (PoW) and is well known as “Mining”.
blockchain managers or the managers themselves. For a The first miner who finds the nonce broadcasts the block of
public blockchain, the verifications can be performed by any transactions together with this nonce. Other participants can
participant in the network: a transaction can be recorded verify that the nonce is a valid solution, and hence add the
into a block, only if it has been verified and accepted by a new block to their blockchain. Once the block is added to
considerable majority [35], [36], [37]. the chain, all the corresponding state information has been
The most prominent manifestation of public blockchain updated. More technique details can be found in [26].
is on-chain currencies, such as Bitcoin [25] and Ethereum In Ethereum, the state is made up of objects called
[26]. In such currencies, the public blockchain is used to “account”. In general, there are two types of accounts
serve as an open and distributed ledger that efficiently in Ethereum: externally owned accounts and contract ac-
records transactions between two participants. Furthermore, counts. Externally owned accounts are controlled by private
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
6
keys and can conduct a transaction. Contract accounts are and is chained to the blockchain, the string T i is
controlled by their contract code. Each smart contract corre- then time-stamped. It means that T i is generated no
sponds to a contract account, after the contract is deployed later than the time that the block is chained to the
and contained by the Ethereum blockchain, one can send blockchain. Thus T i is time-sensitive. Furthermore,
message to the contract account (i.e., transferring Ethers since the average time that a block is mined is de-
from an account to the contract account) to trigger the terministic, one can easily derive the time when the
execution of the smart contract, where the data included in block is chained to the blockchain from the height
the “data field” can be set as the input of the contract. For the of the block. Specifically, if a transaction with T i is
transaction between two external owned accounts, i.e., the recorded in the blockchain, anyone is able to extract
payer transfers Ethers from her/his account to the payee’s the corresponding block’s height (which is denoted
account, if the transaction is recorded into the blockchain, by t1 ) to determine whether T i is generated no lat-
the balances of these two accounts are updated. Note that er than BlockT imet1 , where BlockT imet1 denotes
the transactions between two external accounts in Ethereum the height-derived time. By doing so, an Ethereum
also include a “data” field. The user who conducts the blockchain provides an efficient and secure service
transaction (i.e., the payer shown in Fig. 2) can set the data for time-stamping a digital document but without
field to be any binary data she/he chooses. introducing any trusted authority [33].
There are three fundamental properties in secure
blockchain systems [39], [40], [41]:
4 T HE PROPOSED CPVPA
1) ϕ-chain consistency. Blockchains of any two honest
miners at any point in time during the mining execution 4.1 Overview
can differ only in the last ϕ blocks.
2) (ι, ϕ)-chain quality. For an honest miner’s blockchain,
the fraction of blocks mined by honest miners in any
sequence of ϕ or more successive blocks is at least ι.
In other words, the probability that any ϕ successive
blocks in blockchain are generated by an adversarial
miner whose hashrate is less than 51% of the network’s
mining hashrate can be negligible. In Ethereum, ϕ ≥ 12.
3) Chain growth. The number of blocks that are added
to the blockchain during any given time interval is
deterministic. In other words, the blockchain height can
be trusted to steadily increase with respect of either
short or long term.
With the above fundamental properties as well as the
inherent characteristics of PoW-based consensus algorithm, Fig. 3. The proposed CPVPA
we derive two properties from the Ethereum blockchain and
adopt them to construct CPVPA. We utilize the Ethereum blockchain as the underlying
• Unpredicted hash value3 . The hash value (denoted public blockchain. Fig. 3 shows the proposed CPVPA.
by BlockHash in Fig. 2) of each block on the chain CPVPA consists of two phases. In the first phase, the
only can be determined after a valid nonce is com- auditor verifies the integrity of outsourced data. In the
puted and verified by all miners. Once the block is second phase, the user audits the auditor’s behavior.
added to the chain, its hash value is deterministic In the first phase, the verification period is determined
and would never be changed. This means that given by the user. For a point in time when the data integri-
a time time, if time is a past time, the hash value ty should be verified, TPA first extracts the hash values
of the latest block that has appeared since time in of ϕ successive blocks that are the latest ones confirmed
the blockchain is deterministic, and can be extracted on the Ethereum blockchain, where ϕ denotes the num-
efficiently; if time is a future time, the hash value ber of blocks deep used to confirm a transaction (in the
is computationally unpredictable. We stress that the Ethereum, ϕ = 12), and these hash values are denoted
fact that the hash value of blocks generated in the future by {Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt }. Then TPA generates a chal-
cannot be predicted does not means that the hash value lenging message on {Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt }, and sends
cannot be biased by an adversary who has infinite budget. the challenging message to the cloud server. Upon receiving
Since the adversary can incentivize a miner who first the challenging message, the cloud server computes the
mine a block to throw the newly mined block away corresponding proof. TPA checks the validity of the proof to
and continue to mine if the hash value of the block verify the data integrity. If the checking fails, TPA informs
does not meet the adversary’s requirement [42]. the user that the data may be corrupted; Otherwise, TPA sets
• Time-sensitive data state. For a transaction with a {Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt } and the proof as a log entry,
string T i as its Data value, if a block including stores the entry to a log file, and creates a transaction that
this transaction is accepted by a majority of miners transfers 0 deposit from its account to the user’s account4 ,
3. Other PoW-based on-chain currencies, such as Bitcoin, also have 4. The Ethereum blockchain allows a payer to conduct a transaction,
this feature [17]. wherein the transaction value is 0.
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
7
wherein the data field is set to the hash value of the entry. • U outsources M̃ = {M, {Si }i=1,2,...,n , R, ∆} to C .
In this paper, for the sake of simplicity, we assume the • After receiving M̃ , C first computes τ =
transaction is recorded to the block whose height is t + ϕ + 1 H(name||n||∆||spkU ), and then it verifies the cor-
and PrevBlockHash = Blt+ϕ , as shown in Fig. 4. rectness of the data by checking
In the second phase, the user audits the TPA’s behav- n n
ior in a much longer period compared with the verifica-
Y Y
e( Si , g) = e( (Qm i ~i
U ,0 · QU ,1 ), PM )
tion period. We first show how is a single entry (with- i=1 i=1
out loss of generality, {Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt } and the Yn n
Y
corresponding proof) in the log file audited by the user. × e( (V mi · W ~i ), pkU )e( Ti , R),
The user first determines the verification time that TPA i=1 i=1
should perform data integrity verification. Then she/he where ~i = H(i||τ ||R). If the checking passes, C
obtains {Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt } from the Ethereum
accepts M̃ .
blockchain according to the agreed verification time, and
extracts the hash value of the entry from the transac- Audit. To check the integrity of outsourced data, TPA
tion. Next she/he regenerates the challenging message on first generates a challenging message as follows:
{Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt }, and checks the validity of the
corresponding proof by using the challenging message gen- • Extract {Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt } from the
erated by herself/himself. If the checking passes, it means Ethereum blockchain based on the current time,
that TPA performs the verification correctly. Multiple entries where ϕ denotes the number of blocks deep used
can be audited simultaneously, and the auditing costs can be to confirm a transaction, t denotes the height of the
amortized over these entries, which we show in Section 6. block that is latest confirmed at the current time.
• Set ({Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt }, t) as the challeng-
ing message and send it to C .
4.2 Construction of CPVPA
A user U , a TPA, a cloud server C , and a KGC are involved After receiving ({Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt }, t)
in CPVPA. The user U has an identity IDU . from TPA, C first checks the validity, i.e., whether
Phase 1. TPA verifies the data integrity. {Blt−ϕ+1 , Blt−ϕ+2 , ..., Blt } are the correct ones in the
Setup. With a security parameter `, KGC determines the blockchain. If the checking fails, C rejects; Otherwise, C
system parameters as follows: generates the proof information as follows:
• Determine the bilinear map e : G × G → GT , where • Compute k1 = h1 (Blt−ϕ+1 ||Blt−ϕ+2 ||...||Blt ) and
G and GT are multiplicative groups with the same k2 = h2 (Blt−ϕ+1 ||Blt−ϕ+2 ||...||Blt ), where h1 (·) is
order p, g is the generator of G. a secure hash function and maps {0, 1}∗ to the key
• Choose a random λ ∈ Zp as the master key and space of πkey (·), and h2 (·) is a secure hash function
computes PM = λP as its public key. and maps {0, 1}∗ to the key space of fkey (·).
• Choose five hash functions H(·), H1 (·), H2 (·), H3 (·), • Compute iξ = πk1 (ξ), viξ = fk2 (ξ), ξ = 1, 2, ..., c,
H4 (·), where H(·) : {0, 1}∗ → Zp , H1 (·) ∼ H4 (·) : where c is the number of data blocks that should be
{0, 1}∗ → G are cryptographic hash functions. checked, and is determined by `.
c vi c
Choose a pseudorandom permutation πkey (·) and a Siξ ξ , µ =
Q P
• • Compute S = viξ miξ .
pseudorandom function fkey (·) [43]. ξ=1 ξ=1
• Send {S, R, µ, ∆} to TPA.
The system parameters are {e, G, GT , g, p, H(·), H1 (·) ∼
H5 (·), πkey (·), fkey (·)}. Upon receiving the proof information from C , TPA
The KGC generates the partial private key for U using checks the integrity of the data as follows:
IDU as follows:
• Compute τ = H(name||n||∆||spkU ).
• Compute QU ,0 = H1 (IDU , 0) and QU ,1 = • Compute k1 = h1 (Blt−ϕ+1 ||Blt−ϕ+2 ||...||Blt ) and
H1 (IDU , 1). k2 = h2 (Blt−ϕ+1 ||Blt−ϕ+2 ||...||Blt ).
• Compute DU ,0 = QλU ,0 and DU ,1 = QλU ,1 . • Compute iξ = πk1 (ξ), viξ = fk2 (ξ), ξ = 1, 2, ..., c.
• Check wether
U chooses a random xU ∈ Zp∗ and computes pkU = g xU .
c c
U ’s signing key is sskU = {xU , DU ,0 , DU ,1 }, and the vi ~ i ξ vi
e(S, g) = e(QµU ,0 ·
Y ξ
Y
QU ,1 , PM )e( Tiξ ξ , R)
corresponding public key is spkU = {pkU , IDU }.
ξ=1 ξ=1
Store. c
W viξ ~iξ , pkU ),
Y
• U transfers his/her data M into n blocks: M = × e(V µ · (1)
{mi }1≤i≤n . ξ=1
• U randomly chooses an element name ∈ Zp for file where ~iξ = H(iξ ||τ ||R), Tiξ = H2 (iξ ||τ ||R).
naming, randomly chooses a one-time number ∆ ∈ • If the equation 1 does not hold, TPA takes the
Zp , and computes τ = H(name||n||∆||spkU ). checking result as Reject; Otherwise, TPA takes the
• U randomly chooses r ∈ Zp∗ , and computes R = g r , checking result as Accept.
V = H3 (∆), W = H4 (∆).
• For each i ∈ [1, n], U computes Ti = H2 (i||τ ||R), and Phase 2. The user checks the TPA’s behavior.
Si = (DU ,0 · V xU )mi · (DU ,1 · W xU )H(i||τ ||R) · Tir . LogGen. TPA generates a log file as follows:
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
8
Tx Tx Tx … Tx Tx1 Tx …
Data correctness of equation (1) and (2), and we provide the
Signature correctness proof in the following:
𝑆𝑖𝑔 (Tx1)
c
Y vi
Fig. 4. The Transaction Tx1 in PVPA
e(S, g) = e( Siξ ξ , g)
ξ=1
c c
vi miξ
V viξ miξ , pkU )
Y Y
CheckLog. We first show that how to check the validity = e( ξ
QU ,0 , PM )e(
of a single entry (e.g., the first row) in Λ: ξ=1 ξ=1
c c
vi ξ ~ i ξ
W viξ ~iξ , pkU )
Y Y
× e( QU ,1 , PM )e(
• U first acquires t(1) and t(1) + ϕ + 1, and derives
ξ=1 ξ=1
the physical time when the verification is performed c
vi ξ
from t(1) and t(1) + ϕ + 1. If the time does not match
Y
× e( Tiξ , R)
the agreed one, U sets the checking result as Reject. ξ=1
(1)
• U acquires Blt from the Ethereum blockchain, and c
vi ξ ~ i ξ
e(QµU ,0 ·
Y
extracts θt1 from the block whose hash value is = QU ,1 , PM )
(1)
Blt+ϕ+1 . If the extraction fails, U sets the checking ξ=1
c c
result as Reject. vi
W viξ ~iξ , pkU )e(
Y Y
• U checks that whether θt1 matches the entry in the × e(V µ · Tiξ ξ , R).
ξ=1 ξ=1
first row of Λ.
(1)
• U computes τ = H(name||n||∆||spkU ), iξ =
(1) 4.3 Remark and further discussion
πk1 (ξ), viξ = fk2 (ξ), where
In CPVPA, we do not set the timestamp recorded in the
block as the transaction time (i.e., when the verification is
(1) (1) (1) performed), since the timestamp recorded in the Ethereum
k1 = h1 (Blt−ϕ+1 ||Blt−ϕ+2 ||...||Blt ),
(1) (1) (1) block might suffer from up to 15 minutes error. In CPVPA,
k2 = h2 (Blt−ϕ+1 ||Blt−ϕ+2 ||...||Blt ). the user derives the transaction time from the height of the
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
9
block which includes the transaction, due to the property of • Sign queries S(∆i , mi , IDU , spkU ): AI can request
chain-growth discussed in Section 3.6. U ’s signature on a message mi under a state informa-
Now, we show how to compute the height-derived phys- tion ∆i . On receiving a query S(∆i , mi , IDU , spkU ),
ical time when a block was generated. An Ethereum block ℘ generates the corresponding signature σi , and
averagely takes 15.85579752 seconds (this is counted based sends σi to AI .
on the data released by Etherscan5 ) to be mined from the
time of genesis block (which was generated on 2015-07- Forgery: For the IDU , AI outputs the corresponding
0
30) to the time of block with height 5784426 (which is the public key spkU , a messages m∗ , a state information ∆∗ ,
last block generated on 2018-06-15). We denote time5784426 and a signature σ ∗ .
the height-derived physical time that transactions includ- We say that AI wins Game I if and only if:
ed in the block with height 5784426 were generated. 1) σ ∗ is a valid signature on m∗ with state information ∆∗
0
time5784426 = time0 + 15.85579752 × 5784426 (seconds), under IDU and spkU .
where time0 is the physical time when the genesis block of ∗
2) m is not submitted during the sign queries.
Ethereum was generated (2015-07-30, 03:26:13 PM +UTC). Game II (for adversary AII ):
In CPVPA, the main goal of utilizing blockchain-based Setup: a challenger ℘ runs the Setup algorithm and
currencies is to resist procrastinating auditors. CPVPA also obtains the secret and public parameters. ℘ sends the public
achieves an appealing feature, which we believe might be parameters and the KGC’s master key to AII .
of independent interest. The auditor cannot pre-perform the Query:
scheduled verifications due to the unpredictability of block’s
hash value. In other words, if the auditor is required to • Sign queries S(∆i , mi , IDU , spkU ): AII can request
verify the data integrity at a time, it has to perform the U ’s signature on a message mi under a state informa-
verification at the time. Our proposed mechanism used to tion ∆i . On receiving a query S(∆i , mi , IDU , spkU ),
resist procrastinating auditors is well compatible with most ℘ generates the corresponding signature σi , and
of existing public verification of data integrity schemes. sends σi to AII .
We stress that we construct CPVPA on PoW-based
Forgery: For the IDU , AII outputs a messages m∗ , a state
blockchain systems, such as Bitcoin and Ethereum. Theo-
information ∆∗ , and a signature σ ∗ .
retically, CPVPA can also be constructed on the blockchain
We say that AII wins Game II if and only if:
systems that are based on other consensus algorithms (e.g.,
proof of stake (PoS) [44]), since the ϕ-chain consistency, 1) σ ∗ is a valid signature on m∗ with state information ∆∗
(ι, ϕ)-chain quality, and chain growth are fundamental under IDU and spkU .
properties for secure blockchain systems. However, due 2) m∗ is not submitted during the sign queries.
to the differences on the block structure of the PoS-based Proof: We first prove that the advantage that AI wins
blockchains, constructing CPVPA on different PoS-based Game I is negligible.
blockchains requires different constructions. Furthermore, Let ℘ be a CDH attacker who receives a random instance
as discussed before, for a public blockchain system, the (g, g a , g b ) of the CDH problem in G and needs to compute
more participants in it, the stronger security guarantee it can g ab . Here, we show that if AI is able to forge a signature
provide. The number of participants in existing PoS-based with a probability , ℘ is able to solve the CDH problem by
blockchain systems, e.g., CARDANO [44], is much less than using AI ’s output with the same probability. Due to space
that in Ethereum. Therefore, if we construct CPVPA on these limitation, we only show the proof sketch and omit some
blockchains, the costs that the adversary breaks the security interaction details. In fact, this proof follows the proof of
of CPVPA are reduced significantly. [34].
At the beginning of the game, ℘ sets PM = g a as an
instance of the CDH problem, and simulates H(·), H1 (·) ∼
5 S ECURITY ANALYSIS ∗
H4 (·) as random oracles. In the game, ℘ sets QU ,0 = g αU ,0 ·
0∗ ∗ 0∗ ∗ ∗
Lemma 1. The signature σi = {Si , R} in CPVPA is existen- g αU ,0 b , QU ,1 = g αU ,1 · g αU ,1 b , T = g ς , V = g β , and W =
∗ 0 0
tially unforgeable under adaptively chosen-message attack. g γ , where αU∗ ,0 , αU∗,0 , αU∗ ,1 , αU∗,1 , ς ∗ , β ∗ , γ ∗ ∈ Zp∗ are chosen
To prove this lemma, we first define two games cor- randomly. For any signature query on any message m under
responding to the type I adversary and type II adversary, any state information, ℘ responses with the corresponding
respectively. signature as follows.
Game I (for adversary AI ): 0 0
Setup: a challenger ℘ runs the Setup algorithm and ob- • ℘ sets H(R) = −(mαU∗,0 )/αU∗,1 .
tains the public parameters. ℘ sends the public parameters • ℘ randomly choose r ∈ Zp , computes R = g r and
to AI . ∗ ∗ 0∗ ∗ 0∗
5. https://etherscan.io pkU∗ .
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
10
Since σ ∗ is a valid signature, we have Game 0. This game is simply the challenge game between
∗ ∗ TPA and the cloud server defined in Section 4.2.
e(S ∗ , g) = e(Qm H
U ,0 · QU ,1 , PM ) Game 1. This game is the same as Game 0, with the
∗ ∗
× e((V ∗ )m · (W ∗ )H , pkU∗ ) exception of one difference. The adversary is trained to be
× e(T ∗ , R∗ ), (3) able to forge a part of the proof information in Audit. Since
σi = {Si , R} in CPVPA is existential unforgeable, here, the
where H ∗ = H(R∗ ), T ∗ = H2 (R∗ ). Here, we discuss the challenger records each proof information generated by the
security of a single signature, hence the form H ∗ is slightly adversary, and declares failure and aborts if
different from the one in CPVPA. This difference should not 1) the proof information is a valid one;
reduce the security of Si . Note that 2) µ0 in the proof information is different from the expect-
∗ ∗ ∗ 0∗ ∗ ∗ ∗ 0
αU∗,1 ab ed µ.
e(S ∗ , g) = e(g m αU ,0 a · g m αU ,0 ab · g H αU ,1 a · g H
∗ ∗ ∗ ∗ ∗ Analysis. As Game 1 defined, in the case that the chal-
× (pkU∗ )m β · (pkU∗ )H γ · (R∗ )ς , g). lenger aborts, the proof information generated by the ad-
We have versary is {S, R, µ0 , ∆}. By the correctness, we have
∗
c
α∗ ∗
α∗ ∗
β∗ vi ~ i ξ
g ab = (S ∗ · (g m U ,0 a · gH U ,1 a · (pkU∗ )m e(S, g) = e(QµU ,0 ·
Y ξ
QU ,1 , PM )
∗ ∗ 0 0
∗ ς ∗ −1 (m∗ αU∗,0 +H ∗ αU∗,1 )−1
× (pkU∗ )H γ · (R ) ) ) . ξ=1
c
W viξ ~iξ , pkU )
Y
By this way, ℘ can solve the CDH problem. × e(V µ ·
For AII , let ℘ be a CDH attacker who have received a ξ=1
c
random instance (g, g a , g b ) of the CDH problem and needs Y vi
to compute g ab by using AII ’s output. × e( Tiξ ξ , R), (4)
ξ=1
At the beginning of Game II, ℘ randomly selects λ, xU ∈
Zp∗ and obtains the public parameters. Then ℘ sends λ and and for the adversary’s output, we have
∗
the public parameters to AII . In Game II, ℘ sets T = g β , 0
c
vi ~ i ξ
e(S, g) = e(QµU ,0 ·
0∗ 0∗
X ξ
γ∗ γ a ς∗ ς a xU b QU ,1 , PM )
V = g · g 0 , W0 = g · g , and pkU = g ,
where β ∗ , γ ∗ , γ ∗ , ς ∗ , ς ∗ ∈ Zp∗ are chosen randomly. For ξ=1
c
any signature query on any message m under any state 0
W viξ ~iξ , pkU )
Y
information, ℘ responses with the corresponding signature × e(V µ ·
ξ=1
as follows. c
0 0
Y vi
• ℘ sets H(R) = −(γ ∗ m)/(ς ∗ ). × e( Tiξ ξ , R). (5)
• ℘ randomly choose r ∈ Zp , computes R = g r and ξ=1
∗ Since µ 6= µ0 , µ̄ = µ − µ0 6= 0. We further have
S = H1 (U, 0)λ · H1 (U, 1)λ · g γ mxU
0 0
QµU ,0 6= QµU ,0 , V µ 6= V µ .
∗ 0∗ 0∗ ∗
× g −((ς γ m)/ς )xU
· gβ r .
• ℘ outputs (S, R) as the response. Furthermore, we also have
0 0
Finally, AII outputs a tuple {m∗ , σ ∗ , ∆∗ }, where σ ∗ = e(QµU ,0 , PM )e(V µ , pkU ) = e(QµU ,0 , PM )e(V µ , pkU ).
{S , R∗ } is a valid signature of m∗ under ∆∗ .
∗
Rearranging terms yields:
Since σ ∗ is a valid signature, it satisfies the equation 3. 0 0
By our setting, we also have e(Qµλ
U ,0 · V
µxU
, g) = e(QµU ,0λ · V µ xU , P ),
∗ ∗ ∗ 0
γ∗ that is, (QλU ,0 · V xU )µ = (QλU ,0 · V xU )µ . We set ω =
e(S ∗ , g) = e(Qλm λH
U ,0 · QU ,1 · g
xU bm
xU bH ς ∗ 0∗
a ∗ β ∗ ω = (g ∗ )ζ · (g ∗ )ζ , where ζ ∗ , ζ ∗ ∈ Zp , g ∗ , g ∗ ∈ G are
× g · (R ) , g), random elements. Similarly, there exists χ ∈ Zp such that
0 0
where QU ,0 = H1 (IDU , 0), QU ,1 = H1 (IDU , 1), and H ∗ = g ∗ = (g ∗ )χ . Here, the CDH problem is that given g ∗ and
0
H(R). ℘ can solve the CDH problem: g ∗ = (g ∗ )χ , computing χ. By our setting, the solution of
0
∗ ∗ ∗
CDH problem is χ = −(ζ ∗ /ζ ∗ ).
g ab = (S ∗ · (Qλm λH ∗ β
U ,0 · QU ,1 · (R ) Game 2. This game is the same as Game 1, with the
0∗ 0 ∗ −1
∗
γ ∗ +xU H ∗ ς ∗ )b −1 (xU m∗ r +xU H ∗ ς exception of one difference. The adversary is trained to be
× g (xU m ) ) )
.
able to forge any part of proof information in Audit. That is,
the challenger records each proof information generated by
This concludes the proof of this lemma. the adversary, and declares failure and aborts if
0 0 0
Claim 1. CPVPA achieves the authenticity defined by 1) the proof information {S , R , µ , ∆} is a valid one;
0 0 0
[14], that is, if the cloud server passes the TPA’s verification, 2) the proof information {S , R , µ , ∆} is different from
it must possess truly the specified data intact. the expected {S, R, µ, ∆}.
Proof: To prove the authenticity of CPVPA, we define Analysis. We consider the user as the challenger. At the
a sequence of games with interleaved analysis. beginning of the game, the challenger sets PM = g s as an
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
11
instance of the CDH problem. Then the challenger randomly Proof: For the first case, we will discuss it in two
0 0 0 0
chooses α0 , α0 , α1 , α1 ∈ Zp and sets Hi = −mi α0 α1−1 , aspects.
0 0 0
0 0
0
QU ,0 = g α0 · (g )α0 , and QU ,1 = g α1 · (g )α1 . For random
0
First, TPA forges an entry {Blt−ϕ+1 , · · · , Blt , S , R , µ }
values r and xU , the challenger computes (Si , Ri ): that can pass the user’s auditing. However, due to the
authenticity of CPVPA, it is computationally infeasible to
Ri = g ri generate the entry. Specifically, since we have proved that if
Si = (DU ,0 · V xU )mi · (DU ,1 · W xU )~i · Tir the data loss occurs, the cloud server can pass the auditor’s
0 0 −1 verification with negligible probability. If TPA is able to
= g (mi α0 −mi α0 α1 α1 )s
· V mi xU forge the entry that passes the user’s auditing, the cloud
0 0
mi α0 α1−1 xU
× (W )−1 · Tir . server is able to break the authenticity of CPVPA by follow-
ing the TPA’s method.
The challenger continues to interact with the adversary. Second (for the procrastinating auditor), at the time
When the challenger aborts, the received proof information BlockT imet + time1 , time1 > 0, TPA forges an entry to
0 0 0
is {S , R , µ , ∆}, while the expected one is {S, R, µ, ∆}. By convince the user that the entry is generated at the time
the correctness, we have the equation 3 and BlockT imet . In this attack, TPA needs to generate a trans-
0 c action and record it to a block that has been chained in
0 vi ~ i ξ
e(S , g) = e(QµU ,0 ·
Y ξ
QU ,1 , PM ) the Ethereum blockchain. However, due to the security of
ξ=1 Ethereum, this attack is computationally infeasible.
0
c c
0 0
For the second case, we will analyze it in three aspects.
W viξ ~iξ , pkU ) · e( (Tiξ )viξ , R ).
Y X
× e(V µ · First, the hash values of blocks used to compute the chal-
ξ=1 ξ=1 lenging messages cannot be pre-determined and specified
0 0 0 by any entity, due to Lemma 2.
By our setting, (S , R ) 6= (S, R). Clearly, µ 6= µ , and we
0 Second, the blocks used to compute the challenging
define µ̄ = µ − µ. Here, the CDH problem is that given messages would not be generated by the adversary, due to
0 0
(g, g , g s ) computing (g )s . (ι, ϕ)-chain quality of the Ethereum blockchain [39], [45].
0 sµ̄
Now we have e(S /S, P ) = e(QU ,0 · V xU µ̄ · Third, the only attack the malicious auditor can perform
c 0 0 0 0
((Tiξ )r /Tirξ )viξ , g). Recall that QU ,0 = g α0 · (g )α0 , is to bias the hash value of the blocks by incentivizing the
Q
ξ=1
0
miners who mine a new block to throw the newly mined
0 0
we can further get S /S = g sµ̄α0 · (g )sµ̄α0 · V xU µ̄ · block away and continue to mine if the hash value of the
0
Qc 0
r r viξ block does not meet the adversarys requirement. Here, the
ξ=1 ((Tiξ ) /Tiξ ) . Finally, the CDH solution:
adversary’s requirement to the biased hash value is that the
0 0
(g )s = (S · S −1 · (g sµ̄α0 )−1 · (V xU µ̄ )−1 indexes of challenged blocks that generated on the hash
c 0 0 −1
value of the blocks exclude the corrupted ones, i.e., for
0
((Tiξ )r · Tirξ )viξ )(µ̄α0 ) .
Y
× ξ = 1, 2, · · · , c, iξ = πh1 (Blt−ϕ+1 ||Blt−ϕ+2 ||···||Blt ) (ξ) would
ξ=1 not include the indexes of corrupted blocks. Note that the
adversary can bias {iξ }(ξ = {1, 2, · · · , c}) only by biasing
This concludes the proof.
Blt . Now, we compute the probability that the adversary
Lemma 2. In a PoW-based public blockchain system,
successfully biases Blt . The adversary model and game
such as Bitcoin and Ethereum, an adversary cannot pre-
model follow the ones proposed by Pierrot et al. [42].
determine the hash value of the block generated at a future
For illustration, we assume an adversary A who aims
time.
at biasing Blt to break the security of CPVPA. In our
Proof: We first introduce the preimage resistance of a
setting, the indexes of corrupted data blocks form a set ε,
cryptographic hash function.
A wins whenever anyone of indexes of challenged blocks
A hash function is preimage resistant if given a uniform
generated by Blt do not fall in ε. Let Υ : ε → {0, 1} be the
y it is infeasible for a PPT adversary to find a value x such
characteristic function that predicates whether a given value
that H(x) = y [43].
meets A’s requirement.
With the preimage resistance of hash function, the proof
We denote by P the probability for a extracted hash
of this lemma is straightforward.
value of a block Bl to satisfy Υ(Bl) = 1. We stress that
Assuming the block of underlying blockchain
P is essentially a probability that the corrupted data set can
has the form shown in Fig. 4, where Blt =
pass the auditor’s verification in CPVPA. As evaluated by [9],
H(Blt−1 ||Nonce||Time||MerkleRoot), and H(·) is a secure
[16], [31], if ρ fraction of data is corrupted, then randomly
hash function with preimage resistance. If the adversary
(uniformly) sampling c blocks would reach the detection
can pre-determine Blt , the preimage resistance of H(·) is
probability Pdetec = 1 − (1 − ρ)c . Therefore,
broken.
This concludes this lemma.
P = 1 − Pdetec = (1 − ρ)c . (6)
Claim 2. CPVPA is able to thwart malicious auditors who
can perform two attacks to break the security: A’s strategy here is straightforward: he will focus all
1) Forging an entry in the log file Λ to pass the user’s his computational power on mining the next block and
audit; incentivize the miners to throw the newly mined blocks
2) Sampling bias challenging messages to generate bias away and continue to mine if Υ(Bl) = 0, where Bl denotes
verification results. the hash value of the newly mined block.
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
12
0.02
it is equipped with Window 10 system, an Intel Core 2 i5
0.018
c = 460
c = 500
CPU, and 8GB DDR 3 of RAM. We utilize C language and
0.016
MIRACL Library version 5.6.1. We select 80 bits security
level for analysis, the corresponding elliptic curve is a MNT
Probability
0.014
curve, its base field size is 159 bits and its embedding degree
0.012
is 6.
0.01
The difference for choices on the sector number s has
0.008 been discussed in [14], and we only give the atomic op-
0.006
0 0.1 0.2 0.3 0.4 0.5
eration analysis for the case s = 1 for simplicity in the
Proportion of mining hashrate following. Furthermore, we also assume the total number
(a) Probability that the adversary wins w.r.t. of data blocks is less than 10000.
mining hashrate
0.04
6.1 Communication overhead
= 0.25
0.035
= 0.5
We first show the communication overhead between TPA
0.03
0.025
blocks.
0.005
0
400 440 480 520 560 600
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
13
12 4.0 35
CPVPA
3.5 CPVPA CPVPA (c=300)
SWP 30
10 SWP CPVPA (c=460)
Communication costs (KB) SCLPV
3.0 SCLPV SCLPV (c=300)
15
1.5
4
10
1.0
2
0.5 5
0 0.0 0
0 200 400 600 0 100 200 300 400 500 600 0 5 10 15 20 25 30
The number of challenged data blocks The number of challenged data blocks The number of audited entries
Fig. 6. The communication overhead Fig. 7. The verification delay on the TPA side Fig. 8. The auditing delay on the user side
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
14
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2019.2908400, IEEE
Transactions on Cloud Computing
15
[24] D. He, S. Zeadally, and L. Wu, “Certificateless public auditing Yuan Zhang received his B.Sc. degree in Uni-
scheme for cloud-assisted wireless body area networks,” IEEE versity of Electronic Science Technology of Chi-
System Journal, vol. 12, no. 1, pp. 64–73, 2018. na (UESTC) in 2013, P.R.China. He is currently
[25] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system.” a Ph.D candidate in School of Computer Sci-
https://bitcoin.org/bitcoin.pdf. ence and Engineering at University of Electronic
[26] G. Wood, “Ethereum: A secure decentralised generalised transac- Science Technology of China, and is a visiting
tion ledger,” Ethereum Project Yellow Paper, vol. 151, 2014. Ph.D student in BBCR Lab, Department of ECE,
[27] F. Tschorsch and B. Scheuermann, “Bitcoin and beyond: A techni- University of Waterloo, Canada. His research
cal survey on decentralized digital currencies,” IEEE Communica- interests are applied cryptography, data securi-
tions Survey & Tutorials, vol. 18, no. 3, pp. 2084–2123, 2016. ty, and blockchain technology. He is a student
[28] S. S. Al-Riyami and K. G. Paterson, “Certificateless public key member of IEEE.
cryptography,” in Proc. of ASIACRYPT, 2003, pp. 452–473.
[29] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the
weil pairing,” in Proc. of ASIACRYPT, 2001, pp. 514–532.
[30] A. Juels and B. S. K. Jr, “Pors: Proofs of retrievability for large
files,” in Proc. of ACM CCS, 2007, pp. 583–597.
[31] C. Wang, S. S. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy- Chunxiang Xu received the B.Sc. and M.Sc.
preserving public auditing for secure cloud storage,” IEEE Trans. degrees in applied mathematics from Xidian U-
Computers, vol. 62, no. 2, pp. 362–375, 2013. niversity, Xian, China, in 1985 and 2004, respec-
[32] S. Worku, C. Xu, J. Zhao, and X. He, “Secure and efficient privacy- tively, and the Ph.D. degree in cryptography from
preserving public auditing scheme for cloud storage,” Computers Xidian University in 2004.
& Electrical Engineering, vol. 40, no. 5, pp. 1703–1713, 2014. She is currently a Professor with the Center for
[33] S. Haber and W. S. Stornetta, “How to time-stamp a digital Cyber Security, the School of Computer Science
document,” in Proc. of CRYPTO, 1990, pp. 437–455. and Engineering, UESTC. Her research interest-
[34] L. Zhang, B. Qin, Q. Wu, and F. Zhang, “Efficient many-to-one s include information security, cloud computing
authentication with certificateless aggregate signatures,” Computer security and cryptography. She is a member of
Network, vol. 54, pp. 2482–2491, 2010. IEEE.
[35] C. Xu, K. Wang, P. Li, S. Guo, J. Luo, B. Ye, and M. Guo, “Making
big data open in edges: A resource-efficient blockchain-based
approach,” IEEE Trans. Parallel and Distributed Systems, to appear,
doi: 10.1109/TPDS.2018.2871449.
[36] Y. Zhang, X. Lin, and C. Xu, “Blockchain-based secure data prove- Xiaodong Lin received the PhD degree in In-
nance for cloud storage,” in Proc. ICICS, 2018, pp. 3–19. formation Engineering from Beijing University of
[37] M. Li, J. Weng, A. Yang, W. Lu, Y. Zhang, L. Hou, J. Liu, Y. X- Posts and Telecommunications, China, and the
iang, and R. Deng, “Crowdbc: A blockchain-based decentralized PhD degree (with Outstanding Achievement in
framework for crowdsourcing,” IEEE Trans. Parallel and Distributed Graduate Studies Award) in Electrical and Com-
Systems, to appear, doi: 10.1109/TPDS.2018.2881735. puter Engineering from the University of Water-
[38] R. C. Merkle, “Protocols for public key cryptosystems,” in Proc. of loo, Canada. He is currently an associate pro-
IEEE S & P, 1980, pp. 122–134. fessor in the School of Computer Science at
[39] J. Garay, A. Kiayias, and N. Leonardos, “The bitcoin backbone the University of Guelph, Canada. His research
protocol: Analysis and applications,” in Proc. EUROCRYPT, 2015, interests include computer and network security,
pp. 281–310. privacy protection, applied cryptography, com-
[40] A. Kiayias and G. Panagiotakos, “Speed-security tradeoffs in puter forensics, and software security. He is a Fellow of the IEEE.
blockchain protocols,” IACR Cryptology ePrint Archive, vol. 2015,
p. 1019, 2015.
[41] R. Goyal and V. Goyal, “Overcoming cryptographic impossibility
results using blockchains,” in Proc. TCC, 2017, pp. 529–561.
[42] C. Pierrot and B. Wesolowski, “Malleability of the blockchains
entropy,” Cryptography and Communications, vol. 10, no. 1, pp. 211– Xuemin (Sherman) Shen received Ph.D. de-
233, 2018. gree from Rutgers University, New Jersey (US-
[43] J. Katz and Y. Lindell, Introduction to modern cryptography. CRC A) in electrical engineering, 1990. Dr. Shen is
press, 2014. a University Professor, Department of Electrical
[44] A. Kiayias, A. Russell, B. David, and R. Oliynykov, “Ouroboros: and Computer Engineering, University of Water-
A provably secure proof-of-stake blockchain protocol,” in Proc. loo, Canada. His research focuses on resource
CRYPTO, 2017, pp. 357–388. management in interconnected wireless/wired
[45] C. Badertscher, U. Maurer, D. Tschudi, and V. Zikas, “Bitcoin as networks, wireless network security, social net-
a transaction ledger: A composable treatment,” in Proc. CRYPTO, works, smart grid, and vehicular ad hoc and
2017, pp. 324–356. sensor networks. Dr. Shen is a registered Pro-
[46] A. Yang, J. Xu, J. Weng, J. Zhou, and D. S. Wong, “Lightweight fessional Engineer of Ontario, Canada, an IEEE
and privacy-preserving delegatable proofs of storage with data Fellow, an Engineering Institute of Canada Fellow, a Canadian Academy
dynamics in cloud storage,” IEEE Trans. Cloud Computing, to of Engineering Fellow, a Royal Society of Canada Fellow, and a Distin-
appear, doi: 10.1109/TCC.2018.2851256. guished Lecturer of IEEE Vehicular Technology Society and Communi-
[47] H. Wang, D. He, and S. Tang, “Identity-based proxy-oriented data cations Society.
uploading and remote data integrity checking in public cloud,” Dr. Shen is the Editor-in-Chief for IEEE Internet of Thing Journal and
IEEE Trans. Information Forensics and Security, vol. 11, no. 6, pp. the vice president on publications of IEEE Communications Society. He
1165–1176, 2016. received the Joseph LoCicero Award in 2015, the Education Award in
[48] M. Sookhak, A. Gani, H. Talebian, A. Akhunzada, S. U. Khan, 2017, the Harold Sobol Award in 2018, and the James Evans Avant
R. Buyya, and A. Y. Zomaya, “Remote data auditing in cloud Garde Award in 2018 from the IEEE Communications Society. He has al-
computing environments: A survey, taxonomy, and open issues,” so received the Excellent Graduate Supervision Award in 2006, and the
ACM Computing Surveys, vol. 47, no. 4, pp. 1–34, 2015. Outstanding Performance Award in 2004, 2007, 2010, 2014, and 2018
from the University of Waterloo, the Premier’s Research Excellence
Award (PREA) in 2003 from the Province of Ontario, Canada. Dr. Shen
served as the Technical Program Committee Chair/Co-Chair for IEEE
Globecom’ 16, IEEE Infocom’14, IEEE VTC’10 Fall, the Symposia Chair
for IEEE ICC’10, the Tutorial Chair for IEEE VTC’11 Spring, the Chair
for IEEE Communications Society Technical Committee on Wireless
Communications, and P2P Communications and Networking.
2168-7161 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.