Certificateless Remote Data Integrity Auditing with Access Control of Sensitive Information in Cloud Storage

Abstract

With the spread of cloud storage technology, checking the integrity of data stored in the cloud effectively is increasingly becoming a concern. Following the introduction of the first remote data integrity audit schemes, different audit schemes with various characteristics have been proposed. However, most of the existing solutions have problems such as additional storage overhead and additional certificate burden. This paper proposes a certificateless remote data integrity auditing scheme which takes into account the storage burden and data privacy issues while ensuring the correctness of the data audit results. In addition, the certificateless design concept enables the scheme proposed in this paper to avoid a series of burdens brought by certificates. The scheme designed in this paper provides a data access control function whereby only users who hold a valid token generated by the data owner can access the target data from the cloud. Finally, this paper provides a detailed security proof to ensure the rationality of the results. A theoretical analysis and subsequent experimental verification show that the proposed scheme is both effective and feasible.

1. Introduction

With the development of the information revolution, human society has entered a highly informationized mode. The development of informatization has fundamentally changed the human way of life and brought great developments to the industrial society. As an important source of power for the development of social informatization, data are now been regarded as a strategic resource like oil and coal by many countries. Although the emergence of massive data has greatly promoted the progress of society, it has brought problems as well, for example, the extra cost of massive data storage. As data owners (DO) can spend a great deal of time and energy on local data storage, they generally choose to store these data using cloud service providers (CSP) with greater storage and computing capabilities. However, although this move reduces the burden of data ownership to a certain extent, it leads to the DO losing direct control over the data, that is, the owner may not be able to obtain the latest iteration of their data at any time. Data stored in the cloud can be corrupted for a variety of reasons. For example, in order to save on storage cost, a CSP may intentionally delete data that is not frequently accessed by the DO. In addition, malicious attacks from third parties or hardware failures on CSP’s servers can cause data corruption. Furthermore, the CSP may choose to hide this from the DO in order to preserve their reputation. Such concealment by the CSP is likely to cause a degree of economic loss or other harm to the DO. In order to solve this problem, remote data integrity auditing scheme are increasingly being applied.

The first data integrity auditing scheme was proposed by Ateniese et al. [1] in 2007, in which the concept of provable data possession (PDP) was proposed. During the same period, Juels et al. [2] proposed another type of auditing scheme, proof of retrievability (PoR), for the first time. Following these early developments, research on data integrity auditing schemes has made great progress, and many schemes with their own characteristics have been proposed one after the other [3,4,5,6,7].

In the auditing scheme developed and proposed here, the designer pays attention to realizing other properties in addition to ensuring the accuracy of data auditing, among which the most important is privacy protection. The privacy of data has become a topic of great concern in today’s society. This is mainly because data often contain private information pertaining to the DO, which may cause serious harm if leaked. The existing solution is that, before uploading data to the cloud, the DO encrypts or blinds the data locally before generating tags and uploading [8,9]. Although this approach can effectively protect the privacy of data, encryption and blinding operations incur a huge computational burden on the DO, hindering the realization of the data’s value.

In addition to privacy, data access control is a concern. Data can only be of maximum value when circulated. The most direct manifestation of this is the emergence of a large number of base stations in the edge environment. In order to realize the value of their data, the CSP or DO chooses to set up base stations in a fixed area and provides services to nearby users. Therefore, there are many data integrity auditing schemes in edge environments [10,11,12]. In the field of cloud storage, data access control cannot directly apply the model in the edge environment. This is because the cloud storage environment does not consider users in a fixed area, only authorized users who hold legal warrants to acquire data from the CSP. Therefore, data access control under cloud storage conditions must consider the correctness and revocability of warrants.

Finally, the core of the extant data integrity auditing schemes is digital signature technology. The DO guarantees the implementation of the scheme by generating corresponding tags for each data block. This approach can effectively check the integrity of data stored in the cloud, however, the appearance of tags means that the DO needs to prepare extra overhead to store tags in the cloud. In most of the existing schemes, the storage overhead generated by the tag is close to or even greater than the storage overhead of the data block itself [13,14,15]. The storage overhead incurred by these tags has become a major factor hindering the application of data auditing schemes.

1.1. Contribution

In order to solve the main problems with current auditing schemes, we design a certificateless remote data integrity auditing scheme with an access control function and sensitive information hiding. The main contributions of this paper are as follows:

(1) We propose a certificateless remote data integrity scheme that avoids the additional overhead brought by certificates. At the same time, in order to reduce the storage overhead caused by tags, our scheme does not choose to generate tags for each data block when generating tags for data blocks, instead aggregating multiple data blocks into one signature to reduce the number of tags.

(2) In order to make better use of the value of data, our scheme implements an access control function. That is, the DO generates warrants for authorized users, allowing them to acquire data from the cloud. The warrants genarated in our scheme are revocable, which means that DO can revoke a user’s access at any time. At the same time, the scheme proposed in this paper takes privacy into account. During implementation, only authorized users, the DO, and the CSP can access the original master data, while unauthorized users and TPA cannot obtain the data by any means.

(3) We provide a detailed proof of the process of the proposed scheme and compare it with two other schemes through both theoretical analysis and experimental verification. The results show that the proposed scheme outperforms [8,15], mainly in terms of shorter time spent in tag generation and lower storage overhead on the part of the CSP.

1.2. Related Works

In 2012, Yang et al. [16] proposed a data integrity auditing scheme with privacy protection and support for dynamic updates, and which can support batch auditing for multiple DOs and CSPs. However, their approach is based on the traditional public key infrastructure design audit protocol, and as such there is a huge cost problem caused by the use of certificates. In 2013, Wang et al. [17] first proposed a certificateless public auditing scheme to verify the integrity of data in the cloud in order to solve the security risks brought on by public key infrastructure (PKI); however, they did not consider privacy or dynamic updating of data. In the same year, Kai et al. [18] proposed a data integrity auditing scheme in a multi-cloud environment with support for simultaneous verification of multiple audit requests for different data files stored on different CSPs by different DOs. The authors introduced a homomorphic encryption mechanism to ensure the privacy of the auditing process, however, the extra overhead caused by certificates was ignored. In 2014, Yuan et al. [19] proposed a remote data integrity auditing scheme with support for multi-user modification and collusion resistance based on full consideration of realistic scenarios. However, their approach did not address the risk of data leakage and was not able to guarantee privacy. In 2015, Jiang et al. [20] proposed a data integrity auditing scheme based on vector commitment and verifier-local revocation group signatures, however, the privacy of the data cannot be guaranteed by this approach. In 2016, Zhang et al. [21] proposed a lightweight auditing scheme based on entrusting most of the computation in the auditing process to the cloud in order to reduce the burden of auditing. Under this scheme third-party auditors can perform multiple audit tasks simultaneously, however, the risk of data leakage is increased. In 2017, Li et al. [22] designed a scheme to solve the complex key management problem in traditional methods by employing biometrics as a fuzzy identity; however, new computational overhead is generated in the process of key matching. In another paper from 2019, Shen et al. [5] designed an auditing scheme that does not require a private key using biometric data such as fingerprints as a fuzzy private key to sign data blocks to eliminate the storage burden of saving the private key. However, the feature of fuzzy private keys requires extra computational overhead to implement. In 2018, in order to better realize data sharing, Shen et al. [23] implemented data auditing and sharing by introducing a sanitizer to sanitize the data blocks containing sensitive information and their corresponding tags; however, the inclusion of these cleaning agents increases the computational cost of label generation. In 2020, Zhao et al. [24] embedded blockchain technology into the cloud auditing system and designed a data integrity auditing scheme with a privacy protection function by combining a blockchain and digital signature technology. However, the encryption algorithm they used to ensure data security adds an additional computational burden. In the same year, Lan et al. [25] pointed out that the RDIC protocol proposed by C. Sasikala et al. was not secure, and provided a rigorous proof analysis. In 2021, in order to avoid the waste of resources caused by repeatedly challenging specific data blocks over a short period of time, Wang et al. [26] confirmed the time at which such data blocks are checked by predicting user behavior and selecting the challenging data blocks on this basis. In 2022, Yang et al. [27] implemented a data integrity auditing scheme with support for dynamic insertion and provable seletion through a number-rank-based Merkle hash tree. In another 2022 paper, S. Dhelim et al. [28] proposed and designed a large-scale IoT trust management system able to effectively manage the trust relationships of devices in large-scale IoT contexts.

Table 1. Reference scheme comparison table.

	Certificateless	Privacy	Dynamic Update	Data Sharing
[5]	✓	✓
[16]		✓	✓
[17]	✓
[18]		✓
[19]				✓
[20]			✓	✓
[21]			✓
[22]		✓
[23]		✓		✓
[24]		✓
[26]

compares the characteristics of the works referenced above.

1.3. Organization

The rest of this paper is organized as follows. In Section 2, we describe several of the technologies that support our paper and then provide the scheme outline and security model. In Section 3, we elaborate our proposed remote data integrity auditing scheme. In Section 4, we analyze the security of our scheme in detail. Section 5 presents the results of our performance evaluation. Finally, we present the conclusions of this paper in Section 6.

2. Preliminaries

In this section, we provide relevant knowledge points and describe the security model of the scheme we designed. Important mathematical notations used in this paper are listed in

Table 2. Mathematical notation.

Notation	Description
$G_1,G_2$	two multiplicative cyclic groups
q	a large prime number
g,	a generator of the multiplicative group $G_1$
e,	bilinear map
$H_1,H_2,H_3$,	three secure cryptographic hash functions
$u_1,u_2,\dots ,u_t$,	t distinct elements in group $G_1$
$\pi$	a pseudo-random permutation
$\phi$	a pseudo-random function
${\sigma }_i$	a signal tag
$\Phi$	collection of tags
$chal$	a challenge message
P	a proof message

.

2.1. System Model

There are five entities in our scheme: DO, CSP, KGC, TPA, and Users. The relationship between them is shown in Figure 1.

(1) KGC: The KGC is responsible for generating relevant parameters and generating a partial private key for the DO.

(2) DO: The DO is the actual owner of the data and is responsible for splitting the file into appropriate sizes, generating corresponding tags, and generating warrants for authorized users.

(3) CSP: The CSP is an institution with sufficient storage and computing power, and is responsible for properly storing data and making it available to authorized users.

(4) TPA: The TPA is an institution with sufficient computing power, and is responsible for randomly issuing data integrity challenges to the CSP. In our scheme, the TPA is considered semi-honest, i.e., while it honestly reports auditing results, it is curious about the data.

(5) Users: Users are the groups who want to use the data stored by the CSP; they can obtain data from the CSP using legitimate warrants.

2.2. Bilinear Maps

Let q be a large prime and $G_1$ and $G_2$ be two cyclic multiplicative groups with the same order q, where g is a generator of $G_1$ and $e:G_1\times G_1\to G_2$ is a bilinear map with the following properties:

(1) Bilinearity: for $\forall a,b\in G_1$ and $\forall x,y\in Z_q^{*}$, $e(a^x,b^y)=e{(a,b)}^{xy}$.

(2) Non-degeneracy: $\exists a,b\in G_1$, and $e(a,b)\ne 1_{G_2}$.

(3) Computability: for $\forall a,b\in G_1$, there is an efficient algorithm to calculate $e(a,b)$.

2.3. Security Assumptions

2.3.1. Computational Diffie–Hellman (CDH) Problem

Let $G_1$ be a multiplicative cyclic group, where g is a generator of $G_1$. Given the tuple $\left(g,g^a,g^b\right)$, where $a,b\in Z_q^{*}$ is unknown, the CDH problem is to calculate $g^{ab}$.

2.3.2. CDH Assumption

For a probabilistic polynomial time (PPT) adversary A, the advantage for A in solving the CDH problem in $G_1$ is negligible. Assume that $\epsilon$ is a negligible value; then, it can be defined as

$$Ad{v}_{G_{1}A}^{CDH}=Pr\left[A\left(g,g^a,g^b\right)=g^{ab}:a,b\stackrel{R}{\leftarrow }{Z}_q^{*}\right]\le \epsilon$$

2.3.3. Discrete Logarithm (DL) Problem

Let $G_1$ be a multiplicative cyclic group, where g is a generator of $G_1$. Given the tuple $\left(g,g^x\right)$, where $x\in Z_q^{*}$ is unknown, the DL problem is to calculate x.

2.3.4. DL Assumption

For a PPT adversary A, the advantage for A in solving the DL problem in $G_1$ is negligible. Assume that $\epsilon$ is a negligible value; then, it can be defined as

$$Ad{v}_{G_{1}A}^{DL}=Pr\left[A\left(g,g^x\right)=x:x\stackrel{R}{\leftarrow }{Z}_q^{*}\right]\le \epsilon$$

2.4. Outline of Our Scheme

Our designed certificateless data integrity auditing scheme with sensitive information hiding involves eight algorithms with the following functions:

$Setup\left(1^k\right)⟶(params,msk)$: this algorithm is performed by the KGC to generate the relevant parameters and master key.

$Extract(params,ID,msk)⟶s{k}_1$: this algorithm is performed by the KGC, mainly to generate the partial private key for the DO.

$KeyGen(params,ID,s{k}_1)⟶(sk,pk)$: this algorithm is run by the DO, and its main function is to generate a complete private key.

$TagGen(params,sk,F,fname)⟶\Phi$: this algorithm is performed by the DO; its main function is to generate tags for each data block.

$Challenge(params,c)⟶chal$: this algorithm is executed by the TPA, and mainly generates relevant parameters used to challenge the integrity of the data blocks stored in the cloud.

$ProofGen(params,chal,F,\Phi )⟶P$: this algorithm is executed by the CSP to generate relevant proofs in response to TPA challenges.

$ProofVerify(params,pk,P,chal,ID)⟶\left\{0,1\right\}$: this algorithm is executed by TPA, mainly to judge whether the proof of the CSP response is legal and to judge the integrity of the data.

$warrantGen(params,ID,I{D}^{{}^{\prime }})⟶W$: this algorithm is executed by the DO, mainly to generate warrants for authorized users for access control.

2.5. Security Model

The security model of our scheme is based on a game played between a challenger $\beta$ and an adversary A, where the challenger $\beta$ represents the DO and TPA and the adversary A represents the malicious cloud CSP. The specific details of the game are as follows:

Setup: The challenger $\beta$ executes the $Setup$ algorithm to generate the master key $msk$ and the public parameters $params$, then sends the public parameters to the adversary A and stores the $msk$ properly.

Hash Queries: The adversary A can query any type of hash function, then challenger $\beta$ performs related calculations and sends the results to A.

Private/Public Key Queries: The adversary A can query the private key of the user with identity $ID$. When receiving a private key query request from adversary A, challenger $\beta$ runs $Extract$ and $KeyGen$, then feeds back the public key $p{k}_{ID}$ and the combined private key $s{k}_{ID}$ to A.

Tag Queries: The adversary A can randomly select a data block $m_i$ and query its corresponding tag; the challenger $\beta$ then executes $TagGen$ to generate the signature of the data block $m_i$ and sends the result to A.

Integrity Proof Queries: The adversary A can randomly select any number of data blocks and query their corresponding integrity proof; the challenger $\beta$ then executes $ProofGen$ and returns the result to A.

Challenge: The challenger $\beta$ selects a certain number of data blocks to send to the adversary A in order to obtain a data integrity proof.

Forging: In response to a challenge message sent by challenger $\beta$, adversary A forges an integrity proof and returns it to $\beta$ to verify the validity of the proof. If this proof can always pass the challenger’s verfication, the adversary A is considered to have won the game.

Based on the above game, we have the following definitions.

Definition 1.

A certificateless remote data integrity auditing scheme is considered to be secure if the probability of adversary A winning the game against challenger β is negligible.

Furthermore, we propose a formal definition to satisfy the security requirement of sensitive information hiding.

Definition 2.

A certificateless remote data integrity auditing scheme is regarded as having sensitive information hiding if only the DO and authorized users can obtain the original data from the CSP during the execution of the scheme.

3. Our Proposed Scheme

In this part, we elaborate the details of our design scheme.

$Setup\left(1^k\right)⟶(params,msk)$: This algorithm is performed by the KGC. Given a security parameter k, the KGC randomly generates a large prime q with the feature $\left|q\right|=k$. Then, the KGC generates two multiplicative cyclic groups $G_1$ and $G_2$, both of order q, where g is a generator of $G_1$ and $\left(u_1,u_2,\dots ,u_t\right)\in {\left(G_1\right)}^t$ represents t random elements. In addition, the KGC selects three secure cryptographic hash functions $H_1:{\left\{0,1\right\}}^{*}⟶G_1,H_2:{\left\{0,1\right\}}^{*}\times {\left\{0,1\right\}}^{*}\times G_1⟶G_1,H_3:{\left\{0,1\right\}}^{*}\times {\left\{0,1\right\}}^{*}\times {\left\{0,1\right\}}^{*}⟶G_1$. Here, $\pi :Z_q^{*}\times \left\{1,2,\dots ,n\right\}⟶\left\{1,2,\dots ,n\right\}$ is a pseudo-random permutation (PRP), $\phi :Z_q^{*}\times Z_q^{*}⟶Z_q^{*}$ is a pseudo-random function (PRF), e is a bilinear map acting on $G_1$, and $G_2$: $G_1\times G_1⟶G_2$. Then, the KGC generates the master secret key $msk=s$, where s is randomly selected from $Z_q^{*}$ and the master public key $mpk$ is calculated by $mpk=g^s$. After carrying out the above operations, the KGC publishes $params=\left(G_1,G_2,g,q,u_1,u_2,\dots ,u_t,e,mpk,H_1,H_2,H_3,\pi ,\phi \right)$ and keeps the $msk$ private.

$Extract(params,ID,msk)⟶s{k}_1$: this algorithm is responsible for generating part of the private key for the DO. After receiving the $ID$ of the DO, the KGC computes $s{k}_1=H_1{\left(ID\right)}^{msk}$ and feeds the result back to the DO.

$KeyGen(params,ID,s{k}_1)⟶(sk,pk)$: when the DO receives the part of the private key $s{k}_1$ sent by the KGC, he or she first verifies whether $e(H_1\left(ID\right),mpk)=e(s{k}_1,g)$ is established. If the equation does not hold, the DO refuses to recognize the legitimacy of $s{k}_1$ and initiates a new round of application to the KGC. Otherwise, the DO randomly selects an element $s{k}_2=x\in Z_q^{*}$ and computes $pk=g^x$. After completing the above operation, the DO publishes the public key $pk$ and keeps the private key $sk=(s{k}_1,s{k}_2)$ secret.

$TagGen(params,sk,F,fname)⟶\Phi$: here, we assume that file F has been divided into n parts of $m_1,m_2,\dots ,m_n$ before uploading it to the cloud and that each part contains t small sectors with the same length, that is, $F={\left(m_{ij}\right)}_{n\times t}$, where $m_{ij}\in Z_q^{*}$$(1\le i\le n,1\le j\le t)$. $fname\in {\{0,1\}}^{*}$ is the unique $ID$ of the file F. The DO computes the tag for each row block ($m_1,m_2,\dots ,m_n)$ by computing Equation (1):

$${\sigma }_i=s{k}_1·{\left(H_3\left(ID\right|\left|fname\right|\left|i\right)·\prod _{j=1}^t{u}_j^{m_{ij}}\right)}^{s{k}_2}$$

(1)

The set of all tags is denoted by $\Phi =\left\{{\sigma }_i|i\in \left\{1,2,\dots ,n\right\}\right\}$. After generating tags for all data row blocks, the DO transmits $\Phi$ to the CSP. When receiving the tag set $\Phi$, the CSP can verify the single tag through $e({\sigma }_i,g)=e(H_1\left(ID\right),mpk)·e(H_3\left(ID\right|\left|fname\right|\left|i\right)·{\prod }_{j=1}^t{u}_j^{m_{ij}},pk)$.

$Challenge(params,c)⟶chal$: in order to reduce overhead, the TPA generally randomly selects partial data blocks when checking the integrity of data stored in the cloud. Suppose the TPA chooses to check c data blocks; then, the TPA randomly selects two elements $(k_1,k_2)\in {\left(Z_q^{*}\right)}^2$. Finally, the TPA sends the challenge message $chal=(c,k_1,k_2)$ to the CSP.

$ProofGen(params,chal,F,\Phi )⟶P$: after receiving the challenge request initiated by the TPA, the CSP first genarates the relevant parameters set $C=\left\{({\alpha }_l,{\beta }_l)|l\in \left\{1,2,\dots ,c\right\}\right\}$, where ${\alpha }_i=\phi (k_1,i),{\beta }_i=\pi (k_2,i)$. Then, the CSP selects a value $r\in Z_q^{*}$ and computes

$$\begin{array}{cc}\hfill & M=\left\{M_j|M_j=\sum _{i\in c}{\alpha }_i{m}_{{\beta }_{i}j}+r,j\in \left\{1,2,\dots ,t\right\}\right\}\hfill \\ \hfill & \sigma =\prod _{i\in c}{\sigma }_{{\beta }_i}^{{\alpha }_i},\hfill \\ \hfill & R=\prod _{j=1}^t{u}_j^r\hfill \end{array}$$

After completing the above calculation, the CSP sends the proof $P=\left\{M,\sigma ,R\right\}$ to the TPA.

$ProofVerify(params,pk,P,chal,ID)⟶\left\{0,1\right\}$: The TPA uses PRF and PRP locally to calculate the relevant parameter set $C=\left\{({\alpha }_i,{\beta }_i)|i\in \left\{1,2,\dots ,c\right\}\right\}$. In this way, the TPA can conduct verification using Equation (2):

$$\begin{array}{cc}\hfill & e(\sigma ,g)·e(R,pk)=e(H_1{(ID)}^{{\sum }_{i=1}^c{\alpha }_i},mpk)·\hfill \\ \hfill & e(\prod _{i\in c}{H}_3(ID|\left|fname\right||{\beta }_i{)}^{{\alpha }_i}·\prod _{j=1}^t{u}_j^{M_j},pk)\hfill \end{array}$$

(2)

If Equation (2) holds, the algorithm outputs a value of 1, indicating that the checked data is securely stored in the cloud. Otherwise, the data have been polluted, and the algorithm outputs 0.

$warrantGen(params,ID,I{D}^{{}^{\prime }})⟶W$: To generate a warrant that can access the data stored in the cloud, the DO and user $U_{I{D}^{{}^{\prime }}}$ randomly select $k_{ID},k_{I{D}^{{}^{\prime }}}\in Z_q^{*}$, respectively. After completing the above operation, the DO and $U_{I{D}^{{}^{\prime }}}$ keep $k_{ID},k_{I{D}^{{}^{\prime }}}$ private, and publish $g^{k_{ID}},g^{k_{I{D}^{{}^{\prime }}}},\alpha ={\left(g^{k_{ID}}\right)}^{k_{ID}^{{}^{\prime }}}={(g^{k_{ID}^{{}^{\prime }}})}^{k_{ID}}$, respectively. To authorize $U_{I{D}^{{}^{\prime }}}$ for sensitive data access, the DO computes a warrant $W=H_2\left(ID\right||I{D}^{{}^{\prime }}{\left|\right|\alpha )}^{k_{ID}}$ and sends it to $U_{I{D}^{{}^{\prime }}}$. After $U_{I{D}^{{}^{\prime }}}$ receives W, he or she calculates $H_2\left(ID\right||I{D}^{{}^{\prime }}{\left|\right|\alpha )}^{k_{ID}^{{}^{\prime }}}·W$ and sends it to the CSP to access the data. When the CSP receives the request, it checks whether

$$\begin{array}{cc}\hfill & e(H_2\left(ID\right||I{D}^{{}^{\prime }}{\left|\right|\alpha )}^{k_{ID}^{{}^{\prime }}}·W,g)\hfill \\ \hfill & =e(H_2\left(ID\right||I{D}^{{}^{\prime }}\left|\right|\alpha ),g^{k_{I{D}^{{}^{\prime }}}})·e(H_2\left(ID\right||I{D}^{{}^{\prime }}\left|\right|\alpha ),g^{k_{ID}})\hfill \end{array}$$

holds or not. If the equation holds, then the CSP transmits the data to $U_{ID}$; otherwise, the CSP rejects the application. When the DO wants to revoke $U_{I{D}^{{}^{\prime }}}$’s warrant, he or she simply re-selects a new $k_{ID}^{*}\in Z_q^{*}$ and updates $g^{k_{ID}^{*}}$, meaning that $U_{I{D}^{{}^{\prime }}}$ can no longer obtain data from the CSP.

4. Security Proof

In this section, we provide a theoretical analysis of our designed scheme from four aspects: correctness, soundness, sensitive information hiding, and detectability.

4.1. Correctness Proof

The correctness of our proposed scheme can be summarized in four points: (1) if the partial private key sent by the KGC to the DO is correct, the DO always accepts it; (2) a single tag always passes validation if the DO generates tags correctly for the data blocks; (3) if the CSP stores the data properly in the cloud, every generated proof can be verified by the TPA; (4) if the user holds a valid warrant from the DO for authorization, the user can obtain sensitive data from the CSP.

Proof. 

(1) The correctness of the partial private key generated by the KGC for the DO is as follows:

$$\begin{array}{cc}\hfill & e(H_1\left(ID\right),mpk)=e(H_1\left(ID\right),g^s)\hfill \\ \hfill & =e(H_1{\left(ID\right)}^s,g)=e(s{k}_1,g)\hfill \end{array}$$

(2) A single tag can be generated by Equation (1), and its correctness is proven as follows:

$$\begin{array}{cc}\hfill & e({\sigma }_i,g)\hfill \\ \hfill & =e(s{k}_1·{\left(H_3\left(ID\right|\left|fname\right|\left|i\right)·\prod _{j=1}^t{u}_j^{m_{ij}}\right)}^{s{k}_2},g)\hfill \\ \hfill & =e(s{k}_1,g)·e(H_3\left(ID\right|\left|fname\right|\left|i\right)·\prod _{j=1}^t{u}_j^{m_{ij}},g^{s{k}_2})\hfill \\ \hfill & =e(H_1\left(ID\right),g^s)·e(H_3\left(ID\right|\left|fname\right|\left|i\right)·\prod _{j=1}^t{u}_j^{m_{ij}},g^x)\hfill \\ \hfill & =e(H_1\left(ID\right),mpk)·e(H_3\left(ID\right|\left|fname\right|\left|i\right)·\prod _{j=1}^t{u}_j^{m_{ij}},pk)\hfill \end{array}$$

(3) The correctness of auditing relies on checking Equation (2), the correctness of which is proven as follows:

$$\begin{array}{cc}\hfill & e(\sigma ,g)·e(R,pk)\hfill \\ \hfill & =e(\prod _{i\in c}{\sigma }_{{\beta }_i}^{{\alpha }_i},g)·e(R,pk)\hfill \\ \hfill & =e(\prod _{i\in c}{(s{k}_1·{\left(H_3\left(ID\right|\left|fname\right||{\beta }_i)·\prod _{j=1}^t{u}_j^{m_{{\beta }_{i}j}}\right)}^{s{k}_2})}^{{\alpha }_i},g)·\hfill \\ \hfill & e(R,pk)\hfill \\ \hfill & =e(\prod _{i\in c}s{k}_1^{{\alpha }_i},g)·e(R,pk)·\hfill \\ \hfill & e(\prod _{i\in c}{\left(H_3\left(ID\right|\left|fname\right||{\beta }_i)·\prod _{j=1}^t{u}_j^{m_{{\beta }_{i}j}}\right)}^{{\alpha }_i},g^{s{k}_2})\hfill \\ \hfill & =e(\prod _{i\in c}{H}_1{\left(ID\right)}^{{\alpha }_i},g^s)·e(R,pk)·\hfill \\ \hfill & e(\prod _{i\in c}{H}_3\left(ID\right|\left|fname\right||{\beta }_i{)}^{{\alpha }_i}·\prod _{i\in c}\prod _{j=1}^t{u}_j^{{\alpha }_i·m_{{\beta }_{i}j}},g^x)\hfill \\ \hfill & =e(H_1{\left(ID\right)}^{{\sum }_{i=1}^c{\alpha }_i},mpk)·e(\prod _{j=1}^t{u}_j^r,g^x)·\hfill \\ \hfill & e(\prod _{i\in c}{H}_3\left(ID\right|\left|fname\right||{\beta }_i{)}^{{\alpha }_i}·\prod _{i\in c}\prod _{j=1}^t{u}_j^{{\alpha }_i·m_{{\beta }_{i}j}},g^x)\hfill \\ \hfill & =e(H_1{\left(ID\right)}^{{\sum }_{i=1}^c{\alpha }_i},mpk)·\hfill \\ \hfill & e(\prod _{i\in c}{H}_3\left(ID\right|\left|fname\right||{\beta }_i{)}^{{\alpha }_i}·\prod _{j=1}^t{u}_j^{{\sum }_{i\in c}{\alpha }_i·m_{{\beta }_{i}j}+r},g^x)\hfill \\ \hfill & =e(H_1{\left(ID\right)}^{{\sum }_{i=1}^c{\alpha }_i},mpk)·\hfill \\ \hfill & e(\prod _{i\in c}{H}_3\left(ID\right|\left|fname\right||{\beta }_i{)}^{{\alpha }_i}·\prod _{j=1}^t{u}_j^{M_j},pk)\hfill \end{array}$$

(4) If the user holds the correct warrant, then it can be verified by the CSP as follows:

$$\begin{array}{cc}\hfill & e(H_2\left(ID\right||I{D}^{{}^{\prime }}{\left|\right|\alpha )}^{k_{ID}^{{}^{\prime }}}·W,g)\hfill \\ \hfill & =e(H_2\left(ID\right||I{D}^{{}^{\prime }}{\left|\right|\alpha )}^{k_{ID}^{{}^{\prime }}},g)·e(W,g)\hfill \\ \hfill & =e(H_2\left(ID\right||I{D}^{{}^{\prime }}\left|\right|\alpha ),g^{k_{ID}^{{}^{\prime }}})·e(H_2\left(ID\right||I{D}^{{}^{\prime }}\left|\right|\alpha ),g^{k_{ID}})\hfill \end{array}$$

 □

4.2. Soundness Proof

Theorem 1

(Auditing soundness). If the CDH assumption holds on the multiplicative cycle groups $G_1$ and $G_2$, then a malicious cloud cannot forge a verifiable proof.

Proof. 

We prove through a series of games that there exists an extractor to solve the CDH problem by extracting the interaction information between the challenger $\beta$ and adversary A if the CSP has forged a reasonable proof $P^{*}$ without saving the complete data. □

$Game0.$ The specific process of this game has been elaborated in Section 2, therefore, we omit it here.

$Game1.$ This game is largely the same as $Game0$, except with the addition of a new rule. Challenger $\beta$ maintains a list locally to record Tag Queries made by adversary A. If adversary A generates a proof P that is successfully verified by the challenger $\beta$ and the proof contains at least one tag that is not recorded in the list, then challenger $\beta$ terminates the game and declares defeat.

$Analysis.$ Assuming that adversary A wins $Game1$ with a non-negligible probability, then there is an extractor that can solve the CDH problem through the following steps. Without loss of generality, suppose that the identity of the adversary is $ID$, the file is $F={\left(m_{ij}\right)}_{n\times t}$, and the file name is $fname$.

Suppose the honest prover produces the correct proof $P=\left\{M,\sigma ,R\right\}$; then, it has

$$\begin{array}{cc}\hfill & e(\sigma ,g)·e(R,pk)=e(H_1{\left(ID\right)}^{{\sum }_{i=1}^c{\alpha }_i},mpk)·\hfill \\ \hfill & e(\prod _{i\in c}{H}_3\left(ID\right|\left|fname\right||{\beta }_i{)}^{{\alpha }_i}·\prod _{j=1}^t{u}_j^{M_j},pk)\hfill \end{array}$$

(3)

When adversary A successfully forges a verifiable proof $P^{*}=\left\{M^{*},{\sigma }^{*},R\right\}$, it has

$$\begin{array}{cc}\hfill & e({\sigma }^{*},g)·e(R,pk)=e(H_1{\left(ID\right)}^{{\sum }_{i=1}^c{\alpha }_i},mpk)·\hfill \\ \hfill & e(\prod _{i\in c}{H}_3\left(ID\right|\left|fname\right||{\beta }_i{)}^{{\alpha }_i}·\prod _{j=1}^t{u}_j^{M_j^{*}},pk)\hfill \end{array}$$

(4)

Obviously, $M\ne M^{*}$; otherwise, $\sigma ={\sigma }^{*}$. Given $g,g^{\alpha },h\in G_1$, its goal is to compute $h^{\alpha }$. The extractor randomly selects $r_i\in Z_q^{*}$ for each $i(1\le i\le c)$ in the challenge, then sets $u_j={\left(g^a\right)}^{{\beta }_j}·{\left(h^b\right)}^{{\gamma }_j}$, where $a,b,{\beta }_j,{\gamma }_j\in Z_q^{*}$ and $1\le j\le t$. This means that ${\prod }_{j=1}^t{u}_j^{m_{ij}}={\prod }_{j=1}^t{[{\left(g^a\right)}^{{\beta }_j}·{\left(h^b\right)}^{{\gamma }_j}]}^{m_{ij}}={\left(g^a\right)}^{{\sum }_{j=1}^t{\beta }_j{m}_{ij}}·{\left(h^b\right)}^{{\sum }_{j=1}^t{\gamma }_j{m}_{ij}}$. Meanwhile, the extractor randomly selects an element $s\in Z_q^{*}$ as $msk$ and then performs $Extract$ and $KeyGen$ to generate the private key $sk=(s{k}_1,s{k}_2)=(H_1{\left(ID\right)}^s,x)$. Then, the extractor randomly selects an element $k\in Z_q^{*}$ and sets $pk=g^x={\left(g^{\alpha }\right)}^k$, which means that $x=k·\alpha$. Finally, for each i, the extractor sets

$$\begin{array}{c}\hfill H_3\left(ID\right|\left|fname\right|\left|i\right)=g^{r_i}/{\left(g^a\right)}^{{\sum }_{j=1}^t{\beta }_j{m}_{ij}}·{\left(h^b\right)}^{{\sum }_{j=1}^t{\gamma }_j{m}_{ij}}\end{array}$$

Hence, the extractor can compute ${\sigma }_i=s{k}_1·{\left(H_3\left(ID\right|\left|fname\right|\left|i\right)·{\prod }_{j=1}^t{u}_j^{m_{ij}}\right)}^{s{k}_2}=H_1{\left(ID\right)}^s·{\left(g^{r_i}\right)}^x$.

Thus, by dividing Equations (4) and (3) we can obtain

$$\begin{array}{cc}\hfill & e({\sigma }^{*}/\sigma ,g)\hfill \\ \hfill & =e(\prod _{j=1}^t{u}_j^{M_j^{*}-M_j},{(g^{\alpha })}^k)\hfill \\ \hfill & =e(\prod _{j=1}^t{({(g^a)}^{{\beta }_j}·{(h^b)}^{{\gamma }_j})}^{M_j^{*}-M_j},{(g^{\alpha })}^k)\hfill \\ \hfill & =e({(g^a)}^{{\sum }_{j=1}^t{\beta }_j·(M_j^{*}-M_j)}·{(h^b)}^{{\sum }_{j=1}^t{\gamma }_j·(M_j^{*}-M_j)},{(g^{\alpha })}^k)\hfill \\ \hfill & =e(g^{a·k·{\sum }_{j=1}^t{\beta }_j·△M_j}·h^{b·k·{\sum }_{j=1}^t{\gamma }_j·△M_j},g^{\alpha })\hfill \end{array}$$

(5)

From Equation (5), we can obtain

$$\begin{array}{c}\hfill h^{\alpha }={({\sigma }^{*}·{\sigma }^{-1}·g^{-a·k·{\sum }_{j=1}^t{\beta }_j·△M_j})}^{1/(b·k·{\sum }_{j=1}^t{\gamma }_j·△M_j)}\end{array}$$

According to the above equation, the CDH problem is unsolvable only when $b·k·{\sum }_{j=1}^t{\gamma }_j·△M_j=0modq$. Obviously, in the finite field generated by the large prime number q, the probability of $b·k·{\sum }_{j=1}^t{\gamma }_j·△M_j=0$ is infinitely close to $1/q$. This means that if adversary A successfully forges a verifiable proof, the extractor can solve the CDH problem with probability $1-1/q$, which contradicts the difficulty of solving the CDH problem.

$Game2.$$Game2$ introducesa new rule on the basis of $Game1$, that is, if the challenger $\beta$ finds that $M^{*}$ in proof $P^{*}$ generated by adversary A is not equal to the expected M, then the challenger terminates the game and declares defeat.

$Analysis.$ Given $g,h\in G_1$, we build an extractor the purpose of which is to compute a value $x\in Z_q^{*}$ which satisfies $h=g^x$. We set $u_j={\left(g^a\right)}^{{\beta }_j}·{\left(h^b\right)}^{{\gamma }_j}$, where $a,b,{\beta }_j,{\gamma }_j\in Z_q^{*}$ and $1\le j\le t$.

Suppose P is a correct proof generated by the honest cloud; then, we have

$$\begin{array}{cc}\hfill & e(\sigma ,g)·e(R,pk)=e(H_1{(ID)}^{{\sum }_{i=1}^c{\alpha }_i},mpk)·\hfill \\ \hfill & e(\prod _{i\in c}{H}_3(ID|\left|fname\right||{\beta }_i{)}^{{\alpha }_i}·\prod _{j=1}^t{u}_j^{M_j},pk)\hfill \end{array}$$

The adversary then generates a proof $P^{*}$, meaning that we have

$$\begin{array}{cc}\hfill & e({\sigma }^{*},g)·e(R,pk)=e(H_1{(ID)}^{{\sum }_{i=1}^c{\alpha }_i},mpk)·\hfill \\ \hfill & e(\prod _{i\in c}{H}_3(ID|\left|fname\right||{\beta }_i{)}^{{\alpha }_i}·\prod _{j=1}^t{u}_j^{M_j^{*}},pk)\hfill \end{array}$$

From $Game1$, we know that ${\sigma }^{*}=\sigma$. Thus, the extractor has

$$\begin{array}{c}\hfill \prod _{j=1}^t{u}_j^{M_j}=\prod _{j=1}^t{u}_j^{M_j^{*}}\end{array}$$

It is clear that

$$\begin{array}{cc}\hfill & 1=\prod _{j=1}^t{u}_j^{M_j^{*}-M_j}=\prod _{j=1}^t{u}_j^{△M_j}\hfill \\ \hfill & ={(g^a)}^{{\sum }_{j=1}^t{\beta }_j△M_j}·{(h^b)}^{{\sum }_{j=1}^t{\gamma }_j△M_j}\hfill \end{array}$$

Therefore, the extractor can solve the DL problem as follows:

$$\begin{array}{c}\hfill h=g^{-(a·{\sum }_{j=1}^t{\beta }_j△M_j)/(b·{\sum }_{j=1}^t{\gamma }_j△M_j)}\end{array}$$

According to the above equation, the DL problem is unsolvable only when $a·{\sum }_{j=1}^t{\beta }_j△M_j=0modq$. Obviously, in the finite field generated by the large prime number q, the probability of $a·{\sum }_{j=1}^t{\beta }_j△M_j=0$ is infinitely close to $1/q$. This means that if adversary A successfully forges a verifiable proof, the extractor can solve the DL problem with probability $1-1/q$, which contradicts the difficulty of solving the DL problem. From the above analysis, it can be seen that the proposed scheme is secure unless the adversary successfully solves both the CDH problem and the DL problem.

4.3. Sensitive Information Hiding Proof

Theorem 2

(Sensitive information hiding). In our designed scheme, only the CSP, DO, and legitimate users authorized by the DO can access the original data.

Proof. 

We demonstrate this proof in two parts: (1) the TPA cannot obtain the original data during the auditing process and (2) the DO-generated warrants for authorized users are hard to forge. □

In the process of auditing, the TPA can select several data blocks for multiple challenges; its purpose is to try to reverse the original data blocks through a sufficient number of polynomials. In our scheme, the proof generated by the CSP adds a blinding factor r to all linearly aggregated data blocks $M=\left\{M_j|M_j={\sum }_{i\in c}{\alpha }_i{m}_{{\beta }_{i}j}+r,j\in \left\{1,2,\dots ,t\right\}\right\}$, meaning that unless the TPA can solve r from ${\prod }_{j=1}^t{u}_j^r$, it cannot recover the data. However, due to the difficulty of solving the DL problem, it is very unlikely that the TPA will be able to recover the data through multiple challenges. In addition, unauthorized users and users who have revoked warrants and want to continue to obtain data have difficulty forging legitimate warrants. The reason for this is simple: if the warrant is successfully forged, it means that $k_{ID}$ is solved from $g^{k_{ID}}$, which contradicts the difficulty of solving the DL problem. Therefore, as long as the DL assumption is always true, the scheme designed in this paper can guarantee the privacy of data.

5. Performance Analysis

In order to further analyze the performance of our scheme, in this section we compare our scheme with [8,15] from two aspects, namely, theoretical analysis and experimental verification. Figure 2 shows the mapping used for file segmentation and label generation in this paper.

5.1. Theoretical Analysis

In this theoretical analysis, we analyze the three schemes from three aspects: $Storagecost$, $Communicationcost$, and $Computationcost$. Through the analysis of relevant algorithms, it is easy to see that $TagGen$ is the core algorithm in the auditing scheme, and $Challenge$, $ProofGen$ and $ProofVerify$ are the algorithms with the highest execution frequency. Thus, we focus on these three algorithms and ignore the others. Before starting the comparison, we assume that file F is split into $nt$ small chunks. The number of data blocks in each challenge is c.

5.1.1. Storage Cost

In analyzing the storage cost, we focus on the storage burden of the DO and CSP. In our scheme, the DO only needs to store his or her own private key; because the private key consists of two parts, the storage cost of the DO is $|G_1| + |Z_q^{*}|$. In addition, the CSP only needs to store the DO’s data block and the corresponding tags locally. In our scheme, t data blocks correspond to one tag, meaning that the actual storage cost of the CSP is $nt|Z_q^{*}| + n|G_1|$.

Table 3. Storage cost.

	DO	CSP
Our Scheme	$|G_1| + |Z_q^{*}|$	$nt|Z_q^{*}| + n|G_1|$
[8]	$|G_1| + |Z_q^{*}|$	$nt|G_1| + nt|Z_q^{*}|$
[15]	$|G_1| + |Z_q^{*}|$	$nt|G_1| + nt|Z_q^{*}|$

lists the storage cost comparison of the three schemes in detail. It is obvious that our scheme greatly reduces the storage burden on the CSP.

5.1.2. Communication Cost

Communication cost is divided into three main stages. First, the DO transmits data blocks and tags to the CSP. In this process, the communication cost of our scheme is $nt|Z_q^{*}| + n|G_1|$. The second is the challenge request sent by the TPA to the CSP in the challenge stages. The communication cost of our scheme during this period is $3|Z_q^{*}|$. Finally, the CSP feeds the proof back to the TPA, for which the communication cost is $t|Z_q^{*}| + 2|G_1|$.

Table 4. Communication cost.

	DO to CSP	TPA to CSP	CSP to TPA
Our Scheme	$nt|Z_q^{*}| + n|G_1|$	$3|Z_q^{*}|$	$t|Z_q^{*}| + 2|G_1|$
[8]	$nt|G_1| + nt|Z_q^{*}|$	$2c|Z_q^{*}|$	$|Z_q^{*}| + 2|G_1|$
[15]	$nt|G_1| + nt|Z_q^{*}|$	$3|Z_q^{*}|$	$|Z_q^{*}| + 4|G_1|$

lists the storage cost comparison of the three schemes in detail.

5.1.3. Computation Cost

Before we start our analysis, we audit $T_p$ for the computation of one time bilinear mapping, $T_e$ for the computation of one time exponentiation operation, and $T_m$ for the computation of one time multiplication. In the tag generation stage, the total computation of our scheme is $n(t+2)T_m+n(t+1)T_e$. In the proof generation stage, the total computation of our scheme is $(ct+c+t)T_m+(c+t)T_e$. In the proof verification stage, the total computation of our scheme is $4T_p+(2+c+t)T_m+(1+c+t)T_e$.

Table 5. Computational cost.

	TagGen	ProofGen	ProofVerify
Our Scheme	$n(t+2)T_m+n(t+1)T_e$	$(ct+c+t)T_m+(c+t)T_e$	$4T_p+(2+c+t)T_m+(1+c+t)T_e$
[8]	$2nt(T_m+T_e)$	$(2c+1)T_m+c{T}_e$	$3T_p+(c+1)T_m+(c+2)T_e$
[15]	$2nt(T_m+T_e)$	$2c{T}_m+(c+1)T_e+T_p$	$3T_p+(c+2)T_m+(c+3)T_e$

lists the computation cost comparison of the three schemes in detail. It can be seen from Table 5 that the advantage of our scheme is reflected in a low computation cost in the tag generation stage.

5.2. Experimental Verification

Our experimental environment used Ubuntu-20.04, Parallel Desktop 17 with 8 GB RAM, 64 GB disk space, and a 2 GB CPU. The host system was a macOS Monterey 12.5 running on a MacBook Pro laptop with core Apple M1 and 16 GB RAM. We used the Pair-Based Cryptography (PBC) library [29] for all experiments. In the reproduction experiments [8,15], we split the 1.8 MB dataset into 10,000 equal chunks. When implementing our scheme, we chose to divide the 1.8 MB data set into 1000 data blocks of equal size, with each data block then divided into ten small data blocks of equal size. The test files used are public datasets from the Github “https://ai.stanford.edu/~amaas/data/sentiment/ (accessed on 1 April 2022)” repository. We compared the scheme proposed in this paper with [8,15] in four aspects. It is worth noting that our scheme signed the ten small data blocks uniformly in the experiment. The specific results are described below.

First, we analyze and compare the efficiency of TagGen algorithm. Unlike the other three experiments, we chose to gradually increase the number of data blocks from 1000 to 10,000 in order to count the time required for tag generation. The results are shown in Figure 3. It can see from the figure that the tag generation efficiency of our scheme is much better than the other two schemes. This is because the total number of tags generated by our scheme is about one-tenth that of the other two schemes, making its computational efficiency much better.

Because the tags generated by our scheme are much smaller than those of the other two schemes, we allowed our scheme to repeatedly check the same data block during challenge to achieve a fair comparison.

Then, we analyzed the efficiency of Challenge algorithm. In the experiment, we gradually increased the number of challenging data blocks from 1000 to 10,000 and counted the time, as shown in Figure 4. Our scheme takes almost zero time, as does [15]; both are much better than [8]. This is due to the introduction of PRP and PRF, which greatly reduces challenge generation time. Therefore, our scheme has good performance in the challenge generation stage.

Next, we compare the performance of the ProofGen algorithm of the three schemes. The results are shown in Figure 5. Obviously, the efficiency of our scheme is low, because in order to make a fair comparison the number of data blocks challenged by our scheme in each challenge is the same as that of the other two schemes, which results in our algorithm spending more computing power to carry out the relevant calculations. It is worth noting, however, that our algorithm checks more data blocks with the same number of challenges.

The final experiment analyzes the ProofVerify algorithm.The results are shown in Figure 6. For the same reasons as above, this algorithm is less efficient than the other two schemes. However, despite a slight disadvantage in efficiency, the number of data blocks checked is much higher than with the other schemes.

It can be seen from the above experiments that the scheme proposed in this paper is better than both [8,15] in terms of label generation efficiency, while the time cost is slightly higher in proof generation and verification. In addition, the use of PRP and PRF makes the time cost of the proposed scheme in the challenge phase independent of the number of challenged data blocks, which is maintained near a fixed value.

6. Conclusions

In this paper, we propose a certificateless remote data integrity auditing scheme. Our scheme can ensure the privacy of data while providing a data access control algorithm, which makes possible the practical application of the scheme. A detailed security proof guarantees the reasonableness of our scheme. Theoretical analysis and experimental verification show that our scheme has better performance in terms of storage cost and tag generation, making it both efficient and feasible. In actual scenarios, the DO may add, modify, and delete data stored in the cloud. However, this paper does not consider the dynamic updating of data in the design of the audit scheme. In addition, most previous audit schemes consider dynamic updating when signing a single data block. However, the scheme of this paper is to aggregate several data blocks as a whole for signing. Using the traditional dynamic updating method directly in this paper would lead to substantial waste of computing resources. Therefore, in the future we intend to design an efficient dynamic remote data integrity auditing scheme based on this paper.