Advanced
An Efficient Provable Secure Public Auditing Scheme for Cloud Storage
An Efficient Provable Secure Public Auditing Scheme for Cloud Storage
KSII Transactions on Internet and Information Systems (TIIS). 2014. Nov, 8(11): 4226-4241
Copyright © 2014, Korean Society For Internet Information
  • Received : July 23, 2014
  • Accepted : September 10, 2014
  • Published : November 30, 2014
Download
PDF
e-PUB
PubReader
PPT
Export by style
Share
Article
Author
Metrics
Cited by
TagCloud
About the Authors
Chunxiang Xu
Yuan Zhang
Yong Yu
Xiaojun Zhang
Junwei Wen

Abstract
Cloud storage provides an easy, cost-effective and reliable way of data management for users without the burden of local data storage and maintenance. Whereas, this new paradigm poses many challenges on integrity and privacy of users' data, since users losing grip on their data after outsourcing the data to the cloud server. In order to address these problems, recently, Worku et al. have proposed an efficient privacy-preserving public auditing scheme for cloud storage. However, in this paper, we point out the security flaw existing in the scheme. An adversary, who is on-line and active, is capable of modifying the outsourced data arbitrarily and avoiding the detection by exploiting the security flaw. To fix this security flaw, we further propose a secure and efficient privacy-preserving public auditing scheme, which makes up the security flaw of Worku et al.’s scheme while retaining all the features. Finally, we give a formal security proof and the performance analysis, they show the proposed scheme has much more advantages over the Worku et al.’s scheme.
Keywords
1. Introduction
C loud storage is a momentous service of cloud computing, which provides an easy, cost-effective and reliable way of data management for users. Using cloud storage service, users can access their data remotely through the internet without incurring substantial hardware, software, and personnel costs involved in deploying and maintaining application in local storage. However, due to users losing grip on their data after outsourcing the data into cloud server, the integrity and correctness of the data are being put at risk and have naturally become the concerned focus of the cloud users. As a semi-trust part for cloud users, cloud server may discard the data motivated by the interest but claim that the data are still correctly stored. Furthermore, an adversary with profits motivation, who is interested in distorting the cloud user's data but convinces the cloud user of the data correctness and integrity [1] , [2] , [3] . Therefore, it is vital to check the correctness and integrity of the cloud data for protecting the stored data both from external adversaries and the cloud server itself.
Several outstanding research achievements [1] , [4] , [2] , [5] in addressing integrity and correctness of outsourced data have emerged. However, some of them have been proved insecure [6] , [7] , and some of them still have the room for performance improvement.
Recently, a public auditing scheme [3] was proposed to check the correctness and integrity of outsourced data for cloud storage. This scheme fixes the security flaw pointed out by [6] , meantime, it also improves efficiency.
In this paper, we review the public auditing scheme in [3] and point out that the scheme owns a security flaw. With the security flaw, an adversary is able to arbitrarily modify the cloud user's data, and it cannot be discovered. Particularly, an adversary, who is on-line and active, can produce a valid auditing proof to pass the data correctness and integrity checking. Once successful, the adversary can cheat the third-part auditor (TPA) and the cloud user. The adversary just needs recording how data are modified, intercepting, tampering with and transponding an interaction message between the cloud server and TPA to avoid the data correctness and integrity detection. Moreover, we propose a new secure and efficient privacy-preserving public auditing scheme. The proposed scheme fixes the security flaw existing in the Worku et al.’s scheme, while retaining all the features. At last, we give a formal security proof of the proposed scheme, it shows that the scheme is secure and fixes the security flaw indeed. We also give a performance analysis of the proposed scheme to prove the scheme is efficient.
2. Preliminaries
- 2.1 The System and Security Model
Our system model and security model are designed based on the model in [3] .
An auditing system for cloud storage involves cloud user, cloud server and third-party auditor (TPA) as shown in Fig. 1 .
PPT Slide
Lager Image
The System Model
The cloud user is the data owner, who needs flexibly to store and get his data in the cloud.
The cloud server is the provider of cloud services, it has significant storage space and a massive amount of computing power. The cloud server as a semi-trust part for the cloud user, that is, most of the time, cloud server executes the auditing protocol honestly, but in relationship with individual cloud users which are its stakeholders, cloud server might deviate from the prescribed routine.
The TPA has expertise and capabilities that cloud user does not have, who is managed by a trusted organization and will audit the data stored in cloud server by cloud users when needed. The TPA is regarded as an honest entity but curious. That is, the TPA honestly performs the auditing protocol, it is reliable and independent and thus has no incentive to collude with either the cloud server or the users during the auditing process. However, it is interest in the users’ data.
An auditing scheme can be said to be secure if and only if both of the following conditions hold:
  • 1. There is no any polynomial time algorithm that can pass the auditing with non-negligible probability.
  • 2. There is a polynomial time extractor that might recover the original data by doing multiple challenge-response executions.
The security of our scheme is constructed under the hardness assumption of computational Diffie-Hellman problem (CDH) and Discrete Logarithm problem (DL) over bilinear groups in the random oracle model [3] , [10] .
- 2.2 Notations and Basic Theory
We now introduce some necessary notations and basic theory, which will be utilized below.
We will work in the group Zp . F denotes the data file and m denotes the data block. F = { m1 , m2 , ..., mn } is made up of data blocks to be stored in cloud server, for each data file, n may be different.
Bilinear Map . Let G and GT be two multiplicative cyclic groups of the same prime order p , g be a generator of G . A bilinear map is that e : G x G GT with the following properties:
(1) Linearity. For any u , u 1 , u 2 , v , v 1 , v 2 G , then
  • e(u1‧u2,v) =e(u1,v)‧e(u2,v)
  • e(u,v1‧v2) =e(u,v1)‧e(u,v2)
(2) Non-degeneracy. For u , v G and u v , e is anti-symmetrical: e ( u , v ) ≠ 1.
(3) Bilinearity. For all u , v G and a , b Zp :
  • e(ua,vb) =e(u,v)a‧b
(4) Computability. There exists an efficiently computable algorithm for computing e .
Table 1 shows some notations and their descriptions.
Notations and Descriptions
PPT Slide
Lager Image
Notations and Descriptions
3. Review the Worku et al.'s scheme
For ease of description, we omit the batch auditing and any other inessential details.
The data file F = { mi } i ∈[1,n] is stored in the cloud server. Worku et al.'s scheme consists of four basic algorithms: KeyGen , SigGen , ProofGen and VerifyProof .
( pk , sk ) ← KeyGen (1 k ) : The user generates a random signing key pair (ssk , spk) , then he randomly chooses x , u G , and computes v = gx G . The user then stores sk = { x , ssk } as his secret parameters and states pk = { u , v , g , spk } as public parameters.
( ϕ ) ← SigGen ( sk , F ) : The user chooses a random element name for file naming and computes the file tag as t = name Sigssk ( name ), and generates a signature σi for each block mi as follows:
PPT Slide
Lager Image
Then he sends { F , ϕ = { σi } 1≤in , t } to the cloud server for storage. Any time when the TPA wants to start the auditing protocol, it first retrieves the tag t and checks its validity by spk . Then it constructs a challenge chal = { c , k 1 , k 2 }, where c is the number of data blocks to be checked and k 1 , k 2 are pseudorandom permutation keys chosen randomly by the TPA for each auditing.
( P ) ← ProofGen ( F , ϕ , chal ): Upon receiving the chal , the cloud server determines the subset I = { sj }(1 ≤ j n ) of set [1, n ], and computes
PPT Slide
Lager Image
and
PPT Slide
Lager Image
where k 3 is a pseudorandom function key generated by the cloud server for each auditing. And then, the server computes: R = ur G ,
PPT Slide
Lager Image
, μ = μ * + r h ( R ) and
PPT Slide
Lager Image
. Finally, the cloud server sends ( μ , σ , R ) to the TPA.
( True , False ) ← VerifyProof ( pk , chal , P ) : After receiving the proof from the cloud server, the TPA computes
PPT Slide
Lager Image
where (1 ≤ j c ) and verifies the proof by the following equation:
PPT Slide
Lager Image
If the equation holds, output "True"; Otherwise, output "False".
4. Cryptanalysis of the Worku et al.'s scheme
The Worku et al.'s scheme owns privacy-preserving guarantee and can be extended to support batch auditing. And the authors claim that their scheme is provably secure in the random oracle model. Although a formal proof is given in [3] to prove the scheme is secure, there still exists a strong adversary in the real cloud application scenario. For example, an adversary, who is on-line and active, can modify the outsourced data in the way he needs and also modify an interaction messages between cloud server and TPA in the network, in order to fool the TPA and the cloud user to trust that the data are well maintained by the cloud server.
Assume the adversary modifies each data block mi to mi * = mi + li for i ∈ [1, n ] and he records how the user's data are modified. In the ProofGen phase, cloud server computes
PPT Slide
Lager Image
as:
PPT Slide
Lager Image
PPT Slide
Lager Image
Then the cloud server sends
PPT Slide
Lager Image
to the TPA. The adversary intercepts this invalid proof, computes vi and modifies it to
PPT Slide
Lager Image
. Then the adversary sends the modified proof to the TPA.
After receiving the proof, the TPA verifies the following equation:
PPT Slide
Lager Image
For the above equation, the right-hand side as:
PPT Slide
Lager Image
Thus, the verification equation holds. In this way, the TPA seemingly has every reason to believe that the data stored in cloud server are well maintained. Actually, it is not true. Therefore, the adversary successfully modifies the outsourced data while passing the verification.
The worku et al.'s scheme owns the security flaw, since the adversary can modify the forge proof to the valid proof. Essentially, the cloud server uses a random mask code to blind the user's information for privacy-preserving, but there exists definite linear relationship between the random mask code and the blinded information. This definite linear relationship causes the security flaw which exists in original scheme mentioned before.
5. The proposed scheme
In this section, we propose a secure and efficient public auditing scheme. The scheme fixes the aforementioned security flaw while retaining all the features of the Worku et al.’s scheme. Our scheme employs a nonlinear disturbance code to change the definite linear relationship between the random mask code and the blinded information to non-linear relationship.
The proposed scheme has four basic algorithms ( KenGen , SigGen , ProofGen and VerifyProof ). Same as the Worku et al.’s scheme, we assume the data file F = { mi } i ∈[1,n] is stored in the cloud server.
In the KenGen algorithm, a cloud user generates a random signing key pair (ssk , spk) , randomly chooses x , u G and computes v = gx G . Here, the user’s secret parameters are sk = { x , ssk } and public parameters are pk = { u , v , g , spk }.
In the SigGen algorithm, the user chooses a random element name for file naming and computes the file tag as t = name Sigssk ( name ), and generates a signature σi for each block mi as follows:
PPT Slide
Lager Image
And then, the user sends
PPT Slide
Lager Image
to the cloud server for storage. Whenever the TPA wants to check the integrity of the cloud-stored data, it first retrieves the tag t and checks its validity by spk . Then it constructs a challenge chal = { c , k 1 , k 2 }, where c is the number of data blocks to be checked and k 1 , k 2 are pseudorandom permutation keys chosen randomly by the TPA for each checking. Finally, the TPA sends chal to the cloud server.
In the ProofGen algorithm, the cloud server determines the subset I = { sj }(1 ≤ j n ) of set [1, n ], computes
PPT Slide
Lager Image
and
PPT Slide
Lager Image
where k 3 is a pseudorandom function key generated by the cloud server for each auditing. And then, the server computes: R = ur G ,
PPT Slide
Lager Image
, μ = r   -1 ‧( μ * + h ( R )) and
PPT Slide
Lager Image
. Finally, the cloud server sends ( μ , σ , R ) to the TPA.
In the VerifyProof () algorithm, the TPA verifies the following equation:
PPT Slide
Lager Image
If the equation holds, output "True"; Otherwise, output "False".
- 5.1 Support for batch auditing
Our scheme also supports the batch auditing.
If there are K different users with K different data, let U = { Ux }( x K ) be the set containing all these users. Each user Ux has a data file
PPT Slide
Lager Image
to be outsourced to the cloud server. Firstly, each user Ux generates his secret parameters ( αx , sskx ) and public parameters ( ux , vx = gαx , g , spkx ) independently. For Ux ( x K ), he chooses a random element namex , as the identifier of the data file Fx . Then Ux calculates his file tag tx = namex Sig sskx ( namex ). Choosing ux from G randomly, and each of them computes a signature for every mx,i ( x ∈[1, K ], i ∈[1, n ]) as:
PPT Slide
Lager Image
Finally, all users send
PPT Slide
Lager Image
to the cloud server for storage.
Any time when the TPA wants to start the auditing protocol, it makes some necessary calculations and get the challenge parameters chal = { c , k 1 , k 2 } for auditing. Then the TPA sends the chal to the cloud server.
After receiving chal , the cloud server determines the subset I = { s 1 , s 2 ,..., sk }. It randomly chooses rx Zp , computes
PPT Slide
Lager Image
for each user. And then, the cloud server computes:
PPT Slide
Lager Image
The cloud server then sends the proof P = { σ ,{ μx } x∈I , { Rx } x∈I } to the TPA.
After receiving the proof from the cloud server, the TPA verifies the data integrity by the following equation:
PPT Slide
Lager Image
6. Evaluation
In this section, we give an overall evaluation in the proposed scheme. It consists of correctness proof, security analysis, performance analysis.
- 6.1 Correctness Proof
Here, we give the correctness proof of the verifiable equation (1) and (2) . It guarantees that our scheme is credible.
For (1) , the left-hand side as:
PPT Slide
Lager Image
For (2) , the left-hand side as:
PPT Slide
Lager Image
- 6.2 Security analysis
Here, we first prove that the proposed scheme fixes the security flaw which exists in the original scheme. Then, we give a formal proof of the proposed scheme's storage security. Finally, we prove the scheme can preserve the cloud user's privacy. Our security analysis depends on the hardness assumption of discrete logarithm problem (DLP) and the hardness assumption of Computational Diffie-Hellman problem (CDH). The Definition 1 recalls DLP on G . And the Definition 2 recalls CDH on G .
Definition 1 : DLP states that given h , g G as input, compute a Zp such that h = ga .
Definition 2 : CDH problem states that given g , ga , gb G , where a , b Zp , as input, compute h = gab .
- 6.2.1 Fixing the security flaw existing in the Worku et al.’ scheme
We suppose that there exists an adversary modifying each data mi to mi * = mi + li for i ∈ [1, n ]. The adversary records how the cloud user's data are modified. In the auditing process, the TPA and the cloud server honestly execute the protocol. That is, in the SigGen () phase, the TPA sends a challenge chal = { c , k 1 , k 2 } to the cloud server. In the ProofGen () phase, after calculating si ,
PPT Slide
Lager Image
, r , R , σ and r   -1 , the cloud server computes:
PPT Slide
Lager Image
Then the cloud server sends
PPT Slide
Lager Image
to the TPA. The adversary intercepts Proof on the channel. However, if the adversary attempts to modify the Proof to the valid Proof , he must modify the
PPT Slide
Lager Image
to μ . That is, he should compute
PPT Slide
Lager Image
. We notice that r is randomly chosen by the cloud server and is unknown to the adversary, and R = ur G , due to the hardness assumption of DLP, the adversary is still agnostic of the values r and r   -1 . Therefore, our scheme can resist the aforementioned attack.
- 6.2.2 Storage security assurance
We need to prove that cloud server cannot generate valid proof P without storing the correctness and integrity data, as captured by Theorem 1 .
Theorem 1 : If the cloud server passes the phase of data auditing, it must possess truly the specified data intact.
Proof . As [3] , there exists a challenger controlling the random oracle H (‧) , the malicious cloud server is treated as an adversary. If the adversary can forge a valid auditing proof to pass the verification with non-negligible probability, the challenger can construct a simulator that can solve the CDH problem.
The simulator randomly chooses a , b from Zp and h from G . Set v = gα , u = gahb . For each i in the challenge, the simulator chooses ri from Zp and the file identifier name , and processes the random oracle:
PPT Slide
Lager Image
We note that u = gahb and
PPT Slide
Lager Image
Therefore, the simulator calculates
PPT Slide
Lager Image
for signature query.
Actually, for the challenger, P = { σ , μ , R } is the valid response from the cloud server. And in this case, given ( g , gα , R ) ∈ G , the simulator wants to output Rα . Here, we stress in particular that it is difference from the original CDH problem. However, the adversary have been computed the r and hidden from the challenger, and then, R is definite and public. Thus, the simulator outputs Rα is also a CDH problem [11] .
Now, we will go on proving the Theorem 1 . The aforementioned P can meet verification equation (1).
PPT Slide
Lager Image
However, the malicious cloud server will try to forge the response proof as P' = { σ' , μ' , R } while r is the same as before. Thus, the response P' can also meet the equation as follows:
PPT Slide
Lager Image
As the challenger's process defined in the security model of original scheme, if σ = σ' , the challenger stop responding to the adversary. So σ σ' and μ μ' . Here, we define Δ μ = μ' - μ , Δ μ * = μ *' - μ * , and the adversary can solve the CDH problem as follows:
PPT Slide
Lager Image
Because r is same for the two verification equations above, and μ = r   -1 ‧( μ + h ( R )), we can get Δ μ r = Δ μ * , and further get:
PPT Slide
Lager Image
And because R = ur , v = gα , according to the bilinear property, we can rearrange and simplify the equation (5) as follows:
PPT Slide
Lager Image
It is clear that
PPT Slide
Lager Image
. Our premise is that μ' μ , thus Δ μ ≠ 0. Therefore, we can compute Rα . However, it contradicts to the hardness assumption of CDH. Therefore σ' = σ .
The simulator can solve the DLP, only if the adversary success probability is non-negligible. As described before, since σ' = σ , μ' is different from μ . The challenger answers the queries from the adversary and we have:
PPT Slide
Lager Image
It means r Δ μ = 0 mod p , and because the r is uniform, we can deduce μ' = μ . But it is inconsistent with our assumption. Therefore, u rΔμ = 1 . In this case, we can solve the DLP as follows:
  • 1 =urΔμ= (gahb)rΔμ=graΔμ‧hrbΔμ
The solution to DLP is:
PPT Slide
Lager Image
However, the probability of b = 0 just only 1/ p , and can be ignored. This completes the proof of the Theorem 1 .
- 6.2.3 Privacy-preserving Assurance
The following theorem indicates that the TPA cannot recover users' data during the verification process. Concretely, the TPA cannot recover μ * from the security perspective.
Theorem 2 . The TPA cannot recover μ * from the cloud server's Proof = { μ , σ , R }.
Proof . While the TPA tries to recover the user's data, it controls c in chal and obtains enough linear combinations of the data block mi and its corresponding element vi , and then, it achieves the goal by solving this system of linear equations. On this occasion, when the cloud server generates a valid proof, it blinds μ * using r   -1 which is the inverse element of the random mask r . If the TPA still attempts to get μ * , there are two methods to attain. One is to immediately obtains r   -1 , the other is to compute r   -1 by R . Since
PPT Slide
Lager Image
  k 3 is randomly chosen by the cloud server and is unknown to the TPA, the TPA cannot work out r and r   -1 . Therefore, the former method is not workable. For the latter method, note that R = ur G , due to the hardness assumption of DLP, the value r is still unknown to the TPA. As a consequence, μ assures the privacy of μ * .
This completes the proof of the Theorem 2 .
- 6.3 Performance Analysis
We give elaborate performance analysis in order to show the efficiency of the proposed scheme. In our experiment, the process of the user, the server and the TPA are implemented on a windows 7 system with an Intel Core 2 i5 CPU running at 2.53 GHz, 2 GB DDR 3 of RAM(1.74 GB available). All algorithms are implemented by C language, and our code uses the MIRACL library version 5.6.1. The elliptic curve we used is a MNT curve, where the base field size is 159 bits and the embedding degree is 6. The security level is chosen to be 80 bits, it means that | vi | = 80 and | p | = 160. All the results of experiment are represented the average of 30 trials.
In the following, we emphasize on reporting our performance results from computational overhead. And we also give a performance comparison with [3] . According to the comparison, we can see that our scheme retains the efficiency of [3] while fixing its security flaw.
- 6.3.1 The Proposed Scheme's Computation Overhead
Firstly, We specify some notations represent the computation of corresponding operation (refer to Table 2 ).
Notation of Operations
PPT Slide
Lager Image
Notation of Operations
For our scheme, on the cloud user side, the main calculation is in computing public parameters, the file tag and the data blocks' signatures (we use DSS to sign the data need to be signed). His computation cost is:
  • (2n+2)‧Exp

    + (n+2)‧MultG+AddZp+HashG+HashZp

On the TPA side, before generating chal , it retrieves the file tag T . After receiving Proof , the TPA checks the verification equation. The corresponding computation cost is
PPT Slide
Lager Image
Similarly, on the cloud server side, it computes μ * , θ , R and μ * . The corresponding computation cost is :
  • (c+1)‧MultG+ (c+1)‧Exp

    + (c+1)‧AddZp+HashZp+ComInverZp

Compared with [3] , our scheme just additionally calculates an inverse element in cloud server side. The operation of computing inverse element is too small to be ignored. Therefore, in a practical system, our scheme is of high efficiency as [3] . And Fig. 2 shows the performance of TPA in different challenge blocks c .
PPT Slide
Lager Image
The performance of TPA in different challenge blocks
- 6.3.2 Batch Auditing Overhead with Its Advantage
Fig. 3 and Fig. 4 respectively indicate the efficiency comparison on auditing time between batch auditing and basic auditing in c = 300 and c = 500 . The experiment shows that batch auditing improves efficiency a lot.
PPT Slide
Lager Image
Comparison on auditing time between batch and individual auditing (c=300)
PPT Slide
Lager Image
Comparison on auditing time between batch and individual auditing (c=500)
Through above fomal security proof and performance analysis, we can see that our scheme fixes the aforementioned security flaw while ensuring the same efficiency. Therefore, the proposed scheme has advantages over the [3] in a practical application.
7. Conclusion
In this paper, we give a cryptanalysis in Worku et al.'s scheme, and prove their scheme has a security flaw. Exploiting the security flaw, an adversary is able to arbitrarily modify the cloud user's data while avoiding the detection. Furthermore, we propose an efficient and provable secure public auditing scheme for cloud storage. The proposed scheme fixes the security flaw existing in the Worku et al.’s scheme while retaining all features. The formal security proof and performance analysis demonstrate that our scheme is secure and as efficient as worku et al.’s scheme.
Acknowledgements
This work is supported by the National Natural Science Foundation of China (No.61370203) and the Science and Technology on Communication Security Laboratory Foundation (Grant No. 9140C110301110C1103)
BIO
Chunxiang Xu received her B.Sc., M.Sc. and Ph.D. degrees at Xidian University, in 1985, 1988 and 2004 respectively, P.R.China. She is presently engaged in information security, cloud computing security and cryptography as a professor at University of Electronic Science Technology of China (UESTC).
Yuan Zhang received his B.Sc. degree in University of Electronic Science Technology of China (UESTC) in 2013,P.R.China. He is currently a master student in School of Computer Science and Engineering at University of Electronic Science Technology of China. His research interests are cryptography, network security and Cloud Computing security.
Yong Yu received his Ph.D. degree in cryptography from Xidian University in 2008. He is currently an associate professor of University of Electronic Science and Technology of China and a Vice Chancellor's research fellow of the University of Wollongong as well. His research focuses on cryptography and its applications, especially public encryption, digital signature and secure cloud storage.
Xiaojun Zhang received his B.Sc. degree in mathematics and applied mathematics at Hebei Normal University in 2009,P.R.China and received M.Sc degree at Guangxi University in 2012. He is a Ph.D. degree candidate in information security at University of Electronic Science Technology of China (UESTC). He is a student member of CACR. He is presently engaged in cryptography, network security and cloud computing security.
Junwei Wen received his B.Eng. degree from Southwest Jiaotong University(SWJTU) in 2009,P.R.China. He is currently a master student in School of Computer Science and Engineering at University of Electronic Science Technology of China (UESTC). His research interests is in intrusion detection, network security.
References
Wang C , Wang Q , Ren K , Lou W “Privacy-preserving public auditing for data storage security in cloud computing,” in Proc. of IEEE Conf. on Computer Communication March 14-19, 2010 1 - 9
Yang K , Jia X 2013 “An efficient and secure dynamic auditing protocol for data storage in cloud computing,” IEEE Transactions on Parallel and Distributed Systems 24 (9) 1717 - 1726    DOI : 10.1109/TPDS.2012.278
Worku S G , Xu C , Zhao J , He X 2014 “Secure and efficient privacy-preserving public auditing scheme for cloud storage,” Computers & Electrical Engineering 40 (5) 1703 - 1713    DOI : 10.1016/j.compeleceng.2013.10.004
Wang C , Chow S. S , Wang Q , Ren K , Lou W 2013 “Privacy-preserving public auditing for secure cloud storage,” IEEE Transactions on Computers 62 (2) 362 - 375    DOI : 10.1109/TC.2011.245
Zhao J , Xu C , Li F , Zhang W 2013 “Identity-Based public verification with privacy-preserving for data storage security in cloud computing,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 96 (12) 2709 - 2716    DOI : 10.1587/transfun.E96.A.2709
Xu C , He X , Abraha-Weldemariam D “Cryptanalysis of Wang’s auditing protocol for data storage security in cloud computing,” in Proc. of International Conf. on Information Computer Application September 14-16, 2012 422 - 428
Ni J , Yu Y , Mu Y , Xia Q 2013 “On the Security of an Efficient Dynamic Auditing Protocol in Cloud Storage,” IEEE Transactions on Parallel and Distributed Systems 25 (10) 2760 - 2761    DOI : 10.1109/TPDS.2013.199
Li H , Lin X , Yang H , Liang X , Lu R , Shen X 2014 “EPPDR: An Efficient Privacy-Preserving Demand Response Scheme with Adaptive Key Evolution in Smart Grid,” IEEE Transactions on Parallel and Distributed Systems 25 (8) 2053 - 2064    DOI : 10.1109/TPDS.2013.124
Giuseppe A , Randal B , Reza C , Joseph H , Lea K , Zachary P , Dawn S “Provable data possession at untrusted stores,” in Proc. of ACM conf. on computer and communications security October 29–November 2, 2007 598 - 609
Shacham H , Waters B “Compact proofs of retrievability,” in Pro.of International Conf. on the Theory and Application of Cryptology and Information Security December 7-11, 2008 90 - 107
Boldyreva A , Gentry C , O'Neill A , Yum D. H “Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing,” in Proc. of ACM conf. on Computer and communications security October 29–November 2, 2007 276 - 285