Cloud storage provides an easy, cost-effective and reliable way of managing data, freeing users from the burden of local data storage and maintenance. However, this new paradigm poses many challenges to the integrity and privacy of users' data, since users lose control of their data after outsourcing it to the cloud server. To address these problems, Worku et al. recently proposed an efficient privacy-preserving public auditing scheme for cloud storage. In this paper, we point out a security flaw in that scheme. An adversary who is online and active can exploit the flaw to modify the outsourced data arbitrarily while avoiding detection. To fix the flaw, we propose a secure and efficient privacy-preserving public auditing scheme that closes it while retaining all the features of Worku et al.'s scheme. Finally, we give a formal security proof and a performance analysis, which show that the proposed scheme has advantages over Worku et al.'s scheme.
1. Introduction
Cloud storage is an important service of cloud computing, which provides an easy, cost-effective and reliable way of data management for users. Using a cloud storage service, users can access their data remotely through the Internet without incurring the substantial hardware, software and personnel costs involved in deploying and maintaining applications in local storage. However, because users lose control of their data after outsourcing it to the cloud server, the integrity and correctness of the data are put at risk and have naturally become a major concern of cloud users. As a semi-trusted party for cloud users, the cloud server may discard data out of self-interest but claim that the data are still correctly stored. Furthermore, a profit-motivated adversary may be interested in distorting the cloud user's data while convincing the cloud user of the data's correctness and integrity [1], [2], [3]. Therefore, it is vital to check the correctness and integrity of the cloud data in order to protect the stored data both from external adversaries and from the cloud server itself.
Several outstanding research achievements [1], [4], [2], [5] in addressing the integrity and correctness of outsourced data have emerged. However, some of them have been proved insecure [6], [7], and some of them still have room for performance improvement.
Recently, a public auditing scheme [3] was proposed to check the correctness and integrity of outsourced data for cloud storage. This scheme fixes the security flaw pointed out by [6] and, at the same time, improves efficiency.
In this paper, we review the public auditing scheme in [3] and point out that the scheme has a security flaw. With this flaw, an adversary is able to arbitrarily modify the cloud user's data without being discovered. In particular, an adversary who is online and active can produce a valid auditing proof that passes the data correctness and integrity check. Once successful, the adversary can cheat the third-party auditor (TPA) and the cloud user. To avoid the data correctness and integrity detection, the adversary only needs to record how the data are modified and to intercept, tamper with and forward one interaction message between the cloud server and the TPA. Moreover, we propose a new secure and efficient privacy-preserving public auditing scheme. The proposed scheme fixes the security flaw in Worku et al.'s scheme while retaining all its features. Finally, we give a formal security proof of the proposed scheme, which shows that the scheme is secure and indeed fixes the flaw. We also give a performance analysis of the proposed scheme to show that it is efficient.
2. Preliminaries
 2.1 The System and Security Model
Our system model and security model are based on the model in [3].
An auditing system for cloud storage involves a cloud user, a cloud server and a third-party auditor (TPA), as shown in Fig. 1.
The System Model
The cloud user is the data owner, who needs to store and retrieve his data in the cloud flexibly.
The cloud server is the provider of cloud services; it has significant storage space and a massive amount of computing power. The cloud server is a semi-trusted party for the cloud user: most of the time it executes the auditing protocol honestly, but in its relationship with individual cloud users, who are its stakeholders, it might deviate from the prescribed routine.
The TPA has expertise and capabilities that the cloud user does not have. It is managed by a trusted organization and audits the data stored in the cloud server by cloud users when needed. The TPA is regarded as an honest but curious entity. That is, the TPA performs the auditing protocol honestly; it is reliable and independent, and thus has no incentive to collude with either the cloud server or the users during the auditing process. However, it is interested in the users' data.
An auditing scheme is said to be secure if and only if both of the following conditions hold:

1. There is no polynomial-time algorithm that can pass the auditing with non-negligible probability.

2. There is a polynomial-time extractor that can recover the original data by carrying out multiple challenge-response executions.
The security of our scheme rests on the hardness assumptions of the computational Diffie-Hellman (CDH) problem and the discrete logarithm (DL) problem over bilinear groups in the random oracle model [3], [10].
 2.2 Notations and Basic Theory
We now introduce the notations and basic theory that will be used below.
We work in the group $Z_p$. $F$ denotes the data file and $m$ denotes a data block. $F = \{m_1, m_2, \ldots, m_n\}$ is made up of the data blocks to be stored in the cloud server; $n$ may differ from one data file to another.
Bilinear Map. Let $G$ and $G_T$ be two multiplicative cyclic groups of the same prime order $p$, and let $g$ be a generator of $G$. A bilinear map is a map $e: G \times G \rightarrow G_T$ with the following properties:
(1) Linearity. For any $u, u_1, u_2, v, v_1, v_2 \in G$,

$e(u_1 \cdot u_2, v) = e(u_1, v) \cdot e(u_2, v)$

$e(u, v_1 \cdot v_2) = e(u, v_1) \cdot e(u, v_2)$
(2) Nondegeneracy. For $u, v \in G$ and $u \neq v$, $e$ is antisymmetrical: $e(u, v) \neq 1$.
(3) Bilinearity. For all $u, v \in G$ and $a, b \in Z_p$:
(4) Computability. There exists an efficiently computable algorithm for computing $e$.
Table 1 shows some notations and their descriptions.
Notations and Descriptions
3. Review the Worku et al.'s scheme
For ease of description, we omit the batch auditing and any other inessential details.
The data file $F = \{m_i\}_{i \in [1,n]}$ is stored in the cloud server. Worku et al.'s scheme consists of four basic algorithms: KeyGen, SigGen, ProofGen and VerifyProof.
$(pk, sk) \leftarrow$ KeyGen$(1^k)$: The user generates a random signing key pair $(ssk, spk)$, then randomly chooses $x, u \in G$ and computes $v = g^x \in G$. The user then stores $sk = \{x, ssk\}$ as his secret parameters and publishes $pk = \{u, v, g, spk\}$ as public parameters.
$(\phi) \leftarrow$ SigGen$(sk, F)$: The user chooses a random element $name$ for file naming, computes the file tag as $t = name \,\|\, Sig_{ssk}(name)$, and generates a signature $\sigma_i$ for each block $m_i$ as follows:
Then he sends $\{F, \phi = \{\sigma_i\}_{1 \le i \le n}, t\}$ to the cloud server for storage. Whenever the TPA wants to start the auditing protocol, it first retrieves the tag $t$ and checks its validity using $spk$. Then it constructs a challenge $chal = \{c, k_1, k_2\}$, where $c$ is the number of data blocks to be checked and $k_1, k_2$ are pseudorandom permutation keys chosen randomly by the TPA for each audit.
$(P) \leftarrow$ ProofGen$(F, \phi, chal)$: Upon receiving $chal$, the cloud server determines the subset $I = \{s_j\}$ $(1 \le j \le n)$ of the set $[1, n]$, and computes
and
where $k_3$ is a pseudorandom function key generated by the cloud server for each audit. The server then computes:
$R = u^r \in G$,
,
$\mu = \mu^* + r \cdot h(R)$ and
. Finally, the cloud server sends $(\mu, \sigma, R)$ to the TPA.
$(True, False) \leftarrow$ VerifyProof$(pk, chal, P)$: After receiving the proof from the cloud server, the TPA computes
where $(1 \le j \le c)$ and verifies the proof by the following equation:
If the equation holds, output "True"; otherwise, output "False".
4. Cryptanalysis of the Worku et al.'s scheme
Worku et al.'s scheme provides a privacy-preserving guarantee and can be extended to support batch auditing. The authors claim that their scheme is provably secure in the random oracle model. Although a formal proof is given in [3] that the scheme is secure, a strong adversary still exists in the real cloud application scenario. For example, an adversary who is online and active can modify the outsourced data as he wishes and also modify an interaction message between the cloud server and the TPA in the network, in order to fool the TPA and the cloud user into trusting that the data are well maintained by the cloud server.
Assume the adversary modifies each data block $m_i$ to $m_i^* = m_i + l_i$ for $i \in [1, n]$ and records how the user's data are modified. In the ProofGen phase, the cloud server computes
as:
Then the cloud server sends
to the TPA. The adversary intercepts this invalid proof, computes $v_i$ and modifies it to
. Then the adversary sends the modified proof to the TPA.
After receiving the proof, the TPA verifies the following equation:
For the above equation, the right-hand side is:
Thus, the verification equation holds. In this way, the TPA seemingly has every reason to believe that the data stored in the cloud server are well maintained, although this is not true. Therefore, the adversary successfully modifies the outsourced data while passing the verification.
Worku et al.'s scheme has this security flaw because the adversary can turn the forged proof into a valid proof. Essentially, the cloud server uses a random mask to blind the user's information for privacy preservation, but there is a definite linear relationship between the random mask and the blinded information. This definite linear relationship causes the security flaw in the original scheme described above.
5. The proposed scheme
In this section, we propose a secure and efficient public auditing scheme. The scheme fixes the aforementioned security flaw while retaining all the features of Worku et al.'s scheme. Our scheme employs a nonlinear disturbance code to turn the definite linear relationship between the random mask and the blinded information into a nonlinear one.
The proposed scheme has four basic algorithms (KeyGen, SigGen, ProofGen and VerifyProof). As in Worku et al.'s scheme, we assume the data file $F = \{m_i\}_{i \in [1,n]}$ is stored in the cloud server.
In the KeyGen algorithm, a cloud user generates a random signing key pair $(ssk, spk)$, randomly chooses $x, u \in G$ and computes $v = g^x \in G$. Here, the user's secret parameters are $sk = \{x, ssk\}$ and the public parameters are $pk = \{u, v, g, spk\}$.
In the SigGen algorithm, the user chooses a random element $name$ for file naming, computes the file tag as $t = name \,\|\, Sig_{ssk}(name)$, and generates a signature $\sigma_i$ for each block $m_i$ as follows:
The user then sends
to the cloud server for storage. Whenever the TPA wants to check the integrity of the cloud-stored data, it first retrieves the tag $t$ and checks its validity using $spk$. Then it constructs a challenge $chal = \{c, k_1, k_2\}$, where $c$ is the number of data blocks to be checked and $k_1, k_2$ are pseudorandom permutation keys chosen randomly by the TPA for each check. Finally, the TPA sends $chal$ to the cloud server.
In the ProofGen algorithm, the cloud server determines the subset $I = \{s_j\}$ $(1 \le j \le n)$ of the set $[1, n]$, computes
and
where $k_3$ is a pseudorandom function key generated by the cloud server for each audit. The server then computes:
$R = u^r \in G$,
,
$\mu = r^{-1} \cdot (\mu^* + h(R))$ and
. Finally, the cloud server sends $(\mu, \sigma, R)$ to the TPA.
In the VerifyProof() algorithm, the TPA verifies the following equation:
If the equation holds, output "True"; otherwise, output "False".
 5.1 Support for batch auditing
Our scheme also supports batch auditing.
If there are $K$ different users with $K$ different data, let $U = \{U_x\}$ $(x \in K)$ be the set containing all these users. Each user $U_x$ has a data file
to be outsourced to the cloud server. First, each user $U_x$ independently generates his secret parameters $(\alpha_x, ssk_x)$ and public parameters $(u_x, v_x = g^{\alpha_x}, g, spk_x)$. Each $U_x$ $(x \in K)$ chooses a random element $name_x$ as the identifier of the data file $F_x$. Then $U_x$ calculates his file tag $t_x = name_x \,\|\, Sig_{ssk_x}(name_x)$. Each user chooses $u_x$ from $G$ randomly and computes a signature for every $m_{x,i}$ $(x \in [1, K], i \in [1, n])$ as:
Finally, all users send
to the cloud server for storage.
Whenever the TPA wants to start the auditing protocol, it makes some necessary calculations and obtains the challenge parameters $chal = \{c, k_1, k_2\}$ for auditing. Then the TPA sends $chal$ to the cloud server.
After receiving $chal$, the cloud server determines the subset $I = \{s_1, s_2, \ldots, s_k\}$. It randomly chooses $r_x \in Z_p$, computes
for each user. And then, the cloud server computes:
The cloud server then sends the proof $P = \{\sigma, \{\mu_x\}_{x \in I}, \{R_x\}_{x \in I}\}$ to the TPA.
After receiving the proof from the cloud server, the TPA verifies the data integrity by the following equation:
6. Evaluation
In this section, we give an overall evaluation of the proposed scheme. It consists of a correctness proof, a security analysis and a performance analysis.
 6.1 Correctness Proof
Here, we give the correctness proof of the verification equations (1) and (2). It guarantees that our scheme is credible.
For (1), the left-hand side is:
For (2), the left-hand side is:
 6.2 Security analysis
Here, we first prove that the proposed scheme fixes the security flaw that exists in the original scheme. Then, we give a formal proof of the proposed scheme's storage security. Finally, we prove that the scheme preserves the cloud user's privacy. Our security analysis depends on the hardness assumption of the discrete logarithm problem (DLP) and the hardness assumption of the Computational Diffie-Hellman (CDH) problem. Definition 1 recalls the DLP on $G$, and Definition 2 recalls the CDH problem on $G$.
Definition 1: The DLP states that, given $h, g \in G$ as input, compute $a \in Z_p$ such that $h = g^a$.
Definition 2: The CDH problem states that, given $g, g^a, g^b \in G$, where $a, b \in Z_p$, as input, compute $h = g^{ab}$.
 6.2.1 Fixing the security flaw existing in Worku et al.'s scheme
We suppose that there exists an adversary who modifies each data block $m_i$ to $m_i^* = m_i + l_i$ for $i \in [1, n]$. The adversary records how the cloud user's data are modified. In the auditing process, the TPA and the cloud server honestly execute the protocol. That is, in the SigGen() phase, the TPA sends a challenge $chal = \{c, k_1, k_2\}$ to the cloud server. In the ProofGen() phase, after calculating $s_i$,
, $r$, $R$, $\sigma$ and $r^{-1}$, the cloud server computes:
Then the cloud server sends
to the TPA. The adversary intercepts the Proof on the channel. However, if the adversary attempts to turn the Proof into a valid Proof, he must modify the
to $\mu$. That is, he should compute
. We notice that $r$ is randomly chosen by the cloud server and is unknown to the adversary, and that $R = u^r \in G$; by the hardness assumption of the DLP, the adversary remains ignorant of the values $r$ and $r^{-1}$. Therefore, our scheme can resist the aforementioned attack.
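The difference between the two masks can be checked numerically. The following is an added example, not code from the paper or from Worku et al.: it uses the page's formulas $\mu = \mu^* + r \cdot h(R)$ and $\mu = r^{-1} \cdot (\mu^* + h(R))$, and assumes a toy verifier that unmasks with $r$ directly in place of the pairing check, a constructed 127-bit prime in place of the 160-bit $p$, and a random scalar in place of $h(R)$. All function names are hypothetical.

```python
import random

# Constructed stand-in for the prime group order p (the page uses |p| = 160).
P = 2**127 - 1

def combine(coeffs, blocks):
    """mu* = sum(v_i * m_i) mod p over the challenged blocks."""
    return sum(v * m for v, m in zip(coeffs, blocks)) % P

def mask(scheme, mu_star, r, h_R):
    """Blind mu* with the server's random r, as each scheme on the page does."""
    if scheme == "linear":        # reviewed scheme: mu = mu* + r*h(R)
        return (mu_star + r * h_R) % P
    if scheme == "nonlinear":     # proposed scheme: mu = r^-1 * (mu* + h(R))
        return pow(r, -1, P) * (mu_star + h_R) % P
    raise ValueError(f"unknown scheme: {scheme}")

def accepts(scheme, mu, r, h_R, coeffs, signed_blocks):
    """Toy verifier (an assumption of this example, not the paper's equation).

    The real TPA never learns r; it removes the mask in the exponent through
    R = u^r inside a pairing equation. Here that step is modelled by
    unmasking with r directly and comparing against the combination of the
    blocks that the aggregated signature was issued for.
    """
    if scheme == "linear":
        unmasked = (mu - r * h_R) % P
    elif scheme == "nonlinear":
        unmasked = (r * mu - h_R) % P
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return unmasked == combine(coeffs, signed_blocks)

def audit_outcomes(seed=1, c=8):
    """Run one audit per scheme over constructed data and report the verdicts."""
    rng = random.Random(seed)                 # constructed, reproducible values
    draw = lambda: rng.randrange(2, P)
    signed = [draw() for _ in range(c)]       # m_i that the user signed
    deltas = [draw() for _ in range(c)]       # l_i, the recorded modifications
    stored = [(m + l) % P for m, l in zip(signed, deltas)]   # m_i* = m_i + l_i
    coeffs = [draw() for _ in range(c)]       # v_i derived from the challenge
    r, h_R = draw(), draw()                   # server's mask, stand-in for h(R)
    shift = combine(coeffs, deltas)           # needs only v_i and l_i, never r
    r_inv = pow(r, -1, P)
    results = {}
    for scheme in ("linear", "nonlinear"):
        check = lambda mu: accepts(scheme, mu, r, h_R, coeffs, signed)
        honest = mask(scheme, combine(coeffs, signed), r, h_R)
        mu_bar = mask(scheme, combine(coeffs, stored), r, h_R)
        results[scheme] = {
            "honest_accepted": check(honest),
            "modified_data_accepted": check(mu_bar),
            # Proof rewritten on the channel using public values only.
            "rewritten_without_r_accepted": check((mu_bar - shift) % P),
            # The rewrite that works for the nonlinear mask needs r^-1.
            "rewritten_with_r_inverse_accepted": check((mu_bar - r_inv * shift) % P),
        }
    return results

if __name__ == "__main__":
    for name, verdicts in audit_outcomes().items():
        print(name, verdicts)
```

With the linear mask the modification shifts $\mu$ by a quantity that contains no $r$, so a verifier has no way to tell a rewritten proof from an honest one; with the nonlinear mask the same shift is multiplied by $r^{-1}$, which never leaves the cloud server.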
 6.2.2 Storage security assurance
We need to prove that the cloud server cannot generate a valid proof $P$ without storing the data correctly and intact, as captured by Theorem 1.
Theorem 1: If the cloud server passes the data auditing phase, it must truly possess the specified data intact.
Proof. As in [3], there exists a challenger controlling the random oracle $H(\cdot)$, and the malicious cloud server is treated as an adversary. If the adversary can forge a valid auditing proof to pass the verification with non-negligible probability, the challenger can construct a simulator that can solve the CDH problem.
The simulator randomly chooses $a, b$ from $Z_p$ and $h$ from $G$. Set $v = g^{\alpha}$, $u = g^a h^b$. For each $i$ in the challenge, the simulator chooses $r_i$ from $Z_p$ and the file identifier $name$, and processes the random oracle:
We note that $u = g^a h^b$ and
Therefore, the simulator calculates
for signature query.
For the challenger, $P = \{\sigma, \mu, R\}$ is the valid response from the cloud server. In this case, given $(g, g^{\alpha}, R) \in G$, the simulator wants to output $R^{\alpha}$. We stress that this differs from the original CDH problem. However, the adversary has computed $r$ and hidden it from the challenger, so $R$ is fixed and public. Thus, outputting $R^{\alpha}$ is also a CDH problem [11].
We now continue the proof of Theorem 1. The aforementioned $P$ satisfies verification equation (1).
However, the malicious cloud server will try to forge the response proof as $P' = \{\sigma', \mu', R\}$ while $r$ is the same as before. Thus, the response $P'$ also satisfies the following equation:
As in the challenger's process defined in the security model of the original scheme, if $\sigma = \sigma'$, the challenger stops responding to the adversary. So $\sigma \neq \sigma'$ and $\mu \neq \mu'$. Here, we define $\Delta\mu = \mu' - \mu$, $\Delta\mu^* = \mu^{*\prime} - \mu^*$, and the adversary can solve the CDH problem as follows:
Because $r$ is the same for the two verification equations above, and $\mu = r^{-1} \cdot (\mu^* + h(R))$, we get $\Delta\mu \cdot r = \Delta\mu^*$, and further:
Because $R = u^r$ and $v = g^{\alpha}$, by the bilinear property we can rearrange and simplify equation (5) as follows:
It is clear that
. Our premise is that $\mu' \neq \mu$, thus $\Delta\mu \neq 0$. Therefore, we can compute $R^{\alpha}$. However, this contradicts the hardness assumption of CDH. Therefore $\sigma' = \sigma$.
The simulator can solve the DLP only if the adversary's success probability is non-negligible. As described before, since $\sigma' = \sigma$, $\mu'$ is different from $\mu$. The challenger answers the queries from the adversary and we have:
It means $r\Delta\mu = 0 \bmod p$, and because $r$ is uniform, we can deduce $\mu' = \mu$. But this is inconsistent with our assumption. Therefore, $u^{r\Delta\mu} = 1$. In this case, we can solve the DLP as follows:

$1 = u^{r\Delta\mu} = (g^a h^b)^{r\Delta\mu} = g^{ra\Delta\mu} \cdot h^{rb\Delta\mu}$
The solution to the DLP is:
However, the probability that $b = 0$ is only $1/p$ and can be ignored. This completes the proof of Theorem 1.
 6.2.3 Privacy-preserving Assurance
The following theorem indicates that the TPA cannot recover users' data during the verification process. Concretely, the TPA cannot recover $\mu^*$ from the security perspective.
Theorem 2. The TPA cannot recover $\mu^*$ from the cloud server's $Proof = \{\mu, \sigma, R\}$.
Proof. When the TPA tries to recover the user's data, it controls $c$ in $chal$, obtains enough linear combinations of the data blocks $m_i$ and their corresponding elements $v_i$, and then achieves its goal by solving this system of linear equations. In our scheme, when the cloud server generates a valid proof, it blinds $\mu^*$ using $r^{-1}$, the inverse of the random mask $r$. If the TPA still attempts to get $\mu^*$, there are two methods: one is to obtain $r^{-1}$ directly, the other is to compute $r^{-1}$ from $R$. Since $k_3$ is randomly chosen by the cloud server and is unknown to the TPA, the TPA cannot work out $r$ and $r^{-1}$. Therefore, the former method is not workable. For the latter method, note that $R = u^r \in G$; by the hardness assumption of the DLP, the value $r$ remains unknown to the TPA. As a consequence, $\mu$ assures the privacy of $\mu^*$.
This completes the proof of Theorem 2.
 6.3 Performance Analysis
We give a detailed performance analysis in order to show the efficiency of the proposed scheme. In our experiment, the processes of the user, the server and the TPA are implemented on a Windows 7 system with an Intel Core 2 i5 CPU running at 2.53 GHz and 2 GB of DDR3 RAM (1.74 GB available). All algorithms are implemented in C, and our code uses the MIRACL library version 5.6.1. The elliptic curve we use is an MNT curve, where the base field size is 159 bits and the embedding degree is 6. The security level is chosen to be 80 bits, which means that $|v_i| = 80$ and $|p| = 160$. All experimental results are the average of 30 trials.
In the following, we focus on reporting the computational overhead of our scheme. We also give a performance comparison with [3]. According to the comparison, our scheme retains the efficiency of [3] while fixing its security flaw.
 6.3.1 The Proposed Scheme's Computation Overhead
First, we specify some notations that represent the computation cost of the corresponding operations (see Table 2).
Notation of Operations
For our scheme, on the cloud user side, the main calculation lies in computing the public parameters, the file tag and the data blocks' signatures (we use DSS to sign the data that need to be signed). The user's computation cost is:
On the TPA side, before generating $chal$, it retrieves the file tag $T$. After receiving the Proof, the TPA checks the verification equation. The corresponding computation cost is:
Similarly, on the cloud server side, it computes $\mu^*$, $\theta$, $R$ and $\mu^*$. The corresponding computation cost is:
Compared with [3], our scheme only additionally calculates an inverse element on the cloud server side. The cost of computing an inverse element is small enough to be ignored. Therefore, in a practical system, our scheme is as efficient as [3]. Fig. 2 shows the performance of the TPA for different numbers of challenged blocks $c$.
The performance of TPA in different challenge blocks
 6.3.2 Batch Auditing Overhead with Its Advantage
Fig. 3 and Fig. 4 compare the auditing time of batch auditing and basic auditing for $c = 300$ and $c = 500$, respectively. The experiment shows that batch auditing improves efficiency considerably.
Comparison on auditing time between batch and individual auditing (c=300)
Comparison on auditing time between batch and individual auditing (c=500)
From the above formal security proof and performance analysis, we can see that our scheme fixes the aforementioned security flaw while ensuring the same efficiency. Therefore, the proposed scheme has advantages over [3] in practical applications.
7. Conclusion
In this paper, we give a cryptanalysis of Worku et al.'s scheme and show that their scheme has a security flaw. By exploiting the flaw, an adversary is able to arbitrarily modify the cloud user's data while avoiding detection. Furthermore, we propose an efficient and provably secure public auditing scheme for cloud storage. The proposed scheme fixes the security flaw in Worku et al.'s scheme while retaining all its features. The formal security proof and performance analysis demonstrate that our scheme is secure and as efficient as Worku et al.'s scheme.
Acknowledgements
This work is supported by the National Natural Science Foundation of China (No.61370203) and the Science and Technology on Communication Security Laboratory Foundation (Grant No. 9140C110301110C1103)
BIO
Chunxiang Xu received her B.Sc., M.Sc. and Ph.D. degrees at Xidian University, in 1985, 1988 and 2004 respectively, P.R.China. She is presently engaged in information security, cloud computing security and cryptography as a professor at University of Electronic Science Technology of China (UESTC).
Yuan Zhang received his B.Sc. degree from University of Electronic Science Technology of China (UESTC) in 2013, P.R. China. He is currently a master's student in the School of Computer Science and Engineering at University of Electronic Science Technology of China. His research interests are cryptography, network security and cloud computing security.
Yong Yu received his Ph.D. degree in cryptography from Xidian University in 2008. He is currently an associate professor of University of Electronic Science and Technology of China and a Vice Chancellor's research fellow of the University of Wollongong as well. His research focuses on cryptography and its applications, especially public encryption, digital signature and secure cloud storage.
Xiaojun Zhang received his B.Sc. degree in mathematics and applied mathematics at Hebei Normal University in 2009, P.R. China, and received his M.Sc. degree at Guangxi University in 2012. He is a Ph.D. degree candidate in information security at University of Electronic Science Technology of China (UESTC). He is a student member of CACR. He is presently engaged in cryptography, network security and cloud computing security.
Junwei Wen received his B.Eng. degree from Southwest Jiaotong University (SWJTU) in 2009, P.R. China. He is currently a master's student in the School of Computer Science and Engineering at University of Electronic Science Technology of China (UESTC). His research interests are intrusion detection and network security.
[1] Wang C, Wang Q, Ren K, Lou W, "Privacy-preserving public auditing for data storage security in cloud computing," in Proc. of IEEE Conf. on Computer Communication, March 14-19, 2010, pp. 1-9.
[2] Yang K, Jia X, "An efficient and secure dynamic auditing protocol for data storage in cloud computing," IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 9, pp. 1717-1726, 2013. DOI: 10.1109/TPDS.2012.278
[3] Worku S G, Xu C, Zhao J, He X, "Secure and efficient privacy-preserving public auditing scheme for cloud storage," Computers & Electrical Engineering, vol. 40, no. 5, pp. 1703-1713, 2014. DOI: 10.1016/j.compeleceng.2013.10.004
[4] Wang C, Chow S. S, Wang Q, Ren K, Lou W, "Privacy-preserving public auditing for secure cloud storage," IEEE Transactions on Computers, vol. 62, no. 2, pp. 362-375, 2013. DOI: 10.1109/TC.2011.245
[5] Zhao J, Xu C, Li F, Zhang W, "Identity-Based public verification with privacy-preserving for data storage security in cloud computing," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 96, no. 12, pp. 2709-2716, 2013. DOI: 10.1587/transfun.E96.A.2709
[6] Xu C, He X, Abraha-Weldemariam D, "Cryptanalysis of Wang's auditing protocol for data storage security in cloud computing," in Proc. of International Conf. on Information Computer Application, September 14-16, 2012, pp. 422-428.
[7] Ni J, Yu Y, Mu Y, Xia Q, "On the Security of an Efficient Dynamic Auditing Protocol in Cloud Storage," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 10, pp. 2760-2761, 2013. DOI: 10.1109/TPDS.2013.199
[8] Li H, Lin X, Yang H, Liang X, Lu R, Shen X, "EPPDR: An Efficient Privacy-Preserving Demand Response Scheme with Adaptive Key Evolution in Smart Grid," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 8, pp. 2053-2064, 2014. DOI: 10.1109/TPDS.2013.124
[9] Giuseppe A, Randal B, Reza C, Joseph H, Lea K, Zachary P, Dawn S, "Provable data possession at untrusted stores," in Proc. of ACM Conf. on Computer and Communications Security, October 29-November 2, 2007, pp. 598-609.
[10] Shacham H, Waters B, "Compact proofs of retrievability," in Proc. of International Conf. on the Theory and Application of Cryptology and Information Security, December 7-11, 2008, pp. 90-107.
[11] Boldyreva A, Gentry C, O'Neill A, Yum D. H, "Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing," in Proc. of ACM Conf. on Computer and Communications Security, October 29-November 2, 2007, pp. 276-285.