Académique Documents
Professionnel Documents
Culture Documents
X, XXXX 201X
I NTRODUCTION
Boyang Wang and Hui Li are with the State Key Laboratory of Integrated
Services Networks, Xidian University, Xian, 710071, China. Boyang
Wang is also a visiting Ph.D student at Department of Electrical and
Computer Engineering, University of Toronto.
E-mail: {bywang,lihui}@mail.xidian.edu.cn
Baochun Li is with the Department of Electrical and Computer Engineering, University of Toronto, Toronto, ON, M5S 3G4, Canada.
E-mail: bli@eecg.toronto.edu
A A A A A A B A B B
TPA
8th
Auditing Task 2
A A A A A A A B B B
8th
Auditing Task 3
A A A A B A A A B B
A
Fig. 1. Alice and Bob share a file in the cloud. The TPA
audits the integrity of shared data with existing mechanisms.
As shown in Fig. 1, after performing several auditing
tasks, some private and sensitive information may reveal
to the TPA. On one hand, most of the blocks in shared
file are signed by Alice, which may indicate that Alice
is a important role in this group, such as a group leader.
On the other hand, the 8-th block is frequently modified
by different users. It means this block may contain highvalue data, such as a final bid in an auction, that Alice
TABLE 1
Comparison with Existing Mechanisms
Public auditing
Data privacy
Identity privacy
PDP [2]
Yes
No
No
WWRL [3]
Yes
Yes
No
Oruta
Yes
Yes
Yes
P ROBLEM S TATEMENT
2.1
System Model
st
2. A
ue
udi
R
eq
or
R
ep
tin
di
3. A
tin
Au
udi
ting
ting
Me
ssa
ge
Pro
of
4.
Au
di
1.
Users
Cloud Server
WANG et al.: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD
Design Objectives
P RELIMINARIES
Bilinear Maps
We first introduce a few concepts and properties related to bilinear maps. We follow notations from [5], [9]:
1) G1 , G2 and GT are three multiplicative cyclic
groups of prime order p;
2) g1 is a generator of G1 , and g2 is a generator of G2 ;
3) is a computable isomorphism from G2 to G1 ,
with (g2 ) = g1 ;
4) e is a bilinear map e: G1 G2 GT with the
following properties: Computability: there exists
an efficiently computable algorithm for computing
the map e. Bilinearity: for all u G1 , v G2 and
a, b Zp , e(ua , v b ) = e(u, v)ab . Non-degeneracy:
e(g1 , g2 ) 6= 1.
These properties further imply two additional properties: (1) for any u1 , u2 G1 and v G2 , e(u1 u2 , v) =
e(u1 , v) e(u2 , v); (2) for any u, v G2 , e((u), v) =
e((v), u).
3.2
Complexity Assumptions
believes that the blocks in data are all correct. In this way,
the verifier does not need to download all the blocks to
check the integrity of data. Non-malleability indicates
that an attacker cannot generate valid signatures on
invalid blocks by linearly combining existing signatures.
Other cryptographic techniques related to homomorphic authenticable signatures includes aggregate signatures [5], homomorphic signatures [10] and batchverification signatures [11]. If a signature scheme is
blockless verifiable and malleable, it is a homomorphic
signature scheme. In the construction of data auditing
mechanisms, we should use homomorphic authenticable
signatures, not homomorphic signatures.
4 H OMOMORPHIC
S IGNATURES
4.1
AUTHENTICABLE
= H1 (id)g1m G1 ,
Overview
Construction of HARS
(1)
and sets
s =
R ING
wiai )
i6=s
!1/xs
G1 .
(2)
e(, g2 ) =
e(i , wi ).
(3)
i=1
e(i , wi )
e(s , ws )
i=1
e(i , wi )
i6=s
=
=
=
=
e(
e(
! x1
ai
i6=s wi )
x i ai , g 2 )
)
i6=s g2
e(g1ai , g2xi )
i6=s
e(g1ai xi , g2 )
i6=s
,
g
)
e(
g1ai xi , g2 )
e( Q
2
a
x
i i
g
i6=s 1
i6=s
Y
e( Q
g 1 ai x i , g 2 )
ai x i
g
1
i6=s
i6=s
, g2xs )
e(, g2 ).
WANG et al.: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD
y1
?
H1 (id2 )y2 g1m , g2 ) =
d
Y
y2
y1
, wi ).
2,i
e(1,i
i=1
=
=
=
=
i=1
d
Y
i=1
y2
y1
, wi ).
2,i
e(1,i
i=1
If the combined block m is correct, the verifier also believes that block m1 and m2 are both correct. Therefore,
HARS is able to support blockless verification.
Meanwhile, an adversary, who does not have any
users private key, cannot generate a valid ring signature
on an invalid block m by linearly combining 1 and
2 with y1 and y2 . Because if an element i in is
y2
y1
, the whole ring signature
2,i
computed as i = 1,i
y
y
2
1
2
1
.
= Q
2,s
s = 1,s
y a
y1 a1,i
w2,i2 2,i
i6=s w1,i
(y a
+y a
y2
y1
= g1 1 1,i 2 2,i , where a1,i
2,i
For all i 6= s, i = 1,i
and a2,i are random values. When ring signature =
(1 , ..., d ) is verified with the invalid block m using
Equation (3):
d
Y
5.1 Overview
Using HARS and its properties we established in the
previous section, we now construct Oruta, our privacypreserving public auditing mechanism for shared data in
the cloud. With Oruta, the TPA can verify the integrity
of shared data for a group of users without retrieving
the entire data. Meanwhile, the identity of the signer on
each block in shared data is kept private from the TPA
during the auditing.
i=1
Because 1y1 2y2 = H(id1 )y1 H(id2 )y2 g1m is not equal to
m
= H(id )g1 .
If block m1 and m2 are signed by different users, for
example, user us and user ut , then s and t can be
presented as
!1/xs
1y1
y a
s = Q
g1 2 2,s ,
y1 a1,i
i6=s wi
t
y a
g1 1 1,t
2y2
Q
y2 a2,i
i6=t wi
!1/xt
(y a
+y a
y2
y1
= g1 1 1,i 2 2,i ,
2,i
For all i 6= s and i 6= t, i = 1,i
where a1,i and a2,i are random values. When ring signature = (1 , ..., d ) is verified with the invalid block
m using Equation (3):
d
Y
FOR
i=1
WANG et al.: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD
Index
1
2
3
..
.
n
Block
m1
m2
m3
..
.
mn
Insert
Index
1
2
3
4
..
.
n+1
Block
m1
m 2
m2
m3
..
.
mn
Block
m1
m2
m3
m4
..
.
mn
Delete
Index
1
2
3
..
.
n1
Block
m1
m3
m4
..
.
mn
Construction of Oruta
Index
1
2
3
..
.
n
Block
m1
m2
m3
..
.
mn
2
3
..
.
n
R
r1
r2
r3
..
.
rn
Insert
Index
1
2
3
4
..
.
n+1
Block
m1
m 2
m2
m3
..
.
mn
3/2
2
3
..
.
n
R
r1
r2
r2
r3
..
.
rn
Index
1
2
3
4
5
..
.
n
Block
m1
m2
m3
m4
m5
..
.
mn
2
3
4
5
..
.
n
R
r1
r2
r3
r4
r5
..
.
rn
Update
Delete
Index
1
2
3
4
..
.
n1
Block
m 1
m2
m4
m5
..
.
mn
2
4
5
..
.
n
R
r1
r2
r4
r5
..
.
rn
m1,1 . . . m1,k
m1
.. Z nk .
..
M = ... = ...
.
p
.
mn,1 . . . mn,k
mn
k
Y
mj,l
G1 .
Cloud Server
{(j, yj )}jJ
(4)
l=1
jJ j,i
After the computation, the cloud server sends an au, , , {idj }jJ } to the TPA, where =
diting proof {
(1 , ..., k ), = (1 , ..., k ) and = (1 , ..., d ) (as shown
in Fig. 8).
Cloud Server
, , , {idj }jJ }
{
Fig. 8. The cloud server sends an auditing proof to the
TPA.
, , , {idj }jJ
ProofVerify. With an auditing proof {
}, an auditing message {(j, yj )}jJ , public aggregate
key pak = (1 , ..., k ), and all the group members
public keys (pk1 , ..., pkd ) = (w1 , ..., wd ), the TPA verifies
the correctness of this proof by checking the following
WANG et al.: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD
equation:
e(
H1 (idj )yj
jJ
?
d
Y
k
Y
d
k
Y
Y
Y y
h( )
RHS = e(
j,ij , wi ) e( l l , g2 )
i=1
ll , g2 )
l=1
e(i , wi )
i=1
e(
k
Y
h(l )
, g2 ).
(6)
l=1
H1 (idj )yj
jJ
k
Y
l=1
ll (
k
Y
h(l ) 1
l=1
, g2 ) =
d
Y
k
d Y
Y
Y
y
r h( )
(
e(j,ij , wi )) e( l l l , g2 )
i=1 jJ
jJ i=1
e(
e(
l=1
k
d
Y
Y Y
r h( )
( e(j,i , wi )yj ) e( l l l , g2 )
jJ
e(j , g2 )yj e(
k
Y
(H1 (idj )
H1 (idj )yj
H1 (idj )yj
e(i , wi ).
i=1
H1 (idj )yj
Now, we discuss security properties of Oruta, including its correctness, unforgeability, identity privacy and
data privacy.
Theorem 6: During an auditing task, the TPA is able to
correctly audit the integrity of shared data under Oruta.
Proof: To prove the correctness of Oruta is equivalent
of proving Equation (6) is correct. Based on properties of
bilinear maps and Theorem 1, the right-hand side (RHS)
l=1
r h(l )
l l
, g2 )
l=1
m
l j,l )yj , g2 )
e(
k
Y
r h(l )
l l
, g2 )
l=1
k
Y
jJ
mj,l yj
k
Y
k
Y
r h(l )
l l
, g2 )
l=1
l=1
jJ
, g2 )
l=1
jJ
(7)
e(
k
Y
l=1
jJ
e(
l=1
jJ
5.5
jJ
jJ
=
e(
k
Y
ll , g2 ).
l=1
jJ
yj
H1 (idj )
k
Y
l=1
l l , g2 )
=(
d
Y
i=1
e(i , wi ))e(
k
Y
l=1
h(l )
, g2 ).
10
yj
H1 (idj )
jJ
k
Y
ll , g2 )
=(
d
Y
e(i , wi ))e(
i=1
l=1
k
Y
h( )
l l , g2 ).
l l =
k
Y
l=1
l=1
ll ,
1=
l=1
ll =
k
Y
Auditing Task 2
N N N N N N N N N N
ll = 1.
N N N N N N N N N N
N
l=1
(g l hl )l = g
Pk
l=1
l l
Pk
l=1
l l
l=1
TPA
8th
Auditing Task 3
k
Y
N N N N N N N N N N
8th
Auditing Task 1
l=1
8th
Pk
l=1 l l
Pk
l
l=1 l
= gx .
Fig. 9. Alice and Bob share a file in the cloud, and the
TPA audit the integrity of shared data with Oruta.
WANG et al.: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD
1 i db and
rb,l
b,l = P
b,l
b,l = jJ yj mb,j,l + rb,l h(b,l )
P
yj
b,i = jJ b,j,i
k
B
Y
Y
Y
b,lb,l , g2 )
e(
H(idb,j )yj
jJ
b=1
db
B Y
Y
l=1
e(b,i , wb,i )
b=1 i=1
e(
B Y
k
Y
h(b,l )
b,l
, g2 ), (8)
b=1 l=1
b=1 i=1
db
B Y
Y
e(b,i , wb,i )
b=1 i=1
db
B
Y
Y
b=1
B
Y
e(b,i , wb,i ))
i=1
e(
b=1
= e(
B
Y
b=1
H(idb,j )yj
jJ
b=1 l=1
k
B
Y Y
e(
h(b,l )
b,l
, g2 )
b=1 l=1
!
k
Y
h(b,l )
, g2 )
e( b,l
l=1
k
Y
b,lb,l , g2 )
l=1
H(idb,j )yj
jJ
k
Y
l=1
b,lb,l , g2 ).
k
B
Y
Y
Y
b,lb,l , g2 )
H(idb,j )yj
e(
?
b=1
jJ
d
Y
B
Y
i=1
e(
b=1
b,i , wi )
l=1
e(
B Y
k
Y
h(b,l )
b,l
, g2 ). (9)
b=1 l=1
11
P ERFORMANCE
12
c=460
c=300
5
15
10
20
d: the size of the group
14
12
10
8
6
4
c=460
2
c=300
00 20 40 60 80 100
k: the number of elements per block
14
12
10
8
6
4
2
00
5
15
10
20
d: the size of the group
3.0
c=460
2.5
c=300
2.0
1.5
1.0
0.5
0.00
50 100 150 200
k: the number of elements per block
c=460
c=300
4.0
3.5
3.0
2.5
2.0
1.5
1.0
0.5
0.00
5
15
10
20
d: the size of the group
80
d=10
70
d=20
60
50
40
30
20
10
00
50 100 150 200
k: the number of elements per block
k=100
k=200
100
80
60
40
20
00
1325
1300
1275
Seperate Auditing
1250
Batch Auditing-D
1225
Batch Auditing-S
1200
1175
11500 20 40 60 80 100
B: the number of audting tasks
1325
1300
1275
1250
1225
1200
Seperate Auditing
1175
Batch Auditing-S
11500 2 4 6 8 10 12 14 16
A: the number of incorrect proofs
Experimental Results
We now evaluate the efficiency of Oruta in experiments. To implement these complex cryptographic operations that we mentioned before, we utilize the GNU
Multiple Precision Arithmetic (GMP)2 library and Pairing Based Cryptography (PBC)3 library. All the following
experiments are based on C and tested on a 2.26 GHz
Linux system over 1, 000 times.
Because Oruta needs more exponentiations than pairing operations during the process of auditing, the elliptic
2. http://gmplib.org/
3. http://crypto.stanford.edu/pbc/
1325
1320
1315
1310
1305
1300
Seperate Auditing
1295
Batch Auditing-D
12900 2 4 6 8 10 12 14 16
A: the number of incorrect proofs
WANG et al.: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD
k = 100, d = 10,
2GB + 200MB (data + signatures)
460
300
14.55KB
10.95KB
1.94s
1.32s
13
R ELATED W ORK
14
C ONCLUSION
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
In this paper, we propose Oruta, the first privacypreserving public auditing mechanism for shared data
in the cloud. We utilize ring signatures to construct
homomorphic authenticators, so the TPA is able to audit
the integrity of shared data, yet cannot distinguish who
is the signer on each block, which can achieve identity
privacy. To improve the efficiency of verification for multiple auditing tasks, we further extend our mechanism
to support batch auditing. An interesting problem in our
future work is how to efficiently audit the integrity of
shared data with dynamic groups while still preserving
the identity of the signer on each block from the third
party auditor.
[18]
R EFERENCES
[21]
[1]
M. Armbrust, A. Fox, R. Griffith, A. D.Joseph, R. H.Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, A View of Cloud Computing, Communications of the ACM,
vol. 53, no. 4, pp. 5058, Apirl 2010.
[16]
[17]
[19]
[20]
[22]
G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, Provable Data Possession at Untrusted Stores,
in Proc. ACM Conference on Computer and Communications Security
(CCS), 2007, pp. 598610.
C. Wang, Q. Wang, K. Ren, and W. Lou, Privacy-Preserving
Public Auditing for Data Storage Security in Cloud Computing,
in Proc. IEEE International Conference on Computer Communications
(INFOCOM), 2010, pp. 525533.
R. L. Rivest, A. Shamir, and Y. Tauman, How to Leak a Secret,
in Proc. International Conference on the Theory and Application of
Cryptology and Information Security (ASIACRYPT).
SpringerVerlag, 2001, pp. 552565.
D. Boneh, C. Gentry, B. Lynn, and H. Shacham, Aggregate and
Verifiably Encrypted Signatures from Bilinear Maps, in Proc. International Conference on the Theory and Applications of Cryptographic
Techniques (EUROCRYPT). Springer-Verlag, 2003, pp. 416432.
H. Shacham and B. Waters, Compact Proofs of Retrievability,
in Proc. International Conference on the Theory and Application of
Cryptology and Information Security (ASIACRYPT).
SpringerVerlag, 2008, pp. 90107.
Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu, and S. S.Yau, Dynamic
Audit Services for Integrity Verification of Outsourced Storage in
Clouds, in Proc. ACM Symposium on Applied Computing (SAC),
2011, pp. 15501557.
S. Yu, C. Wang, K. Ren, and W. Lou, Achieving Secure, Scalable,
and Fine-grained Data Access Control in Cloud Computing, in
Proc. IEEE International Conference on Computer Communications
(INFOCOM), 2010, pp. 534542.
D. Boneh, B. Lynn, and H. Shacham, Short Signature from the
Weil Pairing, in Proc. International Conference on the Theory and
Application of Cryptology and Information Security (ASIACRYPT).
Springer-Verlag, 2001, pp. 514532.
D. Boneh and D. M. Freeman, Homomorphic Signatures for
Polynomial Functions, in Proc. International Conference on the
Theory and Applications of Cryptographic Techniques (EUROCRYPT).
Springer-Verlag, 2011, pp. 149168.
A. L. Ferrara, M. Green, S. Hohenberger, and M. . Pedersen,
Practical Short Signature Batch Verification, in Proc. RSA Conference, the Cryptographers Track (CT-RSA). Springer-Verlag, 2009,
pp. 309324.
V. Goyal, O. Pandey, A. Sahai, and B. Waters, Attribute-Based
Encryption for Fine-Grained Access Control of Encrypted Data,
in Proc. ACM Conference on Computer and Communications Security
(CCS), 2006, pp. 8998.
A. Juels and B. S. Kaliski, PORs: Proofs pf Retrievability for Large
Files, in Proc. ACM Conference on Computer and Communications
Security (CCS), 2007, pp. 584597.
G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, Scalable
and Efficient Provable Data Possession, in Proc. International
Conference on Security and Privacy in Communication Networks
(SecureComm), 2008.
C. Erway, A. Kupcu, C. Papamanthou, and R. Tamassia, Dynamic
Provable Data Possession, in Proc. ACM Conference on Computer
and Communications Security (CCS), 2009, pp. 213222.
C. Wang, Q. Wang, K. Ren, and W. Lou, Ensuring Data Storage
Security in Cloud Computing, in Proc. IEEE/ACM International
Workshop on Quality of Service (IWQoS), 2009, pp. 19.
B. Chen, R. Curtmola, G. Ateniese, and R. Burns, Remote Data
Checking for Network Coding-based Distributed Stroage Systems, in Proc. ACM Cloud Computing Security Workshop (CCSW),
2010, pp. 3142.
N. Cao, S. Yu, Z. Yang, W. Lou, and Y. T. Hou, LT Codesbased Secure and Reliable Cloud Storage Service, in Proc. IEEE
International Conference on Computer Communications (INFOCOM),
2012.
S. Halevi, D. Harnik, B. Pinkas, and A. Shulman-Peleg, Proofs of
Ownership in Remote Storage Systems, in Proc. ACM Conference
on Computer and Communications Security (CCS), 2011, pp. 491500.
Q. Zheng and S. Xu, Secure and Efficient Proof of Storage with
Deduplication, in Proc. ACM Conference on Data and Application
Security and Privacy (CODASPY), 2012.
M. Franz, P. Williams, B. Carbunar, S. Katzenbeisser, and R. Sion,
Oblivious Outsourced Storage with Delegation, in Proc. Financial Cryptography and Data Security Conference (FC), 2011, pp. 127
140.
S. D. C. di Vimercati, S. Foresti, S. Paraboschi, G. Pelosi, and
P. Samarati, Efficient and Private Access to Outsourced Data,
WANG et al.: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD
15