DPDP for shared data - Chennai Sunday Integrity Auditing for Sha… · public data integrity auditing for shared dynamic data. However, these schemes are still not secure against

0018-9340 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/TC.2015.2389955, IEEE Transactions on Computers

1

Public Integrity Auditing for Shared DynamicCloud Data with Group User Revocation

Tao Jiang, Xiaofeng Chen, and Jianfeng Ma

✦

Abstract—The advent of the cloud computing makes storage out-sourcing become a rising trend, which promotes the secure remotedata auditing a hot topic that appeared in the research literature.Recently some research consider the problem of secure and efficientpublic data integrity auditing for shared dynamic data. However,these schemes are still not secure against the collusion of cloudstorage server and revoked group users during user revocation inpractical cloud storage system. In this paper, we figure out thecollusion attack in the exiting scheme and provide an efficient publicintegrity auditing scheme with secure group user revocation basedon vector commitment and verifier-local revocation group signature.We design a concrete scheme based on the our scheme definition.Our scheme supports the public checking and efficient user revoca-tion and also some nice properties, such as confidently, efficiency,countability and traceability of secure group user revocation. Finally,the security and experimental analysis show that, compared with itsrelevant schemes our scheme is also secure and efficient.

Index Terms—Public integrity auditing, dynamic data, victor commit-ment, group signature, cloud computing.

1 INTRODUCTION

The development of cloud computing motivates en-terprises and organizations to outsource their datato third-party cloud service providers (CSPs), whichwill improve the storage limitation of resource con-strain local devices. Recently, some commercial cloudstorage services, such as the simple storage service(S3) [1] on-line data backup services of Amazon andsome practical cloud based software Google Drive[2], Dropbox [3], Mozy [4], Bitcasa [5], and Memopal[6], have been built for cloud application. Since thecloud servers may return an invalid result in somecases, such as server hardware/software failure, hu-man maintenance and malicious attack [7], new formsof assurance of data integrity and accessibility arerequired to protect the security and privacy of clouduser’s data.

To overcome the above critical security challengeof today’s cloud storage services, simple replicationand protocols like Rabin’s data dispersion scheme [8]are far from practical application. The formers are

• Tao Jiang, Xiaofeng Chen and Jianfeng Ma are with the State KeyLaboratory of Integrated Service Networks(ISN), Xidian University,P.R. China, e-mail: [email protected], [email protected], [email protected].

not practical because a recent IDC report suggeststhat data-generation is outpacing storage availability[9]. The later protocols ensure the availability of datawhen a quorum of repositories, such as k-out-of -n ofshared data, is given. However, they do not provideassurances about the availability of each repositories,which will limit the assurance that the protocols canprovide to relying parties.

For providing the integrity and availability of re-mote cloud store, some solutions [10], [11] and theirvariants [12], [13], [14], [15], [16], [17], [18] havebeen proposed. In these solutions, when a schemesupports data modification, we call it dynamic scheme,otherwise static one (or limited dynamic scheme, ifa scheme could only efficiently support some speci-fied operation, such as append). A scheme is publiclyverifiable means that the data integrity check can beperformed not only by data owners, but also by anythird-party auditor. However, the dynamic schemesabove focus on the cases where there is a data ownerand only the data owner could modify the data.

Recently, the development of cloud computingboosted some applications [19], [20], [21], where thecloud service is used as a collaboration platform. Inthese software development environments, multipleusers in a group need to share the source code, andthey need to access, modify, compile and run theshared source code at any time and place. The newcooperation network model in cloud makes the re-mote data auditing schemes become infeasible, whereonly the data owner can update its data. Obviously,trivially extending a scheme with an online dataowner to update the data for a group is inappro-priate for the data owner. It will cause tremendouscommunication and computation overhead to dataowner, which will result in the single point of dataowner. To support multiple user data operation, Wanget al. [22] proposed a data integrity based on ringsignature. In the scheme, the user revocation problemis not considered and the auditing cost is linear tothe group size and data size. To further enhance theprevious scheme and support group user revocation,Wang et al. [23] designed a scheme based on proxyre-signatures. However, the scheme assumed that theprivate and authenticated channels exist between each

IEEE TRANSACTIONS ON COMPUTERS VOL: PP NO: 99 YEAR 2015



2

pare of entities and there is no collusion among them.Also, the auditing cost of the scheme is linear to thegroup size. Another attempt to improve the previousscheme and make the scheme efficient, scalable andcollusion resistant is Yuan and Yu [24], who designeda dynamic public integrity auditing scheme withgroup user revocation. The authors designed polyno-mial authentication tags and adopt proxy tag updatetechniques in their scheme, which make their schemesupport public checking and efficient user revocation.However, in their scheme, the authors do not considerthe data secrecy of group users. It means that, theirscheme could efficiently support plaintext data updateand integrity auditing, while not ciphertext data. Intheir scheme, if the data owner trivially shares agroup key among the group users, the defection orrevocation any group user will force the group usersto update their shared key. Also, the data owner doesnot take part in the user revocation phase, wherethe cloud itself could conduct the user revocationphase. In this case, the collusion of revoked user andthe cloud server will give chance to malicious cloudserver where the cloud server could update the dataas many time as designed and provide a legal datafinally. To the best of our knowledge, there is stillno solution for the above problem in public integrityauditing with group user modification.

The deficiency of above schemes motivates us to ex-plore how to design an efficient and reliable scheme,while achieving secure group user revocation. Tothe end, we propose a construction which not onlysupports group data encryption and decryption dur-ing the data modification processing, but also real-izes efficient and secure user revocation. Our ideais to apply vector commitment scheme [25] over thedatabase. Then we leverage the Asymmetric GroupKey Agreement (AGKA) [26] and group signatures[27] to support ciphertext data base update amonggroup users and efficient group user revocation re-spectively. Specifically, the group user use the AGKAprotocol to encrypt/decrypt the share database, whichwill guarantee that a user in the group will be ableto encrypt/decrypt a message from any other groupusers. The group signature will prevent the collusionof cloud and revoked group users, where the dataowner will take part in the user revocation phase andthe cloud could not revoke the data that last modifiedby the revoked user.

1.1 Our Contribution

In this paper, we further study the problem of con-struing public integrity auditing for shared dynamicdata with group user revocation. Our contributionsare three folds:

1) We explore on the secure and efficient shareddata integrate auditing for multi-user operationfor ciphertext database.

Data

Owner

Group Users Third Party AuditorRevoked

Group Users

Public Parameters

Data Integrity Auditing Results

Cloud Storage Server

Figure 1. The cloud storage model

2) By incorporating the primitives of victor com-mitment, asymmetric group key agreement andgroup signature, we propose an efficient dataauditing scheme while at the same time provid-ing some new features, such as traceability andcountability.

3) We provide the security and efficiency analysisof our scheme, and the analysis results show thatour scheme is secure and efficient.

1.2 Organization

The rest of this paper is organized as follows: Insection 2, we describe the problem formulation. Insection 3, we present the used preliminaries. Then,we provide the detail of our scheme in section 4. Weconduct the security and efficiency analysis in section5 and section 6 and leave the related works in section7. Finally, we show our conclusion in section 8.

2 PROBLEM FORMULATION

In this section, we first describe the cloud storagemodel of our system. Then, we provide the threatmodel considered and security goals we want toachieve.

2.1 Cloud Storage Model

In the cloud storage model as shown in Figure 1, thereare three entities, namely the cloud storage server,group users and a Third Part Auditor (TPA).

Group users consist of a data owner and a numberof users who are authorized to access and modify thedata by the data owner. The cloud storage server issemi-trusted, who provides data storage services forthe group users. TPA could be any entity in the cloud,which will be able to conduct the data integrity of theshared data stored in the cloud server. In our system,the data owner could encrypt and upload its data tothe remote cloud storage server. Also, he/she sharesthe privilege such as access and modify (compile andexecute if necessary) to a number of group users.The TPA could efficiently verify the integrity of the

Home17

Highlight

Home17

Highlight



3

m+Tag m' +Tag' m' +Tag"

Data last modified

by user Eve

Data last modified

by cloud server

Legitimate data authorized

by the data owner

Cloud server

and EveCloud server

Modify Revoke

Figure 2. Security problem of server proxy group userrevocation

data stored in the cloud storage server, even the datais frequently updated by the group users. The dataowner is different from the other group users, he/shecould securely revoke a group user when a groupuser is found malicious or the contract of the useris expired.

2.2 Threat Model and Security Goals

Our threat model considers two types of attack:

1) An attacker out side the group (include therevoked group user cloud storage server) mayobtain some knowledge of the plaintext of thedata. Actually, this kind of attacker has to atlease break the security of the adopted groupdata encryption scheme.

2) The cloud storage server colludes with the re-voked group users, and they want to provide aillegal data without being detected.

Actually, in cloud environment, we assume thatthe cloud storage server is semi-trusted. Thus, it isreasonable that a revoked user will collude with thecloud server and share its secret group key to thecloud storage server. In this case, although the serverproxy group user revocation way [24] brings muchcommunication and computation cost saving, it willmake the scheme insecure against a malicious cloudstorage server who can get the secret key of revokedusers during the user revocation phase. Thus, a ma-licious cloud server will be able to make data m, lastmodified by a user that needed to be revoked, into amalicious data m′. In the user revocation process, thecloud could make the malicious data m′ become valid.To overcome the problems above, we aim to achievethe following security goals in our paper:

1) Security. A scheme is secure if for any databaseand any probabilistic polynomial time adver-sary, the adversary can not convince a verifierto accept an invalid output.

2) Correctness. A scheme is correct if for anydatabase and for any updated data m by a validgroup user, the output of the verification by anhonest cloud storage server is always the valuem. Here, m is a ciphertext if the scheme couldefficiently support encrypted database.

3) Efficiency. A scheme is efficient if for any data,the computation and storage overhead investedby any client user must be independent of thesize of the shared data.

4) Countability. A scheme is countable, if for anydata the TPA can provide a proof for this misbe-havior, when the dishonest cloud storage serverhas tampered with the database.

5) Traceability. We require that the data owneris able to trace the last user who update thedata (data item), when the data is generatedby the generation algorithm and every signaturegenerated by the user is valid.

3 PRELIMINARIES

Our scheme makes use of bilinear groups. The se-curity of the scheme depends on the Strong Diffie-Hellman assumption and the Decision Linear assump-tion. In this section, we review the definitions ofbilinear groups and the complexity assumption.

3.1 Bilinear Groups

We review a few concepts related to bilinear maps,which follow the notation of [28]. Let G1 and G2 betwo multiplicative cyclic groups of prime order p, g1is a generator of G1 and g2 is a generator of G2. ψ isan efficiently computable isomorphism from G2 to G1

with ψ(g2) = g1, and e : G1 × G2 → GT is a bilinearmap with the following properties:

1) Computability: there exits an efficiently com-putable algorithm for computing map e;

2) Bilinearity: for all u ∈ G1, v ∈ G2 and a, b ∈ Zp,e(ua, vb) = e(u, v)ab;

3) Non-degeneracy: e(g1, g2) 6= 1.

3.2 Complexity Assumption

The security of our scheme relies on the difficulty ofsome problems: the Strong Diffie-Hellman problem,the Decision Linear problem, and the ComputationalDiffie-Hellman problem. We describe these problemsas follows.

Definition 1. q-Strong Diffie-Hellman problem. LetG1, G2 be cyclic group of prime order p, wherepossibly G1 = G2. Let g1 be a generator of G1

and g2 be a generator of G2. Given a (q + 2) −

tuple(g1, g2, gγ2 , g(γ2)2 , ..., g

(γq)2 ) as input, output a pair

(g1/(γ+x)1 , x) where x ∈ Z∗

p.

The assumption could be used to construct shortsignature scheme without random oracles [29]. Theassumption has properties similar to the Strong-RSAassumption [30] and the properties are adopted forbuilding short group signature in our scheme.

Definition 2. Decision Linear problem. Let g1 be agenerator of G1, and G1 be a cyclic group of primeorder p. Given u, v, h, ua, ub,uc ∈ G1 as input, outputyes if a+ b = c and no otherwise.

Boneh et al. [31] introduced the Decision Linearassumption and they proved that the problem isintractable in generic bilinear groups.



4

Definition 3. Square Computational Diffie-Hellman(Square-CDH) problem. With g ∈ G1 as above, given

(g, gx) for x ∈R Zp as input, output gx2

.It has been proved that the Square-CDH assump-

tion is equivalent to the classical CDH assumption[32], [33].

3.3 Vector Commitment

Commitment is a fundamental primitive in cryptog-raphy and it plays an important role in security pro-tocols such as voting, identification, zero-knowledgeproof, etc. The hiding property of commitment re-quires that it should not reveal information of thecommitted message, and the binding property re-quires that the committing mechanism should notallow a sender to change his/her mind about thecommitted message.

Recently, Catalano and Fiore [25] put forward a newprimitive called Vector Commitment. Vector Com-mitment satisfies position binding that an adversaryshould not be able to open a commitment to twodifferent values at the same position, and the VectorCommitment is concise, which means that the sizeof the commitment string and its openings have tobe independent of the vector length. We providethe formal definition of Vector Commitment [25] asfollows.

Definition 4. (Vector Commitment) A vector commit-ment scheme is a collection of six polynomial-timealgorithms (VC.KeyGen, VC.Com, VC.Open, VC.Ver,VC.Update, VC.ProofUpdate) such that:VC.KeyGen(1k, q). Given the security parameter k

and the size q of the committed vector (with q =poly(k)), the key generation outputs some public pa-rameters pp.VC.Compp(m1, ...,mq). On input a sequence of q

messages m1, ...,mq ∈ M (M is the message space) and the public parameters pp, the committing algo-rithm outputs a commitment string C and an auxiliaryinformation aux.VC.Openpp(m, i, aux). This algorithm is run by the

committer to produce a proof i that m is the i-thcommitted message. In particular, notice that in thecase when some updates have occurred the auxiliaryinformation aux can include the update informationproduced by these updates.VC.Verpp(C,m, i,Λi). The verification algorithm ac-

cepts (i.e., it outputs 1) only if Λi is a valid proofthat C was created to a sequence m1, ...,mq such thatm = mi.VC.Updatepp(C,m,m

′, i). This algorithm is run bythe committer who produces C and wants to updateit by changing the i-th message to m′. The algorithmtakes as input the old message m, the new messagem′ and the position i. It outputs a new commitmentC’ together with an update information U .

VC.ProofUpdatepp(C,Λj ,m′, i, U). This algorithm

can be run by any user who holds a proof Λj forsome message at position j w.r.t. C, and it allowsthe user to compute an updated proof Λ′

j (and theupdated commitment C′) such that Λ′

j will be validwith regard to C′ which contains m′ as the newmessage at position i. Basically, the value U containsthe update information which is needed to computesuch values.

The primitive of verifiable database with efficientupdate based on vector commitment is useful to solvethe problem of verifiable data outsourcing. Recently,Chen et al. [34], [35] figured out that the basic vectorcommitment scheme suffers from forward automaticupdate attack and backward substitution update at-tack. They also proposed a new framework for ver-ifiable database with efficient update from vectorcommitment, which is not only public verifiable fordynamic outsourced data but also secure against thetwo attacks. The solution in their scheme is easy toapply in our scheme, which will overcome the attacksthey figured out in our scheme.

3.4 Group Signature with User Revocation

We present the formal definition of group signatureswith verifier-local revocation [27] as follows.

Definition 5. A verifier-local group signature schemeis a collection of three polynomial-time algorithms(VLR.KeyGen,VLR.Sign,VLR.Verify), which behaves asfollows:

VLR.KeyGen(n). This randomized algorithm takesas input a parameter n, the number of mem-bers of the group. It outputs a group public keygpk, an n-element vector of user keys gsk =(gsk[1], gsk[2], ..., gsk[n]), and an n-element vector ofuser revocation tokens grt, similarly indexed.VLR.Sign(gpk, gsk[i],M). This randomized algo-

rithm takes as input the group public key gpk, aprivate key gsk[i], and a message M ∈ {0, 1}

∗, and

returns a signature σ.

VLR.Verify(gpk,RL, σ,M). The verification algo-rithm takes as input the group public key gpk, a set ofrevocation tokens RL (whose elements form a subsetof the elements of grt), and a purported signature σon a message M . It returns either valid or invalid. Thelatter response can mean either that σ is not a validsignature, or that the user who generated it has beenrevoked.

4 SCHEME CONSTRUCTION

In this section, we provide the formal definition ofour scheme according to the definition in [23], [24].Then, we design the concrete scheme based on ourdefinition.



5

4.1 New Framework

We consider the database DB as a set of tuple (x,mx),where x is an index and mx is the correspondingvalue. Informally, a public integrity auditing schemewith updates allows a resource-constrained client tooutsource the storage of a very large database to aremote server. Later, the client can retrieve and updatethe database records stored in the server and publiclyaudit the integrity of the updated data.

According to previous researches, the proposedframework of our public integrity auditing for shareddynamic cloud data with secure group user revocationis given as follows:Setup(1k, DB):

Let the database be DB = (i,mi) for 1 ≤ i ≤ q andthe database is shared by a group of n users with onlyone data owner.

1) The data owner run the key generation algo-rithm of vector commitment to obtain the publicparameters pp← VC.KeyGen(1k, q).

2) Run the key generation of verifier-local revo-cation to obtain the user keys and revocations(gsk, grt) ← VLR.KeyGen(1k, n), where gsk =(gsk[1], gsk[2]...gsk[n]) and an n-element vectorof user revocation tokens grt.

3) Run the computing algorithm to compute com-mitment and auxiliary information (C, aux) ←VC.Compp(c1, ..., cq). Let the current databasemodifier be group user s(0 ≤ s ≤ n − 1), and(gsk[s], gpk) be the secret/public key pair of thegroup user. Let Ct = V C.ComPP(c

t1, ..., c

tq) be the

commitment on the latest database vector, wheret is a counter with 0 as its initial value.

4) Run the signing algorithm over the commit-ment C. Specially, for the t-th time the groupuser s(0 ≤ s ≤ n − 1), whose secretkey is gsk[s], compute and output a signa-ture σt ← VLR.Sign(gpk, gsk[s], {C(t− 1), Ct, t}).Then, sends the signature σt to the cloud storageserver. If σt is valid, then the server computesC(t) = σt·Ct. Also, the cloud storage server addsthe information of Σ(t) = (C(t − 1), Ct, t, σt) toaux.

5) Finally, set public key parameter PK =(pp, gpk, C(t− 1), C(t)).

Query(PK,PP, aux, DB, i):

1) A group user run the opening algorithm to com-pute a proof Λi ← VC.Openpp(ci, i, aux), where Λi

is the proof of the i-th committed message andreturn τ = (ci,Λi,Σ(t)).

Verify(PK,RL, i, τ ):

1) Parse τ = (ci,Λi,Σ(t)). If the signatureis valid after running the algorithmVLR.Verify(gpk,RL,Σ(T )). Then, run theverification algorithm of vector commitment{0, 1} ← VC.Verpp(C(t), σ

t, ci, i,Λi). Thealgorithm accepts when it output 1, which

means that Λi is a valid proof that Ct wascreated by a sequence c1, ...cq , such that c = ci.Otherwise, return an error ⊥.

Update(i, τ ):

1) A group user first queries and verifies thedatabase to make sure the current database isvalid. More precisely, the group user obtainτ ←Query(PK,PP, aux, DB, i) and check thatVerify(PK, i, τ) = mi.

2) Run the update algorithm over the new data andoutput the updated commitment and the updateinformation (C′, U)← VC.Update(C,m,m′, i).

ProofUpdate(C,Λj, c′i, i, U ):

1) A third part auditor can first verify that,compared with the stored counter t, the lat-est counter equals t + 1. Then, run theproof of update algorithm of vector commit-ment to compute an update proof Λj ←VC.ProofUpdatepp(C,Λj ,m

′i, i, U) for the mes-

sage at position j, such that Λj is valid withrespect to C′ which contains m′ as the newmessage at position j. Here, U = (m,m′, i) isthe update information.

2) Verify the commitment C′, and its correspondingproof Λi is also valid over message m′

i.

UserRevocation(PK, i, τ ):

1) The third part auditor can run the veri-fication algorithm of verifier-local revocationand return either valid or invalid {0, 1} ←VLR.Verify(gpk,RL, σ,M). Here, RL are a set ofrevocation tokens.

4.2 A Concrete Scheme

In this section, we provide a concrete scheme fromvector commitment [25] and verifier-local revocationgroup signature [27].Setup(1k, DB):

Let k be a security parameter and DB = (i,mi) for1 ≤ i ≤ q be the database. The database DB = (i,mi)is shared by a group of n users with only one dataowner. The message space is M = Zp.

1) Let G,GT be two bilinear groups of primeorder p equipped with a bilinear mape : G × G → GT , and g be a random generatorof G. Randomly choose z1, ..., zq ←R Zp.For all i = 1, ..., q, set hi = gzi . For alli, j = 1, ..., q, i 6= j, set hi,j = gzizj . The dataowner runs the key generation algorithmof vector commitment VC.KeyGen(1k, q)to obtain the public parameters PP =(p, q,G,GT ,H, g, ({hi})i∈[q], {hi,j}i,j∈[q],i6=j) andthe message spaceM= Zp. By using a collision-resistant hash function H : {0, 1}∗ → Zp, ourscheme can be easily extended to supportarbitrary messages in {0, 1}∗.

2) Run the key generation of verifier-local revo-cation VLR.KeyGen(1k, n). Let G1, G2 be cyclic



6

group of prime order p, and g1 be a generatorof G1 and g2 be a generator of G2. Considerbilinear groups (G1,G2) with isomorphism ψ,where g1 ← ψ(g2). Select γ ←R Z∗

p and setw = gγ2 . For each user, generate an SDH tuple

(Ai, xi) by selecting xiR← Z∗

p such that γ+xi 6= 0,

and setting Ai ← g1/(γ+xi)1 . Then, set the group

public key gpk = (g1, g2, w). The private key is atuple gsk[i] = (Ai, xi). The revocation token cor-responding to a user’s secret key is grt[i] = Ai.Finally, the algorithm outputs (gpk, gsk, grk). γis only known to the private-key issuer (the dataowner).

3) Run the computing algorithmVC.Compp(m1, ...,mq) to compute commitmentC = hm1

1 , hm2

2 , ..., hmqq and auxiliary information

aux = (m1, ...,mq).4) Employ hash functions H0 and H as random

oracles, with respective ranges G22 and Zp. For

the t-th time data updating, run the signingalgorithm VLR.Sign(gpk, gsk[i], {C(t− 1), Ct, t})over the commitment. Assume that the inputmessage is {C(t− 1), Ct, t} ∈ {0, 1}∗. Then, picka random nonce r ←R Zp and obtain generators(u, v) ← H0(gpk, {C(t− 1), Ct, t} , r) ∈ G2

2 andcompute their images in G1 with u ← ψ(u)and v ← ψ(v) . Select an exponent α ←R Zp

and compute T1 ← uα and T2 ← Aivα. Set

δ ← xiα ∈ Zp. Pick blinding values rα, rx, andrδ ←R Zp. Compute helper values R1 ← urα ,R2 ← e(T2, g2)

rx · e(v, w)−rα · e(v, g2)−rδ and

R3 ← T rx1 ·u

−rδ . Compute a challenge value c←H(gpk, (C(t− 1), Ct, t), r, T1, T2, R1, R2, R3) ∈ Zp

using H . Compute sα = rα + cα, sx = rx + cxi,and sδ = rδ + cδ ∈ Zp. Finally, output a signa-ture σt ← (r, T1, T2, c, sα, sx, sδ). Then, sends thesignature σt to the cloud storage server. If σt isvalid, then the server computes C(t) = σt · Ct.Also, the cloud storage server adds the informa-tion of Σ(t) = (C(t− 1), Ct, t, σt) to aux.

5) Set public key parameter PK = (pp, gpk, C(t −1), C(t)).

Query(PK, pp, aux, DB, i):

1) We assume that the current public key is PK =(PP, gpk, C(t − 1), C(t)). A user runs the open-ing algorithm VC.Openpp(c

ti, i, aux) to compute

a proof Λti =

∏qj−1,j 6=i h

mtj

i,j = (∏q

j=1,j 6=i hmt

j

j )zi

of the i-th committed message and return τ =(mt

i,Λti,Σ(t)).

Verify(PK, i, τ ):

1) On input a group public key gpk, a purportedsignature σt, and the message {C(t− 1), Ct, t},the auditor first verify whether the signature isvalid.

2) If τ = (mti,Λi,Σ(t)), run the verification

algorithm of vector commitmentVC.Verpp(C

ti , c

ti, i,Λ

ti) to verify that the equation

e(Ct/hmt

i

i , hi)?= e(Λt

i, g) holds. The algorithmaccepts when it outputs 1, which means thatΛti is a valid proof that Ct was created to a

sequence m1, ...mq, such that m = mi.

Update(i, τ ):

1) A group user first queries and verifies thedatabase to make sure the current database isvalid.

2) If the user wanted to update mi tom′

i, the user runs the update algorithmVC.Update(C,m,m′, i) and outputs the updated

commitment C′ = C · hm′−m

i and the updatedinformation U = (m,m′, i).

ProofUpdate(C,Λj,m′i, i, U ):

1) The third part auditor can run theproof of update algorithm of vectorcommitment to compute an update proofΛj ← VC.ProofUpdatepp(C,Λj ,m

′, i, U) for themessage at position j, such that Λj is valid withrespect to C′ which contains m′ as the newmessage at position j.

2) For the auditor who owns a proof Λj, the auditoruses the update information U = (m,m′, i) togenerate the proof of update. If i 6= j, compute

the updated commitment C′ = C · hm′−m

i and

the updated proof is Λ′j = Λj · (h

m′−mi )zj =

Λj · hm′−mj,i ; If i = j, compute the updated

commitment C′ = C ·hm′−m

i while do not changethe proof Λi. Verify the commitment C′ andits corresponding proof Λi is also valid overmessage m′

i.

UserRevocation(PK, i, τ ):

1) To verify the validity of the signature, theauditor need to conduct the signaturecheck. The third part auditor runs theverification algorithm of verifier-local revocationVLR.Verify(gpk,RL, σ,M), M = C(t− 1), Ct, t.More precisely, compute u and v and theirimage u ← ψ(u) and v← ψ(v) in G1.Derive R1 ← usα/T c

1 , R2 ← e(T2, g2)sx ·

e(v, w)−sα · e(v, g2)−sδ · (e(T2, w)/e(g1, g2))

c andR3 ← T sx

1 · u−sδ . Check the challenge that

c?= H(gpk, (C(t − 1), Ct, t), r, T1, T2, R1, R2, R3)

and return either valid or invalid. Then, conductthe revocation check.

2) For each element A ∈ RL, check whether A is

encoded in (T1, T2) by checking if e(T2/A, u)?=

e(T1, v). If no element of RL is encoded in(T1, T2), the signer of σ has not been revoked.Here, RL is a set of revocation tokens.

4.3 Supporting Ciphertext Database

In cloud storage outsourcing environment, the out-sourced data is usually encrypted database, which isusually implicitly assumed in the exiting academic



7

research. Actually, our scheme could support the au-diting of database of both plaintext and ciphertextdatabase. However, it is not straightforward to extenda scheme to support encrypted database.

In order to achieve the confidentiality of the datarecord mx, the client can use his/her secret key toencrypt each mx using a encryption scheme. Whenthere is only one user (data owner) in the group, theuser only needs to choose a random secret key andencrypt the data using a secure symmetric encryptionscheme. However, when the scheme needs to supportmulti-user data modification, while at the same timekeeping the shared data encrypted, a shared secret keyamong group users will result in single point failureproblem. It means that any group user (revoked orleave) leak the shared secret key will break the confi-dentiality guarantee of the data.

To overcome the above problem, we need to adopta scheme, which could support group users datamodification. Luckily, Wu et al. [26] designed anAsymmetric Group Key Agreement scheme (ASGKA).The scheme has a nice property that, instead of acommon secret key, only a shared encryption keyis negotiated in an ASGKA protocol. Also, in thescheme, the public key can be simultaneously usedto verify signatures and encrypt messages while anysignature can be used to decrypt ciphertext under thispublic key. Using the bilinear pairings, the authorsinstantiate a one-round ASGKA protocol tightly re-duced to the decision Bilinear Diffie-Hellman Expo-nentiation (BDHE) assumption in the standard model.Thus, according to the ASGKA protocol, we considerthe case of encrypted database (x, cx), where x is anindex and cx is the corresponding cipher value.

We provide the detailed changes upon our schemeto support encrypted database.

1) In the Setup phase, the scheme has to run thekey agreement of ASGKA for the group users.Then, the database DB = (i,mi) is encryptedby the group key gpk of data owner. Finally, thestored database is a ciphertext database DB =(i, ci).

2) In the second step of the Update phase, a groupuser firstly decrypts the record ci using the AS-GKA secret key gsk[∗] to get plaintext databaseDB = (i,mi). Then, update the data to m′

i, andlater encrypt the data with the public key gpkof ASGKA scheme to get the new encrypteddatabase DB = (i, c′i).

4.4 Probabilistic Detection

Actually, the position binding property of vector com-mitment of the scheme allows the cloud storage serverto prove the data item correctness of certain position.Ateniese et. al. [10] figured out that the samplingability greatly reduces the overhead on the serverand provides high detection probability of server

misbehavior. Then, among the q data items, we as-sume that the third part auditor randomly select xitems out of the q-block item database as the targetitem. In the database, only y items of the databaseare incorrect. Then, if x, y and q satisfy the specificrelationship, the third part auditor could provide ahigh possession detection ability over the database.The result is interesting that when y is a fraction ofthe total item number q, the detection probability ofserver misbehavior is a constant amount of item. Forexample, if y = 1% of q, then the third part auditorasks for 460 blocks and 300 blocks in order to achievethe detection probability of at least 99% and 95%,respectively.

5 ANALYSIS OF OUR SCHEME

Our scheme is designed to solve the security andefficiency problems of public data integrity auditingwith multi-user modification, where the data has tobe encrypted among a dynamic group and any groupuser can conduct secure and verifiable data updatewhen necessary.

Some basic tools have been used to construct ourscheme. Thus we assume that the underlying buildingblocks are secure, which include the vector commit-ment, group signature, and asymmetric group keyagreement scheme. Based on this assumption, weshow that our scheme is secure with respect to thefollowing security analysis.

5.1 Security of Our Scheme

• Security of Our Scheme. Actually, Wu et al.[26] instantiated a one-round ASGKA schemetightly reduced to the decision Bilinear Diffie-Hellman Exponentiation assumption in the stan-dard model. Also, the security of adopted groupsignature scheme has been proved to be securein the random oracle model. The security of thescheme is based on the strong Diffie-Hellmanassumption and the Decision Linear assumptionin bilinear groups as defined in Definition 1 andDefinition 2. Thus, if we assume the two buildingblocks of our scheme is secure, then our schemecan be proven to be secure similar to [25].If we assume there exists a polynomial-time ad-versary A that has a non-negligible advantage ǫin the experiment for some initial database. Thenwe can use the adversary to build an efficientalgorithm to break the Squ-CDH assumption inDefinition 3. It means that the algorithm takes

a tuple g, ga as input and output ga2

. Triv-ially, suppose that (i, τ ) in a experiment whereτ = (cti,Λ

ti,Σ(t)), the verify query output a value

c 6=⊥, c 6= cti and e(Ct, hi) = e(hcti

i, hi)e(Λ

ti, g) =

e(hci, hi)e(Λ, g). If the simulation does not fail, we

have hi = ga. Then, the adversary can compute



8

Table 1Performance evaluation and comparison

Scheme Scheme [23] Scheme [24] Our Scheme

Query - - (q − 1)(Mul+ Exp)

Verify 2Exp+Mul+ 2Pair+Hash Exp+ 2Pair 7Pair+Mul+ 9Exp + 5Hash

Update - (s+ 2)Exp + (s+ 1)Mul s(Mul+ Exp)*

ProofUpdate - sExp+ (s+ 1)Mul + cPair 2s(Mul+ Exp)ors(Mul+ Exp)*

UserRevocation (c+d)Exp+(c+3d)Mul+(d+1)Pair+cHash

c(Pair+ Exp) z(Mul+ 2Pair)

* In our scheme, we do not need to verify up to s elements each time. For comparison, we assume that our scheme conducts averification of s data items here.

ga2

= ( ΛΛt

i

)(ct

i−c)−1

and the success probability of

the algorithm built by the adversary is ǫ/q.• Correctness of Our Scheme. If the server is

assumed to be honest, then the proof τ =

(cti,Λti,Σ(t)), where Λt

i =∏

i6=j,1≤j≤q hctji,j . Since

C(t)/Hthctii = Ct/h

ctii =

∏i6=j,1≤j≤q h

ctji,j , we have

e(Ct/Hthctii , hi) = e(Λt

i, g). Thus, the verificationalgorithm always output cti.

• Efficiency of Our Scheme. It is trivial that, exceptfor the one time setup, the computational andstorage overhead in our scheme invested by thegroup users are independent of the size of thedata. More precisely, to verify the validity of thescheme, the verify algorithm run by the clientrequires only pairings and exponentiation in G.Also, in the update algorithm, the computationoverhead of the client is independent of the sizeof data. The storage overhead of a group user isalso independent of the size of data. We will pro-vide the detail efficiency and experiment analysisin the full version of this paper.

• Countability of Our Scheme. Sine the updatecounter t is a public parameter, given the proofwith the counter t′, the client will firstly compareit with the public latest counter. if t′ = t, then theauditor verifies the corresponding signature σt′

over t′. Otherwise, if t′ 6= t the group auditor willreject the current result and report the maliciousactivity of the cloud storage server.

• Traceability of Our Scheme. The traceability ofour scheme is based on the traceability of theadopted group signature. In the theorem 2 ofreference [25], the authors provide the formalproof of the traceability of the group signatureadopted. It means that if SDH is hard on (G1,G2),the group signature scheme is traceable.

6 PERFORMANCE EVALUATION

In this section, we provide both the numerical and theexperimental analysis of our scheme and conduct thecomputation time cost comparison with [23] and [24].

6.1 Numerical Analysis

In this section, we conduct the numerical analysis ofour scheme and compare the scheme with references[23] and [24].

First of all, all of the three schemes require one-timeexpensive computational effort in the Setup phase.Then, our scheme is secure against the collusion attackof the cloud storage server and the revoked users inthe efficient scheme [24], and it is also efficient, sincethe computational resources invested by the client isindependent on the size of the database. The reasonis that, most of the expensive computation overheadis outsourced to the cloud storage server. Finally,the cloud storage server store all the database andits relevant materials. Thus, except some private keymaterials, the group users do not require to store anydata locally.

We provide the time cost simulation for our schemein different phases and the Table 1 presents the nu-merical analysis of computation of our scheme andtwo other schemes related. For the convenience ofanalysis, we denote by Mul a multiplication in G

(G1, G2 and GT ), Exp an exponentiation in G, Paira computation of the pairing, and Hash a regularhashing operation. We omit other operations such asaddition in G for all the schemes.

As shown in Table 1, in the Query algorithm of ourscheme, the computation overhead increases with thedatabase item q. However, we need to remark thatthe server does not need to compute the proof eachtime. The reason is that the proof is identical for thesame data item and the server only need to computeonce for the first query on each index. Thus, the servercould adopt some storage overhead to reduce thecomputational cost in the Query algorithm. Comparewith scheme [24], the Verify algorithm of our schemebring much more computation overhead. The reasonis that scheme [24] adopt the delegation technologyfor data updating. In our scheme, to prevent theattack against the collusion of the malicious andrevoked group users, we adopt the group signaturescheme with secure group user revocation. Althoughthe Verify algorithm bring much more computationaloverhead than scheme [24], it is important that it is



9

0 100 200 300 400 500 600 700 800 9000

0.5

1

1.5

2

2.5

3

3.5

4

q: the number of data items

Tim

eCost

(s)

Figure 3. Query Time Cost

0 100 200 300 400 500 600 700 800 90010

20

30

40

50

60

70

The number of data items or blocks

Tim

eCost

(ms)

Scheme [23]Scheme [24]Our Scheme

Figure 4. Verify Time Cost

0 10 20 30 40 50 60 70 80 900

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

s: the elements of each block

Tim

eCost

(s)

Scheme [24]Our Scheme

Figure 5. Update Time Cost

a constant part of our scheme. In the Update andProofUpdate algorithms, the computation cost of ourscheme and the scheme [24] grow with the increaseof data elements (data items in our scheme). Forthe UserRevocation algorithm, all the computationcomputation time cost grow with the increase ofthe challenge blocks (items) number. The differentis that, scheme [24] is efficient because the compu-tation time cost will not grow with the increase ofthe group users. Thus, their scheme provide constantcomputation overhead with different group size. Thecomputation time cost of our scheme grows with therevoked users number z, which is different from thescheme [23] growing with the increase of the groupusers number. Since it is reasonable that the revokedusers number z is small than the group users d, weuse 2z = d in our simulation.

6.2 Experimental evaluation

In this section, we evaluate the thorough experimentalevaluation of our scheme. Our experiments are sim-ulated with the pairing-based cryptography library(PBC)[36] on Linux Machine with Intelr CoreTM2 DuoProcessor T9500 running at 2.60GHz and 3G memory.To precisely evaluate the computation complexity atdifferent entities, we simulate all the entity on thismachine.

As shown in Figure 3, the Query time cost of ourscheme is linear with the data items number q, whichwill take approximately 4 seconds to query about1000 data items. However, we need to emphasize thatthe computation cost is at the cloud storage serverside, which is very powerful compare with the Linuxsystem running on our laptop. More over, the serverdoes not need to run the whole Query algorithmevery time as analyzed in the previous section.

Actually, in the Verify algorithm, the computationoverhead mostly comes from the group signaturescheme. More precisely, to verify the validity of thisphase, we need firstly to verify the integrity of thesignature, which means that our scheme need to gen-erate the time costed parameters such as R1, R2, andR3. Actually, the computation time cost of our schemea constant number. Also, it is around 5 times that of

the most efficient scheme [24]. In the Figure 5, weshow the data update computation comparison withscheme [24], and both their computation overheadsgrow with the increase of the element number in eachblock.

In the PoofUpdate algorithm, as shown in Figure 6,the computation time cost grows with the increase ofthe elements number of each block and the numberof selected challenging data blocks. Actually, the datablocks contain data elements in scheme [24] while notin our scheme. It is interesting that, if we do notconsider the data elements in the scheme [24], thecomputation overhead of the two schemes in with thesame challenging number are almost the same.

The UserRevocation algorithm simulation in Fig-ure 7 shows that scheme [24] is the most efficientone. Compare with scheme [23] whose computationoverhead grows rapidly with the increase of groupusers number and the selected challenging blocksnumber, scheme [24] and our scheme have a flat-ting growth. The reason is that, scheme [23] has toconsider the whole group users number, while thecomputation time cost in our scheme is related to therevoked group users. It means that we need to verify

e(T2/A, u)?= e(T1, v) for each user in the revocation

list. The best scheme is [24], whose computationoverhead is irrelevant to the group users number.They achieve this by allowing the cloud storage serverto recompute the authentication tag of blocks lastmodified by a revoked group user. We analyze thistag update delegation way in the previous section andpoint out that it is not secure against the cloud storageserver and revoked group users collusion attack.

7 RELATED WORK

Plenty of researchers have devoted considerable at-tention to the problems on how to securely outsourcelocal store to remote cloud server. Among which,the problem of remote data integrity and availabilityauditing attacks the attestation of many researchers.The concepts and solution Provable Data Possession(PDP) and Proofs of Retrievability (PoR) were firstproposed by Ateniese et al. [10] and Juels et al. [11]. In



10

020

4060

80100 0

2040

6080

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

c: selected challenging blockss: the elements of each block

Tim

eCost

(s)

Scheme [24]Our Scheme

Figure 6. ProofUpdate Time Cost

0100

200300

400500 0

1020

30

0

0.5

1

1.5

2

2.5

d: the group users numberc: selected challenging blocks number

Tim

eCost

(s)

Scheme [23]Scheme [24]Our Scheme

Figure 7. UserRevocation Time Cost

their scheme, the homomorphic authentication tech-nique was adopted to reduce both the communicationand computation cost. Later, a number of variants ofPDP and PoR schemes are designed to improve theefficiency and enhance the function of basic schemes,such as allowing public auditing [16], [22], [17] andsupporting data update [14], [15].

To enhance the previous works, Wang et al. [22]designed a scheme to support share data integrityauditing, whose scheme adopted ring signature toprotect the privacy of users. The limitation of thescheme is that it does no support dynamic groupand also suffers from a computational overhead linearto the group size and the number of data auditing.To further support user revocation, Wang et al. [23]designed another scheme based on the assumptionthat no collusion occurs between cloud servers andrevoked user. As a matter of fact, they assumed thatthe private and authenticated channels exit betweeneach pair of entities and collusion between invalidusers and cloud servers will lead to the disclosureof secrets of all other valid users. Recently, Yuanand Yu [24] designed a dynamic public integrityauditing scheme with secure group user revocation.The scheme is based on polynomial authenticationtags and adopts proxy tag update techniques, whichmakes their scheme support public checking andefficient user revocation. However, the authors donot consider the ciphertext store. Also, to make thescheme efficient, the data owner (the data owner’sprivate key is not necessary) does not take part in theuser revocation phase, where the cloud could conductsome malicious operation of user’s data when it col-ludes with the revoked users.

Gennaro et al. [37] formalized the notion of verifi-able computation which allows a client to outsourcethe computation of an arbitrary function. However, itis inefficient for practical applications due to the com-plicated fully homomorphic encryption techniques[38], [39]. Also, another disadvantage of the schemesbased on fully homomorphic encryption is that, the

client must repeat the expensive pre-processing stageif the malicious server tries to cheat and learn abit of information. Benabbas et al. [40] proposed thefirst practical verifiable database scheme based onthe hardness of the subgroup membership problemin bilinear groups with composite order. However,the scheme does not support the public verifiabilityproperty. Catalano and Fiore [25] proposed a practicalsolution to build verifiable database (VDB) from vec-tor commitment that supports the public verifiability.Both of the schemes assume that the size of the out-sourced database should be fixed and the client canknow the outsourcing function in advance. Recently,Backes et al. [41] presented a flexible VDB schemewith two additional properties that eliminates theassumption.

Group signature is introduced by Chaum and Heyst[42]. It provides anonymity for signers, where eachgroup member has a private key that enables theuser to sign messages. However, the resulting signa-ture keeps the identity of the signer secret. Usually,there is a third party that can conduct the signa-ture anonymity using a special trapdoor. Some sys-tems support revocation [43], [44], [45], [27], [46],[47], where group membership can be disabled with-out affecting the signing ability of unrevoked users.Boneh and Shacham [27] proposed an efficient groupsignature with verifier-local revocation. The schemeprovides the properties of group signature such asselfless-anonymity and traceability. Also, the schemeis a short signature scheme where user revocationonly requires sending revocation information to sig-nature verifiers. Libert et al. [46] proposed a newscalable revocation method for group signature basedon the broadcast encryption framework. However,the scheme introduces important storage overhead atgroup user side. Later, Libert et al. [47] designed ascheme to enhance the former scheme which couldobtain private key of constant size. In their scheme,the unrevoked members still do not need to updatetheir keys at each revocation.



11

8 CONCLUSION

The primitive of verifiable database with efficientupdates is an important way to solve the problemof verifiable outsourcing of storage. We propose ascheme to realize efficient and secure data integrityauditing for share dynamic data with multi-user mod-ification. The scheme vector commitment, Asymmet-ric Group Key Agreement (AGKA) and group sig-natures with user revocation are adopt to achievethe data integrity auditing of remote data. Besidethe public data auditing, the combining of the threeprimitive enable our scheme to outsource ciphertextdatabase to remote cloud and support secure groupusers revocation to shared dynamic data. We providesecurity analysis of our scheme, and it shows that ourscheme provide data confidentiality for group users,and it is also secure against the collusion attack fromthe cloud storage server and revoked group users.Also, the performance analysis shows that, comparedwith its relevant schemes, our scheme is also efficientin different phases.

9 ACKNOWLEDGMENT

This work is supported by the National Natural Sci-ence Foundation of China (No. 61272455), China 111Project (No. B08038), Doctoral Fund of Ministry ofEducation of China (No. 20130203110004), Programfor New Century Excellent Talents in University (No.NCET-13-0946), and the Fundamental Research Fundsfor the Central Universities (Nos. BDY151402 andJB142001-14).

REFERENCES

[1] Amazon. (2007) Amazon simple storage service (amazon s3).Amazon. [Online]. Available: http://aws.amazon.com/s3/

[2] Google. (2005) Google drive. Google. [Online]. Available:http://drive.google.com/

[3] Dropbox. (2007) A file-storage and sharing service. Dropbox.[Online]. Available: http://www.dropbox.com/

[4] Mozy. (2007) An online, data, and computer backup software.EMC. [Online]. Available: http://www.dropbox.com/

[5] Bitcasa. (2011) Inifinite storage. Bitcasa. [Online]. Available:http://www.bitcasa.com/

[6] Memopal. (2007) Online backup. Memopal. [Online].Available: http://www.memopal.com/

[7] M. A. et al., “Above the clouds: A berkeley view of cloudcomputing,” Tech. Rep. UCBEECS, vol. 28, pp. 1–23, Feb. 2009.

[8] M. Rabin, “Efficient dispersal of information for security,”Journal of the ACM (JACM), vol. 36(2), pp. 335–348, Apr. 1989.

[9] J. G. et al. (2006) The expanding digital universe: A forecast ofworldwide information growth through 2010. IDC. [Online].Available: Whitepaper

[10] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner,Z. Peterson, and D. Song, “Provable data possession at un-trusted stores,” in Proc. of ACM CCS, Virginia, USA, Oct. 2007,pp. 598–609.

[11] A. Juels and B. S. Kaliski, “Pors: Proofs of retrievability forlarge files,” in Proc. of ACM CCS, Virginia, USA, Oct. 2007,pp. 584–597.

[12] K. D. Bowers, A. Juels, and A. Oprea, “Proofs of retrievability:theory and implementation,” in Proc. of CCSW 2009, llinois,USA, Nov. 2009, pp. 43–54.

[13] Y. Dodis, S. Vadhan, and D. Wichs, “Proofs of retrievabilityvia hardness amplification,” in Proc. of TCC 2009, CA, USA,Mar. 2009, pp. 109–127.

[14] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, “Proofs ofretrievability via hardness amplification,” in Proc. of ESORICS2009, Saint-Malo, France, Sep. 2009, pp. 355–370.

[15] C. Erway, A. Kupcu, C. Papamanthou, and R. Tamassia,“Dynamic provable data possession,” in Proc. of ACM CCS,Illinois, USA, Nov. 2009, pp. 213–222.

[16] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-preservingpublic auditing for data storage security in cloud computing,”in Proc. of IEEE INFOCOM 2010, CA, USA, Mar. 2010, pp. 525–533.

[17] J. Yuan and S. Yu, “Proofs of retrievability with publicverifiability and constant communication cost in cloud,” inProc. of International Workshop on Security in Cloud Computing,Hangzhou, China, May 2013, pp. 19–26.

[18] E. Shi, E. Stefanov, and C. Papamanthou, “Practical dynamicproofs of retrievability,” in Proc. of ACM CCS 2013, Berlin,Germany, Nov. 2013, pp. 325–336.

[19] Cloud9. (2011) Your development environment, in the cloud.Cloud9. [Online]. Available: https://c9.io/

[20] Codeanywhere. (2011) Online code editor. Codeanywhere.[Online]. Available: https://codeanywhere.net/

[21] eXo Cloud IDE. (2002) Online code editor. Cloud IDE.[Online]. Available: https://codenvy.com/

[22] B. Wang, B. Li, and H. Li, “Oruta: Privacy-preserving publicauditing for shared data in the cloud,” in Proc. of IEEE CLOUD2012, Hawaii, USA, Jun. 2012, pp. 295–302.

[23] B. Wang, L. Baochun, and L. Hui, “Public auditing for shareddata with efficient user revocation in the cloud,” in Proc. ofIEEE INFOCOM 2013, Turin, Italy, Apr. 2013, pp. 2904–2912.

[24] J. Yuan and S. Yu, “Efficient public integrity checking for clouddata sharing with multi-user modification,” in Proc. of IEEEINFOCOM 2014, Toronto, Canada, Apr. 2014, pp. 2121–2129.

[25] D. Catalano and D. Fiore, “Vector commitments and theirapplications,” in Public-Key Cryptography - PKC 2013, Nara,Japan, Mar. 2013, pp. 55–72.

[26] Q. Wu, Y. Mu, W. Susilo, B. Qin, and J. Domingo-Ferrer,“Asymmetric group key agreement,” in Proc. of EUROCRYPT2009, Cologne, Germany, Apr. 2009, pp. 153–170.

[27] D. Boneh and H. Shacham, “Group signatures with verifier-local revocation,” in Proc. of ACM CCS, DC, USA, Oct. 2004,pp. 168–177.

[28] D. Boneh, B. Lynn, and H. Shacham, “Short signatures fromthe weil pairing,” in Proc. of Asiacrypt 2001, Gold Coast,Australia, Dec. 2001, pp. 514–532.

[29] D. Boneh and X. Boyen, “Collision-free accumulators and fail-stop signature schemes without trees,” in Proc. of EUROCRYPT2004, Interlaken, Switzerland, May 2004, pp. 56–73.

[30] N. Baric and B. Pfitzman, “Collision-free accumulators andfail-stop signature schemes without trees,” in Proc. of EURO-CRYPT 1997, Konstanz, Germany, May 1997, pp. 480–494.

[31] D. Boneh, X. Boyen, and H. Shacham, “Short group signa-tures,” in Proc. of CRYPTO 2004, CA, USA, Aug. 2004, pp.41–55.

[32] U. M. Maurer and S. Wolf, “Diffie-hellman oracles,” in Proc.of CRYPTO 1996, CA, USA, Aug. 1996, pp. 268–282.

[33] F. Bao, R. Deng, and H. Zhu, “Variations of diffie-hellmanproble,” in Information and Communications Security, Huhe-haote, China, Oct. 2003, pp. 301–312.

[34] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, “Verifiable compu-tation over large database with incremental updates,” in Proc.of ESORICS 2014, Wroclaw, Poland, Sep. 2014, pp. 148–162.

[35] X. Chen, J. Li, X. Huang, J. Ma, and W. Lou, “New pub-licly verifiable databases with efficient updates,” to appearin IEEE Transactions on Dependable and Secure Computing,Accepted.

[36] B. Lynn. (2006) The pairing-based cryptography library.[Online]. Available: http://crypto.stanford.edu/pbc/

[37] R. Gennaro, C. Gentry, and B. Parno, “Non-interactive verifi-able computing: Outsourcing computation to untrusted work-ers,” in Proc. of CRYPTO 2010, CA, USA, Sep. 2010, pp. 465–482.

[38] C. Gentry, “Fully homomorphic encryption using ideal lat-tices,” in Proc. of ACM STOC 2009, Washington DC, USA, May2009, pp. 169–178.



12

[39] C. Gentry and S. Halevi, “Implementing gentrys fully-homomorphic encryption scheme,” in Proc. of EUROCRYPT2011, Tallinn, Estonia, May 2011, pp. 129–148.

[40] S. Benabbas, R. Gennaro, and Y. Vahlis, “Verifiable delegationof computation over large datasets,” in Proc. of CRYPTO 2011,CA, USA, Aug. 2011, pp. 111–131.

[41] M. Backes, D. Fiore, and R. M. Reischuk, “Verifiable delegationof computation on outsourced data,” in Proc. of ACM CCS2013, Berlin, Germany, Nov. 2013, pp. 863–874.

[42] D. Chaum and E. van Heyst, “Group signatures,” in Proc. ofEUROCRYPT 1991, Brighton, UK, Apr. 1991, pp. 257–265.

[43] E. Bresson and J. Stern, “Efficient revocation in group signa-tures,” in Public-Key Cryptography - PKC 2001, Cheju Island,Korea, Feb. 2001, pp. 190–206.

[44] J. Camenisch and A. Lysyanskaya, “Dynamic accumulatorsand application to efficient revocation of anonymous creden-tials,” in Proc. of CRYPTO 2002, CA, USA, Aug. 2002, pp. 61–76.

[45] G. Ateniese, D. Song, and G. Tsudik, “Quasi-efficient revoca-tion in group signatures,” in Proc. of FC 2002, Soughamption,Bermuda, Mar. 2002, pp. 183–197.

[46] B. Libert, T. Peters, and M. Yung, “Scalable group signatureswith revocation,” in Proc. of EUROCRYPT 2012, CA, USA, Aug.2002, pp. 61–76.

[47] ——, “Group signatures with almost-for-free revocation,” inProc. of CRYPTO 2012, CA, USA, Aug. 2012, pp. 571–589.

Tao Jiang received his B.S. (2009) in Net-work Engineering from Shandong JianzhuUniversity, China. He got his M.S. (2012)in Computer Application Technology fromJiangsu University, China. Currently, he is aPh.D. student of Xidian University in Cryptog-raphy. His research interests include cryptog-raphy and cloud computing security.

Xiaofeng Chen received his B.S. and M.S.on Mathematics from Northwest University,China in 1998 and 2000, respectively. He gothis Ph.D degree in Cryptography from XidianUniversity in 2003. Currently, he works at Xi-dian University as a professor. His researchinterests include applied cryptography andcloud computing security. He has publishedover 100 research papers in refereed inter-national conferences and journals. His workhas been cited more than 1800 times at

Google Scholar. He is in the Editorial Board of Computing andInformatics (CAI), International Journal of Grid and Utility Computing(IJGUC), and International Journal of Embedded Systems (IJES)etc. He has served as the program/general chair or program com-mittee member in over 30 international conferences.

Jianfeng Ma received his B.S. degree inmathematics from Shaanxi Normal Univer-sity, China in 1985, and obtained his M.E.and Ph.D. degrees in computer softwareand communications engineering from Xid-ian University, China in 1988 and 1995, re-spectively. From 1999 to 2001, he was withNanyang Technological University of Singa-pore as a research fellow. Now he is a Pro-fessor in School of Computer Science at Xi-dian University, China. His current research

interests include distributed systems, computer networks, and infor-mation and network security.

Documents

DPDP for shared data - Chennai Sunday Integrity Auditing for Sha… · public data integrity auditing for shared dynamic data. However, these schemes are still not secure against