Certificateless Provable Group Shared Data Possession with Comprehensive Privacy Preservation for Cloud Storage

Abstract

Provable Data Possession (PDP) protocol makes it possible for cloud users to check whether the cloud servers possess their original data without downloading all the data. However, most of the existing PDP schemes are based on either public key infrastructure (PKI) or identity-based cryptography, which will suffer from issues of expensive certificate management or key escrow. In this paper, we propose a new construction of certificateless provable group shared data possession (CL-PGSDP) protocol by making use of certificateless cryptography, which will eliminate the above issues. Meanwhile, by taking advantage of zero-knowledge protocol and randomization method, the proposed CL-PGSDP protocol leaks no information of the stored data and the group user’s identity to the verifiers during the verifying process, which is of the property of comprehensive privacy preservation. In addition, our protocol also supports efficient user revocation from the group. Security analysis and experimental evaluation indicate that our CL-PGSDP protocol provides strong security with desirable efficiency.

1. Introduction

In recent years, cloud computing [1] has received considerable attention from research communities in academia, as well as industry. As an important part of cloud computing, cloud storage has become a popular choice for people to deploy their data storage, which brings a number of benefits. Users are relieved of the burden of the management of a great deal of data. Furthermore, universal data access with independent geographical location is highly convenient.

However, a number of vulnerabilities that led to various attacks have left many potential users worried [2]. Thus, many researchers focus on creating trusted cloud services that provide the necessary security guarantees. Santos et al. [3] presented a trusted cloud-computing platform (TCCP), which offers a closed box execution environment for IaaS services. TCCP guarantees confidential execution of guest virtual machines. It also enables customers to attest to the IaaS provider and to determine if the service is secure before their VMs are launched into the cloud. In 2016, Paladi et al. [4] presented a security framework for cloud infrastructure. This framework included a trusted VM launching and a domain-based stored data protection protocols. The trusted VM launching protocol is used before deploying guest VMs, and trust is established by the remotely attesting host platform configuration. Meanwhile, the domain-based storage protection protocol ensures data confidentiality in remote storage by using cryptographic methods.

Furthermore, unlike traditional storage, the cloud stored data is outside of the control of the users, which entails security risks in terms of confidentiality, integrity, and availability of data and service [5]. One of the major concerns of cloud users is the integrity of their outsourced data. Moreover, the cloud server may not be fully trusted to report incidents of data loss in order to protect its reputation [6,7,8]. As a result, it is necessary for cloud users to periodically check whether their outsourced data are stored properly. Provable Data Possession (PDP) scheme is a primitive one that can be used to convince cloud users that their data are kept intact.

As is well known, it is impractical for cloud users to frequently download all the cloud data due to the expensive cost of bandwidth. Additionally, the traditional methods for data integrity checking, like hash function and Message Authorization Code (MAC), cannot be applied directly, because the cloud server may only store the hash code of the original data in order to reduce storage costs. In 2007, Ateniese et al. [9] proposed a provable data possession scheme to check the integrity of data, which employed RSA algorithm to construct homomorphic verifiable authenticators of the data blocks, meaning that the cloud servers were able to prove the data integrity with low communication overheads and computational costs. After that, many researchers proposed corresponding system models and security models based on the first PDP scheme. Later, the POR model was introduced in Juel et al. [10], which used an error-correcting code to establish a sentinel-based POR scheme. Shacham et al. [11] developed a proof of retrievability scheme based on the BLS signature [12], which not only eliminates the constraint on checking times, but also shortens the size of authenticator. In order to support the dynamic data operation on cloud data, Ateniese et al. [13] presented a scalable and efficient provable data possession scheme based on hash functions and symmetric key encryptions. The limitation is that this scheme cannot support data block insertion. Erway et al. [14] proposed a full-dynamic PDP Scheme by utilizing the authenticated flip table. Similarly, Cash et al. [15] proposed a dynamic POR scheme that relies on oblivious RAM protocols. Wang et al. [16] made further improvements to the previous dynamic PDP schemes by using Merkle hash tree (MHT). Liu et al. [17] introduced a top-down, levelled, multi-replica, MHT-based data auditing scheme for dynamic big data storage in the cloud, which supports fully dynamic data updates and authentication of block indices.

Public verifiability is one of the most important properties for PDP schemes, which means that external verifiers are able to check the integrity of cloud data. With this practical property, cloud users can delegate the rights to check data possession to a third-party auditor (TPA) to do the periodical checking job. However, data privacy may be leaked to the TPA during the checking process, which may cause financial loss for the users who have stored confidential or sensitive data on cloud servers. Recently, a number of schemes [16,18,19,20,21,22] have been developed that allow a TPA to check the integrity of the stored data. Wang et al. [20] proposed a privacy-preserving public cloud data auditing system by combining the public key-based homomorphic authenticator with random masking. This scheme explained the definition of data privacy against the TPA. Wang et al. [21] performed further study on data privacy preservation and proposed the notion of ‘zero-knowledge public auditing’ to defeat off-line guessing threat. Yu et al. [22] enhanced the privacy of remote data integrity-checking protocol for secure cloud storage. The aforementioned schemes [16,18,19,20,21,22] all work only in the public key infrastructure (PKI) [23]-based system, which may suffer from heavy public key management. Yu et al. [24] further presented an identity-based PDP scheme to eliminate heavy public key management. This scheme leaks no information of the stored data to the TPA, but cannot protect the privacy of the user’s identity. If the data is shared by a group of users, such as a company, the TPA will know all the details of the group users’ identities.

In order to reduce the complexity of the PDP scheme, many researchers [24,25,26,27] have focused on studying identity-based PDP schemes. By utilizing identity-based cryptography (IBC) [28], there is no need for a PKI to perform complex certificate management such as distribution, storage, revocation, and verification. Unfortunately, IBC has an inherent drawback of key escrow. Wang et al. [29] first proposed a certificateless public auditing mechanism for verifying data integrity in the cloud in order to eliminate the problem of key escrow. In this scheme, Key Generation Center will generate only the partial key, so that in any case it will not compromise the user’s private key. Li et al. [30] introduced a certificateless PDP scheme for shared group data, but it lost the privacy preservation of cloud data and the user’s identity to the TPA.

Motivation: In this paper, we mainly focus on preserving the privacy of group shared data against the third-party auditor (TPA) during the integrity checking process. Suppose there is a group of users from one company who share company data on a given cloud server. Each user of the group can upload and share their data on the cloud server. The manager of the group requires a TPA to periodically check the integrity of the outsourced data, but he does not allow the TPA to extract any information related to their data, not even the identity of the group users. Users of the group may leave the company, so the problem of user revocation from the group needs to be considered. Thus, we need a primitive to meet such requirements and to guarantee the integrity of the outsourced data on the cloud server.

Our contribution: The contributions of this paper are summarized as follows:

• First, we propose a new PDP protocol (CL-PGSDP) for group shared data by utilizing certificateless cryptography [31], which eliminates the problems of certificate management and key escrow.
• Second, by making use of the idea of zero-knowledge proof protocol, the equality of discrete logarithm [32,33,34], and randomization method, we construct a privacy-preserving CL-PGSDP protocol. On the one hand, our protocol leaks no information of the group shared data to the TPA. On the other hand, all the data blocks are signed by group users to get corresponding authentication tags, and the TPA cannot learn any identity information from the challenged data block during the auditing process.
• Third, based on CDH and DL assumptions, we provide detailed security proofs of our new protocol. Additionally, our protocol supports efficient group user revocation. We perform some experiments and show the practicality of our protocol.

Organization: The rest of the paper is organized as follows: In Section 2, we review some preliminaries used in CL-PGSDP construction. In Section 3, we formalize the system model and security model of CL-PGSDP protocol. We describe the concrete construction of the CL-PGSDP protocol in Section 4. We formally prove the correctness, soundness, and comprehensive privacy preservation of our protocol in Section 5. We report the performance and implementation results in Section 6. Section 7 concludes our paper.

2. Preliminaries

In this section, we review some preliminaries knowledge used in this paper, including bilinear pairing, certificateless Cryptography, zero-knowledge proof, and Complexity assumption.

2.1. Bilinear Pairing

Denote G₁ and G₂ as two multiplicative groups with the prime order $q$. g is a generator of group G₁. A function $\mathrm{e}:G_1\times G_1\to G_2$ is called a bilinear pairing [12] if it has the following properties:

• Bilinearity: For all $u,v\in G_1$. and $a,b\in Z_q$, $e(u^a,v^b)=e{(u,v)}^{ab}$ holds.
• Non-Degeneracy: $e(g,g)\ne 1_{G_2}$, in which $1_{G_2}$ is the identity of $G_2$.
• Efficient Computation: $e(u,v)$ can be computed efficiently for all. $u,v\in G_1$.

2.2. Certificateless Cryptography

A Certificateless Cryptography (CLC) [31] scheme is specified by seven randomized algorithms.

• Setup: This algorithm takes security parameter k as input and returns the system parameters $params$ and master-key.
• Partial-Private-Key-Extract: This algorithm takes $params$, master-key, and entity’s ID as inputs and returns a partial private key ${\mathrm{sk}}_{ID}$ for the entity.
• Set-Secret-Value: This algorithm takes $params$ and entity’s ID as inputs and outputs this entity’s secret value $y_{ID}$.
• Set-Private-Key: This algorithm takes $params$, entity’s ID, partial private key ${\mathrm{sk}}_{ID}$, and secret value $y_{ID}$ as inputs and outputs private key $S_{ID}$.
• Set-Public-Key: This algorithm takes $params$ and secret value $y_{ID}$ as inputs and outputs public key $Y_{ID}$.
• Encrypt: This algorithm takes $params$, message m, and public key $Y_{ID}$ as inputs and entity’s ID and generates ciphertext $\sigma$ of the message m if success.
• Decrypt: This algorithm takes $params$, $\sigma$, and $S_{ID}$ as inputs and returns message m.

By making use of certificateless cryptography, we will construct new authenticator of data block.

2.3. Zero-Knowledge Proof

Zero-knowledge proofs [33] are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Here, we introduce one of the zero knowledge protocol: equality of discrete logarithm [34]. Let $G$ be a finite cyclic group with the prime order $q$; $g_1$, $g_2$ are generators of $G$. The protocol shows that a prover (P) can prove to a verifier (V) that ${\log }_{g_1}{Y}_1={\log }_{g_2}{Y}_2$, $Y_1,Y_2\in G$ without leaking the secret key to V.

• P randomly chooses $\rho \in Z_q$, and computes $X_1=g_1^{\rho },X_2=g_2^{\rho }$, then sends $X_1,X_2$ to V.
• V also randomly chooses $\nu \in {\{0,1\}}^{\lambda }$ and sends $\nu$ to P.
• P computes $y=\rho -vx(\mathrm{mod}q)$, in which $x$ is the secret key of P, and returns $y$ to V.
• V accepts the proof if and only if $X_1=g_1^y{Y}_1^v$ and $X_2=g_2^y{Y}_2^v$.

2.4. Security Assumption

Discrete Logarithm (DL) problem [35]: $G_1$ is a multiplicative cyclic group, $g$ is a generator of $G_1$. Given $(g,g^a)\in G_1$, compute $a$.

Definition 1 (DL Assumption).

For any probabilistic polynomial time (PPT) algorithm $\mathrm{{\rm A}}$, the advantage for $\mathrm{{\rm A}}$ to solve the DL problem in $G_1$ is negligible, which can be defined as $Ad{v}_{\mathrm{{\rm A}}}^{Dl}=\mathrm{Pr}\left[A(g,g^a)=a:a\stackrel{R}{\leftarrow }{Z}_p^{*}\right]\le \epsilon$.

Computational Deffie-Hellman (CDH) Problem [36]: $G_1$ is a multiplicative cyclic group, $g$ is a generator of $G_1$. Given $(g,g^a,g^b)\in G_1$, compute $g^{ab}$.

Definition 2 (CDH Assumption).

For any PPT algorithm $\mathrm{{\rm A}}$, the advantage for $\mathrm{{\rm A}}$ to solve the CDH problem in $G_1$ is negligible, which can be defined as $Ad{v}_{\mathrm{{\rm A}}}^{CDH}=\mathrm{Pr}\left[A(g,g^a,g^{\mathrm{b}})=g^{ab}:a,b\stackrel{R}{\leftarrow }{Z}_p^{*}\right]\le \epsilon$.

The $\epsilon$ denotes a negligible value in the above definitions.

3. System Model and Security Model

In this section, we introduce the system model and security model of CL-PGSDP protocol.

3.1. CL-PGSDP System

The system model of our scheme is composed of three different entities: user group, cloud service provider (CSP), and the third party public auditor (TPA). Figure 1 illustrates the relationships and interactions among the three entities of the system. The user group includes numbers of users, who have large amount of data to be stored on cloud without keeping a local copy (each user is able to upload, access, and update the outsourced group shared data). We suppose one of the users is the group manager, who sets up the system and generates system parameters. The CSP has significant storage space and computation resources and provides data storage services for cloud users. The CSP could be semi-trusted and might even hide data corruption incidents to cloud users to maintain their good reputation. The TPA has expertise and capabilities to be delegated by the cloud users to check the data possession of the cloud, but the TPA is also curious in the sense that he is willing to learn some information during the data integrity checking procedure.

3.2. System Components

Eight algorithms are involved in CL-PGSDP system.

• Setup is a probabilistic algorithm run by the group manager. It takes a security parameter λ as input and outputs the system parameters $params$ and the master key $msk$.
• Partial-Private-Key-Gen is a probabilistic algorithm run by the group manager. It takes the master key $msk$, a random value $\delta$, and the identity $I{D}_i\in {\{0,1\}}^{*}$ of the user $u_i$ as inputs, and outputs the $u_i$’s partial private key $ps{k}_{I{D}_i}$.
• Secret-Value-Gen is a probabilistic algorithm run by the group user who randomly selects $y_{I{D}_i}$ as the secret value. Thus, the private key of the group user contains two parts: secret value $y_{I{D}_i}$ and partial private key $ps{k}_{I{D}_i}$.
• Public-Key-Gen is a probabilistic algorithm performed by the group user $u_i$ to compute the public key. It inputs the $u_i$’s secret value $y_{I{D}_i}$ and outputs the $u_i$’s public key $p{k}_{I{D}_i}$.
• Tag-Gen is a probabilistic algorithm executed by the group user $u_i$ to generate authentication tags for data blocks. It takes the $u_i$’s partial private key $ps{k}_{I{D}_i}$, the secret value $y_{I{D}_i}$, and the data block $m_j$ as inputs, and outputs the tag ${\sigma }_j$ of $m_j$.
• Challenge is a randomized algorithm run by the TPA. It takes the system parameters $params$, a unique file name, and the count $c$ of the challenged data blocks as inputs, and outputs the challenge information $chal$.
• Proof-Gen is a probabilistic algorithm run by cloud server to obtain a data possession proof P of the challenged blocks. The inputs include $chal$, the challenged data blocks and tags of the challenged data blocks.
• Proof-Check is a deterministic algorithm run by the TPA. It inputs the proof P, the challenge information $chal$, and the user’s public key. If P is correct, this algorithm outputs 1, otherwise it outputs 0.

3.3. System Security

We consider three security properties, namely, completeness, soundness, and comprehensive privacy preservation against the TPA in our CL-PGSDP protocol.

• Completeness means the cloud server can pass the possession checking procedure as long as the cloud server properly stores the group shared data.
• Comprehensive privacy preservation means that the TPA achieves no information on the data blocks and the user’s identity during the integrity checking procedure.
• Soundness states that whenever the cloud server convinces a TPA to accept its proof, the cloud server should actually store the challenged data blocks. According to certificateless cryptography [30,31], we consider three types of probabilistic polynomial-time (PPT) adversaries, namely, A₁, A₂, A₃, and a challenger C in our security model and define the security of our protocol by three games. The details are as follows:

Game 1: This game is played by challenger C and adversary A₁ who wants to substitute the user’s public key with any other value, but A₁ cannot access the master key of the system.

Setup: Challenger C runs the Setup algorithm to obtain the system parameters $params$ and the master secret key $msk$, and forwards $params$ to the adversary A₁, while keeps $msk$ confidential.

Queries: A₁ can adaptively issue the following queries to C. C maintains the corresponding query lists, which are initially empty, and responds to the queries to A₁ as follows.

(1)

Hash Query. A₁ makes hash function queries to C for any identity ID, and C responds to the hash values to A₁.

(2)

Partial Private Key Query. A₁ adaptively chooses different ID and summits it to C for querying the partial private key of the ID. C executes the Partial-Private-Key-Gen algorithm to obtain the partial private key for the ID and sends it to A₁.

(3)

Secret Value Query. A₁ adaptively chooses different ID and summits it to C for querying the secret value of the ID. C runs the Secret-value-Gen algorithm to generate the secret value for the ID and sends it to A₁.

(4)

Public Key Query. A₁ adaptively chooses different ID and summits it to C for querying the public key of the ID. C performs the algorithm Public-key-Gen to compute the public key for the ID and sends it to A₁.

(5)

Public Key Replacement. A₁ can repeatedly select a value to replace the public key of any ID.

(6)

Tag Query. A₁ adaptively chooses the tuple (ID, $m$) and submits it to C for querying the tag of the data block $m$. C runs Tag-Gen algorithm to generate the tag of data block $m$ and sends it to A₁.

Forge: Finally, A₁ outputs a forged tag $\sigma$ for the $m$ with the identity $ID$ and the public key $p{k}_{ID}$.

If the forged tag $\sigma$ is valid after the above queries, then A₁ wins the game.

Game 2: This game is played by challenger C and adversary A₂ who is able to get the master key but cannot substitute the group user’s public key.

Setup: Challenger C runs the Setup algorithm to obtain the system parameters $params$ and the master secret key $msk$, and forwards $params$ and $msk$ to the adversary A₂.

Queries: A₂ can make a number of queries to C adaptively. C maintains the corresponding query lists, which are initially empty, and responds to the queries to A₂ as follows.

(1)

Hash Query. A₂ makes hash function queries to C for any identity ID, and C responds the hash values to A₂.

(2)

Secret Value Query. A₂ adaptively chooses different ID and summits it to C for querying the secret value of the ID. C runs the Secret-value-Gen algorithm to generate the secret value for the ID and sends it to A₂.

(3)

Public Key Query. A₂ adaptively chooses different ID and summits it to C for querying the public key of the ID. C performs the algorithm Public-key-Gen to compute the public key for the ID and sends it to A₂.

(4)

Tag Query. A₂ adaptively chooses the tuple (ID, $m$) and submits it to C for querying the tag of the data block $m$ generated by the ID. C runs Tag-Gen algorithm to generate the tag of data block $m$ and sends it to A₂.

Forge: Finally, A2 outputs a forged tag $\sigma$ for the $m$ with the identity $ID$.

If the forged tag $\sigma$ is valid after the above queries, then A₂ wins the game.

Definition 3.

A CL-PGSDP scheme is secure against adaptive impersonation and forging tag attacks if any PPT adversary A (A₁ or A₂) who plays the above games with the challenger C has only negligible probability $\epsilon$ of winning the games, that is,

$$\mathrm{Pr}(A_{win})\le \epsilon$$

in which the probability $\epsilon$ is taken over all coin tosses made by A and C.

Game 3: This game is played by challenger C and adversary A₃ who aims to forge the data integrity proof to cheat the TPA. A₃ is regarded as the untrusted CSP. From the Definition 3, we know that it is hard to forge the tag of single data block. Thus, we will focus on the issue of whether A₃ can forge the integrity proof without correct data to pass the challenge.

Setup: Challenger C runs the Setup algorithm to obtain the system parameters $params$, the master secret key $msk$, and partial private key for all users, and only forwards $params$ to the adversary A₃.

Tag Queries: A₃ adaptively chooses the tuple (ID, m) and sends it to C for querying the tag of data block m. C runs the algorithm Tag-Gen to generate the tag of m and returns it to A_3.

Challenge: C makes a random challenge $chal$ to A₃ and requests A₃ to provide the corresponding data possession proof for $chal$.

Forge: For the challenge $chal$, A₃ generates a proof and sends it to C. If the proof can pass the integrity verification while A₃ does not possess the correct data, A₃ wins the game.

Definition 4. 

A CL-PGSDP scheme is secure against adaptive impersonation and forging proof attacks if any PPT adversary A who plays Game 3 with the challenger C has only negligible probability $\epsilon$ of winning the games, that is,

$$\mathrm{Pr}(A_{win})\le \epsilon$$

in which the probability $\epsilon$ is taken over all coin tosses made by A and C.

4. Our Construction

In this section, we provide a concrete construction of certificateless provable group shared data possession protocol supporting comprehensive privacy preservation for cloud storage. We suppose the number of users in the group is z, and ${\mathrm{ID}}_i$ represent the unique identity of the user $u_i$, in which $1\le i\le z$. Without losing the generality, we set $u_1$ as the group manager who will set up system and generate system parameters and the partial private keys for other users. The group shared data M is split into n blocks, denoted as $M=\left\{m_j\right|1\le j\le n,m_j\in Z_q^{*}\}$. In the Partial-Private-Key-Gen algorithm, we employ short signature [12] and randomization method to produce the partial private key for each user of the group. In the Tag-Gen algorithm, we take the advantage of the idea of certificateless cryptography [31] to construct the tags of the data blocks using the partial private key and the secret value. In the challenge phase, the TPA randomly chooses some indexes of the data blocks and corresponding random values as a challenge to the CSP. In the proof generating phase, the CSP computes a response to the TPA. We utilize the idea of zero knowledge proof [33,34] to design the details of the interaction between the TPA and the CSP. The details of the proposed protocol are as follows:

• Setup. This algorithm is run by $u_1$. On input of security parameter $\lambda$, $u_1$ chooses two cyclic multiplicative groups, $G_1$ and $G_2$, with prime order $q$, ${\log }_{2}q\le \lambda$. $g$ is a generator of $G_1$. There exists a bilinear map $e:G_1\times G_1\to G_2$. $u_1$ selects three secure hash functions $H_1,H_2:{\{0,1\}}^{*}\to G_1$, $H_3:G_2\to {\{0,1\}}^l$, a pseudo-random permutation (PRP) $\pi :Z_q^{*}\times \left\{1,\dots ,\mathrm{n}\right\}\to \left\{1,\dots ,\mathrm{n}\right\}$, and a pseudo-random function (PRF) $\varphi :Z_q^{*}\times Z_q^{*}\to Z_q^{*}$. $u_1$ initializes a public log file $LF$, which is used to record the information of the indexes of the data blocks and the information of the corresponding tag generators. $u_1$ randomly chooses $x\in Z_q^{*}$ as master secret key $msk$ and $\delta \in Z_q^{*}$ as secret value, and computes $P_{pub}=g^x$. $u_1$ keeps the master secret key $msk$ and $\delta$ privately, and publishes the system parameters $params=\{G_1,G_2,P_{pub},H_1,H_2,H_3,e,g,q,LF,\pi ,\varphi \}$.
• Partial-Private-Key-Gen. This algorithm is run by $u_1$. When receiving the identity $I{D}_i\in {\{0,1\}}^{*}$ of the user $u_i$, $u_1$ computes the $u_i$’s partial private key $ps{k}_{I{D}_i}={\mathrm{H}}_1{(I{D}_i+\delta )}^x$ and sends $ps{k}_{I{D}_i}$ and ${\mathrm{H}}_1(I{D}_i+\delta )$ to $u_i$.
• Secret-Value-Gen. This algorithm is run by group user. $u_i$ randomly selects $y_{I{D}_i}\in Z_q^{*}$ as the secret value and keeps it privately.
• Public-Key-Gen. This algorithm is run by group user. $u_i$ uses the secret value to compute the public key $Y_{I{D}_i}=g^{y_{I{D}_i}}$.
• Tag-Gen. Each user in group can generate tags of data blocks using partial private key and secret value. Suppose user $u_i(0<i\le z)$ generates an authentication tag for data block $m_j(0<j\le n)$. It takes $u_i$’s partial private key $ps{k}_{I{D}_i}$, the secret value $s_{I{D}_i}$, and the data block $m_j$ as inputs and outputs the tag ${\sigma }_j$ of $m_j$. The equation for computing tag is ${\sigma }_j=ps{k}_{I{D}_i}{}^{m_j}\cdot H_2{({\omega }_j)}^{y_{I{D}_i}}$, in which ${\omega }_j=j\left|\right|fname$, $j$ is the index of data block $m_j$, and $fname$ denotes the unique identity of data block $m_j$. Each time the $u_i$ generates a tag for data block $m_j$, $u_i$ will update the information in public log file $LF$ with the index $j$ of $m_j$, $Y_{I{D}_i}$, and $H_1(I{D}_i+\delta )$. Actually, $LF$ is a table, and one line of it can be showed as follows:

  j

  $H_1(I{D}_i+\delta )$

  $Y_{I{D}_i}$

• The user $u_i$ uploads the data blocks and its tags to the CSP. The CSP can check the validation of each tag using the following equation:

  $$e({\sigma }_j,g)=e(H_1{(I{D}_i+\delta )}^{m_j},P_{pub})\cdot e(H_2({\omega }_j),Y_{I{D}_i})$$

  (1)
• Challenge. This algorithm is run by the TPA, who randomly picks c-element subset $J$ of the set $[1,n]$ by pseudo-random permutation (PRP) $\pi$; each element in $J$ denotes the index of the challenged data block. The TPA chooses a random element ${\upsilon }_j\in Z_q^{*}$ for each element in $J$ by pseudo-random function (PRF) $\varphi$. Let $Q$ be the set ${\{(j,{\upsilon }_j)\}}_{j\in \mathrm{J}}$. To generate a challenge, the TPA will search the log file $LF$ according the set $J$ to get the information $\{(j,H_1(I{D}_i+\delta ))\}$. The TPA picks a random value $t\in Z_q^{*}$ as secret value and computes $T_1=g^t$, $T_{2j}=e{(H(I{D}_i+\delta ),P_{pub})}^t$. Let $T_2=\left\{T_{2j}\right\},j\in J$. The TPA sends the $chal=\{Q,T_1,T_2\}$ to the server.
• Proof-Gen. Upon receiving the $chal=\{Q,T_1,T_2\}$, the CSP computes $\mu ={\displaystyle \prod _{j\in J}{T}_{2j}{}^{{\upsilon }_j{m}_j}}$, $\sigma ={\displaystyle \prod _{j\in J}{\sigma }_j{}^{{\upsilon }_j}}$ and $proof=H_3(e(\sigma ,T_1)\cdot {\mu }^{-1})$, then sends $proof$ as a response to the $chal$ from the TPA.
• Proof-Check. Upon receiving the $proof$ from the CSP, the TPA first searches the publish log file $LF$ to get the information $\{(j,Y_{I{D}_i})\}$ and checks the equation:

  $$proof=H_3({\displaystyle \prod _{\begin{array}{l}j\in J\\ \mathrm{j}\to i\end{array}}e(H_2{(j||fname)}^{{\upsilon }_j},Y_{I{D}_i}^t)})$$

  in which $j\to i$ means the information of $u_i$ can be find from public log file $LF$ by the index $j$ of data block $m_j$. If the equation holds, the TPA accepts the proof; otherwise, the proof is invalid. The process of Challenge, Proof-Gen, and Proof-Check are summarized as Figure 2.
• Revocation-Tag-Gen. If user $u_m$, $2\le m\le z$ leaves the group, and user $u_n$ will be the successor of $u_m$. The following procedure will efficiently update the tags generated by $u_m$. It needs $u_m$, $u_n$ and the CSP online simultaneously.

  (1)

  The CSP randomly selects $\alpha \in Z_q^{*}$, and sends it to $u_n$.

  (2)

  Upon receiving $\alpha$, $u_n$ computes $(K_1={(ps{k}_{I{D}_n})}^{\frac{1}{y_{I{D}_n}}},K_2=\alpha \cdot y_{I{D}_n})$ and sends $(K_1,K_2)$ to $u_m$.

  (3)

  $u_m$ computes $(R_1=\frac{K_1{}^{y_{I{D}_m}}}{s{k}_{I{D}_m}},R_2=\frac{K_2}{y_{I{D}_m}})$ and sends it to the CSP.

  (4)

  When receiving $(R_1,R_2)$, the CSP computes $R_3=\frac{R_2}{\alpha }=\frac{y_{I{D}_{\mathrm{n}}}}{y_{I{D}_m}}$. The CSP will update the tag of the data block $m_{i^{\prime }}$ by computing the equation ${\sigma }_{i^{\prime }}^{\prime }={(R_1{}^{m_{i^{\prime }}}\cdot {\sigma }_{i^{\prime }})}^{R_3}$, in which ${\sigma }_{i^{\prime }}$ is the tag generated by $u_m$. The proof of the correctness of algorithm Revocation-Tag-Gen is as follows:

  $$\begin{array}{cc}\hfill {\sigma }_{i^{\prime }}^{\prime }& ={(R_1{}^{m_{i^{\prime }}}\cdot {\sigma }_{i^{\prime }})}^{R_3}={\left({\left(\frac{s{k}_{I{D}_n}{}^{\frac{y_{I{D}_m}}{y_{I{D}_n}}}}{s{k}_{I{D}_m}}\right)}^{m_{i^{\prime }}}\cdot s{k}_{I{D}_m}{}^{m_{i^{\prime }}}\cdot H_2{({\omega }_{i^{\prime }})}^{y_{I{D}_m}}\right)}^{{}^{\frac{y_{I{D}_n}}{y_{I{D}_m}}}}\hfill \\ & ={\left({\left(s{k}_{I{D}_n}{}^{\frac{y_{I{D}_m}}{y_{I{D}_n}}}\right)}^{m_{i^{\prime }}}\cdot H_2{({\omega }_{i^{\prime }})}^{y_{I{D}_m}}\right)}^{{}^{\frac{y_{I{D}_n}}{y_{I{D}_m}}}}=s{k}_{I{D}_n}{}^{m_{i^{\prime }}}\cdot H_2{({\omega }_{i^{\prime }})}^{y_{I{D}_n}}\hfill \end{array}$$

5. Security Analysis of the New Protocol

In this section, we show that our protocol is secure with the properties of completeness, soundness, and comprehensive privacy preservation.

5.1. Completeness

If the CSP properly stores data, it can always pass the verification. The completeness of the protocol can be demonstrated as follows:

$$\begin{array}{cc}\hfill proof& =H_3(e(\sigma ,T_1)\cdot {\mu }^{-1})=H_3\left(\frac{e(\sigma ,T_1)}{{\displaystyle \prod _{j\in J}{T}_{2j}{}^{v_j{m}_j}}}\right)=H_3\left(\frac{e(\sigma ,T_1)}{{\displaystyle \prod _{\begin{array}{l}j\in J\\ j\to i\end{array}}e{(H_1(I{D}_i+\delta ),P_{pub})}^{t{v}_j{m}_j}}}\right)\hfill \\ & =H_3\left(\frac{e({\displaystyle \prod _{j\in I}{\sigma }_j{}^{v_j}},T_1)}{{\displaystyle \prod _{\begin{array}{l}j\in J\\ j\to i\end{array}}e{(ps{k}_{I{D}_i},T_1)}^{v_j{m}_j}}}\right)=H_3\left({\displaystyle \prod _{\begin{array}{l}j\in J\\ j\to i\end{array}}\frac{e({\sigma }_j{}^{v_j},T_1)}{e(ps{k}_{I{D}_i}{}^{m_j},T_1{}^{v_j})}}\right)=H_3\left({\displaystyle \prod _{\begin{array}{l}j\in J\\ j\to i\end{array}}e(\frac{{\sigma }_j}{ps{k}_{I{D}_i}{}^{m_j}},T_1{}^{v_j})}\right)\hfill \\ & =H_3\left({\displaystyle \prod _{\begin{array}{l}j\in J\\ j\to i\end{array}}e(H_2{({\omega }_j)}^{y_{I{D}_i}},g^{t{v}_j})}\right)=H_3\left({\displaystyle \prod _{\begin{array}{l}j\in J\\ j\to i\end{array}}e(H_2{({\omega }_j)}^{v_j},g^{t{y}_{I{D}_i}})}\right)=H_3\left({\displaystyle \prod _{\begin{array}{l}j\in J\\ j\to i\end{array}}e(H_2{({\omega }_j)}^{v_j},Y_{I{D}_i}^t)}\right)\hfill \end{array}$$

5.2. Soundness

Theorem 1. 

In the random oracle model, if a PPT adversary A₁ wins Game 1 defined in Section 3 with non-negligible probability $\epsilon$, then there is an algorithm $B$ that can solve the CDH problem.

Proof of Theorem 1. 

Algorithm $B$ is given $(g,g^a,g^b)\in G_1$; its goal is to output $g^{ab}\in G_1$. Algorithm $B$ simulates the challenger and interacts with as A₁ follows.

Setup:$B$ produces the system parameters $params$, secret key $\delta \in Z_q^{*}$, and sets $P=g^a$, while $a$ keeps unknown.

H₁-Query: At any time, A₁ can query the random oracle H₁. To respond to these queries, algorithm $B$ maintains a list of tuples $(ID,k_1,K)$ as Tab₁. When A₁ queries the oracle H₁ at the identity $I{D}^{\prime }$, Algorithm $B$ responds as follows:

(1)

If $I{D}^{\prime }\in Ta{b}_1$, then algorithm $B$ retrieves the tuple $(I{D}^{\prime },k_1{}^{\prime },K^{\prime })$ and responds with $K^{\prime }$ to A₁.

(2)

Otherwise, $B$ picks a random $k_1{}^{\prime }\in Z_q^{*}$ and computes $K^{\prime }=g^{\mathrm{b}{k}_1{}^{\prime }}$. Then, it adds the tuple $(I{D}^{\prime },k_1{}^{\prime },K^{\prime })$ to Tab₁ and responds with $K^{\prime }$ to A₁.

PartialKey-Query: At any time, A₁ can query partial key for any identity $I{D}^{\prime }$. If $I{D}^{\prime }\notin Ta{b}_1$, $B$ makes the H₁-Query. Otherwise, $B$ maintains a list of tuples $(ID,psk)$ as Tab₂. When A₁ queries the oracle PartialKey-Query at the identity, Algorithm $B$ responds as follows:

(1)

If $I{D}^{\prime }\in Ta{b}_2$, then algorithm $B$ retrieves the tuple $(I{D}^{\prime },ps{k}^{\prime })$ and responds $ps{k}^{\prime }$ to A₁.

(2)

Otherwise, $B$ computes $ps{k}^{\prime }={(K^{\prime })}^a$. Then, it adds the tuple $(I{D}^{\prime },ps{k}^{\prime })$ to Tab₂ and responds $ps{k}^{\prime }$ to A₁.

SecretValue-Query: At any time, A₁ can query secret value for any identity $I{D}^{\prime }$, if $I{D}^{\prime }\notin Ta{b}_1$ or $I{D}^{\prime }\notin Ta{b}_2$. $B$ firstly makes the H₁-Query or PartialKey-Query for the identity $I{D}^{\prime }$. Then, $B$ randomly chooses a value $x^{\prime }\in Z_q^{*}$ as response to A₁.

PublicKey-Query: At any time, A₁ can query public key for any identity $I{D}^{\prime }$, if $I{D}^{\prime }\notin Ta{b}_1$ or $I{D}^{\prime }\notin Ta{b}_2$. $B$ first makes the H₁-Query or PartialKey-Query for the identity $I{D}^{\prime }$. Then, $B$ computes $P{K}^{\prime }=g^{x^{\prime }}$, in which $x^{\prime }$ is the secret value from SecretValue-Query and responds $P{K}^{\prime }$ to A₁.

H₂-Query: At any time, A₁ can query the random oracle H₂ for ${\omega }^{\prime }$. Algorithm $B$ also maintains a list of tuples $(\omega ,W)$ as Tab₃. If ${\omega }^{\prime }\in Ta{b}_3$, then algorithm $B$ retrieves the tuple $({\omega }^{\prime },W^{\prime })$ and responds $W^{\prime }$ to A₁. Otherwise, $B$ randomly selects $k_2\in Z_q^{*}$ and computes $W^{\prime }=g^{k_2}$. Then, it adds the tuple $({\omega }^{\prime },W^{\prime })$ to Tab₃ and responds $W^{\prime }$ to A₁.

Tag-Query: At any time, A₁ can query tag with $(m^{\prime },I{D}^{\prime })$. $B$ first checks whether $I{D}^{\prime }\in Ta{b}_1$, $I{D}^{\prime }\in Ta{b}_2$, and ${\omega }^{\prime }\in Ta{b}_3$. If not, $B$ will compute corresponding tuple and update Tab₁, Tab_2, and Tab₃. After that, $B$ can get corresponding information from Tab₁, Tab_2, and Tab₃ and compute the tag $T^{\prime }$ for $({\omega }^{\prime },m^{\prime },I{D}^{\prime })$ by the algorithm Tag-Gen and returns it to A₁.

Forge: Eventually, A₁ outputs $(I{D}^{\prime },K^{\prime },ps{k}^{\prime },x^{\prime },P{K}^{\prime },W^{\prime },m^{\prime },T^{\prime })$. $T^{\prime }$ is the forged tag of the data block $m^{\prime }$ on the identity $I{D}^{\prime }$ with the public key $P{K}^{\prime }$.

Analysis: If A₁ wins Game 1, on the one hand, $B$ can get

$$e(T^{\prime },g)=e(H_1{(I{D}^{\prime }+\delta )}^{m^{\prime }},P)\cdot e(H_2({\omega }^{\prime }),P{K}^{\prime })$$

according to the verification Equation (1). On the other hand, $B$ can retrieve $H_1(I{D}^{\prime }+\delta )=g^{b{k}_1{}^{\prime }}$ from Tab₁ and $H_2({\omega }^{\prime })=g^{k_2}$ from Tab₃. Thus, $B$ gets $e(T^{\prime },g)=e(g^{b{k}_1{}^{\prime }}{}^{m^{\prime }},g^a)\cdot e(g^{k_2},P{K}^{\prime })$. Finally, we can derive that

$$g^{ab}={\left(\frac{T^{\prime }}{{(P{K}^{\prime })}^{k_2}}\right)}^{\frac{1}{k_1^{\prime }{m}^{\prime }}}$$

which means that $B$ can solve the CDH problem with non-negligible probability $\epsilon$. However, according to CDH assumption, the advantage for $B$ to solve the CDH problem in $G_1$ is negligible. Thus, A₁ cannot win Game 1. This completes the proof. ☐

Theorem 2. 

In the random oracle model, if a PPT adversary A₂ wins Game 2 defined in Section 3 with non-negligible probability $\epsilon$, then algorithm $B$ can solve the CDH problem.

Proof of Theorem 2. 

Algorithm $B$ is given $(g,g^a,g^b)\in G_1$; its goal is to output $g^{ab}\in G_1$. Algorithm $B$ simulates the challenger and interacts with as A₂ follows.

Setup:$B$ produces the system parameters $params$, secret key $\delta \in Z_q^{*}$, and sets $P=g^s$, in which $s$ is master key. $B$ sends $params$, $\delta$, $s$, and $P$ to A₂.

H₁-Query: At any time, A₂ can query the random oracle H₁. To respond to these queries, algorithm $B$ maintains a list of tuples $(ID,l_1,L)$ as Tab₁. When A₂ queries the oracle H₁ at the identity $I{D}^{\prime }$, Algorithm $B$ responds as follows:

(1)

If $I{D}^{\prime }\in Ta{b}_1$, then algorithm $B$ retrieves the tuple $(I{D}^{\prime },l_1{}^{\prime },L^{\prime })$ and responds with $L^{\prime }$ to A₂.

(2)

Otherwise, $B$ picks a random $l_1{}^{\prime }\in Z_q^{*}$ and computes $L^{\prime }=g^{l_1{}^{\prime }}$. Then, it adds the tuple $(I{D}^{\prime },l_1{}^{\prime },L^{\prime })$ to Tab₁ and responds with $L^{\prime }$ to A₂.

SecretValue-Query: Because A₂ knows the master key, there is no need for A₂ to query the partial key. At any time, A₂ can query secret value for any identity $I{D}^{\prime }$. If $I{D}^{\prime }\notin Ta{b}_1$, $B$ makes the H₁-Query. Otherwise, $B$ maintains a list of tuples $(ID,y,Y)$ as Tab₂. When A₂ queries the oracle SecretValue-Query at the identity $I{D}^{\prime }$, Algorithm $B$ responds as follows:

(1)

If $I{D}^{\prime }\in Ta{b}_2$, then algorithm $B$ retrieves the tuple $(I{D}^{\prime },y^{\prime },Y^{\prime })$ and responds with $y^{\prime }$ to A₂.

(2)

Otherwise, $B$ randomly selects $l_2\in Z_q^{*}$ and makes $y^{\prime }=l_2$. Then, it adds the tuple $(I{D}^{\prime },y^{\prime })$ to Tab₂ and responds with $y^{\prime }$ to A₂.

PublicKey-Query: At any time, A₂ can query public key for any identity $I{D}^{\prime }$, if $I{D}^{\prime }\notin Ta{b}_1$ or $I{D}^{\prime }\notin Ta{b}_2$. $B$ first makes the H₁-Query or PartialKey-Query for the identity $I{D}^{\prime }$. Then, $B$ computes $Y^{\prime }=g^{a{y}^{\prime }}=g^{a{l}_2}$, in which $y^{\prime }$ is the secret value from SecretValue-Query, and updates Tab₂. $B$ responds with $Y^{\prime }$ to A₂.

H₂-Query: At any time, A₂ can query the random oracle H₂ for ${\omega }^{\prime }$. Algorithm $B$ also maintains a list of tuples $(\omega ,W)$ as Tab₃. If ${\omega }^{\prime }\in Ta{b}_3$, then algorithm $B$ retrieves the tuple $({\omega }^{\prime },W^{\prime })$ and responds $W^{\prime }$ to A₂. Otherwise, $B$ randomly selects $l_3\in Z_q^{*}$ and computes $W^{\prime }=g^{b{l}_3}$. Then, it adds the tuple $({\omega }^{\prime },W^{\prime })$ to Tab₃ and responds with $W^{\prime }$ to A₂.

Tag-Query: At any time, A₂ can query tag with $(m^{\prime },I{D}^{\prime },{\omega }^{\prime })$. $B$ first checks whether $I{D}^{\prime }\in Ta{b}_1$, $I{D}^{\prime }\in Ta{b}_2$, and ${\omega }^{\prime }\in Ta{b}_3$. If not, $B$ will compute corresponding tuple and updates Tab₁, Tab_2, and Tab₃. After that, $B$ can get corresponding information from Tab₁, Tab_2, and Tab_3, and computes the tag $T^{\prime }$ for $({\omega }^{\prime },m^{\prime },I{D}^{\prime })$ using the algorithm Tag-Gen and returns it to A₂.

Forge: Eventually, A₂ outputs $(T^{\prime },{\omega }^{\prime },m^{\prime },I{D}^{\prime })$. $T^{\prime }$ is the forged tag of the data block $m^{\prime }$ on the identity $I{D}^{\prime }$.

Analysis: If A₂ wins Game 2, on the one hand, $B$ can get

$$e(T^{\prime },g)=e(H_1{(I{D}^{\prime }+\delta )}^{m^{\prime }},P)\cdot e(H_2({\omega }^{\prime }),Y^{\prime })$$

according to the verification Equation (1). On the other hand, $B$ can retrieve $H_1(I{D}^{\prime }+\delta )=g^{l_1{}^{\prime }}$ from Tab₁, $Y^{\prime }=g^{a{l}_2{}^{\prime }}$ from Tab₂, and $H_2({\omega }^{\prime })=g^{b{l}_3}$ from Tab₃. Thus, $B$ gets $e(T^{\prime },g)=e(g^{{l_1}^{\prime }}{}^{m^{\prime }},P)\cdot e(g^{b{l}_3},g^{a{l}_2^{}})$. Finally, we can derive that

$$g^{ab}={\left(T^{\prime }\right)}^{\frac{1}{l_1^{\prime }{l}_2^{}{l}_3^{}{\mathrm{sm}}^{\prime }}}$$

which means that $B$ can solve the CDH problem with non-negligible probability $\epsilon$. However, according to CDH assumption, the advantage for $B$ to solve the CDH problem in $G_1$ is negligible. Thus, A₂ cannot win Game 2. This completes the proof. ☐

Theorem 3. 

If the DL assumption holds, the adversary A₃ wins Game 3 only at negligible probability.

Proof of Theorem 3. 

Let the challenge information be $chal=\{Q,T_1,T_2\}$. If A₃ outputs $proo{f}^{\prime }$ and wins Game 3 at non-negligible probability, we can get the verification equation:

$$proo{f}^{\prime }=H_3(e({\sigma }^{\prime },T_1)\cdot {\mu }^{\prime }{}^{-1})=H_3({\displaystyle \prod _{j\in I}e(H_2{(j||fname)}^{{\upsilon }_j},Y_{I{D}_i}^t)})$$

in which ${\sigma }^{\prime }$ is the forged tag for the forged data block $m^{\prime }$ and ${\mu }^{\prime }$ is produced by A₃. Assume the real proof is $proof$ and the corresponding information is $(\sigma ,\mu )$. We also get the verification equation:

$$proof=H_3(e(\sigma ,T_1)\cdot {\mu }^{-1})=H_3({\displaystyle \prod _{j\in I}e(H_2{(j||fname)}^{{\upsilon }_j},Y_{I{D}_i}^t)})$$

Thus, we can derive from the above two verification equations that

$$\frac{e(\sigma ,T_1)}{e({\sigma }^{\prime },T_1)}=\frac{\mu }{{\mu }^{\prime }}$$

Because A₃ wins the Game 3, there exists $\sigma ={\sigma }^{\prime }$ and at least one data block $m_j\ne m_j{}^{\prime }$. Suppose $m_j-m_j{}^{\prime }=\Delta m_j$. Then, we get $\frac{\mu }{{\mu }^{\prime }}=1$, which is $\frac{{\displaystyle \prod _{j\in I}{T}_{2j}{}^{{\upsilon }_j{m}_j}}}{{\displaystyle \prod _{j\in I}{T}_{2j}{}^{{\upsilon }_j{m}_j{}^{\prime }}}}=1$. We can get ${\displaystyle \prod _{j\in I}{T}_{2j}{}^{{\upsilon }_j\Delta m_j}}=1$. Based on this conclusion, the DL problem can be solved as follows: Given two elements $g,y\in G_1$ in which $y=g^a$, we will compute $a\in Z_q{}^{*}$. We randomly select ${\alpha }_j,{\beta }_j\in Z_q^{*}$ and let $T_{2j}{}^{{\upsilon }_j}{=\mathrm{X}}_j=g^{{\alpha }_j}{y}^{{\beta }_j}$. We can get following equation:

$${\displaystyle \prod _{j\in I}{T}_{2j}{}^{{\upsilon }_j\Delta m_j}}={\displaystyle \prod _{j\in I}{X}_j{}^{\Delta m_j}}={\displaystyle \prod _{j\in I}{(g^{{\alpha }_j}{y}^{{\beta }_j})}^{\Delta m_j}}=g^{{\displaystyle \sum _{j\in I}{\alpha }_j\Delta m_j}}{y}^{{\displaystyle \sum _{j\in I}{\beta }_j\Delta m_j}}=1$$

Then, we can derive $y=g^{-\frac{{\displaystyle \sum _{j\in I}{\alpha }_j\Delta m_j}}{{\displaystyle \sum _{j\in I}{\beta }_j\Delta m_j}}}$. Since $\Delta m_j\ne 0$, ${\beta }_j$ is the random value from $Z_q{}^{*}$, so the probability of ${\displaystyle \sum _{j\in I}{\beta }_j\Delta m_j}=0$ is only $\frac{1}{q}$. Therefore, we can output the right value of $a$ with non-negligible probability $1-\frac{1}{q}$. This completes the proof. ☐

5.3. Comprehensive Privacy Preservation

5.3.1. Data Privacy Preservation

Upon receiving the challenge from the TPA, the cloud server responds with the proof: $proof=H_3(e(\sigma ,T_1)\cdot {\mu }^{-1})$, in which we hide the information of $\sigma$ and $\mu$ using hash function H₃. Furthermore, the TPA just needs to check the following equation: $proof=H_3({\displaystyle \prod _{\begin{array}{l}j\in J\\ \mathrm{j}\to i\end{array}}e(H_2{(j||fname)}^{{\upsilon }_j},Y_{I{D}_i}^t)})$, without knowing any information about data file blocks $\left\{m_i\right\}$ or their corresponding tags $\left\{{\sigma }_i\right\}$.

5.3.2. User Identity Privacy Preservation

In CL-PGSDP protocol, we design a log file that is used to record the information of the index of data block and the information of its tag generator, including the hash value $H_1(I{D}_i+\delta )$ and the public key $Y_{I{D}_i}$ of user $u_i$. During the auditing process, the TPA gets the hash value $H_1(I{D}_i+\delta )$ for the challenged data block $m_j$ from the log file. Because the user identity is randomized by $\delta \in Z_q^{*}$ in Partial-Private-Key-Gen, it is impossible for the TPA to obtain user’s real identity. Therefore, the user identity cannot be known by the TPA.

6. Performance and Implementation

In this section, we give the performance analysis and experimental results of our protocol.

6.1. Performance Analysis

We summarize the computational and the communicational cost of our protocol as follows.

Computational cost: For simplicity, we denote by Exp_G2 and Exp_G2 the exponentiations in G₁ and G₂, by Mult_G1 and Mult_G2 the multiplication in G₁ and G₂, by P the pairing computation, and by H the map-to-point hash function, respectively. The original hash function, PRF and PRP operation, addition and multiplication on $Z_q^{*}$, and so on are omitted in our evaluation, because the computational cost of them is negligible. Suppose the data is split into n blocks. The main computation of the group manager is generating system parameters and partial private key for each group user. Thus, the main computational cost is 2Exp_G1 + H. The primary computation of group users is generating tags for data blocks, which is the most expensive operation in our protocol, but fortunately part of it can be done offline. The cost of group users is (2n + 1) Exp_G1 + nH. The dominated computation of the TPA is generating a challenge and checking the validity of a proof. We suppose all the group users have generated tags and the challenge involves their corresponding tags. Thus, the cost for the TPA is zP + zExp_G2 + Exp_G1 at most for one challenge. When checking a proof, the cost for the TPA is 2cExp_G1 + cP_G1 + cH + (c − 1) Exp_G2. The main computational cost for the CSP is to generate a proof for a challenge, and the total cost is (2c − 1) Mult_G1 + cMult_G2 + cExp_G2 + cExp_G1 + P. We make a detailed comparison with Li’s protocol [30] in

Table 1. Comparison with Li [30].

	Li [30]	Our CL-PGSDP
Tag Generation cost	2nExpG1 + nH	2nExpG1 + nH
Challenge cost	Negligible cost	zP + zExpG2 + ExpG1
Proof Generation cost	cExpG1 + (c − z) MultG1	(2c − 1) MultG1 + cMultG2 + cExpG2 + cExpG1 + P
Proof-Check cost	(z + 2) P + (c + d) ExpG1 + (c + 2d) MultG1 + dMultG2	2cExpG1 + cPG1 + cH + (c − 1) ExpG2
Working scenario	Group data	Group data
Support data privacy-preserving	No	Yes
Support user identity privacy-preserving	No	Yes

.

Communicational cost: In the challenge phase, the TPA summits $chal=\{Q,T_1,T_2\}$ to the CSP. The CSP responds with a proof to the TPA that is a hash value from H₃. Thus, the communicational cost is $2c{\log }_2\lambda +(c+1){\log }_{2}q+l$.

6.2. Experimental Results

To evaluate the efficiency of our proposed protocol, we conduct experiments on Ubuntu 16.04 operation system with Intel i5-6200CPU @ 2.40 GHz and 4 GB memory. We implement the algorithm in C with the Pairing-based Cryptography (PBC) library [37] and the GNU Multiple Precision Arithmetic (GMP) library [38]. We utilize the parameter a.param, which provides a symmetric pairing with the fastest speed among all default parameters. The implementation time overhead of the protocol is displayed in following two parts.

In the first part, we carry out an experiment to evaluate the tag generation cost of our protocol. We set the number of the group users at 50, and the size of data ranges from 0.2 MB to 2 MB. The order of $G_1$ is set at 160-bit, which has the equivalent security level of 1024-bit RSA. Hence, the number of data blocks ranges from 10,000 to 100,000. Figure 3 depicts the comparison on computation cost for tag generation. From Figure 3, we can see that the phase of tag generation of our protocol is separated into two parts: offline and online. As its computational cost is the most expensive one, the group user $u_i$ can preprocess $H_2{({\omega }_j)}^{y_{I{D}_i}}$, which can be conducted in offline phase. In the online phase of tag generation, group user $u_i$ needs to compute $ps{k}_{I{D}_i}{}^{m_j}$ for each data block, which is more practical than Li’s protocol. The time cost of offline computation of tag generation for 1 MB data file is 150.5 s, while the online time cost is 25.3 s. Without loss of generality, we suppose the blocks are, on average, assigned to group users, which makes the result more acceptable. As we expected that both online and offline time of generating tags increases almost linearly with the increase of the data size. Thus, one shall be able to anticipate the time cost of generating tags for any size of data files.

In the second part, we increase the number of challenged data blocks from 50 to 1000 with an increment of 50 for each test to see the time cost of Challenge, Proof-Gen, and Proof-Check steps. We suppose all the users in the group will get involved in generating the tags of the challenged data blocks. Figure 4 demonstrates the time cost of these three parts, which increase with the increase of the number of challenged data blocks, which is consistent with our previous computational analysis, because when the number of challenged data blocks rises, more random values in $Q$ need to be produced and more $T_2=\left\{T_{2j}\right\}$ need to be computed. The CSP has increasing computation on $\mu$ and $\sigma$. According to [9], if the CSP has polluted 1% of the data blocks, the TPA can achieve the probability of CSP’s misbehavior detection of at least 99% while only needing to make 460 data blocks for a challenge. We can see that it costs the TPA only about 5.75 s to verify a response and the CSP costs about 1.1 s to generate a response when the number of challenged data blocks is 460. We compare the Proof-Check performance between Li’s protocol and our protocol in

Table 2. Comparison of Proof-Check with Li [30].

	Li [30]	Our CL-PGSDP
Number of challenged blocks	460	460
Time cost	2.16 s	5.75 s

. We find that our mechanism requires more checking time compared to Li’s protocol. Based on our analysis of computation cost from Table 1, we find that there are more pairing operations (P) during the phase of Proof-Check, which is consistent with our experimental results, because one pairing operation takes more time than other cryptographic operations. However, our mechanism is of comprehensive privacy preservation, while Li’s not.

7. Conclusions

In this paper, we propose a new PDP protocol for group shared data at untrusted cloud storage, which aims to solve the problems of privacy preservation, including data privacy and the group user identity privacy. By utilizing certificateless cryptography, we eliminate the issues of expensive certificate management and key escrow. We prove that our protocol is secure, and further illustrate its efficiency through practical experiments. The results show that the proposed protocol is efficient and practical.