Enabling Public Auditability and Data Dynamics
for Storage Security in Cloud Computing
Qian Wang, Student Member, IEEE, Cong Wang, Student Member, IEEE, Kui Ren, Member, IEEE,
Wenjing Lou, Senior Member, IEEE, and Jin Li
Abstract—Cloud Computing has been envisioned as the next-generation architecture of IT Enterprise. It moves the application
software and databases to the centralized large data centers, where the management of the data and services may not be fully
trustworthy. This unique paradigm brings about many new security challenges, which have not been well understood. This work
studies the problem of ensuring the integrity of data storage in Cloud Computing. In particular, we consider the task of allowing a third
party auditor (TPA), on behalf of the cloud client, to verify the integrity of the dynamic data stored in the cloud. The introduction of TPA
eliminates the involvement of the client through the auditing of whether his data stored in the cloud are indeed intact, which can be
important in achieving economies of scale for Cloud Computing. The support for data dynamics via the most general forms of data
operation, such as block modification, insertion, and deletion, is also a significant step toward practicality, since services in Cloud
Computing are not limited to archive or backup data only. While prior works on ensuring remote data integrity often lacks the support of
either public auditability or dynamic data operations, this paper achieves both. We first identify the difficulties and potential security
problems of direct extensions with fully dynamic data updates from prior works and then show how to construct an elegant verification
scheme for the seamless integration of these two salient features in our protocol design. In particular, to achieve efficient data
dynamics, we improve the existing proof of storage models by manipulating the classic Merkle Hash Tree construction for block tag
authentication. To support efficient handling of multiple auditing tasks, we further explore the technique of bilinear aggregate signature
to extend our main result into a multiuser setting, where TPA can perform multiple auditing tasks simultaneously. Extensive security
and performance analysis show that the proposed schemes are highly efficient and provably secure.
Index Terms—Data storage, public auditability, data dynamics, cloud computing.
Ç
1INTRODUCTION
S
EVERAL trends are opening up the era of Cloud Comput-
ing, which is an Internet-based development and use of
computer technology. The ever cheaper and more powerful
processors, together with the “software as a service” (SaaS)
computing architecture, are transforming data centers into
pools of computing service on a huge scale. Meanwhile, the
increasing network bandwidth and reliable yet flexible
network connections make it even possible that clients can
now subscribe high-quality services from data and software
that reside solely on remote data centers.
Although envisioned as a promising service platform for
the Internet, this new data storage paradigm in “Cloud”
brings about many challenging design issues which have
profound influence on the security and performance of the
overall system. One of the biggest concerns with cloud data
storage is that of data integrity verification at untrusted
servers. For example, the storage service provider, which
experiences Byzantine failures occasionally, may decide to
hide the data errors from the clients for the benefit of their
own. What is more serious is that for saving money and
storage space the service provider might neglect to keep or
deliberately delete rarely accessed data files which belong to
an ordinary client. Consider the large size of the outsourced
electronic data and the client’s constrained resource cap-
ability, the core of the problem can be generalized as how can
the client find an efficient way to perform periodical integrity
verifications without the local copy of data files.
In order to solve the problem of data integrity checking,
many schemes are proposed under different systems and
security models [2], [3], [4], [5], [6], [7], [8], [9], [10], [11]. In
all these works, great efforts are made to design solutions
that meet various requirements: high scheme efficiency,
stateless verification, unbounded use of queries and
retrievability of data, etc. Considering the role of the verifier
in the model, all the schemes presented before fall into two
categories: private auditability and public auditability.
Although schemes with private auditability can achieve
higher scheme efficiency, public auditability allows anyone,
not just the client (data owner), to challenge the cloud
server for correctness of data storage while keeping no
private information. Then, clients are able to delegate the
evaluation of the service performance to an independent
third party auditor (TPA), without devotion of their
computation resources. In the cloud, the clients themselves
are unreliable or may not be able to afford the overhead of
performing frequent integrity checks. Thus, for practical
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 5, MAY 2011 847
. Q. Wang, C. Wang, and K. Ren are with the Department of Electrical and
Computer Engineering, Illinois Institute of Technology, Chicago, IL 60616.
E-mail: {qian, cong, kren}@ece.iit.edu.
. W. Lou is with the Department of Electrical and Computer Engineering,
Worcester Polytechnic Institute, 100 Institute Road, Worcester, MA
01609. E-mail: wjlou@ece.wpi.edu.
. J. Li is with the School of Computer Science and Educational Software,
Guangzhou University, Room 1610, Yudongxi Road 36, Tianhe District,
Guangzhou 510500, Guangdong Province, China. E-mail: jli25@iit.edu.
Manuscript received 29 Mar. 2010; revised 10 Aug. 2010; accepted 25 Aug.
2010; published online 20 Oct. 2010.
Recommended for acceptance by C.-Z. Xu.
For information on obtaining reprints of this article, please send e-mail to:
tpds@computer.org, and reference IEEECS Log Number TPDS-2010-03-0184.
Digital Object Identifier no. 10.1109/TPDS.2010.183.
1045-9219/11/$26.00 ß 2011 IEEE Published by the IEEE Computer Society
use, it seems more rational to equip the verification protocol
with public auditability, which is expected to play a more
important role in achieving economies of scale for Cloud
Computing. Moreover, for efficiency consideration, the
outsourced data themselves should not be required by the
verifier for the verification purpose.
Another major concern among previous designs is that of
supporting dynamic data operation for cloud data storage
applications. In Cloud Computing, the remotely stored
electronic data might not only be accessed but also updated
by the clients, e.g., through block modification, deletion,
insertion, etc. Unfortunately, the state of the art in the
context of remote data storage mainly focus on static data
files and the importance of this dynamic data updates has
received limited attention so far [2], [3], [4], [5], [7], [10],
[12]. Moreover, as will be shown later, the direct extension
of the current provable data possession (PDP) [2] or proof of
retrievability (PoR) [3], [4] schemes to support data
dynamics may lead to security loopholes. Although there
are many difficulties faced by researchers, it is well believed
that supporting dynamic data operation can be of vital
importance to the practical application of storage out-
sourcing services. In view of the key role of public
auditability and data dynamics for cloud data storage, we
propose an efficient construction for the seamless integra-
tion of these two components in the protocol design. Our
contribution can be summarized as follows:
1. We motivate the public auditing system of data
storage security in Cloud Computing, and propose a
protocol supporting for fully dynamic data opera-
tions, especially to support block insertion, which is
missing in most existing schemes.
2. We extend our scheme to suppo rt scalable and
efficient public auditing in Cloud Computing. In
particular, our scheme achieves batch auditing where
multi ple delegated auditing tasks from different
users can be performed simultaneously by the TPA.
3. We prove the security of our proposed construction
and justify the performance of our scheme through
concrete implementation and comparisons with the
state of the art.
1.1 Related Work
Recently, much of growing interest has been pursued in the
context of remotely stored data verification [2], [3], [4], [5],
[6], [7], [8], [9], [10], [12], [13], [14], [15]. Ateniese et al. [2] are
the first to consider public auditability in their defined
“provable data possession” model for ensuring possession
of files on untrusted storages. In their scheme, they utilize
RSA-based homomorphic tags for auditing outsourced
data, thus public auditability is achieved. However,
Ateniese et al. do not consider the case of dynamic data
storage, and the direct extension of their scheme from static
data storage to dynamic case may suffer design and security
problems. In their subsequent work [12], Ateniese et al.
propose a dynamic version of the prior PDP scheme.
However, the system imposes a priori bound on the number
of queries and does not support fully dynamic data
operations, i.e., it only allows very basic block operations
with limited functionality, and block insertions cannot be
supported. In [13], Wang et al. consider dynamic data
storage in a distributed scenario, and the proposed
challenge-response protocol can both determine the data
correctness and locate possible errors. Similar to [12], they
only consider partial support for dynamic data operation.
Juels and Kaliski [3] describe a “proof of retrievability”
model, where spot-checking and error-correcting codes are
used to ensure both “possession” and “retrievability” of
data files on archive service systems. Specifically, some
special blocks called “sentinels” are randomly embedded
into the data file F for detection purpose, and F is further
encrypted to protect the positions of these special blocks.
However, like [12], the number of queries a client can
perform is also a fixed priori, and the introduction of
precomputed “sentinels” prevents the development of
realizing dynamic data updates. In addition, public audit-
ability is not supported in their scheme. Shacham and
Waters [4] design an improved PoR scheme with full proofs
of security in the security model defined in [3]. They use
publicly verifiable homomorphic authenticators built from
BLS signatures [16], based on which the proofs can be
aggregated into a small authenticator value, and public
retrievability is achieved. Still, the authors only consider
static data files. Erway et al. [14] were the first to explore
constructions for dynamic provable data possession. They
extend the PDP model in [2] to support provable updates to
stored data files using rank-based authenticated skip lists.
This scheme is essentially a fully dynamic version of the
PDP solution. To support updates, especially for block
insertion, they eliminate the index information in the “tag”
computation in Ateniese’s PDP model [2] and employ
authenticated skip list data structure to authenticate the tag
information of challenged or updated blocks first before the
verification procedure. However, the efficiency of their
scheme remains unclear.
Although the existing schemes aim at providing integrity
verification for different data storage systems, the problem
of supporting both public auditability and data dynamics
has not been fully addressed. How to achieve a secure and
efficient design to seamlessly integrate these two important
components for data storage service remains an open
challenging task in Cloud Computing.
Portions of the work presented in this paper have
previously appeared as an extended abstract [1]. We revise
the paper a lot and add more technical details as compared to
[1]. First, in Section 3.3, before the introduction of our
proposed construction, we present two basic solutions (i.e.,
the MAC-based and signature-based schemes) for realizing
data auditability and discuss their demerits in supporting
public auditability and data dynamics. Second, we generalize
the support of data dynamics to both PoR and PDP models
and discuss the impact of dynamic data operations on the
overall system efficiency both. In particular, we emphasize
that while dynamic data updates can be performed efficiently
in PDP models more efficient protocols need to be designed
for the update of the encoded files in PoR models. For
completeness, the designs for distributed data storage
security are also discussed in Section 3.5. Third, in Section 3.4,
we extend our data auditing scheme for the single client and
explicitly include a concrete description of the multiclient
848 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 5, MAY 2011
data auditing scheme. We also redo the whole experiments
and present the performance comparison between the multi-
client data auditing scheme and the individual auditing
scheme in Section 5. Finally, for the proposed theorems in this
paper, we provide formal security proofs under the random
oracle model, which are lacking in [1].
Organization. The rest of the paper is organized as
follows: In Section 2, we define the system model, security
model, and our design goals. Then, we present our scheme
in Section 3 and provide security analysis in Section 4,
respectively. We further analyze the experiment results and
show the practicality of our schemes in Section 5. Finally,
we conclude in Section 6.
2PROBLEM STATEMENT
2.1 System Model
A representative network architecture for cloud data
storage is illustrated in Fig. 1. Three different network
entities can be identified as follows:
. Client: an entity, which has large data files to be
stored in the cloud and relies on the cloud for data
maintenance and computation, can be either indivi-
dual consumers or organizations;
. Cloud Storage Server (CSS): an entity, which is
managed by Cloud Service Provider (CSP), has
significant storage space and computation resource
to maintain the clients’ data;
. Third Party Auditor: an entity, which has expertise
and capabilities that clients do not have, is trusted to
assess and expose risk of cloud storage services on
behalf of the clients upon request.
In the cloud paradigm, by putting the large data files on
the remote servers, the clients can be relieved of the burden of
storage and computation. As clients no longer possess their
data locally, it is of critical importance for the clients to ensure
that their data are being correctly stored and maintained.
That is, clients should be equipped with certain security
means so that they can periodically verify the correctness of
the remote data even without the existence of local copies. In
case that clients do not necessarily have the time, feasibility or
resources to monitor their data, they can delegate the
monitoring task to a trusted TPA. In this paper, we only
consider verification schemes with public auditability: any
TPA in possession of the public key can act as a verifier. We
assume that TPA is unbiased while the server is untrusted.
For application purposes, the clients may interact with the
cloud servers via CSP to access or retrieve their prestored
data. More importantly, in practical scenarios, the client may
frequently perform block-level operations on the data files.
The most general forms of these operations we consider in
this paper are modification, insertion, and deletion. Note that we
don’t address the issue of data privacy in this paper, as the
topic of data privacy in Cloud Computing is orthogonal to the
problem we study here.
2.2 Security Model
Following the security model defined in [4], we say that the
checking scheme is secure if 1) there exists no polynomial-
time algorithm that can cheat the verifier with non-
negligible probability; and 2) there exists a polynomial-
time extractor that can recover the original data files by
carrying out multiple challenges-responses. The client or
TPA can periodically challenge the storage server to ensure
the correctness of the cloud data, and the original files can
be recovered by interacting with the server. The authors in
[4] also define the correctness and soundness of their
scheme: the scheme is correct if the verification algorithm
accepts when interacting with the valid prover (e.g., the
server returns a valid response) and it is sound if any
cheating server that convinces the client it is storing the data
file is actually storing that file. Note that in the “game”
between the adversary and the client, the adversary has full
access to the information stored in the server, i.e., the
adversary can play the part of the prover (server). The goal
of the adversary is to cheat the verifier successfully, i.e.,
trying to generate valid responses and pass the data
verification without being detected.
Our security model has subtle but crucial difference from
that of the existing PDP or PoR models [2], [3], [4] in the
verification process. As mentioned above, these schemes do
not consider dynamic data operations, and the block
insertion cannot be supported at all. This is because the
construction of the signatures is involved with the file index
information i. Therefore, once a file block is inserted, the
computation overhead is unacceptable since the signatures
of all the following file blocks should be recomputed with
the new indexes. To deal with this limitation, we remove
the index information i in the computation of signatures
and use Hðm
i
Þ as the tag for block m
i
instead of HðnamekiÞ
[4] or hðvkiÞ [3], so individual data operation on any file
block will not affect the others. Recall that in existing PDP
or PoR models [2], [4], HðnamekiÞ or hðvkiÞ should be
generated by the client in the verification process. However,
in our new construction the client has no capability to
calculate Hðm
i
Þ without the data information. In order to
achieve this blockless verification, the server should take
over the job of computing Hðm
i
Þ and then return it to the
prover. The consequence of this variance will lead to a
serious problem: it will give the adversary more opportu-
nities to cheat the prover by manipulating Hðm
i
Þ or m
i
. Due
to this construction, our security model differs from that of
the PDP or PoR models in both the verification and the data
updating process. Specifically, the tags in our scheme
should be authenticated in each protocol execution other
than calculated or prestored by the verifier (the details will
WANG ET AL.: ENABLING PUBLIC AUDITABILITY AND DATA DYNAMICS FOR STORAGE SECURITY IN CLOUD COMPUTING 849
Fig. 1. Cloud data storage architecture.
be shown in Section 3). In the following descriptions, we
will use server and prover (or client, TPA, and verifier)
interchangeably.
2.3 Design Goals
Our design goals can be summarized as the following:
1. Public auditability for storage correctness assurance:
to allow anyone, not just the clients who originally
stored the file on cloud servers, to have the capability
to verify the correctness of the stored data on demand.
2. Dynamic data operation support: to allow the clients
to perform block-level operations on the data files
while maintaining the same level of data correctness
assurance. The design should be as efficient as
possible so as to ensure the seamless integration of
public auditability and dynamic data operation
support.
3. Blockless verification: no chall enged file blocks
should be retrieved by the verifier (e.g., TPA) during
verification process for efficiency concern.
3THE PROPOSED SCHEME
In this section, we present our security protocols for cloud
data storage service with the aforementioned research goals
in mind. We start with some basic solutions aiming to
provide integrity assurance of the cloud data and discuss
their demerits. Then, we present our protocol which
supports public auditability and data dynamics. We also
show how to extent our main scheme to support batch
auditing for TPA upon delegations from multiusers.
3.1 Notation and Preliminaries
Bilinear map. A bilinear map is a map e : G G ! G
T
,
where G is a Gap Diffie-Hellman (GDH) group and G
T
is
another multiplicative cyclic group of prime order p with the
following properties [16]: 1) Computable: there exists an
efficiently computable algorithm for computing e; 2) Bi-
linear: for all h
1
;h
2
2 G and a; b 2 ZZ
p
;eðh
a
1
;h
b
2
Þ¼eðh
1
;h
2
Þ
ab
;
3) Nondegenerate: eðg; gÞ 6¼ 1, where g is a generator of G.
Merkle hash tree. A Merkle Hash Tree (MHT) is a well-
studied authentication structure [17], which is intended to
efficiently and securely prove that a set of elements are
undamaged and unaltered. It is constructed as a binary
tree where the leaves in the MHT are the hashes of
authentic data values. Fig. 2 depicts an example of
authentication. The verifier with the authentic h
r
requests
for fx
2
;x
7
g and requires the authentication of the received
blocks. The prover provides the verifier with the auxiliary
authentication information (AAI)
2
¼<hðx
1
Þ;h
d
> and
7
¼ <hðx
8
Þ;h
e
>. The verifier can then verify x
2
and x
7
by
first computing hðx
2
Þ;hðx
7
Þ;h
c
¼ hðhðx
1
Þkhðx
2
ÞÞÞ;h
f
¼
hðhðx
7
Þkhðx
8
ÞÞÞ;h
a
¼ hðh
c
kh
d
Þ;h
b
¼ hðh
e
kh
f
Þ and h
r
¼
hðh
a
kh
b
Þ, and then checking if the calculated h
r
is the
same as the authentic one. MHT is commonly used to
authenticate the values of data blocks. However, in this
paper, we further employ MHT to authenticate both the
values and the positions of data blocks. We treat the leaf
nodes as the left-to-right sequence, so any leaf node can be
uniquely determined by following this sequence and the
way of computing the root in MHT.
3.2 Definition
ðpk; skÞ KeyGenð1
k
Þ. This probabilistic algorithm is run by
the client. It takes as input security parameter 1
k
, and returns
public key pk and private key sk.
ð; sig
sk
ðHðRÞÞÞ SigGenðsk; F Þ. This algorithm is run by
the client. It takes as input private key sk and a file F which is an
ordered collection of blocks fm
i
g, and outputs the signature set ,
which is an ordered collection of signatures f
i
g on fm
i
g. It also
outputs metadata—the signature sig
sk
ðHðRÞÞ of the root R of a
Merkle hash tree. In our construction, the leaf nodes of the Merkle
hash tree are hashes of Hðm
i
Þ.
ðPÞ GenProofðF;; chalÞ. This algorithm is run by the
server. It takes as input a file F , its signatures , and a challenge
chal. It outputs a data integrity proof P for the blocks specified
by chal.
fT RUE; F ALSEg V erifyProofðpk; chal; P Þ. This algo-
rithm can be run by either the client or the third party auditor
upon receipt of the proof P. It takes as input the public key pk, the
challenge chal, and the proof P returned from the server, and
outputs TRUE if the integrity of the file is verified as correct, or
FALSE otherwise.
ðF
0
;
0
;P
update
Þ ExecUpdateðF; ; updateÞ.Thisalgo-
rithm is run by the server. It takes as input a file F , its
signatures , and a data operation request “update” from client.
It outputs an updated file F
0
, updated signatures
0
, and a proof
P
update
for the operation.
fðT RUE; FALSE; sig
sk
ðHðR
0
ÞÞÞg V erifyUpdate ðpk;
update; P
update
Þ. This algorithm is run by the client. It takes
as input public key pk, the signature sig
sk
ðHðRÞÞ, an operation
request “update,” and the proof P
update
from server. If the
verification successes, it outputs a signature sig
sk
ðHðR
0
ÞÞ for
the new root R
0
,orF ALSE otherwise.
3.3 Basic Solutions
Assume the outsourced data file F consists of a finite
ordered set of blocks m
1
;m
2
; ...;m
n
. One straightforward
way to ensure the data integrity is to precompute MACs for
the entire data file. Specifically, before data outsourcing, the
data owner precomputes MACs of F with a set of secret
keys and stores them locally. During the auditing process,
the data owner each time reveals a secret key to the cloud
server and asks for a fresh keyed MAC for verification. This
approach provides deterministic data integrity assurance
850 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 22, NO. 5, MAY 2011
Fig. 2. Merkle hash tree authentication of data elements. We treat the
leaf nodes hðx
1
Þ; ...;hðx
n
Þ as the left-to-right sequence.
straightforwardly as the verification covers all the data
blocks. However, the number of verifications allowed to be
performed in this solution is limited by the number of secret
keys. Once the keys are exhausted, the data owner has to
retrieve the entire file of F from the server in order to
compute new MACs, which is usually impractical due to
the huge communication overhead. Moreover, public
auditability is no t supported as the private keys ar e
required for verification.
Another basic solution is to use signatures instead of
MACs to obtain public auditability. The data owner
precomputes the signature of each block m
i
(i 2½1;n) and
sends both F and the signatures to the cloud server for
storage. To verify the correctness of F , the data owner can
adopt a spot-checking approach, i.e., requesting a number of
randomly selected blocks and their corresponding signa-
tures t o be returned. This basic solution can provide
probabilistic assurance of the data correctness and support
public auditability. However, it also severely suffers from the
fact that a considerable number of original data blocks
should be retrieved to ensure a reasonable detection
probability, which again could result in a large communica-
tion overhead and greatly affects system efficiency. Notice
that the above solutions can only support the case of static
data, and none of them can deal with dynamic data updates.
3.4 Our Construction
To effectively support public auditability without having to
retrieve the data blocks themselves, we resort to the
homomorphic authenticator technique [2], [4]. Homo-
morphic authenticators are unforgeable metadata generated
from individual data blocks, which can be securely
aggregated in such a way to assure a verifier that a linear
combination of data blocks is correctly computed by
verifying only the aggregated authenticator. In our design,
we propose to use PKC-based homomorphic authenticator
(e.g., BLS signature [4] or RSA signature-based authenti-
cator [2]) to equip the verification protocol with public
auditability. In the following description, we present the
BLS-based scheme to illustrate our design with data
dynamics support. As will be shown, the schemes designed
under BLS construction can also be implemented in RSA
construction. In the discussion of Section 3.4, we show that
direct extensions of previous work [2], [4] have security
problems, and we believe that protocol design for support-
ing dynamic data operation is a major challenging task for
cloud storage systems.
Now we start to present the main idea behind our
scheme. We assume that file F (potentially encoded using
Reed-Solomon codes [18]) is divided into n bloc ks
m
1
;m
2
; ...;m
n
,
1
where m
i
2 ZZ
p
and p is a large prime. Let
e : G G ! G
T
be a bilinear map, with a hash function
H : f0; 1g
! G, viewed as a random oracle [19]. Let g be
the generator of G. h is a cryptographic hash function. The
procedure of our protocol execution is as follows:
3.4.1 Setup
The client’s public key and private key are generated by
invoking KeyGenðÞ. By running SigGenðÞ, the data file F
is preprocessed, and the homomorphic authenticators
together with metadata are produced.
KeyGenð1
k
Þ. The client generates a random signing key
pair ðspk; sskÞ. Choose a random ZZ
p
and compute
v g
. The secret key is sk ¼ð; sskÞ and the public key is
pk ¼ðv; spkÞ.
SigGenðsk; F Þ.GivenF ¼ðm
1
;m
2
...;m
n
Þ, the client
choo ses a rando m e lement u G.Lett ¼ nameknkuk
SSig
ssk
ðnameknkuÞ be the file tag for F . Then, the client
computes signature
i
for each block m
i
ði ¼ 1; 2; ...;nÞ as
i
ðHðm
i
Þu
m
i
Þ
. Denote the set of signatures by
¼f
i
g; 1 i n. The client then generates a root R
based on the construction of the MHT, where the leave
nodes of the tree are an ordered set of hashes of “file tags”
Hðm
i
Þði ¼ 1; 2; ...;nÞ. Next, the client signs the root R
under the private key : sig
sk
ðHðRÞÞ ðHðRÞÞ
. The client
sends fF;t;; sig
sk
ðHðRÞÞg to the server a nd deletes
fF;; sig
sk
ðHðRÞÞg from its local storage (See Section 3.4
for the discussion of blockless and stateless verification).
3.4.2 Default Integrity Verification
The client or TPA can verify the integrity of the outsourced
data by challenging the server. Before challenging, the TPA
first use spk to verify the signature on t. If the verification
fails, reject by emitting FALSE; otherwise, recover u.To
generate the message “chal,” the TPA (verifier) picks a
random c-element subset I ¼fs
1
;s
2
; ...;s
c
g of set ½1;n,
where we assume s
1
s
c
. For each i 2 I the TPA
chooses a random element
i
B ZZ
p
. The message “chal”
specifies the positions of the blocks to be checked in this
challenge phase. The verifier sends the chalfði;
i
Þg
s
1
is
c
to
the prover (server).
GenP roofðF;; chalÞ. Upon receiving the challenge
chal ¼fði;
i
Þg
s
1
is
c
, the server computes
¼
X
s
c
i¼s
1
i
m
i
2 ZZ
p
and ¼
Y
s
c
i¼s
1
i
i
2 G;
where both the data blocks and the corresponding signature
blocks are aggregated into a single block, respectively. In
addition, the prover will also provide the verifier with a small
amount of auxiliary information f
i
g
s
1
is
c
, which are the
node siblings on the path from the leaves fhðHðm
i
ÞÞg
s
1
is
c
to
the root R of the MHT. The prover responds the verifier with
proof P ¼f; ; fHðm
i
Þ;
i
g
s
1
is
c
; sig
sk
ðHðRÞÞg.
V erifyP roofðpk; chal; P Þ. Upon receiving the responses
from the prover, the verifier generates root R using
fHðm
i
Þ;
i
g
s
1
is
c
and authenticates it by checking
eðsig
sk
ðHðRÞÞ;gÞ¼
?
eðHðRÞ;g
Þ. If the authentication fails,
the verifier rejects by emitting FALSE. Otherwise, the
verifier checks
eð; gÞ¼
?
e
Y
s
c
i¼s
1
Hðm
i
Þ
i
u
;v
!
:
If so, output TRUE; otherwise F ALSE. The protocol is
illustrated in Table 1.
WANG ET AL.: ENABLING PUBLIC AUDITABILITY AND DATA DYNAMICS FOR STORAGE SECURITY IN CLOUD COMPUTING 851
1. We assume these blocks are distinct with each other and a systematic
code is used for encoding.
