Identity-Based Remote Data Integrity Checking With Perfect Data Privacy Preserving for Cloud Storage
Summary (2 min read)
Introduction
- Cloud storage, data integrity, privacy preserving, identity-based cryptography.
- Cloud computing brings a number of advantages for cloud users.
- Recently, remote data integrity checking becomes more and more significant due to the development of distributed storage systems and online storage systems.
- The authors formally prove the correctness, soundness and zero knowledge privacy of their ID-based RDIC protocol in section V.
B. Equality of Discrete Logarithm
- An identity-based signature (IDS) scheme [38], [39] consists of four polynomial-time, probabilistic algorithms described below.
- This algorithm takes as input the security parameter k and outputs the master secret key msk and the master public key mpk.
- This algorithm takes as input a user’s identity ID, the master secret key msk and generates a secret key usk for the user.
III. SYSTEM MODEL AND SECURITY MODEL
- The authors describe the system model and security model of identity-based RDIC protocols.
- The RDIC protocols with public verifiability enable anyone to audit the integrity of the outsourced data.
- Four different entities namely the KGC, the cloud user, the cloud server and the TPA are involved in the system.
- Each entity has their own obligations and benefits respectively.
- The TPA’s job is to perform the data integrity checking on behalf the cloud user, but the TPA is also curious in the sense that he is willing to learn some information of the users’ data during the data integrity checking procedure.
B. System Components and its Security
- Six algorithms namely Setup, Extract, TagGen, Challenge, ProofGen and ProofCheck are involved in an identity-based RDIC system.
- It takes the system parameters param, the master secret key msk and a user’s identity ID ∈ {0, 1}∗ as input, outputs the secret key skID that corresponds to the identity ID.
- The authors consider three security properties namely completeness, security against a malicious server , and privacy against the TPA (perfect data privacy) in identity-based remote data integrity checking protocols.
- For a file F of which a TagGen query has been made, the adversary can undertake executions of the ProofGen algorithm by specifying an identity ID of the data owner and the file name Fn.
- The challenger plays the role of the TPA and the adversary A behaves as the prover during the proof generation.
IV. OUR CONSTRUCTION
- The authors provide a concrete construction of secure identity-based remote data integrity checking protocol supporting perfect data privacy protection.
- In the proof generation, the cloud server computes a response using the challenged blocks, obtains the corresponding plaintext and forwards it to the TPA.
- If the equality holds, the verifier accepts the proof; Otherwise, the proof is invalid.
V. SECURITY ANALYSIS OF THE NEW PROTOCOL
- The authors show that the proposed scheme achieves the properties of completeness, soundness and perfect data privacy preserving.
- Completeness guarantees the correctness of the protocol while soundness shows that the protocol is secure against an untrusted server.
- Perfect data privacy states that the protocol leaks no information of the stored files to the verifier.
C. Perfect Data Privacy Preserving
- To prove that the scheme preserve data privacy, the authors show how to construct a simulator S, having blackbox-access to verifier V , can simulate the remote data integrity checking protocol without the knowledge of the data file blocks {mi} nor their corresponding {σi}3.
- Next, S extracts from V the value ρ. Due 3Since {σi} also contains information about the file block mi.
A. Numerical Analysis
- The authors provide a numerical analysis of costs regarding computation, communication and storage of the proposed protocol in this part.
- The authors present the computation cost from the viewpoint of the KGC, the data owner, the cloud server and the verifier (TPA).
- This implies that the timing results for Setup, Extract and TagGen steps are constant for this part.
- The authors can see that it costs the verifier only about 3.0 seconds to verify a response and the server 0.7 seconds to generate a response when challenging 460 blocks.
- In the second part, the authors test the most expensive algorithm TagGen of the protocol by increasing the file size from 200 KB to 2 MB, that is, from 10, 000 blocks to 100, 000 blocks accordingly, and record the time for TagGen.
VII. CONCLUSION
- The authors investigated a new primitive called identity-based remote data integrity checking for secure cloud storage.
- The authors formalized the security model of two important properties of this primitive, namely, soundness and perfect data privacy.
- The authors provided a new construction of of this primitive and showed that it achieves soundness and perfect data privacy.
- Both the numerical analysis and the implementation demonstrated that the proposed protocol is efficient and practical.
Did you find this useful? Give us your feedback
Citations
1,783 citations
499 citations
182 citations
Cites background from "Identity-Based Remote Data Integrit..."
...[24] constructed a remote data integrity auditing scheme with perfect data privacy preserving in identity-based cryptosystems....
[...]
155 citations
123 citations
References
7,083 citations
3,697 citations
"Identity-Based Remote Data Integrit..." refers background in this paper
...Shacham and Waters [7] proposed the notion of compact proofs of retrievability by making use of publicly verifiable homomorphic authenticators from BLS signature [36]....
[...]
...[36] to sign a user’s identity ID ∈ {0, 1}∗ and obtain the user’s secret key....
[...]
2,238 citations
2,127 citations
1,783 citations
Related Papers (5)
Frequently Asked Questions (17)
Q2. How many exponentiations does the verifier need to perform to generate a challenge?
The verifier needs to perform 1 pairing operation, and 6 exponentiations in G1 to generate a challenge when using the proof of equality of discrete logarithm given in [37].
Q3. How much time does the extract algorithm need to perform?
The Setup algorithm picks some random values and compute a modular exponentiation in G1, which costs 4.8ms, and the Extract algorithm needs to perform one modular exponentiation in G1 for generating the private key of a cloud user, which cost 0.1ms.
Q4. What is the main computation cost of generating a proof by the cloud server?
The main computation cost of generating a proof by the cloud server is calculating the aggregation of σi, that is σ =∏ i∈I σ vi i , and the total cost is 2P+(2c−1)MG1+EG2+MG2.Communication cost.
Q5. How long does it take to generate tags?
The time cost of off-line computation of generating tags for 1 MB file is 241.9 seconds while the on-online time cost is 20.3 seconds.
Q6. What is the definition of an ID-RDIC scheme?
An ID-RDIC scheme is called -sound if there exists an extraction algorithm Extr such that, for every adversaryA, whenever A, playing the soundness game, outputs an -admissible cheating prover P † on identity ID† and file name Fn†, Extr recovers F † from P †, i.e., Extr(param, ID†, Fn†, P †) = F , except possibly with negligible probability.
Q7. What is the only way for A to return m′?
In the random oracle model, the only way for A to successfully return m′ = H3( ∏ i∈I e(H2(fname||i)vi , rρ)) is to make a query to H3 with an element ξ in group G2.
Q8. how does the challenger set up the system parameters?
The challenger runs the Setup algorithm to obtain the system parameters param and the master secret key msk, and forwards param to the adversary, while keeps5 msk confidential.
Q9. What is the cost of generating tags for file blocks?
The dominated computation of data owner is generating tags for file blocks as σi = smiH2(fname||i)η , which is the most expensive operation in the protocol but fortunately it can be done offline.
Q10. What is the simplest way to check if the file F is still in use?
It takes the system parameters param, the challenge chal, the data owner’s identity ID, the file name Fn and an alleged data possession proof P as input, outputs 1 or 0 to indicate if the file F keeps intact.
Q11. How much time does the taggen algorithm take to generate?
The TagGen algorithm is expensive and the authors show that the TagGen timing result consists of two phases, an off-line phase, where the data owner can preprocess H2(fname‖i)η without knowing the actual data; and an on-line phase, where the data owner needs to compute smi for each data block.
Q12. How many seconds does it take to generate a response?
The authors can see that it costs the verifier only about 3.0 seconds to verify a response and the server 0.7 seconds to generate a response when challenging 460 blocks.
Q13. Why is the taggen query able to return r?
Due to the unforgeability of the identity-based signature, the authors can safely assume r (represented by the element ξη used in the verification is the one given to A during the TagGen query.
Q14. How many blocks can be generated in the first part?
In the second part, the authors test the most expensive algorithm TagGen of the protocol by increasing the file size from 200 KB to 2 MB, that is, from 10, 000 blocks to 100, 000 blocks accordingly, and record the time for TagGen.
Q15. How can a data owner verify the integrity of their cloud data?
4 A. ID-based RDIC System Usually, data owners themselves can check the integrity of their cloud data by running a two-party RDIC protocol.
Q16. What is the simplest way to test the scheme?
To prove that the scheme preserve data privacy, the authors show how to construct a simulator S, having blackbox-access to verifier V , can simulate the remote data integrity checking protocol without the knowledge of the data file blocks {mi} nor their corresponding {σi}3.
Q17. How much time does it take to generate tags?
The implementation shows that generating tags is more expensive than other parts but fortunately, computing tags for a file is a one time task, as compared to challenging the outsourced data, which will be done repeatedly.