1
Privacy-Preserving Public Auditing for
Secure Cloud Storage
Cong Wang, Student Member, IEEE, Sherman S.-M. Chow, Qian Wang, Student Member, IEEE,
Kui Ren, Member, IEEE, and Wenjing Lou, Member, IEEE
Abstract—Using Cloud Storage, users can remotely store their data and enjoy the on-demand high quality applications and
services from a shared pool of configurable computing resources, without the burden of local data storage and maintenance.
However, the fact that users no longer have physical possession of the outsourced data makes the data integrity protection in
Cloud Computing a formidable task, especially for users with constrained computing resources. Moreover, users should be able
to just use the cloud storage as if it is local, without worrying about the need to verify its integrity. Thus, enabling public auditability
for cloud storage is of critical importance so that users can resort to a third party auditor (TPA) to check the integrity of outsourced
data and be worry-free. To securely introduce an effective TPA, the auditing process should bring in no new vulnerabilities towards
user data privacy, and introduce no additional online burden to user. In this paper, we propose a secure cloud storage system
supporting privacy-preserving public auditing. We further extend our result to enable the TPA to perform audits for multiple users
simultaneously and efficiently. Extensive security and performance analysis show the proposed schemes are provably secure
and highly efficient.
Index Terms—Data storage, privacy-preserving, public auditability, cryptographic protocols, cloud computing.
✦
1 INTRODUCTION
C
LOUD Computing has been envisioned as the
next-generation information technology (IT) ar-
chitecture for enterprises, due to its long list of un-
precedented advantages in the IT history: on-demand
self-service, ubiquitous network access, location in-
dependent resource pooling, rapid resource elasticity,
usage-based pricing and transference of risk [1]. As
a disruptive technology with profound implications,
Cloud Computing is transforming the very nature of
how businesses use information technology. One fun-
damental aspect of this paradigm shifting is that data
is being centralized or outsourced to the Cloud. From
users’ perspective, including both individuals and IT
enterprises, storing data remotely to the cloud in a
flexible on-demand manner brings appealing benefits:
relief of the burden for storage management, universal
data access with independent geographical locations,
and avoidance of capital expenditure on ha rdware,
software, and personnel maintenances, etc [2].
While Cloud Computing makes these advantages
more appealing tha n ever, it also brings new and chal-
lenging security threats towards users’ outsourced
data. Since cloud service providers (CSP) are separate
• Cong Wang, Qian Wang, and Kui Ren are with the Department of
Electrical and Computer Engineering, Illinois Institute of Technology,
Chicago, IL 60616. E-mail: {cong,qian,kren}@ece.iit.edu.
• Sherman S.-M. Chow is with the Department of Computer Science,
Courant Institute of Mathematical Sciences, New York University,
New York, NY 10012. E-mail: schow@cs.nyu.edu.
• Wenjing Lou is with the Department of Electrical and Computer
Engineering, Worcester Polytechnic Institute, Worcester, MA 01609.
E-mail: wjlou@ece.wpi.edu.
administrative entities, data outsourcing is actually
relinquishing user’s ultimate control over the f ate of
their data. As a result, the correctness of the data
in the cloud is being put at risk due to the follow-
ing reasons. First of a ll, although the infrastructures
under the cloud are much more powerful and reli-
able than personal computing devices, they are still
facing the broad range of both internal and external
threats for d ata integrity. Examples of outages and
security breaches of noteworthy cloud services appear
from time to time [3]–[7]. Secondly, there do exist
various motivations for CSP to behave unfaithfully
towards the cloud users regarding the status of their
outsourced data. For examples, CSP might reclaim
storage for monetary reasons by discarding data that
has not been or is rarely accessed, or even hide data
loss incidents so as to maintain a reputation [8]–[10].
In short, although outsourcing da ta to the cloud is
economically attractive for long-term large-scale data
storage, it does not immediately offer any guarantee
on data integrity and availability. This problem, if
not properly addressed, may impede the successful
deployment of the cloud architecture.
As users no longer physically possess the storage of
their data, traditional cryptographic primitives for the
purpose of data sec urity protection cannot be directly
adopted [ 11]. In particula r, simply downloading all
the data for its integrity verification is not a practica l
solution due to the expensiveness in I/O and trans-
mission cost across the network. Besides, it is often
insufficient to detect the data corruption only when
accessing the data, as it d oes not give users correctness
assurance for those unaccessed data and might be too
2
late to recover the da ta loss or damage. Considering
the large size of the outsourced data and the user’s
constrained resource capability, the tasks of auditing
the data correctness in a c loud environment can be
formidable and expensive for the cloud users [10],
[12]. Moreover, the overhead of using cloud storage
should be minimized as much as possible, such that
user does not need to perform too many operations
to use the data (in additional to retrieving the data).
For example, it is desirable that users do not need to
worry about the need to verif y the integrity of the da ta
before or after the data retrieval. Besides, there may be
more than one user accesses the same cloud storage,
say in an enterprise setting. For easier management,
it is desirable that the cloud server only entertains
verification request from a single designated party.
To fully e nsure the data integrity and save the cloud
users’ computation resources as well as online burden,
it is of critical importance to enable public auditing
service for cloud da ta storage, so that users may
resort to an independent third party auditor (T PA)
to audit the outsourced data when needed. The TPA,
who has expertise and capabilities that users do not,
can periodically check the integrity of all the data
stored in the cloud on behalf of the users, which
provides a much more e asier and affordable way for
the users to ensure their storage correctness in the
cloud. Moreover, in addition to help users to evaluate
the risk of their subscribed cloud data services, the
audit result from TPA would also be beneficial f or the
cloud service providers to improve their cloud based
service platform, and even ser ve for independent
arbitration purposes [ 9]. In a word, enabling public
auditing services will play an important role for this
nascent cloud economy to become fully established,
where users will need ways to assess risk and gain
trust in the cloud.
Recently, the notion of public audita b ility has been
proposed in the c ontext of ensuring remotely stored
data integrity under different system and security
models [8], [10], [11], [13]. Public auditability allows
an external party, in addition to the user himself,
to verify the correctness of remotely stored data.
However, most of these schemes [8], [10], [13] do not
consider the privacy protection of users’ data against
external auditors. Inde ed, they may p otentially re-
veal user data information to the auditors, as will
be discussed in Section 3.4. This severe drawback
greatly affects the security of these protocols in Cloud
Computing. From the perspective of protecting data
privacy, the users, who own the data and rely on
TPA just for the storage security of their data, do not
want this auditing p rocess introducing new vulnera-
bilities of unauthorized information leakage towards
their data security [ 14]. Moreover, there are legal
regulations, such as the US Health Insurance Porta-
bility and Accountability A ct (HIPAA) [15], further
demanding the outsourced data not to be leaked to
external par ties [9]. Exp loiting data encryption b efore
outsourcing [11] is one way to mitigate this privacy
concern, but it is only complementary to the privacy-
preserving public auditing scheme to be proposed
in this paper. Without a properly de signed auditing
protocol, encryption itself cannot prevent data from
“flowing away” towards external parties during the
auditing process. Thus, it does not completely solve
the problem of protecting data p rivacy but just re-
duces it to the key management. Unauthorized data
leakage still remains a problem due to the potential
exposure of decryption keys.
Therefore, how to enable a privacy-preserving
third-party auditing protocol, independent to data
encryption, is the problem we are going to tackle
in this paper. Our work is among the first few
ones to support privacy-preserving public auditing
in Cloud Computing, with a focus on data storage .
Besides, with the prevalence of Cloud Computing, a
foreseeable increase of auditing tasks from different
users may be delega ted to TPA. As the individual
auditing of these growing tasks can be tedious and
cumbersome, a natural dema nd is then how to enable
the TPA to efficiently perform multiple auditing tasks
in a batch manner, i.e., simultaneously.
To ad dress these problems, our work utilizes the
technique of public key based homomorphic linear
authenticator (or HLA for short) [8], [10], [13], which
enables TPA to perform the auditing without demand-
ing the local copy of data and thus drastically re-
duces the communication and computation overhead
as compared to the straightforward data auditing
approaches. By integrating the HLA with random
masking, our protocol guarantees that the TPA could
not learn any knowledge about the data content
stored in the cloud server during the efficient auditing
process. The aggregation and algebraic properties of
the authenticator further benefit our design for the
batch auditing. Specifically, our contribution can be
summarized as the following three aspects:
1) We motivate the public auditing system of data
storage security in Cloud Computing and pro-
vide a privacy-preserving a uditing protocol, i.e.,
our scheme e nables an external auditor to audit
user’s outsourced d ata in the cloud without
learning the data content.
2) To the best of our knowledge, our scheme is the
first to support scalable and efficient public au-
diting in the Cloud Computing. Specifically, our
scheme achieves batch auditing where multiple
delegated auditing tasks from different users can
be performed simultaneously by the TPA.
3) We prove the security and justify the perfor-
mance of our proposed schemes through con-
crete experiments and comparisons with the
state-of-the-art.
The rest of the pape r is organized as follows. Section
3
II introduces the system and threat model, and our de-
sign goals. Then we provide the detailed descr iption
of our scheme in Section III. Section IV gives the secu-
rity analysis and performance evaluation, followed by
Section V which overviews the related work. Finally,
Section VI gives the concluding remark of the whole
paper.
2 PROBLEM STATEMENT
2.1 The System and Threat Model
We consider a cloud data storage service involving
three different entities, as illustrated in Fig. 1: the cloud
user (U), who has large amount of data files to be
stored in the cloud; the cloud server (CS), which is
managed by the cloud service provider (C SP) to provide
data storage service and has significant storage space
and computation resources (we will not differentiate
CS and CSP hereafter); the third party auditor (TPA),
who has ex p ertise and capabilities that cloud users
do not have and is trusted to assess the cloud storage
service reliability on behalf of the user upon request.
Users rely on the CS for cloud data storage and
maintenance. T hey may also dynamica lly interact
with the CS to access and update their stored data for
various application purposes. To save the computa-
tion resource as well as the online burden, cloud users
may resort to TPA for ensuring the storage integrity
of their outsourced data, while hoping to keep their
data private from TPA.
We consider the e xistence of a semi-trusted CS
as [16] does. Namely, in most of time it behaves
properly and does not deviate f rom the prescribed
protocol execution. However, for their own benefits
the CS might neglect to keep or deliberately delete
rarely accessed data files which belong to ordinary
cloud users. Moreover, the CS may decide to hide the
data corruptions ca used by server hacks or Byzantine
failures to maintain reputation. We assume the TPA,
who is in the business of auditing, is reliable and
independent, and thus has no incentive to collude
with either the CS or the users during the auditing
process. However, it harms the user if the TPA could
learn the outsourced data after the audit.
To authorize the CS to respond to the audit dele-
gated to TPA’s, the user can sign a certificate granting
audit rights to the TPA’s public key, and all audits
from the TPA are authenticated against such a ce rtifi-
cate. These authentication handshakes are omitted in
the following presentation.
2.2 Design Goals
To enable privacy-preserving public auditing for
cloud data storage under the aforementioned model,
our protocol design should achieve the following
security and pe rformance guarantees.
1) Public auditability: to allow TPA to verify the
correctness of the cloud data on demand without
D a t
a F l o w
U s e r s
D a t
a A
u d i
t
i n
g
D e l
e
g
a t
i o
n
S e c u r i t y M
e s
s a g
e F l o w
P u b l i c D
a t
a
A
u d
i
t
i n g
T h i r d P a r t y A u d i t o r
C l o u d S e r v e r s
Fig. 1: The a rchitecture of cloud data storage service
retrieving a copy of the whole data or introduc-
ing additional online burden to the cloud users.
2) Storage correctness: to ensure that there exists
no cheating cloud server that can pass the TPA’s
audit without indeed storing users’ data intact.
3) Privacy-preserving: to ensure that the TPA can-
not derive users’ data content from the informa-
tion collected d ur ing the auditing process.
4) Batch auditing: to enable TPA with secure and
efficient auditing capability to cope with mul-
tiple auditing delegations f rom possibly large
number of different users simultaneously.
5) Lightweight: to allow TPA to perform auditing
with minimum communication and computa-
tion overhead.
3 THE PROPOSED SCHEMES
This section p resents our public auditing scheme
which provides a complete outsourcing solution of data
– not only the data itself, but also its integrity check-
ing. We start from an overview of our pub lic auditing
system and discuss two straightforward schemes and
their demerits. T hen we present our main scheme
and show how to extent our main scheme to support
batch auditing for the TPA upon delegations from
multiple users. Finally, we discuss how to generalize
our privacy-preserving public auditing scheme and its
support of data dynamics.
3.1 Definitions and Framework
We follow a similar definition of previously proposed
schemes in the context of remote data integrity check-
ing [8], [11], [13] and adapt the framework for our
privacy-preserving public auditing system.
A public auditing scheme consists of four
algorithms (KeyGen, SigGen, GenProof,
VerifyProof). KeyGen is a key generation
algorithm that is run by the user to setup the
scheme. SigGen is used by the user to generate
verification metadata, which may consist of MAC ,
signatures, or other related information that will be
used for auditing. GenProof is run by the cloud
server to generate a proof of data storage correctness,
while VerifyProof is run by the TPA to audit the
proof from the cloud server.
4
Running a public auditing system consists of two
phases, Setup a nd Audit:
• Setup: The user initializes the public and secret
parameters of the system by executing KeyGen,
and pre-processes the data file F by using
SigGen to generate the verification metadata.
The user then stores the d ata file F and the
verification metadata at the cloud server, a nd
deletes its local copy.
As part of pre-processing, the user may alter
the data file F by expanding it or including
additional metada ta to be stored at server.
• Audit: The TPA issues an audit message or chal-
lenge to the cloud server to make sure that the
cloud server has retained the data file F properly
at the time of the audit. The cloud server will
derive a response message from a function of the
stored data file F and its verification metadata by
executing GenProof. The TPA then verifies the
response via VerifyProof.
Our framework assumes the TPA is stateless, which
is a desirable property a chieved by our proposed
solution. It is easy to extend the framework above to
capture a stateful auditing system, essentially by split-
ing the verification metadata into two parts which are
stored by the TPA and the cloud server respectively.
Our design does not assume any additional prop-
erty on the data file. If the user wants to have more
error-resiliency, he/she can always first redundantly
encodes the data file and then uses our system with
the data file that has error-correcting codes integrated.
3.2 Notation and Preliminaries
• F – the data file to be outsourced, denoted as a
sequence of n blocks m
1
, . . . , m
n
∈ Z
p
for some
large prime p.
• M AC
(·)
(·) – message authentication code (MAC)
function, defined as: K × {0, 1}
∗
→ {0, 1}
l
where
K denotes the key space.
• H(·), h(·) – cr yptogra p hic hash functions.
We now introduce some necessary cryptographic
background for our proposed scheme.
Bilinear Map. Let G
1
, G
2
and G
T
be multiplicative
cyclic groups of prime order p. Let g
1
and g
2
be
generators of G
1
and G
2
, respectively. A bilinear map
is a map e : G
1
× G
2
→ G
T
such that for all u ∈ G
1
,
v ∈ G
2
and a, b ∈ Z
p
, e(u
a
, v
b
) = e(u, v)
ab
. This
bilinearity implies that for any u
1
, u
2
∈ G
1
, v ∈ G
2
,
e(u
1
· u
2
, v) = e(u
1
, v) · e(u
2
, v). Of course, there exists
an efficiently computable algorithm for computing
e and the map should be non-trivial, i.e., e is non-
degenerate: e(g
1
, g
2
) 6= 1.
3.3 The Basic Schemes
Before giving our main result, we study two classes of
schemes as a warm-up. The first one is a MAC-based
solution which suffers from undesirable systematic
demerits – bounded usage and stateful verification,
which may pose additional online burden to users, in
a public auditing setting. This somehow also shows
that the auditing problem is still not easy to solve
even we have introduced a TPA. The second one is a
system based on homomorphic linear authenticators
(HLA), which covers many recent proof of storage
systems. We will pinpoint the reason why all existing
HLA-based systems are not privacy-preserving. The
analysis of these basic schemes leads to our ma in
result, which overcomes all these drawbacks. Our
main scheme to be presented is based on a specific
HLA scheme.
MAC-based Solution. There are two possible ways to
make use of MAC to authenticate the data. A trivial
way is just upload ing the d ata blocks with their MACs
to the server, and sends the corresponding secret key
sk to the TPA. Later, the TPA ca n randomly retrieve
blocks with their MACs and check the correctness via
sk. Apart from the high (linear in the sampled data
size) communication and computation complexities,
the TPA requires the knowledge of the data blocks
for verification.
To circumvent the requirement of the data in
TPA verification, one may restrict the verification
to just consist of equality checking. The idea is
as follows. Before data outsourcing, the cloud user
chooses s random message authentication code keys
{sk
τ
}
1≤τ ≤s
, pre-computes s (deterministic) MACs,
{MAC
sk
τ
(F )}
1≤τ ≤s
for the whole data file F , and
publishes these verification metadata (the keys and
the MACs) to TPA. The TPA can reveal a secret key
sk
τ
to the cloud server a nd a sk for a fresh keyed
MAC for comparison in each audit. This is privacy-
preserving as long as it is impossible to recover F in
full given M AC
sk
τ
(F ) and sk
τ
. However, it suffers
from the following severe drawbacks: 1) the number
of times a particular data file can be audited is limited
by the number of secret keys that must be fixed a
priori. Once all possible secret keys a re exhausted, the
user then has to retrieve data in full to re-compute
and re-publish new MACs to TPA; 2) The TPA also
has to maintain and upda te state between audits, i.e.,
keep track on the revealed MAC keys. Considering
the potentially large number of audit de le gations from
multiple users, maintaining such states for TPA can
be difficult and error prone; 3) it can only support
static data, and cannot efficiently deal with d yna mic
data at all. However, supporting data dynamics is also
of critica l importance for cloud storage systems. For
the reason of brevity and clarity, our main protocol
will be presented based on static data. Section 3.6 will
describe how to adapt our protocol for dynamic data.
HLA-based Solution. To effectively support public
auditability without having to retrieve the data blocks
themselves, the HLA technique [8], [10], [13] can be
5
TPA Cloud Server
1. Retrieve file tag t, verify its
signature, and quit if fail;
2. Generate a random challenge
{(i,ν
i
)}
i∈I
−−−−−−−−−−−−−−→
challenge request chal
3. Compute µ
′
=
P
i∈I
ν
i
m
i
, and also
chal = {(i, ν
i
)}
i∈I
; σ =
Q
i∈I
σ
ν
i
i
;
4. Randomly pick r ← Z
p
, and compute
R = e(u, v)
r
and γ = h(R);
{µ,σ,R}
←−−−−−−−−−−−−−−−−
storage correctness proof
5. Compute µ = r + γµ
′
mod p ;
6. Compute γ = h(R), and then
verify {µ, σ, R} via Equation 1.
Fig. 2: The privacy-preserving public auditing protocol
used. HLAs, like MACs, are also some unforgeable
verification metadata that authenticate the integrity
of a data block. The difference is that HLAs can be
aggregated. It is possible to compute an aggregated
HLA which authenticates a linear combination of the
individual data blocks.
At a high level, an HLA-based proof of storage
system works as follow. The user still authenticates
each element of F = (m
1
, · · · , m
n
) by a set of HL As
Φ. The cloud server stores {F, Φ}. The TPA verifies the
cloud storage by sending a random set of c hallenge
{ν
i
}. (More p recisely, F , Φ and {ν
i
} are all vectors,
so {ν
i
} is an ordered set or {i, ν
i
} should be sent).
The cloud server then returns µ =
P
i
ν
i
· m
i
and an
aggregated authenticator σ (both are computed f rom
F , Φ and {ν
i
}) that is supposed to authenticate µ.
Though allowing efficient data auditing and con-
suming only constant bandwidth, the direct adoption
of these HLA-b ased techniques is still not suitable for
our purposes. This is because the linear combination
of blocks, µ =
P
i
ν
i
· m
i
, ma y potentially reveal user
data information to TPA, and violates the privacy-
preserving guarantee. Specifically, if an enough num-
ber of the linear combinations of the same blocks are
collected, the TPA can simply derive the user’s data
content by solving a system of linear equations.
3.4 Privacy-Preserving Public Auditing Scheme
Overview. To achieve p rivacy-preserving public au-
diting, we propose to uniquely integrate the homo-
morphic linear authenticator with random masking
technique. In our protocol, the linear combination of
sampled blocks in the server’s response is masked
with r andomness generated the server. With random
masking, the TPA no longer has all the necessary
information to build up a correct group of linear
equations a nd therefore cannot derive the user’s d ata
content, no matter how many linear combinations of
the same set of file blocks can be collected. On the
other hand, the correctness validation of the block-
authenticator pairs can still be carr ie d out in a new
way which will be shown shortly, e v en with the
presence of the randomness. Our design makes use
of a public key based HLA, to equip the auditing
protocol with public auditability. Specifically, we use
the HLA proposed in [13] , which is based on the
short signature scheme proposed by Boneh, Lynn and
Shacham (hereinafter referred as BLS signature) [17].
Scheme Details. Let G
1
, G
2
and G
T
be multiplicative
cyclic groups of prime order p, and e : G
1
× G
2
→
G
T
be a bilinear map as introduced in preliminaries.
Let g be a generator of G
2
. H(·) is a secure map-to-
point hash function: {0, 1}
∗
→ G
1
, which maps strings
uniformly to G
1
. Another hash function h(·) : G
T
→
Z
p
maps group element of G
T
uniformly to Z
p
. The
proposed scheme is as follows:
Setup Phase: The cloud user runs KeyGen to gener-
ate the public and secret parameters. Specifically, the
user chooses a random signing key pair (spk, ss k),
a random x ← Z
p
, a random element u ← G
1
,
and computes v ← g
x
. The secret parameter is
sk = (x, ssk) and the public parameters are pk =
(spk, v, g, u, e(u, v)).
Given a data file F = (m
1
, . . . , m
n
), the user runs
SigGen to compute authenticator σ
i
for each block
m
i
: σ
i
← (H(W
i
) · u
m
i
)
x
∈ G
1
. He re W
i
= name||i
and name is chosen by the user uniformly at random
from Z
p
as the identifier of file F . Denote the set of
authenticators by Φ = {σ
i
}
1≤i≤n
.
The last part of SigGen is for ensuring the integrity
of the unique file identifier name. One simple way to
do this is to compute t = name||SSig
ssk
(name) as the
file tag for F , where SSig
ssk
(name) is the signature
on name under the private key ssk. For simplicity,
we assume the TPA knows the number of blocks n.
The user then sends F along with the verification
metadata (Φ, t) to the server and deletes them from
local storage.
Audit Phase: The TPA first retrieves the file tag
t. With respect to the mechanism we describe in
the Setup phase, the TPA verifies the signature
