Storing Shared Data on the Cloud via Security-Mediator

Transcription

1 Storing Shared Data on the Coud via Security-Mediator Boyang Wang, Sherman S. M. Chow, Ming Li, and Hui Li State Key Laboratory of Integrated Service Networks, Xidian University, Xi an, China Department of Information Engineering, Chinese University of Hong Kong, Hong Kong Department of Computer Science, Utah State University, Logan, Utah, USA Emai: Abstract Nowadays, many organizations outsource data storage to the coud such that a member of an organization (data owner) can easiy share data with other members (users). Due to the existence of security concerns in the coud, both owners and users are suggested to verify the integrity of coud data with Provabe Data Possession (PDP) before further utiization of data. However, previous methods either unnecessariy revea the identity of a data owner to the untrusted coud or any pubic verifiers, or introduce significant overheads on verification metadata for preserving anonymity. In this paper, we propose a simpe, efficient, and pubicyverifiabe approach to ensure coud data integrity without sacrificing the anonymity of data owners nor requiring significant overhead. Specificay, we introduce a security-mediator (SEM), which is abe to generate verification metadata (i.e., signatures) on outsourced data for data owners. Our approach decoupes the anonymity protection mechanism from the PDP. Thus, an organization can empoy its own anonymous authentication mechanism, and the coud is obivious to that since it ony deas with typica PDP-metadata, Consequenty, the identity of the data owner is not reveaed to the coud, and there is no extra storage overhead unike existing anonymous PDP soutions. The distinctive features of our scheme aso incude data privacy, such that the SEM does not earn anything about the data to be upoaded to the coud at a, and thus the trust on the SEM is minimized. In addition, we extend our scheme to work with the muti-sem mode, which can avoid the potentia singe point of faiure. Security anayses prove that our scheme is secure, and experiment resuts demonstrate that our scheme is efficient. Keywords-Coud computing, shared data, security-mediator, data integrity, anonymity, provabe data possession I. INTRODUCTION Nowadays, many organizations outsource their arge-scae data storage to the coud for saving the cost in maintaining in-house storage. With coud storage service, the members of an organization can share data with other members easiy by upoading their data to the coud. Exampes of organizations which may benefit from this coud storage and sharing service are numerous, such as internationa enterprises with many empoyees around the word, coaborative web appication providers with a arge user base, or institutions deaing with big data, heathcare service providers coordinating medica data from doctors, researchers, patients, etc. Whie the economic benefits brought by outsourcing data can be attractive, security is one of the most significant factors that hinders its wide deveopment [1]. Since data operations in the coud are not transparent to users, and security breaches or improper practices are common and inevitabe, users sti have a huge concern about the security of their data on the coud, especiay on data integrity [2]. Generay speaking, to maintain data integrity, data owners can compute verification metadata on their data, then upoad both of them to the coud. These verification metadata shoud be verifiabe not ony by the data owner hersef but preferaby aso by any pubic verifiers [3], [4]. For instance, medica researchers need to make sure heath records contributed by data owners are free from any errors which may be introduced by mapractice of the coud or communication error before their anayses. However, the genera method for protecting data integrity wi confict with another significant concern of data owners identity privacy, or anonymity. Specificay, if digita signatures are used to serve as verification metadata, they can ony be verified with a data owner s pubic key. The unique binding between a pubic key and the identity of the data owner wi inevitaby revea the owner s identity to any pubic verifiers [5], especiay under pubic key infrastructure where such bindings are expicit via pubic-key certificates. Refer to the sampe scenario above, a patient may agree to et medica researchers to anayze her heath record stored in the coud for research purposes, but is often unwiing to revea her rea identity. Note that the existing techniques of Onion Routing (e.g., Tor [6]) can hep ensuring anonymity for data owners when they upoad or downoad their coud data, but it is not sufficient to hide the identities of data owners from pubic verifiers during the data integrity checking based on pubic keys and certificates. Besides protecting the anonymity of data owners, another important issue is how to aow integrity checking without requiring the entire data. Since the size of coud data coud be huge, if a verifier must need to downoad the entire data to verify, a major benefit of coud storage is ost, and this verifier wi waste a huge amount of computation and communication resource, especiay when the downoaded data has actuay been tampered with. Provabe data possession (PDP) proposed by Ateniese et a. [3] is a protoco which aows the integrity of data stored in an un-trusted server to be audited without retrieving the entire data. Many schemes [3], [7], [8], [9], [10], [11], [4], [12] aso aow pubic verifiers to perform such efficient data integrity checking. Unfortunatey, none of these schemes is abe to preserve the

2 identities of data owners from pubic verifiers. Recenty, some cryptographic schemes [5], [13] extend the basic PDP such that they are abe to hide the identities of data owners within an organization (or a group) from any verifiers in the muti-owner scenario, where data fies can be owned and modified by a number of d (d 2) members. However, both of these two schemes introduce significant overheads to ensure anonymity. Specificay, the ring-signature-based scheme [5] produces verification metadata of size increases ineary with the number of members in a group, which is quite inefficient when the size of a group is arge. Whie the size of verification metadata is independent of the group size in the group-signature-based scheme [13], it is sti much arger than its counterpart in traditiona non-anonymous PDP soutions. In addition, their fina scheme [13] even fais to support pubic verifiabiity 1. In this paper, we propose a simpe, efficient, and pubicy verifiabe approach to ensure coud data integrity, without compromising the anonymity of data owners nor introducing significant overhead to verification metadata. The major benefit of our approach is the decouping of anonymity protection mechanism from the PDP itsef. In other words, the protection of data owners anonymity incurs no extra cost for coud service providers or any pubic verifiers. A key observation we made is that the anonymity (here, and [5], [13]) is defined within the group of users of an organization. A direct approach is to have a security-mediator (SEM) from the organization to sign on behaf of its a members. Whie it appears to be conceptuay simpe in the first pace, we sti need to address a number of concerns for our fina soution. First, it shoud outperform the trivia approach of requiring a members to first upoad a their data to this SEM. Second, the trust on this SEM shoud be minimized. In particuar, this SEM shoud not earn anything about the upoaded data even though it is responsibe for generating signatures on data. Moreover, from the signing request, the SEM shoud not be abe to know who are the upoaders, nor distinguish their identities based on the data and corresponding signatures. With these ow computationa and bandwidth requirements, and the ow trust eve, a typica server of the organization can serve as the SEM. We beieve that the introduction of a security mediator for an organization is a right approach for our motivating canonica scenario of storing shared data on the coud. From the coud s perspective, it is the organization who pays for the storage service, so it is natura for the coud to accept upoading requests when a vaid signature issued by the organization is presented. The use of SEM, as described previousy, provides non-revokabe anonymity to the members 1 Whie group signatures are pubicy verifiabe in genera, a direct combination of group signatures and PDP techniques wi make the size of verification metadata even arger than the size of data itsef [13]. In order to minimize this overhead, an additiona private key is shared between the data owner and the verifier in order to reaize functionaities simiar to homomorphic MAC, which scarifies pubic verifiabiity. of the organization, which may be abused by misbehaving members in some cases. However, the organization can aways incorporate an externa anonymous authentication mechanism (e.g., [14], [15]) on top of our system to strike a right baance of anonymity and accountabiity. It is aso better to have the SEM maintained by the organization itsef since it is of the organization s interests to contro who can use the data storage on its paid coud service. In this way, ess trust is paced by the organization on the coud. As argued above, the roe of a SEM can be payed by a typica server of an organization which is used for the daiy authentication of its members. However, one important difference from a typica authentication server is that it owns the private signing key corresponding to the organization s pubic key recognized by the coud service provider and the rest of the word. It is thus important to ower this eve of trust by distributing the knowedge of this private key to mutipe parties. In addition, this aso avoids the botteneck of a singe SEM and the potentia singe point of faiure. Therefore, we further extend our scheme to the muti-sem mode with the technique of (w, t)-shamir secret sharing [16], where w = 2t 1. In the muti-sem mode with a tota number of w SEMs, even when a maximum number of(t 1) SEMs are unabe to sign data normay, data owners can sti obtain vaid signatures from the rest of SEMs. The rest of this paper is organized as foows. We present the system mode, security and privacy threats, design objectives, and overview of our design in Section II. We introduce the definition and properties of some techniques we utiized in the design of our scheme in Section III. The detais of our scheme and security anayses are described in Sections IV and V. Experiment resuts are shown in Section VI. Finay, we briefy discuss reated work in Section VII, and concude this paper in Section VIII. II. MODEL, OBJECTIVES, AND OUR DESIGN A. System Mode The system mode introduced in this paper consists of four entities, incuding data owners, data users, the coud server, and a security-mediator (SEM), which are described in Figure 1. Data owners generate data and upoad them to the coud for sharing. We wi first consider the singeowner scenario, where each data fie stored in the coud is managed and modified by ony a singe data owner. The muti-owner scenario wi be discussed ater in this paper. Data users are abe to access data upoaded by data owners, but are not aowed to modify data in the coud. Data owners and data users are sometimes coectivey termed as coud users in this paper. The coud server provides data storage and sharing services to data owners and data users. Both the coud server and data users are pubic verifiers, who are not the owner of data but need to verify data integrity when it is necessary. The SEM provides security services to data owners by generating signatures on data for owners before these data are outsourced to the coud.

3 We aso make the standard assumption (e.g., [10]) that the communication channe between the coud server and the verifier is authenticated. After a, one of the major purposes for using our system and other existing PDP soutions is to ensure that the coud users can obtain cryptographic evidences when the coud server fai to provide a reiabe storage service. Data Owner Data Fow Coud Server 1. Binded message 2. Signature 3. Chaenge 4. Response Security-Mediator Data User Figure 1. The system mode incudes data owners, data users, the coud server, and a security-mediator (SEM). B. Security Threats and Design Objectives Due to the existence of externa and interna attacks in the coud, coud users remain concerned about the integrity of their data in the coud. On the other hand, data owners want to preserve not ony their identity privacy but aso data privacy when they create the data to be shared. To address the above security and privacy threats, our system shoud achieve the foowing properties: Pubic Verifiabiity. The integrity of coud data (outsourced by data owners) shoud be verifiabe by a pubic verifier. Verification Efficiency. A pubic verifier, especiay who does not possess coud data, shoud be abe to verify the integrity of coud data without retrieving the entire data from the coud server. Unforgeabiity. The verification metadata (signatures) for ensuring data integrity shoud be existentiay unforgeabe under adaptive chosen-message attack. Anonymity. The identity of a data owner shoud not be reveaed to a pubic verifier during the verification of data integrity. In addition, a SEM shoud not be abe to revea the identity of a data owner based on coud data and corresponding signatures. Data Privacy. During the generation of signatures for a data owner, other parties, even a SEM, shoud not be abe to earn the content of data that the data owner wants to sign. Signing Efficiency. The communication requirement between a SEM and a data owner during signature generation shoud be smaer than directy transferring the data to be signed. Note that how the access contro of the data wi be enforced by the coud is an orthogona issue which can be deat with existing soution, e.g., [14], [15]. Aso, the communication channe between the SEM and a data owner can be chosen to provide various eve of anonymity, e.g., over an anonymous network (such as Tor [6]). The SEM can authenticate each data owner by anonymous credentia supporting both revocation and reputation, e.g., [17]. C. Soution Overview Unike traditiona PDP schemes for secure coud storage, which require a data owner to generate signatures by hersef, our scheme requires the data owner to first obtain signatures on her data with the hep of the SEM. More specificay, she first divides her data into many sma bocks, processes every bock with binding techniques, and then sends the binded version of these bocks to the SEM. The SEM then computes a bind signature with its private key, and returns this bind signature back to the data owner. Then, the data owner transforms this bind signature to obtain the actua signature on the origina bock. Finay, the data owner upoads a her data and corresponding signatures to the coud server. Dividing coud data into sma bocks and generating a signature on every one of them wi enabe a pubic verifier to check data integrity by retrieving ony a random combination of a the bocks instead of retrieving the entire coud data from the coud server, which is the typica approach in PDP schemes. When a pubic verifier checks the integrity of coud data based on its signatures, this pubic verifier ony earns the coud data is signed by the SEM, which proves that coud data is correct, but has no means to revea the identity of the data owner. Due to the properties of bind signatures, even the SEM is not abe to revea the content of data it bindy signed before, or ink a data owner to the data or signatures stored on the coud. A. Biinear maps III. PRELIMINARIES Let G 1 and G 2 be two mutipicative cycic groups of prime order p, g be a generator of G 1. Biinear map e is a map e: G 1 G 1 G 2 with the foowing properties: (1) Computabiity: map e can be efficienty computed. (2) Biinearity: for a u,v G 1 and a,b Z p, e(u a,v b ) = e(u,v) ab. (3) Non-degeneracy: e(g,g) 1. B. Bind Signatures Bind signatures, first proposed by Chaum [18], form a specia type of signatures where the message owner and the signer are different parties. More specificay, the message owner choose a binding factor to bind the content of her message and sends the binded message to the signer. After received the binded message, the signer generates a signature on the binded message and returns it to the message owner. The message owner is abe to recover and

4 output a reguar signature on the origina message based on the resut returned by the signer and the binding factor. The bindness properties requires that the signer cannot earn the content of the origina message during the generation of a signature. For uninkabiity, it requires that the signer cannot ink a binded message/signature to its corresponding unbinded form. C. Shamir Secret Sharing A (w,t)-shamir secret sharing scheme [16], where w = (2t 1), is abe to divide a secret s into w pieces in such a way that this secret s can be easiy recovered from any t pieces, whie the knowedge of any (t 1) pieces reveas absoutey no information about this secret s. The essentia idea of a (w, t)-shamir secret sharing scheme is that, a number of t points define a poynomia of degree (t 1). Suppose we want to share the secret s Z p. We set a 0 = s and define the foowing poynomia f(x) = a t 1 x t 1 + +a 1 x+a 0, (1) by picking a t 1,,a 1 uniformy at random from Z p. Each piece of the share is actuay a point of poynomia f(x), for exampe, (x i,f(x i )). The secret s can be recovered by at east a number of t points of poynomia f(x) with Lagrange poynomia interpoation. Shamir secret sharing is generay used in key management schemes [16] and secure muticomputation [19], [20]. A. Overview IV. OUR SOLUTION In our soution, it is the SEM who wi generate signatures on a the message bocks of a data owner. To do that, a data owner first sends a binded version of the bock to the SEM, obtain a signature on the binded bock, and eventuay recover the actua signature on this bock. To reduce the communication overhead and improve the efficiency of the signing services, we aow a data owner to bind an aggregation of mutipe data eements in a bock. Specificay, suppose a bock is denoted asm i = (m i,1,,m i,k ), where k is the number of data eements in a bock, then the size of an aggregate vaue and the size of the binded version of an aggregate vaue are both ony 1/k of the size of this bock. Unfortunatey, we cannot arbitrariy increase the vaue of k since it wi increase the communication overhead during pubic verification. The trade-off invoved wi be discussed ater in Section IV-C. B. Scheme Detais Our scheme incudes seven agorithms, incuding Setup, Bind, Sign, Unbind, Chaenge, Response, and Verify. Goba parameters (impicit input of a other agorithms), pubic keys and private keys are generated in Setup. A data owner is abe to generate signatures on her data with the hep of the SEM after performing Bind, Sign, and Unbind. A pubic verifier is abe to chaenge and verify the integrity of data stored in the coud by interacting with the coud server in Chaenge, Response, and Verify. The detais of each agorithm are described as foows: Setup: Given a security parameter λ, outputs goba parameters as (G 1,G 2,e,p,g,H,u 1,,u k ), where G 1, G 2 are two mutipicative groups of prime order p (with p, the size of p, determined by λ), g is a generator of G 1, e : G 1 G 1 G 2 is a biinear map, H : {0,1} G 1 is a is hash function, (u 1,,u k ) are k random G 1 eements. Data M, which wi be outsourced by a data owner, is divided into n bocks as M = (m 1,,m n ), and each bock m i = (m i,1,,m i,k ) contains k eements of Z p. The SEM generates its private key as sk = y Z p and pubic key as pk = g y G 1. Bind: Given a bock m i = (m i,1,,m i,k ), its bock identifier id i, a data owner first generates a random factor r Z p, then binds bock m i into a binded message m i by m i = [H(id i ) =1 u m i, ] g r G 1. (2) This binded message m i wi then be sent to the SEM. Sign: Given a binded message m i, private key sk = y, the SEM computes a signature on binded message m i by σ i = ( m i ) y G 1, (3) and returns this signature σ i back to the data owner. Unbind: Given binded message m i, its signature σ i, the random factorr used inbind, and pubic keypk = g y, a data owner first checks the correctness of signature σ i by e( σ i,g)? = e( m i,pk). (4) If it does not hod, the data owner discards this signature σ i and asks the SEM to generate a new one. Otherwise, the data owner obtains a signature σ i on bock m i by σ i = σ i pk r = [H(id i ) =1 u m i, ] y G 1. (5) The correctness of Equation 4 is presented as foows: e( σ i,g) = e( m y i,g) = e( m i,g y ) = e( m i,pk). The correctness of Equation 5 is easy to see. Finay, after the computation of a the signatures on a the bocks, the data owner outsources data M = (m 1,,m n ) and its corresponding signatures (σ 1,,σ n ) to the coud. Chaenge: A pubic verifier generates a chaengec = {id i,β i } i I, where {I : i I 1 i n} is the set of a the n bocks indices 2 and β i is a random eement of Z p. Response: Given a chaenge C, the outsourced data M and its signatures (σ 1,,σ n ), the coud 2 The size of this set is a tuneabe parameter. The trade-off invoved wi be discussed in Section IV-C.

5 Data Owner Bind m i = [H(id i ) u mi, ] g r =1 Unbind e( σ i,g) =? e( m i,pk) σ i = σ i pk r Figure 2. binded message m i signature σ i Bind, Sign, and Unbind SEM Sign σ i = ( m i ) y 1) computes σ = i I σβi i G 1, 2) computes α = i I β im i, Z p, where [1,k], and returns a response R = {σ,α 1,,α k } to the verifier. Verify: Given chaenge C = {id i,β i } i I, response R = {σ,α 1,,α k }, and pubic key pk, a pubic verifier checks the integrity of data M by e(σ,g)? = e( i IH(id i ) βi =1 u α,pk). (6) If the above equation hods, outsourced data M is correcty stored in the coud. Otherwise, data M is not correct. Chaenge Verify Pubic Verifier C = {id i,β i } i I χ = k H(id i ) βi i I =1 e(σ,g) =? e(χ,pk) Figure 3. u α chaenge C response R Coud Server Response σ = i Iσ βi i α = i I β i m i, R = {σ,α 1,...,α k } Chaenge, Response, and Verify The correctness of pubic verification is presented as RHS = e( i IH(id i ) βi = e( i I =1 H(id i ) βi = e( i I[H(id i ) = e(σ,g) =1 i I u βim i, i I =1 u m i, ] yβi,g),pk) u βim i,,g y ) where RHS denotes the right hand side of Equation 6. C. Discussions Performance Optimization. There are severa methods can be used to further improve the efficiency of our scheme. Batch Verification in Unbind. When checking the correctness ofnsignatures( σ 1,, σ n ) from the SEM, the data owner can perform batch verification by checking their correctness simutaneousy instead of verifying them one by one. Specificay, the data owner can verify the n signatures ( σ 1,, σ n ) by n e( i=1 σ γi i,g)? = e( n i=1 m γi i,pk), (7) where γ i Z p, for 1 i n, are random numbers generated by the data owner. The correctness of batch verification above can be easiy expained based on the properties of biinear maps. Parameter k. As shown in our scheme, a bock m i = (m i,1,,m i,k ) incudes k eements of Z p and the signature storage overhead of a bock is 1/k. Ceary, the data owner can choose a arger vaue of k to save the tota signature storage overhead in the coud. As a necessary trade off, the signature generation time, and aso communication overhead during pubic verification, wi ineary increase with an increase of k. Samping Strategies. During pubic verification, a pubic verifier can randomy seect a smaer number of bocks instead of a the n bocks, and is sti abe to detect the corrupted data with a high probabiity [3]. Sma Exponentiations. Random β i can be seected from Z q instead of Z p, where q is much smaer than p. One may refer to the discussion in [21] for reationship between the size of q and the probabiity of accepting a bad signature. Data Privacy. Data privacy is aso an important property that a secure coud data storage scheme shoud support. Generay speaking, the content of data shoud be encrypted by the data owner before data is outsourced to the coud server. In our scheme, to protect data privacy, a data owner can first encrypt a bock in her data by m = Enc key (m) using any symmetric key encryption, and foows agorithm Bind, Sign, Unbind to obtain a signature σ on the encrypted bock m. After receiving a the signatures on a encrypted bocks, the data owner outsources the encrypted version of her data and corresponding signatures to the coud. Other Features with Pubic Verification. During pubic verification, supporting other features, such as data dynamic [8], [9], are aso beieved to be important probems. Since the verification process of our scheme and these schemes are a based on BLS signatures [22], by everaging simiar techniques from these schemes [8], [9], data dynamic can be easiy supported by our scheme without affecting the security and privacy of our current scheme. Since the main purpose of our scheme is to provide identity privacy for the

6 data owner, we do not describe the detais of how to enabe data dynamic with our scheme in this paper. Muti-Owner Scenario. In many appications, coud data is maintained by mutipe owners. For exampe, a group of users can edit the same fie by using onine coaborative toos. As discussed in previous work, protecting the identity of the owner on each bock in coud data is aso very important to the privacy of this group and coud data itsef [5], [13]. For instance, without protecting anonymity on muti-owner data, a pubic verifier may easiy distinguish a particuar owner is a more important member in the group than other group members because this owner maintains and signs the argest number of bocks in coud data; a particuar bock can be indicated as a more important one than other bocks in the same data fie because this bock is frequenty modified and signed by different group members. Ceary, with our scheme, the identity privacy of group members under the muti-owner scenario can be preserved from a pubic verifier by asking a the members in the same group to generate signatures on coud data with a same pubic/private key pair managed by the SEM. For a pubic verifier, it is convinced a the bocks in coud data is signed by the SEM, but cannot distinguish any particuar member or bock during the verification of data integrity. Dynamic Groups and Instant Revocation Support. Compared to previous schemes [5], [13], which are aso abe to preserve the identity of the owner on each bock from a pubic verifier under the muti-owner scenario, another advantage of our scheme is its easy support of dynamic groups, where new users can be added into a group and existing members can be revoked from a group. More specificay, once a new user joins the group, the group manager wi instruct the SEM to add this new user into the group member ist, and the SEM wi provide signing services to this new user as other members in the group; if an existing member is revoked from the group, the group manager wi instruct the SEM to remove this member from the group member ist, and the SEM wi no onger provide signing services to the revoked user. In this way, our scheme can sti maintain identity privacy for dynamic group without the need of recomputing any signatures on coud data. For the previous schemes [5], [13], once the membership of the group is changed, a the signatures on coud data need to be recomputed to maintain identity privacy, which is quite inefficient. D. Security Anaysis Since the bind signatures [23] we used are essentiay extended from BLS signatures [22]. It is easy to see that the fina signature resuted from the signing protoco, and the chaenge-response protoco a foow exacty from the scheme in [7], which is aso based on BLS signatures [22]. This ceary ensures the pubic verifiabiity for data integrity. The identity privacy of a data owner is straightforward since a the data to be used in integrity verification is originated from the same private key of the SEM. Data privacy and anonymity during the generation of signatures foow exacty as the argument in [23]. In particuar, both our scheme and the bind signature scheme in [23] bind the message with the same mechanism invoving a random factor r. For every vaid signature, it is aways possibe to find the corresponding r to form a matching communication transcript, and hence the signature and the communication transcript during its generation are uninkabe. Finay, unforgeabiity can be proven in two steps. Firsty, the resuting signature is in the same form produced by the scheme in [7]. Moreover, the bind signing protoco can be proven to be unforgeabe under the one-more discreteogarithm assumption, simiar to the proof of unforgeabiity for the scheme in [23]. V. OUR SCHEME IN MULTI-SIGNER MODEL A. Scheme Overview To avoid the possibe singe point faiure and improve the reiabiity and security of our scheme, we can further extend our scheme to work with mutipe SEMs. Specificay, we utiize a(w, t)-shamir secret sharing scheme to distribute the private key sk, which is used to compute signatures for data owners, into w pieces as (sk 1,,sk w ), and share each piece with a SEM. When a data owner wishes to generate a signature on a bock m, it sends the binded version of this bock to every SEM, and each SEM is abe to compute a share of the bind signature with its own piece. Once the data owner obtains t vaid shares of bind signature from t SEMs, she is abe to recover the signature on her origina bock m by using Lagrange poynomia interpoation. B. Scheme Detais Simiar to our scheme in the singe-sem mode, the one in muti-sem mode aso consists of seven corresponding agorithms, incudingsetup,bind,sign,unbind, Chaenge, Response, and Verify. The detais of our scheme in muti-sem mode are presented as beow. Setup : A seected party acting as the manager of SEMs generates the private key sk = y Z p and pubic key pk = g y G 1. This manager randomy generates the foowing poynomia of degree (t 1): f(x) = a t 1 x t 1 + +a 1 x+a 0 (8) where a 0 = y. Then, this manager computes w points of f(x) by (x 1,y 1 ), (x 2,y 2 ),,(x w,y w ), where y j = f(x j ) for 1 j w, and securey distributes each point as a share of sk to each SEM. The private key of SEM S j is sk j = y j, and its pubic key is pk = g yj. After the distribution of a the w points, the manager can go offine. Bind : The binding process of a bock m i is the same as in agorithm Bind. The ony difference is that, after the binding, the data owner sends the binded message m to a the w SEMs instead of ony one SEM.

7 Sign : Given a binded message m i, private key sk j = y j, SEM S j computes a share of bind signature on m i by σ i,j = ( m i ) yj G 1, (9) and returns σ i,j back to the data owner. Unbind : Given binded message m i, a share of bind signature σ i, the random factor r used in Bind, and pubic key pk j = g yj, a data owner first checks the correctness of σ i,j by e( σ i,j,g)? = e( m i,pk j ). (10) If this equation does not hod, the data owner discard this share of bind signature σ i,j and asks SEM S j to generate a new one. Otherwise, the data owner beieves this share of bind signature is correcty given by SEM S j. After the data owner receives t correct shares of bind signature (without oss of generaity, we assume these t shares are σ i,1,, σ i,t ), the data owner computes L j (0) = x,1 j t, (11) x j x 0< t, j where Lagrange basis poynomia L j (0) is independent of poynomia f(x), and can be pre-computed. Then, the data owner computes bind signature σ i on m i by σ i = t j=1 σ Lj(0) i,j G 1 (12) The correctness of the above equation can be expained by the correctness of Lagrange poynomia interpoation: t j=1 σ Lj(0) i,j = = m t t [ m yj i ]Lj(0) j=1 = m Lj(0)yj i j=1 t j=1 Lj(0)f(xj) i = σ i. = m f(0) i = m y i Finay, the data owner recovers the actua signature σ i on bock m i = (m i,1,,m i,k ) by σ i = σ i pk r, (13) which is the same as Equation 5 in agorithm Unbind. After obtained a the n signatures (σ 1,,σ n ) on data M = (m 1,,m n ), the data owner outsources the entire data M and a n the signatures together to the coud server. Chaenge, Response and Verify : Since the fina signature remains the same no matter in the singe- SEM mode or muti-sem mode, a pubic verifier is abe to check the integrity of coud data in the same way as in the singe-sem mode by foowing agorithms Chaenge, Response, and Verify. Simiar to agorithm Unbind, we can aso adopt batch verification in agorithm Unbind to improve the efficiency of our scheme in the muti-sem mode. More concretey, a data owner can verify a the 2n t shares of bind signature with the foowing equation n t t n e( σ i,j,g) =? e( m i,pk j ), (14) i=1j=1 j=1 i=1 which can reduce the number of pairing operations from nt to (t+1). Simiary, the correctness of the above equation can be proved with the properties of biinear maps. VI. PERFORMANCE In this section, we anayze the computation and communication overhead of our scheme in both the singe-sem mode and muti-sem mode, and then we evauate the performance of our scheme by experiments. A. Computation and Communication Overhead Since exponentiation operations and pairing operations require more time to compute than other operations, we focus on these two kinds of operations during the anaysis of computation overhead. In the foowing, we use Exp G1 to denote the computation cost of one exponentiation in G 1, and Pair to denote the computation cost of one pairing operation on biinear map e : G 1 G 1 G 2. 1) Signature Generation: As described in Section IV, in order to generate a signature on a bock of data, a data owner first needs to aggregate and bind the bock with agorithm Bind, which costs (k+1)exp G1. After received a binded message from the data owner, the SEM computes a signature with agorithm Sign, which costs 1Exp G1. Finay, with agorithm Unbind, the data owner verifies the correctness of a bind signature, and recovers the actua signature of the origina bock, which costs 1Exp G1 +2Pair. So, to generate signatures for the entire data, the computation cost for unbinding n signatures is nexp G1 +2nPair. With batch verification, we can reduce the computation cost for unbinding n signatures to 3nExp G1 +2Pair based on Equation (7). The tota computation cost for the generation of a the n signatures are presented in Tabe I. Compare to the singe-sem mode, a data owner needs to spend a higher computation cost in agorithmunbind in the muti-sem mode, due to the verification of the n t bind signature shares and the recovery of n signatures on the n origina bocks with Lagrange poynomia interpoation. If a data owner verifies each bind signature separatey, this data owner needs to compute 2nt pairing operations, which significanty decreases the efficiency of unbinding. By everaging batch verification of the nt bind signatures and pre-computation on Lagrange basis poynomias, the tota computation cost in agorithm Unbind can be reduced to (3nt+n)Exp G1 +(t+1)pair. The communication cost between a data owner and the SEM during the generation of a signature is 2 p bits, where p denotes the size of an eement of Z p. In the muti-sem mode, the communication cost wi ineary increase with the number of SEMs. If the tota number of SEMs is w,

8 Tabe I COMPUTATION COST OF THE GENERATION FOR ALL THE n SIGNATURES Singe-SEM Mode Muti-SEM Mode Basic Performance n(k +3)Exp G1 +2nPair n(k +2t+1)Exp G1 +2ntPair Optimized Performance n(k +5)Exp G1 +2Pair n(k +4t+2)Exp G1 +(t+1)pair then the tota communication cost for generating a signature is 2w p bits per bock. 2) Pubic Verification: A pubic verifier checks the correctness of a response at a cost of (n+k)exp G1 +2Pair. The communication cost of a chaenge C = {id i,β i } i I is n( id + p ) bits, where id denotes the size of an identifier of a bock, the communication cost of a response R = {σ,α 1,...,α k } is (k + 1) p bits. Therefore, the tota communication cost of pubic verification is n id + (n + k + 1) p bits. Ceary, as mentioned in previous section, whie increasing k wi save the communication cost for data owners during signature generation, it wi increase the communication cost during pubic verification. The computation and communication overhead during pubic verification are sti the same as in the muti-sem mode, because the efficiency of pubic verification is independent of the number of SEMs. B. Experimenta Resuts We now evauate the performance of our scheme, and compare it with severa previous schemes using experiments. In the foowing experiments, we use Pairing Based Cryptography (PBC) ibrary to simuate cryptographic operations, and we test our experiments on a Linux system with Inte Core i GHz Processor and 1 GB Memory. We assume the tota size of coud data is 2 GB, and p = 160 bits. 1) Signature Generation: As we discussed before, the main difference between our scheme and previous schemes [7], [4] is that, we introduce a SEM to compute signatures for data owners to support anonymity. Therefore, we first evauate the performance of our scheme during signature generation, and compare it with previous schemes [7], [4] (denoted as SW08 and WCWRL11 in this paper), which are aso abe to support pubic verification based on BLS signatures [22] but not abe to provide identity privacy. From Figure 4(a), we can see that a data owner needs to spend much more time to generate a signature with the hep of the SEM than simpy generating it independenty by hersef, if she directy foows our scheme. For exampe, when k = 100, our scheme requires miiseconds to generate a signature on a bock whie SW08/WCWRL11 ony needs miiseconds. However, if we utiize batch verification during the verification of the tota number of n bind signatures on the entire data in agorithm Unbind, the average signature generation time can be reduced to miiseconds per bock, which is amost the same as the signature generation time in SW08/WCWRL11. It impies that introducing the SEM to provide identity privacy wi not bring a huge burden to a data owner. In the foowing figures, we use Our Scheme* to denote the performance of this optimized version. Simiar to batch verification in the singe-sem mode, we can aso reduce the signature generation time in the muti- SEM mode. As shown in Figure 4(b), the average signature generation time of our scheme in the muti-sem mode (if t = 3 and k = 100) is about miiseconds per bock, which is sighty higher than the average signature generation time of our scheme in the singe-sem mode. It means that appying mutipe signers to avoid the singe point of faiure wi not dramaticay affect the signature generation time. Generation Time (ms) Our Scheme Our Scheme* SW08/WCWRL k: the number of eements per bock (a) Impact of k on signature generation time (ms) Generation Time (ms) Singe-Singer* Muti-Signer* SW08/WCWRL k: the number of eements per bock (b) Impact of k on signature generation time (ms) Figure 4. Computation Cost of Signature Generation The performance of the signature generation time in muti-sem mode are presented in Figures 5(a) and 5(b). Ceary, if batch verification of bind signatures and precomputation of Lagrange basis poynomias are used in agorithmunbind, a data owner can save a ot of computation cost during the generation of a signature. Specificay, in Figure 5(a), when k = 100, the signature generation time is about 40 miiseconds per bock if batch verification is not used in agorithm Unbind. By taking advantage of batch verification, the average signature generation time can be reduced to miiseconds per bock. Generation Time (ms) Muti-Singer Muti-Signer* k: the number of eements per bock (a) Impact of k on signature generation time (ms), where t = 2 Generation Time (ms) k=100 k= t: the number of vaid SEMs (b) Impact of t on signature generation time (ms) Figure 5. Cost of Signature Generation in the Muti-SEM Mode During the signature generation, a data owner needs to send a bock to the SEM to obtain a bind signature, which wi cost a data owner extra communication overhead than generating signatures by hersef independenty. As we can see from Figure 6(a), by increasing parameter k, we can save the communication cost during the generation of signatures. When k = 100, the communication overhead is 40 MB, where the size of the entire data is 2 GB.

9 When k = 1, 000, the communication overhead is ony 4 MB, which is significanty smaer than the size of the entire data. In the muti-sem mode, the communication overhead increases ineary with the tota number of SEMs. For exampe, if the tota number of SEMs is w = 5 and the number of eements in each bock is k = 1,000, then the communication overhead during the generation of signatures is 20 MB in tota. The tota storage for storing signatures in the coud wi aso be dramaticay decreased if the vaue of k increases, which is iustrated in Figure 6(b). Finay, the number of SEMs does not affect the signature storage cost. Commmunication Cost (MB) Singe-Singer Muti-Signer (w=3) Muti-Signer (w=5) k: the number of eements per bock (a) Impact of k on commun. cost of signature generation (MB) Storage on Signatures(MB) 100 Our Scheme k: the number of eements per bock (b) Impact of k on signature storage (MB) Figure 6. Communication and Storage Cost of Signatures 2) Pubic Verification: Since the adoption of bind signatures in our scheme does not affect the verification, the performance of pubic verification in our scheme is the same as SW08 [7] if the same parameters are seected. As iustrated in [3], the efficiency of pubic verification can be significanty improved by seecting a number of c random bocks instead of seecting a thenbocks, wherec n. As we can see from Tabe II, if we choose k = 1,000, then the tota number of bocks in data is 100,000 (because the size of data is 2 GB and p = 160 bits). When a the n bocks are seected during pubic verification, the computation overhead is seconds and the communication is 2.27 MB. Whie if ony c = 460 random bocks are seected, the computation overhead during pubic verification is ony 0.21 seconds and the corresponding communication overhead is ony KB. According to previous work [3], [4], when c = 460, the probabiity to detect the incorrectness of coud data is greater than 99%. Tabe II PERFORMANCE OF PUBLIC VERIFICATION WHEN k = 1, 000 n = 100,000 c = 460 Computation Overhead seconds 0.21 seconds Communication Overhead 2.27 MB KB 3) Performance Comparison among the Schemes with Identity Privacy: We compare the performance of our scheme, incuding signature generation time, extra storage space on signatures, computation overhead, and communication overhead during pubic verification, with previous schemes [5], [13], which aso aimed to preserve identity privacy in the muti-owner scenario. In Tabe III, we assume the entire data is 2 GB, the size of an eement in a bock is p = 160 bits, the number of eements in a bock is k = 1,000, the tota number of bocks is n = 100,000, and the number of mutipe owners in a group is d = 10. During integrity verification, a number of c = 460 random bocks are seected. As shown in the foowing tabe, when protecting identity privacy for a group of mutipe owners, our scheme has a better performance than previous work [5], [13]. Besides, our scheme can easiy support group dynamic whie the other two schemes cannot. Tabe III COMPARISON AMONG SCHEMES WITH IDENTITY PRIVACY Our scheme [5] [13] Signature Generation Time (ms) Extra Storage for Signatures (MB) Computation Overhead (seconds) Communication Overhead (KB) Pubic Verification Yes Yes No Group Dynamic Yes No No VII. RELATED WORK To aow a data owner to verify the integrity of data that stored in a remote and untrusted server without downoading the entire data, Ateniese et a. [3] first proposed provabe data possession (PDP) based on homomorphic authenticators and samping strategies. In addition, this scheme can aso support pubic verification, Shacham and Waters [7] designed an improved pubic verification scheme based on BLS signatures [22]. In order to support dynamic data whie sti achieving pubic verification on the integrity of remote data, one may integrate the use of rank-based authenticated dictionary [8] or Merke Hash Tree [9]. Wang et a. [10] designed a pubic verification scheme for coud data, where data is encoded with erasure codes, so that the content of a user s data can be recovered even if some part of data is pouted. Moving a step forward, by using techniques from network coding, the scheme of Chan et a. [11] can minimize the data repair cost. Recenty, Cao et a. [12] everaged LT codes to make the data owner free from the burden of being onine after her data outsourcing. Apart from identity privacy, data privacy is aso an important issue during pubic verification of the coud data integrity. Wang et a. [4] considered how to preserve data privacy from a third party auditor (TPA) by using zeroknowedge proof techniques. In addition, their system aso supports batch verification of mutipe data auditing requests. More recenty, Wang et a. [24], [25] designed two schemes to verify the integrity of shared data whie supporting efficient user revocation with the techniques of proxy resignatures [26], [27]. In addition, Tate et a. [28] proposed a scheme for verifying the integrity of muti-user data with the hep of trusted hardware. However, these three schemes are not abe to preserve the identities of data owners. VIII. CONCLUSION In this paper, we introduce what we beieve is the right approach to achieve anonymity in storing data to the coud with pubicy-verifiabe data-integrity in mind. Our approach decoupes the anonymous protection mechanism from the

10 provabe data possession mechanism via the use of securitymediator. Our soution not ony minimizes the computation and bandwidth requirement of this mediator, but aso minimizes the trust paced on it in terms of data privacy and identity privacy. The efficiency of our system is aso empiricay demonstrated. ACKNOWLEDGEMENT This work is supported by the NSF of China (No and ), Fundamenta Research Funds for the Centra Universities (No. K ), Nationa 111 Program (No. B08038), Doctora Foundation of Ministry of Education of China (No ), Program for Changjiang Schoars and Innovative Research Team in University (PCSIRT 1078) and U.S. NSF CNS REFERENCES [1] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, A View of Coud Computing, Communications of the ACM, vo. 53, no. 4, pp , [2] K. Ren, C. Wang, and Q. Wang, Security Chaenges for the Pubic Coud, IEEE Internet Computing, vo. 16, no. 1, pp , [3] G. Ateniese, R. Burns, R. Curtmoa, J. Herring, L. Kissner, Z. Peterson, and D. Song, Provabe Data Possession at Untrusted Stores, in ACM CCS, 2007, pp [4] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, Privacy-Preserving Pubic Auditing for Secure Coud Storage, IEEE Transactions on Computers, vo. 62, no. 2, pp , [5] B. Wang, B. Li, and H. Li, Oruta: Privacy-Preserving Pubic Auditing for Shared Data in the Coud, in IEEE Coud, June 2012, pp [6] R. Dingedine, N. Mathewson, and P. Syverson, Tor: The Second-Generation Onion Router, in USENIX Security Symposium, [7] H. Shacham and B. Waters, Compact Proofs of Retrievabiity, in ASIACRYPT, 2008, pp [8] C. Erway, A. Kupcu, C. Papamanthou, and R. Tamassia, Dynamic Provabe Data Possession, in ACM CCS, 2009, pp [9] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, Enabing Pubic Verifiabiity and Data Dynamic for Storage Security in Coud Computing, in ESORICS. Springer-Verag, 2009, pp [10] C. Wang, Q. Wang, K. Ren, and W. Lou, Ensuring Data Storage Security in Coud Computing, in ACM/IEEE IWQoS, 2009, pp [11] B. Chen, R. Curtmoa, G. Ateniese, and R. Burns, Remote Data Checking for Network Coding-based Distributed Stroage Systems, in ACM CCSW, 2010, pp [12] N. Cao, S. Yu, Z. Yang, W. Lou, and Y. T. Hou, LT Codesbased Secure and Reiabe Coud Storage Service, in IEEE INFOCOM, 2012, pp [13] B. Wang, B. Li, and H. Li, Knox: Privacy-Preserving Auditing for Shared Data with Large Groups in the Coud, in ACNS, 2012, pp [14] S. S. M. Chow, C.-K. Chu, X. Huang, J. Zhou, and R. H. Deng, Dynamic Secure Coud Storage with Provenance, in Cryptography and Security - Dedicated to Jean-Jacques Quisquater. Springer, 2012, pp [15] S. S. M. Chow, Y.-J. He, L. C. K. Hui, and S. M. Yiu, SPICE: Simpe Privacy-Preserving Identity-Management for Coud Environment, in ACNS, 2012, pp [16] A. Shamir, How to Share a Secret, vo. 22, no. 11, pp , [17] K. Y. Yu, T. H. Yuen, S. S. M. Chow, S.-M. Yiu, and L. C. K. Hui, PE(AR) 2 : Privacy-Enhanced Anonymous Authentication with Reputation and Revocation, in ESORICS, 2012, pp [18] D. Chaum, Bind Signatures for Untraceabe Payments, in CRYPTO, 1982, pp [19] C.-K. Chu, W. T. Zhu, S. S. M. Chow, J. Zhou, and R. H. Deng, Secure Mobie Subscription of Sensor-Encrypted Data, in ASIACCS, 2011, pp [20] M. Li, N. Cao, S. Yu, and W. Lou, FindU: Private-Preserving Persona Profie Matching in Mobie Socia Networks, in IEEE INFOCOM, 2011, pp [21] A. L. Ferrara, M. Green, S. Hohenberger, and M. Ø. Pedersen, Practica Short Signature Batch Verification, in CT-RSA. Springer-Verag, 2009, pp [22] D. Boneh, B. Lynn, and H. Shacham, Short Signatures from the Wei Pairing, J. Cryptoogy, vo. 17, no. 4, pp , [23] A. Bodyreva, Threshod Signatures, Mutisignatures and Bind Signatures Based on the Gap-Diffie-Heman-Group Signature Scheme, in PKC, 2003, pp [24] B. Wang, B. Li, and H. Li, Pubic Auditing for Shared Data with Efficient User Revoation in the Coud, in IEEE INFOCOM, [25] B. Wang, H. Li, and M. Li, Privacy-Preserving Pubic Auditing for Shared Coud Data Supporting Group Dynamics, in IEEE ICC, [26] G. Ateniese and S. Hohenberger, Proxy Re-signatures: New Definitions, Agorithms and Appications, in ACM CCS, 2005, pp [27] S. S. M. Chow and R. C.-W. Phan, Proxy Re-signatures in the Standard Mode, in ISC. Springer, 2008, pp [28] S. R. Tate, R. Vishwanathan, and L. Everhart, Muti-user Dynamic Proofs of Data Possession Using Trusted Harware, in ACM CODASPY, 2013, pp