Provable Possession and Replication of Data over Cloud Servers

Transcription

1 Provble Possession nd Repliction of Dt over Cloud Servers Ayd F.Brsoum nd M.Anwr Hsn Deprtment of Electricl nd Computer Engineering University of Wterloo, Ontrio, Cnd. Abstrct. Cloud Computing (CC) is n emerging computing prdigm tht cn potentilly offer number of importnt dvntges. One of the fundmentl dvntges of CC is py-s-you-go pricing model, where customers py only ccording to their usge of the services. Currently, dt genertion is outpcing users storge vilbility, thus there is n incresing need to outsource such huge mount of dt. Outsourcing dt to remote Cloud Service Provider (CSP) is growing trend for numerous customers nd orgniztions lleviting the burden of locl dt storge nd mintennce. Moreover, customers rely on the dt repliction provided by the CSP to gurntee the vilbility nd durbility of their dt. Therefore, Cloud Service Providers (CSPs) provide storge infrstructure nd web services interfce tht cn be used to store nd retrieve n unlimited mount of dt with fees metered in GB/month. The mechnisms used for dt repliction vry ccording to the nture of the dt; more copies re needed for criticl dt tht cnnot esily be reproduced. This criticl dt should be replicted on multiple servers cross multiple dt centers. On the other hnd, non-criticl, reproducible dt re stored t reduced levels of redundncy. The pricing model is relted to the repliction strtegy. Therefore, it is of crucil importnce to customers to hve strong evidence tht they ctully get the service they py for. Moreover, they need to verify tht ll their dt copies re not being tmpered with or prtilly deleted over time. Consequently, the problem of Provble Dt Possession (PDP) hs been considered in mny reserch ppers. Unfortuntely, previous PDP schemes focus on single copy of the dt nd provide no gurntee tht the CSP stores multiple copies of customers dt. In this pper we ddress this chllenging issue nd propose Efficient Multi-Copy Provble Dt Possession (EMC-PDP) protocols. We prove the security of our protocols ginst colluding servers. Through extensive performnce nlysis nd experimentl results, we demonstrte the efficiency of our protocols. Keywords: Cloud computing, outsourcing dt storge, dt integrity, cryptogrphic protocols 1 Introduction Cloud Computing (CC) is n emerging computing prdigm tht cn be viewed s virtulized pool of computing resources (e.g. storge, processing power, memory, pplictions, services, nd network bndwidth), where customers re provisioned nd de-provisioned recourses s they need. CC represents the vision of providing computing services s public utilities like wter nd electricity. CC services cn be ctegorized into [1]: Softwre-s--Service (SS), Pltform-s-- Service (PS), nd Infrstructure-s--Service (IS). The widely used model of CC services is the SS model in which the customers hve ccess to the pplictions running on the cloud provider s infrstructure. Google Docs, Google Clendr, nd Zoho Writer re publicly known exmples of this model. In PS model, the customers cn deploy their pplictions on the

2 2 Ayd F.Brsoum nd M.Anwr Hsn provider infrstructure under condition tht these pplictions re creted using tools supported by the provider. IS model enbles customers to rent nd use the provider s resources (storge, processing, nd network). Hence, the customers cn deploy ny pplictions including operting systems. The considerble ttention of Cloud Computing prdigm is due to number of key dvntges which mke it chllenging reserch re in both cdemi nd industry. This prdigm of Informtion Technology (IT) rchitecture supplies cost effective mens of computing over shred pool of resources, where users cn void cpitl expenditure on hrdwre, softwre, nd services s they py only for wht they use [1]. Moreover, CC model provides low mngement overhed nd immedite ccess to brod rnge of pplictions. In ddition, mintennce cost is reduced s third prt is responsible for everything from running the cloud to storing dt. It is not only the economic benefits tht customers cn gin from CC model, but lso flexibility to scle up nd down IT cpcity over time to business needs. Furthermore, CC offers more mobility where customers cn ccess informtion wherever they re, rther thn hving to remin t their desks. CC llows orgniztions to store more dt on remote servers thn on privte computer systems. Orgniztions will no longer be worried bout constnt server updtes nd other computing issues; they will be free to concentrte on innovtions [2]. Outsourcing dt storge to remote Cloud Service Provider (CSP) is growing trend for more nd more customers nd orgniztions lleviting the burden of locl dt storge nd mintennce. In ddition, storing dt remotely llows mny uthorized users to ccess the dt from vrious different geogrphic loctions mking it more convenient to them. Also, some orgniztions my crete lrge dt files tht must be chieved for mny yers but re rrely ccessed, nd so there is no need to store such files on the locl storge of the orgniztions. According to recent survey, IT outsourcing hs grown by stggering 79% s compnies seek to reduce costs nd focus on their core competencies [3]. However, the fct tht dt owners re no longer physiclly possess their sensitive dt rises new formidble nd chllenging tsks relted to dt security nd integrity protection in Cloud Computing. Dt security cn be chieved by encrypting sensitive dt before outsourcing to remote servers. As such, it is crucil demnd of customers to hve strong evidence tht the cloud servers still possess their dt nd it is not being tempered with or prtilly deleted over time, especilly becuse the internl opertion detils of the CSP my not be known by cloud customers. It is unrguble tht, the completeness nd correctness of customers dt in the cloud is being put t risk due to the following resons. First, the CSP whose gol is to mke profit nd mintin reputtion hs n incentive to hide dt loss or reclim storge by discrding dt tht hs not been or is rrely ccessed. Second, greedy CSP might delete some of the dt or might not store ll dt in fst storge required by the contrct with certin customers, i.e., plce it on CDs or other offline medi nd thus using less fst storge. Third, the cloud infrstructures re subject to wide rnge of internl nd externl security threts. Exmples of security breches of cloud services pper from time to time [4, 5]. In short, lthough outsourcing dt into the cloud is economiclly ttrctive for the cost nd complexity of long-term lrge-scle dt storge, it does not offer ny gurntee on dt completeness nd correctness. This problem, if not properly hndled, my hinder the successful deployment of cloud rchitecture. Since customers dt hs been outsourced to remote servers, efficient verifiction of the completeness nd correctness of the outsourced dt becomes formidble chllenge for dt security in CC. The trditionl cryptogrphic primitives for dt integrity nd vilbility bsed on hshing nd signture schemes re not pplicble on the outsourced dt without hving locl copy of the dt. Of course, it is imprcticl for the clients to downlod ll stored dt in order to vlidte its integrity; this would require n expensive I/O cost nd immense

3 DEMC-PDP & PEMC-PDP 3 communiction overheds cross the network. Therefore, clients need efficient techniques to verify the integrity of their outsourced dt with minimum computtion, communiction, nd storge overhed. Consequently, mny reserchers hve focused on the problem of Provble Dt Possession (PDP) nd proposed different schemes to udit the dt stored on remote servers. Simply, Provble Dt possession (PDP) is technique for vlidting dt integrity over remote servers. Ateniese et l. [6] hve formlized PDP model. In tht model, the dt owner pre-processes the dt file to generte some metdt tht will be used lter for verifiction purposes through chllenge response protocol with the remote/cloud server. The file is then sent to be stored on n untrusted server, nd the owner my delete the locl copy of the file. Lter, the server demonstrtes tht the dt file hs not been deleted or tmpered with by responding to chllenges sent from the verifier who cn be the originl dt owner or other trusted entity tht shres some informtion with the owner. Reserchers hve proposed different vritions of PDP schemes under different cryptogrphic ssumptions [7 14]. We will present vrious PDP schemes in the literture survey section, nd will elborte how they vry from different perspectives. Unfortuntely, previous PDP schemes focus on single copy of the file nd provide no proof tht the CSP stores multiple copies of the owner s file. In this pper we ddress this chllenging problem, propose two Efficient Multi-Copy Provble Dt Possession (EMC-PDP) protocols, nd prove the security (correctness nd soundness) of our protocols ginst colluding servers. Extensive performnce nlysis which is vlidted through implementtion nd experimentl results illustrtes the efficiency of our protocols. Curtmol et l. [15] proposed Multiple-Replic PDP (MR-PDP) scheme, which is the only ttempt in the literture tht cretes multiple replics of owner s file nd udit them. Through extensive investigtion, we will detil the vrious fetures nd limittions of the MR-PDP model. Unfortuntely, Curtmol et l. [15] did not ddress how the uthorized users of the dt owner cn ccess the file copies from the cloud servers noting tht the internl opertions of the CSP re opque. This issue is not hndled in their protocol, nd thus we consider the protocol to be incomplete. We will demonstrte tht our protocols re complete nd outperform the MR-PDP model [15] from both the computtions nd communictions cost. The MR-PDP is investigted in more detils in section 5.2. The reminder of the pper is orgnized s follows: in Section 2 we provide our reserch problem definitions, motivtions, chllenges, nd our min contributions. Section 3 contins n extensive literture survey for the previous schemes of remote dt integrity, the fetures of these schemes, nd their limittions. Our system model nd design gols re presented in Section 4. In Section 5 we present nd nlyze the bsic nturl scheme for multi-copy provble dt possession nd the MR-PDP scheme due to Curtmol et l. [15]. Our EMC-PDP schemes re elborted in Section 6. In Section 7 we prove the security of our proposed schemes. The performnce nlysis nd experimentl results re done in Section 8. Our concluding remrks re given in Section 9. 2 Problem Definition, Motivtion, nd Min Contributions Users resort to dt repliction to ensure the vilbility nd durbility of their sensitive dt, especilly if it cnnot esily be reproduced. As simple exmple, when we re writing reserch pper, we re very creful to keep multiple copies of our pper to be ble to recover it in cse of ny filure or physicl dmge. Likewise, orgniztions, governments, nd universities replicte their finncil, personl, nd generl dt to gurntee its vilbility nd durbility over time. In the Cloud Computing prdigm, customers rely on the CSP to undertke the dt repliction tsk relieving the burden of locl dt storge nd mintennce, but they hve to py for their usge of the CSP s storge infrstructure. On the other side, cloud customers should be securely nd efficiently convinced tht the CSP is ctully possessing ll dt copies tht re greed

4 4 Ayd F.Brsoum nd M.Anwr Hsn upon, these dt copies re complete nd intct, nd thus customers re getting the service they re pying for. Therefore, in this pper we ddress the problem of creting multiple copies of owner s dt file over untrusted CSP nd uditing ll these copies to verify their completeness nd correctness. 2.1 Motivtion nd Chllenges The mechnisms used for dt repliction vry ccording to the nture of the dt; more copies re needed for criticl dt tht cnnot esily be reproduced. The pricing model of the CSPs is relted to the repliction strtegy. For exmple, Amzon S3 stndrd storge strtegy [16] mintins copies of customers dt on multiple servers cross multiple dt centers, while with Amzon Reduced Redundncy Storge (RRS) strtegy which enbles customers to reduce their costs noncriticl, reproducible dt is stored t reduced level of redundncy. As consequence, the pricing for the Amzon S3 stndrd storge is pproximtely 50% higher thn tht of the RRS. Cloud servers cn collude to chet the customers by showing tht they re storing ll copies, while in relity they re storing single copy. Therefore, cloud customers need secure nd efficient techniques to ensure tht the CSP is ctully keeping ll dt copies tht re greed upon, these copies re not corrupted, nd thus they py for rel services. 2.2 Contributions Our contributions cn be summrized s the following: 1. We propose two Efficient Multi-Copy Provble Dt Possession (EMC-PDP) protocols. These protocols efficiently provide the cloud customers with strong evidence tht the CSP is in relity possessing ll dt copies tht re greed upon nd these copies re intct. 2. We prove the security (correctness nd soundness) of our protocols ginst colluding servers. Cloud servers cn provide vlid responses to verifier s chllenges only if they ctully hve ll dt copies in n uncorrupted stte. 3. We justify the performnce of our proposed protocols through concrete nlysis nd comprison with the stte-of-the-rt. 4. We implement our proposed protocols using cryptogrphic librries. The experimentl results vlidte our performnce nlysis. To the best of our knowledge, the proposed protocols re the first complete nd efficient protocols tht ddress the storge integrity of multiple dt copies over Cloud Computing. 3 Literture Survey 3.1 Provble Dt Possession (PDP) Provble dt possession (PDP) is methodology for vlidting the integrity of dt in outsourcing storge service. The fundmentl gol of the PDP scheme is to llow verifier to efficiently, periodiclly, nd securely vlidte tht remote server which supposedly stores the owner s potentilly very lrge mount of dt is not cheting the verifier. The problem of dt integrity over remote servers hs been ddressed for mny yers nd there is simple solution to tckle this problem s follows. First, the dt owner computes messge uthentiction code (MAC) of the whole file before outsourcing to remote server. Then, the owner keeps only the computed MAC on his locl storge, sends the file to the remote server, nd deletes the locl copy of the file. Lter, whenever verifier needs to check the dt integrity, he sends request

5 DEMC-PDP & PEMC-PDP 5 to retrieve the file from the rchive service provider, re-computes the MAC of the whole file, nd compres the re-computed MAC with the previously stored vlue. Alterntively, insted of computing nd storing the MAC of the whole file, the dt owner divides the file F into blocks {b 1, b 2,..., b m }, computes MAC σ i for ech block b i : σ i = MAC sk (i b i ) 1 i m, sends both the dt file F nd the MACs {σ i } 1 i m to the remote/cloud server, deletes the locl copy of the file, nd stores only the secret key sk. During the verifiction process, the verifier requests for set of rndomly selected blocks nd their corresponding MACs, re-computes the MAC of ech retrieved block using sk, nd compres the re-computed MACs with the received vlues from the remote server [7]. The rtionle behind the second pproch is tht checking prt of the file is much esier thn the whole of it. However both pproches suffer from severe drwbck; the communiction complexity is liner with the queried dt size which is imprcticl especilly when the vilble bndwidth is limited. PDP Schemes of Deswrte et l. Deswrte et l. [8] thought of better solution by using two functions f nd H. H is one-wy function nd f is nother function such tht f(c, H (F ile)) = H(C F ile), where H is ny secure hsh function nd C is rndom chllenge number sent from the verifier to the remote server. Thus, the dt owner hs to compute H (F ile) nd store it on his locl storge. To udit the file, the verifier genertes rndom chllenge C, computes V = f(c, H (F ile)), nd sends C to the remote server. Upon receiving the chllenge C, the server computes R = H(C F ile) nd sends the response R to the verifier. To vlidte the file integrity, the verifier checks V =? R. At lest one of the two functions f nd H must be kept secret becuse if both were public, it would be esy for mlicious server to compute nd store only H (F ile) tht is not the entire file, nd then dynmiclly responds with vlid vlue f(c, H (F ile)) tht is not the expected one H(C F ile). Unfortuntely, Deswrte et l. [8] hve not found such functions f, H, nd H stisfying the desired verifiction rule. To workround this problem, finite number Ñ of rndom chllenges re generted offline for the file to be checked, the corresponding responses H(C i F ile) 1 i Ñ re pre-computed offline s well, nd then the pre-computed responses re stored on the verifier locl storge. To udit the file, one of the Ñ chllenges is sent to the remote server nd the response received from the server is compred with the pre-computed response which is previously stored on the verifier side. However, this solution limits the number of times prticulr dt file cn be checked by the number of rndom chllenges Ñ. Once ll rndom chllenges {C i} 1 i Ñ re consumed, the verifier hs to retrieve the dt file F from the storge server in order to compute new responses H(C i F ile), but this is unworkble. Deswrte et l.[8] proposed nother protocol to overcome the problem of limited number of udits per file. In their protocol the dt file is represented s n integer m. Figure 1 illustrtes the scheme proposed in [8] There re two min limittions in the protocol of Deswrte et l. [8]: In ech verifiction, the remote server hs to do the exponentition over the entire file. Thus, if we re deling with huge files, e.g., in order of Terbytes (s most prcticl pplictions require) this exponentition will be hevy. Storge overhed on the verifier side; it hs to store some metdt for ech file to be checked. This could be chllenge for the verifier if it uses smll devices, e.g., PDA or cell phone with limited storge cpcity. More RSA Bsed PDP Schemes. Filho et l. [9] proposed scheme to verify dt integrity using the RSA-bsed Homomorphic hsh function. A function H is Homomorphic if, given two

6 6 Ayd F.Brsoum nd M.Anwr Hsn Dt owner: Represents the dt file s n integer m Genertes RSA modulus N = pq (p & q re prime numbers) Pre-computes nd stores M = m mod N ( R Z N ) Sends the file vlue m to the remote server Chllenge Response Verifier Remote Server 1. Picks r R Z N 2. Computes chllenge A = r mod N A B 4. Computes C = M r mod N 5. Checks C =? B Fig. 1. The PDP protocol by Deswrte et l. [8]. 3. Computes response B = A m mod N opertion + nd, we hve H(d+d ) = H(d) H(d ). The protocol proposed in [9] is illustrted in figure 2. Note tht the response R = H(d) is homomorphic function in the dt file d; H(d + d ) r d+d r d r d H(d)H(d ) mod N. To find collision for this hsh function, one hs to find two messges d, d such tht r d r d, i.e., r d d 1 mod N. Thus, d d must be multiple of ϕ(n). Finding such two messges d, d is belived to be difficult since the fctoriztion of N is unknown. The limittions of the protocol proposed in [9] re similr to those of the protocol in [8]: the rchive service provider hs to exponentite the entire dt file plus the storge overhed on the verifier side. To circumvent the problem of exponentiting the entire file Sebé et l. [10] proposed to verify dt integrity by first frgmenting the file into blocks, fingerprinting ech block, nd then using n RSA-bsed hsh function on the blocks. Thus, the file F is divided into set of m blocks: F = {b 1, b 2,..., b m }, where m fingerprints {M i } 1 i m re generted for the file nd stored on the verifier locl storge. Their proposl does not require the exponentition of the entire file. Figure 3 demonstrtes the protocol proposed by Sebé et l. [10]. Limittions. Although the protocol proposed by Sebé et l. [10] does not require exponentition of the entire file, locl copy of the fingerprints whose size is liner in the number of file blocks must be stored on the verifier side. The verifier hs to store the fingerprints {M i } 1 i m, ech of size N bits consuming m N bits from the verifier locl storge, which my impede the verifiction process when using smll devices like PDAs or cell phones. Dt Storge Commitment Schemes. Golle et l. [11] proposed scheme to verify dt storge commitment, concept tht is weker thn integrity. They investigted storgeenforcing commitment scheme. Through their scheme storge server demonstrtes tht it is mking use of storge spce s lrge s the client s dt, but not necessrily the sme exct

7 DEMC-PDP & PEMC-PDP 7 Dt owner: Genertes RSA modulus N = pq (p & q re prime numbers) Computes ϕ(n) = (p 1)(q 1) Pre-computes nd stores h(d) = d mod ϕ(n) (d is the dt file) Sends the dt file d to the remote server Chllenge Response Verifier 1. Picks r R Z N r R 3. Computes R = r h(d) mod N 4. Checks R? = R Remote Server 2. Computes response R = H(d) = r d mod N Fig. 2. The PDP protocol by Filho et l. [9]. Dt owner: Genertes RSA modulus N = pq (p & q re prime numbers) Computes ϕ(n) = (p 1)(q 1) Splits the dt file F into m blocks: F = {b 1, b 2,..., b m } Pre-computes nd stores M i = b i mod ϕ(n) (1 i m) Sends the dt file F to the remote server Chllenge Response Verifier Remote Server 1. Picks R Z N 2. Genertes l( m) rndom vlues {c i } 1 i l,{c i} 1 i l 3. Computes r = 5. Computes r = R l c i M i mod ϕ(n) i=1 6. Computes R = r mod N 7. Checks R? = R Fig. 3. The protocol by Sebé et l. [10]. l c i b i i=1 4. Computes R = r mod N

8 8 Ayd F.Brsoum nd M.Anwr Hsn dt. The storge server does not directly prove tht it is storing file F, but proves tht it hs committed sufficient resources to do so. Their scheme is bsed on n-power Computtionl Diffie-Hellmn (n-pcdh) ssumption: for group Z p with genertor g, there is no known probbilistic polynomil time lgorithm A tht cn compute g xn given g x, g x2,..., g xn 1 with non-negligible probbility. The min scheme proposed by Golle et l. [11] is illustrted in figure 4. Setup File F = {b 1, b 2,..., b m }, b i Z p Let n = 2m + 1 Secret key sk = x R Z p Public key pk = (g x, g x2,..., g xn ) = (g 1, g 2,..., g n ) Dt owner computes nd stores f 0 = Chllenge Response m i=1 g bi i mod p Verifier 1. Picks rndom k [0, m] Remote Server k 3. Computes f k = 4. Checks f0 xk? = f k f k m i=1 g bi i+k Fig. 4. The protocol by Golle et l. [11]. Since ech file block b i Z p cn be represented by log 2 p bits, then the totl number of bits to store the file F = m log 2 p bits. For the storge server to chet by storing ll the possible vlues of f k (m + 1 vlues), it needs (m + 1) log 2 p bits which is slightly lrger thn the size of the originl file. Limittions. The gurntee provided by the proposed protocol in [11] is weker thn dt integrity since it only ensures tht the server is storing something t lest s lrge s the originl dt file but not necessrily the file itself. In ddition, the verifier s public key is bout twice s lrge s the dt file. Privcy-Preserving PDP Schemes. Shh et l. [12, 13] proposed privcy-preserving PDP protocols. Using their schemes, n externl Third Prty Auditor (TPA) cn verify the integrity of files stored by remote server without knowing ny of the file contents. The dt owner first encrypts the file, then sends both the encrypted file long with the encryption key to the remote server. Moreover, the dt owner sends the encrypted file long with key-commitment tht fixes vlue for the key without reveling the key to the TPA. The primry purposes of the schemes proposed in [12, 13] re to ensure tht the remote server is correctly possessing

9 DEMC-PDP & PEMC-PDP 9 the client s dt long with the encryption key, nd to prevent ny informtion lekge to the TPA which is responsible for the uditing tsk. Thus, clients especilly with constrined computing resources nd cpbilities cn resort to externl udit prty to check the integrity of outsourced dt, nd this third prty uditing process should bring in no new vulnerbilities towrds the privcy of client s dt. In ddition to the uditing tsk of the TPA, it hs nother primry tsk which is extrction of digitl contents. For the uditing tsk, the TPA intercts with the remote server to check tht the stored dt is intct. For the extrction tsk, the TPA intercts with both the remote server nd the dt owner to first check tht the dt is intct then delivers it to the owner. The protocols proposed by Shh et l. [12, 13] re illustrted in figure 5. The protocols proposed by Shh et l. [12, 13] hve the following key limittions: The number of times prticulr dt item cn be verified is limited nd must be fixed beforehnd. Storge overhed on the TPA; it hs to store Ñ hsh vlues for ech file to be udited. Lck of support for stteless verifiction; the TPA hs to updte its stte (the list L) between udits to prevent using the sme rndom number or the sme HMAC twice. Very high communiction complexity to retrieve E K (F ) if the TPA wnts to regenerte new list of hsh vlues to chieve unbounded number of udits. PDP in Dtbse Context. In dtbse outsourcing scenrio, the dtbse owner stores dt t storge service provider nd the dtbse users send queries to the service provider to retrieve some tuples/records tht mtch the issued query. Dt integrity is n impertive concern in the dtbse outsourcing prdigm; when user receives query result from the service provider, he wnts to be convinced tht the received tuples re not being tmpered with by mlicious service provider. Mykletun et l. [14] investigted the notion of signture ggregtion to vlidte the integrity of the query result. Signture ggregtion enbles bndwidth- nd computtionefficient integrity verifiction of query replies. In the scheme presented in [14], ech dtbse record is signed before outsourcing the dtbse to remote service provider. Mykletun et l. [14] provided two ggregtion mechnisms: one is bsed on RSA [17] nd the other is bsed on BLS signture [18]. For the scheme bsed on the RSA signture, ech record in the dtbse is signed s: σ i = h(b i ) d mod N, where h is one-wy hsh function, b i is the dt record, d is the RSA privte key, nd N is the RSA modulus. A user issues query to be executed over the outsourced dtbse, the server processes the query nd computes n ggregted signture σ = t i=1 σ i mod N, where t is the number of records in the query result. The server sends the query result long with the ggregted signture to the user. To verify the integrity of the received records, the user checks σ e =? t i=1 σ i mod N, where e is the RSA public key. The second scheme proposed by Mykletun et l. [14] which is bsed on the BLS signture [18] is similr to the first scheme but the record signture σ i = h(m i ) x, where x R Z p is secret key. To verify the integrity of the received records, the user checks ê(σ, g)? = ê( t i=1 h(b i), y), where g is genertor of the group Z p, y = g x (public key), nd ê is computble biliner mp tht will be explined lter. Although dt integrity (correctness) is n impertive concern in the dtbse outsourcing prdigm, completeness is nother crucil demnd for dtbse users. Completeness mens tht the service provider should send ll records tht stisfy the query criteri not just subset of them. The schemes proposed by Mykletun et l. [14] did not fulfill the completeness requirement. The completeness problem hs been ddressed by other reserchers (see for exmple [3, 19]). We emphsize tht the techniques bsed on ggregted signtures [14] would fil to provide blockless verifiction, which is needed by ny efficient PDP scheme. Indeed, the verifier hs to

10 10 Ayd F.Brsoum nd M.Anwr Hsn Setup Dt owner sends key K nd the encrypted file E K (F ) to the remote server Dt owner sends key-commitment vlue g K nd the encrypted file E K (F ) to the TPA (g is genertor for Z p ) The TPA genertes list L of rndom vlues nd HMACs: L = {(R i, H i )} 1 i Ñ, H i = HMAC(R i, E K (F )), nd R i is rndom number. TPA keeps L, H(E K (F )), g K, nd cn discrd E K (F ) (H is secure hsh function) TPA Checking Dt Integrity 1. Picks ny R i, H i from L Remote Server nd L = L\{(R i, H i )} R i 2. Computes H s =HMAC(R i, E K (F )) H s 3. Checks H? i = Hs Checking Key Integrit 1. Genertes β R Z p 3. Checks (g K ) β =? (W s ) Dt Extrction g β 2. Computes W s = (g β ) K W s D s =E K (F ) Checks hshing of its locl cched copy: H(E K (F ))? = H(D s ). If vlid, sends E K (F ) to the owner Key Extrction Assume tht the owner nd the server gree on shred rndom secret X K+X, g X Checks g K+X =? g K g X. If vlid, sends K + X to the owner Owner gets K = (K + X) X Fig. 5. The protocols by Shh et l. [12, 13].

11 DEMC-PDP & PEMC-PDP 11 hve the bility to verify dt integrity even though he does not possess ny of the file blocks. The schemes proposed in [14] depend on the retrieved records of the query result to verify the integrity of the outsourced dtbse. Blockless verifiction is min concern to minimize the required communiction cost over the network. Ateniese et l. [6] proposed model to overcome some of the limittions of the previous protocols: limited number of udits per file determined by fixed chllenges tht must be specified in dvnce, expensive server computtion by doing the exponentition over the entire file, storge overhed on the verifier side by keeping some metdt to be used lter in the uditing tsk, high communiction complexity, nd lck of support for blockless verifiction. Ateniese et l. [6] proposed PDP model in which the dt owner frgments the file F into blocks {b 1, b 2,..., b m } nd genertes metdt ( tg) for ech block to be used for verifiction. The file is then sent to be stored on remote/cloud server which my be untrusted nd the dt owner my delete the locl copy of the file. The remote server provides proof tht the dt hs not been tmpered with or prtilly deleted by responding to chllenges sent from the verifier. The scheme proposed by Ateniese et l. [6] provides probbilistic gurntee of dt possession, where the verifier checks rndom subset of stored file blocks with ech chllenge (spot checking). PDP Schemes Bsed on Homomorphic Verifible Tgs. Ateniese et l. [6] proposed using Homomorphic Verifible Tgs(HVTs)/Homomorphic Liner Authentictors(HLAs) s the bsic building blocks of their scheme. In short, the HVTs/HLAs re unforgeble verifiction metdt constructed from the file blocks in such wy tht the verifier cn be convinced tht liner combintion of the file blocks is ccurtely computed by verifying only the ggregted tg/uthentictor. In their work, Ateniese et l. [6] differentite between the concept of public verifibility nd privte verifibility. In public verifibility nyone not necessrily the dt owner who knows the owner s public key cn chllenge the remote server nd verify tht the server is still possessing the owner s files. On the other side, privte verifibility llows only the originl owner (or verifier with whom the originl owner shres secret key) to perform the uditing tsk. Ateniese et l. [6] proposed two min PDP schemes: Smpling PDP (S-PDP) nd Efficient PDP (E-PDP) schemes. In fct, there is slight difference between the S-PDP scheme nd the E-PDP model, but the E-PDP model provides weker gurntee of dt possession. The E-PDP scheme only gurntees possession of the sum of file blocks nd not necessrily possession of ech one of the blocks being chllenged. Both protocols proposed in [6] re illustrted in figure 6. Although the models proposed by Ateniese et l. [6] hve ddressed mny drwbcks of the previous protocols, they still hve some limittions: HVTs in [6] re bsed on RSA nd thus re reltively long; the HVT for ech file block is in order of N bits. Therefore, to chieve 80-bit security level, the generted tg should be of size 1024 bits. The time is tkes to generte the tgs is too long [7]. Since there is no indictor for the file identifier in the block tg, mlicious server cn chet by using blocks from different files if the dt owner uses the sme secret keys d nd v for ll his files. Ateniese et l. [6] clculted tht for mlicious server to ttck their E-PDP scheme, it hs to store vlues to be ble to chet with probbility 100% 1. Shchm nd Wters [20] presented simple ttck ginst the E-PDP scheme which enbles mlicious server to chet with probbility 91% requiring no more storge thn n honest server to store the file vlues if the number of the file blocks = 1000 nd the number of chllenged blocks = 101

12 12 Ayd F.Brsoum nd M.Anwr Hsn I. S-PDP scheme Setup N = pq is the RSA modulus (p & q re prime numbers) g is genertor of QR N (QR N is the set of qudrtic residues modulo N) Public key pk = (N, g, e), secret key sk = (d, v), v R Z N, nd ed 1 mod (p 1)(q 1) π is pseudo-rndom permuttion, f is pseudo-rndom function, nd H is hsh function File F = {b 1, b 2,..., b m } Dt owner genertes tg T i for ech block b i : T i = (H(v i) g b i ) d mod N Dt owner sends the dt file F = {b i } nd the tgs {T i } (1 i m) to the remote server Chllenge Response Verifier Remote Server 1. Picks two keys k 1 (key for π), k 2 (key for f), c(# of blocks to be chllenged ), nd g s = g s mod N(s R Z N ) c, k 1, k 2, g s 2. Computes the chllenged block indices: i j = π k1 (j) 1 j c 3. Computes the rndom vlues: j = f k2 (j) 1 j c c 4. Computes T = mod N T, ρ 6. Computes i j = π k1 (j), j = f k2 (j)(1 j c) T 7. Computes τ = c e H(v i j ) j j=1 8. Checks H(τ s mod N)? = ρ T j i j j=1 c j=1 bi j j 5. Computes ρ = H(gs mod N) II. E-PDP scheme The only difference between the E-PDP nd the S-PDP is tht : { j } 1 j c = 1, nd thus Step 4 : T = c T ij mod N j=1 c j=1 b i j Step 5 : ρ = H(gs mod N) T Step 7 : τ = c e H(v i j ) j=1 Fig. 6. The S-PDP nd E-PDP protocols by Ateniese et l. [6].

13 DEMC-PDP & PEMC-PDP 13 Recently, Ateniese et l. [21] showed tht the HLAs cn be constructed from homomorphic identifiction protocols. They provided compiler-like trnsformtion to build HLAs from homomorphic identifiction protocols nd showed how to turn the HLA into PDP scheme. As concrete exmple, they pplied their trnsformtion to vrint of n identifiction protocol proposed by Shoup [22] yielding fctoring-bsed PDP scheme. Comprison. We present comprison between the previous PDP schemes in tble 1. The comprison is bsed on the following: Owner pre-computtion: the opertions performed by the dt owner to process the file before being outsourced to remote server. Verifier storge overhed: the extr storge required to store some metdt on the verifier side to be used lter during the verifiction process. Server storge overhed: the extr storge on the server side required to store some metdt not including the originl file sent from the owner. Server computtion: the opertions performed by the server to provide the dt possession gurntee. Verifier computtion: the opertions performed by the verifier to vlidte the server s response. Communiction cost: bndwidth required during the chllenge response phse. Unbounded chllenges: to indicted whether the scheme llows unlimited number to udit the dt file. Frgmenttion: to indicte whether the file is treted s one chunk or divided into smller blocks. Type of gurntee: to indicte whether the gurntee provided from the remote server is deterministic gurntee which requires to ccess ll file blocks or probbilistic gurntee tht depends on spot checking. Prove dt possession: to indicte whether the scheme proves the possession of the file itself or proves tht the server is storing something t lest s lrge s the originl file. We will use the nottions EXF to indicte the EXponentition of the entire File, DET to indicte deterministic gurntee, nd PRO to indicte probbilistic gurntee. For simplicity, the security prmeter is not included s fctor for the relevnt costs. 3.2 Proof of Retrievbility (POR) A Proof of Retrievbility (POR) scheme is n orthogonl/ complementry pproch to Provble Dt Possession (PDP) system. A POR scheme is chllenge-response protocol which enbles remote server to provide n evidence tht verifier cn retrieve or reconstruct the entire dt file from the responses tht re relibly trnsmitted from the server. The min ide of the POR schemes is to pply ersure code to dt files before outsourcing to llow more errorresiliency. Thus, if it is criticl demnd to detect ny modifiction or deletion of tiny prts of the dt file, then ersure code could be used before outsourcing. The work done by Juels nd Kliski [23] ws from the first ppers to consider forml models for POR schemes. In their model, the dt is first encrypted then disguised blocks (clled sentinels) re embedded into the ciphertext. The sentinels re hidden mong the regulr file blocks in order to detect dt modifiction by the server. In the uditing phse, the verifier requests for rndomly picked sentinels nd checks whether they re corrupted or not. If the server corrupts or deletes prts of the dt, then sentinels would lso be influenced with certin probbility. The min limittion of the scheme in [23] is tht it llows only limited number of chllenges on the

14 14 Ayd F.Brsoum nd M.Anwr Hsn Scheme [8] [9] [10] [11] [12, 13] [6] Owner pre-computtion EXF O(1) O(m) O(m) O(1) O(m) Verifier storge overhed O(1) O(1) O(m) O(1) O(Ñ) - Server storge overhed O(m) Server computtion EXF EXF O(c) O(m) O(1) O(c) Verifier computtion O(1) O(1) O(c) O(1) O(1) O(c) Communiction cost O(1) O(1) O(1) O(1) O(1) O(1) Unbounded chllenges Frgmenttion Type of gurntee DET DET DET/ PRO DET DET PRO Prove dt possession Tble 1. Comprison of PDP schemes for file consisting of m blocks, c is the number of chllenged blocks, nd Ñ is finite number of rndom chllenges. Verifier pre-computtion is O(Ñ) to generte list L of HMACs. [6] cn be esily modified to support deterministic gurntee dt files, which is specified by the number of sentinels embedded into the dt file. This limited number of chllenges is due to the fct tht sentinels nd their position within the file must be reveled to the server t ech chllenge nd the verifier cnnot reuse the reveled sentinels. Schwrtz nd Miller [24] proposed using lgebric signture to verify dt integrity cross multiple servers using error-correcting codes. Through keyed lgebric encoding nd strem cipher encryption, they re ble to detect file corruptions. The min limittion of their proposl is tht the communiction complexity is liner with respect to the queried dt size. Moreover, the security of their proposl is not proven nd remins in question [7]. Shchm nd Wters [20] proposed compct proof of retrievbility model tht enbles the verifier to unboundedly chllenge the server solving the limittion of Juels nd Kliski [23]. The min contribution of Shchm nd Wters [20] is the construction of HLAs tht enble the server to ggregte the tgs of individul file blocks nd to generte single short tg s response to the verifier s chllenge. Shchm nd Wters [20] proposed two HLAs: one is bsed on the Pseudo-Rndom Function (PRF), nd the other is bsed on the BLS signture [18]. Other vrious POR schemes cn be found in the literture (see for exmple [25 28]). 3.3 Dynmic Provble Dt Possession (DPDP) The PDP nd POR schemes focus on sttic or wrehoused dt which is essentil in numerous different pplictions such s librries, rchives, nd stronomicl/medicl/scientific/legl repositories. On the other side, Dynmic Provble Dt Possession (DPDP) schemes investigte the dynmic file opertions such s updte, delete, ppend, nd insert opertions. There re some DPDP constructions in the literture stisfying different system requirements. Ateniese et l. [29] proposed DPDP model bsed on cryptogrphic hsh function nd symmetric key encryption. The min drwbck of their scheme is tht the number of updtes nd chllenges is limited nd fixed in dvnce. Moreover, their model does not support block insertion opertion. Erwy et l. [30] extended the work of Ateniese et l. [29] to support dt dynmics using uthenticted skip list. However, the efficiency of their scheme remins in question. Wng et l. [31] presented DPDP scheme by integrting the compct proof of retrievbility model due to Shchm nd Wters [20] nd Merkle Hsh Tree (MHT). Zhu et l. [32] ddressed the construction of DPDP schemes on hybrid clouds to support sclbility of service nd dt migrtion. A hybrid cloud is

15 DEMC-PDP & PEMC-PDP 15 CC deployment model in which n orgniztion provides nd hndles some internl nd externl resources. For exmple, n orgniztion cn use public cloud service s Amzon EC2 [33] to perform the generl computtion, while the dt files re stored within the orgniztion s locl dt center in privte cloud. Zhu et l. [32] proposed two DPDP schemes: Interctive Provble Dt Possession (IPDP) scheme nd Coopertive Provble Dt Possession (CPDP) scheme. It is importnt to note tht none of the bove pproches (PDP, POR, DPDP) ddress the problem of creting multiple copies of dt file over cloud servers, uditing ll these copies to verify their completeness nd correctness, nd providing strong evidence to the owners tht they re getting wht they re pying for. There re some previous work on mintining the file copies throughout distributed systems to chieve vilbility nd durbility, but none of them gurntee tht multiple copies of the dt file re ctully mintined [34, 35]. 4 System Model nd Design Gols 4.1 System Model In our work we consider model of cloud computing dt storge system consisting of three min components s illustrted in figure 7: (i) dt owner customer or n orgniztion originlly possessing lrge mount of dt to be stored in the cloud; (ii) Cloud Servers (CSs) mnged by CSP which provides pid storge spce on its infrstructure to store owner s files; nd (iii) uthorized users set of owner s clients llowed to use the owner s files nd shre some keying mteril with the dt owner. The uthorized users receive the dt from the cloud servers in n encrypted form, nd using the secret key shred with the owner they get the plin dt. The uthoriztion between the dt owner nd the legl users is out of our scope, nd we ssume tht it is ppropritely done. Through the pper we do not differentite between cloud server nd cloud service provider. Fig. 7. Cloud Computing Dt Storge System Model There re mny pplictions tht cn be envisioned to dopt this model of outsourced dt storge system. For ehelth pplictions, dtbse contining sensitive nd lrge mount of informtion bout ptients medicl history is to be stored on the cloud servers. We cn consider the ehelth orgniztion to be the dt owner nd the physicins to be the uthorized users with pproprite ccess right to the dtbse. Finncil pplictions, scientific pplictions, nd eductionl pplictions contining sensitive informtion bout students trnscripts cn lso be envisioned in similr settings.

16 16 Ayd F.Brsoum nd M.Anwr Hsn 4.2 Design Gols From the extensive literture survey of the previous PDP schemes, we hve explored nd investigted the vrious fetures nd limittions of such schemes. Now, we im t designing efficient nd secure protocols tht overcome the identified limittions in the previous models nd t the sme time to ddress the problem of creting multiple copies of dt files over cloud servers, uditing ll these copies to verify their completeness nd correctness, nd providing strong evidence to the dt owner tht he is getting wht he is ctully pying for. Our design gols cn be summrized in the following points: 1. Designing Efficient Multi-Copy Provble Dt Possession (EMC-PDP) protocols. These protocols should efficiently nd securely provide the owner with strong evidence tht the CSP is in relity possessing ll dt copies tht re greed upon nd these copies re intct. 2. Allowing the uthorized users of the dt owner to semlessly ccess the file copy received from the CSP. 3. Scling down the storge overhed on both the server nd the verifier sides. 4. Minimizing the computtionl complexity on both the server nd the verifier sides. 5. Limiting the bndwidth required by the protocols during the uditing phse. 6. Enbling public verifibility where nyone not necessrily the dt owner who knows the owner s public key cn chllenge the remote servers nd verify tht the CSP is still possessing the owner s files. 7. Supporting blockless verifiction where the verifier hs to hve the bility to verify the dt integrity even though he neither possesses nor retrieves the file blocks from the server. 8. Allowing unbounded number of uditing rther thn imposing fixed limit on the number of interctions between the verifier nd the CSP. 9. Fcilitting stteless verifiction where the verifier is not needed to hold nd upgrde stte between udits. Mintining such stte is unmngeble in cse of physicl dmge of the verifier s mchine or if the uditing tsk is delegted to TPA. 10. Enbling both probbilistic nd deterministic gurntees. In probbilistic gurntee the verifier checks rndom subset of stored file blocks with ech chllenge (spot checking), while the verifier checks ll the stored file blocks in the deterministic gurntee. Remrk 1. We re considering economiclly-motivted CSPs tht my ttempt to use less storge thn required by the contrct through deletion of few copies of the file. The CSPs hve lmost no finncil benefit by deleting only smll portion of copy of the file. As result, in our work we do not encode the dt file before outsourcing. Such encoding, for exmple using ersure codes, is minly to reconstruct the file from limited mount of dmges. In our proposed schemes, multiple copies of the file re generted nd stored on number of servers; hence server s copy cn be reconstructed even from complete loss using duplicted copies on other servers. More importntly, unlike ersure codes, duplicted files enble sclbility vitl issue in the Cloud Computing system. Also, file tht is duplicted nd stored strtegiclly on multiple servers locted t vrious geogrphic loctions cn help reduce ccess time nd communiction cost for users. Remrk 2. In this work we focus on sensitive rchivl nd wrehoused dt, which is essentil in numerous different pplictions such s digitl librries nd stronomicl/medicl/scientific/legl repositories. Such dt re subject to infrequent chnge, so we tret them s sttic. Since we re deling with sensitive dt like ptients medicl history or finncil dt, this dt must be encrypted before outsourcing to cloud servers. In our schemes we utilize the BLS uthentictors [20] to build public verifible model.

17 DEMC-PDP & PEMC-PDP 17 5 Multi-Copy Provble Dt Possession (MC-PDP) schemes Suppose tht CSP offers to store n copies of n owner s file on n different servers to prevent simultneous filure of ll copies nd to chieve the vilbility spect in exchnge for prespecified fees metered in GB/month. Thus, the dt owner needs strong evidence to ensure tht the CSP is ctully storing no less thn n copies, ll these copies re complete nd correct, nd the owner is not pying for service tht he does not get. A nïve solution to this problem is to use ny of the previous PDP schemes to seprtely chllenge nd verify the integrity of ech copy on ech server. This is certinly not workble solution; cloud servers cn conspire to convince the dt owner tht they store n copies of the file while indeed they only store one copy. Whenever request for PDP scheme execution is mde to one of the n severs, it is forwrded to the server which is ctully storing the single copy. The CSP cn use nother trick to prove dt vilbility by generting the file copies upon verifier s chllenge; however, there is no evidence tht the ctul copies re stored ll the time. The min core of this cheting is tht the n copies re identicl mking it trivil for the servers to deceive the owner. Therefore, one step towrds the solution is to leve the control of the file copying opertion in the owner s hnd to crete unique distinguishble/differentible copies. Before presenting our min protocols, we strt with wrmup scheme Bsic Multi-Copy Provble Dt Possession (BMC-PDP) scheme which leds to severe computtionl, communiction, nd mngement overhed. We then present the Multiple-Replic Provble Dt Possession (MR-PDP) scheme due to Curtmol et l. [15]. To the best of our knowledge, this is the only scheme in the literture tht ddressed the uditing tsk of multiple copies of dt file. Through extensive nlysis, we will elborte the vrious fetures nd limittions of the MR-PDP model especilly from the uthorized users side. Curtmol et l. [15] did not consider how the uthorized users of the dt owner cn ccess the file copies from the cloud servers noting tht the internl opertions of the CSP re opque. Moreover, we will demonstrte the efficiency of our protocols from the storge, computtion, nd communiction spects. We believe tht the investigtion of both BMC-PDP nd MR-PDP models will led us to our min schemes. 5.1 Bsic Multi-Copy Provble Dt Possession (BMC-PDP) scheme As explined previously, the cloud servers cn conspire to convince the dt owner tht they store n copies of the file while indeed they store fewer thn n copies, nd this is due to the fct tht the n copies re identicl. Thus, the BMC-PDP scheme tries to solve the problem by leving the control of the file copying opertion in the owner s hnd to generte unique distinguishble/differentible copies of the dt file. To this end, the dt owner cretes n distinct copies by encrypting the file under n different keys keeping these keys secret from the CSP. Hence, the cloud servers could not conspire by using one copy to nswer the chllenges for nother. This nturl solution enbles the verifier to seprtely chllenge ech copy on ech server using ny of the PDP schemes, nd to ensure tht the CSP is possessing not less thn n copies. Although the BMC-PDP scheme is workble solution, it is imprcticl nd hs the following criticl drwbcks: The computtion nd communiction complexities of the verifiction tsk grow linerly with the number of copies. Essentilly, the BMC-PDP scheme is equivlent to pplying ny PDP schemes to n different files. Key mngement is severe problem with the BMC-PDP scheme. Since the dt file is encrypted under n different keys, the dt owner hs to keep these keys secret from the CSP nd t the sme time to shre these n keys with ech uthorized user. Moreover, when the uthorized user intercts with the CSP to retrieve the dt file, it is not necessrily to receive the sme copy ech time. According to the lod blncing mechnism used by the

18 18 Ayd F.Brsoum nd M.Anwr Hsn CSP to orgnize the work of the servers, the uthorized user s request is directed to the server with the lowest congestion. Consequently, ech copy should contin some indictor bout the key used in the encryption to enble the uthorized users to properly decrypt the received copy. 5.2 Multiple-Replic Provble Dt Possession (MR-PDP) scheme Curtmol et l. [15] proposed Multiple-Replic PDP (MR-PDP) scheme where dt owner cn verify tht severl copies of file re stored by storge service provider. The MR-PDP scheme is n extension to the PDP models proposed by Ateniese et l. [6]. Curtmol et l. [15] proposed creting distinct replics/copies of the dt file by first encrypting the file then msking the encrypted version with some rndomness generted from Pseudo-Rndom Function (PRF). The MR-PDP scheme of creting nd uditing n distinct copies is illustrted in figure 8. Key limittions of the MR-PDP scheme of Curtmol et l. [15] re s follows: Since the MR-PDP scheme is n extension to the PDP models proposed by Ateniese et l. [6], it inherits ll the limittions of these models identified erlier in the literture survey section: long tgs (1024 bits to chieve 80-bit secuirty level), computtion overhed on both the verifier nd server side, bility of CSP to chet by using blocks from different files if the dt owner uses the sme secret key (d, v) for ll his files. A slightly modified version of the criticl key mngement problem of the BMC-PDP scheme is nother concern in the MR-PDP scheme. The uthorized users hve to know which copy hs been specificlly retrieved from the CSP to properly unmsk it before decryption. Due to the opqueness nture of the internl opertions of the CSP, the server on which specific copy is exctly stored is unknown to cloud customers the MR-PDP scheme does not ddress how the uthorized users of the dt owner cn ccess the file copies from the cloud servers. The MR-PDP supports only privte verifibility, where just the dt owner (or verifier with whom the originl owner shres secret key) cn do the uditing tsk. Essentilly, the MR-PDP is n extension to the E-PDP version proposed by Ateniese et l. [6], nd thus it only proves possession of the sum of the chllenged blocks not the blocks themselves. Moreover, the CSP cn corrupt the dt blocks nd the summtion is still vlid. For the CSP to prove possession of the blocks, it should multiply ech of the chllenged blocks with rndom vlue. 6 The Proposed Efficient Multi-Copy Provble Dt Possession (EMC-PDP) schemes To chieve the design gols outlined in section 4.2, we propose Efficient Multi-Copy Provble Dt Possession (EMC-PDP) schemes utilizing the BLS Homomorphic Liner Authentictors (HLAs)[20]. In short, the HLAs enble dt owner to fingerprint ech block b i of file F in such wy tht for ny chllenge vector C = {c 1, c 2,..., c r } the server cn homomorphiclly construct tg uthenticting the vlue r i=1 c i b i. The direct doption of the HLAs proposed in [20] is not suitble nd leds to two min ttcks. The first ttck rises when the dt owner delegtes the uditing tsk to TPA: by collecting enough number of liner combintions of the sme blocks, the TPA cn obtin the dt blocks by solving system of liner equtions breking the privcy of the owner s dt. This ttck cn be prevented by encrypting the dt file before outsourcing to the CSP, nd thus the TPA cnnot get ny informtion bout the collected blocks. The second ttck rises if the file identifier is not included in the block tg nd

19 DEMC-PDP & PEMC-PDP 19 Setup N = pq is the RSA modulus (p & q re prime numbers) g is genertor of QR N (QR N is the set of qudrtic residues modulo N) Public key pk = (N, g, e), secret key sk = (d, v, x), v, x R Z N, nd ed 1 mod (p 1)(q 1) π is pseudo-rndom permuttion, f x is pseudo-rndom function keyed with the secret key x, nd H is hsh function File F = {b 1, b 2,..., b m } E K is n encryption lgorithm under key K Dt Owner Obtins n encrypted file F by encrypting the originl file F using the encryption key K: F = { b 1, b 2,... b m }, where b j = E K (b j ), 1 j m. Uses the encrypted version of the file F to crete set of tgs {T j } 1 j m for ll copies to be used in the verifiction process: T j = (H(v j) g b j ) d mod N Genertes n distinct replics { F i } 1 i n, F i = {ˆb i,1, ˆb i,2,..., ˆb i,m }, using rndom msking s follows. for i = 1 to n do for j = 1 to m do 1. Computes rndom vlue r i,j = f x (i j) 2. Computes the replic s block ˆb i,j = b j + r i,j (dded s lrge integers in Z) Dt owner sends the specific replic F i to specific server S i, 1 i n Checking possession of replic F z To check the possession of the replic F z = {ˆb z,1, ˆb z,2,... ˆb z,m }, the owner chllenges the specific server S z s follows: Owner Remote Server S z 1. Picks key k for the π function, c(# of blocks to be chllenged), nd g s = g s mod N (s R Z N ) c, k, g s 2. Computes the chllenged block indices: j u = π k (u) 1 u c c 3. Computes T = mod N 4. Computes ρ = g c u=1 ˆb z,j u s T, ρ 5. Computes j u = π k (u) 1 u c T 6. Checks ( c e g r chl ) s =? ρ, H(v j u ) u=1 where r chl = c u=1 r z,ju is the sum of the rndom vlues used to obtin the blocks in the replic F z Fig. 8. The MR-PDP protocol by Curtmol et l. [15]. u=1 T ju mod N

20 20 Ayd F.Brsoum nd M.Anwr Hsn the sme owner s secret key is used with ll the owner s files. This llows the CSP to chet by using blocks from different files during verifiction. Since the min core to design multi-copy provble dt possession model is to generte unique distinguishble/differentible copies of the dt file, we use simple yet efficient wy to generte these distinct copies. In our EMC-PDP models we resort to the diffusion property of ny secure encryption scheme. Diffusion mens tht the output bits of the ciphertext should depend on the input bits of the plintext in very complex wy. In n encryption scheme with strong diffusion property, if there is chnge in one single bit of the plintext, then the ciphertext should completely chnge in n unpredictble wy [36]. Our methodology of generting distinct copies is not only efficient, but lso successful in solving the uthorized users problem of the MR- PDP scheme [15] to ccess the file copy received from the CSP. In our schemes, the uthorized users need only to keep single secret key shred with the dt owner to decrypt the file copy; it is not necessrily to recognize the specific server from which the copy is received. In our work, the dt owner hs file F nd the CSP offers to store n copies, {F 1, F 2,..., F n }, of the owner s file in exchnge for pre-specified fees metered in GB/month. We provide two versions of our EMC-PDP scheme: Deterministic EMC-PDP (DEMC-PDP) nd Probbilistic EMC-PDP (PEMC-PDP). In the DEMC-PDP version, the CSP hs to ccess ll the blocks of the dt file, while in the PEMC-PDP we depend on spot checking by vlidting rndom subset of the file blocks. It is trde-off between the performnce of the system nd the strength of the gurntee provided by the CSP. 6.1 Preliminries nd Nottions F is dt file to be outsourced, it is composed of sequence of m blocks, i.e., F = {b 1, b 2,..., b m }, where ech block b i Z p for some lrge prime p. π key ( ) is Pseudo-Rndom Permuttion(PRP): key {0, 1} log(m) {0, 1} log(m) ψ key ( ) is Pseudo-Rndom Function (PRF): key {0, 1} Z p Biliner Mp/Piring. The biliner mp is one of the essentil building blocks of our proposed schemes. Let G 1, G 2, nd G T be cyclic groups of prime order p. Let g 1 nd g 2 be genertors of G 1 nd G 2, respectively. A biliner piring is mp ê : G 1 G 2 G T with the following properties [37]: 1. Biliner: ê(u 1 u 2, v 1 ) = ê(u 1, v 1 ) ê(u 2, v 1 ), ê(u 1, v 1 v 2 ) = ê(u 1, v 1 ) ê(u 1, v 2 ) u 1, u 2 G 1 nd v 1, v 2 G 2 2. Non-degenerte: ê(g 1, g 2 ) 1 3. Computble: there exists n efficient lgorithm for computing ê 4. ê(u, v b ) = ê(u, v) b u G 1, v G 2, nd, b Z p H( ) is mp-to-point hsh function : {0, 1} G 1 E K is n encryption lgorithm with strong diffusion property, e.g., AES 6.2 Deterministic EMC-PDP (DEMC-PDP) scheme The DEMC-PDP consists of five polynomil time lgorithms: KeyGen, CopyGen, TgGen, Proof, nd Verify. (pk, sk) KeyGen(). This lgorithm is run by the dt owner to generte public key pk nd privte key sk. F = {F i } 1 i n CopyGen(CN i, F ) 1 i n. This lgorithm is run by the dt owner. It tkes s input copy number CN i nd file F nd genertes unique differentible copies F = {F i } 1 i n, where ech copy F i is n ordered collection of blocks {b ij } 1 i n. 1 j m