CLOUD service providers manage an enterprise-class

Transcription

1 IEEE TRANSACTIONS ON XXXXXX, VOL X, NO X, XXXX 201X 1 Oruta: Privacy-Preserving Pubic Auditing for Shared Data in the Coud Boyang Wang, Baochun Li, Member, IEEE, and Hui Li, Member, IEEE Abstract With coud storage services, it is commonpace for data to be not ony stored in the coud, but aso shared across mutipe users However, pubic auditing for such shared data whie preserving identity privacy remains to be an open chaenge In this paper, we propose the first privacy-preserving mechanism that aows pubic auditing on shared data stored in the coud In particuar, we expoit ring signatures to compute the verification information needed to audit the integrity of shared data With our mechanism, the identity of the signer on each bock in shared data is kept private from a third party auditor (TPA), who is sti abe to pubicy verify the integrity of shared data without retrieving the entire fie Our experimenta resuts demonstrate the effectiveness and efficiency of our proposed mechanism when auditing shared data Index Terms Pubic auditing, privacy-preserving, shared data, coud computing 1 INTRODUCTION CLOUD service providers manage an enterprise-cass infrastructure that offers a scaabe, secure and reiabe environment for users, at a much ower margina cost due to the sharing nature of resources It is routine for users to use coud storage services to share data with others in a team, as data sharing becomes a standard feature in most coud storage offerings, incuding Dropbox and Googe Docs The integrity of data in coud storage, however, is subject to skepticism and scrutiny, as data stored in an untrusted coud can easiy be ost or corrupted, due to hardware faiures and human errors [1] To protect the integrity of coud data, it is best to perform pubic auditing by introducing a third party auditor (TPA), who offers its auditing service with more powerfu computation and communication abiities than reguar users The first provabe data possession (PDP) mechanism [2] to perform pubic auditing is designed to check the correctness of data stored in an untrusted server, without retrieving the entire data Moving a step forward, Wang et a [3] (referred to as WWRL in this paper) is designed to construct a pubic auditing mechanism for coud data, so that during pubic auditing, the content of private data beonging to a persona user is not discosed to the third party auditor We beieve that sharing data among mutipe users is perhaps one of the most engaging features that motivates coud storage A unique probem introduced during the Boyang Wang and Hui Li are with the State Key Laboratory of Integrated Services Networks, Xidian University, Xi an, , China Boyang Wang is aso a visiting PhD student at Department of Eectrica and Computer Engineering, University of Toronto E-mai: {bywang,ihui}@maixidianeducn Baochun Li is with the Department of Eectrica and Computer Engineering, University of Toronto, Toronto, ON, M5S 3G4, Canada E-mai: bi@eecgtorontoedu process of pubic auditing for shared data in the coud is how to preserve identity privacy from the TPA, because the identities of signers on shared data may indicate that a particuar user in the group or a specia bock in shared data is a higher vauabe target than others For exampe, Aice and Bob work together as a group and share a fie in the coud The shared fie is divided into a number of sma bocks, which are independenty signed by users Once a bock in this shared fie is modified by a user, this user needs to sign the new bock using her pubic/private key pair The TPA needs to know the identity of the signer on each bock in this shared fie, so that it is abe to audit the integrity of the whoe fie based on requests from Aice or Bob Auditing Task 1 Auditing Task 2 Auditing Task 3 A A A A A A B A B B A A A A A A A B B B A A A A B A A A B B A a bock signed by Aice 8th 8th 8th B a bock signed by Bob Fig 1 Aice and Bob share a fie in the coud The TPA audits the integrity of shared data with existing mechanisms As shown in Fig 1, after performing severa auditing tasks, some private and sensitive information may revea to the TPA On one hand, most of the bocks in shared fie are signed by Aice, which may indicate that Aice is a important roe in this group, such as a group eader On the other hand, the 8-th bock is frequenty modified by different users It means this bock may contain highvaue data, such as a fina bid in an auction, that Aice TPA

2 2 IEEE TRANSACTIONS ON XXXXXX, VOL X, NO X, XXXX 201X and Bob need to discuss and change it severa times As described in the exampe above, the identities of signers on shared data may indicate which user in the group or bock in shared data is a higher vauabe target than others Such information is confidentia to the group and shoud not be reveaed to any third party However, no existing mechanism in the iterature is abe to perform pubic auditing on shared data in the coud whie sti preserving identity privacy In this paper, we propose Oruta 1, a new privacypreserving pubic auditing mechanism for shared data in an untrusted coud In Oruta, we utiize ring signatures [4], [5] to construct homomorphic authenticators [2], [6], so that the third party auditor is abe to verify the integrity of shared data for a group of users without retrieving the entire data whie the identity of the signer on each bock in shared data is kept private from the TPA In addition, we further extend our mechanism to support batch auditing, which can audit mutipe shared data simutaneousy in a singe auditing task Meanwhie, Oruta continues to use random masking [3] to support data privacy during pubic auditing, and everage index hash tabes [7] to support fuy dynamic operations on shared data A dynamic operation indicates an insert, deete or update operation on a singe bock in shared data A high-eve comparison between Oruta and existing mechanisms in the iterature is shown in Tabe 1 To our best knowedge, this paper represents the first attempt towards designing an effective privacypreserving pubic auditing mechanism for shared data in the coud TABLE 1 Comparison with Existing Mechanisms PDP [2] WWRL [3] Oruta Pubic auditing Yes Yes Yes Data privacy No Yes Yes Identity privacy No No Yes The remainder of this paper is organized as foows In Section 2, we present the system mode and threat mode In Section 3, we introduce cryptographic primitives used in Oruta The detaied design and security anaysis of Oruta are presented in Section 4 and Section 5 In Section 6, we evauates the performance of Oruta Finay, we briefy discuss reated work in Section 7, and concude this paper in Section 8 2 PROBLEM STATEMENT 21 System Mode As iustrated in Fig 2, our work in this paper invoves three parties: the coud server, the third party auditor (TPA) and users There are two types of users in a group: the origina user and a number of group users The origina user and group users are both members 1 Oruta: One Ring to Rue Them A of the group Group members are aowed to access and modify shared data created by the origina user based on access contro poices [8] Shared data and its verification information (ie signatures) are both stored in the coud server The third party auditor is abe to verify the integrity of shared data in the coud server on behaf of group members Users 1 Auditing Request Third Party Auditor (TPA) 4 Auditing Report Shared Data Fow 2 Auditing Message 3 Auditing Proof Coud Server Fig 2 Our system mode incudes the coud server, the third party auditor and users In this paper, we ony consider how to audit the integrity of shared data in the coud with static groups It means the group is pre-defined before shared data is created in the coud and the membership of users in the group is not changed during data sharing The origina user is responsibe for deciding who is abe to share her data before outsourcing data to the coud Another interesting probem is how to audit the integrity of shared data in the coud with dynamic groups a new user can be added into the group and an existing group member can be revoked during data sharing whie sti preserving identity privacy We wi eave this probem to our future work When a user (either the origina user or a group user) wishes to check the integrity of shared data, she first sends an auditing request to the TPA After receiving the auditing request, the TPA generates an auditing message to the coud server, and retrieves an auditing proof of shared data from the coud server Then the TPA verifies the correctness of the auditing proof Finay, the TPA sends an auditing report to the user based on the resut of the verification 22 Threat Mode 221 Integrity Threats Two kinds of threats reated to the integrity of shared data are possibe First, an adversary may try to corrupt the integrity of shared data and prevent users from using data correcty Second, the coud service provider may inadvertenty corrupt (or even remove) data in its storage due to hardware faiures and human errors Making matters worse, in order to avoid jeopardizing its reputation, the coud server provider may be reuctant to inform users about such corruption of data

3 WANG et a: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD Privacy Threats The identity of the signer on each bock in shared data is private and confidentia to the group During the process of auditing, a semi-trusted TPA, who is ony responsibe for auditing the integrity of shared data, may try to revea the identity of the signer on each bock in shared data based on verification information Once the TPA reveas the identity of the signer on each bock, it can easiy distinguish a high-vaue target (a particuar user in the group or a specia bock in shared data) 23 Design Objectives To enabe the TPA efficienty and securey verify shared data for a group of users, Oruta shoud be designed to achieve foowing properties: (1) Pubic Auditing: The third party auditor is abe to pubicy verify the integrity of shared data for a group of users without retrieving the entire data (2) Correctness: The third party auditor is abe to correcty detect whether there is any corrupted bock in shared data (3) Unforgeabiity: Ony a user in the group can generate vaid verification information on shared data (4) Identity Privacy: During auditing, the TPA cannot distinguish the identity of the signer on each bock in shared data 3 PRELIMINARIES In this section, we briefy introduce cryptographic primitives and their corresponding properties that we impement in Oruta 31 Biinear Maps We first introduce a few concepts and properties reated to biinear maps We foow notations from [5], [9]: 1) G 1, G 2 and G T are three mutipicative cycic groups of prime order p; 2) g 1 is a generator of G 1, and g 2 is a generator of G 2 ; 3) ψ is a computabe isomorphism from G 2 to G 1, with ψ(g 2 ) g 1 ; 4) e is a biinear map e: G 1 G 2 G T with the foowing properties: Computabiity: there exists an efficienty computabe agorithm for computing the map e Biinearity: for a u G 1, v G 2 and a,b Z p, e(u a,v b ) e(u,v) ab Non-degeneracy: e(g 1 1 These properties further impy two additiona properties: (1) for any u 1, u 2 G 1 and v G 2, e(u 1 u 2,v) e(u 1,v) e(u 2,v); (2) for any u, v G 2, e(ψ(u),v) e(ψ(v),u) 32 Compexity Assumptions Definition 1: Discrete Logarithm Probem For a Z p, given g,h g a G 1, output a The Discrete Logarithm assumption hods in G 1 if no t-time agorithm has advantage at east ǫ in soving the Discrete Logarithm probem in G 1, which means it is computationa infeasibe to sove the Discrete Logarithm probem in G 1 Definition 2: Computationa Co-Diffie-Heman Probem For a Z p, given g 2,g2 a G 2 and h G 1, compute h a G 1 The co-cdh assumption hods in G 1 and G 2 if no t- time agorithm has advantage at east ǫ in soving the co-cdh probem in G 1 and G 2 When G 1 G 2 and g 1 g 2, the co-cdh probem can be reduced to the standard CDH probem in G 1 The co-cdh assumption is a stronger assumption than the Discrete Logarithm assumption Definition 3: Computationa Diffie-Heman Probem For a,b Z p, given g 1,g1,g a 1 b G 1, compute g1 ab G 1 The CDH assumption hods in G 1 if no t-time agorithm has advantage at east ǫ in soving the CDH probem in G 1 33 Ring Signatures The concept of ring signatures is first proposed by Rivest et a [4] in 2001 With ring signatures, a verifier is convinced that a signature is computed using one of group members private keys, but the verifier is not abe to determine which one This property can be used to preserve the identity of the signer from a verifier The ring signature scheme introduced by Boneh et a [5] (referred to as BGLS in this paper) is constructed on biinear maps We wi extend this ring signature scheme to construct our pubic auditing mechanism 34 Homomorphic Authenticators Homomorphic authenticators (aso caed homomorphic verifiabe tags) are basic toos to construct data auditing mechanisms [2], [3], [6] Besides unforgeabiity (ony a user with a private key can generate vaid signatures), a homomorphic authenticabe signature scheme, which denotes a homomorphic authenticator based on signatures, shoud aso satisfy the foowing properties: Let (pk, sk) denote the signer s pubic/private key pair, σ 1 denote a signature on bock m 1 Z p, σ 2 denote a signature on bock m 2 Z p Bockess verification: Given σ 1 and σ 2, two random vaues α 1, α 2 Z p and a bock m α 1 m 1 +α 2 m 2 Z p, a verifier is abe to check the correctness of bock m without knowing bock m 1 and m 2 Non-maeabiity Given σ 1 and σ 2, two random vauesα 1,α 2 Z p and a bockm α 1 m 1 +α 2 m 2 Z p, a user, who does not have private key sk, is not abe to generate a vaid signature σ on bock m by ineary combining signature σ 1 and σ 2 Bockess verification aows a verifier to audit the correctness of data stored in the coud server with a singe bock, which is a inear combination of a the bocks in data If the combined bock is correct, the verifier

4 4 IEEE TRANSACTIONS ON XXXXXX, VOL X, NO X, XXXX 201X beieves that the bocks in data are a correct In this way, the verifier does not need to downoad a the bocks to check the integrity of data Non-maeabiity indicates that an attacker cannot generate vaid signatures on invaid bocks by ineary combining existing signatures Other cryptographic techniques reated to homomorphic authenticabe signatures incudes aggregate signatures [5], homomorphic signatures [10] and batchverification signatures [11] If a signature scheme is bockess verifiabe and maeabe, it is a homomorphic signature scheme In the construction of data auditing mechanisms, we shoud use homomorphic authenticabe signatures, not homomorphic signatures 4 HOMOMORPHIC AUTHENTICABLE RING SIGNATURES 41 Overview In this section, we introduce a new ring signature scheme, which is suitabe for pubic auditing Then, we wi show how to buid the privacy-preserving pubic auditing mechanism for shared data in the coud based on this new ring signature scheme in the next section As we introduced in previous sections, we intend to utiize ring signatures to hide the identity of the signer on each bock, so that private and sensitive information of the group is not discosed to the TPA However, traditiona ring signatures [4], [5] cannot be directy used into pubic auditing mechanisms, because these ring signature schemes do not support bockess verification Without bockess verification, the TPA has to downoad the whoe data fie to verify the correctness of shared data, which consumes excessive bandwidth and takes ong verification times Therefore, we first construct a new homomorphic authenticabe ring signature (HARS) scheme, which is extended from a cassic ring signature scheme [5], denoted as BGLS The ring signatures generated by HARS is abe not ony to preserve identity privacy but aso to support bockess verification 42 Construction of HARS HARS contains three agorithms: KeyGen, RingSign and RingVerify In KeyGen, each user in the group generates her pubic key and private key In RingSign, a user in the group is abe to sign a bock with her private key and a the group members pubic keys A verifier is aowed to check whether a given bock is signed by a group member in RingVerify Scheme Detais Let G 1, G 2 and G T be mutipicative cycic groups of order p, g 1 and g 2 be generators of G 1 and G 2 respectivey Let e : G 1 G 2 G T be a biinear map, and ψ : G 2 G 1 be a computabe isomorphism with ψ(g 2 ) g 1 There is a pubic map-to-point hash function H 1 : {0,1} G 1 The goba parameters are (e,ψ,p,g 1,G 2,G T,g 1,g 2,H 1 ) The tota number of users in the group is d Let U denote the group that incudes a the d users KeyGen For a user u i in the group U, she randomy picks x i Z p and computes w i g xi 2 G 2 Then, user u i s pubic key is pk i w i and her private key is sk i x i RingSign Given a the d users pubic keys (pk 1,, pk d ) (w 1,,w d ), a bock m Z p, the identifier of this bock id and the private key sk s for some s, user u s randomy chooses a i Z p for a i s, where i [1,d], and et σ i g ai 1 Then, she computes and sets β H 1 (id)g m 1 G 1, (1) ( ) 1/xs β σ s ψ( i s wai i ) G 1 (2) And the ring signature of bock m is σ (σ 1,,σ d ) G d 1 RingVerify Given a the d users pubic keys (pk 1,, pk d ) (w 1,,w d ), a bock m, an identifier id and a ring signature σ (σ 1,,σ d ), a verifier first computes β H 1 (id)g m 1 G 1, and then checks e(β? e(σ i,w i ) (3) If the above equation hods, then the given bock m is signed by one of these d users in the group Otherwise, it is not 43 Security Anaysis of HARS Now, we discuss some important properties of HARS, incuding correctness, unforgeabiity, bockess verification, non-maeabiity and identity privacy Theorem 1: Given any bock and its ring signature, a verifier is abe to correcty check the integrity of this bock under HARS Proof: To prove the correctness of HARS is equivaent of proving Equation (3) is correct Based on properties of biinear maps, the correctness of this equation can be proved as foows: e(σ i,w i ) e(σ s,w s ) e(σ i,w i ) e( ( i s ) 1 xs β ψ( i s wai i ),g xs 2 ) i s i s e(g ai 1,gxi 2 ) β e( ψ( i s gxiai 2 ),g 2) e(g aixi 1 β e( i s g aixi,g 2) e( g aixi 1 1 i s β e( a i s g g ix i aixi 1 1 e(β i s

5 WANG et a: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD 5 Now we prove that HARS is abe to resistance to forgery We foow the security mode and the game defined in BGLS [5] In the game, an adversary is given a the d users pubic key (pk 1,, pk d ) (w 1,,w d ), and is given access to the hash orace and the ringsigning orace The goa of the adversary is to output a vaid ring signature on a pair of bock/identifier (id, m), where this pair of bock/identifier (id,m) has never been presented to the ring-signing orace If the adversary achieves this goa, then it wins the game Theorem 2: Suppose A is a (t,ǫ )-agorithm that can generate a forgery of a ring signature on a group of users of size d Then there exists a (t,ǫ)-agorithm that can sove the co-cdh probem witht 2t +2c G1 (q H +dq s +q s +d)+2c G2 d and ǫ (ǫ /(e+eq s )) 2, where A issues at most q H hash queries and at most q s ring-signing queries,e im qs (1+ 1/q s ) qs, exponentiation and inversion on G 1 take time c G1, and exponentiation and inversion on G 2 take time c G2 Proof: The co-cdh probem can be soved by soving two random instances of the foowing probem: Given g1 ab, g2 a (and g 1, compute g1 b We sha construct an agorithm B that soves this probem This probem is easy if a 0 In what foows, we assume a 0 Initiay, B randomy picks x 2,,x n from Z p and sets x 1 1 Then, it sets pk i w i (g2) a xi Agorithm A is given the pubic keys (pk 1,, pk d ) (w 1,,w d ) Without oss of generaity, we assume A can submit distinct queries, which means for every ring-signing query on a bock m and its identifier id, A has previousy issued a hash query on bock m and identifier id On a hash query, B fips a coin that shows 0 with probabiity p c and 1 otherwise, where p c wi be determined ater Then B randomy picks r Z p, if the coin shows 0, B returns (g1 ab ) r, otherwise it returns ψ(g2) a r Suppose A issues a ring sign query on a bock m and its identifier id By the assumption, a hash query has been issued on this pair of bock/identifier (m,id) If the coin B fipped for this hash query showed 0, then B fais and exits Otherwise B has returned H(id)g1 m ψ(g2) a r for some r In this case, B chooses random a 2,,a d Z p, computes a 1 r (a 2 x a d x d ), and returns the signature σ (g a1 1,,ga d 1 ) Eventuay A outputs a forgery σ (σ 1,,σ d ) on bock m and identifier id Again by the assumption, a hash query has been issued on this pair of bock/identifier (m,id) If the coin fipped by B for this hash query did not show 0 then B fais Otherwise, H(id)g1 m g1 abr for some r chosen by B, and B can output g1 b by computing ( d σxi i ) 1/r Agorithm A cannot distinguish between B s simuation and rea ife If A successfuy forges a ring signature, then B can output g1 b The probabiity that B wi not fai is p qs c (1 p), which is maximized when p c q s /(q s + 1), then the bound of this probabiity is 1/(e (1+q s )), where e im qs (1+1/q s ) qs Agorithm B requires d exponentiations on G 2 in setup, one exponentiations on G 1 for each of A s hash queries, d + 1 exponentiations on G 1 for each of A s signature queries, and d exponentiations on G 1 in the output phase, so the running time of B is the running time of A pus c G1 (q H +dq s +q s +d)+c G2 d Because the co-cdh probem can be soved by soving two random instances of agorithm B Therefore, if A is a (t,ǫ )-agorithm that can generate a forgery of ring signature on a group of users of size d, then there exists a (t, ǫ)-agorithm that can sove the co-cdh probem with t 2t + 2c G1 (q H + dq s + q s + d) + 2c G2 d and ǫ (ǫ /(e+eq s )) 2 Theorem 3: For an adversary, it is computationa infeasibe to forge a ring signature under HARS Proof: As we aready proved in Theorem 2, if an adversary can forge a ring signature, then we can find a (t,ǫ)-agorithm to sove the co-cdh probem in G 1 and G 2, which contradicts to the fact that the co-cdh probem in G 1 and G 2 is hard Therefore, for an adversary, it is computationa infeasibe to forge a ring signature under HARS Then, based on Theorem 1 and 3, we show that HARS is a homomorphic authenticabe ring signature scheme Theorem 4: HARS is a homomorphic authenticabe ring signature scheme Proof: To prove HARS is a homomorphic authenticabe ring signature scheme, we first prove that HARS is abe to support bockess verification, which we defined in Section 3 Then we show HARS is aso non-maeabe Given a the d users pubic keys (pk 1,, pk d ) (w 1,,w d ), two identifiers id 1 and id 2, two ring signaturesσ 1 (σ 1,1,,σ 1,d ) andσ 2 (σ 2,1,,σ 2,d ), and two random vaues y 1, y 2 Z p, a verifier is abe to check the correctness of a combined bock m y 1 m 1 +y 2 m 2 Z p without knowing bock m 1 and m 2 by verifying: e(h 1 (id 1 ) y1 H 1 (id 2 ) y2 g m 1? e(σ y1 1,i σy2 2,i,w i) Based on Theorem 1, the correctness of the above equation can be proved as: e(h 1 (id 1 ) y1 H 1 (id 2 ) y2 g1 m e(h 1 (id 1 ) y1 g y1m1 1 e(h 1 (id 2 ) y2 g y2m2 1 e(β 1 y1 e(β 2 y2 e(σ 1,i,w i ) y1 e(σ 2,i,w i ) y2 e(σ y1 1,i σy2 2,i,w i) If the combined bock m is correct, the verifier aso beieves that bock m 1 and m 2 are both correct Therefore, HARS is abe to support bockess verification Meanwhie, an adversary, who does not have any user s private key, cannot generate a vaid ring signature σ on an invaid bock m by ineary combining σ 1 and σ 2 with y 1 and y 2 Because if an eement σ i in σ is computed as σ i σy1 1,i σy2 2,i, the whoe ring signature σ (σ 1,,σ d ) cannot pass Equation (3) in RingVerify

6 6 IEEE TRANSACTIONS ON XXXXXX, VOL X, NO X, XXXX 201X More specificay, if bock m 1 and m 2 are signed by the same user, for exampe, useru s, thenσ s can be computed as σ s σ y1 1,s σy2 2,s ( β y1 1 βy2 2 i s wy1a1,i 1,i w y2a2,i 2,i ) 1/xs For a i s, σ i σy1 1,i σy2 2,i g(y1a1,i+y2a2,i) 1, where a 1,i and a 2,i are random vaues When ring signature σ (σ 1,,σ d ) is verified with the invaid bock m using Equation (3): e(σ i,w i ) e(β y1 1 βy2 2,g 2) e(β, which means it aways fais to pass the verification Because β y1 1 βy2 2 H(id 1 ) y1 H(id 2 ) y2 g1 m is not equa to β H(id )g1 m If bock m 1 and m 2 are signed by different users, for exampe, user u s and user u t, then σ s and σ t can be presented as ( ) 1/xs σ s g y2a2,s 1, σ t g y1a1,t 1 β y1 1 i s wy1a1,i i ( β y2 2 i t wy2a2,i i ) 1/xt For a i s and i t, σ i σy1 1,i σy2 2,i g(y1a1,i+y2a2,i) 1, where a 1,i and a 2,i are random vaues When ring signature σ (σ 1,,σ d ) is verified with the invaid bock m using Equation (3): e(σ i,w i ) e(β y1 1 βy2 2,g 2) e(β, which means it aways fais to pass the verification Therefore, an adversary cannot output vaid ring signatures on invaid bocks by ineary combining existing signatures, which indicates that HARS is non-maeabe Because HARS is not ony bockess verifiabe and but aso non-maeabe, it is a homomorphic authenticabe signature scheme Now, foowing the theorem in [5], we show that a verifier cannot distinguish the identity of the signer among a group of users under HARS Theorem 5: For any agorithm A, any group U with d users, and a random user u s U, the probabiity Pr[A(σ) u s ] is at most 1/d under HARS, where σ is a ring signature generated with user u s s private key sk s Proof: For any h G 1, and any s, 1 s d, the distribution {g a1 1,,ga d R 1 : a i Zp for i s, a s chosen such that d gai 1 h} is identica to the distribution {g a1 1,,ga d d 1 : gai 1 h} Therefore, given σ (σ 1,,σ d ), the probabiity agorithm A distinguishes σ s, which indicates the identity of the signer, is at most 1/d Detais of the proof about identity privacy can be found in [5] 5 PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD 51 Overview Using HARS and its properties we estabished in the previous section, we now construct Oruta, our privacypreserving pubic auditing mechanism for shared data in the coud With Oruta, the TPA can verify the integrity of shared data for a group of users without retrieving the entire data Meanwhie, the identity of the signer on each bock in shared data is kept private from the TPA during the auditing 52 Reduce Signature Storage Another important issue we shoud consider in the construction of Oruta is the size of storage used for ring signatures According to the generation of ring signatures in HARS, a bock m is an eement of Z p and its ring signature contains d eements of G 1, where G 1 is a cycic group with order p It means a p -bit bock requires a d p -bit ring signature, which forces users to spend a huge amount of space on storing ring signatures It is very frustrating for users, because coud service providers, such as Amazon, wi charge users based on the storage space they used To reduce the storage for ring signatures and sti aow the TPA to audit shared data efficienty, we expoit an aggregated approach from [6] Specificay, we aggregate a bock m j (m j,1,,m j,k ) Z k p in shared data as k ηm j, instead of computing g m 1 in Equation (1), where η 1,,η k are random vaues of G 1 With the aggregation, the ength of a ring signature is ony d/k of the ength of a bock Simiar methods to reduce the storage space of signatures can aso be found in [7] Generay, to obtain a smaer size of a ring signature than the size of a bock, we choose k > d As a trade-off, the communication cost wi be increasing with an increase of k 53 Support Dynamic Operations To enabe each user in the group to easiy modify data in the coud and share the atest version of data with the rest of the group, Oruta shoud aso support dynamic operations on shared data An dynamic operation incudes an insert, deete or update operation on a singe bock However, since the computation of a ring signature incudes an identifier of a bock (as presented in HARS), traditiona methods, which ony use the index of a bock as its identifier, are not suitabe for supporting dynamic operations on shared data The reason is that, when a user modifies a singe bock in shared data by performing an insert or deete operation, the indices of bocks that after the modified bock are a changed (as shown in Figure 3 and 4), and the changes of these indices require users to re-compute the signatures of these bocks, even though the content of these bocks are not modified

7 WANG et a: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD 7 Index Bock 1 m 1 2 m 2 3 m 3 n m n Insert Index Bock 1 m 1 2 m 2 3 m 2 4 m 3 n+1 m n Index Bock V R 1 m 1 δ r 1 2 m 2 2δ r 2 3 m 3 3δ r 3 n m n nδ r n Insert Index Bock V R 1 m 1 δ r 1 2 m 2 3δ/2 r 2 3 m 2 2δ r 2 4 m 3 3δ r 3 n+1 m n nδ r n Fig 3 After inserting bock m 2, a the indices after bock m 2 are changed Fig 5 Insert bock m 2 into shared data using an index hash tabe as identifiers Index Bock 1 m 1 2 m 2 3 m 3 4 m 4 n m n Deete Index Bock 1 m 1 2 m 3 3 m 4 n 1 Fig 4 After deeting bock m 2, a the indices after bock m 1 are changed By utiizing index hash tabes [7], our mechanism can aow a user to efficienty perform a dynamic operation on a singe bock, and avoid this type of re-computation on other bocks Different from [7], in our mechanism, an identifier from the index hash tabe is described as id j {v j,r j }, where v j is the virtua index of bock m j, and r j is a random generated by a coision-resistance hash function H 2 : {0,1} Z q with r j H 2 (m j v j ) Here, q is a much smaer prime than p The coision-resistance of H 2 ensures that each bock has a unique identifier The virtua indices are abe to ensure that a the bocks in shared data are in the right order For exampe, if v i < v j, then bock m i is ahead of bock m j in shared data When shared data is created by the origina user, the initia virtua index of bock m j is computed as v j j δ, where δ is a system parameter decided by the origina user If a new bock m j is inserted, the virtua index of this new bock m j is v j (v j 1 + v j )/2 Ceary, if bock m j and bock m j+1 are both originay created by the origina user, the maxima number of inserted bocks that is aowed between bock m j and bock m j+1 is δ The origina user can estimate and choose a proper vaue of δ based on the origina size of shared data, the number of users in the group, the subject of content in shared data and so on, Generay, we beieve δ 10,000 or 100,000 is good enough for the maxima insert bocks between two bocks, which are originay created by the origina user Exampes of different dynamic operations on shared data with index hash tabes are described in Figure 5 and 6 54 Construction of Oruta Now, we present the detais of our pubic auditing mechanism, Oruta It incudes five agorithms: KeyGen, SigGen, Modify, ProofGen and ProofVerify In Key- Gen, users generate their own pubic/private key pairs m n Index Bock V R 1 m 1 δ r 1 2 m 2 2δ r 2 3 m 3 3δ r 3 4 m 4 4δ r 4 5 m 5 5δ r 5 n m n nδ r n Update Deete Index Bock V R 1 m 1 δ r 1 2 m 2 2δ r 2 3 m 4 4δ r 4 4 m 5 5δ r 5 n 1 m n nδ r n Fig 6 Update bock m 1 and deete bock m 3 in shared data using an index hash tabe as identifiers In SigGen, a user (either the origina user or a group user) is abe to compute ring signatures on bocks in shared data Each user in the group is abe to perform an insert, deete or update operation on a bock, and compute the new ring signature on this new bock in Modify ProofGen is operated by the TPA and the coud server together to generate a proof of possession of shared data In ProofVerify, the TPA verifies the proof and sends an auditing report to the user Note that the group is pre-defined before shared data is created in the coud and the membership of the group is not changed during data sharing Before the origina user outsources shared data to the coud, she decides a the group members, and computes a the initia ring signatures of a the bocks in shared data with her private key and a the group members pubic keys After shared data is stored in the coud, when a group member modifies a bock in shared data, this group member aso needs to compute a new ring signature on the modified bock Scheme Detais Let G 1, G 2 and G T be mutipicative cycic groups of order p, g 1 and g 2 be generators of groups G 1, G 2, respectivey Let e : G 1 G 2 G T be a biinear map, and ψ : G 2 G 1 be a computabe isomorphism with ψ(g 2 ) g 1 There are three hash functions H 1 : {0,1} G 1, H 2 : {0,1} Z q and h : G 1 Z p The goba parameters are (e,ψ,p,q,g 1,G 2,G T,g 1,g 2,H 1,H 2,h) The tota number of users in the group is d Let U denote the group that incudes a the d users Shared datam is divided intonbocks, and each bock m j is further divided into k eements in Z p Therefore,

8 8 IEEE TRANSACTIONS ON XXXXXX, VOL X, NO X, XXXX 201X shared data M can be described as a n k matrix: m 1 m 1,1 m 1,k M Zp n k m n m n,1 m n,k KeyGen For user u i in the group U, she randomy picks x i Z p and computes w i g xi 2 The user u i s pubic key is pk i w i and her private key is sk i x i The origina user aso randomy generates a pubic aggregate key pak (η 1,,η k ), where η are random eements of G 1 SigGen Given a the d group members pubic keys (pk 1,, pk d ) (w 1,,w d ), a bock m j (m j,1,,m j,k ), its identifier id j, a private key sk s for some s, user u s computes the ring signature of this bock as foows: 1) She first aggregates bock m j with the pubic aggregate key pak, and computes β j H 1 (id j ) η m j, G 1 (4) 2) After computing β j, user u s randomy chooses a j,i Z p and sets σ j,i g aj,i 1, for a i s Then she cacuates ( ) 1/xs β j σ j,s ψ( G 1 (5) i s waj,i i ) The ring signature of bock m j is σ j (σ j,1,,σ j,d ) G d 1 Modify A user in the group modifies the j-th bock in shared data by performing one of the foowing three operations: Insert This user inserts a new bock m j into shared data She computes the new identifier of the inserted bock m j as id j {v j,r j } The virtua index v j (v j 1 + v j )/2, and r j H 2(m j v j ) For the rest of bocks, the identifiers of these bocks are not changed (as expained in Figure 5) This user outputs the new ring signature σ j of the inserted bock m j with SigGen, and upoads {m j,id j,σ j } to the coud server The tota number of bocks in shared data increases to n+1 Deete This user deetes bock m j, its identifier id j and ring signature σ j from the coud server The identifiers of other bocks in shared data are remain the same The tota number of bocks in shared data decreases to n 1 Update This user updates the j-th bock in shared data with a new bock m j The virtua index of this bock is remain the same, and r j is computed as r j H 2(m j v j) The new identifier of this updated bock is id j {v j,r j } The identifiers of other bocks in shared data are not changed This user outputs the new ring signature σ j of this new bock with SigGen, and upoads {m j,id j,σ j } to the coud server The tota number of bocks in shared data is sti n ProofGen To audit the integrity of shared data, a user first sends an auditing request to the TPA After receiving an auditing request, the TPA generates an auditing message [2] as foows: 1) The TPA randomy picks a c-eement subset J of set [1,n] to ocate the c seected bocks that wi be checked in this auditing process, where n is tota number of bocks in shared data 2) For j J, the TPA generates a random vaue y j Z q Then, the TPA sends an auditing message {(j,y j )} j J to the coud server (as iustrated in Fig 7) Third Party Auditor {(j,y j )} j J Coud Server Fig 7 The TPA sends an auditing message to the coud server After receiving an auditing message {(j,y j )} j J, the coud server generates a proof of possession of seected bocks with the pubic aggregate key pak More specificay: 1) The coud server chooses a random eement r Z q, and cacuates λ η r G 1, for [1,k] 2) To hide the inear combination of seected bocks using random masking, the coud server computes µ j J y jm j, +r h(λ ) Z p, for [1,k] 3) The coud server aggregates signatures as φ i, for i [1,d] j J σyj j,i After the computation, the coud server sends an auditing proof {λ,µ,φ,{id j } j J } to the TPA, where λ (λ 1,,λ k ), µ (µ 1,,µ k ) and φ (φ 1,,φ d ) (as shown in Fig 8) Third Party Auditor {λ,µ,φ,{id j } j J } Coud Server Fig 8 The coud server sends an auditing proof to the TPA ProofVerify With an auditing proof {λ,µ,φ,{id j } j J }, an auditing message {(j,y j )} j J, pubic aggregate key pak (η 1,,η k ), and a the group members pubic keys (pk 1,, pk d ) (w 1,,w d ), the TPA verifies the correctness of this proof by checking the foowing

9 WANG et a: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD 9 equation:? e( j J H 1 (id j ) yj η µ ( ) e(φ i,w i ) e( λ h(λ ) (6) If the above equation hods, then the TPA beieves that the bocks in shared data are a correct, and sends a positive auditing report to the user Otherwise, it sends a negative one Discussion Based on the properties of biinear maps, we can further improve the efficiency of verification by computingd+2 pairing operations in verification instead of computing d + 3 pairing operations with Equation (6) Specificay, Equation (6) can aso be described as e( j J H 1 (id j ) yj η µ ( λ h(λ ) ) 1? e(φ i,w i ) In the construction of Oruta, we everage random masking [3] to support identity privacy If a user wants to protect the content of private data in the coud, this user can aso encrypt data before outsourcing it into the coud server with encryption techniques, such as attribute-based encryption (ABE) [8], [12] With samping strategies [2], the TPA can detect any corrupted bock in shared data with a high probabiity by ony choosing a subset of a bocks in each auditing task Previous work [2] has aready proved that, if the tota number of bocks in shared data is n 1,000,000 and 1% of a the bocks are ost or removed, the TPA can detect these corrupted bocks with a probabiity greater than 99% by choosing 460 random bocks 55 Security Anaysis of Oruta Now, we discuss security properties of Oruta, incuding its correctness, unforgeabiity, identity privacy and data privacy Theorem 6: During an auditing task, the TPA is abe to correcty audit the integrity of shared data under Oruta Proof: To prove the correctness of Oruta is equivaent of proving Equation (6) is correct Based on properties of biinear maps and Theorem 1, the right-hand side (RHS) (7) of Equation (6) can be expanded as foows: RHS e( σ yj j,i,w i) e( λ h(λ ) j J e(σ yj j,i,w i)) e( η r h(λ ) ( j J j J( e(σ j,i,w i ) yj ) e( η r h(λ ) j J e( j J(H 1 (id j ) e(β j yj e( η r h(λ ) e( j J H 1 (id j ) yj e( j J H 1 (id j ) yj e( j J H 1 (id j ) yj η m j, ) yj e( j J η m j,y j η r h(λ ) η r h(λ ) j J η m j,y j+r h(λ ) η µ Theorem 7: For an untrusted coud, it is computationa infeasibe to generate an invaid auditing proof that can pass the verification under Oruta Proof: As proved in Theorem??, for an untrusted coud, if co-cdh probem in G 1 and G 2 is hard, it is computationa infeasibe to compute a vaid ring signature on an invaid bock under HARS In Oruta, besides generating vaid ring signatures on arbitrary bocks, if the untrusted coud can win Game 1, it can generate an invaid auditing proof for corrupted shared data, and successfuy pass the verification We define Game 1 as foows: Game 1: The TPA sends an auditing message {j,y j } j J to the coud, the correct auditing proof shoud be {λ,µ,φ,{id j } j J }, which can pass the verification with Equation (6) The untrusted coud generates an invaid proof as{λ,µ,φ,{id j } j J }, whereµ (µ 1,,µ k ) Define µ µ µ for 1 k, and at east one eement of { µ } 1 k is nonzero If this invaid proof sti pass the verification, then the untrusted coud wins Otherwise, it fais Now, we prove that, if the untrusted coud can win Game 1, we can find a soution to the Discrete Logarithm probem, which contradicts to the fact We first assume the untrusted coud can win Game 1 Then, according to Equation (6), we have e( j J H 1 (id j ) yj η µ ( e(φ i,w i ))e( λ h(λ )

10 10 IEEE TRANSACTIONS ON XXXXXX, VOL X, NO X, XXXX 201X Because{λ,µ,φ,{id j } j J } is a correct auditing proof, we aso have e( j J H 1 (id j ) yj Then, we can earn that η µ η µ ( η µ, e(φ i,w i ))e( η µ 1 λ h(λ ) For two eements g, h G 1, there exists x Z p that g h x because G 1 is a cycic group Without oss of generaity, given g, h G 1, each η is abe to randomy and correcty generated by computing η g ξ h γ G 1, where ξ and γ are random vaues of Z p Then, we have 1 η µ (g ξ h γ ) µ g k ξ µ h k γ µ Ceary, we can find a soution to the discrete ogarithm probem More specificay, given g, h x G 1, we can compute k ξ µ k γ h g µ g x uness the denominator is zero However, as we defined in Game 1, at east one eement of{ µ } 1 k is nonzero, and γ is random eement of Z p, therefore, the denominator is zero with probabiity of 1/p, which is negigibe It means, if the untrusted coud wins Game 1, we can find a soution to the Discrete Logarithm probem with a probabiity of 1 1/p, which contradicts the fact that the Discrete Logarithm probem is hard in G 1 Therefore, for an untrusted coud, it is computationa infeasibe to win Game 1 and generate an invaid proof, which can pass the verification Now, we show that the TPA is abe to audit the integrity of shared data, but the identity of the signer on each bock in shared data is not discosed to the TPA Theorem 8: During an auditing task, the probabiity for the TPA to distinguish the identities of a the signers on the c seected bocks in shared data is at most 1/d c Proof: With Theorem 5, we have, for any agorithm A, the probabiity to revea the signer on one bock in shared data is 1/d Because the c seected bocks in an auditing task are signed independenty, the tota probabiity that the TPA can distinguish a the signers identities on the c seected bocks in shared data is at most 1/d c Let us reconsider the exampe in Sec 1 With Oruta, the TPA knows each bock in shared data is either signed by Aice or Bob, because it needs both users pubic keys to verify the correctness of shared data However, it cannot distinguish who is the signer on a singe bock (as shown in Fig 9) Therefore, this third party cannot obtain private and sensitive information, such as who signs the most bocks in shared data or which bock is frequenty modified by different group members Auditing Task 1 Auditing Task 2 Auditing Task 3 N N N N N N N N N N N N N N N N N N N N N N N N N N N N N N N 8th 8th 8th a bock signed by a user in the group Fig 9 Aice and Bob share a fie in the coud, and the TPA audit the integrity of shared data with Oruta Foowing a simiar theorem in [3], we show that our scheme is aso abe to support data privacy Theorem 9: Given an auditing proof {λ,µ,φ,{id j } jj }, it is computationa infeasibe for the TPA to revea any private data in shared data under Oruta Proof: If the combined eement j J y jm j,, which is a inear combination of eements in bocks, is directy sent to the TPA, the TPA can earn the content of data by soving inear equations after coecting a sufficient number of inear combinations To preserve private data from the TPA, the combined eement is computed with random masking as µ j J y jm j, +r h(λ ) In order to sti sove inear equations, the TPA must know the vaue of r Z p However, given η G 1 λ η r G 1, computing r is as hard as soving the Discrete Logarithm probem in G 1, which is computationa infeasibe Therefore, give λ and µ, the TPA cannot directy obtain any inear combination of eements in bocks, and cannot further revea any private data in shared data M by soving inear equations 56 Batch Auditing With the usage of pubic auditing in the coud, the TPA may receive amount of auditing requests from different users in a very short time Unfortunatey, aowing the TPA to verify the integrity of shared data for these users in severa separate auditing tasks woud be very inefficient Therefore, with the properties of biinear maps, we further extend Oruta to support batch auditing, which can improve the efficiency of verification on mutipe auditing tasks More concretey, we assume there are B auditing tasks need to be operated, the shared data in a theb auditing tasks are denoted as M 1,,M B and the number of users sharing data M b is described as d b, where 1 b B To efficienty audit these shared data for different users in a singe auditing task, the TPA sends an auditing message as {(j,y j )} j J to the coud server After receiving the auditing message, the coud server generates an auditing proof {λ b,µ b,φ b,{id b,j } j J } for each shared data M b as we presented in ProofGen, where 1 b B, 1 k, TPA

11 WANG et a: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUD 11 1 i d b and λ b, η r b, b, µ b, j J y jm b,j, +r b, h(λ b, ) φ b,i j J σyj b,j,i Here id b,j is described as id b,j {f b,v j,r j }, where f b is the identifier of shared data M b, eg the name of shared data M b Ceary, if two bocks are in the same shared data, these two bocks have the same identifier of shared data As before, when a user modifies a singe bock in shared data M b, the identifiers of other bocks in shared data M b are not changed After the computation, the coud server sends a the B auditing proofs together to the TPA Finay, the TPA verifies the correctness of these B proofs simutaneousy by checking the foowing equation with a the B b1 d b users pubic keys:? B e( H(id b,j ) yj j J b1 b1 η µ b, b, b1 ( B ) d b B e(φ b,i,w b,i ) e( λ h(λ b,) b,, (8) where pk b,i w b,i If the above verification equation hods, then the TPA beieves that the integrity of a the B shared data is correct Otherwise, there is at east one shared data is corrupted Based on the correctness of Equation (6), the correctness of batch auditing can be presented as foows: ) ( B d b e(φ b,i,w b,i ) b1 d b b1 ( d b B e( b1 ( B ) B e(φ b,i,w b,i ) e( B b1 b1 ( e(φ b,i,w b,i )) e( B b1e( H(id b,j ) yj j J B e( H(id b,j ) yj j J b1 λ h(λ b,) b, λ h(λ b,) b, λ h(λ b,) b, η µ b, b, η µ b, b, If a the B auditing requests on B shared data are from the same group, the TPA can further improve the efficiency of batch auditing by verifying? B e( H(id b,j ) yj j J b1 b1 η µ b, b, b1 ( ) B B e( φ b,i,w i ) e( λ h(λ b,) b, (9) Note that batch auditing wi fai if at east one incorrect auditing proof exists in a the B auditing ) proofs To aow most of auditing proofs to sti pass the verification when there is ony a sma number of incorrect auditing proofs, we can utiize binary search [3] during batch auditing More specificay, once the batch auditing of the B auditing proofs fais, the TPA divides the set of a the B auditing proofs into two subsets, which contains B/2 auditing proofs in each subset, and re-checks the correctness of auditing proofs in each subset using batch auditing If the verification resut of one subset is correct, then a the auditing proofs in this subset are a correct Otherwise, this subset is further divided into two sub-subsets, and the TPA rechecks the correctness of auditing proofs in the each sub-subsets with batch auditing unti a the incorrect auditing proofs are found Ceary, when the number of incorrect auditing proofs increases, the efficiency of batch auditing wi be reduced Experimenta resuts in Section 6 shows that, when ess than 12% of auditing proofs among a the B auditing proofs are incorrect, batching auditing is sti more efficient than verifying these auditing proofs one by one 6 PERFORMANCE In this section, we first anaysis the computation and communication costs of Oruta, and then evauate the performance of Oruta in experiments 61 Computation Cost The main cryptographic operations used in Oruta incude mutipications, exponentiations, pairing and hashing operations For simpicity, we omit additions in the foowing discussion, because they are much easier to be computed than the four types of operations mentioned above During auditing, the TPA first generates some random vaues to construct the auditing message, which ony introduces a sma cost in computation Then, after receiving the auditing message, the coud server needs to compute a proof {λ,µ,φ,{id j } j J } The computation cost of cacuating a proof is about (k +dc)exp G1 +dcmu G1 + ckmu Zp + khash Zp, where Exp G1 denotes the cost of computing one exponentiation in G 1, Mu G1 denotes the cost of computing one mutipication in G 1, Mu Zp and Hash Zp respectivey denote the cost of computing one mutipcation and one hashing operation in Z p To check the correctness of the proof {λ,µ,φ,{id j } j J }, the TPA verifies it based on Equation (6) The tota cost of verifying the proof is (2k + c)exp G1 + (2k + c)mu G1 + dmu GT +chash G1 +(d+2)pair G1,G 2 We use Pair G1,G 2 to denote the cost of computing one pairing operation in G 1 and G 2 62 Communication Cost The communication cost of Oruta is mainy introduced by two factors: the auditing message and the auditing proof For each auditing message {j,y j } j J, the

12 12 IEEE TRANSACTIONS ON XXXXXX, VOL X, NO X, XXXX 201X Generation time (ms) k100 k d: the size of the group Fig 10 Impact of d on signature generation time (ms) Auditing time (s) c460 c k: the number of eements per bock Fig 13 Impact of k on auditing time (s), where d 10 Average auditing time (ms) Seperate Auditing Batch Auditing-D Batch Auditing-S B: the number of audting tasks Fig 16 Impact of B on the efficiency of batch auditing, where k 100 and d 10 Generation time (ms) d10 d k: the number of eements per bock Fig 11 Impact of k on signature generation time (ms) Communication cost (KB) c460 c d: the size of the group Fig 14 Impact of d on communication cost (KB), where k 100 Average auditing time (ms) Seperate Auditing Batch Auditing-S A: the number of incorrect proofs Fig 17 Impact of A on the efficiency of batch auditing, where B 128 Auditing time (s) c460 c d: the size of the group Fig 12 Impact of d on auditing time (s), where k 100 Communication cost (KB) c460 c k: the number of eements per bock Fig 15 Impact of k on communication cost (KB), where d 10 Average auditing time (ms) Seperate Auditing Batch Auditing-D A: the number of incorrect proofs Fig 18 Impact of A on the efficiency of batch auditing, where B 128 communication cost is c( q + n ) bits, where q is the ength of an eement of Z q and n is the ength of an index Each auditing {λ,µ,φ,{id j } j J } contains(k+d) eements of G 1, k eements of Z p and c eememts of Z q, therefore the communication cost of one auditing proof is (2k +d) p +c q bits 63 Experimenta Resuts We now evauate the efficiency of Oruta in experiments To impement these compex cryptographic operations that we mentioned before, we utiize the GNU Mutipe Precision Arithmetic (GMP) 2 ibrary and Pairing Based Cryptography (PBC) 3 ibrary A the foowing experiments are based on C and tested on a 226 GHz Linux system over 1, 000 times Because Oruta needs more exponentiations than pairing operations during the process of auditing, the eiptic curve we choose in our experiments is an MNT curve with a base fied size of 159 bits, which has a better performance than other curves on computing exponentiations We choose p 160 bits and q 80 bits We assume the tota number of bocks in shared data is n 1,000,000 and n 20 bits The size of shared data is 2 GB To keep the detection probabiity greater than 99%, we set the number of seected bocks in an auditing task as c 460 [2] If ony 300 bocks are seected, the detection probabiity is greater than 95% We aso assume the size of the group d [2,20] in the foowing experiments Certainy, if a arger group size is used, the tota computation cost wi increase due to the increasing number of exponentiations and pairing operations 631 Performance of Signature Generation According to Section 5, the generation time of a ring signature on a bock is determined by the number of users in the group and the number of eements in each