Research Article Efficient Pairing-Free Privacy-Preserving Auditing Scheme for Cloud Storage in Distributed Sensor Networks

Internationa Journa of Distributed Sensor Networks Voume 2015, Artice ID 593759, 10 pages http://dx.doi.org/10.1155/2015/593759 Research Artice Efficient Pairing-Free Privacy-Preserving Auditing Scheme for Coud Storage in Distributed Sensor Networks Xinpeng Zhang, Chunxiang Xu, and Xiaojun Zhang Schoo of Computer Science and Engineering, University of Eectronic Science and Technoogy of China, Chengdu 611731, China Correspondence shoud be addressed to Xinpeng Zhang; carriage1029@163.com Received 21 November 2014; Accepted 19 January 2015 Academic Editor: u-an Tang Copyright 2015 Xinpeng Zhang et a. This is an open access artice distributed under the Creative Commons Attribution icense, which permits unrestricted use, distribution, and reproduction in any medium, provided the origina work is propery cited. With the rapid growth of the distributed sensor networks, the distributed sensor network data security probems begin to attract the attention of peope. The previous research of distributed sensor network security has focused on secure information in communication; however the research of secure data storage has been overooked. As we know, coud data storage and retrieva have become popuar for efficient data management in distributed sensor networks; thus they can enjoy the on-demand high-quaity coud storage service. Meanwhie, it aso introduces new security chaenges. To tacke with these security chaenges, many cassic auditing schemes of coud storage have been proposed. However, these schemes a need very expensive pairing computation, which is not suitabe for sensor networks. In this paper, we propose an efficient pairing-free auditing scheme for data storage of distributed sensor networks. We expoit homomorphic message authentication codes (MACs) to reduce the space used to store the verification information. We aso empoy the random masking technique to make sure the TPA cannot recover the primitive data bocks of the sensor networks data manager. Experimenta resuts show that our auditing scheme is more ight-weight than previous auditing schemes and more practica in appied distributed sensor networks environments. 1. Introduction Nowadays, distributed sensor networks have been rapidy appied in many practica environments in our socia ife [1, 2]. With distributed sensor networks being appied widey, the sensor network data managers often need to coect massivedataandchoosetobestoredinthecoudserver,whiethe security and privacy of sensor networks storage data become increasingy important [3, 4]. Asweknow, coudcomputing is an aternative to conventiona computing mode since it can provide a fexibe, resiient, and cost-effective infrastructure [5]. So it is suitabe option to store the massive sensor network data on coud server [6]. Whie coud storage is an important service of coud computing, which aows coud users to move data from their oca computing systems to the coud, by data outsourcing, the coud users can be reieved from the burden of oca data storage and maintenance. Thus the coud servers can concentrate on their core business issues and operate other business appications through the Internet, rather than incurring substantia hardware, software, and personne costs invoved in depoying and maintaining appications in-house. Athough the coud storage service makes these advantages more appeaing than ever before, it aso introduces new security chaenges towards user s outsourced data [7 9]. Firsty, the coud users woud worry their data coud be misused or accessed by unauthorized users. Many researches have been done on this security issue of data hosting [10 12].Secondy,thecouduserswoudworrytheirdatacoud be ost in the coud. This is because data oss coud happen in any infrastructure, no matter what high degree of reiabe measures the coud service providers woud take [13, 14]. Sometimes, the coud service providers may be dishonest and they may discard the data which have not been accessed or rarey accessed to save the storage space or keep fewer repicas than promised. Moreover, the coud service providers may choose to hide data oss and caim that the data are sti correcty stored in the coud. Consequenty, the coud users need to be convinced that their data are correcty stored in the coud. As the coud users no onger physicay possess the storage of their data, traditiona cryptographic primitives for the purpose of data security protection can not be

2 Internationa Journa of Distributed Sensor Networks directy adopted. Thus how to efficienty verify the integrity of outsourced coud data without the oca copy of data fies becomes a big chaenge for data storage security in coud computing. Checking on retrieva is a common method for checking the data integrity, which means coud users check the data integrity when accessing their data. This method has been used in peer-to-peer storage systems [15], network fie systems [16, 17], web-service object stores [18], and database systems [19]. However, checking on retrieva is not sufficient to check the integrity for a the data stored in the coud. There is usuay a arge amount of data stored in the coud; the abiity to audit the correctness of the data in a coud environment can be formidabe and expensive for the coud users [20, 21]. Therefore, in order to save the communication resources as we as the onine burden potentiay brought by the periodic storage correctness verification, coud users can deegate a third party (TPA) to perform security auditing tasksasitisnoteconomicayfeasibeforthemtohandeit bythemseves.meanwhie,thecoudusersasohopetokeep their data private from the TPA and the coud server. 1.1. Reated Work. Unti now, a number of auditing schemes have been proposed in the context of ensuring remotey stored data integrity without the knowedge of the entire data with different requirements [20, 22 24]. However, these schemes need the expensive pairing computation; it is a burden for the sensor network. And most of these schemes [20, 22, 24] do not consider the privacy protection of user s data. Indeed, the user s data may be reveaed to some curious adversaries. This shortcoming wi greaty affect the security of these schemes in coud computing. In the view of protecting the data privacy, the users can rey on the TPA forthestoragesecurityoftheirdata,andtheyasodonot want this auditing process to introduce new vunerabiities of unauthorized information eakage toward their data security [25]. The unauthorized data eakage sti remains possibe due to the potentia exposure of decryption keys. In 2013, Wang et a. s [26] has presented a privacy-preserving pubic auditing scheme for coud storage; it resorts to the homomorphic authenticator technique and random masking technique to achieve privacy-preserving pubic auditing and utiizes the technique of biinear aggregate signature to reaize batch auditing. However it aso acquires very expensive pairing computation, which is time-consuming. Therefore, how to design an efficient privacy-preserving auditing scheme for coud storage in distributed sensor networks, especiay without needing the expensive pairing computation, is the important work we are going to do in this paper. 1.2. Our Contribution. Motivated by the above, in this paper, we propose an efficient pairing-free privacy-preserving auditing scheme for coud storage in distributed sensor networks. In particuar, we utiize the modified Schnorr signature to construct homomorphic authenticator so that the TPA can verify the integrity of the data without retrieving the entire data. Additionay, we expoit homomorphic MACs [27] to reduce the space used to store the verification information. Asanecessarytradeoff,weaowtheTPAtoshareaprivate key pair with the DSN data manager, which we refer to as authorized auditing. Due to the function of the random masking, even if the authorized TPA possesses the private key pair, the TPA cannot recover the primitive data bocks of the DSN data manager. As the individua auditing of these growing auditing tasks can be tedious, we extend our basic scheme to support batch auditing for mutiuser, which can thus enabe the TPA to efficienty perform mutipe auditing tasks in a batch manner simutaneousy. Furthermore, compared with the previous cassic auditing scheme [26], our experimenta resuts show that our auditing scheme is more ight-weight, and this is mainy because our auditing scheme does not need the expensive pairing operations, which can satisfy the requirement of the sensor network. 1.3. Organization. The rest of this paper is organized as foows. We introduce the preiminaries of our work in Section 2. We give the forma pairing-free privacy-preserving auditing scheme for coud storage with distributed sensor networks in Section 3. Wegivetheanaysisoftheproposedauditing scheme in Section 4.Wemakeaperformancecomparisonin Section 5. We make a concusion in Section 6. 2. Preiminaries 2.1. The Coud Data Storage Mode in Sensor Network. We exempify the security needs in data storage with a distributed sensor networks appication scenario. Here, for simpicity, after coecting the data by the sink node, we assume that we assume that a DSN (distributed sensor network) data storage manager processes and transfers sensor networks data to the coud sever. Since DSN data storage manager does not own additiona computing resources, it ony takes advantage of the imited computing capacity of the sink node to finish the secure DSN data storage. For the part of DSN, it can beconsideredasadatastoragemanager,whie,forthepart of the CSP (coud service provider), it can be considered as a specia coud user. In our distributed sensor networks appication scenario, we suppose Pob is a DSN data owner; hisbusinessisthattocoectsensornetworkdatawhichare processedtosuppyvariousservicetocients.sincehedoes nothaveenoughmoneytobuydevicesandhireprofessionas, he wishes to turn to CSP and outsource his data to CSP. However, he wi worry about the foowing questions: (1) he cannot physicay contro the data, and CSP may repudiate that the data are ost, which makes him verify the integrity ofdataatanytime;(2)cspishonestandcurious,pobwants to guarantee his data confidentiaity, and he must assure his storagemodehasthefunctionofprivacy-preserving;(3)pob s main work is responsibe for sensor network, and he needs an efficient audit scheme to compete this task. As iustrated in Figure 1, sensor nodes coect data from the target setting and send them to sink node; Pob is a distributed sensor networks data owner; he can assign a DSN data storage manager to sign and encrypt data, then outsource data and tags to CSP, and deete oca data simutaneousy. If the DSN data storage manager wants to verify data integrity stored in the coud server, he makes a request for TPA; TPA verifies tags after it receives the requests.

Internationa Journa of Distributed Sensor Networks 3 Sink node SigGen Encrypt CSP Chaenge Proof Sensor node Verify request Verify TPA DSN manager Resut Figure 1: DSN data storage in the CSP. If it is true, it generates a chaenge message. After receiving the chaenge message request, CSP suppies the response proof to TPA; TPA verifies the response proof message and returns the verified resut to the DSN data storage manager. Finay, the DSN data storage manager submits the auditing resut to Pob. The sensor network (DSN) data manager can rey on the coud server for coud data storage and maintenance. They may aso dynamicay interact with the coud server to access and update their stored data for various appication purposes. The DSN data manager may resort to the TPA for ensuring the storage security of their outsourced data, whie hoping to keep their data private from the TPA. We consider that a semitrusted coud server exists. Namey, in most of time it behaves propery and does not deviate from the prescribed protoco execution. However, during providing the coud data storage based services, for the benefits the coud server might negect to keep or deiberatey deete rarey accessed data fies which beong to the DSN data manager. Moreover, the coud server may decide to hide the data corruptions caused by server hacks or faiures to maintain reputation. We assume that the TPA, who is in the business of auditing, is reiabe and independent and thus has no incentive to coude with either the coud server or the DSN data manager duringtheauditingprocess.thetpashoudbeabeto efficienty audit the coud data storage without oca copy of data and without bringing in additiona onine burden to the DSN data manager. However, any possibe eakage of DSN manager s outsourced data towards the TPA through the auditing protoco shoud be prohibited. 2.2. Design Goas. To enabe privacy-preserving auditing for coud data storage under the aforementioned mode, our auditing scheme shoud achieve the foowing security and performance guarantee: (i) pubic auditabiity: to aow the TPA to verify the correctness of the coud data on demand without retrievingacopyofthewhoedataorintroducing additiona onine burden to the DSN data manager, (ii) storage correctness: to ensure that there is not a cheating coud server that can pass the auditing from the TPA without indeed storing DSN data manager data intact, (iii) privacy-preserving: to ensure that there exists no way for the TPA to derive DSN data managers data contentfromtheinformationcoectedduringthe auditing process, (iv) batch auditing: to enabe the TPA with secure and efficient auditing capabiity to cope with mutipe auditing deegations from possiby arge number of different DSN data managers simutaneousy, (v) ightweight: to aow the TPA to perform auditing with minimum communication and computation overhead. 2.3. Cryptographic Definition Definition 1. Discrete ogarithm probem states that, given a mutipicative cycic group of order of p and g, d G as input, compute η Z p such that dg η. The Discrete ogarithm assumption hods in G if no poynomia time agorithm has a nonnegigibe probabiity in soving the Discrete ogarithm probem, which means it is computationay infeasibe to sove the Discrete ogarithm probem in G. Now we introduce homomorphic MAC, described in [27].

4 Internationa Journa of Distributed Sensor Networks Tabe 1: The privacy-preserving auditing scheme. TPA (1) Retrieve fie tag, verify its signature, and quit if it faied. (2) Generate a chaenge message cha {(j, ] j )} j J. (6) Generate ρ(ρ 1,...,ρ k ) PRG(sk prg ) Z k q and ρ j PRF(sk prf, id j ) Z q. (7) Compute λ 1 k 1 ρ μ j J ] j ω j Z q, λ 2 k 1 j J ρ ] j f τ (, id j ) Z q,andh(w ),where {1,...,k},andthenverify{μ,r,s,W,{id j } j J } via the verification equation. cha {(j, ] j )} j J {μ,r,s,w,{id j } j I } The coud server (3) Compute r j J r ] jr j j and compute s j J V j s j mod q, μ j J ] jm j, Z p,where {1,...,k}. (4) Choose a random eement η Z q and cacuate W y η. (5) Compute μ(μ 1,...,μ k ),whereμ μ η h(w ) and W(W 1,...,W k ). Definition 2 (Homomorphic MAC). Given a data bock m j (m j,1,...,m j,k ) Z k q, the homomorphic MAC of this data bock can be computed as t j k 1 ρ m j, ω j Z q,where ρ(ρ 1,...,ρ k ) is generated by a pseudorandom generator and a secret key sk prg and ω j is cacuated by a pseudorandom function and a secret key sk prf. We know that, given t 1 and t 2, an intermediate node can compute a vaid MAC of a new date bock m m 1 m 2 by cacuating t t 1 t 2 without knowing the secret key pair (sk prg, sk prf ). 3. Pairing-Free Privacy-Preserving Auditing Scheme for Coud Storage in Distributed Sensor Networks In this section, we propose our privacy-preserving authorized auditing scheme for coud storage in distributed sensor networks, and our scheme does not need pairing computation and thus can reduce much computation cost. The privacypreserving auditing scheme is iustrated in Tabe 1.Here,we need to define a semitrusted TPA, who is ony responsibe for auditing the integrity of data bocks honesty; however, it is curious and may try to revea the DSN managers primitive data bocks based on verification information. Our scheme consists of the foowing four agorithms. They are Setup, SigGen, ProofGen, and Proof Verify, respectivey. Setup. The initia system chooses two arge prime numbers p and q, satisfyingthatq is a prime factor of p 1.Choose an integer g, suchthatg q 1 ; g is a generator of mutipicative cycic group of order q; denote it by G. Data fie M is divided into n bocks, and each data bock is further divided into k eements of Z q. Therefore, M can be presented as M (m 1,m 2,...,m n ) Z n k q ; each m j (m j,1,m j,2,...,m j,k ) Z k q, 1 j n.thesystemsetsa pseudorandom generator PRG : K prg Z k q and a pseudorandom function PRF : K prf I Z q,wherek prg and K prf denotethesetofsecretkeysforprgandprf, respectivey, and I denotes the set of a identities of each databockindatafiem.then,thedsndatamanagerseects x Z q randomy, and x 0 computes y g x. Meanwhie, the DSN data manager aso randomy computes asecretkeypairskp(sk prg, sk prf ),wheresk prg K prg and sk prf K prf. The system sets a ightweight symmetry encryption agorithm f, with its private key being τ. Thesystem aso sets a secure hash function h:g Z q.inparticuar, to generate the data bock tag, the DSN data manager chooses a random signing key pair (spk, ssk). Thus the pubic parameters are pk {G, g, y, spk}, and the private parameters are sk {x,τ,ssk}. SigGen. Givenadatabockm j (m j,1,...,m j,k ),thisdata bock s identifier id j I. Toensuretheintegrityofunique data bock identity, the DSN data manager computes tag j id j SSig ssk (id j ) as the data bock tag for m j.thedsndata manager computes ρ(ρ 1,...,ρ k ) PRG(sk prg ) Z k q and ω j PRF(sk prf, id j ) Z q. Then the DSN data manager cacuates the homomorphic MAC of data bock m j (m j,1,...,m j,k ) as t j k 1 ρ m j, ω j Z q.thedsndata manager begins to compute the signature of t j as foows: (1) choose k j Z q and compute r j g k j and r j r j mod q; (2) s j (r j k j t j x) mod q; (3) output σ j (r j,s j ) as the signature of t j. Denote the set of signatures by Φ{σ j } 1 j n. Meanwhie, to guarantee the confidentiaity of the data fie, the DSN data manager empoys the ightweight symmetry encryption

Internationa Journa of Distributed Sensor Networks 5 agorithm f to encrypt each data bock m j (m j,1,...,m j,k ) as m j (m j,1 f τ (1, id j ),...,m j,k f τ (k, id j )) under the symmetry private key τ.thus,thedatafiem(m 1,...,m n ) is encrypted to be M (m 1,...,m n ).Finay,theDSN data manager sends {M, tag 1 j n,φ}to the coud server and deetes them from oca storage. ProofGen.Inthisphase,foreachdatabockm j, the TPA first retrieves the data bock tag, verifies the signature SSig ssk (id j ) with spk, and aborts if the verification fais. Otherwise, the DSN data manager recovers id j. Now it comes to the important part of the auditing process. To audit the integrity of data fie, a DSN data manager first sends an auditing request to the TPA. After receiving an auditing request, the TPA generates an auditing chaenge message as foows. (1) Randomy choose a c-eement subset J of set {1,...,n} to ocate the c seected data bocks in this auditing task. (2) For each j J, the TPA aso chooses a random vaue ] j. (3) Output an auditing chaenge message cha {(j, ] j )} j J andsendittothecoudserver;thecha message specifies the positions of the data bocks required to be checked. After receiving an auditing chaenge message cha, the coud server generates a response proof of possession of seected data bocks storage correctness as foows. (1) Compute r j J r ] jr j j. (2) Compute s j J ] j s j mod q. (3) Compute μ as the inear combination of samped bocks: μ j J ] jm j, Z q,where {1,...,k}. To bind μ, the coud server chooses a random eement η Z q, and then it cacuates W y η and μ μ η h(w ). Finay, the coud server sends {μ,r,s,w,{id j } j J } to the TPA for auditing, where μ (μ 1,...,μ k ) and W (W 1,...,W k ). ProofVerify. Given an auditing response proof {μ,r,s,w,{id j } j J },anauditingmessagecha {(j, ] j )} j J. The TPA verifies the correctness of this proof as foows. (1) Generate ρ(ρ 1,...,ρ k ) PRG(sk prg ) Z k q and ω j PRF(sk prf, id j ) Z q, j J. (2) Compute λ 1 k 1 ρ μ j J ] j ω j Z q, λ 2 k 1 j J ρ ] j f τ (, id j ) Z q,andh(w ),where {1,...,k}. (3) Verify the response proof by checking whether the verification equation g s ry λ 1 λ 2 k 1 W ρ h(w ) modp hods or not. If the verification equation g s ry λ 1 λ 2 k 1 W ρ h(w ) hods, the DSN data manager can beieve that the integrity of the data fie stored in the coud server is correct, it is not modified by others, and, with the random masking codes W {1 k}, the TPA can never recover the primitive data bocks from the DSN manager s data fie. 4. Anaysis of the Proposed Auditing Scheme In this section, we begin to anayze the proposed auditing scheme, incuding its correctness, unforgeabiity, and privacy-preserving. Considering the scaabiity of the auditing scheme, we aso extend it to support batch auditing. 4.1. Correctness. According to the ProofVerify phase of the auditing scheme, the correctness of the verification equation is eaborated as foows: g s g j J ] js j g j J ] j(r j k jt j x( mod q)) g j J ] jr j k j g j J ] jt j x r ] jr j j y j J ] jt j j J ry j J ( k 1 ρ m j, ω j )] j ry j J k 1 ρ ] j m j, j J ω j ] j ry k 1 ρ j J ] j m j, j J ω j ] j ry k 1 ρ (μ j J ] j f τ (,id j ) η h(w )) j J ] j ω j ry k 1 ρ μ j J ] j ω j y k 1 j J ρ ] j f τ (,id j ) y k 1 ρ η h(w ) ry λ k 1 λ 2 W ρ h(w ) 1. Thus the verification equation g s ry λ 1 λ 2 k 1 hods. W ρ h(w ) 4.2. Unforgeabiity Theorem 3. With the from DSN data manager s data fie M and the corresponding signatures stored in the coud server, a maicious coud server is computationay infeasibe to generate an invaid auditing response proof that can pass the verification equation. Intheproposedauditingscheme,wemakeuseofhomomorphic MACs to compress each data bock to efficienty decrease the amount of storage space needed to store verification information. According to the discussions and proofs in [27], we know that the probabiity for an adversary to break one homomorphic MAC on a data bock is 1/q, whichis negigibe. (1)

6 Internationa Journa of Distributed Sensor Networks Besides generating a forgery of a homomorphic MAC, if the maicious coud server can win Game 1, it can generate an invaid auditing response proof for the chaenged data bocks andenabethisinvaidauditingresponseprooftosuccessfuy pass the verification. Now we describe Game 1 as foows. Game 1. After receiving an auditing message from the DSN data manager, the TPA sends an auditing chaenge message cha {(j, ] j )} j J to the coud server, and the correct auditing response proof shoud be {μ,r,s,w,{id j } j J },where μ (μ 1,...,μ k ), W (W 1,...,W k ).Theresponseproof can pass the verification equation. Now, instead of generating the correct auditing response proof, the maicious coud server generates an invaid auditing proof as {μ,r,s,w,{id j } j J } based on the corrupted data fie M, where μ (μ 1,...,μ k ), μ μ η h(w ),andμ j J ] j m j, Z q.defineδμ μ μ for 1 k,since M M, and thus there is at east one eement of {Δμ } 1 k whichisnonzero.ifthisinvaidresponseproofcanstipass the verification, the maicious coud wins Game 1. Otherwise, it fais. Now we begin to show that if the maicious coud can wintheabovegame1,wecanfindasoutiontothediscrete ogarithm probem. We first assume that the maicious coud wins Game 1. Then, according to the verification equation, we have g s ry λ 1 λ 2 k 1 W ρ h(w ), whereλ 1 k 1 ρ μ j J ] jω j Z q.since{μ,r,s,w,{id j } j J } is the correct auditing response proof, we aso have g s ry λ 1 λ 2 k 1 W ρ h(w ). Then, according to the two verification equations, we earn that y λ 1 y λ 1.Thus y k 1 ρ μ j J ] jω j y k 1 ρ μ j J ] j ω j, y k 1 ρ μ y k 1 ρ μ, y k 1 ρ Δμ k 1 (y ρ ) Δμ 1. Because G is a mutipicative cycic group of order q, for two random eements α, β G, there exists η Z q such that βα η. Without oss of generaity, given α, β G, each y ρ is abe to randomy and correcty be generated by computing y ρ α ξ β γ,whereξ and γ are random vaues in Z q.then we get 1 k 1 k 1 (y ρ ) Δμ (α ξ β γ ) Δμ α k 1 ξ Δμ β k 1 γ Δμ. Obviousy, we can find a soution to the Discrete ogarithm probem. Particuary, given α, β α η G, we can output β α η α k 1 ξ Δμ / k 1 γ Δμ ; thus (2) (3) η k 1 ξ Δμ / k 1 γ Δμ, uness the denominator is zero. However, as we defined in Game 1, there is at east one eement of {Δμ } which is nonzero, and γ is a random eement of Z q. Therefore, the denominator is zero with probabiity of 1/q, which is negigibe. It means that once the maicious coud wins Game 1, we can find a soution to the Discrete ogarithm probem with a nonnegigibe probabiity of 1 1/q, which contradicts to the assumption that Discrete ogarithm probem is computationay infeasibe in G. Moreover, if the maicious coud server tries to forge the aggregate signature, that means the coud server generates an invaid response proof as {μ, r,s,w,{id j } j J },this invaid response proof can sti pass the verification equation g s r y λ 1 λ 2 k 1 W ρ h(w ),andthemaiciouscoud server can succeed. As we know that the correct auditing response proof shoud be {μ,r,s,w,{id} j J },whichcanpass the verification equation g s ry λ 1 λ 2 k 1 W ρ h(w ), according to the two verification equations, we get that g s s r r 1 ; thuswegetss and rr,orwecanfinda soution of the Discrete ogarithm probem between g and d (herewesetdr r 1 ), and these two resuts both contradict to our assumption. Therefore, it is computationay infeasibe for the maicious coud to generate an invaid auditing proof, which can pass the verification equation. 4.3. Privacy-Preserving Theorem 4. Given an auditing response proof message proof {μ, r, s, W, {id j } j J } from the coud server, it is computationay infeasibe for the curious TPA to revea any private data bock from the data fie of the DSN data manager. Proof. Ifthecombinedmessageμ j J ] j m j, Z q, which is a inear combination of eements in data bocks, is directy sent to the TPA, the curious TPA can earn the content of data bocks by soving inear equations after coectingasufficientnumberofinearcombinations.to preserve private data bocks from the TPA, the combined message is computed with random masking as μ μ η h(w ). In order to sti sove inear equations, the TPA must know the vaue of η. However, given y, W y η G, computing η is as hard as soving the Discrete ogarithm probem in G, which is computationay infeasibe. Therefore, given the auditing response proof message, the TPA cannot directy obtain any inear combination of eements in data bocks and cannot further revea any private data bock from the data fie by soving inear equations. 4.4. Support for Batch Auditing. With the usage of privacypreserving auditing scheme in the coud storage, the TPA may receive amount of mutipe auditing requests from different DSNdatamanagersinashorttime.Unfortunatey,aowing the TPA to execute the separate auditing task can be tedious and very inefficient. Therefore, we further extend our scheme to support batch auditing. Batch auditing not ony aows the TPA to execute the mutipe auditing tasks simutaneousy,

Internationa Journa of Distributed Sensor Networks 7 but aso dramaticay decreases the computation cost on the TPA side.this is because aggregating verification equations into one heps save a considerabe amount of auditing time. The detais are described as foows. Setup Phase. The DSN data managers just perform setup independenty. Suppose there are DSN data managers in theauditingsystem,andeachdsndatamanager has a data fie M {m,1,...,m,n } to be outsourced to the coud server, where m,j (m,j,1,...,m,j,k ), j 1,2,...,n.For simpicity, we assume each data fie M has the same number of n data bocks. Particuary, for a DSN data manager, denote his private parameters by (x, ssk, sk prg, sk prf ) and the corresponding pubic parameters by (G,g,y, spk ), where y g x. As it is simiar to the singe DSN data manager case, each DSN data manager has aready randomy chosen a different identity id,j for the data bock m,j and has correcty generated the corresponding data bock tag,j id,j SSig ssk (id,j ). Then each DSN data manager computes ρ (ρ,1,...,ρ,k ) PRG(sk prg ) Z k q and ω,j PRF(sk prf, id,j ) Z q. Then the DSN data manager cacuates the homomorphic MAC of data bock m,j (m,j,1,...,m,j,k ) as t,j k 1 ρ,m,j, ω,j Z q.the DSNdatamanagerbeginstocomputethesignatureoft,j as foows. (1) Choose k,j Z q and compute r,j g k,j and r,j r,j mod q; (2) s,j (r,j k,j t,j x) mod q, (3) output σ,j (r,j,s,j ) as the signature of t,j. Denote the set of signatures by Φ {σ,j } 1 j n. Meanwhie, to guarantee the confidentiaity of the data fie, the DSN data manager empoys the ightweight symmetry encryption agorithm f to encrypt each data bock m,j (m,j,1,...,m,j,k ) as m,j (m,j,1 f τ (1, id,j ),...,m,j,k f τ (k, id,j )) under the symmetry private key τ.thus,the data fie M (m,1,...,m,n ) is encrypted to be M (m,1,...,m,n ). Finay, the DSN data manager sends {M,{tag,j } 1 j n,φ } to the coud server and deetes them from oca storage. Audit Phase. The TPA first retrieves and verifies the data bock tag,j for each DSN data manager for ater auditing. If the verification fais, the TPA aborts. Otherwise, the TPA recovers id j, and sends the auditing chaenge message cha {(j, ] j )} j J to the coud server. Meanwhie, for each DSN data manager, the coud server chooses η, Z q randomy as before and computes W, y η, and μ, j J ] j m,j, η,h(w, );thus,thecoudservercan compute μ (μ,1,...,μ,,...,μ,k ). Then the coud server makes the aggregation as r Π 1 Π j Jr ] jr,j,j and sσ 1 Σ j J] j s,j mod q. Finay, the coud server responses with ({μ } 1,r,s,{W } 1,{id,j } j J,1 ),wherew (W,1,...,W,,...,W,k ). To verify the response, the TPA first does as foows. (1) Generate ρ (ρ,1,...,ρ,k ) PRG(sk prg ) Z k q and ω,j PRF(sk prf, id,j ) Z q, j J. (2) Compute λ,1 k 1 ρ,μ, j J ] j ω,j Z q, λ,2 k 1 j J ρ,] j f τ (, id,j ) Z q,andh(w, ), where 1 kand 1. Then the TPA checks if the foowing verification equation hods: g s r 1 yλ,1 λ,2 ( k 1 W ρ,h(w, ), ). The correctness of the verification equation can be shown as foows: g s g Σ 1 Σ j J] j s,j g j J ] js,j 1 1 1 r g j J ] j(r,j k,jt,j x (mod q)) g j J ] jr,j k,j g j J ] jt,j x r ] jr,j,j 1j J y j J ] jt,j y j J ] j( k 1 ρ,m,j, ω,j ) 1

8 Internationa Journa of Distributed Sensor Networks r r r r y k 1 ρ, j J ] j m,j, j J ] j ω,j 1 y k 1 ρ,(μ, j J ] j f τ (,id,j ) η, h(w, )) j J ] j ω,j 1 y k 1 ρ,μ, j J ] j ω,j k 1 j J ρ,] j f τ (,id,j ) k 1 ρ,η, h(w, ) 1 y λ,1 λ,2 y k 1 ρ,η, h(w, ) 1 r y λ k,1 λ,2 ( W ρ,h(w, ), 1 1 ). (4) Thus the verification equation g s r 1 yλ,1 λ,2 ( k 1 W ρ,h(w, ), ) hods. 5. Performance Comparison In this section, we begin to compare the performance of our privacy-preserving auditing scheme for coud storage with the auditing scheme in [26]. We first focus on discussing the computation cost and the communication cost. Then we evauate the performance comparison between the two schemes in experiments to show our auditing scheme advantages. 5.1. Computation Cost. We first give the computation cost of our pairing-free auditing scheme for coud storage with the auditing scheme in [26]. The main cryptographic operations used in our scheme incude mutipications, additions, and hash operations. For simpicity, we omit the computation cost of the pseudorandom number generator PRG and pseudorandom function PRF because they are much easier to be computed than the three types of operations mentioned above.here,wedenotemut G,Add G,andExp G by mutipication, addition, and moduar exponentiation operation in group G, respectivey; we aso denote Hash G by hash operationintothegroupg,andwedenotepair G1,G 2 by pairing operation. During the auditing process, the TPA first generates some random vaues to construct the auditing message, which ony introduces a sma cost in computation. Then, after receiving the auditing message, the coud server needs to compute a proof {μ,r,s,w,{id j } j J } to the TPA for auditing, where μ (μ 1,...,μ k ) and W(W 1,...,W k ). The computation cost of aproofisabout(kc2ck)mut Zp cmut Zq kcadd Zp (c 1)Add Zq kexp Zp khash Zp, whie the computation cost of a proof in [26]isabout(c 1)Mut G1 (c1)mut Zp cexp G1 Exp GT cadd Zp Hash Zp. To check the correctness of the proof, the TPA verifies it based on verification equation and the computation cost of verifying the auditing proof is (2kc2ck)Mut Zq kmut Zp (k2)exp Zp (ckck 2)Add Zq 2kHash Zq cenc ε, whie the computation cost of verifying the auditing proof in [26]is (c 1)Mut G1 Mut GT (c3)exp G1 2Pair G1,G 2 Hash Zp chash G1. 5.2. Communication Cost. The communication cost of our scheme is mainy introduced by two factors: the auditing message and the auditing proof. For the auditing message cha {(j, ] j )} j J, the auditing proof information generated by the coud server is {μ,r,s,w,{id j } j J },whereμ (μ 1,...,μ k ) and W (W 1,...,W k ); thus the tota communication cost of our auditing scheme is (ck1) q c n (k1) p, whie the tota communication cost of the auditing scheme in [26] isc( p n ) p G 1 G T id, where n is the ength of an index and G T is the ength of an eement of G T. Moreover, the communication overhead of G 1 and G T in [26] is much arger than others; therefore our auditing scheme is more ight-weight than [26] in communication cost. 5.3. Experimenta Resuts. We now compare the coud server computation cost and the TPA auditing computationa cost of our auditing scheme with the work of [26] in experiments. Since the random mask needs one exponentiation operation, one mutipication operation, one hash and one addition operation, so the sum of the extra cost that resuted from the random mask ony needs a constant, Exp GT Mut Zp Hash Zp Add Zp, which has nothing to do with the number of samped bocks c. Whenc is set to be 400 to 600 for high assurance of auditing, the extra cost on the coud server side for privacy-preserving guarantee woud be negigibe against the tota server computation for response generation. Therefore, the main computation cost of the coud server in [26]is(c 1)Mut G1 cmut Zp cexp G1 (c 1)Add Zp in our experiments. However, in our auditing scheme, the extra cost resuting from the random masking is ony a sma constant: k(exp Zp Mut Zp Hash Zq Add Zq ),wherek is much ess than

Internationa Journa of Distributed Sensor Networks 9 The computation cost of coud server (ms) 600 500 400 300 200 100 Auditing time per task (ms) 700 600 500 400 300 200 100 0 200 250 300 350 400 450 500 550 600 Auditing scheme in [26] Our auditing scheme Number of auditing tasks Figure 2: Comparison on the computation cost of coud server. the practica chaenge number of the data bocks. Here we can omit the computation cost k(mut Zp Hash Zq Add Zq ). Therefore, in our experiments we set the main coud server computation cost to be (kc 2c)Mut Zp cmut Zq (kc k)add Zp (c 1)Add Zq kexp Zp. As aso discussed in [26], the extra cost resuting from the random masking is ony a constant: Mut GT 2Exp G1 Hash Zp, which has nothing to do with the number of samped bocks c. As considering the reativey expensive pairing operations, the extra cost for privacy-preserving guarantee woud be aso negigibe against the overa cost of response vaidation. Therefore, here we set the main auditing computation cost of the TPA to be cmut G1 (c1)exp G1 2Pair G1,G 2 chash G1 in our experiments. However, in our auditing scheme, the extra cost resuting from the random masking is k(mut Zp Mut Zq Hash Zq Exp Zp ),wherek is much ess than the practica chaenge number of the data bocks. Since the moduar exponentiation operation is much arger than others, here we can omit the computation cost k(mut Zp Mut Zq Hash Zq ). For consistence, we aso set the main auditing computation cost of the TPA to be (kc2ck)mut Zq (k2)exp Zp (ckck 2)Add Zq khash Zq cenc ε. Our experiments are impemented on a Windows 7 system with an Inte Core 2 i5 CPU running at 2.53 GHz, 2 GB DDR 3 of RAM (1.74 GB avaiabe). A agorithms are impemented by C anguage, and our code uses the MIRAC ibrary version 5.6.1. The eiptic curve we use is a MNT curve, thebasefiedsizeis159bits,andtheembeddingdegreeis 6. The security eve is chosen to be 80 bit, and p q 160. For simpicity, we aso set k 20.Atheresutsof experiments are represented as the average of 30 trias. As described in Figures 2 and 3, the experimenta resuts show that, compared with the auditing scheme in [26], the computationcostofthecoudserverandthetpaauditing 0 200 250 300 350 400 450 500 550 600 Auditing scheme in [26] Our auditing scheme Number of auditing tasks Figure 3: Comparison on the auditing time between our scheme and the scheme in [26]. time of our auditing scheme are much more ight-weight than [26]. More specificay, with the increasing of the number of chaenge data bocks, our auditing scheme is more advantageous than [26] in computation cost. This is mainy because the auditing scheme in [26] needs very expensive pairing computation which is much more time-consuming. 6. Concusions Data outsourcing, one of the fundamenta components of coud computing, centraizes DSN data manager s data to the coud server and enabes the DSN data managers to enjoy high quaity service. However, the DSN data managers do nothavephysicapossessionontheirowndata;henceit is indispensabe to create schemes on how to protect the security of the data, unike the previous auditing schemes [26] which need expensive pairing operations. In this paper, we propose a pairing-free privacy-preserving auditing scheme for data storage security in distributed sensor networks. We empoy the homomorphic inear authenticator and random masking to guarantee that the TPA woud not ony eiminate the burden of the DSN data managers from the tedious and possibe expensive auditing task, but aso aeviate the DSN data managers fear of their outsourced data eakage. We aso utiize homomorphic MACs to effectivey reduce the amount of storage space needed to store verification information. Moreover, we further extend our auditing scheme to support batch auditing for mutipe DSN data managers, where the TPA can perform mutipe auditing tasks simutaneousy. Extensivesecurityandperformancecomparedanaysisshows that the proposed auditing scheme is more ight-weight and more practica in distributed sensor networks environments.

10 Internationa Journa of Distributed Sensor Networks Confict of Interests The authors decare that there is no confict of interests regarding the pubication of this paper. Acknowedgments ThisworkissupportedbytheNationaNaturaScienceFoundation of China (no. 61370203) and the Science and Technoogy on Communication Security aboratory Foundation (Grant no. 9140C110301110C1103). References [1] F.Ye,H.uo,J.Cheng,S.u,and.Zhang, Atwo-tierdata dissemination mode for arge-scae wireess sensor networks, in Proceedings of the 8th ACMe on Mobie Computing and Networking (MOBICOM 02), pp. 148 159, September 2002. [2] G. Wang, G. Cao, T. a Porta, and W. Zhang, Sensor reocation in mobie sensor networks, in Proceedings of the IEEE INFO- COM, pp. 2302 2312, March 2005. [3] E. Myketun, J. Girao, and D. Westhoff, Pubic key based cryptoschemes for data conceament in wireess sensor networks, in Proceedings of the IEEE Internationa Conference on Communications (ICC 06), vo. 5, pp. 2288 2295, Juy 2006. [4]J.Girao,D.Westhoff,E.Myketun,andT.Araki, TinyPEDS: tiny persistent encrypted data storage in asynchronous wireess sensor networks, Ad Hoc Networks, vo. 5, no.7, pp. 1073 1089, 2007. [5] P. Me and T. Grance, The NIST definition of coud computing, Nationa Institute of Standards and Technoogy, vo. 53, no. 6, p. 50, 2009. [6] N. Subramanian, C. Yang, and W. Zhang, Securing distributed data storage and retrieva in sensor networks, Pervasive and Mobie Computing,vo.3,no.6,pp.659 676,2007. [7] J. Kincaid, MediaMax/Theinkup Cose Its Doors, 2009, http://techcrunch.com/2008/07/10/mediamaxtheinkup-cosesits-doors/. [8] Amazon.com, Amazon s3 Avaiabiity Events: Juy 20, 2008, 2008, http://status.aws.amazon.com/s3-20080720.htm. [9] Coud Security Aiance, Top Threats to Coud Computing,2010, http://www.coudsecurityaiance.org. [10] T. Schwarz and E.. Mier, Store, forget, and check: using agebraic signatures to check remotey administered storage, in Proceedingsofthe26thIEEEInternationaConferenceon Distributed Computing Systems (ICDCS 06),Juy2006. [11] S. Yu, C. Wang, K. Ren, and W. ou, Achieving secure, scaabe, and fine-grained data access contro in coud computing, in Proceedings of the 29th IEEE Conference on Information Communications (INFOCOM 10), pp. 534 542, March 2010. [12] M. i, S. Yu, K. Ren, and W. ou, Secure persona heath records in coud computing:patient-centric and fine-grained data access contro in muti-owner settings, in Security an Privacy in Communication Networks, pp. 89 106, Springer, Berin, Germany, 2010. [13] V. Kher and Y. Kim, Securing distributed storage: chaenges, techniques, and systems, in Proceedings of the ACM Workshop on Storage Security and Survivabiity (StorageSS 05), pp.9 25, November 2005. [14] B. Schroeder and G. A. Gibson, Disk faiures in the rea word: what does an MTTF of 1,000,000 hours mean to you? in Proceedings of the 5th USENIX Conference on Fie and Storage Technoogies (FAST 07), pp.1 16,ACM,NewYork,NY,USA, 2007. [15] A. Muthitacharoen, R. Morris, T. M. Gi, and B. Chen, Ivy: a read/write peer to peer fie system, in Proceeding of the 5th Symosium on Operation Systems Design and Impementation (OSDI 02),pp.31 44,ACM,2002. [16] M. Kaahaa, E. Riede, R. Swaminathan, Q. Wang, and K. Fu, Putus: scaabe secure fie sharing on untrusted storage, in Proceedings of the 2nd USENIX Conference on Fie and Storage Technoogies, pp. 29 42, USENIX Association, San Francisco, Caif, USA, 2003. [17] J. i, M. Krohn, D. Mazieres, and D. Shasha, Secure untrusted data repository (sundr), in Proceedings of the 6th Conference on Symposium on Operating Systems Design and Impementation,p. 9, USENIX Association, Berkeey, Caif, USA, 2004. [18] A. R. Yumerefendi and J. S. Chase, Strong accountabiity for network storage, ACM Transactions on Storage, vo. 3, no. 3, artice 11, 2007. [19] U. Maheshwari, R. Vingraek, and W. Shapiro, How to buid a trusted database system on untrusted storage, in Proceedings of the 4th Conference on Symposium on Operating System Design and Impementation (OSDI 00), USENIX Association, San Diego, Caif, USA, 2000. [20] Q. Wang, C. Wang,. i, K. Ren, and W. ou, Enabing pubic verifiabiity and data dynamics for storage security in coud computing, in Proceedings of the 14th European Symposium Research in Computer Security (ESORICS 09), pp.355 370, Saint Mao, France, 2009. [21] Coud Security Aiance, Security guidance for critica areas of focus in coud computing, 2009, http://coudsecurityaiance.org/. [22] G. Ateniese, R. Burns, R. Curtmoa et a., Provabe data possession at untrusted stores, in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 07), pp. 598 609, November 2007. [23] A. Jues, J. Burton, and S. Kaiski, Pors: proofs of retrievabiity for arge fies, in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 07),pp.584 597, Aexandia, Va, USA, October 2007. [24] H. Shacham and B. Waters, Compact proofs of retrievabiity, in Proceedings of the 14th Internationa Conference on the Theory and Appication of Cryptoogy and Information Security (ASIACRYPT 08), Mebourne, Austraia, December 2008, vo. 5350 of ecture Notes in Computer Science,pp.90 107,Springer, 2008. [25]M.A.Shah,M.M.Baker,J.C.Mogu,andR.Swaminathan, Auditing to keep onine storage services honest, in Proceedings of the 11th USENIX Workshop on Hot Topics in Operating Systems (HOTOS 07), pp. 1 6, USENIX Association, Berkeey, Caif, USA, 2007. [26] C. Wang, S. M. Chow, Q. Wang, K. Ren, and W. ou, Privacypreserving pubic auditing for secure coud storage, IEEE Transactions on Computers, vo. 62, no. 2, pp. 362 375, 2013. [27] S. Agrawa and D. Boneh, Homomorphic MACs: MACbased integrity for network coding, in Proceedings of the 7th Internationa Conference on Appied Cryptography and Network Security (ACNS 09), Paris-Rocquencourt, France, June 2009,pp. 292 305, Springer, 2009.

Internationa Journa of Rotating Machinery Engineering Journa of The Scientific Word Journa Internationa Journa of Distributed Sensor Networks Journa of Sensors Journa of Contro Science and Engineering Advances in Civi Engineering Submit your manuscripts at Journa of Journa of Eectrica and Computer Engineering Robotics VSI Design Advances in OptoEectronics Internationa Journa of Navigation and Observation Chemica Engineering Active and Passive Eectronic Components Antennas and Propagation Aerospace Engineering Voume 2010 Internationa Journa of Internationa Journa of Internationa Journa of Modeing & Simuation in Engineering Shock and Vibration Advances in Acoustics and Vibration