Cluster Comput DOI 10.1007/s10586-017-0804-9
Achieving public verifiability and data dynamics for cloud data in the standard model Jianhong Zhang1,2 · Hongxin Meng1 · Yong Yu3
Received: 27 September 2016 / Revised: 22 November 2016 / Accepted: 17 February 2017 © Springer Science+Business Media New York 2017
Abstract As an important cloud service, cloud storage can provide flexible data outsourcing services for data users. After the data are outsourced to the cloud, data user no longer physical controls over the stored data. To ensure these data to be kept intact at the cloud servers, many different solutions have been proposed. Whereas most of existing solutions can only deal with static data. To support dynamic data, some schemes solve it by adopting authenticated data structure. To the best of our knowledge, these schemes may exist the following flaws: (1) they bring heavy communication/computation burdens to the auditor; (2) they exist some security attack; (3) they are only proven to be secure in the random orale model; (4) data may be leaked in the auditing. Motivated by the above problems, we propose two novel public auditing schemes by introducing rb23Tree data structure. They can not only achieve public verification, but also support dynamics data updating. Furthermore, our second scheme also supports data privacy. As for the auditor, to reduce its computational cost and communication cost, our scheme migrates the partial auditing metadata from the cloud server to the auditor, it makes that communication overhead between the auditor and cloud server is constant. Finally, we show that our schemes are proven to be secure in the standard model, and evaluate the auditing performance by simulation
B
Yong Yu
[email protected] Jianhong Zhang
[email protected]
1
College of Science, North China University of Technology, Beijing 100144, China
2
Guangxi Key Lab of Multi-source Information Mining & Security, Guilin, China
3
School of Computer Science, Shaanxi Normal University, Xi’an 710062, China
experiment and comparison with Wang et al.’s scheme. The results demonstrate that our schemes outperforms Wang et al.’s scheme in terms of computation costs and communication overhead. Keywords Data integrity checking · Dynamics data · Data privacy · rb23Tree · Standard model
1 Introduction As a promising computing paradigm, cloud computing can centralizes remote server resources on a scalable platform to provide on-demand computing resources and services. Compared with traditional storage, cloud storage has many advantages: less maintenance, ubiquitous network access, location independent resource pooling, usage-based pricing and rapid resource elasticity. Nowadays, it becomes a very popular trend for many individuals and organizations to outsource their data and services to public cloud (e.g. Dropbox [1] and GoogleDrive [2]), since users can enjoy high quality computing resources and economic savings at the same time [3]. Despite many beneficial services provided by the cloud computing, security and privacy of the outsourced data during computation/storage are two primary concerns [4–7] in the cloud since the data owner no longer physical controls over the storage after the data are outsourced to the cloud. Data owners might worry that if the stored data in cloud are corrupted? if the incorrect operations are performed on the stored data due to human errors? if the stored data in cloud are disclosed? What is worse, cloud server might deliberately delete rarely accessed data files which belong to ordinary data owner for saving storage space. Therefore, without the strong guarantee of data integrity and
123
Cluster Comput
security, it is hard for data users to migrate their data and services to cloud servers just for economic saving and services. To effectively achieve remote data integrity checking, many solutions have been proposed to solve this problem. As for design goals, these solutions mainly are divided into two categories: Provable data possession (PDP) model [8] and proof of retrievability (PoR) model [9]. Provable data possession (PDP) was put forward by Ateniese et al., it is able to make a verifier to publicly check data integrity without retrieving the entire data; PoR was proposed by Juels and Kaliski, the model can not only verify the remote data integrity, but also convince data users that their data are able to be retrieved with high probability. The main distinction between POR and PDP is the employment of erasure codes on top of data files. By utilizing erasure codes, POR can realize much better error detection probability than PDP. However, applying erasure codes also makes POR unable to efficiently support dynamic data updates as PDP does. To support the dynamic updating of data, based on PDP model [8], Erway et al. proposed the first dynamic provable data possession (DPDP) scheme in [10] by introducing a rank-based authenticated skip list. And it provides a general approach “dynamic authenticated data structures” to achieve data dynamic. However, their scheme cannot support public auditing. In 2011, Wang et al. proposed a public auditing scheme with supporting data dynamics by introducing Merkle Hash Tree (MHT). However, their scheme incurs heavy computation costs in terms of the the third party auditor (TPA) and large communication overhead during the data updating and the auditing verification processes. Meanwhile, their scheme exists replace attacks. To overcome the above problems, Zhu et al. proposed another public auditing scheme [10] based on an index-hash table, it can effectively reduce both computational costs and communication overhead by storing the index-hash table in the TPA instead of the CSP. However, each data updating needs to send the updating information to TPA, and it is inefficient for dynamic operations, especially insertion operation and deletion operations. In an auditing scheme, the auditor needs to periodically audit the integrity of the outsourced data, communication overhead and computational costs have important influences on auditing efficiency. However, in some public auditing schemes with supporting data dynamics, the auditor’s communication overhead and computational costs are linear with the number of the challenged blocks, periodical auditing will bring the heavy burden to the auditor. Our contribution In view of the above problems, we put forward two novel privacy-preserving public auditing schemes by using a new authenticated data structure called
123
range-based 2–3 tree (rb23Tree). Our contribution in this paper is summarized as follows: 1. Our proposed schemes can achieve dynamic data auditing and public verification, and the second scheme can also achieve data private-preserving. 2. In the auditing verification, the auditor has constant communication overhead and less computational cost. 3. Our proposed schemes are proven to be secure in the standard model, the security of the scheme is related to the CDH problem. 4. We justify evaluate the performance of our scheme through simulation experiments and comparisons with the state-of-the-art Wang et al.’s scheme. The rest of this paper is organized as follows. Section 2 described system model and security requirements; We briefly review some preliminary materials in Sect. 3; Our basic proposal is proposed in Sect. 4, and analyze its security in Sect. 5. The second auditing protocol is given in Sect. 6; After analyzing the performance of the proposed scheme in Sect. 7, We conclude the paper in Sect. 8.
2 System model and security goals In a number of auditing schemes [2,3,8,9,11–29], a tripartite system architecture is adopted. Thus, our protocol also adopts such framework. In this framework, three different entities, data owner, cloud server and the TPA, were involved. The framework is illustrated in Fig. 1. Each entity’s role is identified as follows: – Data user In general, it is a source-restricted entity and has a great quantity of files to be stored in cloud server. – The cloud server it has significant storage space and computation resources to provide data storage service. And it is responsible for maintaining the stored data and can provide the data access to the data user. Nevertheless, it is not fully trusted since it may fail to report these data failures in order to save the reputation of their services. – The third auditor In general, it is an honest third-party. It executes the data integrity checking on behalf of data user periodically since it has expertise and capabilities to provide auditing service. In the following, we discuss the role of each entity in the security model. For TPA, it is regarded as a honest-butcurious entity, that is to say, it can perform honestly the auditing, but might be curious about the stored data. Furthermore, the cloud server is considered as an untrusted entity. It may hide the fact of some data being deleted or corrupted
Cluster Comput Fig. 1 Cloud data storage model
for self-interest. Thus, for a cloud server,it may launch the following attacks to successfully cheat the third party auditor. 1. Forge attack During the auditing procedure, cloud server may forge a proof information P or an authentication tag of a data block to deceive the auditor. 2. Replacing attack If the challenged data blocks were corrupted, to pass the verification, cloud server may replace the corresponding pair of data block and data tag (m j , δ j ) by choosing a valid uncorrupted pair of data block and data tag (m i , δi ). 3. Reply attack To energetically pass the verification, cloud server may produce a proof information P by using the previous proof information or other former information, under the condition of not retrieving the challenged data of data user. To resist the above attacks and construct a secure public auditing protocol, the design goals of our scheme are done as follows: 1. Correctness If the stored data in cloud are not corrupted, then the returned proof information by cloud server must pass the verification of the auditor. 2. Public auditing Besides data user, anyone is allowed to audit the integrity of the stored data in cloud without knowing secret key. 3. Unforgeability An adversary is not able to forge a proof information on corrupted data to cheat the TPA. 4. Data Privacy preserving In the whole auditing procedure, the auditor cannot derive any information of the stored data from the returned proof information. 5. Dynamic data auditing After the stored data in cloud is dynamically updated, public auditing can be efficiently achieved yet. In other words, our auditing protocol supports dynamic data operations.
3 Preliminary In this section, we briefly review the properties of the bilinear pairings. Let G1 , G2 , GT be three cyclic multiplicative groups with the prime order q. Let g1 , g2 be the generator of groups G1 and G2 , respectively. An admissible pairing e : G1 ×G2 −→ GT , which satisfies the following three properties: – Bilinear If u ∈ G1 , v ∈ G2 and a, b ∈ Z q∗ , then e(u a , v b ) = e(u, v)ab ; – Non-degenerate There exists a g1 ∈ G1 , g2 ∈ G2 such that e(g1 , g2 ) = 1; – Computable If u ∈ G1 , v ∈ G2 , one can compute e(u, v) ∈ GT in polynomial time. We note the modified Weil and Tate pairings associated with supersingular elliptic curves are examples of such admissible pairings. Range-base 2–3 Tree For a standard 2–3 tree, all of its leaves are at the same level and all internal nodes has two or three children. It only requires O(logn) expected running time for insert and delete operations since these operations only involve the nodes related to the path from the relevant leaf to the root. Range-based 2-3 trees is a variant of standard 2–3 tree, it can not only authenticate the stored values at the specific leaves, but also authenticate the index positions of the leaves. This nice property motives us to introduce range-based 2–3 tree to investigate data dynamics in public auditing. For a range-based 2-3 tree, its each node includes three types of data (l(v), r (v), s(v), where – l(v) denotes the height of node v, the height of each leaf is defined 1.
123
Cluster Comput Fig. 2 An instance of rb23 tree
– r (v) denotes the range value of node v, namely the number of leaves corresponding to the subtree with root v. When v is the leaf, we define r (v) = 1; when v = N U L L, r (v) = 0 – s(v) denotes the authentication value of node v, the value is defined as follows: ⎧ ⎪ ⎨h(l(v)||r (v)||s(ch 1 )||s(ch 2 )||s(ch 3 ) if l(v) > 1 s(v) = ei v is the ith leaf ⎪ ⎩ 0 v = NU L L
(1) where || is the concatenation operation, ch 1 , ch 2 , ch 3 are the three left-to-right children of the node v (Note that when v has two children, we set ch 3 = null), and h() is a collision-resistant hash function, ei is the hash value of the stored random number in the i-th leaf node, ei = Fk (ri ), ri is a random number. Following notion in [30], let πi be an auxiliary information, it denotes a proof path for locating the i-th leaf by traversing the path starting at the root node. To traversing the path, let min(v) and max(v) denote the minimum and maximum leaf indices that can be reached via node v, respectively. Supposing that πi = {k1 , . . . , kr } is a proof path,where k1 is the i-th leaf node, kr denotes the root node, and each inner node k j ∈ πi is associated with a tuple of the form mar k(k j ) = {l(k j ), r (k j ), r (ch 1 ), s(ch 1 ), r (ch 2 ), s(ch 2 ), r (ch 3 ) , s(ch 3 )}. When k j is a leaf node, r (k j ) in mar k(k j ) is s(k j ), i.e., the authentication value of the leaf node. ch 1 , ch 2 , ch 3 are three left-to-right children of the node k j . For t = 1 to 3, if ch t ∈ πi , r (ch t ) = s(ch t ) = −1, if ch t does not exist, r (ch t ) = s(ch t ) = 0. To demonstrate proof path, we take an example of rb23 tree. It is shown in Fig 2. Let ki j denote a node where i is the height, and j is the index. For each inner node
123
Table 1 Information on proof path of the 4th leaf node l(v) r (v)
r (ch 1 ) s(ch 1 ) r (ch 2 ) s(ch 2 ) r (ch 3 ) s(ch 3 )
v41
4
12
−1
−1
v31
3
8
3
s(v21 ) −1
v22
2
3
−1
−1
1
s(v1,5 ) 1
s(v1,6 )
0
0
0
0
v1,4 1
s(v1,4 ) 0
4
s(v32 ) 0
0
−1
s(v23 )
2 0
v, it stores (l(v), r (v), s(v)). Assume that we need to verify the information of the 4th leaf node, its proof path is χ4 = {v1,4 , v22 , v31 , v41 }. The tuples along the proof path are shown in Table 1. The computational Diffie–Hellman problem (CDH) According to security parameter, a challenger chooses a cyclic group G1 of prime order q. Let a, b ∈ Z q be two unknown numbers and g be a generator of group G1 , given g a , g b ∈ G1 , the adversary must compute g ab . An algorithm B that outputs g ab has the advantage ε in solving CDH problem in group G if |Pr [B(g, g a , g b )] = g ab | ≤ ε The modified generalized bilinear inversion (MGBI) [31] Given T ∈ GT and the generator g ∈ G1 , its goal is to find a point h ∈ G1 such that e(g, h) = T , where e denotes the bilinear pairing map.
4 Our basic public auditing scheme In this section, we use verifiable computation as basic idea to propose a public auditing protocol which can achieve public verification of the outsourced data and support data dynamics. The construction consists of six algorithms: Setup,
Cluster Comput
KeyGen, TagGen, Challenge, Proof and Verifying. The detail execution procedure of our scheme is as follows.
I of the set [1, n] and a random number ς ∈ Z p to produce the following challenging information
4.1 Setup
Chall = {ς, I }
Let λ be a security parameter, pick two multiplicative cyclic groups (G1 , G2 ) of the same prime order p > 2ξ . Let e : G1 ×G1 → G2 be a bilinear map and g ∈ R G1 be a generator of group G1 . Fξ is a pseudo-random function PRF with key ξ . Finally, publish the following system parameters Param = (G1 , G2 , p, e, g, Fξ ) 4.2 KeyGen For a data owner, it randomly chooses a, b ∈ Z p as its private keys and computes the corresponding public key Ya = e(g a , g) and Yb = g b . At the same time, it chooses a secret hash key ξ for PRF Fξ , and a random key pair (sk, pk) for signature. Finally, it secretly keeps his private keys (a, b, sk) and secret key ξ . 4.3 TagGen
and sends it the cloud server. 4.5 Prove Upon receiving the challenging information Chall = {I, ς }, the cloud storage server first computes a l-element set Q = (i, vi ) where i ∈ I, vi = ς i mod p. Then based on the stored data file M = {m 1 , . . . , m n } and authentication tags δi , 1 ≤ i ≤ n, it computes
ρ=
m j · vj
(2)
(δ j )v j
(3)
j∈I
and π=
j∈I
To outsource a data file M, it first splits M into n data blocks, namely, M = m 1 || · · · ||m n , and then introduces a timestamp Tc to set t = Fname||n||Tc ||Sign sk (Fname||n) as file tag,where “Fname||n and Sign sk (Fname||n) denotes the file name and the corresponding signature with private key sk. For j = 1 to n, it computes δ j = g am j Fξ (r j )b for data block m j to produce its authentication tag, where r j is a random number of Z 2|Z p |/2 , in a sense, it is associated with the index of data block m j . Then data owner builds a rb23 tree Tr b where the leave nodes of tree are an ordered set of “index values” e j = r j ||Fξ (r j ), ( j = 1, 2, . . . , n). Next, the data owner produces a signature on the tree root R under its private key sk:Sign sk (R) ← H (R)sk . Finally, the data user uploads (M, t, φ = {δi }1≤i≤n , Sign sk (R)) to the cloud server, and keeps the information (Fname, Sign sk (R), Tr b ) locally.
Finally, the cloud storage server outputs the proof information Pr f = (ρ, π ) the auditor. 4.6 Verifying After obtaining the proof information Pr f , the auditor executes the following process with public keys Ya and Yb . 1. For i ∈ I , based on rb23Tree Tr b , the auditor first retrieves all the corresponding Fξ (ri ), then it computes vi i∈I Fk (ri ) by using multi-exponentiation algorithm. 2. Then, it verifies whether ?
e(π, g) =
Yaρ
·e
vi
Fξ (ri ) , Yb
(4)
i∈I
4.4 Challenge phase When data owner wants to the auditor to execute integrity checking of the data, it sends the Fname, the rb23Tree Tr b and the value of root node R = s(r oot) to the auditor via a secure channel. To audit data integrity of the outsourced data, the auditor first retrieves the information t and Sign sk (R), and verifies whether signatures Sign sk (Fname||n) and Sign sk (R) are valid. If they are not , reject and abort them; otherwise, the auditor parse Fname||n to recover the file name Fname and the number n of data blocks. Subsequently, it randomly chooses a l-element subset
If the above equation holds, then it outputs TRUE; otherwise FALSE. Correctness For a cloud storage server, if it honestly responds to the challenge with Pr f , then it must pass the above verification. Since ⎛ e(π, g) = e ⎝
⎞ (δ j )v j , g ⎠
j∈I
= e (g am i Fξ (ri )b )vi , g
123
Cluster Comput
⎛ = e(g a , g)ρ · e ⎝ ⎛ = Yaρ · e ⎝
⎞ Fξ (ri ))vi , g b ⎠
j∈I
⎞
Fξ (ri ))vi , Yb ⎠
j∈I
Obviously, the scheme is correct if the cloud storage server honestly responds the information Pr f . On the contrary, any of the challenged data block m i or data authentication tag δi is corrupted or modified, the above verification equation will not satisfy, it means that that cloud storage server would not pass the verification. 4.7 Dynamic data operation In the following, we discuss the three dynamic update operations: modification, insertion and deletion for the outsourced data in cloud. In the following descriptions of dynamic operation, we assume that the data file M, the rb23tree root’s signature and authentication tag φ have already been produced and properly stored in cloud. And the rb23tree Tr b is stored at the auditor. Data modification Data modification is the simplest operation in dynamic data operation, and is also one of the most frequently used operations in cloud data storage. Suppose that data owner wants to modify the i-th data block m i to m i . The protocol procedures are described as follows: 1. First, data owner randomly chooses ri ∈ Z p and sends the modified request (M, i, ri ) to the auditor, where i the index of the modified block, and M denotes update operation type. 2. Upon receiving the modified request, the auditor returns the corresponding proof path χi to data owner who will call Algorithm 1.Examine (s(r oot), χi ) to ensure ri stored exactly at the i-th leaf of the rb23tree Tr b , where χi = {v1 , v2 , . . . , vk }. Note that Algorithm1.Examine() is given in appendix. 3. If all verifications have been passed, data owner replaces the value of the i-th leaf of rb23tree Tr b with ri , namely, ei = ri ||Fξ (ri ). Then for j = 1 to k, it updates the range value r (v j ) and authentication value s(v j ). the updated rb23tree is denoted as Trb . 4. Finally, it produces a signature on the updated rb23tree Tr b ’s root as Sign sk (s(r oot )) and sends (Sign(s(r oot )), χi ) to the auditor for data update and rb23tree update. 5. At the same time, data owner produces authentication tag δi = g am i Fk (ri )b on data block m i and sends it to (M, i, δi , Sign sk (s(r oot ))) to the cloud for updating.
123
Data insertion Compared to the above data modification, data insertion does not change the logic structure of data file, it refers to inserting a new data block after some specified positions of the data file M. Suppose that data owner wants to insert block mˆ after the i-th data block m i , the protocol procedures are executed as follows: 1. First, data owner sends the insertion request (I, I2 = {i, i + 1}) to the auditor, where i the index of the inserted data block. 2. Upon receiving the insertion request, the auditor returns the corresponding proof path {χi }i∈I2 , where χi = {v1 , v2 , . . . , vk }. 3. According to the proof path {χ }i∈I2 received from cloud server, data owner can construct a partial rb23Tree, then data owner chooses a random number rˆi ∈ Z p and inserts a new leaf with rˆi after the i-th leaf of Tr b . Meanwhile, it also produces the authentication tag δˆi = g a mˆ Fk (ˆri )b on inserted data block mˆ i . 4. Then, it updates the information on {χ }i∈I2 by himself. Let Trb denote the updated rb23tree. 5. Finally, it produces a signature on the updated rb23tree Tr b ’s root as Sign sk (s(r oot )) and sends (Sign sk (s(r oot )), {χ }i∈I2 ) to the auditor for rb23Tree updating. 6. At the same time, it sends (I, I2 = {i, i + 1}, δi ) to the cloud server for authentication tag updating. Data deletion Data deletion is just the opposite operation of data insertion. Its goal refers to deleting some a specified data block. Suppose that data owner wants to delete the i-th data block m i , the protocol procedures are executed as follows: 1. First, data owner sends the deletion request (D, I2 = {i − 1, i, i + 1}) to the auditor, where i the index of the deleted data block. 2. Upon receiving deletion request, the auditor returns the corresponding proof path {χi }i∈I2 to data owner who will call the Examine (s(r oot), χi ) to verify the validity of the proof path, where χi = {v1 , v2 , . . . , vk }. 3. According to the proof path {χ }i∈I2 received from the auditor, data owner deletes the i-th leaf of rb23Tree Tr b and updates rang value r (v j ) and authentication value s(v j ) on {χ }i∈I2 by himself. The updated rb23tree is denoted as Trb . 4. Finally, it produces a signature on the updated rb23tree Tr b ’s root as Sign sk (s(r oot )) and sends (Sign sk (s(r oot )), {χi }i∈I2 ) to the auditor for rb23Tree update, where χi is the updated proof path of the i-th leaf in the updated rb23tree Trb .
Cluster Comput
5. Meanwhile, it sends (D, i) to the cloud for deleting the authentication tag δi of the i-th data block.
5 Security analysis In this section, we show that our public auditing scheme its provably secure under our security model. In the above protocol, we introduce the rb23tree in order to support dynamic data and to prevent that the dishonest cloud server does not update data’s change. In the following security proof, to conveniently description, we do not consider dynamic data. Theorem 1 If there exists an adversary A which can forge a false proof information to pass the verification with probability ε, then the CDH problem can be solved. Proof Suppose that there exists an adversary A which forges a false proof information to pass the verification of the auditor without knowing data owner’s private key, when the outsourced data or authentication tag is corrupted, then we will build an algorithm B which can solve the CDH problem. First, let us recall the CDH problem, given a random instance (g, g a , h) ∈ G31 of the CDH problem , its goal is to output ha . Setup Let G1 and G2 be two cyclic groups of the prime order p. The algorithm B sets the public key Ya = e(g a , h) and randomly chooses b ∈ Z p to set Yb = g b . Let Fk be a pseudo-random function with key k. In the following, the adversary A adaptively makes a polynomial number of queries: TagGen queries and Prove queries. TagGen queries When the adversary A makes a TanGen query with data file M, all of first, B divides M into n blocks, namely, M = m 1 ||m 2 || · · · ||m n , then it does as follows. 1. It produces a signature Sign sk (Fname||n) with private key sk. 2. Then, for i = 1 to n, it computes δi = (g a )m i Fk (ri )b , where ri is random number; 3. Finally, it returns δ = (δ1 , . . . , δn ) to the adversary A. Prove queries For a data file M of which a TagGen query has been made, the adversary A can undertake the challenge– response protocol with the algorithm B. The algorithm B plays the role of the verifier and the adversary A behaves as the prover during the protocol execution. They interactively proceed as below. 1. B randomly chooses an l-element subsect I and an integer ω, and sends them to A. 2. A computes v j = ω j , j ∈ I . And it computes π = v j and ρ = j∈I (σ j ) j∈I m j · v j . Finally, it sends (ρ, π ) to B
3. Finally, B gives the output of V eri f y(ρ, π, k) to A. Output Eventually, A outputs a forgeable proof information (ρ ∗ , π ∗ ) on a challenge information (I ∗ , ω∗ ) with nonnegligent probability ε. The adversary A wins this game only if (ρ ∗ , π ∗ ) can pass the verification algorithm and (ρ ∗ , π ∗ ) = (ρ, π ), where (ρ, π ) is the valid proof information under the challenge information (I ∗ , ω∗ ). As (ρ, π ) and (ρ ∗ , π ∗ ) can pass the verification algorithm, we can obtain the following equation:
∗ ρ∗ vi Fk (ri ) , Yb e(π , g) = Ya · e i∈I
e(π, g) = Yaρ · e
Fk (ri )vi , Yb
i∈I
where vi = (ω∗ )i , i ∈ I ∗ . Thus, we have the following relation e e
π∗ ,g π π∗ π
,g π∗ π
π ∗ ρ ∗ −ρ
= Yaρ
∗ −ρ
⇓ = e(g a , h)ρ
∗ −ρ
⇓ = (h a )ρ
∗ −ρ
⇓
1
π
= (h a )
It means that the adversary A can solve the computational Diffie–Hellman problem with non-negligible probability ε . Obviously, it is in contradiction with the difficulty of solving the CDH problem.
Theorem 2 Our proposed auditing protocol is able to resist the Replace Attack from the cloud server. Proof As for the dynamic auditing protocol, replace attack is a powerful attack since after data block is modified, the malicious cloud server may reserve the precious data block instead of modifying data block. In our auditing, If any of the challenged data block m k or its data authentication tag δk is corrupted or not updated by cloud server, the returned proof information by cloud server cannot pass the verification of the auditing since the verification equation cannot hold. Then cloud server may launch the replace attack to pass the audit. Therefore,it chooses another pair of data block and data tag (m j , δ j ) to replace the challenged one (m k , δk ). Then ρ ∗ and π ∗ are denoted as follows:
123
Cluster Comput
ρ ∗ = vk · m j +
vi · m i
i∈I,i=k
π ∗ = (δ j )vk ·
(δi )vi
i∈I,i=k
Thus,the left hand of the verification equation can be transformed into
vk δ j e(π ∗ , g) = e (δi )vi , g δk i∈I vk δj vk (m k −m j ) = Ya e ,g δk ⎛ ⎞ ∗ ·Yaρ · e ⎝ Fk (ri ))vi , Yb ⎠ j∈I
To pass verification equation, the above equation must satisfy v (m k −m j )
Ya k
e
δj δk
vk
v (m k −m j )
However, Ya k Ya = e
δk δj
,g
(5)
δ
e(( δkj )vk , g) = 1, it means that
(m k −m j )−1
−1
Namely, cloud server can find a point Y = ( δδkj )(m k −m j ) such that e(Y, g) = Ya . Obviously, it is in contradiction with the difficulty of solving the MGBI problem. It means that such proof from the cloud server cannot pass the auditing. Therefore, our dynamic auditing protocol can resist the replace attack.
Theorem 3 The proposed dynamic auditing protocol can resist the Replay Attack. Proof On one hand , in our proposed scheme, to produce a challenge, the auditor chooses different random number ς . Thus, the computed {vi }i∈I are also different. Cloud server cannot only use the previous proof information pr f to produce a new proof information to pass the auditing without retrieving the challenged data blocks and the corresponding tags. On the other hand, in our scheme, each data block corresponds to a random number ri . And ri is involved in the authentication tag δi . When the auditing is verified, these random numbers are required. Because the rb23Tree Tr b which stores these random numbers information is stored in the auditor, cloud server cannot launch reply attack with precious proof information due to the unforgeablity of signature.
123
6 The second public auditing scheme For the above protocol, ρ in the returned proof information Pr f = (ρ, π ) is a linear combination of the challenged data blocks. According to [32], such protocol exists active attack, it might result in data leak. To resist such attack, we will extend the above scheme to support data privacy. In the following, we only give the algorithms which are other than those of basic scheme. 6.1 KeyGen
, g = 1.
When data block is modified or new data block is inserted, a new random number ri is produced and the corresponding authentication tag which includes ri is also generated. For precious random number in rb23Tree which corresponds to the modified data block will be replaced by new ri . These update operations may not allow cloud server to launch the replay attack by possessing precious authentication and data block.
For a data owner, it randomly chooses a, c, b ∈ Z p as its private keys and computes the corresponding public key Ya1 = e(g a , g),Ya2 = e(g c , g) and Yb = g b . At the same time, it chooses a random pair (sk, pk) for signature. Let o(x) be a hash function. At the same time, it chooses a secret hash key k for PRF Fk , and secretly keeps his private keys (a, b, c, sk) and secret key k. 6.2 TagGen To outsource a data file M, it first splits M into n data blocks, namely, M = m 1 || · · · ||m n , and then includes a timestamp Tc to set t = Fname||n||Sign sk (Fname||n) as file tag,where Fname||n and Sign (Fname||n) denotes the file name sk and the corresponding signature with private key sk. For j = 1 to n, it computes δ j = g am j +c·o(m j ) Fk (r j )b·o(m j ) for each data block to produce authentication tag, where r j is a random number. Then data owner builds a rb23tree Tr b where the leave nodes of rb23tree are an ordered set of “index tags” e j = r j ||Fk (r j ), ( j = 1, 2, . . . , n). Next, the data owner produces a signature on the rb23Tree’s root R under its private key sk:Sign sk (R) ← H (R)sk . Finally, the data user uploads (M, t, φ = {δi }1≤i≤n , Sign sk (R)) to the cloud server, and keeps the information (Fname, Tr b , Sign sk (R)) locally. 6.3 Challenge phase When data owner wants to the auditor to execute integrity checking of the data, it sends the Fname,rb23Tree Tr b and its root node s(r oot) to the auditor. To verify data integrity of the outsourced data, the auditor first retrieves t and Sign sk (R)
Cluster Comput
from the cloud server and verifies whether the signature Sign sk (Fname||n) and Sign sk (R) are valid with public key pk. If they are not , reject and abort them; otherwise, the auditor parse Fname||n to recover the file name Fname and the number n of data blocks. Subsequently, it randomly chooses an l-element subset I of the set [1, n] and a number τ ∈ Z p to produce the following challenging information Chall = {τ, I } and sends it the cloud server. 6.4 Prove Upon receiving the challenging information Chall = {I, τ }, the cloud storage server first computes an l-element set Q = (i, vi ) where i ∈ I, vi = τ i mod p. Then based on the stored data file M = {m 1 , . . . , m n } and authentication tags δi , 1 ≤ i ≤ n, it computes ρ1 =
m j · v j , ρ2 =
j∈I
o(m j ) · v j
j∈I
ρ1 ρ= ρ2
π =⎝
Proof Due to the similar proof with Theorem 1, we omit it here for the limited space. Privacy-preserving of the stored data is a very important property in public auditing protocol since anyone can audit the integrity of the data. As for our proposed second auditing protocol, its goal is to achieve privacy-preserving of the stored data based on our basic protocol. Data privacypreserving is stated as follows: Theorem 5 In our second auditing scheme, the auditor can not obtain any information about the stored data during the whole auditing procedure. Proof As for the auditor, it can only obtain the product of all the challenged data tags π and all the challenged data’s combination ρ in the whole auditing. From the generation of π , we know that it has the following format ⎛ π =⎝
⎞ρ −1 2
(δ j )
vj ⎠
j∈I
where ρ2 is unknown to the auditor. Due to the unknown number ρ2 , the auditor can not obtain any information about the data. For the value ρ, it is associate with the challenged blocks, however, ρ is the format
Then, it computes ⎛
Theorem 4 Our second auditing scheme can resist forgeable attack, replay attack and replay attack.
⎞ρ −1 2
(δ j )v j ⎠
j∈I
Finally, the cloud storage server outputs the proof information Pr f = (π, ρ the auditor. 6.5 Verifying After obtaining the proof information Pr f , the auditor executes the following process with public key Ya . 1. For i ∈ I , based on rb23Tree T r b , it first retrieves all PRF v i values Fk (ri ) and computes i∈I Fk (ri )vi by adopting multi-exponentiation algorithm. 2. Then, it verifies whether
? ρ e(π, g) = Ya1 · Ya2 · e Fk (ri )vi , Yb (6) i∈I
If the above equation holds, then it outputs TRUE; otherwise FALSE. For the second protocol, it is the same as the basic protocol in essence. Thus, for the security of the protocol, we don’t discuss it here.
ρ=
vj ρ1 = ·mj ρ2 ρ2 j∈I
where ρ2 is a sum of all the challenged data’s hash value and it is unknown for the auditor. And we find that it is not a linear combination of the challenged data since its coefficients are unknown. It means that the auditor can not retrieve any data block by solving homogeneous equation system. Thus, the auditor is not able to obtain any information about the stored data content. It denotes that our auditing scheme achieves data privacy-preserving.
7 Performance analysis In the following, we only analyze performance of the first auditing protocol since it is the basis for building the second auditing protocol. To evaluate the practicality of the proposed protocol, in our experiment, we utilize an MNT curve [33] with the embedding degree k = 6 and base field size of 159bits. The implementation was executed on a processor 2.4 GHz Intel i5 520M. The security level is chosen to be 80 bits, which means |vi | = 80 and | p| = 160.
123
Cluster Comput
7.3 Computational cost
Table 2 Time and storage cost of different-size files File size (MB)
128
256
512
1024
2048
rb23Tree height 11–16
11–17
12–18
13–19
13–20
Time cost (s)
2.019
4.218
8.217
16.284
31.215
Storage cost (MB)
2.25–3.0 4.5–6.0 9.0–12.0 18.0–24.0 36.0–48.0
Table 3 Comparison of communication costs Schemes
Comm. cost of verification
Comm. cost of Updating
Wang scheme (MHT)
l · O(logn)
O(logn)
Our scheme b(rb23Tree)
O(1)
O(logn)
n is the number of data blocks in a file; and l is the number of the challenged blocks during auditing
7.1 Overhead of building and storing RB23TRee In order to support dynamic data, we introduce rb23tree. In TagGen phase, data owner needs to build rb23tree, and cloud server also needs to store this rb23tree. We will show the time cost and storage cost for building and storing differentsize data files. For a data file,the height of the rb23Tree is determined by the file size and the number of data blocks. If the data block size is set to be 2kB, then different-size data files’ storage cost and building time are shown as Table 2. According to Table 2, we know that the time cost and space cost of building and storing an rb23Tree are approximately linear with the data file’s size. For the height of rb23Tree, it should satisfy [log3n] + 1 ≤ height ≤ [log2n] + 1 and the number num of all nodes satisfies [(3n − 1)/2] ≤ num ≤ 2n − 1.
7.2 Communication costs To achieve dynamic data updating, our scheme introduces authentication data structure rb23Tree, Wang et al.’s scheme incorporates MHT. In terms of communication costs during the verification and updating, The comparison between our scheme and Wang et al.’s scheme is given in Table 3. From Table 3, we know that the communication costs of our scheme has apparent advantage over that of Wang et al’s scheme, it has constant communication costs. The reason for that is that all the information of MHT for auditing in Wang et al.’s scheme is stored in the cloud server while in our scheme all the information of rb23Tree is stored in the auditor. In other words, to reduce the communication costs, our scheme migrates the required information during the auditing from the cloud server to the auditor.
123
Here, we only discuss computational cost in terms of generating authentication tag and verifying proof information. To show our protocol’s advantages, we make a comparison of our protocol and Wang et al.’s protocol [34] which is the stateof-the-art public auditing scheme with supporting dynamic data. For Wang et al.’s scheme [34] and our scheme, TagGen algorithm requires O(n) exponentiations in G1 and O(n) hash function, where n is the number of data blocks of a data file. And the TagGen algorithm is one-time cost in the outsourced stage. In Proof phase, our scheme and Wang et al.’s scheme also require O(|I |) exponentiations in G1 and O(|I |) multiplications in G1 . Obviously, cloud server’s computational cost is linear with the number of the challenged blocks. In the Verifying phase, our scheme needs |I | exponentiations in G1 ,(|I | − 1) multiplication in G1 and 2 constant pairings as well as 1 exponentiations in GT ; whereas, Wang et al.’s scheme requires O(|I | + 1) exponentiations in G1 , |I | multiplication in G1 and 4 constant pairings, and it also needs to verify the validity of each auxiliary information Ωi (i ∈ I ), where Ωi denotes the node siblings on the path from the leaves i to the root R of the MHT. Their detail comparison is shown in Table 3. According to Table 4, our scheme has the same computational cost as Wang et al.’s scheme in terms of TagGen algorithm and Proof algorithm. In Verify phase, our scheme has the advantage over Wang et al.’s scheme since computational cost of an exponentiation G1 is more than that of an exponentiation GT . However, for Wang et al.’s scheme, besides the above computational cost, the auditor needs to the validity of each auxiliary information Ωi yet, but our scheme does not exist such problem since rb23Tree is stored at the auditor instead of the cloud server. At the same time,we find that the number of the challenged data blocks has important influence on computational cost in the Proof phase and Verify phase. Because our scheme adopts spot-check technique, the number of the challenged data blocks also determines the detection probability of the auditor. Suppose that the probability of each data block which is corrupted in cloud is ζ and the number of the challenged blocks is t, then the auditor’s error detection probability can be calculated as Pr (t) = 1 − (1 − ζ )t
(7)
If all the data blocks are chosen, then the error detection probability is 100%. When t = 300 and the 1% all the data blocks are corrupted, the corresponding detection probability is over 95%. Thus, when we set t = 300, the protocol can achieve the trade-off between efficiency and detection probability. In the following, we will evaluate the verification costs with a file of 1GB under the condition of sampling 300 and
Cluster Comput Table 4 Comparison of computation cost between our scheme and Wang et al.’s scheme
Scheme
Algorithm
Wang et al.’s scheme
TagGen
Our scheme
Computational cost (n − 1)MG 1 + n E G 1
Proof
(|I | − 1)MG 1 + |I |(E G 1 + M Z p )
Verify
(|I | + 1)E G 1 + |I |MG 1 + 4P + |I | · |Ω|
TagGen
(n − 1)MG 1 + n E G 1
Proof
(|I | − 1)MG 1 + |I |(E G 1 + M Z p )
Verify
|I |E G 1 + 1E G T + (|I | − 1)MG 1 + 2P
P.V
D
√
√
√
√
Where E G1 and E G T denote exponentiations in G1 and GT respectively. M Z p and MG 1 denote multiplications in Z p and G1 respectively, P is a pairing operation, |Ω| denote the required computation to verify auxiliary information Ωi , P.V denotes public verifiability and D denotes dynamicity
Table 5 Comparison of verification cost of sampling 300 and 460 between our scheme and Wang et al.’s scheme Our scheme
Wang’s scheme
The challenged blocks
300
460
300
460
Path generation (ms)
1.463
1.712
1.461
1.712
Path verification (ms)
5.851
9.127
5.851
9.127
Proof (ms)
201.315
296.125
200.843
294.862
Verifying (ms)
193.541
280.226
200.104
290.026
Security proof
Standard-model
ROM
Security
Yes
No
460 blocks adifferent algorithms. For a 1GB file, the height of its rb23Tree is 15. In Table 5, we give the comparison of time cost between our scheme and Wang et al.’s scheme [34]. In the whole verification, verification cost of our scheme has the advantage over that of Wang et al.’s scheme even if additional hash value and proof path checks are included. Obviously, our scheme has the greater advantages over Wang et al.’s scheme. At the same time, we note that our scheme is proven to be secure in the standard model, whereas, Wang et al.’s scheme is only proven to be secure in the random orale model. And their scheme is susceptible to attack from the dishonest cloud server. In Wang et al.’s scheme [34], the returned proof information is the format P = {μ, σ, {H (m i ), Ωi }i∈I , Sign sk (R)}. For the auditor, it does not know whether the returned H (m i ), i ∈ I is the hash value of the corresponding challenged data blocks since m i is unknown for the auditor. Therefor, for a dishonest cloud server, if data block m i is corrupted, then it might replace m i with the another data block m k . Thus, (H (m k ), Ωk ) will replace (H (m i ), Ωi ) in the returned proof information. And it can still pass verification checking. It means that Wang et al.’s scheme cannot resist replace attack. The main reason to produce such attack is that the auditor does not know whether the hash values of the returned data blocks corresponds to the challenged subset.
However, we introduce the rb23tree in our scheme, and the leave nodes of rb23tree is not data blocks. It makes the auditor can not only infer the index of each data block, but also data user can verify the validity of the return the proof paths which correspond to the required blocks through Algorithm 1.Examine in the appendix. Thus, our scheme does not exist replace attack. According to the statement above, our scheme can not only support dynamic data update and data privacy, but also resist replace attack. To the best of our knowledge, our scheme is the first public auditing scheme with supporting dynamic data and data privacy in the standard model.
8 Conclusion To achieve public verification and data dynamics, in this works, we proposed two new public auditing protocols by using the rb23Tree. Because the auditor needs to periodically audit the integrity of the outsourced data, its efficiency has significant effects on the whole auditing system. To reduces the computational cost and communication overhead, our schemes migrate the partial auditing metadata from cloud server to the auditor, it makes that the auditor has O(1) communication. At the same time, we show that our schemes are provable secure in the standard model. And we also evaluate the performance of our auditing protocol by simulation experiment and comparison with Wang et al.’s scheme. The results show that our scheme has the advantage over Wang et al.’s schemes in terms of computation costs and communication overhead. Acknowledgements This work was supported by Beijing Municipal Natural Science Foundation (Nos. 4162020, 4132056), Research Fund of Guangxi Key Lab of Multi-source Information Mining & Security (No. MIMS16-01) and the Fundamental Research Funds for the Central Universities under Grant ZYGX2015J059, GK201702004.
123
Cluster Comput
Appendix Algorithm 1 Examine(s(root), χi ): This algorithm can verify the i-th element ri of the ordered set W = (r1 , · · · , rn ) is stored exactly at the i-th leaf according to s(root) and the ordered proof path χi = (v1 , · · · , vk ) provided by the auditor. The array position tracks the index of the leaf that will be checked with s(·) = ri , and the array sa tracks s(vj ) where vj ∈ χi . 1: position[1 · · · k] ← 0, sa[1 · · · k] ← 0. 2 : position[1] = 1, va[1] = ri ; % in the following, check whether {vi has three children ch1 , ch2 , ch3 } 3: For j = 2 to k do if ch1 ∈ χi , i.e, r(ch1 ) = −1 and s(ch1 ) = −1; then position[j] = position[j − 1]; sa[j] = H(l(vj )||r(vj )||va[j − 1]||s(ch2 )||s(ch3 )); end if if ch2 ∈ χi , i.e, r(ch2 ) = −1 and s(ch2 ) = −1; then position[j] = position[j − 1] + r(ch1 ); sa[j] = H(l(vj )||r(vj )||s(ch1 )||sa[j − 1]||s(ch3 )); end if if ch3 ∈ χi , i.e, r(ch3 ) = −1 and s(ch3 ) = −1; then position[j] = position[j − 1] + r(ch1 ) + r(ch2 ); sa[j] = H(l(vj )||r(vj )||s(ch1 )||s(ch2 )||sa[j − 1]); end if end for 4. if position[k] = i and sa[k] = s(root) then return TRUE; 5. else return FALSE; 6. end if
References 1. Dropbox. https://www.dropbox.com 2. GoogleDrive. http://www.google.com/drive/index.html 3. Yuan, J.: Secure and verifiable data storage and utilization in cloud computing, Ph.D. dissertation, Stanford University (2015). http:// pages.erau.edu/~yuanj/cloud-research.html 4. Li, Y., Yu, Y., Min, G., Susilo, W., Ni, J., Choo K-K.R.: Fuzzy identity-based data integrity auditing for reliable cloud storage systems. IEEE Trans. Dependable and Secure Comput. doi:10.1109/ TDSC.2017.2662216 5. Choo, Kim-Kwang Raymond, Domingo-Ferrer, Josep, Zhang, Lei: Cloud cryptography: theory, practice and future research directions. Future Gener. Comput. Syst. 62, 51–53 (2016) 6. Juliadotter, N.V., Choo, K.K.R.: Cloud Attack. IEEE Cloud Computing, 2(1): 14–20 7. Osanaiyea, Opeyemi, Choo, Kim-Kwang Raymond, Dlodloa, Mqhele: Distributed denial of service (DDoS) resilience in cloud: review and conceptual cloud DDoS mitigation framework. J. Netw. Comput. Appl. 67, 147–165 (2016) 8. Ateniese, S.G., Burns, R., Curtmola, R., Herring, J., Kissner, L., Peterson, Z., Song, D.: Provable Data Possession at Untrusted Stores. In: Proceedings of 14th ACM Conference Computer and Communication Security (CCS 07), pp. 598–609 (2007)
123
9. Juels, A., Kaliski Jr., B.S.: PORs: Proofs of retrievability for large files. In: Proceedings of 14th ACM Conference Computer and Communication Security (CCS’07), pp. 584–597 (2007) 10. Erway, C.C., Kupcu, A., Papamanthou, C., Tamassia, R.: Dynamic provable data possession. In: Proceedings of 16th ACM Conference Computer and Communication Security, pp. 213–222 (2009) 11. Shacham, H., Waters, B.: Compact proofs of retrievability. In: Proceedings of 14th International Conference Theory and Application of Cryptology and Information Security: Advances in Cryptology (ASIACRYPT’08), pp. 90–107 (2008) 12. Xiong, H., Beznosov, K., Qin, Z., Ripeanu, M.: Efficient and spontaneous privacy-preserving protocol for secure vehicular communication. In: IEEE-ICC, pp. 1–6 (2010) 13. Ren, K., Wang, C., Wang, Q.: Security challenges for the public cloud. IEEE Internet Comput. 16(1), 69–73 (2012) 14. Wang, H., Wu, Q., Qin, B., Domingo-Ferrer, J.: Identity-based remote data possession checking in public clouds. IET Inf. Secur. doi:10.1049/iet-ifs.2012.0271 15. Sebe, F., Domingo-Ferrer, J., Martnez-Balleste, A., Deswarte, Y., Quisquater, J.-J.: Efficient remote data possession checking in critical information infrastructures. IEEE Trans. Knowl. Data Eng. 20(8), 1034–1038 (2008) 16. Shah, M.A., Baker, M., Mogul, J.C., Swaminathan, R.: Auditing to keep online storage services honest. In: Hunt, G.C. (ed.), Proceed-
Cluster Comput
17.
18.
19. 20.
21.
22.
23.
24.
25.
26.
27. 28.
29.
30. 31.
32.
33.
34.
ings of 11th USENIX Workshop Hot Topics in Operating Systems (HOTOS) (2007) Chang, E.-C., Xu, J.: Remote integrity check with dishonest storage server. In: Proceedings of 13th European Symposium Research in Computer Security (ESORICS’08), pp. 223–237 (2008) Quick, Darren, Choo, Kim-Kwang Raymond: Google drive: forensic analysis of data remnants. J. Netw. Comput. Appl. 40, 179–193 (2014) Quick, D., Martini, B., Choo, K.K.R.: Cloud Storage Forensics. Syngress Publishing, Elsevier, Waltham (2013) Zhu, Y., Wang, H., Hu, Z., Ahn, G.J., Hu, H., Yau, S.S.: Dynamic audit services for outsourced storage in clouds. IEEE Trans. Serv. Comput. 6(2), 227–238 (2013) Daza, V., Domingo-Ferrer, J., Seb, F., Viejo, A.: Trustworthy privacy-preserving car-generated announcements in vehicular ad hoc networks. IEEE Trans. Veh. Technol. 58(4), 1876–1886 (2009) Gamage, C., Gras, B., Tanenbaum, A.S.: An identity-based ring signature scheme with enhanced privacy. In: Proceedings of IEEE SecureComm Conference, pp. 1–5 (2006) Chen, L., Morrissey, P., Smart, N.P.: DAA: Fixing the pairing based protocols. Cryptology ePrint Archive: Report 2009/198. http:// eprint.iacr.org/2009/198. Accessed 10 Dec 2009 Jiang, Y., Shi, M., Shen, X., Lin, C.: BAT: a robust signature scheme for vehicular communications using binary authentication tree. IEEE Trans. Wirel. Commun. 8(4), 1974–1983 (2009) Ferrara, A.L., Green, M., Hohenberger, S., Pedersen, M.Ø.: On the practicality of short signature batch verification. http://eprint.iacr. org/2008/015 Gritti(B), C., Susilo, W., Plantard, T.: Efficient dynamic provable data possession with public verifiability and data privacy. In: ACISP 2015, LNCS 9144, pp. 395–412 (2015) Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: EUROCRYPT. LNCS, vol. 1070, pp. 387–398 (1996) Goh, E.-J., Jarecki, S.: A signature scheme as secure as the Diffie– Hellman problem. In: EUROCRYPT. LNCS, vol. 2656, pp. 401– 415 (2003) Yu, Y. Au, M. H., Ateniese, G., Huang, X., Susilo, W., Dai, Y., Min, G.: Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage. IEEE Trans. Inf. Forensic Secur. 12, 767–778 (2017) Zheng, Q., Xu, S.: Fair and dynamic proofs of retrievability. In: CODASPY’11, ACM, pp. 237–248 (2011) Zhang, J.H., Chen, H., Yang, Y.X.: Efficient blind signature scheme based on modified generalized bilinear inversion. Key Eng. Mater. 439–440, 1265–1270 (2010) Ni, Jianbing, Yong, Yu., Yi, Mu, Xia, Qi: On the security of an efficient dynamic auditing protocol in cloud storage. IEEE Trans. Parallel Distrib. Syst. 25(10), 2760–2761 (2014) Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. E84–A(5), 1234-123 (2001) Wang, Q., Wang, C., Ren, K., Lou, W., Li, J.: Enabling public auditability and data dynamics for storage security in cloud computing. IEEE Trans. Parallel Distrib. Syst. 22(5), 847–859 (2011)
Jianhong Zhang obtained the Ph.D. degree in the communication and engineering school at Xidian University, China, in 2004. Now he is an associate professor in the North China University of Technology. His research interests include network security, cloud security and applied cryptography.
Hongxin Meng is a master student at North China University of Technology, Beijing, China. She received his B.S. degree from the North China University of Technology, China, in Applied Mathematics. Her research interests include computer networking, and information security systems.
Yong Yu is currently a full professor of Shaanxi Normal University, China. He also holds the prestigious one hundred talent professorship of Shaanxi province, China. He received his Ph.D. degree from the Xidian University, China, in Cryptography. He has been a Vice Chancellor’s research fellow of University of Wollongong, Australia. His research interests are applied cryptography, cloud computing security, and network security. He has published over 50 research papers at domestic and international conferences and journals, including the well-respected IEEE Transactions on Information Forensics and Security, IEEE Transactions on Dependable and Secure Computing etc.
123