IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. X, NO.
IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. X, NO. X, XXXX 201X1Oruta: Privacy-Preserving Public Auditingfor Shared Data in the CloudBoyang Wang, Baochun Li, Senior Member, IEEE, and Hui Li, Member, IEEEAbstract—With cloud data services, it is commonplace for data to be not only stored in the cloud, but also shared across multipleusers. Unfortunately, the integrity of cloud data is subject to skepticism due to the existence of hardware/software failures and humanerrors. Several mechanisms have been designed to allow both data owners and public verifiers to efficiently audit cloud data integritywithout retrieving the entire data from the cloud server. However, public auditing on the integrity of shared data with these existingmechanisms will inevitably reveal confidential information — identity privacy — to public verifiers. In this paper, we propose a novelprivacy-preserving mechanism that supports public auditing on shared data stored in the cloud. In particular, we exploit ring signaturesto compute verification metadata needed to audit the correctness of shared data. With our mechanism, the identity of the signer oneach block in shared data is kept private from public verifiers, who are able to efficiently verify shared data integrity without retrievingthe entire file. In addition, our mechanism is able to perform multiple auditing tasks simultaneously instead of verifying them one byone. Our experimental results demonstrate the effectiveness and efficiency of our mechanism when auditing shared data integrity.Index Terms—Public auditing, privacy-preserving, shared data, cloud computing. 1I NTRODUCTIONCLOUD service providers offer users efficient andscalable data storage services with a much lowermarginal cost than traditional approaches [2]. It is routine for users to leverage cloud storage services to sharedata with others in a group, as data sharing becomes astandard feature in most cloud storage offerings, including Dropbox, iCloud and Google Drive.The integrity of data in cloud storage, however, issubject to skepticism and scrutiny, as data stored in thecloud can easily be lost or corrupted due to the inevitablehardware/software failures and human errors [3], [4]. Tomake this matter even worse, cloud service providersmay be reluctant to inform users about these data errorsin order to maintain the reputation of their services andavoid losing profits [5]. Therefore, the integrity of clouddata should be verified before any data utilization, suchas search or computation over cloud data [6].The traditional approach for checking data correctnessis to retrieve the entire data from the cloud, and thenverify data integrity by checking the correctness of signatures (e.g., RSA [7]) or hash values (e.g., MD5 [8])of the entire data. Certainly, this conventional approachis able to successfully check the correctness of clouddata. However, the efficiency of using this traditionalapproach on cloud data is in doubt [9]. Boyang Wang and Hui Li are with the State Key Laboratory of IntegratedService Networks, Xidian University, Xi’an, 710071, China.E-mail: {bywang,lihui}@mail.xidian.edu.cn Baochun Li is with the Department of Electrical and Computer Engineering, University of Toronto, Toronto, ON, M5S 3G4, Canada.E-mail: bli@eecg.toronto.edu This work is supported by NSFC 61272457, National Project2012ZX03002003-002, 863 Project 2012AA013102, 111 Project B08038,IRT1078, FRF K50511010001 and NSFC 61170251. Most part of this work was done at University of Toronto. A short version[1] of this paper is in Proceedings of the 5th IEEE International Conferenceon Cloud Computing (IEEE Cloud 2012).The main reason is that the size of cloud data is largein general. Downloading the entire cloud data to verifydata integrity will cost or even waste users amounts ofcomputation and communication resources, especiallywhen data have been corrupted in the cloud. Besides,many uses of cloud data (e.g., data mining and machinelearning) do not necessarily need users to download theentire cloud data to local devices [2]. It is because cloudproviders, such as Amazon, can offer users computationservices directly on large-scale data that already existedin the cloud.Recently, many mechanisms [9]–[17] have been proposed to allow not only a data owner itself but alsoa public verifier to efficiently perform integrity checkingwithout downloading the entire data from the cloud,which is referred to as public auditing [5]. In these mechanisms, data is divided into many small blocks, whereeach block is independently signed by the owner; anda random combination of all the blocks instead of thewhole data is retrieved during integrity checking [9].A public verifier could be a data user (e.g. researcher)who would like to utilize the owner’s data via the cloudor a third-party auditor (TPA) who can provide expertintegrity checking services [18]. Moving a step forward,Wang et al. designed an advanced auditing mechanism[5] (named as WWRL in this paper), so that duringpublic auditing on cloud data, the content of privatedata belonging to a personal user is not disclosed to anypublic verifiers. Unfortunately, current public auditingsolutions mentioned above only focus on personal datain the cloud [1].We believe that sharing data among multiple users isperhaps one of the most engaging features that motivatescloud storage. Therefore, it is also necessary to ensure theintegrity of shared data in the cloud is correct. Existingpublic auditing mechanisms can actually be extended toverify shared data integrity [1], [5], [19], [20]. However,a new significant privacy issue introduced in the case of
IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. X, NO. X, XXXX 201X2TABLE 1Comparison among Different Mechanisms8th!"# %&'()* ,(- A A A A A A B A B BPublic Verifier8thPublic AuditingData PrivacyIdentity Privacy!"# %&'()* ,(. A A A A A A A B B B8th!"# %&'()* ,(/ A A A A B A A A B BA A block signed by AliceB A block signed by BobFig. 1. Alice and Bob share a data file in the cloud, anda public verifier audits shared data integrity with existingmechanisms.shared data with the use of existing mechanisms is theleakage of identity privacy to public verifiers [1].For instance, Alice and Bob work together as a groupand share a file in the cloud (as presented in Fig. 1).The shared file is divided into a number of small blocks,where each block is independently signed by one of thetwo users with existing public auditing solutions (e.g.,[5]). Once a block in this shared file is modified by auser, this user needs to sign the new block using his/herprivate key. Eventually, different blocks are signed bydifferent users due to the modification introduced bythese two different users. Then, in order to correctlyaudit the integrity of the entire data, a public verifierneeds to choose the appropriate public key for eachblock (e.g., a block signed by Alice can only be correctlyverified by Alice’s public key). As a result, this publicverifier will inevitably learn the identity of the signeron each block due to the unique binding between anidentity and a public key via digital certificates underPublic Key Infrastructure (PKI).Failing to preserve identity privacy on shared dataduring public auditing will reveal significant confidential information (e.g., which particular user in the groupor special block in shared data is a more valuable target)to public verifiers. Specifically, as shown in Fig. 1, afterperforming several auditing tasks, this public verifiercan first learn that Alice may be a more important rolein the group because most of the blocks in the sharedfile are always signed by Alice; on the other hand, thispublic verifier can also easily deduce that the 8-th blockmay contain data of a higher value (e.g., a final bid inan auction), because this block is frequently modifiedby the two different users. In order to protect theseconfidential information, it is essential and critical topreserve identity privacy from public verifiers duringpublic auditing.In this paper, to solve the above privacy issue onshared data, we propose Oruta1 , a novel privacypreserving public auditing mechanism. More specifically,we utilize ring signatures [21] to construct homomorphicauthenticators [10] in Oruta, so that a public verifier isable to verify the integrity of shared data without retrieving the entire data — while the identity of the signer oneach block in shared data is kept private from the public1. Oruta stands for “One Ring to Rule Them All.”PDP [9] WWRL [5] Oruta verifier. In addition, we further extend our mechanismto support batch auditing, which can perform multipleauditing tasks simultaneously and improve the efficiencyof verification for multiple auditing tasks. Meanwhile,Oruta is compatible with random masking [5], which hasbeen utilized in WWRL and can preserve data privacyfrom public verifiers. Moreover, we also leverage indexhash tables from a previous public auditing solution[15] to support dynamic data. A high-level comparisonamong Oruta and existing mechanisms is presented inTable 1.The remainder of this paper is organized as follows.In Section 2, we present the system model, threat modeland design objectives. In Section 3, we introduce cryptographic primitives used in Oruta. The detailed designand security analysis of Oruta are presented in Section 4and Section 5. In Section 6, we evaluate the performanceof Oruta. Finally, we briefly discuss related work inSection 7, and conclude this paper in Section 8.2P ROBLEM S TATEMENT2.1 System ModelAs illustrated in Fig. 2, the system model in thispaper involves three parties: the cloud server, a groupof users and a public verifier. There are two types ofusers in a group: the original user and a number ofgroup users. The original user initially creates shareddata in the cloud, and shares it with group users. Boththe original user and group users are members of thegroup. Every member of the group is allowed to accessand modify shared data. Shared data and its verificationmetadata (i.e. signatures) are both stored in the cloudserver. A public verifier, such as a third-party auditor(TPA) providing expert data auditing services or a datauser outside the group intending to utilize shared data, isable to publicly verify the integrity of shared data storedin the cloud server.When a public verifier wishes to check the integrityof shared data, it first sends an auditing challenge tothe cloud server. After receiving the auditing challenge,the cloud server responds to the public verifier with anauditing proof of the possession of shared data. Then,this public verifier checks the correctness of the entiredata by verifying the correctness of the auditing proof.Essentially, the process of public auditing is a challengeand-response protocol between a public verifier and thecloud server [9].2.2 Threat ModelIntegrity Threats. Two kinds of threats related to theintegrity of shared data are possible. First, an adversarymay try to corrupt the integrity of shared data. Second,
WANG et al.: ORUTA: PRIVACY-PRESERVING PUBLIC AUDITING FOR SHARED DATA IN THE CLOUDPublic Verifier1. A2. AududitingCitinhallengegProofCloud ServerShared Data FlowUsersFig. 2. Our system model includes the cloud server, agroup of users and a public verifier.the cloud service provider may inadvertently corrupt(or even remove) data in its storage due to hardwarefailures and human errors. Making matters worse, thecloud service provider is economically motivated, whichmeans it may be reluctant to inform users about suchcorruption of data in order to save its reputation andavoid losing profits of its services.Privacy Threats. The identity of the signer on eachblock in shared data is private and confidential to thegroup. During the process of auditing, a public verifier,who is only allowed to verify the correctness of shareddata integrity, may try to reveal the identity of thesigner on each block in shared data based on verificationmetadata. Once the public verifier reveals the identity ofthe signer on each block, it can easily distinguish a highvalue target (a particular user in the group or a specialblock in shared data) from others.2.3Design ObjectivesOur mechanism, Oruta, should be designed to achievefollowing properties: (1) Public Auditing: A public verifier is able to publicly verify the integrity of shared datawithout retrieving the entire data from the cloud. (2)Correctness: A public verifier is able to correctly verifyshared data integrity. (3) Unforgeability: Only a user inthe group can generate valid verification metadata (i.e.,signatures) on shared data. (4) Identity Privacy: A publicverifier cannot distinguish the identity of the signer oneach block in shared data during the process of auditing.2.4Possible Alternative ApproachesTo preserve the identity of the signer on each blockduring public auditing, one possible alternative approach is to ask all the users of the group to sharea global private key [22], [23]. Then, every user is ableto sign blocks with this global private key. However,once one user of the group is compromised or leavingthe group, a new global private key must be generatedand securely shared among the rest of the group, whichclearly introduces huge overhead to users in terms of keymanagement and key distribution. While in our solution,each user in the rest of the group can still utilize its ownprivate key for computing verification metadata withoutgenerating or sharing any new secret keys.3Another possible approach to achieve identity privacy,is to add a trusted proxy between a group of users andthe cloud in the system model. More concretely, eachmember’s data is collected, signed, and uploaded to thecloud by this trusted proxy, then a public verifier canonly verify and learn that it is the proxy signs the data,but cannot learn the identities of group members. Yet,the security of this method is threatened by the singlepoint failure of the proxy. Besides, sometimes, not allthe group members would like to trust the same proxyfor generating signatures and uploading data on theirbehalf. Utilizing group signatures [24] is also an alternative option to preserve identity privacy. Unfortunately, asshown in our recent work [25], how to design an efficientpublic auditing mechanism based on group signaturesremains open2 .Trusted Computing offers another possible alternativeapproach to achieve the design objectives of our mechanism. Specifically, by utilizing Direct Anonymous Attestation [26], which is adopted by the Trusted ComputingGroup as the anonymous method for remote authentication in Trusted Platform Module, users are able topreserve their identity privacy on shared data from apublic verifier. The main problem with this approach isthat it requires all the users using designed hardware,and needs the cloud provider to move all the existingcloud services to the trusted computing environment,which would be costly and impractical.3P RELIMINARIESIn this section, we briefly introduce cryptographicprimitives and their corresponding properties that weimplement in Oruta.3.1 Bilinear MapsLet G1 , G2 and GT be three multiplicative cyclicgroups of prime order p, g1 be a generator of G1 , andg2 be a generator of G2 . A bilinear map e is a map e:G1 G2 GT with the following properties: Computability: there exists an efficiently computable algorithm for computing map e. Bilinearity: for all u G1 , v G2 and a, b Zp ,e(ua , v b ) e(u, v)ab . Non-degeneracy: e(g1 , g2 ) 6 1.Bilinear maps can be generally constructed from certainelliptic curves [27]. Readers do not need to learn thetechnical details about how to build bilinear maps fromcertain elliptic curves. Understanding the properties ofbilinear maps described above is sufficient enough forreaders to access the design of our mechanism.3.2 Security AssumptionsThe security of our proposed mechanism is based onthe two following assumptions.2. The direct leverage of group signatures in an public auditingmechanism makes the size of verification metadata extremely huge,which is much larger than the size of data itself. See [25] for details.
IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. X, NO. X, XXXX 201X4Computational Co-Diffie-Hellman (Co-CDH) Problem. Let a Z p , given g2 , g2a G2 and h G1 as input,output ha G1 .Definition 1: Computational Co-Diffie-Hellman (CoCDH) Assumption. The advantage of a probabilisticpolynomial time algorithm A in solving the Co-CDHproblem on (G1 , G2 ) is defined asRRAdvCoCDHA Pr[A(g2 , g2a , h) ha : a Z p , h G1 ],where the probability is over the choice of a and h, andthe coin tosses of A. The Co-CDH assumption means,for any probabilistic polynomial time algorithm A, theadvantage of it in solving the Co-CDH problem on(G1 , G2 ) is negligible.For the ease of understanding, we can also say solvingthe Co-CDH problem on (G1 , G2 ) is or computationallyinfeasible or hard under the Co-CDH assumption.Discrete Logarithm (DL) Problem. Let a Z p , giveng, g a G1 as input, output a.Definition 2: Discrete Logarithm (DL) Assumption.The advantage of a probabilistic polynomial time algorithm A in solving the DL problem in G1 is defined asRAdvDLA Pr[A(g, g a ) a : a Z p ],where the probability is over the choice of a, and the cointosses of A. The DL Assumption means, for any probabilistic polynomial time algorithm A, the advantage ofit in solving the DL problem in G1 is negligible.3.3 Ring SignaturesThe concept of ring signatures was first proposed byRivest et al. [28] in 2001. With ring signatures, a verifieris convinced that a signature is computed using oneof group members’ private keys, but the verifier is notable to determine which one. More concretely, given aring signature and a group of d users, a verifier cannotdistinguish the signer’s identity with a probability morethan 1/d. This property can be used to preserve theidentity of the signer from a verifier.The ring signature scheme introduced by Boneh etal. [21] (referred to as BGLS in this paper) is constructedon bilinear maps. We will extend this ring signaturescheme to construct our public auditing mechanism.3.4 Homomorphic AuthenticatorsHomomorphic authenticators (also called homomorphic verifiable tags) are basic tools to construct publicauditing mechanisms [1], [5], [9], [10], [12], [15]. Besidesunforgeability (i.e., only a user with a private key cangenerate valid signatures), a homomorphic authenticable signature scheme, which denotes a homomorphicauthenticator based on signatures, should also satisfy thefollowing properties:Let (pk, sk) denote the signer’s public/private keypair, σ1 denote a signature on block m1 Zp , σ2 denotea signature on block m2 Zp . Blockless verifiability: Given σ1 and σ2 , two random values α1 , α2 Zp and a block m′ α1 m1 α2 m2 Zp , a verifier is able to check thecorrectness of block m′ without knowing block m1and m2 . Non-malleability Given σ1 and σ2 , two randomvalues α1 , α2 Zp and a block m′ α1 m1 α2 m2 Zp , a user, who does not have private key sk, is notable to generate a valid signature σ ′ on block m′ bylinearly combining signature σ1 and σ2 .Blockless verifiability allows a verifier to audit thecorrectness of data stored in the cloud server with aspecial block, which is a linear combination of all theblocks in data. If the integrity of the combined block iscorrect, then the verifier believes that the integrity of theentire data is correct. In this way, the verifier does notneed to download all the blocks to check the integrityof data. Non-malleability indicates that an adversarycannot generate valid signatures on arbitrary blocks bylinearly combining existing signatures.4 N EW R ING S IGNATURE S CHEME4.1 OverviewAs we introduced in previous sections, we intend toutilize ring signatures to hide the identity of the signeron each block, so that private and sensitive informationof the group is not disclosed to public verifiers. However,traditional ring signatures [21], [28
IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. X, NO. X, XXXX 201X 1 . on Cloud Computing (IEEE Cloud 2012). The main reason is that the size of cloud data is large in general. Downloading the entire cloud data to verify data i
IEEE 3 Park Avenue New York, NY 10016-5997 USA 28 December 2012 IEEE Power and Energy Society IEEE Std 81 -2012 (Revision of IEEE Std 81-1983) Authorized licensed use limited to: Australian National University. Downloaded on July 27,2018 at 14:57:43 UTC from IEEE Xplore. Restrictions apply.File Size: 2MBPage Count: 86Explore furtherIEEE 81-2012 - IEEE Guide for Measuring Earth Resistivity .standards.ieee.org81-2012 - IEEE Guide for Measuring Earth Resistivity .ieeexplore.ieee.orgAn Overview Of The IEEE Standard 81 Fall-Of-Potential .www.agiusa.com(PDF) IEEE Std 80-2000 IEEE Guide for Safety in AC .www.academia.eduTesting and Evaluation of Grounding . - IEEE Web Hostingwww.ewh.ieee.orgRecommended to you b
IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. XX, NO. XX, MONTH YEAR 1 Cost-Aware Multimedia Data Allocation for Heterogeneous Memory Using Genetic Algorithm in Cloud Computing Keke Gai, Student Member, IEEE, Meikang Qiu, Member, IEEE, Hui Zhao Student Member, IEEE Abstract—Recent expansions of Internet-of-Things (IoT) applying cloud computing .
IEEE Transactions on Cloud Computing IEEE TRANSACTIONS ON CLOUD COMPUTING 1 xxxx Application-Aware Big Data Deduplication in Cloud Environment . Yinjin Fu, Nong Xiao, Hong Jiang, Fellow, IEEE, Guyu Hu, and Weiwei Chen. Abstract —Deduplication has become a widely deployed technology in cloud
Signal Processing, IEEE Transactions on IEEE Trans. Signal Process. IEEE Trans. Acoust., Speech, Signal Process.*(1975-1990) IEEE Trans. Audio Electroacoust.* (until 1974) Smart Grid, IEEE Transactions on IEEE Trans. Smart Grid Software Engineering, IEEE Transactions on IEEE Trans. Softw. Eng.
10.1109/TCC.2014.2350475, IEEE Transactions on Cloud Computing IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. XX, NO. YY, MONTH 2014 1 Workload Prediction Using ARIMA Model and Its Impact on Cloud Applications’ QoS Rodrigo N. Calheiros, Enayat Masoumi, Rajiv Ranjan, Rajkumar Buyya Abstract—As companies shift from d
IEEE Transactions on Cloud Computing IEEE Transactions on Cloud Computing (TCC) publishes peer reviewed articles that provide innovative research ideas and applications results in all areas relating to cloud computing. Topics relating
Chapter 10 Cloud Computing: A Paradigm Shift 118 119 The Business Values of Cloud Computing Cost savings was the initial selling point of cloud computing. Cloud computing changes the way organisations think about IT costs. Advocates of cloud computing suggest that cloud computing will result in cost savings through
Curriculum Framework. In addition, the Enhanced Scope and Sequence provides teachers with sample lesson plans aligned with the standards and their related essential understandings, knowledge, and skills. School divisions and teachers can use the Enhanced Scope and Sequence as a resource for developing sound curricular and instructional programs. These materials are intended as examples of ways .
