This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
1

An Efficient and Secure Dynamic Auditing

Protocol for Data Storage in Cloud Computing
Kan Yang, Student Member, IEEE, Xiaohua Jia, Senior Member, IEEE

Abstract—In cloud computing, data owners host their data on cloud servers and users (data consumers) can access the data
from cloud servers. Due to the data outsourcing, however, this new paradigm of data hosting service also introduces new security
challenges, which requires an independent auditing service to check the data integrity in the cloud. Some existing remote integrity
checking methods can only serve for static archive data and thus cannot be applied to the auditing service since the data in the
cloud can be dynamically updated. Thus, an efficient and secure dynamic auditing protocol is desired to convince data owners
that the data are correctly stored in the cloud. In this paper, we first design an auditing framework for cloud storage systems
and propose an efficient and privacy-preserving auditing protocol. Then, we extend our auditing protocol to support the data
dynamic operations, which is efficient and provably secure in the random oracle model. We further extend our auditing protocol
to support batch auditing for both multiple owners and multiple clouds, without using any trusted organizer. The analysis and
simulation results show that our proposed auditing protocols are secure and efficient, especially it reduce the computation cost
of the auditor.

Index Terms—Storage Auditing, Dynamic Auditing, Privacy-Preserving Auditing, Batch Auditing, Cloud Computing.

1 I NTRODUCTION protocol should have the following properties: 1) Confi-

Cloud storage is an important service of cloud computing
[1], which allows data owners (owners) to move data from
their local computing systems to the cloud. More and more
owners start to store the data in the cloud [2]. However,
this new paradigm of data hosting service also introduces
new security challenges [3]. Owners would worry that the
data could be lost in the cloud. This is because data loss
could happen in any infrastructure, no matter what high
degree of reliable measures cloud service providers would
take [4]–[8]. Sometimes, cloud service providers might be
dishonest. They could discard the data which has not been
accessed or rarely accessed to save the storage space and
claim that the data are still correctly stored in the cloud.
Therefore, owners need to be convinced that the data are
correctly stored in the cloud.
Traditionally, owners can check the data integrity based
on two-party storage auditing protocols [9]–[17]. In cloud
storage system, however, it is inappropriate to let either
side of cloud service providers or owners conduct such
auditing, because none of them could be guaranteed to
provide unbiased auditing result. In this situation, third
party auditing is a natural choice for the storage auditing
in cloud computing. A third party auditor (auditor) that has
expertise and capabilities can do a more efficient work and
convince both cloud service providers and owners.
For the third party auditing in cloud storage systems,
there are several important requirements which have been
proposed in some previous works [18], [19]. The auditing
• Kan Yang and Xiaohua Jia are with the Department of Computer
Science, City University of Hong Kong, Kowloon, Hong Kong
Email:
dentiality. The auditing protocol should keep owner’s data
confidential against the auditor. 2) Dynamic Auditing. The
auditing protocol should support the dynamic updates of
the data in the cloud. 3) Batch Auditing. The auditing
protocol should also be able to support the batch auditing
for multiple owners and multiple clouds.
Recently, several remote integrity checking protocols
were proposed to allow the auditor to check the data
integrity on the remote server [20]–[28]. Table 1 gives
the comparisons among some existing remote integrity
checking schemes in terms of the performance, the privacy
protection, the support of dynamic operations and the batch
auditing for multiple owners and multiple clouds. From
Table 1, we can find that many of them are not privacy-
preserving or cannot support the data dynamic operations,
so that they cannot be applied to cloud storage systems.
In [23], the authors proposed a dynamic auditing protocol
that can support the dynamic operations of the data on the
cloud servers, but this method may leak the data content
to the auditor because it requires the server to send the
linear combinations of data blocks to the auditor. In [24],
the authors extended their dynamic auditing scheme to be
privacy-preserving and support the batch auditing for multi-
ple owners. However, due to the large number of data tags,
their auditing protocols may incur a heavy storage overhead
on the server. In [25], Zhu et al. proposed a cooperative
provable data possession scheme that can support the batch
auditing for multiple clouds and also extend it to support
the dynamic auditing in [26]. However, their scheme cannot
support the batch auditing for multiple owners. That is
because parameters for generating the data tags used by

[email protected], [email protected] each owner are different and thus they cannot combine
the data tags from multiple owners to conduct the batch

Digital Object Indentifier 10.1109/TPDS.2012.278 1045-9219/12/$31.00 © 2012 IEEE

 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
2

TABLE 1
Comparison of Remote Integrity Checking Schemes

Computation Batch Operation

Commu- Prob. of
Scheme Privacy Dynamic multi- multi-
Sever Verifier nication Detection
owner cloud
PDP [20] O(t) O(t) O(1) Yes No No No 1 − (1 − ρ)t
CPDP [21] O(t + s) O(t + s) O(t + s) No No No No 1 − (1 − ρ)ts
DPDP [22] O(t log n) O(t log n) O(t log n) No No No No 1 − (1 − ρ)t
Audit [23], [24] O(t log n) O(t log n) O(t log n) Yes Yes Yes No 1 − (1 − ρ)t
IPDP [25], [26] O(ts) O(t + s) O(t + s) Yes Yes No Yes 1 − (1 − ρ)ts
Our Scheme O(ts) O(t) O(t) Yes Yes Yes Yes 1 − (1 − ρ)ts
n is the total number of data blocks of a file; t is the number of challenged data blocks in an auditing query;
s is the number of sectors in each data block; ρ is the probability of block/sector corruption (suppose the
probability of corruption is the same for the equal size of data block or sector)

auditing. Another drawback is that their scheme requires
an additional trusted organizer to send a commitment to the
auditor during the multi-cloud batch auditing, because their
scheme applies the mask technique to ensure the data pri-
vacy. However, such additional organizer is not practical in
cloud storage systems. Furthermore, both Wang’s schemes
and Zhu’s schemes incur heavy computation cost of the
auditor, which makes the auditor a performance bottleneck.
In this paper, we propose an efficient and secure dynamic
auditing protocol, which can meet the above listed require-
ments. To solve the data privacy problem, our method is
to generate an encrypted proof with the challenge stamp
by using the Bilinearity property of the bilinear pairing,
such that the auditor cannot decrypt it but can verify the
correctness of the proof. Without using the mask technique,
our method does not require any trusted organizer during
the batch auditing for multiple clouds. On the other hand,
in our method, we let the server compute the proof as
an intermediate value of the verification, such that the
auditor can directly use this intermediate value to verify the
correctness of the proof. Therefore, our method can greatly
reduce the computing loads of the auditor by moving it to
the cloud server.
Our original contributions can be summarized as follows.
1) We design an auditing framework for cloud storage
systems and propose a privacy-preserving and effi-
cient storage auditing protocol. Our auditing proto-
col ensures the data privacy by using cryptography
method and the Bilinearity property of the bilinear
pairing, instead of using the mask technique. Our
auditing protocol incurs less communication cost
not require any additional trusted organizer. The
multi-owner batch auditing can greatly improve the
auditing performance, especially in large scale cloud
storage systems.
The remaining of this paper is organized as follows. In
Section 2, we describe definitions of the system model and
security model. In Section 3, we propose an efficient and
inherently secure auditing protocol and extend it to support
the dynamic auditing in Section 4. We further extend our
auditing protocol to support the batch auditing for multiple
owners and multiple clouds in Section 5. Section 6 give the
performance analysis of our proposed auditing protocols in
terms of communication cost and computation cost. The
security proof will be shown in the supplemental file. In
Section 7, we give the related work on storage auditing.
Finally, the conclusion is given in Section 8.
2 P RELIMINARIES AND D EFINITIONS
In this section, we first describe the system model and give
the definition of storage auditing protocol. Then, we define
the threat model and security model for storage auditing
system.
2.1 Definition of System Model
&KDOOHQJH
$XGLWRU 6HUYHUV
3URRI
Q
WLR
,Q

D
LWL

between the auditor and the server. It also reduces OL]

DO

D
L]

the computing loads of the auditor by moving it to LWL

DW

,Q
LR
Q

the server. 2ZQHUV

2) We extend our auditing protocol to support the data
dynamic operations, which is efficient and provably
secure in the random oracle model. Fig. 1. System Model of the Data Storage Auditing
3) We further extend our auditing protocol to support
batch auditing for not only multiple clouds but also We consider an auditing system for cloud storage as
multiple owners. Our multi-cloud batch auditing does shown in Fig.1, which involves data owners (owner), the
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
cloud server (server) and the third party auditor (auditor).
The owners create the data and host their data in the cloud.
The cloud server stores the owners’ data and provides the
data access to users (data consumers). The auditor is a
trusted third party that has expertise and capabilities to
provide data storage auditing service for both the owners
and servers. The auditor can be a trusted organization
managed by the government, which can provide unbiased
auditing result for both data owners and cloud servers.
Before describing the auditing protocol definition, we
first define some notations as listed in Table 2.
TABLE 2
Notations
Symbol Physical Meaning
skt secret tag key
pkt public tag key
skh secret hash key
M data component
T set of data tags
n number of blocks in each component
s number of sectors in each data block
Minfo abstract information of M
C challenge generated by the auditor
P proof generated by the server
Definition 1 (Storage Auditing Protocol). A storage au-
diting protocol consists of the following five algorithms:
KeyGen, TagGen, Chall, Prove and Verify.
KeyGen(λ ) → (skh , skt , pkt ). This key generation algorithm
takes no input other than the implicit security parameter λ .
It outputs a secret hash key skh and a pair of secret-public
tag key (skt , pkt ).
TagGen(M, skt , skh ) → T . The tag generation algorithm
takes as inputs an encrypted file M, the secret tag key skt
and the secret hash key skh . For each data block mi , it
computes a data tag ti based on skh and skt . It outputs a
set of data tags T = {ti }i∈[1,n] .
Chall(Minfo ) → C. The challenge algorithm takes as input
the abstract information of the data Minfo (e.g., file identity,
total number of blocks, version number and timestamp etc.).
It outputs a challenge C.
Prove(M, T, C) → P. The prove algorithm takes as inputs
the file M, the tags T and the challenge from the auditor
C. It outputs a proof P.
Verify(C, P, skh , pkt , Minfo ) → 0/1. The verification algo-
rithm takes as inputs the P from the server, the secret hash
key skh , the public tag key pkt and the abstract information
of the data Minfo . It outputs the auditing result as 0 or 1.
2.2 Definition of Security Model
We assume the auditor is honest-but-curious. It performs
honestly during the whole auditing procedure but it is
curious about the received data. But the sever could be
dishonest and may launch the following attacks:
3
1) Replace Attack. The server may choose another valid
and uncorrupted pair of data block and data tag
(mk ,tk ) to replace the challenged pair of data block
and data tag (mi ,ti ), when it already discarded mi or
ti .
2) Forge Attack. The server may forge the data tag of
data block and deceive the auditor, if the owner’s
secret tag keys are reused for the different versions
of data.
3) Replay Attack. The server may generate the proof
from the previous proof or other information, without
retrieving the actual owner’s data.
3 E FFICIENT AND P RIVACY - PRESERVING
AUDITING P ROTOCOL
In this section, we first present some techniques we ap-
plied in the design of our efficient and privacy-preserving
auditing protocol. Then, we describe the algorithms and
the detailed construction of our auditing protocol for cloud
storage systems. The correctness proof will be shown in
the supplemental file.
3.1 Overview of Our Solution
The main challenge in the design of data storage auditing
protocol is the data privacy problem (i.e., the auditing pro-
tocol should protect the data privacy against the auditor.).
This is because: 1) For public data, the auditor may obtain
the data information by recovering the data blocks from the
data proof. 2) For encrypted data, the auditor may obtain
content keys somehow through any special channels and
could be able to decrypt the data. To solve the data privacy
problem, our method is to generate an encrypted proof with
the challenge stamp by using the Bilinearity property of the
bilinear pairing, such that the auditor cannot decrypt it. But
the auditor can verify the correctness of the proof without
decrypting it.
Although the auditor has sufficient expertise and ca-
pabilities to conduct the auditing service, the computing
ability of an auditor is not as strong as cloud servers.
Since the auditor needs to audit for many cloud servers
and a large number of data owners, the auditor could be the
performance bottleneck. In our method, we let the server
compute the proof as an intermediate value of the verifi-
cation (calculated by the challenge stamp and the linear
combinations of data blocks), such that the auditor can
use this intermediate value to verify the proof. Therefore,
our method can greatly reduce the computing loads of the
auditor by moving it to the cloud server.
To improve the performance of an auditing system, we
apply the Data Fragment Technique and Homomorphic
Verifiable Tags in our method. The data fragment technique
can reduce number of data tags, such that it can reduce the
storage overhead and improve the system performance. By
using the homomorphic verifiable tags, no matter how many
data blocks are challenged, the server only responses the
sum of data blocks and the product of tags to the auditor,
whose size is constant and equal to only one data block.
Thus, it reduces the communication cost.
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
3.2 Algorithms for Auditing Protocol
Suppose a file F has m data components as F =
(F1 , · · · , Fm ). Each data component has its physical mean-
ings and can be updated dynamically by the data owners.
For public data components, the data owner does not need
to encrypted it, but for private data component, the data
owner needs to encrypt it with its corresponding key.
Each data component Fk is divided into nk data blocks
denoted as Fk = (mk1 , mk2 , · · · , mknk ). Due to the security
reason, the data block size should is restricted by the
security parameter. For example, suppose the security level
is set to be 160-bit (20Byte), the data block size should be
20-Byte. A 50-KByte data component will be divided into
2500 data blocks and generate 2500 data tags, which incurs
50-KByte storage overhead.
By using the data fragment technique, we further split
each data block into sectors. The sector size is restricted
by the security parameter. We generate one data tag for each
data block which consists of s sectors, such that less data
tags are generated. In the same example above, a 50 KByte
data component only incurs 50/s KByte storage overhead.
In real storage systems, the data block size can be various.
That is different data blocks could have different number of
sectors. For example, if a data block mi will be frequently
read, then si could be large, but for those frequently updated
data blocks, si could be relatively small.
For simplicity, we only consider one data component in
our construction and constant number of sectors for each
data block. Suppose there is a data component M, which
is divided into n data blocks and each data block is further
split into s sectors. For data blocks that have different
number of sectors, we first select the maximum number of
sectors smax among all the sector numbers si . Then, for each
data block mi with si sectors, si < smax , we simply consider
that the data block mi has smax sectors by setting mi j = 0 for
si < j ≤ smax . Because the size of each sector is constant
and equal to the security parameter p, we can calculate
f (M)
the number of data blocks as n = sizeo s·log p . We denote the
encrypted data component as M = {mi j }i∈[1,n], j∈[1,s] .
Let G1 , G2 and GT be the multiplicative groups with
the same prime order p and e : G1 × G2 → GT be the
bilinear map. Let g1 and g2 be the generators of G1 and G2
respectively. Let h : {0, 1}∗ → G1 be a keyed secure hash
function that maps the Minfo to a point in G1 .
Our storage auditing protocol consists of the following
algorithms:
KeyGen(λ ) → (pkt , skt , skh ). The key generation algorithm
takes no input other than the implicit security parameter λ .
It chooses two random number skt , skh ∈ Z p as the secret
tag key and the secret hash key. It outputs the public tag
key as pkt = gsk 2 ∈ G2 , the secret tag key skt and the secret
t
hash key skh .
TagGen(M, skt , skh ) → T . The tag generation algorithm
takes each data component M, the secret tag key skt and
the secret hash key skh as inputs. It first chooses s random
x
values x1 , x2 , · · · , xs ∈ Z p and computes u j = g1 j ∈ G1 for
all j ∈ [1, s]. For each data block mi (i ∈ [1, n]), it computes
4
a data tag ti as
s
ti = (h(skh ,Wi ) · ∏ u j i j )skt ,
m
j=1
where Wi = FID||i (the “||” denotes the concatenation
operation), in which FID is the identifier of the data and
i represents the block number of mi . It outputs the set of
data tags T = {ti }i∈[1,n] .
Chall(Minfo ) → C. The challenge algorithm takes the ab-
stract information of the data Minfo as the input. It selects
some data blocks to construct the Challenge Set Q and
generates a random number vi ∈ Z∗p for each chosen data
block mi (i ∈ Q). Then, it computes the challenge stamp
R = (pkt )r by randomly choosing a number r ∈ Z∗p . It
outputs the challenge as C = ({i, vi }i∈Q , R).
Prove(M, T, C) → P. The prove algorithm takes as inputs
the data M and the received challenge C = ({i, vi }i∈Q , R).
The proof consists of the tag proof T P and the data proof
DP. The tag proof is generated as
T P = ∏ tivi .
i∈Q
To generate the data proof, it first computes the sector linear
combination of all the challenged data blocks MPj for each
j ∈ [1, s] as
MPj = ∑ vi · mi j .
i∈Q
Then, it generates the data proof DP as
s
DP = ∏ e(u j , R)MPj .
j=1
It outputs the proof P = (T P, DP).
Verify(C, P, skh , pkt , Minfo ) → 0/1. The verification algo-
rithm takes as inputs the challenge C, the proof P, the
secret hash key skh , the public tag key pkt and the abstract
information of the data component. It first computes the
identifier hash values h(skh ,Wi ) of all the challenged data
blocks and computes the challenge hash Hchal as
Hchal = ∏ h(skh ,Wi )rvi .
i∈Q
It then verifies the proof from the server by the following
verification equation:
DP · e(Hchal , pkt ) = e(T P, gr2 ). (1)
If the above verification equation Eq.1 holds, it outputs 1.
Otherwise, it outputs 0.
3.3 Construction of Our Privacy-preserving Au-
diting Protocol
As illustrated in Fig. 2, our storage auditing protocol
consists of three phases: Owner Initialization, Confirmation
Auditing and Sampling Auditing. During the system initial-
ization, the owner generates the keys and the tags for the
data. After storing the data on the server, the owner asks
the auditor to conduct the confirmation auditing to make
sure that their data is correctly stored on the server. Once
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
5

confirmed, the owner can choose to delete the local copy of Phase 3: Sampling Auditing
the data. Then, the auditor conducts the sampling auditing The auditor will carry out the sampling auditing peri-
periodically to check the data integrity. odically by challenging a sample set of data blocks. The
frequency of taking auditing operation depends on the
$XGLWRU 2ZQHU 6HUYHU service agreement between the data owner and the auditor
(and also depends on how much trust the data owner has
C]q?]f  kc` 3 kcl 3 hcl !
over the server). Similar to the confirmation auditing in
2ZQHU
LY_?]f E3 kcl3 kc`!  L Phase 2, the sampling auditing procedure also contains two-
,QLWLDOL]DWLRQ
Eaf^g 3 kc` 3 hcl ! E3 L ! way communication as illustrated in Fig. 2.
Suppose each sector will be corrupted with a probability
;`Ydd Eaf^g !  ; ; of ρ on the server. For a sampling auditing involved with t
&RQILUPDWLRQ &KDOOHQJH challenged data blocks, the probability of detection can be
$XGLWLQJ Hjgn] E3 L3 ;!  H
H calculated as
3URRI
N]ja^q ;3 H3 kc` 3 hcl !  (5)
Pr(t, s) = 1 − (1 − ρ)t·s .
5HVXOW

That is this t-block sampling auditing can detect any data

;`Ydd Eaf^g !  ; ;
6DPSOLQJ &KDOOHQJH
$XGLWLQJ Hjgn] E3 L3 ;!  H
H
3URRI
N]ja^q ;3 H3 kc` 3 hcl !  (5)
Fig. 2. Framework of Our Privacy-preserving Auditing
Protocol
Phase 1: Owner Initialization
The owner runs the key generation algorithm KeyGen to
generate the secret hash key skh , the pair of secret-public
tag key (skt , pkt ). Then, it runs the tag generation algorithm
TagGen to compute the data tags. After all the data tags
are generated, the owner sends each data component M =
{mi }i∈[1,n] and its corresponding data tags T = {ti }i∈[1,n] to
the server together with the set of parameters {u j } j∈[1,s] .
The owner then sends the public tag key pkt , the secret
hash key skh and the abstract information of the data Minfo
to the auditor, which includes the data identifier FID, the
total number of data blocks n.
Phase 2: Confirmation Auditing
In our auditing construction, the auditing protocol only
involves two-way communication: Challenge and Proof.
During the confirmation auditing phase, the owner requires
the auditor to check whether the owner’s data is correctly
stored on the server. The auditor conducts the confirmation
auditing phase as
1) The auditor runs the challenge algorithm Chall to
generate the challenge C for all the data blocks in
the data component and sends the C = ({i, vi }i∈Q , R)
to the server.
2) Upon receiving the challenge C from the auditor, the
server runs the prove algorithm Prove to generate the
proof P = (T P, DP) and sends it back to the auditor.
3) When the auditor receives the proof P from the
server, it runs the verification algorithm Verify to
check the correctness of P and extract the auditing
result.
The auditor then sends the auditing result to the owner. If
the result is true, the owner is convinced that its data is
correctly stored on the server and it may choose to delete
the local version of the data.
corruption with a probability of Pr(t, s).
4 S ECURE DYNAMIC AUDITING
In cloud storage systems, the data owners will dynamically
update their data. As an auditing service, the auditing proto-
col should be designed to support the dynamic data, as well
as the static archive data. However, the dynamic operations
may make the auditing protocols insecure. Specifically, the
server may conduct two following attacks: 1) Replay Attack.
The server may not update correctly the owner’s data on
the server and may use the previous version of the data to
pass the auditing. 2) Forge Attack. When the data owner
updates the data to the current version, the server may get
enough information from the dynamic operations to forge
the data tag. If the server could forge the data tag, it can
use any data and its forged data tag to pass the auditing.
4.1 Our Solution
To prevent the replay attack, we introduce an Index Table
(ITable) to record the abstract information of the data. The
ITable consists of four components: Index, Bi , Vi and Ti .
The Index denotes the current block number of data block
mi in the data component M. Bi denotes the original block
number of data block mi and Vi denotes the current version
number of data block mi . Ti is the timestamp used for
generating the data tag.
This ITable is created by the owner during the owner
initialization and managed by the auditor. When the owner
completes the data dynamic operations, it sends an update
message to the auditor for updating the ITable which is
stored on the auditor. After the confirmation auditing, the
auditor sends the result to the owner for the confirmation
that the owner’s data on the server and the abstraction infor-
mation on the auditor are both up-to-date. This completes
the data dynamic operation.
To deal with the forge attack, we can modify the tag
generation algorithm TagGen. Specifically, when generat-
ing the data tag ti for the data block mi , we insert all
the abstract information into the data tag by setting Wi =
FID||i||Bi ||Vi ||Ti , such that the server cannot get enough
information to forge the data tag from dynamic operations.
The detailed proof will be given in the supplemental file. ?
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
6

TABLE 3
ITable of the Abstract Information of Data M
(c) After inserting before m2 , all items (d) After deleting m2 , all items
(a) Initial Abstract Information (b) After modifying m2 , V2 and before m2 move backward with the after m2 move forward with the
of M. T2 are updated index increased by 1. index decreased by 1.
Index Bi Vi Ti Index Bi Vi Ti Index Bi Vi Ti Index Bi Vi Ti
1 1 1 T1 1 1 1 T1 1 1 1 T1 1 1 1 T1
2 2 1 T2 2 2 2 T2∗ 2 n+1 1 Tn+1 2 3 1 T3
3 3 1 T3 3 3 1 T3 3 2 1 T2 3 4 1 T4
.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
. . . . . . . . . . . . . . . .
n n 1 Tn n n 1 Tn n+1 n 1 Tn n−1 n 1 Tn

4.2 Algorithms and Constructions for Dynamic message Msgmodi f y = (i, Bi ,Vi∗ , Ti∗ ). Then, it sends the new
Auditing pair of data block and tag (m∗i ,ti∗ ) to the server and sends
The dynamic auditing protocol consists of four phases: the update message Msgmodi f y to the auditor.
Owner Initialization, Confirmation Auditing, Sampling Au- Insert(m∗i , skt , skh ) → (Msginsert ,ti∗ ). The insertion algo-
diting and Dynamic Auditing. rithm takes as inputs the new data block m∗i , the secret tag
key skt and the secret hash key skh . It inserts a new data
$XGLWRU 2ZQHU 6HUYHU block m∗i before the i-th position. It generates an original
number B∗i , a new version number Vi∗ and a new timestamp
Eg\a^q e{a 3 kcl 3 kc` !  Ek_eg\a^q 3 l{a !
Ti∗ . Then, it calls the TagGen to generate a new data tag ti∗
'DWD 5Afk]jl e{a 3 kcl 3 kc` !  Ek_afk]jl 3 l{a !
8SGDWH 5<]d]l] ea !  Ek_\]d]l] for the new data block m∗i . It outputs the new tag ti∗ and the
Ek_eg\a^q 5Ek_afk]jl
update message Msginsert = (i, B∗i ,Vi∗ , Ti∗ ). Then, it inserts
e{a 3 l{a !
5Ek_\]d]l] the new pair of data block and tag (m∗i ,ti∗ ) on the server
and sends the update message Msginsert to the auditor.
,QGH[ Aeg\a^q Ek_eg\a^q ! Delete(mi ) → Msgdelete . The deletion algorithm takes as
8SGDWH 5Aafk]jl Ek_afk]jl ! input the data block mi . It outputs the update message
5A\]d]l] Ek_\]d]l] !
Msgdelete = (i, Bi ,Vi , Ti ). It then deletes the pair of data
{ {
block and its tag (mi ,ti ) from the server and sends the
;`Ydd Eaf^ g!  ; ;{ update message Msgdelete to the auditor.
&KDOOHQJH
8SGDWH Hjgn] E { 3 L { 3 ; { !  H { Step 2: Index Update
&RQILUPDWLRQ H{
3URRI Upon receiving the three types of update messages, the
N]ja^q ; { 3 H { 3 kc` 3 hcl !  (5) auditor calls three corresponding algorithms to update the
5HVXOW
ITable. Each algorithm is designed as follows.
IModify(Msgmodi f y ). The index modification algorithm
Fig. 3. Framework of Auditing for Dynamic Operations takes the update message Msgmodi f y as input. It replaces
the version number Vi by the new one Vi∗ and modifies Ti
The first three phases are similar to our privacy- by the new timestamp Ti∗ .
preserving auditing protocol as described in the above IInsert(Msginsert ). The index insertion algorithm takes as
section. The only differences are the tag generation algo- input the update message Msginsert . It inserts a new record
rithm TagGen and the ITable generation during the owner (i, B∗i ,Vi∗ , Ti∗ ) in i-th position in the ITable. It then moves
initialization phase. Here, as illustrated in Fig. 3, we only the original i-th record and other records after the i-th
describe the dynamic auditing phase, which contains three position in the previous ITable backward in order, with the
steps: Data Update, Index Update and Update Confirmation. index number increased by one.
Step 1: Data Update IDelete(Msgdelete ). The index deletion algorithm takes as
There are three types of data update operations that can input the update message Msgdelete . It deletes the i-th record
be used by the owner: Modification, Insertion and Deletion. (i, Bi ,Vi , Ti ) in the ITable and all the records after the i-th
For each update operation, there is a corresponding algo- position in the original ITable moved forward in order, with
rithm in the dynamic auditing to process the operation and the index number decreased by one.
facilitate the future auditing, defined as follows. Table 3 shows the change of ITable according to the
Modify(m∗i , skt , skh ) → (Msgmodi f y ,ti∗ ). The modification different type of data update operation. Table 3(a) describe
algorithm takes as inputs the new version of data block the initial table of the data M = {m1 , m2 , · · · , mn } and Table
m∗i , the secret tag key skt and the secret hash key skh . It 3(b) describes the ITable after m2 is updated. Table 3(c) is
generates a new version number Vi∗ , new timestamp Ti∗ the ITable after a new data block is insert before m2 and
and calls the TagGen to generate a new data tag ti∗ for Table 3(d) shows the ITable after m2 is deleted.
data block m∗i . It outputs the new tag ti∗ and the update Step 3: Update Confirmation
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
After the auditor updates the ITable, it conducts a con-
firmation auditing for the updated data and sends the result
to the owner. Then, the owner can choose to delete the
local version of data according to the update confirmation
auditing result.
5 BATCH AUDITING FOR M ULTI - OWNER
AND M ULTI - CLOUD
Data storage auditing is a significant service in cloud
computing which helps the owners check the data integrity
on the cloud servers. Due to the large number of data
owners, the auditor may receive many auditing requests
from multiple data owners. In this situation, it would greatly
improve the system performance, if the auditor could
combine these auditing requests together and only conduct
the batch auditing for multiple owners simultaneously. The
previous work [25] cannot support the batch auditing for
multiple owners. That is because parameters for generating
the data tags used by each owner are different and thus the
auditor cannot combine the data tags from multiple owners
to conduct the batch auditing.
On the other hand, some data owners may store their data
on more than one cloud servers. To ensure the owner’s data
integrity in all the clouds, the auditor will send the auditing
challenges to each cloud server which hosts the owner’s
data, and verify all the proofs from them. To reduce the
computation cost of the auditor, it is desirable to combine
all these responses together and do the batch verification.
In the previous work [25], the authors proposed a coop-
erative provable data possession for integrity verification in
multi-cloud storage. In their method, the authors apply the
mask technique to ensure the data privacy, such that it re-
quires an additional trusted organizer to send a commitment
to the auditor during the commitment phase in multi-cloud
batch auditing. In our method, we apply the encryption
method with the Bilinearity property of the bilinear pairing
to ensure the data privacy, rather than the mask technique.
Thus, our multi-cloud batch auditing protocol does not have
any commitment phase, such that our method does not
require any additional trusted organizer.
5.1 Algorithms for Batch Auditing for Multi-owner
and multi-cloud
Let O be the set of owners and S be the set of cloud servers.
The batch auditing for multi-owner and multi-cloud can be
constructed as follows.
Phase 1: Owner Initialization
Each owner Ok (k ∈ O) runs the key generation algo-
rithm KeyGen to generate the pair of secret-public tag key
(skt,k , pkt,k ) and a set of secret hash key {skh,kl }l∈S . That
is, for different cloud servers, the owner has different secret
hash keys. We denote each data component as Mkl , which
means that this data component is owned by the owner
Ok and stored on the cloud server Sl . Suppose the data
component Mkl is divided into nkl data blocks and each
data block is further split into s sectors. (Here we assume
that each data block is further split into the same number
7
of sectors. We can use the similar technique proposed in
Section 3.2 to deal with the situation that each data blocks
is split into different number of sectors. ) The owner Ok
runs the tag generation algorithm TagGen to generate the
data tags Tkl = {tkl,i }i∈[1,nkl ] as
s
m
tkl,i = (h(skh,kl ,Wkl,i ) · ∏ uk,kl,i
j )
j skt,k
.
j=1
where Wkl,i = FIDkl ||i||Bkl,i ||Vkl,i ||Tkl,i .
After all the data tags are generated, each owner Ok (k ∈
O) sends the data component Mkl = {mkl,i j }k∈O,l∈S
i∈[1,n ], j∈[1,s]kl
and the data tags Tkl = {tkl,i }k∈O,l∈S to the corresponding
i∈[1,nkl ]
server Sl . Then, it sends the public tag key pkt,k , the set of
secret hash key {skhl,k }l∈S , the abstract information of data
{Minfo,kl }k∈O,l∈S to the auditor.
Phase 2: Batch Auditing for Multi-owner and Multi-
Cloud
Let Ochal and Schal denote the involved set of owners and
cloud servers involved in the batch auditing respectively.
The batch auditing also consists of three steps: Batch
Challenge, Batch Proof and Batch Verification.
Step 1: Batch Challenge
During this step, the auditor runs the batch challenge
algorithm BChall to generate a batch challenge C for a set
of challenged owners Ochal and a set of clouds Schal . The
batch challenge algorithm is defined as follows.
BChall({Minfo,kl }k∈O,l∈S ) → C. The batch challenge algo-
rithm takes all the abstract information as input. It selects a
set of owners Ochal and a set of cloud servers Schal . For each
data owner Ok (k ∈ Ochal ), it chooses a set of data blocks
as the challenged subset Qkl from each server Sl (l ∈ Schal ).
It then generates a random number vkl,i for each chosen
data block mkl,i (k ∈ Ochal , l ∈ Schal , i ∈ Qkl ). It also chooses
a random number r ∈ Z∗p and computes the set of challenge
stamp {Rk }k∈Ochal =pkt,k
r . It outputs the challenge as
C = ({Cl }l∈Schal , {Rk }k∈Ochal ),
where Cl = {(k, l, i, vkl,i )}k∈Ochal .
Then, the auditor sends each Cl to each cloud server
Sl (l ∈ Schal ) together with the challenge stamp {Rk }k∈Ochal .
Step 2: Batch Proof
Upon receiving the challenge, each server Sl (l ∈ Schal )
generates a proof Pl = (T Pl , DPl ) by using the following
batch prove algorithm BProve and sends the proof Pl to
the auditor.
BProve({Mkl }k∈Ochal , {Tkl }k∈Ochal , Cl , {Rk }k∈Ochal ) → Pl .
The batch prove algorithm takes as inputs the data
{Mkl }k∈Ochal , the data tags {Tkl }k∈Ochal , the received
challenge Cl and the challenge stamp {Rk }k∈Ochal . It
generates the tag proof T Pl as
v
T Pl = ∏ ∏ tkl,ikl,i .
k∈Ochal i∈Qkl
Then, for each j ∈ [1, s], it computes the sector linear
combination MPkl, j of all the chosen data blocks of each
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
owner Ok (k ∈ Ochal ) as
MPkl, j = ∑ vkl,i · mkl,i j ,
i∈Qkl
and generates the data proof DPl as
s
DPl = ∏
∏ e(uk, j , Rk )MPkl, j .
j=1 k∈Ochal
It outputs the proof Pl = (T Pl , DPl ).
Step 3: Batch Verification
Upon receiving all the proofs from the challenged
servers, the auditor runs the following batch verification
algorithm BVerify to check the correctness of the proofs.
BVerify(C, {Pl }, {skh,lk }, {pkt,k }, {Min f o,kl }) → 0/1. The
batch verification algorithm takes as inputs the chal-
lenge C, the proofs {Pl }l∈Schal , the set of secret hash
keys {skh,kl }k∈Ochal ,l∈Schal , the public tag keys {pkt,k }k∈Ochal
and the abstract information of the challenged data
blocks {Min f o,kl }k∈Ochal ,l∈Schal . For each owner Ok (k ∈
Ochal ), it computes the set of identifier hash values
{h(skh,kl ,Wkl,i )}l∈Schal ,i∈Qkl for all the chosen data blocks
from each challenged server, and use these hash values to
compute a challenge hash Hchal,k as
Hchal,k = ∏ ∏ h(skh,kl ,Wkl,i )rvkl,i .
l∈Schal i∈Qkl
When finished the calculation of all the data owners’
challenge hash {Hchal,k }k∈Ochal , it verifies the proofs by the
batch verification equation as
e(∏l∈Schal T Pl , gr2 )
∏ DPl =
∏k∈Ochal e(Hchal,k , pkt,k )
. (2)
l∈Schal
If Eq.2 is true, it outputs 1. Otherwise, it outputs 0.
6 P ERFORMANCE A NALYSIS OF
DITING P ROTOCOLS
Storage auditing is a very resource demanding service in
terms of computational resource, communication cost and
memory space. In this section, we give the communication
cost comparison and computation complexity comparison
between our scheme and two existing works: the Audit
protocol proposed by Wang et al. [23], [24] and the IPDP
proposed by Zhu et al. [25], [26]. The storage overhead
analysis will be shown in the supplemental file.
6.1 Communication Cost
Because the communication cost during the initialization is
almost the same in these three auditing protocols, we only
compare the communication cost between the auditor and
the server, which consists of the challenge and the proof.
Consider a batch auditing with K owners and C cloud
servers. Suppose the number of challenged data block from
each owner on different cloud servers is the same, denoted
as t, and the data block are split into s sectors in Zhu’s
IPDP and our scheme. We do the comparison under the
same probability of detection. That is, in Wang’s scheme,
8
TABLE 4
Communication Cost Comparison of Batch Auditing
for K Owners and C Clouds
Scheme Challenge Proof
Wang’s Audit [23], [24] O(KCst) O(KCst log n)
Zhu’s IPDP [25], [26] O(KCt) O(KCs)
Our Scheme O(KCt) O(C)
t is the number of challenged data blocks from each
owner on each cloud server; s is the number of sectors
in each data block; n is the total number of data
blocks of a file in Wang’s scheme.
the number of data blocks from each owner on each cloud
server should be st. The result is described in Table 4.
From the table, we can see that the communication cost
in Wang’s auditing scheme is not only linear to C, K ,
t, s, but also linear to the total number of data blocks
n. As we know, in large scale cloud storage systems, the
total number of data blocks could be very large. Therefore,
Wang’s auditing scheme may incur high communication
cost.
Our scheme and Zhu’s IPDP have the same total commu-
nication cost during the challenge phase. During the proof
phase, the communication cost of the proof in our scheme is
only linear to C, but in Zhu’s IPDP, the communication cost
of the proof is not only linear to C and K, but also linear
to s. That is because Zhu’s IPDP uses the mask technique
to protect the data privacy, which requires to send both the
masked proof and the encrypted mask to the auditor. In our
scheme, the server is only required to send the encrypted
proof to the auditor and thus incurs less communication
cost than Zhu’s IPDP.
O UR AU - 6.2 Computation Complexity
We simulate the computation of the owner, the server and
the auditor on a Linux system with an Intel Core 2 Duo
CPU at 3.16GHz and 4.00GB RAM. The code uses the
Pairing-Based Cryptography (PBC) library version 0.5.12
to simulate our auditing scheme and Zhu’s IPDP scheme
(Under the same detection of probability, Wang’s scheme
requires much more data blocks than our scheme and Zhu’s
scheme, such that the computation time is almost s times
more than our scheme and Zhu’s IPDP and thus it is
not comparable). The elliptic curve we used is a MNT
d159-curve, where the base field size is 159-bit and the
embedding degree is 6. The d159-curve has a 160-bit group
order, which means p is a 160-bit length prime. All the
simulation results are the mean of 20 trials.
6.2.1 Computation Cost of the Auditor
We compare the computation time of the auditor versus
the number of data blocks, the number of clouds and the
number of owners in Fig. 4.
Fig. 4(a) shows the computation time of the auditor
versus the number of challenged data blocks in the single
cloud and single owner case. In this figure, the number of
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
9

2XU6FKHPH 2XU6FKHPH.%\WH  2XU6FKHPH.%\WH

  =KX
V,3'3.%\WH
=KX
V,3'3 =KX
V,3'3.%\WH

&RPSXWDWLRQ7LPHRQ$XGLWRUV

&RPSXWDWLRQ7LPHRQ$XGLWRUV

&RPSXWDWLRQ7LPHRQ$XGLWRUV
 


  


 



 


  
                 
1XPEHURI&KDOOHQJHG'DWD%ORFNV 1XPEHURI&KDOOHQJHG&ORXGV 1XPEHURI&KDOOHQJHG2ZQHUV

(a) Single Owner, Single Cloud (b) Single Owner, 5 blocks/Cloud (c) Single Cloud, 5 blocks/Owner

Fig. 4. Comparison of Computation Cost of the Auditor (s = 50)


2XU6FKHPH 2XU6FKHPH.%\WH
data blocks goes to 500 (i.e., the challenged data size equals 
=KX
V,3'3  =KX
V,3'3.%\WH

&RPSXWDWLRQ7LPHRQ6HUYHUV

&RPSXWDWLRQ7LPHRQ6HUYHUV

to 500KByte), but it can illustrate the linear relationship 


between the computation cost of the auditor versus the  


challenged data size. From the Fig. 4(a), we can see that 


our scheme incurs less computation cost of the auditor than 


Zhu’s IPDP scheme, when coping with large number of  

           

challenged data blocks. 1XPEHURI&KDOOHQJHG'DWD%ORFNV 1XPEHURI&KDOOHQJHG2ZQHUV

In real cloud storage systems, the data size is very (a) Single Owner, Single Cloud (b) Single Cloud, 5 blocks/Owner
large (e.g., petabytes), our scheme apply the sampling
Fig. 5. Comparison of Computation Cost on the Serer
auditing method to ensure the integrity of such large data.
(s = 50)
The sample size and the frequency are determined by
the service level agreement. From the simulation results,
we can estimate that it requires 800 seconds to audit for of the auditing from the auditor to the server, such that it
1GByte data. However, the computing abilities of the cloud can greatly reduce the computation cost of the auditor.
server and the auditor are much more powerful than our
simulation PC, so the computation time can be relatively
small. Therefore, our auditing scheme is practical in large 7 R ELATED W ORK
scale cloud storage systems. To support the dynamic auditing, Ateniese et al. developed
Fig. 4(b) describes the computation cost of the auditor of a dynamic provable data possession protocol [29] based on
the multi-cloud batch auditing scheme versus the number cryptographic hash function and symmetric key encryption.
of challenged clouds. It is easy to find that our scheme Their idea is to pre-compute a certain number of metadata
incurs less computation cost of the auditor than Zhu’s IPDP during the setup period, so that the number of updates and
scheme, especially when there are a large number of clouds challenges is limited and fixed beforehand. In their protocol,
in the large scale cloud storage systems. each update operation requires recreating all the remaining
Because Zhu’s IPDP does not support the batch auditing metadata, which is problematic for large files. Moreover,
for multiple owners, in our simulation, we repeat the their protocol cannot perform block insertions anywhere
computation for several times which is equal to the number (only append-type insertions are allowed). Erway et al. [22]
of data owners. Then, as shown in Fig. 4(c), we compare the also extended the PDP model to support dynamic updates
computation cost of the auditor between our multi-owner on the stored data and proposed two dynamic provable data
batch auditing and the general auditing protocol which does possession scheme by using a new version of authenticated
not support the multi-owner batch auditing (e.g., Zhu’s dictionaries based on rank information. However, their
IPDP). Fig. 4(c) also demonstrates that the batch auditing schemes may cause heavy computation burden to the server
for multiple owners can greatly reduce the computation since they relied on the PDP scheme proposed by the
cost. Although in our simulation the number of data owners Ateniese.
goes to 500, it can illustrate the trend of computation cost In [23], the authors proposed a dynamic auditing protocol
of the auditor that our scheme is much more efficient than that can support the dynamic operations of the data on
Zhu’s scheme in large scale cloud storage systems that may the cloud servers, but this method may leak the data
have millions to billions of data owners. content to the auditor because it requires the server to send
the linear combinations of data blocks to the auditor. In
[24], the authors extended their dynamic auditing scheme
6.2.2 Computation Cost of the Server
to be privacy-preserving and support the batch auditing
We compare the computation cost of the server versus the for multiple owners. However, due to the large number
number of data blocks in Fig. 5(a) and the number of data of data tags, their auditing protocols will incur a heavy
owners in Fig. 5(b). Our scheme moves the computing loads storage overhead on the server. In [25], Zhu et al. proposed
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
a cooperative provable data possession scheme that can
support the batch auditing for multiple clouds and also
extend it to support the dynamic auditing in [26]. However,
it is impossible for their scheme to support the batch
auditing for multiple owners. That is because parameters for
generating the data tags used by each owner are different
and thus they cannot combine the data tags from multiple
owners to conduct the batch auditing. Another drawback is
that their scheme requires an additional trusted organizer
to send a commitment to the auditor during the batch
auditing for multiple clouds, because their scheme applies
the mask technique to ensure the data privacy. However,
such additional organizer is not practical in cloud storage
systems. Furthermore, both Wang’s schemes and Zhu’s
schemes incur heavy computation cost of the auditor, which
makes the auditing system inefficient.
8 C ONCLUSION
In this paper, we proposed an efficient and inherently secure
dynamic auditing protocol. It protects the data privacy
against the auditor by combining the cryptography method
with the bilinearity property of bilinear paring, rather than
using the mask technique. Thus, our multi-cloud batch
auditing protocol does not require any additional organizer.
Our batch auditing protocol can also support the batch
auditing for multiple owners. Furthermore, our auditing
scheme incurs less communication cost and less compu-
tation cost of the auditor by moving the computing loads
of auditing from the auditor to the server, which greatly
improves the auditing performance and can be applied to
large scale cloud storage systems.
R EFERENCES
[1] P. Mell and T. Grance, “The NIST definition of cloud computing,”
National Institute of Standards and Technology, Tech. Rep., 2009.
[2] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz,
A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and
M. Zaharia, “A view of cloud computing,” Commun. ACM, vol. 53,
no. 4, pp. 50–58, 2010.
[3] T. Velte, A. Velte, and R. Elsenpeter, Cloud Computing: A Practical
Approach, 1st ed. New York, NY, USA: McGraw-Hill, Inc., 2010,
ch. 7.
[4] J. Li, M. N. Krohn, D. Mazières, and D. Shasha, “Secure untrusted
data repository (sundr),” in Proceedings of the 6th conference on
Symposium on Operating Systems Design & Implementation, Berke-
ley, CA, USA, 2004, pp. 121–136.
[5] G. R. Goodson, J. J. Wylie, G. R. Ganger, and M. K. Reiter,
“Efficient byzantine-tolerant erasure-coded storage,” in DSN. IEEE
Computer Society, 2004, pp. 135–144.
[6] V. Kher and Y. Kim, “Securing distributed storage: challenges,
techniques, and systems,” in StorageSS, V. Atluri, P. Samarati,
W. Yurcik, L. Brumbaugh, and Y. Zhou, Eds. ACM, 2005, pp.
9–25.
[7] L. N. Bairavasundaram, G. R. Goodson, S. Pasupathy, and
J. Schindler, “An analysis of latent sector errors in disk drives,” in
SIGMETRICS, L. Golubchik, M. H. Ammar, and M. Harchol-Balter,
Eds. ACM, 2007, pp. 289–300.
[8] B. Schroeder and G. A. Gibson, “Disk failures in the real world:
What does an mttf of 1, 000, 000 hours mean to you?” in FAST.
USENIX, 2007, pp. 1–16.
[9] M. Lillibridge, S. Elnikety, A. Birrell, M. Burrows, and M. Isard, “A
cooperative internet backup scheme,” in USENIX Annual Technical
Conference, General Track. USENIX, 2003, pp. 29–41.
10
[10] Y. Deswarte, J. Quisquater, and A. Saidane, “Remote integrity
checking,” in The Sixth Working Conference on Integrity and Internal
Control in Information Systems (IICIS). Springer Netherlands,
November 2004.
[11] M. Naor and G. N. Rothblum, “The complexity of online memory
checking,” J. ACM, vol. 56, no. 1, 2009.
[12] A. Juels and B. S. K. Jr., “Pors: proofs of retrievability for large
files,” in ACM Conference on Computer and Communications Secu-
rity, P. Ning, S. D. C. di Vimercati, and P. F. Syverson, Eds. ACM,
2007, pp. 584–597.
[13] T. J. E. Schwarz and E. L. Miller, “Store, forget, and check: Using
algebraic signatures to check remotely administered storage,” in
ICDCS. IEEE Computer Society, 2006, p. 12.
[14] D. L. G. Filho and P. S. L. M. Barreto, “Demonstrating data
possession and uncheatable data transfer,” IACR Cryptology ePrint
Archive, vol. 2006, p. 150, 2006.
[15] F. Sebé, J. Domingo-Ferrer, A. Martı́nez-Ballesté, Y. Deswarte,
and J.-J. Quisquater, “Efficient remote data possession checking in
critical information infrastructures,” IEEE Trans. Knowl. Data Eng.,
vol. 20, no. 8, pp. 1034–1038, 2008.
[16] G. Yamamoto, S. Oda, and K. Aoki, “Fast integrity for large data,”
in Proceedings of the ECRYPT workshop on Software Performance
Enhancement for Encryption and Decryption. Amsterdam, the
Netherlands: ECRYPT, June 2007, pp. 21–32.
[17] M. A. Shah, M. Baker, J. C. Mogul, and R. Swaminathan, “Auditing
to keep online storage services honest,” in HotOS, G. C. Hunt, Ed.
USENIX Association, 2007.
[18] C. Wang, K. Ren, W. Lou, and J. Li, “Toward publicly auditable
secure cloud data storage services,” IEEE Network, vol. 24, no. 4,
pp. 19–24, 2010.
[19] K. Yang and X. Jia, “Data storage auditing service in cloud com-
puting: challenges, methods and opportunities,” World Wide Web,
vol. 15, no. 4, pp. 409–428, 2012.
[20] G. Ateniese, R. C. Burns, R. Curtmola, J. Herring, L. Kissner,
Z. N. J. Peterson, and D. X. Song, “Provable data possession at
untrusted stores,” in ACM Conference on Computer and Communi-
cations Security, P. Ning, S. D. C. di Vimercati, and P. F. Syverson,
Eds. ACM, 2007, pp. 598–609.
[21] H. Shacham and B. Waters, “Compact proofs of retrievability,” in
ASIACRYPT, ser. Lecture Notes in Computer Science, J. Pieprzyk,
Ed., vol. 5350. Springer, 2008, pp. 90–107.
[22] C. C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, “Dy-
namic provable data possession,” in ACM Conference on Computer
and Communications Security, E. Al-Shaer, S. Jha, and A. D.
Keromytis, Eds. ACM, 2009, pp. 213–222.
[23] Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, “Enabling public
auditability and data dynamics for storage security in cloud comput-
ing,” IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 5, pp. 847–859,
2011.
[24] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving
public auditing for data storage security in cloud computing,” in
INFOCOM. IEEE, 2010, pp. 525–533.
[25] Y. Zhu, H. Hu, G. Ahn, and M. Yu, “Cooperative provable data
possession for integrity verification in multi-cloud storage,” Parallel
and Distributed Systems, IEEE Transactions on, pp. 1–14, 2011.
[26] Y. Zhu, H. Wang, Z. Hu, G.-J. Ahn, H. Hu, and S. S. Yau, “Dynamic
audit services for integrity verification of outsourced storages in
clouds,” in SAC, W. C. Chu, W. E. Wong, M. J. Palakal, and C.-
C. Hung, Eds. ACM, 2011, pp. 1550–1557.
[27] K. Zeng, “Publicly verifiable remote data integrity,” in ICICS, ser.
Lecture Notes in Computer Science, L. Chen, M. D. Ryan, and
G. Wang, Eds., vol. 5308. Springer, 2008, pp. 419–434.
[28] G. Ateniese, S. Kamara, and J. Katz, “Proofs of storage from
homomorphic identification protocols,” in ASIACRYPT, ser. Lecture
Notes in Computer Science, M. Matsui, Ed., vol. 5912. Springer,
2009, pp. 319–333.
[29] G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, “Scalable
and efficient provable data possession,” IACR Cryptology ePrint
Archive, vol. 2008, p. 114, 2008.
[30] P. Ning, S. D. C. di Vimercati, and P. F. Syverson, Eds., Proceedings
of the 2007 ACM Conference on Computer and Communications
Security, CCS 2007, Alexandria, Virginia, USA, October 28-31,
2007. ACM, 2007.
 This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
11

Kan Yang received his B. Eng. degree from University of Science

and Technology of China in 2008. He is currently a Ph.D. candidate
in Department of Computer Science at City University of Hong Kong.
His research interests include cryptography, information security,
cloud computing and distributed systems.

Xiaohua Jia received his BSc (1984) and MEng (1987) from Uni-
versity of Science and Technology of China, and DSc (1991) in
Information Science from University of Tokyo. He is currently Chair
Professor with Dept of Computer Science at City University of Hong
Kong. His research interests include cloud computing and distributed
systems, computer networks, wireless sensor networks and mobile
wireless networks. Prof. Jia is an editor of IEEE Trans. on Parallel
and Distributed Systems (2006-2009), Wireless Networks, Journal
of World Wide Web, Journal of Combinatorial Optimization, etc. He
is the General Chair of ACM MobiHoc 2008, TPC Co-Chair of IEEE
MASS 2009, Area-Chair of IEEE INFOCOM 2010, TPC Co-Chair of
IEEE GlobeCom 2010 Ad Hoc and Sensor Networking Symp, and
Panel Co-Chair of IEEE INFOCOM 2011.