Public Auditing
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2019.2912379, IEEE Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL. , NO. , 2019 1
I. INTRODUCTION
1939-1374 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
with a single DO as follows.

Notations used in this scheme: $p$ is a large prime satisfying that the discrete logarithm problem (DLP) in $Z_p^*$ is difficult to be solved. $g$ is a primitive element in a cyclic multiplication group $G$. $H_{(k)}(\cdot)$ is a keyed-hash function with key $k$. $x \xleftarrow{R} X$ represents randomly selecting $x$ from $X$. $a\|b$ represents concatenating $a$ with $b$. $G$, $p$, $q$ and $H_{(\cdot)}(\cdot)$ are system parameters and available to all the entities.

1) Key Generation Phase: Let $G$ be a group of large prime order $p$ and $g$ be a primitive element of group $G$. DO selects a keyed-hash function $H_{(k)}(\cdot)$ defined as $\{0,1\}^* \times K \to Z_p^*$. She sends the shared key $k \in K$ to TPA secretly. She selects $x \xleftarrow{R} Z_p^*$ as the private key, and calculates the public key $Y = g^x$.

2) Signature Generation Phase: The file $M$ is divided into $n$ blocks $M = \{m_1, m_2, \ldots, m_n\}$, where $m_i \in Z_p^*$. Firstly, DO selects a secret random number $r \xleftarrow{R} Z_p^*$ to generate signatures for blocks $m_i$ ($i = 1, \ldots, n$). The signature $\sigma = \langle R, s_1, \ldots, s_n \rangle$ is constructed as follows.

$$R = g^r \tag{1}$$

$$s_i = (m_i - H_k(R\|i)\,x)\,r^{-1}, \quad i = 1, 2, \ldots, n \tag{2}$$

Then, DO uploads the file $M$ and the signature $\sigma$ to the CSP.

3) Audit Phase: Firstly, TPA randomly selects a subset $Q$ with $c$ elements from set $[1, n]$. For each $i \in Q$, TPA generates a random number $v_i \in Z_q^*$, where q p. And then, TPA sends

After receiving the TPA's challenge message, CSP computes the proof according to file $M = \{m_1, m_2, \ldots, m_n\}$ and signature $\sigma = \langle R, s_1, \ldots, s_n \rangle$ as follows.

$$\alpha = R^{\sum_{i \in Q} v_i s_i} \tag{3}$$

$$\beta = \sum_{i \in Q} v_i m_i \tag{4}$$

$$\gamma = g^{\beta} \tag{5}$$

Below, we will show the malicious cloud can forge a proof to pass the verification of TPA even if it has deleted the user's data. Assume the data owner wants to upload the file $M = \{m_1, m_2, \ldots, m_n\}$ to the cloud, where $m_i \in Z_p^*$. The data owner selects $r \xleftarrow{R} Z_p^*$, and computes $R = g^r$ and $s_i = (m_i - H_k(R\|i)\,x)\,r^{-1}$, $i = 1, 2, \ldots, n$. And then the data owner uploads file $M = \{m_1, m_2, \ldots, m_n\}$ and signature $\sigma = \langle R, s_1, s_2, \ldots, s_n \rangle$ to the cloud server. When the cloud server receives these messages, it computes $\delta_i = g^{m_i} \cdot R^{-s_i}$, $i = 1, 2, \ldots, n$. And then the cloud server deletes the file $M = \{m_1, m_2, \ldots, m_n\}$ and messages $\{s_1, s_2, \ldots, s_n\}$. When the cloud server receives the challenge $\{(i, v_i)\}_{i \in Q}$ from the TPA, it forges the proof as follows.

The cloud server randomly selects $\alpha' \in G$, and computes

$$\gamma' = \alpha' \cdot \prod_{i \in Q} \delta_i^{v_i}$$

Finally, the cloud server sends the forgery $(\alpha', \gamma', R)$ to the TPA as the proof.

This forgery can pass the verification of the TPA because the following equations hold.

$$
\begin{aligned}
\gamma' &= \alpha' \cdot \prod_{i \in Q} \delta_i^{v_i} \\
&= \alpha' \cdot \prod_{i \in Q} \left(g^{m_i} \cdot R^{-s_i}\right)^{v_i} \\
&= \alpha' \cdot \prod_{i \in Q} \left(g^{m_i} \cdot g^{-r s_i}\right)^{v_i} \\
&= \alpha' \cdot \prod_{i \in Q} \left(g^{m_i} \cdot g^{-r\left((m_i - H_k(R\|i)x)\,r^{-1}\right)}\right)^{v_i} \\
&= \alpha' \cdot \prod_{i \in Q} \left(g^{m_i} \cdot g^{-m_i + H_k(R\|i)x}\right)^{v_i} \\
&= \alpha' \cdot g^{\sum_{i \in Q} x H_k(R\|i) v_i}
\end{aligned}
$$

Therefore, this forgery is valid. It means the CSP can deceive the TPA that it correctly stores the user's data even when it has deleted the whole file. In [2], the authors extended SEPDP to support multiple data owners, batch auditing, and dynamic data operations. The similar method can also be used to attack these extended schemes. We do not repeat it here considering the page limitation. Note that the proof of Theorem 2 in [2] is not correct. We show how the security proof in [2] fails and correct the flaw of previous security game in the Appendix.