
Public Auditing

This document summarizes and critiques a recently proposed provable data possession scheme for cloud storage called SEPDP. The authors show that SEPDP, while claiming to guarantee storage correctness, is actually vulnerable because a malicious cloud could generate a valid proof even if it has deleted the user's file. Specifically, during the audit phase the cloud can forge a proof that will pass the third party auditor's verification without actually storing the user's data. This calls into question the fundamental security of SEPDP and similar schemes. The authors demonstrate a method for the cloud to successfully lie about data integrity during auditing.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2019.2912379, IEEE Transactions on Services Computing

IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL. , NO. , 2019

Comments on “SEPDP: Secure and Efficient Privacy Preserving Provable Data Possession in Cloud Storage”

Jia Yu, Rong Hao

Abstract—Provable Data Possession is viewed as an important technique to check the integrity of the data stored in remote servers. Recently, a new provable data possession scheme [Secure and Efficient Privacy Preserving Provable Data Possession in Cloud Storage, IEEE Transactions on Services Computing, (2019) Doi: 10.1109/TSC.2019.2820713] was proposed. The authors claimed this scheme can guarantee storage correctness. In this paper, we show that this scheme cannot satisfy this fundamental security property. Specifically, we demonstrate that the malicious cloud can generate a proof that passes the third party auditor’s verification even if it does not store the user’s whole file.

Index Terms—Cloud computing; Provable Data Possession; Storage-as-a-Service; Privacy preserving; Security

This research is supported by National Natural Science Foundation of China (61572267), National Development Foundation of Cryptography (MMJJ20170118), the Open Research Project (2019-MS-03) of State Key Laboratory of Information Security in Institute of Information Engineering, Chinese Academy of Sciences, Jiangsu Key Laboratory of Big Data Security and Intelligent Processing, NJUPT (BDSIP1806).

J. Yu is with the College of Computer Science and Technology, Qingdao University, Qingdao 266071, China, with Jiangsu Key Laboratory of Big Data Security and Intelligent Processing, Nanjing University of Posts and Telecommunications, 210023 Nanjing, China, and with State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China. E-mail: [email protected].

R. Hao is with the College of Computer Science and Technology, Qingdao University, Qingdao 266071, China. E-mail: [email protected].

1939-1374 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

I. INTRODUCTION

Provable Data Possession (PDP) schemes for cloud storage are able to ensure that the cloud correctly stores the user’s data. They allow the third party auditor (TPA) to check the integrity of the data stored in the cloud. The first PDP scheme was proposed by Ateniese [1], which made use of the technique of homomorphic linear authenticator and random sample to ensure the integrity of cloud data. Recently, Nayak and Tripathy proposed a new provable data possession scheme [2]. They claimed their scheme was able to guarantee the storage correctness. In this paper, we show that the scheme [2] does not satisfy this fundamental security property. We show that the malicious cloud can successfully forge a proof to pass the TPA’s verification even if this cloud has deleted the user’s file. A similar attack method can be applied to their other extended schemes in [2].

II. REVIEW NAYAK ET AL.’S SCHEME

A. System Model

As illustrated in Fig. 1, the system model in [2] includes four entities: data owner (DO), data user (DU), cloud service provider (CSP), and the third party auditor (TPA). The data owner stores his data in the cloud. The data user can access and operate on these data kept at the cloud service provider. The cloud service provider owns enormous storage space and provides storage service to users. The cloud service provider is semi-trusted. It may delete the data and lie about the incorrectness of the data to save its reputation. Therefore, the integrity of cloud data should be audited. The TPA is responsible for periodically auditing the integrity of cloud data on behalf of users. When the integrity of cloud data is audited, the TPA sends a challenge message to the cloud. After receiving this message, the cloud responds with a proof of data possession. Finally, the TPA verifies whether this proof is correct or not, and returns the verification results to users.

Fig. 1. System model

B. Description of Nayak et al.’s Scheme

In this section, we review the provable data possession scheme proposed in [2], which is named SEPDP. SEPDP comprises three phases: key generation phase, signature generation phase, and audit phase. We describe their scheme with a single DO as follows.

Notations used in this scheme: $p$ is a large prime such that the discrete logarithm problem (DLP) in $Z_p^*$ is difficult to solve. $g$ is a primitive element in a cyclic multiplication group $G$. $H_{(k)}(\cdot)$ is a keyed-hash function with key $k$. $x \xleftarrow{R} X$ represents randomly selecting $x$ from $X$. $a\|b$ represents concatenating $a$ with $b$. $G$, $p$, $q$ and $H_{(\cdot)}(\cdot)$ are system parameters and available to all the entities.

1) Key Generation Phase: Let $G$ be a group of large prime order $p$ and $g$ be a primitive element of group $G$. DO selects a keyed-hash function $H_{(k)}(\cdot)$ defined as $\{0,1\}^* \times K \rightarrow Z_p^*$. She sends the shared key $k \in K$ to TPA secretly. She selects $x \xleftarrow{R} Z_p^*$ as the private key, and calculates the public key $Y = g^x$.

2) Signature Generation Phase: The file $M$ is divided into $n$ blocks $M = \{m_1, m_2, \ldots, m_n\}$, where $m_i \in Z_p^*$. Firstly, DO selects a secret random number $r \xleftarrow{R} Z_p^*$ to generate signatures for blocks $m_i$ $(i = 1, \ldots, n)$. The signature $\sigma = \langle R, s_1, \ldots, s_n \rangle$ is constructed as follows.

$$R = g^r \quad (1)$$

$$s_i = (m_i - H_k(R\|i)\,x)\,r^{-1}, \quad i = 1, 2, \ldots, n \quad (2)$$

Then, DO uploads the file $M$ and the signature $\sigma$ to the CSP.

3) Audit Phase: Firstly, TPA randomly selects a subset $Q$ with $c$ elements from set $[1, n]$. For each $i \in Q$, TPA generates a random number $v_i \in Z_q^*$, where $q \ll p$. Then, TPA sends the challenge $\{(i, v_i)\}_{i \in Q}$ to the cloud server.

After receiving the TPA’s challenge message, CSP computes the proof according to file $M = \{m_1, m_2, \ldots, m_n\}$ and signature $\sigma = \langle R, s_1, \ldots, s_n \rangle$ as follows.

$$\alpha = R^{\sum_{i \in Q} v_i s_i} \quad (3)$$

$$\beta = \sum_{i \in Q} v_i m_i \quad (4)$$

$$\gamma = g^{\beta} \quad (5)$$

and returns $(\alpha, \gamma, R)$ to TPA as the proof.

TPA checks whether the proof is correct by Equation (6).

$$\gamma \stackrel{?}{=} \alpha \cdot Y^{\sum_{i \in Q} H_k(R\|i)\,v_i} \quad (6)$$

If Equation (6) holds, then it means the cloud keeps the file $M$ correctly. Otherwise, not.

III. REMARKS ON NAYAK ET AL.’S SCHEME

In this section, we give an effective attack on the security of SEPDP in [2]. Firstly, we review the security of PDP schemes. PDP schemes are designed to ensure that the cloud server correctly stores the user’s data. If the cloud server deletes or modifies the user’s data, it should not pass the auditing verification from TPA. We say a PDP scheme is secure if the following condition holds: CSP can pass the audit phase only if it possesses the whole outsourced data [2].

Below, we will show the malicious cloud can forge a proof to pass the verification of TPA even if it has deleted the user’s data. Assume the data owner wants to upload the file $M = \{m_1, m_2, \ldots, m_n\}$ to the cloud, where $m_i \in Z_p^*$. The data owner selects $r \xleftarrow{R} Z_p^*$, and computes $R = g^r$ and $s_i = (m_i - H_k(R\|i)\,x)\,r^{-1}$, $i = 1, 2, \ldots, n$. Then the data owner uploads file $M = \{m_1, m_2, \ldots, m_n\}$ and signature $\sigma = \langle R, s_1, s_2, \ldots, s_n \rangle$ to the cloud server. When the cloud server receives these messages, it computes $\delta_i = g^{m_i} \cdot R^{-s_i}$, $i = 1, 2, \ldots, n$. Then the cloud server deletes the file $M = \{m_1, m_2, \ldots, m_n\}$ and messages $\{s_1, s_2, \ldots, s_n\}$. When the cloud server receives the challenge $\{(i, v_i)\}_{i \in Q}$ from the TPA, it forges the proof as follows.

The cloud server randomly selects $\alpha' \in G$, and computes

$$\gamma' = \alpha' \cdot \prod_{i \in Q} \delta_i^{v_i}$$

Finally, the cloud server sends the forgery $(\alpha', \gamma', R)$ to the TPA as the proof.

This forgery can pass the verification of the TPA because the following equations hold.

$$\begin{aligned}
\gamma' &= \alpha' \cdot \prod_{i \in Q} \delta_i^{v_i} \\
&= \alpha' \cdot \prod_{i \in Q} \left(g^{m_i} \cdot R^{-s_i}\right)^{v_i} \\
&= \alpha' \cdot \prod_{i \in Q} \left(g^{m_i} \cdot g^{-r s_i}\right)^{v_i} \\
&= \alpha' \cdot \prod_{i \in Q} \left(g^{m_i} \cdot g^{-r\left((m_i - H_k(R\|i)x)\,r^{-1}\right)}\right)^{v_i} \\
&= \alpha' \cdot \prod_{i \in Q} \left(g^{m_i} \cdot g^{-m_i + H_k(R\|i)x}\right)^{v_i} \\
&= \alpha' \cdot \prod_{i \in Q} g^{x H_k(R\|i) v_i} \\
&= \alpha' \cdot Y^{\sum_{i \in Q} H_k(R\|i)\,v_i}
\end{aligned}$$

Therefore, this forgery is valid. It means the CSP can deceive the TPA that it correctly stores the user’s data even when it has deleted the whole file. In [2], the authors extended SEPDP to support multiple data owners, batch auditing, and dynamic data operations. A similar method can also be used to attack these extended schemes. We do not repeat it here considering the page limitation. Note that the proof of Theorem 2 in [2] is not correct. We show how the security proof in [2] fails and correct the flaw of the previous security game in the Appendix.

IV. CONCLUSION

In this paper, we give the security analysis of a PDP scheme proposed in [2]. We show this scheme does not guarantee storage correctness. The malicious cloud can forge a proof to pass the verification from TPA even if it has deleted the whole user’s file.

REFERENCES

[1] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson and D. Song, “Provable Data Possession at Untrusted Stores,” In Proc. of ACM CCS 2007, pp. 598-610, 2007.

[2] S. K. Nayak and S. Tripathy, “SEPDP: Secure and Efficient Privacy Preserving Provable Data Possession in Cloud Storage,” IEEE Transactions on Services Computing, Available online 29 March 2019, Doi: 10.1109/TSC.2019.2820713.

Jia Yu is a professor of the College of Computer Science and Technology at Qingdao University. He received the M.S. and B.S. degrees in School of Computer Science and Technology from Shandong University in 2003 and 2000, respectively. He received Ph.D. degree in Institute of Network Security from Shandong University, in 2006. He was a visiting professor with the Department of Computer Science and Engineering, the State University of New York at Buffalo, from Nov. 2013 to Nov. 2014. His research interests include cloud computing security, key evolving cryptography, digital signature, and network security.

Rong Hao works in the College of Computer Science and Technology, Qingdao University. Her research interest is cloud computing security and cryptography.

APPENDIX

In this appendix, we firstly explain why the proof of Theorem 2 (page 6, right column) in [2] is not correct.

The PDP schemes are proposed to ensure the cloud server does not delete or change the user’s data. One PDP scheme is secure if and only if CSP cannot pass the audit challenge when it does not possess the whole outsourced data. The authors in [2] provide a security proof of Theorem 2, however, this security proof (page 6, right column) is not valid. In the proof, the authors define a security game. Unfortunately, this game is not correct. The security game was defined as follows. TPA sends a verification request $\{(i, v_i)\}_{i \in Q}$ to CSP. The response on original $M$ would be $(\alpha, \gamma, R)$, where $\gamma = g^{\beta}$ and $\beta = \sum_{i \in Q} v_i m_i$. Instead of generating the correct response, CSP generates a forgery for the response over the corrupt data $M'$ as $(\alpha, \gamma', R)$, where $\gamma' = g^{\beta'}$ and $\beta' = \sum_{i \in Q} v_i m'_i$ and $m'_i \in M'$ for $i \in Q$. Define $\Delta\beta = \beta' - \beta$. Here, $\Delta\beta$ is non-zero as $v_i$’s are random numbers and $M' \neq M$. CSP wins the security game if this forgery on $M'$ clears the verification Equation (6) at the TPA. Otherwise, it loses the game. In this game, the authors assume that, instead of generating the correct response, CSP generates a forgery $(\alpha, \gamma', R)$ for the response over the corrupt data $M'$, in which $\alpha$ and $R$ are the real $\alpha$ and $R$. But this assumption does not hold. The reason is that, in the forgery, $\alpha$ and $R$ can be different from the real $\alpha$ and $R$. If the adversary provides the forged $\alpha$ and $R$, this proof will not hold.

Then, we correct the flaw in security game and give the corrected security game as follows. TPA sends a verification request $\{(i, v_i)\}_{i \in Q}$ to CSP. The response on original $M$ would be $(\alpha, \gamma, R)$, where $\gamma = g^{\beta}$ and $\beta = \sum_{i \in Q} v_i m_i$. Instead of generating the correct response, CSP generates a forgery for the response over the corrupt data $M'$ as $(\alpha', \gamma', R')$, where $(\alpha', \gamma', R')$ is different from the real $(\alpha, \gamma, R)$. CSP wins the security game if this forgery on $M'$ satisfies the verification Equation (6) at the TPA. Otherwise, it loses the game.

Note that it is impossible to prove the scheme [2] is secure according to our improved security game. From the attack of our paper, we can clearly know that the malicious cloud can successfully forge a proof to pass the verification of TPA even if it has deleted the user’s cloud data in scheme [2]. So the scheme [2] is insecure. As for an insecure scheme, it is very natural that there is no valid security proof to show it is secure. In addition, we also find that this scheme is difficult to be improved to become a secure PDP scheme with provable security. This paper focuses on pointing out the security weakness of the scheme [2]. We hope the comments are useful for researchers to avoid security flaws when they design new PDP schemes.
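
The following is an added example, not code from this paper or from [2]: a soundness check of verification Equation (6) that a scheme designer or auditor can run, covering both the Section III forgery and the corrected security game of the Appendix, in which the prover is free to choose its own $\alpha'$. It runs key generation, signing, and auditing as in Equations (1) to (6) and reports whether the TPA accepts an honest proof, an altered $\gamma$, and a response computed from the $\delta_i$ alone. The toy group (P = 2039, p = 1019, g = 4), the use of HMAC-SHA256 for $H_k$, the bound q = 101, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Constructed toy group, far too small for real use: P = 2p + 1, g has prime order p.
P, p, g = 2039, 1019, 4

def H(k, R, i):
    # Keyed hash H_k(R||i) into Z_p^*; HMAC-SHA256 is an assumption of this example.
    d = hmac.new(k, f"{R}||{i}".encode(), hashlib.sha256).digest()
    return int.from_bytes(d, "big") % (p - 1) + 1

def sign(blocks, x, k):
    r = secrets.randbelow(p - 1) + 1
    R = pow(g, r, P)                                             # Eq. (1)
    s = [(m - H(k, R, i) * x) * pow(r, -1, p) % p for i, m in enumerate(blocks, 1)]  # Eq. (2)
    return R, s

def honest_proof(blocks, R, s, chal):
    alpha = pow(R, sum(v * s[i - 1] for i, v in chal) % p, P)    # Eq. (3)
    beta = sum(v * blocks[i - 1] for i, v in chal) % p           # Eq. (4)
    return alpha, pow(g, beta, P), R                             # Eq. (5)

def verify(proof, chal, Y, k):
    alpha, gamma, R = proof
    e = sum(H(k, R, i) * v for i, v in chal) % p
    return gamma == alpha * pow(Y, e, P) % P                     # Eq. (6)

def deltas_from_upload(blocks, R, s):
    # delta_i = g^{m_i} * R^{-s_i}; in Section III the CSP then deletes M and the s_i.
    return [pow(g, m, P) * pow(R, -si % p, P) % P for m, si in zip(blocks, s)]

def proof_without_file(deltas, R, chal):
    alpha = pow(g, secrets.randbelow(p), P)                      # arbitrary alpha' in G
    gamma = alpha
    for i, v in chal:
        gamma = gamma * pow(deltas[i - 1], v, P) % P             # alpha' * prod delta_i^{v_i}
    return alpha, gamma, R

def audit_outcomes(n=8, c=4, q=101):
    # q is an assumed small bound for the challenge coefficients v_i.
    x, k = secrets.randbelow(p - 1) + 1, secrets.token_bytes(16)
    Y = pow(g, x, P)                                             # public key Y = g^x
    blocks = [secrets.randbelow(p - 1) + 1 for _ in range(n)]
    R, s = sign(blocks, x, k)
    idx = secrets.SystemRandom().sample(range(1, n + 1), c)
    chal = [(i, secrets.randbelow(q - 1) + 1) for i in idx]
    a, gam, _ = honest_proof(blocks, R, s, chal)
    deltas = deltas_from_upload(blocks, R, s)
    return (verify((a, gam, R), chal, Y, k),                     # honest proof
            verify((a, gam * g % P, R), chal, Y, k),             # altered gamma
            verify(proof_without_file(deltas, R, chal), chal, Y, k))  # no M, no s_i
```

A sound PDP check would give `(True, False, False)`; `audit_outcomes()` returns `(True, False, True)` because each $\delta_i$ equals $Y^{H_k(R\|i)}$ and therefore carries no information about $m_i$.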
