Ain Shams Engineering Journal 10 (2019) 275–285

Contents lists available at ScienceDirect

Ain Shams Engineering Journal

journal homepage: www.sciencedirect.com

Integrity and Confidentiality in Cloud Outsourced Data

Mai Rady ⇑, Tamer Abdelkader, Rasha Ismail
Information System Department, Ain Shams University, Cairo, Egypt

a r t i c l e i n f o a b s t r a c t

Article history: Cloud services have become an increasingly popular solution to provide different services to clients. One
Received 2 April 2017 of the cloud services is database as a service (DBaaS), in which the service provider offers different
Revised 11 October 2018 resources such as software, hardware and network to the clients to be able to manage and administer
Accepted 14 March 2019
the database. However, the data and the execution of database queries are under control of the distrustful
Available online 4 April 2019
service provider. This lack of trust opens up new security issues and serves as the chief motivation of our
work. This study presents an overview of different cryptographic algorithms, based on different schemes
Keywords:
in the outsourced database security and query authentication. We conclude the paper by proposing a new
Cloud storage
Data confidentiality
architecture that achieves the confidentiality and integrity of query results of the outsourced database.
Data integrity Ó 2019 The Authors. Published by Elsevier B.V. on behalf of Faculty of Engineering, Ain Shams University.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-
nd/4.0/).

1. Introduction to maintain the system [2]. A cloud computing environment offers

Cloud services are recently in widespread due to the advance-
ment in networking and high performance computing hardware
and software. In addition, there is an increasing trend from pc
users to move the burden of huge storage, and fast and complex
computing to cloud servers, which will save time, space and power.
Therefore, a growing business of service providing, run by Cloud
service providers (CSPs), has been marked recently, especially from
big companies, such as Amazon, Google and Microsoft. The clients
of a CSP pay for services according to the service type and their
usage of the service [1]. Cloud services can be classified into three
models, Infrastructure as a service IaaS, Platform as a service PaaS,
and Software as a service SaaS. The digital data amount is increas-
ing at a phenomenal rate, outpacing the storage ability of many
organizations. Therefore, outsourcing data to cloud servers is con-
sidered a solution to store greater data into efficient distributed
servers. By storing data in the cloud, the data management
becomes one of the CSP tasks, and the organization can concentrate
on its main tasks. This reduces fundamental costs on different
resources such as software, hardware and even professionals hired
⇑ Corresponding author.
E-mail addresses:
storage as a service under Infrastructure as a service by different
CSPs that allow users or organizations to store data on remote ser-
vers, other than organization servers. Database outsourcing intro-
duces a new paradigm, called database as a service (DBaaS).
Database Service Providers have the infrastructure to host out-
sourced databases at distributed servers and provide efficient facil-
ities for their clients to create, store, update and access databases
anytime from any place through Internet. Fig. 1, shows the interac-
tion between the data owner or user and the CSP where data is
stored. Structured databases and non-structured databases can
be outsourced. Amazon’s SimpleDB, Amazon RDS, Google’s BigTa-
ble, Yahoo’s Sherpa and Microsoft’s SQL Azure Databases are the
commonly used databases in the Cloud [3].
One of the main security issues in outsourcing data or databases
to cloud servers is that the data owner loses control of the data,
and the CSP becomes the main data manager [4]. By outsourcing
the database, the cloud servers and the networks are often the tar-
get of malicious attacks. Moreover, the server itself might be mali-
cious and may attempt to insert fake records into the database,
modify existing records, or even delete it [2]. We can summarize
the security requirements that should be considered when out-
sourcing data to the cloud as follows:

[email protected] (M. Rady), [email protected]. 1. Confidentiality: Data must be encrypted before it is outsourced,
edu.eg (T. Abdelkader), [email protected] (R. Ismail).
to protect it from malicious internal or external attacks.
Peer review under responsibility of Ain Shams University.
2. Integrity: Protect the data from the unauthorized insert, update,
or delete. The data owner and authorized users should be able
to recognize if the data is corrupted or incomplete, and receive
the most recent updated version of the data, which guarantees
Production and hosting by Elsevier
accuracy and consistency of data.

https://doi.org/10.1016/j.asej.2019.03.002
2090-4479/Ó 2019 The Authors. Published by Elsevier B.V. on behalf of Faculty of Engineering, Ain Shams University.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
276 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285
Fig. 1. An overview of query interaction in the cloud environment.
3. Availability: The data in the cloud servers should be accessible
to its users. Major threats to availability are denial of service
(DOS) attacks, natural disasters, and equipment failures at the
service provider’s end [5].
4. Access control: The outsourced data should be accessed only by
authorized users.
5. Firewall: The CSP must be safeguarded against false accusations
that may be claimed by dishonest owners or users [15].
We detail these security requirements with the techniques
developed to handle them in the following section. Therefore, our
main contributions in this paper can be outlined as follows:
– We survey and discuss the important security requirements to
store the data or database in the cloud. Security requirements
include data confidentiality, data integrity, and query process-
ing over encrypted data.
– We provide a comparative summary of the different algorithms
and techniques to resolve security issues.
– We conclude the survey by proposing a design of a new archi-
tecture to achieve the confidentiality and integrity of query
results on outsourced data.
The rest of the paper is organized as follows. In Section 2, we
address the different cryptographic primitives and definitions used
to ensure data security. In Section 3, data confidentiality is dis-
cussed. In Section 4, different ways to process query over
encrypted data is outlined. In Sections 5 and 6, data integrity and
data-integrity-using-TTP different approaches are presented,
respectively. In Section 7, we provide a comparison of the different
algorithms and techniques used to solve the main security issues.
In Section 8, the new architecture is proposed. In section 9, the
conclusion of the paper is presented.
2. Cryptographic algorithms
Many cryptographic algorithms are used in different crypto-
graphic protocols to ensure data security, database security, and
query authentication. In the following subsections, we present
the main and widely used algorithms and techniques used in sat-
isfying security requirements.
2.1. Hash function
It is a one-way function, which takes a variable length input and
produces a short fixed length output, called digest. It is used in
many encryption algorithms, as well as to index and retrieve items
in a database. Examples include MD5, SHA1 and SHA2 [28].
2.2. Digital signature
Data owners’ generate two keys: public key, Pk, and private key,
Sk. A digital signature is created by a signing function, sign, which
takes as input a message, m, and Sk, and outputs a signature r,
such that: sign (Sk,m) ? r. To verify the message, a verification
function is used, which uses the signature, r, and Pk, and provides
y if verification succeeds such that: verify (Pk,m,r) ? y. However,
the digital signature is an expensive operation compared to hash-
ing operations. In some cases, both digital signature and hash oper-
ations are used, where the message can be hashed first then the
digest is signed. Examples include RSA, DSA, and BGLS [7], pre-
sented in the following sub-subsections.
2.2.1. RSA (Rivest-Shamir-Adleman signature)1
The RSA is an asymmetric cryptographic algorithm, in which each
signer has a public key, Pk = (n,e), and a private key, Sk = (d), where n is
a k-bit modulus generated as the product of two random k/2-bit prime
numbers, p and q, while Z n
¼ f0; 1; 2;    :; n  1g and e; d 2 Z
n , which
satisfy: ed  1 mod £ðnÞ, where £ðnÞ ¼ ðp  1Þðq  1Þ; which is the
number of elements in Z n
.The message hashed first as: h(m) then sig-
d
nature generated as: r ¼ hðmÞ ðmod nÞ: To verify the signature,
re  hðmÞ mod n, is used. The signature generation and verification
involve computing one modular exponentiation [7].
2.2.2. DSA (digital signature algorithm)
DSA, same as RSA, is an asymmetric cryptographic algorithm, in
which each signer has two keys Pk and Sk. The private key Sk is
chosen randomly, where 0 < Sk < q. The public key is calculated
as k ¼ nSk mod p. To sign a message, a random per-message value,
k, is generated, where 0 < k < q. Then a value r is calculated as:


r ¼ nk mod p mod q. The signature is a pair of r and s,
r ¼ ðr; sÞ, and computed on the hash of the message h(m), where
1
s ¼ k ðhðmÞ þ Sk r Þmod q. The signature verification requires at



rs
least two modular exponentiations as: r ¼ nm s :Pk mod q, where
s ¼ s1 mod q [28].
1
RSA is a public key encryption algorithm developed by Ron Rivest, Adi Shamir and
Len Adlemen in 1977 [8].
 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285
2.2.3. BGLS (an aggregate signature scheme by Boneh et al.)
Let G1 ,G2 and G be cyclic groups of the same prime order q.
G1 and G2 are cyclic additive groups with generator g1, g2, and G
is a cyclic multiplicative group, and e is computable bilinear map
e: G1  G2 ! G, which satisfies the following properties:


– Bilinear: for all  2 G1 , y 2 G2 , and a; b 2 Z, e xa ; yb ¼ eðx; yÞab :
– Non-degenerate: eðg 1 ; g 2 Þ–1.
BGLS requires the use of the hash function that maps binary
strings to non-zero points in G1 and G2 . Similar to RSA, BGLS is
an asymmetric cryptographic algorithm, in which each signer has
two keys Pk and Sk, picking a random private key as: Sk 2 Z x ,
and computing the public key Pk ¼ Sk:g 1 , Pk 2 G1 ; G2 . To sign a
message m, compute the hash of the message H ¼ hðmÞ, where
H 2 G1 and r ¼ Sk::H. To verify a signature, compute H ¼ hðmÞ,
then check if eðr; g 1 Þ ¼ eðH; PkÞ [7].
2.3. Signature aggregation
Signature aggregation is used to reduce the cost of digital signa-
tures and to validate a number of messages with a single signature
instead of validating each message individually and the aggregate
signature is the same size as a standard signature [9].
2.3.1. RSA signature aggregation
The signatures generated by the same signer are aggregated
into one signature.
2.3.2. DSA and BGLS signature aggregation
Signatures generated by different signers are aggregated, but
this is more expensive than RSA [29].
2.4. Authenticated data structure
The data structure authenticates the result by providing verifi-
cation object VO associated with it. Verification usually occurs by
using hash functions and digital signature schemes together. In
the following, the most common authenticated data structures
are abstracted.
2.4.1. Message authentication code (MAC)
MAC mechanism takes as input a variable length message and
an owner private key to produce an authenticator (MAC). When
Fig. 2. Merkle Hash tree with 8 values.
277
the user sends a query, she/he will receive the response in a mes-
sage with the MAC. The user can authenticate the message by gen-
erating the MAC of the message and comparing it to the received
MAC. This mechanism assumes that all users possess the same
owners’ private key [13,30].
2.4.2. Hash-based message authentication code (HMAC)
The HMAC is generated by combining the hash function with
the owners’ private key. It takes a message, hash it and takes the
digest with the private key to produce the MAC output. The user
authenticates the message the same way as in the MAC mechanism
[13,30].
2.4.3. Public key based homomorphic linear authentication (HLA)
It is like MAC, verification metadata that authenticates the data
integrity; in addition, it can be aggregated [10].
2.4.4. Merkle hash tree (MHT)
The data is fragmented into blocks. Each block is hashed and the
leaves of the tree are the values of the block hashes. The inner
nodes, and the root, are the hash of the concatenation of the hash
values of their children as shown in Fig. 2. The root also can be
signed using the owners’ private key to ensure more security
[2,9,31].
2.4.5. Merkle B-tree (MBT)
MBT uses a balanced tree, and consists of ordinary nodes that
are extended with one hash value associated with every pointer
entry. The leaf nodes contain the hash values of data blocks and
the hash values associated with index node and the root is com-
puted on the concatenation of the hash values of their children
as shown in Fig. 3. As MHT, the root can also be signed [9,21,31].
3. Data confidentiality
Data confidentiality is the process of protecting data from illegal
access and disclosure from the outsourced server and unautho-
rized users. This is done by encrypting the data so that only the
authorized users can decrypt it.
The authors, in [32], added the encryption properties as follows:
1- Sensitive data only is encrypted while insensitive data is kept
unencrypted, 2- Different parts of data can be encrypted using dif-
ferent encryption keys, 3- During query execution, data relevant to
this query only is encrypted/decrypted.
278 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285
Fig. 3. Merkle B-Tree with 8 values.
The authors in [23], used a prototype toolset, called ‘‘Silverline”,
to provide data confidentiality on the cloud. The procedure under-
goes as follow: 1 – Identify subsets of data, which can be function-
ally encrypted without breaking application functionality, by using
an automated technique that marks data objects using tags, and
tracking their usage and dependencies. 2 – Discard all data that
is involved in computations on the cloud. 3 – Each subset is
encrypted using symmetric encryption with different keys and
accessed by different sets of users. 4 – Store the subsets in the
cloud. The keys used to decrypt the data are stored by the data
owner. To fetch data from the cloud, the user first contacts the data
owner to get the appropriate keys, and then sends the query to the
cloud. The input parameters to the query are also sent in an
encrypted form so that the cloud could execute the encrypted
query, and then sends back the encrypted results. Then, the user
decrypts the result. This technique suffers from a lot of pre-
computation functions to ensure data confidentiality, and the data
owner server must be online all the time that she/he have the
decryption keys.
In [34] the authors proposed a new scheme called Dual Encryp-
tion to ensure data confidentiality, which enables cross-
examination of the outsourced data. The data owner generates
two keys using DES (cipher block chaining MAC) algorithm, pri-
mary key and secondary key. Before outsourcing the data, the
whole data is encrypted using the primary key, and only small sub-
set of the data is encrypted using the secondary key. Then, the
encrypted data is merged together and stored in the cloud. This
scheme suffers from storage overhead, which includes the
encrypted data, dual column, and the subset of the data.
In [35], the authors proposed using biometric encryption to
encrypt the biometric outsourced data which includes iris recogni-
tion, voice, fingerprint, and face reorganization. Biometric encryption
is done by generating a random key, and then using a binding algo-
rithm to merge the biometric image with this key to generate the
Biometrically-encrypted key to encrypt the data. To decrypt the data,
using biometric encryption retrieval algorithm, the Biometrically-
encrypted key is merged with the biometric image to retrieve the
key. And this technique is useful only with biometric data.
The authors in [36] proposed a scheme, which is appropriate in
a hybrid cloud to ensure the data confidentiality on the public
cloud. First, the data file to be outsourced is fragmented into smal-
ler file chunks, and these chunks are encrypted and then stored in
the public cloud with different locations. The process of file frag-
mentation occurs on the private cloud and then the chunks sent
in a different order than obtained from the original file to the pub-
lic cloud. Every data chunk upload operation is recorded in a Chunk
Distribution Dictionary (CDD) that is stored in the private cloud.
Every record from the CDD has three fields: 1-the index of the
chunk in the original file, 2-the location of where the chunk is
stored (in the case of using disturbed CSP), and 3-the hash value
of the chunk to integrity check purposes. This scheme applicable
in strong medical or business data and it suffers from an important
challenge, data fragmentation in the private cloud. In [37] the
authors proposed a cryptography technique that integrates both
encryption and obfuscation techniques of data before outsourcing.
It begins by checking the data type. If the data is in the form of dig-
its, obfuscation technique is applied through specific mathematical
functions without using a key, and if the data is in the form of
alphabets or alphanumeric, then it is encrypted by using symmet-
ric encryption. This integration technique provides more data secu-
rity rather than encryption or obfuscation only.
4. Query processing over encrypted data
After the data is encrypted and stored in the cloud, the question
is how the encrypted data would be processed without decrypting
it. If the user decrypts the data each time he/she would use it, it
might affect the confidentiality of data. To solve this problem, dif-
ferent solutions have been proposed in the literature. The authors
in [25–27], suggest new security method called the Homomorphic
Encryption method, which enables performing operations on
encrypted data without decrypting it. These operations might be
multiplication or addition, which fit the processing and retrieval
of the encrypted data. For example, two messages m1and m2 are
encrypted to m1
and m2,
it is possible to compute: Fðm1,
m2Þ,


where F can be: addition or multiplication function, without
decrypting the encrypted messages. However, it is not suitable
for many real world applications, because of its computational
complexity.
In [17], the authors provide a system that can process a match-
ing query over the encrypted data. The proposed system consists of
four phases. In the first phase, pre-processing and outsourcing: the
data is encrypted and sent to the CSP to be stored. In the second
phase, query pre-processing: the query is pre-preprocessed before
sending to the CSP, which means each value in the query will be
encrypted, so the query can be searched over the encrypted data
in the cloud without the need to decrypt the data. This depends
on the encrypted key used to encrypt the data itself. This key must
be the same as the one used to encrypt the value. In the third
phase, query processing and response: the received query is pro-
cessed by the CSP. The server will search for the first match for
the query condition, scan each attribute to get the matches, and
then send the encrypted results to the query issuer. In the fourth
phase, query post-processing and result: the received encrypted
result is decrypted by the query issuer.
The authors in [18] proposed encrypting the sensitive attributes
of each table in the database, and then storing the encrypted table
in the cloud, EncryptedDataTable (EDT). After that, another table is
created from the original table that contains two columns: a data
 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285
column, which contains a copy of the sensitive data columns, but
kept unencrypted, and a key column, where encrypted data is kept.
This table is called QuerySearchTable (QST). The records in QST are
re-ordered randomly, as not as the same in the EDT. Only autho-
rized users are allowed to access the encrypted data, when a search
query issues, the search is done first in the QST, find the key to EDT,
decrypt the key and then decrypt the result from EDT and the
resulting records will be returned to the user. This technique
returns only those records satisfying the user query and no addi-
tional record will be given.
5. Data integrity
Data integrity includes three aspects:
– Correctness: the query issuer is able to validate that the
returned results do exist.
– Completeness: the result is complete and no answers have been
omitted from it.
– Freshness: the results are based on the last version of the data.
Two models to store the data in the cloud, database as a service
and data as a service.
– In the database as a service model: the integrity guarantee is
applied on the query result returned from the CSP. The integrity
is provided at four different levels: table (entire relation), column
(attribute of the relation), field level (individual value), or row
(record/ tuple from the table). The integrity verification at the
table/column level is expensive since it can be performed only
by the query issuer, in which all the data corresponds to that
table/ column should be returned in the result. Because the table
or column was signed, the signature should be decrypted to
detect any unauthorized modification. At the field level, it is too
complex to sign each value in the table. Therefore, data integrity
suffers from a high verification overhead for the query issuer and
for the server as well as table/ column level. At the record level,
the integrity guarantee is only on the entire record, which con-
tains the query result, as each individual record was signed,
and it is the best solution to provide data integrity [6,7].
– In the data as a service model: The integrity guarantee is applied
on the data returned from the CSP. This data could be a message,
file, block of a file, or even sector of the block of the file [15].
Data integrity can be done between:
– Two entities: CSP and the owner/user, which discussed in this
section.
Fig. 4. Query execution between owner/ user and the CSP.
279
– Three entities: CSP, the owner/user and Trusted Third Party
(TTP), which will be explained in the next section.
Data integrity between CSP and Owner/User: As shown in Fig. 4,
the data owner stores the encrypted data in the CSP, and can insert,
update or delete data from CSP. Then, the data owner authorizes
users, who will have the ability to issue a query and get the result
from the CSP. The integrity check of query result done by the query
issuer that check if the answer is correct, complete and from the
last updated version uploaded to CSP.
Data integrity based different approaches: Different approaches
have been proposed to provide integrity guarantees of query
results. These approaches have been categorized into four types:
Digital Signature based schemes, Data structure based schemes,
Deterministic based schemes, and Bucket-based index schemes.
5.1. Digital signature based schemes
In [7,24], the authors apply different signature schemas to a dif-
ferent outsourced database model. The outsourced database mod-
els are: Unified Client Model (each database is used by only one
entity), Multi- Querier Model (owner and queriers), and Multi-
Owner Model (one database can have multiple owners).
In [6], the message is hashed first using a hash algorithm such
as: SHA1, then the signature is computed on the hash value.
Because of RSA signature multiplicatively homomorphic property,
it allows multiple signatures generated by a single signer to be
aggregated into one condensed signature and to verify this signa-
ture, and it ensures that each signature has been generated by
the actual signer. Condensed-RSA is appropriate to Unified-Client
as well as Multi-Querier models. BGLS signature allows multiple
signatures generated by different signers on different messages
to be aggregated into single signature based on elliptic curves
and bilinear maps, this appropriate to all three models of the out-
sourced database. DSA signatures allow a certain amount of pre-
computation, in which the signature is computed on the hash value
for each message individually and to verify different signatures
aggregated based on the multiplicative homomorphic property of
DSA. DSA signature aggregation is appropriate to all three models
of the outsourced database.
In [24], the authors proposed a technique to make the con-
densed RSA and BGLS signatures immutable, in which new signa-
tures computed from a set of other aggregated signatures to
protect it from the adversary, as it would be hidden. There are
two extensions of Condensed RSA: 1-Interactive, and 2-Non-
interactive. In the Interactive approach, the server attaches a tag
with a result to the query issuer, and sends a random challenge
to the server, which gives a valid response, together, convinces
280 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285

the query issuer of server’s knowledge of signature. In the non- with the owners’ private key. To verify the query result, aggregate
interactive approach, uses a signature of knowledge method the individual signatures of tree roots, which involved in the query
‘‘SKROOTLOG” that is universally verifiable; the server sends the result by using the aggregated signature scheme.
result with SKROOTLOG proof and the query issuer verifies by In [9], the authors proposed different data structures to both
checking this proof. The extension of aggregated BGLS, the server static and dynamic scenario. Aggregated Signatures with B + trees
computes its own signature on the query answer and aggregates schema, the data owner creates B + Tree for each attribute, which
it with the aggregated BGLS signature of the owner. contains the hashes of all consecutive pairs of records, and then
In [19], the authors use Signature Aggregation and Chaining the root signed. In the static scenario, the server constructs a VO
approach to authenticate the query. Before outsourcing the data- contains one consecutive pair per query result and one record from
base, each record is signed and the signature is outsourced too. the left and one from the right. In the dynamic scenario, the left
To answer a query, the server sends the matching records and their and right neighbors have to compute their signature also. This
signatures, which are aggregated into a single signature using schema drawback is the very high verification cost. While the Mer-
Condensed-RSA signature or Aggregated-BGLS scheme. This kle B-tree consists of ordinary B + tree nodes that are extended
ensures the query correctness. To achieve the query completeness, with one hash value associated with every pointer entry. The leaf
it proposes a signature chain of record, which is computed as: the nodes contain the hash value of records associated with index node
hash of the record concatenation with the hashes of all immediate computed on the concatenation of the hash values of their children
predecessor records, which is a record with the highest value of and the hash of the root signed using the owners’ private key. In
attribute that is less than the value of the given record along with the static scenario, to answer a range query the server builds a
this attribute, and the owners’ private key. VO that returns the data in the nodes between the discovered
leaves, the hash values of the left and the right nodes and the
5.2. Data structure based schemes signed root of the tree. In the dynamic scenario, Merkle B-tree is
very efficient in update operations, to update such a record, only
The data structure provides a verification object, VO, with the the path from the affected leaf node to the root need to be updated.
answers for authenticating the results. It occurs by using both hash In [21,31], Merkle B-tree created based on the table in the
functions and digital signature schemes. record level as shown in Table 1, the attribute values are used as
In [2], the authors proposed an authentication scheme, by con- keys in the MBT to index. To identify and preserve the order of
structing Merkle Hash Tree (MHT) on individual records. The leaf the pointers in internal nodes and records in leaf nodes of a MBT,
nodes contain the hash value of each record from such a table. Radix-Path Identifier scheme is proposed as shown in Fig. 5, which
The ascendant nodes are the concatenation of the descendant use numbers based on a certain radix to identify each pointer or
hashed nodes and the root after all nodes hashed would be signed record in a MBT depends on its level and position in the MBT.
The root of MBT will be updated each time a database updated,
and by sharing the new root signature with the users, freshness
Table 1 can be guaranteed. After the pointers are identified, the authentica-
Data table.
tion data associated with them stores into a database as Single
ID Name Email Salary Authentication Table (SAT) or Level-based Authentication
1 Mai [email protected] 1000 Table (LBAT). In SAT, store all authentication data as data records
2 Sarah [email protected] 1200 called Authentication Data Record (ADR) into one table in a data-
3 Len [email protected] 1400 base, where its corresponding data table is stored. In LBAT, store
4 John [email protected] 1700 ADRs in different levels to different tables and create one table
5 Ahmed [email protected] 2000
6 Nancy [email protected] 2500
per level for an MBT except for the leaf level along with a mapping
7 Lina [email protected] 3000 table to indicate which table corresponds to which level.
8 Will [email protected] 4000 In [20], a verification metadata (tree) is generated over data-
base, used by the user to verify the query freshness. A signature

Fig. 5. The data table converts to Merkle B-Tree with Radix Path Identifier.
 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285
Certificate is assigned to each root within an expiration time d, as
every expiration units of time the certificate will be replaced on
the current signature no matter there is an update or not. The sig-
nature will be changed, and the new signature is stored in the out-
sourced database.
5.3. Deterministic based schemes
In [20,22], the authors proposed a probabilistic method to
check the query completeness. Before the database is outsources,
fake records are inserted to it. When query issues, the fake
records, which is satisfying the conditions returned with the
result. In order to know which set of the inserted records should
be returned, use deterministic function, to definite the inserted
records and send this definition of the function to the users,
and the user would be verified whether all the fake records is
presented within the query result. If at least a fake record is miss-
ing, the query result is not complete. Query freshness can be
guaranteed using this method also; as the function determined
by a randomly chosen key to definite the set of fake records
and the time the function should be next used is also decided
on a randomly chosen key.
In [34], the authors proposed a scheme called Dual Encryption
to ensure query integrity, as using two different keys, a primary
and a secondary, and the query result would be duplicated, com-
paring the returned result to obtain the integrity assurance.
Table 2
Bucket based index.
BID (L,U) Checksum
1 [1000,2000) MN + i pi9x
2 [2000,3000) Ljklkml + @
3 [3000,4000) Olkcldmcl
Fig. 6. Using TTP to provide mutual trust between owner/ user and the CSP.
281
5.4. Bucket-based index schemes
Authentication is performed at bucket level rather than record
level. A bucket is generated by partitioning database with the
equivalent data range (values) or with the equal number of data
(count). Such that all buckets are security satisfied and efficiency
optimized [38]. Bucket-based index contains a bucket id BID, data
range (upper-lower bound) (U,L), a number of records in the
bucket and a checksum as shown in Table 2 using the data table
from Table 1. A bucket checksum is a hash digest, returned with
a result. When the result received, the user calculates the check-
sum of the result again and compares it with received ones. If
equal, this guarantees the query result authenticity [33].
6. Data integrity between CSP, owner/user and TTP
The database owner outsources their data management to a
trusted third party to check the integrity of data and save their
computation resources. As shown in Fig. 6, the data owner stores
the encrypted data in the CSP, and can insert data, update or delete
data from CSP. Then, the data owner authorizes users. The data
owner delegates the integrity check of the query result to the
trusted third party server that checks if the answer is correct, com-
plete and from the last updated version uploaded to CSP.
Data integrity based different approaches: Different approaches
have been proposed to provide integrity guarantees of query
results. These approaches have been categorized into three types:
Hash based schemes, Data structure based schemes, and other
schemes.
6.1. Hash based schemes
In [11], the authors use SHA-1 to verify the query, the owner
first encrypts the message M0 then hashed using SHA-1 algorithm
to get the digest D = h (M0 ), then sign the digest with the owner
282 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285
private key D0 . The encrypted message and the signature are stored
in CSP. In this system there are three different ways to check integ-
rity, 1-Integrity check between user and CSP, the CSP uses the
receiver’s public key on the signature to retrieve the digest D and
runs the hash algorithm on the encrypted message to get the digest
D, then compares the two digests, if equal, the message is accepted.
Otherwise, send to the user that the message in the cloud is mod-
ified. 2-Integrity check between user and TTP, TTP would take the
digest from the CSP and the message signature. Then, decrypt the
message signature with the public key and finds the message
digest. Compare the two digests and then let know the user if
the CSP was trusted or not. 3-Integrity check between TTP and
CSP, the CSP takes the digest from TPA (D). CSP would takes the
data signed from the TTP and decrypts it with public key and finds
the message digest. Compare the two digests, and then the CSP will
inform the user if the TTP was trusted or not.
6.2. Data structure based schemes
In [10], the authors use a HLA to generate verification metadata
over data and store it with the data in CSP, used by the user to ver-
ify the correctness of data. The proposed scheme consists of four
algorithms: 1-KeyGen, runs by the owner to generate the public
and secret keys of the system. 2-SigGen, preprocesses the data file
as the owner generates the verification metadata, stores it in CSP
and deletes its local copy. 3-GenProof, a proof is generated by using
the data file and its verification metadata as inputs. 4-VerifyProof,
verifies the proof by the TTP, and decrypts the result.
The authors in [16], use Message Authentication Code Chain
(MACC) scheme to ensure Query Authentication. The verification
process is implemented in the TTP server. The table structure is
modified before outsourced to support integrity verification as fol-
lows: R(A1,. . .. . ..., An, version, precursor, checksum), where A
denotes as attribute, ‘‘version” contains the update numbers of a
record, ‘‘Precursor” field stores the concatenation of precursor’s
primary key of each searchable attribute and the MAC value of a
record calculated and is saved in ‘‘checksum” field. When the user
issues a query, the result received from CSP send to the TTP that
reconstructs each record’s MAC value and compare it with the
checksum, if equal, then the record is correct, and send the result
to the user. If the result set forms a complete chain from the first
record boundary to the last record boundary, then the query
results are complete. The data freshness is guaranteed as the data
owner stores freshness summary information (FIS) in the TTP,
which includes the primary key and the version of each updated
record.
While in [13], the data owner chooses certain keywords from
the data and creates an index table to search efficiently using
public-key encryption with keyword search (PEKS) scheme. And
also generates public/private key pair for the PEKS tokens genera-
tion and moves the encrypted index table to two index clouds.
Then encrypts the data and generates HMAC to the encrypted data
and store them in the CSP. Then, the CSP returns a unique identifier
of the data to the owner and by specifying it, the query issuer can
use it to retrieve, add or delete data. By using TTP, the user issues
queries to both the index clouds to compare the identifiers to check
the data correctness. Unqualified files in query results can be found
once the HMAC verification is complete. To check query result
completeness, there is a counter for each keyword, because
unqualified files can be included in query result and the number
of returned files is correct, but it will be found once the HMAC ver-
ification is complete.
Adopting a new data structure in [14], which is version authen-
tication tree (VAT), constructed by employing the Merkle Hash
Tree. In this system, the file is divided into blocks and there are
groups, each group consists of a number of blocks. For each block
group, there is an encryption key (KE) and an asymmetric key pair
(KS, KV) for signing and verification. Using broadcast encryption to
distribute the keys and data storage. The data organized as follows
(encrypted block, metadata, signature, tag). A block’s metadata
includes a global id, data block identification, a version number,
KV and the broadcast messages of KE and KS. A signature com-
puted from the concatenation of the encrypted block and its meta-
data, along with a tag computed from the encrypted data block,
which is used as proof to verify the data. A version authentication
tree (VAT) would be constructed for each block group and stored in
the CSP along with the data. The tree root is signed with the latest
version signing key KS of a block group. The integrity checked with
the signature attached to group block to ensure the data correct-
ness and completeness. To ensure the data freshness, when a data
block in a group is updated, the metadata attached to the block is
updated. The metadata contains the version number of this block
which increments when an update is done. The version authentica-
tion tree (VAT) of the block group will also be updated. The fresh-
ness verified each time a query issuer request query from the
cloud, where the VAT root is authenticated using the latest version
of root signing key.
As in [20], an expiration time is assigned to the FIS, if the data is
updated or not, the version number saved in TTP is updated. When
this expiration time is short, the data freshness guarantee is higher,
but this will increase the network transmission overhead. In [15],
the authors use block status table (BST) data structure to recon-
struct the file to blocks and outsource it to the CSP. The BST con-
sists of three columns: (1) serial number (SN): an indexing to the
file blocks, (2) block number (BN): counter used to make logical
numbering to the file blocks, and (3) key version (KV): indicates
the version of the key used to encrypt each block. The BST imple-
mented as a linked list to simplify the insertion and deletion of
table entries. The data owner enforces access control by revoking
access rights to the outsourced data and by using the broadcast
encryption to encrypt the message for a group of users. To access
the data, the authorized users send a request to the CSP, and
receive the data file in an encrypted form.
The authors in [39] propose a new scheme for query correctness
and completeness based on invertible Bloom filter (IBF) and use
trusted third party server (TTP) and this scheme supports multi-
user setting by incorporating multi-party searchable encryption.
The IBF is constructed over the whole database, for each attribute
column in table; all distinct attribute values are treated as key-
words to construct an index. For each attribute column value, com-
pute a hash. Then, construct MHT and the hashes stored in the leaf
nodes. Each attribute value together with its index is encrypted
using symmetric encryption. When the user receives the query
result, he/ she reconstruct the hash of the record to check its cor-
rectness. If an empty set is returned, the user can verify the query
correctness by checking whether the search request belongs to the
IBF. Besides, using the property of member enumeration of IBF, the
data user can check whether all the desired records are returned.
6.3. Other schemes
In [12], the authors proposed a scheme that can handle multiple
sessions of various users at the same time by using TTP to audit
their external knowledge files by batch for higher potency. By
implementing this scheme, reduce the computation and the com-
munication overhead between the owner/user and the CSP. And
to evaluate this mechanism, they use the CLOUDBEES service
(the first PaaS to support the entire application lifecycle from
development to deployment) to host the cloud application and per-
forming the multiple users to upload data and performing auditing
service using the TTP and maintain generation proof from CSP.
 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285 283

7. A comparative summary of data confidentiality and integrity
techniques
As explained in previous sections, many studies have been dis-
cussed or implemented to check the outsourced data confidential-
ity and integrity based on different approaches. Early works [6,7],
use digital signatures to ensure the data correctness. In addition,
the digital signature is used in [19,24] to ensure the data correct-
ness and completeness. In [6,11,19], the hash algorithm is used
to ensure the data correctness. In [6,19], after the data is hashed,
the data would be signed using the digital signature as RSA. More-
over, the digital signature can also ensure the data confidentiality
as in [17], where the data is encrypted before it is outsourced.
The data structure is also used to ensure data integrity and confi-
dentiality. In [2], MHT is used to ensure data correctness. In
[10,13,16], verification data are generated using a MAC or HLA on
the hash value of data, and is stored with data, to verify the data
correctness. In [13], the data completeness can also be verified,
using PEKS scheme. In [16], the data completeness verified by
the MAC chain and the freshness guaranteed by the information
that stored in TTP. In [14], collecting number of blocks from file
into group and for each block group create VAT, sign the root,
the data correctness, completeness and also the freshness can be
guaranteed by the signature. In [15], BST is implemented to recon-
struct the file into blocks, this ensures data correctness and confi-
dentiality. In [21,31], MBT is used to ensure data integrity, as MHT
the root signature can guarantee the data correctness and fresh-
ness, and if the result set forms a complete signature chain, data
completeness is also guaranteed. In [20,22], the data integrity is
ensured by inserting or deleting fake records to the DB and the data
freshness is guaranteed by using an expiration time to the function
of inserting or deleting fake record. In [34], the dual encryption
scheme is used; this scheme can guarantee data confidentiality,
correctness, and completeness. In [39], using IBF over the whole
database and construct MHT, this guarantee the data correctness
and by using the property of member enumeration of IBF, the data
completeness is guaranteed. In [33,38], the data correctness and
completeness are guaranteed at bucket level. Most of the previous
works are ensure the data integrity and few give attentions to the
data confidentiality, as the data must be encrypted before out-
sourced. In [23], prototype toolset called ‘‘Silverline” is used to pro-
vide data confidentiality. In [35], use biometric encryption to
encrypt the biometric data. In [37] integrate encryption and
obfuscation techniques to data before outsourced. In [25–27], a
new method called the Homomorphic Encryption is used. In [36],
using both private and public cloud to store data to ensure the data
confidentiality and this scheme can also guarantee data
correctness.

Table 3
Comparative summary.

Schemes Algorithm/technique Reference Data Type Confidentiality Integrity Using

TTP
Correctness Completeness Freshness
Digital Signature SHA1,RSA, Condensed RSA, BGLS, DSA 6 [2004] Database U U
Condensed RSA, BGLS, DSA, 7 [2006] Database U U
Immutable Condensed RSA,
Immutable BGLS
AES 17 [2012] Database U U U
Hash, Condensed RSA, Aggregated 19 [2006] Database U U U
BGLS
Immutable Condensed RSA, 24 [2004] Database U U U
Immutable BGLS
Hash SHA215 11 [2014] Message U U U
Data structure MHT, Condensed RSA, Aggregated 2 [2005] Database U U U
BGLS
HLA, Hash 10 [2013] File U U U
Public key encryption with keyword 13 [2012] File U U U
search (PEKS), HMAC
Version Authentication tree, RSA, AES 14 [2015] File U U U U U
Block Status Table 15 [2013] File U U U U
MACC, hash 16 [2014] Database U U U U
MBT, Radix Path Identifier, hash 21 [2014] Database U U U U U
MHT, MBT, Radix Path Identifier 31[2015] Database U U U U U
IBF, MHT 39 [2016] Database U U U
Deterministic Deterministic fake tuples 20 [2008] Database U U U U
22 [2007]
Cipher block chaining MAC 34 [2008] Database U U U U U
Bucket based index Bucket-based index, hash 33 [2010] Database U U U U
Bucket-based index 38 [2008] Database U U U U
Other Public audit scheme with 4 algorithms 12 [2014] File U U
(KeyGen, SigGen, GenProof and
VerifyProof).
Silverline Tool set, symmetric 23 [2011] Database U
encryption
Biometric encryption 35 [2014] Biometric U
data
Store data chunks in CCD in private 36 [2014] File U U
cloud
Encryption and obfuscation 37 [2014] Database U
techniques
Fully homomorphic encryption 25 [2013] Message U
26 [2014]
27 [2012]
284 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285
Fig. 7. The proposed architecture.
An overview of different algorithms and techniques to check
data confidentiality and integrity based on different schemes is
presented in Table 3.
8. Proposed architecture for secure outsourcing
To achieve data security, while the database is outsourced to
CSPs, we proposed a system that can handle data security prob-
lems including, data confidentiality, data availability, data privacy,
query integrity verification, and query processing over encrypted
data. We propose an architecture, which integrates different tech-
niques to ensure the data security, and we use trusted third party
(TTP) server to verify data integrity as it reduces the computation
and the communication complexity and cost on the data owner
and the user servers.
This architecture consists of two phases as shown in Fig. 7:
1. Setup phase, which contains the database pre-processing, out-
sourcing and the user authorization.
(a) we assume that the data owner encrypts the sensitive attri-
butes using symmetric encryption algorithm (advanced
encryption standard) AES, and gives authorization to users.
The AES key is delivered to the authorized users by using
the broadcast encryption, which is used to decrypt the
result later. By using the AES and broadcast encryption,
the data confidentiality of the outsourced database can be
guaranteed. The encrypted database is stored in the CSP.
(b) The data owner creates a Merkle B-Tree data structure over
the encrypted database. Each tree is built on one attribute
from one table; each value is hashed using MD5, and stored
in the leaf nodes, which contains pointers to those values.
The inner nodes contain the concatenation of the hash val-
ues of their children nodes and then the root of the tree will
be signed using asymmetric encryption algorithm BGLS. The
Merkle B-Tree is stored in TTP as metadata to check the
query result integrity.
2. Audit and Result phase, which contains query pre-processing,
querying and result integrity checking.
(a) The user logins and sends the original query, which is pro-
cessed by the Query filter. If it contains values that are
encrypted in the outsourced database, these values will be
encrypted using AES key.
(b) The query is executed in the CSP, and the received result is
processed by the Query filter. In the Query filter, the
received result is hashed, and using the metadata, the tree
root signature is decrypted. Then we can compare between
the new computed hash values of the result and the leaf val-
ues; if equal then the integrity check result is correct.
(c) The result is returned to the query translator, which
decrypts the result and sends them to the user. The data
correctness and completeness of the query result can be
guaranteed using this comparison. Data freshness assured
by the root signature that each update done in the out-
sourced database, the root signature will be reassigned with
new signature; and the owner will publish the new key to
the authorized users using broadcast encryption.
Data availability can be achieved by storing several data copies
on multiple cloud servers; so that if the server is down because of
the different threats, such as the denial of service attacks and nat-
ural disasters, we can use another server.
9. Conclusions and future work
Despite the significant growth of data and database as services
(DaaS, DBaas), there are still challenges to the widespread adoption
 M. Rady et al. / Ain Shams Engineering Journal 10 (2019) 275–285
of these services. The most significant challenge is data security.
There have been a number of contributions to satisfy the security
requirements to outsource the data: data confidentiality, query
integrity verification, and query processing over encrypted data.
References
[1] Attas D, Batrafi O. Efficient integrity checking technique for securing client
data in cloud computing. Int J Comput Sci Issues (IJCSI) 2011;11.
[2] Ma D, Deng RH, Pang H, Zhou J. Authenticating Query Results in Data
Publishing. The International Conference on Information and Communications
Security, Berlin 2005.
[3] Arora I, Gupta A. Cloud databases: a paradigm shift in databases. Int J Comput
Sci Issues (IJCSI) 2012;9.
[4] Ferrari E. Database-as-a-Service: challenges and solutions for privacy and
security. In: Services computing conference IEEE, Asia; 2009.
[5] Mehak F, Masood R, Ghazi Y, Shibli MA, Khan S. Security aspects of database-
as-a-service (DBaaS) in cloud computing. Switzerland: Springer International
Publishing; 2014.
[6] Hacigumus H, Iyer B, Mehrotram S. Ensuring the integrity of encrypted
databases in the database as a service model. In: Data and Applications
Security XVII. US: Springer; 2004. p. 61–74.
[7] Mykletun E, Narasimha M, Tsudik G. Authentication and integrity in
outsourced databases. ACM Trans Comput Logic 2006.
[8] Singh S, Maakar SK, Kumar S. A performance analysis of DES and RSA
cryptography. Int J Emerg Trends Technol Comput Sci (IJETTCS) 2013.
[9] Li F, Hadjieleftheriou M, Kollios G, Reyzin L. Dynamic authenticated index
structures for outsourced databases. USA: ACM Management of Data
(SIGMOD); 2006.
[10] Wang C, Sherman SM, Wang Q, Ren K, Lou W. Privacy-preserving public
auditing for secure cloud storage. IEEE Trans Comput 2013;62.
[11] Shantala C, Kumar A. Integrity check mechanism in cloud using SHA-512
algorithm. Int J Eng Comput Sci 2014;3.
[12] Lakshmi A, Kavitha D. An implementation of public auditing mechanism for
secure cloud storage. Int J Adv Res Comput Sci Softw Eng 2014;4.
[13] Fu, Tseng K, Liu YH, Chen RJ,Toward authenticated and complete query results
from cloud storages. In: 11th international conference on trust, security and
privacy in computing and communications; 2012.
[14] Jin H, Jiang H, Zhou K, Wei R, Lei D, Huang P. Full integrity and freshness for
outsourced storage. In: IEEE/ACM international symposium on cluster, cloud
and grid computing; 2015.
[15] Barsoum A, Hassan A. Enabling dynamic data and indirect mutual trust for
cloud computing storage systems. IEEE Trans Parallel Distrib Syst 2013;24.
[16] Hong J, Wen T, Guo Q, Sheng G. Query integrity verification based-on mac
chain in cloud storage. Int J Netw Distrib Comput 2014;2.
[17] Purushothama BR, Amberker BB. Efficient query processing on outsourced
encrypted data in cloud with privacy preservation. In: International
symposium on cloud and services computing; 2012.
[18] Sharma M, Chaudhary A, Kumar S. Query processing performance and
searching over encrypted data by using an efficient algorithm. Int J Comput
Appl 2013;62.
[19] Narasimha M, Tsudik G. Authentication of outsourced databases using
signature aggregation and chaining. In: International conference on database
systems for advanced applications (DASFAA); 2006.
[20] Xie M, Wang H, Yin J, Meng X. Providing freshness guarantees for outsourced
databases. The 11th International conference on extending database
technology: advances in database technology (EDBT). USA: ACM; 2008.
[21] Wei W, Yu T. Integrity assurance for outsourced databases without DBMS
modification. Int Federat Inform Process 2014.
[22] Xie M, Wang H, Yin J, Meng X. Integrity auditing of outsourced
data. Austria: Very Large Data Bases (VLDB); 2007.
285
[23] Puttaswamy KPN, Kruegel C, Zhao BY. Silverline: toward data confidentiality in
storage intensive cloud applications. In: Symposium on cloud computing
(SOCC), Portugal; 2011.
[24] Mykletun E, Narasimha M, Tsudik G. Signature bouquets: immutability for
aggregated/ condensed signatures. In: European symposium on research in
computer security, France; 2004.
[25] Ryan Mark D. Cloud computing security: the scientific challenge, and a survey
of solutions. Elsevier; 2013.
[26] Zhao F, Li C, Liu CF. A cloud computing security solution based on fully
homomorphic encryption. In: International conference on advanced
communication technology (ICACT); 2014.
[27] Tebaa M, El-Hajji S, El-Ghazi A. Homomorphic encryption applied to the cloud
computing security. In: The World Congress on Engineering, vol. I, London, U.
K; 2012.
[28] Raghuvanshi K, Khurana P, Bindal P. Study and comparative analysis of
different hash algorithm. J Eng Comput Appl Sci (JECAS) 2014;3.
[29] Boneh D, Lynn B, Shacham H. Short signatures from the weil pairing. In: The
7th international conference on the theory and application of cryptology and
information security: advances in cryptology, London; 2001.
[30] Silverio A, Custodio R, Carlos M, Mello R. Efficient data integrity checking for
untrusted database systems. In: The 6th international conference on advances
in databases, knowledge and data applications; 2014.
[31] Niaz M, Saake G. Merkle hash tree based techniques for data integrity of
outsourced data. In: The 27th GI-workshop on foundations of databases,
Germany; 2015.
[32] Shmueli E, Vaisenberg R, Gudes E, Elovici Y. Implementing a database
encryption solution, design and implementation issues. Elsevier; 2014.
[33] Wang J, Du X, Lu J, Lul W. Bucket-based authentication for outsourced
databases. J Concurr Comput: Pract Exp 2010.
[34] Wang H, Yin J, Perng C, Yu PS. Dual encryption for query integrity assurance.
In: Conference on information and knowledge management; 2008.
[35] Omar MN, Salleh M, Bakhtiari M. Biometric encryption to enhance
confidentiality in cloud computing. In: International symposium on
biometrics and security technologies (ISBAST); 2014.
[36] Butoi A, Tomai N. Secret sharing scheme for data confidentiality preserving in
a public-private hybrid cloud storage approach. In: IEEE/ACM 7th international
conference on utility and cloud computing; 2014.
[37] Arockiam L, Monikandan S. Efficient cloud storage confidentiality to ensure
data security. In: International conference on computer communication and
informatics (ICCCI), India; 2014.
[38] Wang J, Du X. LOB: Bucket based index for range queries. In: 9th international
conference on web-age information management, China; 2008.
[39] Wang J, Chen X, Li J, Zhao J, Shen J. Towards achieving flexible and verifiable
search for outsourced database in cloud computing. Future Gener Comput Syst
2016.
Mai Rady received a B.Sc. degree in Information Technology and Computing in 2011
from Arab Open University, Jeddah, Saudi Arabia. Currently, she is a master student
in information system department, Ain Shams University, Egypt, Cairo. Her current
research interests include cloud computing, database security, and data mining.
Tamer Abdelkader received a B.Sc. degree in electrical and computer engineering
and an M.Sc. degree in 2003 from Ain Shams University, Cairo, Egypt. He received
M.Sc. and Ph.D. degrees in 2012 in electrical and computer engineering from the
University of Waterloo, Ontario, Canada. He worked in the University of Waterloo as
a postdoctoral, and a network consultant in Egypt. Currently, he is an associate
professor at Ain Shams University. He is the author of several publications in IEEE
journals and conferences. His current research interests include mobile computing,
vehicular networks, energy-efficient protocols, mobile social networks, and cloud
computing.
Rasha Ismail worked in Ain Shams University as associate professor. she is the
author of several publications in IEEE journals and conferences.