Received July 25, 2020, accepted August 11, 2020, date of publication August 14, 2020, date of current

version August 27, 2020.

Digital Object Identifier 10.1109/ACCESS.2020.3016760

An Authorized Public Auditing Scheme for

Dynamic Big Data Storage in Cloud Computing
HAN YU 1,2 , XIUQING LU 1,3 , AND ZHENKUAN PAN1
1 College of Computer Science and Technology, Qingdao University, Qingdao 266071, China
2 College of Computer, National University of Defense Technology, Changsha 410073, China
3 Department of Management Science and Engineering, College of Business, Qingdao University, Qingdao 266071, China

Corresponding author: Xiuqing Lu ([email protected])

This work was supported in part by the Natural Science Foundation of China under Grant 61772294 and Grant 61602214, and in part by
the Natural Science Foundation of Shandong Province under Grant ZR2019LZH002.

ABSTRACT Nowadays, to utilize the abundant resources of cloud computing, most enterprise users prefer
to store their big data on cloud servers for sharing and utilization. However, storing data in remote cloud
servers is out of user’s control and exposes to lots of security problems such data availability, unauthorized
access and data integrity, among which data integrity is a challenging and urgent task in cloud computing.
Many auditing schemes have been proposed to check the integrity of data in cloud, but these schemes usually
have some disadvantages. One is that these auditing schemes cannot check which block is corrupt when the
data is not integrated. The other is that there’s no efficient authenticated data structure helping to achieve
accurate auditing when the data needs to update frequently. To solve the problems, we propose a public
auditing scheme for dynamic big data storage in cloud computing. Firstly, we design a dynamic index table,
in which no elements need to be moved in insertion or deletion update operations. Secondly, when data in
cloud is not integrated, the third-party auditor can detect which block is corrupt. Finally, an authorization
is employed between the third party and cloud servers to prevent denial of service attack. The theoretical
analysis and the simulation results demonstrate that our scheme is more secure and efficient.

INDEX TERMS Dynamic auditing, authorization, cloud storage, data security.

I. INTRODUCTION is utilized by users. How to ensure the integrity of the data

Cloud computing is a fast-developing business computing
model and has many advantages, such as large storage, low
cost, and scalability. More and more enterprise users are apt
to outsource their big data to cloud servers for storage and
processing. After outsourcing, the enterprise users usually
choose to delete their original big data from their local storage
servers for saving storage space. Despite of the convenience
of cloud computing, storing the data on cloud servers without
possessing the original copy may bring about many security
problems. Cloud servers are subject to hardware or software
failures and malicious attacks occasionally [1]–[3]. And for
their own benefits, cloud service providers (CSP) are reluc-
tant to tell users the truth when the failures or attacks occur.
Even worse, CSP might discard the data that the users are
not or rarely accessed for saving maintenance cost or cloud
storage space [4]–[6]. So CSP must provide proof to ensure
the data is correctly stored on cloud servers before the data
The associate editor coordinating the review of this manuscript and
approving it for publication was Adnan Abid.
in cloud servers is a challenging and urgent task in cloud
computing. Data auditing schemes can enable users to verify
the integrity of their data in remote cloud servers without
retrieving the data. Based on the role of verifier, data auditing
schemes can be divided into two categories: private auditing
and public auditing. In private auditing schemes [7]–[9],
the data integrity is only verified by the users and accordingly
increases the overhead of users that they cannot afford. While
public auditing schemes allow any public verifier who has the
user’s public key to execute the auditing process. Commonly,
a third-party auditor (TPA) who has expertise and capabil-
ities is involved and executes the verification performance.
Many auditing schemes have been proposed to check the
data integrity in cloud. However, these schemes cannot check
which block is corrupt when the data is modified. Further-
more, there’s no efficient authenticated data structure helps
to achieve accurate auditing when the data needs to update
frequently. Therefore, it is essential to propose an efficient
public auditing scheme for dynamic big data storage in cloud
computing.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 8, 2020 151465

In this paper, we propose an authorized dynamic public
auditing scheme by introducing a new data structure named
dynamic index table (DIT). Through the DIT, our scheme can
achieve dynamic updating without the elements’ adjustments.
Additionally, our scheme can judge which block is lost or
corrupt when data integrity fails. Our contributions are sum-
marized as follows.
1) We propose an authorized dynamic public auditing
scheme that can check which block is corrupt.
2) We design an efficient authenticated data struc-
ture named dynamic index table (DIT), which is
used to store block properties to help TPA achieve
data auditing and can be updated without element
moving.
3) We prove the security of the proposed scheme and
evaluate the performance of computation and commu-
nication cost. The results show that our scheme is more
efficient than the other ones.
The rest of the paper is organized as follows. Section II
introduces the related works on integrity verification.
Section III describes the system model, threat model and the
design goals of the scheme. Section IV addresses the prelim-
inaries of the scheme. In section V, we present the proposed
scheme in detail. Section VI and section VII demonstrates
the security analysis and the performance of the scheme in
computation and communication cost. Finally, we conclude
this paper in section VIII.
II. THE RELATED WORKS
So far, many typical public auditing schemes have been
proposed to verify the integrity of data stored in remote
untrusted servers. In 2007, Ateniese et al. [10] proposed the
first public auditing scheme which proposed provable data
possession (PDP). This scheme allows any public verifier to
check the data integrity without retrieving the data. How-
ever, this scheme can only verify static data integrity. Later
Ateniese et al. [11] proposed another scheme based on the
symmetric key PDP scheme to audit the dynamic data in
cloud servers. This scheme supports dynamic modification
and deletion operations, but does not support the insertion
operation. To improve update efficiency, an authenticated
data structure is always introduced. Erway et al. [12] intro-
duced an authenticated skip list in his dynamic provable data
possession (DPDP) scheme. Later, Wang et al. [13] proposed
a dynamic public auditing scheme based on Merkle Hash Tree
(MHT). The scheme can achieve dynamic data operations,
but it would incur multitude computation and communication
overhead during the verification process. In scheme [14],
Zhu et al. introduced an index-hash table (IHT) stored at
TPA side to help dynamic verification. Compared with other
schemes, it is more efficient in computation and communica-
tion costs. However, in updating process, as IHT is a sequence
data structure, it would cause an average of half adjustment
of elements in IHT, resulting in the decrease of the system
efficiency. In 2013, Yang and Jia [15] proposed an index
table (ITable) to store the abstract information of blocks,
151466
H. Yu et al.: Authorized Public Auditing Scheme for Dynamic Big Data Storage
including the current and original index number, current
version number and time stamp of each block. It is efficient
to prevent the replay attack, but in insert and delete opera-
tions, all the tags of blocks after deleted or inserted need to
be recomputed as the indexes of these blocks are changed.
Liu et al. [16] put forward an authorized public auditing
scheme for big data with efficient verifiable fine-grained
updates. Later in 2017, Tian et al. [17] proposed a Dynamic-
Hash-Table based auditing scheme for cloud storage. In 2018,
Gan et al. [18] designed an efficient and secure auditing
scheme for outsourced big data with algebraic signature.
Zhang et al. [19] proposed a cloud storage auditing for shared
big data. In 2020, Lu et al. [20] propose an integrity verifi-
cation scheme for Internet of Things (IoT) mobile terminal
devices. In the scheme, block-tag generation and integrity
verification operations are executed at third-party auditor
(TPA) side, which achieves lightweight operations of data
owners. However, the employed data structures in all the
schemes cannot ensure the replay attack during integrity
verification process. Therefore, it is crucial to develop a
more secure auditing scheme for achieving dynamic integrity
verification services. Table. 1 compares the scheme with
other typical schemes in terms of dynamic auditing, batch
auditing, data structure and authorized auditing. Nowadays,
many other integrity verification schemes have been pro-
posed and prompted the security development of cloud com-
puting. Because the data stored in cloud for sharing can
face many privacy challenge such as identity privacy and
sharing data privacy. Scheme [2], [21]–[28] proposed pri-
vacy preserving auditing protocols to prevent privacy leak-
ing. At the same time, with the development of Internet of
things and mobile devices, lightweight schemes [29]–[35]
are proposed to satisfying the efficiency needs of auditing
process. In recent years, many schemes [36]–[40] based
on identity encryption and attribute encryption are put for-
ward to realize data sharing with other authorized users in
cloud.
TABLE 1. Comparison of integrity verification schemes.
VOLUME 8, 2020
H. Yu et al.: Authorized Public Auditing Scheme for Dynamic Big Data Storage
III. SYSTEM MODEL, SECURITY REQUIREMENT AND
DESIGN GOALS
A. SYSTEM MODEL
We describe the system model as illustrated in fig. 1.
It involves four entities named enterprise user (user), Cloud
Server Provider (CSP) and the Third-Party Auditor (TPA).
The user generates and outsource massive amount of data to
Cloud Servers (CS) which has large capacity to maintain the
user’s data. CSP manages the cloud servers and gives user
access anywhere with an Internet service. TPA is an entity that
is authorized by user and has much expertise and resources to
verify data integrity efficiently.
FIGURE 1. System model.
In the system, we assume that both TPA and CSP are semi-
trusted. TPA is semi-trusted because he may be curious about
user’s data. The scheme must preserve the outsourced data
privacy from TPA. CSP is semi-trusted because when some
data in cloud servers is corrupt or lost, CSP may launch forge
attack or replace attack to TPA for economic reasons.
B. SECURITY REQUIREMENT
Public auditing. TPA can publicly verify the integrity of
outsourced data for user.
Authorized auditing. Only the authorized TPA can launch
auditing challenge to avoid replay attack.
Data Privacy. TPA cannot learn the content of data stored
in cloud servers in public auditing process.
Unforgeability. Only the user can generate the block tags
for auditing.
Storage integrity. The integrity verification can be
achieved only if CSS correctly stores data blocks and the
corresponding block tags.
C. DESIGN GOALS
Based on the system model and security requirements, our
scheme should achieve the following properties.
VOLUME 8, 2020
Security requirements. The scheme should satisfy the
security requirements including data privacy, authorization
and unforgeability during integrity verification process.
Lightweight operations. Both the computation and com-
munication costs of user are greatly reduced in our auditing
scheme because TPA is responsible for generating block tags
and managing DIT.
Effectiveness. The scheme should effectively achieve data
auditing process under user’s authorization.
IV. PRELIMINARIES
A. NOTATIONS
The notations in this paper are described in Table. 2.
TABLE 2. Main notations of the scheme.
B. BILINEAR MAPS
Suppose G1 ,G2 are two multiplicative groups with same
large prime order q, and G is a generator of G1 .
A bilinear map e is a map function e:G1 ×G2 →G1
with the following properties: i) Computability. ∀u,v∈G1 ,
an efficient algorithm exists
to compute e(u, v). ii) Bin-
earity. ∀a,b∈Zq , ∃e ua ,vb =e (u,v)ab . iii) Nondegeneracy.
e [g,g] 6 = 1. iv) Security. It is hard to compute Discrete Log-
arithm (DL) in G1 .
C. COMPLEXITY ASSUMPTIONS
1) Discrete Logarithm (DL) Assumption. Suppose g
is a generator of multiplicative cyclic group G with
prime order q. On input y ∈G, there does not exist
probabilistic polynomial time algorithm that outputs
a value x ∈ Z ∗q such that gx = y with non-negligible
probability.
2) Computational Diffie-Hellman (CDH) Assumption.
Suppose g is a generator of multiplicative cyclic
group G with prime order q. On input gx ,gy ∈ G, there
does not exist probabilistic polynomial time algorithm
that outputs gxy ∈ G with non-negligible probability.
V. CONSTRUCTIONS OF SECURE DATA SHARING SCHEME
A. DYNAMIC INDEX TABLE
To achieve the public integrity verification efficiently,
an authenticated data structure named Dynamic Index
Table (DIT) is employed. To avoid the elements in DIT mov-
ing when blocks are inserted or deleted, we use static linked
list to construct DIT. DIT is a one-dimensional structural
151467
 H. Yu et al.: Authorized Public Auditing Scheme for Dynamic Big Data Storage

0
array and includes five structural members: block number TABLE 5. Modified DIT after mi is inserted after mi −1 .
(Bid i ), hash value of each blind block (Hashi ), time stamp
of block (Ti ), version number of block (Vi ) and the static
pointer pointing to the subordinate of next block (Next i ).
Hashi is mainly used to check which block is corrupt when
data is not integrated. Ti and Vi are used to avoid attacks
from adversaries. Next i points to subordinate of next block for
connecting the file together. For example, Next 1 is 2 means
the next block data of m1 is m2 . Next n is 0 means mn is the
final block data of the file. The initial DIT information is
described as Table. 3.

TABLE 3. Initial DIT.

1) Setup phase
In this phase, KGC generate system parameters and
keys for user and TPA in algorithm Initial. The user
is responsible to divide big data into blocks and blinds
each in algorithm BlockBlind. TPA is in charge of
generating block tags in algorithm TagGen and deriving
DIT in algorithm DITGen. The user computes chal-
lenge authority for TPA in algorithm AuthorityGen.
The dataflow in each algorithm of this phase is
described in fig. 2.

When block mi is deleted, Next i−1 is set to value i + 1 from

the obvious value i, which means the next block data of mi−1
is mi+1 . Moreover, Next i is set to value −1, indicating that mi
is deleted from the file F and a new element information can
be stored here. Table. 4. Describes modified DIT after mi is
deleted.

TABLE 4. Modified DIT after mi is deleted.

FIGURE 2. Dataflow in setup phase.

0
When a new block mi is inserted after mi−1 , Next i−1 is
changed to i and previous Next i is changed to i + 1. If there
are no ineffective lines, the information of mi can be added in
the last position only with the corresponding static pointer are
0
updated. Table. 5. Describes modified DIT after mi is inserted
after block data mi−1 .
B. DETAILED INTEGRITY VERIFICATION SCHEME
The efficient and secure auditing scheme consists of three
phases including setup phase, integrity verification phase and
dynamic update phase. The three phases are described in
detail as follows.
Initial (λ) → {2,α, sk} . Given system security
parameter λ, KGC constructs the bilinear map group
system 2 = (G1 , G2 , p, g, e) where G1 , G2 are mul-
tiplicative groups with prime order p, g is a generator
of G1 and e is a bilinear map e:G1 ×G1 → G2 . KGC
selects sk∈ Z ∗p as user’s private key and computes pk =
gsk as the corresponding public key. Then KGC selects
α∈ Z ∗p as TPA’s private key and computes w = gα
as the corresponding public key. Next, KGC chooses
secure one-way hash functions π : G1 → G1 , h :
{0, 1}∗ → G1 , H : G1 → Zp∗ . Finally, KGC sends sk

151468 VOLUME 8, 2020

H. Yu et al.: Authorized Public Auditing Scheme for Dynamic Big Data Storage

to user with identity Uid, α to TPA securely and make

{G1 , G2 , p, g, e, π, h, H , w, pk} public.
BlockBlind (F,SK) → M. The user first divides F
with identifier Fid into n data block named m∗i by
erasure code algorithm. To keep the data private to
others, user blinds each block before outsourcing F to
CSS. The user selects ri ∈ Z∗p , i ∈ [1,n] randomly and
computes δi = gri . Then user blinds each block as mi =
m∗i + π (σi ) and denotes M = {mi }i∈[1,n] . Furtherly,
user divides each block mi into s sectors. That means
M = {mi } ,mi = mij , i ∈ [1,n] , j ∈ [1,s]. Finally,


user transfers Finfo = mij , ti , vi to TPA, where ti and



vi is the timestamp and version of each block.

TagGen (M,α) → σ i . TPA selects uj ∈ G1 , j ∈ [1, s]
and computes block tags σi for each block mi , i ∈ [1, n]
as follows.
Ys m α
σi = h (vi ||ti ) · uj ij ) (1)
j=1

Then TPA sends
W = (Fid, M , σi ) to CSP.
DITGen Finfo → DIT . TPA generates DIT includ-
ing Bid i , Hashi , Ti , Vi , Next i and stores it locally for
dynamic updates later. To save space, then TPA deletes
mi from local server.
AuthorityGen (sk) → sig . Only authorized TPA can
launch auditing challenge to prevent malicious attack-
ers from generating denial-of-service attacks on CSP.
The user with identity Uid randomly selects x ∈ Zp∗ and
computes y = gx . Then user generates authorization for
TPA to launch auditing challenge as follows.
sig = gsk+xH (Uid)
Finally, the user sends sig to TPA.
2) Integrity verification phase In this phase, TPA first
generates a challenge and sends it to CSP in algorithm
ChallGen. Next, CSP computes integrity proof and
sends it to TPA for verification in algorithm ProofGen.
Then TPA verifies whether the data is intact through the
proof in algorithm ProofVerify. The dataflow in each
algorithm of this
phase is described in fig. 3.
ChallGen Finfo . When TPA gets the verification
delegation from the user, he selects some blocks
to construct a random c-element subset C from set
[1, n] and generates random numbers li ∈ Z∗p ,
i ∈ C. Then TPA sends the challenge Chall =
{sig, (i, li ) , Fid, Uid} , i ∈ C to CSP.
ProofGen (F, T , Chall) : On receiving the challenge,
CSP verifies the equation sig = pk · yH (Uid) . If it fails,
it outputs NO, otherwise, CSP computes tag proof and
data proof as follows.
FIGURE 3. Dataflow of dynamic integrity verification phase.
ProofVerify (P, w) → {1, 0} . After receiving the
proof P from CSP, TPA verifies the proof P as follows.
 Y 
e D· (h (vi ||ti ))li , w = e (S, g) . (5)
i∈C
If the equation holds, the algorithm outputs 1. Other-
wise, the algorithm checks which block is not correctly
stored as follows. TPA sends check request to CSP.
(2) Then CSP computes L= {h0i = H (mi ) , i ∈ C, where
mi is block data stored on CSS, and transfer L to
TPA. Next, TPA compares L with H (mi ) stored in DIT
sequentially. If h0i is not equal to H (mi ), TPA informs
CSP the ith block is corrupt and CSP recovers it.
3) Integrity verification phase
The user can update the data outsourced to the cloud
whenever needed. The user can execute insertion,
deletion and modification operations on block level.
Algorithm BlockInsert executes block insertion
BlockDelete realizes block deletion. Block modifica-
tion can be executed with algorithm ockModify. The
dataflow in this
 0phase is  described in fig. 4.
BlockInsert mi ,i,SK . Suppose a new block m0 is to
be inserted after block mi . The user first calls algo-
rithm BlockBlind to blind the block as m∗ = m0 +
π (σi ). Then TPA calls algorithm TagGen to com-
pute a new tag σ 0 for m0 and sends
m∗ , σ 0 to CSP.

0
Meanwhile, TPA
computes
H mi and adds a new
item i + 1, H m , t , v at the position where Next i
0 0 0

σili is −1 or at the last position of DIT.

Y
S = (3)
Ys
i∈C P BlockDelete (mi ). Assume block mi is to be deleted.
l ·m
D= uj i∈C i ij (4) CSP deletes mi and σi from CSS. Then TPA finds the
j=1
position of mi based on block number and modifies
Then CSP sends P = {S, D} to TPA. Next i to −1, indicating new item can be inserted her.

VOLUME 8, 2020 151469

 H. Yu et al.: Authorized Public Auditing Scheme for Dynamic Big Data Storage

Theorem 1: An authorized public verifier can correctly

verify the integrity of the file stored in cloud servers in our
scheme.
Proof: Theorem 1 can be proved through verifying the
correctness of eq. (5). The proof is as follows:
 Y 
e D· (h (vi ||ti ))li , w
i∈C
s
Y P 
l ·m Y
=e uj i∈C i ij · (h (vi ||ti ))li , w
j=1 i∈C
Y Ys li ·mij Y

=e uj · (h (vi ||ti ))li , w
i∈C j=1 i∈C
Y Ys 
(h (vi ||ti ))li , gα
li ·mij Y
=e uj ·
i∈C j=1 i∈C
= e (S, g)

From the proof of eq. (5), TPA can verify the integrity of the
file outsourced to the CSP.
Theorem 2: It is computationally impossible for CSP to
FIGURE 4. Dataflow of dynamic update phase.
forge an integrity proof to pass the public verification, if the
Computational Diffie-Hellman (CDH) problem is hard in
 0  bilinear group.
BlockModify mi , α, sk . Assume block mi is modi-
Proof: After CSP receives the challenge Chall =
fied to m0i . The user first calls algorithm BlockBlind {sig, (i, li ) , Fid} , i ∈ C from TPA, he should send the
to blind the block as m0i = m0i + π (σi ). Then TPA correct proof P = {S, D} to TPA.Instead, suppose CSP
calls algorithm
 0 TagGen to compute a new tag σ 0 for m0i generates an incorrect proof P0 = S, D0 to TPA, where
and sends mi , σ to CSP. Meanwhile, TPA computes
0
Qs λ0j
D0 = , λ0j = i∈C li × mij , j ∈ [1, s]. Define
0
P
H m0i and modifies the

u

previous element in DIT to P j=1 j
new element i, H m0i , t 0 , v0 at the correct position. λj = i∈C li × mij , 1λj = λj − λj . It is obvious at least
0

After each updating, the user delegate TPA to verify the one 1λj is nonzero. If CSP can pass the verification with P0 ,
update block. When the verification is passed, the user the CSP wins the game, otherwise, it fails.
chooses to delete the local data. Suppose CSP can win the game, the following equation can
be inferred according to eq. (5).
C. BATCH AUDITING FROM MULTIUSERS λ0j Y
Y 
s
Batch auditing can concurrently process multiple verifica- e uj · (h (vi ||ti )) , w = e (S, g) .
li
j=1 i∈C
tions from different users. Suppose U is collection of k
different users. When receiving k challenges from k users, Furthermore, P = {S, D} is the correct proof, so the following
CSP computes tag proof Si , i ∈ [1, k] and data proof Di , i ∈ equation also satisfies.
[1, k]. Then CSP gets SU and DU by aggregating Si and Di λ Y
Ys 
e uj j · (h (vi ||ti ))li , w = e (S, g)
respectively according to the following equations: j=1 i∈C
Yk From the above two equations and the properties of bilinear
SU = Si (6) λ0 λj
maps, it can be concluded that sj=1 uj j =
i=1 Q Qs
Yk j=1 uj ⇒
DU = Di (7) Qs 1λj
i=1 j=1 uj = 1. Because G1 is a cyclic group, then for two
When receiving the proof SU and DU from CSP, TPA elements b1 , b2 ∈ G1 , ∃x ∈ Zp such that b2 = bx1 . Further-
µ ν
checks the proof through the following verification equation: more, given b1 , b2 , uj can be generated as uj = b1 j b2j ∈ G1,
where µj , νj ∈ Zp . Then we have the following. P
Qs  µj νj 1λj
  s
1λj j=1 µj 1λj
Yk Y

li,j 
, wi = e (SU , g) .
Qs
e DU · h vi,j ||ti,j u
j=1 j = j=1 b b
1 2 = b 1 ·
i=1 j∈C Ps
νj 1λj
(8) b2 j=1 = 1. Obviously, a solution to the DL problem can
be found. The value x can be computed as follows unless 1λj
If the equation holds, it outputs YES, meaning all the files of
is zero.
the k users are correctly stored on cloud servers. Otherwise, Psmax
it outputs NO, meaning one or more files are corrupt. j=1 µj 1λj
Psmax
j=1 νj 1λj
b2 = bx1 = b1 ,
VI. SECURITY ANALYSIS Psmax
j=1 µj 1λj
In this section, the security of the proposed scheme, including x = Psmax .
correctness, unforgeability and privacy is analyzed. j=1 νj 1λj

151470 VOLUME 8, 2020

H. Yu et al.: Authorized Public Auditing Scheme for Dynamic Big Data Storage
However, at least one 1λj is defined nonzero and νj is a
random element of Zp ,which means the probability of νj
being equal to zero is 1 p. Therefore, we can find  a solution
to the DL problem with a probability of 1 − 1 p, which is
conflict with the suppose that the DL problem is hard in G1 .
This is the proof of the theorem 2.
Theorem 3: As long as the DL assumption holds, it is
computationally infeasible for TPA to get any private data
during the integrity verification.
Proof: After CSS gets P the challenge Chall from TPA,
i∈C li ·mij
Qs
he sendsP D = u
j=1 j to TPA as the data proof.
Because i∈C li · mij is at the exponent position of D, accord-
ing to DL assumption, TPA cannot get any information on the
user’s private data.
VII. PERFORMANCE EVALUATION
A. COMMUNICATION COSTS
According to the proposed scheme, in setup phase, the main
communication cost is generated between user and TPA and
between TPA and CSP. Suppose an element’s size of Zp is
|p|. In algorithm BlockBlind, after user blinds each block,
he sends Finfo = mij , ti , vi to TPA. Therefore, the commu-
nication cost is n |p| + n (|ti | + |vi |), where |ti |, |vi | are size of
ti and vi . In algorithm TagGen, TPA sends W = (Fid, M , σi )
to CSP. Therefore, the communication cost is 2n |p| + 1.
In integrity verification phase, the main communication cost
is mainly generated between TPA and CSP. When launching
a challenge in algorithm ChallGen, TPA sends Chall =
{sig, (i, li ) , Fid, Uid} to CSP and the main communication
cost is c (|i| +|p|) bits, where |i| is the size of the block index.
In algorithm Proof Gen, CSP sends P = {S, D} to TPA and
the communication is 2|p|, which is constant and can be
ignored. In updating phase, the communication cost between
the user and TPA and between the TPA and CSP is a constant.
We compare our scheme with scheme [12]–[14], [17] in the
complexity of communication costs as Table. 6. From the
table, it can be concluded that the communication cost of our
scheme is more efficient than Wang’s and the same as Zhu’s.
TABLE 6. Comparison of communication costs.
B. STORAGE COSTS
Our scheme consists of three phases and the storage costs
mainly generate in setup phase. Suppose the file outsourced
to cloud named F includes n data blocks and each block
size is |p|. In algorithm BlockBlind, user transfers Finfo =
mij , ti , vi to TPA. In algorithm DITGen, TPA generates
VOLUME 8, 2020
DIT including Bid i , Hashi , Ti , Vi , Next i . To save space, TPA
deletes mi from the local server. Therefore, the total storage
cost of TPA in setup phase is nl3 , where l3 = |Bid i | +
|ti | + |vi | + |Hashi | + |Next i | and indicates the bit size of
each element of DIT. In algorithm TagGen, TPA sends W =
(Fid, M , σi ) to CSP and CSP stores W . Therefore, the main
storage cost of CSP in setup phase is 2n |p| which is mainly
generated by block data M and block tag σi . In scheme [14],
Index Hash Table (IHT) is used to indicate the changes of
blocks and generate hash block value during integrity veri-
fication process. In IHT, Bi , Vi and Ri respectively represent
block number, version number and random value. Therefore,
the total storage cost of TPA is nl1 , where l1 = |Bi | +
|V i | + |Ri | indicating the bit size of each element of IHT.
In scheme [17], Each block element is one node of the file
list, including the block version vi , time stamp ti and a pointer
indicating the next node next i . Accordingly, the total storage
cost of TPA is nl2 , where l2 = |vi |+ |t i | +|next i | representing
bit size of each element of Dynamic hash table (DHT). The
storage costs of the scheme is evaluated and compared with
scheme [12]–[14], [17] as described in Table. 7. Although the
size of l3 is a bit larger than l1 and l2 , DIT is more secure than
IHT and DHT because of the employment of hash value of
each block.
TABLE 7. Comparison of storage costs.
C. COMPUTATION COSTS
In this section, we will evaluate the computation time of
the scheme with experiments and compare it with the Zhu’s
scheme [14]. The scheme simulates on a Linux system with
an Intel Core i5 1.60GHz processor and 1G RAM. The
Pairing based Cryptography (PBC) library of version 0.5.14
is used to implement our simulation. Furtherly, in the exper-
iment, an MNT d159 curve with 160-bit group order is
utilized. All the experiment results represent the average
of 20 trials.
1) Computation time of the user in setup phase
In our experiment of setup phase, the computation time
by different numbers of blocks is tested with the max
block size of 1KB. From fig. 5, it can be concluded
that the user’s computation time is proportional to the
number of blocks, and the computation cost of our
protocol is lower than Zhu’s.
151471

FIGURE 5. Computation time with block number in setup phase.
FIGURE 6. Verification time with different block size.
FIGURE 7. Insertion time with file size.
2) Computation Cost in Verification Phase
In verification phase, the relationship between compu-
tation costs and the block size is tested with the same
file size of 1MB. In the simulation, the challenged
block number accounts for 20% of the total block
number. From fig. 6, it can be concluded that with
the block size increasing, the verification cost of our
scheme is decreasing. However, the verification time
in Zhu’s scheme is increasing, because the verification
equation in Zhu’s scheme has relation with the sectors
of each block.
3) Computation cost in update phase
In the experiment of update phase, it supposes that
the max block size is 1KB. The update time with
file size from 1MB to 50MB is tested respectively.
From Fig. 7 and Fig. 8, it can be conclude that either
in insertion operation or in deletion operation, our
scheme is more efficient. In Zhu’s scheme, as IHT is
151472
H. Yu et al.: Authorized Public Auditing Scheme for Dynamic Big Data Storage
FIGURE 8. Deletion time with file size.
a sequence data structure, it would cause an average
of half adjustment of elements, resulting in the update
operation efficiency’s decrease. While in our scheme,
only the static pointer needs to be changed without any
moving of elements.
VIII. CONCLUSION
The paper proposes an efficient dynamic auditing scheme for
outsourced data in cloud servers. In the scheme, a dynamic
index table (DIT) where no elements need to be moved in
insertion or deletion update operations is designed to improve
data update efficiency. Furtherly, when file in cloud is not
integrated, TPA can detect and recover the corrupt block.
Moreover, an authorization is used between users and cloud
servers to prevent denial of service attack. The scheme can
achieve authorized and efficient secure integrity verification
for big data in clouds and the simulation results demonstrate
that the scheme costs less communication and computation
than the previous schemes.
For further work, we should point out that the efficiency
and security of the integrity verification scheme can be fur-
therly developed, because they are most important issues in
cloud storage of big data. For efficiency, we should minimize
the communication costs between users and cloud servers
to improve integrity verification speed. Moreover, storage
cost in cloud server should also be considered. For security,
the privacy of user data should be emphasized, because pri-
vacy is another key point in data security of cloud computing.
Efficiency and security are two important directions of our
future work.
REFERENCES
[1] M. Armbrust, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee,
D. Patterson, A. Rabkin, and I. Stoica, ‘‘Above the clouds: A berkeley view
of cloud computing,’’ Univ. California at Berkeley, Berkeley, CA, USA,
Tech. Rep. UCBEECS, Feb. 2009, pp. 1–23, vol. 28.
[2] X. Lu and X. Cheng, ‘‘A secure and lightweight data sharing scheme for
Internet of medical things,’’ IEEE Access, vol. 8, pp. 5022–5030, 2020,
doi: 10.1109/ACCESS.2019.2962729.
[3] Y. Zhang, M. Qiu, C.-W. Tsai, M. M. Hassan, and A. Alamri, ‘‘Health-
CPS: Healthcare cyber-physical system assisted by cloud and big data,’’
IEEE Syst. J., vol. 11, no. 1, pp. 88–95, Mar. 2017.
VOLUME 8, 2020
H. Yu et al.: Authorized Public Auditing Scheme for Dynamic Big Data Storage
[4] Z. Guan, Z. Lv, X. Du, L. Wu, and M. Guizani, ‘‘Achieving data
utility-privacy tradeoff in Internet of medical things: A machine learning
approach,’’ Future Gener. Comput. Syst., vol. 98, pp. 60–68, Sep. 2019.
[5] V. Chang, ‘‘Towards data analysis for weather cloud computing,’’ Knowl.-
Based Syst., vol. 127, pp. 29–45, Jul. 2017.
[6] A. B. Lewko and B. Waters, ‘‘Decentralizing attribute-based encryption,’’
in Proc. 30th Annu. Int. Conf. Theory Appl. Cryptogr. Techn., Tallinn,
Estonia, May 2011, pp. 568–588.
[7] Y. Deswarte, J. J. Quisquater, and A. Saïdane, ‘‘Remote integrity check-
ing,’’ in Proc. 6th Working Conf. Integrity Internal Control Inf. Syst.
(IICIS), Nov. 2004, pp. 1–11.
[8] A. Juels and B. S. Kaliski, ‘‘Pors: Proofs of retrievability for large files,’’ in
Proc. 14th ACM Conf. Comput. Commun. Secur. - CCS, 2007, pp. 584–597.
[9] G. Yamamoto, S. Oda, and K. Aoki, ‘‘Fast integrity for large data,’’ Proc.
ECRYPT Workshop Softw. Perform. Enhancement Encryption Decryption,
pp. 21–32, 2007.
[10] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson,
and D. Song, ‘‘Provable data possession at untrusted stores,’’ in Proc. 14th
ACM Conf. Comput. Commun. Secur. CCS, 2007, pp. 598–610.
[11] G. Ateniese, R. Di Pietro, L. V. Mancini, and G. Tsudik, ‘‘Scalable and
efficient provable data possession,’’ in Proc. 4th Int. Conf. Secur. Privacy
Commun. Netowrks SecureComm, 2008, pp. 1–10.
[12] C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, ‘‘Dynamic prov-
able data possession,’’ in Proc. 16th ACM Conf. Comput. Commun. Secur.
CCS, 2009, pp. 213–222.
[13] Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, ‘‘Enabling public auditability
and data dynamics for storage security in cloud computing,’’ IEEE Trans.
Parallel Distrib. Syst., vol. 22, no. 5, pp. 847–859, May 2011.
[14] Y. Zhu, G.-J. Ahn, H. Hu, S. S. Yau, H. G. An, and C.-J. Hu, ‘‘Dynamic
audit services for outsourced storages in clouds,’’ IEEE Trans. Services
Comput., vol. 6, no. 2, pp. 227–238, Apr. 2013.
[15] K. Yang and X. Jia, ‘‘An efficient and secure dynamic auditing protocol
for data storage in cloud computing,’’ IEEE Trans. Parallel Distrib. Syst.,
vol. 24, no. 9, pp. 1717–1726, Sep. 2013.
[16] C. Liu, J. Chen, L. T. Yang, X. Zhang, C. Yang, R. Ranjan, and K. Rao,
‘‘Authorized public auditing of dynamic big data storage on cloud with
efficient verifiable fine-grained updates,’’ IEEE Trans. Parallel Distrib.
Syst., vol. 25, no. 9, pp. 2234–2244, Sep. 2014.
[17] H. Tian, Y. Chen, C.-C. Chang, H. Jiang, Y. Huang, Y. Chen, and J. Liu,
‘‘Dynamic-Hash-Table based public auditing for secure cloud storage,’’
IEEE Trans. Services Comput., vol. 10, no. 5, pp. 701–714, Sep. 2017, doi:
10.1109/TSC.2015.2512589.
[18] Q. Gan, X. Wang, and X. Fang, ‘‘Efficient and secure auditing scheme for
outsourced big data with dynamicity in cloud,’’ Sci. China Inf. Sci., vol. 61,
no. 12, pp. 93–107, Dec. 2018.
[19] Y. Zhang, J. Yu, and R. Hao, ‘‘Enabling efficient user revocation in identity-
based cloud storage auditing for shared big data,’’ IEEE Trans. Depend.
Sec. Comput., vol. 17, no. 3, pp. 608–619, May/Jun. 2020.
[20] X. Lu, Z. Pan, and H. Xian, ‘‘An integrity verification scheme of cloud
storage for Internet-of-things mobile terminal devices,’’ Comput. Secur.,
vol. 92, May 2020, Art. no. 101686, doi: 10.1016/j.cose.2019.101686.
[21] Q. Zhang, L. T. Yang, and Z. Chen, ‘‘Privacy preserving deep computation
model on cloud for big data feature learning,’’ IEEE Trans. Comput.,
vol. 65, no. 5, pp. 1351–1362, May 2016.
[22] Y. Ming and T. Zhang, ‘‘Efficient privacy-preserving access control scheme
in electronic health records system,’’ Sensors, vol. 18, no. 10, p. 3520,
Oct. 2018.
[23] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, ‘‘Privacy-
preserving public auditing for secure cloud storage,’’ IEEE Trans. Comput.,
vol. 62, no. 2, pp. 362–375, Feb. 2013.
[24] B. Wang, B. Li, and H. Li, ‘‘Oruta: Privacy-preserving public auditing
for shared data in the cloud,’’ IEEE Trans. Cloud Comput., vol. 2, no. 1,
pp. 43–56, Jan. 2014.
[25] J. Yu and R. Hao, ‘‘Comments on ‘SEPDP: Secure and efficient pri-
vacy preserving provable data possession in cloud storage,’’’ IEEE Trans.
Serv. Comput., early access, Mar. 29, 2019, doi: 10.1109/TSC.2018.
2820713.
[26] Q. Zhou, C. Tian, H. Zhang, J. Yu, and F. Li, ‘‘How to securely
outsource the extended Euclidean algorithm for large-scale polynomi-
als over finite fields,’’ Inf. Sci., vol. 512, pp. 641–660, Feb. 2020, doi:
10.1016/j.ins.2019.10.007.
[27] D. Halperin, T. Kohno, T. S. Heydt-Benjamin, K. Fu, and W. H. Maisel,
‘‘Security and privacy for implantable medical devices,’’ IEEE Pervasive
Comput., vol. 7, no. 1, pp. 30–39, Jan./Mar. 2008.
VOLUME 8, 2020
[28] Y. Li, H. Xia, R. Zhang, B. Hu, and X. Cheng, ‘‘A novel community
detection algorithm based on paring, splitting and aggregating in Internet
of Things,’’ IEEE Access, vol. 8, pp. 123938–123951, 2020.
[29] G. Yang, L. Xie, M. Mantysalo, X. Zhou, Z. Pang, L. D. Xu, S. Kao-Walter,
Q. Chen, and L.-R. Zheng, ‘‘A health-IoT platform based on the inte-
gration of intelligent packaging, unobtrusive bio-sensor, and intelligent
medicine box,’’ IEEE Trans. Ind. Informat., vol. 10, no. 4, pp. 2180–2191,
Nov. 2014.
[30] J. Zhang, F. Ren, S. Gao, H. Yang, and C. Lin, ‘‘Dynamic routing for data
integrity and delay differentiated services in wireless sensor networks,’’
IEEE Trans. Mobile Comput., vol. 14, no. 2, pp. 328–343, Feb. 2015.
[31] J. Lai, R. H. Deng, C. Guan, and J. Weng, ‘‘Attribute-based encryption with
verifiable outsourced decryption,’’ IEEE Trans. Inf. Forensics Security,
vol. 8, no. 8, pp. 1343–1354, Aug. 2013.
[32] H. Shacham and B. Waters, ‘‘Compact Proofs of Retrievability,’’ Proc.
14th Int. Conf. Theory Appl. Cryptol. Inf. Secur., Adv. Cryptol., 2008,
pp. 90–107.
[33] D. Cash, A. Kupcu, and D. Wichs, ‘‘Dynamic proofs of retrievability via
oblivious RAM,’’ in Proc. EUROCRYPT, 2013, pp. 279–295.
[34] K. S. Kim and I. R. Jeong, ‘‘Efficient verifiable data streaming,’’ Secur.
Commun. Netw., vol. 8, no. 18, pp. 4013–4018, Dec. 2015.
[35] H. Cai, B. Xu, L. Jiang, and A. V. Vasilakos, ‘‘Iot-based big data storage
systems in cloud computing: Perspectives and challenges,’’ IEEE Internet
Things J., vol. 4, no. 1, pp. 75–87, Jan. 2017.
[36] C. Hu, W. Li, X. Cheng, J. Yu, S. Wang, and R. Bie, ‘‘A secure and
verifiable access control scheme for big data storage in clouds,’’ IEEE
Trans. Big Data, vol. 4, no. 3, pp. 341–355, Sep. 2018.
[37] J. Zhao, C. Xu, F. Li, and W. Zhang, ‘‘Identity-based public verification
with privacy-preserving for data storage security in cloud computing,’’
IEICE Trans. Fundam. Electron., Commun. Comput. Sci., vol. E96.A,
no. 12, pp. 2709–2716, 2013.
[38] Y. Zhang, D. Zheng, and R. H. Deng, ‘‘Security and privacy in smart
health: Efficient policy-hiding attribute-based access control,’’ IEEE Inter-
net Things J., vol. 5, no. 3, pp. 2130–2145, Jun. 2018.
[39] X. Liu, J. Ma, J. Xiong, T. Zhang, and Q. Li, ‘‘Personal health records
integrity verification using attribute based proxy signature in cloud com-
puting,’’ in Internet and Distributed Computing Systems (Lecture Notes in
Computer Science), vol. 8223, 2013, pp. 238–251.
[40] H. Jin, K. Zhou, H. Jiang, D. Lei, R. Wei, and C. Li, ‘‘Full integrity
and freshness for cloud data,’’ Future Gener. Comput. Syst., vol. 80,
pp. 640–652, Mar. 2018.
HAN YU received the master’s degree in
cyberspace security from the National Univer-
sity of Defense Technology, China, in 2019. His
research interests include information security and
deep learning.
XIUQING LU received the M.S. degree from the
College of Computer Science, Shandong Univer-
sity, China. She is currently an Assistant Professor
with the Computer Science Technology College,
Qingdao University, China. Her current research
interests include security of cloud computing and
privacy of big data.
ZHENKUAN PAN received the M.S. and Ph.D.
degrees from Shanghai Jiao Tong University. He is
currently a Professor with the Computer Science
Technology College, Qingdao University, China.
His main research interests include virtual reality
technology and computer vision.
151473