
Identity-Based Privacy

This article presents a novel Identity-Based Remote Data Integrity Checking (RDIC) scheme designed to enhance data integrity verification in cloud storage while preserving user privacy. The proposed scheme utilizes homomorphic verifiable tags to simplify system complexity and protect data during integrity checks, ensuring that third-party auditors cannot access sensitive information. Experimental results demonstrate the scheme's efficiency and security under the computational Diffie-Hellman assumption.

This article has been accepted for inclusion in a future issue of this journal.

Content is final as presented, with the exception of pagination.

IEEE SYSTEMS JOURNAL 1

Identity-Based Privacy Preserving Remote Data Integrity Checking for Cloud Storage

Jiguo Li, Hao Yan, and Yichen Zhang

Abstract—Although cloud storage service enables people to easily maintain and manage amounts of data with lower cost, it cannot ensure the integrity of people's data. In order to audit the correctness of the data without downloading them, many remote data integrity checking (RDIC) schemes have been presented. Most existing schemes ignore the important issue of data privacy preserving and suffer from complicated certificate management derived from public key infrastructure. To overcome these shortcomings, this article proposes a new Identity-based RDIC scheme that makes use of homomorphic verifiable tag to decrease the system complexity. The original data in proof are masked by random integer addition, which protects the verifier from obtaining any knowledge about the data during the integrity checking process. Our scheme is proved secure under the assumption of computational Diffie–Hellman problem. Experiment result exhibits that our scheme is very efficient and feasible for real-life applications.

Index Terms—Cloud storage, identity-based cryptography, remote data checking, privacy preserving.

Manuscript received September 25, 2019; revised March 1, 2020; accepted March 1, 2020. This work was supported in part by the National Natural Science Foundation of China under Grant 61972095, Grant U1736112, Grant 61772009, Grant 61902140, Grant 61822202, and Grant 61872089, and in part by the Anhui Provincial Natural Science Foundation under Grant 1908085QF288. (Corresponding author: Jiguo Li.)
Jiguo Li is with the Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Mathematics and Informatics, Fujian Normal University, Fuzhou 350117, China, and also with the State Key Laboratory of Cryptology, Beijing 100878, China (e-mail: [email protected]).
Hao Yan is with the College of Cyber Security, Jinling Institute of Technology, Nanjing 211169, China (e-mail: [email protected]).
Yichen Zhang is with the College of Mathematics and Informatics, Fujian Normal University, Fuzhou 350117, China (e-mail: [email protected]).
Digital Object Identifier 10.1109/JSYST.2020.2978146

1937-9234 © 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: University of Exeter. Downloaded on May 03,2020 at 18:33:41 UTC from IEEE Xplore. Restrictions apply.

I. INTRODUCTION

As a novel computation model, cloud computing [1] attracts lots of interest from academic field and industrial field [2]–[4]. By the virtualization technology, cloud computing is able to converge and integrate huge computation resource and powerful computation ability to supply services needed by client. To date, more and more clients and companies rent the cloud storage service to maintain their massive data. On the one hand, compared with deploying and maintaining expensive IT infrastructure, renting the cloud service requires less investment. Client's cost of storing and managing data is decreased greatly. On the other hand, it is efficient and flexible for client to access the data by the Internet without any geographical restriction. However, critical security problems still exist when data are outsourced to cloud storage [5]–[16]. The most important one is whether the cloud server keeps data intact [17]. As is well known, cloud server is not trusted fully. Hardware and software exceptions of cloud server may cause data corruption or loss. The cloud server even deletes client's data to save the storage space. Of course, cloud server will conceal these mistakes to maintain the reputation. Consequently, the client needs an efficient way to verify the integrity of the data.

In order to address this problem, several remote data integrity checking (RDIC) schemes [18]–[50] have been presented. The RDIC scheme enables client to efficiently audit the integrity for outsourced data on cloud server without downloading them. In the RDIC scheme, the auditor sends a challenge to cloud server to query data integrity. Upon receiving the challenge, cloud server generates a proof with the challenged data to prove the data integrity. According to the correctness of the proof, the auditor decides whether the data are kept well or not. Usually, the cloud server or data owner is not appropriate to execute such auditing work, because they may be biased toward the auditing result. Therefore, the third party auditor (TPA) is often chosen to conduct the data integrity auditing in cloud computing.

At present, most of the existing schemes [18]–[23], [25], [27], [29], [30], [32], [36]–[41], [45]–[47], and [50] are based on the public key infrastructure (PKI) technique. PKI is one of the most well-established technologies and also widely applied in many fields, but the PKI-based scheme must deal with complex certificate management, including certificate generation, storage, delivery, renewing, and revocation. Furthermore, the security of PKI cannot be guaranteed completely, especially when the certificate authority (CA) is intruded or controlled by the malicious hacker. Compared with PKI, identity-based cryptography (IBC) [51] does not suffer such problems. In IBC, user's identity such as name, identity-card number is regarded as public key. The identity is unique, so the user does not require certificate to authenticate its validity. As a result, IBC eliminates the heavy cost of certificate management. Thus, IBC is a good choice to construct secure and efficient RDIC schemes.

In most existing RDIC schemes, the TPA is often assumed to be fully honest, which actually does not always hold. In fact, the TPA is curious about client's data and tries to obtain the data from the integrity proof. It is very dangerous especially when the data are sensitive, such as bid document or business contract. Thus, the privacy of data should be preserved against the TPA. That is, the TPA cannot get any information for user's data within the process of integrity checking. Of course, data encryption is a simple way to achieve data privacy-preserving against the TPA, but this passive method reduces the flexibility of the system [49], and is not always valid. For example, important data like health
record, personal assets, etc., should be protected from others but must be open to hospital and government. In such application scenarios, the data must be held as plaintext while other clients are not allowed to access them. Therefore, encrypting the data is not a flexible method to preserve the data privacy. It is noted that in such scenario the cloud server is assumed to be semitrusted, which means the server does not actively access and leak the data to others. Otherwise, the cloud server should not be chosen for such applications. We do not consider this case here.

To date, many identity-based RDIC schemes [31], [33]–[35], [42], and [48]–[49] have been proposed. However, there are only two schemes [48], [49] that consider the issue of data privacy preserving. Unfortunately, He et al. [52] showed that the scheme [48] cannot resist the attack of the malicious cloud server. The scheme [49] requires very heavy computation cost in the proof verification phase. To overcome the shortcomings, we propose a new identity-based RDIC scheme.

A. Motivation and Contribution
At present, data are one of the most important wealth for enterprise. With the development of cloud computing, more and more enterprises outsource their amount of data to cloud storage. In order to improve the efficiency of data integrity checking, the data owner usually delegates the data verification work to the TPA. The TPA can perform the work honestly but may be curious about client's data. To avoid the risk of information leakage, the data privacy must be protected. Therefore, it is necessary to research the identity-based RDIC scheme with data privacy preserving.

Motivated by the aforementioned requirement, we present an efficient identity-based RDIC scheme to check integrity of data on the cloud storage server.

The main contributions of this article are summarized as follows.
1) We present a new identity-based RDIC scheme, which is able to efficiently audit data integrity and eliminate the problem of certificate management.
2) By randomizing the challenged data block, our scheme preserves the data privacy against the TPA, namely, the TPA learns nothing about the data within the process of data integrity checking.
3) We prove the security of our scheme under the given security model. Experiment result exhibits that our scheme has better performance and feasibility.

B. Related Work
In 2003, Deswarte et al. [18] first presented a protocol to check the data integrity on the remote server. To improve the efficiency, Ateniese et al. [19] presented a provable data possession (PDP) model to realize the integrity checking. The PDP model uses the idea like "spot checking" to verify the entire data integrity, which improves the efficiency greatly. At the same time, Juels and Kaliski [20] presented a proofs-of-retrievability (POR) model that can not only check data integrity but also recover the corrupted data. To improve the security, Shacham and Waters [21] proposed a stronger security model and gave a compact POR scheme, which is provably secure under the model. To support data dynamic, Ateniese et al. [22] proposed a scalable PDP scheme, which supports block appending, updating and deleting. Following the work [22], several schemes [23]–[30] were proposed to strengthen the data security or to support data dynamics.

To eliminate the certificate management, Wang et al. [31] proposed an identity-based RDIC protocol. Zhu et al. [32] presented a PDP scheme in the multiple-cloud setting, in which the data blocks were stored on different cloud servers. To improve the security, Wang [33] proposed a new PDP scheme for multiple-cloud setting. Li et al. [34] extended the application of multicopy on multicloud server and gave a concrete PDP scheme. In order to reduce the tag generation burden of data owner, Wang et al. [35] proposed an identity-based PDP scheme to delegate the work of tag generation to a proxy. Yan et al. [36] considered placing restrictions on data verifier and proposed a PDP scheme with designated verifier. Yu et al. [37] presented a public RDIC protocol resisting the key exposure attack. Based on the group signature technique, Wang et al. [38] provided a privacy-preserving auditing scheme that not only checks the integrity for shared data with large group but also preserves the tag generator's privacy. To decrease the computation cost, Wang et al. [39] further presented a new scheme using a ring signature technique. Unfortunately, these two schemes [38], [39] were proved insecure, which cannot resist the attack launched by active adversary [40]. Wang et al. [41] presented a PDP scheme that utilized the proxy resignature technique to revoke user. Yu et al. [42] presented an identity-based PDP scheme for mobile cloud storage, which also supported dynamic group and user privacy preserving. To get rid of key escrow and certification, Li et al. [43] proposed a certificateless public integrity checking scheme for group shared data in public computing storage. Feng et al. [44] provided a public remote integrity checking scheme with the protection of user identity. However, the scheme only supports checking the data integrity on file level, which limits real application.

To protect the data privacy, Hao et al. [45] proposed an RDIC protocol with the properties of public verification and dynamic data operation. Unfortunately, Zhou and Li [46] showed that Hao's protocol [45] can be broken by the active attack. Wang et al. [47] provided a public PDP scheme with zero knowledge of the data. However, the scheme [47] did not give a formal security model to prove the security. Zhang and Dong [48] proposed an ID-based public auditing scheme with data privacy preserving, but it needs large storage cost and cannot resist the attack of malicious cloud server [52]. Yu et al. [49] proposed a new identity-based public RDIC protocol with data privacy preserving. However, the integrity verification of this scheme required heavy computation cost. Zhang et al. [50] presented an RDIC scheme, which utilized the indistinguishability obfuscation to achieve data privacy preserving and improve the efficiency. However, this scheme is not flexible and difficult to apply in real applications.

C. Organization
The remainder of this article is organized as follows. Preliminary knowledge is introduced in Section II. Section III gives the concrete construction of our scheme. Section IV shows the security proof. In Section V, we demonstrate performance analysis and experimental results of our scheme. Section VI concludes this article.

II. PRELIMINARIES

A. Bilinear Maps
Let $G_1$ and $G_2$ be multiplicative cyclic groups with large prime order $q$. $g$ is a generator of $G_1$. $e : G_1 \times G_1 \to G_2$ is a bilinear map with the following properties:
1) Computability: $\forall u, v \in G_1$, there exists efficient algorithm to calculate $e(u, v)$.
2) Bilinearity: $\forall a, b \in \mathbb{Z}_q^*$ and $\forall u, v \in G_1$, it has $e(u^a, v^b) = e(u, v)^{ab}$.
3) Non-degeneracy: $\exists u, v \in G_1$, it has $e(u, v) \neq 1_{G_2}$.

B. Complexity Assumption
Definition 1 (Computational Diffie–Hellman (CDH) problem): Suppose $G_1$ is a multiplicative cyclic group. $g$ is a generator of $G_1$. Given the tuple $(g, g^a, g^b)$ with the unknown elements $a, b \in \mathbb{Z}_q^*$, the CDH problem is to calculate $g^{ab}$.

Definition 2 (CDH assumption): The advantage for any probabilistic polynomial time (PPT) algorithm $\mathcal{A}$ to solve the CDH problem in $G_1$ is negligible. It is defined as: $\mathrm{Adv}^{\mathrm{CDH}}_{G_1 \mathcal{A}} = \Pr[\mathcal{A}(g, g^a, g^b) = g^{ab} : a, b \xleftarrow{R} \mathbb{Z}_q^*] \le \varepsilon$. Here, $\varepsilon$ denotes a negligible value.

C. System Model
The system of the identity-based RDIC scheme is composed of four entities: Key generation center (KGC), data owner, TPA, and cloud storage server.
1) KGC is responsible for generating private key for client. With client's identity, the KGC calculates the private key and transmits it to the client by the secure channel.
2) Data owner rents the cloud storage service and outsources massive data to cloud storage server. Data owner may be the individual consumer or the organization consumer.
3) TPA audits the integrity of outsourced data for data owner. The TPA is trusted by data owner and cloud storage server, and it has capability and knowledge to execute the verification work. After the checking process, the TPA outputs the verification results honestly.
4) Cloud storage server has significant storage capacity and powerful computation ability. It supplies cloud storage services to data owner and returns data integrity proofs to the TPA when receiving data integrity challenges.

Fig. 1. System model.

Fig. 1 shows the system model of our scheme. We assume that cloud server is semitrusted, namely, it will return one response for each challenge, but may forge proofs to deceive the TPA about data corruption so as to keep its reputation or get extra benefit. Moreover, the cloud server does not actively access and leak data information to others. The TPA is honest-but-curious. It is able to honestly perform the data integrity work and return the real result to data owner. However, the TPA is curious about the client's data and tries to get information of the data when executing data integrity verification.

D. Outline of Our RDIC Scheme
The identity-based RDIC scheme includes six algorithms.
1) Setup($1^k$) → ($params$, $msk$): The algorithm is executed by the KGC. It takes security parameter $k$ as input, outputs the master secret key $msk$ and the system parameter $params$.
2) Extract($ID$, $msk$) → $sk_{ID}$: This algorithm is executed by the KGC to generate user's secret key. It inputs the master secret key $msk$ and the user's identity $ID \in \{0, 1\}^*$, outputs the secret key $sk_{ID}$.
3) TagGen($sk_{ID}$, $F$) → $T$: The algorithm is executed by data owner. It inputs data owner's secret key $sk_{ID}$ and the data $F$, outputs tag collection $T$.
4) Challenge($Fid$) → $chal$: The TPA executes this algorithm, which inputs the challenged data file name $Fid$, outputs the challenge $chal$.
5) ProofGen($F$, $T$, $chal$) → $P$: The cloud server executes this algorithm, which inputs the challenged data $F$, the corresponding tag collection $T$, and TPA's challenge $chal$, outputs the integrity proof $P$.
6) ProofVerify($ID$, $chal$, $P$, $Fid$) → {1, 0}: The TPA executes this algorithm, which inputs identity $ID$ of data owner, TPA's challenge $chal$, the integrity proof $P$, and the challenged data name $Fid$, outputs 1 if $P$ passed the verification, else outputs 0.

E. Security Model
We consider the security requirement of the identity-based RDIC scheme from three aspects. First, if the cloud server and TPA honestly execute the protocol, the integrity of the challenged file is verified correctly. Second, the scheme can resist the semitrusted cloud server to deceive the TPA about the integrity of challenged data. That is, if the cloud server does not possess the true data blocks, it cannot generate the correct data integrity proof. Third, the privacy of challenged data is preserved against the TPA. It means that the TPA knows nothing about the challenged blocks during the interaction with cloud server.

The first security requirement is defined as follows.

Definition 3: An identity-based RDIC scheme is valid for data integrity checking, if for any $ID$, $F$ and $chal$, the equation ProofVerify($ID$, $chal$, ProofGen($F$, $T$, $chal$, $ID$), $Fid$) = 1 holds.

The second security requirement aims to resist three attacks [30] launched by cloud server, namely forge attack, replay attack, and replace attack.
1) Forge attack: Cloud server forges a valid tag for the challenged block to cheat the TPA.
2) Replay attack: Cloud server replays a previous proof to the TPA.
3) Replace attack: Cloud server uses the other valid proof as the proof for new challenge.

A secure RDIC protocol should be able to resist all the aforementioned attacks. Therefore, we can use a security game that covers all the three attacks to capture the second security requirement. The security game involves the adversary $\mathcal{A}$ and the challenger $\mathcal{C}$. $\mathcal{A}$ plays the role of semitrusted server, who tries to deceive the TPA through forging data integrity proof. The game is depicted as follows.

Setup: $\mathcal{C}$ runs Setup algorithm to generate the master secret key $msk$ and the public parameter $params$. $\mathcal{C}$ sends $params$ to $\mathcal{A}$ and keeps the $msk$ confidential.

Queries: $\mathcal{A}$ executes polynomial times of queries to $\mathcal{C}$. $\mathcal{C}$ responds to the queries of $\mathcal{A}$ as follows.
1) Hash query. $\mathcal{A}$ adaptively executes hash query to $\mathcal{C}$. $\mathcal{C}$ calculates and returns the hash value to $\mathcal{A}$.
2) Extract query. $\mathcal{A}$ queries the private key for any identity $ID_i$. $\mathcal{C}$ runs Extract algorithm to compute the private key $sk_i$ for $ID_i$ and returns $sk_i$ to $\mathcal{A}$.
3) Tag query. $\mathcal{A}$ queries the tag of any data block with any user identity. $\mathcal{C}$ runs TagGen algorithm to compute the tag for the block and returns the tag to $\mathcal{A}$.

ProofCheck: $\mathcal{A}$ executes the ProofGen algorithm to generate integrity proofs for blocks of the data $Fid$ with an identity $ID_i$. All these blocks have been made "Tag Query" by $\mathcal{A}$. $\mathcal{A}$ returns the proofs to $\mathcal{C}$. $\mathcal{C}$ runs ProofVerify algorithm to check these proofs and returns the checking results to $\mathcal{A}$.

Output: Finally, $\mathcal{A}$ gives a proof $P$ on a set blocks of data $Fid$ with an identity $ID'$. It is restricted that the identity at least one block in $P$ has not been executed "Tag-Query" with identity $ID'$. If $P$ passes the integrity verification, $\mathcal{A}$ wins the game.

Definition 4: An identity-based RDIC scheme is secure, if any PPT adversary $\mathcal{A}$ wins the aforementioned security game only at negligible probability.

The third security requirement is defined as follows.

Definition 5: An identity-based RDIC scheme is data privacy preserving against the TPA, if the TPA does not get any information about the original data within the process for data auditing.

III. OUR CONSTRUCTION

We give the construction of our new identity-based RDIC protocol, which supports public verification and data privacy protection.

Without loss of generality, suppose the data $F$ is stored on cloud server. According to the file size, data owner splits $F$ into $n$ blocks, namely, $F = \{m_1, m_2, \cdots, m_n\}$, in which $m_i$ represents the $i$th block of $F$. The detailed algorithms of our protocol are described as follows.

Setup($1^k$) → ($params$, $msk$): With the security parameter $k$, the KGC randomly selects a big prime $q$ and two cyclic multiplicative groups $G_1$ and $G_2$ with order $q$. $g$ is a generator of $G_1$. $e$ is bilinear map of $G_1 \times G_1 \to G_2$. $H_1 : \{0, 1\}^* \to G_1$ and $H_2 : \{0, 1\}^* \to G_1$ are different hash functions. $\phi : \mathbb{Z}_q^* \times \{1, 2, \cdots, n\} \to \mathbb{Z}_q^*$ is pseudorandom function and $\pi : \mathbb{Z}_q^* \times \{1, 2, \cdots, n\} \to \{1, 2, \ldots, n\}$ is pseudorandom permutation. The KGC selects a random value $s \in \mathbb{Z}_q^*$ as the master secret key and calculates the master public key $P_0 = g^s$. $params = (q, g, G_1, G_2, e, P_0, H_1, H_2, \phi, \pi)$ is the public parameters.

Extract($ID$, $msk$) → $sk_{ID}$: When receiving the identity $ID$, the KGC calculates $sk_{ID} = H_1(ID)^s$ as the secret key of the user with identity $ID$.

TagGen($sk_{ID}$, $F$) → $T$: On input data $F$ named $Fid$, the algorithm generates all the tags for the blocks of $F$. Data owner selects two random values $\chi \in G_1$ and $\lambda \in \mathbb{Z}_q^*$. The tag of block $m_i \in \mathbb{Z}_q$ is computed as follows.

$$T_i = sk_{ID} \cdot \left(H_2(Fid\|i) \cdot \chi^{m_i}\right)^{\lambda}. \tag{1}$$

Data owner repeats (1) for $n$ times to get all the tags of $F$. Finally, data owner computes $R = g^{\lambda}$ and selects a signature algorithm Sig such as BLS [54] to compute the file tag $T_{Fid} = \mathrm{Sig}(R\|\chi\|Fid)$. Then, data owner uploads $(F, R, \chi, \{T_i \mid i \in [1, n]\}, T_{Fid})$ to the cloud server. The cloud server checks the correctness of each tag by

$$e(T_i, g) = e(H_1(ID), P_0) \cdot e\left(H_2(Fid\|i) \cdot \chi^{m_i}, R\right). \tag{2}$$

The correctness of each tag can be proved as follows.

$$\begin{aligned}
e(T_i, g) &= e(H_1(ID), P_0) \cdot e\left(H_2(Fid\|i) \cdot \chi^{m_i}, R\right) \\
&= e(H_1(ID), g^s) \cdot e\left(H_2(Fid\|i) \cdot \chi^{m_i}, g^{\lambda}\right) \\
&= e\left(H_1(ID)^s \cdot (H_2(Fid\|i) \cdot \chi^{m_i})^{\lambda}, g\right) \\
&= e\left(sk_{ID} \cdot (H_2(Fid\|i) \cdot \chi^{m_i})^{\lambda}, g\right) \\
&= e(T_i, g).
\end{aligned}$$

Challenge($Fid$) → $chal$: To check the integrity of data $F$ named $Fid$, the TPA randomly picks two values $k_1, k_2 \in \mathbb{Z}_q^*$ and the challenged block count $c$ ($1 \le c \le n$), then sends $chal = (c, k_1, k_2)$ with file name $Fid$ to cloud server.

ProofGen($F$, $T$, $chal$) → $P$: On receiving $chal = (c, k_1, k_2)$, the cloud server calculates challenge set $C = \{(v_i, a_i) \mid i \in [1, c]\}$, where $v_i = \pi(k_1, i)$ is the index of the $i$th challenged block and $a_i = \phi(k_2, i)$ is random parameter. The cloud server selects a random value $r \in \mathbb{Z}_q^*$, and computes $W = \chi^{-r}$, $\sigma = \prod_{(v_i, a_i) \in C} T_{v_i}^{a_i}$, $M = \sum_{(v_i, a_i) \in C} a_i (r + m_{v_i})$. Finally, the cloud server sends the proof $P = (W, \sigma, M, R, \chi, T_{Fid})$ to the TPA.

ProofVerify($ID$, $chal$, $P$, $Fid$) → {1, 0}: Upon receiving $P$ from the cloud server, the TPA first checks if the $T_{Fid}$ is a valid signature of the message $R\|\chi\|Fid$. If not, the TPA refuses the

proof and outputs "0". Otherwise, the TPA calculates the set $C = \{(v_i, a_i) \mid i \in [1, c]\}$ and checks

$$e(\sigma, g) = e\Big(H_1(ID)^{\sum_{(v_i, a_i) \in C} a_i}, P_0\Big) \cdot e\Big(\prod_{(v_i, a_i) \in C} H_2(Fid\|v_i)^{a_i} \cdot \chi^{M} \cdot W^{\sum_{(v_i, a_i) \in C} a_i}, R\Big). \tag{3}$$

If this equation holds, it outputs "1", else outputs "0".

IV. SECURITY ANALYSIS

If both the cloud server and TPA honestly execute the protocol, the first security requirement in Section II-E, namely, the integrity of the challenged data is verified as follows.

For the left side of (3), it has

$$\begin{aligned}
e(\sigma, g) &= e\Big(\prod_{(v_i, a_i) \in C} T_{v_i}^{a_i}, g\Big) \\
&= e\Big(\prod_{(v_i, a_i) \in C} \big(H_1(ID)^s \cdot (H_2(Fid\|v_i) \cdot \chi^{m_{v_i}})^{\lambda}\big)^{a_i}, g\Big).
\end{aligned}$$

For the right side of (3), it has

$$\begin{aligned}
& e\Big(H_1(ID)^{\sum_{(v_i, a_i) \in C} a_i}, g^s\Big) \cdot e\Big(\prod_{(v_i, a_i) \in C} H_2(Fid\|v_i)^{a_i} \cdot \chi^{M} \cdot W^{\sum_{(v_i, a_i) \in C} a_i}, R\Big) \\
&= e\Big(\prod_{(v_i, a_i) \in C} H_1(ID)^{a_i}, g^s\Big) \cdot e\Big(\prod_{(v_i, a_i) \in C} H_2(Fid\|v_i)^{a_i} \cdot \chi^{\sum_{(v_i, a_i) \in C} a_i (r + m_{v_i})} \cdot \chi^{-r \sum_{(v_i, a_i) \in C} a_i}, g^{\lambda}\Big) \\
&= e\Big(\prod_{(v_i, a_i) \in C} H_1(ID)^{a_i}, g^s\Big) \cdot e\Big(\prod_{(v_i, a_i) \in C} H_2(Fid\|v_i)^{a_i} \cdot \chi^{\sum_{(v_i, a_i) \in C} a_i m_{v_i}}, g^{\lambda}\Big) \\
&= e\Big(\prod_{(v_i, a_i) \in C} H_1(ID)^{a_i}, g^s\Big) \cdot e\Big(\prod_{(v_i, a_i) \in C} (H_2(Fid\|v_i) \cdot \chi^{m_{v_i}})^{a_i \lambda}, g\Big) \\
&= e\Big(\prod_{(v_i, a_i) \in C} \big(H_1(ID)^s \cdot (H_2(Fid\|v_i) \cdot \chi^{m_{v_i}})^{\lambda}\big)^{a_i}, g\Big) \\
&= e(\sigma, g).
\end{aligned}$$

For the second security requirement, we give the proof as follows.

Theorem 1: If a PPT adversary $\mathcal{A}$ wins the security game defined previously with the advantage $\varepsilon$ within time $t$, after making $H_1$-Query, Extract-Query, $H_2$-Query, and Tag-Query for at most $q_{H_1}$, $q_k$, $q_{H_2}$, and $q_T$ times, then a simulator $\mathcal{B}$ breaks the CDH problem with the probability $\varepsilon' \ge \varepsilon / ((q_k + q_T) \cdot 2e)$ within the time $t' \le t + O(q_{H_1} + q_k + q_{H_2} + q_T)$.

Proof: Given a CDH instance $(g, G_1, g^a, g^b)$. We construct a simulator $\mathcal{B}$ to calculate the value of $g^{ab}$ relying on $\mathcal{A}$. $\mathcal{B}$ simulates each interaction step with $\mathcal{A}$ as follows.

Setup: $\mathcal{B}$ selects the public parameters, and then, sets $P_0 = g^a$ in which the master key is the unknown value $a$ implicitly. Furthermore, $\mathcal{B}$ randomly selects values $\chi \in G_1$, $\lambda \in \mathbb{Z}_q^*$ and computes $R = g^{\lambda}$. $\mathcal{B}$ sends public parameters, $\chi$ and $R$ to $\mathcal{A}$.

$H_1$-Query: $\mathcal{A}$ adaptively carries out the $H_1$-Query for any identity $ID^*$. $\mathcal{B}$ maintains a list $L_1 = \{(ID, h_1, Q_1, \tau)\}$ for the $H_1$-Query. If the tuple $(ID^*, *, *, *)$ exists in $L_1$, $\mathcal{B}$ retrieves the tuple $(ID^*, h_1^*, Q_1^*, \tau^*)$ and returns $Q_1^*$ to $\mathcal{A}$. Otherwise, $\mathcal{B}$ randomly selects $h_1^* \in \mathbb{Z}_q^*$ and tosses a coin $\tau \in \{0, 1\}$ that $\tau = 1$ with the probability $\gamma$ and $\tau = 0$ with the probability $1 - \gamma$. If $\tau = 0$, $\mathcal{B}$ computes $Q_1^* = g^{h_1^*}$. If $\tau = 1$, $\mathcal{B}$ sets $Q_1^* = (g^b)^{h_1^*}$. $\mathcal{B}$ responds with $Q_1^*$ to $\mathcal{A}$ and adds the new tuple $(ID^*, h_1, Q_1^*, \tau)$ to $L_1$.

Extract-Query: $\mathcal{A}$ adaptively executes the Extract-Query for any identity $ID^*$. $\mathcal{B}$ searches the tuple $(ID^*, h_1^*, Q_1^*, \tau^*)$ from $L_1$. If it does not exist, $\mathcal{B}$ makes the $H_1$-Query for $ID^*$ itself. After retrieving the corresponding $(ID^*, h_1^*, Q_1^*, \tau^*)$ from $L_1$, $\mathcal{B}$ checks the value of $\tau^*$. If $\tau^* = 0$, $\mathcal{B}$ computes and returns $(Q_1^*)^a = (g^{h_1^*})^a = (g^a)^{h_1^*}$ to $\mathcal{A}$. Otherwise, $\mathcal{B}$ aborts.

$H_2$-Query: At any time, $\mathcal{A}$ submits $(Fid, i)$ to $\mathcal{B}$ for the $H_2$-Query. To respond to the query, $\mathcal{B}$ keeps $L_2$ with tuple $(Fid, i, Q_2)$. If $(Fid, i, *) \in L_2$, $\mathcal{B}$ retrieves the tuple and returns $Q_2$ to $\mathcal{A}$. Otherwise, $\mathcal{B}$ selects a random value $Q_2 \in G_1$ and returns $Q_2$ to $\mathcal{A}$. Then, $\mathcal{B}$ adds the new tuple $(Fid, i, Q_2)$ to $L_2$.

Tag-Query: $\mathcal{A}$ can query the tag of any block with any identity $ID$. $\mathcal{A}$ sends the tuple $(Fid, i, m_i, ID)$ to $\mathcal{B}$ for querying the tag of the block $m_i$. On receiving the tag query, $\mathcal{B}$ first searches the tuple $(ID, h_1, Q_1, \tau)$ from $L_1$ and $(Fid, i, Q_2)$ from $L_2$. If the two tuples do not exist, $\mathcal{B}$ executes $H_1$-Query and $H_2$-Query to get them. If $\tau = 0$, $\mathcal{B}$ calculates the tag by $T_i = (g^a)^{h_1} \cdot (Q_2 \cdot \chi^{m_i})^r$. Otherwise, $\mathcal{B}$ aborts.

ProofCheck: At any time, $\mathcal{A}$ can generate proofs for any blocks that have been made Tag-Query. $\mathcal{A}$ sends the proofs to $\mathcal{B}$. $\mathcal{B}$ runs the ProofVerify algorithm to check the correctness of these proofs and returns the check results to $\mathcal{A}$.

Output: At last, $\mathcal{A}$ outputs a forged tag $T_i'$ of the block $m_i'$ with any identity $ID'$. It is required that the block $m_i'$ should not be executed Tag-Query with $ID'$.
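Added example (not the authors' code): the Section III algorithms and the check in (3), traced in a toy model so that the effect of the mask $r$ and of a damaged block can be observed. Assumptions: group elements are stored as exponents modulo a prime so the pairing becomes a product (this exposes discrete logs and gives no security), HMAC-SHA256 stands in for $H_1$, $H_2$, $\phi$ and $\pi$, the BLS file tag $T_{Fid}$ is left out, and all function names, the identity and the sample data are constructed.

```python
import hashlib
import hmac
import secrets

# TOY MODEL (assumption of this example, not the paper's implementation):
# a G1 element g^x is stored as its exponent x mod Q. Multiplying elements
# adds exponents, exponentiation multiplies them, and the pairing value
# e(g^x, g^y) = e(g, g)^(x*y) is stored as x*y mod Q. Discrete logs are
# visible, so this checks the algebra only and provides no security.
Q = (1 << 127) - 1  # prime group order chosen for the demo

def _mac(key: int, i: int) -> int:
    k = key.to_bytes(16, "big")
    return int.from_bytes(hmac.new(k, i.to_bytes(8, "big"), hashlib.sha256).digest(), "big")

def _hash_to_g1(label: bytes, data: str) -> int:
    return int.from_bytes(hashlib.sha256(label + data.encode()).digest(), "big") % Q

def H1(identity: str) -> int:
    return _hash_to_g1(b"H1|", identity)

def H2(fid: str, i: int) -> int:
    return _hash_to_g1(b"H2|", f"{fid}||{i}")

def phi(k2: int, i: int) -> int:
    """PRF into Z_q^* (HMAC-SHA256 stand-in)."""
    return _mac(k2, i) % (Q - 1) + 1

def pi(k1: int, n: int) -> list:
    """PRP on {1..n}, modelled as a keyed sort (stand-in)."""
    return sorted(range(1, n + 1), key=lambda j: _mac(k1, j))

def rand_zq_star() -> int:
    return secrets.randbelow(Q - 1) + 1

def setup():
    s = rand_zq_star()
    return s, s  # (msk, P0 = g^s); both are the exponent s in the toy model

def extract(identity: str, msk: int) -> int:
    return H1(identity) * msk % Q  # sk_ID = H1(ID)^s

def tag_gen(sk: int, fid: str, blocks: list):
    chi, lam = rand_zq_star(), rand_zq_star()
    # Eq. (1): T_i = sk_ID * (H2(Fid||i) * chi^{m_i})^lambda
    tags = [(sk + lam * (H2(fid, i) + chi * m)) % Q for i, m in enumerate(blocks, 1)]
    return tags, lam, chi  # R = g^lambda is the exponent lam here

def challenge(c: int):
    return c, rand_zq_star(), rand_zq_star()  # chal = (c, k1, k2)

def challenge_set(chal, n: int) -> list:
    c, k1, k2 = chal
    order = pi(k1, n)
    return [(order[i - 1], phi(k2, i)) for i in range(1, c + 1)]

def proof_gen(blocks: list, tags: list, chi: int, chal):
    C = challenge_set(chal, len(blocks))
    r = rand_zq_star()
    W = -r * chi % Q                                     # W = chi^{-r}
    sigma = sum(a * tags[v - 1] for v, a in C) % Q       # prod T_v^{a}
    M = sum(a * (r + blocks[v - 1]) for v, a in C) % Q   # sum a*(r + m_v)
    return W, sigma, M

def proof_verify(identity, P0, R, chi, fid, chal, n, proof) -> int:
    W, sigma, M = proof
    C = challenge_set(chal, n)
    a_sum = sum(a for _, a in C) % Q
    h2 = sum(a * H2(fid, v) for v, a in C) % Q           # prod H2(Fid||v)^a
    lhs = sigma                                          # e(sigma, g)
    rhs = (H1(identity) * a_sum * P0 + (h2 + chi * M + W * a_sum) * R) % Q
    return 1 if lhs == rhs else 0                        # Eq. (3)

def demo() -> dict:
    msk, P0 = setup()
    sk = extract("alice@example.org", msk)               # constructed identity
    data = b"constructed sample file for the audit demo. " * 4
    blocks = [int.from_bytes(data[i:i + 15], "big") for i in range(0, len(data), 15)]
    tags, R, chi = tag_gen(sk, "file-001", blocks)
    n = len(blocks)
    chal = challenge(n)                                  # challenge every block
    args = ("alice@example.org", P0, R, chi, "file-001", chal, n)
    p1 = proof_gen(blocks, tags, chi, chal)
    p2 = proof_gen(blocks, tags, chi, chal)              # same challenge, fresh r
    damaged = list(blocks)
    damaged[3] ^= 1                                      # one flipped bit on the server
    bad = proof_gen(damaged, tags, chi, chal)
    return {
        "honest": proof_verify(*args, p1),
        "honest_again": proof_verify(*args, p2),
        "masked_M_differs": p1[2] != p2[2],
        "damaged": proof_verify(*args, bad),
    }
```

With $c = n$ every block is challenged, so the damaged block is always caught; with $c < n$ detection depends on whether $\pi$ selects the damaged index.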

Analysis: If A wins the game, B can get $e(T_i, g) = e(H_1(ID), P_0) \cdot e(H_2(Fid\|i) \cdot \chi^{m_i}, R)$ according to the verification (2). B gets the tuple $(ID, h_1, Q_1, \tau)$ from $L_1$ and checks the value of $\tau$. If $\tau = 0$, B aborts. Otherwise, B searches the tuple $(Fid, i, Q_2)$ from $L_2$. By the verification equation mentioned previously, B gets $e(T_i, g) = e(g^{b h_1}, g^{a}) \cdot e(Q_2 \cdot \chi^{m_i}, g^{r})$, by which the result for the given CDH instance can be deduced:

$$g^{ab} = \left( \frac{T_i}{(Q_2 \cdot \chi^{m_i})^{r}} \right)^{1/h_1}.$$

From the aforementioned process, we see that if B does not abort, B performs a perfect interaction simulation with A. The abortion of B only happens in the phase of Extract-Query and Tag-Query. Therefore, the probability that B successfully interacts with A without abortion is higher than $(1-\gamma)^{q_k+q_T}$. Thus, B outputs the right value of $g^{ab}$ with the probability of $\varepsilon' \ge \varepsilon \cdot \gamma \cdot (1-\gamma)^{q_k+q_T} \ge \varepsilon / ((q_k + q_T) \cdot 2e)$. The corresponding time cost is $t' \le t + O(q_{H_1} + q_k + q_{H_2} + q_T)$.

From the Theorem 1, we see that single tag cannot be forged by the cloud server. Next, we prove the entire proof cannot be forged by the cloud server either.

Theorem 2: The probability that the cloud server forges a proof to pass the integrity verification without the real data blocks is negligible.

Proof: This proof is the continuation of Theorem 1. In the game for this proof, the challenger sets the parameters and replies the queries as in proof of Theorem 1. After completing all the queries, the adversary randomly generates a proof for any challenge in which at least one block has not done tag-query. If the proof passes the verification, the adversary wins the game. Then, we give the analysis of the probability for the winning game.

It is easy to see that the complete proof includes five components, but the values of $\chi$, $R$, and $T_{Fid}$ are preset. If any of them is wrong, the verification of $T_{Fid}$ must fail and the forged proof is refused at once. Hence, if the forged proof can pass the verification, the values of $\chi$, $R$, and $T_{Fid}$ in the proof must definitely be correct. Thus, in the following analysis, we omit $\chi$, $R$, and $T_{Fid}$. Let the challenge information be $chal = (c, k_1, k_2)$; we compute the challenged block indices and the parameters by $v_i = \pi(k_1, i)$ and $a_i = \phi(k_2, i)$, respectively. Suppose the forged aggregate proof is $P' = (W, \sigma', M')$, where $W = \chi^{-r}$, $\sigma' = \prod_{(v_i,a_i)\in C} {T'_{v_i}}^{a_i}$, and $M' = \sum_{(v_i,a_i)\in C} a_i (r + m'_{v_i})$. Since the forged proof can pass the verification, we get the verification equation:

$$e(\sigma', g) = e\Big(H_1(ID)^{\sum_{(v_i,a_i)\in C} a_i},\, P_0\Big) \cdot e\Big(\prod_{(v_i,a_i)\in C} H_2(Fid\|v_i)^{a_i} \cdot \chi^{M'} \cdot W^{\sum_{(v_i,a_i)\in C} a_i},\, R\Big).$$

Assume the real proof for the $chal = (c, k_1, k_2)$ with the random value $r$ is $P = (W, \sigma, M)$; we can get the equation:

$$e(\sigma, g) = e\Big(H_1(ID)^{\sum_{(v_i,a_i)\in C} a_i},\, P_0\Big) \cdot e\Big(\prod_{(v_i,a_i)\in C} H_2(Fid\|v_i)^{a_i} \cdot \chi^{M} \cdot W^{\sum_{(v_i,a_i)\in C} a_i},\, R\Big).$$

Compared with the aforementioned two equations, we can see that there only exist three cases: (1) if χM = χM , it must have σ = σ, so proof is the correct one, which is contrast to the game assumption; (2) if χM = χM , and σ = σ, it is contrast to the Theorem 1. Otherwise, the single tag can be forged by challenging its data block. Thus, there must be only the case (3): χ M = M and σ = σ. Then it has

$$\chi^{\sum_{(v_i,a_i)\in C} a_i (r + m'_{v_i})} = \chi^{\sum_{(v_i,a_i)\in C} a_i (r + m_{v_i})},$$

i.e., $\sum_{(v_i,a_i)\in C} a_i m'_{v_i} = \sum_{(v_i,a_i)\in C} a_i m_{v_i}$, i.e., $\sum_{(v_i,a_i)\in C} a_i (m'_{v_i} - m_{v_i}) = 0$. According to the assumption, the cloud server does not have the true data blocks, so there must be at least one index $v_i$ with $m'_{v_i} \ne m_{v_i}$. Without loss of generality, we suppose there are $\beta$ ($1 \le \beta \le c$) different blocks. Then, the count of tuples $(a_1, \ldots, a_c)$ satisfying the condition is at most $q^{\beta-1}$. Since $(a_1, \ldots, a_c)$ is a random vector, the probability of the equation $\sum_{(v_i,a_i)\in C} a_i (m'_{v_i} - m_{v_i}) = 0$ is less than

$$\frac{q^{\beta-1}}{q^{c}} \le \frac{q^{\beta-1}}{q^{\beta}} = \frac{1}{q},$$

which is negligible. Therefore, without the real data, the adversary could generate the correct proof only with negligible probability.

Next, we show that our scheme is data privacy preserving. That is, the TPA cannot derive any information about user’s data from the integrity proof.

Theorem 3: TPA cannot recover any information for the data blocks from the proof.

Proof: It is no doubt that the values of $\chi$, $R$, and $T_{Fid}$ in $P$ contain no information about data block. Because single tag cannot be forged, the TPA cannot derive the data blocks from $\sigma$. The value $r$ is randomly selected by the cloud server, so the TPA cannot get the value of $r$ from $W = \chi^{-r}$ due to the discrete logarithm hard problem. For $M = \sum_{(v_i,a_i)\in C} a_i (r + m_{v_i})$, the TPA at most gets the value of $r + m_{v_i}$ but cannot compute $m_{v_i}$ either, even though there is only one block, because $r$ is unknown. On the contrary, if TPA derives data block $m_{v_i}$, it can also get the value of $r$. It means we can find a simulator to solve the discrete logarithm problem by using the capability of the TPA. It is impossible. Therefore, the TPA does not learn any information about the challenged data by the integrity proof.

V. PERFORMANCE ANALYSIS

We evaluate the performance for our scheme by theoretical analysis and experiment results in this section.

A. Performance Evaluation

The performance of our scheme is summarized from computation cost and communication cost, which are shown as follows.

1) Computation Cost: The computation cost of our scheme mainly lies in the expensive operations such as pairing and exponentiation. Other operations like hash function and addition only incur negligible cost, so we omit them when analyzing the computation cost. For simplicity, we use $T_{mul}$, $T_p$, and $T_{exp}$ to represent the overhead of multiplication operation, pairing operation, and exponentiation operation on group $G_1$, respectively. Suppose there are $n$ blocks in total, of which $c$ blocks are challenged. The KGC runs Extract algorithm to generate private key for user, which needs one $T_{exp}$ operation. The TagGen algorithm needs to run $n$ times to generate all the tags of data blocks; it costs $2nT_{exp} + 2nT_{mul}$. The Challenge algorithm only causes negligible cost. To generate the integrity proof, ProofGen is run by the cloud server, which needs $(c + 1) \cdot T_{exp} + (c - 1) \cdot T_{mul}$ computation cost. To check the data integrity, the TPA runs the ProofVerify algorithm; the computation cost is $3T_p + (c + 3)T_{exp} + (c + 1)T_{mul}$.
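The algebra behind Theorems 2 and 3 above can be checked numerically. The following Python sketch is an added example, not the authors' implementation: it uses a toy prime-order group (p = 23, q = 11, χ = 4, all constructed here), leaves out the pairing and the aggregated tag σ, and assumes the coefficients a_i are uniform in Z_q.

```python
# Added illustration (not the authors' code). Toy parameters constructed for
# this example: p = 2q + 1 with q prime, chi generating the order-q subgroup.
from itertools import product

Q = 11          # toy group order (the paper's group order is a 160-bit prime)
P = 2 * Q + 1   # 23
CHI = 4         # 4 = 2^2 has order 11 modulo 23


def proof_gen_blinded(blocks, chal, r):
    """Return (W, M) as in ProofGen: W = chi^{-r}, M = sum a_i*(r + m_{v_i}) mod q.

    `chal` is a list of (v_i, a_i) pairs. The aggregated tag sigma is omitted
    because it needs a pairing group.
    """
    W = pow(CHI, (-r) % Q, P)
    M = sum(a * (r + blocks[v]) for v, a in chal) % Q
    return W, M


def verifier_term(W, M, chal):
    """chi^M * W^{sum a_i}: the only place M and W enter the verification equation."""
    a_sum = sum(a for _, a in chal) % Q
    return (pow(CHI, M, P) * pow(W, a_sum, P)) % P


def expected_term(blocks, chal):
    """chi^{sum a_i * m_{v_i}}: what the verifier term reduces to for honest data."""
    return pow(CHI, sum(a * blocks[v] for v, a in chal) % Q, P)


def blocks_consistent_with(M, a):
    """Theorem 3, single-block challenge: every m that some r in Z_q maps to M.

    M = a*(r + m) mod q, so m = M/a - r. Hiding r itself rests on the discrete
    logarithm of W = chi^{-r}; in this toy group r is trivially brute-forced.
    """
    a_inv = pow(a, -1, Q)
    return {(M * a_inv - r) % Q for r in range(Q)}


def passing_fraction(delta):
    """Theorem 2: count coefficient vectors with sum a_i*delta_i = 0 mod q.

    delta_i = m'_{v_i} - m_{v_i} for the beta blocks that differ (all nonzero).
    Returns (number of passing vectors, total number of vectors q^beta).
    """
    beta = len(delta)
    hits = sum(
        1 for a in product(range(Q), repeat=beta)
        if sum(x * d for x, d in zip(a, delta)) % Q == 0
    )
    return hits, Q ** beta


if __name__ == "__main__":
    blocks = [3, 9, 5, 7]                      # constructed sample blocks in Z_q
    chal = [(0, 2), (2, 5), (3, 1)]            # constructed (v_i, a_i) pairs
    for r in (4, 9):
        W, M = proof_gen_blinded(blocks, chal, r)
        print(f"r={r}: M={M}, verifier term={verifier_term(W, M, chal)}")
    print("honest term:", expected_term(blocks, chal))
    print("candidates for one blinded block:", sorted(blocks_consistent_with(1, 3)))
    print("passing vectors for delta=(3, 7):", passing_fraction((3, 7)))
```

Different values of r give different M but the same verifier term, and a forged set of blocks passes for exactly q^(β-1) of the q^β coefficient vectors, which is the 1/q bound used in the proof.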

TABLE I
COMPARISON OF COMPUTATION COST

Moreover, to show the efficiency advantage of our scheme, we compare it with the schemes [47] and [49] and list the results in the Table I. It is easy to find that our scheme costs one more multiplication operation than the schemes [47] and [49] in tag generation. However, the computation cost of the multiplication operation is much less than exponentiation operation’s cost, so, in some degree, the two schemes have the same scale of computation cost in tag generation. In proof generation, our scheme reduces one pairing operation compared with the scheme in [47] and two pairing operations compared with the scheme [49]. In proof verification, the scheme [47] needs two pairing operations and our scheme needs three pairing operations, but in the scheme [49], the pairing operation is linear with the number of challenged blocks, while the three schemes have almost the same exponentiation operations. Note that the cost of multiplication operation is far less than pairing operation. Moreover, our scheme and scheme [49] are identity based that avoids certificate management cost compared with the scheme [47].

Fig. 2. Computation cost of tag generation.

2) Communication Cost: To audit the integrity for the data on cloud server, the TPA submits the data name $Fid$ and the challenge information $chal = (c, k_1, k_2)$ to the cloud server. Thus, the communication cost of the challenge request is $(\log c + 2|q| + |Fid|)$ bits. The cloud server gives the integrity proof $P = (W, \sigma, M, R, \chi, T_{Fid})$ to the TPA. Therefore, communication cost of challenge response is $(|q| + 4|G_1| + |T_{Fid}|)$ bits.

B. Experimental Results

We fully implement our scheme based on the GNU multiple arithmetic precision (GMP) library [55] and pairing based cryptography (PBC) Library [56]. All of the experiments are conducted on the VMware Workstation 10 with the configuration of 1 CPU, 4-G Ram, and 20-G Rom. The work station is run on the host computer of Lenovo Laptop L440, the environment of which is Win7 operation system, 8-G Ram and Core i7-4712MQ at 2.3-GHz CPU. The operation system is Ubuntukylin-15.10-desktop-i386. In our experiments, we choose the parameter a.param to be the parameters of the PBC library. To get more precise results, each experiment is conducted for 50 trials.

Fig. 3. Computation cost for proof generation and verification.

The Extract algorithm only needs one exponentiation operation on group $G_1$, which costs almost 2.76 ms. We evaluate the tag generation cost by the following experiments. First, we create a file with the size of 2 M. Because the size of data block is bounded by the order of the group 160 bit, the number of blocks is 100 000 in total. Without loss of generality, we change the block count from 1000 to 10 000 with an increment of 1000 in each test. The results are shown in Fig. 2. As observed, the cost of tag generation grows linearly with the number of blocks. However, to generate tags for 10 000 blocks only needs about 58.2 s, which is accepted by most groups. Furthermore, tag generation for data is usually conducted only once that brings little influence on the performance of integrity checking.

For the entire scheme, the algorithms of Challenge, ProofGen, and ProofVerify are the main components that are executed more frequently. It is easy to see that the entire efficiency of the scheme is mainly dependent on the efficiency of the algorithms Challenge, ProofGen, and ProofVerify. However, the Challenge algorithm only selects two random numbers from $Z_q^*$, so its computation cost is negligible. Therefore, in the second part, we make experiments to evaluate the efficiency of the algorithms ProofGen and ProofVerify. Furthermore, we implement the scheme [49] under the same experiment setting and compare the efficiency of the two schemes. We increase the counter of challenged blocks from 100 to 1000 with an increment of 100 in each experiment. The results are illustrated in Fig. 3. Note that two schemes have the similar computation cost for proof generation, but our scheme is a little more efficient than the scheme [49]. For the proof verification, the gap between our scheme and the scheme [49] becomes bigger. For example, to challenge 1000 blocks, the scheme [49] needs about 6.1 s, while our scheme only costs about 2.8 s. Thus, our scheme is very efficient and feasible for real-life applications.

VI. CONCLUSION

In this article, we present a novel identity-based RDIC scheme for secure cloud storage. Our scheme removes the complex certificate management in PKI and guarantees the data privacy against the TPA. The security model of our scheme is formalized from the following three aspects.
1) TPA checks the integrity for the stored data with the RDIC scheme;
2) The semitrusted cloud server without true data cannot generate the correct data integrity proof;
3) The data privacy is preserved against the TPA.
We provide the concrete construction of our scheme. Based on the CDH hard problem, we prove security of our scheme. The experiment exhibits that our scheme is very efficient and feasible.

REFERENCES

[1] R. Buyya, C. S. Yeo, S. Venugopal, J. Broberg, and I. Brandic, “Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility,” Future Gener. Comp. Sys., vol. 25, no. 6, pp. 599–616, 2009.
[2] G. C. Deka and R. S. Bhadoria, “Role of G-cloud in citizen centric governance,” in Proc. IEEE 2nd Int. Conf. Parallel, Distributed Grid Comput., 2012, pp. 44–48.
[3] M. K. Srivastav, R. S. Bhadoria, and T. Pramanik, “Integration of multiple cache server scheme for user-based fuzzy logic in content delivery networks,” in Handbook of Research on Advanced Applications of Graph Theory in Modern Society. Hershey, PA, USA: IGI Global, 2020, pp. 386–396.
[4] C. Wang, C. Wang, Z. Wang, X. Ye, J. X. Yu, and B. Wang, “DeepDirect: Learning directions of social ties with edge-based network embedding,” IEEE Trans. Knowl. Data Eng., vol. 31, no. 12, pp. 2277–2229, Dec. 2019.
[5] M. Ali, S.U. Khan, and A.V. Vasilakos, “Security in cloud computing: opportunities and challenges,” Inf. Sci., vol. 305, no. 1, pp. 357–383, 2015.
[6] C. Zuo, J. Shao, J. K. Liu, G. Wei, and Y. Ling, “Fine-grained two-factor protection mechanism for data sharing in cloud storage,” IEEE Trans. Inf. Forensics Secur., vol. 13, no. 1, pp. 186–196, Jan. 2018.
[7] J. Li, W. Yao, J. Han, Y. Zhang, and J. Shen, “User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage,” IEEE Syst. J., vol. 12, no. 2, pp. 1767–1777, Jun. 2018.
[8] C. Zuo, J. Shao, G. Wei, M. Xie, and M. Ji, “CCA-secure ABE with outsourced decryption for fog computing,” Future Gener. Comput. Syst., vol. 78, pp. 730–738, 2018.
[9] H. Qian, J. Li, Y. Zhang, and J. Han, “Privacy preserving personal health record using multi-authority attribute-based encryption with revocation,” Int. J. Inf. Secur., vol. 14, no. 6, pp. 487–497, 2015.
[10] J. Ning, X. Dong, Z. Cao, L. Wei, and X. Lin, “White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes,” IEEE Trans. Inf. Forensics Secur., vol. 10, no. 6, pp. 1274–1288, Jun. 2015.
[11] H. Li, Q. Chen, H. Zhu, D. Ma, H. Wen, and X. Shen, “Privacy leakage via de-anonymization and aggregation in heterogeneous social networks,” IEEE Trans. Dependable Secure Comput., to be published, doi: 10.1109/TDSC.2017.2754249.
[12] H. Li, H. Zhu, S. Du, X. Liang, and X. Shen, “Privacy leakage of location sharing in mobile social networks: Attacks and defense,” IEEE Trans. Dependable Secure Comput., vol. 15, no. 4, pp. 646–660, Jul./Aug. 2018.
[13] J. Li, Q. Yu, and Y. Zhang, “Key-policy attribute-based encryption against continual auxiliary input leakage,” Inf. Sci., vol. 470, pp. 175–188, 2019.
[14] J. Li, Q. Yu, and Y. Zhang, “Hierarchical attribute based encryption with continuous leakage-resilience,” Inf. Sci., vol. 484, pp. 113–134, 2019.
[15] L. Zhang, H. Xiong, Q. Huang, J. Li, K. K. R. Choo, and J. Li, “Cryptographic solutions for cloud storage: Challenges and research opportunities,” IEEE Trans. Services Comput., to be published, doi: 10.1109/TSC.2019.2937764.
[16] Y. Lu, J. Li, and Y. Zhang, “Privacy-preserving and pairing-free multi-recipient certificateless encryption with keyword search for cloud-assisted IIoTs,” IEEE Internet Things J., to be published, doi: 10.1109/JIOT.2019.2943379.
[17] R. S. Bhadoria, “Security architecture for cloud computing,” in Cyber Security and Threats: Concepts, Methodologies, Tools, and Applications. Hershey, PA, USA: IGI Global, 2018, pp. 729–755.
[18] Y. Deswarte, J. J. Quisquater, and A. Saïdane, “Remote integrity checking,” in Proc. 6th Working Conf. Integr. Internal Control Inf. Syst., 2003, pp. 1–11.
[19] G. Ateniese et al., “Provable data possession at untrusted stores,” in Proc. 14th ACM Conf. Comput. Commun. Secur., 2007, pp. 598–609.
[20] A. Juels and B.S. Kaliski, Jr., “PORs: Proofs of retrievability for large files,” in Proc. 14th ACM Conf. Comput. Commun. Secur., 2007, pp. 584–597.
[21] H. Shacham and B. Waters, “Compact proofs of retrievability,” in Proc. 14th Int. Conf. Theory Appl. Cryptol. Inf. Secur., 2008, pp. 90–107.
[22] G. Ateniese, R. D. Pietro, L. V. Mancini, and G. Tsudik, “Scalable and efficient provable data possession,” in Proc. 14th Int. Conf. Secur. Privacy Commun. Netw., 2008, pp. 1–10.
[23] C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, “Dynamic provable data possession,” in Proc. 16th ACM Conf. Comput. Commun. Secur., 2009, pp. 213–222.
[24] J. Li, X. Lin, Y. Zhang, and J. Han, “KSF-OABE: Outsourced attribute-based encryption with keyword search function for cloud storage,” IEEE Trans. Service Comput., vol. 10, no. 5, pp. 715–725, Sep./Oct. 2017.
[25] F. Sebé, J. Domingo-Ferrer, A. Martinez-balleste, Y. Deswarte, and J. Quisquater, “Efficient remote data possession checking in critical information infrastructures,” IEEE Trans. Knowl. Data Eng., vol. 20, no. 8, pp. 1034–1038, Aug. 2008.
[26] J. Li, Y. Wang, Y. Zhang, and J. Han, “Full verifiability for outsourced decryption in attribute based encryption,” IEEE Trans. Service Comput., to be published, doi: 10.1109/TSC.2017.2710190.
[27] K. Yang and X. Jia, “An efficient and secure dynamic auditing protocol for data storage in cloud computing,” IEEE Trans. Parallel Distrib. Syst., vol. 24, no. 9, pp. 1717–1726, Sep. 2013.
[28] J. Li, W. Yao, Y. Zhang, H. Qian, and J. Han, “Flexible and fine-grained attribute-based data storage in cloud computing,” IEEE Trans. Service Comput., vol. 10, no. 5, pp. 785–796, Sep./Oct. 2017.
[29] Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, “Enabling public auditability and data dynamics for storage security in cloud computing,” IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 5, pp. 847–859, May 2011.
[30] H. Yan, J. Li, J. Han, and Y. Zhang, “A novel efficient remote data possession checking protocol in cloud storage,” IEEE Trans. Inf. Forensics Secur., vol. 12, no. 1, pp. 78–88, Jan. 2017.
[31] H. Wang, Q. Wu, B. Qin, and J. Domingo-Ferrer, “Identity-based remote data possession checking in public clouds,” IET Inf. Secur., vol. 8, no. 2, pp. 114–121, 2014.
[32] Y. Zhu, H. Hu, G. J. Ahn, and M. Yu, “Cooperative provable data possession for integrity verification in multicloud storage,” IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 12, pp. 2231–2244, 2012.
[33] H. Wang, “Identity-based distributed provable data possession in multi-cloud storage,” IEEE Trans. Service Comput., vol. 8, no. 2, pp. 328–340, Mar./Apr. 2015.
[34] J. Li, H. Yan, and Y. Zhang, “Efficient identity-based provable multi-copy data possession in multi-cloud storage,” IEEE Trans. Cloud Comput., to be published, doi: 10.1109/TCC.2019.2929045.
[35] H. Wang, D. He, and S. Tang, “Identity-based proxy-oriented data uploading and remote data integrity checking in public cloud,” IEEE Trans. Inf. Forensics Secur., vol. 11, no. 6, pp. 1165–1176, Jun. 2016.
[36] H. Yan, J. Li, and Y. Zhang, “Remote data checking with designated verifier in cloud storage,” IEEE Syst. J., to be published, doi: 10.1109/JSYST.2019.2918022.
[37] J. Yu, K. Ren, C. Wang, and V. Varadharajan, “Enabling cloud storage auditing with key-exposure resistance,” IEEE Trans. Inf. Forensics Secur., vol. 10, no. 6, pp. 1167–1179, Jun. 2015.
[38] B. Wang, B. Li, and H. Li, “Knox: Privacy-preserving auditing for shared data with large groups in the cloud,” in Proc. 10th Int. Conf. Appl. Cryptography Netw. Secur., 2012, pp. 507–525.
[39] B. Wang, B. Li, and H. Li, “Oruta: Privacy-preserving public auditing for shared data in the cloud,” IEEE Trans. Cloud Comput., vol. 2, no. 1, pp. 43–56, Jan.–Mar. 2014.
[40] Y. Yu, L. Niu, G. Yang, Y. Mu, and W. Susilo, “On the security of auditing mechanisms for secure cloud storage,” Future Gener. Comput. Sys., no. 30, pp. 127–132, 2014.
[41] B. Wang, B. Li, and H. Li, “Panda: Public auditing for shared data with efficient user revocation in the cloud,” IEEE Trans. Service Comput., vol. 8, no. 1, pp. 92–106, Jan./Feb. 2015.
[42] Y. Yu, Y. Mu, J. Ni, J. Deng, and K. Huang, “Identity privacy-preserving public auditing with dynamic group for secure mobile cloud storage,” in Proc. 8th Int. Conf. Netw. Syst. Secur., 2014, pp. 28–40.
[43] J. Li, H. Yan, and Y. Zhang, “Certificateless public integrity checking of group shared data on cloud storage,” IEEE Trans. Services Comput., to be published, doi: 10.1109/TSC.2018.2789893.
[44] Y. Feng, Y. Mu, G. Yang, and J.K Liu, “A new public remote integrity checking scheme with user privacy,” in Proc. 20th Australasian Conf. Inf. Secur. Privacy, 2015, pp. 377–394.
[45] Z. Hao, S. Zhong, and N. Yu, “A privacy-preserving remote data integrity checking protocol with data dynamics and public verifiability,” IEEE Trans. Knowl. Data Eng., vol. 23, no. 9, pp. 1432–1437, Sep. 2011.
[46] E. Zhou and Z. Li, “An improved remote data possession checking protocol in cloud storage,” in Proc. 14th Int. Conf. Algorithms. Archit. Parallel, 2014, pp. 611–617.
[47] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy preserving public auditing for secure cloud storage,” IEEE Trans. Comput., vol. 62, no. 2, pp. 362–375, Feb. 2013.
[48] J. Zhang and Q. Dong, “Efficient ID-based public auditing for the outsourced data in cloud storage,” Inf. Sci., no. 343, pp. 1–14, 2016.
[49] Y. Yu et al., “Identity-based remote data integrity checking with perfect data privacy preserving for cloud storage,” IEEE Trans. Inf. Forensics Secur., vol. 12, no. 4, pp. 767–778, Apr. 2017.
[50] Y. Zhang, C. Xu, X. Liang, H. Li, Y. Mu, and X. Zhang, “Efficient public verification of data integrity for cloud storage systems from indistinguishability obfuscation,” IEEE Trans. Inf. Forensics Secur., vol. 12, no. 3, pp. 676–688, Mar. 2017.
[51] D. Boneh and M. Franklin, “Identity-Based Encryption from the Weil Pairing,” in Proc. Annu. Int. Cryptol. Conf., 2001, vol. 2139, pp. 213–229.
[52] D. He, H. Wang, J. Zhang, and L. Wang, “Insecurity of an identity-based public auditing protocol for the outsourced data in cloud storage,” Inf. Sci., vol. 375, pp. 48–53, 2017.
[53] G. Ateniese, S. Kamara, and J. Katz, “Proofs of storage from homomorphic identification protocols,” in Proc. Advances Cryptol., 2009, pp. 319–333.
[54] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil pairing,” J. Cryptol., vol. 17, no. 4, pp. 297–319, Sep. 2004.
[55] The GNU Multiple Precision Arithmetic Library (GMP). Accessed: Sep. 16, 2016. [Online]. Available: http://gmplib.org/
[56] The Pairing-based Cryptography Library (PBC). Accessed: Sep. 16, 2016. [Online]. Available: https://crpto.stanford.edu/pbc/download.html

Jiguo Li received the B.S. degree in mathematics from Heilongjiang University, Harbin, China, in 1996, and the M.S. degree in mathematics and the Ph.D. degree in computer science from the Harbin Institute of Technology, Harbin, in 2000 and 2003, respectively.
From September 2006 to March 2007, he was a Visiting Scholar with the Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, the University of Wollongong, Wollongong, NSW, Australia. From February 2013 to January 2014, he was a Visiting Scholar with the Institute for Cyber Security, University of Texas at San Antonio. He is currently a Professor with the College of Mathematics and Informatics, Fujian Normal University, Fuzhou, China, and the College of Computer and Information, Hohai University, Nanjing, China. His research interests include cryptography and information security, cloud computing security, wireless security, trusted computing, etc. He has authored and coauthored more than 160 research papers in refereed international conferences and journals. His work has been cited more than 3300 times at Google Scholar.
Dr. Li has served as a Program Committee Member in more than 30 international conferences and as the Reviewers in more than 90 international journals and conferences.

Hao Yan received the B.S. and M.S. degrees in computer science and technology from the Nanjing University of Science and Technology, Nanjing, China, in 2003 and 2006, respectively, and the Ph.D. degree in computer science and technology from Hohai University, Nanjing, China, in 2019.
He is currently an Associate Professor with the Jinling Institution of Technology, Nanjing, China. His research interests include cloud computing security and applied cryptography.

Yichen Zhang received the Ph.D. degree from the College of Computer and Information, Hohai University, Nanjing, China, in 2015.
She is currently an Associate Professor with Fujian Normal University, Fuzhou, China. Her research interests include cryptography, information security, and cloud computing security. She has authored and coauthored more than 40 research papers in refereed international conferences and journals.