Privacy-preserving public auditing for educational multimedia data in cloud computing

Abstract

Nowadays, as distance learning is being widly used, multimedia data becomes an effective way for delivering educational contents in online educational systems. To handle the educational multimedia data efficiently, many distance learning systems adopt a cloud storage service. Cloud computing and storage services provide a secure and reliable access to the outsourced educational multimedia contents for users. However, it brings challenging security issues in terms of data confidentiality and integrity. The straightforward way for the integrity check is to make the user download the entire data for verifying them. But, it is inefficient due to the large size of educational multimedia data in the cloud. Recently many integrity auditing protocols have been proposed, but most of them do not consider the data privacy for the cloud service provider. Additionally, the previous schemes suffer from dynamic management of outsourced data. In this paper, we propose a public auditing protocol for educational multimedia data outsourced in the cloud storage. By using random values and a homomorphic hash function, our proposed protocol ensures data privacy for the cloud and the third party auditor (TPA). Also, it is secure against lose attack and temper attack. Moreover, our protocol is able to support fully dynamic auditing. Security and performance analysis results show that the proposed scheme is secure while guaranteeing minimum extra computation costs.

1 Introduction

Nowadays, distance learning has become one of the rapidly growing trends for both the students and educational institutions. It is an effective method of delivering educational contents to remote users. As traditional distance learning provides a text or picture at the designated time, students were only able to study during a fixed amount of time. Due to rapid growth of the multimedia Web [17], distance learning has enabled students to study without time and space constraints by using educational multimedia data. In addition, since students can learn more effectively when the learning materials are presented in multimedia data such as video, audio and text, utilization of multimedia data has become increasingly common in learning systems. However, as the volume of educational multimedia data is enriched, huge amounts of educational multimedia have been difficult to be handled in multimedia Web. e,g., storing/editing/deleting the data. To handle the educational multimedia data efficiently, distance learning systems are likely to use the cloud computing [10, 12]. Since, the cloud computing provides dynamically scalable infrastructure to support computing power, storage and communication capabilities as services, it is suitable for distance learning environments. Data users, that is educational contents owners, can easily access and store educational multimedia data in the cloud storage. However, it also brings new and challenging security issues in terms of confidentiality and integrity of the user’s outsourced data. Since the cloud has full control of the stored educational multimedia data, a malicious cloud may be able to perform attacks on the data so as to maintain reputation and financial benefit. Therefore, the data user needs to check that educational multimedia data is correctly stored in the cloud.

Since size of educational multimedia data in the cloud is very large, it is a very inefficient in terms of the communication and computation overhead for a verifier, that is the data user or owner, to retrieve entire data from the cloud and check the integrity of it. Therefore, to save the computation and communication cost, a public auditing protocol, which enables a third party auditor (TPA) to verify it on behalf of users is critically important. Recently, many integrity public auditing schemes [1, 2, 5, 7, 8, 11, 13–16, 18–20] have been proposed to check the integrity of the data without retrieving the whole data. These schemes perform the partial integrity check by random sampling using challenge queries. Another issue is supporting dynamic data operation for outsourced data in the cloud. Supporting dynamic data is a one of the most challenging and practical requirements since the cloud data could be dynamically updated during their lifetime, such as data insertion/deletion/modification. Unfortunately, many schemes [1, 2, 8, 13] focus on static data and cannot support data update. In addition, most of these schemes [1, 2, 5, 8, 11, 13–15] do not support the privacy protection of data against the cloud. These schemes provide only the data privacy for the TPA. If the data and index are encrypted to ensure data privacy for the cloud, they cannot support fully dynamic data.

In this paper, we focus on the way to provide the data privacy and integrity for the educational multimedia data in the cloud. We propose a public auditing scheme that supports fully dynamic data as well as data privacy against both the untrusted cloud server and the TPA under the loss and tamper attacks [11] by using the random values and homomorphic hash function [6, 9]. Specifically, in the proposed scheme, we allow the data user to combine data block with random value which is not known to the cloud, thereby providing data privacy against the cloud. Similarly, we allow the cloud to combine homomorphic authenticator with random value which is not known to the TPA, thereby providing data privacy against the TPA. Since the TPA checks the integrity using homomorphic property, the TPA cannot learn any information about the cloud data during the auditing process. On the basis of the security and efficiency analysis results, the proposed scheme is secure against the attacks while guaranteeing minimum extra computation costs.

The rest of this paper is organized as follows. We overview the related work in Section 2, and we introduce the system and threat model, and our design goal in Section 3. Then we provide the preliminaries and the detailed description of our scheme in Section 4. In Section 5, we give security and performance analysis. Finally we conclude our work in Section 6.

2 Related work

Ateniese et al.’s [1] proposed Provable Data Possession (PDP) that allows public auditing without retrieving entire data. They utilize the RSA-based homomorphic linear authenticator (HLA). However, this scheme does not consider dynamic data. To support dynamic data, Ateniese et al.’s [2] designed an improved PDP scheme using symentric keys. However, their scheme is limited number of verification challenge queries. And it does not support fully dynamic data operation. i.e., block insertion cannot be supported. In addition, these two schemes did not consider data privacy. Thus, these schemes may leak users’ data contents to the cloud and the TPA. Juels and Kaliski [8] defined another scheme called proof of retrievability (POR) that ensures both possession and retrievability of data file by using error correcting. However, the number of challenge queries is fixed. In addition, public auditing is not supported in their scheme. To support public auditing, Shacham and Waters [13] proposed an improve POR scheme based on BLS (Boneh-Lynn-Shacham) signature [4]. It provides proof of security for the POR scheme. However this scheme only consider static data files. Erway et al.’s [5] designed a dynamic provable data possession (DPDP) scheme based on rank-based authenticated skip list. Wang et al.’s [15] proposed a public auditing scheme that combines HLA with Merkle hash tree to support fully dynamic data. However, these schemes suffer from weak privacy against the cloud and the TPA. In other related works, Wang et al.’s [14] proposed a public auditing scheme for data privacy against the TPA using random mask technique. Liu et al.’s [11] proposed a secure and efficient public auditing scheme using homomorphic hash function [6, 9]. However, their protocols did not provide data privacy at the cloud. Thus, these schemes may leak users’ data contents to the cloud. To provide the data privacy against the cloud, Zhu et al.’s [19] proposed a scheme that supports data integrity auditing in hybrid cloud. This scheme is suitable for providing integrity of the data users’ important data. Govinda et al.’s [7] proposed a scheme that guarantees both the data integrity and confidentiality using somewhat homomorphic encryption. Thus, this protocol considers the data privacy against both the cloud and the TPA. However, this protocol did not support data dynamics including block insertion and deletion because the index and data block are encrypted.

3 Problem statement

3.1 System model

As illustrated in Fig. 1, the system model includes three entities: (1) Users who have educational multimedia data files to be stored in the cloud. (2) Cloud which provides data storage services and computing resources for user data. (3) TPA that checks the integrity of data stored in the cloud on behalf of users upon request. Our scheme consists of six algorithms. (Setup, KeyGen, SigGen, Challenge, ProofGen, ProofVerify)

Fig. 1

The system model of the cloud data storage service

A user is given a public key and a secret key by executing KeyGen, and generates a signature by using SigGen. The user divides original data into multiple blocks of data before storing it in the cloud. And the user sends the blocks and the corresponding signatures to the cloud. The user deletes data blocks and signatures from the local storage. When the user wants to verify the stored data in the cloud, the user sends auditing request to the TPA. After receiving the auditing request from the user, the TPA generates a challenge message by executing Challenge. Then, the TPA sends a challenge message to the cloud server. The cloud server will derive a proof from the stored data by executing ProofGen. The TPA verifies the correctness of the proof by ProofVerify.

3.2 Threat model

In this paper, we assume that the cloud is not fully trusted in terms of the data confidentiality and integrity, and the TPA is semi-trusted such that it is trusted for auditing process but untrusted for data confidentiality.

Data integrity threats

Malicious cloud may discard the data that have not been accessed or rarely accessed, or tampered the data so as to maintain reputation. It is called loss attack and tamper attack respectively [11].

Data privacy threat

During the auditing process, the cloud and the TPA may try to reveal the users information. We also assume that there is no collusion between the cloud and the TPA.

3.3 Design goal

The proposed scheme should achieve the following properties: (1) Public auditing: The TPA is able to check the integrity of data without retrieving the whole data. (2) Privacy preserving: The cloud and the TPA cannot obtain users plain data during the auditing process. (3) Fully dynamic data: The user is able to perform block-level operations on the outsourced data including block insertion, deletion and modification.

4 Public auditing scheme

4.1 Preliminaries

4.1.1 Bilinear maps

Let 𝔾₁ and 𝔾₂ be two multiplicative cyclic groups of order p. g is the generator of 𝔾₁. A bilinear mapping e : 𝔾₁ × 𝔾₁ → 𝔾₂ must satisfy the following properties:

• Bilinearity: e(u ^a, v ^b) = e(u, v)^ab for all u, v ∈ 𝔾₁ and a, b ∈ ℤ _p .

• Non-degeneracy: There are u, v ∈ 𝔾₁ such that e(u, v) ≠ 1.

• Computability: There is an efficient algorithm to compute e(u, v) for any u, v ∈ 𝔾₁.

4.1.2 Homomorphic hash function

Homomorphic hash function [6, 9] is hash function satisfying:

Homomorphism

For any two message m ₁, m ₂ and scalars α ₁, α ₂, it holds

$${H}(\alpha_{1}{m}_{{1}} + \alpha_{2}{m}_{{2}}) = {H}({m}_{{1}})^{\alpha_{1}} \cdot {H}({m}_{{2}})^{\alpha_{2}}. $$

Collision resistance

There is no probabilistic polynomial-time (PPT) adversary capable of forging (m ₁, m ₂, m ₃, α ₁, α ₂) satisfying both

$${m}_{3} \neq \alpha_{1}{m}_{1} + \alpha_{2}{m}_{2}, \quad and \quad {H}({m}_{3}) = {H}({m}_{1})^{\alpha_{1}} \cdot {H}({m}_{2})^{\alpha_{2}}. $$

4.2 Proposed scheme

In the section, we present our proposed scheme that ensures data privacy against both the cloud and the TPA. In our protocol, since the user and the cloud choose random values and combine them with date file F and proof respectively, contents of data fila F and proof cannot be exposed. To perform the operation of the homomorphic hash function, our scheme uses the signature of Liu et al.’s scheme [11]. Homomorphic hash function can support the operations that is required for the verification. Our scheme consists of six algorithms; Setup, KeyGen, SigGen, Challenge, ProofGen, ProofVerify and are defined as follows:

Setup

To store user data file F in the cloud, F is divided into n blocks as m ₁,…m _n , m _i ∈ \({\mathbb {Z}_{p}}^{*}\)

KeyGen(1 ^λ ) → {Sk,Pk}

A user chooses a large prime p randomly. Define 𝔾₁ and 𝔾₂ to be multiplicative cyclic groups with order p. Let g be a generator of 𝔾₁. H: \({\mathbb {Z}_{p}}^{*}\) → 𝔾₁ is a homomorphic hash function. The user chooses \({\mathbb {Z}_{p}}^{*}\) → x randomly, and computes g ∈ 𝔾₁. Public key is Pk = { g, v} and secret key is Sk = { x}.

SigGen(F, Sk) → { F′, σ }

Define the identity of the file F to be \(id \in {\mathbb {Z}_{p}}^{*}\) for each i ∈ {1, … , n}. Then, the user computes the signature as

$$\sigma_{i} \gets \left({H}(id||i) {H}({m}_{i}))^{x}\right) \in \mathbb{G}_{1} $$

To protect data privacy against the cloud, the user chooses a n random value \(r_{n} \gets {\mathbb {Z}_{p}}^{*}\). Then, the user combines random r-values with each block as F′={m ₁ + r ₁, … , m _n + r _n }. Then, the user sends F′ and the corresponding signature {σ ₁, … , σ _n } to the cloud. Finally the user deletes the data file F from local storage.

Challenge(request, index table) → { F′, σ }

To verify the integrity of outsourced data, the user sends auditing request and the index table to the TPA which includes index, random r-value and r-index the user selected. Subsequently, the TPA defines the subset of set [1,n] to be I = {s _j }(1 ≤ j ≤ c) and s ₁ ≤ … ≤ s _c . For each i ∈ I, the TPA chooses a random \(\nu _{i} \gets {\mathbb {Z}_{p}}^{*}\), and generates chal = {i, ν _i } _{i ∈ I} as a challenge message. Then, the TPA sends chal to the cloud.

ProofGen({ m _i + r _i } _{i ∈ I} , { σ _i } _{i ∈ I} , chal, P k ) → { proof }

Upon receiving the chal, the cloud computes as

$$\mu=\sum\limits_{i=s_{i}}^{s_{c}}\nu_{i}(m_{i}+r_{i})+r^{\prime}, \qquad \sigma=\prod\limits_{i=s_{1}}^{s_{c}}\sigma_{i}^{\nu_{i}}. $$

To prevent the TPA from learning the data content stored in the cloud during the auditing process, the cloud chooses a random \(r^{\prime } \gets {\mathbb {Z}_{p}}^{*}\) the cloud combines homomorphic authenticator with random r′-value. Then, the cloud sends proof = {σ, μ, H(r′)} to the TPA.

ProofVerify( proof , Pk, r )

The TPA combines the challenge message with r-value received from the user as \(H({\sum }_{i=s_{1}}^{s_{c}}\nu _{i}r_{i})^{-1}\). Upon receiving proof, the TPA can verify the integrity as a follow:

$$\begin{array}{@{}rcl@{}} e(\sigma, g)\stackrel{?}{=}e\left(\prod\limits_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot H(\mu) \cdot H\left(\sum\limits_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right)^{-1} \cdot H\left(r^{\prime}\right)^{-1}, v\right). \end{array} $$

(1)

by using the properties of the homomorphic hash properties, the correctness of above equation can be shown as follows:

$$\begin{array}{@{}rcl@{}} e(\sigma, g)&=&e\left(\prod_{i=s_{1}}^{s_{c}}\sigma_{i}^{\nu_{i}}, g\right) \\[1pt] &=&e\left(\prod_{i=s_{1}}^{s_{c}}(H(id||i) H(m_{i}))^{\nu_{i}}, g^{x}\right) \\[1pt] &=&e\left(\prod_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot \prod_{i=s_{1}}^{s_{c}} H(m_{i})^{\nu_{i}}, v\right) \\&=&e\left(\prod_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot H\left(\sum_{i=s_{1}}^{s_{c}} \nu_{i} m_{i}\right) \cdot H\left(\sum_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right) \cdot H\left(\sum_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right)^{-1} {}\right.\\[1pt] & & {} \cdot H\left(r^{\prime}\right) \cdot H\left(r^{\prime}\right)^{-1} , v)\\[1pt] &=&e\left(\prod_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot H\left(\sum_{i=s_{1}}^{s_{c}} \nu_{i}(m_{i}+r_{i})\right) \cdot H\left(\sum_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right)^{-1} \cdot H\left(r^{\prime}\right) \cdot H\left(r^{\prime}\right)^{-1} , v\right)\\[1pt] &=&e\left(\prod_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot H\left(\sum_{i=s_{1}}^{s_{c}} \nu_{i}(m_{i}+r_{i})+r^{\prime}\right) \cdot H\left(\sum_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right)^{-1} \cdot H\left(r^{\prime}\right)^{-1} , v\right)\\[1pt] &=&e\left(\prod_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot H(\mu) \cdot H\left(\sum_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right)^{-1} \cdot H\left(r^{\prime}\right)^{-1}, v\right).\end{array} $$

4.3 Dynamic update

We show how to design our proposed scheme to support fully dynamic data including block level operations of insertion, modification and deletion. Figures 2 and 3 show some examples which demonstrate the changes using index table. Figure 2a describes that the cloud stores the block \(m_{2}^{\prime }+r_{2}^{\prime }\) and signature \(\sigma _{2}^{\prime }\). Figure 2b shows that the TPA inserts a new random r-value \(r_{2}^{\prime }\) in the index table. Figure 3a describes that the cloud replaces m ₁ + r ₁ and deletes m ₃ + r ₃. Figure 3b shows that the TPA deletes a random r-value r ₃ in the index table.

Fig. 2

Block insertion process using index table

Fig. 3

Block modification and deletion process using index table

4.3.1 Block insertion

When a user inserts data, the user must choose a new random r-value r _x , add it to the corresponding block m _x for 1 ≤ x ≤ n, and computes the signature σ _x . Then, the user sends an index information i, σ _x and m _x + r _x to the cloud. Upon receiving these, the cloud stores σ _x and m _x + r _x on the index i, and moves all the subsequent blocks of index, say from j to j + 1. Also, the user sends an update message which includes i, r-value and r-index, to the TPA so as to update the r-value and r-index in the index table stored in the TPA.

4.3.2 Block modification

When a user wants to modify a specific block of index i in the cloud, the user modifies the block m _i for 1 ≤ i ≤ n to m _i ^∗ and and adds existing r _i -value to \(m_{i}^{*}\), and generates the signature \(\sigma _{i}^{*}\) for m _i ^∗. Then, the user sends an index information i, \(\sigma _{i}^{*}\) and m _i ^∗+r _i to the cloud. Upon receiving these, the cloud replaces m _i + r _i , σ _i with m _i ^∗+r _i , \(\sigma _{i}^{*}\).

4.3.3 Block deletion

Block deletion is the opposite operation of block insertion. When a user wants to delete data block of index i from the cloud, the user sends the index information i to the cloud. Then, the cloud deletes the corresponding block and signature, and moves all the blocks of index j into j − 1, for j > i. Also, the user sends update message to the TPA so as to update the the r-value and r-index in the index table stored in the TPA.

5 Security and performance analysis

5.1 Security analysis

In this section, we provide a security analysis for our scheme into two parts. The first part deals with data integrity guarantee. The second part deals with data privacy guarantee. Security of the proposed scheme is based on the computational Diffie-Hellman assumption (CDH) [3]. The following definition recalls CDH.

Definition 1

CDH problem states that, given \(g, g^{a},g^{b} \in \mathbb {G}\), it is computationally intractable to compute the value as g ^ab.

Data integrity guarantee

We need to prove that the untrusted cloud cannot loss and tamper the users’ data. This is equivalent to prove the Theorem 1.

Theorem 1

The untrusted cloud cannot generate a forgery of an auditing proof.

Proof

Our proof is based on Liu et al.’s scheme [11].

Suppose A malicious cloud losses the user’s data m _j + r _j , and tries to pass an auditing from the TPA.

The malicious cloud outputs P r o o f = {σ ^∗, μ ^∗, H(r ^∗)} as

$$\sigma^{*} = \prod\limits_{i={s_{1}}, i\ne j}^{s_{c}} \sigma_{i}^{\nu_{i}},\quad \mu^{*}=\sum\limits_{i={s_{1}}, i\ne j}^{s_{c}}\nu_{i}(m_{i}+r_{i})+r^{*}. $$

Since, the proof of malicious cloud can also satisfy the (1), the following equation holds.

$$\begin{array}{@{}rcl@{}} e\left(\sigma^{*}, g\right)=e\left(\prod\limits_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot H\left(\mu^{*}\right) \cdot H\left(r^{*}\right)^{-1} \cdot H\left(\sum\limits_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right)^{-1} , v\right). \end{array} $$

(2)

If we multiply (2) by the expected signature \(\sigma _{j}^{\nu _{j}}\) which is derived from (1), the following equation holds.

$$\begin{array}{@{}rcl@{}} e\left(\sigma^{*}\sigma_{j}^{\nu_{j}}, g\right) &=& e\left(\prod\limits_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot H\left(\mu^{*}\right) \cdot H\left(r^{*}\right)^{-1}\cdot H\left(\nu_{j}\left(m_{j}+r_{j}\right)\right) {}\right.\\ &&{} \cdot \left. H\left(\sum\limits_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right)^{-1}, v\right). \end{array} $$

(3)

Then, we divide (3) by (2), we obtain:

$$ e\left(\sigma_{j}^{\nu_{j}}, g\right)=e\left( H\left(\nu_{j}(m_{j}+r_{j})\right), v\right). $$

(4)

If (4) is succeeds, we can compute H(i d||i)^x in forged signature σ ^∗, it is a violation of the assumption the assumption that the CDH assumption is hard.

Likewise, suppose A malicious cloud tampers the users data m _j + r _j to (m _j + r _j )^∗, the user’s signature σ _j to \(\sigma _{j}^{*}\), and tries to pass an auditing from the TPA.

The malicious cloud outputs P r o o f = {σ ^∗, μ ^∗, H(r ^∗)} as

$$\sigma^{*} = \prod\limits_{i={s_{1}}, i\ne j}^{s_{c}} \sigma_{i}^{\nu_{i}} \cdot \left(\sigma_{j}^{*}\right)^{\nu_{j}},\quad \mu^{*}=\sum\limits_{i={s_{1}}, i\ne j}^{s_{c}}\nu_{i}\left(m_{i}+r_{i}\right)+r^{*}+\nu_{j}\left(m_{j}+r_{j}\right)^{*}. $$

Since, the proof of malicious cloud can also satisfy the (1), the following equation holds.

$$ e\left(\sigma^{*}, g\right)=e\left(\prod\limits_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot H(\mu^{*}) \cdot H\left(r^{*}\right)^{-1} \cdot H\left(\sum\limits_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right)^{-1} , v\right). $$

(5)

When we multiply (5) by the signature \(\left (\sigma _{j}\sigma _{j}^{*-1}\right )^{\nu _{j}}\), we obtain:

$$\begin{array}{@{}rcl@{}} e\left(\sigma^{*}\left(\sigma_{j}\sigma_{j}^{*-1}\right)^{\nu_{j}},g\right)&=&e\left(\prod\limits_{i=s_{1}}^{s_{c}}H(id||i)^{\nu_{i}} \cdot H\left(\mu^{*}\right) \cdot H\left(r^{*}\right)^{-1} \cdot H\left(\nu_{j}\left(m_{j}+r_{j}\right)\right) {}\right.\\ &&{} \left. \cdot H\left(\nu_{j}\left(m_{j}+r_{j}\right)^{*}\right)^{-1} \cdot H\left(\sum\limits_{i=s_{1}}^{s_{c}}\nu_{i}r_{i}\right)^{-1} , v\right). \end{array} $$

(6)

When we divide (6) by (5), we obtain:

$$\begin{array}{@{}rcl@{}} e\left(\sigma_{j}\sigma_{j}^{*-1},g\right)&=&e\left(H\left(m_{j}+r_{j}\right)\cdot H\left(\left(m_{j}+r_{j}\right)^{*}\right)^{-1}, v\right)^{\nu_{j}}. \end{array} $$

(7)

If (7) is succeeds, we can compute H(i d||i)^x in forged signature σ ^∗, it is a violation of the assumption that the CDH assumption is hard. In short, if success probability of the loss and tamper attacker in our scheme is non-negligible, it solves the CDH problem. This implies that the attacker cannot forge signature σ _i in the proposed scheme. In addition, The TPA combines the challenge message with r-value received from the user as \(H\left ({\sum }_{i=s_{1}}^{s_{c}}\nu _{i}r_{i}\right )^{-1}\) to verify the proof in ProofVerify. Accordingly, when the r-value of data file F′ in the cloud is equal to r-value in the TPA, the TPA can verify the proof. Thus, if the cloud forges the data, r-value of data file F′ in the cloud is changed. Therefore, the TPA cannot calculate the correct verification result for the proof. □

Data privacy guarantee

We want to make sure that the cloud and the TPA cannot derive user’s data information during auditing process. This is equivalent to Theorem 2.

Theorem 2

During auditing process, no information of μ will be leaked to the TPA and no information of data file F will be leaked to the cloud

Proof

We show that the TPA and the cloud cannot derive information from μ. Since the data is hashed in proof and obfuscated by random r′ as \(\mu ={\sum }_{i=s_{i}}^{s_{c}}\nu _{i}(m_{i}+r_{i})+r^{\prime }\), where r′ is chosen randomly by the cloud. In addition, r′ is unknown to the TPA. Therefore, the TPA cannot learn user data. Likewise, Since user data is obfuscated as F′={m ₁ + r ₁, … , m _n + r _n }, where r is random value chosen by the user. In addition, r is unknown to the cloud. Thus, the cloud cannot learn user data. □

5.2 Performance analysis

Communication cost

As shown in Table 1, we analyze the communication cost at data auditing process. The size of the challenge message chal = {i, ν _i } _{i ∈ I} is c⋅(|s| + |p|) bits, where c is the number of select blocks, |s| is the size of set {s ₁, … , s _c } and |p| is the size of an element of ℤ _p . The size of an auditing proof is 2|p| + c⋅(|i d|) bits, where |i d| is the size of a block identifier. Communication costs of between the cloud and the TPA are the same as the previous scheme (Wang et al.’s scheme [14] and Liu et al.’s scheme [11]). However, the additional communication cost occurs between the user and the TPA as n(|p|) which is necessary to ensure the security.

Table 1 Communication costs

Computation cost

We will focus on the additional computation overhead as compared to Wang et al.’s scheme [14] and Liu et al.’s scheme [11]. The experiment is conducted using JAVA in windows 7 with an Intel Core i7 processor running at 3.4 GHz, 8GB of RAM. Computation costs compared to the previous scheme [11, 14] are summarized in Table 2. Let H a s h is hash value, A d d is additions, M u l t is multiplications, E x p is exponentiations, M u l t E x p is \(\prod \) exponentiation and P a i r is paring. Then, suppose there are c random blocks specified in the chal during auditing process. The size of block can be set 20 byte, and c is set to be 300 or 460 for high assurance of auditing process. According to Wang et al.’s scheme [14], if the server is missing 1 % of the data file F, the TPA only needs to audit for c = 300 or 460 randomly chosen blocks of data file F in order to detect misbehavior with probability lager than 95 % or 99 %, respectively.

Table 2 Computataion costs

Under this setting, we provide the quantify of additional computation cost into the user side and the TPA side. On the user side, additional computation costs of user are n A d d in SigGen. As shown in Fig. 4, we implemented the additional computation cost on the user side. The time of addition reaches 8.1 sec for data file with size 1GB, and it increases linearly. It is a small additional computation cost for ensuring the security. Similarly, on the TPA side, additional computation costs of the TPA are 1H a s h, (c + 1)M u l t in ProofVerify. According to previous work [9], we conducted a benchmarking for hash generation time. As a result, when c is 300 and 460, homomorphic hash generation time is 0.509m s and 0.780m s respectively. It require computationally negligible overhead. Thus, our scheme preserves data privacy against both the cloud and the TPA while requiring a small amount of additional computation overhead.

Fig. 4

Additional computation cost on the user side

6 Conclusion

In this paper, we propose a privacy preserving public auditing scheme for educational multimedia data without retrieving the whole data. The proposed scheme is secure against the loss attack and tamper attack. Also, both the cloud and the TPA could not learn user data content by utilizing the random value and homomorphic hash function. Furthermore, our proposed scheme is able to support fully dynamic data. Our scheme ensures data privacy with a small amount of additional computation costs.