Privacy-Preserving Public Auditing for Non-manager Group Shared Data
Abstract
With the widespread use of cloud storage services, users gain many conveniences such as low-price remote file storage and flexible file sharing. The research points in cloud computing include the verification of data integrity, the protection of data privacy and flexible data access. The integrity of data is ensured by a challenge-and-response protocol based on signatures generated by group users. Many existing schemes use group signatures to make sure that the data stored in the cloud is intact while preserving privacy and anonymity. However, group signatures do not consider user equality, and they suffer from the frameability problem caused by group managers. Therefore, we propose a data sharing scheme, PSFS, which supports user equality and traceability at the same time, based on our previous work HADGSP. PSFS has several security properties: correctness, traceability, homomorphic authentication and practical data sharing. Practical data sharing ensures that the data owner will not lose control of the file data during sharing and that the data owner receives an effective incentive for sharing. The effective incentive is realized with blockchain technology. The experimental results show that the communication overhead and computational overhead of PSFS are acceptable.
Keywords
File sharing; Non-manager group; Privacy protection; Homomorphic authentication; Blockchain
1 Introduction
The widespread use of cloud computing [1] gives users various capabilities, such as storing and accessing their data in data centres, which greatly reduces users' storage and computation burden. Moreover, this technology makes it easier than before for data owners to share data with group members in the cloud [2]. The major research points in this area include data integrity [3], data privacy [4] and data access [5]. The integrity of files stored in the cloud must be guaranteed [6], as data owners may physically delete their local copies after uploading the files to the cloud in order to save storage space. However, the data stored in the cloud may become invalid because of hardware failures or erroneous user behaviour. What is worse, to keep its reputation or avoid losing profits, the cloud may even conceal accidents involving data errors [7]. Besides the security threats mentioned above, external attacks may also put data at risk [8]. Therefore, ensuring the integrity of shared data stored in the cloud is an urgent security demand.
So far, various integrity checking schemes [9, 10, 11, 12, 13, 14] have been proposed based on different signatures. Most of the existing public auditing schemes are designed for groups with managers, and only a few schemes [11, 12, 13] support data sharing for non-manager groups. In a group with a manager, the manager has the ability to trace user identities and manage data, which may cause the problem of frameability [14]. Once a group manager discloses information, serious threats to data integrity and identity privacy appear. On the other hand, such centralized control is undesirable in many applications. For example, if users want to be in a group whose membership is managed jointly by all group members, none of these schemes is suitable. Non-manager groups provide users with an equal environment for data sharing, which is in line with the needs of modern users. To avoid the participation of unqualified data owners, it is essential to trace the identity of the data signer in non-manager groups [13]. It is necessary for all members to share the responsibility of data management and identity tracing [15]. Therefore, a public auditing scheme which supports non-manager groups is valuable in practical cloud data sharing.
In a secure public auditing scheme, the disclosure of private information during integrity verification must be avoided. To support privacy protection, Wang et al. [6] used random masking and a public key-based homomorphic linear authenticator to prevent the TPA from learning anything about the data stored in the cloud server during auditing. Yu et al. [16] also applied "zero-knowledge privacy" to ensure that the verifier cannot obtain any information from publicly available data.
The practicality and security of data sharing among group members should also be taken into consideration. The existing public auditing schemes which support data sharing mainly focus on updating the outsourced data [17] and authenticating users [18]. However, no existing scheme considers the fact that the data owner loses control of the data once it is copied. What is more, the owners of shared data should be rewarded according to the accesses to the data. In this paper, we construct a practical and secure file sharing scheme for non-manager groups based on public auditing and blockchain [19, 20].
To address the problems above, our work distributes the trapdoor of the signer identity among the non-manager group by utilizing publicly verifiable secret sharing (PVSS) [21], which enables equal group members to work together to trace malicious signers. To handle the problem in HADGSP [13], we propose a practical data sharing scheme for non-manager groups. By using random masking, our protocol protects the data content stored in the cloud server against the verifier during integrity verification. In addition, we introduce blockchain technology in this paper to realize an effective incentive for data sharing.
1.1 Related Work
Ateniese et al. [22] were the first to propose the provable data possession (PDP) model, which is the basis of integrity checking schemes that allow a user who stores data on an untrusted server to check whether the server indeed stores the original data without retrieving the whole data. However, it cannot guarantee that the data can be retrieved. Then, Juels and Kaliski [23] proposed the proofs of retrievability (PoR) scheme, which enables a backup or archive service to produce a proof that the data can be retrieved by the verifier. Based on the PDP and PoR models, many extended schemes [6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 24] have been proposed to solve different problems. To relieve users' computational burden, public auditing [6, 7, 8, 10, 11, 12, 13, 14, 15, 16, 17, 18] was proposed to let a third party auditor (TPA) verify the integrity of data on behalf of users. In this process, the TPA may obtain important messages and carry out statistical analysis to extract private information. Therefore, the property of privacy preservation [6] should be considered seriously.
The aforementioned works [6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18] studied data integrity in different kinds of groups, but none of them considers a group without a manager that still offers traceability. To realize integrity checking in data sharing groups, Wang et al. [9] proposed Knox, which constructs homomorphic authenticators based on group signatures. Thus, the TPA verifies the integrity of the shared data without retrieving the whole data. In Knox, the group manager has the ability to trace the identity of a signer. But Knox does not support public auditing, and it cannot be used in a group of equal members because of the high authority of the group manager. Oruta [11] was the first privacy protection mechanism to support public auditing of shared data stored in the cloud. Oruta exploits ring signatures to generate the information for the integrity verification of shared data. However, Oruta cannot resist the attack arising from group membership changes. Then, Wang et al. [12] proposed IAID to handle that attack and introduced the concept of incentive into public auditing.
Oruta and IAID both use ring signatures to construct the public auditing scheme. This kind of public auditing provides users with an equal environment, but the identity of the real signer cannot be traced by other users, which may lead to malicious data uploading. HADGSP claimed to realize traceability and equal power, but it used the public keys of signers to verify correctness, which runs counter to the aim of identity privacy. In this paper, we construct a secure and practical file sharing scheme with the methods of IAID and HADGSP. The incentive in IAID is designed for data signers, not for data sharing groups. To construct an efficient incentive for data sharing groups, we introduce blockchain in this paper.
1.2 Our Contributions
1. We present a practical and secure file sharing scheme PSFS for non-manager groups with the properties of traceability and privacy preservation. In PSFS, each member is given equal power and the identity of a malicious user can be traced.
2. PSFS makes the data file controllable during sharing by providing visitors with an access interface instead of sharing the data file itself.
3. Blockchain technology is used in this paper to ensure an effective incentive for data owners, which has never been proposed before in data sharing schemes.
4. We prove the security of PSFS and evaluate its performance to show that the overhead is acceptable.
1.3 Organization
Section 2 introduces some preliminaries used in this paper. Then, the security problems, the design objectives and the system models are described in Sect. 3. In Sect. 4, we show the details of the proposed scheme and present the security analysis, followed by Sect. 5, in which the performance of PSFS is evaluated. Finally, Sect. 6 gives the concluding remarks of this paper.
2 Preliminaries
In this section, we introduce some preliminaries, including bilinear maps, homomorphic verifiable tags and blockchain technology.
2.1 Bilinear Map
Let \(G_{1}\) and \(G_{2}\) be two cyclic multiplicative groups of prime order \(q\), let \(g\) be a generator of \(G_{1}\), and let \(e: G_{1} \times G_{1} \to G_{2}\) be a map (these are the parameters established by the Setup algorithm in Sect. 4.1). The map \(e\) is a bilinear map if it satisfies the following properties:
1. Bilinearity: for all \(u, v \in G_{1}\) and all \(a, b \in Z_{q}\), \(e(u^{a}, v^{b}) = e(u, v)^{ab} = e(u^{b}, v^{a})\).
2. For any \(u_{1}, u_{2}, v \in G_{1}\), \(e(u_{1} \cdot u_{2}, v) = e(u_{1}, v) \cdot e(u_{2}, v)\).
3. Computability and non-degeneracy: there exists an efficiently computable algorithm for computing \(e\), and the map is non-trivial, i.e., \(e\) is non-degenerate: \(e(g, g) \ne 1\).

Discrete Logarithm (DL) Problem Given \(g\) and \(Y = g^{x} \in G_{1}\), it is computationally infeasible to compute \(x \in Z_{q}\).

Computational Diffie-Hellman (CDH) Problem Given \((g, g^{\alpha}, g^{\beta}) \in G_{1}\), it is computationally infeasible to compute \(g^{\alpha \beta} \in G_{1}\) without knowing \(\alpha, \beta \in Z_{q}\).
2.2 Homomorphic Verifiable Tags
Homomorphic Verifiable Tags [11] enable a public verifier to audit the integrity of remote data without downloading the whole data. Besides unforgeability, a homomorphic verifiable signature scheme should also satisfy blockless verification and non-malleability:
Assume that \((sk, pk)\) denotes the private/public key pair of a signer, and that \(\sigma_{1}\) and \(\sigma_{2}\) denote the signatures on blocks \(m_{1}, m_{2} \in Z_{q}\) respectively.
Unforgeability Only a party with the right private key can generate a valid signature; this property relies on the hardness of CDH.
Blockless verification A verifier only needs to verify the correctness of the data stored in the cloud from a linear combination of all blocks, via a challenge-and-response protocol, without knowing the content of the blocks. Specifically, given two signatures \(\sigma_{1}\) and \(\sigma_{2}\) on blocks \(m_{1}, m_{2}\) respectively, random values \(y_{1}, y_{2} \in Z_{q}\) and a linearly combined block \(m' = y_{1} m_{1} + m_{2}\), a verifier can check the correctness of the combined block \(m'\) without knowing the blocks \(m_{1}, m_{2}\).
Non-malleability One who does not hold the valid private keys is unable to generate valid signatures on combined blocks merely by combining existing signatures. Specifically, given two signatures \(\sigma_{1}\) and \(\sigma_{2}\) on blocks \(m_{1}, m_{2}\) respectively, random values \(y_{1}, y_{2} \in Z_{q}\) and a linearly combined block \(m' = y_{1} m_{1} + m_{2}\), a user who does not possess the secret key \(sk\) cannot generate a valid signature \(\sigma'\) on block \(m'\) by combining \(\sigma_{1}\) and \(\sigma_{2}\).
2.3 Blockchain Technology
Blockchain, a well-known technology that emerged with the development of Bitcoin, provides users with a distributed peer-to-peer network in which untrusted members are able to interact with each other in a verifiable manner without any trusted intermediary [19]. Zyskind et al. [20] enabled users to own and control their data by using blockchain technology in a decentralized personal data management system. In their protocol, they combine blockchain and off-blockchain storage to realize a data management platform, which can be further used in cloud storage. In this paper, the storage and access mechanisms are based on blockchain technology, which improves the security level of the proposed scheme.
3 Problem Statements
In this section, we illustrate the security problems in data sharing schemes, the design objectives of our proposed mechanism and the system models of the proposed scheme, including the data sharing model, the public auditing model and the file management model.
3.1 Security Problems
In public auditing schemes for data sharing groups, the integrity of files stored in the cloud is the most important issue, as the file owner may no longer store the files after uploading them to the cloud. However, the cloud may conceal accidents involving data errors. Thus, it is necessary to ensure the validity of shared files. What is more, the file owner loses control of a file once it has been copied, which impairs the owner's benefit. Therefore, the uncontrollability of shared files should be taken into consideration; this is the first time it is raised in public auditing schemes for data sharing.
Integrity Threat If users do not keep their data after outsourcing it to the cloud, they no longer possess the outsourced data physically. When the cloud server inadvertently modifies or even removes data due to hardware or software errors or external attackers, the integrity of the data is threatened. What is worse, the cloud service will conceal the fact that the data has been damaged in order to maintain its interests and reputation. Then users will no longer get the right data.
Identity and Data Privacy Threat During auditing, a semi-trusted verifier may try to extract identity information or data information from the verification information. For example, a block that has been modified frequently may be more important, and after several auditing runs some private and sensitive information may be revealed to the verifier.
Uncontrollable file sharing Due to the nature of digital files, the file owner cannot control the ownership of a file once it has been copied, which seriously damages the interests of the file owner. What is worse, this problem has never been considered in public auditing schemes for data sharing.
3.2 Design Goals
1. Homomorphic verifiability: A public verifier is allowed to check the integrity of data stored in the cloud without knowing the whole data.
2. Public auditing: A verifier has the ability to audit the integrity of the data stored in the cloud without knowing the secret keys of data owners.
3. Identity and data privacy: The public verifier cannot retrieve any identity information or data information from the messages he gets during auditing.
4. Traceability: The identity of a signer can be determined when enough group members work together.
5. Unforgeability: Only the data owner has the ability to sign the file data.
6. Practical file access: When a user applies for file access, the system gives the visitor an access interface instead of sending the file data. In addition, the data owner gets rewards according to the unchangeable access history of the files he shared in the group.
3.3 The System Model
The public auditing model has three kinds of parties: a user group, a verifier and the cloud server. Besides checking the integrity of files stored in the cloud, a group member may send a verification request when he wants to ensure the validity of files stored in the cloud, as each group user has a validity period. The files and signatures become useless when the validity of the file uploader is no longer in force.
4 Practical and Secure File Sharing Scheme
In this section, we design a practical and secure file sharing scheme PSFS for non-manager groups in the cloud, based on secret sharing technology [21] and Wang et al.'s public auditing scheme IAID-PDP [12]. In PSFS, each member of the group is able to upload files and gets a reward if other group members access the uploaded file; those members pay for their access. To ensure the integrity of the accessed files, each group member has the ability to initiate integrity verification. If a file is not valid, in other words, if the file does not pass verification, t group members can work together to trace the file uploader. Note that the initiator of integrity checking can delegate the verification to a public auditor or check data integrity himself.
4.1 Construction of Scheme
PSFS includes nine algorithms: Setup, KeyGen, ShareGen, SignGen, ChallGen, ProofGen, ProofVerify, Access and Trace. Setup, KeyGen and SignGen provide file uploading and storing; ChallGen, ProofGen and ProofVerify realize public auditing; ShareGen and Trace allow the other group members to work together to trace the file signer; and Access answers file access requests from group members. The details of these algorithms are as follows.
Setup This algorithm is run by a trusted centre. Given a security parameter \(\lambda\), it establishes the public parameters \((G_{1}, G_{2}, q, e, g, h, H)\), where \(q\) is a large prime number, \(G_{1}\) and \(G_{2}\) are two cyclic multiplicative groups of order \(q\) equipped with a bilinear map \(e: G_{1} \times G_{1} \to G_{2}\), \(g\) is a generator of group \(G_{1}\), and \(h, H\) are two hash functions with \(h: \{0, 1\}^{*} \to Z_{q}\) and \(H: \{0, 1\}^{*} \to G_{1}\) respectively. This algorithm also outputs the secret key and the public key of the PKG: the PKG picks a random number \(x \in Z_{q}\), where \(Z_{q}\) denotes the prime finite field, as its secret key and calculates \(P = g^{x} \in G_{1}\) as its public key. Note that the PKG keeps \(x\) secret and publishes the public key \(P = g^{x}\).
KeyGen This algorithm is run by the PKG. Given a user's identity \(ID_{i}\), validity \(T_{i}\), the public parameters and the secret and public keys of the PKG, it outputs the private key of the user with identity \(ID_{i}\). In this step, the user first sends the identity \(ID_{i}\) to the PKG. Then, the PKG randomly chooses a number \(r_{i} \in Z_{q}\) and calculates \(R_{i} = g^{r_{i}}\), \(sk_{i} = r_{i} + x h(ID_{i}, T_{i})\) and \(pk_{i} = g^{sk_{i}}\). Finally, the PKG returns \((R_{i}, sk_{i})\) to the user with identity \(ID_{i}\). Upon receiving \((R_{i}, sk_{i})\), the user verifies its correctness by checking \(g^{sk_{i}} = R_{i} P^{h(ID_{i}, T_{i})}\). If the equality holds, the user accepts the key pair and publishes \(R_{i}\) as the user public key.
ShareGen This algorithm is run by a signer to distribute shares of his public key to the other members. Given the public key \(R_{k}\) of the signer with identity \(ID_{k}\), where \(1 \le k \le n\), it outputs the signer's public key sharing \(share\). To realize identity traceability, the signer needs to compute a secret sharing \(share\) of his identity. Firstly, the signer with identity \(ID_{k}\) randomly chooses \(\alpha_{j} \in Z_{q}, 0 \le j \le t - 1\) to form a random polynomial \(p(z) = \alpha_{0} + \alpha_{1} z + \cdots + \alpha_{t - 1} z^{t - 1}\). The signer computes \(\tau_{j} = g^{\alpha_{j}}, 0 \le j \le t - 1\) and \(\chi_{i} = \prod\nolimits_{j = 0}^{t - 1} \tau_{j}^{i^{j}}, i \in [1, n]\). The signer keeps the polynomial secret and shares \(\tau_{j} = g^{\alpha_{j}}, 0 \le j \le t - 1\) with the other group members. Secondly, the signer calculates \(\eta_{i} = pk_{i}^{p(i)}, 1 \le i \le n\) and publishes them to all group users. Finally, the signer computes \(s = H(\chi_{1}, \ldots, \chi_{n}, \eta_{1}, \ldots, \eta_{n})\) and sets \(share = (\tau_{0}, \ldots, \tau_{t - 1}, \eta_{1}, \ldots, \eta_{n}, s)\).
SignGen This algorithm is run by a user who uploads files to the cloud for sharing. Given the set of all users' identities \(ID = \{ID_{1}, ID_{2}, \ldots, ID_{n}\}\), the key pair of the signer \(u_{k}\), and the file block \(m_{y}\) with name \(FID_{y}\) and index \(y\), it outputs the signature of the file. For each block \(m_{y}\), the signer first picks \(a_{y,i} \in Z_{q}\) and calculates \(\rho_{y,i} = g^{a_{y,i}} \in G_{1}\) for all \(i \in \{1, 2, \ldots, k - 1, k + 1, \ldots, n\}\). The signer also computes \(\rho_{y,k} = \left( \frac{H(y, FID_{y}) g^{m_{y}}}{\prod\nolimits_{i \ne k} \left( R_{i} P^{h(ID_{i}, T_{i})} \right)^{a_{y,i}}} \right)^{1/sk_{k}} \in G_{1}\) and \(c_{y} = g^{a_{0}} pk_{k}\). The signature of block \(m_{y}\) is \(\rho_{y} = (\rho_{y,1}, \ldots, \rho_{y,n}, c_{y})\). At last, the signer uploads the block-signature pairs \((FID_{y}, m_{y}, \rho_{y})\) to the cloud for file sharing and records \((FID_{y}, ID_{k}, T_{k})\) with the trusted service provider.
ChallGen This algorithm is run by a public verifier. Given a checking request from a user with validity \(T_{i}\), it outputs a challenge message or rejects. The public verifier first checks the validity \(T_{i}\). If \(T_{i}\) is no longer in force, the verifier ignores the request; otherwise the verifier randomly picks a c-element subset \(C\) of the set \([1, d]\) to locate the c randomly selected blocks that will be checked in this auditing task. Then the verifier chooses c random values \(v_{j} \in Z_{q}, j \in C\) and sends the challenge message \(chall = \{(j, v_{j})\}_{j \in C}\) to the cloud.
ProofGen This algorithm is run by the cloud. Given the challenge message, it outputs the proof message. After receiving the challenge message \(chall = \{(j, v_{j})\}_{j \in C}\), the cloud calculates \(\mu' = \sum\nolimits_{j \in C} v_{j} m_{j}\) and aggregates the tags of the challenged blocks as \(o_{i} = \prod\nolimits_{j \in C} \rho_{j,i}^{v_{j}} \in G_{1}, 1 \le i \le n\). Then the cloud randomly picks \(\kappa \in Z_{q}\), calculates \(K = g^{\kappa}\) and \(\mu = \kappa + \mu'\), and sends the audit proof \(\{\{o_{i}\}_{1 \le i \le n}, K, \mu, \{FID_{j}\}_{j \in C}\}\) to the verifier.
Access This algorithm is run by the trusted service provider. Given a user's identity \(ID_{i}\) and the file identity \(FID_{\beta}\) the user wants to access, it outputs the access interface of the file block whose file identity is \(FID_{\beta}\). The trusted service provider records the user's identity \(ID_{i}\) as \(IDA_{\varepsilon}\), together with the access time \(t_{\varepsilon}\), in the access blockchain of the file block with identity \(FID_{\beta}\). The user who uploaded and signed that file block is rewarded according to the valuation standard, for example according to the number of accesses or the total access time. If the data owner is rewarded according to the number of accesses, the trusted service provider outputs the length of the access blockchain of the data owner's file block. Otherwise, the trusted service provider computes the sum of the access times stored in the access blockchain of the data owner's file block and outputs the sum.
Trace This algorithm is run by \(t\) valid group users. Given the signer's public key sharing \(share\) and a signature \(\rho_{y} = \{\rho_{y,1}, \ldots, \rho_{y,n}, c_{y}\}\), it outputs the public key of the signer. With the public key sharing information \(share = (\tau_{0}, \ldots, \tau_{t - 1}, \eta_{1}, \ldots, \eta_{n}, s)\), any valid group user calculates \(\chi_{i} = \prod\nolimits_{j = 0}^{t - 1} \tau_{j}^{i^{j}}, i \in [1, n]\), and checks the correctness of \(share\) by verifying the equality \(s = H(\chi_{1}, \ldots, \chi_{n}, \eta_{1}, \ldots, \eta_{n})\). Only when the above equality holds do the \(t\) valid group members trace the identity of the signer, as follows. Each of the \(t\) valid group members uses his secret key \(sk_{i}\) to calculate \(\xi_{i} = \eta_{i}^{sk_{i}^{-1}}\) and \(\lambda_{i} = \prod\nolimits_{j = 1, \ldots, t, j \ne i} \frac{i}{j - i}\), and together they obtain \(\theta = \prod\nolimits_{i = 1}^{t} \xi_{i}^{\lambda_{i}}\). Finally, the public key of the signer is calculated as \(pk_{k} = c_{y} \theta^{-1}\).
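The KeyGen, ShareGen and Trace algorithms above as an added worked example; this is not the paper's code. Neither ShareGen nor Trace uses the bilinear map, so a toy prime-order subgroup of \(Z_{p}^{*}\) (p = 1019) stands in for \(G_{1}\); the hash functions are instantiated with SHA-256, the \(a_{0}\) in \(c_{y} = g^{a_{0}} pk_{k}\) is read as the polynomial's constant term \(\alpha_{0}\) (the reading under which \(pk_{k} = c_{y} \theta^{-1}\) holds), the Lagrange coefficients are evaluated at \(z = 0\) in the standard form \(\lambda_{i} = \prod_{j \ne i} j/(j - i)\), and each recovered \(\xi_{i}\) is additionally checked against the public commitment \(\chi_{i}\), which the published \(\tau_{j}\) make possible (all assumptions).

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Toy Schnorr group standing in for G1 (assumption): p = 2q + 1 with p, q prime;
# GEN = 2^2 mod p generates the order-q subgroup. A real deployment needs a
# group in which the discrete logarithm problem is actually hard.
MODP = 1019
ORDER = 509
GEN = 4


def h_zq(*parts) -> int:
    """The paper's h: {0,1}^* -> Z_q, instantiated with SHA-256 (assumption)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def H_bind(*parts) -> str:
    """The paper's H as used to bind `share`: a SHA-256 hex digest here (assumption)."""
    data = "|".join(str(x) for x in parts).encode()
    return hashlib.sha256(data).hexdigest()


def keygen(x: int, identity: str, validity: str) -> Tuple[int, int, int]:
    """KeyGen run by the PKG with secret x: returns (R_i, sk_i, pk_i)."""
    while True:
        r = secrets.randbelow(ORDER - 1) + 1
        sk = (r + x * h_zq(identity, validity)) % ORDER
        if sk:                                   # Trace needs sk_i^{-1} mod q
            break
    R, pk = pow(GEN, r, MODP), pow(GEN, sk, MODP)
    # user-side check from KeyGen: g^{sk_i} == R_i * P^{h(ID_i, T_i)} with P = g^x
    assert pk == R * pow(pow(GEN, x, MODP), h_zq(identity, validity), MODP) % MODP
    return R, sk, pk


def chi_of(tau: List[int], i: int) -> int:
    """chi_i = prod_j tau_j^{i^j} = g^{p(i)}: the public commitment to share i."""
    out = 1
    for j, t_j in enumerate(tau):
        out = out * pow(t_j, pow(i, j, ORDER), MODP) % MODP
    return out


def share_gen(pk_k: int, member_pks: List[int], t: int) -> Tuple[dict, int]:
    """ShareGen by signer k; also returns c_y = g^{alpha_0} * pk_k (assumption: a_0 = alpha_0)."""
    alpha = [secrets.randbelow(ORDER) for _ in range(t)]       # p(z) = sum_j alpha_j z^j
    tau = [pow(GEN, a, MODP) for a in alpha]                    # tau_j = g^{alpha_j}

    def p_at(i: int) -> int:
        return sum(a * pow(i, j, ORDER) for j, a in enumerate(alpha)) % ORDER

    n = len(member_pks)
    chi = [chi_of(tau, i) for i in range(1, n + 1)]
    eta = [pow(member_pks[i - 1], p_at(i), MODP) for i in range(1, n + 1)]  # eta_i = pk_i^{p(i)}
    share = {"tau": tau, "eta": eta, "s": H_bind(*chi, *eta)}
    return share, pow(GEN, alpha[0], MODP) * pk_k % MODP


def trace(share: dict, c_y: int, members: Dict[int, int]) -> int:
    """Trace by t valid members (members: 1-based index i -> sk_i); returns pk_k."""
    tau, eta, s = share["tau"], share["eta"], share["s"]
    if len(members) < len(tau):
        raise ValueError("fewer than t members: the secret cannot be reconstructed")
    chi = [chi_of(tau, i) for i in range(1, len(eta) + 1)]
    if H_bind(*chi, *eta) != s:                  # correctness check on `share`
        raise ValueError("share commitment s does not verify")
    idx = sorted(members)[: len(tau)]            # any t of the participants suffice
    theta = 1
    for i in idx:
        xi = pow(eta[i - 1], pow(members[i], -1, ORDER), MODP)   # eta_i^{sk_i^{-1}} = g^{p(i)}
        if xi != chi[i - 1]:                     # extra consistency check via tau (assumption)
            raise ValueError(f"share of member {i} does not match its commitment")
        lam = 1                                  # Lagrange coefficient of point i at z = 0
        for j in idx:
            if j != i:
                lam = lam * j * pow((j - i) % ORDER, -1, ORDER) % ORDER
        theta = theta * pow(xi, lam, MODP) % MODP  # theta = g^{p(0)} = g^{alpha_0}
    return c_y * pow(theta, -1, MODP) % MODP


def demo(n: int = 5, t: int = 3, k: int = 2) -> bool:
    """Constructed run: n members, threshold t, signer k; True iff Trace recovers pk_k."""
    x = secrets.randbelow(ORDER - 1) + 1          # PKG secret key
    keys = [keygen(x, f"user{i}", "2025-12-31") for i in range(1, n + 1)]
    pks = [pk for _, _, pk in keys]
    share, c_y = share_gen(pks[k - 1], pks, t)
    quorum = {i: keys[i - 1][1] for i in range(n, n - t, -1)}   # the last t members cooperate
    return trace(share, c_y, quorum) == pks[k - 1]


if __name__ == "__main__":
    print("trace recovered the signer's public key:", demo())
```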
4.2 Security Analysis of PSFS
In this section, we prove the security of the proposed scheme PSFS from the following five parts: homomorphic authentication, public auditing, identity privacy and data privacy, traceability and unforgeability.
4.2.1 Homomorphic Authentication
We need to prove that the signature algorithm in PSFS supports homomorphic authentication, the basic theory used in public auditing. As a homomorphic verifiable signature scheme should satisfy blockless verification and non-malleability, we need to prove that the signature algorithm satisfies these two properties.
It is clear that the signature algorithm in PSFS supports blockless verifiability.
Thus, we have \((H(1, FID_{1}))^{b_{1}} \cdot (H(2, FID_{2}))^{b_{2}} = H(X, FID_{X})\); in other words, if the attacker finds a pair \((X, FID_{X})\) which makes \(\prod\nolimits_{i = 1}^{n} e(R_{i} P^{h(ID_{i}, T_{i})}, \rho'_{i}) = e(R_{i} P^{h(ID_{i}, T_{i})}, H(X, FID_{X}) g^{m'})\), he succeeds in the attack. However, this contradicts the assumption that \(H\) is a one-way hash function. If \(sig_{1}\) and \(sig_{2}\) are generated by two different users, the attacker certainly cannot generate a correct signature either, which can be proved similarly. Thus, it is clear that the signature algorithm in PSFS supports non-malleability.
Therefore, the signature algorithm in PSFS is homomorphic authenticable, which meets the requirement of public auditing.
4.2.2 Public Auditing
It is clear that a correct proof message passes the verification and that the verifier does not need the secret key of the signer.
4.2.3 Identity Privacy and Data Privacy
Identity privacy is guaranteed if no one can guess the identity of the party who generated the signature, and data privacy ensures that the verifier learns nothing from the proof message he receives.
Identity privacy Given a signature \(\rho_{y} = \{\rho_{y,1}, \ldots, \rho_{y,n}, c_{y}\}\), the probability of picking out the element of \(\rho_{y,1}, \ldots, \rho_{y,n}\) that was generated with the signer's key is 1/n and 1/(n − 1) for a group member and a non-member respectively. In addition, c signatures are randomly chosen in the integrity auditing, so the probability becomes about \(1/n^{c}\). What is more, even if an attacker finds the right signature element generated with the signer's secret key, he cannot obtain the identity. Details of this proof can be found in [11]. An attacker might also try to extract identity information from \(c_{y}\). Due to secret sharing [21], he cannot recover the public key of the signer even if he obtains all public key sharings. However, when t members work together, they can trace the signer's public key, which will be proven later. Otherwise, retrieving the identity of the signer on each block during the auditing process is as hard as solving the DL problem in group \(G_{1}\). Therefore, the signer's identity privacy is protected in PSFS.
Data privacy An attacker can obtain the proof message \(\{\{o_{i}\}_{1 \le i \le n}, K, \mu, \{FID_{j}\}_{j \in C}\}\) generated by the cloud, where \(\mu = \kappa + \mu'\) has been blinded by a random number. If a public verifier obtained the combined message \(\sum\nolimits_{j \in C} v_{j} m_{j}\), he could recover the content of the data by collecting a sufficient number of linear combinations [11]. However, PSFS only transmits \(\mu = \kappa + \mu'\), which masks \(\sum\nolimits_{j \in C} v_{j} m_{j}\) with a random element \(\kappa\) by the random masking technique. To solve the resulting system of equations, the public verifier would have to obtain the value of the random \(\kappa\). Given \(K = g^{\kappa}\), the public verifier cannot obtain \(\kappa\), as obtaining \(\kappa\) from \(K\) is as hard as solving the DL problem in \(G_{1}\), which is computationally infeasible. In other words, the attacker cannot obtain any \(m_{j}\) by collecting a sufficient number of linear combinations and solving the linear equations. Therefore, PSFS protects data privacy.
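The random masking argument of this section and of ProofGen in Sect. 4.1, as an added example that is not the paper's code: it models only the \(Z_{q}\) part of the response a verifier sees and shows that unmasked responses \(\mu'\) let d challenges with independent coefficients recover every \(m_{j}\) by solving the resulting linear system, whereas the masked \(\mu = \kappa + \mu'\) adds a fresh unknown with every equation and leaves the system underdetermined. Assumptions: a toy prime q, and \(K = g^{\kappa}\) is not modelled, since the argument only needs that \(\kappa\) stays unknown to the verifier.

```python
import secrets
from typing import Dict, List, Optional, Tuple

Q = 1000003                   # toy prime standing in for the paper's 160-bit q (assumption)
Challenge = Dict[int, int]    # chall = {(j, v_j)}_{j in C}, 1-based block index j


def unmasked_response(blocks: List[int], chall: Challenge) -> int:
    """mu' = sum_{j in C} v_j m_j, the aggregate a cloud would send without masking."""
    return sum(v * blocks[j - 1] for j, v in chall.items()) % Q


def masked_response(blocks: List[int], chall: Challenge) -> Tuple[int, int]:
    """PSFS ProofGen: mu = kappa + mu' with a fresh random kappa; returns (mu, kappa).

    The cloud publishes only mu and K = g^kappa (K is not modelled here); kappa is
    returned solely so that a caller can check the construction."""
    kappa = secrets.randbelow(Q)
    return (kappa + unmasked_response(blocks, chall)) % Q, kappa


def solve_mod_q(rows: List[List[int]], rhs: List[int]) -> Optional[List[int]]:
    """Gauss-Jordan elimination over Z_q; None unless the system has a unique solution."""
    n = len(rows[0])
    m = [[v % Q for v in r] + [b % Q] for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, len(m)) if m[r][col]), None)
        if piv is None:                         # no pivot: fewer independent equations than unknowns
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, Q)
        m[col] = [v * inv % Q for v in m[col]]
        for r in range(len(m)):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % Q for a, b in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def recover_blocks(d: int, challenges: List[Challenge], responses: List[int],
                   masked: bool) -> Optional[List[int]]:
    """What a curious verifier can compute from the responses it collected.

    Unknowns are m_1..m_d, plus one kappa_r per response when masking is used,
    so each masked response adds an equation and an unknown at the same time."""
    unknowns = d + (len(challenges) if masked else 0)
    rows = []
    for r, chall in enumerate(challenges):
        row = [0] * unknowns
        for j, v in chall.items():
            row[j - 1] = v
        if masked:
            row[d + r] = 1                      # + kappa_r, known to the verifier only as g^{kappa_r}
        rows.append(row)
    sol = solve_mod_q(rows, responses)
    return None if sol is None else sol[:d]


def demo() -> Tuple[Optional[List[int]], Optional[List[int]]]:
    """Constructed run over d = 4 blocks and 4 challenges with independent coefficients."""
    blocks = [11, 22, 33, 44]                   # constructed block values in Z_q
    challenges = [{j: pow(r, j - 1) for j in range(1, 5)} for r in range(1, 5)]
    plain = [unmasked_response(blocks, c) for c in challenges]
    masked = [masked_response(blocks, c)[0] for c in challenges]
    return (recover_blocks(4, challenges, plain, masked=False),
            recover_blocks(4, challenges, masked, masked=True))


if __name__ == "__main__":
    print("unmasked -> recovered blocks, masked -> None:", demo())
```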
4.2.4 Traceability
Due to secret sharing [21], no fewer than t members must work together to reconstruct the information needed to reveal the signer's identity. The details of the tracing method can be found in Sect. 4.1. Unlike other group-signature-based public auditing schemes [9], the traceability of our scheme has the (t, n)-threshold property, which means that even if t − 1 group members have been corrupted by an adversary, the scheme remains secure, and any subset of at least t members can jointly reveal the identity of the signer. Details of this proof can be found in the (t, n) threshold mechanism [25].
4.2.5 Unforgeability
Therefore, we have \(e(g^{m_{j}} H(j, FID_{j}), g) = \prod\nolimits_{1 \le i \le n} e(R_{i} P^{h(ID_{i}, T_{i})}, \rho_{j,i})\), which contradicts the unforgeability of the signature scheme. In other words, it is infeasible to obtain valid block-tag pairs if the cloud has modified the message in \(\mu = \kappa + \mu'\).
5 Performance Analysis
Notation of cryptographic operations

Notation | Description
\(Exp_{G_{1}}, Exp_{Z_{q}}\) | Exponentiation in \(G_{1}\), \(Z_{q}\)
\(Mul_{G_{1}}, Mul_{Z_{q}}, Mul_{G_{2}}\) | Multiplication in \(G_{1}\), \(Z_{q}\), \(G_{2}\)
Hash | Hash operation into \(G_{1}\)
hash | Hash operation into \(Z_{q}\)
Pair | Pairing operation
f | Pseudorandom function
\(\pi\) | Pseudorandom permutation
c | Number of audited blocks
n | Number of group users
5.1 Computation Cost
During an auditing task in PSFS, the total computation overhead is about \((n + 2) Pair + c Hash + n hash + c Mul_{Z_{q}} + (c + 1) Exp_{Z_{q}} + (nc - n + c - 1) Mul_{G_{1}} + (nc + n + 1) Exp_{G_{1}} + n Mul_{G_{2}}\).
Computation cost comparison

Scheme | Computation cost
Oruta [11] | \((n + 2) Pair + c Hash + d hash + d(c + 1) Mul_{Z_{q}} + (c + d) Exp_{Z_{q}} + (n + 2d - 2) Mul_{G_{1}} + (2d + n) Exp_{G_{1}} + n Mul_{G_{2}}\)
IAID [12] | \(2c f + 2c \pi + (n + 1) Pair + c Hash + n hash + c Mul_{Z_{q}} + (nc + c - 1) Mul_{G_{1}} + (nc + n + c + 1) Exp_{G_{1}} + (n - 1) Mul_{G_{2}}\)
PSFS | \((n + 2) Pair + c Hash + n hash + c Mul_{Z_{q}} + (c + 1) Exp_{Z_{q}} + (nc - n + c - 1) Mul_{G_{1}} + (nc + n + 1) Exp_{G_{1}} + n Mul_{G_{2}}\)
5.2 Communication Cost
From Table 4, we find that the communication cost of all three schemes is linearly related to the size of the group, and that Oruta and PSFS need to transmit more elements than IAID. The reason is that IAID uses a pseudorandom function and a pseudorandom permutation to compute the challenge sets instead of selecting two sets and then sending them. Note that the communication cost of Oruta and PSFS is the same if d = 1, i.e., when Oruta does not further split the file block.
5.3 Experimental Results
In the following experiments we use the Pairing Based Cryptography (PBC) library [26] to simulate the cryptographic operations in HADGSP; all experiments run on an Ubuntu system with an Intel Core i7 3.40 GHz processor, and every measurement is repeated 1000 times. We assume that elements of \(Z_{q}\) and \(G_{1}\) are 160 bits long and that the group has n = 100 users. Every block consists of d = 10 elements. Following previous work [27], we set the number of blocks selected in an auditing task to c = 460, which keeps the detection probability above 99%.
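The value c = 460 comes from the sampling argument used in provable data possession [22]: if a fraction p of the stored blocks is corrupted and the verifier challenges c blocks chosen uniformly at random, the chance of hitting at least one corrupted block is at least \(1 - (1 - p)^{c}\). The Python below is an added example (not the authors' code) that evaluates this bound, the exact probability for a file of N blocks, and the smallest challenge size that reaches a target. The 1% corruption rate in the usage is an assumption carried over from the PDP analysis; the paper itself states only the resulting c.

```python
"""Detection probability of a random-sampling audit (added example).

Assumed setting, following the PDP analysis of Ateniese et al. [22]:
a fraction p of the file's blocks is corrupted and the verifier
challenges c blocks drawn uniformly at random.
"""
import math


def detection_bound(p: float, c: int) -> float:
    """Lower bound 1 - (1 - p)^c on the probability of catching at least
    one corrupted block with c random challenges (fraction p corrupted)."""
    if not 0.0 <= p <= 1.0 or c < 0:
        raise ValueError("p must be in [0, 1] and c non-negative")
    return 1.0 - (1.0 - p) ** c


def detection_exact(total_blocks: int, corrupted: int, c: int) -> float:
    """Exact probability for a file of total_blocks blocks, `corrupted` of
    them bad, when c distinct blocks are challenged (hypergeometric:
    P(miss) = C(N - t, c) / C(N, c), computed as a running product)."""
    if not 0 <= corrupted <= total_blocks or not 0 <= c <= total_blocks:
        raise ValueError("inconsistent block counts")
    if c > total_blocks - corrupted:
        return 1.0  # more challenges than intact blocks: a bad one is unavoidable
    miss = 1.0
    for i in range(c):
        miss *= (total_blocks - corrupted - i) / (total_blocks - i)
    return 1.0 - miss


def min_challenge_size(p: float, target: float) -> int:
    """Smallest c with detection_bound(p, c) >= target, from
    c >= ln(1 - target) / ln(1 - p), corrected for floating-point slack."""
    if not 0.0 < p < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("need 0 < p < 1 and 0 <= target < 1")
    c = math.ceil(math.log(1.0 - target) / math.log(1.0 - p))
    while detection_bound(p, c) < target:
        c += 1
    while c > 0 and detection_bound(p, c - 1) >= target:
        c -= 1
    return c


if __name__ == "__main__":
    # Assumed 1% corruption, as in the PDP analysis; c = 460 as in Sect. 5.3.
    print("bound, c = 460, p = 1%:", detection_bound(0.01, 460))
    print("exact, N = 10000, t = 100, c = 460:", detection_exact(10000, 100, 460))
    print("smallest c for 99% at p = 1%:", min_challenge_size(0.01, 0.99))
    print("smallest c for 95% at p = 1%:", min_challenge_size(0.01, 0.95))
```

At p = 0.01 the bound evaluates to about 0.990 for c = 460, and the smallest c that reaches 99% under the bound is 459, so 460 leaves a small margin. For a concrete file size the exact, without-replacement probability is strictly higher than the bound, because every challenged block that turns out intact slightly raises the odds for the next draw.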
6 Conclusions
In this paper we proposed PSFS, a practical and secure file sharing scheme for non-manager groups based on public auditing. It overcomes the shortcoming of HADGSP [13] with respect to signer identity privacy and lets non-manager groups share data in the cloud securely. PSFS protects the privacy of both the signer's identity and the file, so the verifier learns nothing about the signer or the file during verification. PSFS also provides identity traceability without any centralized control: every member holds equal power, and t group members can cooperate to trace the identity of the signer when something is wrong with the file. Note that PSFS is the first practical data sharing scheme in cloud storage that exposes only an access interface to protect the file and offers an effective incentive for data sharing based on blockchain technology. The performance analysis shows that the communication overhead and computational overhead of PSFS are acceptable. However, PSFS does not support dynamic group operations, a limitation shared by public auditing schemes based on ring signatures. We will therefore study group dynamics and data processing in blockchain-based public auditing in our future research.
Acknowledgements
This work is supported by the National Science Foundation of China (61572255), the Six Talent Peaks Project of Jiangsu Province, China (XYDXXJS032), and the CERNET Innovation Project (NGII20170205). We thank the anonymous referees for their helpful comments.
References
1. Yang, H. S., & Yoo, S. J. (2015). A study on smartwork security technology based on cloud computing environment. Wireless Personal Communications, 94(3), 1–10.
2. Yuan, J., & Yu, S. (2015). Public integrity auditing for dynamic data sharing with multi-user modification. IEEE Transactions on Information Forensics and Security, 10(8), 1717–1726.
3. Huang, L., Zhang, G., & Fu, A. (2016). Privacy-preserving public auditing for dynamic group based on hierarchical tree. Journal of Computer Research and Development, 53(10), 2334–2342.
4. Yu, S. (2017). Big privacy: Challenges and opportunities of privacy study in the age of big data. IEEE Access, 4, 2751–2763.
5. Li, X., Kumari, S., Shen, J., Wu, F., & Chen, C. (2017). Secure data access and sharing scheme for cloud storage. Wireless Personal Communications, 96(4), 5295–5314.
6. Wang, C., Chow, S. S. M., Wang, Q., Ren, K., & Lou, W. (2013). Privacy-preserving public auditing for secure cloud storage. IEEE Transactions on Computers, 62(2), 362–375.
7. Huang, L., Zhang, G., & Fu, A. (2017). Certificateless public verification scheme with privacy-preserving and message recovery for dynamic group. In Australasian computer science week multiconference (p. 76). ACM.
8. Li, J., Zhang, L., Liu, J. K., Qian, H., & Dong, Z. (2016). Privacy-preserving public auditing protocol for low-performance end devices in cloud. IEEE Transactions on Information Forensics and Security, 11(11), 2572–2583.
9. Wang, B., Li, B., & Li, H. (2012). Knox: Privacy-preserving auditing for shared data with large groups in the cloud. In International conference on applied cryptography and network security (pp. 507–525). Springer.
10. Li, H., Sun, W., Li, F., & Wang, B. (2014). Secure and privacy-preserving data storage service in public cloud. Journal of Computer Research & Development, 51(7), 1397–1409.
11. Wang, B., Li, B., & Li, H. (2014). Oruta: Privacy-preserving public auditing for shared data in the cloud. IEEE Transactions on Cloud Computing, 2(1), 43–56.
12. Wang, H., He, D., Yu, J., & Wang, Z. (2016). Incentive and unconditionally anonymous identity-based public provable data possession. IEEE Transactions on Services Computing, PP(99), 1.
13. Huang, L., Zhang, G., & Fu, A. (2017). Privacy-preserving public auditing for non-manager group. In IEEE international conference on communications (pp. 1–6). IEEE.
14. Fu, A., Yu, S., Zhang, Y., Wang, H., & Huang, C. (2017). NPP: A new privacy-aware public auditing scheme for cloud data sharing with group users. IEEE Transactions on Big Data, PP(99), 1.
15. Yang, G., Yu, J., Shen, W., Su, Q., Fu, Z., & Hao, R. (2016). Enabling public auditing for shared data in cloud storage supporting identity privacy and traceability. Journal of Systems & Software, 113(C), 130–139.
16. Yu, Y., Man, H. A., Mu, Y., Tang, S., & Ren, J. (2015). Enhanced privacy of a remote data integrity-checking protocol for secure cloud storage. International Journal of Information Security, 14(4), 307–318.
17. Zhang, J., Li, P., & Mao, J. (2015). An oriented-group supporting multi-user public auditing for data sharing. In IEEE international conference on smart city (pp. 996–1002). IEEE.
18. Achhra, A., Vaswani, P., Agale, R., & Chheda, M. (2015). Public auditing for the shared data in the cloud. International Journal of Advance Foundation and Research in Computer, 2(4), 125–129.
19. Christidis, K., & Devetsikiotis, M. (2016). Blockchains and smart contracts for the internet of things. IEEE Access, 4, 2292–2303.
20. Zyskind, G., Nathan, O., & Pentland, A. (2015). Decentralizing privacy: Using blockchain to protect personal data. In IEEE security and privacy workshops (pp. 180–184). IEEE Computer Society.
21. Blömer, J. (2011). How to share a secret. Communications of the ACM, 22(11), 612–613.
22. Ateniese, G., Burns, R., Curtmola, R., Herring, J., Kissner, L., Peterson, Z., et al. (2007). Provable data possession at untrusted stores. In ACM conference on computer and communications security (pp. 598–609). ACM.
23. Juels, A., & Kaliski, B. S. (2007). Pors: Proofs of retrievability for large files. In ACM conference on computer and communications security (pp. 584–597). ACM.
24. Fu, A., Li, Y., Yu, S., Yu, Y., & Zhang, G. (2018). DIPOR: An IDA-based dynamic proof of retrievability scheme for cloud storage systems. Journal of Network & Computer Applications, 104, 97–106.
25. Li, X., Qian, H., & Li, J. (2011). Democratic group signatures with threshold traceability. Journal of Shanghai Jiaotong University, 16(5), 530–532.
26. Lynn, B. (2012). The pairing-based cryptography (PBC) library. http://crypto.stanford.edu/pbc.
27. Huang, L., Zhang, G., Yu, S., Fu, A., & Yearwood, J. (2017). SeShare: Secure cloud data sharing based on blockchain and public auditing. Concurrency & Computation: Practice & Experience. https://doi.org/10.1002/cpe.4359.