Efficient Identity-Based Dynamic Cloud Storage Data Integrity Auditing with Incremental Updates for Handheld Mobile Devices

Abstract

With rapid advancements in handheld mobile devices (HMDs), striking a balance between storage and data security is crucial. Cloud storage has attracted great attention of users for its convenience and availability. However, data integrity becomes challenging once data is uploaded to the cloud, as physical control is lost. In this paper, we propose an efficient identity-based dynamic cloud storage data integrity auditing protocol for HMDs. Our protocol simplifies certificate management and avoids the use of Map to Point (MtP) operation during private key extraction, resulting in a 50% improvement in private key verification efficiency compared to other protocols. We optimize tag generation computation, enhancing efficiency for computation-constrained users. Furthermore, our protocol supports incremental updates for dynamic data operations. We provide detailed system and security models, demonstrating the protocol’s security in ensuring data integrity and auditing soundness. Performance comparisons reveal the computation cost advantages of our protocol, making it ideal for application in cloud-based HMDs.

Appendices

Appendix A: Proof of Theorem 1

Proof

Suppose \(\mathcal {A}_{I}\) is a PPT adversary capable of generating a valid forgery under adaptively choosen file and identity attacks with a non-negligible advantage. We can construct an algorithm \(\mathcal {B}\) that can utilize \(\mathcal {A}_{I}\)’s capabilities to solve the q-SDH problem with a non-negligible advantage.

Algorithm \(\mathcal {B}\) takes as input a q-SDH instance \((g,h,h^\alpha ,h^{\alpha ^2},\dots ,h^{\alpha ^q})\) over the bilinear groups, where \(g\in \mathbb {G}_1,h \in \mathbb {G}_2, g=\psi (h)\), and aims to find a pair \((c,g^{\frac{1}{c+\alpha }})\). \(\mathcal {B}\) interacts with \(\mathcal {A}_{I}\) as follows.

• Initialization. \(\mathcal {B}\) chooses a generator \(g' \in _R \mathbb {G}_1\) such that it knows \(q-1\) pairs \((w_i,{g'}^{\frac{1}{w_i+\alpha }})\) for \(w_1,w_2,\dots ,w_{q-1} \in _R \mathbb {Z}_p^*\). Indeed, the master public key \(mpk={h'}^\alpha \) also can be computed without the knowledge of \(\alpha \). Specific steps are as follows.

  • It randomly picks \(w_1,w_2,\dots ,w_q \in \mathbb {Z}_p^*\) and expends \(f(x)=\prod _{i=0}^{q-1} (x+w_i) \) to obtain \(\rho _0,\rho _1,\dots ,\rho _q \in \mathbb {Z}_p^*\) so that \(f(x)=\sum _{i=0}^{q} \rho _i x^i\).

  • It sets a generator \(h'=\prod _{i=0}^{q-1} (h^{\alpha ^i} )^{\rho _i}=h^{f(\alpha )} \) and \(g'=\psi (h')=g^{f(\alpha )}\). The public key mpk is fixed to \(\prod _{i=1}^{q} (h^{\alpha ^i} )^{\rho _{i-1}}\) so that \(mpk={h'}^\alpha \) although it does not know \(\alpha \).

  • For \(1 \le i\le q-1\), it expends \(f_i(x)/(x+w_i)=\sum _{i=0}^{q-2} c_i x^i\) and \({\textstyle \prod _{i=0}^{q-2}} \psi ( h^{\alpha ^i} ) ^{c_i} =g^{f_i(\alpha )}=g^{\frac{f(\alpha )}{\alpha +w_i}}={g'}^{\frac{1}{\alpha +w_i}}\). Thus, the pairs \((w_i,{g'}^{\frac{1}{w_i+\alpha }})\) are computed.

• Queries. \(\mathcal {B}\) initializes a counter \(\zeta \) to 1 and randomly selects a challenge identity \(ID^* \in \left\{ 0,1 \right\} ^* \). And then it controls random oracles to respond to \(\mathcal {A}_{I}\).

  • \(H_1\)-Query\(\left\langle ID\right\rangle \). \(\mathcal {B}\) answers \(w=w_\zeta \) if \(ID\ne ID^*\) and increment \(\zeta \). Otherwise, it returns \(w=w^* \in _R \mathbb {Z}_p^*\) if \(ID=ID^*\). Simultaneously, \(\mathcal {B}\) sustains an initially empty hash list \(L_{H_1}\), logging (ID, w) entries.

  • K-Query\(\left\langle ID\right\rangle \). \(\mathcal {B}\) aborts if \(ID=ID^*\). Otherwise, \(\mathcal {B}\) obtains the matching pair \(\left( ID,w \right) \) from \(L_{H_1}\), returns the previously computed \(g'^{\frac{1}{\alpha +w}}\).

  • \(H_2\)-Query\(\left\langle ID, \boldsymbol{F}\right\rangle \). The file \(\boldsymbol{F}\) is encrypted and depicted as \(\boldsymbol{F}=\{(1,\vec{m}_1),\)

    \((2,\vec{m}_2),\dots ,(n,\vec{m}_n)\}\). Additionally, an element \(fid \in \mathbb {Z}_p^*\) is selected as the unique identifier of \(\boldsymbol{F}\). Then, \(\mathcal {B}\) performs the following operations.

    • It picks \(\ell \) random elements \(g_1,g_2,\dots ,g_\ell \in \mathbb {G}_1\) and computes \(M_i=\prod _{j=1}^{\ell } {g_j}^{m_{ij}}\) for each data block \(\vec{m}_i= \left( m_{i1},m_{i2},\dots ,m_{i\ell }\right) \).

    • For \(\left( ID,w \right) \) from \(L_{H_1}\),it computes \(h'_{ID}=h'^w \cdot mpk\) and sets \(H_2(fid \parallel i ) = {\psi (h'_{ID} ) }^{\gamma _i} / M_i\) for each \(i \in [1,n]\), where \(\gamma _i \in \mathbb {Z}_p^*\) .

    • It maintains a hash list \(L_{H_2}\) which is initially empty, responds to \(\mathcal {A}_{I}\) with \(\{{\psi (h'_{ID} ) }^{\gamma _i} / M_i\}_{i\in [1,n]}\), and records \((ID,\boldsymbol{F},fid,h'_{ID}, \{g_j\}_{j\in [1,\ell ]},\)

      \(\{H_2(fid \parallel i )\}_{i\in [1,n]} )\) in \(L_{H_2}\).

  • T-Query\(\left\langle ID,\boldsymbol{F}\right\rangle \). \(\mathcal {B}\) performs the following operations.

    • It aborts if \(ID=ID^*\). Otherwise, It obtians \(\left( ID,w \right) \) from \(L_{H_1}\) and extracts the private key \(g'^{\frac{1}{\alpha +w}} \).

    • It recovers query records from \(L_{H_2}\), chooses \(x_{ID} \in _R \mathbb {Z}_p^*\) and computes \(\sigma _i=g'^{\frac{1}{\alpha +w}}\cdot (H(fid\parallel i)\cdot {\textstyle \prod _{j=1}^{\ell } g_j^{m_{ij}}} )^{x_{ID}}=g'^{\frac{1}{\alpha +w}}\cdot ({\psi (h'_{ID} ) }^{\gamma _i} )^{x_{ID}}\) for \(i\in [1,n]\). Moreover, the verification value \(h''_{ID}=(h'_{ID})^{x_{ID}}\).

    • It encapsulates the file metadata into the file tag \(\tau \).

    • It returns (\(\{(\vec{m}_i,\sigma _i)\}_{1\le i \le n},\tau \)) to \(\mathcal {A}_{I}\) and records \(\tau \) in the set \(\varGamma \).

• Forgery. Eventually, \(\mathcal {A}_{I}\) outputs (\(ID^*\),\(\tau ^*\),\((i,\vec{m}^*,\sigma ^*)\)). \(\mathcal {A}_{I}\) wins the aforementioned game iff its output satisfies the conditions described in Sect. 3.2.

From \(\sigma _i^*\), \(\mathcal {B}\) can extract \(s_{ID}^*=g^{\frac{1}{\alpha +w^*}}\): it parses \(\tau ^*\) to obtain the verification value \(h''^*_{ID}\), chooses \(\xi _{-1},\xi _0,\dots ,\xi _{q-1} \in _R \mathbb {Z}_p^*\) for which \(f(x) / (x+w^*) = \xi _{-1} / (x+w^*) + \sum _{i=0}^{q-2} \xi _i x^i\) and eventually computes \( S^*={\sigma _i^*}/{\psi \left( h''^*_{ID} \right) ^{\gamma _i}} = g'^{\frac{1}{\alpha +w^*}}\), \(s_{ID^*}=( {S^*}/{\prod _{i=0}^{q-2}\psi ( h^{\alpha ^i})^{\xi _i}})^{\frac{1}{\xi _{-1}}} =g^{\frac{1}{\alpha +w^*}}\). Finally, \(\mathcal {B}\) returns \(\left( w^*,g^{\frac{1}{\alpha +w^*}}\right) \) as the solution to the q-SDH instance.

Appendix B: Proof of Theorem 2

Proof

We prove this theorem by the following series of games and analysis.

Game 0. The first game, the interaction process between \(\mathcal {A}_{II}\) and challenger \(\mathcal {C}\) is defined in the security model of Sect. 3.2.

Game 1. Game 1 mirrors Game 0, except for one variation. The aggregate tag \(\hat{\sigma }\) in \(\mathcal {P}^*\) generated by \(\mathcal {A}_{II}\) differs from the value \(\prod _{(i,c_i)\in \mathcal {Q}} {\sigma _i}^{c_i}\) produced by the ChalProof algorithm based on the challenge \(\textsf{Chal}^*\), yet it can pass the verification of the ProofVerify algorithm, then \(\mathcal {A}_{II}\) wins the game.

Assuming \(\mathcal {A}_{II}\) has a non-negligible probability of winning Game 1, we can construct a simulator to solve the co-CDH problem with a non-negligible advantage. Given \(g\in \mathbb {G}_1,h,h^\alpha \in \mathbb {G}_2\), the simulator aims to outputs \(g^\alpha \in \mathbb {G}_1\). It operates similarly to challenger \(\mathcal {C}\) in Game 0, with the differences as follows:

• Initialization. It picks an element \(s \in _R \mathbb {Z}_p^*\) as the master secret key msk, and computes \(h^s \in \mathbb {G}_2\) as the master public key mpk.

• Store. \(\mathcal {A}_{II}\) adaptively initiates K-Query and T-Query to \(\mathcal {C}\) as follows:

  • K-Query\(\left\langle ID\right\rangle \). It returns the private key \(s_{ID}=g^{\frac{1}{H_1(ID)+s}}\) to \(\mathcal {A}_{II}\) and records \((ID,H_1(ID),s_{ID})\) in the list.

  • T-Query\(\left\langle ID,\boldsymbol{F}\right\rangle \). The file \(\boldsymbol{F}\) is encrypted and depicted as \(\{m_{ij}\}_{1\le i \le n,1 \le j \le \ell }\) where \(m_{ij} \in \mathbb {Z}_p\). Additionally, an element \(fid \in \mathbb {Z}_p^*\) is selected as the unique identifier of \(\boldsymbol{F}\). Then, \(\mathcal {B}\) performs the following operations.

    • It selects a random element \(\pi \in \mathbb {Z}_p^*\), and computes the verification value \(h^\theta =\left( h^\alpha \right) ^\pi \), which implies \(\theta =\alpha \pi \). For \(i\in [1,n]\), it picks \(\pi _i \in _R \mathbb {Z}_p^*\) and sets \(H_2(fid \parallel i) =\psi (h)^{\pi _i}/ ( \psi (h)^{\sum _{j=1}^{\ell } m_{ij}\beta _j} \cdot g^{\sum _{j=1}^{\ell } m_{ij}\delta _j})\).

    • It obtians \((ID,H_1(ID),s_{ID})\) from the list, computes \(h'_{ID}=h^{H_1(ID)}\cdot mpk\), \(h''_{ID}={h'}_{ID}^\theta ={\left( h^\theta \right) }^{s+H_1(ID)}\), and encapsulates the file metadata into the file tag \(\tau \).

    • Since \(H_2(fid\parallel i) \cdot \prod _{j=1}^{\ell } {g_j}^{m_{ij}}=\psi (h)^{\pi _i } \) it can computes \(\sigma _i=s_{{ID}} \cdot ( H_2({fid} \parallel i) \cdot \prod _{j=1}^{\ell } {g_j}^{{m_{ij}}})^\theta =s_{{ID}} \cdot \psi (h^\theta )^{\pi _i }\).

    • Finally, it returns (\(\{(\vec{m}_i,\sigma _i)\}_{1\le i \le n},\tau \)) to \(\mathcal {A}_{II}\).

• Forgery. Finally, \(\mathcal {A}_{II}\) outputs a proof of data possession \(\mathcal {P}^*\) for a challenge file \(\boldsymbol{F}^*\) with the tag \(\tau ^*\) under the identity \(ID^*\), where \(\boldsymbol{F}^*\) is incompletely stored and \(\mathcal {P}^*\) is generated based on the challenge \(\textsf{Chal}^*=(\tau ^*,\mathcal {Q}^*=\lbrace (i,c_i) \rbrace )\) launched by \(\mathcal {C}\) for \(\boldsymbol{F}^*\). \(\mathcal {A}_{II}\) wins the aforementioned game iff its output satisfies the conditions described in Sect. 3.2.

Analysis. Suppose \(\mathcal {A}_{II}\)’s \(\mathcal {P}^*\) responses to \(\textsf{Chal}^*\) is \(( \hat{\mu _1},\dots ,\hat{\mu _\ell }) \) together with \(\hat{\sigma }\). Let \(( \mu _1,\dots ,\mu _\ell ) \) and \(\sigma \) be \(\mathcal {P}\) generated correctly using ChalProof based on \(\textsf{Chal}^*\), where \(\sigma =\prod _{(i,c_i)\in \mathcal {Q}} {\sigma _i}^{c_i}\) and \(\mu _j=\sum _{(i,c_i)\in \mathcal {Q}} c_i m_{ij} \) for \(1 \le j \le \ell \). By the correctness of the proof, we know the \(\mathcal {A}_{II}\)’s \(\mathcal {P}^*\) and the correct one satisfies the verification equation:

$$\begin{aligned} e\left( \hat{\sigma },h'_{ID} \right) = T^{\sum _{(i,c_i)\in \mathcal {Q} } c_i} \cdot e\left( {\textstyle \prod _{(i,c_i)\in \mathcal {Q}} } {H_2(fid^* \parallel i)}^{c_i} \cdot {\textstyle \prod _{j=1}^{\ell } }{g_j}^{\hat{\mu _j}},h''_{ID} \right) , \end{aligned}$$

(2)

$$\begin{aligned} e\left( \sigma ,h'_{ID} \right) = T^{\sum _{(i,c_i)\in \mathcal {Q} } c_i} \cdot e\left( {\textstyle \prod _{(i,c_i)\in \mathcal {Q}} } {H_2(fid^* \parallel i)}^{c_i} \cdot {\textstyle \prod _{j=1}^{\ell }} {g_j}^{\mu _j},h''_{ID} \right) . \end{aligned}$$

(3)

Indeed, if \(\hat{\mu _j} = \mu _j\) for each j, it can be deduced that \(\hat{\sigma } = \sigma \), contradicting our previous assumption. Let \(\varDelta \mu _j= \mu _j-\hat{\mu _j}\). Dividing equation (2) by equation (3), we have \(e(\hat{\sigma } / \sigma ,h'_{ID}) =e({\textstyle \prod _{j=1}^{\ell }}{g_j}^{\varDelta \mu _j},( {h'_{ID}}) ^{\theta }~\hbox {)} =e( \psi (h)^{\sum _{j=1}^{\ell }\beta _j\varDelta \mu _j}\cdot g^{\sum _{j=1}^{\ell }\delta _j\varDelta \mu _j},(h^\theta )^{s+H_1(ID)} ).\) Rearranging, we get \( e(\hat{\sigma }\cdot \sigma ^{-1}\cdot \psi (h^\theta )^{-\sum _{j=1}^{\ell }\beta _j\varDelta \mu _j}, h'_{ID}) =e(g, (h^\theta )^{s+H_1(ID)})^{\sum _{j=1}^{\ell }\delta _j\varDelta \mu _j}. \) Thus, \(g^\alpha =(\hat{\sigma }\cdot \sigma ^{-1}\cdot \psi (h^\theta )^{-\sum _{j=1}^{\ell }\beta _j\varDelta \mu _j} )^{\frac{1}{\pi \sum _{j=1}^{\ell }\delta _j\varDelta \mu _j}}\) is the solution of the given co-CDH instance as long as \(\pi \sum _{j=1}^{\ell }\delta _j\varDelta \mu _j \ne 0\; \text {mod}\; p\). Since we note that not all of \(\lbrace \varDelta \mu _j\rbrace \) can be zero and \(\pi ,\delta _j\) for \(1 \le j \le \ell \) are random values and information theoretically hidden from \(\mathcal {A}_{II}\), so the probability \(\text {Pr}\left[ \pi \sum _{j=1}^{\ell }\delta _j\varDelta \mu _j=0 \; \text {mod}\; p \right] =1/p \), which is negligible.

Thus if there is a non-negligible difference between \(\mathcal {A}_{II}\)’s probabilities of success in Games 0 and 1, we can construct a simulator that utilizes \(\mathcal {A}_{II}\) to solve co-CDH problem.

Game 2. Game 1 mirrors Game 0, except for one variation. At least one aggregate data block \(\hat{\mu _j}\) in \(\mathcal {P}^*\) is not equal to the value \(\sum _{(i,c_i)\in \mathcal {Q}} c_i m_{ij}\) generated using the ChalProof algorithm based on the challenge \(\textsf{Chal}^*\), yet it can pass the verification of the ProofVerify algorithm, then \(\mathcal {A}_{II}\) wins the game.

Assuming that the probability of \(\mathcal {A}_{II}\) winning Game 2 is non-negligible,e can construct a simulator that utilizes \(\mathcal {A}_{II}\) to solve the DL problem with a non-negligible advantage. Given \(g,k \in \mathbb {G}_1\), the simulator aims to find a value \(\alpha \) such that \(k=g^\alpha \). It behaves like the \(\mathcal {C}\) in Game 1, but with the following differences:

• Store. It responds to K-Query and T-Query in the same way as Game 1, expect that for each sector j, \(1\le j \le \ell \), it picks \(\beta _j,\delta _j \in _R \mathbb {Z}_p^*\) and sets \(g_j=g^{\beta _j} \cdot k^{\delta _j}\).

• Forgery. The conditions for \(\mathcal {A}_{II}\) to win the above game are the same as those in Game 1.

Analysis. In \(\mathcal {A}_{II}\)’s response \(\mathcal {P}^*\), there is at least one \(\lbrace \hat{\mu _j} \rbrace \) is not equal to the correct \(\lbrace \mu _j \rbrace \) generated using the ChalProof algorithm based on \(\textsf{Chal}^*\). Because of the change made in Game 1 we know that \(\hat{\sigma }=\sigma \). Equating the verification equations gives us \(T^{\sum _{(i,c_i)\in \mathcal {Q} } c_i} \cdot e({\textstyle \prod _{(i,c_i)\in \mathcal {Q}} } {H_2(fid^* \parallel i)}^{c_i} \cdot {\textstyle \prod _{j=1}^{\ell }} {g_j}^{\hat{\mu _j}},h''_{ID} ) =e(\hat{\sigma },h'_{ID} ) =e\left( \sigma , h'_{ID} \right) =T^{\sum _{(i,c_i)\in \mathcal {Q} } c_i} \cdot e({\textstyle \prod _{(i,c_i)\in \mathcal {Q}} } {H_2(fid^* \parallel i)}^{c_i} \cdot {\textstyle \prod _{j=1}^{\ell }} {g_j}^{\mu _j},h''_{ID} )\), and further implies that \({\textstyle \prod _{j=1}^{\ell }} {g_j}^{\hat{\mu _j}} ={\textstyle \prod _{j=1}^{\ell }} {g_j}^{{\mu _j}}.\) Let \(\varDelta \mu _j=\hat{\mu _j}-\mu _j\) for each \(1\le j\le \ell \), and we get \( ~\hbox {1} ={\textstyle \prod _{j=1}^{\ell }} {g_j}^{\varDelta {\mu _j}} ={\textstyle \prod _{j=1}^{\ell }} \left( {g^{\beta _j}\cdot k^{\delta _j}}\right) ^{\varDelta {\mu _j}} =g^{\sum _{j=1}^{\ell }\beta _j\varDelta \mu _j}\cdot k^{\sum _{j=1}^{\ell }\delta _j\varDelta \mu _j}.\) Thus, \(\alpha =-{\sum _{j=1}^{\ell }\beta _j\varDelta \mu _j}/{\sum _{j=1}^{\ell }\delta _j\varDelta \mu _j}\; \text {mod} \; p\) is the solution of the given DL instance, as long as \(\sum _{j=1}^{\ell }\delta _j\varDelta \mu _j \ne 0\; \text {mod}\; p\). Since not all of \(\lbrace \varDelta \mu _j\rbrace \) can be zero and \(\delta _j\) for each j are random values and information theoretically hidden from \(\mathcal {A}_{II}\), we know \(\text {Pr}\left[ \sum _{j=1}^{\ell }\delta _j\varDelta \mu _j=0 \; \text {mod}\; p \right] =1/p \), which is negligible.

Thus if there is a non-negligible difference between \(\mathcal {A}_{II}\)’s probabilities of success in Games 1 and 2, we can construct a simulator that utilizes \(\mathcal {A}_{II}\) to solve DL problem.

In Game 2, assuming the Barreto et al.’s IBS scheme for file tag \(\tau \) generation and the TagGen algorithm for block tags are existentially unforgeable, and co-CDH problem and DL problem are hard in bilinear groups, there is only a negligible difference in the success probability of \(\mathcal {A}_{II}\) in this game compared to Game 0. Moreover, since the hardness of co-CDH problem implies that of DL problem, we complete the proof of Theorem 2 by combing Game 0, Game 1 and Game 2.