2 Efficient Client-Side Deduplication

This document proposes a new scheme for secure and efficient cloud storage that supports both secure deduplication of encrypted data and integrity auditing with public auditing. The proposed scheme performs proof of ownership for deduplication and auditing based on homomorphic linear authenticators built with BLS signatures. It also uses a third party auditor to help low-powered clients verify integrity. The scheme satisfies security requirements and is more efficient than existing approaches providing both functions.

Uploaded by

shital shermale
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2836328, IEEE Access

Submission
Digital Object Identifier DOI for IEEE Access

Efficient Client-Side Deduplication of Encrypted Data with Public Auditing in Cloud Storage

TAEK-YOUNG YOUN (1), KU-YOUNG CHANG (1), KYUNG HYUNE RHEE (2), AND SANG UK SHIN (2) (Member, IEEE)
(1) Electronics and Telecommunications Research Institute (ETRI), Republic of KOREA (e-mail: {taekyoung, jang1090}@etri.re.kr)
(2) Dept. of IT Convergence and Application Engineering, Pukyong National University, Republic of KOREA (e-mail: {khrhee, shinsu}@pknu.ac.kr)
Corresponding author: Sang Uk Shin (e-mail: shinsu@pknu.ac.kr).
This work was supported by Electronics and Telecommunications Research Institute (ETRI) grant funded by the Korean government [18ZH1200, Core Technology Research on Trust Data Connectome], Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No.2017-0-00213, Development of Cyber Self Mutation Technologies for Proactive Cyber Defence), and Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No.2017-0-00156, The Development of a Secure Framework and Evaluation Method for Blockchain).

ABSTRACT At present, there is a considerable increase in the amount of data stored in storage services, along with dramatic evolution of networking techniques. In storage services with huge data, the storage servers may want to reduce the volume of stored data, and the clients may want to monitor the integrity of their data with a low cost, since the cost of the functions related to data storage increases in proportion to the size of the data. To achieve these goals, secure deduplication and integrity auditing delegation techniques have been studied, which can reduce the volume of data stored in storage by eliminating duplicated copies and permit clients to efficiently verify the integrity of stored files by delegating costly operations to a trusted party, respectively. So far many studies have been conducted on each topic, separately, whereas relatively few combined schemes, which support the two functions simultaneously, have been researched. In this paper, we design a combined technique which performs both secure deduplication of encrypted data and public integrity auditing of data. To support the two functions, the proposed scheme performs challenge-response protocols using the BLS signature based homomorphic linear authenticator. We utilize a third party auditor for performing public audit, in order to help low-powered clients. The proposed scheme satisfies all the fundamental security requirements. We also propose two variances that provide higher security and better performance.

INDEX TERMS Cloud storage, Cryptography, Data security, Information security, Public audit, Secure
deduplication

I. INTRODUCTION
In cloud storage services, clients outsource data to a remote storage and access the data whenever they need the data. Recently, owing to its convenience, cloud storage services have become widespread, and there is an increase in the use of cloud storage services. Well-known cloud services such as Dropbox and iCloud are used by individuals and businesses for various applications. A notable change in information-based services that has happened recently is the volume of data used in such services due to the dramatic evolution of network techniques. For example, in 5G networks, gigabits of data can be transmitted per second, which means that the size of data that is dealt by cloud storage services will increase due to the performance of the new networking technique. In this viewpoint, we can characterize the volume of data as a main feature of cloud storage services. Many service providers have already prepared high resolution contents for their service to utilize faster networks. For secure cloud services in the new era, it is important to prepare suitable security tools to support this change.

Larger volumes of data require higher cost for managing the various aspects of data, since the size of data influences the cost for cloud storage services. The scale of storage should be increased according to the quantity of data to be

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
T.-Y. Youn et al.: Efficient Client-Side Deduplication with Public Auditing

stored. In this viewpoint, it is desirable for storage servers to reduce the volume of data, since they can increase their profit by reducing the cost for maintaining storage. On the other hand, clients are mainly interested in the integrity of their data stored in the storage maintained by service providers. To verify the integrity of stored files, clients need to perform costly operations, whose complexity increases in proportion to the size of data. In this viewpoint, clients may want to verify the integrity with a low cost regardless of the size of data. Owing to the demands of storage servers and clients, many researches on this topic are available in the literature.

To reduce the volume of data, deduplication has to be performed in servers so that the storage space efficiency can be improved by removing duplicated copies. According to the research report of EMC, about 75% of the data are duplicated [7]. This fact raises the need for design of deduplication technology. In the literature, there are studies on two types of deduplication techniques. Among them, client-side deduplication has attracted the interest of researchers more than server-side deduplication due to its efficiency in computation and communication. Unfortunately, client-side deduplication has a number of problems. In [9], Harnik et al. discovered some attack scenarios related to client-side deduplication, which can lead to data leakage in the worst case. So far, many schemes and techniques have been introduced to support secure deduplication. In [8], Halevi et al. introduced the concept of proofs of ownership (PoW). In [11], Bellare et al. formalized a class of message-locked encryptions including an existing convergent encryption (CE), and presented a new deduplication technique called DupLESS which is the first deduplication mechanism that can ensure semantic security.

When clients use cloud storage services, the integrity of stored data is the most important requirement. In other words, clients want to be guaranteed about the integrity of their data in the cloud. In cloud storage services, we cannot exclude the possibility of weak cloud servers, which are vulnerable to internal and external security threats. In the case of data loss due to some incident, weak servers may try to hide the fact that they lost some data, which were entrusted by their clients. More seriously, servers delete rarely accessed users’ data in order to increase the profit. Therefore, it is a natural requirement of clients to periodically check the current state of their data. To do this in practice, we need a way to efficiently check the integrity of data in remote storage. So far, various schemes have been proposed including proof of retrievability (POR) schemes [4], [10], [14], [17] and provable data possession (PDP) schemes [1], [2], [6], [15].

Secure deduplication and integrity auditing are fundamental functions required in cloud storage services. Hence, individual researches have been actively conducted on these two topics. However, relatively few studies have been conducted for designing a combined scheme that can support these two functions at the same time. The fundamental goal of the design of a combined model is to guarantee less overhead than a trivial combination of existing schemes. In particular, the goal of this paper is to improve the cost of both computation and communication.

In this paper, we design a new scheme for secure and efficient cloud storage service. The scheme supports both secure deduplication and integrity auditing in a cloud environment. In particular, the proposed scheme provides secure deduplication of encrypted data. Our scheme performs PoW for secure deduplication and integrity auditing based on the homomorphic linear authenticator (HLA), which is designed using BLS signature. The proposed scheme also supports public auditing using a TPA (Third Party Auditor) to help low-powered clients. The proposed scheme satisfies all fundamental security requirements, and is more efficient than the existing schemes that are designed to support deduplication and public auditing at the same time. Note that the preliminary version of this paper appeared in MobiSec2017 [16]. The main improvement in this paper is that we propose two variations to provide higher security and better performance. In the first variance, which is designed for stronger security, we assume a stronger adversary and provide a counter measure against the adversary. In the second variance, we design a technique that supports a very low-powered client and entrusts more computation to the cloud storage server in the upload procedure.

This paper is organized as follows. Section 2 describes related works. In Section 3, we propose a secure deduplication technique, which supports integrity auditing based on BLS signature, and analyze it in Section 4. In addition, we suggest two improved protocols in Section 5. Finally, Section 6 provides the conclusion.

II. RELATED WORKS
Secure deduplication is interesting for both industrial and research communities; therefore, several secure deduplication schemes have been proposed. Harnik et al. [9] showed some attacks in the case of client-side deduplication, which causes data leakage. To counter the attacks, the concept of POR was introduced in [8]. Later, in [11], the convergent encryption, which is defined as message-locked encryption, was formalized and then, Bellare et al. presented another scheme called DupLESS for semantic security.

To support data integrity, two concepts, PDP and POR, have been introduced. Ateniese et al. [1] introduced PDP for ensuring that the cloud storage providers actually possess the files without retrieving or downloading the entire data. It is basically a challenge-response protocol between the verifier (a client or TPA) and the prover (a cloud). Compared to PDP, POR not only ensures that the cloud servers possess the target files, but also guarantees their full recovery [10]. Since then, a number of POR schemes [4], [14], [17] and PDP schemes [2], [6], [15] have been proposed.

A simple combination of two independent techniques designed for the two above mentioned issues does not efficiently deal with the issues at once, because achieving storage efficiency contradicts with the deduplication of authentication tags. In [18], public auditing with a deduplication scheme based on homomorphic linear authentication tags
was proposed. Each user has to generate the integrity tags, even for the file in the cloud. Moreover, the file is available in its plain form on the cloud side. Li et al. [12] proposed an integrity auditing scheme for encrypted deduplication storage. This scheme is based on homomorphic verifiable tags and Merkle hash tree. A user encrypts his file by using a convergent encryption technique and uploads the file to a fully trusted TPA.

III. THE PROPOSED SCHEME
Here, we describe the system model of our scheme. We also give the corresponding security model. After that, we will give a detailed description of our scheme according to the models.

A. SYSTEM AND SECURITY MODEL
Our scheme utilizes the BLS signature-based Homomorphic Linear Authenticator (HLA), which was proposed in [14], for integrity auditing and secure deduplication. We also introduce TPA to support public integrity auditing. The proposed scheme consists of the following entities.
• Client (or user). Outsources data to a cloud storage. CE-encrypted data is first generated, and then uploaded to the cloud storage to protect confidentiality. The client also needs to verify the integrity of the outsourced data. To do this, the client delegates integrity auditing to the TPA.
• Cloud Storage Server (CSS). Provides data storage services to users. Deduplication technology is applied to save storage space and cost. We consider that the CSS may act maliciously due to insider/outsider attacks, software/hardware malfunctions, intentional saving of computational resources, etc [13]. During the deduplication process, the CSS carries out the PoW protocol to verify that the client owns the file. Moreover, in the integrity audit process, it is necessary to generate and respond to a proof corresponding to the request of the TPA.
• TPA (Third Party Auditor). Performs integrity auditing on behalf of the client to reduce the client’s processing cost. Instead of the client, the auditor sends a challenge to the storage server to periodically perform an integrity audit protocol. TPA is assumed to be a semi-trust model, that is, an honest but curious model. Under the assumption, it is assumed that the TPA does not collude with other entities.

The relation between entities can be seen in Fig. 1. A client and a CSS perform PoW for secure deduplication, and a TPA is placed between the client and the CSS to execute integrity auditing instead of the client.

FIGURE 1: System model

Here, we consider the following types of adversary models: outside adversary, insider adversary CSS, and semi-honest adversary TPA.
• Outside adversary: Assuming that the communication channel is not secure, an outside attacker can easily intercept the transmitted data. An outside attacker attempts to pass the PoW process as if it were the proper owner of the data.
• Insider adversary CSS: The CSS assumes that it can act maliciously. It attempts to get information out of the user’s encrypted data, and modify or delete the user’s data.
• Semi-honest adversary TPA: The TPA is assumed to perform the protocol correctly; however, in the process it tries to obtain information about the user’s data.

In addition, the proposed scheme should satisfy the following security objectives.
• Privacy: Except for the information about duplication, no information about the outsourced data is revealed to an adversarial party.
• Secure deduplication: Secure deduplication is supported without revealing any information except for the information about duplication.
• Public verifiability: The TPA is able to examine the accuracy and availability of the outsourced data without querying the entire data and without intervention by the data owner.
• Storage correctness: If the CSS is keeping the user’s data intact, it can pass the TPA’s verification.

B. DETAILED OPERATION OF THE PROPOSED METHOD
The proposed scheme does not compute authentication values separately for a proof of the PoW process and for a proof of the integrity auditing; instead, it computes only one authentication value depending on the duplication. The proposed scheme uses the BLS signature based homomorphic authenticator [14] to generate the authentication value to provide secure deduplication and public integrity auditing.

Let $e : G \times G \to G_T$ be a computable bilinear map with group $G$’s support being $\mathbb{Z}_p$ for some large prime $p$. $g$ is a generator of $G$, and $\mathrm{BLSHash} : \{0, 1\}^* \to G$ is the BLS hash [3]. A user chooses a random $\alpha \xleftarrow{R} \mathbb{Z}_p$, and computes $v = g^{\alpha}$ ($\in G$). The user’s private key is $sk = \alpha$, and the public key is $pk = v$. The user also generates $(spk, ssk)$ to digitally sign a file using a cryptographically secure signature scheme such as RSA PSS, or DSA. It is assumed that the
public key is distributed securely to the entities.

The proposed method includes the following three procedures.
• First upload procedure: In this case, a user first uploads a file that is not stored in the CSS. First, a file ID/Tag and a convergent encryption key $K$ are generated, and the file is encrypted using CE with $K$ and then uploaded to the CSS. The CSS maintains the list owner, tag, and ciphertext. The user computes an authentication tag for the integrity auditing and sends it to the TPA.
• Subsequent upload procedure: This procedure is performed when a duplicate file is uploaded. The CSS checks for the duplication using the file tag, and in the event of duplication, it proceeds with the PoW protocol to examine the ownership of the user. If a user passes this process, the CSS adds the file ownership of the user to the stored file.
• Integrity auditing procedure: Periodic auditing is required to ensure that the files stored on the CSS are fully and intactly maintained. To reduce the user overhead, the TPA performs periodic integrity audits. To do this, the TPA first chooses a random challenge and it sends it to the CSS. The CSS responds by generating a corresponding proof using the stored file. Then the TPA verifies that the response is valid and completes the integrity audit.

1) First upload procedure
Let us consider the case where a client $U_{ID}$ uploads $F$ to CSS. To do this, he should first generate a convergent key $K$ and a file ID $T_F$. This process can be performed using existing schemes such as DupLESS [11]; this is omitted in this paper. The client sends the Upload Req message to the CSS including $\{U_{ID}, T_F\}$. The CSS checks if a duplicated file exists using $T_F$. If so, the CSS performs the First upload procedure by sending the First upload Req message to the client. Then, the client computes the ciphertext $CT$ by encrypting $F$ with the convergent key $K$: $CT = Enc_K(F)$, where $Enc_k()$ is an encryption mechanism such as AES in CTR mode [5] and $k$ is a private key. We assume that $CT$ is divided into $n$ blocks. The client also computes audit tags $\{t_i\}_{i=1}^{n}$ to periodically run the integrity audit procedure by the TPA: $t_i = \left(\mathrm{BLSHash}(i) \cdot u^{CT_i}\right)^{\alpha}$, where $u$ is a generator selected randomly by the client, and $CT_i$ is the $i$-th ciphertext block. The client replies $\{CT, \{t_i\}_{i=1}^{n}\}$ to CSS, and then CSS stores $\{T_F, CT, \{t_i\}_{i=1}^{n}, U_{ID}\}$. In addition, the CSS issues a receipt including $Sig_{CSS}(T_F, U_{ID})$ to the client. The client sends the Audit Info message including $\{T_F, U_{ID}, u, n, Sig_{CSS}(T_F, U_{ID})\}$ to the TPA. The client keeps only $(T_F, n)$ and deletes the other information. Fig. 2 shows the First upload procedure.

One consideration here is the management of the convergence key $K$. The convergence key $K$ may be stored securely by each client individually. Alternatively, it can upload $ek = Enc_{mk}(K)$, which is encrypted using the secret master key $mk$ of each client, to the CSS. In this case, the client only needs to keep $mk$ secret. However, the CSS should store $ek$ of each user for the duplicate file.

2) Integrity auditing procedure
The TPA periodically checks the integrity of the data stored in the CSS. To do this, the TPA first selects a random subset $I \in [1, n]$, and then randomly selects $v_i$ from $\mathbb{Z}_p$, for each $i \in I$. The challenge values for integrity auditing are $Q = \{I, (v_i)\}$. The TPA sends the Audit_Chall message with $(T_F, Q)$ to the CSS. Then, the CSS computes the proof values $\{\mu, \tau\}$ corresponding to the challenge as follows:

$$\mu \leftarrow \prod_{(i, v_i) \in Q} t_i^{v_i} \ (\in G) \tag{1}$$

and

$$\tau \leftarrow \sum_{(i, v_i) \in Q} v_i \cdot CT_i \ (\in \mathbb{Z}_p). \tag{2}$$

The CSS replies to the Audit_Res message with $\{\mu, \tau\}$. The TPA verifies the proof as follows:

$$e(\mu, g) == e\left(\prod_{i \in I} \left(\mathrm{BLSHash}(i)^{v_i} \cdot u^{\tau}\right), v\right). \tag{3}$$

Fig. 3 shows the Integrity auditing procedure.

3) Subsequent upload procedure
If the CSS has already stored the same file, the Subsequent upload procedure is performed for the deduplication (see Fig. 4). To verify the ownership of the client $U_{ID}'$, the CSS runs the PoW protocol. To do this, the CSS generates the challenge values $Q = \{I, (v_i)\}$, where $I$ is a random subset of the set $[1, n]$ and $v_i$ is a random element selected in $\mathbb{Z}_p$. The CSS sends the PoW Chall message with $(u, Q)$ to the client. Then, the client derives the corresponding proof values $\{\mu, \tau\}$: it computes $t_i' = \left(\mathrm{BLSHash}(i) \cdot u^{CT_i}\right)^{\alpha'}$ for each $i \in I$, and then computes $\mu \leftarrow \prod_{(i, v_i) \in Q} t_i'^{\,v_i}$ ($\in G$) and $\tau \leftarrow \sum_{(i, v_i) \in Q} v_i \cdot CT_i$ ($\in \mathbb{Z}_p$). The client sends the PoW Res message with the proof $\{\mu, \tau\}$ to the CSS. Finally, the CSS verifies the proof by checking that the following holds:

$$e(\mu, g) == e\left(\prod_{i \in I} \left(\mathrm{BLSHash}(i)^{v_i} \cdot u^{\tau}\right), v'\right). \tag{4}$$

Upon successful completion of the PoW procedure, the CSS can issue a receipt to the client by adding a user ID, $U_{ID}'$, and a reference for the file to the list of corresponding file access rights in order to confirm the file ownership. The client may give the receipt to the TPA. Then, the TPA may examine the file’s integrity using the receipt. If the CSS manages encrypted convergent keys, the client must upload $ek' = Enc_{mk'}(K)$, encrypted using its secret master key $mk'$, to the CSS.
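
The integrity auditing procedure above, equations (1) to (3), worked through as an added example (not code from the paper or its authors). It assumes a stand-in for the pairing group in which each element of G is stored as its discrete log modulo a constructed prime `P`, so it checks the algebra only and has no security; the function names, the 15-byte block size and the sampling formula in `miss_probability` are assumptions of this example.

```python
"""Algebra of the HLA audit, equations (1)-(3), in a stand-in group.

NOT a pairing implementation. Each element g^x of G is stored as its exponent
x mod P, so a product in G is a sum of exponents, a power is a product, and
e(g^a, g^b) = gT^(a*b) becomes a*b mod P. The public key v = g^alpha is then
alpha itself, so this model has no security; it only checks the algebra.
"""
import hashlib
import math
import secrets

P = 2**127 - 1                      # constructed prime order for the stand-in
_rng = secrets.SystemRandom()


def bls_hash(i):
    """Stand-in for BLSHash(i): exponent of the point hashed from index i."""
    digest = hashlib.sha256(b"block-index|%d" % i).digest()
    return int.from_bytes(digest, "big") % P


def split_blocks(ct, size=15):
    """Split ciphertext bytes CT into integers CT_1..CT_n, each below P."""
    return [int.from_bytes(ct[k:k + size], "big") for k in range(0, len(ct), size)]


def keygen():
    """sk = alpha, pk = v = g^alpha (in exponent form: the same number)."""
    alpha = _rng.randrange(1, P)
    return alpha, alpha


def make_tags(blocks, alpha, u):
    """Client, first upload: t_i = (BLSHash(i) * u^CT_i)^alpha for i = 1..n."""
    return {i: alpha * (bls_hash(i) + u * ct_i) % P
            for i, ct_i in enumerate(blocks, start=1)}


def challenge(indices):
    """TPA: Q = {(i, v_i)} for the chosen index set I, v_i random in Z_p."""
    return [(i, _rng.randrange(1, P)) for i in indices]


def random_challenge(n, k):
    """TPA: pick I as k distinct indices of [1, n] at random."""
    return challenge(_rng.sample(range(1, n + 1), k))


def prove(stored_blocks, tags, Q):
    """CSS, equations (1) and (2), computed over what is stored right now."""
    mu = sum(v * tags[i] for i, v in Q) % P                # prod t_i^v_i
    tau = sum(v * stored_blocks[i - 1] for i, v in Q) % P  # sum v_i * CT_i
    return mu, tau


def verify(Q, mu, tau, u, v_pub):
    """TPA, equation (3): e(mu, g) == e(prod BLSHash(i)^v_i * u^tau, v)."""
    lhs = mu                                               # e(mu, g), g = g^1
    inner = (sum(v * bls_hash(i) for i, v in Q) + u * tau) % P  # u^tau once
    return lhs == inner * v_pub % P


def audit(stored_blocks, tags, u, v_pub, Q):
    """One Audit_Chall / Audit_Res round; True means the proof verified."""
    mu, tau = prove(stored_blocks, tags, Q)
    return verify(Q, mu, tau, u, v_pub)


def miss_probability(n, k, corrupted):
    """Chance that k sampled indices avoid every corrupted block (standard
    sampling bound for this kind of audit; not stated on this page)."""
    return math.comb(n - corrupted, k) / math.comb(n, k)


def demo():
    ct = bytes(range(150))                 # constructed ciphertext, n = 10
    blocks = split_blocks(ct)
    alpha, v_pub = keygen()
    u = _rng.randrange(1, P)               # client's random generator u
    tags = make_tags(blocks, alpha, u)
    damaged = list(blocks)
    damaged[2] ^= 1                        # one bit of CT_3 changes at rest
    return {
        "intact": audit(blocks, tags, u, v_pub, random_challenge(10, 4)),
        "hit": audit(damaged, tags, u, v_pub, challenge([1, 3, 7])),
        "miss": audit(damaged, tags, u, v_pub, challenge([1, 2, 7])),
        "p_miss": miss_probability(10, 3, 1),
    }


if __name__ == "__main__":
    print(demo())
```

The "miss" case is the point to take away: a round only detects damage in blocks whose indices fall in I, so the size of I and the audit frequency set the detection probability.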

FIGURE 2: First upload procedure

FIGURE 3: Integrity auditing procedure

FIGURE 4: Subsequent upload procedure with PoW

IV. ANALYSIS
The proposed scheme satisfies the security objectives mentioned above. From the privacy perspective, the proposed method outsources the encrypted ciphertext to the CSS using the convergent encryption key. In the integrity auditing process, the TPA can also partially obtain the information about the ciphertext. Assuming that the convergent key generation process is performed through the OPRF (oblivious pseudo random function) protocol with the trusted key server as in DupLESS [11], it provides security against offline brute-force attacks. An attacker who does not obtain the convergent key K cannot get any information from the outsourced ciphertext, except the information of duplication. The proposed scheme also supports secure deduplication by providing deduplication for the ciphertext and performing the PoW protocol. This also depends on the security of the convergent key, as mentioned above, and the security of BLS signature based HLA [14].

The TPA then audits the integrity of the data without user intervention. It depends on the security of the BLS-based homomorphic authentication tag, and its security has been analyzed in [14]. Thus, the proposed scheme supports public verifiability. Finally, if the CSS keeps the data intact, it can pass the verification by the TPA. This is also provided by the security of the BLS-based homomorphic authentication tag used, thus ensuring the correctness of the storage.

In order to provide a comparison with the existing schemes, first, the scheme proposed in [18] is considered. This scheme supports integrity auditing and deduplication using a polynomial-based authentication tag and a homomorphic linear tag. During the setup process, the user computes a homomorphic linear tag and uploads it to the cloud server. Then, the TPA performs integrity auditing with the cloud server through the interaction using a polynomial-based authentication tag. In the deduplication process, when the cloud server randomly selects a set of block indexes for the PoW, the server sends them to the user. Then, the user transmits the corresponding plaintext blocks as the response. Then, the cloud server verifies the file ownership by verifying the validity of the received blocks using the pairing operation.
The biggest problem with this scheme is that the data is used as a plain text on the cloud side; therefore, it does not support secure deduplication. In addition, regardless of the file duplication, users always have to compute authentication tags. This results in a high computational overhead.

In the scheme proposed in [12], the client uploads a file to a TPA that is assumed to be honest. This is a very strong assumption, since most of TPAs in the existing public auditing-related papers are assumed to be semi-honest. It also wastes the bandwidth on the client side, because it always transmits the file to the TPA. When the client uploads the file to the TPA, the TPA computes a homomorphic signature for integrity auditing and uploads it to the cloud server along with the file.

The proposed scheme improves the problems of the above two methods. Table 1 shows the comparison with the existing schemes. The TPA of the proposed scheme is assumed to be semi-honest, and also does not upload the file to the TPA. In addition, the proposed method supports deduplication and integrity auditing for the encrypted data, and the client only needs to perform a single authentication tag computation. It has similar computational overhead in each case of the first upload and duplicate upload. That is, in the case of the first upload, the authentication tag for the integrity audit is computed, and in the case of deduplication, the authentication tag for the PoW is generated. Therefore, it provides better efficiency than the existing schemes in the viewpoint of client-side computational overhead.

V. VARIANCES
In Section III, we designed a new secure deduplication supporting public auditing, and proved its security and efficiency in Section IV. The proposed scheme is secure under a reasonable security model and its performance is better than the existing schemes as shown in Section IV. Here, we provide some techniques to achieve greater security and better performance.

A. IMPROVEMENT FROM THE VIEWPOINT OF SECURITY
In this section, we will consider a slightly stronger attack scenario, which was not considered in Section IV. Recall that we assumed the original data holder to be a reliable entity who behaves honestly. Hence, we used the assumption to analyze the proposed scheme. However, in this section, we discuss a possible attack scenario, which can be performed by the valid user who is a legitimate data holder, and provide a countermeasure for the attack by slightly modifying the scheme in Section IV.

Recall that the proposed model described in Section III uses the same generator $u$ to generate the authentication tag for integrity verification and the authentication tag for PoW. In the case of the duplicated upload, it may be pos- [...] authentication tag of the already uploaded file and using it to pass the ownership proof procedure. When the adversary is an outsider who cannot easily obtain the tag, it is not easy to mount the attack. However, if the original data holder helps an adversary to obtain the authentication tag, it is easy to mount the attack. As recognized in [8], the original file holder can utilize the storage service as a content distribution network, and this could be a threat to storage services. Hence, if we consider such a stronger adversary, we need a countermeasure to prevent a legitimate user from helping others to obtain the stored data.

Note that it is not possible to prevent the data holder from giving his data to others, and therefore the goal of the countermeasure is to make it difficult for an adversarial user to use the storage service as a content distribution network. As a concrete countermeasure to alleviate this threat, we can consider a random selection of a generator for each PoW process. The CSS randomly chooses a generator $u'$ and sends it to the client as the PoW Chall message. Then, it is possible for the CSS to perform more secure PoW by verifying whether an appropriate response is returned by the client. Even though the original file holder can still help other users to obtain the ownership, the user should have the entire file and perform costly operations to do so. Hence, in the data holder’s viewpoint, it is better to give the file to the adversary instead of helping the adversary to pass the PoW procedure. Fig. 5 shows the Subsequent upload process with improved security.

In the case of a duplicate file upload, the CSS performs the PoW process. To do this, the CSS chooses a random generator $u'$ and challenge values $Q = \{I, (v_i)\}$, where the challenge $Q$ is generated as in Section III. The CSS sends the PoW Chall message with $(u', Q)$ to the client. Then, the client returns the corresponding proof values $(\mu, \tau)$ computed by using the generator $u'$ and its own public key $\alpha'$. The CSS verifies the proof with $u'$ and the client’s public key $v'$ by checking whether the following holds:

$$e(\mu, g) == e\left(\prod_{i \in I} \left(\mathrm{BLSHash}(i)^{v_i} \cdot u'^{\tau}\right), v'\right). \tag{5}$$

After obtaining the ownership, the client and the CSS use the same generator $u$ to perform the integrity auditing. However, it does not matter anymore since the client cannot help others by using the values to pass the PoW to obtain the ownership of the file $F$.

B. IMPROVEMENT FROM THE VIEWPOINT OF EFFICIENCY
At present, a variety of devices are used to generate and use data in storage services. Though the capability of the devices has improved more than ever before, we still need to design light schemes for storage services due to the increase in size of data. In this viewpoint, we design a technique that can permit a client to pass some costly operations to the CSS in
sible to attack the server in PoW process by acquiring the the upload procedure.

TABLE 1: Comparison with existing schemes

| Scheme | Secure deduplication | Privacy-preserving public auditing | Efficiency |
|---|---|---|---|
| [18] | X (because of available in its plain form on CSS) | O | Require two different authentication tags for PoW and for auditing, respectively, regardless of duplication. |
| [12] | O | X (because the file is uploaded to TPA) | Loss of bandwidth advantages in the client side |
| Proposed scheme | O | O | Require a computation of only one tag of both authentication tags, and ensure bandwidth advantages in the client side |

FIGURE 5: Subsequent upload process with improved security
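
The PoW exchange of Fig. 5 and the check in (5), as an added toy model in Python that is not code from the paper: group elements are stored as their exponents so the pairing becomes a product, which reproduces the algebra only and gives no security. It assumes per-block tags of the form (BLSHash(i) · u^{m_i})^α as in the BLS-based authenticator of [14], reads the proof pair in (5) as an aggregated tag plus a linear combination of the challenged blocks, and takes the base raised to τ to be the session generator u′; all function names are illustrative.

```python
import hashlib, secrets

Q = 2**127 - 1  # prime group order for the toy model (constructed value)

# Toy bilinear group: an element g^x is stored as its exponent x mod Q, so
# multiplication is addition, exponentiation is multiplication, and the
# pairing e(g^a, g^b) = gT^(a*b) is a product. Algebra only, no security.
def mul(a, b): return (a + b) % Q
def power(a, k): return (a * k) % Q
def pairing(a, b): return (a * b) % Q
G = 1  # the generator g

def bls_hash(i):
    """Stand-in for BLSHash(i): hash a block index to a group element."""
    return int.from_bytes(hashlib.sha256(b"idx%d" % i).digest(), "big") % Q

def tag(alpha, u, i, m_i):
    """Assumed per-block authenticator (BLSHash(i) * u^m_i)^alpha."""
    return power(mul(bls_hash(i), power(u, m_i)), alpha)

def respond(alpha, u, blocks, challenge):
    """Client: aggregated tag and linear combination over the challenge Q."""
    sigma, combo = 0, 0  # 0 is the identity element g^0
    for i, v_i in challenge:
        sigma = mul(sigma, power(tag(alpha, u, i, blocks[i]), v_i))
        combo = (combo + v_i * blocks[i]) % Q
    return sigma, combo

def verify(pk, u, challenge, sigma, combo):
    """CSS: e(sigma, g) == e(prod BLSHash(i)^v_i * u^combo, pk), as in (5)."""
    base = power(u, combo)
    for i, v_i in challenge:
        base = mul(base, power(bls_hash(i), v_i))
    return pairing(sigma, G) == pairing(base, pk)

def demo():
    blocks = [secrets.randbelow(Q) for _ in range(8)]  # constructed ciphertext blocks
    alpha = secrets.randbelow(Q - 1) + 1               # client key
    pk = power(G, alpha)                               # v' = g^alpha
    u = secrets.randbelow(Q - 1) + 1                   # long-lived audit generator u
    u_new = secrets.randbelow(Q - 1) + 1               # fresh PoW generator u'
    challenge = [(i, secrets.randbelow(Q - 1) + 1) for i in (1, 4, 6)]
    fresh = verify(pk, u_new, challenge, *respond(alpha, u_new, blocks, challenge))
    replay = verify(pk, u_new, challenge, *respond(alpha, u, blocks, challenge))
    return fresh, replay
```

`demo()` returns `(True, False)`: a response computed from the blocks under the fresh generator u′ passes, while one assembled from tags made under the audit generator u is rejected by the same check.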

To reduce the computational complexity, as shown in Fig. 6, the process of uploading duplicate files can be modified. The client uploading the duplicate file computes only the authentication tag τ for each CT_i, unlike in Section III. That is, the client does not compute µ and sends the PoW Res message with only the proof τ to the CSS. Then, the CSS computes µ and verifies τ.

This reduces the amount of computation on the client side, while the CSS's computational overhead increases relatively. However, when the client is a lightweight device such as a mobile device, it is advantageous to transfer a part of the computation to the CSS, which has a higher performance than the client. Moreover, we can implement the online step by choosing Q = {I, (v_i)} and pre-computing µ before a subsequent upload process is initiated by a new client. If we apply the pre-computation technique, we can reduce the computational complexity without increasing the cost for the CSS in the online step.

FIGURE 6: Subsequent upload process for improving the computational overhead on the client side

VI. CONCLUSION
When storing data on remote cloud storages, users want to be assured that their outsourced data are maintained accurately in the remote storage without being corrupted. In addition, cloud servers want to use their storage more efficiently. To satisfy both the requirements, we proposed a scheme to achieve both secure deduplication and integrity auditing in a cloud environment. To prevent leakage of important information about user data, the proposed scheme supports a client-side deduplication of encrypted data, while simultaneously supporting public auditing of encrypted data. We used BLS signature based homomorphic linear authenticator to compute authentication tags for the PoW and integrity auditing. The proposed scheme satisfied the security objectives, and improved the problems of the existing schemes. In addition, it provides better efficiency than the existing schemes from the viewpoint of client-side computational overhead. Finally, we designed two variations for higher security and better performance. The first variance guarantees higher security in the sense that a legitimate user can be an adversary. The second variance provides better performance from the perspective of the clients, by permitting low-powered clients to perform the upload procedure very efficiently by passing on their costly operations to the CSS.

REFERENCES
[1] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, “Provable data possession at untrusted stores,” in Proc. of the 14th ACM conference on Computer and communications security (CCS’07), Alexandria, Virginia, USA, 2007, pp. 598–609.
[2] G. Ateniese, R. Di Pietro, L.V. Mancini and G. Tsudik, “Scalable and efficient provable data possession,” in Proc. of the 4th international conference on Security and privacy in communication networks (SecureComm’08), Istanbul, Turkey, 2008, pp. 1–10.
[3] D. Boneh, B. Lynn and H. Shacham, “Short signatures from the Weil pairing,” Journal of Cryptology, vol. 17, no. 4, pp. 297–319, Sept. 2004.
[4] Y. Dodis, S. Vadhan and D. Wichs, “Proofs of retrievability via hardness amplification,” in Proc. of the 6th Theory of Cryptography Conference on Theory of Cryptography (TCC’09), San Francisco, CA, USA, 2009, pp. 109–127.
[5] M. Dworkin, “Recommendation for block cipher modes of operation. methods and techniques,” NIST, USA, No. NIST-SP-800-38A., 2001.
[6] C. Erway, A. Küpçü, C. Papamanthou and R. Tamassia, “Dynamic provable data possession,” in Proc. of the 16th ACM conference on Computer and communications security (CCS’09), Chicago, Illinois, USA, 2009, pp. 213–222.
[7] J. Gantz and D. Reinsel, “The digital universe decade - are you ready?,” IDC White Paper, 2010.
[8] S. Halevi, D. Harnik, B. Pinkas and A. Shulman-Peleg, “Proofs of ownership in remote storage systems,” in Proc. of the 18th ACM conference on Computer and communications security (CCS’11), Chicago, USA, 2011, pp. 491–500.
[9] D. Harnik, B. Pinkas and A. Shulman-Peleg, “Side channels in cloud
services: Deduplication in cloud storage,” IEEE Security & Privacy, vol. 8, no. 6, pp. 40–47, Dec. 2010.
[10] A. Juels and B.S. Kaliski Jr, “Pors: proofs of retrievability for large files,” in Proc. of the 14th ACM conference on Computer and communications security (CCS’07), Alexandria, Virginia, USA, 2007, pp. 584–597.
[11] S. Keelveedhi, M. Bellare and T. Ristenpart, “DupLESS: server-aided encryption for deduplicated storage,” in Proc. of the 22nd USENIX Security Symposium (USENIX Security 13), Washington, D.C. USA, 2013, pp. 179–194.
[12] J. Li, J. Li, D. Xie and Z. Cai, “Secure auditing and deduplicating data in cloud,” IEEE Transactions on Computers, vol. 65, no. 8, pp. 2386–2396, Aug. 2016.
[13] X. Liu, W. Sun, H. Quan, W. Lou, Y. Zhang and H. Li, “Publicly verifiable inner product evaluation over outsourced data streams under multiple keys,” IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 826–838, Sept.-Oct. 2017.
[14] H. Shacham and B. Waters, “Compact proofs of retrievability,” in Proc. of the 14th International Conference on the Theory and Application of Cryptology and Information Security, Advances in Cryptology - ASIACRYPT 2008, Melbourne, Australia, 2008, pp. 90–107.
[15] Q. Wang, C. Wang, K. Ren, W. Lou and J. Li, “Enabling public auditability and data dynamics for storage security in cloud computing,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 847–859, Dec. 2011.
[16] T. Y. Youn, K. Y. Chang, K. R. Rhee and S. U. Shin, “Public Audit and Secure Deduplication in Cloud Storage using BLS signature,” Research Briefs on Information & Communication Technology Evolution (ReBICTE), vol. 3, article no. 14, pp. 1–10, Nov. 2017.
[17] J. Yuan and S. Yu, “Proofs of retrievability with public verifiability and constant communication cost in cloud,” in Proc. of the 2013 international workshop on Security in cloud computing, Hangzhou, China, 2013, pp. 19–26.
[18] J. Yuan and S. Yu, “Secure and constant cost public cloud storage auditing with deduplication,” in Communications and Network Security (CNS), 2013 IEEE Conference on, National Harbor, MD, USA, 2013, pp. 145–153.

TAEK-YOUNG YOUN received his BS, MS, and Ph.D from Korea University in 2003, 2005, and 2009, respectively. He is currently a senior researcher at Electronics and Telecommunications Research Institute (ETRI), Daejeon, Korea. From 2016, he has served as an associate professor in University of Science and Technology (UST), Daejeon, Korea. His research interests include cryptography, information security, authentication, data privacy, and security issues in various communications.

KU-YOUNG CHANG received his B.S., M.S. and Ph.D. degrees in mathematics from Korea University, Seoul, Korea in 1995, 1997, and 2000, respectively. He is currently a principal researcher of Cryptography Research Section at Electronics and Telecommunications Research Institute, Daejeon, Korea. His research interests include cryptography, data privacy, and finite field theory.

KYUNG-HYUNE RHEE received his M.S. and Ph.D. degrees from Korea Advanced Institute of Science and Technology (KAIST), Daejeon, Korea in 1985 and 1992, respectively. He worked as a senior researcher in Electronics and Telecommunications Research Institute (ETRI), Daejeon, Korea from 1985 to 1993. He also worked as a visiting scholar in the University of Adelaide in Australia, the University of Tokyo in Japan, the University of California at Irvine in USA, and Kyushu University in Japan. He has served as a Chairman of Division of Information and Communication Technology, Colombo Plan Staff College for Technician Education in Manila, the Philippines. He is currently a professor in the Department of IT Convergence and Application Engineering, Pukyong National University, Busan, Korea. His research interests center on multimedia security and analysis, key management protocols and mobile ad-hoc and VANET communication security.

SANG UK SHIN received his M.S. and Ph.D. degrees from Pukyong National University, Busan, Korea in 1997 and 2000, respectively. He worked as a senior researcher in Electronics and Telecommunications Research Institute, Daejeon, Korea from 2000 to 2003. He is currently a professor in Department of IT Convergence and Application Engineering, Pukyong National University. His research interests include digital forensics, e-Discovery, cryptographic protocol, mobile and wireless network security and multimedia content security.
