Cloud Storage Data Verification Using Signcryption Scheme
Abstract
1. Introduction
- Public verifiability. The size of the data to be verified may vary, and users with limited resources may find the verification process expensive. Public verifiability therefore enables other parties to carry out the verification process.
- Privacy-preserving. Prevents data leaks to the verifier during the verification process. Concerns about data privacy arise as a result of the public verifiability characteristic. This property requires that the verifier, as an outsider, not receive any confidential information but still be able to verify the data integrity.
- Blockless verification. The verifier does not need to download all the data for the verification process. This decreases communication overhead at the server and increases the efficiency of the verification scheme.
- Proposed an improved signcryption scheme that provides three desirable properties in data verification: public verifiability, privacy-preserving, and blockless verification.
- Presented a use case of data verification for data stored in cloud storage using a signcryption scheme to ensure data integrity, confidentiality, and non-repudiation.
2. Preliminaries
2.1. Bilinear Pairings
- Bilinearity:, and , .
- Computability: There is an efficient algorithm to compute .
- Non-degeneracy: There exists such that .
- Discrete Logarithm Problem (DLP): Given two group elements P and Q, find an integer , such that whenever such an integer exists.
- Computational Diffie-Hellman Problem (CDHP): For , given , compute .
- Inverse Computational Diffie-Hellman Problem (Inv-CDHP): For , given , compute .
- Square Computational Diffie-Hellman Problem (Squ-CDHP): For , given , compute .
2.2. ZSS Signature
- ParamGen. The system parameters are .
- KeyGen. Randomly selects , and computes . The public key is .
- Sign. Given a secret key x, and a message m, computes signature .
- Ver. Given a public key , a message m, and a signature S, verify if . The verification works because of the following Equation (1).
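The Sign and Ver steps above can be exercised end to end using the ZSS equations as published by Zhang, Safavi-Naini and Susilo (listed in the references): the signature is S = (H(m) + x)^-1 P and it is accepted when e(H(m)P + P_pub, S) = e(P, P). The following is an added example, not code from the paper; it assumes an insecure toy representation in which every group element is stored as its discrete logarithm, and the names `Q`, `pair`, `H`, `keygen`, `sign`, `verify` and `demo` are illustrative.

```python
import hashlib
import secrets

# Toy model (assumption, insecure): a point aP in G1 is stored as a mod Q and
# a target element e(P, P)^c as c mod Q, so the pairing becomes a product.
Q = 2**127 - 1          # prime group order (Mersenne prime)
P = 1                   # generator of G1 in this representation

def pair(a, b):
    """e(aP, bP) = e(P, P)^(ab): bilinear in both arguments."""
    return a * b % Q

def H(msg: bytes) -> int:
    """Hash a message into Z_Q (SHA-256 reduced mod Q)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # secret key x in Z_Q^*
    return x, x * P % Q                   # public key P_pub = xP

def sign(x, msg):
    d = (H(msg) + x) % Q
    if d == 0:                            # 1/(H(m) + x) is undefined
        raise ValueError("H(m) + x = 0 mod q: no signature for this message")
    return pow(d, -1, Q) * P % Q          # S = (H(m) + x)^-1 P

def verify(p_pub, msg, sig):
    # Accept iff e(H(m)P + P_pub, S) == e(P, P); only public values are used.
    return pair((H(msg) * P + p_pub) % Q, sig) == pair(P, P)

def demo():
    x, p_pub = keygen()
    shard = b"constructed shard 0 of file F"   # constructed sample input
    sig = sign(x, shard)
    _, other_pub = keygen()
    return (verify(p_pub, shard, sig),          # genuine signature
            verify(p_pub, shard + b"!", sig),   # modified data
            verify(other_pub, shard, sig))      # wrong signer key

if __name__ == "__main__":
    print(demo())
```

In a real deployment the groups come from a pairing-friendly elliptic curve, where recovering x from xP is hard; the toy representation only makes the algebra behind the check visible.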
2.3. ZSS Signcryption
- ComGen. Given the security parameter k and n. Two cyclic groups () and () of the same prime order , a generator P of , a bilinear map , three hash functions and , and a symmetric encryption scheme . Then, .
- KeyGen. Every user picks his private key from randomly and uniformly. Then, he computes his public key .
- Signcrypt. Given a message , the recipient’s public key and the sender’s private key . The sender computes:
- pick and compute p.
- compute and then where .
Finally, form the signcryptext .
- Unsigncrypt by recipient upon receiving .
- parse C as () and compute .
- compute where .
- if , then return the message m; otherwise return ⊥, which means unsigncryption failure.
- Public Verifiability. The recipient wants to prove to the trusted third party (TTP) that the sender actually signcrypted a message m. So, the recipient forwards to the TTP. Then, the TTP accepts the proof if this equation is valid .
3. Proposed Scheme
3.1. ZSS Signcryption
- Setup Phase
- ParamGen. Given security parameter b and d. Let be a cyclic additive group and be multiplicative cyclic groups with prime order p, P is the generator of group . The bilinear mapping , three hash functions and , and symmetric encryption scheme (). Therefore, the system parameters are . We provided a list of notations that we used in Table 1.
- KeyGen. The sender chooses a random number from , sets it as their secret key and computes their public key . The recipient chooses a random number from , sets it as their secret key , and computes their public key .
- Signcryption. The user, as sender S, generates a signcryption for each message m as follows.
- Generates .
- Choose and generate , . Then, generate , which is a symmetric encryption key. So, .
- Therefore, the signcryption where V is a ZSS signature of message m, X is the randomness of encryption key generation, and Y is the encryption of message m.
- Unsigncryption. After receiving from the sender S, the recipient R starts the unsigncryption process.
- R parses to get .
- Computes and .
- Decrypt Y to get message m. So, .
3.2. Data Verification Use Case
- The user divides data F into n shards of m. .
- The user does a signcryption process for each data shard and generates , where i is the index of each data shard.
- Therefore, the Signcryption . The set of signcrypted data is .
- The user stores the set of signcryption to the CSP.
- The user stores the set of Signature to their local storage.
- The CSP verifies data from the user by parsing each to . Then the CSP does the unsigncryption process. If successful, it stores the user’s data; otherwise, it rejects it.
- When the user wants to verify their stored data in CSP, they generate a set of random numbers and also the set of the signature of the challenged data shards , where i is the index of stored challenged data shards. Then, they send those two variables to the TPA.
- Upon receiving the request from the user, the TPA randomly chooses from and generates a challenge . Then, it sends to the corresponding CSP.
- After receiving from the TPA, the CSP computes . Then, they can compute to decrypt . Therefore, . After that, the CSP generates proof and sends it to the TPA.
- The TPA generates proof .
- Subsequently, the TPA checks whether Equation (5) holds.
- Finally, the TPA reports the verification results to the user.
4. Discussion and Security Analysis
4.1. Correctness
4.2. Unforgeability
- Malicious CSP. A malicious CSP cannot forge proof because every time the TPA sends a challenge, a random value f will be given in the variable. The CSP will generate proof based on f from the TPA as shown in Equation (3), and the value f is different for each data shard. Even if we further assume that the malicious CSP forges , namely , the verification process done by the TPA in Equation (5) shows that the TPA must validate with two other variables, the sender’s public key and proof generated by the TPA, which also contains the value f. Therefore, the cannot make Equation (5) hold. Another case is when a malicious CSP tries to deceive the verifier by replacing the challenged data block with another data block when the former data block is broken. Accordingly, the proof becomes . So, Equation (5) can be represented as . Hence, we have . However, cannot be equal to due to the anti-collision property of the hash function. Therefore, it is infeasible to make Equation (9) hold, and the proof from the CSP cannot pass the verification process.
- Malicious Verifier. A malicious verifier/TPA cannot forge verification results because the verifier/TPA must generate proof that requires V, which is a signature generated by the user as shown in Equation (4). We further assume that the malicious verifier forges proof . To generate variable V, the malicious verifier needs the user’s private key and original message . Our proposed scheme provides privacy-preserving and blockless verification properties, meaning the verifier is capable of verifying the data without receiving the original message from the user or CSP. So, without the possession of those two variables, and , it is impossible to generate a forged and make the equation hold. Neither a malicious CSP nor a malicious verifier can calculate the user’s private key from the public key under the Inv-CDHP assumption. Furthermore, in the verification process, the verifier needs to validate with two other variables, the sender’s public key and proof generated by the CSP as shown in Equation (5). Therefore, it is infeasible to make the equation hold, where .
4.3. Desirable Properties Analysis
- Public verifiability. Our proposed scheme provides the public verifiability property shown in Equation (5), where we presented a use case in which a TPA can verify data stored in the CSP. So, the user can appoint another party besides the CSP to do the data integrity verification process. The comparison with four other works in Table 2 shows that only [14] fulfilled this property. Unfortunately, in [19,20,21], only the appointed recipient can verify the data because their protocols did not permit other parties to verify stored data.
- Privacy-preserving. Our scheme can guarantee that the TPA cannot know the users’ data during a verification process. As shown in Equation (3), the CSP sends proof to the TPA that is not generated from the user’s original data. Furthermore, in Equation (4) generation, the TPA only computes the message’s signature , not the original data. Thus, our scheme can prevent data leaks to the TPA during the verification process. The other works that provide this property are [19,20,21]. Meanwhile, [14] does not support this property because, in that protocol, the user must send the verifier the original message that is to be verified. By doing so, the user’s confidential data would be leaked to other parties.
- Blockless Verification. Our scheme supports blockless verification. In blockless verification, the verifier does not need to download all the challenged data blocks to do the verification process. Equation (5) shows that no original data is downloaded from the CSP when the TPA does a verification process. This is more efficient than downloading the data beforehand. Table 2 shows that only [20] supports this property. The three other works [14,19,21] did not offer this property because the verifier must possess the original message before he can do the verification process.
4.4. Computational Cost
5. Conclusions
References
1. Sookhak, M.; Gani, A.; Talebian, H.; Akhunzada, A.; Khan, S.U.; Buyya, R.; Zomaya, A.Y. Remote data auditing in cloud computing environments: A survey, taxonomy, and open issues. ACM Comput. Surv. (CSUR) 2015, 47, 1–34.
2. Garg, N.; Bawa, S. Comparative analysis of cloud data integrity auditing protocols. J. Netw. Comput. Appl. 2016, 66, 17–32.
3. Zhang, C.; Xu, Y.; Hu, Y.; Wu, J.; Ren, J.; Zhang, Y. A blockchain-based multi-cloud storage data auditing scheme to locate faults. IEEE Trans. Cloud Comput. 2021.
4. He, K.; Shi, J.; Huang, C.; Hu, X. Blockchain based data integrity verification for cloud storage with T-merkle tree. In International Conference on Algorithms and Architectures for Parallel Processing; Springer: Berlin/Heidelberg, Germany, 2020; pp. 65–80.
5. Xie, G.; Liu, Y.; Xin, G.; Yang, Q. Blockchain-Based Cloud Data Integrity Verification Scheme with High Efficiency. Secur. Commun. Netw. 2021, 2021, 9921209.
6. Ateniese, G.; Burns, R.; Curtmola, R.; Herring, J.; Kissner, L.; Peterson, Z.; Song, D. Provable data possession at untrusted stores. In Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 28–31 October 2007; pp. 598–609.
7. Juels, A.; Kaliski, B.S., Jr. PORs: Proofs of retrievability for large files. In Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 28–31 October 2007; pp. 584–597.
8. Ping, Y.; Zhan, Y.; Lu, K.; Wang, B. Public data integrity verification scheme for secure cloud storage. Information 2020, 11, 409.
9. Zheng, Y. Digital signcryption or how to achieve cost (signature & encryption) ≪ cost (signature)+ cost (encryption). In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 1997; pp. 165–179.
10. Zheng, Y. Signcryption and its applications in efficient public key solutions. In International Workshop on Information Security; Springer: Berlin/Heidelberg, Germany, 1997; pp. 291–312.
11. Libert, B.; Quisquater, J.J. A new identity based signcryption scheme from pairings. In Proceedings of the 2003 IEEE Information Theory Workshop (Cat. No. 03EX674), Paris, France, 31 March–4 April 2003; pp. 155–158.
12. Boyen, X. Multipurpose Identity-Based Signcryption: A Swiss Army Knife for Identity-Based Cryptology, Crypto’03, LNCS 2729; Springer: Berlin/Heidelberg, Germany, 2003.
13. Cui, W.J.; Jia, Z.J.; Hu, M.S.; Wang, L.P. A new signcryption scheme based on elliptic curves. In International Conference on Security and Privacy in New Computing Environments; Springer: Berlin/Heidelberg, Germany, 2019; pp. 538–544.
14. Ma, C. Efficient Short Signcryption Scheme with Public Verifiability. In Information Security and Cryptology; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4318, pp. 118–129.
15. Bao, F.; Deng, R.H. A signcryption scheme with signature directly verifiable by public key. In International Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 1998; pp. 55–59.
16. Chow, S.S.; Yiu, S.M.; Hui, L.C.; Chow, K. Efficient forward and provably secure ID-based signcryption scheme with public verifiability and public ciphertext authenticity. In International Conference on Information Security and Cryptology; Springer: Berlin/Heidelberg, Germany, 2003; pp. 352–369.
17. Toorani, M.; Beheshti, A. A directly public verifiable signcryption scheme based on elliptic curves. In Proceedings of the 2009 IEEE Symposium on Computers and Communications, Sousse, Tunisia, 5–8 July 2009; pp. 713–716.
18. Zhang, F.; Safavi-Naini, R.; Susilo, W. An Efficient Signature Scheme from Bilinear Pairings and Its Applications. In Public Key Cryptography—PKC 2004, Proceedings of the 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 1–4 March 2004; Springer: Berlin/Heidelberg, Germany, 2004; Volume 2947, pp. 277–290.
19. Eltayieb, N.; Elhabob, R.; Hassan, A.; Li, F. A blockchain-based attribute-based signcryption scheme to secure data sharing in the cloud. J. Syst. Archit. 2020, 102, 101653.
20. Yang, X.; Li, T.; Xi, W.; Chen, A.; Wang, C. A blockchain-assisted verifiable outsourced attribute-based signcryption scheme for EHRs sharing in the cloud. IEEE Access 2020, 8, 170713–170731.
21. Alamer, A. An efficient group signcryption scheme supporting batch verification for securing transmitted data in the Internet of Things. J. Ambient. Intell. Humaniz. Comput. 2020, 1–18.
22. Boneh, D.; Lynn, B.; Shacham, H. Short signatures from the Weil pairing. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2001; pp. 514–532.
| Notation | Description |
|---|---|
| | Security parameter |
| | Cyclic additive group |
| | Multiplicative cyclic group |
| P | Generator of group |
| | Symmetric encryption operation |
| | Symmetric decryption operation |
| | Sender’s secret key |
| | Sender’s public key |
| | Recipient’s secret key |
| | Recipient’s public key |
| m | Original message |
| n | Total number of shards |
| V | ZSS signature of message m |
| X | Randomness of encryption key generation |
| Y | Encryption of message m |
Ref | Public Verifiability | Privacy-Preserving | Blockless Verification |
---|---|---|---|
[14] | √ | × | × |
[19] | × | √ | × |
[20] | × | √ | √ |
[21] | × | √ | × |
Proposed Scheme | √ | √ | √ |
| Ref | S/R | Signature Type | Signature Size (bits) | Computational Cost | Time Complexity |
|---|---|---|---|---|---|
| [19] | S | Attribute-based | n/a | | |
| | R | | | P | |
| [20] | S | Attribute-based | n/a | | |
| | R | | | | |
| [21] | S | BLS | 160 | | |
| | R | | | n/a | n/a |
| [14] | S | ZSS | 260 | | |
| | R | | | | |
| Proposed Scheme | S | ZSS | 260 | | |
| | R | | | | |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Witanto, E.N.; Lee, S.-G. Cloud Storage Data Verification Using Signcryption Scheme. Appl. Sci. 2022, 12, 8602. https://doi.org/10.3390/app12178602