Data Security Protocol with Blind Factor in Cloud Environment

Compared with the traditional system, cloud storage users have no direct control over their data, so users are most concerned about security for their data stored in the cloud. One security requirement is to resolve any threats from semi-trusted third-party key managers. The proposed data security for cloud environment with semi-trusted third party (DaSCE) protocol has solved the security threat of key managers to some extent but has not achieved positive results. Based on this, this paper proposes a semi-trusted third-party data security protocol (ADSS), which can effectively remove this security threat by adding a time stamp and a blind factor to prevent key managers and intermediaries from intercepting and decrypting user data. Moreover, the ADSS protocol is proved to provide indistinguishable security under a chosen ciphertext attack. Finally, the performance evaluation and simulation of the protocol show that the ADSS security is greater than DaSCE, and the amount of time needed is lower than DaSCE.


Introduction
Cloud computing is expected to be the next generation of IT enterprise architecture. It is one of the best choices for big data processing and analysis, allowing users to remotely store and analyze their data with shared computing resources [1]. With the rapid growth in user data scale, cross-user cloud storage has become the mainstream application form for data storage; from simple backup systems to cloud storage systems, users can use low-cost, scalable online services [2]. Users outsource data to the cloud server, which performs data storage and management. This form of application fundamentally changes the way resources are deployed and services are provided, avoiding the heavy costs of local hardware maintenance [3].
At present, in the scenario of data storage encryption hosted by a third party, the common products are: Ali ESC cloud disk encryption, Tencent data encryption service CloudHSM, etc., which have the advantages of minor changes, minor expenses, being suitable for large-scale data storage, and remote reading [4]. Cloud computing has many advantages, but it also faces some problems and challenges, such as the security, performance, and quality of the cloud, mentioned in the literature [5][6][7].
A cloud computing environment means that users will work within the network environment. User data security is restricted by the level of service technology provided by cloud computing service providers, and users themselves also affect the security of the cloud computing environment [8]. The potential of cloud services has yet to be fully realized due to user concerns about the security and privacy of their data in cloud services. These concerns are primarily about cloud operators reducing access to sensitive data, making cloud computing less acceptable in many areas, such as the financial sector and with government agencies. Cloud providers and tenants may be untrusted entities attempting to tamper with or compute data storage [9,10]. These threats to data security have spurred the need to use encryption to achieve cloud computing security goals.
Encryption technology provides an alternative method to ensure data privacy and confidentiality. However, in cases with encryption, key management becomes the primary issue [11]. Therefore, in the cloud environment, it is imperative to put forward a protocol that can guarantee user data security.
In 2019, Wu and Ling [12] proposed an improved cloud storage data integrity verification method, using bilinear to verify the data integrity of the technology to achieve an open verification function, and they designed an index table mechanism for dynamic verification. However, this method does not introduce the key manager and does not encrypt the files uploaded to the cloud storage.
To isolate user data information from user identity information, Zhan and Nie [13] proposed a cloud storage architecture protocol based on trusted third parties, which realized service quality evaluations for cloud storage providers to trusted third parties and used quality evaluation systems of trusted third parties to evaluate cloud storage providers. He et al. [14] proposed a data security protocol for trusted third-party platforms based on RSA one-time keys. RSA one-time key technology is used to realize the functions of secure encryption data. Then, one-time key generation is managed by a trusted third-party platform. Qian and Xie [15] proposed a CP-ABE cloud storage access control protocol based on trusted third parties. Based on the data block, the protocol effectively solves problems in data security, client key management and distribution, and excessive loads by introducing a trusted third party and uses CP-ABE mechanisms to ensure secure access control. To solve the problem of data sharing security in the multicloud storage system (MC-SS), Zhou et al. [16] designed an attribute mapping mechanism, which extended the attribute-based encryption based on ciphertext policy (CP-ABE) and proposed an ABE access control model with multi-authority CP to meet access control requirements for multicloud storage. However, in the real environment, access control protocols based on trusted third parties are ideal, and the protocols based on semi-trusted third parties are more practical and operable than the protocol based on trusted third parties.
Akhila et al. [17] proposed a data security system protocol based on semi-trusted third parties in the cloud environment. The system provides key management, access controls, and file confirmation and deletion. The protocol uses the Shamir threshold secret sharing algorithm to manage the keys. Jin et al. [18] proposed BTDA, a semi-trusted third-party dynamic cloud data update audit protocol. The semi-trusted third party deals with update audits instead of users, so during the update audit process, the user can be offline, thereby reducing the communication costs and the computational costs on the user side. BTDA uses data blinding and proxy re-signature technology to prevent semi-trusted third parties and cloud servers from obtaining sensitive user data. Tang et al. [19] designed and implemented the file assure deletion (FADE) protocol, a secure overlay cloud storage system that achieves fine-grained, policy-based access control and assured file deletion. It associates outsourced files with file access policies, and assuredly deletes files to ensure they are unrecoverable by anyone upon revocations of file access policies. FADE is built upon a set of cryptographic key operations that are self-maintained by a quorum of key managers that are independent of third-party clouds. In addition, as an extension of FADE, Tang and other methods are still based on CP-ABE for access control. Ali et al. [20] considered that there is a man-in-the-middle attack between clients and key managers in FADE, so they added key exchanges and digital signatures, and proposed DaSCE, in which key managers are semi-trusted third parties, and the system also provides key management, access controls, file guarantee deletion, and other functions.
Reviewing the DaSCE protocol for cloud environments with semi-trusted third parties proposed in [21]: although Ali analyzed some problems existing in the FADE protocol, treated the key manager as a semi-trusted third party, and protected against the man-in-the-middle attack between the client and key managers (KM), the protocol did not resolve the security threat from KM well (KM intercepts and decrypts the communication data between the client and cloud). Even in the case of multiple key managers, if they conspire to attack, the threat still exists. Based on this, we propose a more secure protocol, ADSS.
1. Adversary A, on input $1^n$, outputs a pair of messages $m_0, m_1$ of the same length.
2. Run $\mathrm{Gen}(1^n)$ to generate a key $k$ and select a random bit $b \leftarrow \{0, 1\}$; the ciphertext $c \leftarrow \mathrm{Enc}_k(m_b)$ is computed and given to A. $c$ is the challenge ciphertext.

If $\mathrm{Priv}^{eav}_{A,\Pi}(n) = 1$, it means success. A private key encryption protocol $\Pi$ is indistinguishable against eavesdropping adversaries if, for any PPT adversary A, there exists a negligible function $\mathrm{negl}(n)$, such that:

Indistinguishability of Chosen Ciphertext Attack
The test $\mathrm{Priv}^{cca}_{A,\Pi}(n)$ is defined as follows:

2. Adversary A, on input $1^n$ and using the oracles $\mathrm{Enc}_k$ and $\mathrm{Dec}_k$, outputs two messages of equal length $m_0, m_1$.

4. Adversary A continues to use the oracles $\mathrm{Enc}_k$ and $\mathrm{Dec}_k$. Restriction: A cannot query the plaintext of ciphertext $c$. A outputs a bit $b' \in \{0, 1\}$.

If $\mathrm{Priv}^{cca}_{A,\Pi}(n) = 1$, then A is successful. A private key encryption protocol $\Pi$ has indistinguishable encryption under the chosen ciphertext attack (CCA) if, for any PPT adversary A, there exists a negligible function $\mathrm{negl}(n)$, such that:

Large Integer Factorization
Large integer factorization problem (IF problem): Given an odd composite number $N$, find its prime factorization $N = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$, where the $p_i$ are distinct prime numbers, $e_i$ is the multiplicity of $p_i$, and $e_i \geq 1$.
Large integer factorization difficult hypothesis (IF hypothesis): An integer resolver is a PPT algorithm A, which satisfies the probability $\omega > 0$ : Let IG be an integer generator that, on input $1^\lambda$, outputs $N = pq$ of $2\lambda$ bits in time polynomial in $\lambda$, where $p$ and $q$ are random odd prime numbers of $\lambda$ bits. For all sufficiently large $\lambda$, there is no large integer factorization algorithm generated by $\mathrm{IG}(1^\lambda)$.

FADE Security
In FADE [19], the symbols and their meanings are listed in Table 1, and $K$ and $S_i$ are random symmetric keys generated by the client. In the file upload phase, the client sends a policy file $P_i$ to KM; KM generates the private key $(d_i, n_i)$ (kept secret) and the public key $(e_i, n_i)$ (sent to the client) associated with $P_i$; the client encrypts $S_i$ to obtain $S_i^{e_i} \bmod n_i$, and then encrypts $K$ with $S_i$ to get $\{K\}_{S_i}$. After that, the client uploads $P_i$, $\{F\}_K$, $\{K\}_{S_i}$, $S_i^{e_i} \bmod n_i$ to the cloud, and finally clears the local keys and files. For the sake of simplicity, we will omit "$\bmod\ n_i$" in the discussion.
In the file download phase, after downloading the file and encryption key from the cloud, the client generates a random value $R$ as the blinding factor and calculates $R^{e_i}$, multiplies it by $S_i^{e_i}$ to obtain $(S_i R)^{e_i}$, and sends $(S_i R)^{e_i}$ to the key manager KM to decrypt. KM decrypts $(S_i R)^{e_i}$ with $d_i$ and returns $S_i R$ to the client. The client decomposes $S_i$ from $S_i R$, decrypts $K$, and finally decrypts $F$. The aforementioned is the file upload and download situation of a single key manager; the case of multiple key managers will not be repeated.
Ali [16] believes that when there is an intruder attack between the client and KM in the file upload phase of the FADE protocol (see Figure 1), the intermediary can intercept $P_i$ and send $P_j$ (a forged $P_i$) to KM, and then KM sends $(e_i, n_i)$. The intermediary intercepts $(e_i, n_i)$ and sends the forged parameter $(e_j, n_j)$ to the client. The client uses $(e_j, n_j)$ to encrypt the key and uploads to the cloud, and the client cannot determine whether the $(e_j, n_j)$ received is from KM or other parties. In the file download stage, the intermediary can use its private key $(d_j, n_j)$ to intercept and decrypt the data. Similarly, in cases of multiple key managers, upload and download also face the same security problems.

DaSCE File Upload
To determine a session key, Ali assumes that parameters $\alpha$ and $p$ are fixed and open to all parties, where $\alpha$ is a large number serving as the primitive root and $p$ is a big prime number. The entire process consists of the following steps:
1. The client generates a random number $x$, calculates $\alpha^x \bmod p$, and sends it to KM.
2. KM generates a random number $y$ and computes $\alpha^y \bmod p$. KM also computes $(\alpha^x)^y$ as the session key $K$ between itself and the client.
3. KM generates the digital signature $S_{KM}\{\alpha^y, \alpha^x\}$ and uses the session key to
5. The client first computes the session key $K = (\alpha^y)^x$ and decrypts $E_k(S_{KM}\{\alpha^y, \alpha^x\})$, then verifies the signature.
6. The client calculates $E_k(S_{Cli}\{\alpha^x, \alpha^y\})$ and $E_k(P_i)$, and sends them to KM.
7. KM verifies the digital signature of the client, after which KM decrypts $P_i$, generates $(e_i, n_i)$ related to $P_i$, and saves $P_i$.
8. KM calculates $E_k(e_i, n_i)$ and sends it to the client.
9. The client encrypts the file $F$ with the data key $K$, computes the MAC with $IK$ (to verify the integrity of $F$), encrypts $K$ and $IK$ with $S_i$, then uses $e_i$ to encrypt $S_i$, and uploads the encrypted data to the cloud.
10. The client deletes all keys except the public key parameters sent by KM.
The file upload process can be seen in Figure 2. For simplicity, the $\bmod\ p$ used in calculating the session key is omitted. The multi-key managers file upload, according to the Shamir $(k, N)$ threshold secret sharing algorithm, can be seen in Figure 3. $S_i$ is divided into $N$ shares, and each of the $N$ KMs generates a pair of public and private keys.

DaSCE File Download
The DaSCE single key manager file download process is similar to FADE, but to prevent man-in-the-middle attacks, the session key should first be established between the client and KM, and the communication is then encrypted with that key.
For DaSCE file downloads with multiple key managers (see Figure 4), after downloading the ciphertext from the cloud, the client determines the session key with the $N$ KMs, selects a random number $R$, computes $S_{i1}^{e_{i1}} R^{e_{i1}}, \cdots, S_{iN}^{e_{iN}} R^{e_{iN}}$, and sends them separately to the $N$ KMs for decryption. The client extracts $S_i$ from the received $S_i R$. According to the Shamir $(k, N)$ threshold secret sharing algorithm, $S_i$ can be generated from at least $k$ shares of $S_i$, and the client finally decrypts the file $F$.

System Model
The system model for this paper (see Figure 5) includes the following entities: User (US), (single or multiple) KM, and the Cloud. Considering that the user may change the client (so use US instead of Client), save local storage space, and avoid information disclosure due to attacks, users will clear a large number of local keys and files after uploading data to the cloud. To share the security risks, restrict the cloud, and save computing resources, the user US connects with the key manager KM, which is the entity managing the key certificates in the network. It can provide high-performance computing services and can quickly encrypt or decrypt data for users. The general process for the model is below:
1. The user encrypts the data by using the public key provided by the key manager KM, uploads the ciphertext to the cloud, then clears a large number of local keys and files, and only stores the blind factor and associated information in its USB-key (UKey).
2. After downloading the ciphertext from the cloud, the user transmits some ciphertext to KM for decryption, and then the user decrypts the plain text by using its blind factor.

Security Model
In ADSS, KM is semi-trusted. It may launch an active attack on the communication between users and the cloud to intercept and decrypt the data uploaded or downloaded by users. Of course, a middleman can launch the same attack. In cases of multiple key managers, it is also possible to intercept and decrypt user data if the key managers conspire to attack. In the ADSS security model, the KM or middleman is called attacker A, and the new protocol is required to resist the attack from A. The indistinguishability under chosen ciphertext attack (IND-CCA) security of the protocol is defined by the interactive game between attacker A and the challenger:
1. Initialization. The challenger generates the system ADSS; adversary A obtains the public key of ADSS.
2. Ask. Adversary A makes a decryption inquiry to the challenger. After the challenger decrypts, he gives the plain text to adversary A.
3. Challenge. Adversary A outputs two messages of the same length $m_0, m_1$, and then receives ciphertext $C_b$ from the challenger, where the random value $b \leftarrow \{0, 1\}$.
4. Guess. Adversary A outputs $b'$; if $b' = b$, then the attack of adversary A is successful.

ADSS Protocol
To make up for the shortcomings of FADE and DaSCE protocols, completely eliminating the security threat of KM, we propose the ADSS protocol. $K_i$ is a random symmetric key generated by user Us, corresponding to $P_i$. Us encrypts file $F$ with data key $K_i$, and encrypts $K_i$ with public and private key pair $(e_i, n_i)$ generated by KM.

File Upload
When the data are uploaded to the cloud (see Figure 6), the user sends a policy file $P_i$ to KM and requests it to generate a pair of public and private keys. KM generates a public-private key pair associated with $P_i$ and sends the public key $(e_i, n_i)$ to the user. Different from the DaSCE protocol, the user encrypts file $F_i$ with $K_i$ to generate $\{F_i\}_{K_i}$, generates a random blinding factor $R_i$ with time stamp $t$, calculates $R_i^{e_i}$, and multiplies it by $K_i^{e_i}$ to obtain $(K_i R_i)^{e_i}$. After that, the user uploads $P_i$, , $t$ to the cloud. Finally, the user clears all local keys and files and only stores the related policy file $P_i$, blinding factor $R_i$, and time stamp $t$ in his personal UKey.
The case of multiple key managers (see Figure 7). The biggest difference from a single key manager is that users use the threshold secret sharing algorithm Shamir $(k, N)$ (where $1 \leq b \leq N$) to divide $K_i$ into $N$ shares $K_{i1}, \cdots, K_{iN}$, and then blind encrypt them, respectively.
$Us \rightarrow KM_1, \cdots, KM_N : P_i$
$KM_1, \cdots, KM_N \rightarrow Us : (e_{i1}, n_{i1}), \cdots, (e_{iN}, n_{iN})$
$Us :$

File Download
After downloading the file and encryption key from the cloud, the user sends $P_i$, $(K_i R_i)^{e_i}$ to the key manager KM for decryption. KM decrypts $(K_i R_i)^{e_i}$ with $d_i$ and returns $K_i R_i$ to the user. The user finds the corresponding blinding factor $R_i$ from its UKey through the policy file $P_i$ and time stamp $t$, then decomposes $K_i$ from $K_i R_i$, and finally decrypts to get $F_i$. The specific process is shown in Figure 8.
Information 2021, 12, 340
The case of multiple key managers (see Figure 9). Users download $P_i, (K_{i1} R_i)^{e_{i1}}, \cdots, (K_{iN} R_i)^{e_{iN}}, \{F_i\}_{K_i}, t$ from the cloud and send $P_i, (K_{i1} R_i)^{e_{i1}}$, $\cdots$, $P_i, (K_{iN} R_i)^{e_{iN}}$ to $KM_1, \cdots, KM_N$ to decrypt. $b$ key managers perform decryption and return the $b$ values $K_{ii} R_i$ to the user; users find the corresponding blinding factor $R_i$ from their UKey through the policy file $P_i$ and time stamp $t$, and then decompose the $b$ shares $K_{ii}$ from the $K_{ii} R_i$. Then, the user can recover $K_i$ from $K_{ii}, \cdots, K_{i,i+b-1}$ by Shamir $(k, N)$, and finally decrypt $\{F_i\}_{K_i}$ with $K_i$.
Figure 9. ADSS multi-KM file download.
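The multi-KM upload and download described above, as an added example that is not code from the paper: Shamir $(k, N)$ sharing of $K_i$, blinding of every share with one $R_i$, recovery from the decryptions of $b$ key managers, and the value that the same $b$ key managers obtain without $R_i$. The Mersenne-prime moduli, the 61-bit field, `policy-42`, the time stamp and all function names are constructed for illustration, and keys are random integers rather than the large primes the text specifies.

```python
import secrets

# Constructed toy parameters (not from the paper): Mersenne primes give the
# Shamir field and three KM moduli. Textbook RSA without padding, as in the text.
FIELD = 2**61 - 1
E = 65537
KM_PRIMES = [(2**89 - 1, 2**107 - 1), (2**127 - 1, 2**521 - 1), (2**607 - 1, 2**1279 - 1)]


def rsa_keypair(p, q):
    """Return ((e, n), d) for one key manager."""
    return (E, p * q), pow(E, -1, (p - 1) * (q - 1))


def split(secret, k, n_shares):
    """Shamir (k, N): points on a random degree k-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(FIELD) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, j, FIELD) for j, c in enumerate(coeffs)) % FIELD)
            for x in range(1, n_shares + 1)]


def recover(points):
    """Lagrange interpolation at x = 0 over the field."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * -xj % FIELD
                den = den * (xi - xj) % FIELD
        total = (total + yi * num * pow(den, -1, FIELD)) % FIELD
    return total


def adss_multi_upload(pubkeys, k_i, k, policy, t, ukey):
    """Split K_i, blind every share with the same R_i, wrap share j for KM_j."""
    r_i = 2 + secrets.randbelow(2**60)          # blinding factor, stays on the UKey
    ukey[(policy, t)] = r_i
    shares = split(k_i, k, len(pubkeys))
    wrapped = [(x, pow(s * r_i, e, n)) for (x, s), (e, n) in zip(shares, pubkeys)]
    return {"policy": policy, "t": t, "wrapped": wrapped}


def adss_multi_download(record, km_ids, keys, ukey):
    """b KMs each return K_ij * R_i; the user divides out R_i and interpolates."""
    r_i = ukey[(record["policy"], record["t"])]
    points = []
    for j in km_ids:
        (_, n), d = keys[j]
        x, c = record["wrapped"][j]
        points.append((x, pow(c, d, n) * pow(r_i, -1, n) % n))
    return recover(points)


def colluding_kms_view(record, km_ids, keys):
    """What b colluding KMs interpolate from their decryptions when R_i is unknown."""
    points = []
    for j in km_ids:
        (_, n), d = keys[j]
        x, c = record["wrapped"][j]
        points.append((x, pow(c, d, n) % FIELD))
    return recover(points)


def demo():
    keys = [rsa_keypair(p, q) for p, q in KM_PRIMES]
    ukey = {}
    k_i = 1 + secrets.randbelow(FIELD - 1)      # constructed data key, non-zero
    record = adss_multi_upload([pub for pub, _ in keys], k_i, 2,
                               "policy-42", 1700000000, ukey)
    user = adss_multi_download(record, [0, 2], keys, ukey)
    colluders = colluding_kms_view(record, [0, 2], keys)
    return k_i, user, colluders, ukey[("policy-42", 1700000000)]


if __name__ == "__main__":
    k_i, user, colluders, r_i = demo()
    print("user recovers K_i:", user == k_i)
    print("colluding KMs hold K_i * R_i mod q:", colluders == k_i * r_i % FIELD)
```

Because interpolation is linear, the colluding key managers end up with $K_i R_i$ reduced modulo the field prime rather than $K_i$, which is the multi-KM form of the blinded value the single-KM case leaves them with.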

Security Analysis
To prevent network sniffing attacks and security threats from the key manager, DaSCE does not add the blind factor $R$ before the user uploads the file. After downloading the file, the blind factor $R$ is added before sending $S_i^{e_i}$ to KM. Although this can prevent network sniffing attacks, it cannot prevent the KM from actively attacking the communication between users and the cloud to intercept and decrypt the data. To prevent man-in-the-middle attacks, Ali exchanged the key between the client and KM first and added a digital signature, but this measure still cannot prevent KM from intercepting $S_i^{e_i}$ and decrypting $S_i$ in advance. In cases of multiple key managers, it is also possible to intercept and decrypt user data if the key managers conspire to attack.
In this protocol, users add the blinding factor $R_i$ before uploading files. The specific operation is that the user first generates $R_i$ locally, calculates $(K_i R_i)^{e_i}$, and uploads it to cloud storage, along with other data. After that, when users communicate with the cloud (whether uploading or downloading files), only users know $R_i$; even if KM or a middleman intercepts data, it is difficult to decompose $K_i$ from $K_i R_i$ ($K_i$ and $R_i$ are random large prime numbers) [22]. In the case of multiple key managers, if the key managers conspire to attack, they will encounter the same difficulty.
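The difference argued above, as an added example that is not code from the paper: the same key manager decrypts the wrapped key it finds in an intercepted cloud record, once for the DaSCE/FADE layout ($S_i^{e_i}$ stored, blinding only at download) and once for the ADSS layout ($(K_i R_i)^{e_i}$ stored, $R_i$ kept on the UKey). Only the key-wrapping step is modelled; session keys, signatures and file encryption are left out, and the toy modulus, `policy-42`, the time stamp, the random-integer keys and all function names are assumptions.

```python
import secrets
from math import gcd

# Constructed toy parameters: two Mersenne primes give a ~196-bit modulus.
# Textbook RSA without padding, matching the paper's notation; not for real use.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537


class KeyManager:
    """Semi-trusted KM: keeps d_i secret, publishes (e_i, n_i), decrypts on request."""

    def __init__(self):
        self.n = P * Q
        self.e = E
        self._d = pow(E, -1, (P - 1) * (Q - 1))

    def public_key(self):
        return self.e, self.n

    def decrypt(self, c):
        return pow(c, self._d, self.n)


def random_key(n, bits=128):
    """Random value in (1, 2**bits) that is invertible mod n (assumed key format)."""
    while True:
        v = secrets.randbits(bits)
        if v > 1 and gcd(v, n) == 1:
            return v


def dasce_upload(km, s_i):
    """DaSCE/FADE upload: the cloud stores S_i^{e_i} with no blinding."""
    e, n = km.public_key()
    return {"wrapped": pow(s_i, e, n)}


def dasce_download(km, record):
    """DaSCE/FADE download: R is chosen only now, for the request to KM."""
    e, n = km.public_key()
    r = random_key(n)
    blinded = record["wrapped"] * pow(r, e, n) % n      # (S_i R)^{e_i}
    return km.decrypt(blinded) * pow(r, -1, n) % n      # S_i R -> S_i


def adss_upload(km, k_i, policy, t, ukey):
    """ADSS upload: blind before upload; only (P_i, t) -> R_i stays with the user."""
    e, n = km.public_key()
    r_i = random_key(n)
    wrapped = pow(k_i, e, n) * pow(r_i, e, n) % n       # (K_i R_i)^{e_i}
    ukey[(policy, t)] = r_i
    return {"policy": policy, "wrapped": wrapped, "t": t}


def adss_download(km, record, ukey):
    """ADSS download: KM returns K_i R_i; the user divides out R_i from the UKey."""
    _, n = km.public_key()
    r_i = ukey[(record["policy"], record["t"])]
    return km.decrypt(record["wrapped"]) * pow(r_i, -1, n) % n


def km_view_of_stored_record(km, record):
    """Value a KM obtains by decrypting the wrapped key from an intercepted record."""
    return km.decrypt(record["wrapped"])


def demo():
    km, ukey = KeyManager(), {}
    _, n = km.public_key()
    s_i, k_i = random_key(n), random_key(n)
    dasce_rec = dasce_upload(km, s_i)
    adss_rec = adss_upload(km, k_i, "policy-42", 1700000000, ukey)  # constructed values
    return {
        "dasce_user_recovers": dasce_download(km, dasce_rec) == s_i,
        "dasce_km_learns_key": km_view_of_stored_record(km, dasce_rec) == s_i,
        "adss_user_recovers": adss_download(km, adss_rec, ukey) == k_i,
        "adss_km_learns_key": km_view_of_stored_record(km, adss_rec) == k_i,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```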

Theorem 1.
In the case of large integer factorization difficulties, the ADSS protocol is IND-CCA secure for semi-trusted third-party KM attacks or man-in-the-middle attacks.
Specifically, if an IND-CCA adversary A (KM or middleman) attacks ADSS with a non-negligible advantage ε, then there must be an adversary B who can solve the IF problem with at least a non-negligible advantage 2ε.
Proof: First, we give the IND-CCA game of ADSS as follows: to represent the IND-CCA game of ADSS, then:
1. Run GenADSS to generate $n_i, e_i, d_i, K_i, R_i$, where $n_i, e_i, d_i$ are known, and $K_i, R_i$ are unknown;
2. Randomly select a bit $b \leftarrow \{0, 1\}$, let Send $n_i, e_i, d_i, C^*$ to A; A outputs $b'$.
The adversary cannot decrypt the target ciphertext $C^*$. The advantage of adversary A is defined as:
The following proves that the ADSS protocol can be reduced to the IF (large integer factorization) problem.
Adversary B knows $(n_i, e_i, d_i, \hat{C}_1)$ and, using A (attacking ADSS) as a subroutine, executes the following process: the goal is to calculate $\hat{K}$
1. Choose a random number $\hat{K}_i$ as a guess for (but B does not actually know $\hat{R}_i$), and give $(n_i, e_i, d_i)$ to A.
2. $K_i$ asked: B creates a list L whose elements are triples $(R_i, C_1, K_i)$, with initial value $(*, \hat{C}_1, K_i)$, where $*$ indicates that the value of the component is currently unknown. A can ask L at any time. Let A query $K_i$; B calculates $K_i = \frac{(C_1)^{d_i} \bmod n_i}{R_i}$ and makes the following response:
   a. If there is an item $(R_i, C_1, K_i)$ in L, answer with $K_i$.
   b. If there is an item $(*, C_1, K_i)$ in L, answer with $K_i$ and replace $(*,$
   c. Otherwise, select a random number $K_i$, answer with $K_i$ and store $(R_i, C_1, K_i)$ in the table.
3. Decryption inquiry: When A asks B about $(C_1, C_2)$, B responds as below:
   a. If there is an item in L whose second element is $C_1$ (the item $(R_i, C_1, K_i)$ or $(*, C_1, K_i)$), then $C_2 K_i$ is used to answer.
   b. Otherwise, select a random number $K_i$, answer with $C_2 K_i$ and store $(*, C_1, K_i)$ in L.
5. Guess: A outputs a guess $b'$; B checks L, and if there is an item $(R_i, \hat{C}_1, \hat{K}_i)$, then outputs $\hat{R}_i$.
Let D be the event: when A asks for $\hat{K}_i$ (that is ) in the simulation, $\hat{K}_i$ appears in L.
In the above attack, if $\hat{K}_i$ does not appear in L, then A fails to obtain $\hat{K}_i$. According to the security of $\hat{C}_2$
That is:
Therefore, in the above simulation process, $\hat{R}_i$ appears in L at least with the probability of $2\varepsilon$. B checks the elements in L one-by-one in step 5, so the probability of success of B is equal to $\Pr[D]$; therefore, B at least solves the IF problem with a non-negligible advantage $2\varepsilon$, which is obviously in contradiction with the difficulty of large integer factorization, so the advantage $\varepsilon$ of an IND-CCA adversary A (KM or middleman) to break ADSS is negligible. Therefore, the ADSS protocol is IND-CCA secure, and the theorem is proved.

Simulation Experiment
The protocol has been verified in some universities for simulation experiments, in which the performance parameters of the cloud server are: 600 MB bandwidth, 16-core CPU, 64 GB memory, 8 TB storage; the performance parameters for the KM server are: 32-core CPU, 128 GB memory, 1 TB storage. Two computers are used to simulate the user to upload and download. Both computers are desktop computers (4-core CPU, 8 GB memory, 500 GB storage). We select files with sizes of 1 KB, 3 KB, 10 KB, 30 KB, 100 KB, 300 KB, 1 MB, 3 MB and 10 MB, respectively, for simulation test. In the upload and download phase, the time cost of ADSS and DaSCE protocols is shown in Tables 2 and 3, the unit of time cost is seconds.

Performance Analysis
In the file upload stage, compared with DaSCE, this solution adds the blinding calculation and UKey storage, and eliminates the key exchange (including the digital signature) and one encryption calculation $\{K\}_{S_i}$, so the running time for this solution should be shorter than DaSCE at this stage.
In the file download stage, compared with DaSCE, this solution adds the user's read from the UKey, and eliminates the need for blind calculations, key exchanges (including the digital signature), and one-time encryption calculation $\{K\}_{S_i}$. Therefore, the running time of this solution at this stage should be shorter than that of DaSCE.
In summary, the total running time for this program should be shorter than DaSCE.

Figure 11. Comparison of file download times in two protocols.

Conclusions
Data security on the cloud affects the development of cloud technology applications. Reasonable and effective security algorithms and access control methods can improve user trust in cloud storage services, and the performance cost for the cloud storage system should also be considered. This paper fully considers security threats from the semi-trusted third-party KM and proposes an ADSS protocol. The analysis and simulation show that the security of this protocol is higher than that of DaSCE, and the running time is shorter than DaSCE, so it has higher practicality and operability.