Efﬁcient Dynamic Integrity Veriﬁcation for Big Data Supporting Users Revocability

.


Introduction
Nowadays, a large amount of data has been gathered and produced by individuals, companies and organizations.Moore's law is broken by the rapid growth of the data scale.The growth of the data scale is far more than the growth of the processing and storage capacity of computer.For companies and organizations, the volumes of those data are often so tremendous that they cannot process and manage it effectively by themselves.In fact, some of them even don't have sufficient disk space to store their data because it's an enormous burden to purchase such a large number of disks.Facing this reality, companies and organizations have to turn to cloud service provider (CSP) for help, e.g., Dropbox, Google Drive and skyDrive.
As one of the dominate services in cloud computing, cloud storage allows users to store data on clouds instead of their local computing systems.By data outsourcing, this kind of new storage service has many advantages such as relieving users' burden in terms of data management and maintenance, universal data access with independent geographical locations and avoiding capital cost on hardware and software.However, at the meantime, cloud storage also brings a number of challenging security problems [1-3] despite its appealing features.Security concerns still deter potential consumers from using the service.One of the major security concerns [1] on the cloud storage service is whether the cloud could ensure the integrity of the stored data.Integrity challenges of data corruption are inevitable [4][5][6], but cloud service providers may not be fully trusted from the view of the interests.Cloud Security Alliance (CSA) conducted a systematic investigation into reported vulnerabilities in cloud computing such as outages, downtimes, and data loss.CSA also released a white paper [7] in 2013 which revealed that the top three threats were "Insecure Interfaces & APIs", "Data Loss & Leakage" and "Hardware Failure".These three threats accounted for 64% of all cloud outage incidents while "Data Loss & Leakage" accounted for 25%.Consequently, guaranteeing the integrity of the data, or data auditing, in cloud is a highly desirable security demand for secure cloud storage.Many researches have been done on checking the integrity for outsourcing data in the cloud.Despite a number of cloud data auditing schemes [8][9][10][11][12][13][14][15] have been proposed with different requirements so far, they are all designed for traditional cloud storage environment without considering the applications for user revocable.
We notice that almost all of the previous public auditing systems are fixed by the user who computes the block tags.In other words, those auditing schemes require that the user of the cloud storage service is always the same one during the entire data period.However, it is impractical.On one hand, the verification information of an auditing system such as the user's public key may expire after a period of time.On the other hand, the user may be a data manager of a company for a time and may leave for some reasons.For example, the data manager may go to work in another company for a higher salary.Therefore, for practical considerations, an auditing scheme should support efficient user revocation.
Recently, a few public auditing schemes for cloud storage systems with user revocation have been presented, e.g., [16][17][18].However those schemes are designed for auditing shared cloud data rather than for revoking inappropriate users when auditing owned cloud data.Moreover, we note that the existing users revocable public cloud storage auditing schemes are either involved or less secure.Specifically, the revocable public cloud storage auditing schemes in [17] and [18] employ the unwieldy dynamic broadcast encryption [19] and group signature [20] techniques respectively.Although the scheme in [16] is more efficient, it can't resist collusion attacks between the cloud and a revoked user.That is, the collusion of the cloud and a revoked user could always deceive an incumbent user into belief that the data in the cloud remains intact even if it's actually not.Thus collusion attack resistance is indispensable in a revocable public cloud storage auditing schemes.As a result, it's crucial to design efficient and collusion-resistant user revocable public auditing schemes.

Related Work
Juels et al. proposed an auditing scheme called Proofs Of Retrievability (POR) while the auditing scheme proposed by Ateniese et al. is called Provable Data Possession (PDP).Shacham-Waters used BLS signature constructed an efficient public verifiable POR scheme [13].Based on their research, many cloud storage auditing schemes have been proposed to verify the data integrity without needing to retrieve entire data [8][9][10][11][12][13].However, the privacy protection of user's data has not yet been considered in most of these schemes [11,13].This shortcoming can greatly affect the safety of these schemes.Therefore, the auditing process should not leak the knowledge of the challenged files to the third-party auditor.In 2013, Wang et al. [9] presented a privacy-preserving public auditing scheme for cloud storage; it resorts to the homomorphic authenticator technique and random masking technique to realize privacy-preserving public auditing and take advantage of the technique of bilinear aggregate signature to realize batch auditing.
All the auditing schemes mentioned above do not consider the user revocation problem, thus those schemes can only be applied to static users.However, user revocation is an obviously inevitable problem.Recently, a few auditing schemes supporting user revocation are published for realizing multi-user shared cloud storage audit.In 2012 Wang et al. [21] first introduced the shared cloud storage auditing issue and proposed a private auditing scheme with user revocation based on group signature [20].In 2013, Wang et al. [17] presented a public auditing scheme with user revocation for shared cloud storage, based on the dynamic broadcast encryption scheme of [19] and the bidirectional proxy re-signature scheme of [21].Later, using a group signature like technique, Yuan and Yu proposed a public version of the scheme in [18].As group signature and dynamic broadcast encryption techniques are both involved, the above revocable auditing schemes are all less efficient in practice.To address this problem, in 2015 Wang et al. presented an efficient revocable public auditing scheme in [16] by just using the bidirectional proxy re-signature scheme of [22].However, we note that the bidirectional proxy re-signature scheme cannot resist the collusion attack of the cloud and a revoked user since an incumbent user's secret key can be recovered from the cloud's update key and a revoked user's secret key.
We also notice that all the previous papers focus on the data integrity and security are under the shared cloud storage model [23,24].Although these schemes involve user revocation problem, the main research is still cloud data sharing, where security problems cannot be ignored.Therefore, we analyze the revocation need of companies and organizations cloud storage data users, propose the model of user revocable auditing schemes and design an efficient dynamic integrity verification scheme for big data supporting user revocability.This is the major work we are doing in this paper.

Our Contributions
Motivated by above, in this paper, an efficient dynamic integrity verification for big data supporting users revocability and third-party privacy-preserving auditing scheme be proposed.To achieve this, we make the following contributions: we analyze the revocation need of companies and organizations cloud storage data users.Based on technique of bilinear aggregate signature, a specific revocable public cloud storage third-party auditing scheme be presented.It can help the current user audit the data which was sent to the cloud by all the previous users, and can satisfy the user transfer demand of large companies and organizations.Meanwhile cloud users can delegate a third party (TPA) to perform security auditing tasks as it is not economically feasible for them to handle it by themselves.By given a precise definition of security that collusion resistance is mandatory.At last by analyzing the performance of scheme and the results, we demonstrate that our scheme is efficient.

Paper Organization
The remainder of this paper is organized as follows.Preliminaries is described in Section 2. Section 3 formalizes the concept of revocable third-party privacy-preserving auditing scheme for cloud storage and also presents our design goals.The revocable third-party privacy-preserving auditing scheme for cloud storage is given in Section 4. Section 5 analyzes the scheme security.Section 6 analyzes the performance of it.Finally, Section 7 concludes this paper.

The User Data Stored in the Cloud
As illustrated in Figure 1, a basic cloud storage auditing system involves two main entities: a user and the CSP.The user would be a company or an organization (more precisely, it is usually a data manager of them who uses the cloud storage service to store its superabundant data.The CSP is cloud service provider who has ample storage space, and could offer economical and professional storage services to users.Specifically, a cloud storage auditing scheme works as follows.A user first splits the data M into n blocks such that each block is m i in Z p , i.e., M = (m 1 , . . . ,m n ) ∈ Z p n , M ∈ {0, 1} * , i ∈ {1, • • • , n}, and computes the signatures of all blocks using its secret key like σ = σ 1 , . . ., σ n .Here the signatures are known as block tags.Then the user sends the data and all tags to the cloud, and deletes them locally.When their outsourced data needs to be checked, the user picks a random set of data blocks and sends a corresponding Q = {(i, v i )} to the cloud, where i and v i indicate the identity and random coefficient of a selected data block respectively.After receiving Q , the cloud calculates and returns a proof by using those data blocks as well as the corresponding tags.Finally, the user verifies the validity of the proof.If the proof is invalid then the user can confirm that its data has been damaged.Otherwise, it may be intact; the user could repeat the challenge verification procedure until getting a confirmation.It obviously shows that the cloud only stored the user data block and the corresponding blocks tags.

Multi-User Data Stored in the Cloud with the Revocable System
As shown in Figure 2, cloud storage system supporting revocable user is quite different from the basic cloud storage auditing system, as there are many users who are able to manage the same piece of data.In reality, the data stored in the cloud belongs to the company, not to the data manager.In a specific period, there is usually one data manger that is responsible for managing the data, but in a longer time period, there might be many users who are able to managing the data.That is, after some time, a data manager who is responsible for managing the data is no longer suitable to manage the data, e.g., the data manager leaves the company and work for another company, thus, a successor of the data manager is needed.We assume that there is an initial user who uploads the company's data to the cloud on behalf of the company, we regard this initial user as U 0 , then the company recruit a data manger to manage those data stored on the cloud.Clearly the data manager is not tenure.Before leaving, a data manger needs to transfer all data he managed to his successor.The successor also needs to verify these data to make sure all the data stored on the cloud is intact.Assume that a company or organization only needs one data manager to manage the data in a specific period.Then we have U 1 , U 2 , • • • , U m users in the company or organization where m is a positive integer.So the data management period is divided into T 1 , T 2 , • • • , T m accordingly.And the user has to transfer the data to the successor at the end of the period.( Note: In the paper the initial user U 0 can't do anything except uploads the data to the cloud.Only U 1 , U 2 , • • • , U m can management the data.) The initial user U 0 first divides all the files into n blocks, and calculates its corresponding tag σ using his secret key, then uploads the data and tag to the cloud.U 1 manages the data during the period of T 1 , then U 1 will be replaced by its successor U 2 at the end of T 1 , U 2 will also be replaced by U 3 some time later, and so on till the U j replaces U j−1 ,where j ∈ { 0, • • • , m} and U j is the current user.
As the tag is signed by the user, if a user has been revoked, the tags computed by the user should be modified.An obvious approach to update those tags is re-computing the tags of data blocks using the current user's secret key.However, this is not a cloud storage auditing scheme supporting user revocation, as this method introduces large communication and computation overhead.All the data manager can add, modify and delete the data which is stored on the cloud.For the current user U j all these operations can only happen during the T j period.For the add operation, U j divides the data into blocks, computes the tags of each block and sends all the blocks and tags to the cloud.For the modify operation, U j first retrieves the data which needs to be modified and its corresponding tags.U j verifies the correctness of the data, and discards the tags.If the data is intact, then U j modifies the data and computes the tags for the data using his secret key and uploads the data and tags to the cloud.For simplicity, we assume that the cloud server can handle the delete operation effectively.(e.g., if some deleted data are selected by a challenge, all the data are set to 0, this will not affect the alter verification process of the data.In fact, those deleted data will no longer take any space on the cloud server.)Thus for serial number of blocks, its value will never decrease.
The value of the i − th of blocks C is related to the period T and the operation P. For a more realistic cloud storage system supporting user revocation, all the data stored on the cloud included the data m 1 , . . ., m C m and its corresponding tags σ 1 , . . ., σ C m , and its corresponding period T 1 , T 2 , • • • , T m .They are uploaded by the initial users U 0 and all the other data managers U 1 , U 2 , • • • , U m .So as shown in Figure 3, the integrity verification of m i will be verified by σ i , C, T. As mentioned above, U j can only add and modify data at the time period of T j , and compete the tags of data blocks using his own secret key.In order to distinguish those tags, we use σ i to represent the tags computed by the user U j for data block m i .For the current user, he has to not only manage the data blocks m C ( j−1)+1 , . . ., m C j ,k and their corresponding tags, but also manage all the data blocks and tags which were uploaded to the cloud by all of his predecessors.Some of the tags might be signed by different users.For example, in time period T 1 , user U 1 did modify operation which gets data block m 2 and tag σ (1) 2 ; at the current period, user U j modifies data block m i and computes its tag σ (j) i .

The Revocable Scheme Supported Third-Party Privacy-Preserving Auditing
Due to reason of the online burden which potentially brought by the periodic storage correctness verification, cloud users tend to delegate a third-party auditor (TPA) to execute security auditing tasks.Through the TPA automatic execution periodic auditing tasks can save communication resources effectively.Therefore, the third-party auditing schemes are more desirable in the real world.As illustrated in Figure 4, a revocable cloud storage third-party auditing scheme works as follows.When the user wants to check its outsourced data, it sends a verify request to the TPA.When the TPA receives the request, it picks a random set of data blocks and sends a corresponding Q = {(i, v i )} to the cloud, where i and v i indicate the identity and random coefficient of a selected data block respectively.After receiving Q, the cloud calculates and returns a proof using those data blocks as well as the corresponding tags.Then, the user verifies the validity of the proof.If the proof is invalid then the TPA can confirm that its data has been damaged.Otherwise, it may be intact; the TPA could repeat the challenge verification procedure until getting a confirmation.Finally, the TPA sends the result to the user.It is obvious that the cloud only stored the user's data block and the corresponding blocks tags.

Formalization and Definitions
Without loss of generality , a revocable third-party privacy-preserving auditing scheme for cloud is assumed as shown in Figure 4, which involves in m + 1 authorized users for some m ∈ Z > 0 and their sequence is (Notice that unauthorized users can be easily recognized and additionally they cannot impair the integrity of the outsourced data.Thus it can be assumed that there is no unapproved user in our auditing schemes.)Then such an auditing scheme can be defined as below.

Definition 1: Revocable Third-Party Privacy-Preserving Auditing Scheme for Cloud Storage
A revocable third-party privacy-preserving auditing scheme for cloud storage consists of six probabilistic polynomial time (PPT) algorithms (Setup, SigGen, U pdate, Challeng, Proo f Gen, Proo f Veri f y), where: Setup: This algorithm is to generate each user's public/secret keys and run by each user U j , where j ∈ {0, • • • , m}.For the j − th user U j , the algorithm takes as input a security parameter λ and outputs U j s public-secret key pair pk j , sk j .
SigGen: This algorithm is to generate the tags of the stored data.It consists of three child probabilistic polynomial time algorithms(SigGen (U 0 ), SigGen U j , SigGen U → U j ).
SigGen (U 0 ): This algorithm is to generate the initial block tags of the stored data in the initial time and thus will be run by the initial user U 0 The algorithm takes as input U 0 s secret key sk 0 and block data (m 1 , . . . ,m n ), m i ∈ {0, 1} * , i ∈ {1, • • • , n}, and outputs the verification metadata V of (m 1 , . . . ,m n ) associated with the user U 0 .After that, U 0 sends V and (m 1 , . . . ,m n ) to the cloud and deletes them locally.
SigGen U j : This algorithm is to generate the block tags of the stored data in the period T j on the operation p j,k , k ∈ {1, • • • , θ}, k ∈ {1, . . . ,k} and thus will be run by the current user U j .
The algorithm takes as input U j s secret key sk j and block data m C j,(k −1) +1 , . . ., m C j,k , m i ∈ {0, 1} * , where C j,k is a positive integer.And the output of verification metadata is associated with the user U j .After that, U j sends V and m C j,(k −1) +1 , . . ., m C j,k to the cloud and then deletes them locally.
SigGen U → U j : This algorithm is to generate the block tags of the stored data in the period T j when U j wants to update the data which the previous user U uploaded to the cloud.So it will be run by the current user U j .The algorithm first retrieving the data block m i and it corresponding tags, then verified it if invalid turn out, if valid U j replaced the m i by m * i (For simple reason we also record it as m i too).Later the algorithm takes U j 's secret key sk j and block data m i as input and the outputs of verification metadata V of m i associated with the user U j .After that, U j sends V and m i to the cloud and then deletes them locally.
U pdate: This is an interactive algorithm for updating users.Suppose the user U j needs to be replaced by the user U j+1 , then U j+1 will initiate the algorithm.After the algorithm ends, U j+1 would obtain an update uk j→ j+1 for the cloud, and finally sends it to the cloud.
Challeng: This is an interactive algorithm for users send checking order.Assume U j is the current user and wants to check its outsourced data, it sends a verify request to the TPA.When TPA received the request, it picks a random set of data blocks and sends a corresponding Q = {(i, v i )} to the cloud, where i and v i indicate the identity and random coefficient of a selected data block respectively.
Proo f Gen: After receiving Challeng, the cloud would run the algorithm to return a response.To do this, the algorithm takes as input the Challeng, the block data m i , i ∈ Q and the verification metadata V of {m i } i∈Q , and outputs a verification proo f .Proo f Veri f y: This algorithm is run by the TPA to verify the correctness of the proo f .The algorithm takes as input U j s public key pk j , the Challeng and the corresponding proo f , and outputs VALID if proo f is valid; INVALID otherwise.Finally, the TPA sends the result to the U j .
For easier understanding, the revocable third-party privacy-preserving auditing scheme for cloud storage intuition behind the definition is given here.The basic idea of our security definition is: if the data in the cloud is indeed damaged but the cloud cannot admit, even by colluding with the revoked users, fool the current user into believing that the data remains intact.Let the cloud be an adversary A. To model the collusion between the cloud and revoked users, we permit to query a Corrupt oracle which takes a revoked user's identity as input and outputs the user's secret key.However, according to the aforementioned reasons we prohibit A from querying the Corrupt oracle on the user's identity.Additionally, like other security models, our security model also allows A to query SigGen oracle, U pdate oracle as well as the Proo f Gen oracle for obtaining the initial block tags, all update keys and valid proofs of any challenges.

Definition 2: Security Model
Now we describe the security definition of revocable third-party privacy-preserving auditing scheme for cloud storage.A revocable third-party privacy-preserving auditing scheme for cloud storage is secure if for any polynomial time adversary A the probability wins the following game played between a challenger C and the adversary A is negligible.
Setup: The challenger C first runs the algorithm KeyGen(λ) to generate U j s public-secret key pair pk j , sk j for all j ∈ {0, • • • , m}, and then sends all public pk j m 0 to the adversary A. Query: The adversary A could query the following oracles adaptively.SigGen-Oracle: For any data block m ∈ {0, 1} * , if A wants to get the initial block tags of m, it will query the oracle on m.After receiving the query, the challenger C first runs the algorithm SigGen(sk 0 , m) to produce a result V 0 and then returnsV 0 as response.
Update-Oracle: When A believes some user is not suitable for auditing, A will query the oracle on the user's identity to replace the user with its successor.Assume the user to be replaced is U j+1 for j ∈ {1, • • • , m − 1}.The challenger C first runs the algorithm U pdate U j+1 to produce a update key uk j→ j+1 and then sends it to A. After receiving uk j→ j+1 , A could generate the verification metadata V j+1 of a data block m associated with the user U j+1 using the update key uk j→ j+1 , the data block m and the verification metadata V j of m associated withU j .
Corrupt-Oracle: Suppose all revoked users at present are U 0 , U 1 , • • • , U d for some d ∈ {0, . . . ,m − 1}, then the adversary A could query the oracle on any of them, with the exception of only U 0 .When receiving such a query on the user U for ∈ {1, . . . ,d}, the challenger C returns U s secret key sk as response.
Proof.In order to verify whether the data block m stored in the cloud is the same as before, the challenger C generates a random challenge Chal and requests the adversary A to return a proof of m associated with user U j where j ∈ {0, . . . ,m}.On input the challenge Chal, the data block m and the verification metadata U j of M associated with U j , the adversary A outputs a proof as response.
Forgery.When the above process ends, the adversary A finally outputs a proof of some challenge Chal on file M with respect to user U j , where j ∈ {0, . . . ,m}.We say A wins the game if the following conditions hold: 1. Veri f ication (pk , chal, proo f ) → Valid; 2. The data block m is not the original one.

Design Goals
To support secure and efficient user revocable and data privacy preserving in a public cloud data auditing scheme, we have the following design goals: (i) TPA is allowed to verify the correctness of the cloud data.It executes data auditing without retrieving entire data and introduces none additional online burden to the user.(ii) Storage correctness: If the cloud indeed stores entire data, then it would always output valid proofs.(iii) Privacy-preserving: TPA learns no information of the stored data from information collected during the auditing process.(iv) Revocability: If a user is revoked, then its successor could establish a new auditing procedure efficiently.(v) Collusion resistance: If the data stored in the cloud is changed, then the auditing scheme should be able to detect it with high probability even though the cloud colludes with revoked users.(vi) Efficiency: the computation, communication and storage overhead should be as small as possible.
SigGen U j .This algorithm is to generate the block tags of the stored data in the period T j on the operation p j,k , k ∈ {1, • • • , θ}, k ∈ {1, . . . ,k}.
1.The data blocks is processed as {m i } C j,(k −1) ≤i≤C j,k by current user U j , where C j,k is a positive integer.The increment of the data block by the operations denoted by p j,k , which user U j will add these data to the cloud in the period T j .2. For all {m i } C j,(k −1) +1≤i≤C j,k , U j compute the tag of i − th data block m i as where u is a public parameter chosen randomly from G, W i = i||T j and j ∈ {1, • • • , m}.Send the verification metadata V = {σ i , t i } C j,(k −1) +1≤i≤C j,k and data blocks {m i } C j,(k −1) +1≤i≤C j,k to the cloud and then deletes them locally.
SigGen U → U j .This algorithm is to generate the block tags of the stored data in the period T j .If the current user U j wants to update the data of previous user U do.
1.When the current user U j wants to update the data m i in the previous T period for some reason, the m i and V = {σ i , t i , C } should be retrieved firstly.2. Then the user U j verified the t i = W i ||Sig ssk (W i ) with the previous user public key.If wrong the auditing scheme ends, if right the user U j deals with the data block as m i and replaced the tag σ At the same time the user U j replaced the t i = (i||T ) ||Sig ssk(U ) (i||T ) by t i = i||T j ||Sig ssk(U j ) i||T j .3. At last the user U j sends verification metadata V = {σ i , t i } and the block m i to the cloud and then deletes them locally.
U pdate.If the user U j+1 would take the place of the user U j , then U j+1 computes the update key uk j→j+1 as uk j→j+1 = (g x j ) x j+1 , and sends it to the cloud.
For the sake of clarity, we list some used signals in Table 1.The protocol is illustrated in Figure 5.
Table 1.Signal and its explanation.

Sig. Repression
n the number of the initial data block; the period of data manager's management; T j the current period is correspondence the current user U j ; C the number of the total data blocks at the auditing time: p j,1 , p j,2 , • • • , p j,θ the increment of the data block by the operation P j,1 , P j,2 , • • • , P j,θ during the period T j ; the tag is generated by the U j and data block m i ; t it used to verify if the block i-th match the data block; V the response for the challenge Q;

TPA
The cloud server (1) Retrieve file tag, verify its signature, and quit if fail; (2) Generate a challenge message challenge: , then verify (µ, σ, t, α, β) via the verification equation.Challeng.When the U j wants to verify the integrity of the data block stored in the cloud in the period of T j ( U j 's period), it would send a verity request to the TPA.
Proo f Gen.When the TPA receives the request of user, it would issue a random set Q = {(i, v i )} and a communication key k 3 to the cloud as a Challeng, where i ∈ 1, • • • , C j,k and v i ∈ Z p .
After receiving Challeng, the cloud can spilt this Q to Q T 0 , . . ., Q T , . . ., Q T j then computes and returns (µ, σ, t, α, β) as a proo f , where r = f k 3 (challenge) i ∈ G 1 , and t = {t i } i∈Q .Proo f Veri f y.When the TPA receives the proo f , input the public key pk of user U , the Challeng, Q = {(i, v i )}, k 3 and the proo f , (µ, σ, t, α, β), the algorithm outputs VALID to the U j as the Result if the following equalities simultaneously hold.
First for each t i verifies PK (U ) Sig ssk(U ) (W i ) = (i||T ).
Remark 1.The update process of the revocable third-party privacy-preserving auditing scheme is simple and is also efficient in terms of both computation and communication costs because it only needs to compute and send one update key uk l→l+1 .
Remark 2. There is only one public key, i.e., the current user's public key, in the revocable third-party privacy-preserving auditing scheme for any period of time.All public keys of revoked users are not certified any more, and thus a malicious cloud could modify them discretionarily.

Correctness
Now we prove the correctness and security of our revocable third-party privacy-preserving auditing scheme.
Theorem 1.The auditing scheme satisfies correctness.

Security Analysis
Theorem 2. The auditing scheme is secure in the random oracle model under the CDH assumption.
Proof.According to Definition 2, if there exists a polynomial time adversary A who breaks the scheme with non-negligible probability , we construct an algorithm B that uses the adversary A as a subroutine to solve a hard CDH problem with probability too.Algorithm B does so by interacting with A as follows.
Setup.Given a security parameter λ , the algorithm B first randomly picks a generator g of G, g α ∈ G and a hash function H : {0, 1} * → G that will be modeled as a random oracle in the proof.B also chooses random g x 0 from G for an unknown x 0 as U 0 's public key and computes U j 's public key g x j for all j ∈ {0, • • • , m}, where x j is picked from Z q .Then B sets u = g α and sends the system parameters g, u and all users' public keys {g x j } m 0 to the adversary A. Query.The adversary A can query the following types of oracles adaptively.It is assumed that for any data block m i , A will first make a H-Oracle query on the block before others.
H-Oracle.When A queries the oracle on a data block m i , B looks up m i in H-list, an initial empty list with the tuples (m i , s i , H (W i )).If B finds a matched tuple, it outputs H (W i ) as response.Otherwise B first picks a random value s i ∈ Z p and then computes H (W i ) = g s i /u m i , stores (m i , s i , H (W i )) in H-list and finally outputs H (W i ) as response.
SignGen-Oracle.To get the tags of data blocks {m i } i∈[1,C j,k ] , A queries the oracle on the file.

Upon receiving the query, for all
m i in H-list, finds a matched tuple (m i , s i , H (W i )), computes σ i = (g x ) s i and finally outputs the set V = σ 1 , . . ., σ C j,k as response.Since σ i = (H(W i )u m i ) x l , plugging H (W i ) = g s i /u m i into the equality, we can see that σ i = (g x ) s i for all i ∈ 1, • • • , C j,k .Update-Oracle.If A wants to replace the user U j with its successor U j+1 for some j ∈ {1, • • • , m − 1}, A will query the oracle on U j .Upon receiving the query, B first computes the update key uk j→j+1 = g xj/x j+1 using U j+1 's secret key x j+1 and sends the result to A.
Then A sets α j = g x j and β j+1 = uk j→j+1 , and adds them into U j , s verification metadata.

Performance Analysis
In this section, we analyze the communication and computation complexities of revocable third-party privacy-preserving auditing scheme for cloud storage.Particularly, we are only interested in the communication and computation costs of its frequent activities, and ignore the costs of the initial system setup that is the same as other conventional public auditing schemes.
NOTATION.Let Pair denote one pairing operation, Exp denote one exponentiation operation in G, and MZ and MG respectively denote one multiplication operation in Z p and G.We denote the bit size of the element in 1, • • • , C j,k , {1, • • • , n}, Z p and G by|C|, |n|, |p| and |G| respectively.The number of the data blocks selected by a challenge user is assumed to be a constant c.

Communication Cost
We can see that the communication overhead of our scheme depends on the communication complexity of algorithm Proof.According to the Proof algorithm, the user U j in one auditing process would first send a challenge Q = {(i, v i )} with size c (|C| + |p|) to the cloud and then the cloud would send a proof µ, σ, t, α 1 , . . ., α j−1 , β 1 , . . ., β j with size |p| + 2j|G| + c|C| + |G| to the user U j if it's the user U j , s first auditing query; otherwise the cloud would just send (µ, σ, t) with size |p| + |G| + c|C| to the user U j .Therefore, the total communication cost of one audit process in our scheme is |p| + |G| + c (2 |C| + |p|) bits.

Computation Cost
The computation cost includes update time and audit time.To update a user U j , the Update algorithm only needs to compute g x j−1 /x j .Hence the update time of our scheme is Exp.To complete one audit, the cloud should output a proof and the auditing user should verify its correctness.We know that the audit time of our scheme for user U j depends on the generation and verification costs of (µ, σ, t).Therefore, the audit time for user U j is (c + 2j) MZ + jMG + (2c + j) Exp + (j + 1) Pair (here we ignore the simple addition and hash operations).
Additional Comparison.We also give a comparison between our scheme and the revised scheme of [16] for auditing owned cloud storage.Table 2 shows the details of the comparison.We know that the auditing scheme in [16] is insecure under collusion attacks but it's the most efficient revocable public cloud storage auditing scheme in the literature.When a user U j executes the Proof algorithm of [16], it would send a challenge Q = {(i, v i )} with size c (|n| + |q|) to the cloud and the cloud would send a proof α, β, {id l , s l } l∈L with size j • (|p| + |G|) + c • |id| to the user U j .Therefore, the total communication cost of one audit process in that scheme is j • (|p| + |G|) + c • (|id| + |n| + |p|) bits.As the Update algorithm of [16] needs to recalculate all the tags of ndata blocks, we know the update time of [16] is nExp.To complete one audit, the scheme in [16] first requests the cloud to output a proof nExp and then instructs the auditing user to verify its correctness.Therefore, we know that the audit time of [16] for any user is (c + 2j) MZ + jMG + (c + j) Exp + (j + 1) Pair (here the simple addition and hash operations are also ignored).From Table 2, we can see that the communication cost of our scheme will has superior efficiency than the [16] in some cases.And audit time of our scheme is (almost) the same as those of [16], while the update time of [16] is larger than that of our scheme.Therefore we know our scheme is more computationally efficient than the scheme in [16].

Experimental Results
As we know, the comparison of computation cost is obvious.Our Update time is Exp , it is much lower than the update time of [16]: nExp.Our auditing time is approximately equal the scheme in [16], it is only a difference of cExp.So we only need compare the communication cost of our auditing scheme with the work of [16] in experiments.Our experiments are implemented on a windows 7 system with an Intel Core 2 i5 CPU running at 2.53 GHz, 2 GB DDR 3 of RAM (1.74 GB available).All algorithms are implemented by C language, and our code uses the MIRACL library version 5.6.1.The elliptic curve we use is an MNT curve, the base field size is 159 bits and the embedding degree is 6.The security level is chosen to be 80 bit, and |p| = |q| = 160.For simplicity, we also set k = 20, c = 300.All the results of experiments are represented as the average of 30 trials.As described in Figure 6, the experimental results show that, compared with the auditing scheme in [16], the communication cost of our auditing scheme are much light-weight than the scheme in [16].

Conclusions
In this paper, we have investigated the efficient user revocation problem in public cloud storage auditing systems and have proposed a dynamic revocable third-party privacy-preserving auditing scheme for cloud storage.We have proved that our scheme is secure against collusion attacks and have also demonstrated its effectiveness.In the light of the simplicity and extensibility of revocable third-party privacy-preserving auditing scheme for cloud storage, we believe the scheme would be much applicable in real-world cloud storage auditing systems.

Figure 1 .
Figure 1.The user data stored in the cloud.

Figure 2 .
Figure 2. Multi-user data stored in the cloud.
Assume that C 1 , • • • , C m are the i − th of blocks at the end of period T 1 , T 2 , • • • , T m , and c 1 , • • • , c m are the increment of the data block at the end of period T 1 , T 2 , • • • , T m , and p j,1 , p j,2 , • • • , p j,θ are the increment of the data block by the operation P j,1 , P j,2 , • • • , P j,θ during the period T j .Then we get C j = n + ∑ ∈[1,j] c = C j−1 + c j , where ∈ {1, • • • j}, and ∑ k∈[1,θ] p j,k = c j , where p j,k is a positive integer and k ∈ {1, • • • θ}.So at the auditing time the value of the i − th of blocks is C j , k = C j−1 + p, where p = p j,1 + p j,2 + • • • + p j,k .

Figure 3 .
Figure 3.Each block is attached with a signature, a block id and a current period.

Figure 4 .
Figure 4.An efficient and security revocable third-party privacy-preserving auditing scheme for cloud storage.

Figure 6 .
Figure 6.Comparison on the communication cost between our scheme and the scheme in[16].
α 1 , ..., α j , β 1 , ..., β j+1 .Corrupt-Oracle.Let all revoked users at present be U 1 , ...,U d for some d ∈ {1, • • • , m − 1}.If the adversary A queries the oracle on the user U j where j ∈ {1, • • • , d}, then B returns U j , s secret key x j as response.Proof.If B wants to verify whether the data block m stored in the cloud remains intact or not, it will issue a random challenge Challeng

Table 2 .
The comparison of two revocable public cloud storage auditing schemes.