A Secure Certificate-Based Data Integrity Auditing Protocol with Cloud Service Providers

Abstract: With the surge in cloud storage popularity, more individuals are choosing to store large amounts of data on remote cloud service providers (CSPs) to save local storage resources. However, users' primary worries revolve around maintaining data integrity and authenticity. Consequently, several cloud auditing methods have emerged to address these concerns. Many of these approaches rely on traditional public-key cryptography systems or are grounded in identity-based or certificateless cryptography systems. However, they are vulnerable to the increased costs linked with certificate management, key escrow, or the significant expense of establishing a secure channel, respectively. To counter these limitations, Li et al. introduced a certificate-based cloud auditing protocol (LZ22), notable for its minimal tag generation overhead. Nonetheless, this protocol exhibits certain security vulnerabilities. In this paper, we devise a counterfeiting technique that allows the CSP to produce a counterfeit data block with an identical tag to the original one. Our counterfeiting method achieves a 100% success rate for any data block and operates with exceptional efficiency. The counterfeiting process for a single block of 10 kB, 50 kB, and 100 kB takes a maximum of 0.08 s, 0.51 s, and 1.04 s, respectively. By substituting the exponential component of homomorphic verifiable tags (HVTs) with non-public random elements, we formulate a secure certificate-based cloud auditing protocol. In comparison to the LZ22 protocol, the average tag generation overhead of our proposed protocol is reduced by 6.80%, 13.78%, and 8.66% for data sizes of 10 kB, 50 kB, and 100 kB, respectively. However, the auditing overhead of our proposed protocol shows an increase: the average overhead rises by 3.05%, 0.17%, and 0.45% over the LZ22 protocol's overhead for data sizes of 10 kB, 50 kB, and 100 kB, respectively.


Introduction
In recent times, as wireless sensor technology advances continuously, the integration of wireless sensor techniques with implantable medical electronic devices has progressively supplanted traditional portable medical devices as a focal point in global medical research and development [1]. In contrast to conventional portable medical electronic devices, implantable medical devices exhibit greater flexibility and convenience in appearance and usage. They can provide real-time health monitoring and even predict diseases. Implantable medical devices necessitate only a simple chip implantation procedure within the body. Whether it involves monitoring diverse health metrics or restoring bodily functions, implantable chips offer enhanced ease, speed, accuracy, and cost efficiency. The utilization of implantable medical sensors enables users to monitor their health anytime, anywhere, thereby enhancing the efficient allocation of hospital resources to some extent.
Nevertheless, the escalating volume of health monitoring data poses challenges in terms of data storage, potentially reducing the efficiency of medical sensors. This challenge can be mitigated by cloud service providers (CSPs) equipped with robust computational capabilities and ample storage resources. The operational framework of a typical medical sensor network is depicted in Figure 1. Initially, medical sensors gather health data from users regularly, which are then transmitted via the Internet to the CSP through associated mobile Portable Personal Terminals (e.g., smartphones, smart wristbands). Subsequently, the Health Center can analyze these health data and provide feedback to users, while hospitals can leverage the monitoring data within the CSP to gain precise insights into a patient's condition and upload diagnosis outcomes to the CSP. However, as concerns about privacy protection continue to grow, two major issues have arisen regarding the choice of CSPs for data storage outsourcing. One concern relates to potential data leakage by the CSP, while the other focuses on ensuring the integrity of data stored within the CSP. Consequently, safeguarding the privacy and integrity of health data within CSPs is crucial for users. Data encryption technology is widely recognized as a pivotal tool for preserving data privacy, involving the encryption of data locally before transferring it to the CSP. Furthermore, data auditing techniques play a crucial role in verifying the integrity of data stored within a CSP. This method entails issuing an audit challenge to the CSP to evaluate its ability to accurately respond to the challenge, thereby ensuring data integrity.
Therefore, the data storage outsourcing capability provided by CSPs effectively addresses the challenge of overloaded local storage for wireless sensors. By utilizing outsourced storage integrated with data encryption and auditing technologies, users can ensure the privacy and integrity of their data.

Related Works
With the swift progress in wireless communication technology, wireless sensor technology has become a focal point of investigation. The small size, minimal energy consumption, and scalability of wireless sensors have established them as the preferred option for IoT applications, such as electronic medical health monitoring. Due to the limited computing and storage capacities of wireless sensors, they frequently collaborate with CSPs to securely store encrypted data in the cloud. As a result, attention to ensuring data integrity within CSPs has significantly increased in recent years in the domain of outsourced storage security protection research.
Homomorphic encryption [2][3][4][5] enables cryptographic computing, providing secure calculations with guaranteed confidentiality, making it a significant research focus in cloud computing. However, homomorphic encryption does not ensure the integrity of the calculation process. Several data integrity-checking protocols were proposed between 2004 and 2006 [6][7][8]. However, all of these protocols required downloading the complete data file to check the integrity of the data. This incurred substantial communication overhead, which was impractical in the era of big data with huge data volumes.
The initial introduction of the Provable Data Possession (PDP) model by Ateniese et al. in 2007 [9] marked a significant milestone. This model utilized homomorphic verifiable tags (HVTs) and random sampling methods to empower users to authenticate remote data integrity with a high level of certainty. However, the computational and storage resources demanded by the protocol were substantial due to the homomorphic nature of the RSA cryptosystem on which the HVTs were founded. In 2008, Shacham et al. led the way in integrating a third-party auditor (TPA) into the model for validating remote data integrity [10]. By delegating the verification to a TPA, the protocol alleviated the verification burden on users. By employing BLS signatures [11] to create HVTs, this protocol generated shorter tags than the method proposed in [9]. Nonetheless, the length of these HVTs still exceeded that of the data block itself, resulting in a storage overhead for the CSP that surpassed that of the data block.
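The homomorphic property that HVT-based auditing relies on can be sketched with simple modular arithmetic. The toy model below tracks only exponents in Z_p; `tag()`, `sk`, and the modulus are illustrative stand-ins, not the RSA-based construction of [9] or the BLS-based one of [10]. It shows why a linear combination of tags verifies the same linear combination of blocks.

```python
# Toy illustration of the homomorphic property behind HVTs.
# We work with exponents in Z_p directly instead of a real group element;
# a multiplicative tag g^(sk*m) is represented by its exponent sk*m mod p.
import random

p = 2**127 - 1                     # a prime modulus (illustrative)
sk = random.randrange(1, p)        # signer's secret scalar (illustrative)

def tag(m):
    # exponent of the hypothetical group tag g^(sk*m)
    return (sk * m) % p

blocks = [random.randrange(p) for _ in range(5)]
coeffs = [random.randrange(p) for _ in range(5)]

# aggregating tags with the challenge coefficients equals tagging the
# aggregated data: the property that lets a TPA audit via random sampling
agg_tag = sum(c * tag(m) for c, m in zip(coeffs, blocks)) % p
combined = sum(c * m for c, m in zip(coeffs, blocks)) % p
assert agg_tag == tag(combined)
```

Because tags are linear in the data, the verifier never needs the full file, only the challenged combination.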
Subsequently, in order to cater to diverse user needs and reduce the computational and storage overhead of the protocol, scholars developed a range of third-party cloud auditing protocols based on various cryptographic systems. Initially, numerous researchers devised third-party cloud auditing protocols [9,10,12-26] grounded in the Public Key Infrastructure (PKI) cryptosystem [27]. While PKI-based protocols are widely used, the substantial certificate management burden associated with them cannot be ignored. To tackle this challenge, other researchers suggested protocols [28-41] based on the identity (ID) cryptosystem [42]. In the ID cryptosystem, the Private Key Generator (PKG) only needs to generate and retain the private key sk corresponding to the user's ID, leading to reduced storage overhead compared to PKI-based protocols. However, the susceptibility of the PKG to hacking and private key theft renders ID-based auditing protocols vulnerable to private key escrow attacks. To streamline key management and mitigate key escrow vulnerabilities, researchers have also proposed cloud auditing protocols [43-48] based on the certificateless cryptosystem [49]. These protocols prevent the exposure of the private key by distributing the key generation process between the Key Generation Center (KGC) and the user, thereby addressing the key escrow issue. However, establishing a trusted channel for transmitting part of the private key between the KGC and users presents a communication overhead challenge in the certificateless cryptosystem.
To resolve the issue of communication overhead in certificateless cryptosystems, Gentry introduced the certificate-based cryptosystem in 2003 [50]. The certificate-based cryptosystem eliminated the necessity of establishing a trusted channel for each user; certificate distribution can occur over an open channel, reducing the communication overhead resulting from establishing a trusted channel. Building upon the certificate-based cryptosystem, [51] devised an efficient third-party cloud auditing protocol. This protocol reduced the computational cost on both the user and the TPA sides compared to the aforementioned protocols by cleverly constructing the HVTs. Nonetheless, this protocol raised some security concerns.

Our Contributions
In this paper, we design a secure certificate-based third-party cloud auditing protocol to address the susceptibility of encrypted data blocks to forgery within the LZ22 protocol [51]. Our contributions are detailed below.
To begin, we devise a method for generating forged data blocks with tags identical to the original ones. This technique is capable of forging lost data blocks, enabling the successful completion of TPA challenges in cases where the user's data block is missing due to CSP errors. Our forgery approach achieves a 100% success rate for any data block. Furthermore, we conduct simulation experiments to evaluate the computational overhead associated with forgery for data sizes of 10 kB, 50 kB, and 100 kB. The results demonstrate that the computational overhead for forgery is remarkably minimal, with a maximum forging time of 1.04 s per data block.
Subsequently, we develop a robust certificate-based data integrity auditing protocol to resolve the security issues present in the LZ22 protocol. By reconfiguring the homomorphic verifiable tags (HVTs) and integrating these enhanced HVTs into our cloud auditing protocol, we significantly enhance its security. A comprehensive overview of our protocol is provided, along with an in-depth analysis of its correctness and security aspects.
Lastly, we validate the practicality and efficiency of our protocol through experimental assessments. By simulating the time overhead of Tag Generation and Auditing for various auditing protocols, including the latest PKI auditing protocol [26], ID-based auditing protocol [30], certificateless auditing protocol [46], certificate-based auditing protocol [51], and our auditing protocol, we demonstrate the superior efficiency of our protocol in Tag Generation compared to the other protocols. Additionally, our auditing efficiency matches that of the auditing protocol proposed in [51], ensuring a high level of security while maintaining operational efficiency.

Outline of the Article
The overall structure of the remaining sections in this article is outlined as follows.
In Section 2, we present pertinent background information regarding the Certificate-Based Data Integrity Auditing Protocol (CBDIAP). In Section 3, we delve into the security vulnerabilities of the LZ22 protocol and put forth a potential forgery attack strategy. In Section 4, we introduce and scrutinize the protocol proposed in this paper, conducting both correctness and security analyses. In Section 5, we evaluate the overhead associated with Tag Generation and Auditing for the proposed protocol through theoretical and experimental assessments. Finally, we encapsulate the key findings and delineate future research avenues in Section 6.

Preliminaries
In this section, we introduce some basic knowledge, including symmetric bilinear mapping, security assumptions, and the formal definition of the CBDIAP. The details are as follows.

Symmetric Bilinear Mapping
The concept of symmetric bilinear mapping was introduced by John Milnor and Dale Husemoller in their 1973 book Symmetric Bilinear Forms [52]. The details are as follows.
Choose two cyclic groups G_1 and G_T of the same prime order p, i.e., order(G_1) = order(G_T) = p. A mapping ê : G_1 × G_1 → G_T is a symmetric bilinear mapping if it satisfies the following properties:
Bilinearity: ∀ g_1, g_2 ∈ G_1 and a, b ∈ Z*_p, ê(g_1^a, g_2^b) = ê(g_1, g_2)^{ab}.
Non-degeneracy: there exists g ∈ G_1 such that ê(g, g) ≠ 1_{G_T}.
Computability: ∀ g_1, g_2 ∈ G_1, ê(g_1, g_2) can be computed efficiently.
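These properties can be sanity-checked with a toy exponent-level model: representing each group element g^a by its exponent a mod p, the pairing ê(g^a, g^b) = ê(g, g)^{ab} becomes multiplication of exponents. This is only a mental model (the modulus and representation are illustrative), not a cryptographic pairing.

```python
# Toy model of a symmetric bilinear map: group elements are represented
# by their discrete logs mod p, so g^a is just "a", and the pairing
# e(g^a, g^b) = e(g, g)^(ab) becomes multiplication of exponents mod p.
p = 1009  # small prime group order (illustrative only)

def e(a, b):
    # pairing evaluated on exponent representatives
    return (a * b) % p

a, b, c = 123, 456, 789
# Bilinearity: e((g^a)^c, g^b) == e(g^a, g^b)^c
assert e((a * c) % p, b) == (e(a, b) * c) % p
# Symmetry (a property of symmetric pairings): e(g^a, g^b) == e(g^b, g^a)
assert e(a, b) == e(b, a)
# Non-degeneracy: e(g, g) is not the identity (exponent 0)
assert e(1, 1) % p != 0
```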

Security Assumptions
Definition 1 (k-Collusion Attack Algorithm (k-CAA) Problem Assumption [53]). In a cyclic group G of prime order p, for x, h_1, ..., h_k ∈ Z*_p and g ∈ G, given g, g^x, and the pairs (h_1, g^{1/(x+h_1)}), ..., (h_k, g^{1/(x+h_k)}), the task is to output a new pair (h*, g^{1/(x+h*)}) where h* ∉ {h_1, ..., h_k}. The k-CAA assumption is deemed (t, ε)-valid if there exists no probabilistic polynomial time (PPT) algorithm that can generate (h*, g^{1/(x+h*)}) in G with a success rate of at least ε.
Definition 2 (Weak k-CAA Problem Assumption [54]). In a cyclic group G of prime order p, for x, a, b, h_1, ..., h_k ∈ Z*_p and g ∈ G, given g, g^x, g^a, g^b, and the pairs (h_1, g^{ab/(x+h_1)}), ..., (h_k, g^{ab/(x+h_k)}), the task is to output a new pair (h*, g^{ab/(x+h*)}) where h* ∉ {h_1, ..., h_k}, or to solve g^{ab}.
The weak k-CAA assumption is considered (t, ε)-valid if there exists no PPT algorithm that can generate (h*, g^{ab/(x+h*)}) or solve g^{ab} in G with a success rate of at least ε.
Definition 3 (Computational Diffie-Hellman (CDH) Problem Assumption [11]). In a cyclic group G of prime order p, for a, b ∈ Z*_p and g ∈ G, given g, g^a, g^b, the aim is to solve g^{ab}. The CDH assumption is considered (t, ε)-valid if there exists no PPT algorithm that can solve g^{ab} in G with a success rate of at least ε.

The Formal Definition of the CBDIAP
The CBDIAP is a third-party data integrity auditing protocol that relies on certificate-based cryptographic systems. The protocol involves three key entities: the CSP, the TPA, and the user, each with distinct responsibilities. The CSP is tasked with system initialization, user certificate distribution, and encrypted data block storage. The TPA's role is to audit the CSP to guarantee the integrity of the data stored within it. The formal specification of this protocol can be found in Definition 4.

Definition 4. The CBDIAP consists of four PPT algorithms [51]:
1. System setup (1^λ) → (msk, pp): with input security parameter λ, the CSP initializes the data integrity auditing system to generate the system master private key msk and broadcasts the system parameters pp.
2. User registration (ID, upk_ID) → (Cert_ID): the user sends their ID and public key upk_ID to the CSP. Then, the CSP returns a valid certificate Cert_ID to the user.
3. Outsourcing storage (F = {m_i}_{i=1}^m, ds, t) → (τ, {σ_i}_{i=1}^m): given an encrypted dataset F = {m_i}_{i=1}^m named ds with timestamp t, the user uploads the encrypted dataset F, the dataset label τ, and the data block tags {σ_i}_{i=1}^m to the CSP.
4. Auditing (ID, ds, chal) → (0/1): the TPA sends the user's ID, ds, and the audit challenge chal to the CSP. The CSP generates a data integrity proof PF and returns it to the TPA. The TPA outputs one if the proof shows that the data are intact on the CSP, and zero otherwise.
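The message flow of the four algorithms in Definition 4 can be sketched as a structural mock. In the sketch below, hashes stand in for the real group operations, and all names (`h`, `register`, `outsource`, etc.) are illustrative; it shows the interface and data flow only, not the cryptography of [51] or of the proposed protocol.

```python
# Structural mock of the four CBDIAP algorithms of Definition 4.
# SHA-256 stands in for tags and certificates; illustrative only.
import hashlib

def h(*parts):
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

class CBDIAP:
    def setup(self, lam=128):                  # 1. System setup(1^lambda)
        self.msk = h("msk", lam)               # master private key
        return {"lambda": lam}                 # public parameters pp

    def register(self, ID, upk):               # 2. User registration
        return h(self.msk, ID, upk)            # certificate Cert_ID

    def outsource(self, cert, ds, blocks):     # 3. Outsourcing storage
        tags = [h(cert, ds, i, m) for i, m in enumerate(blocks)]
        self.store = {"ds": ds, "blocks": blocks, "tags": tags, "cert": cert}
        return tags

    def audit(self, ds, chal):                 # 4. Auditing -> 0/1
        s = self.store
        ok = all(h(s["cert"], ds, i, s["blocks"][i]) == s["tags"][i]
                 for i, _ in chal)
        return 1 if ok and ds == s["ds"] else 0

csp = CBDIAP()
pp = csp.setup()
cert = csp.register("alice", "upk")
csp.outsource(cert, "ds1", ["m0", "m1", "m2"])
assert csp.audit("ds1", [(0, 7), (2, 11)]) == 1   # intact data passes
```

Tampering with a stored block makes the corresponding audit return zero, mirroring the 0/1 output of the Auditing algorithm.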

Correctness
Definition 5. The CBDIAP is correct if the following conditions are met [51]:
1. For the certificate Cert_ID returned by the CSP, the user must verify that the certificate Cert_ID sent by the CSP matches his or her own ID and upk_ID to check whether the certificate is valid.
2. ∀ ID ∈ {0, 1}*, ds, and chal ∈ {(i, c_i) : i ∈ I}, if the CSP receives (ID, ds, chal) from the TPA, the CSP can generate PF and send it to the TPA. The TPA then checks whether PF matches the dataset label τ and whether PF is valid evidence for the dataset ds.
3. For {σ_i}_{i=1}^m, the TPA checks the integrity of the data in the CSP by testing whether {m_i}_{i=1}^m and {σ_i}_{i=1}^m match.

Security Model
In the CBDIAP, a forgery by adversary A is said to be successful if the forged proof PF′ passes the auditing algorithm, where PF′ corresponds to a forged dataset containing an arbitrary data block m* ∉ {m_i}_{i=1}^m that has never been queried.

Definition 6. If the probability that any PPT adversary A can win the following game is negligible, then we consider the CBDIAP secure.
Initialization: challenger C generates the system parameters pp and the system master private key msk, stores msk itself, and sends pp to adversary A.
TagGen query: adversary A sends the user's ID, the encrypted dataset F = {m_i}_{i=1}^m named ds, and the corresponding timestamp t to challenger C. Then, C returns the corresponding dataset label τ and all the data block tags {σ_i}_{i=1}^m to A.
ProofCheck query: for any dataset, C sends chal to A, and A generates the corresponding PF.
Forge: A generates a proof PF′, where PF′ corresponds to an unvisited dataset, i.e., none of the data blocks in the new dataset have undergone the TagGen query process.

Data Block Forgery of LZ22 Protocol
First, we analyze the security problems of the LZ22 protocol in the outsourcing storage process in detail and propose our forgery method. Then, we experimentally analyze the time overhead required for forgery.

Security Problems of LZ22
In reality, a secure cloud auditing protocol requires that the CSP cannot generate a valid attestation without possessing the complete raw data [55]. Here, we first assume that the TPA needs to audit the integrity of an encrypted dataset F = (m_1, ..., m_m) with identity ID and dataset name ds. After the CSP receives the audit challenge (ID, ds, chal = {(i, c_i) : i ∈ I}) from the TPA, it generates a valid proof PF = (m, σ), where m = ∑_{i∈I} c_i·m_i and σ = ∏_{i∈I} σ_i^{c_i}. At this point, if the CSP is still able to generate a proof PF* = (m*, σ*) that passes verification despite the loss of a data block m_k, k ∈ I, then this cloud auditing protocol is unsafe.
In the LZ22 protocol [51], the dependence of the tag σ_i on the data block m_i = (m_i1, ..., m_in) is only through the linear combination of its sectors. For each data block m_i, the CSP can therefore pre-compute the intermediate value M_i = ∑_{j=1}^n H_4(ID, j)·m_ij and store M_i locally. When a data block m_k is lost, any forged block m*_k satisfying ∑_{j=1}^n H_4(ID, j)·m*_kj = M_k has the same tag σ_k as the real data block m_k. In this way, the CSP can send a proof PF* = (m*, σ). Substituting PF* = (m*, σ) into Equation (1) shows that the verification equation still holds; that is, the proof PF* = (m*, σ) returned by the CSP to the TPA passes the verification. Since the data block m* is forged by the CSP, the LZ22 protocol is not secure.
Below, we consider specifically how to construct a data block m*_k = (m*_k1, ..., m*_kn) such that ∑_{j=1}^n H_4(ID, j)·m*_kj = M_k. Since H_4(ID, j), j ∈ {1, ..., n}, are all values that can be calculated by the CSP, m*_k1, ..., m*_k(n−1) can be chosen arbitrarily; it suffices to set the last sector so that the equality holds. An extreme case is to set m*_kj = 0 for j ∈ {1, ..., n−1} and m*_kn = M_k/H_4(ID, n), i.e., m*_k = (0, ..., 0, M_k/H_4(ID, n)). From this analysis, it is clear that the success rate of our proposed method for forging data blocks is 100%.
Note that this method of masking data loss requires the CSP to compute the additional value M_i for each data block m_i when storing the user dataset; thus, the CSP needs to prepare additional storage space of 1/n of the original dataset size for storing the values M_i. Figure 2 compares the difference between a legitimate CSP and a dishonest CSP in the auditing phase.
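The forgery above can be sketched in a few lines. In the sketch, `H4()` is an illustrative stand-in for the public hash H_4 of [51], and q is an illustrative prime; the point is only that, because every H_4(ID, j) is computable by the CSP, a block hitting the same combination M_k is trivial to build.

```python
# Sketch of the Section 3 forgery: with H_4(ID, j) public, the CSP can
# build m*_k with the same linear combination M_k = sum_j H_4(ID,j)*m_kj,
# and hence the same tag. H4() and q are illustrative stand-ins.
import hashlib, random

q = 2**61 - 1  # prime field order (illustrative)

def H4(ID, j):
    d = hashlib.sha256(f"{ID}|{j}".encode()).digest()
    return int.from_bytes(d, "big") % q or 1   # avoid a zero coefficient

ID, n = "user-42", 8
m_k = [random.randrange(q) for _ in range(n)]          # real (lost) block
M_k = sum(H4(ID, j) * m_k[j] for j in range(n)) % q    # precomputed by CSP

# cheapest forgery: zeros everywhere, last sector set to M_k / H_4(ID, n)
# (here the last sector has index n-1 because indices are 0-based)
m_star = [0] * (n - 1) + [M_k * pow(H4(ID, n - 1), -1, q) % q]

# the forged block hits the same M_k, so sigma*_k = sigma_k: audit passes
assert sum(H4(ID, j) * m_star[j] for j in range(n)) % q == M_k
```

The modular inverse via `pow(x, -1, q)` is why the forgery costs essentially one field inversion per missing block, consistent with the small timings reported below.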

Data Block Forgery Experiments
In this section, we delve into the time overhead associated with the CSP's ability to counterfeit a data block. Given that the data block m*_k targeted for forgery shares an identical tag σ_k with the authentic data block m_k, there is no necessity to fabricate the tag σ_k.
Our simulation used the PyCharm IDE with Python 3.8. It ran on a Linux 5.10.0-8-generic system, using an 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30 GHz processor. The parameters used in the simulation were the standard parameters of the Pypbc library [56]. To design an 80-bit secure auditing algorithm, the length of any element in the group G_1 needed to be 160 bits (20 bytes). We analyzed the time overhead required for forgery with dataset sizes of 10 kB, 50 kB, and 100 kB, respectively.
In the data block forgery method proposed in the previous section, the CSP needs to additionally compute the value M_i = ∑_{j=1}^n H_4(ID, j)·m_ij for each data block m_i and store M_i, i ∈ {1, ..., m}, locally after receiving the dataset F = (m_1, ..., m_m) uploaded by the user. Our experimental simulation showed that the time overhead required by the CSP to compute each M_i is related to the number of sectors n in each data block, as shown in Figure 3. After the CSP receives an audit challenge (ID, ds, chal = {(i, c_i) : i ∈ I}) from the TPA, if it finds that a data block m_k, k ∈ I, is missing, it can forge a data block m*_k = (m*_k1, ..., m*_kn) using the previously stored value M_k. The forgery method that minimizes the time overhead is to set m*_kj = 0 for j ∈ {1, ..., n−1} and m*_kn = M_k/H_4(ID, n), obtaining m*_k = (0, ..., 0, M_k/H_4(ID, n)). When more than one data block is missing, the same method can be used to forge the other missing data blocks. The time required by this lowest-overhead forgery method for each m*_k, as a function of the number of sectors n in each data block, is shown in Figure 4.
To make the forged data block look more realistic, the values of m*_k1, ..., m*_k(n−1) can be assigned one by one by the CSP according to the numerical characteristics of the existing data blocks, as long as the last sector of the forged data block m*_k is set so that ∑_{j=1}^n H_4(ID, j)·m*_kj = M_k still holds; this forgery process requires a greater amount of calculation. The time required for the CSP to forge each more realistic m*_k versus the number of sectors n in each data block is shown in Figure 5.
In the following, we analyze the total time overhead required for the CSP to forge data blocks in the LZ22 protocol using the forgery method proposed in this paper. First, for a given encrypted dataset F = (m_1, ..., m_m), the CSP needs to compute the extra value M_i for each data block m_i. Then, the CSP forges the lost data block in response to the challenge. If the CSP uses the lowest-overhead forgery method, the relation between the number of sectors n per data block and the total time overhead is shown in Figure 6; if the CSP uses the more realistic forgery method, it is shown in Figure 7. From Figures 3-7, we can see that the time overhead of our forgery method is minimal. With sufficient storage resources (i.e., sufficient storage space to store the intermediate values M_i), the CSP needs at most 1.1 s to forge a lost data block and pass the audit challenge. Otherwise, even if auditing is required during the user outsourcing storage process (i.e., the CSP needs to calculate the intermediate values M_i and forge the missing data block m_k at the same time), it takes the CSP at most 5.5 s to complete the forgery of a particular missing data block and pass the auditing challenge.

The Proposed Protocol
In this section, we introduce an enhanced protocol designed to address the security vulnerabilities present in the LZ22 protocol. Subsequently, a comprehensive analysis of the correctness of our protocol is conducted. Finally, we provide a rigorous proof of the security guarantees offered by our proposed protocol.

Concrete Structure
From Section 3, it is clear that the encrypted data block m_k stored by the CSP in the LZ22 protocol can be forged with 100% probability. In our protocol, we make it impossible for an attacker to calculate the exponential part of σ_k by replacing the H_4(ID, j), j ∈ [1, n], function in the tag σ_k of the LZ22 protocol with n random numbers a_j ∈ Z*_q, j ∈ [1, n], which makes it impossible to forge any data block. The specific details of our protocol are as follows.
The proposed protocol comprises four algorithms, illustrated in Figure 8. Initially, the system setup algorithm is executed by the CSP to generate the initialization parameters pp. Then, the CSP sends pp to the user and the TPA. Subsequently, in the user registration algorithm, the user creates (ID, upk_ID) and transmits it to the CSP. The CSP then responds by sending Cert_ID to the user, and the user verifies the legitimacy of the certificate. Following this, the outsourcing storage algorithm is executed by the user, who labels the encrypted dataset and transmits (τ, {(m_i, σ_i)}_{i=1}^m) to the CSP and τ to the TPA. Lastly, the auditing algorithm is initiated by the TPA, which issues audit challenges to the CSP to verify the integrity of the stored data. Upon receiving an audit challenge from the TPA, the CSP must present the necessary proof of integrity (PF) to the TPA for assessment. A detailed description of each algorithm is provided below.

System Setup
Input the security parameter 1^λ; the CSP then randomly selects a cyclic group G_1 of prime order q and a symmetric bilinear mapping ê : G_1 × G_1 → G_T. Next, the CSP randomly selects a generator g ∈ G_1 and an integer s ∈ Z*_q to compute the master public key pk = g^s. The CSP then randomly selects three collision-resistant hash functions H_1, H_2, and H_3. Finally, the CSP announces the system public parameters pp = (q, G_1, G_T, ê, g, pk, H_1, H_2, H_3) and sets s as the system master key msk.

User Registration
The user registration algorithm is divided into three phases: UserKeyGen, Certify, and Authentication.
1. UserKeyGen: the user randomly chooses x ∈ Z_q as the secret key usk_ID, computes the user public key upk_ID = g^x, and then sends ID and upk_ID to the CSP.
2. Certify: the CSP generates the certificate Cert_ID = H_1(ID, upk_ID)^msk and sends it to the user.

Outsourcing Storage
The outsourcing storage algorithm is divided into two phases: data processing and data uploading.

1. Data processing: (1) Given an encrypted dataset F ∈ {0, 1}* with timestamp t and dataset name ds, the user first divides the dataset F into m data blocks (m_1, ..., m_m), each comprising n sectors. Specifically, F = (m_{i,j})_{m×n}, where m_{i,j} ∈ Z_q. (2) The user then randomly selects r, a_1, ..., a_n ∈ Z*_q, calculates R = g^r and {g_j}_{j=1}^n := {g^{a_j}}_{j=1}^n, and computes the value U from the certificate Cert_ID. The user assigns the label τ = ({g_j}_{j=1}^n, R, U, ds, t, m, n) to dataset F and retains a_1, ..., a_n. (3) For each data block m_i, the user computes the corresponding tag σ_i via Equation (2).
2. Data uploading: the user uploads the dataset label τ, the data blocks m_1, ..., m_m, and the corresponding tags σ_1, ..., σ_m to the CSP. At the same time, the user sends the dataset label τ to the TPA.
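The reason the secret exponents a_1, ..., a_n defeat the Section 3 forgery can be sketched at the field level. In the sketch below (with illustrative modulus and 0-based indices, working only with the linear combination inside the tag exponent rather than the full tag of Equation (2)), a CSP that lost a block must guess the a_j, and its forged block then misses the required combination except with negligible probability.

```python
# Sketch of the fix: the tag exponent now uses secret random a_j (kept by
# the user) instead of the public H_4(ID, j). Without a_1..a_n, the CSP
# cannot construct a different block with the same combination M_k.
import random

q = 2**61 - 1   # prime field order (illustrative)
n = 8

a = [random.randrange(1, q) for _ in range(n)]    # user's secret a_j
m_k = [random.randrange(q) for _ in range(n)]     # stored data block
M_k = sum(a[j] * m_k[j] for j in range(n)) % q    # fixed by the tag

# a CSP that lost m_k must guess the a_j; its forged block then yields a
# different combination, so the forged tag no longer matches
guess = [random.randrange(1, q) for _ in range(n)]
m_star = [0] * (n - 1) + [M_k * pow(guess[-1], -1, q) % q]
forged = sum(a[j] * m_star[j] for j in range(n)) % q
assert forged != M_k    # fails only with probability about 1/q
```

In the real protocol the TPA verifies against the public g_j = g^{a_j}, so a_j never leaves the user while the check remains possible.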

Auditing
The Auditing algorithm is executed in three distinct phases: challenge, proof generation, and proof verification.

1. Challenge: the TPA randomly selects a non-empty subset I of {1, ..., m}. For each i ∈ I, the TPA randomly chooses c_i ∈ Z*_q. Subsequently, the TPA transmits the user ID, dataset name ds, and challenge chal = {(i, c_i) : i ∈ I} to the CSP.
2. Proof generation: upon receiving the challenge, the CSP computes the data integrity proof PF and returns it to the TPA.
3. Proof verification: upon receipt of PF, the TPA first verifies the validity of the label τ using Equation (4). If Equation (4) is satisfied, the TPA confirms the integrity of the user's data stored by the CSP through Equation (5). If both Equations (4) and (5) are satisfied, the TPA can ascertain the integrity of the dataset stored in the CSP; otherwise, the dataset is incomplete or has been tampered with.
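The linearity that makes this challenge-response check work can be illustrated at the exponent level. The sketch below tracks only exponents (so pk = g^s becomes the scalar s, and g_j = g^{a_j} becomes a_j); it mirrors the aggregation structure, not the actual pairing Equations (4) and (5), and all parameters are illustrative.

```python
# Exponent-level toy of the challenge/response: the CSP aggregates blocks
# and tags with the challenge coefficients c_i, and the check succeeds
# exactly because the tags are linear in the data.
import random

q = 2**61 - 1                                    # illustrative prime order
m_blocks, n = 5, 4
s = random.randrange(1, q)                       # msk (exponent model)
a = [random.randrange(1, q) for _ in range(n)]   # user's secret a_j

M = [[random.randrange(q) for _ in range(n)] for _ in range(m_blocks)]
# toy tag exponent per block: s * sum_j a_j * m_ij
sigma = [s * sum(a[j] * M[i][j] for j in range(n)) % q
         for i in range(m_blocks)]

# TPA challenges a random subset with random coefficients c_i
chal = [(i, random.randrange(1, q)) for i in random.sample(range(m_blocks), 3)]
mu = [sum(c * M[i][j] for i, c in chal) % q for j in range(n)]   # per sector
sig = sum(c * sigma[i] for i, c in chal) % q                     # aggregated

# TPA-side check (with pk ~ s and g_j ~ a_j in this exponent model)
assert sig == s * sum(a[j] * mu[j] for j in range(n)) % q
```

Swapping the order of summation over i and j is the whole proof of correctness for this toy model, which is the same algebraic step underlying the real verification.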

Correctness
According to Definition 5, in this section, we verify the correctness of the proposed protocol in terms of certificate validity, legitimacy of the dataset label τ, and data integrity verification. To verify the correctness of the proposed protocol, we assume that all participants in this section faithfully execute the proposed protocol. For certificate validity, since Cert_ID = H_1(ID, upk_ID)^s and pk = g^s, the equation ê(Cert_ID, g) = ê(H_1(ID, upk_ID), pk) holds (in the following, we let γ = H_2(ID, ds, t, {g_j}_{j=1}^n, R, m, n)).

Security Analysis
In our proposed protocol, following Definitions 1-3, we delineate three classes of PPT algorithmic adversaries. Adversary A_I simulates an eavesdropper with the ability to substitute the user's upk_ID but without access to Cert_ID. Adversary A_II behaves like a malicious CSP possessing knowledge of msk but lacking the capability to alter upk_ID. Lastly, adversary A_III replicates a compromised CSP with the capacity to fabricate PF′ but without the ability to retrieve the user's randomly generated a_1, ..., a_n. None of the three adversaries A_I, A_II, and A_III have privileges to access Cert_ID, usk_ID, or a_1, ..., a_n. The security guarantees of our protocol are substantiated by Theorems 1-3.
Theorem 1. Assuming the weak k-CAA problem assumption holds in G_1, it is infeasible for any PPT adversary A_I to generate a valid proof with a non-negligible advantage ε_{A_I}.
Proof. The detailed proof is elaborated in Appendix A.
Theorem 2. Given the k-CAA assumption in G_1, no PPT adversary A_II can counterfeit a valid proof with a non-negligible advantage ε_{A_II}.
Proof. The thorough proof is provided in Appendix B.
Theorem 3. In the scenario where the CDH assumption holds for ê : G_1 × G_1 → G_T, it is computationally infeasible for any PPT adversary A_III to generate a valid proof with a non-negligible advantage ε_{A_III}.
Proof. The detailed proof can be found in Appendix C.

Performance Analysis
In this section, we conduct a theoretical analysis of the computational complexity associated with Tag Generation and Auditing in various cryptographic protocols, including those proposed by Han et al. [26], Li et al. [30], Shen et al. [46], Li et al. [51], and the protocol presented in this work. We then experimentally simulate these two properties. The specific theoretical and experimental analyses are as follows.

Analysis of Theoretical Effectiveness
We provide the operational notations in Table 1.The theoretical analysis outcomes of the above protocols are presented in Table 2.

Analysis of Experimental Simulations
In this section, we present the results of the experimental simulations conducted to evaluate the computational costs associated with Tag Generation and Auditing in the above five protocols. The simulations were performed using the PyCharm IDE with Python 3.8. The experiments were conducted on a Linux 5.10.0-8-generic system equipped with an 11th Gen Intel Core i7-11800H @ 2.30 GHz processor. For the design of an 80-bit secure auditing protocol, each element in the group G_1 was required to have a length of 160 bits (20 bytes).
Figures 9-11 illustrate the correlation between the time cost of tag generation and the number of data block sectors (n) for the aforementioned protocols, considering dataset sizes of 10 kB, 50 kB, and 100 kB, respectively. From Figures 9-11, we find that the time overhead of the protocol proposed in this paper and that of the protocol proposed in [51] exhibit a gradual decrease as the number of sectors per block increases. Upon analysis, it is evident that when the dataset size is constant, an increase in the number of sectors n per data block results in a decrease in the relative value of m. Operations related to m predominantly involve operations on the group, while those associated with n involve operations on the finite field. The efficiency of operations on the group is notably lower than that of operations on the finite field, which gives rise to the aforementioned phenomenon. The figures indicate that the computational overhead of the protocol proposed in [51] and of our protocol is the lowest among the five protocols. Nevertheless, our proposed protocol exhibits superior security performance.

Conclusions
In this study, we first identified a forgery method capable of forging arbitrary data blocks in the protocol of [51] with minimal time overhead. Subsequently, we introduced a secure certificate-based cloud auditing protocol. Our analyses confirmed that the efficiency of the protocol presented in this paper surpasses that of the compared protocols.

Game A1. Suppose that C is given a random instance (g, g^x, g^a, g^b, h_1, ..., h_k) of the weak k-CAA problem, where x, a, b, h_1, ..., h_k ∈ Z_q^* and g ∈ G_1. Let solve_weak1 = g^{ab} or solve_weak2 = (h^*, g^{ab/(x+h^*)}) denote a solution to the weak k-CAA problem. C solves the weak k-CAA problem by interacting with A_I. The details are as follows:

1. Initialize: C sets pk = g^a and creates the list of public parameters PP = {G_1, G_T, q, ê, g, pk}. Then, C gives A_I the public parameters PP.

2. Random oracle queries: C randomly chooses t ∈ [1, q_u] and assumes ID′ denotes the t-th query to the H_1 oracle. C responds to the queries from A_I as follows:

(1) UserKeyGen query: C maintains an initially empty list L_ID, used to store triples (ID, usk_ID, upk_ID).

(6) H_2 query: C maintains an initially empty list L_2, used to store tuples (ID, ds, t, {g_j}_{j=1}^n, R_ID, m, n, Ĥ, coin). If A_I has already queried (ID, ds, t) in L_2, C returns Ĥ to A_I. Otherwise, C performs the following steps. First, C tosses a coin whose value is in {0, 1}, with Pr(coin = 1) = P_{H_2} and Pr(coin = 0) = 1 − P_{H_2}. If ID ≠ ID′, C randomly chooses Ĥ ∈ Z_q^* and sets coin = 0. If ID = ID′ and coin = 1, C randomly chooses Ĥ ∉ {h_1, ..., h_k}; otherwise, C randomly chooses Ĥ ∈ {h_1, ..., h_k}. Then, C returns Ĥ to A_I and stores (ID, ds, t, {g_j}_{j=1}^n, R_ID, m, n, Ĥ, coin) in L_2.

(7) H_3 query: C maintains an initially empty list L_3, used to store tuples (ID, τ, {y_i}_{i=1}^m). If A_I has already queried (ID, τ) in L_3, C returns {y_i}_{i=1}^m to A_I. Otherwise, C randomly chooses {y_i}_{i=1}^m ∈ G_1, returns {y_i}_{i=1}^m to A_I, and stores (ID, τ, {y_i}_{i=1}^m) in L_3.

(8) U query: C maintains an initially empty list L_u, used to store tuples (ID, F, ds, t, U, R_ID, {g_j}_{j=1}^n). First, A_I randomly chooses an encrypted dataset F = {m_1, ..., m_m} with timestamp t; the dataset name is ds. Second, C randomly chooses r_ID, a_1, ..., a_n ∈ Z_q^* and sets R_ID = g^{r_ID} and {g_j}_{j=1}^n = {g^{a_j}}_{j=1}^n. Then, C performs the following steps. If ID ≠ ID′, we set U = Cert

Figure 1. The operation of a typical medical sensor network.

Figure 2. The difference between the legitimate CSP and the dishonest CSP.

Figure 3. The time cost of computing the intermediate value M_i. (x-axis: number of sectors of each block (n).)

Figure 4. The lowest time cost of forging each data block m_k^*.

Figure 5. The time cost of forging each more realistic data block m_k^*.

Figure 6. The total time cost of forging each data block m_k^* (lowest-overhead forgery method).
Figure 7.

Figure 8. Flowchart of the proposed protocol.

Figure 9. The time cost of tag generation (dataset size = 10 kB). (x-axis: number of challenged data blocks (c); legend: our scheme, PKI, ID-based, certificateless, certificate-based.)
If A_I queries ID in L_ID, C returns upk_ID to A_I. Otherwise, C performs the following steps. If ID ≠ ID′, C randomly chooses usk_ID ∈ Z_q^* and computes upk_ID = g^{usk_ID}. Then, C returns (usk_ID, upk_ID) to A_I and stores (ID, usk_ID, upk_ID) in L_ID. If ID = ID′, C terminates the query.

(2) KeyReplace query: when C receives a new pair (usk^*, upk^*) for an identity ID (it can be any ID already in L_ID) and upk^* = g^{usk^*} holds, C stores (ID, usk^*, upk^*) in L_ID.

(3) H_1 query: C maintains an initially empty list L_1, used to store triples (ID, H_1(ID, upk_ID), α_ID). If A_I queries (ID, upk_ID) in L_1, C returns H_1(ID, upk_ID) to A_I. Otherwise, C performs the following steps. If ID ≠ ID′, C randomly chooses α_ID ∈ Z_q^* and sets H_1(ID, upk_ID) = g^{α_ID}. If ID = ID′, C sets H_1(ID, upk_ID) = g^b. Then, C returns H_1(ID, upk_ID) to A_I and stores (ID, H_1(ID, upk_ID), α_ID) in L_1.

(4) Certify query: C maintains an initially empty list L_c, used to store pairs (ID, Cert_ID). If A_I queries ID in L_c, C returns Cert_ID to A_I. Otherwise, C performs the following steps. If ID ≠ ID′, C sets Cert_ID = (g^a)^{α_ID}. Then, C returns Cert_ID to A_I and stores (ID, Cert_ID) in L_c. If ID = ID′, C terminates the query.

(5) Corruption query: if ID ∉ L_ID or ID = ID′, C terminates the query. Otherwise, C retrieves usk_ID from L_ID and sends it to A_I.
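The bookkeeping that C performs for the H_2 oracle above can be sketched as a programmable random oracle with a biased coin (Coron's partitioning technique). The class name, the value of the bias `P_H2`, and the small modulus `Q` are illustrative assumptions for the sketch; the real reduction works over the group order q of G_1.

```python
import random

Q = 2**61 - 1        # illustrative prime order, an assumption for this sketch
P_H2 = 0.3           # assumed bias Pr(coin = 1); the proof leaves P_H2 abstract

class H2Oracle:
    """Sketch of the simulator's H_2 oracle: consistent replies via a
    lookup table, with Coron-style biased-coin programming for the
    guessed identity ID'."""

    def __init__(self, target_id, hs, rng=None):
        self.target_id = target_id   # the guessed identity ID'
        self.hs = set(hs)            # the values {h_1, ..., h_k} from the instance
        self.table = {}              # (ID, ds, t) -> (H_hat, coin)
        self.rng = rng or random.Random()

    def query(self, identity, ds, t):
        key = (identity, ds, t)
        if key in self.table:              # a random oracle must answer
            return self.table[key][0]      # repeated queries consistently
        if identity != self.target_id:
            # ID != ID': answer uniformly in Z_q^* and set coin = 0.
            coin, h = 0, self.rng.randrange(1, Q)
        else:
            coin = 1 if self.rng.random() < P_H2 else 0
            if coin == 1:
                # Answer outside {h_1, ..., h_k} (the "useful" branch).
                h = self.rng.randrange(1, Q)
                while h in self.hs:
                    h = self.rng.randrange(1, Q)
            else:
                # Answer inside {h_1, ..., h_k}, so C can still simulate.
                h = self.rng.choice(sorted(self.hs))
        self.table[key] = (h, coin)
        return h
```

The table also records `coin`, since C later needs to know which branch produced each answer when extracting the weak k-CAA solution from A_I's forgery.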