Certificateless Provable Data Possession Scheme for Cloud-Based Electronic Health Records System
Abstract
1. Introduction
2. Motivation and Contribution
- Outsourcing a majority of computations to the public cloud server to achieve data transferability. This allows the data recipient to generate their own tags and verify the integrity of the data without having to download the entire dataset stored on the cloud.
- Guaranteeing the data integrity of the transferred data. Converting the data owner’s remote data into the data recipient’s data, where the integrity can only be verified by the data recipient.
- Our scheme is founded on certificateless cryptography, which streamlines the complicated certificate management process.
- We conduct a security analysis of the proposed scheme and also demonstrate its performance through specific implementations. The results indicate that the proposed scheme attains satisfactory security and efficiency levels.
3. Related Work
4. Notions and Preliminaries
- Bilinear Map: Let be two multiplicative cyclic groups of large prime order p, and g be a generator of . The bilinear map is a map possessing the following characteristics:
  - Bilinearity: for all and , .
  - Computability: there exists an efficiently computable algorithm for computing map e.
  - Non-degeneracy: .
 
- Computational Diffie–Hellman (CDH) Problem: For unknown , given and as input, output . The CDH assumption in holds if it is computationally infeasible to solve the CDH problem in .
5. System Model and Security Model
5.1. System Model
- Cloud: The cloud offers users vast amounts of data storage space along with substantial computational resources. By means of cloud storage services, users are able to upload their data to the cloud and share it with other individuals.
- DO: The DO stores a large volume of data on the cloud. Prior to the transfer of the data, the DO conducts the remote data integrity checking on their own. Once the data have been transferred, the transferred data integrity checking is carried out by the data recipient.
- KGC: The KGC is trusted by other entities. It undertakes the responsibility of generating the system public parameters as well as the private keys corresponding to the identity IDs of other entities.
- DR: The DR inherits the DO’s remote data. Then, the DR can check the transferred data integrity by himself.
- Sanitizer: The sanitizer is a translation server used for proxy re-signing. The sanitizer transfers the DO’s tag to the DR’s Rtag with the help of the DR and the cloud. (For the transferred block, Rtag denotes the created tag for the DR)
5.2. Design Goals
- Correctness:
  - Private Key Correctness: It is necessary to make sure that when the Private Key Generator (PKG) dispatches a correct private key to the data owner (DO), data recipient (DR), or the cloud, this private key can successfully undergo and pass the verification procedures carried out by the DO, DR, or the cloud, respectively.
  - Signature Correctness: It should be guaranteed that when the DO and the sanitizer send valid tags or Rtags to the cloud, these tags or Rtags are able to pass the verification process implemented by the cloud.
  - Auditing Correctness: One must ensure that when the cloud accurately stores the data belonging to the DO, the proof generated by the cloud can pass the verification processes of both the DO and the DR.
 
- Auditing Soundness: It is required to assure that if the cloud does not actually store the intact data of the DO, then it will not be able to pass the verification procedures conducted by either the DO or the DR.
5.3. Definition
- Setup: Taking a security parameter k as input, the KGC generates the public keys and the respective public keys and private keys of the KGC, DO, cloud, and DR. In addition, the DO generates public values used to generate tags, and the KGC adds them to the system parameters after verifying them.
- TagGen: It is executed by the DO. Taking as input the parameter , the raw file F and private keys and , the algorithm outputs a tag set of F. Then, the cloud accepts it after verifying.
- ChalGen: It is run by the DO to generate a random challenge set, which the DO sends to the cloud.
- ProofGen: The cloud generates the corresponding proof P based on the challenge set and the data stored therein.
- ProofVerify: The DO performs the algorithm to check whether the outsourced F is intact. It takes the parameter , the private key , the integrity proof P, and the challenge information as input, and judges whether the cloud stores the data correctly.
- Authorized and RTagGen: It is an interactive algorithm run between the DO, DR, cloud, and sanitizer. The sanitizer generates the R-tag of the file blocks after obtaining the authorization from the other three entities.
- RTagCheck: The cloud accepts the R-tag after verifying its validity by using the public parameter and the private key .
- RProofGen: It is executed by the cloud to generate the response V including and according to the challenge .
- RProofCheck: Taking as input the parameter, the response V and the private key , the DR verifies the integrity of the file F on the cloud.
5.4. Security Model
5.4.1. Informal Security
- Internal security: This pertains to the security against untrustworthy sanitizers and the DR. It can be partitioned into two distinct security assurances.
  - Limited sanitizer security: The sanitizer is incapable of generating the block Rtag pairs for the DR without the authorization of either the DO, the DR, or the cloud. Even in the event of collusion between the sanitizer and the cloud, they cannot breach this limited sanitizer security.
  - DO security: Even if the sanitizer, DR, and the cloud collude, they cannot forge the tag on behalf of the DO.
 
- External security: It is the safeguard against foes external to the sanitizer Rtag framework (meaning they are distinct from the sanitizer, DO, and DR). The adversary is incapable of fabricating the block tag pairs or block Rtag pairs on behalf of the DO or DR. Notably, the cloud lacks the ability to forge the block tag pairs or block Rtag pairs on behalf of the DO or DR.
- During the RGenProof phase, in the event that certain challenged block R-tag pairs have been either modified or deleted, the response provided by the malicious cloud can only pass the RCheckProof phase with a probability that is so small as to be negligible.
5.4.2. Formal Security
- Hash Query: adaptively presents a sequence of hash queries to . In return, supplies the relevant hash values to .
- Partial Private Key Query: adaptively picks and asks for the partial private key. Subsequently, sends the corresponding partial private key to .
- Secret Key Query: adaptively opts for and requests the secret key. Then, sends the corresponding secret key to .
- PublicKey Query: adaptively selects and enquires about the public key. then provides the corresponding public key to .
- PublicKey Replace: has the capacity to replace the public key of with any random value. accordingly replaces the public key with the one chosen by .
- Tag Query: adaptively chooses the tuple and sends it to so as to get the tag on block f from the data owner with the identity . runs the TagGen algorithm to generate the tag on block f and offers the corresponding tag value to .
- The forged tag is valid for block with the identity and the corresponding public key .
- did not request the complete secret key of the user identified by the identity .
- did not ask for the partial secret key of the user identified by and did not replace the public key identified by .
- did not query for the tag value corresponding to .
- Hash Query: The adversary adaptively presents a sequence of hash queries to the challenger . In response, provides the corresponding hash values to .
- Partial Private Key Query: adaptively picks and requests the partial private key. Thereafter, sends the corresponding partial private key to .
- Secret Key Query: adaptively chooses and enquires about the secret key. Subsequently, sends the corresponding secret key to .
- TableProQuery: adaptively selects and and makes a query about the table . Then, sends the corresponding partial R-tag to .
- PublicKey Query: adaptively selects and asks for the public key. then supplies the corresponding public key to .
- PublicKey Replace: has the capability to substitute the public key of with any value. accordingly replaces the public key with the one selected by .
- Tag Query: adaptively opts for the tuple and sends it to aiming to obtain the tag on block f from the data owner with the identity . runs the TagGen algorithm to generate the tag on block f and gives the corresponding tag value to .
- The forged tag is valid for block with the identity and the public key .
- did not query the entire secret key of the user identified by the identity .
- did not request the partial secret key of the user identified by and did not replace the public key identified by .
- did not query the tag value corresponding to .
5.5. The Detectability
6. The Proposed Scheme
6.1. Setup
- In this phase, the KGC generates the system parameters via the following steps:
  - Given a security parameter , the cloud selects two cyclic multiplicative groups and having a large prime order q. Let g be a generator of . Let e denote a computable bilinear pairing: .
  - The KGC randomly picks as the master secret key and computes the master public key .
  - The KGC chooses four distinct hash functions , , , , a pseudo-random permutation , a pseudo-random function , a trapdoor function . Examples of applicable hash functions include SHA-256.
  - The KGC publishes the system parameters.
 
- The KGC generates the data owner’s (DO’s) partial private key in the following way:
  - The DO sends its identity to the KGC to obtain its partial key.
  - The KGC computes and returns to the DO.
  - After receiving , the DO verifies the correctness of the partial key by checking whether . If the verification fails, the DO rejects the partial private key and makes another request.
 
- The DO generates its secret value and public key as follows:
  - The DO randomly selects .
  - The DO computes as its secret key. In this case, the public key and secret key are, .
 
- The cloud and the data receiver (DR) generate their public keys and secret keys respectively, in a manner similar to the above steps, with one distinction.
- To reduce communication and computation costs, the DO randomly selects s values and computes s public values .
  - The DO keeps confidential and sends to the KGC, where .
  - The KGC verifies the correctness of the signature by If the verification is successful, the KGC incorporates into the system parameters. Otherwise, the KGC rejects it and notifies the DO to resend the public parameters. The interaction between the DO and the KGC during the process is summarized in Figure 2.
 
6.2. TagGen
- The DO divides the raw file F into n blocks, that is, .
- Each block is further broken down into s sectors , where . Consequently, the entire file can be expressed as .
- The DO computes and , for .
- The DO generates the tag for by computing where .
- The DO sends to the cloud such that . Finally, the DO deletes the original data except for .
- The cloud verifies the information in the following manner. It generates the aggregated tag and computes , . Then, it verifies the following equation: where . If the equation does not hold, the cloud rejects and declines to store the DO’s data. The process of is summarized in Figure 3.
6.3. ChalGen
6.4. ProofGen
- It generates the challenge set , where for .
- It computes and , where .
- The cloud returns the proof to the DO.
6.5. ProofVerify
- The DO generates the challenge set , where , for .
- The DO computes and , for .
- The DO checks whether the following equation holds: where . If the equation holds, that means the cloud has stored the data correctly.
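The block and sector layout from TagGen and the challenge set that both the DO and the cloud regenerate in ProofGen and ProofVerify can be sketched as follows. This is an added example, not code from the paper: the toy modulus `Q`, the 15-byte sector size, the use of HMAC-SHA256 as the pseudo-random function and as a sort key for the pseudo-random permutation, and the seed names `k1` and `k2` are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the prime group order q; a real deployment uses
# the order of the pairing groups chosen in Setup.
Q = 2**127 - 1
SECTOR_BYTES = 15  # 120-bit sectors, so every sector value is below Q


def split_file(data: bytes, s: int) -> list[list[int]]:
    """TagGen steps 1-2: F -> n blocks, each made of s sectors in Z_Q."""
    if not data or s < 1:
        raise ValueError("need a non-empty file and s >= 1")
    block_bytes = s * SECTOR_BYTES
    # Zero-pad the last block; the true file length must be kept elsewhere.
    data += b"\x00" * (-len(data) % block_bytes)
    blocks = []
    for off in range(0, len(data), block_bytes):
        block = data[off:off + block_bytes]
        blocks.append([
            int.from_bytes(block[j:j + SECTOR_BYTES], "big")
            for j in range(0, block_bytes, SECTOR_BYTES)
        ])
    return blocks


def prf(key: bytes, label: bytes, i: int) -> int:
    """HMAC-SHA256 as the pseudo-random function (assumed instantiation)."""
    mac = hmac.new(key, label + i.to_bytes(8, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big")


def challenge_set(k1: bytes, k2: bytes, n: int, c: int) -> list[tuple[int, int]]:
    """Derive c (block index, coefficient) pairs from two short seeds.

    Anyone holding (k1, k2, n, c) derives the same set, so the verifier only
    needs to send the seeds instead of the whole challenge.
    """
    if not 1 <= c <= n:
        raise ValueError("c must satisfy 1 <= c <= n")
    # Keyed permutation of [0, n): rank indices by their PRF value under k1.
    order = sorted(range(n), key=lambda i: prf(k1, b"perm", i))
    # Non-zero coefficient in Z_Q for each challenged position, keyed by k2.
    return [(order[j], prf(k2, b"coef", j) % (Q - 1) + 1) for j in range(c)]


if __name__ == "__main__":
    record = b"constructed EHR sample " * 40  # constructed sample input
    blocks = split_file(record, s=4)
    chal = challenge_set(b"seed-1", b"seed-2", n=len(blocks), c=5)
    print(len(blocks), "blocks; challenged indices:", [i for i, _ in chal])
```

Because only `c` of the `n` blocks are sampled per audit, a single audit is probabilistic; repeated audits with fresh seeds cover different blocks.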
6.6. Authorized and RTagGen
- The DR computes the re-key and sends it to the sanitizer, which can be used to transfer the data owner’s block tag pairs into the data steward’s block R-tag pairs.
- For , the cloud computes and . Then, it sends to the DO and sends to the sanitizer.
- The DO computes , where , , . Then, it sends to the sanitizer.
- The table is initially empty and is kept by the sanitizer. If there exists the tuple (DO, ∗) in the table , the sanitizer retrieves the tuple (data owner, t) and gets t. Otherwise, the sanitizer chooses and stores (data owner, t) into the table .
- Using the chosen or retrieved value t, the sanitizer computes the R-tag as the following procedure.
- It is noted that:
- We denote the R-tag as . Finally, the cloud gets all the block Rtags . The processes of are summarized in Figure 4.
6.7. RTagCheck
- Computes and .
- The cloud tests whether the following formulas hold: where . If they hold, then the cloud accepts it. Otherwise, the block R-tag pair is rejected.
6.8. RProofGen
- For , computes .
- Computes , for .
- Outputs .
6.9. RProofCheck
- For , computes .
- Computes , , .
- Checks whether the following formulas hold: If they hold, then the DR outputs “”. Otherwise, the DR outputs “”.
7. Analysis of Our Scheme
7.1. Correctness
7.2. Security Analysis
- If is in , S checks whether . If , S inquires from . If , S terminates. Otherwise, S computes when and updates . If , S directly retrieves and sends it to .
- If is not in , S retrieves from . If , S terminates. Otherwise, S computes and inserts into .
- If is in , S checks whether . If , S randomly selects and sets . Then, S updates . If , S terminates. If , S retrieves and sends it to .
- If is not in , S randomly selects and sets . Then, S sends to and inserts into .
- If it is, S sets , , then S updates and and sends to .
- If not, S selects a random value , sets , , inserts into and sends to .
- If is in , S retrieves and returns it to .
- If is not in , S randomly selects , sets , . Then, S sends to and inserts into .
- If is in , S replaces in with.
- If is not in , S inserts into .
- If , S retrieves t.
- If , S selects a random value and flips a coin with the probability of when and when . If , S sets . If , S computes . S inserts the new tuple to .
7.3. The Detectability
7.4. Functionality Comparison
7.5. Performance Evaluation
7.5.1. Computational Overhead
7.5.2. Communication Cost
7.5.3. Storage Cost
8. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Sun, J.; Fang, Y. Cross-Domain Data Sharing in Distributed Electronic Health Record Systems. IEEE Trans. Parallel Distrib. Syst. 2010, 21, 754–764.
- Ren, K.; Wang, C.; Wang, Q. Security Challenges for the Public Cloud. IEEE Internet Comput. 2012, 16, 69–73.
- Ni, J.; Zhang, K.; Yu, Y.; Yang, T. Identity-Based Provable Data Possession From RSA Assumption for Secure Cloud Storage. IEEE Trans. Dependable Secure Comput. 2022, 19, 1753–1769.
- Shah, P.; Prajapati, P. Provable Data Possession Using Additive Homomorphic Encryption. J. King Saud Univ. Comput. Inf. Sci. 2022, 34, 3448–3453.
- Guo, W.; Qin, S.; Gao, F.; Zhang, H.; Li, W.; Jin, Z.; Wen, Q. Dynamic Proof of Data Possession and Replication With Tree Sharing and Batch Verification in the Cloud. IEEE Trans. Serv. Comput. 2022, 15, 1813–1824.
- Li, T.; Chu, J.; Hu, L. CIA: A Collaborative Integrity Auditing Scheme for Cloud Data With Multi-Replica on Multi-Cloud Storage Providers. IEEE Trans. Parallel Distrib. Syst. 2023, 34, 154–162.
- Deng, L.; Wang, B.; Wang, T.; Feng, S.; Li, S. Certificateless Provable Data Possession Scheme With Provable Security in the Standard Model Suitable for Cloud Storage. IEEE Trans. Serv. Comput. 2023, 16, 3986–3998.
- Ateniese, G.; Burns, R.; Curtmola, R.; Herring, J.; Kissner, L.; Peterson, Z.; Song, D. Provable Data Possession at Untrusted Stores. In Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 2 November–31 October 2007; pp. 598–609.
- Juels, A.; Kaliski, B.S. Pors: Proofs of Retrievability for Large Files. In Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 2 November–31 October 2007; pp. 584–597.
- Shacham, H.; Waters, B. Compact Proofs of Retrievability. J. Cryptol. 2013, 26, 442–483.
- Tan, X.; Xie, Q.; Han, L.; Wang, S.; Liu, W. Proof of Retrievability with Flexible Designated Verification for Cloud Storage. Comput. Secur. 2023, 135, 103486.
- Wang, C.; Chow, S.S.M.; Wang, Q.; Ren, K.; Lou, W. Privacy-Preserving Public Auditing for Secure Cloud Storage. IEEE Trans. Comput. 2013, 62, 362–375.
- Worku, S.G.; Xu, C.; Zhao, J.; He, X. Secure and Efficient Privacy-Preserving Public Auditing Scheme for Cloud Storage. Comput. Electr. Eng. 2014, 40, 1703–1713.
- Guan, C.; Ren, K.; Zhang, F.; Kerschbaum, F.; Yu, J. Symmetric-Key Based Proofs of Retrievability Supporting Public Verification. In Computer Security–ESORICS 2015; Pernul, G., Ryan, P.Y.A., Weippl, E., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2015; Volume 9326, pp. 203–223. ISBN 978-3-319-24173-9.
- Shen, W.; Yu, J.; Xia, H.; Zhang, H.; Lu, X.; Hao, R. Light-Weight and Privacy-Preserving Secure Cloud Auditing Scheme for Group Users via the Third Party Medium. J. Netw. Comput. Appl. 2017, 82, 56–64.
- Ateniese, G.; Di Pietro, R.; Mancini, L.V.; Tsudik, G. Scalable and Efficient Provable Data Possession. In Proceedings of the 4th International Conference on Security and Privacy in Communication Networks, Istanbul, Turkey, 22–25 September 2008; pp. 1–10.
- Erway, C.C.; Küpçü, A.; Papamanthou, C.; Tamassia, R. Dynamic Provable Data Possession. ACM Trans. Inf. Syst. Secur. 2015, 17, 1–29.
- Wang, Q.; Wang, C.; Ren, K.; Lou, W.; Li, J. Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing. IEEE Trans. Parallel Distrib. Syst. 2011, 22, 847–859.
- Yu, J.; Ren, K.; Wang, C.; Varadharajan, V. Enabling Cloud Storage Auditing with Key-Exposure Resistance. IEEE Trans. Inform. Forensic Secur. 2015, 10, 1167–1179.
- Yu, J.; Ren, K.; Wang, C. Enabling Cloud Storage Auditing With Verifiable Outsourcing of Key Updates. IEEE Trans. Inform. Forensic Secur. 2016, 11, 1362–1375.
- Yu, J.; Wang, H. Strong Key-Exposure Resilient Auditing for Secure Cloud Storage. IEEE Trans. Inform. Forensic Secur. 2017, 12, 1931–1940.
- Yu, J.; Hao, R.; Xia, H.; Zhang, H.; Cheng, X.; Kong, F. Intrusion-Resilient Identity-Based Signatures: Concrete Scheme in the Standard Model and Generic Construction. Inf. Sci. 2018, 442–443, 158–172.
- Wang, B.; Li, B.; Li, H. Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud. IEEE Trans. Cloud Comput. 2014, 2, 43–56.
- Yang, G.; Yu, J.; Shen, W.; Su, Q.; Fu, Z.; Hao, R. Enabling Public Auditing for Shared Data in Cloud Storage Supporting Identity Privacy and Traceability. J. Syst. Softw. 2016, 113, 130–139.
- Fu, A.; Yu, S.; Zhang, Y.; Wang, H.; Huang, C. NPP: A New Privacy-Aware Public Auditing Scheme for Cloud Data Sharing with Group Users. IEEE Trans. Big Data 2022, 8, 14–24.
- Wang, B.; Li, B.; Li, H. Panda: Public Auditing for Shared Data with Efficient User Revocation in the Cloud. IEEE Trans. Serv. Comput. 2015, 8, 92–106.
- Luo, Y.; Xu, M.; Fu, S.; Wang, D.; Deng, J. Efficient Integrity Auditing for Shared Data in the Cloud with Secure User Revocation. In Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA, Helsinki, Finland, 20–22 August 2015; pp. 434–442.
- Wang, H. Identity-Based Distributed Provable Data Possession in Multicloud Storage. IEEE Trans. Serv. Comput. 2015, 8, 328–340.
- Wang, H.; He, D.; Tang, S. Identity-Based Proxy-Oriented Data Uploading and Remote Data Integrity Checking in Public Cloud. IEEE Trans. Inform. Forensic Secur. 2016, 11, 1165–1176.
- Yu, Y.; Au, M.H.; Ateniese, G.; Huang, X.; Susilo, W.; Dai, Y.; Min, G. Identity-Based Remote Data Integrity Checking With Perfect Data Privacy Preserving for Cloud Storage. IEEE Trans. Inform. Forensic Secur. 2017, 12, 767–778.
- Wang, H.; He, D.; Yu, J.; Wang, Z. Incentive and Unconditionally Anonymous Identity-Based Public Provable Data Possession. IEEE Trans. Serv. Comput. 2019, 12, 824–835.
- Zhang, Y.; Yu, J.; Hao, R.; Wang, C.; Ren, K. Enabling Efficient User Revocation in Identity-Based Cloud Storage Auditing for Shared Big Data. IEEE Trans. Dependable Secure Comput. 2018, 17, 608–619.
- Shen, W.; Yang, G.; Yu, J.; Zhang, H.; Kong, F.; Hao, R. Remote Data Possession Checking with Privacy-Preserving Authenticators for Cloud Storage. Future Gener. Comput. Syst. 2017, 76, 136–145.
- Ma, H.; Tian, G.; Liu, Z.; Zhang, L. Secure Data Deduplication with Ownership Management and Sharing in Cloud Storage. In Frontiers in Cyber Security; Li, F., Takagi, T., Xu, C., Zhang, X., Eds.; Communications in Computer and Information Science; Springer: Singapore, 2018; Volume 879, pp. 168–176. ISBN 9789811330940.
- Miao, Y.; Huang, Q.; Xiao, M.; Susilo, W. Blockchain Assisted Multi-Copy Provable Data Possession With Faults Localization in Multi-Cloud Storage. IEEE Trans. Inform. Forensic Secur. 2022, 17, 3663–3676.
- Shen, W.; Qin, J.; Yu, J.; Hao, R.; Hu, J. Enabling Identity-Based Integrity Auditing and Data Sharing With Sensitive Information Hiding for Secure Cloud Storage. IEEE Trans. Inform. Forensic Secur. 2019, 14, 331–346.
- Shen, J.; Zeng, P.; Choo, K.-K.R.; Li, C. A Certificateless Provable Data Possession Scheme for Cloud-Based EHRs. IEEE Trans. Inform. Forensic Secur. 2023, 18, 1156–1168.
- Wang, H.; He, D.; Fu, A.; Li, Q.; Wang, Q. Provable Data Possession with Outsourced Data Transfer. IEEE Trans. Serv. Comput. 2021, 14, 1929–1939.




| Notation | Meaning |
|---|---|
| p | One large prime |
| | Multiplicative cyclic groups with order p |
| g | A generator of group |
| e | A bilinear pairing map |
| | A prime field with nonzero elements |
| n | The number of data blocks of file F |
| | The original file F |
| | The identities of the data owner, the cloud and the data recipient |
| | The master secret key |
| | The data owner’s private key and public key |
| | The cloud’s private key and public key |
| | The data recipient’s private key and public key |

| Schemes | Private Verification | Certificateless | Data Transmission |
|---|---|---|---|
| W. Shen [36] | No | Yes | No |
| J. Shen [37] | Yes | Yes | No |
| H. Wang [38] | Yes | No | Yes |
| Our Scheme | Yes | Yes | Yes |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Wu, Y.; Tan, X.; Xie, Q. Certificateless Provable Data Possession Scheme for Cloud-Based Electronic Health Records System. Mathematics 2024, 12, 3883. https://doi.org/10.3390/math12243883