Stateless Cloud Auditing Scheme for Non-Manager Dynamic Group Data With Privacy Preservation

As one of the core services of cloud computing, cloud storage could satisfy various storage and management requirements caused by the growth of data. Considering the complexity and uncontrollability of the cloud storage environment, many cloud auditing schemes were presented to assure the integrity of data in the cloud. However, most existing schemes have security risks, such as identity privacy and data privacy disclosure, authority abuse of group managers and collusion attacks during user revocation. To solve these problems, we propose a stateless cloud auditing scheme for non-manager dynamic group data with privacy preservation. The proposed scheme not only realizes user identity privacy preservation but also preserves data privacy security with the random masking technique. Unlike other solutions, our scheme allows $t$ group users to trace the user’s identity cooperatively without group managers, which eliminates authority abuse of group managers and provides non-frameability. Meanwhile, utilizing the concept of Shamir Secret Sharing, our scheme divides the re-signing process into several parts to resist collusion attacks during user revocation. By the designed binary tree, group users could trace dynamic data changes and recover the latest data when existing data are damaged. Besides, both users and the third-party auditor (TPA) are stateless in our scheme; that is, they do not need to maintain data index information during cloud auditing. Our scheme also achieves mutual supervision between users and cloud service providers (CSPs), which ensures non-repudiation of data for both parties. Furthermore, we construct an efficient incentive for data visitors by using the blockchain technology and design a secure data sharing model to guarantee that data owners control their data ownership. Certificateless cryptography assures that the proposed scheme avoids certificate management and key escrow problems.
Finally, security analysis and performance evaluation show that our scheme is secure and efficient.


I. INTRODUCTION
Cloud storage is a crucial part of the cloud computing platform, which makes individuals and groups enjoy virtualized infrastructure while avoiding paying huge expenses. Due to many advantages of cloud storage, more and more users chose to store their data to some well-known CSPs, such as iCloud and Google Docs [1]. Although these CSPs promise to provide a safe and reliable environment to users, Byzantine failures, malicious external and internal attacks [2], [3] may still affect the integrity of data in the cloud. Since users lose direct control of data, they cannot know the status of the data in the cloud. Therefore, to assure the integrity of the data in the unstable cloud, it is crucial to develop cloud auditing.
The associate editor coordinating the review of this manuscript and approving it for publication was Muhammad Imran Tariq.
In recent years, many cloud auditing schemes based on the traditional public key cryptography (PKC) have been proposed. In these schemes, the user's identity and public key are bound together by a digital certificate. However, the distribution and management of certificates bring a heavy computational overhead. To address this concern, many researchers focused on studying identity-based cryptography (IBC) cloud auditing schemes. The public keys of users are generated with their unique identities, and users' private keys are generated by the private key generation center (PKG). Unfortunately, once PKG is compromised, it can easily impersonate any user to forge tags without being discovered. In contrast, certificateless cryptography is a good choice, where the user's private key consists of a secret value and a partial key. The secret value is chosen by the user, and the partial key is generated by the key generation center (KGC), which eliminates the key escrow problem. Besides, the user's public key is generated by himself/herself, so certificateless cryptography also avoids the certificate management problem.
In certificateless settings, most cloud auditing schemes only focus on personal data [4]-[6]. When users want to share data with others in the group, some new issues appear. For instance, the TPA could find which user is more important in the group, and which data are more critical after several audits. Meanwhile, frequent data auditing may bring more attacks, such as address tracking. Therefore, it is vital to achieve identity anonymity of group users during data auditing. However, anonymity protects the identity privacy of group users while also leading to other risks. For example, when malicious group users upload illegal data or modify shared data for their interests, the property of anonymity offers a protective umbrella for them and makes them escape punishment. Aiming at this problem, researchers proposed a series of cloud auditing schemes with traceability. Unfortunately, some of these schemes rely on one group manager with hugely high permissions. If this group manager discloses private information, it will bring severe threats to the identity privacy security of group users. There are also some schemes that require multiple group managers to track misbehaved users' identities cooperatively. Although they provide non-frameability, a lot of extra overheads are also generated because of the joining of group managers. Therefore, it is still an open challenge to design a cloud auditing scheme for identity privacy preservation and identity traceability.
Notably, in a secure cloud auditing scheme, the issue of data content disclosure in the process of auditing should be avoided. As the TPA is not fully trusted [7], he/she could collect a sufficient number of linear combinations from auditing information to obtain the sampled shared data content by solving linear equations [8]. To protect the data privacy, some shared cloud data auditing schemes use the random masking technology [9] or zero-knowledge privacy technology [10] to prevent the TPA from getting any information on the shared data. Unfortunately, in these schemes, the generation of tags, the update of data, and the verification of auditing proofs involve the data index information. The group users and the TPA need to maintain a large data index table or index-hash table, which significantly increases the computation costs. Therefore, ensuring data privacy security, and making group users and the TPA stateless are both essential to cloud auditing schemes.
Meanwhile, considering the group is dynamic, users should be able to revoke from the group at any time. Since the tags of shared data are generated with users' private keys, all tags of the revoked user need to transform into the tags of an existing group user. In traditional cloud auditing schemes, an existing group user is required to download all data of the revoked user, re-sign these data, and send new tags to the CSP. These operations produce many computation overheads. To overcome these shortcomings, some new cloud auditing schemes [11]-[14] that support user revocation are proposed. In these schemes, the CSP communicates with the revoked user to transform all his/her tags into the tags of one existing group user by using the re-signing key. However, the revoked user and the CSP could obtain private keys of existing group users by colluding. Therefore, how to ensure efficient and safe revocation of group users becomes an urgent issue to be solved in the cloud auditing schemes for shared data.
Furthermore, cloud storage is not only a data warehouse but also should ensure that group users update data dynamically according to different application purposes. For the sake of dynamic data integrity checking, researchers proposed data structures based on the index hash table (IHT) [12]-[15] and Merkle Hash Tree (MHT) [16]-[18] to support dynamic data operations. Unfortunately, these data structures can only record the latest data and the corresponding tags, making it impossible for group users to track the changes of data. If the existing data are lost or corrupted, users cannot recover them from the records. Thus, the issues of data traceability and data recoverability also should be taken into consideration.
At present, there is usually a lack of efficient mutual supervision between the CSP and users. On the one hand, to get compensation from the CSP, group users may falsely claim that their data in the cloud are lost. On the other hand, the CSP may only save old data for users and refuse to keep the updated data. In this case, it is difficult to determine which party tells the truth. Therefore, unsupervised data uploading is another important problem that should be solved.
So far, few schemes consider that the data owners may lose control of their data once the data are copied by other users in the process of data sharing. If other group users trade the copied shared data for profit, the rights of the data owners would be seriously violated. Meanwhile, during shared data accessing, data visitors should be rewarded according to the number of times that they access shared data. Therefore, security and practicality also cannot be ignored during data sharing and data accessing.

A. OUR CONTRIBUTIONS
In this paper, a stateless cloud auditing scheme for non-manager dynamic group data with privacy preservation is proposed. We summarize significant contributions as follows.
(1) We present an efficient and secure certificateless cloud auditing scheme for shared data, which not only avoids the certificate management of PKC but also eliminates key escrow problem of IBC.
VOLUME 8, 2020
(2) Our scheme could satisfy multi-levels of privacy preservation, including user identity privacy preservation and data content privacy preservation. Specifically, the TPA cannot obtain group users' identities information and shared data content from tags of shared data and auditing proof.
(3) Our scheme could realize identity traceability of group users without any group manager while assuring identity anonymity of users. Each group user in the proposed scheme is assigned the equal power to manage the group. Leveraging the Lagrange interpolation, at least $t$ valid group users can trace the identity of the misbehaved user from the tags, which guarantees non-frameability of the scheme and avoids authority abuse of group managers.
(4) Our scheme makes group users and the TPA stateless by introducing a new entity called cloud partner (CP), where the CP only stores a small amount of metadata. With this method, group users and the TPA no longer need to maintain complex data index tables, which reduces overheads of data auditing and dynamic data updates.
(5) Our scheme realizes efficient and secure user revocation. Unlike the traditional method, the existing user does not need to perform tag processing operations. Based on the concept of Shamir secret sharing, the re-signing process of our scheme is divided into several parts, which are deployed to the CP. The method prevents the CSP from transforming tags between any two group users and makes the collusion attacks between the revoked user and the CSP impossible.
(6) We design a data structure based on the binary tree, which not only could support the dynamic data auditing but also achieves traceability and recoverability of data. The group users could easily find the previously stored data and recover these data content by the designed binary tree when the existing data are damaged.
(7) Our scheme achieves mutual supervision between group users and the CSP. In the process of interaction, the user and the CSP collaborate to generate a receipt of the upload data, which ensures non-repudiation of the data for both parties.
(8) We design a secure shared data accessing model, which provides data visitors with an access interface instead of directly sharing data to them. This method offers data owners protection of the ownership and the control of data. Meanwhile, we use the blockchain technology to record the times that data visitors access the shared data, and achieve effective incentive for data visitors according to these recordings.
(9) The proposed scheme is proved to have strong security in the random model, which could resist two types of attacks of the certificateless environment and satisfy many security requirements. The performance analysis shows that our scheme is more efficient than other related schemes in communication and computation costs.

B. RELATED WORKS
To provide better cloud storage services to users, Ateniese et al. [19] presented the first provable data possession (PDP) model, which allows users to check the integrity of data without retrieving all files in the cloud. Then Juels and Kaliski [20] presented the proofs of retrievability (POR) model, which could generate the proof that the verifier retrieves data. Based on PDP and POR models, more cloud auditing schemes were proposed to satisfy different application requirements.
We remark that most cloud auditing schemes are based on PKC [14], [21]. In these schemes, the user needs to check the validity of the certificate every time before using his/her public key, which produces much computational overhead. For the case, IBC is adopted by many cloud auditing schemes [22], [23]. For instance, Yu et al. [24] presented an IBC cloud auditing scheme by using RSA signature technology, which realizes variable-size file blocks and cloud data public auditing. Wang et al. [25] presented a proxy-oriented IBC cloud auditing scheme, which could upload and audit the cloud data for managers. Although IBC avoids certificate management, it is not the best choice for auditing data integrity due to the inherent key escrow drawback. Wang et al. [26] first presented the certificateless cloud auditing scheme, which eliminates the key escrow problem. Li et al. [27] presented a certificateless shared cloud data auditing scheme, but it cannot protect the privacy security of cloud data and user identity privacy security against the TPA.
Besides safe key management, the property of identity anonymity is also important for group users. Wang et al. [15] proposed the first user identity protection mechanism ''Oruta'' supporting cloud data auditing and used the ring signature technology to construct a cloud auditing scheme with user identity privacy preservation. He et al. proposed a privacy preservation cloud auditing scheme for group users [28]. In this scheme, the tags of every user are transformed into the tags of the TPA, which assures the identity security of group users against the TPA. Later, Wu et al. [29] proposed a certificateless cloud auditing scheme with privacy preservation for group users. However, none of the above three schemes supports the group user identity tracking. To solve the problem, Wang et al. [12] proposed a cloud auditing scheme ''Knox'' by using group signature technology, which realizes the identity traceability of misbehaved users by the group manager. Nevertheless, this method may cause that the innocent group user is framed and the malicious user is harbored because of the high authority of the group manager. Fu et al. [30] presented a cloud auditing scheme with traceability, which requires multiple group managers to work together to disclose malicious user identity. Although scheme [30] overcomes the problem of frameability, such a method of centralized control is still undesirable in some applications, such as when a group is managed jointly by multiple users.
When it comes to privacy preservation, data privacy protection is also a vital property to shared cloud data auditing. Early on, most cloud auditing schemes had the data privacy problem, because the challenged data were aggregated into the linear combination to be one part of the auditing proof and the TPA could easily get the data content from the auditing proof. For example, Yang et al. [31] indicated the fact that the scheme ''Panda'' [14] cannot resist the auditing proof forgery attack and may cause the data content leakage. Yu et al. [32] proposed a cloud auditing scheme with the perfect data privacy preservation relying on IBC. Zhu et al. [33] also proposed a cloud auditing scheme with data privacy preservation that achieves data dynamics utilizing an index hash table. Nevertheless, in the above schemes, group users and the TPA are required to maintain an index related table, which involves heavy computational and storage burden. Zhao et al. [34] proposed a group users stateless cloud auditing scheme with data privacy preservation, which only considers the stateless of users, and ignores the stateless of the TPA. What's more, the scheme also cannot support the user revocation.
To realize that users could revoke from the group flexibly and efficiently, many schemes [13], [14] are proposed. In these schemes, the CSP transforms the tags of the revoked user into the tags of an existing group user. Although the method does not affect existing group users, it is vulnerable to collusion attacks. Wang et al. [14] proposed a cloud auditing scheme that supports efficient user revocation. However, the CSP must know the re-signing keys of both users in advance, which brings some security flaws. For instance, a malicious CSP could arbitrarily specify a user in the group to receive the revoked user's tags. The CSP and the revoked user could also launch collusion attacks to get private keys of existing users.
Since data stored in the cloud may be updated frequently for various application requirements, cloud auditing schemes also need to consider the dynamic nature of cloud data. However, the previous cloud auditing schemes could only verify the integrity of static data in the cloud. To address this issue, Zhang et al. [18] presented an MHT-based cloud auditing scheme to realize the auditing for dynamic data in the cloud. Later, a modified MHT cloud auditing scheme [35] with each node containing two values was proposed, which reduces the computational complexity of finding leaf nodes. However, the MHT-based cloud auditing schemes still have some severe overhead problems. Zhu et al. [33] proposed another data structure IHT that supports data dynamics, but it cannot achieve traceability and recoverability of data. In 2014, Mo et al. [36] presented an MHT-based data possession verification scheme with non-repudiation. However, the scheme also does not support privacy preservation and TPA auditing.
In addition, to prevent data owners from losing control of their data, Huang et al. [37] proposed a privacy-preserving cloud auditing scheme with secure data sharing, but the scheme does not realize that the data are non-repudiation to group users and the CSP. Meanwhile, the incentive of the scheme is designed for data signers, which ignores data visitors.

II. PRELIMINARIES
In this section, we introduce some preliminaries that are used in this paper, including bilinear pairing, hardness assumptions, threshold secret sharing and blockchain technology.

A. BILINEAR PAIRING
Let $G_1$ and $G_2$ be cyclic groups with the same prime order $p$. $g$ is the generator of $G_1$. The bilinear map $e : G_1 \times G_1 \to G_2$ satisfies the following conditions.

B. HARDNESS ASSUMPTIONS
Definition 2 (CDH Hypothesis): For any probabilistic polynomial time algorithm $C$, the probability of solving the CDH problem in $G_1$ is defined as: If Adv CDH (C) is negligible, it is difficult to solve the CDH problem.

C. SHAMIR THRESHOLD SCHEME
In 1979, Shamir first proposed a $(t, n)$ threshold scheme based on polynomial Lagrange interpolation formula [38]. The scheme can distribute a secret $U$ among $n$ users of a group, and each group user is assigned a share of $U$. The secret $U$ reconstruction requires at least $t$ group users. The steps of the $(t, n)$ threshold scheme are as follows.
(1) Secret division: First, the secret distributor $D$ selects . . , $n$, and computes $y_k = L(x_k)$. Finally, $D$ sends $(x_k, y_k)$ to the group user $u_k$ in secret. The polynomial is confidential and should be destroyed.
(2) Secret recovery: Suppose any $t$ group users restore the secret $U$ together. First, $t$ group users offer their shares $y_l$. Finally, the constant term $L(0)$ of the polynomial $L(x)$ is the secret $U$ to be recovered.

D. BLOCKCHAIN TECHNOLOGY
Blockchain is a list of orderly records linked together by blocks, which is essentially a decentralized database.
According to the degree of network centralization, blockchain can be divided into three modes: public blockchain, consortium blockchain and private blockchain. The public blockchain is completely decentralized and permissionless. Users could visit any node in the public blockchain. The consortium blockchain is a partially decentralized blockchain, which is usually jointly managed by multiple organizations. The users who are authorized by the organization could access the consortium blockchain. The private blockchain is a fully centralized blockchain with tamper resistance. Meanwhile, the access rights are controlled by a central authority.
In our scheme, we use a private blockchain to record the shared data accessing information of group users, which is only open to group users and the CSP.

III. SYSTEM MODEL AND SECURITY MODEL
In this section, we introduce the system model, the definition of our scheme and the security model.

A. SYSTEM MODEL
The system model in this paper mainly consists of two parts: data accessing and data auditing. The former is the model that group users access shared data, and the latter is the model that the TPA checks the integrity of shared data in the cloud. As Figure 1 shows, the data accessing model mainly includes four entities: the data uploader (DU), the group users (GUs), CP and CSP. The specific interaction process is as follows: Firstly, the DU generates the hash value, the tags of hash value and the data, and sends the hash value tag to the CP, the shared data with the tag and the authorization to the CSP. Secondly, after verifying the identity of the DU, the CSP generates and sends the tag of the hash value to the CP, the receipt to the DU. Thirdly, GUs send requests to the CSP to access the shared data. The requests contain the identity information of the visitors and the accessed data identity. Since the blockchain technology has the property of the tamper resistance, it could record the identity of the data visitor and the access time accurately. The DU could obtain rewards according to these accessing recordings kept in the private blockchain. Finally, after receiving requests, the CSP shares the data access interface with GUs, which assures the benefits of the DU.
As Figure 2 shows, the data auditing model mainly includes five entities: KGC, GUs, CP, CSP and TPA. The specific interaction process is as follows: Firstly, GUs generate their private keys and public keys utilizing partial keys distributed from the KGC, and compute re-signing key shares and send them to the CP. Secondly, GUs send auditing requests that are used to check the integrity of the data in the cloud to the TPA. Thirdly, the TPA generates the challenge for GUs and sends them to the CSP. After receiving the challenge, the CSP generates the proof and sends it to the TPA. Finally, the TPA gets the hash value from the CP to verify the correctness of the proof, and sends a response to GUs.
(1) KGC: It is a semi-trusted third-party entity who could output public parameters and system master key, and generate partial keys for every group user.
(2) GUs: They are users of the group who have a lot of data. In order to reduce the burden of data storage and maintenance, they store and share their data in the cloud. They could also access and modify the shared data in the cloud.
(3) DU: It is the data uploader and a member of GUs, whose responsibility is uploading the shared data.
(4) CSP: It is a third-party entity to coordinate and manage several cloud servers to provide computation resources and the shared data storage service.
(5) TPA: It is the third-party auditor that only serves GUs and has the ability to audit the integrity of the shared data for GUs.
(6) CP: It is a reliable entity, whose responsibility is storing the hash value of shared data, publishing hash value to TPA for auditing, and helping GUs revoke from the group.

B. DEFINITION OF OUR SCHEME
Our scheme includes ten algorithms, namely system setup algorithm and partial key generation algorithm run by KGC, secret value generation algorithm, public key generation algorithm, share generation algorithm and tag generation algorithm run by a group user, challenge generation algorithm and proof verify algorithm run by the TPA, and tag verify algorithm, proof generation algorithm run by the CSP. They are represented by Setup, PartialKeyGen, SecretValueGen, PublicKeyGen, ShareGen, TagGen, TagVerify, ChallGen, ProofGen, and ProofVerify. These algorithms are described as follows.
Setup ( ) → $\alpha$, params: Input a security parameter , it returns the parameters params, the system master key $\alpha$.
PartialKeyGen (params, $\alpha$, $ID_i$) → $D_i$: Input params, $\alpha$ and the identity $ID_i$, it returns the partial key $D_i$.
SecretValueGen (params, $ID_i$) → $\gamma_i$: Input params and $ID_i$, it returns the secret value $\gamma_i$.
PublicKeyGen (params, $\gamma_i$) → $pk_i$: Input params and $\gamma_i$, it returns the public key $pk_i$.
ShareGen (params, $\gamma_i$, $pk_k$) → $(x_k, y_k, z_k)$, $F_i$: Input params, $\gamma_i$ and the public keys $pk_k$ $(k = 1, \dots, n,\ k \neq i)$ of group users, it returns the sharing share $(x_k, y_k, z_k)_{k=1,\dots,n,\ k \neq i}$ and $F_i$.
the data $m$, the index $w$ and the time stamp $T$, it returns the tag $\sigma$, the hash value tag $N^*$ signed by $u_i$ and the authorization $T^*$.
ChallGen (params, $j_{max}$) → chal: Input params and the maximum index $j_{max}$, it returns the challenge chal.

C. SECURITY MODEL
In the certificateless environment, we introduce two adversaries to demonstrate the security of the proposed scheme. $A_{\mathrm{I}}$ is a dishonest adversary who could replace any user's public key in the group with other value, although he/she cannot get $\alpha$. $A_{\mathrm{II}}$ is a curious adversary whose ability is accessing $\alpha$ instead of replacing the public key of any group user.
In order to prove our scheme could be secure against two types of adversaries, we define some oracles at first.
Partial Key Generation Oracle $O_d(ID^*)$: The adversary inputs the identity $ID^*$, it outputs $D_{ID^*}$ as the partial key of $ID^*$.
Secret Value Generation Oracle $O_s(ID^*)$: The adversary inputs the identity $ID^*$, it outputs $\gamma_{ID^*}$ as the secret value of $ID^*$.
Public Key Oracle $O_p(ID^*)$: The adversary inputs the identity $ID^*$, it outputs $pk_{ID^*}$ as the public key of $ID^*$.
Public Key Replace Oracle $O_r(ID^*, pk_{ID^*})$: The adversary inputs the identity $ID^*$ and the public key $pk_{ID^*}$, it replaces the corresponding public key of $ID^*$ with $pk_{ID^*}$.
Tag Generation Oracle $O_t(ID^*, w^*, m^*)$: The adversary inputs the identity $ID^*$, the index $w^*$ and the data $m^*$, it outputs the tag of the data $m^*$ on $ID^*$ with the public key $pk_{ID^*}$.
Next, we define the security model against adversary $A_{\mathrm{I}}$. The specific process between the adversary $A_{\mathrm{I}}$ and the challenger $C$ is described as follows.
Setup: $C$ performs the system setup algorithm Setup, sends public parameter param to $A_{\mathrm{I}}$, and keeps the system master key $\alpha$ secret.
Queries: $A_{\mathrm{I}}$ inquires the partial key generation oracle $O_d$, secret value generation oracle $O_s$, public key oracle $O_p$, public key replace oracle $O_r$, and tag generation oracle $O_t$. $C$ generates the responses for these queries.
Forgery: $A_{\mathrm{I}}$ returns the forged tag $\sigma$ with the public key $pk_{ID}$ of the identity $ID$ on data $m$.
If all the following conditions are true, $A_{\mathrm{I}}$ wins the game.
(1) $A_{\mathrm{I}}$ never asks for the partial key generation oracle $O_d$ of the identity $ID$.
(2) $A_{\mathrm{I}}$ never asks for the tag generation oracle $O_t$ on data $m$ of the identity $ID$.
(3) $A_{\mathrm{I}}$ generates the forged tag $\sigma$ that is valid.
Last, we define the security model against adversary $A_{\mathrm{II}}$. The specific process between the adversary $A_{\mathrm{II}}$ and the challenger $C$ is described as follows.
Setup: $C$ performs the system setup algorithm Setup, and sends public parameter param and the system master key $\alpha$ to $A_{\mathrm{II}}$.
Queries: $A_{\mathrm{II}}$ inquires the secret value generation oracle $O_s$, public key oracle $O_p$, and tag generation oracle $O_t$. $C$ generates the responses for these queries.
Forgery: $A_{\mathrm{II}}$ returns the forged tag $\sigma$ of the identity $ID$ on data $m$.
If all the following conditions are true, $A_{\mathrm{II}}$ wins the game.
(1) $A_{\mathrm{II}}$ never asks for the secret value generation oracle $O_s$ of the identity $ID$.
(2) $A_{\mathrm{II}}$ never asks for the tag generation oracle $O_t$ of data $m$ with the identity $ID$.
(3) $A_{\mathrm{II}}$ generates the forged tag $\sigma$ that is valid.

IV. THE PROPOSED SCHEME
In this section, we introduce the construction and properties of our scheme in detail. The main notations used in the proposed scheme are listed in Table 1.

A. CONSTRUCTION OF SCHEME
To realize the non-frameability and high efficiency, we design a shared cloud data auditing scheme without group managers. Note that the group with a threshold $t$ is pre-defined before the original user shares his/her data in the cloud, and the initial group users are decided by the original user. Later, the group is managed by all group users during data sharing. We suppose that our scheme has $n$ group users. The specific description is as follows.
(1) Setup: The KGC generates public parameters and the system master key by performing the following steps.
• The KGC selects the bilinear mapping $e : G_1 \times G_1 \to G_2$, where $G_1$ and $G_2$ are two cyclic groups of prime order $p$, and $g$ is the generator of $G_1$.
• The KGC saves $\alpha$ in secret, and publishes public param-
(2) PartialKeyGen: The user $u_i$ sends the identity $ID_i$ to KGC. The detailed steps of partial key generation are as follows.
• The KGC computes $D_i = H_1(ID_i)^{\alpha}$ as the partial key of $u_i$.
• The KGC sends $D_i$ to $u_i$.
(3) SecretValueGen: $u_i$ randomly chooses $\gamma_i \in Z_q^*$ as his/her secret value.
(4) PublicKeyGen: $u_i$ uses $\gamma_i$ to generate the public key $pk_i = g^{\gamma_i}$.
(5) ShareGen: Input public keys $pk_k$ $(k = 1, \dots, n,\ k \neq i)$ of group users and the secret value $\gamma_i$. $u_i$ generates the sharing share as follows.
• $u_i$ selects $n - 1$ random values $x_k \in Z_q^*$, computes $y_k = L(x_k)$, $z_k = P(x_k)$ and $\chi_k = pk_k^{z_k}$.
• $u_i$ saves $F_i = (\chi_1, \chi_2, \dots, \chi_n)$, and sends $(x_k, y_k, z_k)$ to $u_k$ secretly.
(6) TagGen: Input $m_j$ and its name $w_j$, where $w_j = mid \| j \| E$. $mid$ is the unique identity information of $m_j$, $j$ is the index of $m_j$, and $E$ represents the deleted block or the inserted data. $u_i$ generates the tag by the following steps.
• $u_i$ generates the hash value $N_j = H(w_j)$, the hash value tag $N_j^* = N_j \| N_j^{\gamma_i}$ and the tag $\sigma_j = D_i \cdot (N_j \cdot g^{m_j})^{\gamma_i}$ for $m_j$.
• $u_i$ generates $T_j = w_j \| T$, where $T$ denotes the current time stamp.
• $u_i$ generates the authorization $T_j^* = T_j \| T_j^{\gamma_i}$.
• $u_i$ sends $m_j$, $\sigma_j$, $F_i$ and $T_j^*$ to the CSP, and $N_j^*$ to the CP.
(7) TagVerify: The CSP and CP first verify the identity of $u_i$, then the CSP checks the correctness of the tag and the CP stores $N_j$ as follows.
• The CSP verifies the identity of $u_i$ by the following equation.
$$e(T_j^{\gamma_i}, g) = e(T_j, pk_i).$$
If it works, the CSP performs the tag verification; otherwise, the CSP rejects the storage request for $m_j$.
• The CSP checks the correctness of the tag by the following equation.
$$e(\sigma_j, g) = e(H_1(ID_i), g_1)\, e(H(w_j) \cdot g^{m_j}, pk_i).$$
If the equation holds, the tag is valid. The CSP outputs ''1''. The CSP stores $m_j$, $\sigma_j$, $F_i$, signs $T_j^{\gamma_i}$ with his/her private key $\xi$, keeps a copy of $T_j = T_j^{\gamma_i \cdot \xi}$, sends $T_j$ to $u_i$ as a receipt, generates the hash value tag $R_j = H(w_j)^{\xi}$ and sends $R_j$ to the CP.
• The CP first verifies the identity of $u_i$ by the following equation.
$$e(N_j^{\gamma_i}, g) = e(N_j, pk_i).$$
Then the CP checks the following equation with the public key $g^{\xi}$ of the CSP.
$$e(R_j, g) = e(N_j, g^{\xi}).$$
If they work, the hash value is stored; otherwise, the CP notifies $u_i$ and the CSP that the validation failed.
• After receiving $T_j$, $u_i$ verifies the validity of the receipt with $g^{\xi}$ as follows.
If the equation holds, $u_i$ deletes local storage $m_j$, $\sigma_j$ and only saves $T_j$.
(8) ChallGen: Input the set $[1, Z]$ of data index. The challenge is generated as follows.
• u i sends an auditing request to the TPA. • The TPA randomly selects a subset C with c elements from the set [1, Z ], and chooses c random values v j ∈ Z * q (j ∈ C). • The TPA sends chal = j, v j j∈C to the CSP. (9) ProofGen: Input chal, the CSP generates the proof as follows.
• The TPA checks the correctness of the proof by the following equation.
If the following equation holds, the integrity of the data is not destroyed. The TPA outputs "1". Otherwise, the data might be tampered with or lost. The TPA outputs "0".
• $\{N_j\}_{j \in C}$ are provided by the CP.

B. SUPPORT USER IDENTITY TRACING
For a malicious user in the group, given the sharing shares of $t$ valid group users and the information of the destroyed data, the $t$ users can cooperate to trace the real identity of the malicious user. The algorithm involves only group users, which provides fairness in the tracing process. The specific process is as follows.
• The $t$ valid group users compute $\eta_k = \chi_k^{\gamma_k^{-1}}$ by their share $\chi_k$ and secret value $\gamma_k$.
• The $t$ valid group users compute $pk_i = \prod_{k=1}^{t} \eta_k^{f_p(0)}$, which is the public key of the malicious user.
This process ensures that the current malicious group user can be traced. If group users want to trace a previous group user who changed the shared data, they can track the change of shared data by making the postorder-traversal of the binary tree. The group users can then find the identity of the user who affected the data through the above process.
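The ShareGen and tracing steps above, as an added example (not code from the paper): a Python model that runs them in a small prime-order subgroup of $Z_p^*$ instead of the pairing group $G_1$. It assumes $P$ is a random polynomial of degree $t-1$ with $P(0) = \gamma_i$ and reads $f_p(0)$ as the per-share Lagrange coefficient at 0; the group parameters and all function names are constructed for illustration.

```python
import random

# Constructed toy group (assumption): p = 2q + 1 with p, q prime; g = 4 has order q.
P_MOD, Q, G = 2039, 1019, 4


def keygen(rng):
    """SecretValueGen + PublicKeyGen: gamma in Z_q^*, pk = g^gamma."""
    gamma = rng.randrange(1, Q)
    return gamma, pow(G, gamma, P_MOD)


def share_gen(gamma_i, peer_pks, t, rng):
    """ShareGen for u_i: z_k = P(x_k), chi_k = pk_k^{z_k} for every peer u_k.

    Assumption: P is a random polynomial of degree t-1 with P(0) = gamma_i.
    Returns {k: (x_k, chi_k)}; the L-shares y_k used for re-signing are omitted.
    """
    coeffs = [gamma_i] + [rng.randrange(1, Q) for _ in range(t - 1)]
    xs = rng.sample(range(1, Q), len(peer_pks))  # distinct, non-zero points
    shares = {}
    for (k, pk_k), x_k in zip(peer_pks.items(), xs):
        z_k = sum(c * pow(x_k, d, Q) for d, c in enumerate(coeffs)) % Q
        shares[k] = (x_k, pow(pk_k, z_k, P_MOD))
    return shares


def unblind(chi_k, gamma_k):
    """Tracing step 1 for u_k: eta_k = chi_k^(1/gamma_k) = g^{z_k}."""
    return pow(chi_k, pow(gamma_k, -1, Q), P_MOD)


def lagrange_at_zero(xs, idx):
    """Lagrange coefficient at 0 for xs[idx] (our reading of f_p(0)), mod q."""
    num = den = 1
    for j, x_j in enumerate(xs):
        if j != idx:
            num = num * (-x_j) % Q
            den = den * (xs[idx] - x_j) % Q
    return num * pow(den, -1, Q) % Q


def trace(etas):
    """Tracing step 2: pk = prod eta_k^{f(0)} over the cooperating users."""
    xs = [x for x, _ in etas]
    pk = 1
    for idx, (_, eta) in enumerate(etas):
        pk = pk * pow(eta, lagrange_at_zero(xs, idx), P_MOD) % P_MOD
    return pk


def demo(n=5, t=3, seed=2020):
    """Returns (real pk_i, pk traced by t users, pk 'traced' by t-1 users)."""
    rng = random.Random(seed)  # seeded for repeatability; use a CSPRNG in practice
    keys = {k: keygen(rng) for k in range(1, n + 1)}
    gamma_i, pk_i = keys[1]  # user 1 plays the signer being traced
    peers = {k: pk for k, (_, pk) in keys.items() if k != 1}
    shares = share_gen(gamma_i, peers, t, rng)
    etas = [(x, unblind(chi, keys[k][0])) for k, (x, chi) in shares.items()]
    return pk_i, trace(etas[:t]), trace(etas[: t - 1])


if __name__ == "__main__":
    real, traced, short = demo()
    print("t users recover pk_i:", traced == real)
    print("t-1 users recover pk_i:", short == real)
```

With only $t-1$ cooperating users the interpolation lands on a different group element, so no smaller coalition can name the signer.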

C. SUPPORT USER REVOCATION
When the user $u_a$ is revoked from the group, the identity of $u_a$ and all keys of $u_a$ must be immediately declared invalid. Meanwhile, all tags generated by $u_a$ need to be converted to the tags of an existing group user. The algorithm mainly involves five entities, including the revoked user $u_a$, the existing group user $u_b$, the other group users $u_k$, the CSP and the CP, as shown in Figure 3. The specific process is as follows.
• Firstly, the new signer $u_b$ for the data of $u_a$ is decided by the voluntary application of group users or according to the order in which users joined the group. The group is jointly managed by all group users so that any group user could become $u_b$ and interact with the CSP by the secure channel. Please note that there are no specific restrictions on the selection of the new signer, as long as the new signer is an existing user in the group. Then the CSP chooses $W \in Z_q^*$ and sends it to $u_b$. Finally, $u_b$   to $u_a$, $\gamma_b W$ to other group users $u_k$.
• $u_k$ computes the re-signing key share $\mu_k = \gamma_b W \cdot y_k$ and the re-signing public key $\Upsilon_k = g^{\mu_k}$ utilizing $(x_k, y_k)$ sent by $u_a$ and $\gamma_b W$ sent by $u_b$. $u_a$ sends $M$ to the CP and the CSP. $u_k$ sends $(x_k, y_k)$ to the CP, $\Upsilon_k$ to the CSP.
• After receiving $M$, $(x_k, y_k)$, $m_a$ and $\sigma_a$, the CP checks the correctness of $\sigma_a$. If it satisfies the equation $e(\sigma_j, g) = e(H_1(ID_i), g_1)\, e(H(w_j) \cdot g^{m_j}, pk_i)$, the CP computes $\sigma_a^{(k)} = (M \cdot \sigma_a)^{\mu_k}$ and sends the re-signing share $(x_k, \sigma_a^{(k)})$ to the CSP.
• After receiving at least $t$ re-signing shares $(x_k, \sigma_a^{(k)})$, the CSP reorganizes the index of the re-signing shares into the set $K$ $(k \in K)$. The CSP checks the correctness of $x_k$, $\sigma$

D. SUPPORT DATA DYNAMICS
When group users change, delete, and insert the shared data in the cloud, the data structure based on binary tree could record the change of data. The storage form of data is $E, m_j^s, \sigma_j^s$, where $s$ represents modified times of the data. $m_j^s, \sigma_j^s$ represents that the $j$th data block has been modified $s$ times. Figure 4 shows the original state of data.
(1) Data Modification: The data structure of the binary tree could store the last two updated records of the data, and the latest data would be kept in the root node of the binary tree. Figure 5 shows the state of the data after one modification and two modifications. When the data is lost or damaged, group users could recover the data content by making the postorder-traversal of the binary tree. The structure realizes data traceability and data recoverability.
(2) Data Deletion: The record $E$ of the data becomes "−1", as shown in Figure 6.
(3) Data Insertion: To avoid disrupting the index of data, the inserted data continues the index of its former data, and adds 1 to $E$, that is $E + 1$. Figure 7 shows the state of the data after one insertion and two insertions.

E. SHARED DATA ACCESSING
When group users want to access the shared data in the cloud, they need to input their identity information and the identity $mid$ of the accessed data. The CSP records the identity $ID_i$ of the data visitor and the specific access time $t$ in the private blockchain; the data structure of the private blockchain is shown in Table 2. Data visitors could get different degrees of award according to the number of accesses or the total access time recorded in the private blockchain. For example, if the evaluation of reward is based on the number of times data visitors access the data, the CSP could count the access recording blocks in the private blockchain of the data visitor. Otherwise, the CSP could calculate the total access time of the data visitor recorded in the private blockchain. This approach encourages users to access and learn from shared data more.

V. SECURITY ANALYSIS
In this section, we analyze the correctness and the security requirements of our scheme, and give the security proof.

A. CORRECTNESS ANALYSIS
The correctness of the tag, the proof, identity traceability and the transformed tag in this scheme could be checked by the following derivation.
(1) The correctness of tags: The CSP checks the tag of u i as follows.
(2) The correctness of proofs: The TPA checks the proof sent by the CSP as follows.
(3) The correctness of identity traceability: The t valid group users compute the public key of the malicious user as follows.
$z_k \cdot f_p(0) = P(0) = \gamma_i$, the public key of the malicious user is $pk_i = g^{\gamma_i}$.
(4) The correctness of transformed tags: The tag of the revoked user is transformed into the tag of the existing user as follows.
Because of $\sum_{k \in K} y_k \cdot f_l(0) = L(0) = \frac{1}{\gamma_a}$, the re-signing of

B. SECURITY REQUIREMENTS
In this subsection, we demonstrate that our scheme satisfies the following security requirements.
(1) Unforgeability: The CSP cannot forge any proof without the corresponding data in the process of auditing. Suppose the challenge $chal = \{(j, v_j)\}_{j \in C}$, the CSP forges the proof proof = , λ , σ j j∈C , ID, PK . Then we get e j∈C σ j , g = e ID, g 1 e j∈C N j v j · g λ · , PK . If the CSP forges the proof successfully, there is an equation $e(\sigma_j, g) = e(H_1(ID_i), g_1)\, e(N_j \cdot g^{m_j}, pk_i)$, which is in contradiction with the unforgeability of the signature scheme. That is, if the CSP modifies $\lambda = \varepsilon + \theta$, the valid tags cannot be retrieved.
(2) Identity privacy: In the process of auditing, the probability that the TPA obtains the identities of all signers in the $c$ shared data is about $1/[n \cdot (n-1) \cdots (n-c+1)]$. The probability that anyone obtains the signer's identity of a shared data is about $1/n$. In the process of auditing, due to the randomness of the selected $c$ shared data, the probability that the TPA selects the correct combination of $c$ shared data is $c!/[n \cdot (n-1) \cdots (n-c+1)]$. The total probability that the TPA can distinguish the identities of all the signers from the proof is $1/[n \cdot (n-1) \cdots (n-c+1)]$, which can be ignored. In the proposed scheme, each shared data is individually signed by one user. However, the TPA cannot distinguish who is the signer of each shared data, especially in situations where shared data are modified frequently by different group users. According to the analysis of the scheme, it is proved that the proposed scheme could protect the user identity privacy.
(3) Data privacy: The TPA cannot get the corresponding data content from the proof proof = , λ, σ j j∈C , ID, PK . If the TPA could get $\sum_{j \in C} v_j \cdot m_j$, then the data content can be obtained by collecting numerous linear combinations. Because of $\lambda = \varepsilon + \theta$, in order to solve the bilinear equation, the TPA must get $\varepsilon$ from = $g^{-\varepsilon}$, which is as difficult as solving the DL problem in $G_1$. Therefore, the proposed scheme relies on the random masking technology to protect data privacy.
(4) Collusion resistance: If the security of the secret sharing technology remains unchanged, the attacker cannot obtain the re-signing key during user revocation. Based on the security of secret sharing technology, the scheme uses the Lagrange interpolation polynomial to divide the secret value $1/\gamma_i$ into $n - 1$ shares and sends them to other users in the group. The attacker needs to persuade at least $t - 1$ users in the group to extract their shares of $1/\gamma_i$ to generate the re-signing key. Considering the cost of this operation, it cannot be realized in practice. Moreover, the scheme introduces the CP in the re-signing process, which makes the collusion attack impossible between the CSP and the revoked user.

C. SECURITY PROOF
In this subsection, we prove that the proposed scheme can resist the attacks of two types of adversaries in the certificateless environment under the random oracle model and the assumption of CDH difficult problem. The specific process is as follows.
Theorem 1: Suppose that there is an attacker $A_I$ who can win game I with the advantage $\vartheta_1$ that cannot be ignored in the time $t_1$. If $A_I$ makes at most $q_{H_1}$ $H_1$ hash queries, $q_{H_2}$ $H_2$ hash queries, $q_p$ partial key queries, $q_s$ secret value queries, $q_{pk}$ public key queries, $q_{kr}$ public key replacement queries and $q_t$ tag queries, there is an algorithm $C$ with the advantage $\varsigma_1 \geq \frac{\varsigma_1}{(q_p + q_t) \cdot 2e}$ to solve the CDH problem in time $t_1 \leq t_1 + q_{H_1} + q_{H_2} + q_p + q_s + q_{pk} + q_{kr} + q_t$.
Proof: Given the difficult instance $(G_1, g, g^a, g^b)$ of the CDH problem, the goal is to calculate $g^{ab}$.
(1) System Setup: $C$ returns public parameters to $A_I$ and keeps the system master key $\partial$ in secret.
(2) $H_1$ Hash Query: $A_I$ submits the identity $ID^*$ to $C$, and makes an $H_1$ hash query. $C$ maintains the list $L_1 = \{ID, h_1, Q, G\}$, and checks whether $(ID^*, h_1^*, Q^*, G^*)$ is contained in $L_1$.
• If $(ID^*, h_1^*, Q^*, G^*)$ does not exist, $C$ tosses coins to select $G \in \{0, 1\}$. The probability of $G = 0$ is $\tau$, the probability of $G = 1$ is $1 - \tau$. $C$ randomly chooses $C$ sends $Q^*$ to $A_I$ and updates $L_1$.
• If $(ID^*, h_1^*, Q^*, G^*)$ exists, $C$ sends $Q^*$ to $A_I$.
(3) $H_2$ Hash Query: $A_I$ submits the data identity $w^*$ to $C$, and makes an $H_2$ hash query. $C$ maintains the list $L_2 = \{(w, h_2)\}$. $C$ looks up $w^*$ in the list $L_2$.
• If it does not exist, $C$ randomly selects $h_2^* \in Z_q^*$, sets $g^{h_2^*}$, adds them to $L_2$, and sends $g^{h_2^*}$ to $A_I$.
• If it exists, $C$ sends $g^{h_2^*}$ to $A_I$.
(4) Partial Key Query: $A_I$ submits the identity $ID^*$ to $C$, and makes a partial key query. $C$ maintains the list $L_p = \{(ID, D_{ID}, \gamma_{ID}, pk_{ID})\}$. $C$ checks whether $ID^*$ and $D_{ID^*}$ are contained in $L_p$. If $ID^*$ does not exist, $C$ makes an $H_1$ hash query. If $D_{ID^*}$ does not exist, $C$ finds $(ID^*, h_1^*, Q^*, G^*)$ in $L_1$ and does these steps as follows.
and adds $D_{ID^*}$ to the list $L_p$. $C$ finds $D_{ID^*}$ in $L_p$ and sends it as the partial key of $ID^*$ to $A_I$.
(5) Secret Value Query: $A_I$ submits the identity $ID^*$ to $C$, and makes a secret value query. $C$ checks whether $ID^*$ and $\gamma_{ID^*}$ are contained in $L_p$. If $ID^*$ does not exist, $C$ makes an $H_1$ hash query. If $\gamma_{ID^*}$ does not exist, $C$ randomly chooses $\gamma_{ID^*} \in Z_q^*$, sets $pk_{ID^*} = g^{\gamma_{ID^*}}$, and adds them to $L_p$. $C$ finds $\gamma_{ID^*}$ in $L_p$ and sends it as the secret value of $ID^*$ to $A_I$.
(6) Public Key Query: $A_I$ submits the identity $ID^*$ to $C$, and makes a public key query. $C$ checks whether $ID^*$ and $pk_{ID^*}$ are contained in $L_p$. If $ID^*$ does not exist, $C$ makes an $H_1$ hash query. If $pk_{ID^*}$ does not exist, $C$ randomly chooses $\gamma_{ID^*} \in Z_q^*$, sets $pk_{ID^*} = g^{\gamma_{ID^*}}$, and adds them to $L_p$. $C$ finds $pk_{ID^*}$ in $L_p$ and sends it as the public key of $ID^*$ to $A_I$.
(7) Public Key Replacement Query: $A_I$ submits the tuple $(ID^*, pk_{ID^*})$ to $C$, and makes a public key replacement query. If the tuple $(ID^*, D_{ID^*}, \gamma_{ID^*}, pk_{ID^*})$ does not exist, $C$ adds $(ID^*, pk_{ID^*})$ to $L_p$. If the tuple $(ID^*, D_{ID^*}, \gamma_{ID^*}, pk_{ID^*})$ exists, $C$ replaces the corresponding value in the tuple with $(ID^*, pk_{ID^*})$.
• If $G^* = 1$, $C$ stops interaction.
• If $G^* = 0$, $C$ extracts the corresponding $H_2(w^*)$, $D_{ID^*}$ and $\gamma_{ID^*}$, calculates the corresponding tag and sends it to $A_I$.
Forge: $A_I$ outputs the tag $\sigma$ of the data $m$ on $ID$ with the public key $pk_{ID}$.
Analysis: If $A_I$ wins the game I, $C$ obtains the equation $e(\sigma, g) = e(H_1(ID), g_1)\, e(H(w) \cdot g^{m}, pk_{ID})$, $g_1 = g^a$. $C$ could obtain
as the solution of the CDH difficult problem by calculating the equation $e(\sigma, g) = e(g^{bh_1}, g^a)\, e(g^{h_2} \cdot g^{m}, pk_{ID})$. The possibility of the challenger $C$ and adversary $A_I$ stopping interaction only exists in Partial Key Query and Tag Query, thus the probability that $C$ outputs $g^{ab}$ is $\varsigma_1 \geq \varsigma_1 \cdot \tau \cdot (1 - \tau)^{q_p + q_t} \geq \frac{\varsigma_1}{(q_p + q_t) \cdot 2e}$, the time is $t_1 \leq t_1 + q_{H_1} + q_{H_2} + q_p + q_s + q_{pk} + q_{kr} + q_t$.
Theorem 2: Suppose that there is an attacker $A_{II}$ who can win game II with the advantage $\vartheta_2$ that cannot be ignored in the time $t_2$. If $A_{II}$ makes at most $q_{H_1}$ $H_1$ hash queries, $q_{H_2}$ $H_2$ hash queries, $q_s$ secret value queries, $q_{pk}$ public key queries and $q_t$ tag queries, there is an algorithm $C$ with the advantage $\varsigma_2 \geq \frac{\varsigma_2}{(q_s + q_t) \cdot 2e}$ to solve the CDH problem in time $t_2 \leq t_2 + q_{H_1} + q_{H_2} + q_s + q_{pk} + q_t$.
Proof: Given the difficult instance $(G_1, g, g^a, g^b)$ of the CDH problem, the goal is to calculate $g^{ab}$.
(1) System Setup: $C$ returns public parameters to $A_{II}$ and keeps the system master key $\partial$ in secret.
(2) $H_1$ Hash Query: $A_{II}$ submits the identity $ID^*$ to $C$, and makes an $H_1$ hash query. $C$ maintains the list $L_1 = \{ID, h_1\}$, and checks whether $(ID^*, h_1^*)$ is contained in $L_1$.
• If it does not exist, $C$ randomly chooses $h_1^* \in Z_q^*$, calculates $g^{h_1^*}$. $C$ sends $g^{h_1^*}$ to $A_{II}$ and updates $L_1$.
• If it exists, $C$ sends $g^{h_1^*}$ to $A_{II}$.
(3) $H_2$ Hash Query: $A_{II}$ submits the data identity $w^*$ to $C$, and makes an $H_2$ hash query. $C$ maintains the list $L_2 = \{(w, h_2)\}$. $C$ looks up $w^*$ in the list $L_2$.
• If it does not exist, $C$ randomly selects $h_2^* \in Z_q^*$, sets $(g^b)^{h_2^*}$, adds them to $L_2$, and sends $(g^b)^{h_2^*}$ to $A_{II}$.
• If it exists, $C$ sends $g^{h_2^*}$ to $A_{II}$.
(4) Secret Value Query: $A_{II}$ submits the identity $ID^*$ to $C$, and makes a secret value query. $C$ maintains the list $L_p = \{(ID, \gamma_{ID}, pk_{ID}, G)\}$. $C$ checks whether $ID^*$ is contained in $L_p$.
• If it does not exist, $C$ tosses coins to select $G \in \{0, 1\}$. The probability of $G = 0$ is $\tau$, the probability of $G = 1$ is $1 - \tau$. $C$ randomly chooses $\gamma_{ID^*} \in Z_q^*$; if $G^* = 0$, sets $pk_{ID^*} = g^{\gamma_{ID^*}}$, adds them to $L_p$ and sends $\gamma_{ID^*}$ as the secret value of $ID^*$ to $A_{II}$; if $G^* = 1$, sets $pk_{ID^*} = (g^a)^{\gamma_{ID^*}}$, adds them to $L_p$ and stops interaction.
• If it exists and $G^* = 0$, $C$ finds $\gamma_{ID^*}$ in $L_p$ and sends it as the secret value of $ID^*$ to $A_{II}$; if $G^* = 1$, $C$ stops interaction.
(5) Public Key Query: $A_{II}$ submits the identity $ID^*$ to $C$, and makes a public key query. $C$ checks whether $ID^*$ and $pk_{ID^*}$ are contained in $L_p$. If $ID^*$ does not exist, $C$ makes an $H_1$ hash query. $C$ checks whether $pk_{ID^*}$ is contained in $L_p$.
• If it does not exist, $C$ randomly chooses $\gamma_{ID^*} \in Z_q^*$; if $G^* = 0$, sets $pk_{ID^*} = g^{\gamma_{ID^*}}$, adds them to $L_p$ and sends $pk_{ID^*}$ as the public key of $ID^*$ to $A_{II}$; if $G^* = 1$, sets $pk_{ID^*} = (g^a)^{\gamma_{ID^*}}$, adds them to $L_p$ and stops interaction.
• If it exists, $C$ finds $pk_{ID^*}$ in $L_p$ and sends it as the public key of $ID^*$ to $A_{II}$.
(6) Tag Query: $A_{II}$ submits $(ID^*, w^*, m^*)$ to $C$.
• If $G^* = 0$, $C$ extracts the corresponding $H_2(w^*)$ and $\gamma_{ID^*}$, calculates the corresponding tag and sends it to $A_{II}$.
Forge: $A_{II}$ outputs the tag $\sigma$ of the data $m$ on $ID$.
Analysis: If $A_{II}$ wins the game II, $C$ obtains the equation $e(\sigma, g) = e(H_1(ID), g_1)\, e(H(w) \cdot g^{m}, pk_{ID})$.
as the solution of the CDH difficult problem by calculating the equation $e(\sigma, g) = e(g^{h_1}, g^{\alpha})\, e(g^{bh_2} \cdot g^{m}, g^{a \cdot \gamma_{ID}})$. The possibility of the challenger $C$ and adversary $A_{II}$ stopping interaction only exists in Partial Key Query and Tag Query, thus the probability that $C$ outputs $g^{ab}$ is $\varsigma_2 \geq \varsigma_2 \cdot \tau \cdot (1 - \tau)^{q_p + q_t} \geq \frac{\varsigma_2}{(q_p + q_t) \cdot 2e}$, the time is $t_2 \leq t_2 + q_{H_1} + q_{H_2} + q_s + q_{pk} + q_t$.

VI. PERFORMANCE ANALYSIS
In this section, we compare and analyze the proposed scheme and schemes [29], [37] in terms of function implementation, security properties, communication cost, computation cost, and experimental results. For description, we define the notations used in this section in Table 3. Since the cost of the general hash function operation and the pseudo-random number generation operation is negligible, they are not described further. An excellent cloud auditing scheme needs to have the characteristics of complete function, safety, low communication cost and low computation cost. In terms of function, the cloud auditing scheme needs to satisfy traceability, group user revocation and data dynamics. In terms of safety, the cloud auditing scheme needs to satisfy user identity privacy preservation, data content privacy preservation and collusion resistance between the revoked user and the CSP. In terms of communication cost and computation cost, bilinear pairings and exponentiations are very costly computations, which are the main computations for cloud auditing schemes. Meanwhile, tag generation and data auditing are the main phases for cloud auditing schemes. To reduce the communication and computation overhead, schemes need to perform fewer pairing and exponentiation operations in the phases of tag generation and data auditing.
Table 4 shows the comparison of the functional features between the proposed scheme and the related schemes [29], [37]. The scheme [29] is a certificateless cloud auditing scheme with privacy preservation. The scheme [37] is a privacy-preserving cloud auditing scheme for group shared data. Schemes [29], [37] do not have the three important properties of stateless auditing, user revocation, and data dynamics. In addition, our scheme also realizes secure data sharing and efficient incentives for data visitors.
The scheme in this paper has comprehensive functions, which gives it wider application value than the scheme [29] and the scheme [37]. Table 5 shows the comparison of the security properties between the proposed scheme and related schemes [29], [37]. We could find that our scheme achieves the non-repudiation between the group user and the CSP, user identity privacy preservation, data content privacy preservation, and could resist the collusion attacks between the revoked user and the CSP. Besides, the proposed scheme does not involve key escrow problems and certificate management problems.

C. NUMERICAL ANALYSIS
We analyze the proposed scheme and previous schemes from communication cost and computation cost in detail.

1) COMMUNICATION COST
The proposed scheme's communication cost in this paper mainly comes from the challenge and the proof in the process of auditing. In the challenge generation stage, the TPA sends the challenge $chal = \{(j, v_j)\}_{j \in C}$ to the CSP, its cost is $2c|q|$, where $|q|$ is the length of $Z_q^*$. In the proof generation stage, the CSP returns the proof proof = , λ, σ j j∈C , ID, PK to the TPA, its cost is $|q| + (c + 3)|G|$; the CP sends $N_j$ to the TPA, its cost is $c|G|$, where $|G|$ is the length of $G_1$. Thus, the total communication cost of the challenge and the proof in the process of auditing is $(2c + 1)|q| + (2c + 3)|G|$. To realize stateless auditing, the CP sends the hash value $N_j$ to the TPA to verify the shared data integrity, which produces an extra overhead of $c|G|$. Since $c$ is smaller than $n$, the extra overhead of $c|G|$ is negligible. It can be seen from the results that the total communication cost of the proposed scheme is lower than schemes [29], [37], which is shown in Table 6.

2) COMPUTATION COST
The proposed scheme's computation cost in this paper mainly comes from data signing and data auditing. We compare our scheme with schemes [29], [37] on these two stages, and the specific result is shown in Table 7. In the data signing stage, compared with the scheme [29], the proposed scheme has the lower computation cost. On the contrary, the scheme [37] costs lots of computation overhead in the process of signing data. The reason is that the scheme [37] utilizes the group signature technology to protect user identity privacy, that is, constructing a complete tag requires adding the public keys of all group users. In the auditing stage, the CSP first computes the proof = $g^{-\varepsilon}$, $\lambda = \varepsilon + \theta$, $\sigma_j = \sigma_j^{v_j}$ $(j \in C)$, $ID = \prod_{j \in C} H_1(ID_{ij})^{v_j}$, $PK = \prod_{j \in C} pk_{ij}$, $\theta = \sum_{j \in C} v_j \cdot m_j$. The total computation cost of the proof generation is $c\,Mul_{Z_q^*} + 2(c - 1)\,Mul_{G_1} + (2c + 1)\,Exp_{G_1}$. Then the CSP sends the proof to the TPA. After getting the proof from the CSP, the TPA checks the proof correctness, whose computation cost is $3\,Pair + 2c\,Mul_{G_1} + (c + 1)\,Exp_{G_1}$. Since our scheme performs the least pairing operation, it is more efficient than schemes [29], [37]. At last, the total computation cost $3\,Pair + c\,Mul_{Z_q^*} + 2(2c - 1)\,Mul_{G_1} + (3c + 2)\,Exp_{G_1}$ is also the lowest.

D. EXPERIMENTAL RESULTS
In order to better evaluate the proposed scheme in this paper, we compare the proposed scheme with schemes [29], [37] by a series of experiments. These experiments are based on Pairing Based Cryptography (PBC) library and applied to a Windows 10 (64-bit) operating system with an Intel Core i7 3GHz processor with 8 GB RAM. All results are averages of 10 trials.
In the first experiment, we compare the computation overhead of the tag generation in our scheme and the similar scheme [29] by selecting 10000-60000 data. Figure 8 shows the time taken to perform the tag generation operation by 5 group users in our scheme and the scheme [29]. We could find that our scheme saves much computational overhead: it only spends about 304 seconds to generate tags for 60000 data, and the cost savings increase with the amount of the shared data.
Then we compare the time cost in the proposed scheme with scheme [29] on the different challenged data number and the same user number. As Figure 9 shows, the more data challenged, the more time overhead it takes to audit, and the TPA has a higher probability of finding problems of the shared data. Although the time of the proposed scheme has a linear relationship with the number of challenged data, our scheme only spends 769s to audit 60000 challenge data, which could be accepted. Besides, compared with the scheme [29], the time growth rate of our scheme is the slowest, which makes the proposed scheme have a massive advantage with the increase of the number of challenged data. Therefore, we could draw a conclusion that our scheme is more efficient during the data auditing process.
We compare the time cost of the proposed scheme and the scheme [29] in the main stages. As Figure 10 shows, our scheme has less time overhead in the stages of Setup, Signing, and Auditing.

VII. CONCLUSIONS
In this paper, we utilize the certificateless signature technology to present a stateless cloud auditing scheme for non-manager dynamic group data with privacy preservation, which avoids the disadvantages of PKC and IBC. During the shared data auditing process, our scheme could satisfy the user identity privacy preservation and data content privacy preservation. Meanwhile, multiple valid group users could trace malicious users' real identities cooperatively, which guarantees security and non-frameability of the scheme. Moreover, the proposed scheme also supports efficient and collusion-resistant user revocation. In order to support data dynamics, we design a data structure based on the binary tree that could support group users to recover their latest data in case of shared data corruption. Furthermore, our scheme keeps group users and the TPA stateless, which reduces computation costs in the process of auditing. Our scheme also realizes efficient incentives for data visitors based on the technology of blockchain. In terms of security, the proposed scheme supports secure data sharing and the efficient mutual supervision between group users and the CSP. At last, we show that the proposed scheme could support efficient cloud auditing while resisting two types of attacks in the certificateless environment without jeopardizing the security of shared data in the cloud. In the future, we will extend our scheme to include batch auditing, which could make the TPA fulfill different auditing tasks from multiple users.