Lattice-Based Privacy-Preserving and Forward-Secure Cloud Storage Public Auditing Scheme



I. INTRODUCTION
Nowadays, numerous individuals and enterprises are willing to outsource their data to the cloud server in order to reduce local storage burdens and computational costs. Meanwhile, considering the loss of physical control over data files, how to guarantee that the cloud storage server keeps the user's data intact becomes an urgent security issue. Although much stronger and more reliable than local devices, the cloud infrastructure is still subject to a wide range of threats to the integrity and availability of the outsourced data from both internal and external adversaries, such as hardware failures, system errors, software bugs and malicious hackers. For example, once an accidental data corruption event occurs, the cloud storage provider may not inform the user of the incident honestly and in time, merely to maintain its reputation, thus making the user miss the golden opportunity to recover his valuable data. Even worse, the cloud storage provider may intentionally delete or alter the user's rarely accessed data so as to reclaim storage space and maximize its profit. Therefore, it is crucial for a client to perform efficient verification of the remotely stored data periodically to ensure that the outsourced data are not modified or lost.

(The associate editor coordinating the review of this manuscript and approving it for publication was Chien-Ming Chen.)
Data integrity verification in cloud storage has attracted intense interest because of its critical role in enhancing the credibility of cloud service providers and the security of user data. Many researchers have investigated the security issue of cloud data integrity auditing and proposed various schemes to resolve this problem [1]-[14].

(VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/)

A. RELATED WORK
In 2007, Ateniese et al. [1] first proposed the Provable Data Possession (PDP) model for static data. The model implements data integrity checking by using RSA-based homomorphic tags, without downloading the entire data files from the cloud server, to achieve blockless verification. In the PDP paradigm, a sampling method is used to perform the data integrity check, which improves verification efficiency significantly. With the rise and development of data outsourcing services, especially cloud storage services, more data integrity verification solutions have begun to consider the actual application environment. Among these works, an attractive direction is to support public auditing. The public auditing methodology frees the client from the heavy and dull burden of data integrity verification. To achieve public auditing, the client hires a third-party auditor with professional expertise and strong computing power to periodically check the integrity of the data outsourced to the cloud server on behalf of the data owner. Wang et al. [14] put forward a public auditing scheme with the privacy-preserving property against the third-party auditor by adopting the random masking technique.
The key exposure problem is another serious challenge to public auditing schemes. As is well known, the secret key is an indispensable and most crucial part of any cryptographic algorithm. In practice, the first core task of deploying a cryptographic scheme is the secure storage and management of the secret key. Once the secret key is revealed, the whole cryptographic scheme becomes completely insecure. However, the key-exposure problem is unavoidable in many real scenarios, including public auditing schemes for data outsourced to the cloud storage server. First of all, potential adversaries have exploited various attack methods to capture the secret key, such as side-channel attacks [15] and cold-boot attacks [16]. Secondly, the sensitive secret key must be securely generated and stored in a special, well-protected cryptographic device, and delivered to the user over a secure channel. If the user carries the secret key on a non-dedicated, untrusted device (such as a common cheap mobile phone or USB flash drive), or the transmission channel between the sender and receiver is not safe enough, the secret key is prone to exposure. Not to mention that careless or poorly trained users may lack security awareness and inadvertently leak their private keys. Protecting the secret key from exposure with well-protected hardware devices is costly and even impractical in some settings. Thus, researchers have developed several hardware-free ways to resist key exposure, such as the secret sharing technique and the forward security technique. The secret sharing technique requires the user to split the secret (private) key into several components and distribute them to different participants, resulting in high computation and communication costs. In contrast, the forward security technique can provide the desired security in the presence of key exposure without such distribution.
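As a concrete illustration of the secret-sharing alternative mentioned above, here is a minimal (t, n) Shamir sketch over a prime field; the field prime, threshold and share count are illustrative choices of this sketch, not parameters of any scheme discussed in this paper.

```python
import random

P = 2**127 - 1  # a Mersenne prime, used here only as an illustrative field modulus

def split_secret(secret, t, n):
    """Split `secret` into n shares; any t of them reconstruct it."""
    coeffs = [secret] + [random.randrange(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
        shares.append((x, y))
    return shares

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret
```

Any t shares suffice, but the owner must distribute the shares and later gather them again, which reflects the communication overhead noted above.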
Informally speaking, the idea of forward security is that the whole lifetime of a secret key is split into T distinct time periods numbered 1, 2, · · · , T. Accordingly, the user's private key in each time period can be denoted as SK_1, SK_2, · · · , SK_T. The user updates (evolves) his/her secret key over time while the corresponding public key remains unchanged during the whole lifetime of the secret key. For instance, at the end of time period i, the user updates the current secret key SK_i to the new secret key SK_{i+1}, which will be used in the next time period, by running the key update algorithm (commonly a one-way function) with the current secret key SK_i as input, and then deletes the old secret key SK_i. If key exposure occurs in the current time period i, that is, the secret key SK_i is exposed to the adversary, the prior time periods are not affected because the previous secret keys SK_1, SK_2, · · · , SK_{i−1} have been deleted. In addition, the adversary cannot deduce the previous secret keys from the captured current key SK_i either, because SK_i is generated by a one-way function of the old secret key. Thus, the forward security technique can significantly mitigate the damage caused by key exposure (the leakage of the secret key in time period i cannot compromise the security of the secret key in any previous time period). The formal definition of forward security is available in [17].
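The key-evolution idea above can be sketched with a SHA-256 hash chain standing in (as an assumption of this sketch) for the one-way update function; the scheme constructed later in this paper uses lattice basis delegation instead.

```python
import hashlib

def key_update(sk: bytes) -> bytes:
    """One-way update: SK_{i+1} = H(SK_i); inverting it means breaking SHA-256."""
    return hashlib.sha256(sk).digest()

def evolve(sk0: bytes, periods: int):
    """Derive the per-period keys SK_1, ..., SK_T by repeated one-way updates."""
    keys = []
    sk = sk0
    for _ in range(periods):
        keys.append(sk)
        sk = key_update(sk)   # in practice the old key is securely erased here
    return keys
```

An adversary who steals SK_i can only run key_update forward; recovering SK_{i−1} would require inverting the one-way function.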
With respect to public auditing schemes, the forward security technique is an effective solution to guarantee the security of the auditing key against key exposure and to reduce the damage caused by auditing key exposure to a minimum. However, most of the existing public auditing schemes are designed in an idealized model that assumes the secret key is safely kept. These schemes rarely consider the key-exposure problem in practice. Once the malicious cloud server captures the client's auditing secret key, it can pass the integrity audit by forging the possession proof; therefore, the cloud can arbitrarily tamper with or discard the client's outsourced data to maximize its economic profits. Apparently, the exposure of the client's auditing secret key can cause a fatal disaster for the outsourced data. Thus, how to protect the client's secret key from exposure, or to take effective measures that reduce the damage brought about by secret key leakage to a minimal level, deserves full consideration. Fortunately, in recent years some cryptographic scholars have begun to pay considerable attention to the key-exposure issue of the client's auditing key, and many excellent works have been put forward to deal with it. As far as we know, Yu et al. studied the key-exposure issue in cloud storage auditing for the first time [18]. Although their scheme [18] can significantly decrease the damage caused by key exposure, it also places an extra burden on the client, because it requires the client to perform the key evolution algorithm in each time period. Subsequently, in order to reduce the client's computation cost, Yu et al. [8] proposed a new scheme which supports verifiable outsourcing of the key update operation to an authorized party.
However, the schemes in [18] and [8] share the same security vulnerability: if the adversary captures the secret key in time period i without being detected in time, he/she will be able to continuously obtain the evolved new secret keys until the key exposure is discovered by the client. To address this problem, Yu and Wang [19] designed a strong key-exposure resilient auditing scheme. Building on [19], Ding et al. [6] strengthened its security by introducing the idea of intrusion resilience. Besides these works, several attribute-based encryption (ABE) schemes with leakage resilience have recently been investigated in various application scenarios, such as a hierarchical CP-ABE scheme with continuous leakage resilience [20] and a KP-ABE scheme with continual auxiliary input leakage resilience [21].
All the above-mentioned public auditing schemes are based on a complicated Public Key Infrastructure (PKI). These PKI-based schemes suffer from heavy and cumbersome management and deployment of public key certificates for the client, which is especially troublesome for resource-limited clients such as mobile phones and tablets. In addition, PKI imposes a heavy burden of certificate verification on the third-party auditor. In order to eliminate this burden of certificate management and verification in the PKI model, Shamir [22] proposed a novel public key model called Identity-Based Cryptosystems in 1984. Wang et al. [23] proposed the first identity-based public auditing scheme, in which the identity of the client (e.g., telephone number, e-mail address, IP address) acts as the public key and the corresponding secret key of each client is extracted from the master private key of the Private Key Generator (PKG). Afterwards, they extended their identity-based public auditing scheme to the multi-cloud setting [24]. Later, Peng et al. [25] found a security flaw in the scheme of [24] and presented a remedy. However, Lan et al. [26] pointed out that this scheme also suffers from a security vulnerability: the malicious cloud server can forge the data possession proof and pass the data integrity verification even without the client's original data. Accordingly, Lan et al. put forward a remedy to address this issue without changing the original security properties. Li et al. [9] proposed an identity-based PDP scheme for multi-cloud storage.
It is worth noting that most of the existing public auditing schemes will be broken completely once the quantum computer becomes a reality in the near future, because their underlying hard problems are the large integer factorization problem or the discrete logarithm problem, both of which can be solved by a quantum computer in polynomial time according to the work of Shor [27]. Fortunately, lattice cryptography provides a promising way to construct quantum-resistant cryptographic schemes. Following Ajtai's creative work [28] on lattices, various lattice-based schemes have been proposed [29]-[36]. In response to the security challenge of the quantum era, several cloud storage public auditing schemes from lattices [33]-[36] have been proposed. The lattice-based public auditing schemes in [34], [35] are based on the complicated PKI model, and these two schemes do not consider the data privacy property; thus, the malicious auditor can obtain information about a data block after multiple audits of the same block. Although the schemes in [33], [36] achieve privacy preservation of user data, they cannot resist forgery attacks.

B. MOTIVATION AND CONTRIBUTION
The motivation of our work is described as follows.
Firstly, privacy preservation and forward security are two essential security properties of public auditing schemes that aim to provide more secure and more reliable auditing for data integrity checking.
Considering that the third-party auditor is not fully trustworthy and may be curious about the user's data, which he could try to learn from the audit process with his powerful computation capacity, close attention should be paid to preserving the privacy of user data when designing a public auditing scheme; namely, a public auditing scheme with privacy preservation is required. In addition, in practice the user's secret key may be leaked for the various reasons discussed above (e.g., improper care, insecure hardware, Trojan viruses). Once an attacker has compromised the user's secret key, he can impersonate the authorized owner of the private key and do malicious things. Thus, to protect the user's auditing secret key from being compromised, a public auditing scheme that is key-exposure resilient through the forward security technique is also demanded.
Secondly, considering that most existing public auditing schemes cannot resist potential quantum attacks, considerable attention should be paid to quantum security when designing a public auditing scheme.
To summarize, it is necessary to design a lattice-based privacy-preserving and forward-secure cloud storage public auditing scheme (LB-PPFS) to provide quantum security in the quantum era.
The main contributions of this work can be summarized as follows: 1) The first contribution of this work is that we design an identity-based public auditing framework for the cloud storage system and propose a lattice-based privacy-preserving and forward-secure cloud storage public auditing protocol. Our novel auditing protocol guarantees data privacy by using the random masking technique and achieves the forward-security property by using the lattice basis delegation technique.
2) The second contribution of this work is that we prove the security of the proposed LB-PPFS, demonstrating that it is provably secure under the hardness assumptions of the SIS and ISIS problems in the random oracle model. Furthermore, we conduct a performance analysis of the proposed scheme and compare it with previously proposed similar schemes, demonstrating that our scheme is secure against quantum attacks and feasible in practice. Thus, once the client initiates his request for data integrity checking to the TPA, our protocol achieves privacy-preserving, forward-secure, delegated and public verification of the integrity of the outsourced data.

C. PAPER ORGANIZATION
The rest of the paper is organized as follows. In Section II, we present preliminaries, including definitions and properties related to lattices, the hardness assumptions, the basic system model and the security definition. In Section III, we demonstrate the weakness of Zhang et al.'s scheme. In Section IV, we present our concrete construction of LB-PPFS. In Section V, we give the correctness and security proofs. In Section VI, we conduct the performance analysis of our proposal. Finally, we draw our conclusion in Section VII.

II. PRELIMINARIES
In this section, we give a brief review on the relevant knowledge of lattices, and introduce the basic system model and security definition of the proposed LB-PPFS.

A. LATTICES
Now we first review the definitions of lattices as follows.
Definition 1: Let B = {b_1, b_2, · · · , b_m} ⊂ R^m be a set of m linearly independent column vectors. It generates an m-dimensional full-rank lattice, which is defined as Λ = {Bx = Σ_{i=1}^{m} x_i b_i : x_i ∈ Z}.

Definition 2: For a prime q and a matrix A ∈ Z_q^{n×m}, the q-modular integer lattices are defined as follows:

Λ_q^⊥(A) = {e ∈ Z^m : Ae = 0 mod q},
Λ_q^y(A) = {e ∈ Z^m : Ae = y mod q}.

Lemma 1: For any prime q ≥ 2 and positive integers n, m satisfying m ≥ 5n log q, there exists a probabilistic polynomial-time (PPT) algorithm TrapGen(q, n, m) [29] that returns a pair A ∈ Z_q^{n×m} and T ∈ Z^{m×m} such that A is statistically close to a uniform matrix in Z_q^{n×m} and T is a basis for the lattice Λ_q^⊥(A) with ||T|| ≤ O(n log q) and ||T̃|| ≤ O(√(n log q)).

Definition 3: The discrete Gaussian distribution over a subset L of Z^m with center c ∈ R^m and Gaussian parameter σ is defined as D_{L,σ,c}(x) = ρ_{σ,c}(x)/ρ_{σ,c}(L) for x ∈ L, where ρ_{σ,c}(x) = exp(−π ||x − c||^2 / σ^2).

Lemma 2: Given any prime q ≥ 3, positive integers n, m with m ≥ 2n log q and a rank-n matrix A ∈ Z_q^{n×m}, there exists a PPT algorithm SampleRwithBasis(q, m, n, A) [32] that outputs an invertible, low-norm matrix R sampled from a distribution statistically close to D_{m×m}, together with a random short basis T_B of the lattice Λ_q^⊥(B), where B = A R^{−1} mod q.

Lemma 3: Given any prime q ≥ 2 and two positive integers n, m with m ≥ 2n log q, there exists a PPT algorithm SamplePre(A, T_A, y, δ) [29] that, on input a matrix A ∈ Z_q^{n×m}, a short basis T_A ∈ Z^{m×m} of the lattice Λ_q^⊥(A), a vector y ∈ Z_q^n and a Gaussian parameter δ ≥ ||T̃_A|| ω(√(log m)), outputs a sample θ ∈ Z^m from a distribution within negligible statistical distance of D_{Λ_q^y(A),δ}.

Now we recall the important lattice basis delegation technique proposed by Agrawal et al. in [32], which is used to realize the secret key evolution algorithm and achieve the forward security property of our proposed scheme.
Lemma 4: Given a prime q, a matrix A ∈ Z_q^{n×m}, an invertible low-norm matrix R sampled from a distribution statistically close to D_{m×m}, a short basis T_A of the lattice Λ_q^⊥(A) and a sufficiently large Gaussian parameter σ, there exists a PPT algorithm NewBasisDel(A, R, T_A, σ) [32] that outputs a random short basis T_B of the lattice Λ_q^⊥(B), where B = A R^{−1} mod q.

B. HARDNESS ASSUMPTION
Definition 5: The Small Integer Solution (SIS) problem is described below. Given a prime q, a real number ς > 0 and a matrix A ∈ Z_q^{n×m}, find a nonzero integer vector e ∈ Z^m such that Ae = 0 mod q and ||e|| ≤ ς.

Definition 6: The Inhomogeneous Small Integer Solution (ISIS) problem is defined below. Given a prime q, a real number ς > 0, a matrix A ∈ Z_q^{n×m} and a vector y ∈ Z_q^n, find a nonzero integer vector e ∈ Z^m such that Ae = y mod q and ||e|| ≤ ς.
The main result of [29] is a connection between the hardness of the SIS and ISIS problems and the SIVP problem. For any poly-bounded ς = poly(n) and any prime q > ς · ω(√(n log n)), the average-case SIS and ISIS problems are as hard as approximating the SIVP problem in the worst case to within a factor ς · Õ(√n).
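For intuition, a toy SIS instance can be solved and checked by exhaustive search. The dimensions below are far too small to be hard, and the planted solution merely guarantees solvability; real instances use parameters as in the lemmas above.

```python
import itertools, math, random

q, n, m = 13, 2, 5
bound = math.sqrt(m)  # norm bound ς for ternary solutions

# Plant a ternary solution e* (last entry 1) so the toy instance is solvable:
random.seed(1)
e_star = [random.choice([-1, 0, 1]) for _ in range(m - 1)] + [1]
A = [[random.randrange(q) for _ in range(m)] for _ in range(n)]
for row in A:  # fix the last column so that A e* = 0 (mod q)
    row[m - 1] = (-sum(a * e for a, e in zip(row[:-1], e_star[:-1]))) % q

def is_sis_solution(A, e, q, bound):
    """Check e != 0, ||e|| <= bound and Ae = 0 (mod q)."""
    if all(x == 0 for x in e):
        return False
    if math.sqrt(sum(x * x for x in e)) > bound:
        return False
    return all(sum(a * x for a, x in zip(row, e)) % q == 0 for row in A)

# Exhaustive search over ternary vectors (only feasible at toy sizes):
solution = next(e for e in itertools.product([-1, 0, 1], repeat=m)
                if is_sis_solution(A, list(e), q, bound))
```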

C. BASIC SYSTEM MODEL AND SECURITY DEFINITION
This section discusses the system model and the security definition. As illustrated in Figure 1, the system framework of LB-PPFS in cloud computing consists of four different types of entities: a client, a cloud service provider (CSP), a private key generator (PKG) and a third-party auditor (TPA).
1) Client. The owner of the data, who has a huge amount of data that needs to be moved to the remote cloud server for storage, maintenance and sharing with others. It may be either an individual consumer or an organization.
2) CSP. An entity with seemingly unlimited storage capacity and computation ability, responsible for storing and maintaining the outsourced data of the client. The CSP is commonly regarded as a semi-trusted party.
3) PKG. A fully trusted entity of the cloud storage system, which takes charge of generating the system parameters, the master public/private key pair, and the private keys for the other entities, e.g., clients and the CSP.
4) TPA. An independent third party with more expertise and capabilities than users, which executes the data integrity verification at the data owner's request without learning the data content.

Definition 7 (Syntax):
The syntax of the proposed LB-PPFS consists of the following six algorithms.
1) Setup. This algorithm is performed by the PKG. It outputs the system parameters, the master public key PK and the master secret key SK according to the security parameter and the total number of time periods r.
2) Extract. Given a client identity id_u and the master public/secret key pair (PK, SK), this algorithm returns the corresponding initial private key (first-period key) SK_{ID_u||1}, where ID_u = id_u||r.
3) KeyUpdate. Taking as input the current time period i and the private key SK_{ID_u||τ} of a time period τ (τ < i), this algorithm outputs the private key SK_{ID_u||i} for the time period i.
4) AuthGen. Taking as input the current time period i, the public/private key pair (PK_{ID_u||i}, SK_{ID_u||i}) and a data file F, this algorithm outputs the authenticators ψ_i. The client then uploads ψ_i and the data file F to the CSP and removes them from local storage completely.
5) ProofGen. This algorithm is performed by the CSP. It outputs a response auditing proof Proof according to the authenticators ψ_i, the data file F and the challenge information chal received from the auditor TPA.
6) ProofVerify. The TPA runs this algorithm to verify the validity of the proof Proof according to the public keys PK and PK_{ID_u||i} and the challenge information chal. It outputs ''True'' if Proof is correct, which shows that the data file is intact; otherwise it outputs ''False'', which indicates that F is corrupted.
To continuously ensure the integrity of the data in the cloud, the auditor must periodically initiate a data integrity verification challenge to the cloud storage server. A secure public auditing scheme should guarantee that no probabilistic polynomial-time adversary can make the auditor accept a forged proof with non-negligible probability.
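To make the six-algorithm message flow concrete, the following toy sketch replaces the lattice signatures with a trivially linear tag t_j = sk · (A F_j) mod q. Every name and parameter here is illustrative; unlike the real scheme, verification in this toy needs the tag key itself, and the toy offers no actual security.

```python
import hashlib, random

q, n, m = 97, 3, 6   # toy parameters

def setup():
    """Setup: generate a public matrix A (all other master key material omitted)."""
    rng = random.Random(0)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]

def extract(identity):
    """Extract: derive a per-identity scalar key from the identity (toy stand-in)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % q

def key_update(sk, period):
    """KeyUpdate: one-way evolution of the per-period key (toy stand-in)."""
    return int.from_bytes(hashlib.sha256(f"{sk}|{period}".encode()).digest(), "big") % q

def auth_gen(A, sk, blocks):
    """AuthGen: tag_j = sk * (A F_j) mod q -- linear in F_j, hence aggregatable."""
    return [[(sk * sum(a * f for a, f in zip(row, Fj))) % q for row in A]
            for Fj in blocks]

def proof_gen(blocks, tags, chal):
    """ProofGen (CSP): aggregate challenged blocks and tags with coefficients v."""
    u = [sum(v * blocks[j][k] for j, v in chal) % q for k in range(m)]
    t = [sum(v * tags[j][r] for j, v in chal) % q for r in range(n)]
    return u, t

def proof_verify(A, sk_key, chal, proof):
    """ProofVerify (TPA): check sk * (A u) == aggregated tags (mod q)."""
    u, t = proof
    lhs = [(sk_key * sum(a * x for a, x in zip(row, u))) % q for row in A]
    return lhs == t
```

The linear check passes because sk · A(Σ v_j F_j) = Σ v_j (sk · A F_j) mod q, which is exactly the blockless-verification idea: the TPA never needs the full file.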
Following the security definition in [33], the security model is described through a game played between an adversary and a challenger. To formalize the security model, the interaction of the game between the adversary and the challenger is defined as follows.
Definition 8 (Security Model): Given a security parameter, if no probabilistic polynomial-time adversary wins the following game with non-negligible probability, the LB-PPFS is select-ID and select-period secure. Here, let O be an adversary and C be a challenger. O can continue to make queries polynomially many times as before, then outputs a forged response auditing proof Proof* for the data files F = (F_1, F_2, · · · , F_l) indicated by chal. The following two restrictions apply during the query process.
• The private key of ID* cannot be queried in any time period t (1 ≤ t ≤ i*).
• At least one of the data blocks F_{l_j} corresponding to chal = {L, v_i} has not been submitted to an AuthGen query for identity ID* in time period i*.
4) Output: The adversary O wins the above game if ProofVerify(PK_{ID*||i*}, i*, chal, Proof*) = 1.

III. WEAKNESS OF ZHANG ET AL.'S SCHEME
In this section, through a cryptanalysis of Zhang et al.'s scheme [33], we demonstrate that their scheme has a security vulnerability: the malicious cloud server can generate a valid possession proof that passes the data integrity checking even without holding the client's original data. The specific analysis is described below. Note that, based on the concept of PDP, on the one hand, in the ProofGen stage, among the data tuple (i, F, ψ_i, ξ_i) uploaded to the cloud server for storage, only the components (i, ψ_i, ξ_i) are used to generate the data possession proof in response to the data integrity challenge and are verified by the TPA. On the other hand, in the ProofVerify stage, the TPA checks the validity of the returned auditing proof without requiring the data files themselves; therefore, in the ProofGen stage, the malicious cloud server may cheat the TPA.
In the AuthGen stage, the signature in Zhang et al.'s scheme [33] is related to A_c (A_c is the public key of the cloud server); that is, their scheme transforms the signature of the data file F_j into a signature of A_c F_j, i.e., the client adds the term A_c F_j. In the ProofGen stage, the cloud storage server picks a random vector w_i and utilizes the SamplePre algorithm to generate a preimage β; in this way, the cloud storage server can encapsulate the data file F_j with β, that is, F̂_j = β + F_j. Then, in the ProofVerify stage, the TPA can recover A_c F_j from F̂_j. However, this method is subject to forgery risk: the malicious cloud storage server can run the SamplePre algorithm to obtain a preimage of A_c F_j, that is, find another fake data block F'_j such that A_c F'_j = A_c F_j. Meanwhile, since their scheme places no norm limit on F_j, the malicious cloud server can easily obtain the fake data F'_j by Gaussian elimination.
Although F'_j may differ from F_j, the malicious cloud server can generate valid proof information using F'_j; namely, in the ProofGen stage, the malicious cloud server can substitute F'_j for F_j to generate a valid proof that passes the data integrity checking in the ProofVerify stage. Thus, Zhang et al.'s scheme [33] cannot resist forgery attacks.
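The forgery can be reproduced on a toy instance: because no norm bound is imposed on the fake block, any vector in the kernel of A_c modulo q yields a different block with the same image A_c F_j. Brute force over a tiny field stands in here for the Gaussian elimination mentioned above; all sizes are illustrative.

```python
import itertools, random

q, n, m = 7, 2, 4
rng = random.Random(42)
A_c = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]   # cloud server's public matrix
F = [rng.randrange(q) for _ in range(m)]                          # client's genuine data block

def image(A, x):
    """Compute A x mod q."""
    return [sum(a * v for a, v in zip(row, x)) % q for row in A]

# Find a nonzero kernel vector e with A_c e = 0 (mod q). Since m > n, such a
# vector always exists; at toy sizes exhaustive search suffices.
e = next(v for v in itertools.product(range(q), repeat=m)
         if any(v) and image(A_c, list(v)) == [0] * n)

F_fake = [(f + x) % q for f, x in zip(F, e)]   # fake block with the same image
```

Because A_c F_fake = A_c F (mod q), any check that only looks at the image of the block accepts the fake data.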

IV. THE CONCRETE LB-PPFS SCHEME
In this section, the concrete construction of our proposed LB-PPFS scheme for public auditing in cloud storage is presented in detail.

A. OVERVIEW
To facilitate the understanding of the proposed LB-PPFS scheme, in this subsection we first present a sketch of our scheme. Its overall construction framework and workflow are demonstrated in Figure 2, which includes three stages.
1) Key generation stage. In this stage, the PKG is responsible for initializing the system parameters and extracting the corresponding secrete key for other entities in the system.
2) Authentication generation stage. The client generates the authentication for local data files, then uploads the data files and its corresponding authentications to the remote CSP.
3) Data audit stage. When receiving the data integrity audit request from the client, the TPA generates the auditing challenge messages and sends them to the CSP. As a response, the CSP returns the corresponding data possession proof information for checking.

B. HIGH-LEVEL TECHNIQUE EXPLANATION
Our construction is based on two main techniques: the lattice basis delegation technique and the random masking technique. In our design, we utilize the lattice basis delegation technique to achieve the forward-security property. To our knowledge, there exist several methods to implement lattice basis delegation, such as those in [30], [31] and [32], and the NewBasisDel technique in [32] is one of the most promising at present. Compared with [30] and [31], the lattice basis delegation technique in [32] maintains a fixed lattice dimension upon delegation, which keeps the signing private key and the signature length unchanged, while the techniques in [30] and [31] expand the lattice dimension, thus doubling the size of the signing private key and the length of the signature. In practice, this would greatly increase the communication cost and reduce the efficiency of the system. To be specific, suppose the current time period is i. In the KeyUpdate algorithm, taking the current time period i and the private key SK_{ID_u||i} as input, the client performs the NewBasisDel technique to update (evolve) his/her current private key SK_{ID_u||i} to the new private key SK_{ID_u||i+1}, which will be used in the next time period, and then deletes the old secret key SK_{ID_u||i}. In this way, the client updates (evolves) his/her private key over time. Accordingly, taking the time period i and ID_u as input, the CSP and TPA can compute the corresponding public key PK_{ID_u||i} themselves, thereby removing the complicated certificate management of the PKI model. Therefore, the client first utilizes SK_{ID_u||i} to generate the data authenticators in time period i and uploads them to the CSP, and the CSP can compute the corresponding public key PK_{ID_u||i} to verify these data.
When receiving the audit request from the client, the TPA can also compute the corresponding public key PK_{ID_u||i} to perform the audit process and check whether the client's data are kept intact. If key exposure occurs in the current time period i, that is, the private key SK_{ID_u||i} is exposed to the adversary, the prior time periods are not affected because the previous secret keys SK_{ID_u||1}, SK_{ID_u||2}, · · · , SK_{ID_u||i−1} have been deleted. In addition, the adversary cannot deduce the previous secret keys from the captured current key SK_{ID_u||i} either, because SK_{ID_u||i} is generated by a one-way function of the old secret key.
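The certificate-free public-key derivation just described can be sketched as follows, with a seeded PRNG standing in for H_1 and the low-norm Gaussian conditions on R_i ignored. Anyone who knows ID_u, the period i and the master matrix A can recompute A_{ID_u||i} = A(R_1 · · · R_i)^{−1} mod q; all names and sizes below are illustrative.

```python
import random

q, n, m = 97, 2, 4

def mat_mul(X, Y):
    """Matrix product mod q."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]

def mat_inv(M):
    """Gauss-Jordan inversion over GF(q); raises StopIteration if M is singular."""
    size = len(M)
    aug = [row[:] + [int(i == j) for j in range(size)] for i, row in enumerate(M)]
    for col in range(size):
        piv = next(r for r in range(col, size) if aug[r][col] % q)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [(x * inv) % q for x in aug[col]]
        for r in range(size):
            if r != col:
                f = aug[r][col]
                aug[r] = [(a - f * b) % q for a, b in zip(aug[r], aug[col])]
    return [row[size:] for row in aug]

def derive_R(identity, period):
    """Stand-in for H_1(ID||i): a deterministic invertible matrix mod q."""
    rng = random.Random(f"{identity}|{period}")
    while True:
        R = [[rng.randrange(q) for _ in range(m)] for _ in range(m)]
        try:
            mat_inv(R)
            return R
        except StopIteration:      # singular, resample
            continue

def public_key(A, identity, period):
    """Compute A_{ID||i} = A (R_1 R_2 ... R_i)^{-1} step by step, without certificates."""
    for i in range(1, period + 1):
        A = mat_mul(A, mat_inv(derive_R(identity, i)))
    return A
```

Since the R_i are recomputable from the identity and period alone, the CSP and TPA derive the same per-period public key as the client.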
In our design, we utilize the random masking technique to achieve the data privacy-preserving property. In order to prevent the auditing proof from leaking any data information, that is, to provide a privacy-preserving auditing scheme, we modify the signature scheme in [38] to be related to both the data F_j and A_c F_j (A_c is the public key of the cloud server). The cloud storage server can thus randomly generate β_i such that A_{ID_u||i} β_i = A_c w_i when producing the proof of possession for auditing, then encapsulate the signature with β_i and encapsulate the challenged data with w_i by using the random masking technique. In this way, we can prevent the TPA from recovering the client's data after multiple queries.
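The masking step can be seen in a stripped-down linear toy (no lattice signatures; all names and parameters are illustrative): the server blinds the aggregated blocks with a random vector and sends the mask's image, so the verifier's linear check still passes while Σ_j v_j F_j itself stays hidden.

```python
import random

q, n, m = 101, 3, 5
rng = random.Random(7)
A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]       # public matrix
blocks = [[rng.randrange(q) for _ in range(m)] for _ in range(4)]
tags = [[sum(a * f for a, f in zip(row, Fj)) % q for row in A]
        for Fj in blocks]                                          # t_j = A F_j mod q

def masked_proof(chal):
    """Server: aggregate the challenged blocks, then blind with a random mask beta."""
    u = [sum(v * blocks[j][k] for j, v in chal) % q for k in range(m)]
    beta = [rng.randrange(q) for _ in range(m)]
    u_masked = [(x + b) % q for x, b in zip(u, beta)]
    c = [sum(a * b for a, b in zip(row, beta)) % q for row in A]   # image of the mask
    return u_masked, c

def verify(chal, proof):
    """TPA: check A u' = sum_j v_j t_j + A beta (mod q); u itself is never revealed."""
    u_masked, c = proof
    lhs = [sum(a * x for a, x in zip(row, u_masked)) % q for row in A]
    rhs = [(sum(v * tags[j][r] for j, v in chal) + c[r]) % q for r in range(n)]
    return lhs == rhs
```

Because A u' = A u + A β mod q, the check succeeds, yet repeated challenges give the TPA only masked aggregates, which blocks the linear-system recovery attack on the blocks.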

C. CONSTRUCTION OF LB-PPFS
In this subsection, we present the detailed description of the proposed LB-PPFS scheme as follows.

1) Setup:
Given the maximum number of challenged data blocks, the system establishment algorithm consists of the following steps:
(a) The system selects two primes p, q such that q ≥ (mkp)^2, and sets n = ⌊m/(5 log q)⌋.
(b) The system runs the algorithm TrapGen(q, n, m) to generate a matrix A ∈ Z_q^{n×m} and a short basis T_q ∈ Z^{m×m} of Λ_q^⊥(A).
(c) The system calculates T_A = p T_q. Obviously, T_A is a good basis of the lattice Λ = pZ^m ∩ Λ_q^⊥(A).
(d) The system defines two hash functions: H_1 : {0, 1}* → Z_q^{m×m}, whose output follows a discrete Gaussian distribution (with standard deviation σ_R), and H_2 : Z_q^{n×m} × {0, 1}* → Z_q^n.
(e) Given the number of periods r, the system sets the Gaussian parameters δ = (δ_0, δ_1, δ_2, · · · , δ_r) and σ = (σ_0, σ_1, σ_2, · · · , σ_r) for the algorithms SamplePre and NewBasisDel, respectively. For any 0 ≤ i ≤ r, …

4) AuthGen:
The client divides the entire file F into l blocks, denoted F = (F_1, F_2, · · · , F_l), where F_j ∈ Z_p^m, and then sets a unique index index ∈ {0, 1}* for the data file. Finally, for each block F_j (1 ≤ j ≤ l), taking as input the current period i and the client's public/private key pair (A_{ID_u||i}, T_{ID_u||i}), the client computes its authenticator θ_{i,j} according to the following steps.
(a) Calculates the l vectors λ_{i,j} = H_2(A_{ID_u||i}||index||j) ∈ Z_q^n, j = 1, · · · , l.
(b) Solves t_{i,j} such that …
The client sends the data file F, the authenticators ψ_i = {θ_{i,j}}_{1≤j≤l} and the signature ξ_i = {index||i||SSig_ssk(index||i)} to the cloud storage server, then deletes them from local storage. Here, ξ_i is used to ensure the integrity of the data file's identifier.
5) ProofGen: Participants in this stage include the cloud server and the auditor TPA. The specific interaction process is as follows.
(a) When receiving the auditing request from the client, the TPA first obtains the data file tag ξ_i and verifies the integrity of the data file's identifier by using the client's public key spk to verify the signature SSig_ssk(index||i). If the check passes, the TPA performs the following auditing steps; otherwise, the TPA aborts the auditing process.
(b) The TPA generates the challenge information chal = {L, v_i} and sends it to the cloud storage server, where L = {l_1, · · · , l_c} is a random subset of the set {1, · · · , l}.
(c) The cloud storage server receives chal, then computes u_i = Σ_{j∈L} v_{i,j} F_j and θ_i = Σ_{j∈L} v_{i,j} θ_{i,j}, and selects a random vector β_i ∈ Z_q^n such that ||β_i|| ≤ δ_0 √m.

V. ANALYSIS OF THE PROPOSED SCHEME A. CORRECTNESS PROOF
1) The inequations 0 < θ i,j ≤ δ i √ m and 0 < β i ≤ δ 0 √ m hold according to Lemma 3, so 0 < θ i ≤ c p 2 δ i √ m is satisfied. Thus, the following equation holds.
(b) Also owing to i ⊂ u,i holds, the following equation is correct.
The scheme is correct according to the above analysis.
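The norm bound in step (a) is at bottom an instance of the triangle inequality. A toy numeric check, with small uniform integer vectors standing in for the Gaussian-sampled authenticators:

```python
import math
import random

# Triangle-inequality step behind the correctness bound:
# ||sum_j v_j * theta_j|| <= sum_j |v_j| * ||theta_j||.
rng = random.Random(5)
thetas = [[rng.randrange(-5, 6) for _ in range(4)] for _ in range(3)]
v = [rng.randrange(1, 7) for _ in range(3)]          # positive coefficients

agg = [sum(v[j] * thetas[j][i] for j in range(3)) for i in range(4)]
norm = lambda x: math.sqrt(sum(c * c for c in x))

assert norm(agg) <= sum(v[j] * norm(thetas[j]) for j in range(3)) + 1e-9
```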

B. SECURITY PROOF
In this subsection, we show that the proposed scheme is secure through the following two theorems.
Theorem 1: The proposed LB-PPFS scheme achieves forward security, provided that the SIS problem is intractable.
Proof: Given a challenge matrix B ∈ Z_q^{n×m}, the challenger C aims to obtain a vector θ*_{i,t} ∈ Z_q^m such that Bθ*_{i,t} = 0 and 0 < ||θ*_{i,t}|| ≤ δ* √m by playing the game of Definition 8 with an adversary O. At the beginning of the game, O determines the challenge identity ID* and the challenge time period i*, and C maintains two initially empty lists L_1, L_2. C sets A_{ID*||j} = A_{ID*||j−1}(R*_j)^{−1} for 1 < j ≤ i*, and records (ID*, 1, A_{ID*||1}, R*_1, ⊥), ..., (ID*, i*, A_{ID*||i*}, R*_{i*}, ⊥) into list L_1. Finally, the challenger returns the system parameters (A, H_1, H_2, spk, δ, σ).
Hash Queries: The adversary O can issue H_1 and H_2 queries at any time, as follows.
H_1(id_u||i) Query: Given an identity id_u and a period i, it returns R_i if the pair (id_u, i) is found in list L_1. Otherwise, it computes and returns the relevant hash value according to the following cases.
(a) When id_u = id* and i = i* + 1, the challenger C runs the algorithm SampleRwithBasis(A_{ID*||i*}) to get a matrix R_{i*+1} ← D_{m×m} and a short basis T_{ID*||i*+1} of Λ_q^⊥(A_{ID*||i*+1}), where A_{ID*||i*+1} = A_{ID*||i*}(R_{i*+1})^{−1}. The challenger C appends (id_u, i* + 1, A_{ID*||i*+1}, R_{i*+1}, T_{ID*||i*+1}) into list L_1 and returns R_{i*+1}.
(b) When id_u = id* and i > i* + 1, the challenger C first obtains the private key T_{ID*||i−1} of identity id_u in time period i − 1 by running the H_1(id_u||i − 1) query, then selects a matrix R_i ← D_{m×m} and generates a short basis T_{ID_u||i} of the lattice Λ_q^⊥(A_{ID_u||i}) by carrying out the algorithm NewBasisDel(A_{ID_u||i−1}, R_i, T_{ID_u||i−1}, σ_i). Finally, C appends (id_u, i, A_{ID_u||i}, R_i, T_{ID_u||i}) into list L_1 and returns R_i. Here, A_{ID_u||i} = A_{ID_u||i−1}(R_i)^{−1}. (c) When id_u ≠ id* and i = 1, the challenger C runs the algorithm SampleRwithBasis(A) to get a matrix R_i ← D_{m×m} and a short basis T_{ID_u||1} of Λ_q^⊥(A_{ID_u||1}), where A_{ID_u||1} = A(R_i)^{−1}. The challenger C appends (id_u, 1, A_{ID_u||1}, R_i, T_{ID_u||1}) into list L_1 and outputs R_i. (d) When id_u ≠ id* and i > 1, the challenger C executes the H_1(id_u||i − 1) query to get the private key T_{ID_u||i−1} of identity id_u in time period i − 1, then selects a matrix R_i ← D_{m×m}, computes A_{ID_u||i} = A_{ID_u||i−1}(R_i)^{−1}, and performs the algorithm NewBasisDel(A_{ID_u||i−1}, R_i, T_{ID_u||i−1}, σ_i) to generate a short basis T_{ID_u||i} of the lattice Λ_q^⊥(A_{ID_u||i}). Finally, C appends (id_u, i, A_{ID_u||i}, R_i, T_{ID_u||i}) into list L_1 and returns R_i.
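The delegation chain A_{ID_u||i} = A_{ID_u||i−1}(R_i)^{−1} that these cases maintain can be caricatured with scalars (a deliberate simplification: the real R_i are matrices sampled from a discrete Gaussian, and inversion is over Z_q^{m×m}):

```python
import random

# Scalar caricature of the period-by-period delegation used in the H_1
# queries: each period's public value is the previous one times R_i^{-1}
# mod q, so whoever records the R_i can answer queries consistently.
q = 1009                      # small prime modulus
rng = random.Random(6)
A0 = rng.randrange(1, q)      # stands in for the initial matrix A
Rs = [rng.randrange(1, q) for _ in range(5)]

chain = [A0]
for R in Rs:
    chain.append(chain[-1] * pow(R, -1, q) % q)   # A_i = A_{i-1} * R_i^{-1}

# Multiplying back by R_i recovers the previous period's value exactly:
for i in range(5, 0, -1):
    assert chain[i] * Rs[i - 1] % q == chain[i - 1]
```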
H_2(A_{ID_u||i}||index||j) Query: Given A_{ID_u||i}, index and j, C returns λ_{i,j} if the tuple (A_{ID_u||i}, index, j) is found in list L_2. Otherwise, C randomly selects f ∈ Z_p^m, samples a spot λ'_{i,j} from D_{pZ^m+f, δ_i}, sets λ_{i,j} = H_2(A_{ID_u||i}||index||j) = A_{ID_u||i} λ'_{i,j} mod q − A_c f, and returns λ_{i,j}. Finally, the challenger C records (A_{ID_u||i}, index, j, λ_{i,j}, λ'_{i,j}) into list L_2.
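The simulator's trick here is to sample the short preimage first and then define the hash output from it, so no inversion of A is ever needed. A hedged toy of the idea (the −A_c f term is omitted, and the discrete Gaussian over the coset pZ^m + f is replaced by small uniform offsets):

```python
import random

# Hash programming: pick lambda' in the coset p*Z^m + f first, then define
# the "hash value" lambda = A * lambda' mod q. The simulated pair verifies
# by construction.
q, p, m, n = 1009, 7, 6, 2
rng = random.Random(3)
A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]

f = [rng.randrange(p) for _ in range(m)]                       # f in Z_p^m
lam_pre = [f[i] + p * rng.randrange(-3, 4) for i in range(m)]  # lambda' in pZ^m + f
lam = [sum(A[r][i] * lam_pre[i] for i in range(m)) % q for r in range(n)]

assert [x % p for x in lam_pre] == f    # preimage stays in the programmed coset
```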
Private Key Query: Given an identity id_u and a time period i, the challenger C returns SK_{ID_u||i} = T_{ID_u||i} by performing the H_1(id_u||i) query.
AuthGen Query: Given a data file F = (F_1, F_2, ..., F_l), an identity id_u and a period i, the challenger C computes and returns the authentication of the data file F according to the following two cases.
(a) When id_u = id* and i ≤ i*: the simulation fails if H_2(A_{ID_u||i}||index||j) was queried before. Otherwise, for 1 ≤ j ≤ l, the challenger C samples a spot λ'_{i,j} from D_{pZ^m+F_j, δ_i} and takes it as the authenticator θ_{i,j}. The challenger C appends (A_{ID_u||i}, index, j, λ_{i,j}, λ'_{i,j}) into list L_2 and returns the θ_{i,j} together with ξ_i = {index||i||SSig_ssk(index||i)}.
(b) Otherwise, the challenger C issues a private key query to obtain SK_{ID_u||i} = T_{ID_u||i}, and then performs the AuthGen algorithm to generate the authentication.
Challenge: After the above queries, the challenger C selects a specific challenge message chal for the data file F* = (F*_1, F*_2, ..., F*_l) and sends it to O. Finally, the adversary O outputs a forged proof Proof* = {i*, u*_i, θ*_i}.
Output: After obtaining the forged proof Proof* = {i*, u*_i, θ*_i}, the challenger C extracts u*_i and θ*_i. C obtains the authentications ψ_i = {θ_{i,1}, θ_{i,2}, ..., θ_{i,l}} by looking up the lists L_1, L_2 and running the AuthGen query. Further, C gets another proof Proof = {i*, u_i, θ_i} by performing the algorithm ProofGen. The equation B(θ_i − θ*_i) mod q = 0 holds because both proofs verify against the same challenge. Furthermore, since ||θ_i|| and ||θ*_i|| are no more than the prescribed bound, θ_i − θ*_i is a short solution of the SIS instance. As mentioned above, [29] bridges the hardness of the SIS (ISIS) problems and the SIVP problem; therefore, the parameters q ≥ (mkp)^2, n = ⌊m/(5 log q)⌋ and δ_i ≥ p√(n log q)·(σ_R √m log m)^i · log n are set in our proposed scheme, which meets the parameter requirements that make the SIS problem hard. During the simulation, since the file tag index is selected randomly, the abort probability at the AuthGen query stage is negligible. Here, we define two distributions of authentications: one is generated in the above game, which samples the spot directly from the coset D_{pZ^m+F_j, δ_i}; the other is generated in the proposed scheme, which solves t_{i,j} from the equation set in AuthGen. The above two distributions are indistinguishable. According to Lemma 5, the proposed LB-PPFS scheme achieves forward security.
Theorem 2: The proposed LB-PPFS scheme achieves data privacy preservation against the curious TPA, provided that the SIS problem is intractable.
Proof: To save space, we omit the detailed description of the game in Theorem 2, but some key points should be noted as follows.
Taking into account that u_i = Σ_{j∈L} v_{i,j} F_j is a linear combination of the data blocks sampled in the challenge information chal, the curious TPA may attempt to recover the client's original data blocks by taking advantage of its powerful computational resources. To handle this privacy-leakage vulnerability, in the ProofGen stage the CSP generates a vector β_i satisfying ||β_i|| ≤ δ_0 √m by random sampling and encapsulates θ_i into θ'_i with β_i, which prevents the TPA from recovering θ_i from θ'_i and further obtaining u_i via the equation θ_i mod p = u_i. Meanwhile, the CSP utilizes SamplePre(A_c, T_c, t_c, δ_0) to compute θ_c and encapsulates u_i into u'_i with θ_c, which prevents the TPA from recovering u_i from u'_i. To solve these linear combinations, the curious TPA must obtain a valid θ_c. Therefore, if the adversary can compute θ_c with non-negligible probability, it can solve the ISIS instance A_c θ_c = t_c. This is a contradiction because, based on the security proof in [29], without knowing the CSP's trapdoor T_c, the TPA can solve for θ_c only with negligible probability. Thus, we can safely conclude that the TPA cannot learn any knowledge of the user data from the auditing process. Therefore, our proposed scheme preserves privacy against the curious TPA.
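The leak that the masking closes can be seen in one line of arithmetic: without β_i, reducing the proof component mod p hands the aggregate straight to the TPA. A toy illustration (uniform mask instead of the scheme's Gaussian-sampled β_i):

```python
import random

# Without the mask, theta mod p equals the secret aggregate u; after adding
# a random beta with beta != 0 (mod p), the residue no longer reveals u.
p = 7
rng = random.Random(4)

u = [3, 5, 1]                                    # secret aggregate (mod p)
theta = [x + p * rng.randrange(10) for x in u]   # unmasked proof component
assert [t % p for t in theta] == u               # leaks u directly

beta = [rng.randrange(1, p) for _ in u]          # mask, nonzero mod p
masked = [theta[i] + beta[i] for i in range(3)]
assert [t % p for t in masked] != u              # residue is now blinded
```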

VI. PERFORMANCE ANALYSIS
In this section, we first present the functionality comparison among the proposed LB-PPFS scheme and several existing relevant schemes [8], [14], [33]. After that, we compare the computation cost between our scheme and Zhang et al.'s scheme [33] in the AuthGen, ProofGen and ProofVerify stages, respectively. At last, we experimentally compare the performance of Zhang et al.'s scheme [33] and our scheme.

A. FUNCTIONALITY COMPARISON
In this subsection, we summarize in Table 1 the functionality comparison between our LB-PPFS scheme and several existing schemes [8], [14], [33] with respect to storage correctness, blockless verification, probabilistic sampling, public auditability, data privacy preserving, forward security and post-quantum security.
From Table 1, it can be observed that all the schemes support blockless verification, probabilistic sampling and public auditability. Wang et al.'s scheme [14] achieves data privacy preserving but supports neither forward security nor post-quantum security. Yu et al.'s scheme [8] achieves data privacy preserving and forward security but cannot provide post-quantum security either. Zhang et al.'s scheme [33] supports data privacy preserving, forward security and post-quantum security, but fails to achieve storage correctness, as discussed above. Only our LB-PPFS scheme supports all of the following security properties: storage correctness, blockless verification, probabilistic sampling, public auditability, data privacy preserving, forward security and post-quantum security.
Based on the above comprehensive comparison, we conclude that our LB-PPFS scheme achieves privacy-preserving and forward-secure public auditing while simultaneously providing post-quantum security.

B. PERFORMANCE COMPARISON
According to the efficiency analysis of Boneh and Freeman's signature scheme in [38], the auditing scheme we construct is also efficient, since it is designed on top of their signature scheme. The following is a specific comparison with the identity-based auditing scheme proposed by Zhang et al. [33]. For ease of comparison, we summarize the relevant parameters n, m, q, σ, δ of our scheme and their meanings in Table 2.
1) In the stage of AuthGen. The main calculations in Zhang et al.'s scheme include n + l hash operations, 2nl inner products (i.e., nl inner products of m-dimensional vectors and nl inner products of n-dimensional vectors), l preimage samples and one signature. In our scheme, the primary computation includes l hash operations, l preimage samples, one signature and solving the following equations l times.
Obviously, let t_{i,j} = F_j + pX and λ'_{i,j} = λ_{i,j} + A_c F_j; then formula (1) can be transformed accordingly, where A' is the reduced row echelon form of the matrix A_{ID_u||i}, B is an invertible matrix such that BA_{ID_u||i} = A', and X ∈ Z^m satisfies t_{i,j} = F_j + pX. The client ID_u can precompute and store A', p^{−1}B^{−1} and p^{−1}A', so the time of solving the equations approximates 2n inner-product operations per block, i.e., 2nl inner products of n-dimensional vectors in total.
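The transformation can be checked in the simplest possible case. The sketch below is a scalar stand-in (a 1×1 "matrix" A, so row reduction is trivial): substituting t = F + pX into A·t ≡ λ (mod q) gives X = (pA)^{−1}(λ − AF) mod q, so with (pA)^{−1} precomputed, each solve costs only a few multiplications:

```python
# Scalar sketch of solving the AuthGen equation set via precomputation:
#   A * t = lam (mod q)  and  t = F (mod p),  with  t = F + p*X.
q, p = 1009, 7
A, F = 123, 4          # toy 1x1 "matrix" and data value
lam = 700              # toy hash value in Z_q

inv = pow(p * A, -1, q)          # precomputed once per client (Python 3.8+)
X = inv * (lam - A * F) % q      # solve for the lift X
t = F + p * X

assert A * t % q == lam          # A * t = lam (mod q)
assert t % p == F % p            # t = F (mod p)
```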
2) In the stage of ProofGen. Based on the above time analysis of solving equations, our scheme requires n more inner-product operations than Zhang et al.'s.
3) In the stage of ProofVerify. The main calculations in Zhang et al.'s scheme include n + c + l hash operations and 3n inner products, while our scheme needs c hash operations and 2n inner products of m-dimensional vectors. Table 3 summarizes the comparison of computation cost between our scheme and Zhang et al.'s scheme [33] in the AuthGen, ProofGen and ProofVerify stages, where T_ha, T_mu, T_sam and T_sig denote a hash operation, a multiplication operation, a SamplePre operation and an SSig signature operation, respectively. Now, we discuss the comparison of the running time of the three stages between Zhang et al.'s scheme [33] and our proposed scheme, shown in Figure 3, Figure 4 and Figure 5. Our simulation experiments are conducted with Python 3.7 on Windows 7 Ultimate with an Intel(R) Core(TM) 4130 CPU @ 3.40 GHz and 4 GB RAM. In order to achieve 80-bit security, we set the parameters as n = 64, m = 11978, q = 2^54 − 33, p = 127, r = 10, k = 100. Each experiment is performed 30 times, and we report the average computation cost in these figures. Figure 3 shows that the computation cost of the AuthGen stage for clients grows linearly with the number of data blocks l; the computation cost of our scheme is similar to that of Zhang et al.'s scheme [33] at this stage. Figure 4 shows the computation cost of the ProofGen stage for the CSP as the number of data blocks challenged by the TPA grows. It can be seen that the computational cost in Zhang et al.'s scheme [33] is nearly constant, almost independent of the number of challenged data blocks, and the computational cost of our scheme likewise remains at a low level. Figure 5 shows that the computation cost of the ProofVerify stage for the TPA grows linearly with the number of challenged data blocks. It can be observed that both schemes perform well, but our scheme slightly outperforms Zhang et al.'s.
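The measurement methodology above (30 runs, averaged) can be sketched with a small timing harness. The workload here is a stand-in; the real benchmark would invoke the AuthGen, ProofGen and ProofVerify implementations:

```python
import time

# Average the wall-clock time of a callable over `runs` executions,
# mirroring the 30-repetition averaging used for Figures 3-5.
def average_ms(fn, runs=30):
    start = time.perf_counter()
    for _ in range(runs):
        fn()
    return (time.perf_counter() - start) / runs * 1000.0

workload = lambda: sum(i * i for i in range(10_000))  # stand-in stage
avg = average_ms(workload)
assert avg > 0.0
```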
From the above performance analysis, we can conclude that the overall computation cost of our proposed scheme is similar to that of [33], while our scheme provides privacy-preserving and forward-secure guarantees and overcomes the security vulnerability of [33] whereby the CSP could generate a valid proof even without the original data files.

VII. CONCLUSION
In this work, we propose a novel privacy-preserving and forward-secure cloud storage public auditing scheme from lattices. We first formalize the identity-based data integrity auditing model, including the system framework and the security model. Then, we present a concrete identity-based privacy-preserving and forward-secure cloud storage public auditing scheme from lattices, which is provably secure under the hardness of the SIS problem. Furthermore, by utilizing an encapsulation technique with random masking together with the lattice basis delegation technique, our scheme prevents a malicious TPA from learning the original data and achieves forward security against key exposure attacks. Therefore, our protocol achieves the goals that the user data is protected from corruption by the untrusted CSP and that the privacy of the user's data is secure against the malicious TPA, even under quantum computer attacks.
HAIFENG LI received the B.S. degree in computer science from Hebei University and the M.S. degree in computer science from Northwest Normal University. He is currently pursuing the Ph.D. degree with the School of Software, Dalian University of Technology. His current research interests include applied cryptography, network security, cloud computing security, and big data security.
LIANGLIANG LIU received the Ph.D. degree in computer software and theory from the University of Chinese Academy of Sciences, Beijing, China, in 2014. He is currently a Lecturer with the School of Statistics and Information, Shanghai University of International Business and Economics. His main research interests are in information security, machine learning, natural language processing, and knowledge acquisition.
CAIHUI LAN received the Ph.D. degree in basic mathematics from the School of Mathematics and Statistics, Northwest Normal University, Lanzhou, China, in 2013. He is currently an Associate Professor with the School of Electronics and Information Engineering, Lanzhou City University. His main research interests include cryptography and information security, in particular, cryptographic protocols.
CAIFEN WANG received the Ph.D. degree in cryptography from the School of Communication Engineering, Xidian University, in 2003. She is currently a Professor with Shenzhen Technology University. Her main research interests include cryptography and information security, in particular, applied cryptography and security in cloud computing. She has been selected as a member of the Special Committee of Cryptography Algorithms and the Director of the China Cryptography Society.
HE GUO received the B.S. degree in computer science and technology from Jilin University, China, in 1982, and the M.S. degree in computer science and technology from the Dalian University of Technology, in 1988. He has been a Full Professor with the School of Software, Dalian University of Technology, since 2010. His research interests include computer vision, parallel and distributed computing, and cloud computing security.