Towards Lightweight Provable Data Possession for Cloud Storage Using Indistinguishability Obfuscation

Cloud Computing has proved to be a boon for many individuals and organizations who cannot afford infrastructure and maintenance cost of resources. But the untrusted nature of Cloud Server (CS) brings many challenges related to security and trust. Public auditing is one process that enables users to delegate the integrity verification of outsourced data to external party such as Third-Party Auditor (TPA). Provable Data Possession (PDP) is one approach of auditing that can verify the integrity using cryptographic algorithms. Many PDP schemes are based on bilinear pairing and homomorphic authenticators that involves complex computations that leads to increased verification time. The lightweight auditing processes is a need today using modern cryptographic techniques. Indistinguishability Obfuscation (IO) is one of the modern but weaker primitive that, if used with one-way functions, provide multiple cryptographic constructs. Sahai and Waters proposed construction of cryptographic constructs using IO. Zhang et al. proposed lightweight public auditing scheme using these IO. But still there are many goals to achieve such as group support, collusion handling, privacy-preserving etc. using IO. In this paper, we are trying to explore these issues and lists future research directions in this field.


I. INTRODUCTION
Evolution in the field of computer technology and Internet-based services open up the era of Cloud Computing. High-speed processors with improved service computing architecture led to the development of large data centers. Flexible and increased network bandwidth enables a client to access or subscribe to data and services from remote data centers. This improved computing architecture helps many organizations or individuals to expand their businesses without any investment in infrastructure and maintenance costs. This paradigm mainly provides services in computing and storage. Multiple computing resources are easily assigned and released to cloud users based on their needs. Cloud datastore is one of the widely used services among cloud users. Cloud users can easily store and share information on cloud storage. Although it provides a promising platform, this The associate editor coordinating the review of this manuscript and approving it for publication was Mingjun Dai . paradigm has brought many security and performance issues with it. The main concern is that of integrity verification of outsourced data at remote centers since user is not having any physical control over it. Cloud Server (CS) may delete infrequent data to create space for other information. CS may also hide accidental data loss from users due to disk crashes, natural disasters or any other reason to maintain reputation. Because of mass outsourced data and resource capacity constraints on user side, it is not efficient for cloud user to conduct periodic integrity checks [1].
Multiple approaches are suggested to address this issue. Evidence generated through different logs is used to solve disputes between cloud user and CS [2]. But Log-based auditing faces many challenges such as: increased growth in log size, security, integrity, and privacy of logs [3]. Traditional cryptographic methods cannot be used as it is in this paradigm. Alternatively, CS needs to assure cloud users that their data is intact and can be accessible at any time. Auditing is a process that offers clear and recognizable footprints of VOLUME 10, 2022 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ resource access for various activities. Traditional IT audits are mostly conducted in two ways: internal and external. The internal audit generally concentrates only on certain organizational processes, their optimization, and risk management. The external audit focuses on an organization's ability to satisfy the constraints of various laws and regulations. But when an organization's data is outsourced on the cloud, it discloses cloud-specific security concerns. Ryoo et al. [4] highlight the challenges of cloud security auditing from traditional IT security audit practices. According to Hsien et al. [5], the role of verifiers in cloud security audit is mainly categorized as private auditability and public auditability. In private auditing, cloud users or organizations directly verify data in cloud storage whereas, in public auditing, the verification task is delegated to an external verifier such as a Third-party Auditor (TPA) who can check outsourced data on behalf of cloud user. TPA uses cryptographic algorithms to check the integrity of outsourced data. Wang et al. [1] presented a framework for describing this problem and suggested a set of cryptographically desirable properties for public auditing services. Hsien et al. [5] surveyed basic requirements and evaluation metrics to analyze security and efficiency of the public auditing system. According to Hsien et al, evaluation parameters for public auditing systems are classified into two categories: Security evaluation and Performance Evaluation. Parameters for security evaluation include block-less verification, batch auditing, dynamic data support, and privacy-preserving. Performance evaluation parameters are computing cost and Storage cost. Kollar et al. [6] summarized a state of different methodologies for cloud security audit and focused on research issues. Methodologies include message authentication code, homomorphic authenticators, BLS signatures, etc. Most of the auditing schemes based on these cryptographic primitives involve complex computations cost that increases verification time. There is a need to propose lightweight auditing schemes using modern cryptographic techniques. This paper concentrate on existing challenges to achieve lightweight auditing schemes using a modern cryptographic technique: Indistinguishability Obfuscation (IO). The organization of the remaining sections of this paper is as described below: Section 2 describes the general strategies or approaches used by researchers for integrity verification of cloud data. Section 3 discusses the architecture and design goals of public auditing system. Section 4 elaborates on pros and cons of different cryptographic techniques used for public auditing system. Section 5 discusses the use of modern cryptographic technique such as Indistinguishability Obfuscation (IO) for public auditing. Section 6 addresses the future research challenges to achieve lightweight PDP using IO for public auditing.

II. GENERAL STRATEGIES OF INTEGRITY VERIFICATION FOR CLOUD STORAGE
Liu and Chen [7] listed three approaches for information auditing: strategic-oriented, Process-oriented, and resource-oriented. The process-oriented approach focuses on activities the system takes to achieve expected outcomes. This approach provides sufficient evidence for both digital forensics and reputation estimation for CS. More practical strategies for cloud data integrity are as follows: A. SENTINEL EMBEDDING In this strategy, cloud user produces sentinels to secure its own data at CS. Generally, sentinels are One-Way Functions (OWF). Predefined number of sentinels are appended to the file. Cloud user can check the integrity of outsourced data by giving challenges to CS by checking the fixed number of sentinels. Since CS is not aware about the location of sentinels, it can't modify the data. Juels and Kaliski [8] proposed a new cryptographic building block based on sentinels known as Proof of Retrievability (PoR). But it faces the problem of a restricted number of challenges since the number of sentinels is predefined. To address this problem, Schaum and Waters [9] proposed a new Compact PoR construct which suggests private verifiability based on Pseudo-Random Functions (PRF) and public verifiability using short signature based on Boneh, Lynn, and Shacham (BLS). Most of the verification schemes proposed using PoR are based on public-key cryptosystem which increases the computational burden on users. Guan et al. [10] proposed symmetric-keybased PoR using modern cryptographic construct Indistinguishability Obfuscation. Li et al. [11] also proposed OPoR verification scheme for resource-constrained devices such as mobiles where heavy tag generation task is outsourced to cloud audit server to make the process lightweight.

B. RANDOM SAMPLING AUTHENTICATORS
Another way to check the integrity of remote data is based on authenticators. Authenticators are nothing but metadata of an outsourced file. Cloud user produces authenticators or tags before uploading a file on CS. User keeps some part of metadata related to the file at its end. With the help of this metadata, users can verify the integrity of outsourced data. Authenticators are generated using cryptographic algorithms such as RSA, ECC, etc. The algorithms used to calculate authenticators are playing major role in this strategy. Ateniese et al. [12] proposed Provable Data Possession (PDP) scheme based on random sampling authenticators.
This research paper concentrates on the PDP model. Ateneiese presented a framework for PDP as shown in Fig. 1. Before outsourcing the file F at an untrusted store, client C preprocesses the file and generates metadata m. Client stores m locally at its store and forward updated file F' to Server S. The server stores the file and replies to challenges generated by client. PDP scheme uses Homomorphic Verifiable Tags (HVT) to generate authenticators. The homomorphic property allows to calculate a single value for the tags generated on multiple file blocks. The client precomputes tags for each block of file and stores the file, the tags at the server. For verification, client generates a challenge for random blocks and server computes the proof of possession using challenged blocks and tags. The PDP scheme comprises four polynomial-time algorithms: KeyGen, TagBlock, GenProof and CheckProof. KeyGen, TagBlock, and CheckProof are executed at client side whereas GenProof is executed at server end.
KeyGen(1 k )→(pk, sk): Key generation algorithm that takes security parameter k as input and produces Secret key pair (pk, sk).
TagBlock (pk, sk, m)→ T m : Generates verification metadata using public key pk, secret key sk, and message m. Generates verification metadata T m .
GenProof (pk, F, chal, )→prf : Server generates proof prf based on challenge blocks. It takes as input public key pk, ordered collection of blocks F, a challenge chal, and verification metadata corresponding to ordered file blocks F. CheckProof(pk, sk, chal, prf)→{0,1}: Validates proof of possession using public key pk, secret key sk, challenge chal, and proof prf. Generates 1 if successful otherwise 0.

III. FRAMEWORK OF PUBLIC AUDITING FOR CLOUD STORAGE
Cloud computing provides two basic service models, computing and storage. To meet user demands, all cloud computing services need high-performance cloud storage. So, cloud storage is one of the important components of the cloud computing system. The data in cloud storage is shared and accessed by many users which may create security and privacy issues. Cloud Server (CS) is one of the semitrusted entities which can hide some unintentional failures and data errors to maintain their reputation. So, the user must have some way to check the integrity of his data stored on cloud storage. User can't download and check integrity due to resource constraints. So public auditing process is widely used where external entities can verify the integrity of outsourced data on behalf of cloud user without downloading the entire file. The cloud user delegates the task of integrity verification to external entity called Third Party Auditor (TPA). TPA with the help of cryptographic techniques can verify the integrity.

A. SYSTEM MODEL OF CLOUD STORAGE AUDITING
As mentioned in Wang et al. [13] work, the auditing process mainly consists of three components: Cloud User, Cloud Server (CS), and TPA as shown in Fig. 2.

1) CLOUD USERS
A Cloud user is an individual user or a group member who outsources large data files on CS. These users completely rely on cloud server storage for data maintenance and computation by Cloud Server Provider (CSP). It has vast storage space and computation infrastructure to maintain and satisfy the cloud user's needs.

2) THIRD-PARTY AUDITOR (TPA)
TPA is an external expert and having capability to check the correctness of cloud storage on behalf of cloud user either periodically or upon user's requests. TPA is a trusted but curious entity in auditing framework that may lead to privacy issues.

B. DESIGN GOALS
Wang et al. [14] stated design goals for public auditing system. Our extended design goals can be summarized as follows: VOLUME

A. PUBLIC VERIFICATION
As surveyed by Zhang et al. [15], a widely used cryptographic method to verify the integrity of data is Message Authentication Code (MAC). Generally, before outsourcing, Cloud user precomputes MAC of file F with secret keys and store locally. During auditing, a cloud user reveals a secret key to CS and asked for a fresh MAC for outsourced file F. Then it compares a fresh MAC with locally stored MAC to verify the integrity. This verification covers all the data blocks during auditing. The problem with this technique is the restricted number of verifications because of a limited number of secret keys. Another problem is if user updates the data, cloud user has to download the entire file, calculate a new MAC and outsource the file again which is usually impractical due to large communication overhead. Moreover, the major problem with MAC is that not possible to support public auditability as the private keys are involved during verification. Another solution is to use a signature instead of MAC for public auditing. Cloud user generates signature on file F before outsourcing. During auditing, requesting a signature for random number of blocks. Even though both the schemes assure integrity, these solutions only support static data. Communication overhead is increased during dynamic data auditing because of frequently modified MAC tags and signatures.

1) HOMOMORPHIC AUTHENTICATORS
To address the problem with MAC and signature for public verification, Atenese et al. [12] proposed two PDP schemes: S-PDP and E-PDP using Homomorphic Verifiable Tags (HVT) based on RSA. Homomorphic Authenticators are one type of metadata associated with each file block. These are unforgeable authenticators that can be aggregated securely. By verifying only aggregated authenticators, a verifier gets assurance that a sequential grouping of blocks is properly computed. By using this technique, before outsourcing the data cloud user needs additional information i.e. metadata encoded along with the data. To compute the metadata, a data file is partitioned into blocks m i (i = 1,. . . , n). Homomorphic authenticator σ i is computed on each block. These authenticators are metadata to ensure the integrity of the file. To ensure that data is intact at CS, the authenticators should be verified by the data owner or TPA. A challenge ch = {(i, v i )} for a set of arbitrarily chosen blocks is submitted to CS. v i can be arbitrary weights. Because of the feature of the homomorphic authenticators, the server only needs to calculate a reply based on a linear arrangement of the sampled data blocks µ = i v i m i and an aggregated authenticator The reply of µ and σ are checked by TPA. It gives assurance of data correctness on a huge portion of cloud data. The problem with Homogeneous Authenticators is that the linear combination of blocks may disclose some information to TPA. RSA-based Homomorphic Authenticators are used by many researchers to ensure the correctness of cloud storage Wang et al. [16] proposed a privacy-preserving public auditing scheme using Homomorphic Linear Authenticators (HLA) combined with random masking. Wang et al. [17] suggested Oruta public auditing scheme for shared data using HLA. Panda, a public auditing scheme with user revocation is proposed by Wang et al. [18]. Public auditing system using RSA based Homomorphic Authenticators consists of mainly 4 functions Key_Gen(), Sig_Gen(), Gen_Proof(), Verify_Proof().
• Key Generation Centre (KGC) compute C's private key S IDc & public key P IDc • A signing key pair (ssk, spk) is generated by C.

Sig_Gen(sk,F):
• An arbitrary element name for the file F is chosen by data owner C.
• A file label t = name||sig ssk (name) is computed with a signature on it.
• By taking an arbitrary element for each block of F, cloud user C generates the signature and transfers it to CS. Gen_Proof (F,spk): In the auditing protocol, TPA gets backs the label t and verifies it by using spk. The procedure is finished if the test fails.
• TPA put a random challenge chal = {(i, v i ) } i∈I . • After receiving random challenge chal, CS computes • CS randomly picks r ← Z p , computes R = e(u, v) r and γ = h(R) and send it to TPA, where h is any secure hash function.

Verify_Proof (µ, R):
• γ = h(R) is computed and then check m i . Gennaro and Wichs [19] proposed a new primitive called fully homomorphic authenticators, that generates short tags or authentication metadata. The generated tag is independent of the size of authenticated input to computation. Demirel et al. [20] summarized homomorphic message authentication codes (MACs) and homomorphic signatures used to construct privately and publicly verifiable computing schemes.

2) COMMITMENT SCHEMES
To generate proof in auditing systems, commitment schemes are widely used. It allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes [21] are designed so that a party cannot change the value or statement after they have committed to it. These schemes hide a value but ensure that it cannot be changed later e. g. sealed bid at an auction. There are two stages in these commitment schemes: Commit and Reveal. During commit stage, the sender electronically ''locks'' a message in a box and sends the box to the receiver. During reveal stage, sender proves to the receiver that a certain message is contained in the box. Every commitment scheme must possess the following properties:

a: COMMITMENT MUST BE HIDING
It states that at the end of the commit stage, no adversarial receiver learns information about the committed value. Commitment schemes are computationally hiding if a receiver has limited computational power and cannot learn anything about the committed message. Commitment schemes are unconditional hiding if receiver has unlimited computational power and the commitment phase does not leak any information about the committed message.

b: COMMITMENT MUST BE BIDING
It states that at the end of the reveal stage, there is only one value that an adversarial sender can successfully ''Reveal''. Commitment schemes are computationally binding if a receiver has limited computational power and cannot reveal two different values. Commitment schemes are unconditional binding if receiver has unlimited computational power and cannot reveal two different values.
Two widely used commitment schemes for cloud auditing are Pedersen Commitment and Vector Commitment.
Pedersen Commitment: Pedersen commitment [22] is a perfectly hiding and computationally binding scheme that uses three stages as follows: Setup: The Receiver selects • Large primes p and q in such a way that q divides p-1 • G is a generator of the order-q subgroup of Z * p • Random secret a from Z q • Calculate h = g a mod p -values p, q, g, and h are published publicly, a kept private.

Commit:
To commit to some x ∈ Z q , sender calculates C = g x h r mod p where r is a random value such that r∈ Z q . Sender sends this Commitment value C to the receiver. This is nothing but the same as g x (g a ) r mod p = g x+ar mod p Reveal: Sender exposes x and r to open the commitment, receiving party then validates that C = g x h r mod p Cuvelier et al. [23] used Pedersen commitment to generate the proof which is perfectly Zero-knowledge proof for verification of election ballot system. Cuvelier and Periera [24] proposed verifiable MPC with PPAT which uses Pedersen commitment with NIZK. This work is illustrated by three different test applications: Solving a system of linear equations, electronic auctions, and finding the shortest path in a graph.
Vector Commitment: Catalano and Fiore [25] proposed a vector commitment scheme, in which user commit to an ordered sequence of q values (i. e. vector) instead of a single message. This commitment is done in such a way that later it is possible to open that commitment based on the positions of the vectors. More specifically, the vector commitment scheme has to preserve binding in terms of position. It states that an adversary can't open a commitment to two different values at the same position. The size of the commitment string and the size of each opening is independent of the vector length. Vector commitment constructs satisfy the computational binding but is not crucial regarding hiding property. It contains six algorithms such as: VC.KeyGen, VC.Com, VC.Open, VC.Ver, VC.Update, VC.ProofUpdate. Thokcham and Saikia [26] used a vector commitment scheme along with ring signature to generate proof during public auditing of cloud storage. Jiang et al. [27] proposed public auditing scheme for shared dynamic data with group user revocation using vector commitment and verifier-local revocation group signature. VOLUME 10, 2022 B. DYNAMIC DATA SUPPORT Cloud users store as well as share documents with multiple users. Dropbox and Google Docs are the best examples to provide such services to cloud users. Once a file is uploaded and shared, multiple users can insert, delete or modify the contents of the shared file. To handle these updates during public auditing, different cryptographic constructs that can support dynamic operations are discussed next.

1) MERKLE HASH TREE (MHT)
In cloud storage system, data owners may update data dynamically at any time. Block-level functions such as block alteration, block addition, and block removal are performed to maintain dynamic updates. But for auditing purposes, this is the most critical task in cloud data storage system. The homomorphic authenticator scheme uses the index information to calculate the authenticators for each block. Because of this index information, CS is prevented from using the same authenticator for another block to achieve the verification evidence. So, any update such as insertion or deletion operation will modify the indices of all the blocks. This modification leads to the recalculation of all equivalent authenticators.
MHT is a well-defined authentication structure in cryptography. The purpose of MHT is to efficiently prove that a set of elements are unaltered. MHT is a binary tree where the leaves are the hash values of authentic data values.
The Merkle Hash Tree (MHT) [28] as shown in Fig. 4 is used to achieve data dynamics during auditing. The leaves of the MHT are considered as the file blocks m i . A publicly certified root value R and the Auxiliary Authentication Information (AAI) of every leaf is used to verify the block m. For the path joining from the leaf to the root, AAI includes all the siblings of the nodes. Suppose verifier received verification request for {x 2 , x 7 } with authentic h r . The prover specifies the verifier with AAI < h (x 1 ), h d > and < h (x 8 ), h e > respectively for x 2 and x 7 . The verifier verifies by computing Here || is a concatenation operation. Check if the calculated h r is the same as authentic h r . Auditing schemes proposed in [14], [16], [29] utilized MHT during auditing to support dynamic updates on outsourced data.
Index Hash Table (IHT) is used by Oruta [17] and Panda [18] to support dynamic updates on shared data. In MHT, when a user modifies a single block in shared data, the indices of all blocks after the modified block are completely changed. Cloud user has to re-calculate the block tags after every modification. To avoid this recalculation, Zhu et al. [30] proposed IHT for dynamic updates with auditing. IHT stores the modifications on file blocks as well as generate the hash value for each block. The structure of IHT is similar to File Allocation Table (FAT) in operating system. It stores a serial number, block number, version number, random number, etc. A random number is a unique identifier for each block. Even-though, IHT increases complexity but it gives assurance regarding the behavior of untrusted CS. The problem with IHT is that because of singledimensional sequence structure, insertion and deletion operations are inefficient since it involves adjustment of average N/2 number of blocks. Again, during addition and deletion operation, the block numbers of some blocks are implicitly modified which creates unnecessary computational overhead. To overcome these issues, Tian et al. [31] proposed a modified two-dimensional data structure called Dynamic Hash Table (DHT) which consists of basically two elements: file element and block element. Each file is organized using a linked list with the corresponding file element as the header node. Because of the linked list, DHT minimizes the computation overhead during insertion and deletion operations.

2) RANK BASED MERKLE TREE (RBMT)
MHT supports dynamic updates but introduces some additional information for each tree node, such as status value and height value that leads to increased storage cost. The maintenance cost of MHT is also increased during updates since it has to update two values: status and height for each affected node. RBMT as shown in Fig. 5 is formed by utilizing MHT storage data structure and some parameters in node information [32].  where r lchild and r rchild are the rank values of the left and right nodes respectively.

C. PRIVACY-PRESERVING USER GROUP SUPPORT
As mentioned in [17], group users are normally of two types: original user and group user. Most of the time, organizations consist of multiple departments. Generally, employees from individual departments work in a group on documents shared between them. Cloud storage provides group services where the original user shares a document to multiple group members based on access policies. Original user delegates the verification task to TPA. TPA is one of the trusted but curious entities in auditing systems that can infer some information as well as the identity of user during auditing and can harm privacy. There are two types of user groups: static and dynamic. Static groups are predefined before sharing the data on cloud and the membership of users is not changed during data sharing. Whereas, in dynamic groups, a new user can be added and an existing user can be removed from the group at any time.

1) GROUP SIGNATURE
In group signature, a central entity called group manager is involved [33]. Group manager is responsible for the formation of group, addition of members, and revocation of members in a group. Initially, group manager selects its own private key and public parameters for group consisting of the public key of group. Using his own private key, group manager provides certificates to each member. These certificates consist of secret keys of each member. Using this secret key, the user can sign any arbitrary messages and any verifier can verify the authenticity of user using public group key. Thus, the group signature proves that the signer belongs to the group. Prearranged groups, separate procedures for user insertion and revocation, and a common symmetric key among group users are major problems with group signature. To create a confidential network among group members, Group Key Agreement (GKA) protocol is used. Rather than a common symmetric key among group members, Wu et. al [34] proposed Asymmetric Group Key Agreement (ASGKA) protocol in which the public key can be used to validate signature as well as encrypt messages. Any signature can be used to decrypt ciphertext under this public key.

2) RING SIGNATURE
Rivest et al. [35] formalized a notion of a ring signature scheme for a group. This scheme comprises only users. There is no centralized entity such as a manager or data owner. This scheme is mainly suitable when the group members do not wish to participate or collaborate in generating the signature. With this scheme, there are no prearranged groups, no procedures for altering, deleting groups, no means to issue specific keys among members, and no way to revoke the anonymity of genuine signers until the signer's wish. These features make this scheme very useful for generating proofs in auditing system where groups are involved. Boneh et al. [36] proposed a security model for aggregate signature that aggregates the signatures of n distinct users into a single short signature. This single short signature proves to the verifier that the signature on the original message is indeed calculated by n users. These aggregated signatures greatly help the public auditing system to verify the integrity of outsourced data where user groups are involved. All such signature scheme mostly needs certificates to be stored and process during verification. It led to increased time and computation costs. To address this complex certificate management and the key-escrow problem of ID-PKC, Choi et al. [37] proposed a secure certificate-less short signature scheme in a random oracle. Zheng et al. [38] proposed a general construction of linkable group signature to achieve anonymity, auditing, and tracing. Kumawat and Paul [39] proposed an accountable ring signature with constant size and based on Indistinguishability Obfuscation or OWF. Schlage and Schwenk [40] presented a CDH-based ring signature scheme that is anonymous and unforgeable under Computational Diffie-Hellman (CDH) assumption in bilinear group. This scheme is also space-efficient. It comprises two algorithms: Ring_sign and Ring_verify.

a: RING-SIGN
This algorithm takes as input given message M . For a size of ring n, each group member chooses a secret key Sk = x i which belongs to Z p and public key Pk = g x i .
• Signer t will choose random r i ∈ Z p for all other members of the group and generates s i = g r i . Signer t again computes signature on behalf of the group In (1), signer t computes a signature s t using his private key X t with different parameters such as public keys of n group members PK, the global parameter In (2), using public keys PK, signature (s 1 , s 2 . . . ..s n+1 ), and received message M , recomputes n i=1 e(s i ,Pk i ). e(s n+1 , u 0 l j=1 u m j j ). This recomputed part is verified using global parameters d and g.

D. COMPARATIVE ANALYSIS OF AUDITING FUNCTIONALITIES
Based on the above cryptographic techniques, multiple researchers have proposed public auditing schemes for cloud storage to verify the integrity of outsourced data. Table 1 shows the survey of different auditing functionalities proposed by different researchers.
Many researchers have proposed public auditing schemes using homomorphic authenticators, Elliptical curve cryptography for integrity verification. To support dynamic data auditing, MHT is one of the dominating authentications structures in auditing system. To support batch auditing, it is necessary to aggregate the signatures so that TPA can perform multiple auditing tasks simultaneously. Bilinear aggregate signature and its variants are utilized in auditing system by multiple researchers. Shared data means group user support is achieved by ring signature and its variants because of its anonymity. Most of the auditing schemes proposed a combination of HLA and ring signature to maintain user and data privacy from TPA during the auditing process. Chakraborty et al. [29] proposed public auditing using elliptical curve cryptography. Another cryptography technique known as ID-based cryptography is recently used by [43]- [45]. Key Generation Centre (KGC) is involved in an ID-based auditing system that generates key parameters for cloud user based on their attributes. As we observed, many researchers have proposed public auditing schemes using homomorphic authenticators, dynamic data support using MHT, etc. Homomorphic authenticators are costly in terms of computation since it involves multiple exponentiations, pairing, and multiplication operations.
These techniques increase the auditing time and computation cost.
As per the survey, there is a need to propose lightweight auditing schemes with modern cryptographic techniques. Many new cryptographic primitives such as signcryption, program obfuscation, and structure-preserving cryptography has powerful functionalities which previously not used by researchers. These can provide cloud users good and rich cloud services. Indistinguishability Obfuscation (IO) is a modern cryptographic technique currently used by many researchers. Using IO, even we obfuscate two programs with unique functionality, they are still computationally not distinct from each other. IO can be used with OWF to construct multiple essential building blocks such as public-key Encryption, ID-based encryption, as well as Chosen-Ciphertext Secure Public Key Encryption, and NIZKs. Zhang et al. [46] proposed public auditing using IO. Fig. 6 shows the auditing time comparison between schemes that uses HVT and IO. Fig. 6 a) shows the auditing time using HVT whereas Fig. 6 b) shows the verification time using IO technique. For the block size of 200 KB, the auditing time in Oruta and DHT-PA using HVT is nearer to 2.1 seconds and 1.5 seconds respectively. Whereas it is 0.3 seconds using IO. Fig. 6 shows that the auditing time using HVT is more as compared to IO Technique.

V. LIGHTWEIGHT PDP USING IO
This section describes the latest state of PDP using IO. We are trying to elaborate on the basic functionality of IO and its applicability to achieve different goals of public auditing.

A. . WHAT IS INDISTINGUISHABILITY OBFUSCATION (IO)?
The concept of obfuscation was first proposed by Barak et. al. [47]. According to this work, program obfuscation is a technique that creates computer programs ''unintelligible'' but still maintains their functionality. They proposed two methods for IO: Virtual Black-Box Obfuscation (VBO) and Indistinguishability Obfuscation (IO). VBO is similar to a black box instantiating the program. Although it has several applications in cryptography such as converting normal private-key encryption to public-key encryption, authors showed that VBO is not possible to achieve. So, they have proposed another concept Indistinguishability Obfuscation (IO) which obfuscates any two different (same size) functions that implement unique functionalities, that are still computationally differentiable with respect to each other. Garg et al. [48] suggested the first candidate construction of IO for general circuits. IO can be defined as below: Assume {C l } is a circuit class with security parameters l. A uniform PPT algorithm iO having input l, circuit C ∈ {C l } and outputs a circuit C is called indistinguishable obfuscator if the following conditions are fulfilled: 1. For all security parameters l, Circuit C, and input x, we have probability as: Equation (3) satisfies the completeness property of IO. It states that circuit C must behave exactly the same as circuit C if C is generated by an independent invocation of iO on C.
Equation (4) satisfies the indistinguishability property of IO. It states that the secrets embedded in the obfuscated program cannot be extracted by D. How to obfuscate the program is a major issue. The idea is to puncture the program (which is to be obfuscated). The concept states that we have to separate a key part of the program in such a manner that the functionality of the program still has to remains the same. And since we remove a key element, attacker can't win the security game. Suppose we want to transform a natural private key encryption scheme into a public-key encryption scheme by process of obfuscation. Consider a simple private-key encryption scheme: Assume that the key K is a secret key of a pseudo-random function (PRF), r is a random string. We can represent PRF as PR = PRF (K, r). For private-key encryption scheme, using a random string r, encrypt the message m and generate the encoded text C = (r, PR ⊕ m).
How to convert this private-key encryption scheme into a public-key encryption scheme using IO? Concerning to security point of view, the attacker should not be capable to regain message m * , if given the challenge ciphertext C * = (r * , e * ), encoding certain message m * . To achieve this, consider a flawed solution as follow: Let's assume that obfuscated version of encryption function as a public key. So obfuscated encryption function becomes: f k (r, m) = (r, PR ⊕ m). So, we have to develop the function f k using a ''Punctured'' PRF key such that it properly defines the PRF at all other random strings than r, but not going to reveal any information about PRF (K, r * ). Then attacker can't crack the security of challenge cipher-text even though he is aware of this punctured PRF confidential key. It means we have to substitute the original function f k (r, m) = (r, PR ⊕ m) using obfuscation of punctured function in such a way that it is not differentiable VOLUME 10, 2022 to the attacker. Still, there is a trivial attack possible on this solution. The attacker simply feed input (r * , 0) to the obfuscated program and accordingly determine PRF (K,r * ) and regain m * from the challenge cipher text. So, the idea is to search for an alternative to ''shift'' the puncturing to a place that is not at all retrieved by the program functionally.
Using a Pseudo-Random Generator (PRG) which associates λ bits to λ bits, where 2λ is a security parameter, we can tackle this issue. We can rewrite the new PRF using PRG as N_PRF = (k, PRG(r)). So, revised private-key encryption function is, f k (r, m) = (PRG(r), N_PRF ⊕ m). Because of the keyless nature of PRG, the attacker can't differentiate the original security game in which the challenge cipher text was generated.
According to Moran and Rosen [49], IO is one of the weaker primitives than VBO. Therefore, it is not possible to construct different cryptographic constructs using only IO. Sahai and Waters [50] have shown how to create basic cryptographic primitives such as: Public-key cryptosystem, short signature, NIZK, etc. from IO and One-Way Function (OWF). Here we elaborate implementation of publickey cryptography using IO. IO implies witness encryption. Witness encryption and OWF imply public-key encryption. This chain of implication results in a public-key encryption scheme where ciphertexts are themselves obfuscated programs. A pseudo-Random generator (PRG) is an OWF used for implementation. This scheme mainly contains three procedures: Setup, Encrypt, and Decrypt. Assume PRG be a pseudo-random generator that maps {0, 1} λ to {0, 1} 2λ . Let F be a puncturable PRF that contains an input of λ bits and outputs a single bit.
• Setup: This algorithm chooses puncturable PRF key k for F and generates an obfuscated program for PKE Encrypt function as below.
The obfuscated program PKE Encrypt * is as below. The public key PK is the obfuscated program and secret key SK is k. Mahmoody et al. [51] prove some lower bounds on assumptions that imply IO in a black-box way based on the computational assumption of P = NP. Holmgren and Lombardi [52] formulated a exponentially secured OWF and constructed collision-resistant hash families.

B. PUBLIC AUDITING OF CLOUD STORAGE USING IO
Most of the auditing schemes are based on homomorphic authenticators which involve multiple computations. Guan et al. [10] explored IO to construct a lightweight PoR scheme for public verification and symmetric-key primitives for encryption. This scheme has proved better performance for low-power devices users. It also supports dynamic updates. Some researchers used IO for PDP also. Boneh et al. [53] proposed a secure system for a service provider who has created a service and desires to outsource the execution on an untrusted cloud. Malicious cloud may try to infer information from the input-output messages that create harm to privacy of the users who use that service. The scheme allows service users to simultaneously authenticate and securely communicate with an obfuscated program while hiding this authentication and communication from the untrusted cloud.
Many schemes use semi-trusted proxy to convert encrypted messages of client into a ciphertext of the receiver. But in a real scenario, these proxies are not trustworthy and reliable. Consider the situation where client outsourced his encrypted large data on the cloud. To share this data with the receiver, he has to share his transform key with the proxy. Then proxy converts encrypted data into a re-encrypted ciphertext that can be decrypted using the receiver's secret key. However, proxy may use faulty implementation of the re-encryption algorithm or returning a random result to save computation time. To address this issue, Liu et al. [54] proposed a novel generic scheme for verifiable proxy re-encryption using IO. Sun et al. [55], [56] proposed public data integrity verification scheme based on IO that relieves the user from computation cost to calculate authenticators without splitting the data files into blocks. The privacy of user data will be maintained because of data breaches from TPA. Here we elaborate Zhang et al. [46] work in detail which proposed a lightweight public auditing scheme using IO with one-way function MAC for cloud storage. This scheme reduces the computation overhead at the auditor side just by calculating the MAC tag computations. TPA only needs to verify the validity of the MAC tag to check the integrity of outsourced data. The scheme achieves data privacy against the external auditor and resistance against external adversaries. Although IO construction requires a huge overhead for obfuscation, using this scheme it's only one-time cost/computation on user side. The scheme also extended to support dynamic updates using MHT. TPA can perform multiple verification tasks efficiently using batch auditing. The scheme consists of five algorithms: Setup, Store, Audit, Prove and Verify.
Setup: Let G and G T are two multiplicative groups produced by g with order p comprises bilinear map e: G × G → G T . Data owner D selects a signing key pair (ssk, spk), α, v where α → Z p and v = g α ∈ G. D chooses s random elements u 1 , u 2 . . . ..u s and determines pseudorandom permutation and function key π key ( ) and f key ( ) respectively. The secret and public parameters are sk = (α, ssk) and pk = (v, spk, u 1 , u 2 . . . ..u s ).
Store: Data owner transforms the data file F into blocks n and each block is again split into s sectors F = {f i,j } 1≤i≤n,1≤j≤s . D computes file tag as τ = name|| n||u 1 ,u 2 . . . ..u s ||sig ssk (name||n||u 1 ,u 2 . . . ..u s ) based on randomly selected names. Also computes tag for each data block as: where H() is any secure hash function. [1, n ] , τ } on cloud.
Audit: During this phase, D selects a MAC key k and shares it to TPA using a secure channel. D also generates a circuit Audit K as described below.
Uniform PPT algorithm iO takes security parameters, audit circuit Audit k and computes public parameter P as P = iO (Audit K ). TPA produces a challenge message using data blocks to be audited. Generates {k 1 , k 2 } which are keys for pseudorandom permutation and function respectively. TPA send these keys to CS. Output ⊥ Prove: Using {k 1 , k 2 }, CS computes i = πk 1 (ξ ) and v i = fk 2 (ξ ) where ξ ∈ [1, c] and c is the size of I (Input blocks to be audited). Based on public parameters and corresponding τ , f i,j , σ i ,c CS computes σ = i∈I σ v i i , µ j = i∈I v i f ij and Prf = P τ , {(i, v i ), µ j } i∈I , σ , {v, spk}). CS send this Prf to TPA for verification phase.
Verify: To verify the correctness of data, TPA computes πk 1 (ξ ) and v i = fk 2 (ξ ) and verify whether If equal, verification is successful otherwise verification fails.
Zhang et al. [46] scheme focused only on some of the design goals of PDP such as public verification, dynamic data updates and batch verification. Many existing PDP scheme using IO not addresses many security goals such as user group support, revocation of users, collusion resistance, privacypreserving etc. There are many MPC applications in real life such as e-voting, e-auction etc. where computations are performed by third party or worker. In such systems, many times clients are interested to verify the integrity of his submitted input. PDP is generally used to develop such verifiable MPC applications. IO can be used to minimize the computation as well as verification time in such systems. Next part surveys existing work and challenges to use IO in such multi-party applications as well as different goals to achieve in PDP.

1) VERIFIABLE MULTI-PARTY COMPUTATION USING IO
MPC is a technique in which several parties share their secret input without revealing anything to each other. The required function is calculated on shared input and the result of computation is shared to all the parties. MPC is having multiple applications in real life. Suppose two millionaires want to know which of them has more money without revealing exactly how much money they have. SMC [57], [58] is a computationally efficient technique that enables a client to outsource computation to external parties or cloud providers, convincing that the client's sensitive or shared information is not misused even if some parties are corrupted or cannot be completely trusted. In most practical cases of secure multiparty computation such as auctions, e-voting, benchmarking services, or cloud services in general, computations are performed by assigning all the sensitive inputs to a trusted third party or worker. A worker is responsible for computation and distribution of the result to all users. The basic overview of secret sharing MPC is as follows: • Initially, all parties share their secret inputs i.e. input x is shared so that x i = n j=1 x i j and party P j holds x i j where n is the number of parties.
• The parties carry out addition and multiplication on these shared values. Parties may communicate certain values by doing computation at local sites. The result of an operation is revealed to all the parties.
• At the end, the parties 'Open' the result of computation. This stage comprises each party sharing their 'final' share with each other (verifies that no errors were hosted by the attacker during this communication).
Gennaro et al. [59] introduced the formalization of ''Verifiable Computation'' that enable weak clients to outsource computation of function F on various dynamically chosen inputs x 1 , x 2 . . . ..x n to external party such as worker. The worker then returns the result of computation as well as proof that was carried out correctly on given value x i . Here users and worker are doing the interaction among themselves in many rounds to complete the process of MPC protocol. The main focus of researchers is to minimize these rounds of interactions and communication complexity to complete the MPC task. The trust in SMC is one of the major problems which encompass two main issues: the integrity of the computation, and the secrecy of the inputs. To verify the correctness of computation, most of the researchers have given approaches using cryptographic primitives. One such approach proposed by Baum et al. [60] is an efficient MPC scheme with public verifiability. They have come up with a publicly verifiable, secure computation scheme. The scheme offers an improved version of the SPDZ (pronounced ''Speedz'') protocol. In this protocol, even though every party involved is dishonest, someone can verify the correctness of the result. Garg et al. [61] focus to minimize the communication complexity in terms of the number of rounds minimized to two. They also obtain Universally Composable (UC) security with abort against static malicious adversaries and fairness if there is an honest majority. They come up with a technical tool two-round MPC from IO. He and Wang [57] discussed applications of secure MPC in computational geometric problems. Cuvelier and Pereira [24] present verifiable Multiparty computation with Perfectly Private Audit Trail [PPAT] for MPC using Pedersen commitment scheme. This scheme is single-phase: the users share their inputs asynchronously, and afterward, all parties can collect the result. They presented three distinct applications: resolving a system of linear equations, an auction system, and the exploration of the shortest path in a shared graph. This protocol uses non-interactive zero-knowledge (NIZK) proof to check the correctness of the result. In this scheme, the time required for verification is increasing as the number of users are increased. Table 2 shows the computation and verification cost of PPAT. Because of these operations, verification time for auction application in PPAT scheme at the client is increased as shown in Table 3.
Online auction is a popular example to be explored in terms of computationally efficient and secure multiparty computations. In 1999, Cachin [62] proposed a novel and efficient private bidding and auction scheme using a combination of homomorphic encryption with φ-hiding assumption. Cuvelier and Pereira [24] also presented PPAT scheme for electronic auction. Galal and Youssef [63] proposed solution for a verifiable online auction with blockchain using Ethereum. The comparative study of auditing features for verifiable MPC is shown in Table 4.
As we can observe from Table 4, Cuvelier and Pereira [24] and Baum et al. [61] has proposed public verification for SMC. But both the schemes are based on homomorphic encryption and NIZK. Cuvelier and Pereira [24] suggested verifiable MPC using any commitment scheme and NIZK. NIZK verifies the proof by comparing multiple proof relations which involve scalar multiplication and Group operations.

2) COLLUSION RESISTANT PUBLIC AUDITING USING IO
Security threats can be classified as internal and external threats. Many organizations concentrate only on external threats because of confidence that internal threats can be monitored by organization policies and access rights. Hence, they concentrate on an unfamiliar outsider who can get unauthorized access to their information. Although one entity can't get unauthorized access, dishonest internal and external   participants may collaborate and launch a collusion attack to get sensitive data. Public auditing for cloud storage system comprises Cloud users, CS, and TPA. For the efficient processing of the auditing system, many auditing schemes assume all these entities to be honest and fully trusted. But in practice, some of these entities may be dishonest and can collude with each other to generate a collusion attack.
In most auditing techniques, TPA is assumed to be expert, reliable, and having capability to validate the outsourced data on behalf of cloud users. But in real life, certain TPAs are honest but curious. They may collude with CS to pass the verification of some corrupted events. Huang et al. [64] studied the problem or situations where certain TPAs are semi-trusted or malicious. They proposed a feedback-based audit scheme where no need for users to interact with CS and can check the integrity of outsourced data by themselves instead of TPA. TPA generates the feedback loop through processing the proof from CSP and returns it to user which is yet unforgeable to TPA and checked exclusively by user.
In certain situations, during partial and total file loss, CS is one entity that is not trusted. CS may try to deceive users by manipulating verification tags and proving to possess correct files. CS may delete less frequently accessed user data to create space for new data. To manipulate this event, CS may collude with TPA to pass the verification and deceive the user. Chow et al. [65] proposed Server-Aided Verification (SAV) scheme based on pairing-based signatures. In business processes, a substantial part of verification computations is outsourced to untrusted servers which allow resource-constrained devices to enjoy security guarantees. To gain an unfair advantage, an adversary may collude with an untrusted server to complete his task. The authors proposed a generic pairing-based SAV protocol to address this issue. Su et al. [66] proposed map-based dynamic data integrity verification and recovery scheme that can prevent multiple cloud servers from colluding to fabricate consistent signatures. Huang et al. [67] addressed the trust problem between data owners and CS by collaborative auditing blockchain framework for cloud storage. Researchers in [68], [69] also addressed collusion resistance for cloud storage.
Cloud users many times create groups and share the contents with each other. Revoked users from a group may collude with CS or TPA to get unauthorized access of sensitive information. To avoid collusion due to revoked users, it is necessary to re-sign the blocks signed by the revoked user previously or regularly update the valid user list to CS or TPA so that they can differentiate between valid and revoked user.
Cloud users many times create groups and share the contents with each other. Revoked users from group may collude with CS or TPA to get unauthorized access to sensitive information. To avoid collusion due to revoked user, it is necessary to re-sign the blocks signed by the revoked user previously or regularly update the valid user list to CS or TPA so that they can differentiate between valid and revoked user. Wang et al. [18] proposed a user revocation scheme where CS has to re-sign the blocks of a revoked user using proxy resignature. This method avoids the unnecessary computational burden of an existing user to re-sign the blocks of revoked user. Group signature is a cryptographic technique in which any group member can sign the data but the identity of the signer is anonymous in generated signature. To create a confidential network among group members, Group Key Agreement (GKA) protocol is used. Rather than a common symmetric key among group members, Wu et al. [34] proposed Asymmetric Group Key Agreement (ASGKA) protocol in which the public key can be used to validate signature as well as encrypt messages while any signature can be used to decrypt ciphertext under this public key. AS in Wang et al. scheme, if CS received the secret key of revoked user, it may convert data m to m' by colluding with revoked user. During revocation, this m' will become valid data. To address this situation, Jiang et al. [27] proposed a group user revocation scheme in which the data owner is involved during revocation. Revocation uses ASGKA that negotiates a shared secret key instead of a common secret key. Kumar and Parthiban [70] presented a technique to overthrow collusion attack in auditing mechanism utilizing vector commitment and verifier local abrogation group signature. Luo et al. [71] presented collusion-resistant auditing using Shamir secret sharing. Scheme allows the group together with proxies and cloud to convert the signatures from revoked users into ones from the existing users after their revocation. To overcome the overhead of computation, Hequn et al. [85] utilized backup files for resigning after user has revoked. In this scheme, they store original as well as backup files on cloud during upload. When user is revoked, the existing user will resign on the backup file instead of the original. So revoked users do not have to share their security credentials with cloud. The lazy revocation model is used by Tian et al. [72] for revocation to avoid collusion. The idea is that during user revocation, other than block tag generations, all cryptographic information to protect the block needs to be done. Tag regeneration of related blocks is postponed after the signature conversion of revoked user. Rabaninejad et al. [73] proposed CORPA, collusion resistant auditing service using a proxy re-signature scheme which is based on Homomorphic Authenticable Signature HAS uni . In some schemes, instead of CS, existing user re-sign the blocks of revoked user. In this scenario, CS may collude with revoked user and get the secret key of the existing user. To address such collusion attack, Mara et al. [74] introduce CRUPA: Collusion Resistant User Revocable Public Auditing by the concept of regression. To secure the secret key of an existing user from CS, information proprietor is used to re-compute the Re-sign key using regression and send it to CS. CS further re-signs the blocks of revoked user using Resign key. Most of the time, there is large number of blocks are signed and outsourced on CS by revoked user. To resign all this vast information, create additional computational generation and a new private key update technique. By this strategy, revocation is realized by overhead on resigning entities (either CS or Existing user). Zhang et al. [75] explored a strategy for key updating the private keys of non-revoked members rather than authenticators of revoked users. Auditing is based on identity-based cryptography. Thokcham and Saikia [26] proposed collusion resistant auditing using CDH based Ring Signature scheme. Collusion between revoked user and CS is avoided through data owner by regularly updating valid members list to CS and TPA after each user revocation. Comparison between different auditing schemes with functionalities such as dynamic data support, user revocation, collusion attack resistance, etc. is shown in Table 5.   From Table 5, Zhang et al. [46] is one lightweight auditing scheme using IO. This scheme identified collusion attack between malicious auditor and cloud server but has not given any solution for this. Also, it doesn't support user groups. Thokcham and Saikia [26] proposed collusion handling between revoked user and cloud server with integrity verification. This scheme uses vector commitment for integrity verification which increases computation cost as well as verification time because of bilinear pairing. Table 6 shows the communication overhead for different schemes. As we can observe from Table 6, Wang et al. and Thokcham scheme need multiple computations such as multiplication, exponentiation, pairing, and hashing that lead to an increase in the cost of communication overhead on TPA as well as cloud user. Compare to these two schemes, Zhang et al. scheme need to perform only hash operations for auditing that naturally decrease the communication overhead. Fig. 7 shows the performance of verification time for Wang and Thokcham Scheme. As we observed from the graph, if number of users are increased, the verification time is also increasing by these schemes. So, there is a need to propose collusion resistant public auditing scheme that reduces computational overhead during revocation and is also independent of the number of group users.

3) LIGHTWEIGHT AND PRIVACY_PRESERVING PUBLIC AUDITING USING IO
In auditing model, TPA is one of the trusted entities but still curious and may compromise data and user privacy. During auditing, TPA may infer user information who has signed the blocks. Wang et al. [76] proposed Knox: privacypreserving auditing mechanism using group signature to construct homomorphic authenticators. The scheme uses MAC to reduce storage space of verification information. Auditing time is independent of group users. But the time required is high in this scheme. Wang et al. [16] achieved privacy from TPA by integrating homomorphic authenticators with a random masking technique. The linear combination of sampled blocks is masked with randomness in the server's response so that TPA is not able to build up a correct group of linear equations and cannot infer user's data contents. Yang et al. [77] proposed privacy-preserving cloud auditing scheme for multiple users with authorization and Traceability. Yang et al. [78] proposed another framework to achieve identity privacy as well as traceability and formalized public auditing using group signature. This scheme uses a group manager to construct authenticators and generate two lists that record the member list who perform latest modification on each block. Thokcham   CDH based ring signature scheme to attain group user privacy from TPA during auditing. The communication cost in certificate-based signatures is increasing due to handling of certificates. Some researchers [77], [79], [80] proposed privacy-preserving certificate-less auditing for cloud storage. Results show a great reduction in auditing time. Blockchainbased Privacy-preserving public auditing is proposed by some researchers [81], [82] that attain increased security levels.
In most of these schemes, cloud user and TPA are actively involved during verification phase. This may create an additional burden either on cloud users or on TPA. Tu et al. [83] proposed user-focus auditing which tries to reduce the overhead of user by pre-generating challenges for TPA before auditing. Guo et al. [84] proposed the ODPDP scheme which relieves user's verification overhead by migrating frequent auditing tasks to TPA. In this scheme, a contract takes place between user and TPA regarding the frequency of verification tasks. TPA generates challenges based on this contract. After each verification, a log file is generated at TPA which contains an audit data log. There is no need for a user to be available during verification, as per his convenience he can check the audit log.Jayaraman and Mohammed [86] also proposed Secure Privacy Conserving PDP (SPC-PDP) model for healthcare system. Based on literature survey, it is observed that ODPDP scheme reduces user overhead but increases the burden on TPA in terms of computation. It uses HVT for integrity verification and RBMT to support dynamic data. The computation cost of TPA in ODPDP during auditing is (l+s+1)Exp G + 2Pair. Where l is the number of challenged blocks, s denotes number of sectors per block, Exp G is exponentiation operation on group G and Pair is pairing operation. Compare to ODPDP scheme, Zhang et al. [20] scheme create less burden on TPA during auditing i.e. 2 Hash Zp where Hash is hashing operation on Z p . It means TPA has to compute only 2 hash functions for verification. ODPDP scheme not proposing any solution for identity privacy. The comparison of different auditing schemes concerning privacy-preserving is shown in Table 7.
Zhang et al. [89] shows that Privacy-Preserving public auditing protocol proposed by Liu et al. [90] for regeneratingcode-based cloud storage is not secure since the proxy delegated by data owner can forge authenticators for any data block. Li et al. [91] commented on data auditing system called P-ATHAT proposed by Sun et al. [92]. P-ATHAT consists of two schemes: Tree-based private auditing: User need to download the entire data to audit the data integrity.
Tree-based public auditing: No need to download entire data and learning the data contents.
This letter claimed that P-ATHAT scheme is vulnerable to an adversarial CS i.e. if a data block m i is arbitrarily modified to m i , the CS is able to forge a valid tag tag i , for m i to pass the TPA's auditing. To avoid this, author also suggested that proof information should be blinded to avoid above vulnerability. Prakash et al. [95] proposed a multisector public auditing that uses the data blocks masking to preserve privacy from TPA. This scheme is based on homomorphic authenticators. To handle user groups, most of the auditing schemes uses group and ring signature techniques that suffers from large tag size resulting in increased communication and verification cost as well as storage space. Yan et al. [96] proposed certificateless PDP in a workgroup that preserves privacy with respect to data uploader as well as group user. This scheme experience reduction in verification time but cost of tag generation is linearly increasing with number of tags. For 300 tags, the cost of tag generation is 3000ms while for 300 challenged blocks, verification time if 1500 ms. Researchers in [97] and [98] proposed privacy-preserving certificateless cloud auditing with group user support. The tag of each message in these schemes is only one element i.e. |G 1 |. Yan and Gui [99] also proposed an identity-based public auditing scheme with user privacy-preserving. This scheme ensures the relationship of data and data uploader in the proof generation phase instead of integrity auditing phase. It will reduce the overhead on TPA and also maintain privacy from TPA. The tag size in this scheme is again one VOLUME 10, 2022 group element |G 1 |. The tag generation time in this scheme is reduced because of compact tag size. For 300 blocks, tag generation time is 4.2 ms.

4) OTHER AREAS OF PUBLIC AUDITING USING IO
Cloud storage services are utilized in many fields to outsource data. CS and cloud users face multiple challenges because of this paradigm. Handling duplicate data on cloud storage is a major concern for CS. Multiple researchers have given solutions for cloud de-duplication. Liu at al. [102] proposed ''one-tag checker'' integrity auditing scheme using Convergent Encryption (CE) to avoid redundancy. Tag deduplication is avoided using message derived private key. Integrity auditing is achieved using HA and proxy-resignature scheme. Gao et al. [103] proposed low-entropy cloud data auditing scheme for file and authenticator deduplication that also utilizes a random-message locked key to compute authenticators. If we compare these schemes the proof generation time is linearly increasing as the number of blocks are increased. Gao et al. [103] also proposed cloud data auditing scheme with file and authenticator deduplication that achieve lowentropy.IO can be used with this scheme to share re-key in audit circuit so that malicious CS not deduce it.
To achieve a lightweight PDP, Gao et al. [104] proposed ''checking only when it is necessary'' auditing scheme with encrypted keyword for sensitive information. Based on label Relation Authentication Label (RAL), scheme generates the auditing proof as well as authenticate the relation that file contains the queries keyword.
Key-exposure is one of the serious problem reported in cloud paradigm. The secret key might be exposed due to weak security settings at client side. Once malicious CS received such keys for auditing, it can hide data lost incidents by forging fake authenticators. Yu et al. [105] proposed keyexposure resilient auditing for cloud storage. Using IO during auditing, normally keys we can share through audit circuit that data owner obfuscate and executed by CS to generate the proof. IO based auditing can give solution for such Keyexposure problem.

VI. NEW CHALLENGES AND RECOMMENDATIONS
PDP is one of the matured and widely used model for integrity verification of cloud storage. But most of the techniques used with PDP are based on cryptographic techniques. Homomorphic authenticator is one of the dominating techniques used by many researchers. But this scheme increases the verification time because of expensive computations on large numbers. Many PDP schemes are based on IO which is one of the modern cryptographic techniques. Many PDP scheme realizes efficient verification using IO but authenticator generation make these schemes inefficient. This is one of the limitations of IO that avoid to use it in PDP. Even though it creates one time overhead of obfuscating the verification circuit on user, it greatly reduces the verification time. There is a scope to improve the auditing processes utilizing IO by considering multiple perspectives of auditing.
Verification of MPC applications such as E-voting, E-auctions that uses lightweight devices such as mobiles is still an open issue to resolve because of increased verification time. It is necessary to propose Verifiable MPC such that there are reduced number of rounds and verification round must be independent from another round so that verification time will be reduced. Communication overhead in such systems totally depends upon message sizes transferred between different entities during auditing. Tag generation, proof generation phases must employ lightweight cryptographic techniques so that the computational overhead on lightweight devices should be reduced. IOT applications also uses lightweight devices. How can we utilize the IO technique for achieving verifiability in IOT environment is one of the future research direction in this field.
Group and ring signature techniques are widely used for group support in cloud paradigm. These techniques are based on certificates that increases the burden of certificate handling during verification. So, this is one of the avenues for future research to propose group support auditing using certificateless signature. Collusion attack is mostly generated by revoked users or TPA to get access to group information. Revocation policies should be strengthened to avoid such events. Zhang et al. [87] proposed revocable and certificateless public auditing model for cloud storage that supports the key update of the group user and the tag update of the revoked user. In most of the existing revocation procedures, existing user has to resign the blocks of revoked user that may create unnecessary burden on such users. Using symmetric key cryptography for integrity verification, cloud user has to share the secret key with TPA so that TPA can verify the file blocks during auditing. Even though TPA is trusted entity in this paradigm, he is curious about the data and identity of users. In such situations TPA may also collude with CS and fabricate the collusion attack to pass some forged audit.
To support dynamic data updates during auditing, MHT is widely used. During verification of MHT, auxiliary authentication information has to be generated and verified using certified root. This process may create many duplicate and unnecessary information during auditing for each verification. It may affect the total verification time. So, it is necessary to use IO with other constructs such as DHT, RBMT with multiple dynamic updates in batch mode to reduce verification time.
Continuous involvement of user during verification may create unnecessary burden on user. TPA also has to perform large computations during auditing. So, from the computation perspectives, the technical challenge of auditing service can be addressed by employing lightweight auditing process where user can audit the integrity of data as per his convenience. At the same time the computational burden of TPA should be reduced to generate lightweight auditing process. Wang et al. [88] presented lightweight certificatebased public/private auditing scheme based on asymmetric bilinear pairing. This scheme focuses on minimizing the computation cost of tag generation at user side since large data is outsourced by cloud users. Uses public/private audit model. Private auditing is efficient but during disputes, user can't become judge. So public auditing is invoked during any disputes in the absence of user. Such type of public/private auditing model can be used to generate lightweight processes.
Another major challenge observed by Ding et al. [93] is that if the user's auditing key is exposed to the malicious CS, the user's data may be deleted by CS without being detected. Ding proposed intrusion-resilience public auditing scheme to relieve damage caused by the key-exposure problem. As observed in this scheme, proof verification time depends on number of challenged blocks. As challenged blocks are increased, the verification time is also increasing. As a future work, modified auditing scheme can be proposed using IO to maintain constant and reduced verification time during auditing.
George and Nargunam [94] presented a comprehensive analytical and comparative survey for different auditing techniques and inferred that IO is one of the efficient methods to reduce overhead at auditor side as compared to attributebased methods. George also suggested to evolve efficient auditing scheme using IO that can reduce overhead on CS as well as TPA. Chen et al. [100] proposed a threshold hybrid encryption for integrity verification using AES and Shamir Secret Sharing without trusted center. Scheme also proposed re-signature technique to avoid collusion due to revoked user. As future research, this scheme can be modified using IO to reduce verification cost. Shen et al. [101] explored how to employ fuzzy private key for integrity auditing without storing private key. We can improve Zhang et al. [46] scheme by this fuzzy approach where cloud user has to share the MAC key with TPA through secure channel.
There are still multiple issues during auditing that are not addresses properly or not able to generate efficient auditing schemes. Auditing using file and authenticator deduplication, key-exposure resilient are some of the issues where IO technique can be utilized.

VII. CONCLUSION
In this paper, we reviewed different cryptographic constructs to implement lightweight auditing process for integrity verification of outsourced data. There are two basic approaches of auditing such as PDP and PoR. Our work concentrates on lightweight PDP processes. In this review, initially we presented an overview of multiple cryptographic techniques to achieve goals of public auditing system. We compared multiple auditing schemes proposed by many researchers with respect to auditing goals and cryptographic techniques. From this comparison, we came to know that with the use of IO, auditing time is greatly reduced. We explored the Zhang et al. work that uses IO to achieve lightweight public auditing process. Further, we identified the challenges to develop lightweight PDP processes with respect to verifiable MPC, Group support, Collusion resistant and privacypreserving using IO. We analyzed the performance based on communication cost, proof generation time and proof verification time. The study of this research work show that generation of lightweight PDP processes still has some open issues. Based on the survey, challenges are listed and recommendations are suggested.