Efficient Identity-Based Data Integrity Auditing With Key-Exposure Resistance for Cloud Storage

Key exposure is a serious threat to the security of data integrity auditing. Once the user's private key for auditing is exposed, most existing data integrity auditing schemes inevitably stop working. To deal with this problem, we construct a novel and efficient identity-based data integrity auditing scheme with key-exposure resilience for cloud storage. This is achieved by designing a novel key update technique that is fully compatible with the BLS signature used in identity-based data integrity auditing. In our design, the Third Party Auditor (TPA) is responsible for generating update information. The user can update his private key based on the private key in one previous time period and the update information from the TPA. Furthermore, the proposed scheme supports real lazy update, which greatly improves the efficiency and feasibility of key update. Meanwhile, the proposed scheme relies on identity-based cryptography, which makes certificate management easy. The security proof and the performance analysis demonstrate that the proposed scheme achieves desirable security and efficiency.


INTRODUCTION
Cloud storage services have gradually been accepted in recent years for their great advantages, such as low cost, flexibility and on-demand service. As a result, more and more enterprises and individuals are choosing cloud platforms to maintain and store their data. Although cloud storage service is convenient for users, security risks should not be neglected [1]. One of the biggest concerns is the integrity of the outsourced data, due to the inevitable operation errors or software/hardware failures in the cloud [2]. To ensure the integrity of cloud data, a great number of cloud data integrity auditing schemes have been proposed [3], [4], [5], [6]. Generally, to relieve the burden on users, a trusted Third-Party Auditor (TPA) is delegated to undertake the data integrity auditing task [7], [8], [9].
In most existing data integrity auditing schemes [10], [11], [12], [13], [14], a pair of public key and private key needs to be generated for the user. The public key is used to verify the validity of the proof generated by the cloud. The private key is only utilized to calculate the authenticators for data blocks. The authenticators are used to verify whether the cloud correctly stores the user's data in the data auditing phase. These schemes are based on the traditional Public Key Infrastructure (PKI) setting, which uses a digital certificate to ensure the authenticity of the user's public key. As a result, they incur considerable overhead, since certificate generation, certificate revocation and certificate renewal are complicated and time-consuming. A feasible solution for simplifying certificate management is identity-based cryptography. In identity-based cryptography, the user's private key is generated by a trusted Private Key Generator (PKG) based on the user's identity [15]. The public key is replaced with the user's identity information (e.g., user name, e-mail address, or employee number), which removes the need for certificates [16], [17]. Based on identity-based cryptography, Wang et al. [18] constructed the first identity-based data integrity auditing scheme. Following that, Wang et al. [19] designed an identity-based proxy-oriented data integrity auditing scheme, in which the authenticators are calculated with the help of a proxy. Zhang et al. [20] constructed an identity-based shared data integrity auditing scheme with efficient user revocation. The above identity-based data integrity auditing schemes all use the BLS signature to construct the authenticators of data blocks for supporting data integrity auditing.
Key exposure is a serious security issue for data integrity auditing. Once the user's private key for data integrity auditing is exposed to the cloud, the cloud is able to discard rarely accessed data to save storage space, or to hide incidents of data loss to maintain its reputation, by forging valid authenticators with the user's private key. Consequently, the data integrity auditing can no longer work correctly. To deal with this problem, Yu et al. [21], [22], [23] and Xu et al. [24] designed data integrity auditing schemes with key-exposure resilience in the PKI setting. They make use of different key update techniques to update the user's private key. However, all these key update techniques are incompatible with the BLS signature. This means that these key update techniques cannot be directly applied to the existing identity-based data integrity auditing schemes [18], [20], [25], [26], [27].
Contribution. The contributions are summarized as follows: We propose a novel identity-based data integrity auditing scheme with key-exposure resilience for cloud storage. In the proposed scheme, we design a novel key update technique, which is fully compatible with the BLS signature in identity-based data integrity auditing. The time-consuming computational operation for key updates is performed by the Third Party Auditor (TPA). Specifically, the TPA calculates the update information with its secret key in each time period, and sends the update information to the user. The user can check the validity of the update information and efficiently update his private key based on the private key in one previous time period and the update information from the TPA. Even if the malicious cloud obtains the user's private key in a certain time period, the auditing tasks in other time periods can still be performed correctly. When the user's private key is updated frequently, the user only needs to perform lightweight computations to calculate the private key for the current time period. In addition, our scheme supports real lazy update, i.e., the user updates his private key only when he uploads a file to the cloud rather than in each time period. This greatly improves the efficiency and feasibility of key update. Our scheme relies on identity-based cryptography, which eliminates the complicated certificate management of traditional PKI systems. We prove the security of the proposed scheme and give a comprehensive performance analysis.

Related Work
In 2007, "Provable Data Possession" (PDP) was introduced by Ateniese et al. [28], which allows the cloud to convince verifiers that it stores the data correctly. Juels and Kaliski [29] presented "Proof of Retrievability" (PoR) and constructed a publicly verifiable PoR scheme. In this scheme, data are encoded with error correcting codes and several "sentinels" are embedded in the file. The verifier is capable of verifying the correctness of the data by checking whether the sentinels at some specific positions exist or not. In 2008, Shacham and Waters [30] constructed two improved PoR schemes by utilizing the BLS signature and a pseudorandom function, respectively.
To support data dynamics, the first provable data possession scheme with partial data dynamics was proposed by Ateniese et al. [31]. After that, plenty of data integrity auditing schemes focused on supporting full data dynamics [32], [33], [34], [35]. To achieve data privacy protection, Wang et al. [36] proposed a data integrity checking scheme, in which the cloud utilizes a random value to produce the auditing proof. Based on a zero-knowledge proof of discrete logarithm, Li et al. [37] designed a cloud storage checking scheme supporting data privacy protection. Ding [38] employs an edge server to help users calculate authenticators, which alleviates the user's computation burden. Based on online/offline signatures, Li et al. [3] presented a lightweight data integrity checking scheme for users with low computation capability. Wang et al. [39] took the problem of user identity privacy into account and proposed a shared data integrity checking scheme with identity privacy protection by employing a ring signature. To improve the cloud's storage efficiency, Xu et al. [26] proposed a blockchain-enabled deduplicatable data integrity auditing scheme. Shen et al. [40] designed a public auditing scheme with efficient data ownership transfer. Zhou et al. [41] proposed a multicopy data integrity auditing scheme, in which an improved Merkle hash tree is used to achieve multicopy dynamic operations.
The problem of complicated certificate management in data integrity auditing has been researched. In [18], Wang et al. designed a cloud storage auditing scheme built on identity-based cryptography. Zhang et al. [20] considered the problem of user revocation and presented a shared data integrity auditing scheme with efficient user revocation by updating the non-revoked group users' private keys. Wang et al. [9] constructed an identity-based data integrity checking scheme, which achieves both unconditional anonymity and incentive. Zhang et al. [16] designed a data integrity auditing scheme with conditional identity privacy protection. Wang et al. [42] proposed an identity-based data outsourcing scheme with comprehensive auditing, in which a proxy generates data authenticators on behalf of the user. Based on identity-based cryptography, Shen et al. [27] designed a shared data integrity checking scheme, in which sensitive information is sanitized by a sanitizer.
All the aforementioned schemes are designed on the assumption that the user's private key for data integrity auditing is absolutely secure and cannot be exposed. Yu et al. [21] first discussed the problem of key exposure and presented a data integrity auditing scheme with key-exposure resilience by updating the user's private key. Subsequently, Yu et al. [22] proposed a data integrity checking scheme with verifiable outsourcing of key updates. In this scheme, the task of updating the private key is executed by the TPA. In [23], a strong key-exposure resilient data integrity auditing scheme is proposed, in which the cloud cannot obtain the user's private key in unexposed time periods. Xu et al. [24] designed an intrusion-resilient data integrity checking scheme, which mitigates the risk of key exposure. In this scheme, a full binary tree is utilized to update the private key. Other key-exposure resilient data integrity auditing schemes [43], [44] have also been proposed. Nonetheless, these schemes either introduce an additional key update server or are based on time-consuming lattice cryptography.

Organization
In Section 2, we first introduce the notations and preliminaries used in the paper. After illustrating the system model and security model (Section 3), we give the identity-based data integrity auditing scheme with key-exposure resistance in Section 4. The security analysis and the performance analysis are discussed in Sections 5 and 6, respectively. Finally, Section 7 concludes the paper.

NOTATIONS AND PRELIMINARIES
In this section, we briefly review bilinear maps, discrete logarithm (DL) problem and computational Diffie-Hellman (CDH) problem.

Notations
We present some notations used in this paper in Table 1.

1) Bilinear Maps
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$. A bilinear map $e$ is a map $e: G \times G \to G_T$ which satisfies [45]: a) Bilinearity: for all $g_1, g_2 \in G$ and $a, b$

SYSTEM MODEL AND SECURITY MODEL
In this section, we present the system model, the design goal, the underlying algorithms and the security model.

System Model
As illustrated in Fig. 1, the system model of an identity-based data integrity auditing scheme with key-exposure resistance comprises four types of entities: the user, the cloud, the Third Party Auditor (TPA) and the Private Key Generator (PKG).
1) User: The user has a large number of files to upload to the cloud.
2) Cloud: The cloud has enormous storage space and computation resources, and provides data storage services for the user.
3) TPA: The TPA is an entity with abundant computation resources. It takes charge of two important tasks. One is to verify whether the cloud data is stored intact. The other is to generate the update information used to update the user's private keys in different time periods.
4) PKG: The PKG is responsible for generating the system public parameters, the user's initial private key and the TPA's secret key.
At the beginning of each time period, the TPA computes and sends the update information to the user, where the update information is used to update the user's private key for data integrity auditing. The user calculates the private key for the current time period based on the update information and the private key in one previous time period, and then generates data authenticators with the private key of the current time period. The user sends the data blocks and the corresponding authenticators to the cloud.
The TPA is delegated by the user to complete the task of data integrity auditing. First, a challenge is output by the TPA. Then the TPA sends the challenge to the cloud. Upon receiving the challenge, the cloud returns a corresponding proof to the TPA. The TPA verifies whether the cloud data are kept unchanged or not by checking the validity of the proof.

Table 1. Notations

$sk_{ID,0}$: the initial private key of the user $U_{ID}$
$N$: the maximum lifetime of all cloud files
$t$: the threshold value
$x^*_{ID,j}$: the update information of the user $U_{ID}$ in the time period $j$
$sk_{ID,j}$: the private key of the user $U_{ID}$ in the time period $j$
$F = \{m_1, m_2, \dots, m_n\}$: the cloud file $F$ composed of blocks $m_i$ ($i \in [1, n]$)
$f_{id}$: the file identifier
$\Phi = \{b_1, b_2, \dots, b_n\}$: the authenticator set
$\tau$: the file tag
$S$: the challenged block set
$c$: the number of challenged blocks
$Chal = \{i, v_i\}_{i \in S}$: the auditing challenge
$Proof = \{j, m, h\}$: the auditing proof

In this paper, we mainly focus on solving the problem of key exposure in data integrity auditing, and do not consider the problem of data privacy protection. In addition, we also do not consider the threat that the TPA is curious about the user's private key used to generate the authenticators. Actually, no existing data integrity auditing scheme with key-exposure resistance considers this threat. The detailed explanation is given in Remark 1.
Remark 1. The basic assumption of most data integrity auditing schemes is that the TPA honestly returns a correct auditing result to the user. The user's private key is only used to generate the authenticators for realizing data integrity verification by the TPA. If the TPA were able to obtain an exposed private key and uncover the user's other private keys, it would not forge authenticators with these private keys to pass its own verification, which is fully unnecessary and unreasonable. In other words, the user's private keys are useless for the TPA. Therefore, the TPA has no incentive to obtain the user's private key. As a result, similar to the schemes [22], [23], we select the TPA to execute the tasks of key update information generation and data integrity auditing.

Design Goals
To achieve key-exposure resistance in identity-based data integrity auditing, the following goals should be achieved:
1) Correctness: a) Initial private key correctness: to guarantee that the initial private key can pass the user's checking only if the PKG produces the initial private key honestly. b) Update information correctness: to guarantee that the update information can pass the user's checking only if the TPA produces the update information correctly. c) Auditing correctness: to assure that the proof can pass the TPA's checking only if the cloud executes the auditing task honestly.
2) Key-exposure resistance: to ensure that even if the private keys in $t$ time periods are exposed, the security of the private keys in other time periods is not affected.
3) Auditing soundness: to guarantee that if the cloud does not actually keep the user's entire data, it cannot pass the TPA's checking.
4) Efficient key update: to ensure low overhead of private key update.

Underlying Algorithms
Definition 1. An identity-based data integrity auditing scheme with key-exposure resistance for cloud storage includes the following eight algorithms:
1) Setup($1^\lambda$): The setup algorithm is executed by the PKG. Taking the security parameter $\lambda$ as input, it outputs the master secret key $x_0$ and the system public parameters $param$. The PKG keeps the master secret key secret.
2) Extract($x_0, ID, param$): The extraction algorithm is completed by the PKG. With the master secret key $x_0$, the user's identity $ID$ and the system public parameters $param$ as input, it generates the user's initial private key $sk_{ID,0}$ and the TPA's secret key $SK_{TPA,ID}$ corresponding to the user $U_{ID}$. The user $U_{ID}$ can check whether $sk_{ID,0}$ is valid or not and accepts it as his initial private key only if it passes the check.
3) UpIGen($param, j, j-1, SK_{TPA,ID}$): The update information algorithm is handled by the TPA. With the public parameters $param$, the current time period $j$, the previous time period $j-1$ and the TPA's secret key $SK_{TPA,ID}$ as input, it outputs the update information $x^*_{ID,j}$ used to update the user $U_{ID}$'s private key in the time period $j$. The user can check the validity of $x^*_{ID,j}$.
4) KeyUpdate($param, j, ID, x^*_{ID,j}, sk_{ID,j-1}$): The key update algorithm is carried out by the user $U_{ID}$. With the public parameters $param$, the current time period $j$, the user identity $ID$, the corresponding update information $x^*_{ID,j}$ and the private key $sk_{ID,j-1}$ of the previous time period $j-1$ as input, it generates the private key $sk_{ID,j}$ of the current time period $j$.
5) AuthGen($param, F, j, sk_{ID,j}, f_{id}, ssk$): The authenticator generation algorithm is completed by the user $U_{ID}$. With the public parameters $param$, the current time period $j$, the file $F$, the user $U_{ID}$'s private key $sk_{ID,j}$, the file identifier $f_{id}$ and the user's signing private key $ssk$ as input, it generates an authenticator set $\Phi$ and a file tag $\tau$.
6) Challenge($param, c, ID, f_{id}, j$): The challenge generation algorithm is run by the TPA. With the public parameters $param$, the number of challenged blocks $c$, the user identity $ID$, the file identifier $f_{id}$ and the current time period $j$ as input, it outputs the challenge $chal$ for the file $f_{id}$ of the user $U_{ID}$ in the current time period $j$.
7) ProofGen($param, j, \tau, F, \Phi, chal$): The proof generation algorithm is handled by the cloud. With the public parameters $param$, the current time period $j$, the file tag $\tau$, the file $F$, the authenticator set $\Phi$ and the auditing challenge $chal$ as input, it generates an auditing proof $proof$.
8) ProofVerify($chal, param, proof, \tau, j, ID, f_{id}$): The proof verification algorithm is executed by the TPA. With the challenge $chal$, the system public parameters $param$, the proof $proof$, the file tag $\tau$, the current time period $j$, the user identity $ID$ and the file identifier $f_{id}$ as input, it outputs "1" if $proof$ is a valid proof, and "0" otherwise.

Security Model
Our security model considers key-exposure resistance and auditing soundness. In this security model, the user plays the role of the challenger and the malicious cloud is viewed as the adversary. Assume the adversary is not able to query the private keys of the same user in more than $t$ time periods. We define a game between the challenger and the adversary to present how the adversary attacks the security of an identity-based data integrity auditing scheme with key-exposure resistance. This game consists of the following phases:
1) Setup phase. The challenger executes the Setup algorithm to obtain the master secret key $x_0$ and the system public parameters $param$, then forwards $param$ to the adversary and holds $x_0$. Set the time period $j = 0$.
2) Query phase. In this phase, the adversary makes the following two kinds of queries to the challenger.
a) Private key queries: The adversary can issue a query for the private key of any identity $ID$ in time period $j$. However, for the same user $U_{ID}$, the adversary cannot query his private keys in more than $t$ time periods. The challenger executes the Extract, UpIGen and KeyUpdate algorithms to calculate the private key $sk_{ID,j}$ in time period $j$, and sends $sk_{ID,j}$ to the adversary.
b) Authenticator queries: The adversary can make queries for the data authenticators of the file $F$ under the identity $ID$ in time period $j$. The challenger calculates the corresponding authenticators for the file $F$ by running the AuthGen algorithm, and returns these authenticators to the adversary. The adversary stores the file $F$ and the corresponding authenticators.
The time period is then advanced. At the end of each time period, the adversary can choose to stay in the query phase or move on to the next phase.
3) Challenge phase. The challenger chooses a time period $j^*$, a file identifier $f_{id}^*$ and a user identity $ID^*$. In time period $j^*$, $ID^*$ must not appear in the private key queries. The challenger sends a challenge $chal = \{i, v_i\}_{i \in S}$ to the adversary, where $S = \{g_1, g_2, \dots, g_c\}$ ($g_a \in [1, n]$, $a \in [1, c]$ and $c \in [1, n]$).
4) Forgery phase. The adversary produces a data integrity proof $proof$ corresponding to the challenge $chal$ in time period $j^*$, and sends $proof$ to the challenger. If ProofVerify($chal, param, proof, \tau, j^*, ID^*, f_{id}^*$) $=$ "1", then the adversary succeeds in the above game.
This security model describes that the adversary cannot query the private keys of the same user in more than $t$ time periods and also cannot query the private key of the challenged user in the challenged time period, but can query the data authenticators for any file in each time period. If the adversary does not correctly store all challenged data blocks of the user $U_{ID^*}$ for a time period in which the private key is not exposed, and cannot guess all bad blocks, he is unable to forge a valid proof that passes the challenger's verification. The adversary aims at passing the challenger's verification by outputting a valid proof for the challenged data blocks in the time period $j^*$. In the time period $j^*$, the user $U_{ID^*}$'s private key is not exposed. The following definition states that there exists a knowledge extractor that can extract all challenged data blocks whenever the above adversary is capable of generating a valid proof $proof$ in the time period $j^*$.
Definition 2. We say an identity-based data integrity auditing scheme with key-exposure resistance is secure if the following condition holds: whenever an adversary in the above game can pass the challenger's verification by outputting a valid proof $proof$ with non-negligible probability, there is a knowledge extractor that can extract the challenged data blocks with non-negligible probability.
Definition 3. An identity-based data integrity auditing scheme with key-exposure resistance is $(\rho, \delta)$ $(0 < \rho, \delta < 1)$ detectable if, when a $\rho$ fraction of the whole file is corrupted by the cloud, the probability that these corrupted data blocks are detected is no less than $\delta$.

Construction of Our Proposal
The cloud file $F$ is divided into $n$ data blocks, denoted as $F = (m_1, m_2, \dots, m_n)$ ($m_i \in \mathbb{Z}_p^*$). $N$ is the maximum lifetime of all cloud files. In previous identity-based data integrity auditing schemes [20], [27], an identity-based signature $Sig$ is employed to ensure the validity of the file identifier. Similarly, an identity-based signature $Sig$ is utilized in the proposed scheme to guarantee the validity of the verification value, the file identifier $f_{id}$ and the time period. Assume the user already holds the signing private key $ssk$ corresponding to the signature $Sig$. This assumption makes the description of the proposed scheme clearer and simpler. Fig. 2 shows the workflow of private key extraction. The workflows of update information generation, key update, authenticator generation, and data integrity auditing are shown in Fig. 3.
The detailed algorithms are presented below.

1) Setup($1^\lambda$)
The PKG produces the master secret key, the TPA's secret key and the system public parameters.
a) The PKG picks two multiplicative cyclic groups $G$ and $G_T$ of prime order $p$, and two random generators $g$ and $u$ of $G$. The PKG also selects two different cryptographic hash functions $H_1$ and $H_2$.
b) The PKG picks a random value $x_0 \in \mathbb{Z}_p^*$ as the master secret key and computes $Y_0 = g^{x_0}$ as the master public key.
c) The PKG publishes the system parameters $param = (G, G_T, p, u, g, e, H_1, H_2, Y_0)$.

2) Extract($x_0, ID, param$)
The PKG calculates and sends the initial private key to the user $U_{ID}$. The user $U_{ID}$ is able to check whether the initial private key he received is valid or not. Furthermore, the PKG computes the TPA's secret key corresponding to the user $U_{ID}$.
a) For the user $U_{ID}$, the PKG randomly selects a polynomial $f_{ID}$ with $f_{ID}(0) = x_0$ and remaining coefficients $x_{ID,1}, \dots, x_{ID,t}$, where $t$ is the threshold on the number of a user's private keys that are allowed to be compromised. Generally speaking, $t$ is much smaller than $N$.
b) The PKG randomly picks $r_{ID} \in \mathbb{Z}_p^*$, and computes $R_{ID} = g^{r_{ID}}$ and $s_{ID,0} = r_{ID} + f_{ID}(0) H_2(R_{ID}, ID) \pmod p$ according to the user's identity $ID$, where $f_{ID}(0) = x_0$. The PKG then sets $sk_{ID,0} = (R_{ID}, s_{ID,0})$ as the user $U_{ID}$'s initial private key, and sends it to the user $U_{ID}$.
c) The user $U_{ID}$ accepts the initial private key $sk_{ID,0}$ if $sk_{ID,0}$ passes the verification of the following equation (Equation (1)).
d) The PKG sets $SK_{TPA,ID} = \{x_{ID,1}, x_{ID,2}, \dots, x_{ID,t}\}$ as the TPA's secret key corresponding to the user $U_{ID}$. The PKG sends $SK_{TPA,ID}$ to the TPA and computes the public values $Y_{ID,k} = g^{x_{ID,k}}$ ($k \in [1, t]$).

3) UpIGen($param, j, j-1, SK_{TPA,ID}$)
At the beginning of the time period $j$ ($1 \le j \le N$), the TPA computes and sends the update information to the user $U_{ID}$. The update information is used to update the user $U_{ID}$'s private key. The user $U_{ID}$ checks the validity of the update information.
a) At the beginning of the time period $j$ ($1 \le j \le N$), the TPA computes the update information $x^*_{ID,j} = \sum_{k=1}^{t} x_{ID,k}\,(j^k - (j-1)^k)$ for the time period $j$ with the secret key $SK_{TPA,ID} = \{x_{ID,1}, x_{ID,2}, \dots, x_{ID,t}\}$ corresponding to the user $U_{ID}$. The update information $x^*_{ID,j}$ is used to update the user $U_{ID}$'s private key in the time period $j$. Note that $x^*_{ID,j} = f_{ID}(j) - f_{ID}(j-1)$. The TPA then sends the update information $x^*_{ID,j}$ to the user $U_{ID}$.
b) The user $U_{ID}$ checks whether the update information $x^*_{ID,j}$ is valid by the following equation (Equation (2)). If Equation (2) holds, the update information generated by the TPA is valid. Then, the user $U_{ID}$ executes the following KeyUpdate algorithm.

4) KeyUpdate($param, j, ID, x^*_{ID,j}, sk_{ID,j-1}$)
The user $U_{ID}$ calculates the private key of the current time period using the update information he received in the UpIGen algorithm and the private key of one previous time period. The user $U_{ID}$ computes $s_{ID,j} = s_{ID,j-1} + x^*_{ID,j} \cdot H_2(R_{ID}, ID)$ using the update information $x^*_{ID,j}$ and the private key $s_{ID,j-1}$ of the previous time period $j-1$, and sets $sk_{ID,j} = (R_{ID}, s_{ID,j})$ as the private key of the current time period $j$. Note that $s_{ID,j} = r_{ID} + f_{ID}(j) \cdot H_2(R_{ID}, ID)$.

Remark 2. Our scheme supports real lazy update. The user updates his private key only when he uploads a file to the cloud. That is, the user sends a key update request to the TPA to obtain the update information only when there is a file that needs to be stored in the cloud. Assume that the user $U_{ID}$ uploads a file in the time period $l$, and does not upload any file in the time periods from $j$ to $l-1$. The user $U_{ID}$ only needs to update his private key in the time period $l$ with one single step rather than performing multiple updates from the time period $j$ to the time period $l$. Specifically, at the beginning of the time period $l$, the user $U_{ID}$ sends a key update request to the TPA to obtain the update information for updating his private key. Upon receiving the update request, the TPA executes the UpIGen algorithm to generate the update information $x^*_{ID,j,l} = \sum_{k=1}^{t} x_{ID,k}\,(l^k - j^k)$, then delivers it to the user $U_{ID}$. The user $U_{ID}$ can verify the correctness of $x^*_{ID,j,l}$ by Equation (2) of the UpIGen algorithm. If $x^*_{ID,j,l}$ passes the verification, the user computes $s_{ID,l} = s_{ID,j} + x^*_{ID,j,l} \cdot H_2(R_{ID}, ID)$ based on the update information $x^*_{ID,j,l}$ and the private key $s_{ID,j}$ of the previous time period $j$. Note that $s_{ID,l} = s_{ID,j} + (f_{ID}(l) - f_{ID}(j)) \cdot H_2(R_{ID}, ID) = r_{ID} + f_{ID}(l) \cdot H_2(R_{ID}, ID)$. The private key $sk_{ID,l}$ of the time period $l$ is set as $sk_{ID,l} = (s_{ID,l}, R_{ID})$.

Remark 3. In our scheme, $r_{ID}$ can be the same for the same user in different time periods, for the following reasons. The user $U_{ID}$'s private key in the time period $j$ is $sk_{ID,j} = (s_{ID,j}, R_{ID})$, where $s_{ID,j} = r_{ID} + f_{ID}(j) \cdot H_2(R_{ID}, ID)$ and $f_{ID}(j)$ is the value computed by the PKG based on the PKG's master secret key $x_0$, the TPA's secret key $SK_{TPA,ID} = \{x_{ID,1}, x_{ID,2}, \dots, x_{ID,t}\}$ corresponding to the user $U_{ID}$ and the time period $j$. $f_{ID}(j)$ changes in every time period. The adversary cannot compute $f_{ID}(j)$ because he cannot obtain the PKG's master secret key $x_0$ and the TPA's secret key $SK_{TPA,ID}$. Similarly, the adversary cannot compute $f_{ID}(j)$ ($j \in [1, N]$) for the whole set of time periods. In other words, the adversary cannot obtain $r_{ID}$ even if he is able to obtain the user $U_{ID}$'s private keys in $t$ time periods. In the key update phase, the adversary cannot deduce the unexposed private keys without $r_{ID}$ and $f_{ID}(j)$ ($j \in [1, N]$) even with up to $t$ exposed private keys. As a result, the key update is secure even if $r_{ID}$ is the same for the same user in different time periods.

Remark 4. In our scheme, the user's private key in the current time period is generated based on the private key of one previous time period and the update information from the TPA. If the TPA obtains the user's private key in a certain time period by compromising the hardware token that stores the user's private key, then it can inevitably uncover the user's private key in other time periods, since it also knows the update information. It seems that there is no feasible technique to solve the problem that the TPA can uncover the user's private keys after obtaining an exposed private key. Actually, this is not a real threat in data integrity auditing with key-exposure resistance.

5) AuthGen($param, F, j, sk_{ID,j}, f_{id}, ssk$)
The user $U_{ID}$ computes the authenticators for the file $F$ with the private key of the current time period, and calculates the file tag used to guarantee the validity of the file identifier, the time period and the verification value. Then, the user $U_{ID}$ uploads the file $F$ along with the authenticator set and the file tag to the cloud.
a) For each block $m_i \in \mathbb{Z}_p^*$ ($i \in [1, n]$) of the file $F$, the user $U_{ID}$ computes the authenticator $b_i$ using the private key $sk_{ID,j}$ of the current time period $j$ as follows: $b_i = (H_1(f_{id} \| i \| j) \cdot u^{m_i})^{s_{ID,j}}$, where $f_{id} \in \mathbb{Z}_p^*$ is the file identifier. Let $\Phi = \{b_i\}_{1 \le i \le n}$ be the set of authenticators in the time period $j$.
b) The user $U_{ID}$ generates the file tag $\tau = f_{id} \| j \| R_{ID} \| Sig_{ssk}(f_{id} \| j \| R_{ID})$ with the signing private key $ssk$.
c) The user $U_{ID}$ uploads $\{F, \Phi\}$ along with the file tag $\tau$ to the cloud.

6) Challenge($param, c, ID, f_{id}, j$)
The TPA selects a user identity $ID$, a file identifier $f_{id}$ and a time period $j$. Then the TPA outputs an auditing challenge $chal = \{i, v_i\}_{i \in S}$, where $S \subseteq [1, n]$ is a subset containing $c$ elements and $v_i$ is a random value in $\mathbb{Z}_p^*$. The TPA sends $\{chal, ID, f_{id}, j\}$ to the cloud.

7) ProofGen($param, j, \tau, F, \Phi, chal$)
Upon receiving $chal$, the cloud outputs an auditing proof $proof = \{j, m, h\}$ to the TPA. The cloud sends the proof $proof$ along with the file tag $\tau$ to the TPA.

8) ProofVerify($chal, param, proof, \tau, j, ID, f_{id}$)
After receiving $proof$, the TPA checks the validity of the file tag $\tau$ by verifying whether $Sig_{ssk}(f_{id} \| j \| R_{ID})$ is a valid signature or not. If the file tag $\tau$ is valid, the TPA retrieves the file identifier $f_{id}$, the time period $j$ and the verification value $R_{ID}$. Then, the TPA checks the validity of the proof $proof$ via the following equation (Equation (3)). The TPA outputs "1" if Equation (3) holds; otherwise, it outputs "0".
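The Extract, UpIGen, KeyUpdate and lazy-update steps above, as an added example that is not the paper's own code. It assumes a constructed toy Schnorr subgroup (order $p = 1019$ inside $\mathbb{Z}_{2039}^*$, generator $4$) in place of the pairing group $G$ so that the exponent arithmetic runs offline, instantiates $H_2$ with SHA-256, takes $f_{ID}(x) = x_0 + \sum_{k=1}^{t} x_{ID,k}\,x^k$ as the polynomial form implied by $f_{ID}(0) = x_0$ and the update formula, and uses the user-side checks of $sk_{ID,0}$ and $x^*_{ID,j}$ that follow from the public values $Y_0$ and $Y_{ID,k}$, since Equations (1) and (2) themselves are not reproduced on this page. The BLS authenticators and the pairing-based proof check are not implemented; the example shows that the lazy update yields exactly the sequentially updated key, that tampered update information is rejected, and that $g^{s_{ID,j}}$ can be recomputed from public data alone.

```python
"""Toy model of the key update mechanics (added example, not the paper's code).

Constructed parameters: p = 1019 and q = 2p + 1 = 2039 are both prime, so
g = 4 generates the order-p subgroup of Z_q^*. Sizes are for readability only.
"""
import hashlib
import secrets

P = 1019          # order of the group; exponents live in Z_p
Q = 2 * P + 1     # 2039, modulus of the toy group standing in for G
G = 4             # generator of the order-p subgroup of Z_Q^*

def H2(R_ID, ID):
    """Stand-in for H_2 (assumption): hash (R_ID, ID) to a non-zero element of Z_p."""
    digest = hashlib.sha256(f"{R_ID}|{ID}".encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 1)

def rand_exp():
    """Random non-zero exponent in Z_p^*."""
    return secrets.randbelow(P - 1) + 1

class PKG:
    """Setup and Extract as performed by the Private Key Generator."""
    def __init__(self):
        self.x0 = rand_exp()               # master secret key x_0
        self.Y0 = pow(G, self.x0, Q)       # master public key Y_0 = g^{x_0}

    def extract(self, ID, t):
        # f_ID(x) = x_0 + x_{ID,1} x + ... + x_{ID,t} x^t, so f_ID(0) = x_0.
        coeffs = [self.x0] + [rand_exp() for _ in range(t)]
        r = rand_exp()
        R = pow(G, r, Q)                                   # R_ID = g^{r_ID}
        s0 = (r + coeffs[0] * H2(R, ID)) % P               # s_{ID,0}
        sk_tpa = coeffs[1:]                                # SK_{TPA,ID}
        Y_tpa = [pow(G, x, Q) for x in sk_tpa]             # public Y_{ID,k}
        return (R, s0), sk_tpa, Y_tpa

def check_initial_key(sk0, Y0, ID):
    """User-side check of sk_{ID,0}: g^{s_{ID,0}} == R_ID * Y_0^{H_2(R_ID, ID)}.
    This relation follows from the definitions; it is used in place of Eq. (1)."""
    R, s0 = sk0
    return pow(G, s0, Q) == R * pow(Y0, H2(R, ID), Q) % Q

def update_info(sk_tpa, j_from, j_to):
    """TPA side (UpIGen): x* = sum_k x_{ID,k} (j_to^k - j_from^k) mod p.
    j_from = j_to - 1 is the per-period update; a larger gap is the lazy update."""
    return sum(x * (pow(j_to, k, P) - pow(j_from, k, P))
               for k, x in enumerate(sk_tpa, start=1)) % P

def check_update_info(Y_tpa, j_from, j_to, xstar):
    """User side: g^{x*} must equal prod_k Y_{ID,k}^{(j_to^k - j_from^k)}.
    This check follows from the public values; it is used in place of Eq. (2)."""
    rhs = 1
    for k, Y in enumerate(Y_tpa, start=1):
        rhs = rhs * pow(Y, (pow(j_to, k, P) - pow(j_from, k, P)) % P, Q) % Q
    return pow(G, xstar, Q) == rhs

def key_update(sk, ID, xstar):
    """KeyUpdate: s_new = s_old + x* * H_2(R_ID, ID) mod p; R_ID is reused."""
    R, s = sk
    return R, (s + xstar * H2(R, ID)) % P

def period_pubkey(Y0, Y_tpa, R, ID, j):
    """g^{s_{ID,j}} from public data only: R_ID * (Y_0 * prod_k Y_{ID,k}^{j^k})^{H_2}.
    In the real scheme the pairing check on authenticators relies on this value."""
    g_f = Y0
    for k, Y in enumerate(Y_tpa, start=1):
        g_f = g_f * pow(Y, pow(j, k, P), Q) % Q
    return R * pow(g_f, H2(R, ID), Q) % Q

def demo(ID="alice@example.com", t=3, last=5):
    """Walk one user from period 0 to `last`, both step by step and lazily."""
    pkg = PKG()
    sk0, sk_tpa, Y_tpa = pkg.extract(ID, t)
    R = sk0[0]
    sk, updates_ok = sk0, True
    for j in range(1, last + 1):                     # per-period updates
        xs = update_info(sk_tpa, j - 1, j)
        updates_ok = updates_ok and check_update_info(Y_tpa, j - 1, j, xs)
        sk = key_update(sk, ID, xs)
    xs_lazy = update_info(sk_tpa, 0, last)           # one-shot lazy update 0 -> last
    sk_lazy = key_update(sk0, ID, xs_lazy)
    sk_bad = key_update(sk0, ID, (xs_lazy + 1) % P)  # key built from tampered x*
    pk_last = period_pubkey(pkg.Y0, Y_tpa, R, ID, last)
    return {
        "initial_ok": check_initial_key(sk0, pkg.Y0, ID),
        "updates_ok": updates_ok,
        "lazy_ok": check_update_info(Y_tpa, 0, last, xs_lazy),
        "lazy_matches_sequential": sk_lazy == sk,
        "period_key_ok": pow(G, sk[1], Q) == pk_last,
        "tampered_info_rejected": not check_update_info(Y_tpa, 0, last, (xs_lazy + 1) % P),
        "tampered_key_rejected": pow(G, sk_bad[1], Q) != pk_last,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```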

Discussion
In most identity-based key-exposure resilient schemes [48], [49], [50], [51], a physically secure helper is introduced to generate the key update information. The user can update his private key with the key update information. In identity-based cryptography [15], [19], [25], the PKG is responsible for generating the user's initial private key.
To achieve a high security level, either the helper or the PKG could replace the TPA in performing the key update information generation task in the proposed scheme. However, introducing the helper would increase the complexity of our system. If the PKG were in charge of generating the key update information, it would have to be always online. In general, the PKG goes offline after generating the initial private key for the user. Thus, we still select the TPA to generate the key update information for the user.

SECURITY ANALYSIS
The following analysis indicates that the proposed scheme is secure from the perspective of correctness, key-exposure resistance, detectability and key update security.

Theorem 1 (Correctness). A valid identity-based data integrity auditing scheme with key-exposure resistance meets the following properties:
1) (Initial private key correctness) The initial private key can pass the checking if the PKG produces the initial private key honestly.
2) (Update information correctness) The update information can pass the checking if the TPA produces the update information correctly.
3) (Auditing correctness) The proof can pass the checking if the cloud executes the auditing task honestly.

Proof.
1) Given the initial private key $sk_{ID,0} = (R_{ID}, s_{ID,0})$ generated by the PKG, the validity of $sk_{ID,0}$ can be checked by the user under Equation (1). The validity of the initial private key in Equation (1) is shown as follows:
2) Given the update information $x^*_{ID,j}$ from the TPA, the user can check the correctness of $x^*_{ID,j}$ based on the verification Equation (2). The validity of the update information in Equation (2) is shown as follows:
3) Given the proof $proof = \{j, m, h\}$ produced by the cloud, the validity of $proof$ can be checked by the TPA using Equation (3). The validity of the proof in Equation (3) is elaborated as follows:

Theorem 2 (Security). Assume the signature scheme employed for the file tag is secure and the CDH problem in $G$ is hard. Whenever an adversary in our security model can pass the challenger's verification by outputting a valid proof $proof$ with non-negligible probability, there is a knowledge extractor that can extract the challenged data blocks with non-negligible probability.
Proof. If the proof produced by the cloud can pass the verification, a knowledge extractor can be constructed to extract all the challenged data blocks. We define the following games to complete our proof.

Game 0. Game 0 is the game defined in Section 3.4.

Game 1. Game 1 is equivalent to Game 0, except that the challenger keeps a list consisting of all the signed tags. If the adversary submits a tag, the challenger declares failure when this tag is a valid Sig signature but was not signed by the challenger.
Analysis. If the challenger declares failure and aborts in Game 1 with non-negligible probability, a valid Sig signature can be forged by the adversary. This contradicts the assumption that Sig is an unforgeable identity-based signature. Thus, the time period $j^*$, the verification value $R_{ID^*}$ and the file identifier $f_{id}^*$ in the interactions with the adversary are all valid and produced by the challenger.
Game 2. Game 2 is equivalent to Game 1, except that the challenger maintains, in a local list, some records used to respond to the adversary's queries. If the adversary can output a valid proof that passes the checking while the adversary's aggregate authenticator is not equal to the expected $\prod_{i \in S} b_i^{v_i}$, the adversary succeeds and the challenger aborts.
Analysis. Suppose the adversary produces a forged proof $\{j^*, m', h'\}$. This proof satisfies the following equation:
Suppose $proof = \{j^*, m, h\}$ is a valid proof produced by the honest prover. It satisfies the following verification equation:
Obviously, $m \neq m'$; otherwise $h = h'$, which contradicts the above assumption. Define $\Delta m = m' - m$. We design a simulator to solve the CDH problem if the adversary succeeds with non-negligible probability.
Given $g, g^a, h \in G_1$, the aim of the simulator is to calculate $h^a$. The simulator randomly picks $\alpha, \beta \in Z_p^*$ and sets $u = g^{\alpha} h^{\beta}$. Meanwhile, it sets $Y_0 = g^a$ and selects $a_{ID^*,1}, a_{ID^*,2}, \ldots, a_{ID^*,t}, r_{ID^*} \in Z_p^*$ at random. It sets $Y_{ID^*,k} = g^{a_{ID^*,k}}$ ($k \in [1, t]$) and $R_{ID^*} = g^{r_{ID^*}}$, and publishes $Y_{ID^*,1}, Y_{ID^*,2}, \ldots, Y_{ID^*,t}$ and $R_{ID^*}$. For each $i \in [1, n]$ in the challenge, the simulator chooses a random value $r_i \in Z_p^*$ and programs the random oracle at $i$ as:
The simulator is able to calculate the data authenticator $b_i$, because we get:
Thus, the simulator computes $b_i$ as follows:
Dividing Equation (4) by Equation (5), we obtain $e(h'/h, g)$ as:
It further implies:
Therefore, we obtain a solution to the CDH problem as follows, as long as the denominator $\beta \Delta m \cdot H_2(R_{ID^*}, ID^*) \neq 0 \bmod p$:
The probability that $\beta \Delta m \cdot H_2(R_{ID^*}, ID^*) \neq 0 \bmod p$ is $1 - 1/p$, which is non-negligible. Therefore, this contradicts the assumption that the CDH problem in $G$ is hard.
It means that if the difference between the adversary's probabilities of success in Game 1 and Game 2 is non-negligible, a simulator can be constructed to solve the CDH problem.
Game 3. Game 3 is equivalent to Game 2, except that the challenger maintains each interaction result with the adversary. If the adversary can output a valid proof that passes the checking while the adversary's aggregated data block differs from the expected $m$, the challenger aborts.
Analysis. Suppose $proof = \{j^*, m, h\}$ is a valid proof output by the honest prover. It passes the following verification equation:
Suppose the adversary outputs a forged proof $\{j^*, m', h'\}$. The following verification equation holds since the forgery is successful:
We know $h' = h$ from Game 2. Define $\Delta m = m' - m$. A simulator can be constructed to solve the DL problem.
Input $g, h \in G_1$ to the simulator. The aim of the simulator is to calculate a value $a$ satisfying $h = g^a$. The simulator randomly picks $\alpha, \beta \in Z_p^*$ and sets $u = g^{\alpha} h^{\beta}$. From the above two verification equations, we get:
Therefore, we obtain $u^m = u^{m'}$, which further implies $1 = u^{\Delta m} = (g^{\alpha} h^{\beta})^{\Delta m} = g^{\alpha \Delta m} \cdot h^{\beta \Delta m}$. Furthermore, we get $\Delta m \neq 0 \bmod p$; otherwise, we would obtain $m' = m \bmod p$, which contradicts the aforementioned assumption. Thus, we find a solution to the DL problem as follows, as long as the denominator $\alpha \neq 0 \bmod p$:
The probability that $\alpha \neq 0 \bmod p$ is $1 - 1/p$, which is non-negligible. Therefore, this contradicts the assumption that the DL problem in $G$ is hard. It means that if the difference between the adversary's probabilities of success in Game 2 and Game 3 is non-negligible, a simulator can be constructed to solve the DL problem.
There is only a negligible probability difference between these games. Note that the hardness of the CDH problem implies the hardness of the discrete logarithm problem. If the signature scheme employed for the file tag is secure and the CDH problem in $G$ is hard, the challenger will reject unless the adversary generates a valid proof.
In the end, a knowledge extractor is constructed to extract all challenged data blocks $m_i$ ($i \in S$, $|S| = c$) by employing independent coefficients $v_i$ ($i \in S$) to generate proofs on the same blocks $m_i$ ($i \in S$) $c$ times. The extractor obtains $c$ linearly independent equations in the variables $m_i$ ($i \in S$). By solving these equations, the extractor can extract $m_i$ ($i \in S$) easily.

Proof (of Theorem 3). The cloud's misbehavior can be detected if and only if at least one of the data blocks challenged by the TPA is among the corrupted data blocks. Let a discrete random variable $Y$ be the number of challenged data blocks that match the corrupted data blocks. We use $P_Y$ to denote the probability of detecting the cloud's misbehavior. Thus, we have:
Therefore, the conclusion is that the proposed scheme is able to detect the cloud's misbehavior with probability at least $1 - (\frac{n-u}{n})^c$. □
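The knowledge extractor from the end of the Theorem 2 proof, as an added example that is not the paper's code: it queries the prover $c$ times on the same challenged set $S$ with fresh random coefficients and solves the resulting linear system over $Z_p$. It assumes that the data component of the proof is the linear aggregate $m = \sum_{i \in S} v_i m_i \bmod p$ (the page does not reproduce the ProofGen equation), that the extractor may issue the $c$ challenges, and that a small constructed prime stands in for the scheme's 160-bit $Z_p^*$; the function names are hypothetical.

```python
"""Knowledge extractor from the proof of Theorem 2, as an added example.

This is not the paper's code. Assumptions: the data component of the proof is the
linear aggregate m = sum_{i in S} v_i * m_i mod p (the scheme's ProofGen equation
is not reproduced on this page); the extractor may query the prover c = |S| times
on the same challenged set S with fresh random coefficients v_i in Z_p^*; P is a
constructed toy prime standing in for the scheme's 160-bit Z_p^*.
"""
import random

P = 1_000_003  # constructed toy prime, not the scheme's real group order


def aggregate(blocks, chal, p=P):
    """Honest prover's aggregated data block for chal = [(i, v_i), ...]."""
    return sum(v * blocks[i] for i, v in chal) % p


def solve_mod_p(rows, rhs, p=P):
    """Gauss-Jordan elimination over Z_p. Returns None if the matrix is singular."""
    n = len(rows)
    a = [list(r) + [b] for r, b in zip(rows, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] % p), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, p)
        a[col] = [x * inv % p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] % p:
                f = a[r][col]
                a[r] = [(x - f * y) % p for x, y in zip(a[r], a[col])]
    return [a[r][n] for r in range(n)]


def extract(S, prover, p=P, seed=None):
    """Recover the c = |S| challenged blocks with c independent challenges.

    Each challenge uses fresh coefficients v_i in Z_p^*; the c x c coefficient
    matrix is singular only with probability about c/p, in which case the
    extractor simply re-samples (the failure mode the argument glosses over).
    """
    rng = random.Random(seed)
    c = len(S)
    while True:
        chals = [[(i, rng.randrange(1, p)) for i in S] for _ in range(c)]
        rows = [[v for _, v in ch] for ch in chals]
        answers = [prover(ch) for ch in chals]
        sol = solve_mod_p(rows, answers, p)
        if sol is not None:
            return dict(zip(S, sol))
```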

PERFORMANCE EVALUATION

6.1 Functionalities Comparison
In Table 2, we compare the functionalities of our scheme with several related schemes [13], [18], [23], [30]. None of the schemes in [13], [18], [30] can resist key exposure. The scheme in [23] can resist key exposure by updating the user's private key. However, it relies on public key infrastructure (PKI), which requires complicated certificate management. Besides, it cannot support lazy update of the private key. Compared with the schemes [13], [18], [23], [30], our scheme satisfies the following four properties: certificate management simplification, public verifiability, key-exposure resistance and lazy update.

Performance Analysis
The following notations are defined to denote the computation costs of different operations in our scheme. The computation cost of one exponentiation operation in $G$ is denoted as $Exp_G$. The computation cost of one pairing operation is denoted as $Pair$. Compared with $Exp_G$ and $Pair$, the computation cost of other operations such as addition, multiplication and hashing on $G$ and the operations on $Z_p^*$ is negligible.
(1) Computation cost. The comparison of computation cost for different entities is illustrated in Table 3. The PKG costs $(t + 1)Exp_G$ to generate public values in the setup phase, where $t$ is the threshold value, and costs $Exp_G$ to generate the user's initial private key in the extraction phase. On the user side, the computation cost mainly comes from the process of authenticator generation. The overhead of updating the private key can be ignored. In the process of authenticator generation, the computation cost is $2nExp_G$ on the user side, where $n$ is the number of data blocks in the file. In our scheme, we do not consider the computation cost of the verification process on the user side because this process is optional. On the TPA side, the TPA needs to compute the update information and check the validity of the proof. However, the update information generation contributes negligible computation cost. In the process of auditing proof verification, the computation cost is $2Pair + (c + 4)Exp_G$. On the cloud side, the computation cost for generating the proof is $cExp_G$.
To present the computation advantages of our scheme, we also give the computation cost of the classic scheme [18] in Table 3. We select the scheme [18] as a benchmark because it is the representative state of the art in identity-based data integrity auditing. As shown in Table 3, the PKG costs $Exp_G$ to generate the private key for the user in the scheme [18]. The computation cost of the user is $2nExp_G$, which is used to produce the authenticators. On the TPA side, the computation cost of verifying the correctness of the auditing proof is $2Pair + (c + 2)Exp_G$. The computation cost of outputting the proof on the cloud side is $cExp_G$.
As a result, the computation costs of the user and the cloud in our scheme are the same as those in the scheme [18]. To achieve the extra key-exposure resilience, the computation costs of the PKG and the TPA in our scheme incur acceptable additional overhead compared with those in the scheme [18].
(2) Communication cost. The challenge and the proof in the auditing phase are the dominant factors in the communication costs of our scheme and the scheme [18]. As shown in Table 4, the communication cost of the scheme [18] is almost the same as that of our scheme. In our scheme and the scheme [18], the size of the challenge is $c \cdot (|n| + |p|)$ bits, where $|n|$ and $|p|$ are the sizes of elements in $[1, n]$ and $Z_p^*$ respectively. The size of the proof is $|p| + |q|$ bits in the scheme [18], where $|q|$ is the size of an element in $G$. In our scheme, the size of the proof is $2|p| + |q|$ bits, which requires more communication cost than the scheme [18].

Experimental Results
We use the C programming language with the Pairing-Based Cryptography (PBC) Library [52] and the GNU Multiple Precision Arithmetic Library (GMP) [53] to implement all algorithms. All simulation experiments are run on a 64-bit Linux system with an Intel Core i5-6200 2.3 GHz processor and 8 GB of memory. In our setting, the size of an element in $Z_p^*$ is set to 160 bits, and the base field size is set to 512 bits.
To evaluate the experimental performance of our scheme, we choose the schemes [23], [43] as the benchmarks, since they are well known as the two most efficient data integrity auditing schemes with key-exposure resistance based on a PKI cryptosystem and an identity-based cryptosystem, respectively.

1) Authenticator generation phase. We evaluate the performance of authenticator generation and show the results in Fig. 4. We choose different numbers of data blocks, increasing from 100 to 1,000 in steps of 100. Fig. 4 indicates that the computation costs of authenticator generation in our scheme and the schemes [23], [43] increase linearly with the number of data blocks. Our scheme requires less computation cost in the authenticator generation phase than the schemes [23], [43].

2) Private key update phase. In the phase of private key update, the TPA first generates the update information for the user, and then the user updates his private key according to the update information. Figs. 5 and 6 show that, in our scheme and the schemes [23], [43], the computation costs of update information generation and private key generation in each time period are almost the same. However, the computation cost of our scheme is much smaller than that of the schemes [23], [43].
To compare the computation costs of different private key update strategies in our scheme, we conduct the following two experiments. One is to update the private key directly from time period 1 to time period 7, which is called lazy update. The other is to update the private key one period at a time from time period 1 to time period 7. As shown in Fig. 7, in lazy update the user can directly generate the private key in time period 7, which costs 0.002 ms. However, in one-by-one update, the user has to calculate the private keys in all time periods from time period 1 to time period 7, which costs 0.007 ms. Thus, lazy update achieves higher efficiency than one-by-one update.
3) Auditing phase. We evaluate the computation costs of the three processes in the auditing phase with different numbers of challenged data blocks. In our experiment, the number of challenged data blocks increases from 100 to 1,000 in steps of 100. Figs. 8, 9 and 10 illustrate that the computation costs of the three processes are proportional to the number of challenged data blocks. The computation costs of challenge generation and proof generation in our scheme and the schemes [23], [43] are approximately equal. In the proof verification phase, our scheme and the scheme [23] require more computation cost on the cloud side than the scheme [43]. In data integrity auditing, both the TPA and the cloud have abundant computation resources. Therefore, the computational efficiency on the user side is the main concern in our scheme. The experimental results show that our scheme has better efficiency on the user side and performs well in the private key update phase, which means that the user only needs to perform lightweight computations to update his private key.

CONCLUSION
In this paper, we explore how to address the key exposure problem in identity-based data integrity auditing. We propose a novel and efficient identity-based data integrity auditing scheme with key-exposure resilience for cloud storage. In this scheme, even if the malicious cloud obtains the user's private key in a certain time period, the auditing tasks in other time periods can still be performed. The security proof and the performance analysis show that the proposed scheme is secure and efficient.

Fig. 3. The workflow of update information generation, key update, authenticator generation, and data integrity auditing.

Theorem 3 (Detectability). Assume $n$ data blocks are stored in the cloud and $u$ data blocks are corrupted in the proposed scheme. If $c$ data blocks are challenged by the TPA, the cloud's misbehavior can be detected with probability at least $1 - (\frac{n-u}{n})^c$.
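The detection bound of Theorem 3 worked through as an added example, not code from the paper: it compares the bound $1 - (\frac{n-u}{n})^c$ with the exact probability for a challenge set $S$ of $c$ distinct indices (hypergeometric, never below the bound), and finds the smallest $c$ that reaches a target detection probability. The inputs in the test are constructed, and the function names are hypothetical.

```python
"""Detection probability of Theorem 3, as an added example (not the paper's code).

The bound 1 - ((n-u)/n)^c corresponds to c challenged indices drawn with
replacement. The TPA's challenge set S is a subset of c distinct indices, so the
exact detection probability is hypergeometric and is never below the bound.
All inputs are constructed; n, u and c follow the page's notation.
"""
from math import comb


def detection_bound(n, u, c):
    """Lower bound from Theorem 3: 1 - ((n - u) / n)^c."""
    return 1 - ((n - u) / n) ** c


def detection_exact(n, u, c):
    """P[at least one of c distinct challenged blocks is corrupted]."""
    if u == 0:
        return 0.0
    if c > n - u:  # more challenged blocks than intact ones: detection is certain
        return 1.0
    # P[miss] = C(n-u, c) / C(n, c): all c challenged blocks are intact
    return 1 - comb(n - u, c) / comb(n, c)


def min_challenge_size(n, u, target):
    """Smallest challenge size c whose exact detection probability reaches target.

    Returns None if even c = n does not reach the target (only when u == 0).
    """
    for c in range(1, n + 1):
        if detection_exact(n, u, c) >= target:
            return c
    return None
```

For a file of 10,000 blocks with 1% corrupted, a target of 99% detection needs a challenge of roughly 450 blocks, which is the range of c the experiments in this section sweep.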

Fig. 7. The time of different private key update strategies.

Fig. 4. Computation cost in the phase of authenticator generation.
2) Discrete Logarithm (DL) Problem: Given $g, g^x \in G$, where $x \in Z_p^*$ is unknown, generate $x$. The DL assumption in $G$ holds if it is computationally infeasible to solve the DL problem in $G$ [46].
3) Computational Diffie-Hellman (CDH) Problem: Given $g, g^x$ and $g^y \in G$, where $x, y \in Z_p^*$ are unknown, generate $g^{xy} \in G$. The CDH assumption in $G$ holds if it is computationally infeasible to solve the CDH problem in $G$ [47].

TABLE 3. The Comparison of Computation Cost for Different Entities of Our Scheme and Wang et al. Scheme [18]

TABLE 4. The Comparison of Communication Cost of Our Scheme and Wang et al. Scheme [18]