attribute-based user revocable data integrity audit for

Research ArticleAttribute-Based User Revocable Data Integrity Audit forInternet-of-Things Devices in Cloud Storage

Yaowei Wang 12 Chen Chen 3 Zhenwei Chen 3 and Jiangyong He 4

1School of Telecommunications Engineering Xidian University Xirsquoan 710071 China2School of Communications and Information Engineering Xirsquoan University of Posts and TelecommunicationsXirsquoan 710121 China3School of Cyberspace Security Xirsquoan University of Posts and Telecommunications Xirsquoan 710121 China4National Engineering Laboratory for Wireless Security Xirsquoan University of Posts and Telecommunications Xirsquoan 710121 China

Correspondence should be addressed to Chen Chen alchen67163com

Received 6 August 2020 Revised 16 September 2020 Accepted 5 October 2020 Published 21 October 2020

Academic Editor Ximeng Liu

Copyright copy 2020 YaoweiWang et al+is is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Mobile crowdsensing (MCS) is a sensing paradigm exploiting the capabilities of mobile devices (Internet-of-+ings devicessmartphones etc) to gather large volume of data MCS has been widely used in cloud storage environment However MCS oftenfaces the challenge of data integrity and user revocation issues To solve these challenges this paper uses attribute-based revocablesignature mechanisms to construct a data integrity auditing scheme for IoT devices in the cloud storage environment Users useattribute private keys to generate attribute signatures and limit the userrsquos permission to use shared data through access policycontrol Only when the user attribute is included in the global attribute set and the attribute threshold is not less than the specifiednumber the user can use the attribute key for the data to generate a valid signature that can be authenticated under the control ofthe signature strategy At the same time the group manager (GM) can send secret information to a third-party auditor (TPA) totrack the creator of the signature to withdraw the userrsquos access to data when the business changes and realize the safe revocationof user group membership Formal security analysis and experimental results show that the proposed data-auditing solution issuitable for IoT devices in the cloud storage environment with respect to security and performance

1 Introduction

With the widespread use of MCS systems exemplified byInternet-of-+ings (IoT) and mobile communication de-vices [1] the way users collect and use data has graduallybecome more diverse While the portable terminal bringsconvenience to usersrsquo work and life [2ndash5] it also has certainlimitations such as limited storage space difficulty inachieving data synchronization between different terminaldevices and the immediacy of accessing data which makesdata cannot be fully utilized In order to improve userrsquos workefficiency improve data utilization rate and reduce localdata management and maintenance costs the cloud storagetechnology has been promoted

Because the storage service provider is not completelytrusted the data entrusted by the user to the third-party

storage have potential security risks [6ndash12] such as thedeletion of data with low usage rates the fact that the datawere damaged due to attacks is concealed storage does notmeet user requirements and data are maliciously leaked+erefore the proposed data integrity auditing technologycan help users to ensure that the integrity and availability ofdata are not damaged when using incompletely trusted cloudstorage services thereby better monitoring the data storagestatus For example in 2019 Alibaba Cloud went down dueto server failure which led to a large area of paralysis of theAPP and website produced by the company that entrustedthe software business to Alibaba Cloud resulting in userbusiness losses In case of such losses for solve the problemsin time users hope to get timely problem feedback from theservice provider However if the service provider deliber-ately conceals the loss the userrsquos interests will be damaged

HindawiSecurity and Communication NetworksVolume 2020 Article ID 8837456 10 pageshttpsdoiorg10115520208837456

+erefore to ensure the security of cloud storage servicesone of the urgent problems is to propose more efficientmechanisms to resist security threats

+e use of data is no longer limited to a single user Inmany cases the data will be shared in a specified work areafor multiple users to access For this type of sharing scenariousers also face many security threats such as abuse of useraccess rights malicious collusion between revoked users andstorage causes collusion attacks on data dynamic datamodification issues and user privacy leaks Adding an ef-fective user authority grant mechanism to the auditingscheme can ensure secure data access from the perspective ofusers and service providers While effectively ensuring thesecurity of data it can also ensure that the legitimate rightsand interests of data users are not infringed

When hackers attack the server they can directly obtainthe data stored in the cloud for illegal transactions Forexample as much as 87GB of user data stored by MEGA acloud storage service provider has been leaked Accordingto the amount of data leaked this data leakage event hasbecome the largest security accident in history Hackersattacked the servers of MyHeritage and other websites toobtain user information resulting in up to 617 millionprivate data being sold on the dark Internet +e userpassword stored in Facebook plaintext is also publiclyviewed by the companyrsquos employees and the userrsquos privacy isgone and the unencrypted data are likely to be directly usedto cause user losses All kinds of examples show thatrestricting the access rights of users and storing the data onthe third-party server after encryption can better protect ourkey data

11 Related Work With the development of science andtechnology the increasingly changing way of work putsforward higher requirements for the function and security ofcloud storage services In addition to solving the data storageproblems of users cloud storage services are expected tomeet the needs of users to access data anytime anywhere+e cloud storage service needs to ensure that the data storedin the server are not modifiable by either the cloud server orthe users sharing the data without the userrsquos permissionHowever the data stored in the third party cannot be underthe supervision of users all the time On the one hand it doesnot meet the actual situation on the other hand it wastes toomuch resources thus losing the significance of using cloudstorage services +erefore with the development of cloudstorage technology an efficient and low-cost audit schemefor data integrity of cloud storage has become one of the hotissues in this field

Today the data storage will be more flexible with thescale of data access If we only rely on the DO (data owner) toaudit the integrity of data is not conducive to the devel-opment and use of cloud storage services and with theincrease of data volume the audit burden of the DO will beincreased especially for users with limited computing powerand resources At this time we can reduce the DO burdenand improve the audit efficiency by dispersing the auditwork Considering the actual situation more local cases have

proposed a new form of data integrity audit that is the auditwork is entrusted to the outside which is called public auditIn 2007 Ateniese et al proposed an original public auditmodel based on RSA homomorphism markers [13] +everifier only needs to store a small amount of raw data toverify the integrity of the data stored on the server +escheme can realize remote verification of data integrity byrandom sampling of data blocks which improves the reli-ability of audit and reduces the audit burden of users In2010 the public audit scheme [14] proposed byWang et al isbased on homomorphic authenticator and random masktechnology which not only realizes the third-party audit(TPA) batch audit but also ensures that TPA cannot obtainany information about the data in the process of auditingdata In recent years there is also about the use of blockchainto achieve the audit of Internet-of-+ings [15ndash17] data in thecloud storage environment

+e proxy re-encryption technology [18] used in thescheme proposed by Ateniese et al can control the autho-rized decryptorrsquos decryption authority on the ciphertext sowhen the business changes the decryptorrsquos decryption au-thority on the ciphertext can be recovered further ensuringthat the ciphertext can only be decrypted by the designateduser To achieve secure user revocation Jiang et al con-structed a new data audit scheme [19] against collusionattack by using the group signature technology with goodfunctions and data-processing mechanism +is schemesolved the potential collusion attack problem in the scheme[20] constructed by Yuan et al and realized the good at-tributes of audit disclosure In the scheme PandaWang et al[21] proposed to let cloud sign data instead of users sup-porting batch audit and user revocation +en the relevantrevocation scheme [22ndash24] which combines attribute-basedencryption (ABE) [25] and proxy re-encryption technologyis proposed We call it revocable attribute-based encryption(R-ABE) here Sahai et al used an attribute-based encryptionscheme [26] to construct the scheme of user revocation Inthis scheme cryptograph delegation technology and doubleABE are used to allow CSP to be responsible for updatingcryptograph [27] +e attribute authorization center holdsthe private key and the update key used for indirect revo-cation +e validity of the update key is determined by itsown effective time and the update key only performs keyupdate operations for users who are not revoked Howeverdue to the need to use two ABE schemes in its constructionthis kind of revocation method is inefficient and not suitablefor a large number of frequently updated application sce-narios As an improvement of this kind of scheme in scheme[28] to improve the efficiency of CSP update a new accessmechanism is used to replace the time-based update key inthe R-ABE scheme which saves the process of entrusting thekey to CSP +e data owner (DO) stores the original ci-phertext to the CSP during the revocation period If there is aciphertext query beyond this revocation period CSP willsend the ciphertext that takes effect within the currenttime limit to the legitimate inquirer As long as the usermeets the access policy and revocation time limit specifiedby the DO the ciphertext can be decrypted by the user+is scheme combines identity-based encryption (IBE) and

2 Security and Communication Networks

time-encoding mechanism to achieve fine-grained accesscontrol and data sharing [29ndash31] Inspired by such userrevocation schemes some attribute-based user revocabledata integrity audit schemes have been proposed [24]

In 2017 Yu et al proposed an attribute-based clouddata audit protocol [32] to complete the check of datastatus while achieving efficient key processing +e dataare uploaded to the cloud by the user but the so-calledattributes are needed for the subsequent identification ofthese data providers by the cloud +is is done by thespecifier Tian et al ensure the anonymity of users whenauditing data integrity artificially prevent the third partyfrom inferring the identity information of data ownersfrom the inspection program propose a new concept ofcloud data integrity audit based on attributes [33] so as toeasily realize the anonymity of users and propose thesecurity model of such system Yan et al proposed a novelremote data-holding test scheme [34] Based on theoriginal remote data-holding checking (RDPC) protocolwe can prevent forgery attack and realize dynamic dataupdate Fu et al proposed a privacy audit scheme NPP[35] which supports the privacy protection of multipleparties in the group and realizes effective user revocation+e new data structure designed based on binary tree caneffectively track the change of data At the same time theTPA in this scheme needs to obtain the authorization ofGM when checking the data of the cloud server whichmakes CSP resist the malicious audit request to a certainextent to ensure the effectiveness of CSP work

Cloud storage service not only provides users withconvenient data usage [36] but also makes users unable tomaster the absolute control of data +erefore it is veryimportant to provide an effective CSP supervisionmechanism for improving usersrsquo trust in cloud services+e integrity verification technology of data has been oneof the hot issues in the field of information security sinceits birth Considering that in reality cloud storage serviceusually has complex application scenarios such as mul-ticloud remote access and duplicate data storage inwhich user data sharing can help promote the use of CSP+e existing cloud storage data integrity audit schemewith user revocation attribute is suitable for sharing databetween remote data access and group users face hasstrong practicability +erefore our main direction in thisscheme is user security revocation in data integrity auditscheme

12 Our Contribution In order to achieve an efficient auditof user security while ensuring data integrity our scheme hasthe following contributions

(i) Public audit a trusted third-party organization isentrusted with strong computing power to monitorthe storage status of the data stored by CSP

(ii) Correctness it can effectively verify whether thedata stored in the cloud server are correctly storedand can effectively supervise the storage behavior ofCSP

(iii) Access control only users who meet the specifiedattribute policy can access the shared data

(iv) Secure user revocation the revoked user cannotpass identity verification and cannot access ormodify shared data for dynamic operations

(v) Traceability if a user abuses data or poses a threat todata security the userrsquos identity can be identifiedand the userrsquos true identity can be tracked

13 Organization +is paper is organized as follows Sec-tion 1 describes the research background and related workSection 2 introduces the research content of this paperSection 3 describes the professional basic knowledge used inthis paper Section 4 elaborates the details of the planSection 5 has carried on the security proof to the proposedscheme In Section 6 the scheme is compared and simulatedSection 7 summarizes the whole work

2 Problem Statement

21 System Model As shown in Figure 1 the entities in-volved in this scheme are cloud storage service provider(CSP) cloud storage service consumer third-party auditor(TPA) and key generation center (KGC) and a user groupwith various memberships +e specific functions anddefinitions of each party are as follows

(i) CSP it provides outsourcing data calculation andstorage services for user groups and verifies groupmembersrsquo identity when group members accessdata When the user needs to verify the data storagestatus data integrity data are generated and sent tothe TPA for verification of the data integritycertificate

(ii) TPA it verifies the data integrity certificate gen-erated by CSP saving the user data audit burden

(iii) Users it refers to users who need cloud services bypurchasing cloud services and the data storagework is entrusted to the cloud server for execution

(iv) KGC it is responsible for generating parameters forthe system and generating attribute keys for allusers

22 Security Model +e security threats we considered inthis scheme mainly are as follows

(i) Semitrusted CSP the CSP may not faithfully reportthe data storage status to the user and maliciouslycover up data damage or loss

(ii) Revoked user the revoked user colluded with theCSP using the expired signature concealed the truemodification of the data and conducted a collusionattack on the database

(iii) +ird-party auditor TPA may be honest but curi-ous If the privacy of user identity is not anony-mously protected TPA is likely to analyze the useridentity and user data information

Security and Communication Networks 3

23 Security Definition A game is constructed that existsbetween the adversary A and the challenger B and thesecurity of the scheme proposed in this chapter is provedthrough the operation of the game+e details are as follows

(1) System setup phase the challenger runs the systemsetup algorithm obtains the system public param-eters and sends it to the adversary It keeps themaster key msk and user revocation list

(2) Query phase in the query phase the adversary willperform hash query key query signature query andquery of the generated proof

(i) Hash query (queryH1 and queryH2 respectively)through these two types of query adversaries theobtained information such as user attributes andsignature policies can be converted into elementson +e challenger separately generates a query listto observe the challenge from the adversary

(ii) Key query the identity and related attribute setare input and the challenger generates therelevant key to send to the A

(iii) Signature query the A asks about the signatureon the message and runs the algorithm togenerate σ and send it to A

(iv) Proof query the data integrity proof is obtainedfrom CSP and the proof audit message andsignature are sent to TPA for data integrityverification

(3) Forgery phase the adversary outputs a tuple con-taining elements such as forged signatures and dataintegrity proof If it can pass the verification thegame is aborted and the adversary wins

If A can win the game with negligible advantage ε thenthe scheme is security

3 Preliminaries and Complexity Assumption

31 Notations +e main notations used in this paper areshown and explained in Table 1

32 Bilinear Groups Let G andGT are two multiplicativecyclic groups of prime order p e is a bilinear [37] map G times

G⟶ GT with the following properties

(i) Bilinearity for all u v isin G and a b isin Zpe(ux vy) e(u v)xy

(ii) Nondegeneracy e(g g)ne 1(iii) Computability there is an effective algorithm to

compute bilinear maps e

33 Computational DiffiendashHellman Problem G is defined asa cyclic group of prime order [38 39] g is the generator of Ggiven ga gb isin G a bisinRZlowastp and the probability of gab cal-culated by the adversary A in polynomial time is negligiblethen there is advCDHA [A(ga gb) gab]le ε

34 Revocable Signature Based on Attribute In attribute-based signature (ABS) users sign messages using any of theirattribute predicates published from the attribute authorityUnder this concept the signature is not to prove the identityof the person signing the message but to declare theproperties owned by the underlying signer In ABS even ifmalicious users collude with each other to synthesize at-tributes that can generate effective signatures users cannotforge signatures with attributes that they do not have

Users get secret key from GM according to their attri-butes and choose signature strategy that meets the attributerequirements+rough the secret key users can calculate thedata signature based on this signature strategy +e verifierwill not get any information about identity or attributeswhen verifying the userrsquos signature and just need to verifythe attributes to meet the signature policy In this section wewill describe in detail the four main algorithms of thissignature scheme [40] as follows

(i) KeyGen(idΔmsk params)⟶ (ski SKidΔRL)the user identity and attributes are input the mskand parameters generated during system initiali-zation are input and the user private key and global

TPA

CSPData flow Audit message

Proof

Audit requestAudit response

Revoked user GM

User

User

Key

distr

ibut

ion

KGC

Figure 1 System model


private key as well as the user revocation list areoutput

(ii) Sign (MΦ c SKidΔ params)⟶ (σ) the userglobal property collection is set When the userproperty belongs to this collection the data sig-nature is generated according to the user privatekey

(iii) Verifyσ miΔ c⟶ (1perp) the validity of the sig-nature is verified Output verification can be rep-resented by 1 or not by perp

(iv) Revoke (listid rk)⟶ (id kid) the revoked useridentity is restored and RLis joined

35 9reshold Strategy Assuming that (Δ cΦ) is athreshold strategy let Delta be a set containing n attributesand the threshold is c then Δ A|AsubeΔ |A|le c1113864 1113865 at leasthaving c attributes in the attribute set

36 Automorphic Signature In the signature generationprocess the scheme embeds the verification key in themessage space and the data and signature in the messagespace are considered to be composed of elements in thebilinear group Such a signature scheme [41 42] is calledautomorphic signatures (ASs) +e signature validity veri-fication on the message data is verified by a set of pairedproduct equations +e self-constructed signature con-structed based on the CDH hypothesis can resist the chosen-message attack (CMA) from adaptive adversaries We givethe general structure of the self-constructed signaturescheme as follows

(i) Setup it is supposed that there is a quintuplecomposed of bilinear group elementstuple (e g G GT p) At the same timeG⟶ (x y z) is selected and a data space D

(Wd Vd) composed of data is defined whered isin Zp

(ii) KeyGen h isin Zp is selected to calculate the privatekey k gh

(iii) Sign the data di isin D to be signed are input therandom number s r⟶ Zp is selected and thesignature is calculated as σ ( B 1113936 y middot x middot di1leilen1113864 11138651h+s E gs Q xs T gr I xr)

(iv) Verify it is verified that the signature σ generated inthe previous step meets the following three verifi-cation equationse(B h middot E) e(y middot d g)e(z middot gr) e(E x)

e(g Q) e(gr x) e(g xr) to determine the validityof the value

4 Scheme Construction

41 Scheme Framework +e construction of this schemeincludes setup key generation signature proof generationverification user security revocation and so on +e basicdefinition of the algorithm is as follows

Setup(1λ)⟶ (paramsmsk ξp) the algorithm inputsthe security parameter λ and the output is the publicparameter and the master key of the system In addi-tion it generates the secret value ξp about the userrsquosrevocation +is step is completed by the attributeauthorization centerKeyGen (idΔmsk params)⟶ (ski SKidΔRL) inthis algorithm the attribute authorization center takesthe user identity id and the associated user attribute setΔ the system parameters params and the master keymsk which was generated in the system initialization asthe algorithm input outputs the user private key ski

and the global attribute private key SKidΔ after cal-culation and stores them together with the list RL usedto judge the user revocationSign (MΦ c SKidΔ params)⟶ (ci αi σ) this al-gorithm takes data M user attribute domain Φ at-tribute threshold κ global private key SKidΔ and publicparameters as input and then outputs commitmentvalue ci and corresponding attribute proof αi and theuserrsquos signature σ on data through calculationProof (σ M)⟶ (Λ) the algorithm inputs data andsignature and then generates a data integrity proof ΛVerify (Λ)⟶ (1perp) it inputs the data integrity proofand verifies the data storage status by equationRevoke (listid rk)⟶ (id kid) taking the identity listlistid containing the userrsquos identity information and therevocation key rk as input the userrsquos real identity can betraced for revocation of the userrsquos identity

42 A Concrete Scheme +e main work of this section is tointroduce the algorithms in the attribute-based user revo-cable integrity audit scheme +e details of the algorithmsare as follows

(1) Setup the attribute authorization center first gen-erates a 5-tuple β (n G GT e g) for the systemwhere e is a bilinear map e G times G⟶ GT LetG andGT be two bilinear groups p and q are primenumbers with bit size ϑ(λ) and satisfy the

Table 1 Main notations in this paper

Notations Descriptionξp Userrsquos revocation secret valuerk Revocation keymsk Master private keyparams Public parametersΦ Attribute domainski Userrsquos private keySKisΔ Global private keylistid User information tableΔprime Minimum authorized set of attributesAM Audit messagek Attribute thresholdci Commitment valueσ Userrsquos signatureΛ Data integrity proof


relationship n pq Randomly selectθisinRG πisinRGq g isin G ρ isin Zn Use the hash functionH1 H2 0 1lowast ⟶ G and our scheme can be ex-tended to support any element in G Let the revo-cation key be rk ξp isin Zn +is key satisfies therelationship ξp 0modq and ξp 1modp Run theautomorphic signature generation algorithm togenerate the system master key msk (ρ skau) +epublic-private key pair of the signature is(skau pkau) +e final parameter isparams (β g1 π π1 θ H1 H2 pkauΔ)

(2) KeyGen let user attribute be ati +e attribute set Δ iscontained in the attribute domain Φ Select the el-ement εid isin G ri isin Zn and then generate a auto-morphic signature σεid Compute the userrsquos privatekey as ski (ΓiΥi) (H1(ati)

ρεri

id) gri ) +e globalprivate key is SKisΔ (εid σεid skidatiisinΔ) +e useridentity id and secret value εid are stored in the userinformation table listid

(3) Sign the user inputs data M (m1 mn) attri-bute set Δ private key ski and public parameterparams+e attribute ati isin Φ owned by the user is setas the minimum authorized set of attributes as Δprimeand the number of matching attributes in ΔcapΦ is setas the threshold c +e signature generation followsthe following steps

(i) Choose zi isin Zn ati isin Δprime when xi 1 andati notin Δprime when xi 0 Calculate the commitmentvalue ci (H1(ati)θ)xiπzi about xi and relatedproof ωi ((H1(ati)θ)2ximinus 1ϕzi )zi

(ii) Set z 1113936atiisinΦzi select tisinRZn and computeHm H2(MΦ c)and σ1 (1113937atiisinΔΓi)(H2(MΦ c))tπz

1εrprimeid σ2 gt σ3 1113937atiisinΔprimeGig

rprime (iii) Output signature σ (σ1 σ2 σ3 (ci αi)atiisinΔ

εi d σεid)

(4) Proof the auditor chooses i isin Isube[1 n] and therandom element k isin Zlowastq Output audit messageAM i ki1113864 1113865iisinI and send it to CSP CSP computesmprime 11139361lejlenεjmjσ1prime 11139371lejlen(σi1)

εj σ2prime 11139371lejlen1113966

(σi2)εj atiisinΔprimeσ3prime 11139371lejlen(σi3)

εj1113966 1113967atiisinΔprime Output

Λ (mprime σ1prime σ2prime σ3prime)(5) Verify the elements in the proof are parsed and

input into equation e(σ1 g) e(θc1113937atiisinΦci g1)

e(Hm σ2)e(com(εid) σ3)e(h ασ) for verification Setcom(εid)ξp εξp

id

(6) Update if the data change m⟶ mprime the signatureon the data needs to be recalculated Update Hm

H2(MprimeΦ c) to generate a new signature

(7) Revoke the attribute authorization center sends therevocation key rk εp to a specific user such as thegroup manager to revoke the userrsquos authority andtakes the public parameters user signature σ and thetable listid corresponding to the secret value ξp anduser identity as the algorithm input if com(εid)ξp

εξp

id is established +is user identity can be suc-cessfully tracked Add the user information to the

revocation list RL to realize user revocation +eattribute verification formula is e(ci ci(Hi

(ati)θ)) e(ρ α)

5 Correctness and Security Analysis

Theorem 1 When the TPA sends an audit message to thecloud server if the audit response returned by the CSP can beverified by the following equation it means that the CSP hasachieved the correct storage of data

Proof +e correctness of the storage can be verified by thefollowing equation

e σ1 g( 1113857 e 1113945atiisinΔΓi g⎛⎝ ⎞⎠e H

tm g1113872 1113873 middot e Hm σ2( 1113857e

middot com εid( 1113857 σ3( 1113857 middot e h ασ( 1113857

e θc1113945atiisinΔ1

H1 atρi( 1113857

θ g⎛⎝ ⎞⎠ middot e Hm g

t1113872 1113873e

middot com εid( 1113857rprimecom εid( 1113857

ri g1113874 1113875e 1113945atiisinΔ1

H1 atρi( 1113857

θ middot πz g

⎛⎝ ⎞⎠


ci g⎛⎝ ⎞⎠e Hm σ2( 1113857 middot e σ3 g( 1113857e πσ h( 1113857

e θc1113945atiisinΦ

ci g1⎛⎝ ⎞⎠ middot e Hm σ2( 1113857e

middot com εid( 1113857 σ3( 1113857e h ασ( 1113857

(1)

When the equation is established it shows that CSP hascompleted the correct storage of data and the data are storedby the authorized user entrusted to CSP

Theorem 2 Considering the data security in the attackscenario of choosing message and signature strategy we useCDH hypothesis to construct data integrity verificationscheme so as to ensure that the adversary cannot pass thelegal authentication and damage the data in this scheme withthe forged evidence

Proof Assuming that there is a polynomial time algorithmB we can solve the CDH problem on G by interacting withthe adversary +at is when there is a generatorgp g]

p gιp1113966 1113967 isin G where gp is the generator of G calculate

the value of g]ιp +is shows that the adversary A can suc-

cessfully forge user signature to obtain data operation au-thority through authentication

Game 0 the main stage of this game is the challenge-response parameter generation and correct parameterdistribution Select the generator h in G Randomly


select element (r1 r5) isin Zq Let user attributedomain Φ and automorphic signature public-privatekey pair (skau pkau) Set g1 g]

phr2 g2 gιphr4 satisfy

the following relationship

e g1 h( 1113857 e g]ph

r2 h1113872 1113873

e hr1 h

r2r11113872 1113873

e gphr11113872 1113873

e g h1( 1113857

(2)

Finally send the parameter params to the adversaryGame 1 in this game stage the query operation ismainly initiated by AQH1

entering the user attribute in the function H1 canconvert the value into an element in G so as to facilitatesubsequent verification calculations Take ati as inputand run H1 query +e query list listH1

sends the queryresponse ati ci xi1113864 1113865 as output to A +e probability ofxi 1 is recorded as τ1 Compute H1(ati) g

ci

2 Whenxi 0 H1 gci is calculatedQH2

the function H2 is used to transform the data andits signature strategy into elements in G to facilitatesubsequent verification Take (MΔ c) as input andrun H2 query If the item is detected in the query listlistH2

the element sisinRZn is randomly selected and(MΔ c s) is output as a query response and sent to AIf not H2(MΔ c) gs is calculated and stored inlistH2

together with (MΔ c s)Qkey adversary A wants to get the userrsquos private keygenerated based on the userrsquos attribute A queries thekey through B When xi 0 B selects μisinRZn Whenxi 1 B selects μ μprimeisinRZlowastn and computes εid gμgμprime At the same time listH1

takes the ati ci xi1113864 1113865 item as theoutput to parse out the commitment information ci+e user private key can be obtained asski ((g

ci

2 )minus μμprimecri

id gri gminus ciμprime)Qsign in B after obtaining cid the userrsquos signature σ onthe data can be obtained according to the entriesqueried in listH2

and listH1

Qproof the adversary selects signature and challengevalue to send to B for proof query and B generatesintegrity proof Λ (mprime σ1prime σ2prime σ3prime) sends it to theadversaryGame 2 the adversary attempts to forge the validsignature of the legitimate user and generate integrityevidence based on the signature A has tuples(MprimeΔprime cprime σprime) where σprime is the forged signature of dataMprime under access policy (Δprime cprime) If the signature is validthen equation e(ci ci

prime(Hatiθ)) e(ρ αi) holds +at is

A traverses the list listH1 listH2

listHkey obtains

H1(ati) gci

2 H2(MΔ c) gs and calculatesgμιp [(σ1primeσminussprime

2 σminusμprime3 )δp g

πcip ]1c

We assume that A can compute the probability of gμιp as

advCDHλ |Pr(MΔ c σ) minus Pr(MprimeΔprime cprime σprime)|le ε +at is tosay A can break the security with the advantage of ε In thiscase our scheme is secure and can resist signature forgeryattacks from adaptive adversaries

6 Performance Analysis

In this section we compare the computational cost of thispaper with other data integrity audit papers [21 32] Asshown in Table 2 when calculating the cost of each stage ofthe comparison scheme in order to make the descriptionmore concise and clear we will use M to represent themultiplication on the multiplicative cyclic group P torepresent the pairing operation H to represent the hashoperation and E is used to express exponential operation r

represents the number of revoked users and n represents thenumber of data blocks +e analysis of the computationalcost of each stage in the plan mainly revolves around fouroperations multiplication pairing hash and exponent +eexperimental environment of this program is a PC withIntel(R) i5-7300HQ CPU25GHz processor and 8Gmemory +e Java programming language is used to sim-ulate the algorithm time of the program +e code-writingplatform is Eclipse and is based on the Java Pairing BasedCryptography Library (JPBC) library [43] selects a class Aelliptic curve for the simulation test of the efficiency of thescheme

As shown in Figure 2 the main computational overheadin the data integrity proof generation phase comes from thecomputational storage of the audit message (AM) +ecomputational cost of this scheme at this stage is2P + 5M + 2H + 3E Compared with the other two schemesit is proved that the cost of generation is related to the size ofdata block Our calculation cost at this stage is constant andwill not be affected by the size of data+erefore it is suitablefor large-scale proof generation greatly reducing the cost ofproof

As shown in Figure 3 here we use r to represent thenumber of users who have been revoked Under the as-sumption that the number of users is r the user revocationtime is tested Since scheme [32] does not include userrevocation function our comparison in revocation phase isonly compared with scheme [21] +e computational cost ofrevoking a single userrsquos operation is constant but when thenumber of users increases the efficiency of this scheme issignificantly higher than that of scheme [21] At this stageour calculation cost can be recorded as r(E + 2P)

As shown in Figure 4 the cost of the phase in theverification proof does not change with the number of datablocks in the data sequence and the verification time in this


stage is constant Compared with the scheme [21 32] theefficiency of our scheme has also been improved in the dataintegrity verification stage +e calculation cost of thisscheme at this stage can be recorded as H + 5P

7 Conclusion and Future Work

+e main discussion in this paper is a user revocable at-tribute-based data integrity audit scheme Compared withthe scheme of completely anonymous user identity thisscheme can break the anonymity of user signature whennecessary and can be applied to the place where users do notwant to be completely anonymous and the scheme has thefunction of public audit In addition this scheme uses at-tribute-based signature to realize flexible access permission-granting mechanism and realizes the unforgeability ofsignature to resist collusion attack from revoked users

As the demand for cloud storage services becomes moreandmore diverse more andmore data security problems areexposed so we propose the following research directions asthe next research content

9e Authorization Verification of TPA In the process of dataintegrity audit users entrust a third party to handle the dataverification After receiving the audit challenge from theTPA the CSP sends a response to send the calculated datacertificate to the TPA but if the application of the TPA is notauthorized it will cause a waste of CSP resources +e in-troduction of the third-party audit saves the extra audit costof users and realizes the efficiency of the audit work with itsown more professional ability However in order to preventthe CSP server from being attacked by DDOS initiated by

WangOur scheme

10 20 30 40 50 600e number of revoked users

0

1

2

3

4

5

6

7

8

9

10

Revo

catio

n tim

e (s)

Figure 3 Revocation time

YuWangOur scheme

100 200 300 400 500 600 7000e number of data blocks

0

10

20

30

40

50

60

70

80

90

100

Verifi

catio

n tim

e (m

s)

Figure 4 Verification time

Table 2 Functionality comparison

Scheme Yu et al [32] Wang et al [21] Our schemeProofGen (3 + n)M + H n(M + H) 2P + 5M + 2H + 3E

Verify 3P + M + E 3E + 2M + 4P + 2H H + 5P

Revoke mdash 2r(P + H + M + 2E) r(E + 2P)

YuWangOur scheme

100 200 300 400 500 600 700 8000e number of data blocks

0

1

2

3

4

5

6

7

8

Proo

f gen

erat

ion

time (

s)

Figure 2 Proof generation time


malicious TPA we need to consider an audit authorizationmechanism of TPA to limit its audit application

Data Batch Audit In practice there are multiple user groupsusing CSP services at the same time When multiple usergroups send audit requests to the same TPA TPA needs tohave the ability to process audit requests in batches +esolution of this problem can help users enhance theirconfidence in the reliability of cloud service applications andhelp developers better promote cloud computing servicesSo the problem of batch processing of data integrity auditrequest in cloud storage environment also needs furtherresearch

Data Availability

+e data used to support the findings of this study areavailable from the corresponding author upon request

Conflicts of Interest

+e authors have declared that no conflicts of interest exist

Acknowledgments

+is research was supported by the National Natural ScienceFoundation of China (grant nos 62072369 and 62072371)the Innovation Capability Support Program of Shaanxi(grant no 2020KJXX-052) the Key Research and Devel-opment Program of Shaanxi (grant nos 2019KW-053 and2020ZDLGY08-04) and the Natural Science Basic ResearchPlan in Shaanxi Province of China (grant no 2019JQ-866)

References

[1] Y Zhang R Deng E Bertino and D Zheng ldquoRobust anduniversal seamless handover authentication in 5G hetnetsrdquoIEEE Transactions on Dependable and Secure Computing2019

[2] S E Mensch and L Wilkie ldquoCell phone securityrdquo Interna-tional Journal of Strategic Information Technology and Ap-plications vol 9 no 3 pp 15ndash31 2018

[3] S Mensch ldquoCell phone security usage trends and awarenessof security issuesrdquo in Proceedings of the International Aca-demic Conferences Rome Italy November 2016

[4] A J Nicholson M D Corner and B D Noble ldquoMobiledevice security using transient authenticationrdquo IEEE Trans-actions on Mobile Computing vol 5 no 11 pp 1489ndash15022006

[5] M A Harris and K P Patten ldquoMobile device securityconsiderations for small- and medium-sized enterprisebusiness mobilityrdquo Information Management amp ComputerSecurity vol 22 no 1 pp 97ndash114 2014

[6] X Zhang H-t Du J-q Chen Y Lin and L-j Zeng ldquoEnsuredata security in cloud storagerdquo in Proceedings of the 2011International Conference on Network Computing and Infor-mation Security IEEE Guilin China pp 284ndash287 May 2011

[7] R V Rao and K Selvamani ldquoData security challenges and itssolutions in cloud computingrdquo Procedia Computer Sciencevol 48 pp 204ndash209 2015

[8] L M Kaufman ldquoData security in the world of cloud com-putingrdquo IEEE Security amp Privacy vol 7 no 4 pp 61ndash64 2009

[9] P Dinadayalan S Jegadeeswari and D Gnanambigai ldquoDatasecurity issues in cloud environment and solutionsrdquo inProceedings of the 2014 World Congress on Computing andCommunication Technologies pp 88ndash91 IEEE TrichirappalliIndia February 2014

[10] D Chen and H Zhao ldquoData security and privacy protectionissues in cloud computingrdquo in Proceedings of the 2012 In-ternational Conference on Computer Science and ElectronicsEngineering pp 647ndash651 IEEE Hangzhou China March2012

[11] A Sangroya S Kumar J Dhok and V Varma ldquoTowardsanalyzing data security risks in cloud computing environ-mentsrdquo in International Conference on Information SystemsTechnology and Management pp 255ndash265 Springer BerlinGermany 2010

[12] Y Zhang D Zheng and R H Deng ldquoSecurity and privacy insmart health efficient policy-hiding attribute-based accesscontrolrdquo IEEE Internet of 9ings Journal vol 5 no 3pp 2130ndash2145 2018

[13] G Ateniese R Burns R Curtmola et al ldquoProvable datapossession at untrusted storesrdquo in Proceedings of the 14thACM Conference on Computer and Communications Securitypp 598ndash609 Alexandria VA USA November 2007

[14] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the 14th 2010 IEEE INFOCOM IEEE SanDiego CA USA pp 1ndash9 March 2010

[15] C Machado and A A M Frohlich ldquoIOT data integrityverification for cyber-physical systems using blockchainrdquo inProceedings of the 2018 IEEE 21st International Symposium onReal-Time Distributed Computing pp 83ndash90 IEEE Singa-pore May 2018

[16] Y Zhang R H Deng X Liu and D Zheng ldquoBlockchainbased efficient and robust fair payment for outsourcing ser-vices in cloud computingrdquo Information Sciences vol 462pp 262ndash277 2018

[17] Y Zhang R Deng X Liu and D Zheng ldquoOutsourcingservice fair payment based on blockchain and its applicationsin cloud computingrdquo IEEE Transactions on Services Com-puting vol 5 no 1 pp 1939ndash1374 2018

[18] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to securedistributed storagerdquo ACM Transactions on Information andSystem Security vol 9 no 1 pp 1ndash30 2006

[19] T Jiang X Chen and J Ma ldquoPublic integrity auditing forshared dynamic cloud data with group user revocationrdquo IEEETransactions on Computers vol 65 no 8 pp 2363ndash23732015

[20] J Yuan and S Yu ldquoEfficient public integrity checking forcloud data sharing with multi-user modificationrdquo in Pro-ceedings of the IEEE INFOCOM 2014mdashIEEE Conference onComputer Communications pp 2121ndash2129 Toronto CanadaApril 2014

[21] B Wang B Li and H Li ldquoPanda public auditing for shareddata with efficient user revocation in the cloudrdquo IEEETransactions on Services Computing vol 8 no 1 pp 92ndash1062015

[22] S Yu C Wang K Ren and W Lou ldquoAchieving securescalable and fine-grained data access control in cloud com-putingrdquo in Proceedings of the 2010 IEEE INFOCOM pp 1ndash9IEEE San Diego CA USA March 2010

[23] K Yang X Jia and K Ren ldquoAttribute-based fine-grainedaccess control with efficient revocation in cloud storagesystemsrdquo in Proceedings of the 8th ACM SIGSAC Symposium


on Information Computer and Communications Securitypp 523ndash528 Hangzhou China May 2013

[24] M Li S Yu Y Zheng K Ren and W Lou ldquoScalable andsecure sharing of personal health records in cloud computingusing attribute-based encryptionrdquo IEEE Transactions onParallel and Distributed Systems vol 24 no 1 pp 131ndash1432012

[25] Y Zhang X Chen J Li D S Wong H Li and I YouldquoEnsuring attribute privacy protection and fast decryption foroutsourced data security in mobile cloud computingrdquo In-formation Sciences vol 379 pp 42ndash61 2017

[26] A Sahai H Seyalioglu and B Waters ldquoDynamic credentialsand ciphertext delegation for attribute-based encryptionrdquoLecture Notes in Computer Science vol 7417 pp 199ndash2172012

[27] J Ning Z Cao X Dong K Liang H Ma and L WeildquoAuditable σ-time outsourced attribute-based encryption foraccess control in cloud computingrdquo IEEE Transactions onInformation Forensics and Security vol 13 no 1 pp 94ndash1052018

[28] S Xu G Yang Y Mu and R H Deng ldquoSecure fine-grainedaccess control and data sharing for dynamic groups in thecloudrdquo IEEE Transactions on Information Forensics and Se-curity vol 13 no 8 pp 2101ndash2113 2018

[29] S Xu G Yang YMu and X Liu ldquoA secure IOTcloud storagesystem with fine-grained access control and decryption keyexposure resistancerdquo Future Generation Computer Systemsvol 97 pp 284ndash294 2019

[30] S Xu Y Li R Deng Y Zhang X Luo and X LiuldquoLightweight and expressive fine-grained access control forhealthcare internet-of-thingsrdquo IEEE Transactions on CloudComputing 2019

[31] S Xu J Ning Y Li et al ldquoMatch in my way fine-grainedbilateral access control for secure cloud-fog computingrdquo IEEETransactions on Dependable and Secure Computing p 1 2020

[32] Y Yu Y Li B Yang W Susilo G Yang and J Bai ldquoAt-tribute-based cloud data integrity auditing for secure out-sourced storagerdquo IEEE Transactions on Emerging Topics inComputing vol 8 no 2 pp 377ndash390 2020

[33] M Tian L Wang H Zhong and J Chen ldquoAttribute-baseddata integrity checking for cloud storagerdquo FundamentaInformaticae vol 163 no 4 pp 395ndash411 2018

[34] H Yan J Li J Han and Y Zhang ldquoA novel efficient remotedata possession checking protocol in cloud storagerdquo IEEETransactions on Information Forensics and Security vol 12no 1 pp 78ndash88 2016

[35] A Fu S Yu Y Zhang H Wang and C Huang ldquoNPP a newprivacy-aware public auditing scheme for cloud data sharingwith group usersrdquo IEEE Transactions on Big Data 2017

[36] J Ning X Huang W Susilo K Liang X Liu and Y ZhangldquoDual access control for cloud-based data storage and shar-ingrdquo IEEE Transactions on Dependable and Secure Computing2020

[37] D Boneh C Gentry B Lynn and H Shacham ldquoAggregateand verifiably encrypted signatures from bilinear mapsrdquoLecture Notes in Computer Science in IACR Cryptology ePrintArchive Springer Berlin Germany pp 416ndash432 2003

[38] J H Cheon and D H Lee ldquoDiffie-hellman problems andbilinear mapsrdquo IACR Cryptology ePrint Archive vol 1172002

[39] A Joux and K Nguyen ldquoSeparating decision diffie-hellmanfrom computational diffie-hellman in cryptographic groupsrdquoJournal of Cryptology vol 16 no 4 pp 239ndash247 2003

[40] A Escala J Herranz and P Morillo ldquoRevocable attribute-based signatures with adaptive security in the standardmodelrdquo in International Conference on Cryptology in Africapp 224ndash241 Springer Berlin Germany 2011

[41] M Abe G Fuchsbauer J Groth K Haralambiev andM Ohkubo ldquoStructure-preserving signatures and commit-ments to group elementsrdquo in Annual Cryptology Conferencepp 209ndash236 Springer Berlin Germany 2010

[42] G Fuchsbauer ldquoAutomorphic signatures in bilinear groupsand an application to round-optimal blind signaturesrdquo IACRCryptology ePrint Archive p 320 2009 httpeprintia-crorg

[43] A De Caro and V Iovino ldquoJPBC java pairing based cryp-tographyrdquo in Proceedings of the 2011 IEEE Symposium onComputers and Communications pp 850ndash855 IEEE KerkyraGreece June 2011


+erefore to ensure the security of cloud storage servicesone of the urgent problems is to propose more efficientmechanisms to resist security threats

+e use of data is no longer limited to a single user Inmany cases the data will be shared in a specified work areafor multiple users to access For this type of sharing scenariousers also face many security threats such as abuse of useraccess rights malicious collusion between revoked users andstorage causes collusion attacks on data dynamic datamodification issues and user privacy leaks Adding an ef-fective user authority grant mechanism to the auditingscheme can ensure secure data access from the perspective ofusers and service providers While effectively ensuring thesecurity of data it can also ensure that the legitimate rightsand interests of data users are not infringed

When hackers attack the server they can directly obtainthe data stored in the cloud for illegal transactions Forexample as much as 87GB of user data stored by MEGA acloud storage service provider has been leaked Accordingto the amount of data leaked this data leakage event hasbecome the largest security accident in history Hackersattacked the servers of MyHeritage and other websites toobtain user information resulting in up to 617 millionprivate data being sold on the dark Internet +e userpassword stored in Facebook plaintext is also publiclyviewed by the companyrsquos employees and the userrsquos privacy isgone and the unencrypted data are likely to be directly usedto cause user losses All kinds of examples show thatrestricting the access rights of users and storing the data onthe third-party server after encryption can better protect ourkey data

11 Related Work With the development of science andtechnology the increasingly changing way of work putsforward higher requirements for the function and security ofcloud storage services In addition to solving the data storageproblems of users cloud storage services are expected tomeet the needs of users to access data anytime anywhere+e cloud storage service needs to ensure that the data storedin the server are not modifiable by either the cloud server orthe users sharing the data without the userrsquos permissionHowever the data stored in the third party cannot be underthe supervision of users all the time On the one hand it doesnot meet the actual situation on the other hand it wastes toomuch resources thus losing the significance of using cloudstorage services +erefore with the development of cloudstorage technology an efficient and low-cost audit schemefor data integrity of cloud storage has become one of the hotissues in this field

Today the data storage will be more flexible with thescale of data access If we only rely on the DO (data owner) toaudit the integrity of data is not conducive to the devel-opment and use of cloud storage services and with theincrease of data volume the audit burden of the DO will beincreased especially for users with limited computing powerand resources At this time we can reduce the DO burdenand improve the audit efficiency by dispersing the auditwork Considering the actual situation more local cases have

proposed a new form of data integrity audit that is the auditwork is entrusted to the outside which is called public auditIn 2007 Ateniese et al proposed an original public auditmodel based on RSA homomorphism markers [13] +everifier only needs to store a small amount of raw data toverify the integrity of the data stored on the server +escheme can realize remote verification of data integrity byrandom sampling of data blocks which improves the reli-ability of audit and reduces the audit burden of users In2010 the public audit scheme [14] proposed byWang et al isbased on homomorphic authenticator and random masktechnology which not only realizes the third-party audit(TPA) batch audit but also ensures that TPA cannot obtainany information about the data in the process of auditingdata In recent years there is also about the use of blockchainto achieve the audit of Internet-of-+ings [15ndash17] data in thecloud storage environment

+e proxy re-encryption technology [18] used in thescheme proposed by Ateniese et al can control the autho-rized decryptorrsquos decryption authority on the ciphertext sowhen the business changes the decryptorrsquos decryption au-thority on the ciphertext can be recovered further ensuringthat the ciphertext can only be decrypted by the designateduser To achieve secure user revocation Jiang et al con-structed a new data audit scheme [19] against collusionattack by using the group signature technology with goodfunctions and data-processing mechanism +is schemesolved the potential collusion attack problem in the scheme[20] constructed by Yuan et al and realized the good at-tributes of audit disclosure In the scheme PandaWang et al[21] proposed to let cloud sign data instead of users sup-porting batch audit and user revocation +en the relevantrevocation scheme [22ndash24] which combines attribute-basedencryption (ABE) [25] and proxy re-encryption technologyis proposed We call it revocable attribute-based encryption(R-ABE) here Sahai et al used an attribute-based encryptionscheme [26] to construct the scheme of user revocation Inthis scheme cryptograph delegation technology and doubleABE are used to allow CSP to be responsible for updatingcryptograph [27] +e attribute authorization center holdsthe private key and the update key used for indirect revo-cation +e validity of the update key is determined by itsown effective time and the update key only performs keyupdate operations for users who are not revoked Howeverdue to the need to use two ABE schemes in its constructionthis kind of revocation method is inefficient and not suitablefor a large number of frequently updated application sce-narios As an improvement of this kind of scheme in scheme[28] to improve the efficiency of CSP update a new accessmechanism is used to replace the time-based update key inthe R-ABE scheme which saves the process of entrusting thekey to CSP +e data owner (DO) stores the original ci-phertext to the CSP during the revocation period If there is aciphertext query beyond this revocation period CSP willsend the ciphertext that takes effect within the currenttime limit to the legitimate inquirer As long as the usermeets the access policy and revocation time limit specifiedby the DO the ciphertext can be decrypted by the user+is scheme combines identity-based encryption (IBE) and












2 Problem Statement































TPA


Proof


Revoked user GM

User

User

Key

distr

ibut

ion

KGC


























ρεri







εi d σεid)








id




εξp



(ati)θ)) e(ρ α)





tm g1113872 1113873 middot e Hm σ2( 1113857e



H1 atρi( 1113857


t1113872 1113873e


ri g1113874 1113875e 1113945atiisinΔ1

H1 atρi( 1113857

θ middot πz g

⎛⎝ ⎞⎠






(1)












e g1 h( 1113857 e g]ph

r2 h1113872 1113873

e hr1 h

r2r11113872 1113873

e gphr11113872 1113873

e g h1( 1113857

(2)




ci






ci



and listH1




listHkey obtains

H1(ati) gci



πcip ]1c















WangOur scheme


0

1

2

3

4

5

6

7

8

9

10

Revo

catio

n tim

e (s)


YuWangOur scheme


0

10

20

30

40

50

60

70

80

90

100

Verifi

catio

n tim

e (m

s)






YuWangOur scheme


0

1

2

3

4

5

6

7

8

Proo

f gen

erat

ion

time (

s)





Data Availability




Acknowledgments


References

























































2 Problem Statement































TPA


Proof


Revoked user GM

User

User

Key

distr

ibut

ion

KGC


























ρεri







εi d σεid)








id




εξp



(ati)θ)) e(ρ α)





tm g1113872 1113873 middot e Hm σ2( 1113857e



H1 atρi( 1113857


t1113872 1113873e


ri g1113874 1113875e 1113945atiisinΔ1

H1 atρi( 1113857

θ middot πz g

⎛⎝ ⎞⎠






(1)












e g1 h( 1113857 e g]ph

r2 h1113872 1113873

e hr1 h

r2r11113872 1113873

e gphr11113872 1113873

e g h1( 1113857

(2)




ci






ci



and listH1




listHkey obtains

H1(ati) gci



πcip ]1c















WangOur scheme


0

1

2

3

4

5

6

7

8

9

10

Revo

catio

n tim

e (s)


YuWangOur scheme


0

10

20

30

40

50

60

70

80

90

100

Verifi

catio

n tim

e (m

s)






YuWangOur scheme


0

1

2

3

4

5

6

7

8

Proo

f gen

erat

ion

time (

s)





Data Availability




Acknowledgments


References



































































TPA


Proof


Revoked user GM

User

User

Key

distr

ibut

ion

KGC


























ρεri







εi d σεid)








id




εξp



(ati)θ)) e(ρ α)





tm g1113872 1113873 middot e Hm σ2( 1113857e



H1 atρi( 1113857


t1113872 1113873e


ri g1113874 1113875e 1113945atiisinΔ1

H1 atρi( 1113857

θ middot πz g

⎛⎝ ⎞⎠






(1)












e g1 h( 1113857 e g]ph

r2 h1113872 1113873

e hr1 h

r2r11113872 1113873

e gphr11113872 1113873

e g h1( 1113857

(2)




ci






ci



and listH1




listHkey obtains

H1(ati) gci



πcip ]1c















WangOur scheme


0

1

2

3

4

5

6

7

8

9

10

Revo

catio

n tim

e (s)


YuWangOur scheme


0

10

20

30

40

50

60

70

80

90

100

Verifi

catio

n tim

e (m

s)






YuWangOur scheme


0

1

2

3

4

5

6

7

8

Proo

f gen

erat

ion

time (

s)





Data Availability




Acknowledgments


References






































































ρεri







εi d σεid)








id




εξp



(ati)θ)) e(ρ α)





tm g1113872 1113873 middot e Hm σ2( 1113857e



H1 atρi( 1113857


t1113872 1113873e


ri g1113874 1113875e 1113945atiisinΔ1

H1 atρi( 1113857

θ middot πz g

⎛⎝ ⎞⎠






(1)












e g1 h( 1113857 e g]ph

r2 h1113872 1113873

e hr1 h

r2r11113872 1113873

e gphr11113872 1113873

e g h1( 1113857

(2)




ci






ci



and listH1




listHkey obtains

H1(ati) gci



πcip ]1c















WangOur scheme


0

1

2

3

4

5

6

7

8

9

10

Revo

catio

n tim

e (s)


YuWangOur scheme


0

10

20

30

40

50

60

70

80

90

100

Verifi

catio

n tim

e (m

s)






YuWangOur scheme


0

1

2

3

4

5

6

7

8

Proo

f gen

erat

ion

time (

s)





Data Availability




Acknowledgments


References


















































e g1 h( 1113857 e g]ph

r2 h1113872 1113873

e hr1 h

r2r11113872 1113873

e gphr11113872 1113873

e g h1( 1113857

(2)




ci






ci



and listH1




listHkey obtains

H1(ati) gci



πcip ]1c















WangOur scheme


0

1

2

3

4

5

6

7

8

9

10

Revo

catio

n tim

e (s)


YuWangOur scheme


0

10

20

30

40

50

60

70

80

90

100

Verifi

catio

n tim

e (m

s)






YuWangOur scheme


0

1

2

3

4

5

6

7

8

Proo

f gen

erat

ion

time (

s)





Data Availability




Acknowledgments


References




















































WangOur scheme


0

1

2

3

4

5

6

7

8

9

10

Revo

catio

n tim

e (s)


YuWangOur scheme


0

10

20

30

40

50

60

70

80

90

100

Verifi

catio

n tim

e (m

s)






YuWangOur scheme


0

1

2

3

4

5

6

7

8

Proo

f gen

erat

ion

time (

s)





Data Availability




Acknowledgments


References

















































Data Availability




Acknowledgments


References















































attribute-based user revocable data integrity audit for

Documents