Efficient Privacy-Preserving Certificateless Public Auditing of Data in Cloud Storage

Cloud computing is a fast-growing technology which supplies scalable, innovative, and efficient business models. However, cloud computing is not fully trusted, and the security of the data outsourced in cloud storage needs to be guaranteed. One of the hottest issues is how to ensure the integrity of the data in cloud storage. Until now, many researchers have proposed lots of provable data possession (PDP) schemes to deal with the problem of data integrity audition. Nevertheless, very little effort has been devoted to preserve the data uploader’s privacy while auditing the integrity of data shared in a group. To overcome the shortcoming, we propose a novel certificateless PDP protocol to efficiently audit the integrity of data shared in a workgroup with user privacy preserving. Due to the inherent structural advantage of the certificateless crypto mechanism, our PDP scheme eliminates the key escrow problem and the certificate management problem simultaneously. Moreover, the audition process in our scheme does not need any user’s identity which helps to keep the anonymity of data uploader. We give for our scheme a detailed security proof and efficiency analysis. Experiment results of performance evaluation demonstrate that our new scheme is very efficient and feasible.


Introduction
Recently, cloud computing has continued to provide scalable and low-cost services to user.e core advantage of cloud storage is dynamic scalability that allows the cloud storage services to deal with increasing amounts of data.erefore, a vast number of organizations and people would like to buy cloud storage service for data maintenance and management as one of fundamental investments.Moreover, with cloud storage platform, users are easy to work together in one team [1][2][3][4], in which they share data with each other.However, cloud service provider (CSP) is not fully trustworthy.e data stored in CSP might be corrupted or deleted because of accidental hardware errors, network exceptions, software bugs, or human mistakes [5][6][7][8].Furthermore, the untrusted CSP can tamper the user's data easily by either deleting or modifying them.To escape economic compensation and keep good reputation, CSP would not tell the truth to user.Additionally, with no audition mechanism, untrusted CSP can never be detected.erefore, cloud users need to periodically audit whether the data outsourced in cloud storage server is kept well.
e PDP model supplies the user an efficient method to audit the integrity of the remote data in cloud storage.e audition process of PDP is conducted by a challenge-response mechanism.In PDP schemes, the data owner divides their data to many small data blocks and binds one tag to each data block.Since the tag contains the information of data block, user can get the integrity status of data block through checking the validity of the corresponding tag.Until now, many articles have proposed several types of PDP schemes  for different application scenarios.However, most PDP protocols are just suitable for checking the integrity of single data that belong to only one user.
In real applications, sharing data among multiple users is a common situation, in which the shared data can be used by any one of the workgroup.erefore, auditing the integrity of data shared in a workgroup is an essential task which should be solved by PDP scheme.When auditing shared data, user anonymity against third party auditor (TPA) is an important security requirement.In practice, TPA is usually assumed to be honest-but-curious, which means TPA tries to guess the identity of data uploader when auditing the data integrity.If the identity is exposed, the data uploader may face great security threats especially when the data are sensitive.For example, every person can report to the government about criminal behaviors through open complaint platform.If the criminal knows who reported his behavior, he may revenge the reporter.To prevent criminal from revenging the reporter, it is necessary to preserve reporter's identity privacy.erefore, PDP scheme should keep confidential of uploader's identity to TPA.Aim to this goal, Wang et al. [23] proposed a concrete PDP protocol with the notion of user privacy preserving for shared data.Following, several schemes [24][25][26][27][28][29] with user privacy preserving are proposed.However, most previous PDP schemes are constructed by the PKI technique which suffers from certificate management problems such as generation, distribution, renew, revocation, update, and verification.To avoid certificate management, some PDP schemes are designed based on identity-based public cryptography (IBC) [40].However, IBC also has the natural drawback of "key escrow."To address these shortcomings, certificateless cryptography (CLC) [41] is introduced as a cryptography primitive.In CLC, user's private key is consisted of two components: the first is the partial key and the second is the secret value.User's partial key is computed by the key generation center (KGC), but the secret value is computed by the user himself/herself which is unknown to KGC. erefore, CLC overcomes the drawbacks of PKI and IBC simultaneously.Because of these advantages, some researchers utilize CLC to construct PDP schemes [31][32][33][34][35][36][37][38][39].Nevertheless, these schemes also have other shortcomings such as no user privacy preserving, heavy computationally cost, or existing security flaws which reduce the practicability of the schemes.us, it is necessary and urgent to present more efficient and secure PDP scheme based on CLC with user privacy preserving.
1.1.Our Contributions.Most previous PDP schemes only concentrate on verifying the integrity of personal data.However, to share data with multiple users based on cloud platform is a development trend and is becoming popular.Because any user can upload data to the cloud, the privacy of data uploader's identity should be guaranteed.at is to say, TPA can audit data integrity with the help of CSP but cannot distinguish the exact data uploader.
In this manuscript, we mainly consider to verify the integrity of data shared in a group with user privacy preserving.Our primary contributions in this study are summarized as following.
(1) We present the security model of certificateless-based PDP scheme for group shared data with user privacy protection.It defines the abilities of adversaries and the requirement of user privacy preserving.(2) We propose the concrete PDP scheme based on CLC for group shared data with user privacy preserving.
e proposal can resist the attacks of two types of adversaries and keep user privacy against TPA.
(3) We give rigorous secure proofs to prove the security of the proposed scheme in a random oracle model.We also demonstrate the performance evaluation results of our scheme and make comprehensive comparisons with several existing schemes.

Related Work.
e initial PDP model is proposed by Ateniese et al. [9], which tried to provide a method to verify the integrity of client's data stored in a remote server without downloading the data.To get better efficiency, they realized blockless verification by using homomorphic verifiable tags.Furthermore, they proposed two concrete schemes based on the RSA algorithm.However, the schemes were only available for static data with no support for dynamic operations.With the aim to enhance the scalability, Ateniese et al. [10] extended their initial PDP schemes and proposed an improved one based on symmetric key encryption.Although the improved scheme realized dynamic data operations as appending, updating, and deleting, the drawbacks still existed that the challenge number of the scheme was limited and did not support data inserting.Subsequently, Juels and Kaliski [11] proposed a similar model called proof of retrievability (POR) which had error-correcting capabilities besides data integrity audition.To improve efficiency, Shacham and Waters [12] developed a compact PoR scheme with a shorter authentication tag.
Later, Erway et al. [13] presented a PDP scheme which supported public integrity audition and fully data dynamic operations.To improve the efficiency of dynamic operation, Yan et al. [14] realized a PDP scheme with a new data structure that stored all blocks operation records.To increase data durability, Liu et al. [15] presented a multireplicas data integrity checking scheme, which supported fully dynamic data updates.Li et al. [16] further considered a more complex environment that multicopies were stored in multi-CSPs, and they constructed a concrete scheme to check the integrity of all copies for one time.In other works, Wang [17] proposed a proxy PDP scheme in which a commitment was used to authenticate the validity of the auditor.Yan et al. [18] strengthened the restriction for the verifier and proposed a verifier-designated PDP protocol.Wang et al. [19] presented a notion of data privacy protection and designed a public auditable PDP scheme.Shen et al. [20] designed a PDP protocol to guarantee the privacy of authenticators.
In recent years, many cloud applications supported users to work in coordination with shared data.erefore, how to audit the data shared among multiusers attracted many attentions.Wang et al. [21] designed the first PDP scheme by a ring signature technique to verify the integrity of data shared in a group with multiusers.e scheme also supported public auditing and user privacy preserving.Later, Yang et al. [22] proposed a PDP protocol for group data with user identity privacy and traceability.Wang et al. [23] designed a new PDP scheme to support dynamic groups which allowed group members to join or leave the group at 2 Security and Communication Networks any time.Wu et al. [24] developed a PDP scheme for auditing the integrity of data shared within multiple uploaders.Subsequently, Wang et al. [25] presented a PDP protocol based on the proxy resignature technique to address the problem of user revocation.Nonetheless, all these PDP schemes were designed by the traditional PKI mechanism which bears heavy cost of certificate management.
To eliminate certificate management, the identity-based cryptography (IBC) mechanism is used by many researchers to construct PDP schemes.Until now, several IBC-based PDP schemes have been proposed.For instance, Wang et al. [26] designed the first IBC-based data integrity checking scheme and proved its security under the defined security model.Yu et al. [27] presented an IBC-based PDP scheme which supported the dynamic group and data privacy protection.Tan and Jia [28] relied on an IBC-based signature scheme to propose a PDP scheme which also alleviated the users' fear of losing their keys.To improve the applicability of cloud storage, Zhang et al. [29] proposed a proxy-oriented identity-based encryption with a keyword search scheme from lattices for cloud storage, which was postquantum secure.Furthermore, Zhang et al. [29] proposed a scheme CIPPPA to check the integrity of medical data generated by wireless body area networks (WBANs).CIPPPA can not only achieve conditional identity privacy of patients in WBANs but also validate malicious auditing behaviors with the help of ethereum blockchain.
Unfortunately, IBC also has its own inherent drawback named "key escrow."To address this problem, PDP schemes based on CLC were proposed in many articles.Wang et al. [31] first presented a CLC-based PDP scheme for auditing cloud data.In this scheme, KGC computed the partial key for each user, but KGC did not know the user's secret value, so the user's private key was protected against KGC which avoided the key escrow problem.However, He et al. [32] thought the scheme in [31] is insecure because it did not give the formal security model.Subsequently, they proposed a CLC-based PDP scheme for checking the data of WBANs.Nevertheless, this scheme is proved insecure [33] either.To improve verification efficiency, Kim and Jeong [34] proposed a CLC-based PDP scheme with constant verification time.Similarly, Yang et al. [35] presented a PDP scheme for shared data integrity audition based on certificateless cryptography.e scheme claimed that it was able to guarantee user identity, but in the verification phase, TPA got the relationship between data and the public keys.us, it did not really realize user privacy preserving.Li et al. [36] presented a PDP protocol of group shared data based on certificateless cryptography, but the scheme lost the user privacy preservation feature.Kang et al. [37] proposed a certificateless public auditing scheme with privacy preserving for cloud-assisted WBANs which protected the data from being directly exposed to the TPA.Ming and Shi [38] proposed an efficient CLC-based PDP scheme with user privacy protection.Wu et al. [39] also designed a PDP scheme for multiusers setting with user privacy preserving, but the overheads of both communication and computation were too heavy especially in the challenge phase.

Preliminaries
We first review some preliminary cryptography knowledge throughout this study.

Bilinear Maps.
Assume that two multiplicative cyclic groups G 1 and G 2 have large prime order q.Let g ∈ G 1 to be one generator of G 1 .Define e: G 1 × G 1 ⟶ G 2 is a bilinear map with the following properties.
(a) Computability: for any u, v ∈ G 1 , and there exist efficient algorithms to calculate the value of e(u, v).(b) Bilinearity: for any x, y ∈ Z * q and u, v ∈ G 1 , and it has

Assumption
Definition 1. Computational Diffie-Hellman assumption: g is a generator of the multiplicative cyclic group G 1 .Given (g, g a , g b ), to get g ab is computationally intractable with unknown a, b ∈ Z * q .For any adversary A, the probability for A to solve this problem is negligible.We define the CDH problem as

System Model.
ere are four participants in our scheme: KGC, CSP, user group, and TPA.
(1) KGC is a trusted organization which generates the partial key for user.We assume the partial key is transmitted by secure channels.(2) CSP is the cloud storage service provider who maintains user's data and generates integrity proofs to prove the data integrity when received the challenge from TPA. (3) A user group has several users, and every user can upload data blocks to CSP by which all users share their data to each other.(4) TPA is responsible for auditing the integrity of data shared in a group.TPA sends an integrity challenge to CSP and gets a proof from CSP. en, TPA validates the rightness of the proof and informs the checking result to users.e system model of the proposed scheme is shown in Figure 1.It assumed that CSP is semitrusted.Namely, it can execute audition protocol honestly, but lies to TPA when data are broken.TPA is honest-but-curious, that is, TPA audits the data integrity honestly and responds the real audition result to data user, but it is curious about the identity of data uploader.
Our certificateless auditing scheme for group shared data with user privacy preserving consisted of seven algorithms: Security and Communication Networks Setup, PartialKeyGen, SecretValueGen, PublicKeyGen, TagGen, Challenge, Proof, and Audit.
Setup: with the security parameter k, this algorithm generates public parameters pp and master private key msk.PartialKeyGen: KGC runs this algorithm to compute user's partial key.It inputs the identity id i of the user u i and outputs u i 's partial key d i .SecretValueGen: each user (u i ) performs this algorithm to compute the secret value (s i ) PublicKeyGen: each user (u i ) performs this algorithm to compute the public key (PID i ) TagGen: this algorithm generates an authentication tag for each data block.It inputs user u i 's secret key sk i � (d i , s i ), and the block m j outputs its tag T i,j .Challenge: this algorithm is performed by TPA to select a data integrity challenge chal Proof: the algorithm generates the data integrity proof P for each challenge chal.It takes the inputs of shared data F, tags collection T, and the challenge chal.Audit: this algorithm is used to audit the rightness of integrity proof.It takes the inputs of the challenge chal, proof P, and data identity Fid.If P passes the verification, the algorithm returns "1;" otherwise, it returns "0."

Security Model.
Referring to [32,42], the security model of our proposed scheme contains two types of adversaries.
e first one denoted by A 1 cannot access the master key but can replace the user's public key.e second one denoted by A 2 knows the master key but cannot replace the user's public key.We utilize a game to cover the security characters of our   User privacy preserving is another security feature of the scheme.Since multiple users share data with each other in a group, each one can upload data to the group.In many cases, users prefer to keep anonymous against TPA.An honestbut-curious TPA tries to distinguish the identity of data uploader during the data verification process.If the user information is revealed and leaked by TPA, the data uploader may face potential security threats.us, the scheme should guarantee user's anonymity against TPA.Definition 3. A public certificateless PDP scheme for group shared data is user privacy preserving, if no information about the user identity is revealed by TPA within the procedure of data audition.

Construction of Our Scheme
We show the detailed construction of our certificateless PDP scheme for group shared data, which realizes public verification and user privacy protection.
Suppose the data F is shared in a group with N users denoted as u 1 , u 2 , . . ., u N  .F is split into n blocks, and each block is denoted by m i , where i is the block index.Different blocks may be uploaded by different users.e algorithms in our scheme are defined as follows.
Setup(1 k ) ⟶ (pp, msk): KGC first sets the value of security parameter k and selects a big random prime number q with |q| � k.Select cyclic multiplicative groups G 1 and G 2 with order q and a bilinear map e: G 1 × G 1 ⟶ G 2 .KGC selects a generator g of G 1 and three different hash functions: en, KGC randomly selects x ∈ Z * q and sets the master private key msk � x, so the master public key is P 0 � g x .e system parameter is pp � (q, g, G 1 , G 2 , e, P 0 , h 1 , h 2 , h 3 ).PartialKeyGen(id i ) ⟶ d i : on receiving the identity id i of the u i , KGC computes d i � h 1 (id i ) x as u i 's partial key and sends it to u i by a secure channel SecretValueGen ⟶ s i : u i randomly selects a value λ i ∈ Z * q and sets the secret value s i � λ i PublicKeyGen ⟶ PID i : with secret value s i , u i computes the public key PID i � g 1/s i TagGen(d i , s i , m j ) ⟶ T i,j : u i computes the value U � h 3 (P 0 , n) and generates the tag for the block m j by the following equation.
Here, Fid is the unique identification of the data F. Finally, u i uploads (m j , T i,j , id i ) to CSP.CSP validates the rightness of the tag by the following equation: It can be confirmed as follows: (5) Finally, CSP sends the proof P � (σ 1 , σ 2 , M) to TPA Audit(chal, P, Fid) ⟶ 0, 1 { }: when receiving P returned from CSP, TPA computes U � h 3 (P 0 , n) and checks the following equation: If equation ( 6) holds, returns 1; otherwise, returns 0.
Security and Communication Networks e equation ( 6) can be confirmed as follows: e T i,j , PID i  . (7)

Security Proof
In this section, we show the security proof of our new scheme under the security model defined in Section 3.2.In our proof, three hash functions (h 1 , h 2 , h 3 ) used in our scheme are all random oracles.

Lemma 1.
If the CDH problem (g, G 1 , g a , g b ) is hard for the group G 1 , our scheme is secure against A 1 .
Proof.If the adversary A 1 wins the game, a simulator β can be designed to solve the CDH hard problem resorting to A 1 .Let (g, G 1 , g a , g b ) to be one CDH instance, and β computes g ab by following steps.
us, the equation above can be changed to , g).We can compute the result of given CDH instance: We can see that if τ � 0, the game is perfect.Assume A 1 makes q K times partial key query and q T times tag query; the game is performed successfully with the probability of (1 − c) q K +q T .erefore, if A 1 wins the game with the probability ε, β can successfully output the result of g ab with the probability ε Proof.If the adversary A 2 wins the game, a simulator β can be designed to solve the CDH hard problem resorting to A 2 .Let (g, G 1 , g a , g b ) to be one CDH instance, and β computes g ab by following steps.
Setup: β picks a random number x ∈ Z * q as the master private key.B gives A 2 all the public parameters as well as the master private key x.h 1 query: B makes a list tab 1 � (id, h 1 )   for the h 1 query.If the user identity id queried exists in tab 1 , B retrieves the row (id, h 1 ) and responds the value gh 1 to A 2 .Otherwise, B selects a random number of h * 1 ∈ Z * q , responds g h * 1 to A 2 , and inserts (id * , h * 1 ) to tab 1 .Secret value query: A 2 can query the secret value for any user identity id * .B makes a list tab 2 � (id, pk, s)   to trace the results for this query.If id * existing in tab 2 , B returns s to A 2 .Otherwise, B selects a random number s * ∈ Z * q and computes pk * � (g) 1/s * .B inserts the row (id * , pk * , s * ) to tab 2 and returns s * to A 2 .Public key query: A 2 can query the public key for any user identity id * .B searches id * from tab 2 .If id * existing in tab 2 , B responds pk * to A 2 .Otherwise, B chooses a random value s * ∈ Z * q and computes pk * � (g a ) 1/s * .B inserts the row (id * , pk * , s * ) to tab 2 and returns pk * to A 2 .h 2 query: A 2 can query the hash value of (Fid, j) at any time.For this query, β keeps a list tab 3 with tuple (Fid, j, h 2 ).If the row (Fid, j, * ) exists in tab 3 , β retrieves h 2 and returns (g b ) h 2 to A 2 .Otherwise, β 2 ) into tab 3 .h 3 query: A 2 can query the hash value of (P 0 , v * ) at any time.For this query, β keeps a list tab 4 with tuple (P 0 , v, q 3 , h 3 ) and presets a special row (P 0 , V, g (ah 3 ) , h 3 ).If the row (P 0 , v * , * , * ) exists in tab 4 , β retrieves q * 3 and returns it to A 2 .Otherwise, β randomly chooses h * 3 ∈ G 1 and sets q * 3 � g h * 3 .β inserts a new row (P 0 , v * , q * 3 , h * 3 ) into tab 4 .Tag query: for the tag query (Fid, j, m j , id, v), β gets the rows (id, h 1 ), (id, pk, s), (Fid, j, h 2 ), and (P 0 , v, q 3 , h 3 ) from tab 1 , tab 2 , tab 3 , and tab 4 , respectively.en, β computes the tag T i,j � (g xh 1 • g bh 2 • q 3 m j ) s and returns it to A 2 .Forge: at last, A 2 gives a forged tag T i * ,j * ′ for block m j * ′ with the identity id i * ′ .andtotal block number v ′ .e block m j * ′ has not be executed the tag query under such conditions before.Analysis: if A 2 wins the game, the following equation e(T i * ,j * ′ , PID i * ) � e(h 1 (id i * ′ ), g x ) • e(h 2 (Fid, j * ) • U m j * ′ , g) must hold according to equation (3).en, β gets the row (id i * ′ , h 1 ′ ), (id i * ′ , pk ′ , s ′ ), (Fid, j * , h 2 ′ ), and (P 0 , v ′ , q 3 ′ , h 3 ′ ) from tab 1 , tab 2 , tab 3 , and tab 4 .If v ′ ≠ V, β aborts and exits.Otherwise, β changes the equation We can compute that the result of given CDH instance is g ab � ((T i * ,j * ′ ) 1/s′ /g xh 1 ′ ) (1/(h 2 ′h 3 ′m j * ′ )) .
According to the analysis, if v ′ � V, β can successfully output the result of g ab .Assume A 2 makes q K times h 3 query, and also, there are q K rows in the tab 4 .us, if A 2 wins the game with the probability ε, β can get the value of g ab with the probability (ε/q K ).Because CDH problem is hard for the group G 1 , our proposal is secure against for A 2 .
According to the Lemmas 1 and 2, our proposed scheme can resist both the adversaries of A 1 and A 2 .erefore, we can give eorem 1 as □ Security and Communication Networks Theorem 1.If the CDH problem is hard for the group G 1 , our proposed data integrity auditing scheme is secure in the random oracle model.Theorem 2. TPA cannot reveal the identity of data uploader within the process of data auditing.
Proof.From the audition algorithm of our scheme, it is not difficult to prove that TPA cannot know the data uploader of challenged data.First, the user's identity is stored by CSP privately, and no one knows the relation between data and user identity except CSP and users themselves.In the verification phase, TPA checks the proof by equation ( 6) without any information about user identity.Moreover, CSP also hides the user identity in the proof σ 1 � α •  (m l ,T i,l ,id i )∈Θ h 1 (id i ) v l by random value α. erefore, our scheme can guarantee the user privacy against TPA.□ 6. Performance Analysis 6.1.Performance Evaluation.We summary the performance of our protocol from aspects of computational and communicational cost, which are shown as follows (Table 1 ).
Computational cost: let T p , T exp−G 1 , and T exp−G 2 represent the computational cost of pairing, exponentiation on G 1 , and exponentiation on G 2 , respectively.Others like hash function, addition, and multiplication on Z q are omitted because they only incur negligible cost.It is easy to see that the algorithms such as Setup, PartialKeyGen, SecretValueGen, PublicKeyGen, and Challenge only need negligible cost, so we omit the performance analysis about these algorithms.e algorithm TagGen needs 2T exp−G 1 for generating one tag.us, the computational cost for generating all tags is 2nT exp−G 1 .Proof algorithm is performed by CSP to generate proof which needs cost of 2cT exp−G 1 + (c + 1)T p .e algorithm Audit is run by TPA, and it costs 2T p + (c + 1) • T exp−G 1 .Moreover, we compare the computational cost of our scheme with that in other three similar schemes in Table 1, in which |U| is the count of group users.From Table 1, we can get that the tag generation cost of our scheme is almost the same as that in [31,36], which is much lower than that of [37].In the proof generation step, our scheme has the highest cost than that of other three, that is, because our scheme does more work to hide the relationship of data and data uploader, so as to realize the user privacy preserving.We can see that only our scheme can preserve user privacy against TPA, while other three cannot.In the proof audition step, our scheme is the most efficient one compared with other three schemes.In summary, our scheme is computationally efficient.Communicational cost: in our scheme, a tag is one element of G 1 , so the communication cost for data transfer form is n|G 1 | + |F| + |id|, where |F| denotes the size of outsourced data and |id| is the size of user identity.
e size of each challenge is bounded of 4c + c|Z q |, and the proof size is

Experiment Results.
We implemented a prototype of our scheme with PBC library [43], which is based on the library of GMP [44].Our experiments are executed in the Ubuntu Kylin-15.10operating system with VMware workstation.We give 1 CPU and 1G Ram to the virtual machine and use the Lenovo laptop X270 as the host which installs the Win10 operation system with Core i5 CPU and 8G Ram.We choose the typical "Type A" elliptic curve supplied by PBC in our experiments.In order to accurately show the advantage of our scheme, we implement schemes in [31], [36], and [37] simultaneously.
We first make experiments to evaluate the efficiency of tag generation.We prepare 1000 randomly selected data blocks and run ten experiments with different number of tags.e results are shown in Figure 2. We can see that the computation cost increases linearly with the number of tags rising, which is consistent with the theoretical analysis.However, computing 1000 tags only costs about 9.8 seconds which is feasible.
Second, we make experiments to test the performance of proof generation.In this experiment, we simulate 100 different users and change the number of challenged blocks from 100 to 500 with total 1000 blocks.e experiment data are shown in Figure 3. From Figure 3, we can see that our scheme costs much more time than that of other three.e reason for this situation is analyzed before; specifically, we embed the relationship of challenged data and data uploader into the proof while other three schemes compute the proof only with data and tags without hiding the relationship.When checking the proof, TPA in other three schemes should use the data owner's public key which exposes the relationship of challenged data and the data owner.e cost of proof audition is shown in Figure 4. e schemes in [31,37] have the similar cost, the gap of which is very small.e cost of scheme in [36] is associated with the number of group users, so it has the most cost in the beginning.However, with the number of challenged blocks increasing, the audition cost of [31,37] exceeds that of the scheme [36].Overall, our scheme is the most efficient, one in this step, which needs only 2.5 seconds for 500 challenged blocks.
It is well known that CSP has great computation ability, but TPA is usually a normal workstation or personal computer.Although our scheme costs more time when generating the proof in the experiments, it is done by CSP which makes the gap be negligible in real environment.However, the different of TPA in our experiments and in real environment is very small, so the advantage of proof audition in our scheme is the very important.
To improve the efficiency of the data integrity audition scheme, we can assign more workload to CSP but less to TPA.We summary the computation cost of CSP and TPA in the four schemes with 500 challenged blocks.e results are shown in Figure 5, from which we can see that our scheme assigns the most workload to CSP but the lightest workload to TPA. us, compared with recent researches, our scheme is efficient especially for TPA.

Conclusion
In this article, we propose a public certificateless PDP scheme for cloud storage.Our scheme not only inherits the advantages of certificateless cryptography but also has the merit of user identity privacy protection.With our scheme, TPA can audit the integrity of group shared data rightly without revealing the data uploader so as to preserve user's privacy.We formalize the security model of our scheme with Our scheme Scheme of [31] Scheme of [36] Scheme of [37]  Our scheme Scheme of [31] Scheme of [36] Scheme of [37] Figure 4: e cost of proof audition.
Scheme of [27] Scheme of [32] Scheme of [33]  Security and Communication Networks two types of adversaries and prove its security in the random oracle model.Experimental result demonstrates that our proposal is efficient.
scheme; the game involves a super adversary A ∈ A 1 , A 2   and a challenger C. Setup phase: C calls Setup to generate the master private key msk and the public parameter pp.If A is the first type adversary A 1 , C gives pp to A. If A is the second type adversary A 2 , C gives both the pp and msk to A. Queries phase: A makes four types of query to C for polynomial times.C returns the results to A. (a) Hash query.Adversary A queries about hash values of any hash function in the scheme.C replies the hash value to A. (b) Partial key query.Adversary A can query any user's partial key with the identity id i .C calculates the partial key d i by the algorithm PartialKeyGen and returns d i to A (this step is executed only by the first type adversary A 1 ).(c) Secret value query.A can query any user's secret value with any identity id i .C computes the secret value s i by the algorithm SecretValueGen and returns s i to A. (d) Tag query.Adversary A can randomly select blocks and query their tags generated by any user in the group.C generates the tag of the queried block and sends the tag back to A. If C does not have user's private key in this step, he can compute the key by PartialKeyGen and SecretValueGen algorithms.Public key replacement: C can change any user's public key to any other value (this step is executed only by A 1 ) Forge phase: finally, A submits to C a forged proof P * for any (id * i , m * j ) with the public key PID * i .If the proof satisfies the following three conditions, A wins this game.

Figure 1 :
Figure 1: System model of our scheme.

Figure 2 :
Figure 2: e cost of tag generation.

Figure 3 :
Figure 3: e cost of proof generation.

4
Security and Communication Networks (1) P * passes the audition with id * i and PID * i (2) If A is the first type adversary A 1 , the partial key and secret value of id * i have not been queried.If A is the second type adversary A 2 , the secret value of id * i has never been queried.(3) m * j has never been performed the tag query with user identity id * i and PID * If the row exists, β returns d * to A 1 .If the row does not exist, β first gets (id A 1 and appends a new row (id * , h * 1 , q * 1 , τ * ) in table tab 1 .Partial key query: A 1 sends any identity id * to β for querying the partial key.β maintains a table tab 2 � (id, d, s, pk)   and searches the row (id * , d * , * , * ).* , h * 1 , q * 1 , τ * ) from tab 1 .If τ * � 1, β aborts and exits the game, and if τ * � 0, β sets d * � (q * 1 ) a � (g a ) h * 1 and inserts the new row (id * , d * , ⊥, ⊥) to tab 2 .Secret value query: with the query id * , β searches the row (id * , * , s * , * ).If the row exists, β sends s * to A 1 .

Table 1 :
Comparison of computational cost.