Remote Data Possession Checking Scheme with Supporting E�cient Group User Authority Management for Shared Cloud Data

Under the shared big data environment, most of the existing data auditing schemes rarely consider the authorization management of group users. Meanwhile, how to deal with the shared data integrity is a problem that needs to be pondered. Thus, in this paper, we propose a novel remote data checking possession scheme which achieves group authority management while completing the public auditing. To perform authority management work, we introduce a trusted entity – group manager. We formalize a new algebraic structure operator named authorization invisible authenticator (AIA). Meanwhile, we provide two versions of AIA scheme: basic AIA scheme and standard AIA scheme. The standard AIA scheme is constructed based on the basic AIA scheme and user information table (UIT), with advanced security and wider applicable scenarios. By virtue of standard AIA scheme, the group manager can perfectly and easily carry out authority management, including enrolling, revoking, updating. On the basis of the above, we further design a public auditing scheme for non-revoked users’ shared data. The scheme is based on identity-based encryption (IBE), which greatly reduce the necessary certificate management cost. Furthermore, the detailed security analysis and performance evaluation demonstrate that the scheme is safe and feasible.


Introduction
As cloud computing becomes more accepted by the public, cloud storage is also widely used. Cloud Server Provider (CSP) supply users with large-capacity and reasonably priced storage services. Users can choose different types of cloud storage services to store outsourced data according to their needs. Cloud storage has many advantages, such as pay on-demand, location independence, and off-site management, which makes it more popular. From an objective point of view, because users no longer have absolute control over outsourced data, the security and integrity of data on the cloud is facing huge risks. Once an error occurs, it will inevitably cause serious losses for users.
With the assistance of data sharing services, users can share data in the cloud with other users in the group. The data sharing service in the group not only saves the burden of local data storage for group users, but also reduces the overhead of multiple interactions with the CSP. Within a group, only users with legal permissions can access the shared data and can access freely. But in fact, the authorization management is a hard task for groups. There may exist some difficulties: (1) For a new user, how to apply to enroll the group to become a legal group user? (2) How to withdraw the shared data access rights of the users who have applied for leaving the group; if the user has shared the shared data in the group, how to revoke the ownership of this data? (3) How do group users view shared data? In addition, how to deal with the shared data integrity of group users in a shared big data environment is a problem that needs to be considered. To solve the above-mentioned challenge, this paper conducts a detailed discussion on the authority management of group users under the shared data integrity verification problem.

Contribution
In order to share cloud data, we construct a remote data possession checking scheme with supporting efficient group user authority management in this paper.
(1) In order to deal with the issue of opening and recovering the permissions of users within a group, in our proposed scheme, we introduce a trusted entity that is engaged in rights management -group manager.
(2) In order to assist the group manager in authority management, we further propose a novel algebraic structure operator called authorization invisible authenticator (AIA). AIA is an operator that can only be generated by the group manager, and can be used by group users, but is not visible. Furthermore, we provide two versions of AIA scheme: the basic AIA scheme and the standard AIA scheme. The standard AIA scheme is constructed based on the basic AIA scheme and user information table (UIT), with advanced security. In addition, we prove the security of the standard AIA scheme in terms of correctness, invisibility, unforgeability and non-malleability. By manipulating AIA, group manager can carry out authority management work perfectly and easily. There are advantages of AIA: a) Since AIA can only be distributed by the group manager, group users are available but cannot infer its algebraic structure and cannot forge legal AIA. Therefore, the security of authority management can be guaranteed. b) Integrity verification schemes for shared data with supporting user revocation are currently a research hotspot. With the aid of AIA, this problem can be well resolved. In addition, the cost of user revocation in a group no longer depends on the number of data blocks, but only on the number of group users. And it makes our scheme more practical. c) AIA is updated uniformly by the group manager only when a user leaves the group, so it can greatly save the calculation and transmission costs.
(3) To complete remote data possession checking for non-revoked group users, we further construct a shared data public auditing scheme on the basis of the above work. The proposed scheme provides the mathematical design of the data block tag, and the concrete process of public auditing. It is worth mentioning that the tags set is based on the identity-based encryption (IBE), which greatly saves the time it takes for the system to process the public key certificate. The correctness of our scheme, including private key correctness, AIA correctness and audit correctness, is well given. Moreover, under the given random oracle model, the soundness based on the Computational Diffie-Hellman Assumption and the Discrete Log Assumption is strictly proved. Besides, the performance evaluation demonstrates that the scheme is effective and feasible.

Related Work
The traditional remote data possession checking method requires users to download all their data stored in the cloud locally, and then perform checking. For users with low-capacity equipment or low computing capacity, the cost is fatal. In 2007, with the successive schemes of Provable Data Possession (PDP) [1] and Proof of Retrievability (PoR) [2], the research on data integrity verification was pushed to an un-precedented climax. The PDP scheme is based on homomorphic authenticators and random sampling strategy and uses RSA to design the tags set. The PoR scheme is implemented in bilinear pairing, which not only provides integrity verification, but also enables data retrieval. In addition, based on PoR, Shacham et al. [3] proposed two schemes which can complete the public verifiability and private verifiability using BLS signature and pseudorandom function respectively.
However, neither the PDP scheme nor the PoR scheme can realize the dynamic operations of the da-ta block. The schemes that cannot realize dynamic operations, such as block modification, deletion and append, which will be restricted in some scenarios. Aimed at this problem, Ateniese et al. [4] proposed a scalable PDP scheme based on symmetric key cryptography. By manipulating rank authenticated information table, Erway et al. [5] also provided an im-proved dynamic PDP scheme. Based on Merkle Hash Tree, Wang et al. [6] raised a public data integrity auditing scheme which can also realize dynamics by constructing block tag authentication. For simultaneous update of multiple replicas of files, Barsoum et al. [7] given a specific proposal. When the client's secret key is leaked, Yu et al. [8] put forward a strategy that can update the keys while achieving public auditing. Sookhak et al. [9] investigated the realization of data dynamics with the aid of a novel structure -divide and conquer tables. With the help of the authenticated structure named blockless Merkle tree, He et al [10] proposed a dynamic group-oriented PDP scheme which can realize full dynamics. Considering that the traditional scheme is only applicable to audits where there is no dispute over data possession, combined with blockchain technology, Xu et al. [11] provided a fairly arbitrable data auditing protocol. Wang et al. [12] formalized an online/offline PDP model, which divides data processing into two procedures to deal with different types of operations respectively.
But unfortunately, all the schemes mentioned above are implemented by Public Key Infrastructure (PKI). Public key cryptography based on PKI distribution keys has been widely used since its introduction. However, due to the existence of certificates, a series of costs such as generation, forwarding, and renewal are inevitably increased. Using the user's public identifier, such as the email address, as an encryption key can solve a series of problems caused by public key certificates [13][14]. Based on Identity-Based Encryption (IBE), the first public data integrity auditing scheme was proposed [15]. Wang [16] formalized an identity-based distributed provable data possession model which can realize private verification, delegated verification, and public verification. Wang et al. [17] discussed how to perform public integrity checking when users are restricted to access the CSP. Assisting by the entity of sanitizer, Shen et al. [18] given a data sharing scheme that supports the hiding of sensitive information. Using the user's biometric data as the encryption key and combining the attribute set encryption, Li et al. [19] studied a novel scheme based on fuzzy identity-based encryption [20]. To resist malicious auditors, Zhang et al. [21] proposed an identity-based public auditing scheme, which is implemented with the help of blockchain. Shen et al. [22] provided a remote data possession auditing scheme with supporting privacy of authenticators. To solve the problem that privacy may be leaked after the data is deleted in the cloud, Xue et al. [23] built a specific security model based on attribute set encryption and Merkle tree.
The group data sharing services under the integrity verification problem has been deeply studied in recent years. To address the issue of integrity verification of shared cloud data, Wang et al. proposed three different schemes [24][25][26]. Konx [24] focused on the privacy protection within the group and utilized group signatures to construct homomorphic authenticators to complete data checking. Different from Konx, Oruta [25] considered using ring signatures to achieve mathematical design. Panda [26] explored how to employ proxy resignatures to realize group user revocation. Yuan et al. [27] discussed a public integrity auditing scheme that can support multiple users to modify shared data. Tian et al. [28] given a comprehensive group management integrity auditing scheme which considers privacy protection, dynamics, and traceability of shared data. In order to support user revocation effectively, Zhang et al. [29] explored a new strategy for key generation phase and a technique for private key update. By constructing a homomorphic verifiable group signature in the privacyaware public auditing mechanism. Fu et al. [30] proposed a group shared data checking scheme which can prevent sensitive information from leaking to third-party auditors. Starting from the collusion-resistant attack, Luo et al. [31] provided the scheme to realize public auditing and user revocation.
In a group that shares cloud data, user revocation is a hard assignment. In the schemes mentioned above [26][27][28][29][30][31], the overhead of realizing user revocation in a group is directly associated with the number of users withdrawn, and even shows a linear relationship. It must inevitably lead to huge costs when the number of users is large. On the other hand, there are many problems to be solved in the group, such as: users' enrollment, data privacy.

Paper Organization
The rest of the paper is organized as follows. In section II, we present the preliminaries. And in section III, we present the system model and security model. A new algebraic structure operator named authorization invisible authenticator is explained in section IV. The detailed description of the proposed scheme is elaborated in section V. Section VI shows the security analysis. The performance evaluation is carried out in section VII. Section VIII is the conclusion of this paper.

Bilinear Maps
Let G1, G2 are multiplicative cyclic group with the order p, g is a generator of G1.

System Model
The system consists of five entities, and the model is shown in Fig. 1.
(1) Group Manager: the trusted entity who performs authority management work. The group manager opens the access authorizations for the users who apply to enroll the group, and at the same time revokes the access rights of shared data of users who leave the group. In addition, the data upload work of the group users is also executed by the group manager. Moreover, the public audit results of shared data within the group are recorded by the group manager, not the creator of the shared data.
(2) Group Users: When the user successfully enrolls the group, he becomes a legal group user; he can upload his data to the CSP and mark it as shared data; at the same time, he can access the shared data of other users in the group. That is, in our proposed scheme, all legal and unrevoked group users can upload data to the CSP and share it with other users. When a group user revokes and leaves the group, the group manager will deprive the user of the permission to view other shared files, but the shared files uploaded by this user still exist in the group. That is, once a group user upload files and share them with other group users, those files will be regarded as a shared data. The revoked user cannot access other users' shared files, but it does not affect other group users to view the shared files he has uploaded. In addition, the ownership of the shared file of the revoked group user will be transferred to the group manager; before the files are not modified, the revoked group user still knows the content of the shared file.
(3) Cloud Service Provider (CSP): an untrusted entity that provides public cloud storage service.
(4) Private Key Generator (PKG): the trusted entity who generates the private key for the group users.
(5) Third-Party Auditor (TPA): the trusted entity who is responsible for performing remote data checking for the shared data uploaded to the CSP after being authorized by the group users. When the TPA wishes to check the integrity of the shared data, it first sends an auditing challenge to the CSP. After receiving this challenge, the CSP responds to the TPA with an auditing proof of the possession of this shared data. Subsequently, the TPA will verify the correctness of this auditing proof, and then record it. The audit results will be feedback to the group manager on a regular basis.

Remark 1
The private key generation process is briefly shown in Fig. 1, which will be described in detail in section V.

Remark 2
The responsibilities of the group manager include the four parts: a) Grant permissions to the users who apply to join the group. b) Deprive permissions to the users who leave the group. Note that even if the user opts out of the group, he still has the right to view the shared files he uploaded, but he does not have the right to modify it. c) Perform uploading of shared data on behalf of group users. d) Record the audit results of the integrity verification of the shared data. After the TPA checks the integrity of the shared files, it records the results of each audit and feeds it back to the group manager on a regular basis, rather than directly to the creator of the shared files.

System Components
A remote data possession checking scheme with supporting efficient group user authority management consists of eight algorithms: Setup, AuthForUser, KeyGen, TagGen, UpdateForUsers, Challenge, ProofGen, ProofVerify. Each algorithm is described as follows: Setup is the "Setup" algorithm run by the PKG. It takes the security parameter k as input, and outputs the system public parameter pp, master public key mpk and master secret key msk.
AuthForUser is the "Authorized for Group User" algorithm which consists of a series of algorithms. It takes the pp as input, and outputs an AIA for the group user.
KeyGen is the "Private Key Generation" algorithm run by the PKG. It takes the pp, user's identity ID and mpk as input, and outputs user's private key SKID.
TagGen is the "Tags Set Generation" algorithm run by the group user. It takes SKID, the user's requirement message rm and shared file F as input, and outputs the tags set T for F. Then, the user uploads <F, T> to the group manager. Subsequently, the group manager performs the data upload work.
UpdateForUsers is the "Update AIA for The Rest of Group Users" algorithm run by the group manager. When one user is revoked from the group, the group manager runs this algorithm.
Challenge algorithm run by the TPA that is to generate the auditing challenge chal.
ProofGen is the "Proof Generation" algorithm run by the CSP. It takes the chal, F and T as input, and outputs the integrity proof P.
ProofVerify is the "Proof Verification" algorithm run by the TPA. It takes pp, chal and P as input, and outputs "0/1"; "1" indicates that the shared data stored in the CSP is intact; otherwise, it is not.

Design Goals
A remote data possession checking scheme with supporting efficient group user authority management should achieve following goals: (1) Correctness: The correctness consists of three parts: private key correctness, AIA correctness and audit correctness. a) Private Key Correctness: The private key generated by the PKG will only be accepted by the group user after passing the correctness verification of the group manager.
b) AIA Correctness: A legal AIA can be passed the verification of the group manager. c) Audit Correctness: If the CSP completely stores the user's cloud data, the proof generated by the CSP can be verified by the TPA.
(2) Audit Soundness: If the CSP does not possess user's intact data, it cannot pass the TPA's verification.
(3) Secure authority management: The group manager can safely and efficiently perform authority management work in the group. In addition, any user joining/leaving the group will not affect other users.
(4) Efficient revocation: When one user applies for revocation, only the group manager needs to perform the operation with lower computational overhead. In other words, the cost of user revocation is independent of the number of the revoked users.
(5) Public auditing: Under the authorization of the group users, the TPA performs remote data integrity verification for the shared data stored on the CSP; and periodically returns the audit results to the group manager.

Security Model
To formalize security model, we put forward a game between a challenger and an adversary , which is similar to reference [3]. The user is regarded as the challenger , and the untrusted CSP is regarded as the . This game shows how the adversary is against the security of the proposed scheme, and specific phases are given as follows: (1) Setup phase The challenger runs the Setup algorithm to obtain the system public parameter pp and master secret key (msk), then sends pp to the adversary .
(2) Query phase In this phase, the adversary makes two types of queries to the challenger . a) KeyGen phase. The adversary queries the user's private key. The challenger runs the KeyGen algorithm to get the private key SKID, then sends it to the adversary . b) TagGen phase. The adversary queries the tags set of the encrypted file F. The challenger runs the TagGen algorithm to obtain the tags set of the F, then sends it to the adversary .
(3) Challenge phase In this phase, the adversary acts as the prover and the challenger as the verifier. The challenger sends the integrity challenge to the adversary and asks the adversary to provide the integrity proof P against the challenge set chal.
(4) Forgery phase After receiving the integrity challenge from the challenger , the adversary outputs the integrity proof P and replies to the challenger . If the integrity proof P can pass the verification of the challenger with non-negligible probability, we say the adversary wins this game.
In the above security model, we need to prove that if an adversary does not truly store all the blocks related to the challenge set, it cannot generate the valid integrity proof and can pass the verification of challenger .

Definition 3 If the integrity proof P forged by adversary
can pass the verification of challenger with non-negligible probability, there exists a knowledge extractor that can extract the challenged data blocks except negligible probability. Definition 4 If the CSP corrupts fraction of the whole file, these corrupted data blocks can be detected with the probability of at least using the proposed scheme, where .

Authorization Invisible Authenticator
When a new user applies to enroll the group, the group manager performs authority management and authorized him to become a legal group user. Correspondingly, when a group user chooses to withdraw the group, the group manager should revoke all their permissions, including the right to modify the shared data they have uploaded, and the access right to view other shared data. Thus, in this section, we construct a novel algebraic structure operator named authorization invisible authenticator to facilitate the group manager to deal with permission management issues. For simplify, we call it AIA. By manipulating AIA, the group manager can carry out work perfectly and easily. An AIA should meet the following requirements: • Invisibility: AIA is distributed to group users by group administrators; group users possess legal AIAs are regarded as legal users in the group. AIA can only be used by the group users, but the algebraic structure is transparent to the group users; so, it cannot be inferred.
• Unforgeability: The group users cannot forge a legitimate AIA. The unforgeability of AIA determines that any unauthorized user cannot view the shared data in the group.
• Non-malleability: Given two AIA , and two values . Any legal AIA cannot be computed by linearly aggregating , except with negligible probability. The non-malleability of AIA ensures that no two unauthorized users can collude to forge a legitimate AIA.

Overview of Basic AIA Scheme
Before giving the standard AIA scheme, we first introduce a basic AIA scheme. A basic AIA scheme consists of four algorithms: (1) Init ( ): This is "Init" algorithm to initialize some public parameters. It takes the security parameter k as input, and outputs the public parameter pp (public parameter pp mentioned here are same as those initialized in the "Setup" phase in Section V).
(2) ApplyForAuth ( ): This is "Apply for Authorization" algorithm run by the group user. When a new user applies to join the group, he needs to ask for the group manager to authorize him to become a legal group user. It takes the pp as input, and outputs a requirement message rm. In order to facilitate the work of group manager and consider the security of the basic AIA scheme, the basic AIA scheme requires users to send rm only once when applying to enroll the group.
(3) AuthGen ( ): This is "AIA Generation" algorithm run by the group manager. It takes the rm and pp as input, and outputs an AIA for the legal group user.
(4) AuthUpdate: This is "AIA Update" algorithm run by the group manager. When the user leaves the group, the group manager needs to redistribute the AIA for the remaining group users.

User Information Table (UIT)
The general AIA scheme is suitable for group user authorization management in most scenarios. However, under our proposed scheme, the basic AIA scheme may exist two security threats: 1) Despite in the ApplyForAuth algorithm, the basic AIA scheme requires that the user sends rm to the group manager only once; But there may be a malicious group user. After sending rm to the group manager and obtaining AIA, he continues to send rm to the group manager many times and expects to obtain more AIA. The ultimate purpose of the malicious group user is to obtain multiple AIAs, tries to derive the mathematical structure of the AIA, and then forge a reliable AIA. 2) There may be a legitimate but curious group user who tries to use another valid rm to apply for AIA from the group manager. Considering the above potential security issue, it is necessary for the group manager to preserve the UIT locally. Moreover, with the help of UIT, the security of the basic AIA scheme can be further improved.
The group manager maintains a local user-informationtable (UIT) to record the information of every group user. The UIT contains five columns, and its structure is illustrated in Table 1. UN represents the number of current users in the group. ID is the identifier of the group user. rm is the requirement message sent to the group manager when the user joins the group. AIA is a legal access authenticator distributed to users by group manager. SKID is the private key of the group user obtained from the PKG (The usage of UIT will be shown in Section V).
There are advantages of UIT: (1) UIT records the matching relationship between group user's rm and AIA. In the ApplyForAuth phase, the group manager will only respond to the group user's requirement message rm once. And when one user is withdrawn from the group, the group manager will immediately delete the information of this user from the UIT and update the AIA of the remaining group users. In other words, the cost of user revocation only needs to be borne by the group manager.
(2) Only when a user's ID, rm, AIA and SKID form a oneto-one correspondence, that is, they are all in the same row of UIT, this user is regarded as a legal group user. Illegal group users will be removed from the group by the group manager.

Standard AIA Scheme
We demonstrate a standard AIA scheme which is composed of the basic AIA scheme and UIT, as shown in Fig. 2.
Remark 3 In order to save calculation and transmission costs, in our proposed standard AIA scheme, the group manager reassigns AIA for the rest of the group users only after one user leaves this group.
Remark 4 Note that in the standard AIA scheme we proposed, the cost of user revocation in a group is irrelevant to the shared data, but only with the number of group users.

Security of AIA Scheme
A standard AIA scheme should satisfy the above properties. We prove it to be secure in terms of A standard AIA scheme is defined as: (1) Init.
Let G1, G2 are two multiplicative groups with the same prime order p, and g is the generator of G1. There exists a bilinear pairing and a cryptographic hash function . Let the public parameter is .
a) The new user selects two random elements , and computes .
b) The user sends to the group manager.
a) After receiving the requirement, the group manager chooses elements , calculates and returns it to user.
b) The group manager sets UN = UN +1.
c) The group manager updates the UIT.
a) When a user leaves the group, the group manager reselects random elements , recomputes AIA and redistributes it for current user in group.
b) The group manager updates UN = UN -1.
c) The group manager updates the UIT.

Fig. 2
The process of standard AIA scheme correctness, invisibility, unforgeability and nonmalleability. Theorem 1 (Correctness) Given a legal AIA , the group manager can verify its correctness.
Proof: The group manager can parse the AIA through the following derivation and further to verify its correctness.

Theorem 2 (Invisibility)
The AIA is invisible for the group user.
Proof: Since the algebraic structure of AIA is confidential and transparent, AIA is not visible to any group users.
Theorem 3 (Unforgeability) For any adversary , the probability that he successfully forged AIA is computationally infeasible. Proof: Assume is a legal AIA, and adversary has successfully forged an AIA denoted as . We give a brief proof as follows: The valid AIA is , and we have: The forged AIA is , and we also have: (2) we divide (1) by (2), and obtain: According to the above assumptions, we can know , and further we get . Here are two large prime selected randomly by the group manager. Obviously, the probability of is which is negligible.
Therefore, it can be inferred that the probability that the adversary successfully forges a legal AIA is negligible.

Theorem 4 (Non-malleability) For any two adversaries
, the AIA cannot be forged by collusion. Proof: Suppose that two adversaries possess certified by the group users, and haven got AIA respectively.
is a legal AIA. The non-malleability of the AIA scheme can be proved by the following: Two adversaries respectively choose random values , and they try to linearly aggregate AIA to obtain . But in fact, there is no way to infer a valid AIA , the reason is as follows: The algebraic structure of valid AIA is And the algebraic structure of the aggregated AIA is Obviously, the above equation does not hold. So, the valid AIA cannot be forged by two adversaries through linear aggregation. Therefore, it can be seen that for any two adversaries , the AIA cannot be forged by collusion.

The Proposed Scheme
In our proposed scheme, all the users who have not been revoked can upload data and share them with other group users. The group user authorized the TPA to perform remote data integrity verification of shared data. Further, in order to facilitate the authority management and ensure the correct execution of the public auditing of the revoked user's shared data, the audit results of the shared data are no longer returned to the group user but are recorded by the TPA and fed back to the group manager periodically. A remote data possession checking scheme with supporting efficient group user authority management consists of eight algorithms, which are introduced in detail in this section.
(1) Setup a) The PKG chooses two multiplicative cyclic groups G1 and G2 of prime order p, and g is a generator of G1. The PKG selects cryptographic hash function c) The PKG randomly picks elements .
d) The PKG publishes the system public parameter and holds the master secret key private.
(2) AuthForUser a) The new user enrolled into a group sends its requirement message to the group manager, and then obtains a valid AIA as a proof of access to the shared data. The AIA is (the calculation steps of the standard AIA has been detailed discussed in Section IV). b) The group manager adds the related information into UIT and updates the number of users in the group, namely, UN = UN +1.
(3) KeyGen a) The PKG picks and computes .
b) The PKG calculates . And then the PKG returns to the group manager.
c) After receiving the private key SKID, the group manager verifies its correctness according to (3): If (3) holds, the group manager accepts it and adds it into the UIT. Otherwise, reject it.
d) The group manager forwards the SKID to the group user. The specific process of the user applying for AIA and the private key is shown in Fig. 3.
(4) TagGen For the group users, the calculation process of the shared data tags set is depicted as follows: a) The user's shared file is F. Before creating the tags set, he divides F into n blocks , where .
b) The user sets the , where is a random value selected as the file identifier. c) For block , the user computes where .
d) The user sends shared file and its corresponding tags set {F, T} to the group manager, and deletes the local storage. Subsequently, the group manager will perform the data upload work.
(5) UpdateForUsers When one user is revoked from the group, the group   Fig. 3 The process of applying for AIA and private key manager executes the AuthUpdate algorithm to recompute and redistribute AIA for the rest of group users, resets UN = UN -1, and then updates the UIT (the detailed operations are mentioned in Section IV).

(6) Challenge
After the group users authorize the public auditing of their shared data to TPA, TPA periodically performs remote data checking, records audit results, and regularly feeds back it to the group manager. The specific process of single shared data integrity verification is as follows: a) The TPA determines a c, where . b) The TPA generates a PRP key and a PRF key , where . c) The TPA sends the to the CSP.

(7) ProofGen
After receiving the challenge set chal sent by the TPA, the CSP responds it, generates the auditing proof, and returns to the TPA a) The CSP computes .
c) The CSP sends the auditing proof to the

TPA. (8) ProofVerify
After receiving the auditing proof returned by the CSP, the TPA checks its correctness through equation (4): If (4) holds, returns "1", which means that the shared data stored in the CSP is intact; Otherwise, returns "0". TPA carefully and accurately records the results of each audit result, and regularly feeds back the audit results to the group manager. The detailed public auditing process is given in Fig. 4.   Fig. 4 The auditing process of the proposed scheme

Security Analysis
In this section, we prove that the proposed scheme is secure in term of the correctness and audit soundness.
Theorem 5 (Correctness) Our proposed scheme satisfies the following correctness: a) Private Key Correctness: A valid private key can be passed the correctness verification of the group manager. b) AIA Correctness: A valid AIA can be passed the verification of the group manager. c) Audit Correctness: Only when the CSP completely stores all the shared data of the user, during the audit phase, the auditing proof P he generates can pass the correctness verification of the TPA.
Proof: b) The AIA's correctness proof has been given in Section IV. c) Given a proof P returned by the CSP, the TPA can verify whether the left and right sides of (4) are equal to determine the correctness of auditing proof P.
If (4) holds, it indicates that the data stored in the CSP is intact, returns "1"; Otherwise, returns "0". Theorem 6 (Audit Soundness) If the CDH assumption and DL assumption hold in G1, and the tags set is existentially unforgeable; then, the CSP cannot pass the TPA's verification with negligible probability, in the case that it does not fully possess user's intact file.

Proof:
We construct a knowledge extractor to extract the challenged block through multiple interactions with the proposed scheme. That is, if the adversary can pass the TPA' verification but not possess the intact data, we can extract the challenged block by repeated interactions between the knowledge extractor and the proposed scheme. Here, we assume that the CSP acts as an adversary , and the TPA is regarded as the challenger . By executing the following series of games to implement repeated interactions between and , the audit soundness of proposed scheme can be proved. Game 0: Game 0 is defined in Section III. Game 1: Game 1 is the same as Game 0, but there exists a minor difference. The challenger keeps a list with recording all tags that the adversary has ever queried. Whenever the adversary makes the TagGen query, the challenger adds a record to this list.
Game 2: Game 2 is the same as Game 1, but there exists a minor difference. The challenger keeps a list with recording all responses that the adversary has ever responded. Consider the following situation: the adversary has passed the challenger 's correctness verification, but he does not hold the complete challenged blocks. Once this occurs, we say that the adversary has won, but the game will be aborted. According to the above description, we know that if the response has passed the challenger 's verification, the P must be correct and can pass the verification of (5).
Suppose the forged response is . Note that since the adversary has won, then, we have ; but the game will be aborted. Thus, there are two situations: or . Let 's gives the detailed analysis. a) If the aggregated tags , that is, is not equal ; but the returned response has successfully passed the correctness verification, the game will be aborted.

Analysis:
The forged proof is . Because the forgery is successful, we have the following formula holds.
Now we construct a simulator which can break CDH assumption with the non-negligible probability, in case that the adversary makes the game aborted.
The goal of the simulator is to output when as input. The simulator acts like the challenger in Game 1 but has some difference. The simulator chooses two random values and set . Then, the simulator interacts with the adversary . When received the forged proof , the simulator checks whether (6) holds. Obviously, ; otherwise, . We define . By dividing (6) by (5), setting the public value , we get: Further, we can obtain . If the CDH problem can be solved in G1, then must be calculable. So, it's clearly that the probability of solving the CDH problem in G1 is equivalent to compute the probability of . The probability of is 1/p which is negligible since p is a large prime. So, the probability of solving the CDH problem in G1 is 1-1/p. Further, the probability of the game abort is 1-1/p. Hence, if there is a non-negligible difference between the adversary 's probabilities of success in Game 1 and Game 2, then the constructed simulator can solve the CDH problem. b) If the aggregated message ; but the returned response has successfully passed the correctness verification, the game will be aborted. Analysis: We also construct a simulator can break DL assumption with the non-negligible probability, in case that the adversary makes the game aborted. The goal of the simulator is to output when as input. The simulator acts like the challenger in Game 1 but has some difference.
The simulator also chooses two random values and set .
Here, we have but . Then we define . By dividing (6) by (5), we can obtain: Obviously, that ; otherwise, which contradicts after mentioned assumption. Further we have . So, the probability of solving the DL problem in G1 is equivalent to compute the probability of b=0. The probability of b=0 is 1/p which is negligible since p is a large prime. So, the probability of solving the DL problem in G1 is 1-1/p. Further, the probability of the game abort is 1-1/p. Hence, if there is a non-negligible difference between the adversary 's probabilities of success in Game 1 and Game 2, then the constructed simulator can solve the DL problem. Based on the above proof, we can know that the differences between these games can be ignored. Further, it can be inferred that if the CSP does not store intact data of user, it must not pass the TPA's verification.

Performance Evaluation
In this section, we first give the functionality comparison between our scheme and other related schemes and show the computation and communication overheads of a group user at the different phases. Then we evaluate the performance of the proposed scheme through several experiments.

Functionality Comparison
We discuss the functionality comparison between our scheme and scheme [3], [24], [29], [30] in terms of public verification, group authority management and user revocation. The results are shown as Table 2. Note that our scheme is the only one that satisfies those four properties. Moreover, none of the schemes [3], [24], [29], [30] can support group authority management.

Performance Analysis and Comparison
For simplicity, we give the meaning of the following notations firstly. Here denote the hash operation in . express the   mean the multiplication operation in .
represents the pairing operation. indicate the addition operation in . c indicates the number of the challenged blocks and n is the total number of data blocks. |n| is the size of an element of set [1, n]. |p| is the size of an element in , and |q| is the size of an element in .
(1) Performance Analysis In Table 3 and Table 4, we show the computation and communication overheads of a group user at different phases. a) Computation overhead. In Table 3, we show the computation overheads of a group user at different phases of the proposed scheme. In the apply for authorization phase, users who apply to join the group need to generate a requirement message rm, and the computation overhead is . In AIA generation phase, the group manager generates an AIA for users according to its rm, and the computation overhead is . In AIA update phase, the group manager needs to reselect random elements to get the new , but spending is the same as the AIA generation phase. The computation overhead of proof generation phase is . In order to conduct the integrity verification, the TPA needs to check the correctness of (4). For computing , our scheme requires to perform these operations in G1, including (c+1) exponentiation operations, 2 multiplicative operations, (c-1) addition operation and c hash operations. In addition, the computation cost of calculating is .
b) Communication overhead. In Table 4, we also discuss the communication overheads of a group user at different phases of the proposed scheme. In the apply for Wang et al. [24] Zhang et al. [29] Fu et al. [30] Our scheme authorization" phase, the communication overhead comes from transmitting rm. In order to distribute the AIA for every group user, the communication cost is the same and all requires in the AIA generation and AIA update phases. In our proposed scheme, the communication overhead is mainly from the integrity auditing process. In the challenge phase, the TPA sends to the CSP, and the size of auditing challenge is bits.
To generate the auditing proof, the CSP compute and reply the TPA. And the size of an auditing proof is bits.
(2) Performance Comparison In Table 5, we compare the computation overhead in terms of proof generation and proof verification algorithms with Wang et al.'s scheme [24], Zhang et al.'s scheme [29] and Fu et al.'s scheme [30]. From the Table  5, we know that all schemes have the same computation overhead at the phase of proof generation. It should be noted that both schemes [24] and [30] are implemented by means of asymmetric bilinear pairing .
However, scheme [24] involves the multiplicative and exponentiation operations on GT, while scheme [30] does not. We also know that the scheme [29] uses the most types of calculations, and scheme [30] the least. To verify the correctness of auditing proof P, the computation cost of our scheme is .

Experimental Results
In this subsection, we evaluate the performance of the proposed scheme by several experiments. We run a series of experiments on a 1.8 GHZ Intel Core i5 processor and 8GB RAM. All the experiments using the Type A with the free Pairing-Based Cryptography (PBC) Library. In the implementation, we choose the based filed size to be 512 bits, and the size of to be 160 bits, this is, |p| = 160 bits. We set the file size to 20MB which divided into 1,000,000 data blocks.
(2) Auditing phase Fig. 6 Computation cost in the auditing process.
The integrity auditing process divide into challenge generation, proof generation and proof verification algorithms. In order to evaluate the computation cost during the auditing process of our scheme, we set the number of challenged blocks from 0 to 2000, with 200 as the interval. As shown in Fig. 6, we can see that the time cost in the three phases is directly proportional to the number of data blocks to be challenged. That is, as the number of challenged data blocks increases, the calculation overhead also increases. The challenge phase takes the least time, and the time cost varies from 0.015840s to 0.450362s. When the number of challenged data blocks equals to 200, the time of proof generation is 0.882022s; while it needs nearly 7.645638s when the challenged data blocks is 2000. Because different kinds of operations are involved, the proof verification phase is most time-consuming. And the time ranged from 1.698569s to 15.251921s. In the third part, we evaluate the performance of proof verification phase through comparing our scheme with Zhang et al.'s scheme [29]. We set the number of the challenged blocks from 0 to 1000, increased by an interval of 100. Fig. 7 gives more details. It is clear that our scheme spends less than Zhang et al.'s scheme [29], which is consistent with the results obtained by the previous computational overhead analysis. As the number of challenged data blocks increases, the time cost in the proof verification phase of two schemes increases linearly. And in this phase, our scheme time ranged from 0.857812s to 8.184904s, while the Zhang et al.'s scheme [29] varied from 1.939095s to 9.195359s.

Conclusion
In this paper, we propose a remote data possession checking scheme for shared data, which can support group user authority management within the group. In order to realize group user authority management, we introduce a new entity -group manager, and further propose a standard AIA scheme. In addition, we propose a public auditing scheme for non-revoked users' shared data; and it's worth mentioning that in our scheme, the cost of user revocation is no longer depended on the number of data blocks, but only related to the number of users. Our proposed scheme is designed based on IBE, which reduce the necessary certificate management cost caused by PKI distribution of private keys. Security analysis and experimental results demonstrate that the scheme is safe and feasible.  Table.