A Privacy-Preserving Unpadded RSA based-Third Party Auditing Protocol for Cloud Storage Secure

The motivation of this paper is to present an improved privacy-preserving public auditing protocol for secure cloud storage, which is based on unpadded RSA based public auditing. Many protocols have been proposed to secure cloud storage. However, many issues remain, such as enabling worry-free public auditing, user data privacy and additional online burden to users. Thus, in this paper we propose a secure cloud storage system supporting privacy-preserving unpadded RSA based public auditing. The proposed protocol solves all the above-mentioned issues and additionally supports batch auditability. Compared with the existing encryption protocols, the proposed protocol is much better in terms of data privacy and public auditability.


INTRODUCTION
Cloud computing has been envisioned as the next generation Information Technology (IT) architecture for enterprises, due to its long list of unprecedented advantages in the IT history: on-demand self-service, ubiquitous network access, location independent resource pooling, rapid resource elasticity, usage-based pricing and transference of risk [Mell & Grance, 2009]. As a disruptive technology with profound implications, cloud computing is transforming the very nature of how businesses use information technology. One fundamental aspect of this paradigm shift is that data are being centralized or outsourced to the cloud. From the users' perspective, including both individuals and IT enterprises, storing data remotely in the cloud in a flexible on-demand manner brings appealing benefits: relief of the burden of storage management, universal data access with location independence, and avoidance of capital expenditure on hardware, software, and personnel maintenance [Armbrust et al., 2009].
While cloud computing makes these advantages more appealing than ever, it also brings new and challenging security threats towards users' outsourced data. Since Cloud Service Providers (CSP) are separate administrative entities, data outsourcing actually relinquishes the user's ultimate control over the fate of their data. As a result, the correctness of the data in the cloud is being put at risk for the following reasons. First of all, although the infrastructures under the cloud are much more powerful and reliable than personal computing devices, they still face a broad range of both internal and external threats to data integrity [Cloud Security Alliance, 2010]. Examples of outages and security breaches of noteworthy cloud services appear from time to time [Arrington, 2006; Kincaid, 2008; Amazon.com, 2008]. Second, there exist various motivations for a CSP to behave unfaithfully towards the cloud users regarding the status of their outsourced data. For example, a CSP might reclaim storage for monetary reasons by discarding data that have not been or are rarely accessed, or even hide data loss incidents to maintain a reputation [Ateniese et al., 2007; Shah et al., 2008; Wang et al., 2011]. In short, although outsourcing data to the cloud is economically attractive for long-term large-scale storage, it does not immediately offer any guarantee on data integrity and availability. This problem, if not properly addressed, may impede the success of the cloud architecture.
As users no longer physically possess the storage of their data, traditional cryptographic primitives for the purpose of data security protection cannot be directly adopted [Juels et al., 2007]. In particular, simply downloading all the data for its integrity verification is not a practical solution due to the expense of I/O and transmission across the network. Besides, it is often insufficient to detect data corruption only when accessing the data, as this does not give users correctness assurance for unaccessed data and might be too late to recover from the data loss or damage. Considering the large size of the outsourced data and the user's constrained resource capability, the task of auditing data correctness in a cloud environment can be formidable and expensive for the cloud users [Cloud Security Alliance, 2009; Wang et al., 2011]. Moreover, the overhead of using cloud storage should be minimized as much as possible, such that a user does not need to perform too many operations to use the data (in addition to retrieving the data). In particular, users may not want to go through the complexity of verifying the data integrity. Besides, more than one user may access the same cloud storage, say in an enterprise setting. For easier management, it is desirable that the cloud only entertains verification requests from a single designated party.
To fully ensure data integrity and save the cloud users' computation resources as well as online burden, it is of critical importance to enable a public auditing service for cloud data storage, so that users may resort to an independent Third-Party Auditor (TPA) to audit the outsourced data when needed. The TPA, who has the expertise and capabilities that users do not, can periodically check the integrity of all the data stored in the cloud on behalf of the users, which provides a much easier and more affordable way for the users to ensure their storage correctness in the cloud. Moreover, in addition to helping users evaluate the risk of their subscribed cloud data services, the audit result from the TPA would also be beneficial for the cloud service providers to improve their cloud-based service platform, and could even serve independent arbitration purposes [Shah et al., 2008]. In a word, enabling public auditing services will play an important role in helping this nascent cloud economy become fully established, where users will need ways to assess risk and gain trust in the cloud.
Recently, the notion of public auditability has been proposed in the context of ensuring remotely stored data integrity under different system and security models [Ateniese et al., 2007; Juels et al., 2007; Shacham & Waters, 2008; Wang et al., 2011]. Public auditability allows an external party, in addition to the user himself, to verify the correctness of remotely stored data. However, most of these schemes [Ateniese et al., 2007; Shacham & Waters, 2008; Wang et al., 2011] do not consider the privacy protection of users' data against external auditors. Indeed, they may potentially reveal the user's data to auditors, as will be discussed in Section 3.4. This severe drawback greatly affects the of these protocols in cloud computing. From the perspective of protecting data privacy, the users, who own the data and rely on the TPA just for the storage security of their data, do not want this auditing process to introduce new vulnerabilities of unauthorized information leakage to their data security [Shah et al., 2007; Wang et al., 2010]. Moreover, there are legal regulations, such as the US Health Insurance Portability and Accountability Act (HIPAA) [104th United States Congress, 1996], further demanding that the outsourced data not be leaked to external parties [Shah et al., 2008]. Simply exploiting data encryption before outsourcing [Shah et al., 2007; Juels et al., 2007] could be one way to mitigate this privacy concern of data auditing, but it could also be overkill when employed in the case of unencrypted/public cloud data (e.g., outsourced libraries and scientific data sets), due to the unnecessary processing burden for cloud users. Besides, encryption does not completely solve the problem of protecting data privacy against third-party auditing but just reduces it to the complex key management domain. Unauthorized data leakage still remains possible due to the potential exposure of decryption keys.
Therefore, how to enable a privacy-preserving third party auditing protocol, independent of data encryption, is the problem we are going to tackle in this paper. Our work is among the first few to support privacy-preserving public auditing in cloud computing, with a focus on data storage. Besides, with the prevalence of cloud computing, a foreseeable increase of auditing tasks from different users may be delegated to the TPA. As the individual auditing of these growing tasks can be tedious and cumbersome, a natural demand is then how to enable the TPA to efficiently perform multiple auditing tasks in a batch manner, i.e., simultaneously.
To address these problems, our work utilizes the technique of unpadded RSA based homomorphic linear authenticator (or HLA for short) [Ateniese et al., 2007; Shacham & Waters, 2008; Wang et al., 2011], which enables the TPA to perform the auditing without demanding a local copy of the data and thus drastically reduces the communication and computation overhead as compared to the straightforward data auditing approaches. By integrating the HLA with random masking, our protocol guarantees that the TPA cannot learn any knowledge about the data content stored in the Cloud Server (CS) during the efficient auditing process.
The rest of the paper is organized as follows: Section II presents the related works. Section III lays out our problem statement. Then, we provide the detailed description of our proposed work in Section 3. Finally, Section 4 gives the concluding remarks of the whole paper.

III. PROBLEM STATEMENT
We consider a cloud data storage service involving three different entities, as illustrated in Fig. 1: the cloud user, who has a large amount of data files to be stored in the cloud; the cloud server, which is managed by the cloud service provider to provide data storage service and has significant storage space and computation resources (we will not differentiate CS and CSP hereafter); and the third-party auditor, who has the expertise and capabilities that cloud users do not have and is trusted to assess the cloud storage service reliability on behalf of the user upon request. Users rely on the CS for cloud data storage and maintenance. They may also dynamically interact with the CS to access and update their stored data for various application purposes. As users no longer possess their data locally, it is of critical importance for users to ensure that their data are being correctly stored and maintained. To save the computation resources as well as the online burden potentially brought by periodic storage correctness verification, cloud users may resort to the TPA for ensuring the storage integrity of their outsourced data, while hoping to keep their data private from the TPA.
We assume the data integrity threats towards users' data can come from both internal and external attacks at the CS. These may include: software bugs, hardware failures, bugs in the network path, economically motivated hackers, malicious or accidental management errors, etc. Besides, the CS can be self-interested. For its own benefit, such as to maintain reputation, the CS might even decide to hide these data corruption incidents from users. Using a third-party auditing service provides a cost-effective method for users to gain trust in the cloud. We assume the TPA, who is in the business of auditing, is reliable and independent. However, it may harm the user if the TPA could learn the outsourced data after the audit.
Note that in our model, beyond users' reluctance to leak data to the TPA, we also assume that cloud servers have no incentives to reveal their hosted data to external parties. On the one hand, there are regulations, e.g., HIPAA [104th United States Congress, 1996], requesting the CS to maintain users' data privacy. On the other hand, as users' data belong to their business assets [Shah et al., 2008], there also exist financial incentives for the CS to protect it from any external parties. Therefore, we assume that neither the CS nor the TPA has motivation to collude with the other during the auditing process. In other words, neither entity will deviate from the prescribed protocol execution in the following presentation.
To authorize the CS to respond to the audit delegated to the TPA, the user can issue a certificate on the TPA's public key, and all audits from the TPA are authenticated against such a certificate. These authentication handshakes are omitted in the following presentation.

IV. CHALLENGES
To enable privacy-preserving public auditing for cloud data storage under the aforementioned model, our protocol design should meet the following security and performance challenges:
- Public auditability: to allow the TPA to verify the correctness of the cloud data flexibly, on demand, without retrieving a copy of the whole data or introducing additional online burden to the cloud users.
- Storage correctness: to ensure that there exists no cheating cloud server that can pass the TPA's audit without indeed storing users' data intact.
- Privacy preserving: to ensure that the TPA cannot derive users' data content from the information collected during the auditing process.

V. PROPOSED WORK
This section presents our public auditing scheme, which provides a complete outsourcing solution of data: not only the data itself, but also its integrity checking. We follow a similar definition of previously proposed schemes in the context of remote data integrity checking [Ateniese et al., 2007; Juels et al., 2007; Shacham & Waters, 2008] and adapt the framework for our privacy-preserving public auditing system. A public auditing scheme consists of four algorithms (KeyGen, SigGen, GenProof, VerifyProof). KeyGen is a key generation algorithm that is run by the user to set up the scheme. SigGen is used by the user to generate verification metadata, which may consist of digital signatures. GenProof is run by the cloud server to generate a proof of data storage correctness, while VerifyProof is run by the TPA to audit the proof. Running a public auditing system consists of two phases, Setup and Audit:
- Setup: The user initializes the public and secret parameters of the system by executing KeyGen, and preprocesses the data file F by using SigGen to generate the verification metadata. The user then stores the data file F and the verification metadata at the cloud server, and deletes its local copy. As part of preprocessing, the user may alter the data file F by expanding it or including additional metadata to be stored at the server.
- Audit: The TPA issues an audit message or challenge to the cloud server to make sure that the cloud server has retained the data file F properly at the time of the audit. The cloud server will derive a response message by executing GenProof using F and its verification metadata as inputs. The TPA then verifies the response via VerifyProof.
Our framework assumes that the TPA is stateless, i.e., the TPA does not need to maintain and update state between audits, which is a desirable property especially in a public auditing system [Shacham & Waters, 2008]. Note that it is easy to extend the framework above to capture a stateful auditing system, essentially by splitting the verification metadata into two parts which are stored by the TPA and the cloud server, respectively. Our design does not assume any additional property of the data file. If the user wants more error resilience, he can first redundantly encode the data file and then use our system with the data that has error-correcting codes integrated.

Overview
To achieve privacy-preserving public auditing, we propose to uniquely integrate the unpadded RSA based homomorphic linear authenticator with a random masking technique. In our protocol, the linear combination of sampled blocks in the server's response is masked with randomness generated by the server. With random masking, the TPA no longer has all the necessary information to build up a correct group of linear equations and therefore cannot derive the user's data content, no matter how many linear combinations of the same set of file blocks are collected. On the other hand, the correctness validation of the block-authenticator pairs can still be carried out in a new way which will be shown shortly, even in the presence of the randomness. Our design makes use of an unpadded RSA-based HLA to equip the auditing protocol with public auditability. Specifically, we use the HLA proposed in [Shacham & Waters, 2008], which is based on the short signature scheme proposed by Boneh, Lynn, and Shacham (hereinafter referred to as the BLS signature) [Boneh et al., 2004].
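The privacy problem that random masking addresses, as an added example that is not part of the paper: when the server returns the plain linear combination of the sampled blocks, an auditor who challenges the same s blocks s times with independent coefficients holds a solvable linear system. The block values, coefficient range and function names are constructed for the illustration.

```python
import random
from fractions import Fraction


def respond(blocks, coeffs):
    """Unmasked server response: mu = sum(nu_i * m_i)."""
    return sum(nu * m for nu, m in zip(coeffs, blocks))


def solve(rows, rhs):
    """Gauss-Jordan elimination over the rationals; None if singular."""
    n = len(rows)
    a = [[Fraction(v) for v in row] + [Fraction(b)]
         for row, b in zip(rows, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] != 0), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        a[col] = [v / a[col][col] for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                factor = a[r][col]
                a[r] = [x - factor * y for x, y in zip(a[r], a[col])]
    return [int(row[n]) for row in a]


def auditor_view(blocks, rng):
    """Challenges and responses seen after len(blocks) audits."""
    s = len(blocks)
    chals = [[rng.randrange(1, 2**16) for _ in range(s)] for _ in range(s)]
    return chals, [respond(blocks, c) for c in chals]


def recover_blocks(chals, mus):
    """What the auditor can compute from its own transcript alone."""
    return solve(chals, mus)
```

A masked response hides mu behind server-chosen randomness, so the right-hand side of this system is no longer known to the auditor.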

Scheme Details
Homomorphic encryption is a form of encryption which allows specific types of computations to be carried out on ciphertext and generate an encrypted result which, when decrypted, matches the result of operations performed on the plaintext. This is a desirable feature in modern communication system architectures. Homomorphic encryption would allow the chaining together of different services without exposing the data to each of those services; for example, a chain of different services from different companies could 1) calculate the tax, 2) the currency exchange rate, 3) shipping, on a transaction without exposing the unencrypted data to each of those services. Homomorphic encryption schemes are malleable by design. The homomorphic property of various cryptosystems can be used to create secure voting systems, hash functions, private information retrieval schemes and enable widespread use of cloud computing by ensuring the confidentiality of processed data.
There are several efficient, partially homomorphic cryptosystems, and a number of fully homomorphic, but less efficient cryptosystems. Although a cryptosystem which is unintentionally homomorphic can be subject to attacks on this basis, if treated carefully homomorphism can also be used to perform computations securely.
In the following examples, the notation () is used to denote the encryption of the message x.
If the RSA public key is modulus  and exponent , then the encryption of a message is given by   =    .The homomorphic property is then   1 .  2 =  1   2    −  1  2    = ( 1 . 2 )
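An added example, not taken from the paper: the multiplicative homomorphism of unpadded RSA and the four algorithms KeyGen, SigGen, GenProof and VerifyProof built on it as an RSA-based homomorphic linear authenticator. The paper gives no equations for its scheme, so the tag formula, the hash H, the public element u, the notation E(x) and the toy primes are assumptions, and the random masking step is left out.

```python
import hashlib
import secrets
from math import gcd

# Toy primes (constructed for the example); real use needs >= 2048-bit N.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def keygen():
    """KeyGen: public key (N, e, u) and secret exponent d."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    u = 0
    while u < 2 or gcd(u, n) != 1:
        u = secrets.randbelow(n)
    return (n, E, u), d

def encrypt(pk, x):
    """Unpadded (textbook) RSA: E(x) = x^e mod N."""
    return pow(x, pk[1], pk[0])

def H(n, name, i):
    """Hash a (file name, block index) pair into Z_N."""
    digest = hashlib.sha256(f"{name}|{i}".encode()).digest()
    return int.from_bytes(digest, "big") % n

def siggen(pk, d, name, blocks):
    """SigGen: tag_i = (H(name, i) * u^m_i)^d mod N, one per block."""
    n, _, u = pk
    return [pow(H(n, name, i) * pow(u, m, n) % n, d, n)
            for i, m in enumerate(blocks)]

def challenge(num_blocks, c):
    """TPA picks c block indices, each with a random coefficient nu_i."""
    idx = secrets.SystemRandom().sample(range(num_blocks), c)
    return [(i, secrets.randbelow(2**16) + 1) for i in idx]

def genproof(pk, blocks, tags, chal):
    """GenProof: mu = sum(nu_i * m_i), sigma = prod(tag_i^nu_i) mod N."""
    n = pk[0]
    mu = sum(nu * blocks[i] for i, nu in chal)
    sigma = 1
    for i, nu in chal:
        sigma = sigma * pow(tags[i], nu, n) % n
    return mu, sigma  # mu is unmasked here; the paper adds random masking

def verifyproof(pk, name, chal, proof):
    """VerifyProof: sigma^e == prod(H(name, i)^nu_i) * u^mu (mod N)."""
    n, e, u = pk
    mu, sigma = proof
    expected = pow(u, mu, n)
    for i, nu in chal:
        expected = expected * pow(H(n, name, i), nu, n) % n
    return pow(sigma, e, n) == expected

def demo():
    """Audit an intact copy, then a copy with one flipped bit."""
    pk, d = keygen()
    data = b"constructed sample file contents for the audit example"
    blocks = [int.from_bytes(data[i:i + 8], "big")
              for i in range(0, len(data), 8)]
    tags = siggen(pk, d, "file-1", blocks)
    chal = challenge(len(blocks), 4)
    intact = verifyproof(pk, "file-1", chal, genproof(pk, blocks, tags, chal))
    damaged = list(blocks)
    damaged[chal[0][0]] ^= 1
    corrupt = verifyproof(pk, "file-1", chal, genproof(pk, damaged, tags, chal))
    return intact, corrupt
```

The verifier needs only the public key, the challenge and the two-value proof, never the blocks themselves, which is what makes the audit public and cheap for the TPA.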

VI. CONCLUSION
In this paper, we propose a privacy-preserving public auditing system for data storage security in cloud computing. We utilize the unpadded RSA based homomorphic linear authenticator and random masking to guarantee that the TPA would not learn any knowledge about the data content stored on the cloud server during the efficient auditing process, which not only eliminates the burden of cloud user from the tedious and possibly expensive auditing task, but also alleviates the users' fear of their outsourced data leakage.
Considering TPA may concurrently handle multiple audit sessions from different users for their outsourced data files, we further extend our privacy-preserving public auditing protocol into a multiuser setting, where the TPA can perform multiple auditing tasks in a batch manner for better efficiency. Extensive analysis shows that our schemes are provably secure and highly efficient. We leave the full-fledged implementation of the mechanism on commercial public cloud as an important future extension, which is expected to robustly cope with very large scale data and thus encourage users to adopt cloud storage services more confidently.
[Ateniese et al., 2007; Shacham & Waters, 2008]evability" (PoR) model, where spot-checking and error-correcting codes are used to ensure both "possession" and "retrievability" of data files on remote archive service systems. However, the number of audit challenges a user can perform is fixed a priori, and public auditability is not supported in their main scheme. Although they describe a straightforward Merkle-tree construction for public PoRs, this approach only works with encrypted data. Later, Bowers et al. (2009) propose an improved framework for PoR protocols that generalizes Juels' work. Dodis et al. (2009) also give a study on different variants of PoR with private auditability. Shacham & Waters (2008) design an improved PoR scheme built from BLS signatures [Boneh et al., 2004] with proofs of security in the security model defined in [Juels et al., 2007]. Similar to the construction in [Ateniese et al., 2007], they use publicly verifiable homomorphic linear authenticators that are built from provably secure BLS signatures. Based on the elegant BLS construction, a compact and publicly verifiable scheme is obtained. Again, their approach is not privacy preserving due to the same reason as [Ateniese et al., 2007]. Shah et al. (2007; 2008) propose introducing a TPA to keep online storage honest by first encrypting the data then sending a number of precomputed symmetric-keyed hashes over the encrypted data to the auditor. The auditor verifies the integrity of the data file and the server's possession of a previously committed decryption key. This scheme only works for encrypted files, requires the auditor to maintain state, and suffers from bounded usage, which potentially brings in online burden to users when the keyed hashes are used up. Dynamic data have also attracted attention in the recent literature on efficiently providing the integrity guarantee of remotely stored data. Ateniese et al. (2008) is the first to propose a partially dynamic version of the prior PDP scheme, using only symmetric key cryptography but with a bounded number of audits. Wang et al. (2012) consider a similar support for partially dynamic data storage in a distributed scenario with the additional feature of data error localization. In a subsequent work, Wang et al. (2011) propose to combine BLS-based HLA with MHT to support full data dynamics. Concurrently, Erway et al. (2009) develop a skip list based scheme to also enable provable data possession with full dynamics support. However, the verification in both protocols requires the linear combination of sampled blocks as an input, like the designs in [Ateniese et al., 2007; Shacham & Waters, 2008], and thus does not support privacy-preserving auditing. In other related work, Sebe et al. (2008) thoroughly study a set of requirements which ought to be satisfied for a remote data possession checking protocol to be of practical use. Their proposed protocol supports unlimited times of file integrity verifications and allows preset tradeoff between the protocol running time and the local storage burden at the user.

372 IEEE Transactions on Computers, Vol. 62, No. 2, February 2013

Fig. 3. Comparison on auditing time between batch and individual auditing, when -fraction of 256 responses are invalid: Per task auditing time denotes the total auditing time divided by the of tasks.

[Wang et al., 2010A]uditing outsourced data and suggest randomly sampling a few blocks of the file. However, among their two proposed schemes, the one with public auditability exposes the linear combination of sampled blocks to an external auditor. When used directly, their protocol is not provably privacy preserving, and thus may leak user data information to the external auditor.

with a large number of audit delegations.

Portions of the work presented in this paper have previously appeared as an extended abstract in [Wang et al., 2010A]. We have revised the paper a lot and improved many technical details as compared to [Wang et al., 2010A]. The primary improvements are as follows: First, we provide a new privacy-preserving public auditing protocol with enhanced security strength. All the experiments in our performance evaluation for the newly designed protocol are completely redone. Finally, we provide formal analysis of privacy-preserving guarantee and storage correctness, while only heuristic arguments are sketched in [Wang et al., 2010A].