A threshold hybrid encryption method for integrity audit without trusted center

Cloud storage with sharing services is increasingly popular among data owners. However, it is difficult for the users to know if the cloud server providers (CSPs) indeed protect their data. To verify data integrity and preserve data and key privacy in the group, this paper proposes a new threshold hybrid encryption for integrity auditing method without trusted center. The proposed method is developed based on the Advanced Encryption Standard (AES) and the Elliptic Curve Cryptography (ECC) with Shamir secret sharing. In this way, the key can be distributed and managed without trusted center, preserving the privacy of the key of the AES and users’ private key. Besides, we design and implement a novel integrity auditing and re-signature method which verifies the data integrity and solves the collusion question of the cloud and the revoked users. Security analysis and performance evaluation demonstrate that the proposed scheme realizes the correctness, security, and efficiency with a low communication and computation cost.

With the emergence and widespread application of information technology in artificial intelligence (AI), Internet of things (IoT), and mobile internet [1, 2], data has achieved the explosive growth, especially in the industrial Internet of things(IIoT) applications [3]. Facing the burden of data storage, an increasing number of individuals and organizations has chosen to store their data in the cloud, which accelerates the rapid development of cloud storage in cloud computing [4, 5]. On the upside, the cloud storage can save the local space, freeing a lot of local computing power; on the downside, the data outsourced to the cloud may face many risks, including but not limited to data loss, privacy leak, and security attacks [6, 7].

In fact, the outsourced data are not controlled by the user. To save the storage space, the cloud may remove the rarely used or highly repeated data, which breaks the integrity of the user data in the cloud. It is impossible for most users, with limited auditing power, to know if their data in the cloud are still complete. To solve the problem, the user can entrust a third party to audit the integrity of his/her data by checking the accuracy, validity, and consistency of the data and pinpointing the incomplete or missing entries in the data storage. The integrity auditing is particularly important for group users of cloud storage with sharing services, as any misbehaving user in the group may endanger the data security of other group members. After all, users in the same group can share data with each other, and access and modify the shared data [8–10].

The integrity auditing mechanisms [11–13] have been proposed continuously. Verifying the integrity of shared data in the group based on public key infrastructure (PKI) faces severe security risks and a high computation cost [14, 15], most of them do not preserve the data privacy in the cloud environment, and do not mention safe management of the key. What is worse, the previous studies have concentrated on data security and data integrity in the cloud, failing to tackle the data security in the upload or download process, while the data are easily stolen by hacking attacks. To mitigate the risk and protect the privacy, the data and key should be encrypted. Therefore, it is important to develop an efficient and secure encryption scheme to preserve the data and key privacy, which supports the integrity auditing of the data shared between multiple parties.

The data shared by multiple parties can be applied to various applications, especially in collaborative scenarios. For instance, deep learning has provided an effective solution to collaborative learning and parallel computing in federal learning. However, many deep learning schemes cannot preserve privacy due to the lack of cryptographic tools [16]. Few schemes [17, 18] combing encryption technique fail to tackle the collusion between the CSP and users.

To address the aforementioned challenge, this paper designs an integrity auditing method based on a threshold hybrid encryption method without trusted center, which supports public auditing of data integrity with Shamir secret sharing. The main contributions of this paper are as follows:

1. (1)

   We introduce a novel threshold hybrid encryption scheme that the user data are encrypted by the Advanced Encryption Standard (AES), and the key seed of the AES is encrypted by the Elliptic Curve Cryptography (ECC), promoting the encryption efficiency and protecting data and key privacy.

2. (2)

   We adopt Shamir secret sharing employing multiple managers in the group to generate and dispense secret without trusted center, which facilitates the distribution and management of the keys. In this way, the multi-managers scenario is transformed into the multi-proxy scenario, which reduces the probability of malicious managers and makes the entire mechanism reliable and secure.

3. (3)

   Our method supports public auditing with a trusted third-party auditor (TPA) and re-signature with the revoked users’ data by the cloud with the help of a manager. Security analysis and performance evaluation indicate that our method achieves the validity and security, verifies the encryption effectiveness, shortens the re-signature time, and reduces the communication and computation cost.

Literature review

Much research has been done to audit data integrity at home and abroad. For instance, Ateniese et al. [19] proposed a public auditing protocol for static data integrity under the challenge-proof-verify mechanism, eliminating the need to retrieve the entire data. To support dynamic data, Ateniese et al. [20] designed a scalable public auditing strategy based on symmetric encryption. However, this strategy can only respond to a limited number of auditing requests, failing to fully support the integrity auditing of dynamic data. Neither of the above two schemes considers data privacy. Wang et al. [21] introduced a TPA to realize privacy-preserving integrity auditing of the dynamic data in the cloud.

To ensure secure data sharing among users, Guo et al. [22] presented a key-aggregate authentication cryptosystem to share dynamic data in the cloud. Shen et al. [23] prepared a data integrity auditing scheme that shared the data based on identity, without exposing sensitive information. Chi et al. [24] designed a novel cloud storage encryption scheme that allowed the CSP to protect user privacy with convincing fake secrets. Yu et al. [25] came up with a paradigm named strong key-exposure resilient auditing for secure cloud storage.

Harn [26] developed a threshold signature mechanism that enabled the group members to produce public and private keys of the group, however, it could not resist the collusion attack. Wang [27] put forward the identity-based distributed provable data possession (ID-DPDP) scheme which achieved public auditing of the data stored in multiple clouds. Since then, the threshold signature has attracted a lot of attention in the research of data integrity auditing [28, 29].

Recent years saw some threshold encryption schemes that encrypted data with dispersed encryption rights by secret sharing [30]. The existing threshold encryption schemes [31, 32] take a trusted center to produce and distribute the secret shares of all managers, which is an authoritative member of the system and can recover the secret without the aid of other members. Nonetheless, the trusted center might lead to authority deception and nullify the meaning of secret [33]. To solve the problem, Jie et al. [34] presented a threshold encryption method without trusted center, which encrypted and decrypted the privacy data through the collaboration between multiple players. Nevertheless, Jie’s method, solely relying on the ECC, cannot efficiently encrypt a large amount of data and does not apply to the cloud environment. Based on the TPA and the AES, Shimbre et al. [35] proposed enhancing distributed data storage security scheme for cloud computing utilizing the file distribution and SHA-1 technique, however, it did not consider signature and key security. Based on the state of the art, we compare common functions for auditing schemes in Table 1. These schemes are named according to the literature name or using the original naming method.

In machine learning, Sangaiah et al. [37] proposed a method for conserving position confidentiality using machine learning techniques by merging decision trees and k-nearest neighbor. Meanwhile, Sangaiah et al. [38] presented an energy-aware green adversary model for its use in the smart industrial environment through achieving position and information confidentiality in cyber-physical security. Both of the above two schemes protected the position or information confidentiality well in non-cryptographic mechanism. In a privacy-preserving multi-user collaborative deep learning model, Phong et al. [17] presented a privacy-preserving deep learning model via additively homomorphic encryption through federal learning. However, the model was still weak against the collusion of the server and trainers. Subsequently, Phong et al. [18] proposed a privacy-preserving deep learning model via weight transmission which protected the input privacy of each participant through symmetric encryption, without considering the collusion and key security.

To solve the problem of data and key privacy, resist the hacking and collusion attack, and ensure signature security, this paper proposes a threshold hybrid encryption method for integrity auditing without trusted center. The method employs the AES and the ECC to promote encryption efficiency and protect data and key privacy. To manage and distribute the keys, we use Shamir secret sharing with multiple managers in a group. Using the challenge-response game for the cooperation of the TPA and the CSP with a re-signature mechanism, we realize the integrity auditing and data dynamic update with a low communication and computation cost. The method is a universal encryption construction for cloud storage with sharing services and collaborative learning of deep learning, which promotes data sharing in the group and enhances the encryption efficiency and key security.

Organization

The remainder of this paper is organized as follows: “Preliminaries” section introduces some preliminaries; “System model and threat model” section establishes the system model and threat model; “Construction of the scheme” section details the construction of our method; “Correctness and security analysis” section analyzes the correctness and security of our method; Performance analysis is demonstrated in “Performance analysis”; “Conclusions” sections wraps up this paper with conclusions.

The main notations used in the description of our scheme are shown in Table 2.

Bilinear pairing and discrete logarithm (DL) problem

Bilinear pairing has been widely employed in cryptography and utilizes in data auditing at present. The detailed description is followed.

Definition 1

(Bilinear Pairing) Let \({\mathbb {G}_{1}}\) and \({\mathbb {G}_{2}}\) be two multiplicative cyclic groups with a prime order p, g be a generator of \({\mathbb {G}_{1}}\). A bilinear pairing \({e}: {\mathbb {G}_{1}}\times {{\mathbb {G}_{1}}\rightarrow {\mathbb {G}_{2}}}\) is a map function satisfying the three properties below:

1. (1)

   Bilinearity: for \(\forall ~u, v\in {\mathbb {G}_{1}}\) and \(a, b\in \mathbb {Z}_{p}^{*}\), there is e(u^a,v^b)=e(u,v)^ab.

2. (2)

   Computability: for \(\forall ~u, v\in {\mathbb {G}_{1}}, e(u, v)\) can be computed efficiently.

3. (3)

   Non-degeneracy: \(\exists ~u, v\in {\mathbb {G}_{1}}\), there is e(u,v)≠1.

Definition 2

(Discrete Logarithm (DL) problem) Let \({\mathbb {G}_{1}}\) be a multiplicative cyclic group, g be a generator of \({\mathbb {G}_{1}}\). Let unknown element \(a\in \mathbb {Z}_{p}^{*}\), given the value of \({g}, {g}^{a}\in {\mathbb {G}_{1}}\) as input, the DL problem is to output a.

Definition 3

(Discrete Logarithm (DL) assumption) For any probabilistic polynomial time (PPT) adversary \(\mathcal {A}_{\mathcal {{DL}}}\), the advantage for \(\mathcal {A}_{\mathcal {{DL}}}\) to solve the DL problem in \({\mathbb {G}_{1}}\) is negligible, which is defined as

Thereinto, a negligible value is denoted as ε in the above definitions.

Shamir secret sharing

Shamir secret sharing [39] assumes that a dealer holds a secret s and shares among N users by giving each user a share, and the secret s can be recovered from any t users. In other words, the original secret cannot be restored unless the number of users involved in decryption exceeds the threshold value t. This secret preservation strategy is also known as the (t, N) threshold method.

The advantage of this method applied in our scheme lies in the decentralized authority of group managers [40]. In this method, each manager can encrypt the user data, but cannot decrypt the ciphertext alone. To recover the plaintext data, there must be no less than t managers involved in decryption. More importantly, the failure of any manager in decryption does not affect the recovery of the plaintext. This property leads to the robustness of our system.

System model

As shown in Fig. 1, our system model contains three entities: the CSP, the TPA, and a user group with multiple managers.

System Model

Full size image

CSP

The CSP stores user data in the cloud platform with sharing services, works with the TPA to validate data integrity, and checks the legality of signature users.

TPA

With the professional knowledge of data auditing, the TPA executes public auditing with the CSP through the challenge-response game. During the game, the TPA launches challenges to the CSP, and the CSP responses the proof to prove the integrity of the data challenged by the TPA. Then, the TPA calculates the auditing results to return to the manager or the user.

User group with multiple managers

The user group contains both managers and users. The group managers can encrypt user data, upload them to the CSP, and decrypt the data before returning them to users. The encryption and decryption are conducted by multiple managers through Shamir secret sharing. To ensure correct decryption, the number of managers participating in the process must surpass the threshold value t. Any group user can upload his/her data to the CSP through a manager and download the shared data from the CSP. Each user can also access, modify, and delete the data shared by other users.

Threat model

As mentioned before, the data outsourced to the cloud may face many risks, including but not limited to data loss, privacy leakage, and security attacks. This paper mainly focuses on data leakage, authoritative attack, key exposure, and data integrity verification. Data integrity was mentioned earlier and will not be described here.

Data leakage

Data privacy is the key to the outsourcing storage and integrity auditing of sensitive data. Nonetheless, the privacy-preserving techniques for cloud storage, such as data encryption or differential privacy, cannot prevent data leakage in the outsourcing storage process. For example, when a user is revoked from the user group, its privilege to access, modify, and delete other users’ data are not immediately revoked, sowing the risk of data leakage.

Authoritative attack

If there is only one manager in the group, the manager will possess virtually unlimited authority and easily acquire all the data before encryption, causing the authoritative attack of the trusted center. To prevent the attack, the data are encrypted by the hybrid threshold encryption method with the secret sharing and recovered by not less than t managers in our scheme.

Key exposure

Key exposure is one serious security problem for cloud storage, which will cause the data more insecurity. Many methods have been developed to solve this problem, such as the paradigm called strong key-exposure resilient auditing for secure cloud storage [25]. Here, the key exposure is guarded against by encrypting the AES key with the ECC.

In general, our threshold hybrid encryption method consists of five phases: key generation, data encryption, integrity auditing, data decryption, and user revocation & re-signature.

Key generation

Let \({\mathbb {F}_{\eta }}\) be a finite field with η elements, \(E\left (\mathbb {F}_{\eta }\right)\) be an elliptic curve on the finite field, Q be the generator of the curve. Both the elliptic curve and the generator are public. Let \({\mathbb {F}_{q}}\) be a finite field containing the domain of possible secrets with q>N, q be a prime number, and N be the number of the managers {P₁,P₂,…,P_N} with Shamir secret sharing, P_i be the ith manager with the identity number ID_i, and t be the preset threshold value of Shamir secret sharing.

In our method, each manager can generate its own secret share and acquire the identity number and shares of other managers through interaction. Then, manager P_i computes the public parameter, which is executed in the elliptic curve \(E\left (\mathbb {F}_{\eta }\right)\) in the following steps:

Step 1: Manager P_i (1≤i≤N) randomly selects an integer \({d_{i}} \in \mathbb {Z}_{p} \) as the private key and then calculates its public key y as:

Step 2: Manager P_i sets up the polynomial f_i(x) of degree t−1 with f_iz as the cofficient:

where \({f_{{iz}}} \in {\mathop {\mathbb {F}}_{q}},z = 1,2, \cdots,t - 1\).

Step 3: Manager P_i calculates the secret share f_i(ID_j) of group manager P_j(j≠i) according to their identity number ID_j.

Step 4: Manager P_i calculates the parameter \({Y_{i_{j}}}\) for manager P_j:

Step 5: Meanwhile, manager P_i computes the validation parameter: α_iz=f_izQ, and then sends the public parameter: \(pp={\mathrm {\left \{y,{Y_{i_{j}}},{\alpha _{{iz}}}\right \}}}\) to the other managers. Manager P_i keeps its secret share f_i(ID_i) and public parameter \({Y_{i_{i}}}\).

Upon receiving the public parameters from the other t-1 managers, manager P_j can check the validity of f_i(ID_j) in the elliptic curve \(E\left (\mathbb {F}_{\eta }\right)\) by:

Data encryption

In our hybrid encryption method, managers encrypt user data by the AES and encrypt the key of the AES through the ECC with the message non-embeddable method [41]. Then, the data are signed with users’ private key before uploading. The efficient encryption process facilitates key distribution and management and protects the key of the AES, which provides an effective encryption solution to outsourced data. The details of the encryption process are given in Fig. 2.

The encryption process

Full size image

Let ω be a generator of multiplicative cycle group \({\mathbb {G}_{1}}, H\left (\cdot \right)\) be a hash function: \(\phantom {\dot {i}\!}{\left \{ {0,1} \right \}^{*}} \to {\mathbb {G}_{1}} \) with a bilinear pairing, and U_A be the user planning to upload its data M to the cloud.

First, user U_A generates the private key sk_A and the public key pk_A satisfying \(\phantom {\dot {i}\!}p{k_{A}} = {g^{s{k_{A}}}}\), and then sends plaintext M and the private key sk_A to manager P_i in the group. After receiving plaintext M and the private key sk_A, manager P_i verifies whether U_A is a legitimate user with the right to upload the data by:

where f_up is the uploaded file. If the above equality holds and U_A is in the user list, U_A must be a legitimate user who can upload the data. Then, manager P_i will receive data M; otherwise, manager P_i will delete data M. Next, manager P_i will encrypt data M in the following steps:

Step 1: Manager P_i selects a random number S (\({S} \in \mathbb {Z}_{p} \)) and sets up an AES key seed sk_AES;

Step 2: Manager P_i encrypts data M by the AES with sk_AES, yielding the ciphertext C_M of data M :

where Enc(·) represents the encryption function.

Step 3: Manager P_i encrypts AES key sk_AES by the ECC, yielding the ciphertext \({c_{s{k_{{AES}}}}}\) of sk_AES:

where (x₁,y₁) is the coordinates of C₁,(x₂,y₂) is the coordinates of C₂, and x₂ is the X coordinate of C₂.

Then, manager P_i will send ciphertext \({c_{s{k_{{AES}}}}}\) of sk_AES to each manager in the group, without saving the random number S and random key seeds sk_AES. Upon receiving ciphertext C_M, the manager will sign the encrypted data C_M using the private key of U_A as:

where id_M is the identity of ciphertext C_M.

Finally, manager P_i will send the ciphertext of data M with its signature \(\phantom {\dot {i}\!}{C_{M}}||{\sigma _{{C_{M}}}}\) to the cloud.

Integrity auditing

Before downloading the data, the data integrity should be verified by the auditing method. A user only needs to submit an auditing application to the TPA who will check the data integrity in the CSP through the challenge-response game and return the results to the user. To lower communication and computation cost, our method assumes that the user entrusts the TPA to perform integrity auditing through interaction with the CSP. Our integrity auditing plan is as follows, and the process is in Fig. 3.

The audit process

Full size image

Firstly, the user U_A requests auditing a certain file, and the TPA generates the challenge message through the following steps:

Step 1: The TPA randomly extracts a ciphertext subset \( L = \left \{ {{C_{{M_{1}}}},{C_{{M_{2}}}},\ldots,{C_{{M_{o}}}}} \right \}\) to serve as the numbers of data to be audited. Thereinto the set L are divided into N_U blocks \(L = \left \{ {{l_{1}},{l_{2}},\ldots,{l_{{N_{U}}}}} \right \}\), where l_i is the ith data blocks containing o_i elements. Then, the following equation can be derived:

where data blocks number i∈{1,2,…,N_U} is denoted as [1,N_U].

Step 2: The TPA randomly selects a value v_n from \({\mathbb {Z}_{p}^{*}}\) for n∈l_i and sends \(ms{g_{{chal}}} = {\left \{ {\left ({i,{v_{n}}} \right)} \right \}_{i \in [1,{N_{U}}]}}\) to the cloud as challenge messages.

Upon receiving the challenge messages, the cloud returns the proof of the outsourced data through the following steps:

Step 1: The cloud computes the tag proof β_i and the data proof γ_i of each part l_i in the following formula:

where σ_n is the signature of data block l_i satisfying

and id_n is the identity of n∈l_i.

Step 2: Then, the CSP sets \(\phantom {\dot {i}\!}\beta = \left \{ {{\beta _{1}},{\beta _{2}},\ldots,{\beta _{{N_{U}}}}} \right \}\) and \(\phantom {\dot {i}\!}\gamma = \{ {\gamma _{1}},{\gamma _{2}}, \ldots, {\gamma _{{N_{U}}}}\} \), and returns the proof msg_re={β,γ,id_n} to the TPA to see if:

If the equality holds, the TPA will output 1; otherwise, the TPA will output 0.

Step 3: Finally, the TPA sends the results to the user U_A who wants to be informed.

Data decryption

To obtain the shared data in the CSP, a user must download the data from the cloud storage. First, the user needs to file a download application to a manager. Then, the manager will verify if the user is a legitimate user with the privilege to download the data. If the user is rightful, the manager downloads the shared data. Afterward at least t managers will jointly decrypt the encrypted data, and then one of managers sends the data to the user. The verification is implemented in the following steps in Fig. 4.

The decryption process

Full size image

Let U_B be the user who wants to download data M from the cloud. The user needs to prepare the downloaded auditing file \(f_{{down}}^{s{k_{B}}}\) first and sends it to any manager as the downloaded application. Upon receiving \(f_{{down}}^{s{k_{B}}}\), the manager will execute the following formula:

where f_down denotes the downloaded file, sk_B and pk_B are the private key and the public key of user U_B, respectively. If the above equality holds and U_B is in the user list, U_B must be a legitimate user with the privilege to download the data. Then, manager P_i will file the download application to the CSP and obtain \(\phantom {\dot {i}\!}{C_{M}}||{\sigma _{{C_{M}}}}\). The \(\phantom {\dot {i}\!}{C_{M}}||{\sigma _{{C_{M}}}}\) will be split into the ciphertext C_M and signature \(\phantom {\dot {i}\!}{\sigma _{{C_{M}}}}\) by the manager, and C_M will be decrypted by t managers.

Let W={P₁,P₂,…,P_t} be t managers involved in data decryption. The details on the decryption process are given as follows:

Step 1: Upon receiving the ciphertext, manager P_i in W calculates its decryption factor \(\phantom {\dot {i}\!}{s_{i_{j}}}\) from manager P_j by its secret share with lagrange interpolation polynomial:

where \(\phantom {\dot {i}\!}{{ID_{i_{k}}}} \) and \(\phantom {\dot {i}\!}{{ID_{i_{j}}}}\) is the identity number of kth and jth managers in manager P_i, and k∈{1,2,…,t}.

Step 2: The manager P_j validates his/her decryption factor \(\phantom {\dot {i}\!}{s_{i_{j}}}\) as follows.

If the above formula holds, the decryption factor \(\phantom {\dot {i}\!}{s_{i_{j}}}\) must be true; otherwise, the decryption factor \(\phantom {\dot {i}\!}{s_{i_{j}}}\) must be false, and the application will be rejected.

Step 3: After manager P_i having received t decryption factors, manager P_i can calculate (x₂,y₂) by the ECC decryption algorithm:

The correctness of the formula is verified in the following formula (28).

Step 4: Then, manager P_i obtains the x₂, and calculates the AES key seed sk_AES by:

After getting the AES key seed sk_AES, manager P_i decrypts to obtain the plaintext M and sends the data to the user U_B.

User revocation and re-signature

The user revocation mechanism in data sharing services with the cloud has been studied in many papers [42–45]. For instance, Wang et al. [8] presented a proxy re-signature scheme that the user whose registration expires would be revoked by managers from the group, and lost the right to share, acquire or update data; all the data signed by the revoked user should be resigned by another legitimate user in the group, such that the integrity auditing of the revoked users’ data could proceed normally.

Since the data of the revoked user are stored in the cloud, its signatures can be directly recomputed by selecting a legitimate user in the group, who downloads the data signed by the revoked user to the local space. Next, the legitimate user should verify the correctness of the data, re-sign the data with its private key, and send the re-signed data back to the cloud. However, the direct download and re-signature method consumes lots of time and computing power and incurs a high communication cost, especially when a huge amount of data need to be signed and the users in the group change frequently.

It is obvious that if the cloud can obtain the private key of each user, and then the arduous task of re-signature can be completed quickly by the cloud itself. This approach eliminates the need to download data to the local space, saving the re-signature time. Nevertheless, the cloud is not completely reliable, making it dangerous to outsource the users’ private keys to the cloud. This calls for a fast and efficient re-signature method for legitimate users which can eliminate downloading the process of the cloud data. Namely, a user is revoked from the user group, the cloud as the re-signature proxy will convert a signature of the revoked user into a signature of the legitimate user on the same block, using the proxy re-signature technology, without learning any private key or data.

In view of the above, the proxy re-signature technique proposed by Wang et al. [8] is as follows. When user U_A is revoked, the cloud will cooperate with another legitimate user U_C to re-sign the data signed by the revoked user U_A. The details of the re-signature process without considering the collusion are provided in Fig. 5.

The re-signature process without considering the collusion

Full size image

Step 1: The CSP generates a random number r and sends it to the revoked user U_A.

Step 2: User U_A calculates the temporary data r/sk_A by the random number r and the private key sk_A, and then sends the data to the picked user used for re-signature.

Step 3: After receiving r/sk_A, user U_C uses its private key sk_C to calculate r·sk_C/sk_A and sends it to the CSP.

Step 4: After receiving r·sk_C/sk_A, the cloud obtains sk_C/sk_A by dividing the random number r and then calculates the new signature:

Through these steps, the signature of user U_A is changed to the new signature of user U_C.

The data are re-signed without being downloaded from the CSP, thus reducing the communication and computation cost and improving system efficiency. Nonetheless, the above process fails to consider the collusion between the CSP and the revoked users. If a revoked user reveals the sk_A to the CSP, the latter can calculate the sk_C by sk_C/sk_A, posing a threat to the data security of the user U_C.

To avoid the collusion attack between the CSP and the revoked users, we propose a new re-signature method with the manager participating in the user re-signature process. The re-signature mechanism of avoiding the collusion is followed in Fig. 6.

The re-signature process of avoiding the collusion

Full size image

Step 1: The CSP computes the temporary signature based on the information of the revoked user U_A and a random number r generated by the CSP.

Step 2: The CSP sends the temporary signature σ_temp to the user U_C, who receives the temporary signature and computes \(\phantom {\dot {i}\!}\sigma _{{~}_{{temp}}}^{s{k_{C}}}\) using the private key sk_C.

Then sends \(\phantom {\dot {i}\!}\sigma _{{~}_{{temp}}}^{s{k_{C}}}\) to manager P_i.

Step 3: Manager P_i verifies the following equation:

If the equation holds, manager sends \(\phantom {\dot {i}\!}\sigma _{{~}_{{temp}}}^{s{k_{C}}}\) to the CSP.

Step 4: The CSP receives \(\phantom {\dot {i}\!}\sigma _{{~}_{{temp}}}^{s{k_{C}}}\) and computes the new signature in the following formula:

Then, the CSP replaces \(\phantom {\dot {i}\!}{\sigma _{{C_{M}}}}\) with \(\phantom {\dot {i}\!}{\sigma _{{C_{M}}}}'\) and places the later after the data C_M.

In summary, the CSP does not obtain any information about the private key of any user, which enhances the system security and avoids the collusion attack.

Decryption correctness

This subsection mainly analyzes the correctness of the data decryption after downloading.

Conclusion 1

The AES key seed sk_AES can be decrypted with t decryption factors.

Proof

Carrying the features of Shamir secret sharing:

We have the sum of decryption factors as: □

Thus, extracting the x₂, the AES key seed can be derived as the formula (21).

Integrity auditing correctness

The audit Eq. (16) can be derived as follows:

Encryption/Decryption security

The private key f _i(0) of the system is safe

The private key f_i(0) of the system is created implicitly during the generation of the system public key y. When t managers hand out their secret shares, f_i(0) can be calculated:

Both attackers cannot get f_i(0) from the public key of the system. Because of the DL problem is very difficult to solve on the elliptic curve, it is not feasible for attackers to get the private key f_i(0) of managers from the public key of the system y=f_i(0)Q=d_iQ.

Similarly, the attackers cannot deduce the secret share f_i(ID_j) of each manager even if they have obtained the public information \({Y_{i_{j}}} = f_{i}\left ({ID_{j}} \right)Q\bmod q\). In other words, the attackers cannot derive f_i(0) from the secret share f_i(ID_j).

The false interaction information between managers can be found

1. (1)

   During the public key generation, manager P_i can verify f_i(ID_j) sent by manager P_j

   Proof

   Since \({f_{i}}\left (ID_{j}\right) = {d_{i}} + {f_{i1}}ID_{j} + \ldots + {f_{i(t - 1)}}ID_{j}^{t - 1}\), the following can be derived:

   $$ \begin{aligned} \qquad &{f_{i}}(ID_j)Q \\ =& \left({d_{i}} + {f_{i1}}ID_{j} + \ldots + {f_{i(t - 1)}}ID_{j}^{t - 1}\right)Q \\ =& {d_{i}}Q + {f_{i1}}ID_jQ + \ldots + {f_{i(t - 1)}}ID_{j}^{t - 1}Q \end{aligned} $$

   (31)

   Since α_iz=f_izQ, we have:

   $$ \begin{aligned} \qquad &{f_{i}}\left(ID_{j}\right)Q \\ =& {d_{i}}Q + {\alpha_{i1}}ID_{j} + \ldots + {\alpha_{i(t - 1)}}ID_{j}^{t - 1} \\ =& {d_{i}}Q + \sum\limits_{z = 1}^{t - 1} {{{\left({ID_{j}} \right)}^{z}}{\alpha_{{iz}}}} \\ =&y + \sum\limits_{z = 1}^{t - 1} {{{\left({ID_{j}} \right)}^{z}}{\alpha_{{iz}}}} \end{aligned} $$

   (32)

   therefore, the formula (4) is correct and can be verified. □

2. (2)

   During data decryption, no manager is cheated.

   Proof

   Owing to the formula (18), we gain the following:

   $$ {s_{i_{j}}}Q = {C_{1}}{{f_{i}}\left({ID_{j}} \right)\prod\limits_{1 \le k \le t,k \ne j} {\frac{{{-{ID_{i_{k}}}}}}{ {{ID_{i_{j}}}}-{{{ID_{i_{k}}}}}}\, {\mkern 1mu}} }Q $$

   (33)

   Due to the formula (3), we can get the formula (19).

   As shown in formula (19), each manager in the set W can verify the decryption factor \({s_{i_{j}}}\) with the public information, and any false decryption factor will be identified because the formula (19) does not hold, ensuring that no manager is cheated. □

3. (3)

   It is not feasible for the attacker to acquire the ciphertext \(\phantom {\dot {i}\!}{c_{s{k_{{AES}}}}} = \left ({{C_{1}},{c_{1}}} \right)\)

As mentioned before, the DL problem is very difficult to solve on the elliptic curve. Thus, it is impossible to calculate the random number S from the formula C₁=SQ. The lack of the random number fails the calculation of x₂ from (x₂,y₂)=Sy. Therefore, even if the attacker can intercept the ciphertext \({c_{s{k_{{AES}}}}} = \left ({{C_{1}},{c_{1}}} \right)\), it is impossible for him/her to obtain the AES key seed \(s{k_{{AES}}} = {x_{2}^{- 1}}{c_{1}}\). If a user in the group as an attacker obtains the \(s{k_{{AES}}} = {x_{2}^{- 1}}{c_{1}}\) and the plaintext M, it is impossible to send the forged ciphertext because of the ciphertext signature and verification.

In this section, we compare the communication and computation cost with the state of the art using numerical results. Further, we implemented the performances analysis through simulations.

Communication cost

As mentioned in “Construction of the scheme” section, the communication cost of our scheme is analyzed and compared in the following five phases. In the key generation phase, manager P_i sends the public parameter to other group managers, producing a communication cost of O(1). In the encryption phase, manager P_i sends the ciphertext \(\phantom {\dot {i}\!}{c_{s{k_{{AES}}}}}\) of sk_AES to each manager or sends the ciphertext data with their signatures to the cloud, which brings in O(1) communication cost. In the integrity auditing phase, the TPA launches a challenge to the CSP, generating O(N_U) communication cost with the number of challenging blocks N_U. Then, the CSP returns the proof to the TPA, which costs O(1) communication cost. In the decryption phase, the communication cost between user and manager or manager and the CSP costs O(1). In the user revocation and re-signature phase, it costs O(1) communication cost to re-signature. To sum up, the total communication cost is O(N_U).

Finally, we also compare the communication cost with several the prior compared work. Note that R is the number of users, |m| is the size of an element of ℤ_q,|h| is the bit number of a block, K is the number of the elements. As shown in Table 3, the communication cost of our scheme is the same as [4], and is less than [8, 31], and [36], which realizes high performance and is more efficient than the schemes of [8, 31], and [36].

Computation cost

Succinctly, we define modular exponentiation as \(\phantom {\dot {i}\!}{\mathrm {Exp_{G_{1}}}}\), point multiplication as \(\phantom {\dot {i}\!}{\mathrm {Mul_{G_{1}}}}\), and pairing operation as Pair. Compared with \(\phantom {\dot {i}\!}{\mathrm {Exp_{G_{1}}}}, {\mathrm {Mul_{G_{1}}}}\), and Pair, the computation cost of hash operation is ignored [4].

In the key generation phase, the computation cost is \(\phantom {\dot {i}\!}(t+3){\mathrm {Mul_{G_{1}}}}+(t-2){\mathrm {Exp_{G_{1}}}}\), which includes the secret sharing and the public key generation. The computation cost of the encryption phase is \(\phantom {\dot {i}\!}{\text {Pair}}+4\mathrm {Mul_{G_{1}}}+2{\mathrm {Exp_{G_{1}}}}\). In the integrity auditing process, the computation cost is \(\phantom {\dot {i}\!}{N_{U}}{\mathrm {Exp_{G_{1}}}}+(N_{U}-1){\mathrm {Mul_{G_{1}}}}\) for the tag proof generation, and \(\phantom {\dot {i}\!}{N_{U}}{\mathrm {Mul_{G_{1}}}}\) for the data proof generation. After the cloud returns the proof to the TPA, whose verified cost is \(\phantom {\dot {i}\!}(3{N_{U}} - 2)Mu{l_{{G_{1}}}}+{N_{U}}{\text {Pair}}\). For the decryption phase, the cost is \(\phantom {\dot {i}\!}(t^{2}+2t+2){\mathrm {Mul_{G_{1}}}}\). In the user revocation and re-signature stage, the cost of the CSP is \(\phantom {\dot {i}\!}{\mathrm {2Mul_{G_{1}}}}+4{\mathrm {Exp_{G_{1}}}}\), and manager’s cost is 2Pair.

Table 4 compares the computation cost of our scheme with the contrastive schemes. It can be seen that our scheme is more pair operation and less \(\phantom {\dot {i}\!}2({N_{U}}-1){\mathrm {Exp_{G_{1}}}}+({N_{U}}-4){\mathrm {Mul_{G_{1}}}}\) in the pre-processing, which is obviously underlying the scheme [4] for N_U relatively large case. In the proof generation, ours is the same as [4] and is better than [36]. Because [36] is more \(\phantom {\dot {i}\!}(K + (R - 1){N_{U}}){\mathrm {Exp_{G_{1}}}}+ ((R - 2){N_{U}} + 1){\mathrm {Mul_{G_{1}}}} + {N_{U}}K{\text {Mu}}{{\mathrm {l}}_{\Bbb Z}}_{_{p}} + K{\text {Has}}{{\mathrm {h}}_{\Bbb Z}}_{_{p}}\) computation cost than ours.

Experiment analysis

To evaluate the efficiency of our scheme, our experiments are implemented in Intel(R) Core(TM) i3-8100 CPU @ 3.60GHz, RAM 4GB with Win10 Operation System, utilizing the Eclipse platform with Java programming language and Java Pairing Based Cryptography (JPBC) to realize the cryptography operations for the AES, the ECC, and Shamir secret sharing, and using the SQLite lightweight database to simulate the cloud storage with the security level of 80 bits. In the following, we compare the communication cost of our scheme with [8, 31], and [36]. We simulate the running time of each phase including the key generation phase with the number of managers increasing and the cloud proof phase and the TPA verify phase with the number of blocks increasing for our scheme. Finally, we compare the re-signature time of our scheme with [8].

In the communication cost comparison process, Figs. 7 and 8 compare the communication cost of our scheme with contrastive schemes [8, 31], and [36] following the changes of the number of challenging blocks and the number of users, respectively. Thereinto, the number of challenging blocks is {10, 20, 30, ⋯, 100 } separately, the bit number of a block |h| is 100 with K as 1, and |m| is 160 bit. When analyzing the number of users on the influence of communication cost, we change the number of users for {10, 20, 30, ⋯, 100 }, taking |N_U| as 10, |h| as 100, |m| as 160, and K as 100. As shown in Fig. 7, as the number of challenged blocks grows, the communication cost increases continually, and our scheme is smaller communication cost than other comparative schemes. From Fig. 8, it can be seen that our scheme and [31] remain unchanged, but [8, 36] significantly change with the number of users increasing.

The communication cost comparison under the number of challenging blocks

Full size image

The communication cost comparison under the number of users

Full size image

In Fig. 9, we plot the running time of each phase for our scheme. In the key generation phase, we choose the sampling value {10, 20, 30, ⋯, 100 } of the number N of the managers and set the threshold value t=0.8∗N to experiment. Focusing on the integrity auditing phase, we set 1024 bytes as a block and the block numbers are {50, 100, 150, ⋯, 500 }. The cloud proof process in formula (13), (14), (15) and the TPA verify process in formula (16) are experimented, respectively. Thereinto, we plot the key generation time for the blue line, which are controlled by the blue x axis (the top x axis) with the increase of the number of managers and the blue y axis (the right y axis) with the increase of time. We plot the cloud proof time and the TPA verify time as the increase of the number of blocks with the bottom x axis and the left y axis. As shown in Fig. 9, as the number of managers grows, the running time increases continually for the key generation phase, and as the number of blocks increases, the running time also augments constantly for the cloud proof phase and the TPA verify phase. But it can be seen that the phase running time is short obviously, owning to its unit is microseconds, so our method is run quickly and more efficient.

The phase running time of our scheme

Full size image

In the re-signature process, we also adopt the sampled method to obtain the re-signature time of the block numbers {0, 50, 100, ⋯, 350 }. As shown in Fig. 10, as the number of re-signature blocks grows, the re-signature time increases constantly for our scheme and comparative scheme [8]. But it is obvious that our scheme consumes less than [8] with linear growth of re-signature blocks. When the number of the re-signature reaches 350, our scheme saves more than 20 seconds.

The re-signature time with the number of re-signature blocks

Full size image

This paper combines the AES and the ECC with Shamir secret sharing into a novel hybrid encryption method without trusted center, which is suitable for integrity auditing of cloud computing and collaborative learning of machine learning. The hybrid approach not only facilitates key distribution and management but also improves the encryption speed and efficiency of shared data. By our method, the uploaded data are encrypted to avoid privacy leakage and security attacks, the downloaded data are audited to keep the data integrity, and the re-signature is against the revoked user from learning any private key or data information. In addition, even if a manager fails to participate in decryption, the other managers can work together to restore the data when the number of participating managers exceeds a preset threshold. This feature ensures the high robustness of the system. The correctness and security of our method are verified through detailed analysis. Moreover, we evaluate the performance and efficiency of our method, and the results show that our scheme is correct, security, and efficient.

Data sharing not applicable to this paper as no datasets were generated or analyzed during the current study.

CSPs:

Cloud server providers

AES:

Advanced encryption standard

ECC:

Elliptic curve cryptography

AI:

Artificial intelligence

IoT:

Internet of things

IIoT:

Industrial Internet of things

PKI:

Public key infrastructure

TPA:

The third-party auditor

ID-DPDP:

Identity-based distributed provable data possession

DL:

Discrete logarithm

JPBC:

Java pairing based cryptography

The authors would like to thank the editor and the anonymous reviewers who have helped to improve the paper.

This research was funded by the National Natural Science Foundation of China under Grant Nos. U19B2021, 61972457, the National Cryptography Development Fund under Grant No. MMJJ20180111, Science & Technology Plan Projects of Henan Province Nos. 212102210084, 192102210295, Key Research and Development Program of Shaanxi under Grant No. 2020ZDLGY08-04, the Innovation Scientists and Technicians Troop Construction Projects of Henan Province.

Authors and Affiliations

1. State Key Laboratory of Integrated Service Networks, Xidian University, Taibai South Road, Xi’an, China

   Yange Chen & Baocang Wang

2. School of Information Engineering, Xuchang University, Bayi Road, Xuchang, China

   Yange Chen, Baocang Wang, Yuan Ping & Zhili Zhang

3. Chongqing College of Electronic Engineering, university chengdong road, Chongqing, China

   Hequn Liu

4. Key Laboratory of Intelligent Perception and Image understanding of Ministry of Education, International Research Center for Intelligent Perception and Computation, Xidian University, Taibai South Road, Xi’an, China

   Baljinnyam Sonompil

Contributions

All authors contributed to the study conception and design. Conceptualization was performed by Baocang Wang, Hequn Liu, and Yange Chen. The first draft of the manuscript was written by Yange Chen and Hequn Liu, Language was revised by Baljinnyam Sonompil, and all authors commented on previous versions of the manuscript. All author(s) read and approved the final manuscript.

Corresponding author

Correspondence to Baocang Wang.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions