Decentralized and Privacy-Preserving Public Auditing For Cloud Storage Based On Blockchain

Received July 1, 2020, accepted July 24, 2020, date of publication July 30, 2020, date of current version August 11, 2020.


Digital Object Identifier 10.1109/ACCESS.2020.3013153

Decentralized and Privacy-Preserving Public Auditing for Cloud Storage Based on Blockchain

YING MIAO1, QIONG HUANG1,2, MEIYAN XIAO1, AND HONGBO LI1

1 College of Mathematics and Informatics, South China Agricultural University, Guangzhou 510642, China
2 Guangzhou Key Laboratory of Intelligent Agriculture, Guangzhou 510642, China

Corresponding author: Qiong Huang (qhuang@scau.edu.cn)


This work was supported in part by the National Natural Science Foundation of China under Grant 61872152, in part by the Major
Program of Guangdong Basic and Applied Research under Grant 2019B030302008, and in part by the Science and Technology Program of
Guangzhou under Grant 201902010081.

ABSTRACT Cloud storage systems provide a flexible, convenient and friendly way for users to outsource
data. However, users lose control of their data once outsourcing them to the cloud. Public auditing was
introduced to ensure data integrity, in which a third-party auditor (TPA) is delegated to execute auditing
tasks. In general, TPA generates and sends challenge information to the cloud server (CS), which proves
data possession accordingly. However, the TPA may not perform public auditing protocol honestly or may
even collude with CS to deceive users. Some existing public auditing schemes utilize blockchain to resist
against the malicious TPA. However, the CS may guess the challenge messages and there is a risk that
users’ information may be leaked to the TPA during the process of auditing. In this paper, we propose
a decentralized and privacy-preserving public auditing scheme based on blockchain (DBPA), in which a
blockchain is utilized as an unpredictable source for the generation of (random) challenge information,
and the auditor is required to record the audit process onto the blockchain. Due to the characteristics of
blockchain, users can check the audit results publicly. Moreover, zero-knowledge proof is used in DBPA to
protect user’s privacy during the audit process so that the response information returned by the CS does not
leak information about user’s data. Security analysis and performance evaluation show that DBPA is secure
and efficient.

INDEX TERMS Decentralization, privacy preserving, public auditing, cloud storage, blockchain.

I. INTRODUCTION

As valuable resources, data are generated in various ways whenever and wherever. Massive data in local storage cause a series of difficulties in management. To reduce the heavy burden of data storage and maintenance in local storage, many users choose to outsource their data to the cloud [1]. As an excellent tool, the cloud brings tremendous benefits and convenience to our life. At the same time, concerns about data security emerge [2]–[4]. After outsourcing to the cloud, users lose control of their data, and data on the cloud may not be secure and may suffer from various attacks [5], [6]. On one hand, the cloud server (CS) may behave illegally on the outsourced data, e.g. retrieve or steal user data to make profit. On the other hand, the CS might corrupt or delete user data to save storage space and reduce maintenance expense. Thus, data confidentiality, integrity and availability are violated. Furthermore, the cloud may suffer from a single point of failure when hardware fails. Unfortunately, the CS may try to hide data accidents in order to maintain its good reputation. According to [7], the most critical threats to cloud storage are data integrity and privacy leakage. In recent years, a series of cloud storage security incidents have drawn high attention from the public.¹ Take the Under Armour data breach as an example. Their health and fitness tracking app ''MyFitnessPal'' was attacked by hackers, affecting about 150 million users at the end of February 2018. The leaked information includes usernames, email addresses, passwords, etc. Therefore, it is of great importance to guarantee the integrity and privacy of cloud data.

In recent years, many works on cloud data integrity and privacy protection have been reported. Firstly, a bunch of public verification schemes have been proposed in order to improve the integrity of cloud data [8]–[17]. Public

The associate editor coordinating the review of this manuscript and approving it for publication was Junggab Son.

¹ https://blog.360totalsecurity.com/en/2018-cybersecurity-report/

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 8, 2020 139813
Y. Miao et al.: Decentralized and Privacy-Preserving Public Auditing for Cloud Storage Based on Blockchain

verification enables a user or a delegated TPA to check the data integrity [18]. An auditor usually checks the data on schedule, and informs the user of a data exception if the check fails. Secondly, as a third party, the auditor should not learn extra information about user data, in order to protect their privacy. Thus, many privacy-preserving public auditing schemes have been proposed, such as [19]–[22]. Meanwhile, with the development of blockchain technology and its advantages in decentralization, trustless consensus, tamper proofing and traceability, many researchers have studied decentralized public auditing schemes against a malicious auditor. A series of works can be found in [23]–[28].

In most public verification schemes, the auditor is generally assumed to be honest and reliable. However, this is a strong assumption, as the auditor may not be as reliable as expected, i.e. it may be compromised and collude with the CS to hide data corruption incidents. Few recent works take a malicious auditor into consideration. In addition, most recent schemes secure against a malicious auditor are based on a centralized and trustworthy third party [29]–[31]. Blockchain-based public auditing schemes provide a good solution to the problem of resisting a malicious auditor. But the consensus mechanism brings some concerns as well, since a malicious cloud server could make use of public messages to infer auditing information before the auditor sends challenge messages. Recent works do not consider this issue. In this work we try to solve the problem that the cloud server may guess challenge messages ahead of time in decentralized public auditing schemes, and in the meanwhile, to guarantee that the TPA does not learn extra information about user data, for the sake of privacy protection.

A. RELATED WORK

1) BLOCKCHAIN

Blockchain is increasingly recognized as an outstanding tool in designing decentralized protocols. The concept traces back to the original whitepaper of Nakamoto [32] published in 2008, in which he applied blockchain as the core component of the famous cryptocurrency named Bitcoin. Roughly, a blockchain is a distributed database that is maintained by multiple nodes and grows a list of ordered records in the shape of blocks without requiring trust among nodes [33]. There are many mature blockchain systems, such as Ethereum [34] and Litecoin [35].

As a decentralized system, blockchain adopts a decentralized consensus mechanism without a third-party trusted authority. There are four major consensus mechanisms [36]: Proof of Work (PoW), Proof of Stake (PoS), Practical Byzantine Fault Tolerance (PBFT) and Delegated Proof of Stake (DPoS). The two popular cryptocurrencies, Bitcoin and Ethereum, use the PoW mechanism, which aims to prove the credibility of data by solving puzzles that are computationally hard to solve but easy to verify. A blockchain system includes miners whose task is to compute a nonce satisfying the following relation:

$$\mathrm{SHA256}(\mathrm{PrevBlockHash}\,\|\,\mathrm{Nonce}\,\|\,tx_1\,\|\,tx_2\,\|\cdots\|\,tx_n) < \mathrm{target}, \qquad (1)$$

where the target can be adjusted to change the difficulty of PoW puzzles.

Blockchain systems can be classified into three types: public blockchain, consortium blockchain and private blockchain [37], according to the managed data, availability of data and actions performed by a user. A private blockchain is authorized by an owner, while a consortium blockchain is authorized by a consortium organization in which all participants do not necessarily trust each other. A public blockchain has no threshold for users, and anyone can join or leave the blockchain without getting permission from centralized or distributed authorities. Furthermore, different blockchains have their advantages in different applications. A private blockchain is faster, and a public blockchain is more open and transparent. In general, blockchain has its characteristics and advantages in decentralization and anonymity, non-modifiability and unforgeability, and traceability and irreversibility [38]. Blockchain has been successfully applied in various areas, such as electronic medical records [39], public auditing [27], energy tracing [40] and decentralized supply chain management [41].

2) PUBLIC VERIFICATION

In order to ensure the integrity of data stored on an untrusted cloud server, Juels et al. [8] proposed the notion of Proof of Retrievability (POR), which relies on indistinguishable blocks as sentinels to detect data corruption. However, their scheme does not support a dynamic number of POR queries, nor does it consider the public auditing model. Ateniese et al. [9] first proposed the Provable Data Possession (PDP) model, which utilizes homomorphically verifiable tags and a kind of challenge-response protocol. However, they did not provide a security proof of their protocol in the paper. Following the work on POR and PDP, many extended public auditing schemes have been proposed to cater to different requirements, such as [10], [11], [11], [20]. However, these schemes are mainly based on public key infrastructure (PKI). Due to the limitation of communication resources and the large amount of data, an auditor is delegated to audit the integrity of outsourced data. Key management, including revocation, storage, distribution and verification, is cumbersome and costly in PKI-based auditing systems.

To avoid the heavy computation and communication cost of managing certificates in public auditing schemes, Zhao et al. [21] proposed the first identity-based public auditing (IBPA) scheme. After that, a series of IBPA schemes were proposed, such as [14], [15], [22], [31], [42]. These schemes assume the existence of a fully trusted TPA, which is somewhat strong. If the auditor is dishonest or even malicious, it may collude with the cloud server to cover data loss and


may not perform the auditing honestly, which could not be detected by users.

3) DECENTRALIZED PUBLIC AUDITING

How to improve the credibility of the TPA is increasingly attracting attention in recent works [43]. Especially, thanks to its outstanding properties of decentralization, openness and non-modifiability, blockchain technology provides a good solution to the aforementioned problems [44], [45]. In 2014, Armknecht et al. [23] first proposed a public verification scheme secure against a malicious auditor, which uses the Bitcoin blockchain as a secure source of time-dependent pseudorandomness and uses the hash of the latest block, based on the time $t$ and security parameters, to generate challenge messages. Owing to the unique and unpredictable bits extracted from Bitcoin blocks, Armknecht's scheme avoids generating biased challenge messages to deceive the user. However, a new block is generated every 10 minutes on average in Bitcoin, and the cloud server may know the challenge information ahead of time.

Following the work of Armknecht et al., a series of decentralized public auditing schemes secure against a malicious auditor were proposed. To name a few, Zhang et al. [24] proposed an identity-based public integrity-verification scheme which uses the latest Bitcoin block hash based on the time $t$ to generate challenge messages. Besides, Zhang et al. did not take user privacy into consideration. Afterwards, Zhang et al. [25] proposed another public verification scheme. The new scheme adopts a random masking technique to hide the linear relationship between proof information and data blocks, which resists external adversaries and protects the privacy information of users. In order to solve this problem, Zhang et al. [26] proposed a blockchain-based public integrity verification scheme which uses a series of successive Ethereum block hashes based on the timestamp $t$, instead of the latest block hash, to generate challenge messages. Their core technique has been applied in another scheme [46] which aims to add an accurate time-stamp to outsourced data. However, Zhang et al.'s scheme [26] does not take the protection of user privacy into consideration either. Xue et al. [27] proposed an identity-based public auditing scheme which uses the latest Bitcoin block nonce to generate challenge messages. Their scheme prevents a malicious auditor from generating specified challenge messages. Yu et al. [28] proposed a decentralized data auditing scheme which uses a series of successive blocks in a consortium blockchain to generate challenge messages. Their scheme could prevent a malicious auditor from colluding with the cloud server to generate some specified challenge messages and thus deceiving users. However, the block numbers used in the consortium blockchain are controlled by the auditor, which means the challenge messages are still controlled by the auditor to some extent.

All the schemes above make use of the blockchain as the pseudorandom seed to generate challenge messages. However, they failed to consider the issue of challenge message guessing attacks launched by the cloud server. According to the PoW mechanism, a new block is generated every 10 minutes on average, which gives the cloud server a chance to guess the challenge messages ahead of time and to prepare for covering data loss during that period.

B. OUR CONTRIBUTIONS

In this paper, we propose a decentralized public auditing solution targeting specifically security against challenge message guessing attacks and privacy protection for users during the process of auditing. Our contributions in the paper can be summarized as follows.

• We propose a decentralized privacy-preserving public data integrity auditing scheme based on blockchain, named DBPA, in which the challenge message is generated based on the latest successive block hashes and a random seed chosen by the TPA. Therefore, a malicious cloud server is unable to guess the challenge message ahead of time any more.

• We utilize zero-knowledge proof (ZKP) to protect user privacy in DBPA. Concretely, instead of returning the aggregated tag (computed according to the challenge message), the cloud server returns a blinded version of the tag and provides a ZKP to show the correctness of the tag. If the proof passes the verification, the TPA learns nothing else but the correctness of user data. Thus, privacy of user data is guaranteed.

• Our DBPA scheme employs the PoW consensus mechanism and utilizes blockchain to record the audit results, which is public, decentralized and unforgeable. Any malicious behaviors and incorrect results can be easily detected. Therefore, the audit results can be trusted.

• We show that our DBPA scheme is secure in the random oracle model based on the intractability of the Computational Diffie-Hellman problem and the Discrete Logarithm problem. Experimental results show that our scheme is efficient and performs well.

C. ORGANISATION

The remainder of the paper is organized as follows. We introduce the preliminaries and definitions in Sections II and III, respectively. In Section IV, we describe the construction of our DBPA scheme. Then, we analyze the security of our scheme in Section V. We provide a performance evaluation of our scheme in Section VI. Finally, we summarize the work in Section VII.

II. PRELIMINARIES

A. BASIC TOOLS AND HARD PROBLEMS

1) BILINEAR MAPS

Let $G_1$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of $G_1$. Let $e : G_1 \times G_1 \to G_T$ be a bilinear map with the following properties: (1) Bilinearity: for all $U, V \in G_1$ and $a, b \in \mathbb{Z}_p$, $e(U^a, V^b) = e(U, V)^{ab}$; (2) Computability: for any


$U, V \in G_1$, $e(U, V)$ can be efficiently computed; and (3) Non-degeneracy: $e(g, g) \neq 1_T$, where $1_T$ is the identity element of $G_T$.

2) DISCRETE LOGARITHM (DL) ASSUMPTION

Given $g, g^a \in G_1$ as input, where $a$ is a random element of $\mathbb{Z}_p$, there is no probabilistic polynomial-time (PPT) adversary $\mathcal{A}_{DL}$ which could output $a$ with non-negligible probability. We denote it as

$$\Pr[\mathcal{A}_{DL}(g, g^a) = a : g \leftarrow G_1, a \leftarrow \mathbb{Z}_p] \le \epsilon,$$

where $\epsilon$ is a negligible function.

3) COMPUTATIONAL DIFFIE-HELLMAN (CDH) ASSUMPTION

Given $g, g^a, g^b \in G_1$, where $a, b$ are randomly chosen from $\mathbb{Z}_p$, no PPT adversary could calculate $g^{ab}$ with non-negligible probability. We denote it as

$$\Pr[\mathcal{A}_{CDH}(g, g^a, g^b) = g^{ab} : g \leftarrow G_1, a, b \leftarrow \mathbb{Z}_p] \le \epsilon.$$

B. BLOCKCHAIN STRUCTURE

Figure 1 shows the structure of a blockchain [34]. Each block contains a hash pointer that points to its previous block. BlockHash denotes the hash value of the current block. PrevBlockHash denotes the hash value of the previous block. Nonce denotes the solution to the PoW puzzle shown in Eq. (1). Timestamp denotes the generation time of the block. Tx denotes a transaction, and all the transactions are authenticated by a Merkle tree root (denoted by MerkleRoot). A transaction contains a payer's account address, a payee's account address, data and the payer's signature.

FIGURE 1. Data structure of blockchain.

It is commonly believed that BlockHash is random and unpredictable. In our scheme, a series of successive BlockHash values, e.g. $\{Bl_{t-\varphi+1}, Bl_{t-\varphi+2}, \cdots, Bl_t\}$, are used to generate an unpredictable challenge message, where $\varphi$ is the number of blocks used to confirm a transaction. For instance, we set $\varphi = 6$ in Bitcoin, and set $\varphi = 12$ in Ethereum. In addition, $t$ denotes the agreed verification time, and $Bl_t$ denotes the hash of the latest block generated at or before time $t$, since the latest block may not appear exactly at time $t$.

III. DECENTRALIZED AND PRIVACY-PRESERVING PUBLIC AUDITING SCHEME

A. SYSTEM MODEL

Figure 2 shows the architecture of our decentralized and privacy-preserving public auditing scheme based on blockchain. In the scheme, there are four different entities, i.e., key generation center (KGC), cloud server (CS), data user (U) and a third-party auditor (TPA).

• Key generation center is an authority, whose task is to generate system parameters and partial private keys for users according to their identity.

• Cloud server provides cloud storage services. It not only has enough storage space, but also possesses a large amount of computing power.

• Data user is the data owner, who outsources data to the cloud and delegates the TPA to check the data integrity. He checks the auditor's behavior via the blockchain.

• Third-party auditor checks the data integrity periodically and detects whether there is any data corruption. The TPA uploads the verification results to the blockchain after verifying the proof information from the CS.

FIGURE 2. System model of DBPA.

The DBPA system works as follows. Firstly, U outsources his data to the cloud, and delegates a TPA to help him execute the auditing tasks. After receiving a delegation, the TPA utilizes the latest public blockchain information to generate a challenge message and sends it to the CS, which then generates a proof accordingly to confirm the data possession. If the proof from the CS passes the verification, the TPA generates a log file to record the audit result, and uploads the file to the blockchain. Finally, U checks the auditing results according to the log file on the blockchain.

B. DEFINITION

DBPA consists of six algorithms, Setup, Extract, Store, Audit, LogGen and CheckLog, defined as below.


Setup is run by the KGC to generate a master secret key $\alpha$ and public parameters which are used in the following algorithms.

Extract is run by the KGC to generate the secret key of a user according to its identity $ID_U$.

Store is run by U to outsource its data to the CS. The user needs to generate verification tags that enable a TPA to check the data integrity. Furthermore, the CS needs to confirm that the data is uploaded correctly.

Audit is run between the TPA and the CS to check the data integrity. It consists of three sub-algorithms, including challenge generation (ChalGen), proof generation (ProGen) and proof verification (ProVer).

LogGen is run by the TPA to generate a log file to record the auditing result. The log file will be uploaded to the blockchain.

CheckLog is run by the user to audit the TPA's behavior by checking the validity of the auditing records stored in the log file on the blockchain.

C. SECURITY THREATS

We consider threats from two entities, i.e. the cloud server and the TPA.

• Semi-trusted cloud server. The CS is assumed to be semi-trusted. It may be dishonest and hide an incident of data corruption by forging a proof to deceive the TPA. It may also try to predict the challenge message ahead of the audit.

• Misbehaving third-party auditor. The TPA is assumed to be semi-trusted. It will fulfill its obligation of data audit for users, but may try to infer information about user data from the response information returned by the CS.

We also consider the case in which the CS and the TPA collude to generate false audit results to deceive the data user.

D. DESIGN GOALS

In this paper we target to design a secure and privacy-preserving public auditing scheme for cloud data storage. Namely, our scheme should achieve the following goals.

Authenticity. Data corruption can be detected with overwhelming probability. That is, the CS cannot pass the auditing if there is any data loss or modification. We follow the model in [13], [47], and consider the following game in which the data owner is viewed as a challenger $\mathcal{C}$ and the CS is viewed as an adversary $\mathcal{A}$.

1) Setup phase. $\mathcal{C}$ generates the master secret key and system public parameters $pp$, and sends $pp$ to $\mathcal{A}$.

2) Query phase. $\mathcal{A}$ makes the following queries to $\mathcal{C}$.

a) Extract Queries: $\mathcal{A}$ queries for the private key of the user with identity $ID_U$. $\mathcal{C}$ runs the Extract algorithm to generate the private key $sk_U$, and returns it to $\mathcal{A}$.

b) Store Queries: $\mathcal{A}$ queries for the tags of a file $M$ of a user $ID_U$. $\mathcal{C}$ uses the private key $sk_U$ to run the Store algorithm to generate file tags, and returns the tags to $\mathcal{A}$.

3) Challenge phase. In this phase, $\mathcal{A}$ submits an identity $ID_U$ which has not appeared in extract queries before. $\mathcal{C}$ generates a challenge message $chal$ to $\mathcal{A}$, which refers to at least one data block whose tag has not been given to $\mathcal{A}$.

4) Forgery phase. $\mathcal{A}$ generates a data possession proof $\mathit{proof}$ for the data blocks indicated by $chal$. If $\mathit{proof}$ can pass the verification with non-negligible probability, we say that the adversary $\mathcal{A}$ succeeds in the game.

The security model above indicates that, if the cloud server does not keep all the data blocks challenged by $\mathcal{C}$, it is unable to generate a valid proof $\mathit{proof}$ to pass the verification.

1) DECENTRALIZED CHALLENGE MESSAGE GENERATION

In order to prohibit a misbehaving auditor from colluding with the CS and generating an audit result ahead of schedule, the challenge message should not depend solely on either the user or the auditor. Furthermore, the auditor should provide incontrovertible evidence which cannot be pre-defined or predicted but can be checked and verified publicly.

2) PRIVACY PRESERVATION

Except for the verification result of the data audit, the TPA should be unable to infer any other information about user data from the proofs collected during the auditing process.

3) TRACEABILITY

In order to ensure the correctness and integrity of the outsourced data, the audit process should be traceable so that any malicious behavior of the TPA can be detected.

IV. OUR DBPA SCHEME

In this section, we describe our DBPA scheme, which utilizes a blockchain. Assume that a user U has an identity $ID_U$ and that $\varphi$ new blocks are needed to confirm a transaction in the blockchain (see Section II-B). Our scheme works as below.

A. SETUP

Given security parameter $1^\ell$, the KGC generates system parameters as follows:

• choose a bilinear map $e : G_1 \times G_1 \to G_T$, where $G_1$ and $G_T$ are multiplicative groups with the same prime order $p$, and $g$ is the generator of $G_1$;

• choose a random $\alpha \in \mathbb{Z}_p$ as the master key and set $P_M = g^{\alpha}$;

• choose a pseudorandom function $\pi_1 : K_1 \times [1, n] \to [1, n]$, and a pseudorandom permutation $\pi_2 : K_2 \times [1, n] \to \mathbb{Z}_p$, where $n$ is the (maximal) number of file blocks, $[1, n]$ is the set $\{1, 2, \cdots, n\}$, and $K_1, K_2$ are the key spaces of $\pi_1$ and $\pi_2$, respectively;


• choose cryptographic hash functions $H : \{0, 1\}^* \to \mathbb{Z}_p$, $H_i : \{0, 1\}^* \to G_1$ for $i = 1$ to $4$, $h_1 : \{0, 1\}^* \to K_1$, and $h_2 : \{0, 1\}^* \to K_2$;

• output the system public parameter $pp = \{G_1, G_T, e, g, P_M, \varphi, H, H_1 \sim H_4, h_1(\cdot), h_2(\cdot), \pi_1, \pi_2\}$, and keep $\alpha$ secret.

B. EXTRACT

The KGC generates the private key for U as follows:

• compute $Q_{U,0} = H_1(ID_U, 0)$ and $Q_{U,1} = H_1(ID_U, 1)$;

• compute $D_{U,0} = Q_{U,0}^{\alpha}$ and $D_{U,1} = Q_{U,1}^{\alpha}$.

The KGC sends $D_{U,0}, D_{U,1}$ to U, which checks if

$$e(D_{U,0}, g) = e(Q_{U,0}, P_M) \quad\text{and}\quad e(D_{U,1}, g) = e(Q_{U,1}, P_M)$$

hold. If not, U rejects; otherwise, it chooses a random $x_u \in \mathbb{Z}_p$ and computes $PK_U = g^{x_u}$. The private key of U is $sk_U = \{x_u, D_{U,0}, D_{U,1}\}$, and the public key is $\{PK_U, ID_U\}$.

C. STORE

U divides its data file $M$ into $n$ blocks, i.e. $M = \{m_i\}_{1 \le i \le n}$, randomly chooses an element $name \in \mathbb{Z}_p$ for file naming and a one-time number $r_1 \in \mathbb{Z}_p$, and computes $\tau = H(name\,\|\,n\,\|\,r_1\,\|\,PK_U)$. U then generates file tags as follows:

• randomly choose $r_2 \in \mathbb{Z}_p$, and compute $R = g^{r_2}$, $V = H_3(r_1)$ and $W = H_4(r_1)$;

• for each $i \in [1, n]$, compute $T_i = H_2(i\,\|\,\tau\,\|\,R)$, and
$$S_i = (D_{U,0} \cdot V^{x_u})^{m_i} \cdot (D_{U,1} \cdot W^{x_u})^{H(i\|\tau\|R)} \cdot T_i^{r_2},$$
where $S_i$ is the file tag for data block $m_i$;

• upload $F = \{M, \{S_i\}_{i=1}^{n}, R, r_1\}$ to the CS.

After receiving $F$, the CS computes $\tau = H(name\,\|\,n\,\|\,r_1\,\|\,PK_U)$, and verifies the correctness of the data by checking if

$$e\Big(\prod_{i=1}^{n} S_i,\, g\Big) = e\Big(\prod_{i=1}^{n} \big(Q_{U,0}^{m_i} Q_{U,1}^{h_i}\big),\, P_M\Big) \cdot e\Big(\prod_{i=1}^{n} \big(V^{m_i} W^{h_i}\big),\, PK_U\Big) \cdot e\Big(\prod_{i=1}^{n} T_i,\, R\Big), \qquad (2)$$

where $h_i = H(i\,\|\,\tau\,\|\,R)$. The CS accepts $F$ if the equation holds, and rejects otherwise.

D. AUDIT

This algorithm consists of the following sub-algorithms.

1) ChalGen. The TPA chooses a random $r_3 \in \mathbb{Z}_p$ and $c \leftarrow [1, n]$, and sends the challenge message $chal = (\varphi, t, r_3, c)$ to the CS, where $t$ is the current timestamp.

2) ProGen. After receiving $chal$ from the TPA, the CS works as follows:

• extract $\{Bl_{t-\varphi+1}, Bl_{t-\varphi+2}, \cdots, Bl_t\}$ from the blockchain based on $t$ and $\varphi$, and compute
$$k_1 = h_1(Bl_{t-\varphi+1}\,\|\,Bl_{t-\varphi+2}\,\|\cdots\|\,Bl_t\,\|\,r_3) \quad\text{and}\quad k_2 = h_2(Bl_{t-\varphi+1}\,\|\,Bl_{t-\varphi+2}\,\|\cdots\|\,Bl_t\,\|\,r_3);$$

• compute $i_\xi = \pi_1(k_1, \xi)$ and $v_{i_\xi} = \pi_2(k_2, \xi)$ for $\xi = 1, 2, \cdots, c$;

• compute $S = \prod_{\xi=1}^{c} S_{i_\xi}^{v_{i_\xi}}$ and $\mu = \sum_{\xi=1}^{c} v_{i_\xi} m_{i_\xi}$;

• randomly select $\rho \in \mathbb{Z}_p$, compute $T_M = P_M^{\rho}$, $T_U = PK_U^{\rho}$, $T_R = R^{\rho}$, and $A = e(S^{\rho}, g)\,/\,\big(e(Q_{U,0}^{\mu}, T_M) \cdot e(V^{\mu}, T_U)\big)$;

• randomly select $\theta \in \mathbb{Z}_p$, set $W = S^{\theta}$, and provide the following zero-knowledge proof (ZKP):
$$\pi = \mathrm{ZKP}\Big\{(\rho, \mu, \theta)\ \Big|\ T_M = P_M^{\rho} \wedge T_U = PK_U^{\rho} \wedge T_R = R^{\rho} \wedge e(W^{\rho}, g^{1/\theta})\, e(Q_{U,0}^{-\mu}, T_M)\, e(V^{-\mu}, T_U) = A\Big\}.$$

Concretely, the proof $\pi$ is generated as follows:

– randomly select $r_\rho, r_\theta, r_\mu \in \mathbb{Z}_p$, and compute $R_W = W^{r_\rho}$, $R_\theta = g^{1/\theta}$, $R_Q = Q_{U,0}^{-r_\mu}$, $R_V = V^{-r_\mu}$, $R_M = P_M^{r_\rho}$, $R_U = PK_U^{r_\rho}$, $R_r = R^{r_\rho}$;

– compute $c = H(R_W, R_\theta, R_Q, R_V, R_M, R_U, R_r)$;

– compute $z_\rho = r_\rho + \rho c$, $z_\theta = c$, $z_\mu = r_\mu + \mu c$;

– output $\pi = (c, z_\rho, z_\theta, z_\mu)$.

The CS sends $\mathit{proof} = \{A, r_1, W, \pi\}$ to the TPA.

3) ProVer. Upon receiving $\mathit{proof}$, the TPA checks the data integrity as follows:

• reject if any of the following equations fails to hold:
$$e\Big(\frac{W^{z_\rho}}{R_W}, R_\theta\Big)\, e\Big(\frac{Q_{U,0}^{-z_\mu}}{R_Q}, T_M\Big)\, e\Big(\frac{V^{-z_\mu}}{R_V}, T_U\Big) = A^{c}, \qquad P_M^{z_\rho}/R_M = T_M^{c}, \qquad PK_U^{z_\rho}/R_U = T_U^{c}, \qquad R^{z_\rho}/R_r = T_R^{c};$$

• compute $\tau = H(name\,\|\,n\,\|\,r_1\,\|\,PK_U)$, and
$$k_1 = h_1(Bl_{t-\varphi+1}\,\|\,Bl_{t-\varphi+2}\,\|\cdots\|\,Bl_t\,\|\,r_3), \qquad k_2 = h_2(Bl_{t-\varphi+1}\,\|\,Bl_{t-\varphi+2}\,\|\cdots\|\,Bl_t\,\|\,r_3);$$

• compute $i_\xi = \pi_1(k_1, \xi)$ and $v_{i_\xi} = \pi_2(k_2, \xi)$ for all $\xi = 1, 2, \cdots, c$;

• check whether
$$A = e\Big(\prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, T_M\Big)\, e\Big(\prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, T_U\Big) \cdot e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, T_R\Big), \qquad (3)$$
where $h_{i_\xi} = H(i_\xi\,\|\,\tau\,\|\,R)$ and $T_{i_\xi} = H_2(i_\xi\,\|\,\tau\,\|\,R)$.

The TPA rejects if Eq. (3) does not hold, and accepts otherwise.
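The decentralized challenge derivation shared by ProGen and ProVer above, as an added Python example that is not part of the paper or any implementation of it: $h_1, h_2$ are modelled as domain-separated SHA-256, $\pi_1, \pi_2$ as HMAC-based pseudorandom functions, block height stands in for the timestamp $t$, and the group order $p$ is a stand-in prime (all assumptions). It also shows why a CS that only sees blocks up to height $t-1$ cannot reproduce the challenged indices.

```python
"""Decentralized challenge derivation of DBPA (ChalGen / ProGen / ProVer)."""
import hashlib
import hmac

# Constructed toy parameters (not taken from the paper's experiments).
P = 2**255 - 19          # stand-in for the prime group order p
N_BLOCKS = 64            # n: number of file blocks
PHI = 6                  # phi: confirmation depth, the Bitcoin value from Section II-B


def h1(data: bytes) -> bytes:
    """h1 : {0,1}* -> K1, modelled as domain-separated SHA-256 (assumption)."""
    return hashlib.sha256(b"DBPA/h1" + data).digest()


def h2(data: bytes) -> bytes:
    """h2 : {0,1}* -> K2, same construction with a different prefix."""
    return hashlib.sha256(b"DBPA/h2" + data).digest()


def pi1(k1: bytes, xi: int, n: int = N_BLOCKS) -> int:
    """pi1 : K1 x [1,n] -> [1,n]: block index i_xi, modelled as HMAC-SHA256 reduced
    into [1,n] (the small modulo bias is irrelevant for this illustration)."""
    mac = hmac.new(k1, xi.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % n + 1


def pi2(k2: bytes, xi: int, p: int = P) -> int:
    """pi2 : K2 x [1,n] -> Z_p: coefficient v_{i_xi}. The paper calls pi2 a
    pseudorandom permutation; an HMAC-based PRF into Z_p is used here instead."""
    mac = hmac.new(k2, xi.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % p


def block_window(chain: list, t: int, phi: int = PHI) -> list:
    """{Bl_{t-phi+1}, ..., Bl_t}. `chain` lists block hashes by height; height
    stands in for the timestamp t (simplifying assumption)."""
    if t < phi - 1 or t >= len(chain):
        raise ValueError("block window up to height %d does not exist yet" % t)
    return chain[t - phi + 1 : t + 1]


def derive_keys(window: list, r3: int) -> tuple:
    """k1 = h1(Bl_{t-phi+1} || ... || Bl_t || r3) and k2 = h2(same input)."""
    seed = b"".join(window) + r3.to_bytes(32, "big")
    return h1(seed), h2(seed)


def challenge_set(chain: list, t: int, r3: int, c: int,
                  phi: int = PHI, n: int = N_BLOCKS) -> list:
    """{(i_xi, v_{i_xi}) : xi = 1..c}. The CS (ProGen) and the TPA (ProVer)
    both run exactly this computation from the public chain and chal."""
    k1, k2 = derive_keys(block_window(chain, t, phi), r3)
    return [(pi1(k1, xi, n), pi2(k2, xi)) for xi in range(1, c + 1)]


def aggregate_mu(file_blocks: list, challenge: list, p: int = P) -> int:
    """mu = sum over xi of v_{i_xi} * m_{i_xi} (mod p), the ProGen aggregate."""
    return sum(v * file_blocks[i - 1] for i, v in challenge) % p


def make_chain(length: int) -> list:
    """Constructed block hashes standing in for a public chain."""
    return [hashlib.sha256(b"constructed-block-%d" % h).digest() for h in range(length)]


def guess_before_block_t(chain: list, t: int, r3: int, c: int) -> bool:
    """Could a CS that has only seen blocks up to height t-1 precompute the
    challenge? True only if a guess from the stale view matches the real one."""
    try:
        stale = challenge_set(chain[:t], t, r3, c)   # raises: Bl_t is not known yet
    except ValueError:
        return False
    return stale == challenge_set(chain, t, r3, c)


if __name__ == "__main__":
    chain = make_chain(20)
    blocks = [(7 * i + 3) % P for i in range(1, N_BLOCKS + 1)]  # constructed m_i
    chal = challenge_set(chain, t=19, r3=0x5EED, c=5)
    print("challenged indices:", [i for i, _ in chal])
    print("mu =", aggregate_mu(blocks, chal))
    print("predictable before Bl_t exists:", guess_before_block_t(chain, 19, 0x5EED, 5))
```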


TABLE 1. The log file f .

(1)
d) compute τ = H (nameknkr1 kPKU ), iξ =
(1)
π1 (k1 , ξ ) and viξ = π2 (k2 , ξ ), where
(1) (1) (1) (1)
k1 = h1 (Blt−ϕ+1 kBlt−ϕ+2 k · · · kBlt kr3 ),
(1) (1) (1) (1)
k2 = h2 (Blt−ϕ+1 kBlt−ϕ+2 k · · · kBlt kr3 );
e) accept if
c (1) (1)
vi hi
ξ ξ (1)
Y
A (1)
= e( QU ,1 , TM )
ξ =1
c (1) (1) c (1)
vi
vi hi
Tiξ ξ , TR ), (4)
(1) (1)
Y Y
FIGURE 3. Public auditing data structure of a transaction.
·e( W ξ ξ , TU )e(
ξ =1 ξ =1
(1) (1) (1)
where h iξ = H (iξ kτ kR), and Tiξ =
E. USER CHECK (1)
H2 (iξ kτ kR), and reject otherwise.
The user checks the TPA’s behavior as follows.
1) LogGen. The TPA generates an auditing log as below: V. SECURITY ANALYSIS
a) for each verification task, generate an record as A. CORRECTNESS
Assume that the user generates file tags σ = {{Si }ni=1 , R, r1 }
{t, r3 , c, A, TM , TU , TR , r1 }; honestly and the TPA and CS follow the scheme to audit the
data and generate proof = {A, r1 , W , π}. Correctness can be
b) store the record to a log file f in chronological
verified as follows. Regarding Eq. (2), we have:
order as shown in Table 1, where TxID denotes
n
the transaction ID; Y
c) compute the hash value e( Si , g)
i=1
(1) (1) (1) n
}t1 = H (Blt−ϕ+1 kBlt−ϕ+1 k · · · kBlt xu mi H (ikT kR) xu H (ikT kR) r2
(Dm
Y
i
= e( U ,0 V DU ,1 W Ti ), g)
(1) (1) (1) (1) (1)
kt (1) kr3 kA(1) kTM kTU kTR kr1 ); i=1
n
H (ikT kR)
= e( (Dm
Y
d) generate a transaction Tx1 as shown in Figure 3, i
), g)
U ,0 DU ,1
where the data field is set to }t . If the transaction i=1
is successfully recorded into the blockchain, add n n
Tir2 , g)
Y Y
BlockHeight and TxID in the log file f , as shown ·e( (V xu mi W xu H (ikT kR) ), g)e(
in Table 1. i=1 i=1
n n n
2) CheckLog. U checks the validity of the auditing results
(Qm
Y Y Y
= e( i
Q hi
U ,0 U ,1 ), PM )e( (V mi hi
W ), PKU )e( Ti , R).
as follows:
i=1 i=1 i=1
a) acquire t (1) , t (1) + ϕ + 1, derive the actual time
when the audit was performed from t (1) and t (1) + Regarding Eqs. (3) and (4), we have:
µ
ϕ + 1, and reject if the time does not match the A = e(S, TG )/(e(QU ,0 , TM ) · e(V µ , TU ))
agreed one; c
vi µ ρ ρ
Siξ ξ , gρ )/(e(QU ,0 , PM ) · e(V µ , PKU ))
Y
b) extract }t1 from the blockchain, and reject if the = e(
extraction fails; ξ =1
c) check whether }t1 matches the entry in the first c viξ hi c
µ ρ vi
QU ,1 ξ , PM )e( Tiξ ξ , Rρ )
Y Y
row of f , and rejects if }t1 does not match the = e(QU ,0
agreed one; ξ =1 ξ =1

VOLUME 8, 2020 139819


Y. Miao et al.: Decentralized and Privacy-Preserving Public Auditing for Cloud Storage Based on Blockchain

$$
\begin{aligned}
&\quad \times\, e\Big(V^{\mu} \prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, PK_U^{\rho}\Big) \big/ \big(e(Q_{U,0}^{\mu}, P_M^{\rho}) \cdot e(V^{\mu}, PK_U^{\rho})\big) \\
&= e(Q_{U,0}^{\mu}, P_M^{\rho}) \cdot e\Big(\prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, P_M^{\rho}\Big) \cdot e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, R^{\rho}\Big)
 \cdot e(V^{\mu}, PK_U^{\rho}) \cdot e\Big(\prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, PK_U^{\rho}\Big) \\
&\qquad \big/ \big(e(Q_{U,0}^{\mu}, P_M^{\rho}) \cdot e(V^{\mu}, PK_U^{\rho})\big) \\
&= e\Big(\prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, P_M^{\rho}\Big) \cdot e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, R^{\rho}\Big) \cdot e\Big(\prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, PK_U^{\rho}\Big) \\
&= e\Big(\prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, T_M\Big) \cdot e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, T_R\Big) \cdot e\Big(\prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, T_U\Big).
\end{aligned}
$$

B. SECURITY ANALYSIS
Lemma 1: If the CDH problem is hard, the user's file tags are unforgeable under adaptively chosen-message attacks.
Similar to [26], we can prove that it is computationally infeasible for an adversary who does not own the user's secret key to forge a valid signature $\sigma = \{\{S_i\}_{i=1}^{n}, R, r_1\}$. So we omit the proof here.

Lemma 2: As an inside adversary, the cloud server could not forge $\mu$ to pass the verification done by the TPA.
Proof: [Proof Sketch] Assume the CS forges $\mu$ to $\mu'$ and passes the verification. We know that for a given challenge message, the correct response should be $A = e(S, T_G)/(e(Q_{U,0}^{\mu}, T_M) \cdot e(V^{\mu}, T_U))$. Suppose that the CS outputs the response $\{A', r_1, W, \pi\}$, where $A' = e(S, T_G)/(e(Q_{U,0}^{\mu'}, T_M) \cdot e(V^{\mu'}, T_U))$, which passes the verification done by the TPA. We have that $A/A' = 1$, therefore,
$$e(Q_{U,0}^{\mu}, T_M) \cdot e(V^{\mu}, T_U) = e(Q_{U,0}^{\mu'}, T_M) \cdot e(V^{\mu'}, T_U).$$
That is,
$$e\big(Q_{U,0}^{\alpha\rho\mu} \cdot V^{x_u \rho \mu},\, g\big) = e\big(Q_{U,0}^{\alpha\rho\mu'} \cdot V^{x_u \rho \mu'},\, g\big).$$
We get that
$$\big(Q_{U,0}^{\alpha\rho} \cdot V^{x_u \rho}\big)^{\mu} = \big(Q_{U,0}^{\alpha\rho} \cdot V^{x_u \rho}\big)^{\mu'}.$$
Since $\mu \neq \mu'$, we set $\omega = Q_{U,0}^{\alpha\rho} \cdot V^{x_u \rho}$, which can be represented as $\omega = (g')^{\chi^*} \cdot (g'')^{\chi'^*}$, where $\chi^*, \chi'^* \in \mathbb{Z}_p$ and $g', g'' \in G_1$ are randomly chosen. Furthermore, there exists $x \in \mathbb{Z}_p$ such that $g'' = (g')^{x}$. Therefore, the discrete logarithm problem here is that, given $g'$ and $g'' = (g')^{x}$, compute $x \in \mathbb{Z}_p$, so the solution of the discrete log problem is $x = -(\chi^*/\chi'^*)$. However, $\chi'^*$ is zero only with probability $1/p$, which is negligible because $p$ is a large prime. We then get a solution to the DL problem with probability $1 - 1/p$, which contradicts the assumption that the DL problem in $G_1$ is computationally infeasible.

Theorem 1: Our DBPA scheme achieves authenticity. That is, if the cloud server's response passes the TPA's verification, it must truly possess the specified data.
Proof: [Proof Sketch] The proof follows from that in Section 4.2 of [48]. A challenger is used to obtain a valid response $\{A, r_1, W, \pi\}$. In addition, the cloud server is treated as an adversary and the challenger controls the random oracle $H(\cdot)$. If there is a non-negligible probability that the adversary wins, we can construct a simulator that solves the DL problem and the CDH problem. To prove the authenticity of DBPA, we define a sequence of games with interleaved analysis as follows.

Game 0: This is simply the original authenticity game played between the TPA and the CS defined in Section III-D.

Game 1: It is the same as Game 0, with the exception that the adversary tries to forge a part of the proof information in Audit. Since $\sigma_i = \{S_i, R\}$ in DBPA is existentially unforgeable, the challenger records each response generated by the adversary, and declares failure and aborts if
1) the response is valid, and
2) the response $\{A, r_1, W, \pi' = \{A, T_M, T_U, T_R'\}\}$ is different from the expected one $\{A, r_1, W, \pi = \{A, T_M, T_U, T_R\}\}$.

Analysis. Denote the event above by $abt_1$. Given a challenge message, the expected response $\{A, r_1, W, \pi\}$ should satisfy that
$$
\begin{aligned}
A &= e(S, T_G) \big/ \big(e(Q_{U,0}^{\mu}, T_M) \cdot e(V^{\mu}, T_U)\big) \\
&= e\Big(\prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, T_U\Big) \cdot e\Big(\prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, T_M\Big) \cdot e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, T_R\Big).
\end{aligned}
$$
In case that the challenger aborts, the response $\{A, r_1, W, \pi'\}$ generated by the adversary satisfies that
$$
\begin{aligned}
A &= e(S, T_G) \big/ \big(e(Q_{U,0}^{\mu}, T_M) \cdot e(V^{\mu}, T_U)\big) \\
&= e\Big(\prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, T_U\Big) \cdot e\Big(\prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, T_M\Big) \cdot e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, T_R'\Big).
\end{aligned}
$$
We know that $\Delta T_R = T_R - T_R' \neq 0$ since $T_R \neq T_R'$. We further have $r_2 \neq r_2'$, $\Delta r_2 = r_2 - r_2' \neq 0$, and
$$e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, T_R\Big) = e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, T_R'\Big),$$
which is
$$e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi} r_2 \rho},\, g\Big) = e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi} r_2' \rho},\, g\Big).$$
Equally, we have $\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi} r_2 \rho} = \prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi} r_2' \rho}$, and then
$$\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi} \rho \Delta r_2} = 1.$$
Given a discrete logarithm problem $g, h \in G_1$, if we set $T_{i_\xi} = g^{a_\xi} \cdot h^{b_\xi}$ for some $a_\xi, b_\xi \in \mathbb{Z}_p$ and $\xi \in [1, c]$, the solution to the DL problem could be given as
$$x = \log_g h = -\sum_{\xi=1}^{c} a_\xi v_{i_\xi} \rho \Delta r_2 \Big/ \sum_{\xi=1}^{c} b_\xi v_{i_\xi} \rho \Delta r_2.$$
However, $\Delta r_2$ is zero only

with the probability $1/p$, which is negligible because $p$ is a large prime. Then we get a solution to the DL problem with a probability of $(1 - 1/p)\Pr[abt_1]$, which is non-negligible if $\Pr[abt_1]$ is so, contradicting the DL assumption. Therefore, we have that the difference between the adversary's success probabilities in Game 0 and Game 1 is non-negligible.

Game 2: It is the same as Game 1, except that the adversary is trained to be able to forge any part of the response information in Audit. That is, the challenger records each response generated by the adversary, and declares failure and aborts if the response $\{A', r_1, W, \pi' = \{A', T_M', T_U', T_R'\}\}$ is valid and different from the expected one $\{A, r_1, W, \pi = \{A, T_M, T_U, T_R\}\}$.

Analysis. Denote the event above by $abt_2$. Given a CDH problem instance $(g, g^{\alpha}, g^{\beta})$, the challenger sets $g^* = g^{\alpha}$ and $P_M = g^{\beta}$ at the beginning of the game, sets $Q_{U,0} = g^{b_0} \cdot g^{\alpha b_0'}$, $Q_{U,1} = g^{b_1} \cdot g^{\alpha b_1'}$ and $h_i = -m_i^* b_0'/b_1'$, where $b_0, b_0', b_1, b_1'$ are randomly chosen from $\mathbb{Z}_p$, and randomly selects $x_u \leftarrow \mathbb{Z}_p$ as (part of) the user's secret key. To generate tags for a file $M^* = \{m_i^*\}$, the challenger randomly chooses $r_2 \leftarrow \mathbb{Z}_p$ and computes $(\{S_i\}, R)$, where $R = g^{r_2}$ and
$$S_i = g^{b_0 \beta m_i^*} \cdot V^{x_u m_i^*} \cdot g^{-b_1 \beta m_i^* b_0'/b_1'} \cdot W^{-x_u m_i^* b_0'/b_1'} \cdot T_i^{r_2}.$$
According to Game 1, we know that $T_R = T_R'$. Besides, we have that
$$
\begin{aligned}
A &= e(S^{\rho}, g) \big/ \big(e(Q_{U,0}^{\mu}, T_M) \cdot e(V^{\mu}, T_U)\big) \\
&= e\Big(\prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, T_U\Big) \cdot e\Big(\prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, T_M\Big) \cdot e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, T_R\Big)
\end{aligned}
$$
and
$$
\begin{aligned}
A' &= e(S^{\rho}, g) \big/ \big(e(Q_{U,0}^{\mu}, T_M') \cdot e(V^{\mu}, T_U')\big) \\
&= e\Big(\prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, T_U'\Big) \cdot e\Big(\prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, T_M'\Big) \cdot e\Big(\prod_{\xi=1}^{c} T_{i_\xi}^{v_{i_\xi}},\, T_R'\Big).
\end{aligned}
$$
We can get that
$$
e\Big(Q_{U,0}^{\mu} \cdot \prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, T_M\Big) \cdot e\Big(V^{\mu} \cdot \prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, T_U\Big)
= e\Big(Q_{U,0}^{\mu} \cdot \prod_{\xi=1}^{c} Q_{U,1}^{v_{i_\xi} h_{i_\xi}},\, T_M'\Big) \cdot e\Big(V^{\mu} \cdot \prod_{\xi=1}^{c} W^{v_{i_\xi} h_{i_\xi}},\, T_U'\Big).
$$
Equally, we have
$$
\begin{aligned}
&e\Big(\Big(g^{b_0 \mu \beta} \cdot g^{\alpha b_0' \mu \beta} \cdot \prod_{\xi=1}^{c}\big(g^{-b_1 v_{i_\xi} m_{i_\xi}^* b_0' \beta / b_1'} \cdot g^{-\alpha v_{i_\xi} m_{i_\xi}^* b_0' \beta}\big) \cdot V^{\mu x_u} \cdot \prod_{\xi=1}^{c} W^{-v_{i_\xi} m_{i_\xi}^* b_0' x_u / b_1'}\Big)^{\rho},\, g\Big) \\
&= e\Big(\Big(g^{b_0 \mu \beta} \cdot g^{\alpha b_0' \mu \beta} \cdot \prod_{\xi=1}^{c}\big(g^{-b_1 v_{i_\xi} m_{i_\xi}^* b_0' \beta / b_1'} \cdot g^{-\alpha v_{i_\xi} m_{i_\xi}^* b_0' \beta}\big) \cdot V^{\mu x_u} \cdot \prod_{\xi=1}^{c} W^{-v_{i_\xi} m_{i_\xi}^* b_0' x_u / b_1'}\Big)^{\rho'},\, g\Big).
\end{aligned}
$$
Obviously, we can obtain
$$
\begin{aligned}
&\Big(g^{b_0 \mu \beta} \cdot g^{\alpha b_0' \mu \beta} \cdot \prod_{\xi=1}^{c}\big(g^{-b_1 v_{i_\xi} m_{i_\xi}^* b_0' \beta / b_1'} \cdot g^{-\alpha v_{i_\xi} m_{i_\xi}^* b_0' \beta}\big) \cdot V^{\mu x_u} \cdot \prod_{\xi=1}^{c} W^{-v_{i_\xi} m_{i_\xi}^* b_0' x_u / b_1'}\Big)^{\rho} \\
&= \Big(g^{b_0 \mu \beta} \cdot g^{\alpha b_0' \mu \beta} \cdot \prod_{\xi=1}^{c}\big(g^{-b_1 v_{i_\xi} m_{i_\xi}^* b_0' \beta / b_1'} \cdot g^{-\alpha v_{i_\xi} m_{i_\xi}^* b_0' \beta}\big) \cdot V^{\mu x_u} \cdot \prod_{\xi=1}^{c} W^{-v_{i_\xi} m_{i_\xi}^* b_0' x_u / b_1'}\Big)^{\rho'}.
\end{aligned}
$$
Since $\rho \neq \rho'$, we can get
$$
g^{b_0 \mu \beta} \cdot g^{\alpha b_0' \mu \beta} \cdot \prod_{\xi=1}^{c}\big(g^{-b_1 v_{i_\xi} m_{i_\xi}^* b_0' \beta / b_1'} \cdot g^{-\alpha v_{i_\xi} m_{i_\xi}^* b_0' \beta}\big) \cdot V^{\mu x_u} \cdot \prod_{\xi=1}^{c} W^{-v_{i_\xi} m_{i_\xi}^* b_0' x_u / b_1'} = 1.
$$
Here, the solution to the given CDH problem is
$$
g^{\alpha\beta} = \Big(g^{b_0 \mu \beta} \cdot \prod_{\xi=1}^{c} g^{-b_1 v_{i_\xi} m_{i_\xi}^* b_0' \beta / b_1'} \cdot V^{\mu x_u} \cdot \prod_{\xi=1}^{c} W^{-v_{i_\xi} m_{i_\xi}^* b_0' x_u / b_1'}\Big)^{-\big(b_0' \mu - \sum_{\xi=1}^{c} v_{i_\xi} m_{i_\xi}^* b_0'\big)^{-1}}.
$$
Note that the probability of game failure is the same as that of
$$b_0' \cdot \Big(\mu - \sum_{\xi=1}^{c} v_{i_\xi} m_{i_\xi}^*\Big) = 0 \bmod p,$$
which is $1/p$. Since $p$ is a large prime, it is thus negligible. Therefore, the probability that we solve the CDH problem is $(1 - 1/p) \cdot \Pr[abt_2]$, which is non-negligible if $\Pr[abt_2]$ is so, contradicting the CDH assumption. Hence, the difference between the adversary's success probabilities in Game 1 and Game 2 is negligible.

Theorem 2: The cloud server's response $proof = \{A, r_1, W, \pi\}$ does not leak any information about $\mu$ to the TPA.
Proof: In the response $proof = \{A, r_1, W, \pi\}$ returned by the cloud server, only $S$ and $\mu$ may leak information about the user's data. However, $S$ is hidden in $W$ by a random exponent $\theta \in \mathbb{Z}_p$, and both $S$ and $\mu$ are hidden in
$$A = e(S^{\rho}, g) \big/ \big(e(Q_{U,0}^{\mu}, T_M) \cdot e(V^{\mu}, T_U)\big) = \Big[e(S, g) \big/ \big(e(Q_{U,0}^{\mu}, P_M) \cdot e(V^{\mu}, PK_U)\big)\Big]^{\rho}$$
by a random exponent $\rho \in \mathbb{Z}_p$, where $T_M = P_M^{\rho}$ and $T_U = PK_U^{\rho}$. Furthermore, the zero-knowledge proof $\pi$ does not leak any information about the witness $\rho, \mu, \theta$. To simulate the response, the simulator could randomly select $A', r_1', W'$ from

the corresponding domains, invoke the simulation algorithm of the zero-knowledge proof to produce a simulated proof $\pi'$, and output $proof' = \{A', r_1', W', \pi'\}$. It is not hard to see that the simulated $proof'$ is indistinguishable from a real response $proof$. Therefore, the response $proof$ does not leak any information about the user's data.

Lemma 3: For a public blockchain whose consensus algorithm is based on proof of work, the hash value of the next block that will be generated at a future time is unpredictable.
Proof: Assume that the adversary is a miner, and the cloud server may collude with the miner. We follow the existing threat model of the miner in [49]. Suppose that the data $M = \{m_i\}_{1 \le i \le n}$ consists of $n$ blocks, where $\kappa$ blocks are not valid, e.g. corrupted. The auditor challenges $c$ blocks to check the integrity of file $M$. Denote the probability of successfully detecting invalid blocks by $P_X$, where $X$ is the number of invalid blocks being challenged. We have
$$P_X = \Pr[X \ge 1] = 1 - \Pr[X = 0] = 1 - \frac{n-\kappa}{n} \times \frac{n-\kappa-1}{n-1} \times \cdots \times \frac{n-\kappa-c+1}{n-c+1}. \qquad (5)$$
Since $\frac{n-\kappa-i}{n-i} > \frac{n-\kappa-i-1}{n-i-1}$, we have
$$1 - \Big(\frac{n-\kappa}{n}\Big)^{c} \le P_X \le 1 - \Big(\frac{n-\kappa-c+1}{n-c+1}\Big)^{c}. \qquad (6)$$
Denote by $P_{corrupt} = \kappa/n$ the probability of data corruption. We have that
$$P_X = 1 - (1 - P_{corrupt})^{c}. \qquad (7)$$
Denote by $P = (1 - P_{corrupt})^{c}$ the probability that invalid blocks are not detected by the auditor, and by $P_{\mathcal{A}}$ the probability that the adversary $\mathcal{A}$ wins, i.e. successfully cheats the auditor. According to [49], we know that
$$P_{\mathcal{A}} = \frac{P}{1 - \Upsilon(1 - P)} = \frac{(1 - P_{corrupt})^{c}}{1 - \Upsilon\big[1 - (1 - P_{corrupt})^{c}\big]}, \qquad (8)$$
where $\Upsilon$ denotes the proportion of $\mathcal{A}$'s mining hashrate. The parameter $\Upsilon$ measures the relative power of $\mathcal{A}$ and can be interpreted as the probability that the next oracle request gives a valid block. For security in blockchain, we assume $\Upsilon < 51\%$. If $\mathcal{A}$ is able to control more than half of the computation power of the whole blockchain network, the security of the blockchain would be broken. For example, when $\Upsilon = 25\%$, $P_{corrupt} = 10\%$ and $c = 500$, the probability that $\mathcal{A}$ wins is 0.013055, indicating that although $\mathcal{A}$ has strong computation power, the probability that it wins is still small.

FIGURE 4. Probability that the adversary wins when (a) $\Upsilon$ is 0.25 and (b) $\Upsilon$ is 0.5.

Theorem 3: The challenge information is unpredictable for the cloud server.
Proof: In our scheme, the challenge message is generated as $k_1 = h_1(Bl_{t-\phi+1} \| Bl_{t-\phi+2} \| \cdots \| Bl_t \| r_3)$, $k_2 = h_2(Bl_{t-\phi+1} \| Bl_{t-\phi+2} \| \cdots \| Bl_t \| r_3)$, $i_\xi = \pi_1(k_1, \xi)$, $v_{i_\xi} = \pi_2(k_2, \xi)$. As we can see, the challenge message is determined by two parts. One part is $r_1$, which is generated by the auditor, and the other part $Bl_{t-\phi+1} \| Bl_{t-\phi+2} \| \cdots \| Bl_t$ is determined by the public blockchain, which is publicly transparent and tamper-proof. A new block is generated approximately every 15 seconds in Ethereum. The cloud server could not control the generation of a new block, and by Lemma 3 the hash value of the new block is unpredictable for the cloud server. Hence, the challenge information is unpredictable for the cloud server.

To ensure the integrity of outsourced data, most existing schemes assume that the cloud server would not collude with the TPA, which is a strong assumption. If the two entities collude, the TPA may send fake audit results to the user, in order to help the CS cover up a data corruption event and conceal its mistake, without being detected by the user. In our DBPA scheme, the challenge information is generated based on the latest blockchain information and the choices of the TPA. Each piece of audit information generated between the TPA and CS is packed into a transaction and recorded into the blockchain. Due to the characteristics of blockchain, the whole audit process, including challenge information generation, response proof generation, and audit result verification, is thus traceable. Any misbehavior of the TPA could be traced. As long as the blockchain remains tamper-resistant, we can learn from the audit information recorded on the blockchain that the TPA honestly fulfilled its obligation to audit the user's data stored on the CS. Hence, we have the following theorem.

Theorem 4: Misbehavior of the TPA in auditing the user's data is traceable.
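As an added example (not from the paper), the probabilities of Eqs. (5) to (8) computed with exact rational arithmetic, plus a helper that picks the smallest number of challenged blocks c for a target adversary-win probability; the function names and the use of Fraction are my own choices, and the Υ < 51% assumption of the proof is enforced as a check.

```python
from fractions import Fraction


def detection_probability(n, kappa, c):
    """Eq. (5): P_X = 1 - Pr[X = 0] when c of n blocks are challenged without
    replacement and kappa of them are corrupted. Exact, as a Fraction."""
    if c > n:
        raise ValueError("cannot challenge more blocks than the file has")
    miss = Fraction(1)
    for i in range(c):
        # Once the c-th draw exceeds the n-kappa honest blocks, Pr[X = 0] is 0.
        miss *= Fraction(max(n - kappa - i, 0), n - i)
    return 1 - miss


def detection_bounds(n, kappa, c):
    """Eq. (6): 1 - ((n-kappa)/n)^c <= P_X <= 1 - ((n-kappa-c+1)/(n-c+1))^c."""
    lower = 1 - Fraction(n - kappa, n) ** c
    upper = 1 - Fraction(max(n - kappa - c + 1, 0), n - c + 1) ** c
    return lower, upper


def detection_approx(p_corrupt, c):
    """Eq. (7): P_X written with P_corrupt = kappa/n; equals the lower bound of Eq. (6)."""
    return 1 - (1 - p_corrupt) ** c


def adversary_win_probability(p_corrupt, c, upsilon):
    """Eq. (8): P_A = P / (1 - Upsilon * (1 - P)) with P = (1 - P_corrupt)^c, where
    Upsilon is the adversary's share of the mining hashrate (assumed < 51%)."""
    if not 0 <= upsilon < Fraction(51, 100):
        raise ValueError("the analysis assumes Upsilon < 51%")
    p = (1 - p_corrupt) ** c
    return p / (1 - upsilon * (1 - p))


def min_challenge_blocks(p_corrupt, upsilon, target):
    """Smallest c for which P_A <= target: the parameter an auditor actually chooses.
    Needs p_corrupt > 0, otherwise no c ever lowers P_A below 1."""
    if p_corrupt <= 0:
        raise ValueError("p_corrupt must be positive")
    c = 1
    while adversary_win_probability(p_corrupt, c, upsilon) > target:
        c += 1
    return c
```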
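As an added example (not the authors' code), a Python model of the Log and CheckLog steps described earlier together with the challenge derivation of Theorem 3, since both hash the same window of block hashes Bl_{t-φ+1} ‖ … ‖ Bl_t. The toy chain and ledger, PHI, N_BLOCKS, the stand-in for p, the SHA-256 and HMAC instantiations of h1, h2, π1, π2, and the rule that the audit time must fall between the mining of blocks t and t+φ+1 are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed toy environment: placeholders, not real Ethereum data or the paper's parameters.
PHI = 3                                  # phi: number of recent block hashes folded into a challenge
N_BLOCKS = 1000                          # n: data blocks in the outsourced file
P = 2**255 - 19                          # stand-in for the group order p
CHAIN = {h: (hashlib.sha256(b"block-%d" % h).hexdigest(), 1_590_000_000 + 15 * h)
         for h in range(1, 60)}          # BlockHeight -> (block hash Bl_h, unix timestamp)
LEDGER = {}                              # TxID -> (BlockHeight, data field of the transaction)


def block_hashes(t):
    """Bl_{t-phi+1} || ... || Bl_t as one byte string."""
    return b"".join(bytes.fromhex(CHAIN[h][0]) for h in range(t - PHI + 1, t + 1))


def challenge(t, r3, c):
    """Theorem 3: k1 = h1(Bl... || r3), k2 = h2(Bl... || r3), i_xi = pi1(k1, xi), v_i = pi2(k2, xi).
    h1/h2 are modelled as domain-separated SHA-256 and pi1/pi2 as HMAC-SHA256 PRFs (assumption);
    a PRF output that repeats an index is skipped so that the c indices are distinct."""
    seed = block_hashes(t) + r3.to_bytes(32, "big")
    k1 = hashlib.sha256(b"h1" + seed).digest()
    k2 = hashlib.sha256(b"h2" + seed).digest()
    indices, coeffs, xi = [], [], 0
    while len(indices) < c:
        xi += 1
        tag = xi.to_bytes(4, "big")
        i = int.from_bytes(hmac.new(k1, tag, "sha256").digest(), "big") % N_BLOCKS + 1
        if i in indices:
            continue
        indices.append(i)
        coeffs.append(int.from_bytes(hmac.new(k2, tag, "sha256").digest(), "big") % P)
    return indices, coeffs


def record_hash(rec):
    """Log step c: hbar = H(Bl_{t-phi+1} || ... || Bl_t || t || r3 || A || T_M || T_U || T_R || r1).
    Group elements are carried as hex strings; every field is length-prefixed before hashing."""
    h = hashlib.sha256(block_hashes(rec["t"]))
    for key in ("t", "r3", "A", "T_M", "T_U", "T_R", "r1"):
        field = str(rec[key]).encode()
        h.update(len(field).to_bytes(4, "big") + field)
    return h.hexdigest()


def log_audit(t, r3, c, A, T_M, T_U, T_R, r1, mined_at):
    """Log steps a, b and d: build the record, put its hash into the data field of a
    transaction and, once mined, keep BlockHeight and TxID beside the record (one row of f)."""
    rec = {"t": t, "r3": r3, "c": c, "A": A, "T_M": T_M, "T_U": T_U, "T_R": T_R, "r1": r1}
    hbar = record_hash(rec)
    txid = hashlib.sha256(b"tx" + hbar.encode()).hexdigest()   # toy TxID, not a real one
    LEDGER[txid] = (mined_at, hbar)
    rec.update({"BlockHeight": mined_at, "TxID": txid})
    return rec


def check_log(row, agreed_time):
    """CheckLog steps a to c for one row of f; returns "ok" or the reason for rejection.
    Assumption: the audit took place between the mining of block t and block t+phi+1,
    so the agreed audit time must lie inside that window."""
    t = row["t"]
    earliest, latest = CHAIN[t][1], CHAIN[t + PHI + 1][1]
    if not earliest <= agreed_time <= latest:
        return "reject: audit time does not match the agreed one"
    entry = LEDGER.get(row["TxID"])
    if entry is None or entry[0] != row["BlockHeight"]:
        return "reject: hash could not be extracted from the blockchain"
    if entry[1] != record_hash(row):
        return "reject: on-chain hash does not match the log entry"
    return "ok"
```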

TABLE 2. Property Comparison.

TABLE 3. Comparison in Computation Overhead.

TABLE 4. Comparison in Communication Overhead.

VI. PERFORMANCE
In this section, we provide comparisons of our scheme with some other related schemes, in terms of functional features, computational overhead and communication overhead.

A. PROPERTY COMPARISON
Table 3 shows the comparison of our DBPA scheme with some other schemes in the literature in terms of functional features. As we can see, the proposed scheme supports all the features compared to the existing schemes. Concretely, the proposed scheme supports public auditing, which means the auditing proofs could be verified by any user. Moreover, all the auditing proofs in our scheme are traceable, since all the hash values of auditing proofs are stored in the blockchain permanently and cannot be tampered with. In addition, our scheme achieves privacy preservation during the process of auditing, while the other schemes do not. Furthermore, our scheme could prevent the adversary from challenge message guessing, while the other blockchain-based schemes could not.

B. EFFICIENCY COMPARISON
In this part we compare our DBPA scheme with the schemes SWP [48], SCLPV [24], and CPVPA [26] in terms of computation overhead and communication overhead. Table 3 provides a comparison in computational efficiency of the cloud server and the TPA, where $M_G$, $M_{\mathbb{Z}_p}$ and $E_G$ denote a scalar multiplication in $G$, a scalar multiplication in $\mathbb{Z}_p$ and a modular exponentiation in $G$, respectively, $P$ denotes a bilinear pairing, $C_f$ denotes the evaluation of a PRF, and $c$ denotes the total number of challenged data blocks. From the table we learn that both the computational overhead of the cloud server and that of the TPA are slightly higher than those of the other three schemes. However, our scheme provides a good solution to privacy protection of the user's data, which is more important for the users if their data is sensitive. Table 4 provides a comparison of our scheme with [24] and [26] in terms of communication overhead. In our scheme, the TPA needs to send the challenge message $\phi, t, r_3, c$ to the cloud server in the first move. After receiving the challenge message, the cloud server needs to return the response information $proof = \{A, r_1, W, \pi\}$ to the TPA. As we can see, the communication overhead of our scheme on the TPA side is $|\mathbb{Z}_p|$, and the communication overhead on the cloud server side is $11|G_1| + |G_T| + 5|\mathbb{Z}_p|$, where $|G_1|$, $|G_T|$ and $|\mathbb{Z}_p|$ denote the length of an element of $G_1$, $G_T$ and $\mathbb{Z}_p$, respectively, $c$ denotes the number of challenged blocks, and $|H|$ denotes the hash length of a block in the underlying blockchain. From Table 4 we learn that the communication overhead in SCLPV is linear in $c$ on the TPA side, while those in our scheme and CPVPA are independent of $c$.

Overall, our DBPA scheme provides better privacy protection and security guarantees, but at the cost of a slightly higher communication overhead, when compared with SCLPV and CPVPA. Specifically, the extra communication overhead on the cloud server side is $9|G_1| + |G_T| + 3|\mathbb{Z}_p|$ for the protection of user privacy against the TPA, and that on the TPA side is $|\mathbb{Z}_p|$ for randomizing the challenge message in order to resist against the cloud server.

C. EXPERIMENTAL RESULTS
To demonstrate the usability of our DBPA scheme, we implement the scheme in Java. The experiments are conducted on a Windows 10 operating system, with an Intel(R) Core(TM) i7 CPU at 2.5 GHz and 8 GB RAM. We make use of the JPBC library, and utilize the Type-A curve in our experiment. To support an 80-bit security level, we set the parameter $p$ to be of 160 bits. Figure 5(a) shows the computation delay on the TPA side with different challenge block numbers. As we can see, as the value of the number $c$ increases, the auditing delay increases linearly as well, as more exponentiations and multiplications in $G_1$ are needed. Compared with CPVPA [26], our scheme requires almost the same time to conduct the verification on the same number of challenged data blocks. Figure 5(b) shows the verification time on the CS side, which grows almost linearly with the number of elements per file. The verification time in our DBPA scheme is almost the same as that in SCLPV [24] and CPVPA [26]. Furthermore, we show the communication overhead between the TPA and the CS in Figure 5(c), which is independent of the number of challenged blocks in our scheme and CPVPA [26], while it is linear in the number of challenged data blocks in SWP [48] and SCLPV [24].

FIGURE 5. Efficiency comparison.

Furthermore, we use the Ethereum blockchain to examine the efficiency and cost of our DBPA scheme. We use Solidity to create a contract and publish it to the Kovan public test network.2 The current price configuration is 0.0012 Ether per million gas, and the current rate is about 1 Ether ≈ 261.8$. Our wallet address is 0x851Ca2C940f1AD6eb10094dC08a37df81B3BE114. The contract is deployed at block 1846343, and costs 209978 gas. The transaction hash is 0x9c901a6f1b58f381a77da1492f542822e61b7435f236b188666c9b373e4c7eb7. The transaction was confirmed at 22:49 on May 25th, 2020. We first tested how the transaction confirmation time varies with different numbers of data blocks, and set the number of data blocks from 0 to 100. The results are shown in Figure 6(a). As we can see, the time cost for confirmation has a positive relationship with the transaction number. When a transaction has been confirmed by at least 12 nodes on the blockchain network, we consider the transaction tamper-resistant [50]. Furthermore, we also tested the transaction fee with different transaction numbers in Figure 6(b). We set the transaction number from 0 to 100, and found that the gas cost is linear in the transaction number. This is reasonable, because in our scheme the transaction data only includes the hash value, which is of constant size, and thus every transaction costs almost the same fee. From our experiment, the average cost of each transaction is about 0.000035 Ether. More specifically, assume that the number of transactions is 50. Our scheme requires about 0.00175 Ether, which is equal to 0.45815$, which is acceptable.

FIGURE 6. Performance in Ethereum blockchain.

2 Kovan Testnet: https://kovan.etherscan.io/

VII. CONCLUSION
In this paper, we proposed a decentralized and privacy-preserving public auditing scheme, which is secure against the procrastinating third-party auditor and the malicious cloud server. Our scheme utilizes two components to generate unpredictable challenge messages. One is generated by the auditor, and the other is a series of decentralized block hashes. Our scheme could resist against the procrastinating auditor, and a malicious cloud server could not retrieve or guess the challenge message ahead of the audit time. Furthermore, our scheme provides better protection of user privacy during the process of verification of the audit response from the cloud server. We analyzed our scheme to show that it is secure, and

conducted a comprehensive performance analysis, showing that our scheme has low communication overhead and is efficient in terms of computation overhead. We did experiments on the Kovan testnet of the Ethereum blockchain to demonstrate the practicability of our scheme.

REFERENCES
[1] E. Azhir, N. J. Navimipour, M. Hosseinzadeh, A. Sharifi, and A. Darwesh, "Query optimization mechanisms in the cloud environments: A systematic study," Int. J. Commun. Syst., vol. 32, no. 8, May 2019, Art. no. e3940.
[2] A. Singh and K. Chatterjee, "Cloud security issues and challenges: A survey," J. Netw. Comput. Appl., vol. 79, pp. 88–115, Feb. 2017.
[3] Y. Shin, D. Koo, and J. Hur, "A survey of secure data deduplication schemes for cloud storage systems," ACM Comput. Surveys, vol. 49, no. 4, pp. 1–38, Feb. 2017.
[4] M. Du, Q. Wang, M. He, and J. Weng, "Privacy-preserving indexing and query processing for secure dynamic cloud storage," IEEE Trans. Inf. Forensics Security, vol. 13, no. 9, pp. 2320–2332, Sep. 2018.
[5] N. Kaaniche and M. Laurent, "Data security and privacy preservation in cloud storage environments based on cryptographic mechanisms," Comput. Commun., vol. 111, pp. 120–141, Oct. 2017.
[6] Y. Li, K. Gai, L. Qiu, M. Qiu, and H. Zhao, "Intelligent cryptography approach for secure distributed big data storage in cloud computing," Inf. Sci., vol. 387, pp. 103–115, May 2017.
[7] N. A. Kofahi and A. R. Al-Rabadi, "Identifying the top threats in cloud computing and its suggested solutions: A survey," Adv. Netw., vol. 6, no. 1, pp. 1–13, 2018.
[8] A. Juels and B. S. Kaliski, "Pors: Proofs of retrievability for large files," in Proc. 14th ACM Conf. Comput. Commun. Secur. (CCS), 2007, pp. 584–597.
[9] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, "Provable data possession at untrusted stores," in Proc. 14th ACM Conf. Comput. Commun. Secur. (CCS), 2007, pp. 598–609.
[10] B. Wang, B. Li, and H. Li, "Panda: Public auditing for shared data with efficient user revocation in the cloud," IEEE Trans. Services Comput., vol. 8, no. 1, pp. 92–106, Jan. 2015.
[11] J. Yuan and S. Yu, "Public integrity auditing for dynamic data sharing with multiuser modification," IEEE Trans. Inf. Forensics Security, vol. 10, no. 8, pp. 1717–1726, Aug. 2015.
[12] T. Jiang, X. Chen, and J. Ma, "Public integrity auditing for shared dynamic cloud data with group user revocation," IEEE Trans. Comput., vol. 65, no. 8, pp. 2363–2373, Aug. 2016.
[13] D. He, B. Huang, and J. Chen, "New certificateless short signature scheme," IET Inf. Secur., vol. 7, no. 2, pp. 113–117, Jun. 2013.
[14] H. Wang, D. He, and S. Tang, "Identity-based proxy-oriented data uploading and remote data integrity checking in public cloud," IEEE Trans. Inf. Forensics Security, vol. 11, no. 6, pp. 1165–1176, Jun. 2016.
[15] S. Peng, F. Zhou, Q. Wang, Z. Xu, and J. Xu, "Identity-based public multi-replica provable data possession," IEEE Access, vol. 5, pp. 26990–27001, 2017.
[16] W. Shen, J. Qin, J. Yu, R. Hao, and J. Hu, "Enabling identity-based integrity auditing and data sharing with sensitive information hiding for secure cloud storage," IEEE Trans. Inf. Forensics Security, vol. 14, no. 2, pp. 331–346, Feb. 2019.
[17] X. Zhang, H. Wang, and C. Xu, "Identity-based key-exposure resilient cloud storage public auditing scheme from lattices," Inf. Sci., vol. 472, pp. 223–234, Jan. 2019.
[18] L. Zhou, A. Fu, S. Yu, M. Su, and B. Kuang, "Data integrity verification of the outsourced big data in the cloud environment: A survey," J. Netw. Comput. Appl., vol. 122, pp. 1–15, Nov. 2018.
[19] H. Tian, F. Nan, C.-C. Chang, Y. Huang, J. Lu, and Y. Du, "Privacy-preserving public auditing for secure data storage in fog-to-cloud computing," J. Netw. Comput. Appl., vol. 127, pp. 59–69, Feb. 2019.
[20] B. Wang, B. Li, and H. Li, "Oruta: Privacy-preserving public auditing for shared data in the cloud," IEEE Trans. Cloud Comput., vol. 2, no. 1, pp. 43–56, Jan. 2014.
[21] J. Zhao, C. Xu, F. Li, and W. Zhang, "Identity-based public verification with privacy-preserving for data storage security in cloud computing," IEICE Trans. Fundamentals Electron., Commun. Comput. Sci., vol. E96.A, no. 12, pp. 2709–2716, 2013.
[22] W. Shen, J. Yu, H. Xia, H. Zhang, X. Lu, and R. Hao, "Light-weight and privacy-preserving secure cloud auditing scheme for group users via the third party medium," J. Netw. Comput. Appl., vol. 82, pp. 56–64, Mar. 2017.
[23] F. Armknecht, J.-M. Bohli, G. O. Karame, Z. Liu, and C. A. Reuter, "Outsourced proofs of retrievability," in Proc. ACM SIGSAC Conf. Comput. Commun. Secur. (CCS), 2014, pp. 831–843.
[24] Y. Zhang, C. Xu, S. Yu, H. Li, and X. Zhang, "SCLPV: Secure certificateless public verification for cloud-based cyber-physical-social systems against malicious auditors," IEEE Trans. Comput. Social Syst., vol. 2, no. 4, pp. 159–170, Dec. 2015.
[25] Y. Zhang, C. Xu, H. Li, and X. Liang, "Cryptographic public verification of data integrity for cloud storage systems," IEEE Cloud Comput., vol. 3, no. 5, pp. 44–52, Sep. 2016.
[26] Y. Zhang, C. Xu, X. Lin, and X. S. Shen, "Blockchain-based public integrity verification for cloud storage against procrastinating auditors," IEEE Trans. Cloud Comput., early access, Mar. 29, 2019, doi: 10.1109/TCC.2019.2908400.
[27] J. Xue, C. Xu, J. Zhao, and J. Ma, "Identity-based public auditing for cloud storage systems against malicious auditors via blockchain," Sci. China Inf. Sci., vol. 62, no. 3, Mar. 2019.
[28] H. Yu, Z. Yang, and R. O. Sinnott, "Decentralized big data auditing for smart city environments leveraging blockchain technology," IEEE Access, vol. 7, pp. 6288–6296, 2019.
[29] Y. Wu, X. Lin, X. Lu, J. Su, and P. Chen, "A secure light-weight public auditing scheme in cloud computing with potentially malicious third party auditor," IEICE Trans. Inf. Syst., vol. E99.D, no. 10, pp. 2638–2642, 2016.
[30] K. Qian and H. Huang, "A new identity-based public auditing against malicious auditor in the cloud," Int. J. Embedded Syst., vol. 11, no. 4, pp. 452–460, 2019.
[31] X. Zhang, J. Zhao, C. Xu, H. Li, H. Wang, and Y. Zhang, "CIPPPA: Conditional identity privacy-preserving public auditing for cloud-based WBANs against malicious auditors," IEEE Trans. Cloud Comput., early access, Jul. 10, 2019, doi: 10.1109/TCC.2019.2927219.
[32] S. Nakamoto. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System. [Online]. Available: https://bitcoin.org/bitcoin.pdf
[33] M. A. Khan and K. Salah, "IoT security: Review, blockchain solutions, and open challenges," Future Gener. Comput. Syst., vol. 82, pp. 395–411, May 2018.
[34] G. Wood, "Ethereum: A secure decentralised generalised transaction ledger," Ethereum Project Yellow Paper, vol. 151, pp. 1–32, Apr. 2014.
[35] X. Li, P. Jiang, T. Chen, X. Luo, and Q. Wen, "A survey on the security of blockchain systems," Future Gener. Comput. Syst., vol. 107, pp. 841–853, Jun. 2020.
[36] Y. Yuan and F.-Y. Wang, "Blockchain and cryptocurrencies: Model, techniques, and applications," IEEE Trans. Syst., Man, Cybern. Syst., vol. 48, no. 9, pp. 1421–1428, Sep. 2018.
[37] T. M. Fernández-Caramés and P. Fraga-Lamas, "A review on the use of blockchain for the Internet of Things," IEEE Access, vol. 6, pp. 32979–33001, 2018.
[38] K. Salah, M. H. U. Rehman, N. Nizamuddin, and A. Al-Fuqaha, "Blockchain for AI: Review and open research challenges," IEEE Access, vol. 7, pp. 10127–10149, 2019.
[39] K. Fan, S. Wang, Y. Ren, H. Li, and Y. Yang, "MedBlock: Efficient and secure medical data sharing via blockchain," J. Med. Syst., vol. 42, no. 8, p. 136, Aug. 2018.
[40] N. Z. Aitzhan and D. Svetinovic, "Security and privacy in decentralized energy trading through multi-signatures, blockchain and anonymous messaging streams," IEEE Trans. Dependable Secure Comput., vol. 15, no. 5, pp. 840–852, Sep. 2018.
[41] K. Leng, Y. Bi, L. Jing, H.-C. Fu, and I. Van Nieuwenhuyse, "Research on agricultural supply chain system with double chain architecture based on blockchain technology," Future Gener. Comput. Syst., vol. 86, pp. 641–649, Sep. 2018.
[42] D. He, S. Zeadally, and L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," IEEE Syst. J., vol. 12, no. 1, pp. 64–73, Mar. 2018.
[43] M. Ali, S. U. R. Malik, and S. U. Khan, "DaSCE: Data security for cloud environment with semi-trusted third party," IEEE Trans. Cloud Comput., vol. 5, no. 4, pp. 642–655, Oct. 2017.
[44] H. Xu, J. Cao, J. Zhang, L. Gong, and Z. Gu, "A survey: Cloud data security based on blockchain technology," in Proc. IEEE 4th Int. Conf. Data Sci. Cyberspace (DSC), Jun. 2019, pp. 618–624.

[45] N. Ravi and N. R. Sunitha, "Introduction of blockchain to mitigate the trusted third party auditing for cloud security: An overview," in Proc. 2nd Int. Conf. Emerg. Comput. Inf. Technol. (ICECIT), Dec. 2017, pp. 1–6.
[46] Y. Zhang, C. Xu, N. Cheng, H. Li, H. Yang, and X. Shen, "Chronos+: An accurate blockchain-based time-stamping scheme for cloud storage," IEEE Trans. Services Comput., vol. 13, no. 2, pp. 216–229, Mar./Apr. 2020.
[47] S. S. Al-Riyami and K. G. Paterson, "Certificateless public key cryptography," in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur. Berlin, Germany: Springer, 2003, pp. 452–473.
[48] H. Shacham and B. Waters, "Compact proofs of retrievability," in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur. Berlin, Germany: Springer, 2008, pp. 90–107.
[49] C. Pierrot and B. Wesolowski, "Malleability of the blockchain's entropy," Cryptography Commun., vol. 10, no. 1, pp. 211–233, Jan. 2018.
[50] X. Xu, I. Weber, M. Staples, L. Zhu, J. Bosch, L. Bass, C. Pautasso, and P. Rimba, "A taxonomy of blockchain-based systems for architecture design," in Proc. IEEE Int. Conf. Softw. Archit. (ICSA), Apr. 2017, pp. 243–252.

YING MIAO received the B.S. degree from South China Agricultural University, in 2018, where she is currently pursuing the M.S. degree with the College of Mathematics and Informatics. Her research interests include data security and blockchain.

QIONG HUANG received the Ph.D. degree from the City University of Hong Kong, in 2010. He is currently a Professor with the College of Mathematics and Informatics, South China Agricultural University, Guangzhou, China. He has published more than 110 research papers in international conferences and journals. His research interests include cryptography and information security, in particular, cryptographic protocol design and analysis. He has served as a Programme Committee Member in many international conferences.

MEIYAN XIAO received the B.S. and M.S. degrees from South China Agricultural University, where she is currently pursuing the Ph.D. degree with the College of Mathematics and Informatics. Her research interests include data security and blockchain.

HONGBO LI received the B.S. and M.S. degrees from South China Agricultural University, Guangzhou, China, where he is currently pursuing the Ph.D. degree with the College of Mathematics and Informatics. His research interests include applied cryptography and cloud security.
