An efficient secure Internet of things data storage

Research Article

An efficient secure Internet of things data storage auditing protocol with adjustable parameter in cloud computing

International Journal of Distributed Sensor Networks 2017, Vol. 13(1) Ó The Author(s) 2017 DOI: 10.1177/1550147716686579 journals.sagepub.com/home/ijdsn

Meng Liu1,2, Xuan Wang1, Chi Yang3, Zoe Lin Jiang1 and Ye Li1

Abstract Nowadays, an increasing number of cloud users including both individuals and enterprises store their Internet of things data in cloud for benefits like cost saving. However, the cloud storage service is often regarded to be untrusted due to their loss of direct control over the data. Hence, it is necessary to verify the integrity of their data on cloud storage servers via a third party. In real cloud systems, it is very important to improve the performance of the auditing protocol. Hence, the well-designed and cost-effective auditing protocol is expected to meet with the performance requirement while the data size is very large in real cloud systems. In this article, we also propose an auditing protocol based on pairing-based cryptography, which can reduce the computation cost compared to the state-of-the-art third-party auditing protocol. Moreover, we also study how to determine the number of sectors to achieve the optimal performance of our auditing protocol in a case of the same challenged data. And an equation for computing the optimal number of sectors is proposed to further improve the performance of our auditing protocol. Both the mathematical analysis method and experiment results show that our solution is more efficient. Keywords Internet of things data, cloud storage, integrity auditing, third-party auditing, pairing-based cryptography

Date received: 18 September 2016; accepted: 1 December 2016 Academic Editor: Xuyun Zhang

Introduction Internet of things (IoT) has deep impact on our daily lives.1 IoT applications can generate a great deal of data, such as heart rate and blood pressure data, water quality, and industrial big data.2 Nowadays, an increasing number of cloud users including both individuals and enterprises store their IoT data in cloud for benefits like cost saving and ease of data sharing. However, the cloud storage service is often regarded to be untrusted due to their loss of direct control over the data. Because the untrusted cloud storage providers instead delegate managements of the user data, the data on the cloud can be lost due to some possible causes. The disks of the storage servers could be damaged and the

maintainer might not successfully restore the lost data. But the cloud storage provider could not inform this error to the affected users. Moreover, cloud storage providers could be dishonest. To recycle the cloud 1

Computer Application Research Center, Harbin Institute of Technology Shenzhen Graduate School, Shenzhen, China 2 School of Mechanical, Electrical and Information Engineering, Shandong University, Weihai, China 3 Commonwealth Scientific and Industrial Research Organisation (CSIRO), Canberra, ACT, Australia Corresponding author: Xuan Wang, Computer Application Research Center, Harbin Institute of Technology Shenzhen Graduate School, Shenzhen 518055, China. Email: [email protected]

Creative Commons CC-BY: This article is distributed under the terms of the Creative Commons Attribution 3.0 License (http://www.creativecommons.org/licenses/by/3.0/) which permits any use, reproduction and distribution of the work without further permission provided the original work is attributed as specified on the SAGE and Open Access pages (http://www.uk.sagepub.com/aboutus/ openaccess.htm).

2

International Journal of Distributed Sensor Networks

storage space, they could discard the user data that have not been accessed or rarely accessed by the users. Thus, the users must be able to verify periodically the integrity of the data storing in the untrusted cloud storage. It should be noted that we assume that the verifier cannot use the local copy data when the verifier executes the provable data possession (PDP) protocol. An intuitive way is that the client stores a file to the server and computes a hash value of the file as a metadata stored in the client using a cryptographic hash function, such as MD5 and SHA. Then, the server sends the entire file to the client and the client recalculates a new hash value of the received file and compares the two hash values to verify whether the file is stored correctly in cloud storage. But this way has some critical issues. In real cloud storage system, both the number of files and the data size are very large, it requires a very large amount of bandwidth and time to send these files from the servers to the clients across the network. Hence, traditional integrity checking techniques such as cryptographic hash function cannot meet with the real requirement. That is the first issue. Accordingly, some solutions have used some techniques to solve the first issue, such as RSA-based hash functions3,4 and homomorphic hash functions.5,6 The communication cost can be O(1). But these solutions still have the second issue that the server needs access to the entire file and it costs expensive disk I/O and a large amount of computation. Accordingly, sampling technique, called spot checking, was used to reduce the expensive disk I/O and computation costs while still achieving a high probabilistic possession guarantee.7 These solutions using sampling technique only need constant amount of data to execute the PDP protocol, independently of the total size of a file. To solve the data privacy problem (i.e. the auditor cannot recover the data blocks from the server data proof), these auditing protocols are constructed based on the cryptographic algorithms, such as pairing-based cryptography8 and homomorphic encryption,9 to verify the server’s proof while the auditor cannot decrypt and recover the data blocks. To reduce the number of data tags and improve the performance, these auditing protocols also use the data fragment technique to split each data block into sectors, such as Yang and Jia’s8 solution. But the data fragment technique can increase the computation number of the bilinear pairing of Yang’s auditing protocol, so the computation cost of the algorithm can also increase with the computation number of the bilinear pairing. Our contributions can be summarized as follows: 1.

We propose an improved secure data storage auditing protocol based on Yang’s solution.

2.

Our solution is more efficient than Yang’s using the pre-do the bilinear pairing operation in the user client. We further improve the performance of our auditing protocol with adjustable parameter of the number of sectors in a case of the same challenged data. The optimal number of sectors can be directly determined by an equation according to the amount of challenged data.

Related work IoT data can be very important and the vast quantities of data can be keen to be outsourced to cloud. Botta et al.10 and Dı´ az et al.11 have discussed the integration of IoT and cloud computing. In order to guarantee data integrity, integrity verification is always a very important problem on outsourced IoT data.2 There were many solutions on integrity verification. In some previous solutions, the data owners are responsible for verifying the data integrity of cloud storage. In order to guarantee the justice of data possession, third-party auditing was introduced.12,13 It should meet three requirements (confidentiality, dynamic auditing, and batch auditing).13–15 Recently, several new third-party auditing protocols were proposed to allow the auditor to verify the data integrity on the cloud storage server.8,9,16,17 Wang et al.9 use homomorphic encryption to solve the data privacy problem. Yang and Jia8 proposed a new scheme based on pairing-based cryptography to solve the data privacy problem. Both of these two auditing protocols are constructed based on the cryptographic algorithms to verify the server’s proof while the third-party auditor cannot decrypt and recover the data blocks. And Yang and Jia8 also utilize the data fragment technique to split each data block into sectors to reduce the number of data tags and improve the performance. Yang et al.18 developed a novel error detection approach based on the scale-free network topology and most of detection operations to support fast detection and locating of errors in big sensor data on cloud. As dynamic data on cloud supporting these operations of insert/delete/modification is a very useful feature, integrity verification should be support dynamic data that allows the data owners update their data on cloud. Liu et al.19 proposed an auditing scheme with the support both of public auditing and fine-grained updates over variable-sized file blocks instead of a fixed size blocks. Zhang et al.20 proposed a novel approach based on an upper bound constraint to identify the intermediate data sets which need not be encrypted on cloud and reduce the privacy-preserving cost.

Liu et al.

3

Preliminaries In this section, we describe the system model and security model for a secure data storage auditing system. More information about the secure data storage auditing can be found in Yang and Jia,8 Sookhak and colleagues,21,22 and Shin and Kwon.23

4.

5.

auditor sends the challenge data set to the cloud server. Prove is a proof algorithm that can be used to generate a data proof to the auditor by the cloud server. Verify is a verification algorithm that can be used to check the integrity of data file by verifying the correctness of data proof.

System model As shown in Figure 1, a secure IoT data Storage auditing system model includes three entities: 1. 2. 3.

Owner who moves their files to the cloud server; Cloud Server who stores the owner’s data and provides the data access to users; Auditor who is a third party and responsible for checking the integrity of data stored in the cloud server on behalf of the owner.

A storage auditing protocol consists of five algorithms (KeyGen, TagGen, Chall, Prove, and Verify): 1.

2.

3.

KeyGen is a key generation algorithm that can be used to generate a public key and a secret key by the owner. TagGen is a tag generation algorithm that can be used to compute a data tag for each data block of an owner’s data file by the owner. And the owner moves the data blocks and the corresponding data tags to the cloud server. Chall is a challenge algorithm that can be used to randomly choose some data blocks as the challenge data set by the auditor. And the

Security model We assume that the auditor is semi-trusted such that they will perform honestly during the whole auditing procedure, but will not be trusted for data confidentiality. And the cloud server may be fully dishonest in terms of the data confidentiality and integrity. Thus, the secure data storage auditing system can face two main threats: data privacy threat from both of the cloud server and the auditor and data integrity threats from the cloud server.24 The cloud server and the auditor could be curious to the owner’s data file. The auditing protocol should protect the data privacy against the cloud server and the auditor. And the cloud server may carry out the following attacks:8 1.

2.

3.

Replace attack. The cloud server may choose another valid pair of data block and data tag to replace the challenged pair of data block and data tag that have been discarded. Forge attack. The cloud server may forge the data tag of data block and deceive the auditor, if the owner’s secret tag keys are reused for the different versions of data. Replay attack. The cloud server may generate the proof from the previous proof or other information, without retrieving the actual owner’s data.

Our efficient secure data auditing protocol Table 1 lists some notations used by algorithms for our secure data storage auditing protocol. Let G1 , G2 , and GT be the multiplicative groups with the same prime order p and e : G1 3 G2 ! GT be the bilinear map. Let g1 be a generator of G1 and g2 be a generator of G2 . Let h: f0, 1g ! G1 is a keyed secure hash function that maps Minfo to an element in G1 .

Algorithms for our secure data auditing protocol

Figure 1. System model of the secure data storage auditing system.

Generally, the pairing computation is the most expensive part of pairing-based cryptography. Yang’s secure data storage auditing protocol can protect the data privacy against the auditor using the pairing-based

4

International Journal of Distributed Sensor Networks

Table 1. Notations for our secure data storage auditing protocol. Symbol

Physical meaning

l skt pkt skh n M

Security parameter Secret tag key Public tag key Secret hash key Number of blocks in each component Data component divided into n data blocks, M = fm1 , m2 , . . . , mn g Number of sectors in each data block The jth sector of data block mi , where 1  i  n and 1  j  s Set of data tags, T = ft1 , t2 , . . . , tn g Wi = FID k i, the ‘‘k’’denotes the concatenation operation and FID is the identifier of the data and i represents the block number of mi , where 1  i  n Abstract information of M Challenge generated by the auditor Proof generated by the server

s mij T Wi Minfo C P

Chall (Minfo , E) ! C: Input: Minfo Output: C 1. It chooses randomly some data block numbers to construct a Challenge Set Q. 2. It chooses a random number vi 2 Zp for each data block mi , where i 2 Q. 0 3. It selects a random number r 2 Zp and computes an Ej = Erj for each Ej , where 1  j  s. 0 4. It constructs C = (fi, vi gi2Q , fEj gj2½1, s ).

Prove (M, T, C) ! P: Input: M, T, C Output: P 1. It computes the tag proof TP as

TP =

Q i2Q

cryptography method. Then, the pairing computation is also a very expensive part of their solution. In this article, we propose an improved secure data storage auditing based on Yang’s one to reduce the total computation cost of one auditing. We let the user pre-do the pairing operation so as to avoid it at the cloud side during the process of auditing. Yang’s secure data auditing protocol includes five algorithms: KeyGen, TagGen, Chall, Prove, and Verify. Our data auditing Protocol also have five algorithms. They are defined as follows and our definitions of TagGen, Chall, and Prove are different with Yang’s.

KeyGen (l) ! (pkt , skt , skh ): Input: l Output: pkt , skt , skh 1. It chooses two random numbers skt , skh 2 Zp . 2. It computes pkt = g2skt , where pkt 2 G2 .

where TP 2 G1 . 2. It computes MPj as

MPj =

P

tvi i

vi  mij

i2Q

where 1  j  s. 3. It computes the data proof DP as

DP =

s Q j=1

0

(Ej )MPj

where DP 2 GT . 4. It constructs P = (TP, DP).

Verify (C, P, skh , pkt , Minfo ) ! 0=1: Input: C, P, skh , pkt , Minfo Output: 0=1 Q h(skh , Wi )rvi . 1. It computes the challenge hash Hchal = i2Q

2. It checks the following equation

DP  e(Hchal , pkt ) = e(TP, g2r ) TagGen (M, skt , skh ) ! (T, E): Input: M = fm1 , m2 , . . . , mn g, skt , skh Output: T = ft1 , t2 , . . . , tn g, E 1. It chooses s random numbers x1 , x2 , . . . , xs 2 Zp . x 2. It computes uj = g1j , where 1  j  s and uj 2 G1 . 3. It computes eg1 , g2 = e(g1 , g2 ) and then computes x sk Ej = egj1 , gt2 , where 1  j  s, Ej 2 GT . !skt s Q mij 4. It computes a ti = h(skh , Wi )  uj for each data j=1

block mi , where ti 2 G1 .

If the equation holds it outputs 1. Otherwise, it outputs 0.

Correctness analysis The correctness and verification equation of our improved auditing protocol can be written in detail as follows

Liu et al.

5

DP  e(Hchal , pkt ) s Q 0 MPj = (Ej )  e(Hchal , pkt ) =

j=1 s Q

=

j=1 s Q

=

j=1 s Q

The cloud server side of our improved auditing protocol is the same as Yang’s. Because Yang’s auditing protocol can resist the three attacks, our improved auditing protocol can also resist them.

(Ejr )MPj  e(Hchal , pkt )

Theorem 2. In our improved auditing protocol, neither the server nor the auditor can obtain any information about the data and the secret tag key during the auditing procedure.

e(g1 , g2 )xj skt rMPj  e(Hchal , pkt ) e(g1 xj , g2 skt )

=

j=1 s Q

=

j=1 s Q

=

j = 1 i2Q s Q Q

=

j = 1 i2Q s Q Q

rMPj

 e(Hchal , pkt )

e(uj , pkt )rMPj  e(Hchal , pkt ) j=1 P r vi mij s Q Q e(uj , pkt ) i2Q  e( h(skh , Wi )rvi , pkt ) = i2Q

Q

r vi mij

e(uj , pkt )

Q

e(uj , pkt

rvi

mij

rvi

=

Q

e(uj , pkt

s Q

e(

j=1 s Q

)  e(

Q

=

i2Q Q

=

i2Q Q

Q

h(skh , Wi ), pkt rvi )

ð1Þ

)  e(

Q

h(skh , Wi ), pkt rvi )

i2Q

uj mij , pkt rvi )e(h(skh , Wi ), pkt rvi ) uj mij  h(skh , Wi ), g2 rvi skt )

j=1

i2Q

=

h(skh , Wi ), pkt rvi )

i2Q

e(

i2Q

Q i2Q

mij

i2Q j = 1

=

 e(

e((h(skh , Wi ) 

s Q

uj mij )skt , g2 rvi )

j=1

e(ti , g2 rvi ) e(ti vi , g2 r )

i2QQ

= e(

ti vi , g2 r )

Proof. Obviously, the cloud server side of our improved auditing protocol is the same as Yang’s. Because Yang’s auditing protocol can be confidential against the server during the auditing procedure, our improved auditing protocol can also guarantee the data privacy. On the auditor side, it can get the public key pkt , but it cannot conclude the secret key skt . It can also get the pairing value e(uj , pkt ), but it cannot conclude the random number xj . It is a discrete logarithm problem to get xj from the e(uj , pkt ) = e(g1 , pkt )xj and e(g1 , pkt ). It can also get the product of all the challenged data tags from the tag proof TP. Because the tag ti is computed using the secret key skt , it cannot conclude any information about the input data blocks. It can get the data proof DP. It is a discrete logarithm problem to get the linear combinations of the chosen data sectors MPj j2½1, s from the data proof DP. Hence, the auditor cannot get any information about the data blocks, random number xj , and the secret key in our improved auditing protocol.

i2Q

= e(TP, g2 r )

From equation (1), the cloud server can pass the auditing, if the data blocks and the data tags are stored correctly. However, if any of the challenged data block or data tag is corrupted or modified, the verification equation will not hold and the cloud server cannot pass the auditing.

Security analysis We first prove that our improved auditing protocol is provably secure under the security model. Then, we prove that it can guarantee the data privacy. Theorem 1. Our improved auditing protocol can resist the Replace Attack, Forge Attack, and Replay Attack. Proof. Obviously, on the cloud server side 0

Ej = Ejr = e(g1 , g2 )xj skt r = e(g1 xj , g2 skt r ) = e(uj , pkt r ) = e(uj , R)

Performance improvement with adjustable parameter Suppose that the corrupted probability of each sector of each block on the cloud storage is r. For a confirmation auditing or sampling auditing, the verifier selects b challenged blocks, where each block is split into s sectors. Then, any data corruption can be detected by the verifier with a probability of Pr(b, s), which can be expressed as Pr(b, s) = 1  (1  r)bs

ð2Þ

Interestingly, we can see that the verifier can choose a constant amount of sectors and can detect any data corruption with the same probability of Pr(b, s) regardless of the total number of data blocks. Therefore, block sampling can reduce the expensive disk I/O and computation costs while still achieving a high probabilistic possession guarantee. By calculating, if r = 0:01, the verifier needs only to choose b  s = 460 sectors in order to achieve Pr(b, s) of at least 99%. We first give some notations to represent the computation cost of basic computational operation in the

6

International Journal of Distributed Sensor Networks

Table 2 The computation cost of basic computational operations.

Table 4 The computation cost of some sub-operations in our solution.

Symbol

Computational operation

Server

Auditor

tpg tpgt tmz tmg tmgt te ta th

Exponentiation of an element of G1 or G2 Exponentiation of an element of GT Multiplication of two numbers of Zp Multiplication of two elements of G1 or G2 Multiplication of two elements of GT Pairing of two elements of G1 and G2 Addition of two numbers of Zp Keyed secure hash function h

tTP = b  tpg + (b  1)  tmg tMP = s  (b  tmz + (b  1)  ta )

tchal = tpg + s  tpgt tHchal = b  th + b  tpg + b  tmz + (b  1)  tmg tverify = 2te + tmgt

tDP = s  tpgt + (s  1)  tmgt

Table 5 The computation cost results of some basic computational operations.

Table 3 The computation cost of some sub-operations in Yang’s solution. Server

Auditor

tTP = b  tpg + (b  1)  tmg tMP = s  (b  tmz + (b  1)  ta )

tchal = tpg tHchal = b  th + b  tpg + b  tmz + (b  1)  tmg tverify = 2te + tmgt

tDP = s  te + s  tpgt + (s  1)  tmgt

algorithms of Yang’s secure data storage auditing protocol in Table 2. According to the definitions of three algorithms of Chall, Prove, and Verify, we can formalize the expression of computation cost using some basic computational operations. So, the total computation cost can expressed as Tall = (b  tpg + (b  1)  tmg + (s  (b  tmz + (b  1)  ta )) + (s  te + s  tpgt + (s  1)  tmgt ) + (tpg ) + (b  th + b  tpg + b  tmz + (b  1)  tmg ) + (2  te + tmgt )

ð3Þ

Obviously, we should evaluate the performance of Yang’s secure data storage auditing protocol with the total computation cost of one auditing (Table 3). According to the definitions of our three algorithms of Chall, Prove, and Verify, we also formalize the expression of computation cost in Table 4. The total computation cost of one auditing of our solution can expressed as Tall = (b  tpg + (b  1)  tmg ) + (s  (b  tmz + (b  1)  ta )) + (s  tpgt + (s  1)  tmgt ) + (tpg + s  tpgt ) + (b  th + b  tpg + b  tmz + (b  1)  tmg ) + (2  te + tmgt )

ð4Þ

Symbol

Experiment value (ms)

tpg tpgt tmz tmg tmgt te ta th

2.824 10.826 0.00094 0.01419 0.054 32.979 0.00016 0.2605

According to equations (3) and (4), the difference of the total computation cost between our and Yang’s solution can be expressed as DT = s  tpgt  s  te

ð5Þ

Generally, the computation cost of a bilinear pairing of two elements of G1 and G2 is more expensive than a exponentiation of an element of GT . According to equation (5), our solution is more efficient than Yang’s with the same parameter. Moreover, for a confirmation auditing or sampling auditing, in the case of the same total number of sectors (i.e. the same probability of Pr(b, s) and the same disk workload), the computation cost should be influenced by the values of b and s according to equation (4). Hence, we further improve the performance of our solution by choosing the optimal number of sectors s in a case of the same challenged data (b  s sectors). We test the computation cost of basic computational operations listed in Table 2 on a Windows System with an AMD Phenom II X4 810 Processor at 2.60 GHz and 8 GB RAM in the C language based on GNU Multiple Precision Arithmetic Library (GMP) version 4.1 and pairing-based cryptography library version 0.4.7. The elliptic curve group used by us is an MNT d159 curve, which has a 160-bit group order, and the embedding degree of which is 6. The results are shown in Table 5.

Liu et al.

7 Table 6 The optimal number of sectors s with the total challenged data by evaluation. Challenged data

Challenged sectors

s1

s2

100 200 300 400 500

5120 10,240 15,360 20,480 25,600

26 37 46 53 59

37 53 65 75 84

Figure 3. The optimal number of sectors s versus the total challenged data (Kbytes).

Figure 2. The computation cost versus the number of sectors with a constant challenged data by evaluation: (a) Yang’s solution and (b) our solution.

In this section, our goal is to choose a number of sectors for each data block in order to achieve the optimal performance of the auditing protocol in a case of the same challenged data in bytes. We define the total challenged sectors as z = b  s. Thus, we obtain the following optimization problem min Tall (z, s)

The partial derivative of Tall (z, s) at s is ∂Tall∂s(z, s). The following equation (6) indicates the relationship between the optimal number of sectors s and the total challenged sectors z to minimize the total computation cost Tall (z, s) ∂Tall (z, s) =0 ∂s

ð6Þ

So we can get the following two equations to calculate the optimal number of sectors s1 and s2 for Yang’s and our solutions

pffiffi s1 = 0:3679 z

ð7Þ

pffiffi s2 = 0:523 z

ð8Þ

and

Figure 2 shows the relationship between the computation cost and the number of sectors s by evaluation when the total challenged data in Kbytes is 100, 200, 300, 400, and 500. Figure 2 also shows our solution is more efficient than Yang’s when the total challenged data in Kbytes is 100, 200, 300, 400, and 500. Table 6 shows the optimal number of sectors s when the total challenged data in Kbytes is 100, 200, 300, 400, and 500 by evaluation. According to equations (7) and (8), respectively, Figure 3 shows the optimal number of sectors s versus the total challenged data for Yang’s and our solution by evaluation. Moreover, according to equations (3) and (4), Figure 4 shows the optimal total computation cost versus the total challenged data for Yang’s and our solution by evaluation based on the optimal number of sectors in Figure 3. We also show the optimal number of sectors in Figure 4. In the two figures, the total challenged data goes to 1000 Kbytes (i.e. the total number

8

International Journal of Distributed Sensor Networks of challenged sectors is 51,200). From Figures 3 and 4, we can see that our solution can achieve the better performance than Yang’s while the optimal number of sectors of our solution is greater than the one of Yang’s solution.

Experiment results and analysis

Figure 4. The optimal total computation cost versus the total challenged data (Kbytes).

According to the computation cost of some basic computational operations, we can evaluate the total computation cost of Yang’s and our solutions using equations (3) and (4). Figure 5(a) and (b) shows the total computation cost evaluated using equations (3) and (4). We also implement Yang’s and our secure data storage auditing protocol on a Windows System with an AMD Phenom II X4 810 Processor at 2.60 GHz and 8 GB RAM in the C language based on GNU Multiple Precision Arithmetic Library (GMP) version 4.1 and

Figure 5. The total computation cost of Yang’s and our solutions: (a) Yang’s solution by evaluation, (b) our solution by evaluation, (c) Yang’s solution by experiment, and (d) our solution by experiment.

Liu et al.

9

Figure 6. The total computation cost ratio between Yang’s and our solution: (a) by evaluation and (b) by experiment.

pairing-based cryptography library version 0.4.7. The corresponding experiment results are shown for Yang’s and our solutions in Figure 5(c) and (d). In Figure 5, as the number of the challenged data increases, the total computation cost of the two solution increases linearly. But we cannot see clearly the difference between Yang’ s and our solutions. So some other figures are shown as follows to illustrate the difference. Figure 6 shows the total computation cost ratio between Yang’s and our solutions. In Figure 6, we can know the total computation cost ratio in a case of the same number of challenged data blocks and the same number of sectors. And in a case of the same number of sectors, as the number of challenged data blocks increases, the total computation cost ratio decreases and goes stable (the ratio is about 1). We can see the more obvious trend in Figure 7(a) and (c), which are the projection of Figure 6(a) and (b) in the plane of the number of challenged data blocks and the total computation cost. In Figure 7(a) and (c), in a case of the same number of sectors, as the number of challenged data blocks increases, the total computation cost ratio decreases. Moreover, when the number of challenged data blocks is large, the total computation cost ratio is constant (the ratio is about 1). We can also see the more obvious trend in Figure 7(b) and (d), which are the projection of Figure 6(a) and (b) in the plane of the number of sectors and the total computation cost. In Figure 7(b) and (d), in a case of the same number of challenged data blocks, as the number of sectors increases, the total computation cost ratio increases. The total computation cost ratio by experiment in Figure 7 looks a little different with the one by evaluation because there are some other computation costs. But overall our experiment results are consistent with the results by evaluation. In summary, when the number of challenged data blocks is small, our solution is more efficient than

Yang’s in some cases of the same number of challenged data blocks. And as the number of challenged data blocks increases, our solution has the same performance as Yang’s (the performance ratio is about 1). As mentioned above, the number of challenged data (z = b  s) should be determined by the corrupted probability r of each sector of each block on the server and the probability Pr(b, s) of server misbehavior detection. By spot checking, the verifier needs only to choose z = b  s = 460 sectors in order to achieve Pr(b, s) of at least 99%(99% confidence) if r = 0:01. Hence, the size of challenged data is about 10 Kbytes. While the size of challenged data goes to 500 Kbytes, the verifier can still detect server misbehavior at 99% confidence if r = 0:00018 according to equation (2). Hence, the number of challenged data sampled by the verifier will be small in which our solution is more efficient than Yang’s. In Figure 8, we compare the optimal total computation cost versus the total challenged data in bytes for Yang’s and our solution by evaluation and by experiment. We also show the optimal number of sectors in Figure 8. In our experiment, the maximize number of sectors is 64. Therefore, the optimal total computation cost by experiment in Figure 8 looks a little different with the one by evaluation. But overall our experiment results are consistent with the results by evaluation. Figure 8 also shows that our solution is more efficient than Yang’s. To further illustrate the effectiveness of our solution, we also compare the computation cost versus the size of challenged data in Figure 9 by experiment. In summary, our solution is more efficient than Yang’s. Equation (8) can be used to evaluate and determine the optimal number of sectors for each data block in order to achieve the optimal performance per executing our auditing protocol in a case of the same amount of challenged data.

10

International Journal of Distributed Sensor Networks

Figure 7. Project figures of Figure 7: (a) the number of challenged data blocks and the total computation cost by evaluation, (b) the number of sectors and the total computation cost by evaluation, (c) the number of challenged data blocks and the total computation cost by experiment, and (d) the number of sectors and the total computation cost by experiment.

Figure 8. The optimal total computation cost versus the total challenged data (Kbytes) for Yang’s and our solution.

Figure 9. Comparison of computation cost of our solution(s is determined by equation (8)) and Yang’s solution (s=50).

Liu et al.

Conclusion In this article, we proposed an improved secure IoT data storage auditing protocol based on Yang’s solution. The performance of our solution was improved by pre-doing the bilinear pairing computation. And then we further improved the performance of our solution by selecting the optimal number of sectors to achieve the optimal performance of executing the auditing protocol. Experiment results show that the performance results are consistent with the results by the mathematical analysis method and our solution is more efficient than Yang’s. Declaration of conflicting interests The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported, in part, by National High Technology Research and Development Program of China (No. 2015AA016008), National Science and Technology Major Project (No. JC201104210032A), National Natural Science Foundation of China (No. 61402136), and Natural Science Foundation of Guangdong Province, China (No. 2014A030313697).

References 1. Kortuem G, Kawsar F, Sundramoorthy V, et al. Smart objects as building blocks for the internet of things. IEEE Internet Comput 2010; 14(1): 44–51. 2. Liu C, Yang C, Zhang X, et al. External integrity verification for outsourced big data in cloud and IoT: a big picture. Future Gener Comp Sy 2015; 49: 58–67. 3. Deswarte Y, Quisquater JJ and Saidane A. Remote integrity checking. In: Proceedings of the IFIP TC11/ WG11.5 6th working conference on integrity and internal control in information systems, Boston, MA, 13–14 November 2003, pp.1–11. Berlin: Springer. 4. Gazzoni Filho DL and Barreto PSLM. Demonstrating data possession and uncheatable data transfer. IACR Cryptol ePr Arch 2006; 2006: 150. 5. Sebe F, Martinez-Balleste A, Deswarte Y, et al. Timebounded remote file integrity checking. Technical report 04429, July, 2004. Toulouse: LAAS. 6. Yamamoto G, Oda S and Aoki K. Fast integrity for large data. In: Proceedings of the ECRYPT workshop on software performance enhancement for encryption and decryption, Amsterdam, 11–12 June 2007, pp.21–32. European Network of Excellence (ECRYPT). 7. Ateniese G, Burns R, Curtmola R, et al. Provable data possession at untrusted stores. In: Proceedings of the 14th ACM conference on computer and communications security, Alexandria, VA, 29 October–2 November 2007, pp.598–609. New York: ACM.

11 8. Yang K and Jia X. An efficient and secure dynamic auditing protocol for data storage in cloud computing. IEEE T Parall Distr 2013; 24(9): 1717–1726. 9. Wang Q, Wang C, Ren K, et al. Enabling public auditability and data dynamics for storage security in cloud computing. IEEE T Parall Distr 2011; 22(5): 847–859. 10. Botta A, De Donato W, Persico V, et al. Integration of cloud computing and internet of things: a survey. Future Gener Comp Sy 2016; 56: 684–700. 11. Daz M, Martı´ n C and Rubio B. State-of-the-art, challenges, and open issues in the integration of internet of things and cloud computing. J Netw Comput Appl 2016; 67: 99–117. 12. Zeng K. Publicly verifiable remote data integrity. In: Proceedings of 10th international conference on information and communications security, Birmingham, 20–22 October 2008, pp.419–434. Berlin, Heidelberg: Springer. 13. Wang C, Ren K, Lou W, et al. Toward publicly auditable secure cloud data storage services. IEEE Network 2010; 24(4): 19–24. 14. Ateniese G, Di Pietro R, Mancini LV, et al. Scalable and efficient provable data possession. In: Proceedings of the 4th international conference on security and privacy in communication networks, Istanbul, 22–25 September 2008, pp.9:1–9:10. New York: ACM. 15. Erway C, Ku¨pc xu¨ A, Papamanthou C, et al. Dynamic provable data possession. In: Proceedings of the 16th ACM conference on computer and communications security, Chicago, IL, 9–13 November 2009, pp.213–222. New York: ACM. 16. Wang C, Wang Q, Ren K, et al. Privacy-preserving public auditing for data storage security in cloud computing. In: Proceedings of the 29th conference on information communications (INFOCOM’10), San Diego, CA, 15–19 March 2010, pp.525–533. Piscataway, NJ: IEEE Press. 17. Zhu Y, Hu H, Ahn GJ, et al. Cooperative provable data possession for integrity verification in multicloud storage. IEEE T Parall Distr 2012; 23(12): 2231–2244. 18. Yang C, Liu C, Zhang X, et al. A time efficient approach for detecting errors in big sensor data on cloud. IEEE T Parall Distr 2015; 26(2): 329–339. 19. Liu C, Chen J, Yang LT, et al. Authorized public auditing of dynamic big data storage on cloud with efficient verifiable fine-grained updates. IEEE T Parall Distr 2014; 25(9): 2234–2244. 20. Zhang X, Liu C, Nepal S, et al. A privacy leakage upper bound constraint-based approach for cost-effective privacy preserving of intermediate data sets in cloud. IEEE T Parall Distr 2013; 24(6): 1192–1202. 21. Sookhak M, Talebian H, Ahmed E, et al. A review on remote data auditing in single cloud server: taxonomy and open issues. J Netw Comput Appl 2014; 43: 121–141. 22. Sookhak M, Gani A, Talebian H, et al. Remote data auditing in cloud computing environments: a survey, taxonomy, and open issues. ACM Comput Surv 2015; 47(4): 65:1–65:34. 23. Shin S and Kwon T. A survey of public provable data possession schemes with batch verification in cloud storage. J Internet Serv Inf Secur 2015; 5(3): 37–47. 24. Kim D, Kwon H, Hahn C, et al. Privacy-preserving public auditing for educational multimedia data in cloud computing. Multimed Tool Appl 2015; 75(21): 1–15.