Verifiable Auditing for Outsourced Database in Cloud Computing

IEEE TRANSACTIONS ON COMPUTERS, VOL. 64,

NO. 11,

NOVEMBER 2015

3293

Verifiable Auditing for Outsourced Database in Cloud Computing Jianfeng Wang, Xiaofeng Chen, Xinyi Huang, Ilsun You, Senior Member, IEEE, and Yang Xiang, Senior Member, IEEE Abstract—The notion of database outsourcing enables the data owner to delegate the database management to a cloud service provider (CSP) that provides various database services to different users. Recently, plenty of research work has been done on the primitive of outsourced database. However, it seems that no existing solutions can perfectly support the properties of both correctness and completeness for the query results, especially in the case when the dishonest CSP intentionally returns an empty set for the query request of the user. In this paper, we propose a new verifiable auditing scheme for outsourced database, which can simultaneously achieve the correctness and completeness of search results even if the dishonest CSP purposely returns an empty set. Furthermore, we can prove that our construction can achieve the desired security properties even in the encrypted outsourced database. Besides, the proposed scheme can be extended to support the dynamic database setting by incorporating the notion of verifiable database with updates. Index Terms—Integrity auditing, database encryption, outsourcing computation, cloud computing

Ç 1

INTRODUCTION

C

LOUD computing enables convenient and on-demand network access to a centralized pool of configurable computing resources. It has plenty of benefits for real-world applications such as on-demand self-service, ubiquitous network access, location independent resource pooling, rapid resource elasticity, usage-based pricing, outsourcing, etc. In the outsourcing computation paradigm, the resourceconstraint clients can outsource the expensive computing and storage into the cloud service provider (CSP) and enjoy unlimited computing and storage services in a pay-per-use manner [3], [11]. Hacig€ um€ us¸ et al. [19] first implicitly introduced the notion of database outsourcing. In the outsourced database (ODB) model, the data owner delegates the database management to the CSP, in order to reduce the heavy database maintenance cost. In addition, the data owner performs the database encryption operations and uploads the encrypted database with the corresponding indices to the CSP. The CSP is responsible for providing all necessary resources and services (e.g., software, hardware and network) to users. The users can issue various query requests to the CSP and receive the corresponding results from CSP.




J. Wang and X. Chen are with the State Key Laboratory of Integrated Service Networks (ISN), Xidian University, P.R. China. E-mail: [email protected], [email protected].
X. Huang is with the School of Mathematics and Computer Science, Fujian Normal University, Fujian 350000, P.R. China. E-mail: [email protected].
I. You is with Department of Information Security Engineering, Soon Chun Hyang University, 22 Soonchunhyangro, Asan-si, Chungnam-do, 336-745 Republic of Korea. E-mail: [email protected].
Y. Xiang is with the School of Information Technology, Deakin University, Burwood, Victoria, Australia. E-mail: [email protected]. Manuscript received 4 Nov. 2014; revised 17 Jan. 2015; accepted 19 Jan. 2015. Date of publication 5 Feb. 2015; date of current version 9 Oct. 2015. Recommended for acceptance by K. Li. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference the Digital Object Identifier below. Digital Object Identifier no. 10.1109/TC.2015.2401036

Despite the tremendous benefits, the ODB paradigm inevitably suffers from some new security challenges [7], [10]. First, the outsourced data contains some sensitive information that should not be exposed to the semi-trusted CSP. Thus, one security challenge is the secrecy of outsourced data: the CSP should not learn anything about what it is actually stored. We argue that the traditional encryption technique can only provide a partial solution to this problem since it is very difficult to perform effective operations over the encrypted data. Second, the dishonest CSP may return an incorrect and/or incomplete result of the query requests in order to save the computation/ bandwidth resources [9]. Thus, another security challenge is the verifiability of results. That is, the user can efficiently perform verifiable auditing for the result returned by the CSP. Particularly, in the case of database outsourcing, the verifiability consists of the following two security issues [29]: (i) Correctness: the result has not been tampered with; (ii) Completeness: the result should include all valid tuples that satisfy the computation conditions. Devanbu et al. [14] first studied the verifiability of outsourced database based on the Merkle hash tree (MHT) technique. Ma et al. [24] proposed an efficient authentication scheme by constructing a MHT on each individual tuple. In order to prove the verifiability of search result, the CSP only needs to return the corresponding verification object (VO) with signature of MHT. However, the construction does not ensure the completeness of search results. For example, assume that there are three tuples that satisfy the search request, while the CSP only returns two of them and the user cannot detect the misbehavior of CSP. Pang et al. [31] partly addressed the completeness issue based on the technique of signature aggregation and chaining. However, the solution does not work when the CSP claimed that there are no matched tuples in the outsourced database (i.e., the CSP returned an empty result). The reason is that the user cannot effectively verify the validity of the empty set. Later,

0018-9340 ß 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

3294

IEEE TRANSACTIONS ON COMPUTERS,

Xie et al. [39] presented a probabilistic verification method to achieve the completeness which requires the data owner to insert some faked tuples into the outsourced database beforehand. However, an implicit assumption in the construction is that the faked tuples must be known by all users. Trivially, a dishonest CSP can collude with any compromised user and then definitely know the faked tuples. Therefore, the CSP can deceive other honest users without being detected. Recently, Yuan and Yu [40] proposed a new verifiable aggregation query scheme for outsourced database, where each tuple is assigned to a polynomial-based authentication tag that ensures the verifiability of results for certain aggregation queries. However, their scheme still did not consider the case when the CSP returned an empty result. To the best of our knowledge, there is no effective auditing scheme of outsourced database that can fully support the properties of both correctness and completeness.

1.1 Our Contributions In this paper, we further study the verifiable auditing for database outsourcing. Our main contributions are three folds:








We propose a new verifiable auditing scheme for ODB, which can simultaneously achieve the correctness and completeness of search results even if the CSP intentionally returns an empty set. Besides, the proposed scheme supports common database operations such as selection and projection. We prove that the proposed scheme is secure in the semi-honest-but-curious server model. Compared with the existing database auditing schemes [14], [24], [31], [39], our solution is also effective even in the encrypted outsourced database which ensures the confidentiality of the sensitive data. The proposed scheme can be extended for the dynamic database by incorporating the idea of verifiable database with updates (VDB) [6].1 That is, the data owner can update the tuples of outsourced database at any time while the misbehavior of server to cheat the users will be detected with an overwhelming probability.

1.2 Related Works The primitive of database outsourcing has been well studied in the past decades [14], [20], [22], [24], [27], [29], [30], [31], [34], [39], [41]. The existing ODB schemes can be categorized into three types by different verification approaches: The first approach uses authenticated data structures (e.g., Merkle hash tree) to provide integrity of search results [5], [14], [15], [28], [30]. The main idea is that an index is generated based on the Merkle hash tree for the whole database and the integrity auditing of search result can be achieved 1. Note that the notion of ODB is somewhat different from VDB. First, the data owner and the user of the database are the identical entity in VDB. Second, the user (i.e., data owner) in VDB can only issue a query request for an index and then retrieve the corresponding database tuple. While in ODB, the user can issue various query requests and the CSP searches the whole database and returns all the tuples that satisfy the requests. In this sense, we can view VDB as a special case of ODB.

VOL. 64, NO. 11,

NOVEMBER 2015

by re-computing the signature on the root of the MHT. The disadvantage of MHT-based approach is that it requires plenty of communication and computation overhead. That is, in order to achieve the verifiability of each single data tuple, a verification object including many tuples needs to be sent to the user, which is a set of logðnÞ sibling nodes from a specific leaf to the root. On the other hand, none of the MHT-based schemes can ensure the completeness of searching results. The second approach is a probabilistic integrity verification method [33], [39]. The main idea is that the data owner inserts some faked tuples to the database beforehand (the solution is very similar to the idea of “ringers” [18]). There are two disadvantages for this solution: First, the faked tuples must be shared by all authorized users and thus the CSP could collude with a corrupted user. Second, this method requires the CSP to return all attributes of tuple and thus cannot support some common database operations such as projection. The last approach is based on the signature chaining technique [26], [27], [32], which can save communication and computation overhead for query verification. In [26], the authors introduced a valiant of aggregated signature, called immutable aggregated signature, which can not only save communication and verification overhead but also prevent the attacker from computing a new valid aggregated signature even if some aggregated signatures have possessed. Mykleun et al. [27] first pointed out the problem of completeness for searching results, but they did not provide a solution. Later, Pang et al. [31] and Pang et al. [32] proposed a solution to the completeness problem for static and dynamic outsourced database, respectively. In their scheme, all tuples are assumed to be ordered in terms of certain searchable attributes, and the data owner created a signature for each tuple that consists of the information of the two immediate adjacent tuples. To comply with access control rules on the database, two fictitious boundary entries are inserted into the searchable attribute domain. Nevertheless, it is intractable to handle the case when noncontinuous region is queried. Recently, Yuan and Yu [40] proposed a new verifiable aggregation query scheme for outsourced database. Each tuple is assigned a authentication tag based on polynomial, which can be used to check the integrity of query result for certain aggregation queries. However, we argue that none of the above schemes never consider the case when the CSP intentionally returned an empty result and thus cannot support the full completeness. Another concern about data integrity is the issue of storage integrity on outsourced data, which allows the data user to verify the integrity of his own data files stored on untrusted server without retrieving it. The seminal works include Provable Data Possession (PDP) [1] and Proof of Retrievability (POR) [23]. Later, plenty of researches on remote data integrity verification have been investigated in [17], [21], [35], [36], [37]. However, there are some differences between storage and query integrity over outsourced data. First, the user must beforehand know some knowledge about the database (e.g., the hash value of data blocks) in the setting of storage integrity. While in the scenario of query integrity, the user knows nothing about the outsourced database. Furthermore, the storage integrity only

WANG ET AL.: VERIFIABLE AUDITING FOR OUTSOURCED DATABASE IN CLOUD COMPUTING

3295

Fig. 1. A toy bloom filter construction. Fig. 2. An example of Merkle hash tree.

focused on the correctness of the query while the query integrity must ensure both the correctness and completeness of query.

1.3 Organization The rest of the paper is organized as follows. We present some preliminaries in Section 2. In Section 3, we present the system and threat model of our proposed scheme. The detailed description of our proposed scheme and its security analysis are presented in Section 4. The performance evaluation is given in Sections 5. Finally, the conclusion is given in Section 6.

2

PRELIMINARIES

In this section, we first present the basic definitions and properties of Bloom filter (BF ) and Merkle hash tree. We then review the encryption scheme of outsourced database proposed by Evdokimov and G€ unther in [16].

2.1 Bloom Filter The Bloom filter is a kind of space-efficient data structure proposed by Bloom [4] in 1970, which can be used to check whether an element belongs to a set. A bloom filter consists of a bit array of m bits and k independent hash functions $ defined as follows: hi : f0; 1g 7!½1; m; i 2 ½1; k. In the initial phase, all the positions of the array are set to 0. To add an element to the set, feed it to each of the k hash functions to get k array positions. Set the bits value at all these positions to 1. It is need to note that the operation does not work at the same position as long as its value is 1. Given any element x, the steps for checking whether it is in the set, feed it to each of the k hash functions to get k array positions. That is, if any of the bits at these positions are 0, the element x is definitely not in the set. On the contrary, if all of the bits are 1, we cannot determine whether the element x belongs to the set S. This is due to the existence of false positive, i.e., there is a possibility for some x2 = S, all bits at the corresponding positions of hi ðxÞ are 1. A toy instance of Bloom filter is shown in Fig. 1. It is easy to see that the element z does not belong to the set S. In the case of element w, though all the corresponding positions are 1, it does not belong to S. It is called as false positive. In [2], the authors analyze the relationship among the size of the Bloom filter m, the number of hash functions k, the number of elements n and the probability of false positive Pf . Specifically, for given m and n, Pf is equal to ð1  ekn=m Þk . Pf reaches the minimum value when k is ln2  ðm=nÞ. In this case, Pf is approximately ð0:6185Þm=n .

2.2 Merkle Hash Tree Merkle hash tree [25] is a specific binary tree, which is used to authenticate data with lower communication overhead. In the MHT, each internal node stores a hash value of the concatenation of its child nodes and each leaf node stores hash value hðdi Þ of the authenticated data value di , where hðÞ is a one-way collision-resistant hash function. More specifically, we depict it with a simple example. Given a data set D ¼ fd1 ; d2 ; d3 ; d4 g, as shown in Fig. 2, hðiÞ ¼ hðdi Þ; i 2 ½1; 4, h12 ¼ hðhðd1 Þkhðd2 ÞÞ, where k denotes string concatenation. The root of MHT is signed by traditional public key signature technique. The MHT can be used to authenticate any subset of D by using the verification object. A VO is a set of all sibling nodes on the path from the desire leaf node to the root. For example, in order to authenticate d1 , the VO contains h2 , h34 and the signature of h14 . The verifier computes 0 0 h14 ¼ hðhðhð1Þkhð2ÞÞkh34 Þ and checks whether h14 is equal to h14 . If so, d1 is valid; otherwise, it has been tampered with. 2.3 Database Encryption Scheme In this section, we briefly review Evdokimov’s database encryption scheme [16]. There are some cryptographic primitives used in their scheme: ðK; E; DÞ, K ¼ f0; 1gm , X ¼ f0; 1gm , E : K  X 7! Y is an IND-CPA secure symmetric encryption scheme, where key space and space of plaintexts are identical.
ðK0 ; E 0 ; D0 Þ, E 0 : K0  X 7! Y 0 is an IND-CPA secure symmetric encryption scheme. 0
P : K  X 7! K, X ¼ f0; 1gm is a pseudo-random permutation, here K ¼ X . The participants of Evdokimov’s scheme consist of the data owner and the server. The scheme includes the following algorithms:





Key generation. Data owner generates encryption key R K0 , kb ¼ ðk0 ; k1 ; k2 Þ in the following way: k0 R




0

R

0

k1 K , k2 K , where k0 is the key of encryption 0 scheme ðK ; E 0 ; D0 Þ and k1 ; k2 are the keys of pseudo-random permutation P (k1 ; k2 are chosen independently). Encryption. Data owner performs tuple by tuple encryption of database, separately encrypting each attribute value. Given ða1 : x1 ; . . . ; al : xl Þ as a

3296

IEEE TRANSACTIONS ON COMPUTERS,

VOL. 64, NO. 11,

NOVEMBER 2015

plaintext tuple. Without loss of generality, let xi be a plaintext value of attribute ai . The encryption algorithm encrypts it by performing the following steps: Step 1: Data owner encrypts xi into ciphertext ci ¼ E 0k0 ðxi Þ. Step 2: Data owner generates key ks ¼ Pk1 ðxi Þ and intermediate ciphertext s ¼ Pk2 ðxi Þ, then produces search tag t ¼ E ks ðsÞ. Step 3: When all attributes of tuple are encrypted, the tuple E ciphertext ðaE 1 : ðt1 ; c1 ÞÞ; . . . ; al : ðtl ; cl ÞÞ is uploaded to the server.


Decryption. The data owner decrypts all the attribute values of every tuple and obtains the corresponding plaintexts tuples. For example, the decryption of ciphertext ðti ; ci Þ can be performed in the following way: D0k0 ðci Þ ¼ xi .

Remark 1. We notice that the above scheme allows to perform searching on the ciphertext without decrypting. That is, to search tuple satisfying the plaintext value of attribute aE q is equal to xq , the data owner sends search E request ðq; kq ; aE i Þ ¼ ðPk2 ðxq Þ; Pk1 ðxq Þ; aq Þ to the server. E Upon receiving ðq; kq ; aq Þ, the server checks every value ðtq ; cq Þ of attribute aE q tuple by tuple for the following equality: Dkq ðtq Þ ¼ q and returns tuples that satisfying it. Recall the above scheme, it can be seen that ks ¼ kq holds for all tuples in result set. It means that Dkq ðtÞ ¼ Dkq ðEks ðsÞÞ ¼ Dkq ðEks ðPk2 ðxq ÞÞÞ ¼ q. It implies that all tuples satisfying the query condition are included in the result set. More importantly, the query condition does not contain any plaintext values. In other words, the server cannot learn any plaintext information while performing search. Nevertheless, it needs to point out that the above schemes do not consider the issue of integrity of search result.

3

Fig. 3. The outsourced database model.

(Note that the dispute is caused by the false positive of Bloom filter).

3.2 Threat Model In this work, we assume that the CSP is “semi-honest-butcurious” server. That means the CSP may not correctly follow our proposed protocol but return a fraction of search result and execute only a fraction of searching operations honestly [9], [38]. Users would try to access data either within or out of the scopes of their privileges. Moreover, the communication channels involving the CSP are assumed to be insecure. Hence, two types of attackers are considered: (i) An external attacker refers to an entity who wants to obtain sensitive information of outsourced data via public channels. This kind of attacker includes revoked users and unauthorized users who want to obtain more secret information out of their scopes; (ii) An internal attacker refers to CSP, who may cheat in search process for benefits. We aim to achieve the following two security goals in this paper:


PROBLEM FORMULATION

3.1 System Model The proposed verifiable auditing scheme of outsourced database consists of four entities: the data owner, the users, the cloud service provider, and the arbitrament center (AC). The architecture of verifiable auditing scheme is shown in the Fig. 3.









Data owner. The data owner refers to the entity who wants to outsource database to the CSP. Moreover, he generates an authentication structure using the Bloom filter and Merkle hash tree for verifying the integrity of outsourced database. User. The user is an entity that wants to access database services, who may have limited storage capacity and computing power. Moreover, the user may be corrupted by the dishonest server. For simplicity, we assume that the authentication between data owner and user is appropriately completed. CSP. The CSP is responsible for storing the encrypted data and provides various database services to users (e.g., searching). AC. The AC works as a trusted third party to deal with the dispute between the user and the CSP




4

Data confidentiality. We require that the encrypted tuple data of outsourced database is semantically secure. Namely, nothing can be leaked from the remotely stored data and index beyond the search result and the pattern of search queries. Verifiability of search result. We require that if the CSP returns incorrect and/or incomplete search result, the misbehavior of the CSP can be detected with an overwhelming probability. Also, we consider the extreme case that no matched tuples are returned. This implies that the proposed scheme can fully support the verifiability of both correctness and completeness.

VERIFIABLE AUDITING SCHEME OF OUTSOURCED DATABASE

In this section, we first introduce two basic tools used in the proposed construction. Then, we present our verifiable auditing scheme in detail.

4.1 Basic Tools Tuple-MHT. A Tuple-MHT refers to a MHT built on an individual tuple. Specifically, each attribute of tuple is

WANG ET AL.: VERIFIABLE AUDITING FOR OUTSOURCED DATABASE IN CLOUD COMPUTING

Fig. 4. Structure of bloom filter tree.

represented by a leaf node in the Tuple-MHT construction, which is assigned to a hash value of the attribute. Similar to the construction of MHT, the value of each internal node is derived from the hash of the concatenation of its two child nodes. The process performs recursively until the root value is assigned. Following that, the signature of the root is generated by the data owner. The verification process of Tuple-MHT is similar to the MHT’s. The main benefit is the reduction of the communication overhead of tuple verification when performing the projection operation. Notice that parallel technique in [24] is used to solve the integrity of plaintext database. Bloom Filter Tree (BFT). A Bloom filter tree refers to a binary tree structure (Fig. 4), in which each node stores a bloom filter with variable length (due to the element number of Bloom filter). Given a set S, in level 1, the bloom filter is called BF1;1 , including all elements of the S. As children of BF1;1 , BF2;1 and BF2;2 include half of all elements respectively.2 In this way, the BFT is constructed as a binary tree. Note that the length of BFi;j becomes shorter with the reduction of elements. Roughly speaking, each level takes almost equal storage cost.

4.2 High Description The problem for query integrity of outsourced database can be formulated as follows: The data owner encrypts his own database locally and then outsources the encrypted database into the CSP. The user then sends the query request to the CSP and receives the corresponding results from it. Since the CSP may return an invalid result for self-benefit, the user must check the integrity of the returned result. In this paper, we propose a new verifiable auditing scheme for outsourced database, which can ensure the integrity of search results even if the dishonest CSP purposely returns an empty set. Our main idea is that we use the above primitives of BFT and Tuple-MHT to check the query integrity. More precisely, on receiving the search result, the user can simultaneously achieve the correctness and completeness of each tuple by reconstructing the root of Tuple-MHT (i.e., hash of the tuple). If an empty set is returned, the user can check whether the search request belongs to the BF to ensure the correctness of search result. Furthermore, The BFT can be used to eliminate the dispute between the server and the user caused by the false positive of the BF. 2. We assume that elements are divided into two parts equally according to the original order.

3297

4.3 The Proposed Construction In this section, we present a concrete verifiable auditing scheme of outsourced database (An overview of our scheme is shown in Fig. 5). We first introduce some notations. Assume that P ¼ ðKð1 Þ; Encðsk; Þ; Decðsk; ÞÞ and P0 ¼ ðK0 ð1 Þ; Enc0 ðsk; Þ; Dec0 ðsk; ÞÞ are two IND-CPA secure symmetric encryption schemes. Note that the key space and plaintext space of P0 are identical. P : K  M 7! K is a pseudo-random permutation, where K and M have the same length. The details of the proposed scheme are given as follows. System Setup. The system setup phase initializes the necessary parameters in the following steps:


Two appropriate symmetric encryption schemes P and P0 and a pseudo-random permutation P are initialled independently. Next, the data owner generates the master key kb ¼ ðk0 ; k1 ; k2 Þ, where R

R

k0 Kð1 Þ, k1 ; k2 K0 ð1 Þ: k0 is the key of P, k1 ; k2 are the keys of P. The data owner shares the ðk1 ; k2 Þ with all authenticated users.3
A Bloom filter with k hash functions is initialled. Then all the distinct attribute values are inserted into the BF . In addition, according to the description in Section 4.1, a BFT is generated by the data owner. Data Outsourcing. Suppose the data owner wants to outsource a relational database R ¼ ðA1 ; A2 ; . . . ; An Þ to CSP, where Ai refers to the name of attribute column. The owner encrypts the plaintext database based on the encryption technique in [16]. That is, given a data tuple r ¼ ða1 ; a2 ; . . . ; an Þ 2 R, each element value ai is encrypted separately. The detail is described as following:


We denote by ni the total number of tuples, in which the value of the attribute column Ai is equal to ai . For each element values ai of tuple r, the data owner counts ni and then computes the corresponding hash value denoted as hðai kni Þ. In addition, a TupleMHT is generated based on the idea of MHT, where each leaf node is assigned to a hash value hðai kni Þ. The root of Tuple-MHT is denoted as hðrÞ, which is called hash of the tuple r.
The data owner encrypts each element value ai with the conventional symmetric encryption: ci ¼ Enck0 ðai Þ.
The data owner generates the search tag ti for each element ai in the following manner: the data owner computes tag generating key ksi ¼ Pk1 ðai Þ and intermediate ciphertext si ¼ Pk2 ðai Þ, then generates search tag ti ¼ Encksi ðsi Þ.
The data owner uploads the ciphertext tuples rE ¼ ðt1 ; c1 ; hða1 kn1 Þkn1 Þ; . . . ; ðtn ; cn ; hðan knn Þknn Þ and the signature S on hðrÞ, and BF (note that the validity of BF is also ensured by the signature of data owner) to the CSP. Finally, the data owner sends the BFT to the arbitration center (AC). Only when dispute happens will it be used. 3. The shared keys are used to generate search tag in the process of Data Retrieving.

3298

IEEE TRANSACTIONS ON COMPUTERS,

VOL. 64, NO. 11,

NOVEMBER 2015

Fig. 5. Overview of our verifiable auditing scheme.

Data Retrieving.Suppose the user wants to search tuple satisfying that the element value of attribute column Aq is euqal to a. (Denote by Aq ¼ a) The following processes need to be performed:








The user generates a search request T ¼ ðq; kq ; AE q Þ¼ ðPk2 ðaÞ; Pk1 ðaÞ; AE Þ and sends T to the CSP, where q is the encryption form of attribute column Aq . AE q Upon receiving the search request T , the CSP checks each triple ðtq ; cq ; hðaq knq Þknq Þ of attribute AE q tuple by tuple in the following equality: Deckq ðtq Þ ¼ q returns tuples satisfying the equality to the user.4 If no matched tuple is found, the CSP returns BF as proof to the user. The user sends the received ciphertext tuple rE to the data owner and receives the corresponding plaintext tuple r ¼ ða1 ; . . . ; an Þ.

4. It requires that part of attributes of the tuple are returned (i. e., verification object). As a result, the proposed scheme has a lighter communication overhead.

Verifying. To verify the integrity of search result, the user checks the validity in terms of both correctness and completeness. At the end of the verification, Accept or Reject will be sent back that represents the CSP is honest or malicious, respectively. The algorithm is performed in the following phases:


Correctness. It requires that the result has not been tampered with. There are two cases need to perform as follows:

Case 1:When the result set is empty, the CSP claims that there is no matched tuples in the outsourced database and only returns the BF to the user. Using the BF , the user verifies the correctness of search result. The detail of the process is described as follows: Step 1: The user first checks the validity of the BF . If the verification holds, goes to Step2. Otherwise, the process terminates and outputs Reject. Step 2: The user checks the equality BF ðaÞ ¼ 1 and determines whether the search request a belongs to

WANG ET AL.: VERIFIABLE AUDITING FOR OUTSOURCED DATABASE IN CLOUD COMPUTING

3299

the BF .5 If the equality holds (i.e., dispute happens), it goes to Step3. Otherwise, the process terminates and outputs Accept. Step 3: The user sends the disputed search request a to the arbitration center (AC). Using the BFT, the AC can determine whether a belongs to the BF with overwhelming probability. Specifically, the algorithm will be performed recursively by level. For a given node BFi;j , its children nodes will be checked while BFi;j ðaÞ ¼ 1. If two children of BFi;j satisfy that BFiþ1;2j1 ðaÞ ¼ 0 and BFiþ1;2j ðaÞ ¼ 0, respectively. We will set BFi;j ðaÞ ¼ 0. Once all BFi;j of certain level i meet that BFi;j ðaÞ ¼ 0, the process terminates and outputs Accept. Otherwise, Reject is sent back.

argue that our solution works in the case of dynamic database by incorporating the notion of verifiable database [6], [8], [12], [13]. Specifically, a VDB scheme is used to outsource database between the data owner and the CSP. That is, the data owner can update tuples of outsourced database by assigning a new value. The main idea here is that the data owner can revoke the signatures given to the CSP for previous values by a primitive named vector commitment [8], which can support the public verifiability. If the CSP attempts to tamper with the database, it will be detected by both the data owner and users with an overwhelming probability. Therefore, it can guarantee that the user performs search on the latest database while achieving the verifiability of search result.

Case 2:When the result set is not empty, the user first performs the correctness checking. That is, he checks whether each tuple included in the search result has been tampered with. The detail of the process is described as follows:

4.4 Security Analysis Theorem 1. The proposed verifiable auditing scheme is secure in terms of data confidentiality.

Step 1: For a given tuple r in the result set, the user checks every value ðti ; ci ; hðai kni Þkni Þ of r for the following ai kni Þ, where a~i is obtained by equality: hðai kni Þ ¼ hð~ decrypting the the ciphertext ci . If fails, the process terminates and outputs Reject. Otherwise, it goes to Step2. Step 2: Based on the idea of Tuple-MHT, the user can regenerate hðrÞ with the returned VO, the hash of tuple r. That is, using the hash value hð~ ai kni Þ computed in step1, hðrÞ can be computed by the hash chain of hð~ ai kni Þ. Finally, the user checks hðrÞ by verifying its signature S. Both steps can guarantee each tuple of the search result is correct.


Completeness. It requires that the result should include all valid tuples that satisfy the query condition. We argue that the proposed verifiable auditing scheme can easily achieve the completeness of results. In details, on the basis of the result of correctness, the user counts the number of tuples n~i satisfying the search condition and checks the equality: ni ¼ n~i . If holds, it implies that the completeness is achieved and outputs Accept. Otherwise, the verification of completeness is failed and outputs Reject.

Remark 2. In our construction, we generate a Tuple-MHT for each individual tuple. Based on the Tuple-MHT, the subset of relational operations such as selection and projection can be supported. In other words, when part of attributes in the given tuple are returned, the proposed construction can achieve the verifiability of search result by the corresponding verification object. Note that the VO may be involved more attributes as it is the intersection of many VOs of single attribute. Remark 3. For the case of static database, our construction can easily achieve the verifiability of search result. We 5. For simplicity of description, we use BF ðaÞ to denote the process, where BF ðaÞ ¼ 0 represents a does not belong to it and BF ðaÞ ¼ 1 represents a may belong to it very possible.

Proof. In our construction, the core technique of database encryption is the encryption scheme [16]. It has been proven in the full version of [16] that the encryption scheme is IND-CPA secure. Hence, our construction can achieve the corresponding security for outsourced data if the encryption key is securely kept by the user. It is necessary to note that we assume the authorization between data owner and users is appropriately done. That is, any unauthorized users or revoked ones cannot get the valid encryption key. To search tuples satisfying Aq ¼ a, the user can send a E search tag T ¼ ðq; kq ; AE q Þ ¼ ðPk2 ðaÞ; Pk1 ðaÞ; Aq Þ to the CSP. The latter checks each value ðtq ; cq ; hðaq knq ÞÞ of attribute AE q tuple by tuple and returns those tuples satisfying Deckq ðti Þ= q. Note that the search tag T does not contain any plaintext information. According to [16], when Encsk ðÞ is an IND-CPA secure encryption scheme and P is a pseudo-random permutation, the probability of collision DecPk1 ðEncPk1 ðPk2 ðai ÞÞÞ ¼ Pk2 ðaÞ (a 6¼ ai ) is negligible. That is, all tuples in the result belong to the actual solution. u t Theorem 2. The proposed verifiable auditing scheme can achieve the verifiability of search result. Proof. We first prove the correctness of search result. There are two cases need to be considered. On one hand, if the result set is empty, the BF is returned as proof to the user. The user checks the equality BF ðaÞ ¼ 1 and then can determine the correctness. Note that the BF is signed by the data owner using a secure signature algorithm, such as RSA or ElGamal. Therefore, without the private key of the data owner, the CSP can forge a valid proof with negligible probability. On the other hand, the result set includes some matched tuples. First, the user checks the correctness of the ciphertext attribute value ci of the result tuple. Since the encryption scheme is IND-CPA secure, no attacker can forge valid ciphertext c~i without encryption key. Second, the user checks the correctness of tuple in the result. Based on the assumption of collision resistance of the hash function, the ~ is negligible. probability of valid root of Tuple-MHT hðrÞ

3300

IEEE TRANSACTIONS ON COMPUTERS,

VOL. 64, NO. 11,

NOVEMBER 2015

TABLE 1 Computation Cost of Our Proposed Scheme

Computation of outsourcing Computation of verifying Supporting correctness Supporting completeness Database type

Scheme [24]

Scheme [31]

Scheme [40]

Our Scheme

nS þ nð2a  1ÞH 1S Yes No Plaintext

naS 3S Yes Partial Plaintext

nS þ 3nExp 4P Yes Partial Plaintext

nS þ naE þ n½ð2 þ kÞa  1H 1D+1S Yes Full Ciphertext

We then prove the completeness of search result. On the basis of the results of the correctness, it can be proven easily. That is, the user can prove that each tuple in the result set is the real tuple that satisfies the query condition. Thus, to tamper the search result, the attacker may provide an incorrect number of tuples n~i . Note that the ni involves in the attribute hash value hðai kni Þ, and it follows that the misbehaver will be detected with an overwhelming probability. u t

4.5 Efficiency Analysis In this section, we present efficiency analysis of the proposed scheme in theory. For the convenience of discussion, some marks are introduced. We denote by H an operation of hash, E an encryption (resp., by D a decryption), by S a signature, by P the paring operation, by Exp the modular exponentiation, by n the number of outsourcing data records, by k the hash number of bloom filter, by a the number of attributes of each data record,and by r the number of returned data records, Besides, Notice that we omit the ordinary file upload (download) operations for simplification. Table 1 presents the comparison between our scheme and two previous schemes. It can easily be seen that our scheme can achieve completeness of searching result with only a small increase in computation overhead over [24]. Compared with schemes in [31], [40], the proposed scheme is superior in efficiency of data outsourcing and verifying. Specifically, our scheme requires one signature operation for a single data record outsourcing, while a S operations and 1S þ 3Exp operations need to be conducted in [31], [40], respectively. To verify the integrity of result, our scheme needs to check one signature, which is less than the two existing scheme (3 S operations in [24] and 4 P operations in [40]). Thus, our proposed scheme is more practical for real applications.

5

PERFORMANCE EVALUATION

In this section, we provide a thorough experimental evaluation of our verifiable auditing scheme. Our experiments are simulated with python 3.4 on Linux machine with Intel Core i5-3470 3.20 GHz CPU and 4G memory. Note that in order to precisely measure the overhead at both CSP and user sides, all experiments were performed on the same machine. In the following experiments, we fix the number of hash functions of Bloom filter as k ¼ 14. According to [2], to achieve the requirement of false positive Pf  220 , the ratio of the length of Bloom filter and tuple number is fixed to 32. In order to more easily understand the efficiency of our proposed scheme, we simulated all four phases (i.e., System Setup, Data Outsourcing, Data Retrieving and Verifying) in two cases, where the attribute number of each tuple is fixed as 8 or 16, respectively.

5.1 Cost of System Setup In the system setup phase, the main computation cost is dominated by hash function calculations, which are used to construct Bloom filter and Bloom filter tree. More precisely, the user conducts (l+1)kna hash and 2 signature operations. It needs to be pointed out that we cannot omit the time cost of hash operation when the number of operation is very large. We perform the experiments with data records R ranging from 1,000 to 8,000. As shown in Figs. 6a and 6b, the time cost will linearly increase with data records. It can clearly be seen that the time overhead of constructing BFT is much more than BF because there are more hash operations for BFT construction. Actually, the time cost of constructing BFT (l-level) is approximately equal to l times of constructing BF with the same length. The results indicate that our construction can be acceptable without any computation-intensive operations.

Fig. 6. Time comparison of construction between Bloom filter and Bloom filter tree.

WANG ET AL.: VERIFIABLE AUDITING FOR OUTSOURCED DATABASE IN CLOUD COMPUTING

3301

Fig. 7. The time cost of data processing in the proposed scheme.

5.2 Cost of Data Outsourcing and Retrieving In order to ensure the security and privacy of outsourced database, the data owner could encrypt each attribute value tuple by tuple before storing it. Specifically, the total computation consists of n signature, na encryption (symmetric), and ð2a  1Þn hash operations. Consider that the signature of time is far greater than hash and symmetric encryption, we mainly concern the signature operation in our experiment. As shown in Fig. 7a, the time cost of data outsourcing are increasing with the number of tuples of database. For different number of attributes in each tuple, the time is almost the same because hash and symmetric encryption operations are negligible. Note that the phase of data outsourcing Fig. 7a is obviously slower because there are signature operations for each tuples. That is, the user signs the root of every attribute MHT with his private key, which is used as the proof of tuple in phase of verifying. Although the computation overhead is slightly high, the phase of outsourcing is one-time work and can be done by off-line way. On receiving a user’s search request, the CSP checks the corresponding attributes tuple by tuple. For each attribute, the CSP conducts 1 decryption operation. The computation overhead are linearly increase with data records. The time cost of CSP for different number of data records is shown in Fig. 7b.

seen that the computation burden keeps constant with the vary of the data records. That is because signature of time is far more than k hash operation. (ii) some results are retrieved. In this case, The user verifies the integrity of search result by signature verification. To be specific, for a given tuple in the result set, the user first checks the integrity of attribute by hash reconstruction. Then the integrity of tuple can be checked by verifying signature of root of tupleMHT. We can see from Fig. 7d that the time cost is linearly increasing with the number of tuple in result set.

5.3 Cost of Verifying To verify the integrity of search result, we consider two cases: (i) no result is retrieved. That is, the CSP claims that there is no match tuple exists in the outsourced database. Only the Bloom filter is returned as the proof, which is used to check whether the CSP is honest. The main computation is verifying of signature for it. As shown in Fig. 7c, it can be

ACKNOWLEDGMENTS

6

CONCLUSION

In this paper, we investigate the integrity auditing of outsourced database in cloud computing. Our main contribution is to propose a new verifiable auditing scheme of outsourced database which can achieve the verifiability of search result even if the result is an empty set. Besides, our scheme supports common database operations such as selection and projection. Furthermore, our construction can be easily extended to the scenario of dynamic database by incorporating the notion of verifiable database with updates. We also prove that our scheme can achieve the desired security goals and provide detailed simulation tests.

This work was supported by the National Natural Science Foundation of China (Nos. 61272455, 61472083 and U1405255), China 111 Project (No. B08038), Doctoral Fund of Ministry of Education of China (No. 20130203110004), Program for New Century Excellent Talents in University (No. NCET-13-0946), Fok Ying Tung Education Foundation

3302

IEEE TRANSACTIONS ON COMPUTERS,

(141065) and Program for New Century Excellent Talents in Fujian University (JA14067), the Fundamental Research Funds for the Central Universities (Nos. BDY151402 and JB142001-14) and Australian Research Council (ARC) projects DP150103732, DP140103649, and LP140100816. Yang Xiang is the corresponding author.

REFERENCES [1]

[2] [3] [4] [5]

[6] [7]

[8] [9] [10] [11] [12] [13]

[14] [15] [16] [17] [18] [19] [20] [21]

G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, “Provable data possession at untrusted stores,” in Proc. 14th ACM Conf. Comput. Commun. Security, 2007, pp. 598–609. B. Andrei and M. Michael,“Network applications of bloom filters: A survey,” Internet Math., vol. 1, no. 4, pp. 485–509, 2004. M. J. Atallah, K. N. Pantazopoulos, J. R. Rice, and E. H. Spafford, “Secure outsourcing of scientific computations,” Adv. Comput., vol. 54, pp. 215–272, Jan. 2002. B. H. Bloom, “Space/time trade-offs in hash coding with allowable errors,” Commun. ACM, vol. 13, no. 7, pp. 422–426, Jul. 1970. E. Bertino, B. Carminati, E. Ferrari, B. M. Thuraisingham, and A. Gupta, “Selective and authentic third-party distribution of XML documents,” IEEE Trans. Knowl. Data Eng., vol. 16, no. 10, pp. 1263–1278, Oct. 2004. S. Benabbas, R. Gennaro, and Y. Vahlis, “Verifiable delegation of computation over large datasets,” in Proc. 31st Annu. Cryptol. Conf., 2011, pp. 111–131. R. Buyya, C. Yeo, S. Venugopal, J. Broberg, and I. Brandic, “Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility,” Future Generation Comput. Syst., vol. 25, no. 6, pp. 599–616, Jun. 2009. D. Catalano and D. Fiore, “Vector commitments and their applications,” in Proc. 16th Int. Conf. Prac. Theory Public-Key Cryptography, 2013, pp. 55–72. Q. Chai and G. Gong, “Verifiable symmetric searchable encryption for semi-honest-but-curious cloud servers,” in Proc. IEEE Int. Conf. Commun., 2012, pp. 917–922. X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, “New algorithms for secure outsourcing of modular exponentiations,” in Proc. 17th Eur. Symp. Res. Comput. Security, 2012, pp. 541–556. X. Chen, J. Li, and W. Susilo, “Efficient fair conditional payments for outsourcing computations,” IEEE Trans. Inf. Forensics Security, vol. 7, no. 6, pp. 1687–1694, Dec. 2012. X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, “Verifiable computation over large database with incremental updates,” in Proc. 19th Eur. Symp. Res. Comput. Security, 2014, pp. 148–162. X. Chen, J. Li, X. Huang, J. Ma, and W. Lou, “New publicly verifiable databases with efficient updates,” IEEE Trans. Dependable Secure Comput., http://doi.ieeecomputersociety.org/10.1109/ TDSC.2014.2366471 P. Devanbu, M. Gertz, C. Martel, and S. G. Stubblebine, “Authentic third-party data publication,” in Proc. 14th IFIP Workshop Conf. Database Security, 2000, pp. 101–112. P. Devanbu, M. Gertz, C. Martel, and S. G. Stubblebine, “Authentic data publication over the Internet,” J. Comput. Security, vol. 11, no. 3, pp. 291–314, 2003. S. Evdokimov and O. G€ unther, “Encryption techniques for secure database outsourcing,” in Proc. 12th Eur. Symp. Res. Comput. Security, 2007, pp. 327–342. € , C. Papamanthou, and R. Tamassia, C. Erway, A. K€ upc¸u “Dynamic provable data possession,” in Proc. 16th ACM Conf. Comput. Commun. Security, 2009, pp. 213–222. P. Golle and I. Mironov, “Uncheatable distributed computations,” in Proc. Cryptographyers’ Track RSA Conf., 2001, pp. 425–440. H. Hacig€ um€ us¸ , B. Iyer, and S. Mehrotra, “Providing database as a service,” in Proc. 18th Int. Conf. Data Eng., 2002, pp. 29–38. H. Hacig€ um€ us¸ , B. Iyer, and S. Mehrotra, “Executing SQL over encrypted data in the database-service-provider model,” in Proc. ACM SIGMOD Int. Conf. Manag. Data, 2002, pp. 216–227. Z. Hao, S. Zhong, and N. Yu, “A privacy-preserving remote data integrity checking protocol with data dynamics and public verifiability,” IEEE Trans. Knowl. Data Eng., vol. 23, no. 9, pp. 1432– 1437, Sep. 2011.

VOL. 64, NO. 11,

NOVEMBER 2015

[22] F. Li, M. Hadjieleftheriou, G. Kollios, and L. Reyzin, “Dynamic authenticated index structures for outsourced databases,” in Proc. ACM SIGMOD Int. Conf. Manag. Data, 2006, pp. 121–132. [23] A. Juels and B. S. Kaliski Jr., “PORs: Proofs of Retrievability for Large Files,” in Proc. 14th ACM Conf. Comput. Commun. Security, 2007, pp. 584–597. [24] D. Ma, R. H. Deng, H. Pang, and J. Zhou, “Authenticating query results in data publishing,” in Proc. 7th Int. Conf. Inf. Commun. Security, 2005, pp. 376–388. [25] R. C. Merkle, “Protocols for public key cryptosystems,” in Proc. IEEE Symp. Security Privacy, 1980, pp. 122–134. [26] E. Mykletun, M. Narasimha, and G. Tsudik, “Signature bouquets: Immutability for aggregated/condensed signatures,” in Proc. 9th Eur. Symp. Res. Comput. Security, 2004, pp. 160–176. [27] E. Mykletun, M. Narasimha, and G. Tsudik, “Authentication and integrity in outsourced databases,” ACM Trans. Storage, vol. 2, no. 2, pp. 107–138, May 2006. [28] K. Mouratidis, D. Sacharidis, and H. Pang, “Partially materialized digest scheme: An efficient verification method for outsourced databases,” VLDB J., vol. 18, pp. 363–381, 2009. [29] M. Narasimha and G. Tsudik, “Authentication of outsourced databases using signature aggregation and chaining,” in Proc. 11th Int. Conf. Database Syst. Adv. Appl., 2006, pp. 420–436. [30] H. Pang and K. L. Tan, “Authenticating query results in edge computing,” in Proc. 20th Int. Conf. Data Eng., 2004, pp. 560–571. [31] H. Pang, A. Jain, K. Ramamritham, and K. L. Tan, “Verifying completeness of relational query results in data publishing,” in Proc. ACM SIGMOD Int. Conf. Manag. Data, 2005, pp. 407–418. [32] H. Pang, J. Zhang, and K. Mouratidis, “Scalable verification for outsourced dynamic databases,” Proc. VLDB Endowment, vol. 2, no. 1, pp. 802–813, 2009. [33] R. Sion, ” Query execution assurance for outsourced databases,” in Proc. 31st Int. Conf. Very Large Data Bases, 2005, pp. 601–612. [34] B. Thompson, S. Haber, W. G. Horne, T. Sander, and D. Yao, “Privacy-preserving computation and verification of aggregate queries on outsourced databases,” in Proc. 9th Int. Symp. Privacy Enhancing Technol., 2009, pp. 185–201. [35] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving public auditing for data storage security in cloud computing,” in Proc. 29th IEEE Int. Conf. Comput. Commun., 2010, pp. 525–533. [36] Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, “Enabling public auditability and data dynamics for storage security in cloud computing,” IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 5, pp. 847–859, May 2011. [37] C. Wang, S. Chow, Q. Wang, K. Ren, and W. Lou, “Privacypreserving public auditing for secure cloud storage,” IEEE Trans. Comput., vol. 62, no. 2, pp. 362–375, Feb. 2013. [38] J. Wang, H. Ma, Q. Tang, J. Li, H. Zhu, S. Ma, and X. Chen, “Efficient verifiable fuzzy keyword search over encrypted data in cloud computing,” Comput. Sci. Inf. Syst., vol. 10, no. 2, pp. 667– 684, Apr. 2013. [39] M. Xie, H. Wang, J. Yin, and X. Meng, “Integrity auditing of outsourced data,” in Proc. 33rd Int. Conf. Very Large Data Bases, 2007, pp. 782–793. [40] J. Yuan and S. Yu, “Flexible and publicly verifiable aggregation query for outsourced databases in cloud,” in Proc. 4th IEEE Workshop Secur. Privacy Cloud Comput., 2013, pp. 520–524. [41] Y. Zhu, G. J. Ahn, H. Hu, S. S. Yau, H. G. An, and C. J. Hu, “Dynamic audit services for outsourced storages in cloud,” IEEE Trans. Service Comput., vol. 6, no. 2, pp. 227–238, Apr.–Jun. 2013. Jianfeng Wang received the MS degree in mathematics from Xidian University, China. He is currently working toward the PhD degree in cryptography in Xidian University. His research interests include applied cryptography, cloud security, and searchable encryption.

WANG ET AL.: VERIFIABLE AUDITING FOR OUTSOURCED DATABASE IN CLOUD COMPUTING

Xiaofeng Chen received the BS and MS degrees in mathematics from Northwest University, China, in 1998 and 2000, respectively. He received the PhD degree in cryptography from Xidian University in 2003. Currently, he is at Xidian University as a professor. His research interests include applied cryptography and cloud computing security. He has published more than 100 research papers in refereed international conferences and journals. His work has been cited more than 1,800 times at Google Scholar. He is in the Editorial Board of Computing and Informatics (CAI), International Journal of Grid and Utility Computing (IJGUC), and International Journal of Embedded Systems (IJES), etc. He has served as the program/general chair or program committee member in more than 30 international conferences. Xinyi Huang received his Ph.D. degree from the School of Computer Science and Software Engineering, University of Wollongong, Australia. He is currently a Professor at the School of Mathematics and Computer Science, Fujian Normal University, China, and the Co-Director of Fujian Provincial Key Laboratory of Network Security and Cryptology. His research interests include applied cryptography and network security. He has published over 100 research papers in refereed international conferences and journals. His work has been cited more than 1700 times at Google Scholar (H-Index: 23). He is an associate editor of IEEE Transactions on Dependable and Secure Computing, in the Editorial Board of International Journal of Information Security (IJIS, Springer) and has served as the program/ general chair or program committee member in over 60 international conferences. Ilsun You received the MS and PhD degrees in computer science from Dankook University, Seoul, Korea, in 1997 and 2002, respectively. He received the second PhD degree from Kyushu University, Japan, in 2012. From 1997 to 2004, he was at the THINmultimedia Inc., Internet Security Co., Ltd. and Hanjo Engineering Co., Ltd. as a research engineer. Now, he is an associate professor at Department of Information Security Engineering, Soon Chun Hyang University. He has served or is currently serving as a main organizer of international conferences and workshops such as IMIS, MobiWorld, MIST, SeCIHD, AsiaARES, and so forth. He is in the Editorial Board for Journal of Network and Computer Applications (JNCA), International Journal of Ad Hoc and Ubiquitous Computing (IJAHUC), Computing and Informatics (CAI), Journal of High Speed Networks (JHSN), and Security and Communication Networks (SCN). His main research interests include internet security, authentication, access control, and formal security analysis. He is a Fellow of the IET and a Senior member of the IEEE.

3303

Yang Xiang received the PhD degree in computer science from Deakin University, Australia. He is currently a full professor at the School of Information Technology, Deakin University. He is the director of the Network Security and Computing Lab (NSCLab). His research interests include network and system security, distributed systems, and networking. In particular, he is currently leading his team developing active defense systems against large-scale distributed network attacks. He is the chief investigator of several projects in network and system security, funded by the Australian Research Council (ARC). He has published more than 130 research papers in many international journals and conferences, such as IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Information Security and Forensics, and IEEE Journal on Selected Areas in Communications. Two of his papers were selected as the featured articles in the April 2009 and the July 2013 issues of IEEE Transactions on Parallel and Distributed Systems. He has published two books, Software Similarity and Classification (Springer) and Dynamic and Advanced Data Mining for Progressing Technological Development (IGI-Global). He has served as the program/general chair for many international conferences such as ICA3PP 12/11, IEEE/IFIP EUC 11, IEEE TrustCom 13/11, IEEE HPCC 10/09, IEEE ICPADS 08, NSS 11/10/09/08/07. He has been the PC member for more than 60 international conferences in distributed systems, networking, and security. He serves as the associate editor of IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, Security and Communication Networks (Wiley), and the editor of Journal of Network and Computer Applications. He is the coordinator, Asia for IEEE Computer Society Technical Committee on Distributed Processing (TCDP). He is a senior member of the IEEE. " For more information on this or any other computing topic, please visit our Digital Library at www.computer.org/publications/dlib.