Hindawi

Security and Communication Networks

Volume 2021, Article ID 9921209, 15 pages
https://doi.org/10.1155/2021/9921209

Research Article
Blockchain-Based Cloud Data Integrity Verification Scheme with
High Efficiency

Gaopeng Xie,1 Yuling Liu,1 Guojiang Xin ,2 and Qiuwei Yang1

1
College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China
2
School of Informatics, Hunan University of Chinese Medicine, Changsha 410208, China

Correspondence should be addressed to Guojiang Xin; lovesin_guojiang@126.com

Received 13 March 2021; Revised 7 April 2021; Accepted 16 April 2021; Published 29 April 2021

Academic Editor: Zhili Zhou

Copyright © 2021 Gaopeng Xie et al. )is is an open access article distributed under the Creative Commons Attribution License,
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
With the large-scale application of cloud storage, how to ensure cloud data integrity has become an important issue. Although
many methods have been proposed, they still have their limitations. )is paper improves some defects of the previous methods
and proposes an efficient cloud data integrity verification scheme based on blockchain. In this paper, we proposed a lattice
signature algorithm to resist quantum computing and introduced cuckoo filter to simplify the computational overhead of the user
verification phase. Finally, the decentralized blockchain network is introduced to replace traditional centralized audit to publicize
and authenticate the verification results, which improves the transparency and the security of this scheme. Security analysis shows
that our scheme can resist malicious attacks and experimental results show that our scheme has high efficiency, especially in the
user verification phase.

1. Introduction attacker may pretend to be a tenant to launch an internal

attack, violating other users’ data. Finally, cloud service
With lots of applications deployed in the cloud, user data are providers may deliberately hide that user data are corrupted
also collected centrally and handed over to the cloud. Cloud or store data that users rarely access offline. Considering the
computing provides users with shared computing resources large-scale outsourcing data and limited computing power,
and storage resources and has multiple deployment models verifying outsourcing data integrity has become a vital issue
like private cloud, community cloud, public cloud, and in cloud storage.
hybrid cloud [1]. For users, storing data in the cloud can )e root problem of cloud data security lies in the trust
bring many benefits, such as reducing hardware investment between the cloud service provider (CSP) and the user.
costs, reducing the local storage burden, and supporting Failure of cloud devices, external attacks, or even the
remote access. However, while cloud storage brings con- snooping of user data by the CSPs may result in leakage, loss,
venience, it also brings corresponding challenges. Highly and damage of user data. On the other hand, even if user data
centralized data and complex computing environments is destroyed, users may not achieve effective accountability,
make user data subject to multiple threats [2]. Compared to and the CSP will evade responsibility and not recognize it.
traditional data centers, the cloud has more complex sys- )erefore, the essence of the problem lies in the lack of trust
tems. )e numerous components make the cloud more between the two sides. Once problems occur, it is difficult for
likely to be attacked. As the complexity of the systems in- the challenged party to provide the basis agreed by both
creases, so do the vulnerabilities of the systems. Secondly, sides.
multitenants share cloud computing resources, making data )e traditional solution is to introduce a third-party
more vulnerable to be damaged. In the cloud computing auditor (TPA) to form a three-party authentication model
environment, the customized resources between tenants are [3], as shown in Figure 1. But there are still problems in this
usually isolated by adopting a logical method. A malicious way, which cannot guarantee that the TPA will not cooperate
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
2 Security and Communication Networks

TPA

Se
st

Re

nd
ue

sp
eq

th
lt

on
tr

ec
su
di

se
re

ha
Au

to
rn

lle
th
tu

ng
ec
Re

e
ha
lle
ng
e
Data flow
User CSP
Figure 1: Traditional cloud storage model.

with the other party to cheat for interests or other reasons. )e rest of the paper is organized as follows. Section 2
However, the emergence of blockchain provides a new provides an overview of the related work. Section 3 intro-
solution to this problem. duces the related background knowledge. Section 4 describes
Blockchain is a type of chain structure that combines the proposed scheme in detail. Section 5 provides the se-
data blocks in chronological order, and it is a tamper-proof curity analysis. Section 6 presents the experiment and an-
and nonforgeable distributed ledger guaranteed by cryp- alyzes the performances of the scheme. Section 7 concludes
tography [4]. All blockchain participants maintain the the paper.
blockchain’s node information, so all information on the
blockchain is open and transparent. Once the information is
2. Related Work
released, it is permanently retained and cannot be tampered
with. )e open verification and tamper-proof features of the With the rapid development of the Internet, there are more
blockchain enable it to act as a trusted third party to address and more new hot areas, such as 5G [5], Internet of )ings
users’ concerns in the cloud computing environment, and all (IoT) [6], SDN [7], and cloud computing, which have
results can be published to the blockchain for authentication spawned a lot of related research. In the field of cloud
and maintained by all users of the blockchain. )erefore, computing, there are some researches on the verification of
integrating the blockchain into cloud computing, using the data integrity, as well as data retrieval [8], image retrieval
blockchain’s advantages to solve the disadvantages of the [9, 10], and so on. )is section mainly introduces some
cloud computing environment, can more effectively provide related work on the cloud data integrity verification, lattice
users with data security. signature, and blockchain involved in this paper.
With quantum computing development, traditional
cryptography security is threatened, so a high-security
signature scheme that can resist quantum attacks is nec- 2.1. Cloud Data Integrity Verification. With the populari-
essary. )is paper proposes a new cloud data integrity zation of cloud storage, many scholars pay attention to
verification scheme based on blockchain and lattice signa- remote data integrity audit. Cloud storage integrity verifi-
ture. Our key contributions in this paper can be summarized cation refers to how users verify the integrity and availability
as follows. of data stored in the cloud. To solve the security risks
)is paper proposes a protocol for cloud data integrity brought by cloud storage, many solutions have been pro-
verification based on lattice signature. Under the small in- posed to ensure data integrity. At present, data integrity
teger solution (SIS) assumption, the algorithm can resist verification schemes can be divided into two categories:
quantum attacks and malicious attacks under the random Provable Data Possession (PDP) schemes and Proofs of
oracle model and protect user data privacy. )e user’s Retrievability (POR) schemes. )e PDP schemes use the
computational complexity in the verification phase is greatly “challenge-response” mechanism to verify whether the
simplified by introducing the cuckoo filter, and the algo- user’s data is correctly stored in the cloud; the POR schemes
rithm’s efficiency is further improved. can recover some lost or damaged data. Besides, referring to
)is paper introduces a decentralized blockchain-based the verifier’s identity, the verification scheme can be divided
data integrity service to replace the traditional centralized into private verification scheme and public verification
data integrity service; this avoids the problem of untrust- scheme. Compared with private verification, public verifi-
worthy TPA and further improves the reliability of the cation with TPA better supports public audit, dynamic
service. update, and efficient verification.
)is paper evaluates the correctness and feasibility of the Ateniese et al. [3] proposed a PDP scheme for the first
proposed method through experiments. Experimental re- time in consideration of public audit based on the challenge-
sults show that the method is effective. response mode, using RSA algorithm to generate key pairs
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 3

and using trusted third-party audit to verify data integrity In the public audit verification model, most of the work
instead of users. )e CSP only needs to return the label assumes that the TPA is trusted to complete the entire data
information of the file block to verify the integrity of the file, integrity verification work. However, in practical applica-
reducing the computational and communication overhead tions, the internal working process of TPA and its credibility
of the data verification process. However, this scheme does need further research and proof. )e techniques such as
not support the dynamic update operation of data. In order encrypted data blocks and random masks can prevent the
to support dynamic auditing of data, Ateniese et al. [11] original data from being leaked to the TPA. However, for
proposed an extensible PDP. )is scheme first calculates a users, TPA’s internal structure and operation process are
limited number of verification tokens, and each token is unknown. In reality, the TPA may collude with the CSP to
linked to some data blocks, thereby ensuring that the scheme attack the user or collude with the user or other CSP
can support the modification of data in a prescribed manner, competitors to attack the CSP and return the wrong veri-
but the number of verifications and data updates performed fication results.
by the verifier is limited, and only additional operations are In order to solve the malicious TPA, some methods
supported. Each update requires recreating the remaining have been proposed. )e scheme of Huang et al. [23] used
verification tokens. In this solution, the time complexity of multiple TPAs for audit authorization and introduced
the computational overhead of the CSP and the data owner is the receive server and time server to ensure that the TPA
O(t), and the time complexity of the communication completed the audit task accurately and timely. However,
overhead is O(1). After that, a series of improvements have the credibility of the introduced server entity could not
been proposed. be confirmed. Wu et al. [24] proposed dividing the
Erway et al. [12] proposed a new hierarchical authen- verification of TPA into complex calculation process and
tication skip list data structure and used RASL to construct a simple verification process. )e former is handled by
PDP scheme that supports full data update but does not TPA, while the latter is verified by the user himself. Xiao
provide data privacy protection. Wang et al. [13] used a et al. [25] used trusted hardware deployed on the cloud
random mask to optimize the above scheme to protect users’ storage server to generate and store audit logs. Due to the
privacy information, but the scheme is degraded and cannot limited performance of the hardware and the risks of
support data block insertion. In addition, Zhou et al. [14] deployment in untrusted cloud storage providers, its
pointed out that the scheme could not resist the forgery security and credibility need to be further verified. )e
attack; that is, the adversary with evidence could forge new above solutions do not really solve the task that TPA may
legal evidence by repeatedly using a secret value to pass the not faithfully complete the audit requirements of cloud
integrity verification scheme. users.
Zhu et al. [15, 16] proposed a new index hash table (IHT)
based data structure that supports dynamic operations and
public audit. IHT can reduce the storage overhead of veri- 2.2. Lattice Signature-Based Work. In recent years, lattice
fication information. Yang et al. [17] used the properties of cryptographic schemes have been greatly developed in
cryptography and bilinear pairing instead of mask tech- cryptography theory and achieved a series of research re-
nology to provide data privacy protection for data integrity sults. One of the major public problems of lattice signature
schemes and support dynamic and batch auditing of data, schemes is to reduce the size of the verification key while
but Ni et al. [18] proved that this method is fragile, because it implementing short signatures. In 2010, Boyen [26] pro-
does not provide response authentication and is vulnerable posed the first secure short signature scheme based on
to enemy attacks. provable lattice under the standard model. )en Micciancio
Xu et al. [19] proposed an algorithm for detecting data and Peikert [27] improved the hash function of Boven’s
verification results to resist counterfeit fraud attacks from scheme and further improved the security of the scheme.
untrusted verification results. )e algorithm performs cross- Subsequent provably secure digital signature schemes
validation by establishing a dual evidence mode of integrity [28, 29] have made improvements in both the verification
verification proof and incredible check proof. Integrity key size and the signature size but only realized existential
verification proof is used to check the integrity of the data, unforgeability against chosen message attacks. Yang et al.
and incredible check proof is used to determine the cor- [30] used the special algebraic structure of the ideal lattice to
rectness of the data verification results, but the introduction construct an identity-based signature scheme, which im-
of secondary verification evidence to cross-check verification proved the efficiency of the scheme and simplified the
results increases the computation and storage overhead. signature. Under selected identity and fixed selection
Shen et al. [20] proposed a new data integrity verification messages, the scheme satisfies unforgeability, but the scheme
scheme that enables files in cloud storage to be shared se- cannot achieve the anonymity if a single identity is signed.
curely without affecting privacy and integrity verification. Li Later, Zhang et al. [31] not only designed a lattice signature
et al. [21] proposed a provable data integrity method, which scheme that can prove secure under the standard model with
improves the verification efficiency by reducing the user cost only O(log n) matrices for verification keys but also
during the initialization phase. Zhu et al. [22] proposed an achieved existential unforgeability against chosen message
integrity verification scheme based on a short signature attacks, that is, a completely secure lattice signature scheme,
algorithm (ZSS signature) for the IoT environment, which but the security of the scheme is limited by the number of
proved to be secure and efficient. message queries.
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
4 Security and Communication Networks

With the development of quantum computing, the se- addition, Wei et al. [44] proposed an integrated model using
curity of traditional cryptography is threatened, so the re- blockchain technology. )ey use mobile agent technology to
search of lattice cryptography that can resist quantum deploy the distributed virtual machine agent model in the
computing has gradually expanded to various fields. Tian cloud. It can ensure the reliability of data storage, moni-
et al. [32] first applied lattice signature to partially blind toring, and verification, which is also essential for building a
signature field, saving a final round communication while blockchain integrity protection mechanism.
confirming the validity of the signature. In the field of )e characteristics of openness, transparency, and data
identity-based signature (IBS), Wang et al. [33] first used traceability of the blockchain make it play an essential role in
lattice signature to build an adaptive-ID secure IBS scheme finance, medical care, and the IoT. In cloud data integrity
with high space efficiency. Gao et al. [34] used lattice sig- verification, the combination of integrity verification and
nature to ensure the security of the blockchain in the blockchain is still in the exploration stage. )erefore, in this
postquantum era and built an efficient cryptocurrency paper, we propose a new blockchain-based cloud data in-
scheme based on lattice. tegrity verification method, using blockchain to solve the
Due to the rapid development of quantum computing untrustworthy problem of TPA.
technology, existing public-key cryptographic standards will
no longer be secure under quantum computing. As a rep- 3. Preliminaries
resentative of the resistance to quantum computing attacks,
more and more scholars begin to devote to the study of )is section will introduce some background related to our
lattice signature. scheme, which is mainly divided into three parts: the back-
ground related to the lattice signature algorithm, the back-
ground of blockchain, and the background of the cuckoo
2.3. Application of Blockchain. Because of the malicious filter. )e lattice signature background mainly includes the
TPA, schemes based on cryptographic principles instead of introduction of lattice and the difficult problem on the lattice.
credit are needed, so that both the user and the CSP can )e security of the lattice signature algorithm in our scheme is
reach an agreement to objectively and honestly verify the based on the SIS problem, so we introduce the SIS problem;
data integrity. )e birth of blockchain provides a guarantee what is more, to eliminate the situation that the distribution of
for “trust.” It uses a consensus algorithm to ensure data the signature results related to the user’s private key distri-
consistency between nodes and an encryption algorithm to bution, we also need to use rejection sampling theorem.
ensure data security.
Hardjono et al. [35] proposed a privacy protection
method for debugging IoT devices into the cloud ecosystem 3.1. Lattice
based on the blockchain, enabling anonymous registration
of the device, and being able to prove its manufacturing Definition 1. Let B � (b1 , . . . , bm )⊂Rn be a set of linearly
source. Heilman et al. [36] combined smart contracts with independent vectors, then the lattice Λ generated by B is
blind signature technology to achieve transaction ano- Λ � 􏽮Bc � 􏽐M i�1 bi ci |ci ∈ Z, 1 ≤ m ≤ n􏽯, and B is called the
nymity. Liang et al. [37] designed a system called ProvChain, basis of the lattice Λ. )e length of the basis ‖B‖ is the length
which can collect the provenance data, store and verify it of the longest vector in B. )e standard orthogonal basis of B
through blockchain, and provide a complete provenance obtained by the standard Schmidt orthogonalization is
􏽥 � (b􏽥1 , . . . , b􏽥n ).
B
data record when needed. Zhu et al. [38] developed a
blockchain-based file management system to specifically
address the problem that project documents are vulnerably Definition 2. Let q be a prime number, A ∈ Zn×m
q , and
tempered with. In the field of cloud data integrity verifi- u ∈ Znq , and define
cation, Yue et al. [39] proposed a blockchain-based verifi- Λ⊥q (A)Λ􏼈e ∈ Zm s.t. Ae � 0(mod q)􏼉,
cation scheme in P2P cloud storage and verified data by (1)
using Merkle trees. Wang et al. [40] deeply combined the Λuq (A)Λ􏼈e ∈ Zm s.t. Ae � u(mod q)􏼉.
blockchain with the PDP scheme to create the first block-
chain-based PDP model with high efficiency and security. To
against procrastinating auditors, Zhang et al. [41] proposed a Lemma 1. Let q ≥ 3 be an odd number and m � 5n logq;
certificateless verification scheme with blockchain technol- then there is a probabilistic polynomial time algorithm
ogy, but this scheme can only avoid procrastinating auditors TrapGen(q, n), output matrix A ∈ Zn×m q , and T ∈ Zq
m×m
,
n×m
and cannot handle other issues such as TPA colluding with where A is nearly uniform on Zq , T is a basis of lattice
others. Tian and Li [42] proposed another cloud verification 􏽰������
Λ⊥q (A) and satisfies T 􏽥 ≤ O( n log q ), and T ≤ O(n log q)
scheme, which is a cloud federation of TPA based on
except for a negligible probability.
blockchain to solve the unreliability of TPA. )e decen-
tralization of the blockchain is very compatible with the IoT,
so there are studies using blockchain to verify the integrity of 3.2. SIS Problem
the data of IoT devices. Liu et al. [43] proposed a blockchain-
based framework to achieve decentralized data integrity Definition 3. SIS problem. Given an integer q, a matrix
verification of IoT data stored in a semitrusted cloud. In A ∈ Zn×m
q , and a real number β, find a set of nonzero
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 5

solutions such that the homogeneous equation uses smart contracts composed of automated script code to
Ae � 0 mo d q holds, where e satisfies that e2 ≤ β. program and manipulate data.
SIS assumption. For some bounded polynomial func- Blockchain has the characteristics of decentralization,
tions q(n), m(n), β(n) with n as the independent variable, if immutability, traceability, collective maintenance, openness,
the probability of enemy A successfully solving the SIS and transparency. )ese characteristics ensure the block-
problem in any polynomial time is negligible in the case of chain’s honesty and transparency and lay the blockchain’s
unknown trap door, then the SIS assumption is valid. foundation to create trust. )e blockchain’s rich application
scenarios are based on the fact that the blockchain can solve
information asymmetry and achieve collaborative trust and
3.3. Discrete Gaussian Distribution. )e Gaussian distribu- concerted action among multiple subjects.
tion with standard deviation σ ∈ R and center v ∈ R is de-
fined as ρv,σ (x) � exp((− (x − v)2 )/2σ 2 ). For x, v ∈ Rn ,
ρv,σ (x) � exp((− x − v2 )/2σ 2 ). Discrete Gaussian distribu- 5. Cuckoo Filter
tion on Zm , centered on v ∈ Zm , standard deviation σ ∈ R, Cuckoo filter [46] is a random data structure with a simple
m
defined as Dm v,σ (x) � ((ρv,σ (x))/(ρσ (Z) )). If the discrete structure and high space efficiency. Compared with the
Gaussian distribution centered at 0 over Zm , the expression bloom filter, the cuckoo filter has the advantages of good
m
can be simplified to Dm σ (x) � ((ρσ (x))/(ρσ (Z) )). query performance, high space utilization efficiency, and
√�� support for reverse operation. It provides two possible
m (m/2)(1− k2 )
Lemma 2. If k > 1, Pr[z > kσ m ; z ∈ Dm σ ]<k e . storage locations for each keyword, dynamically relocates
Further, for any vector v ∈ Rm and existing keywords, makes room for new keywords during
− (r2 /(2v2 σ 2 ))
σ, r > 0,Pr[|z, v| > r; z ∈ Dm
σ ] ≤ 2e . insert operations, and quickly locates keywords during
lookup operations. )e cuckoo filter’s expected insertion
Lemma 3. For any v ∈ Zm , if σ � αv, where α > 0, time complexity is still O(1), although repeated relocations
Pr[(Dm m (12/α+1/2α2 )
; z ∈ Dm − 100 are required. )e insertion process is shown in Figure 3.
σ (z)/Dv,σ (z)) < e σ] �1− 2 .
We can calculate the two candidate buckets for a key-
word through the following formula:
4. Rejection Sampling Theorem
h1 (x) � hash(x), (2)
If f and g are probabilistic distribution functions, there
exists M ∈ R, and f(x) ≤ M · g(x) is satisfied for any x. If h2 (x) � h1 (x) ⊕ hash x′ s fingerprint􏼁. (3)
the sampled points z are taken from the distribution g and a
pair (z, c) is output with probability Pr � (f(z)/(Mg(z))), Cuckoo filter only store fingerprint values instead of
then (z, c) can be regarded as an instance of rejection original values, so equation (2) can ensure that h1 (x) can
sampling, the distribution of the output result is f, and the also be calculated through h2 (x) and the fingerprint. So,
number of times required to output an instance is M. once you know the current bucket k and its fingerprint, you
Some basic properties of rejection sampling theorem: can calculate another bucket by
􏽰����� √����
(1) Pr[z > ω(σ log m ); z∈R D1σ ] � 2− ω log m ; Pr[z > k′ � k⊕hash(fingerprint). (4)
12σ; z∈R D1σ ] < 2− 100 .
􏽰������� )ere are three cases when inserting: the first case is that
(2) ∀z ∈ Zm , σ ≥ log(3m); Dm v,σ ≤ 2
− m+1
.
√�� m − m
both buckets are empty, and then a vacant position is
(3) Pr[z > 2σ m ; z∈R Dσ ] < 2 . randomly selected to insert the item. )e second case is that
only one bucket has a vacant position so directly inserted the
item into this position. )e third case is that neither bucket is
4.1. Blockchain. Blockchain is an important concept of empty; then randomly choose a bucket, swap the item in the
Bitcoin [45], which is essentially a decentralized database bucket with the item to be inserted, and then relocate the
and at the same time serves as the underlying technology of kicked item by equation (3); if the relocated bucket is still not
Bitcoin. A blockchain is a series of data blocks generated by empty, then continue to kick out the original item and
using cryptographic methods, as shown in Figure 2. Each relocate it, and repeat this process until all elements are
block contains information about a Bitcoin network inserted.
transaction used to verify its data’s validity and generate the )e cuckoo filter also supports lookup and delete op-
next block. erations. )e lookup operation only needs to query whether
In a narrow sense, blockchain is a chained data structure the item is in one of the corresponding two buckets. )e
that sequentially combines data blocks according to the time delete operation is similar; remove the item from the cor-
sequence, and a distributed ledger that cannot be tampered responding bucket. )e detailed description of these oper-
with or forged through cryptography. ations can be found in the article [46].
In a broad sense, blockchain technology uses blockchain )e fingerprint-based insert algorithm enables the insert
data structures to verify and store data, uses distributed node operation to use only the bucket’s information, without
consensus algorithms to generate and update data, uses reretrieving keywords. )rough equations (2) and (3), the
cryptography to ensure data transmission and access, and dynamically adding and deleting elements can be realized.
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
6 Security and Communication Networks

Block i – 1 Block i Block i + 1

Prev_hash Timestamp Prev_hash Timestamp Prev_hash Timestamp

Tx_root Nonce Tx_root Nonce Tx_root Nonce

Hash01 Hash23

Hash0 Hash1 Hash2 Hash3

Tx0 Tx1 Tx2 Tx3

Figure 2: )e basic structure of blockchain.

Bucket 0 Bucket 0

1 1 c

x) 2 b 2 b
Relocate
h 1(
3 3
Item x
4 c 4 a

5 5
h2

Relocate
(x
)

6 a 6 x

7 7

(a)
Slot 0 Slot 1 Slot 2 Slot 3 Slot 0 Slot 1 Slot 2 Slot 3
Bucket 0 q w e r Bucket 0 q x e r
1 t y 1 t y
(x)

2 2
1
h

3 u i o p 3 w i o p
Item x
4 a s d f 4 a u d f
5 5
h2

6 g h j k 6 g h j k
(x)

7 7 s

(b)

Figure 3: Illustration of cuckoo filter. (a) Each bucket with one slot. (b) Each bucket with four slots.

)e cuckoo filter application, which has the advantages of (1) Dynamic integrity verification: users may often need
efficient computation and storage, can reduce the storage to update the data uploaded to the CSP. )e pro-
and calculation overhead of the verification process to the posed scheme needs to support dynamic changes of
data integrity verification. data, including support for data insertion, data de-
letion, and data modification.
6. The Proposed Data Integrity (2) Resist quantum attack: with the advent of the
quantum era, lattice cryptography plays an in-
Verification Scheme
creasingly important role in the fields of cryptog-
6.1. Design Goals. In order to complete the data integrity raphy and information security. )e proposed
verification safely and efficiently, our proposed data integrity scheme should be able to resist the attack of quantum
verification scheme should have the following properties: computer and be safe in the quantum environment.
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 7

(3) Trusted audit: when users upload data to the CSP, KeyGen(): )is phase is performed by the user to gen-
their control over the data is greatly reduced, and erate the user’s public key and private key. First, prepare the
traditional data verification methods may not be hash function H distributed on Bnk as the random oracle
applied to the cloud environment. At the same time, model, where Bnk is the set of binary vectors with length n and
the CSP may have the problem of maliciously weight k. )en generate a random matrix S ∈ Zm×n 2q as the
modifying the results of data integrity verification. user’s private key and a matrix A ∈ Zn×m2q as the user’s public
)erefore, the proposed data integrity verification key and the matrix A needs to satisfy
scheme must ensure that the results of data integrity AS � A(− S) � qIn (mod 2q), In represents the n-dimen-
verification are fair and credible. sional identity matrix. )e way to generate the key pair is
easy to implement and the whole process is efficient.
SigGen(): performed by the user. On one hand, the file to
6.2. System Model. Most integrity verification protocols use be uploaded is divided into data blocks to construct the
TPA to communicate the interaction between the user and signature set; on the other hand, Merkle hash tree (MHT)
the CSP, improving data integrity verification efficiency and and cuckoo filter are constructed based on the signature set.
reducing the user’s computing and storage overhead. )e signature process can be specifically divided into the
However, since TPA performs the verification, the reliability following steps.
of TPA is in doubt, and there are potential threats such as
conspiring with CSP to deceive users or fake proof. An ideal Step 1: )e user divides the file equally into blocks of
public audit institution should have the following charac- the same size F � 􏼈F1 , . . . , Fn 􏼉.
teristics: no additional computing and storage costs, no data Step 2: )e user uses random function to generate a
privacy disclosure, and most importantly, fairness and secret value τ and blinds the file blocks with τ,
justice. )erefore, we introduce blockchain as the third- μi � Fi + fτ (i, IDF ), where IDF is the identification of
party audit to replace traditional centralized audit. )e the file and μ is the blinded data.
system is mainly divided into three types of participants.
Step 3: )e user randomly samples vector y1 from the
discrete Gaussian distribution Dm σ and vector y2 from
6.2.1. User. )e user has the ownership of the data files and Dnσ ; set u � Ay1 + y2 .
the local storage space is limited, so user chooses to entrust Step 4: Calculate ci � H(Au mod 2q, μi ), where A is the
the files to the CSP. For the sake of cloud data security, the public key and μ is the message to be signed; calculate
user will check the integrity of the uploaded data from time zi � u + (− 1)b Sci , where b is an element randomly
to time. sampled from the set {0, 1}.
Step 5: )e signature pair (zi , ci ) is output by rejection
6.2.2. CSP. )e CSP has a large storage space and strong sampling theorem with probability
computing capabilities. It makes money by providing (1/(M exp(− ||Sc||2 /2σ 2 )cosh(〈z, Sc〉/σ 2 ))). In partic-
storage and computing services for various users, enabling ular, if the rejection sampling has no output, then the
users to upload and download data anytime and anywhere. signature process will restart from step 2.
But the CSP is only responsible for storing the data and does Step 6: After the signature pair (zi , ci ) is output, the
not ensure data security. user will calculate zi . If zi > B2 or zi∞ ≥ (q/4), then
reject and restart the signature process. Else verify
whether ci � H(Azi + qci mod 2q, μ); if equal, the sig-
6.2.3. Blockchain. A third-party audit platform between the nature generation completes.
user and the CSP is responsible for forwarding and re-
cording the user and the CSP interactions during the data )e signature algorithm adopts the rejection sampling
integrity verification process. When users dispute with CSP, theorem to make the distribution of the signature (z, c)
the blockchain’s records can be submitted to the arbitration independent of the private key S and increase the security of
institution as valid evidence. All participants jointly main- the signature. )en the user needs to build MHT with the
tain the blockchain network, and the behavior of users and signature set Φ � 􏼈ci 􏼉, 1 ≤ i ≤ n as the leaf nodes. Cuckoo
CSP is jointly monitored to ensure the system’s normal filter is also created based on the leaf nodes of the MHT. )e
operation. specific steps to construct the cuckoo filter are as follows.
First, create an empty hash table. )en the two buckets
corresponding to each MHT leaf node according to equa-
6.3. Scheme Details. )e proposed scheme uses the lattice tions (2) and (4) are calculated. After all the nodes have been
signature algorithm to sign the files on the user side, the inserted according to the insertion algorithm, the cuckoo
cuckoo filter is also used to simplify the user verification filter is built.
process, and the blockchain network is introduced to record Upload(): performed by the user and the CSP. After
the interaction between the user and the CSP. )e scheme completing the above operations, the user constructs an
mainly includes six parts: KeyGen(), SigGen(), Upload(), upload request 􏼈upload, IDuser , IDCSP , ts, F, H(F), IDF ,
Challenge(), ProofGen(), and Verify(). )e process is shown Φ, σ user � sign(H(R))}, sends to the smart contract, and
in Figure 4 and the details are given below. then forwards to the CSP, where ts is a timestamp and
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
8 Security and Communication Networks

Upload

...
SigGen Hash
Data blocks Signatures MHT CSP
Upload

Slice data

Challenge

Genproof
KeyGen Upload
User Public key Blockchain

Challenge

Verifyproof
Figure 4: Verification process of the system.

sign(H(R)) is the signature generated by the private key on Step 1: )e user first calculates the signature pair of the
the root node of MHT. Upon receiving the upload request updated file (z∗i , c∗i ) and generates the corresponding
from the user, the CSP first verifies σ user and calculates update request Update � ((M/I/D), i, F∗i , c∗i ), where M
H′ (F) through F to verify whether H′ (F) � H(F). If equal, represents the modify operation, I represents the insert
then it retains F and sends a response 􏼈upload, IDCSP , operation, D represents the delete operation, and F∗i
IDuser , ts, IDF , 1, σ CSP } to �the user through smart contract, represents the updated file.
� �� ��
where σ CSP � sign(IDCSP ��IDuser ��ts‖IDF ��1), 1 means suc- Step 2: )e user constructs the update request
cess and 0 means failure. )e user verifies σ CSP ; if passed, the
􏼈Update, IDuser , ID�CSP , ts,�σ user 􏼉 to the CSP, where
user can delete the local file and the file upload process is � �
σ user � sign(IDuser ��IDCSP ��ts‖Update). After receiving
complete. Otherwise, the file upload fails and the user re-
the request, CSP updates the data on the cloud
starts the upload project.
according to the request. If Update � (M, i, F∗i , c∗i ), the
Challenge(): Performed by the user, the user sends the
CSP replaces Fi with F∗i on the MHT. If
challenge request to the CSP through the smart contract.
Update � (I, i, F∗i , c∗i ), the CSP inserts a new node F∗i
When the user wants to verify the data integrity, a x-element
after the leaf node Fi and updates the MHT, as shown in
subset I � 􏼈s1 , . . . , sx 􏼉 from set [1, n] is randomly selected as
Figure 5. If Update � (D, i, F∗i , c∗i ), the CSP deletes the
the audit request and then a challenge set chal � {i d, I} is
leaf node Fi and updates the MHT, as shown in Fig-
generated. )e user constructs an audit request
ure 6. After the file is updated, the CSP gets a new root
􏼈audit, IDuser , IDCSP , ts, IDF , chal,
�� σ user��􏼉 and ��sends to the node R∗ of MHT and returns the update proof
CSP, where σ user � sign(IDuser ��IDCSP ��ts‖IDF ��chal).
Proof U � 􏼈IDCSP , IDuser , IDF , i, Φ, H(Fi ), R∗ , σ CSP �
ProofGen(): Performed by the CSP. After the CSP re- sign(H(R))} to the user.
ceives the user’s audit request, it first verifies the user’s
signature. If valid, the CSP locates the location of each file Step 3: After receiving the proof, the user first verifies
block, then calculates the corresponding signature the signature σ CSP � sign(H(R)) and then uses
Φ′ � 􏼈c′i􏼉, 1 ≤ i ≤ x with the public key, then constructs the 􏼈IDF , i, Φ, H(Fi ), H(F∗i )􏼉 to calculate whether the
generated root node R′ is the same as R∗ . If equal, the
proof 􏼈IDCSP , IDuser , ts, IDF , F,�Φ′ , σ CSP �� 􏼉, and��sends to the
� update operation is successful, and the user calculates
user, where σ CSP � sign(IDuser ��IDCSP ��ts‖IDF ��Φ′ ). the signature sign(H(R′ )) for the new root node of
Verify(): After the user receives the proof returned by the MHT and sends response 􏼈Update, IDuser , IDCSP , ts, 1,
CSP, the user first verifies the validity of the signature. )en σ user � sign(H(R′ ))} to the CSP.
the lookup operation of cuckoo filter is performed to check
whether all signatures exist in the cuckoo filter. If all sig- Step 4: )e user deletes the deleted files from cuckoo
natures exist in the cuckoo filter, the data integrity verifi- filter and inserts the updated nodes. After the cuckoo
cation is passed; otherwise, the data are compromised. filter update is complete, the file update operation is
complete, and the user deletes the local file.

6.4. Dynamic Operation. Generally speaking, files are not

immutable after being uploaded by users. In practical ap- 6.5. Security Analysis. In 2016, NIST (National Institute of
plications, users will need to update files, such as add, delete, Standards and Technology) released “Report on post-
and modify. So, we use MHT to support dynamic operation. quantum cryptography” [47]. According to the report,
Simultaneously, the proposed scheme reduces the com- due to the rapid development of quantum computing
plexity of the verification process by introducing cuckoo technology, most existing public-key cryptographic
filter, so the dynamic operation of the scheme involves two standards will no longer be secure under quantum
parts. )e first part is the update operation of MHT, and the computing. Up to now, there is no effective polynomial
second part is the update operation of the cuckoo filter. time algorithm that can solve the difficult problem based
)e specific steps to update the file are as follows. on lattice, so the cryptosystem based on lattice can
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 9

h (root) h′ (root)

h (a) h (b) h′ (a) h (b)

h′ (r2)
h (r1) h (r2) h (r3) h (r4) h (r1) h (r3) h (r4)

h (r2) h (ri)

(a) (b)

Figure 5: Insert operation of MHT.

h (root) h′ (root)

h (a) h (b) h′ (a) h (b)

h (c) h (d) h (e) h (f) h (c) h (r4) h (e) h (f)

h (r1) h (r2) h (r3) h (r4) h (r5) h (r6) h (r7) h (r8) h (r1) h (r2) h (r5) h (r6) h (r7) h (r8)

(a) (b)

Figure 6: Delete operation of MHT.

effectively resist quantum attacks. )erefore, our pro- 6.7. Correctness

posed scheme meets the security requirements of post-
quantum cryptography. )en, we will analyze the security Theorem 2. Given the lattice signature pair (z, c) and the
of the proposed scheme. data file f, the verifier can check the correctness of the sig-
nature pair.

6.6. Privacy Proof. Prove the correctness of the signature pair is

equivalent to prove the correctness of the equation
Theorem 1. In the entire integrity verification process, no H(Ay mod 2q, μ) � H(Az + qc mod 2q, μ). So, the correct-
matter who obtains the interaction information between the ness can be proved as follows:
user and the CSP, the user’s private information cannot be
parsed. Az + qc � A􏼐y +(− 1)b Sc􏼑 + qc � Ay +(− 1)b ASc + qc
� Ay + qIn 􏼁c + qc � Ay mod 2q.
Proof. During the verification process, there are three main
parts of the interaction between the user and the CSP. )e (5)
user uploads 􏼈μi , ci , i, i d􏼉 to the CSP, the user sends chal � Hence, H(Ay mod 2q, μ) � H(Az + qc mod 2q, μ), and
{i d, I} to the CSP, and the CSP returns proof to the user. the correctness of the scheme can be proved. □
After the user divides the file into blocks, the data blocks
can be blinded by random mask technology; that is,
μi � Fi + fτ (i, name). )us, no one except the user can parse 6.8. Unforgeability
the original file data. In addition, the user only needs to
upload Φ � 􏼈ci 􏼉, 1 ≤ i ≤ n to the CSP, from the public key, Theorem 3. Assume that there is a polynomial time algo-
and Φ cannot derive any valid information. )e challenge rithm F which makes up to s queries on the signature oracle
information chal � {i d, I} only contains the block number and h queries on the random oracle H, and successfully forge
to be verified, the proof information returned by the CSP is the signature with a nonnegligible probability δ. Een there is
similar to the information uploaded by the user, so valid a polynomial time algorithm that can solve SISq,n,m,β (β �
information cannot be derived from it. 2B2 ) difficult problem.
In summary, secret data will not be disclosed during the
data integrity verification process, and user privacy is Proof. Suppose that c′ � H(Az′ + qc′ mod 2q, μ ) is F’s
guaranteed. □
′
response to the signature query; then we can get that c′ �
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
10 Security and Communication Networks

H(Az + qc′ mod 2q, μ) hold. If μ ≠ μ and z ≠ z′ , then the CPU: Intel Core i7-8750H @ 2.20 GHz
′
probability that the two hash values are equal is infinitely Memory: 16 GB DDR4 2667 MHz
close to 0. )en we can find μ � μ and z � z′ ; thus,
′
A(z − z′ ) � 0 mod 2q. Since z ≠ z′ and z∞′ ≤ (q/4), so z −
HD: 5400RPM Western Digital 1TB HDD
z′ ≠ 0 mod q and z − z′ ≤ 2B2 . )us, there is no such re- OS: Ubuntu 16.04 system.
sponse that can forge the signature. )e algorithm and cuckoo filter are conducted by C
Another situation is that c′ is F’s response to the random programming language with the pairing-based cryptography
oracle query, then we can get c∗ ←Bnk , and the probability (PBC) library version 0.5.14, GNU multiple precision
that the forger uses c′ ≠ c∗ to forge the signature is arithmetic (GMP) library version 6.2.0, and the Openssl
ξ � (δ − (1/|Bnk |)) · ((δ − (1/|Bnk |)/t) − (1/|Bnk |)). )at is, F version 1.0.2n. )e security parameter of the lattice signature
uses the signed data μ to generate the signature pair (c′ , z′ ) is set to λ � 128 bits. )e size of the file to be signed is all
with the probability ξ, and Az + qc′ � Az′ + qc∗ . )en 1 MB. All experimental data are the average result of 100
A(z − z′ ) � q(c′ − c∗ ) mod 2q. Since c′ − c∗ ≠ 0 mod 2q, so experiments. )e blockchain network is conducted on
z − z′ ≠ 0 mod 2q. Since z − z∞′ < (q/2), so z − z′ ≠ 0 mod q. Hyperledger Fabric. Hyperledger Fabric is a leading open
So, the condition cannot be met and the signature cannot be source, general-purpose blockchain structure built for en-
forged. terprises. Since Hyperledger does not require mining, it does
In summary, there is no probabilistic polynomial al- not require strong hardware support, nor consume re-
gorithm that can forge the signature; the proposed scheme sources, and its allowable transactions per minute are much
can resist malicious attacks. □ greater than Ethereum. )e framework of the blockchain we
implemented is shown in Figure 7. )e user and the CSP
7. Security Analysis of Blockchain Network communicate through the smart contract. )e communi-
cation mode is that the user or the CSP first initiates the
Blockchain is a decentralized and untrusted distributed communication request to the smart contract, then the
shared ledger system that combines data blocks in a smart contract writes the request into the ledger and then
chronological order to form a specific data structure. It is broadcasts it to other nodes, and the communication is
cryptographically guaranteed to be tamper-proof and completed after the corresponding node receives.
unforgeable. From a data perspective, blockchain is a
distributed database that cannot be changed in practice. 9. Computational Overhead
Traditional distributed databases only maintain data at a
central server node, and other nodes store only data To evaluate the computational overhead of our scheme, we
backups. )e data storage on the blockchain is completely denote the computational overhead required for the add
distributed; that is, all nodes jointly participate in data operation as Add, the multiply operation as Mul, the hash
maintenance. )e tampered or destroyed data of a single operation as Hash, and the mod operation as Mod. During
node will not affect the data stored in the blockchain. Only the signature generation process, the main calculation op-
more than 51% of the nodes jointly launching an attack can erations are H(Au mod 2q, μ) and u + (− 1)b Sc. Assume that
change the data on the blockchain. )erefore, the data on the file is divided into n file blocks, then the client needs to
the blockchain can be considered immutable to achieve generate n corresponding signatures. Besides, the rejection
secure storage of the data. sampling theorem is used during the signature generation; it
On the other hand, since the blockchain runs auto- needs to repeat the signature generation process M times on
matically, there is no problem with procrastinating auditors, average to output one signature. Hence, the computational
and it is impossible to collude with CSP. )erefore, when cost of the client is 3nMMul + 2nMAdd+
users have disputes with CSP, the records on the blockchain nMMod + nMHash. Assume that the challenge request sent
can be used as valid evidence. Simultaneously, by replacing to the CSP contains c random numbers, then the compu-
TPA with blockchain, users’ sensitive private information is tational cost of CSP is 2cMul + cAdd + cMod + cHash.
accessible only to themselves, which can avoid obtaining
users’ privacy information during the TPA verification 9.1. Communication Overhead. As for the communication
process and guarantee the users’ privacy security. overhead, during the challenge phase, the audit request
In conclusion, using blockchain as the third-party au- {i d, I} contains only numbers representing the file number
thentication platform can ensure availability, security, effi- to be validated, so the communication cost in this phase is
ciency, and user privacy. negligible. During the GenProof phase, the CSP needs to
return the signatures and the relevant files requested by the
8. Experiment Results and Evaluation user, so the communication cost is nlS + nf, where n rep-
resents the number of blocks required in the challenge phase,
8.1. Experiment. )e experiment is running on the com- lS represents the signature length of each file, and f rep-
puter with the following settings: resents the size of the file block.
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 11

Ledger

Smart contract Challenge

Challenge Proof
Proof

Blockchain
network
CSPs Users

Figure 7: )e framework of the blockchain network.

Table 1: Characteristics analysis of different cloud data integrity verification schemes.

Scheme Dynamic operation Privacy protection Resistant to quantum attack Trusted third party
[20] No Yes No No
[21] Yes Yes No No
[24] Yes No No No
[40] No Yes No Yes
Our scheme Yes Yes Yes Yes

9.2. Characteristic Analysis. Table 1 shows the analysis of the meet the normal needs of the system. )en we evaluate the
characteristics of different cloud data integrity verification performance of the signature algorithm. Our method is
schemes. )e proposed scheme uses the blockchain network compared with the BLS signature proposed by Wang et al.
instead of traditional TPA, which solves the untrustworthy [13] and the ZSS signature proposed by Zhu et al. [22]. We
problem of TPA. CSP and blockchain only store files that can conduct experimental comparisons from three aspects:
be disclosed, and only users can access private information. signature generation cost, proof generation cost, and veri-
)e lattice signature scheme is also proposed to enhance the fication cost.
signature security and meet the requirements of resisting )e signature generation time comparison of the three
quantum computing attacks. )e scheme’s efficiency anal- schemes is shown in Figure 9. )e result shows that our
ysis mainly analyzes the lattice signature scheme’s efficiency scheme has a lower computational overhead than the other
and the efficiency of the user’s integrity verification. two schemes in terms of signature generation. Since the BLS
)e characteristic analysis of different lattice signatures signature and the ZSS signature use bilinear mapping, many
is shown in Table 2, where n is the security parameter, m is exponential operations with high computational overhead
the dimension of the lattice, and μ is the length of the data are involved. Our method’s main computational overhead is
block. From the result, we can see that, on the one hand, our multiplication operation, hash operation, and repeated
proposed scheme avoids the use of expensive Gaussian calculations in the signature process caused by the rejection
sampling and improves efficiency. On the other hand, it uses sampling theorem. Although the ZSS signature is optimized
a random oracle model to improve the security of the in many aspects such as more efficient hash operations, our
scheme. In terms of signature length, our scheme’s signature scheme is still more efficient.
length is shorter. Figure 10 shows the comparison result of the proof
generation time. )ere is a linear relationship between the
10. Performance Analysis proof generation time and the number of challenging blocks.
Like the signature generation process, the BLS signature
In this section, we will evaluate the performance of the needs to calculate an exponential operation, a hash opera-
proposed scheme through experiments. We evaluate the tion, and a bilinear mapping operation. However, the
performance of the blockchain network first; Figure 8, re- computational overhead of the ZSS signature in the proof
spectively, shows the throughput and consensus time of the generation stage is higher than that of the BLS signature,
blockchain. since although the ZSS signature does not involve expo-
It can be seen from the results that the blockchain nential calculations, the amount of data to be calculated is
network has a throughput of thousands of transactions per much larger, so it takes the most time. In our scheme, the
second and a consensus time of milliseconds, which can fully proof generation stage only involves multiplication, hash,
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
12 Security and Communication Networks

Table 2: Comparisons of different lattice signature schemes.

Scheme Public-key length Private key length Signature length Whether sampled Random oracle model
[27] (nm + (|μ| + 2)n2 k + n)log q mnk log q m+2nk log q Yes No
[32] nk log q mk log(1 + 2 d) 2m log(12σ) + 2k log b No Yes
[34] (mn + dm)log q m2 log q m log q Yes No
Our scheme nm log 2 q nm log 2 q m log(12σ) No Yes

10000 6.5
Transactions per second

Consensus time (ms)

8000 6.0

6000
5.5

4000
5.0
2000
4.5
0
5 10 15 20 25 5 10 15 20 25
Numbr of nodes Number of nodes
(a) (b)

Figure 8: Performance evaluation of blockchain. (a) )roughput. (b) Consensus time.

20
2.8
18 2.6
Signature generation time (s)

16 2.4
2.2
Proof generation time (s)

14
2.0
12 1.8
10 1.6
8 1.4
1.2
6
1.0
4 0.8
2 0.6
0.4
0
0.2
100 200 300 400 500 600 700 800 900 1000
e number of data blocks 100 200 300 400 500 600 700 800 900 1000
e number of challenged blocks
Our scheme
BLS signature Our scheme
ZSS signature BLS signature
ZSS signature
Figure 9: Comparison of signature generation time.
Figure 10: Comparison of proof generation time.

and modulus operations, and the amount of data to be

calculated is small, so our scheme has better performance. filter, our scheme’s performance is worse than the ZSS sig-
)en we simulate the performance of the three schemes in nature, since the ZSS signature has only bilinear mapping
the verification phase. Besides, we also compare the perfor- operations in the verification phase, and only a series of ad-
mance of our scheme in the verification phase without the dition and multiplication operations are calculated. However,
cuckoo filter. )e comparison result is shown in Figure 11. )e with the introduction of the cuckoo filter, the complex sig-
BLS signature has the worst performance due to the need to nature verification process is simplified to a simple cuckoo filter
calculate many exponential operations. Without the cuckoo lookup process; the verification process only takes a few
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 13

Acknowledgments
2000
)is work was supported in part by the National Natural
Science Foundation of China under Grant 61872134, in part
Verification time (ms)

1500 by the Natural Science Foundation of Hunan Province under

Grant 2018JJ2062, in part by Science and Technology De-
velopment Center of the Ministry of Education under Grant
1000 2019J01020, in part by the 2011 Collaborative Innovative
Center for Development and Utilization of Finance and
500
Economics Big Data Property, Universities of Hunan
Province, in part by the National Key Research and De-
velopment Program of China (2017YFC1703306), and in
0 part by the School Level Project of Hunan University of
100 200 300 400 500 600 700 800 900 1000
Chinese Medicine (2018GL01).
The number of challenged blocks

Our scheme with cuckoo filter

References
Our scheme without cuckoo filter [1] S. Nepal, S. Chen, J. Yao, and D. )ilakanathan, “DIaaS: Data
BLS signature
Integrity as a Service in the Cloud,” in Proceedings of the 2011
ZSS signature
IEEE 4th International Conference on Cloud Computing,
Figure 11: Comparison of verification time. pp. 308–315, IEEE, Washington, DC, USA, 2011.
[2] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage,
milliseconds, which is much lower than other methods. When “Hey, you, get off of my cloud: exploring information
users want to verify the data integrity, they only need to leakage in third-party compute clouds,” in Proceedings of
the 16th ACM Conference on Computer and Communi-
perform a lookup operation of the cuckoo filter to verify
cations Security, pp. 199–212, ACM, New York, NY, USA,
whether the signatures returned by the CSP are in the filter. 2009.
)erefore, compared with the traditional signature verification [3] G. Ateniese, R. Burns, R. Curtmola et al., “Provable data
process, our verification method’s time complexity is just O(1), possession at untrusted stores,” in Proceedings of the 14th
which has a clear advantage in terms of efficiency. ACM Conference on Computer and Communications Security,
pp. 598–609, ACM, New York, NY, USA, 2007.
[4] M. Crosby, P. Pattanayak, S. Verma, and V. Kalyanaraman,
11. Conclusion “Blockchain technology: beyond bitcoin,” Applied Innovation,
With the rapid popularity of cloud storage and the rapid vol. 71, no. 2, pp. 6–10, 2016.
[5] W. S. H. M. W. Ahmad, N. A. M. Radzi, F. S. Samidi et al., “5G
expansion of data on the cloud, ensuring the integrity of the
technology: towards dynamic spectrum sharing using cog-
data on the cloud has also become a classic topic. In this paper, nitive radio networks,” IEEE Access, vol. 8, pp. 14460–14488,
we propose an efficient cloud data integrity verification scheme 2020.
based on blockchain. In our scheme, we use the blockchain [6] J. Su, R. Xu, S. Yu, B. Wang, and J. Wang, “Idle slots skipped
network to solve some shortcomings of the traditional cen- mechanism based tag identification algorithm with en-
tralized audit and improve the efficiency and security of the hanced collision detection,” KSII Transactions on Internet
scheme. On the other hand, based on the assumption of SIS and Information Systems, vol. 14, no. 5, pp. 2294–2309,
problem, our scheme can resist the threat of quantum com- 2020.
puting, and by combining lattice signature and cuckoo filter, [7] J. Su, R. Xu, S. Yu, B. Wang, and J. Wang, “Redundant rule
we also simplify the user verification process, solving part of the detection for software-defined networking,” KSII Transactions
on Internet and Information Systems, vol. 14, no. 6,
problem of the insufficient computing power of users. )e
pp. 2735–2751, 2020.
proposed scheme’s performance is evaluated, and the result [8] X. Jiang, J. Yu, J. Yan, and R. Hao, “Enabling efficient and
shows that the scheme is provably efficient. In future work, the verifiable multi-keyword ranked search over encrypted cloud
closer combination of blockchain and integrity verification data,” Information Sciences, vol. 403-404, pp. 22–41, 2017.
scheme needs to be explored and more comprehensive [9] Z. Zhou, Q. M. J. Wu, Y. Yang, and X. Sun, “Region-level
characteristics of the scheme need to be satisfied. visual consistency verification for large-scale partial-duplicate
image search,” ACM Transactions on Multimedia Computing,
Communications, and Applications, vol. 16, no. 2, pp. 1–25,
Data Availability 2020.
)e data used to support the findings of this study are [10] Z. Zhou, Y. Mu, and Q. M. J. Wu, “Coverless image steg-
anography using partial-duplicate image retrieval,” Soft
available from the corresponding author upon request.
Computing, vol. 23, no. 13, pp. 4927–4938, 2019.
[11] G. Ateniese, R. Di Pietro, L. V. Mancini, and G. Tsudik,
Conflicts of Interest “Scalable and efficient provable data possession,” in Pro-
ceedings of the 4th International Conference on Security and
)e authors declare that there are no conflicts of interest Privacy in Communication Netowrks, pp. 1–10, ACM, New
regarding the publication of this paper. York, NY, USA, 2008.
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
14 Security and Communication Networks

[12] C. C. Erway, A. Küpçü, C. Papamanthou, and R. Tamassia, [28] L. Ducas and D. Micciancio, “Improved short lattice signa-
“Dynamic provable data possession,” ACM Transactions on tures in the standard model,” Advances in Cryptology-
Information and System Security, vol. 17, no. 4, pp. 1–29, CRYPTO 2014, vol. 8616, pp. 335–352, 2014.
2015. [29] J. Alperin-Sheriff, “Short signatures with short public keys
[13] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, from homomorphic trapdoor functions,” IACR International
“Privacy-preserving public auditing for secure cloud storage,” Workshop on Public Key Cryptography, vol. 2015, pp. 236–255,
IEEE Transactions on Computers, vol. 62, no. 2, pp. 362–375, 9020.
2013. [30] D. Yang, C. Xu, L. Xu, and X. Zhang, “Identity-based sig-
[14] E. Zhou, Z. Li, H. Guo, and Y. Jia, “An improved data integrity nature scheme over ideal lattices,” Journal of Cryptologic
verification scheme in cloud storage system,” Acta Electronica Research, vol. 2, no. 4, pp. 26–36, 2015.
Sinica, vol. 42, no. 1, pp. 150–154, 2014. [31] J. Zhang, Y. Chen, and Z. Zhang, “Programmable hash
[15] Y. Zhu, H. Wang, Z. Hu et al., “Dynamic audit services for functions from lattices: short signatures and IBEs with small
integrity verification of outsourced storages in clouds,” “, key sizes,” Advances in Cryptology-CRYPTO 2016, vol. 9816,
ACM, in Proceedings of the 2011 ACM Symposium on pp. 303–332, 2016.
Applied Computing, pp. 1550–1557, ACM, New York, NY, [32] H. Tian, F. Zhang, and B. Wei, “A lattice-based partially blind
USA, 2011. signature,” Security and Communication Networks, vol. 9,
[16] Y. Zhu, G. J. Ahn, H. Hu et al., “Dynamic audit services for no. 12, pp. 1820–1828, 2016.
outsourced storages in clouds,” IEEE Transactions on Services [33] Z. Wang, X. Chen, and P. Wang, “Adaptive-ID secure
Computing, vol. 6, no. 2, pp. 227–238, 2011. identity-based signature scheme from lattices in the standard
[17] K. Yang and X. Jia, “An efficient and secure dynamic auditing model,” IEEE Access, vol. 5, pp. 20791–20799, 2017.
protocol for data storage in cloud computing,” IEEE Trans- [34] Y.-L. Gao, X.-B. Chen, Y.-L. Chen, Y. Sun, X.-X. Niu, and
actions on Parallel and Distributed Systems, vol. 24, no. 9, Y.-X. Yang, “A secure cryptocurrency scheme based on post-
pp. 1717–1726, 2012. quantum blockchain,” IEEE Access, vol. 6, pp. 27205–27213,
[18] J. Ni, Y. Yu, Y. Mu, and Q. Xia, “On the security of an efficient 2018.
dynamic auditing protocol in cloud storage,” IEEE Transac- [35] T. Hardjono and N. Smith, “Cloud-based commissioning of
tions on Parallel and Distributed Systems, vol. 25, no. 10, constrained devices using permissioned blockchains,” in
pp. 2760-2761, 2013. Proceedings of the 2nd ACM International Workshop on IoT
[19] G. Xu, Y. Bai, C. Yan et al., “Check algorithm of data integrity Privacy, Trust, and Security, pp. 29–36, New York, NY, USA,
verification results in Big data storage,” Journal of Computer 2016.
Research and Development, vol. 54, no. 11, pp. 2487–2496, [36] E. Heilman, F. Baldimtsi, and S. Goldberg, “Blindly signed
2017. contracts: anonymous on-blockchain and off-blockchain
[20] W. Shen, J. Qin, J. Yu, R. Hao, and J. Hu, “Enabling identity- bitcoin transactions,” Financial Cryptography and Data Se-
based integrity auditing and data sharing with sensitive in- curity, vol. 9604, pp. 43–60, 2016.
formation hiding for secure cloud storage,” IEEE Transactions [37] X. Liang, S. S. Shetty, D. Tosh et al., ProvChain: Blockchain-
on Information Forensics and Security, vol. 14, no. 2, based Cloud Data Provenance, Blockchain for Distributed
pp. 331–346, 2019. Systems Security, New York, NY, USA, 2019.
[21] A. Li, S. Tan, and Y. Jia, “A method for achieving provable data [38] L. Zhu, Y. Wu, K. Gai, and K.-K. R. Choo, “Controllable and
integrity in cloud computing,” Ee Journal of Supercomputing, trustworthy blockchain-based cloud data management,”
vol. 75, no. 1, pp. 92–108, 2019. Future Generation Computer Systems, vol. 91, pp. 527–535,
[22] H. Zhu, Y. Yuan, Y. Chen et al., “A secure and efficient 2019.
data integrity verification scheme for cloud-IoT based on [39] D. Yue, R. Li, Y. Zhang, W. Tian, and C. Peng, “Blockchain
short signature,” IEEE Access, vol. 7, pp. 90036–90044, based data integrity verification in P2P cloud storage,” in
2019. Proceedings of the 2018 IEEE 24th International Conference on
[23] K. Huang, M. Xian, S. Fu, and J. Liu, “Securing the cloud Parallel and Distributed Systems (ICPADS), pp. 561–568,
storage audit service: defending against frame and collude IEEE, New York, NY, USA, 2018.
attacks of third party auditor,” IET Communications, vol. 8, [40] H. Wang, Q. Wang, and D. He, Blockchain-Based Private
no. 12, pp. 2106–2113, 2014. Provable Data Possession, IEEE Transactions on Dependable
[24] Y. Wu, X. Lin, X. Lu, J. Su, and P. Chen, “A secure light-weight and Secure Computing, New York, NY, USA, 2019.
public auditing scheme in cloud computing with potentially [41] Y. Zhang, C. Xu, X. Lin, and X. S. Shen, “Blockchain-based
malicious third-party auditor,” IEICE Transactions on In- public integrity verification for cloud storage against pro-
formation and Systems, vol. E99.D, no. 10, pp. 2638–2642, crastinating auditors,” IEEE Transactions on Cloud Com-
2016. puting, vol. 23, p. 1, 2019.
[25] D. Xiao, L. Yang, B. Sun, and S. Zheng, “Provable data [42] J. Tian and T. Li, “Data integrity verification based on model
possession system for realistic cloud storage environ- cloud federation of TPA,” Journal on Communications,
ments,” Journal of Software, vol. 27, no. 9, pp. 2400–2413, vol. 39, no. 8, pp. 113–124, 2018.
2016. [43] B. Liu, X. L. Yu, S. Chen, X. Xu, and L. Zhu, “Blockchain based
[26] X. Boyen, “Lattice mixing and vanishing trapdoors: a data integrity service framework for IoT data,” in Proceedings
framework for fully secure short signatures and more,” of the 2017 IEEE International Conference on Web Services
Public Key Cryptography-PKC 2010, vol. 6056, pp. 499–517, (ICWS), pp. 468–475, New York, NY, USA, 2017.
2010. [44] P. Wei, D. Wang, Y. Zhao, S. K. S. Tyagi, and N. Kumar,
[27] D. Micciancio and C. Peikert, “Trapdoors for lattices: simpler, “Blockchain data-based cloud data integrity protection
tighter, faster, smaller,” Advances in Cryptology-EUROCRYPT mechanism,” Future Generation Computer Systems, vol. 102,
2012, vol. 7237, pp. 700–718, 2012. pp. 902–911, 2020.
 2037, 2021, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2021/9921209, Wiley Online Library on [19/06/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 15

[45] S. Nakamoto, “Bitcoin: A Peer-To-Peer Electronic Cash

System,” Manubot, vol. 23, 2019.
[46] B. Fan, D. G. Andersen, M. Kaminsky, and
M. D. Mitzenmacher, “Cuckoo filter: practically better than
bloom,” in Proceedings of the 10th ACM International on
Conference on Emerging Networking Experiments and Tech-
nologies, pp. 75–88, ACM, New York, NY, USA, 2014.
[47] L. Chen, S. Jordan, Y. K. Liu et al., Report on Post-quantum
Cryptography, National Institute of Standards and Technol-
ogy, New York, NY, USA, 2016.