Page 79 - Read Online

P. 79

Page 72 Jiang et al. J Surveill Secur Saf 2020;1:61-78 I http://dx.doi.org/10.20517/jsss.2020.09

Therefore, Equation (6) holds.

s
Note that, χ j ∑ i ⋅ χ = , ij mod q for all ∈j [1, ]s and
∈ iI
σ = ∏ σ i i s
∈ iI
s
= ∏ KAB i s ⋅ ∏ ((H 4 Λ ll FID lli )⋅ � ∏ u χ , ij ) ) i s
� FID i
ϑ t
(Λ
j
∈ iI
∈ iI j = 1
= (g 2 a ) ∑ ∈ i s ⋅ H 2 (K AB ) ∑ i I ∈ i I i s ( ⋅ ∏ 4 (Λ � H Λ ll FID lli ) ⋅ FID i i s ∏ s u ∑ j i I ∈ i s χ , ij ) ϑ t
�
∈ j = iI 1
It follows that:
a
( ,)σ g = e ( e g g ∑ ∈ i s ⋅ ( e H 2 (K AB ),) g ∑ i I ∈ i I i s ⋅ (( ∏ 4 Λ ll FID lli ) ⋅ � H i s ∏ s u ∑ j i I ∈ i s χ , ij ),) g ϑ t
,)
(Λe
� FID i
2
∈ j = iI 1
s
� FID i
,
(Λ
= ( e g g 1 ) ∑ ∈ i s ⋅ ∑ i I ∈ i I i s ⋅ KP ( e H Λ ll FID lli ) , g t ϑ ) i I ∈ i s i s ⋅ ( e ∏ u χ j , g t ϑ ∑ )
�
4
2
j
= j 1
s
= ( e g g 1 ) ∑ ∈ i s ⋅ KP ∑ i I ∈ i I i s ⋅ ⋅WP ( e ∏ u χ j , g ϑ t )
,
2
j
= j 1
Theorem 2: Here, we suppose that the signature algorithm is efficient and secure, and can generate file tags
validly and correctly. And it is supposed that the Computational Diffie-Hellman (CDH) assumption holds
in bilinear groups. The identity-based one-way anonymous scheme is secure against adaptive simulation.
In detail, neither an untrusted cloud server nor the adversary can forge a valid proof to get through the
verification of the auditor successfully if the data in the cloud is tampered with or corrupted.
Proof: We utilize the theory of knowledge proof and a series of security games to prove this theorem which
can acquire the challenged data blocks in the aforementioned game. When the adversary interacts with
the challenger and generates a valid proof P, adversary can successfully pass the verification for the
challenged data blocks in the aforementioned game; there is a constructed knowledge extractor that can
capture the challenged data blocks. It is assumed that the adversary can get through the TPA’s verification
successfully without keeping the outsourced file integrity. Then, we can capture the whole challenged data
blocks through the interaction between the constructed knowledge extractor and the proposed scheme.
Game 0: The challenger and the adversary behave in Game 0 in a manner similar to that described in
Section 4. First, the challenger executes the preprocessing Setup algorithm to obtain the public parameter
PP and a master secret key msk, and then sends PP to the adversary . Next, performs the KeyGen
algorithm to obtain the secret key of user. Then, picks a list of data blocks and queries the signatures of
them. According to the queries, executes the Extract algorithm to generate corresponding signatures for
the data blocks and transmit these requested signatures to the . After that, sends a challenge to , and
generates corresponding proof to . Finally, succeeds and the game aborts if the proof can get through
the verification of successfully with non-negligible probability.

Game 1: This game is identical to Game 0 with one difference. The challenger keeps a list of query
records about the requested signature of . If the adversary is able to yield a aggregate signature, which
is valid under the verification of the challenger and is not generate by , the game aborts and the
adversary succeeds.

Analysis: It is supposed that wins in the Game 1 with non-negligible probability. With this in mind,
we can construct a simulator in our scheme to solve the CDH problem in bilinear groups. Given a group
α
G with prime order q , ,gg α , ∈h G as input, the simulator is to generate h by interacting with . The
simulator acts like the challenger and runs as follows:

74 75 76 77 78 79 80 81 82 83 84