Blockchain-Based Data Auditing Protocol with Signcryption Scheme in Cloud Storage

Ⅰ. Introduction

With various organizations’ increasing adoption of cloud computing, ensuring data integrity has emerged as a critical concern. Cloud Service Providers (CSPs) offer users convenient options for storage and processing, but they simultaneously pose a noteworthy threat to the integrity of user data. As the users host their data to the cloud storage, they cannot monitor their data integrity continuously. Furthermore, CSP might face internal or external hazards leading to a breach in the security of stored data.

Data integrity in cloud storage refers to data reliability. Data integrity violations are also termed breaches or tampering with users’ data that can cause critical issues to data trust. In fact, tampering with data can go unnoticed and fuel malevolent actions by removing individual entries (i.e., eliminating unwanted traces) or modifying specific chunks of data (i.e., affecting the behavior of data consumers)^[1]. Kaspersky Lab discovered a large cyber-attack that stole money from account balances at more than 100 financial institutions globally, with an estimated worth of almost $1 billion^[2]. Due to the fact that integrity violations are difficult to detect and highly effective, it make clear how crucial it is to provide data integrity auditing protocol in cloud computing.

In the traditional auditing protocol, the user utilizes a Third-Party Auditor (TPA) to become a verifier that verifies data integrity stored in cloud storage^[3]. Because stored data may be enormous, it is impractical and inefficient for the verifier to download the user’s data beforehand during data auditing. Further, the verifier might not have sufficient computation resources. More importantly, there is no assurance of neutral data auditing, and thus endangers users’ privacy. Numerous research studies have been carried out to offer auditing protocols for cloud systems. Refs. [4,5] proposed an identity-based signcryption, and Ref. [6] proposed a signcryption scheme based on elliptic curve. Unfortunately, those signcryption schemes did not provide important properties needed in data auditing protocol: public verifiability, privacy-preserving, and blockless verification. Refs. [7-10] delivers a public verifiability property to their works. Nevertheless, it lacks privacy-preserving and blockless verification in the auditing process. The user must forward the original data to the verifier, threatening the user’s data privacy. It means the verifier must download the data first, which is counterproductive. The privacy of the user’s data is threatened since the user must send the original data to the verifier.

To tackle this difficulty, this paper suggests a protocol for auditing cloud data using blockchain and a signcryption method. Our approach utilizes the reliability and transparency of blockchain technology to empower users to authenticate their data’s consistency, which is saved in cloud-based storage. Through the utilization of signcryption, this protocol guarantees not only encryption but also authentication of data prior to transmission into the cloud. This feature serves as an extra level of security for safeguarding sensitive information.

The remainder of the paper is organized as follows. This paper first describes preliminaries in Section Ⅱ. Then, this paper presents the proposed auditing protocol in Section Ⅲ. Discussion and security analysis about the proposed scheme equations’ correctness, unforgeability from malicious CSP and verifier, computational and communication cost, and comparative analysis of the proposed scheme will be presented in Section Ⅳ. Finally, Section Ⅴ presents the paper’s conclusion.

Ⅱ. Preliminaries

2.1 Bilinear Pairings

Let [TeX:] $$G_1$$ be a cyclic additive group, and [TeX:] $$G_2$$ be multiplicative cyclic groups with prime order p, P is the generator of the group [TeX:] $$G_1$$. The mapping e : [TeX:] $$G_1 \times G_2 \rightarrow G_2$$ is a bilinear map with the following properties:

1. Bilinearity: [TeX:] $$e(a P, b Q)=e(P, Q)^{a b}$$ and [TeX:] $$e(P + R, Q)=e(P, Q) \cdot e(R, Q) \forall P, Q, R \in G_1, a,b \in Zp.$$

2. Computability: There is an efficient algorithm to compute [TeX:] $$e(P, Q) \forall P, Q \in G_1 .$$

3. Non-degeneracy: There exists [TeX:] $$P \in G_1 .$$ such that [TeX:] $$e(P, P) \neq 1.$$

This paper considers the following problems in the additive group [TeX:] $$G_1.$$

· Discr ete Logar ithm Problem (DLP): Given two group elements P and Q, find an integer [TeX:] $$n \in Z_p^*,$$ such that Q = nP whenever such an integer exists.

· Computational Diffie-Hellman Problem(CDHP): For [TeX:] $$a, b \in Z_p^*,$$ given P, aP, bP, compute abP.

There are two variants of CDHP:

· Inver se Computational Diffie-Hellman Problem (Inv-CDHP): For [TeX:] $$a \in Z_p^*,$$ given P, aP, compute [TeX:] $$a^{-1}P.$$

· Squar e Computational Diffie-Hellman Problem (Squ-CDHP): For [TeX:] $$a \in Z_p^*,$$ given P, aP, compute [TeX:] $$a^2 P.$$

2.2 ZSS Signcryption

C. Ma^[9] proposed a signcryption scheme that provides public verifiability for data auditing.

· ComGen. Given the security parameters k and n. Two cyclic groups [TeX:] $$\left(G_1,+\right) \text { and }\left(G_2, \cdot\right)$$ of the same prime order [TeX:] $$p \gt 2^k,$$ a generator P of [TeX:] $$G_1,$$ a bilinear map [TeX:] $$e: G_1 \times G_1 \rightarrow G_2,$$ three hash functions [TeX:] $$H_1:\{0,1\}^* \rightarrow Z_p, H_2: G_1^3 \rightarrow \{0,1\}^n,$$ and [TeX:] $$H_3:\{0,1\}^k,$$ and an symmetric encryption scheme (E, D). Then, [TeX:] $$I=\{\left.k, n, G_1, G_2, P, e, H_1, H_2, H_3, E, D\right\}.$$

· KeyGen. Every user picks his private key [TeX:] $$SK_U$$ from [TeX:] $$Z_P^*$$ randomly and uniformly. Then, he computes his public key [TeX:] $$P K_U=S K U_P.$$

· Signcrypt. Given a message [TeX:] $$m \in\{0,1\}^*,$$ the recipient’s public key [TeX:] $$P K_R$$ and the sender’s private key [TeX:] $$S K_S.$$ The sender computes:

- pick [TeX:] $$r \xleftarrow{R} \{0,1\}^n$$ and compute [TeX:] $$u=\left(H_1(m)\right.+SK_S+r)^{-1}$$ mod p.

- compute [TeX:] $$U=u P \in G_1, V=r \oplus H_2\left(U, P K_R,uPK_R\right.)$$ and then [TeX:] $$W=E_{\mathrm{k}}\left(m / / P K_S\right)$$ where [TeX:] $$\kappa=H_3(r).$$

Finally, form the signcryptext C = (U,V,W).

· Unsigncrypt by recipient upon receiving (U,V,W).

- parse C as (U,V,W) and compute [TeX:] $$r=V \oplus H_2\left(U, P K_R, S K_R U\right).$$

- compute [TeX:] $$m / / P K_S=D_{\mathrm{k}}(W)$$ where [TeX:] $$\kappa=H_3(r) .$$

- if [TeX:] $$e\left(U,\left(H_1(m)+r\right) P+P K_S\right)=e(P, P)$$, then return the message m; otherwise return [TeX:] $$\perp$$ means unsigncryption failure.

· Public Ver ifiability. The recipient wants to prove that the sender signcrypted a message m to the trusted third party (TTP). So, the recipient forwards [TeX:] $$\left(m, U, r, P K_S\right)$$ to the TTP. Then, TTP accepts the proof if this equation is valid [TeX:] $$e\left(U,\left(H_1(m)+r\right) P+P K S\right)=e(P, P).$$

ZSS signcryption by [9] gives the public verifiability property. Unfortunately, it lacks three other desirable properties, privacy-preserving, blockless verification, and reliable verifier. The user must send the original message m to the TTP first. As a result, the TTP might obtain user information. Second, the author added the random value r in the ZSS signature generation. As a result, the user must also provide the TTP with the r value. The TTP is harmful because of its ability to construct a symmetric encryption key, [TeX:] $$\kappa \text {, using } H_3(r) \text {. }$$ Thus, the TTP might decrypt the original message m, threatening data privacy. Third, it is inefficient for the verifier to download message m for data auditing, especially if message m is a sizable file. Therefore, this paper proposed an improved version of the ZSS signcryption scheme that provides four properties in data auditing, public verifiability, privacy-preserving, blockless verification, and reliable verifier.

Ⅲ. Proposed Scheme

This section explains a blockchain-based data auditing protocol with a ZSS signcryption scheme for cloud storage. This paper adopted the signcryption from [9]. In [9], the author also gives a public verifiability property. However, his work lacks privacy-preserving, blockless verification, and a reliable verifier during auditing because the user needs to deliver the original message m to the verifier. By doing so, users’ data privacy would be disclosed to the verifier. Therefore, this paper gives three additional advantages besides public verifiability important for data auditing protocol: privacy-preserving, blockless verification, and reliable verifier.

This paper picked the ZSS signature because it required less pairing operation than other short signatures, such as the BLS signature^[11]. Furthermore, ZSS does not need a particular hash function, i.e., MapToPoint, used in BLS. Users can use a general hash function such as SHA family or MD5^[11]. In the proposed protocol, a user will store a file in CSP. First, he will compute a Signcrypted data σ. Then, he will send σ to the CSP. Before CSP stores data in their storage, it will unsigncrypt the σ. This paper provides a list of notations used for the remainder of this chapter in Table 1 and describes the detailed process as follows.

3.1 Setup Phase

· Par amGen. Given security parameter b and d. Let [TeX:] $$G_1$$ be a cyclic additive group, [TeX:] $$G_2$$ be multiplicative cyclic groups with prime order p, and P be the generator of group [TeX:] $$G_1.$$ The bilinear mapping [TeX:] $$e: G_1 \times G_2 \rightarrow G_2,$$ three hash functions [TeX:] $$\text { Hash }_1:\{0,1\}^* \rightarrow Z_p, \text { Hash }_2: G^{3_1} \rightarrow \{0, 1\}^d$$ and [TeX:] $$\text { Hash }_3:\{0,1\}^d \rightarrow \{0, 1\}^b,$$ and symmetric encryption scheme (Enc, Dec). Therefore the system parameters are [TeX:] $$\left\{b, d, G_1, G_2, P, e, \operatorname{Hash}_1, \operatorname{HaSh}_2, \operatorname{HaSh}_3, E n c, Dec\right\} .$$

· KeyGen. Sender chooses a random number from [TeX:] $$Z_p,$$ sets it as his secret key [TeX:] $$SK_S,$$ and computes his public key [TeX:] $$P K_S=S K_S P .$$ The recipient chooses a random number from [TeX:] $$Z_p,$$ sets it as his secret key [TeX:] $$SK_R,$$ and computes his public key [TeX:] $$P_K R=S K_R P.$$

· Signcryption. User as sender S generated a signcryption σ for each message m as follows.

1. Generates [TeX:] $$v=\left(H a s h_1(m)+S K_S\right)^{-}_1.$$

2. Choose [TeX:] $$r \xleftarrow{R}\{0,1\}^d$$ and generates V = vP, [TeX:] $$X=r \oplus \operatorname{Hash}_2\left(V, \quad P K_R, \quad v P K_R\right).$$ Then, generates [TeX:] $$k=\operatorname{Hash}_3(r),$$ a symmetric encryption key. So, [TeX:] $$Y=\operatorname{Enc}_k(m).$$

3. Therefore the signcryption σ = (V,X,Y) where V is a ZSS signature of message m, X is the randomness of encryption key generation, and Y is the encryption of message m.

· Unsigncryption. After receiving σ = (V, X,Y ) from the sender S, the recipient R start unsigncryption process.

1. R parse σ to get (V, X,Y ).

2. Computes [TeX:] $$r=X \oplus \operatorname{Hash}_2\left(V, P K_R, V S K_R\right)$$ and [TeX:] $$k=\operatorname{Hash}_3(r).$$

3. Decrypt Y to get message m. So, [TeX:] $$m=\operatorname{Dec}_k(Y).$$

4. If the Equation (1) holds, unsigncryption success; otherwise, R rejects σ from the sender.

To add randomization to the signature generation process, the author of [9] inserts a random variable r . The consequence is the user must provide the verifier the r . As explained earlier, this presents a concern since r can create a symmetric encryption key using the [TeX:] $$\operatorname{Hash}_3(r)$$ function. In this way, the verifier threatens data privacy by being able to decrypt the original message. Different from [9], by removing the r , the proposed scheme prevents leakage of the encryption key to the verifier. Furthermore, the original message m will not be passed to the verifier during auditing in the proposed scheme. So, it assures data privacy and increases verification efficiency because the verifier does not need to download the original message m beforehand.

3.2 Store File Phase

This phase explains storing the user’s data in the CSP. The user and CSP are involved, as shown in Fig. 1. This paper presents details as follows.

Fig. 1.

Store File Scheme.

1. User divided data F into n shards of m. [TeX:] $$F=\left\{m_1, \quad m_2, \quad m_3, \quad \ldots, \quad m_n\right\}.$$ The user does a signcryption process for each data shard and generates [TeX:] $$\sigma_i,$$ where i is the index of each data shard. Therefore the Signcryption [TeX:] $$\sigma_i=\left(V_i, X_i,Y_i\right) .$$ Set of signcrypted data is [TeX:] $$\text { Sign = }\left\{\sigma_1, \sigma_2, \sigma_3, \quad \ldots, \quad \sigma_n\right\}$$. Then, the user stores a set of signcryption Sign to the CSP.

2. User stores set of Signature [TeX:] $$S n=\left\{V_1, V_2, V_3, \dots,V_n\}\right.$$ to the smart contract.

3. CSP verify data from user by parsing each [TeX:] $$\sigma_i$$ to [TeX:] $$(V_i, X_i, Y_i)$$

4. CSP get Sign from the smart contract.

5. Then CSP does the unsigncryption process and compares [TeX:] $$V_i$$ from the smart contract and the user. If equal, store the user’s data; otherwise, reject it.

3.3 Data Auditing Phase

In the data auditing phase, three entities are involved: user, CSP, and verifier, as shown in Fig. 2. The user has stored data in the CSP storage. Then, he wants to check his data integrity by publishing an auditing task to the smart contract. Then, other users that joined the blockchain network can be the verifier by applying to the smart contract. The appointed user becomes the verifier for the corresponding auditing task. Then, the verifier generates a challenge variable and sends it to the corresponding CSP. After receiving the challenge from the verifier, CSP generates proof and sends it to the verifier. Next, the verifier will verify whether the proof given by CSP is correct through the validity of an equation. The details are described as follows.

Fig. 2.

Data Auditing Protocol.

1. When the user wants to verify his stored data in CSP, he publishes an auditing task to the smart contract. This task will be broadcast so anyone who joins the blockchain network can get this notification.

2. Other users who want to become verifiers apply to a smart contract for the corresponding auditing task.

3. Smart contract will check the credibility points and current deposit of the applied verifier. It will choose a user with high credibility points and send the file that will be verified to the verifier.

4. Then user generates a set of random numbers [TeX:] $$\{i\}_{i \in I}$$ for the auditing task, where i is the index of stored challenged data shard. Then, he sends those random numbers and also the set of Signature of the challenged data shards [TeX:] $$Sn = \left\{V_i\right\}_{i \in I}$$ to the verifier.

5. Upon receiving request from user, verifier choose randomly [TeX:] $$f_i$$ from [TeX:] $$Z_p$$ and generates a challenge [TeX:] $$\text { chal }=\left\{i, f_i\right\}_{i \in I}$$. Then send chal to the corresponding CSP.

6. After receiving chal from verifier, CSP computes [TeX:] $$r_i=X_i \oplus \operatorname{Hash}_2\left(V_i, P K_R, V_i S K_R\right).$$ Then he can computes [TeX:] $$k_i=\operatorname{Hash}_3\left(r_i\right)$$ to decrypt [TeX:] $$Y_i.$$ Therefore [TeX:] $$m_i=\operatorname{Dec}_{k i}\left(Y_i\right) .$$ After that, CSP generates proof δ and sends it to the verifier.

7. Verifier get the Sign from the smart contract.

8. Then the verifier generates proof ω.

Subsequently, the verifier checks whether Equation (4) holds. If it holds, CSP successfully proves the user’s data integrity; otherwise, CSP failed, and the auditing task also failed.

9. Finally, the verifier reports the auditing results to the smart contract. The smart contract will broadcast the result to the network and update the credibility points and balance for the corresponding auditing task’s participants.

3.4 Credibility Points and Incentive Mechanisms

This paper aims to attract verifiers to participate in auditing tasks by proposing credibility points and incentive mechanisms. This mechanism also could prevent arbitrary behavior by penalizing its actors who do not comply with the rules.

· Users, verifiers, and CSPs must register themselves to the smart contract. To participate in the process, users, verifiers, and CSPs need to stake/ make a deposit as a guarantee. In the case of dishonest/malicious behavior, their deposit will be decreased.

· They will be given initial credibility points. This point shows the credibility of each actor. The higher the points means, the actor more credible and trustable.

· Each actor that does their job faithfully will be given additional points and incentives as a reward; otherwise, they will get penalty points and deduct their deposit.

· In the case of a user, if the user does something malicious, for example, deceiving the verifier/ CSP, the user will get a penalty by decreasing the credibility points and deposit.

· In the case of the verifier, if the verifier does their job faithfully during the auditing task, they will get additional points. Otherwise, their points will be decreased.

· CSPs also will be given credit points that show their credibility. If CSPs fails to prove users’ request, their credit points will decrease.

· If their deposit is 0, they cannot participate in any process. They will get suspended for several amounts of time.

Ⅳ. Evaluation and Security Analysis

4.1 Correctness

Below is the correctness proof of the signcryption scheme shown in Equation (1).

Below is the correctness proof of the data auditing protocol shown in Equation (4).

4.2 Unforgeability

This paper presents an unforgeability of two cases in the proposed protocol, malicious CSP cannot forge proof δ to deceive the verifier, and malicious verifier cannot forge the auditing results.

· Malicious CSP.

Malicious CSP cannot forge proof δ because every time the verifier sends a challenge, a random value f will be given in the chal variable. CSP will generate proof δ based on f from the verifier as shown in Equation (2), and value f is different for each data shard. Even we further assume that malicious CSP forges δ, namely [TeX:] $$\delta \neq \delta^{\prime} .$$ The auditing process done by the verifier in Equation (4) shows that the verifier must validate [TeX:] $$\delta^{\prime}$$ with two other variables, the sender’s public key [TeX:] $$PK_S$$ and proof ω generated by the verifier, which also consists of f value. Therefore, the [TeX:] $$\delta^{\prime}$$ cannot make Equation (4) hold. Another case is when a malicious CSP tries to deceive the verifier by replacing challenged data block [TeX:] $$m_j$$ with another data block mk when the former data block is broken. Accordingly, the proof [TeX:] $$\delta^{\prime}$$ becomes

So, the Equation (4) can be represented as

Hence, [TeX:] $$\operatorname{Hash}_1\left(m_k\right)=\operatorname{Hash}_1\left(m_j\right)$$ However, [TeX:] $$\operatorname{Hash}_1\left(m_k\right)$$ cannot be equal to [TeX:] $$\operatorname{Hash}_1\left(m_j\right)$$ due to the anti-collision property of the hash function. Therefore, it is infeasible to make Equation (6) hold, and the proof from CSP cannot pass the auditing process.

· Malicious Ver ifier .

The malicious verifier cannot forge auditing results because the verifier must generate proof ω that requires V, which is a signature generated by the user as shown in Equation (3). The V values are stored in the smart contract, which is very difficult to be tampered with. Even if we further assume that the malicious verifier forges proof ω, to generate variable V , the malicious verifier needs the user’s private key [TeX:] $$SK_S$$ and original message [TeX:] $$m_i.$$ The proposed scheme provides privacy-preserving and blockless verification properties, meaning the verifier can verify the data without receiving the original message [TeX:] $$m_i$$ from the user or CSP. So, without the possession of those two variables, [TeX:] $$SK_S \text{ and } m_i,$$ it is impossible to generate a forged [TeX:] $$m_i^{\prime}$$ and make equation [TeX:] $$\left(\operatorname{Hash} 1\left(m_i^{\prime}\right)+S K_S\right)^{-1} P=\left(\operatorname{Hash}_1\left(m_i\right)+S K_S\right)^{-1} P$$ holds. Both malicious CSP and verifier cannot calculate the user’ s private key from the public key under the InvCDHP assumption. Furthermore, in the auditing process, the verifier needs to validate ω with two other variables, the sender’s public key [TeX:] $$PK_S$$ and proof δ generated by CSP as shown in Equation (4). Therefore, it is infeasible to make equation [TeX:] $$e\left(\delta, \omega^{\prime}\right)=e(P, P)$$ holds, where [TeX:] $$\omega^{\prime} \neq \omega$$

4.3 Computational Cost

To analyze the proposed scheme performance, this paper compares the scheme’s computational cost with four other signcryption schemes in Table 2. This part will discuss several aspects: signature type, computational cost, signature size, and time complexity. First, signature type. The proposed scheme and [9] use the ZSS signature scheme. While [12] uses the BLS signature and [13], [14] uses the attribute-based signature. The ZSS signature is more efficient because it has fewer pairing operations than the BLS signature used in [12]. In addition, the ZSS signature does not need a particular hash function like in the BLS signature (i.e., MapToPoint). It can use a general hash function like the SHA family or MD5.

The second is computational cost. Table 2 also shows costs for the sender and recipient that compute signcryption and unsigncryption, respectively. The pairing and exponential operations are considered highcost operations. Unfortunately, the attribute-based signature required more exponential operations than other schemes. In the [13], the sender needs to do nine exponential operations, and in [14], the sender requires eight exponential operations. Unlike the two previous schemes, the BLS-based signature in [12] required the sender to do fourteen multiplication and two pairing operations.

However, in the proposed scheme, the computational cost for the sender is 1Exp + 1Inv + 1Mul + 1Add + 3Hash, and for the recipient is 1Add + 2Hash + P. The sender needs to do fewer exponentiation and multiplication operations than other schemes. The recipient also has fewer operations when doing an unsigncryption scheme. Furthermore, in the unsigncryption scheme, the bilinear pairing of e(P, P) can be precomputed. So, there is only one pairing operation. In addition, even though the proposed scheme has more hash operations, the cost hash function is negligible compared to the other operations. Nevertheless, the computational cost is the same as the based reference, which is [9].

S = Sender, R = Recipient, n = number of message, Add = addition, Hash = hash function, Mul = multiplication, Inv = Inverse, Exp = exponentiation, P = Bilinear Pairings, n/ a = not available.

Another variable to measure the proposed scheme performance is to analyze the signature length and time complexity. Regarding signature length, the BLS signature size is approximately 160 bits^[15], while ZSS is around 260 bits^[9]. The bigger the signature size, the longer the time needed to complete signcryption or unsigncryption. In terms of time complexity, the proposed scheme and four other schemes have linear time complexity (O(n)), except the recipient part in [13] that has constant time complexity (O(1)). The former indicates that the time in this instance, relies on the input n. The greater the value of n, the longer the required time. The latter shows that the required time is always constant and does not depend on the input variable.

The discussion above shows that^[12] has a shorter signature size but a high computational cost. The proposed scheme and [9] have lower computational costs than [12], but this paper has a more extended signature size. However, with those conditions, the proposed scheme offers more advantages than other schemes. The trade-off is this paper can achieve desirable properties in the data integrity auditing process, public verifiability, privacy-preserving, blockless verification, and reliable verifier. More importantly, the proposed scheme can accomplish three more properties with the exact cost as the primary reference [9].

4.4 Communication Cost

This section presents the communication cost comparison between the proposed scheme and the primary reference^[9]. Communication cost is the amount of data transfer involved in a protocol. For the proposed scheme, this paper measures the communication cost of the data auditing scheme presented in Fig. 2. Bits are used as the measurement unit. Three entities that interacted in the proposed protocol are the user, CSP, and verifier. In Table 3, there are five interactions among entities in the proposed scheme: send signcryption, send challenged data shards, send proof δ , send chal, and send verification results. All of those messages are unicast messages.

Note : the measurement unit is in bits, n = number of data shards, c = number of challenged data shards.

In the proposed scheme’s auditing process, file F is divided into n shards of m. To give a practical example in the analysis, this paper denotes the size of file F the same as that is used in [16], which is 40M. Then, file F is divided into 10,000 data shards, so each size of [TeX:] $$m_i$$ is 4kb = 32,000 bits, where i is the index of data shards. When the user asks a verifier to do the auditing process, he randomly sends several challenged data shards; this paper denotes it as c. Assuming c is half of n, c is 5,000 data shards. Therefore, according to Table 3, the total communication cost for all entities in the proposed scheme is 2,147kb. While in [9] scheme, entities have three interactions: send signcryption, forward parameters ([TeX:] $$m_i$$, U, r, PKs), and return mi. All of those messages are unicast messages. This paper denotes values n and c, the same as in the previous example. Therefore, the total communication cost for all entities in [9] is 41,417kb.

The results show that the total communication cost in the proposed scheme is lower than^[9]. This paper provides blockless verification that allows the auditing process to happen without accessing the original message. In contrast, the communication cost in [9] is higher because the user and CSP must send an original message shard [TeX:] $$m_i$$. This scheme’s communication cost depends on the size of [TeX:] $$m_i$$. For the example, the size of [TeX:] $$m_i$$ is 32,000 bits. As a result, in this case, the total communication cost of [9] is almost twenty times higher than ours. Nevertheless, the proposed scheme offers a cheaper communication cost than [9].

4.5 Comparative Analysis

In this section, this paper presents an analysis of the compatibility of the proposed scheme with the three desirable properties. Also, this paper compares the proposed scheme with four other works related to data auditing using the signcryption schemes in Table 4 as follows.

· Public Ver ifiability.

The proposed scheme provides the public verifiability property shown in Equation (4), where this paper presented a use case in which a verifier can verify data stored in CSP. So the user has the option to choose someone other than CSP to carry out the data integrity checking process. The comparison with four other works in Table 4 shows that only [9] fulfilled this property. Unfortunately, only the authorized receiver may verify the data in [12-14] since their protocols did not allow other parties to verify saved data.

· Privacy-preserving.

The proposed scheme can ensure that the verifier cannot know the users’ data during auditing. As shown in Equation (2), CSP sends proof δ to the verifier that is generated not from the user’s original data. In addition, the verifier only computes the message’s signature [TeX:] $$V_i$$ during Equation (3) creation, not the original data. Therefore, the proposed scheme can prevent data leaks to the verifier during auditing. The other works that provide this property are [12-14]. While protocol in [9] requires the user to submit to the verifier the original message that has to be verified. Hence it does not support this property. This would expose the user’s private information to third parties.

· Blockless Verification.

The proposed scheme supports blockless verification. In blockless verification, the verifier is not required to download all the challenged data blocks. Equation (4) demonstrates that while the verifier performs an auditing process, no original data is downloaded from CSP. It increases efficiency rather than downloading the data beforehand. Table 4 shows that only^[14] supports this property. While three other works^[9,12,13] did not provide this property since the verifier needs the original message in order to complete the auditing task, the availability of this property was not provided by them.

· Reliable Verifier.

The proposed scheme and two other works [13,14] provide a reliable verifier using blockchain technology. Blockchain enables transparency between users, CSPs, and verifiers through its decentralized nature. Furthermore, the proposed protocol assures a credible verifier by enforcing credibility points and incentive mechanisms for the honest verifier. However, two other works [9,12] do not support this attribute since they rely on TPA, which is not the best solution in actual circumstances.

Ⅴ. Conclusion

This paper proposed a blockchain-based data auditing protocol in a cloud storage with an improved ZSS signcryption scheme that provides desirable properties such as public verifiability, privacy-preserving, blockless verification, and reliable verifier. A use case for signcryption implementation in data auditing is also presented in this paper that aims to ensure data integrity, confidentiality, and non-repudiation. Ultimately, this paper also presented security analysis by demonstrating the validity of the proposed scheme equation, its unforgeability in the presence of malicious CSP and verifiers, examining the computational and communication cost, and finally, by presenting comparative studies analysis with four other works. The comparative studies show that only the proposed scheme can fulfill the four desirable data auditing protocol properties. The proposed protocol is also equipped with credibility points and incentive mechanisms to attract the participation of verifiers. Furthermore, it could also prevent arbitrary behavior of participants by introducing penalty points. In addition, the proposed system can also accomplish three more attributes than the primary reference with the exact computational cost, according to the examination of computational cost and time complexity. Subsequently, this paper’s communication cost analysis shows that the proposed auditing protocol can achieve lower communication costs than the primary reference. Those analyses implied that this paper offers more advantages in data auditing protocol through blockchain and improved ZSS signcryption.