
Cloud EMRs auditing with decentralized (t, n)-threshold ownership transfer

Abstract

In certain cloud Electronic Medical Records (EMRs) applications, the ownership of data may need to be transferred. In practice, not only the data but also the auditing ability should be transferred securely and efficiently. However, we investigate and find that most existing data ownership transfer protocols only work well between two individuals, and they become inefficient when the transfer takes place between two communities. The proposals for transferring tags between communities are problematic as well, since they require either that all members get involved or that a fully trusted aggregator facilitates the ownership transfer, both of which are unrealistic in certain scenarios. To alleviate these problems, in this paper we develop a secure auditing protocol with decentralized (t, n)-threshold ownership transfer for cloud EMRs. This protocol is designed to operate efficiently without requiring the mandatory participation of every user or the involvement of any trusted third party. This is achieved by employing threshold signatures. Rigorous security analyses and comprehensive performance evaluations illustrate the security and practicality of our protocol. Specifically, according to the evaluations and comparisons, the communication and computational consumption is independent of the file size, i.e., it is constant in our protocol for both communities.

Introduction

Nowadays, an increasing number of users upload and store their data in the cloud because it is cost-effective and convenient (Wang et al. 2023). After the upload, however, users lose direct control over the data. Thus, it is crucial to check its integrity in order to ensure that the uploaded data are free from accidental corruptions and purposive attacks. Until now, the integrity auditing technology has been well studied (Wang et al. 2019; Huang et al. 2020; Shen et al. 2020, 2022; Tian et al. 2015; Wang et al. 2016; Ateniese et al. 2007; Juels and Kaliski Jr 2007; Shacham and Waters 2013; Ateniese et al. 2008; Erway et al. 2015; Zhu et al. 2011; Fu et al. 2017; Yang et al. 2016; Shen et al. 2017; Wang et al. 2017, 2020, 2013; Li et al. 2014; Shen et al. 2017; Han et al. 2019). Specifically, in a typical integrity auditing procedure, the data owner initiates a key pair and generates “miniatures” of the data, i.e., verifiable tags, using its own secret key, and then uploads these tags to the cloud along with the data. When audited with random challenge values picked by the data owner, the cloud responds with a succinct proof of possession rather than the challenged data directly. The data are believed to be intact with high confidence only when the proof from the cloud is validated successfully using the data owner’s public key.

Cloud data can be traded like a commodity. For each data deal, specifically, the integrity auditing ability, which indicates ownership, is shifted from the old owner to the new one along with the data itself. However, transferring the integrity auditing ability is not as easy as transmitting the data. Typically, it is achieved with expensive tag re-generation. In this scenario, the computational and communication costs are huge (e.g., they increase linearly with the file size). Wang et al. (2019) and Shen et al. (2020) proposed solutions that reduce the computational and communication burden at the data owner side by leveraging proxy re-signature, which work well when transferring ownership between two individuals.

However, data transactions may happen not only between two individuals but also between an individual and a community, or even between two communities. For example, medical research organizations pay for the EMRs from hospitals and independent patients, and patients transfer their EMRs to new hospitals or departments with the assistance of doctors. In such multi-user scenarios, the aforementioned solutions (Wang et al. 2019; Shen et al. 2020) become inefficient because they transfer the integrity auditing ability, i.e., the ownership, one by one. As far as we know, the proposal presented in Shen et al. (2022) accomplished ownership transfer between two communities by introducing multi-signature; however, it requires all members in each community to be online in order to re-generate tags, and a fully trusted authority is required on each side to perform key management. We believe that it would be better if data transactions between two communities could be completed without requiring all-member participation or a fully trusted key manager.

Inspired by these observations, this paper introduces a secure and efficient ownership transfer protocol for two communities, which is achieved without requiring all-member participation or a trusted manager. Our contributions are summarized as follows:

  1.

    Flexible multi-community ownership transfer: We propose a threshold ownership transfer protocol for two multi-user communities. Namely, our protocol ensures that the ownership of data can be transferred successfully as long as the number of online users reaches the preset threshold. This is achieved by exploiting threshold signatures.

  2.

    Reducing the assumption of a trusted manager: In our protocol, no trusted manager is involved. In contrast, key management is completed via the cooperation of online users in each community.

  3.

    High performance: In the random oracle model, we establish the security of our protocol based on the CDH assumption. The security assessment of our protocol encompasses key aspects such as correctness, soundness, unforgeability, robustness, and detectability. Furthermore, we conduct a performance analysis of our protocol and compare it with several closely related works. The evaluation illustrates that our protocol provides more functionalities, and this is achieved without introducing extra resource consumption.

The remainder of this paper is organized as follows: Sect. 2 primarily introduces the closely related ownership transfer works, Sect. 3 provides some preliminaries for our proposed protocol, and Sect. 4 describes the model of our proposed protocol, including the system and security models. Our decentralized (t, n)-threshold ownership transfer protocol is presented in Sect. 5. Then, in Sect. 6, we conduct a comprehensive analysis of the security aspects of our protocol. Section 7 provides the performance analysis and comparison, and Sect. 8 concludes this paper.

Related work

We review a few closely relevant cloud data auditing protocols with ownership transfer in this section.

In Ateniese et al. (2007), Ateniese et al. introduced the concept of “Provable Data Possession” (PDP) and developed a technique to efficiently check data integrity on cloud servers. Simultaneously, Juels and Kaliski (Juels and Kaliski Jr 2007) proposed the so-called Proofs of Retrievability (PoRs). Different from the existing schemes, PoRs (Juels and Kaliski Jr 2007) limited the number of validations, and retrievability was achieved with the help of error-correcting codes. Both PDP (Ateniese et al. 2007) and PoRs (Juels and Kaliski Jr 2007) have outstanding properties, and they inspired other researchers. For instance, Shacham and Waters in Shacham and Waters (2013) optimized PDP and PoRs. In Shacham and Waters (2013), tags were generated using homomorphic authenticators in order to reduce verification time. Specifically, they split each block into multiple sections and generated a tag for each block.

In some existing works, the time consumed by tag generation was directly proportional to the number of tags. As a result, these works became impractical when the data volume was huge. Users typically seek the ability to promptly verify the integrity of data. To address this issue, Shacham and Waters (2013), Wang et al. (2017) and Wang et al. (2020) adopted an offline/online approach, i.e., they divided tag generation into an offline phase and an online phase. The offline stage bears the majority of the computational overhead in order to reduce the online overhead. In Li et al. (2014), Shen et al. (2017) and Han et al. (2019), trusted third parties were employed to reduce the time consumption of tag generation.

When collective ownership of data becomes commonplace, such as in medical scenarios where EMRs are commonly owned by both doctors and patients, schemes (Yang et al. 2016; Fu et al. 2017; Shen et al. 2017; Huang et al. 2020; Wang et al. 2013) have been developed to address the challenges associated with group members participating in auditing. For instance, Fu et al. (2017) focused on the problem that existing schemes were not suitable for groups of peers with shared authority. In their endeavor to tackle this challenge, they embraced the (t, n)-threshold signature as a solution to alleviate the potential misuse of singular authoritative power. This was accomplished by distributing the power among multiple managers. However, it led to significant resource consumption. In Huang et al. (2020), the authors proposed a protocol that supports public auditing without managers in order to address the issue of single-power abuse. In the protocol of Huang et al. (2020), each user in a group had equal rights to participate in the auditing process. The experimental results demonstrated a significant enhancement in the efficiency of Huang et al. (2020) compared to Fu et al. (2017). In the multi-user scenario, data sharing with user revocation was successfully realized in Wang et al. (2013); specifically, the proxy re-signature algorithm was employed to renew tags.

In medical scenarios, hospitals differ in the treatment directions they excel in, and more patient cases are also needed to promote medical progress. At this point, the ownership of a patient’s electronic medical record may need to be transferred. In 2016, Azaria et al. (2016) introduced the novel MedRec model by using cloud storage and blockchain. It achieved data interoperability, but the data faced privacy leakage issues. Then, Liu et al. (2018) utilized the content extraction signature and CP-ABE to protect the privacy of EMRs. Subsequently, many studies (Wu and Du 2019; Sarkar and Sarkar 2021; Wang and Wang 2023; Cerchione et al. 2023; Lin et al. 2023; Rai 2023; Wang et al. 2023) focused on improving the efficiency, trustworthiness, security, and other aspects of data sharing.

Due to the need to accelerate data flow, the transfer of data ownership and auditability becomes crucial in certain scenarios. For instance, Wang et al. addressed this issue and proposed the first complete cloud data ownership transfer protocol in Wang et al. (2019). However, in this protocol, both the communication and computational costs were very high. Shen et al. noticed this issue and focused on improving the efficiency of cloud data ownership transfer in Shen et al. (2020). In subsequent research, they extended Shen et al. (2020) to the multi-user scenario (Shen et al. 2022), which makes it more in line with real-world requirements. In addition, Gai et al. (2023) explored user anonymity in ownership transfer, but their recognition of data ownership relied on a third party, so it cannot be considered a true completion of ownership transfer. However, these schemes can work smoothly only when all users are online. Namely, when offline users are present, existing solutions cannot directly execute the ownership transfer process. To our knowledge, there is currently no protocol that allows the ownership transfer process to proceed in the presence of offline users. Therefore, this paper introduces a cloud EMRs auditing protocol featuring decentralized (t, n)-threshold ownership transfer.

Preliminaries

In this section, we will review some preliminaries, primarily including bilinear pairings, the Computational Diffie-Hellman (CDH) problem, and homomorphic authenticators.

Bilinear pairings

Assume that p is a large prime and choose two p-order multiplicative cyclic groups \({\mathbb {G}}_1\) and \({\mathbb {G}}_T\). Further assume that g is a generator of \({\mathbb {G}}_1\). A map \(e:{\mathbb {G}}_1 \times {\mathbb {G}}_1 \rightarrow {\mathbb {G}}_T\) is a bilinear pairing if the following conditions are satisfied:

  1.

    Computability: For \(\forall \, u,v \in {\mathbb {G}}_1\), \(e(u,v)\) can be computed efficiently.

  2.

    Bilinearity: For \(\forall \, a,b \in Z_p\) and \(\forall \, u,v \in {\mathbb {G}}_1\), we have \(e(u^a,v^b)=e(u,v)^{ab}\).

  3.

    Non-degeneracy: \(\exists \, u,v \in {\mathbb {G}}_1\) such that \(e(u,v) \ne 1_{{\mathbb {G}}_T}\).
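
As an illustrative consequence of bilinearity (not an additional requirement), secret exponents can be moved freely between the two arguments of the pairing; this is exactly the manipulation used later in the correctness analysis of the Audit algorithm:

$$\begin{aligned} e(u^a,v)=e(u,v)^a=e(u,v^a), \qquad e(u^a,v^b)=e(u,v)^{ab}=e(u^{ab},v). \end{aligned}$$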

The CDH problem in \({\mathbb {G}}_1\) can be defined as follows:

Definition 1

(Computational Diffie-Hellman problem). Given a tuple \((g,g^x,g^y)\), where \(x,y \in _R Z_p\), the CDH problem in \({\mathbb {G}}_1\) is to compute \(g^{xy}\). We assume that \(\lambda\) is a security parameter and \(negl(\lambda )\) is a negligible function. The CDH assumption holds in \({\mathbb {G}}_1\) if for any PPT adversary \({\mathcal {A}}\),

$$\begin{aligned} Pr[{\mathcal {A}}(1^\lambda ,g,g^x,g^y)=g^{xy}] \le negl(\lambda ). \end{aligned}$$

Homomorphic authenticators

The homomorphic authenticator enables the verification process to be completed without downloading the uploaded data. Specifically, the algorithm typically comprises four steps:

  1.

    \({\mathcal {H}}.SysGen\). Inputting the security parameter, it outputs two p-order cyclic multiplicative groups \({\mathbb {G}}_1\) and \({\mathbb {G}}_T\) and a bilinear pairing \(e:{\mathbb {G}}_1 \times {\mathbb {G}}_1 \rightarrow {\mathbb {G}}_T\). Additionally, the \({\mathcal {H}}.SysGen\) algorithm also outputs two generators \(g,u \in _R {\mathbb {G}}_1\).

  2.

    \({\mathcal {H}}.KeyGen\). Inputting g, \({\mathcal {H}}.KeyGen\) outputs a public-secret key pair \((sk \in _R Z_p,pk=g^{sk})\).

  3.

    \({\mathcal {H}}.Sig\). Inputting \((sk,pk)\) and \(F=\{m_j\}_{j \in [1,l]}\), it outputs the signature \(\sigma _j=(u^{m_j})^{sk}\).

  4.

    \({\mathcal {H}}.BatVer\). The homomorphic authenticator possesses the property of batch verification. Namely, inputting F and \(\sigma _j\), it outputs \(PV=(\prod \sigma _j ^ {\gamma _j},\sum m_j\gamma _j)\) where \(\gamma _j \in Z_p\); batch verification can then be performed by checking \(e(\prod \sigma _j ^ {\gamma _j},g)=e(u^{\sum m_j\gamma _j},pk)\), as illustrated by the toy sketch below.
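
To make the batch-verification algebra concrete, the following toy Python sketch (illustrative only, not a secure instantiation; a small Schnorr group stands in for \({\mathbb {G}}_1\)) aggregates several tags of the form \(\sigma _j=(u^{m_j})^{sk}\) and checks them in one shot. The final comparison uses sk directly; in the real scheme the bilinear pairing allows the same check to be performed with only the public key pk.

import random

q = 1019                  # toy prime group order (plays the role of p)
P = 2 * q + 1             # safe prime; the toy group is the order-q subgroup of Z_P*
u = pow(4, random.randrange(1, q), P)   # random group element playing the role of u

sk = random.randrange(1, q)
blocks = [random.randrange(q) for _ in range(8)]      # file blocks m_j
tags = [pow(pow(u, m, P), sk, P) for m in blocks]     # sigma_j = (u^{m_j})^{sk}

gammas = [random.randrange(1, q) for _ in blocks]     # challenge coefficients gamma_j
P_sigma = 1
for tag, gamma in zip(tags, gammas):
    P_sigma = P_sigma * pow(tag, gamma, P) % P        # prod_j sigma_j^{gamma_j}
PM = sum(m * gamma for m, gamma in zip(blocks, gammas)) % q   # sum_j m_j * gamma_j

# One aggregated comparison replaces one comparison per block; the pairing
# e(prod sigma_j^{gamma_j}, g) = e(u^{PM}, pk) removes the need to know sk here.
print("batch check passes:", P_sigma == pow(pow(u, PM, P), sk, P))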

System models and definitions

This section mainly introduces the system and security models of our protocol. Additionally, some definitions related to the protocol are also introduced.

The system model

As shown in Fig. 1, the system model of our protocol primarily consists of four entities: Cloud, GroupA, GroupB and the Third Party Auditor (TPA). Although, in practice, the users in a group may have different identities, we do not distinguish between them and simply refer to them as “users”.

  1.

    Cloud is a semi-trustworthy entity equipped with extensive computational capabilities and substantial storage capacity, so users with insufficient local storage capacity will store their data on the cloud server.

  2.

    GroupA is a decentralized group. In GroupA, each user has equal rights. The users upload local data to cloud servers, and the ownership of this data might be transferred at a subsequent point.

  3.

    GroupB is also decentralized, and each user in GroupB has the same rights and responsibilities. GroupB is the receiving party, namely, it is the target of the cloud data ownership transfer.

  4.

    TPA is a semi-trustworthy entity with auditing expertise. It can provide convincing results when completing the auditing delegations issued by cloud servers. However, the TPA may use the information it knows to pry into users’ private information.

Fig. 1 The system model of our protocol

The formal definitions

The protocol consists of five algorithms, and they are defined as follows:

  • SysGen\((1^\lambda ) \rightarrow (params)\). This is a probabilistic algorithm. The security parameter \(\lambda\) functions as the input, and the system parameter params is produced as the output.

  • KeyGen\((params) \rightarrow (\{{sk}_i,pk_i\}_{i \in [1,n]},pk)\). In this probabilistic algorithm, all n users in the group execute the following operations:

    1.

      Each user inputs params and generates its secret key sharing \({sk}_i\). In particular, no single user can compute and obtain the secret key sk of the group.

    2.

      Each user computes the public key sharing \(pk_i\) and the group public key pk.

  • TagGen\((\{{sk}_i,pk_i\}_{i \in [1,n]},F,m_j,params) \rightarrow (\sigma _j,sig)\). This algorithm is deterministic. Its inputs are the parameters generated by users, the file \(F=\{m_j\}_{j \in [1,l]}\), and the system parameters params; it outputs the data tags \(\sigma _j\) and the file tag sig.

  • Audit\((chal,m_j,\sigma _j,pk,sig,params) \rightarrow (\{0,1\})\). This algorithm is deterministic, and it is run by the Cloud and the TPA. The TPA sends the challenge set chal to the Cloud, and the Cloud outputs an integrity proof. Making use of the proof, the TPA outputs “1” if it is valid, or outputs “0” otherwise.

  • TagTrans\((F,\sigma _j,\{{sk}_i,pk_i\}_{i \in [1,n]},\{{sk}'_I,pk'_I\}_{I \in [1,n']},params) \rightarrow (\sigma '_j,sig')\). This algorithm is a deterministic one, and it works as follows:

    1.

      Taking params and the key pairs \(\{{sk}_i,pk_i\}_{i \in [1,n]}\) as input, users in GroupA output the transfer tokens for multi-user ownership transfer and send them to users in GroupB.

    2.

      Taking advantage of the tokens, users in GroupB generate the final transfer tokens and send them to the Cloud.

    3.

      The Cloud takes GroupA’s signatures \(\sigma _j\) and GroupB’s final transfer tokens as input, and outputs the new signatures \(\sigma '_j\) for GroupB.

The security model

We will propose a secure auditing protocol with decentralized (t, n)-threshold ownership transfer for cloud EMRs. It should demonstrate soundness, unforgeability, and secure transferability, as defined below:

Definition 2

(Soundness). The proposed protocol is considered sound if it is computationally infeasible for the cloud to pass the integrity verification when the challenged data \(m_j\) is corrupted (i.e. \(m_j \ne m^*_j\)). In other words, it needs to satisfy:

$$Pr[{\mathcal {A}}^{O_{sign}(SK,\cdot )}(pk_i,pk,params)\rightarrow (\sigma ^*_j,sig^*) \wedge m_j \ne m^*_j \wedge (m^*_j,\sigma ^*_j) \notin \{(m,\sigma )\} \wedge Audit(chal,m^*_j,\sigma ^*_j,pk,sig^*,params) \rightarrow 1: (\{{sk}_i,pk_i\}_{i \in [1,n]},pk) \leftarrow KeyGen(params), params \leftarrow SysGen(1^\lambda )]\le negl(\lambda ),$$

where \(negl(\lambda\)) is a negligible function, \(O_{sign}(\cdot ,\cdot )\) denotes the signature query oracle, and \(\{(m,\sigma )\}\) represents the set of pairs that \({\mathcal {A}}\) has queried; the same applies to subsequent instances.

Definition 3

(Unforgeability). The protocol is considered unforgeable if it is impossible for an arbitrary adversary to forge the ownership (i.e., a valid tag) of any block \(m'_j\). In other words, it needs to satisfy:

$$Pr[{\mathcal{A}}^{{O_{{sign}} (SK, \cdot )}} (pk_{i} ,pk,params) \to (\sigma ^{\prime}_{j} ,sig^{\prime}) \wedge (m^{\prime}_{j} ,\sigma ^{\prime}_{j} ) \notin \{ (m,\sigma )\} \wedge Audit(chal,m^{\prime}_{j} ,\sigma ^{\prime}_{j} ,pk,sig^{\prime},params) \to 1:(\{ sk_{i} ,pk_{i} \} _{{i \in [1,n]}} ,pk) \leftarrow KeyGen(params), params \leftarrow SysGen(1^{\lambda } )] \le negl(\lambda ).$$

Definition 4

(Secure transferability). The ownership transfer process in this protocol is considered secure, if it satisfies the following conditions:

  • If GroupA is honest, it should be resistant to the collusion attack orchestrated by GroupB and Cloud. Assuming the key pairs of GroupA are \(\{{sk}_i, pk_i\}\), we require that for all PPT adversaries,

    $$Pr[{\mathcal{A}}^{{O_{{sign}} (SK, \cdot ),O_{{aux}} ( \cdot )}} (pk_{i} ,pk,sk^{\prime}_{I} ,pk^{\prime}_{I} ,pk^{\prime},params) \to (\sigma _{j}^{*} ,sig^{*} ) \wedge (m_{j}^{*} ,\sigma _{j}^{*} ) \notin \{ (m,\sigma )\} \wedge Audit(chal,m_{j}^{*} ,\sigma _{j}^{*} ,pk,sig^{*} ,params) \to 1:(\{ sk_{I} ,pk_{I} \} _{{I \in [1,n^{\prime}]}} ,pk) \leftarrow KeyGen(params), params \leftarrow SysGen(1^{\lambda } )] \le negl(\lambda ),$$

    where \(O_{aux}(\cdot )\) is the oracle for auxiliary transfer token queries in ownership transfer; the same applies below.

  • The only difference between the scenario where GroupA colludes with Cloud and the scenario where GroupB colludes with Cloud lies in the adversary’s capabilities. We require that for all PPT adversaries,

    $$Pr[{\mathcal{A}}^{{O_{{sign}} (SK, \cdot ),O_{{aux}} ( \cdot )}} (pk^{\prime}_{I} ,pk^{\prime},sk_{i} ,pk_{i} ,pk,params) \to (\sigma _{j}^{*} ,sig^{*} ) \wedge (m_{j}^{*} ,\sigma _{j}^{*} ) \notin \{ (m,\sigma )\} \wedge Audit(chal,m_{j}^{*} ,\sigma _{j}^{*} ,pk,sig^{*} ,params) \to 1:(\{ sk_{I} ,pk_{I} \} _{{I \in [1,n^{\prime}]}} ,pk) \leftarrow KeyGen(params), params \leftarrow SysGen(1^{\lambda } )] \le negl(\lambda ).$$

The proposed protocol

This section overviews the proposed cloud EMRs auditing with decentralized (t, n)-threshold ownership transfer protocol, and then provides the detailed operations.

Overview

In some applications, the data owners cannot accept the significant costs incurred by downloading cloud data and uploading the data together with newly generated tags. This issue is particularly salient in scenarios where medical research organizations procure EMRs, or patients change doctors and need their EMRs transferred on the cloud servers. For this reason, many researchers have proposed cloud auditing protocols with ownership transfer. However, in e-Health applications, doctors are often offline due to their busy schedules. This situation hinders the ownership transfer of EMRs. In certain scenarios, finding a trustworthy manager for a group is also hard. To alleviate these problems, this paper introduces an innovative paradigm by integrating (t, n)-threshold signatures. The new design enables groups to quickly transfer EMRs without employing a trustworthy manager. Moreover, in the proposed protocol, the ownership of cloud EMRs can be securely and efficiently transferred when the number of concurrently online users reaches the predetermined threshold.

The detailed operations

We assume that there are n users in GroupA and that the threshold of GroupA is t. Similarly, the number of users in GroupB is defined as \(n'\), with a threshold of \(t'\). Additionally, the system has a multi-user file \(F=\{m_j\in Z_p\}_{j\in [1,l]}\). Similar to Tian et al. (2015), Wang et al. (2011) and Wang et al. (2016), \(S=\{Kgen,Sig,Vrf\}\) constitutes a standard signature scheme. The detailed operations of our protocol are described as follows:

  • SysGen\((1^\lambda ) \rightarrow (params)\). The system performs the following operations by utilizing the input security parameters \(\lambda\):

    1.

      Chooses two p-order cyclic multiplicative groups \({\mathbb {G}}_1\) and \({\mathbb {G}}_T\) and a bilinear pairing e. Then, the system generates two independent generators \(g,u \in _R {\mathbb {G}}_1\).

    2.

      Chooses three hash functions, which are constructed as follows:

      $$\begin{aligned}&H_1:\{0,1\}^* \rightarrow {\mathbb {G}}_1, \\ {}&H_2:\{0,1\}^* \rightarrow {\mathbb {G}}_1, \\ {}&H_3:{\mathbb {G}}_1 \rightarrow Z_p. \end{aligned}$$
    3.

      Outputs the parameters \(params=\{p,{\mathbb {G}}_1,{\mathbb {G}}_T,g,u,e,H_1,H_2,H_3,S\}\).

  • KeyGen\((params) \rightarrow (\{{sk}_i,pk_i\},pk)\). We denote the users in GroupA as \(A_i(i \in [1,n])\). In this algorithm, each user \(A_i\) computes and obtains the secret key sharing \({sk}_i\) along with its corresponding public key sharing \(pk_i\) by executing the following operations:

    1.

      User \(A_i\) initiates the process by generating a random polynomial \(f_i(x) = \phi _{i0} + \phi _{i1}x+ \phi _{i2}x^2 +... + \phi _{i(t-1)}x^{(t-1)}\), with each \(\phi _{ik}(1 \le i \le n,0 \le k \le t-1)\) being a coefficient. Then, \(A_i\) broadcasts the values \(C_{ik}=g^{\phi _{ik}}\), computes the secret value sharing \(s_{ii'}=f_i(i')\), and transmits \(s_{ii'}\) to user \(A_{i'}\) secretly, ensuring that \(i \ne i'\). Upon receiving \(s_{ii'}\) from \(A_i\), user \(A_{i'}\) undertakes a validation process by performing the calculation

      $$\begin{aligned} g^{s_{ii'}}=\prod _{k=0}^{t-1}{(C_{ik})^{{i'}^k}},1 \le i \le n. \end{aligned}$$
      (1)

      Note that any incorrect secret value sharing will cause Equ. (1) to fail. Namely, a user \(A_i\) that distributes an incorrect secret value sharing \(s_{ii'}\) will be detected; it will be regarded as an illegitimate entity and cannot participate in subsequent processes. Finally, user \(A_i\) computes and obtains its secret key sharing \({sk}_i\) by calculating

      $$\begin{aligned} { sk_i = \sum _{i' \in [1,n]} s_{i'i}(mod\ p).} \end{aligned}$$

      Furthermore, the secret key sk can be computed according to Equ. (2). However, no user in GroupA can compute and obtain the secret key on its own (recall that \(\phi _{i0}\) is the private parameter of user \(A_{i}\)).

      $$\begin{aligned} { sk = \sum _{i \in [1,n]} \phi _{i0}(mod\ p),} \end{aligned}$$
      (2)
    2.

      User \(A_i\) in GroupA computes the public key sharing using the above parameters, i.e.,

      $$\begin{aligned} pk_i = \prod _{i' \in [1,n]} \prod _{k=0}^{t-1} (g^{\phi _{i'k}})^{i^k}. \end{aligned}$$

      Then, each user \(A_i\) in GroupA broadcasts its public key sharing \(pk_i\). Upon receiving \(pk_i\), any other user in GroupA can check its correctness. In addition, the public key of GroupA, \(pk=g^{sk}\), can be obtained by aggregating any t public key sharings.

    3.

      Each user \(A_i\) runs S.Kgen to obtain the signing key pair \(\{(ssk_i,spk_i)\}\).

  • TagGen\((\{{sk}_i,pk_i\}_{i \in [1,n]},F,m_j,params) \rightarrow (\sigma _j,sig)\). In this stage, the users in GroupA jointly generate a multi-user signature for the file F. Specifically, the number of involved users should reach the threshold t in order to complete the operation. The involved users perform the following operations:

    1.

      User \(A_i\) calculates \({\sigma }_{1,i}=H_2(F)^{{sk}_i}\) and \({\sigma }_{2,i}=u^{{sk}_i}\), and broadcasts values \({\sigma }_{1,i}\), \({\sigma }_{2,i}\) to other users. The correctness of the values can be verified by Equ. (3) and Equ. (4)

      $$\begin{aligned} { e(\sigma _{1,i},g)=e(H_2(F),pk_i),} \end{aligned}$$
      (3)
      $$\begin{aligned} { e(\sigma _{2,i},g)=e(u,pk_i).} \end{aligned}$$
      (4)
    2.

      User \(A_a\) serves as the aggregator if it obtains t pieces of legitimate information. Then, aggregator \(A_a\) aggregates these t pieces of legitimate information to calculate \(\sigma =H_2(F)^{sk}\) and \(\xi =g^{H_3({\sigma })}\). Specifically, aggregator \(A_a\) computes

      $$\begin{aligned} {\sigma =\prod _{i \in mes} \sigma _{1,i}^{\lambda _i}=H_2(F)^{sk},} \end{aligned}$$

      where \(\lambda _i=\prod _{j \ne i} \frac{-j}{i-j}\) is the Lagrange interpolation coefficient. Ultimately, aggregator \(A_a\) computes

      $$\sigma _j=[H_1(F||j)]^{H_3(\prod _{i \in mes} \sigma _{1,i}^{\lambda _i})}\cdot (\prod _{i \in mes} \sigma _{2,i}^{\lambda _i})^{m_j}=[H_1(F||j)]^{H_3(\sigma )}\cdot (u^{m_j})^{sk}.$$

      In the above equation, mes refers to the index set of the t users who provided legitimate information.

    3.

      The aggregator \(A_a\) computes the file tag \(sig=(F||s||\xi )||S.Sig(F||s||\xi )_{ssk_a}\). Then, \(A_a\) uploads \(\{\{(m_j,\sigma _j)\}_{j \in [1,s]},sig\}\) to Cloud for remote storage.

  • Audit\((chal,m_j,\sigma _j,pk,sig,params) \rightarrow (\{0,1\})\). On inputting the file tag sig, TPA chooses the \(c-\)element challenge set \(chal=\{(j,\gamma _j \in _R Z_p)\}\). Then, TPA interacts with Cloud and executes the following operations:

    1.

      TPA sends the \(c-\)element challenge set \(chal=\{(j,\gamma _j \in _R Z_p)\}\) to Cloud.

    2.

      Receiving \(chal=\{(j,\gamma _j \in _R Z_p)\}\), the Cloud calculates data proof and tag proof as

      $$\begin{aligned} {PM=\sum _{(j,\gamma _j)\in chal}m_j\gamma _j,} \\ {P\sigma =\prod _{(j,\gamma _j)\in chal}\sigma _j^{\gamma _j}.} \end{aligned}$$
    3.

      The Cloud sends \(({PM},{P\sigma },sig)\) to TPA.

    4.

      The TPA recovers F, s, and \(\xi\) from sig. Then, the TPA verifies \(S.Vrf(F||s||\xi )_{spk_a}\). If the verification passes successfully, the TPA checks

      $$\begin{aligned} {e(P\sigma ,g)\overset{\text {?}}{=}e(\prod _{(j,\gamma _j)\in chal} H_1(F||j)^{\gamma _j},\xi )\cdot e(u^{PM},pk).} \end{aligned}$$
    5.

      The TPA outputs \(``1"\) when the above equation holds. Otherwise, it outputs \(``0"\).

  • TagTrans\((F,\sigma _j,\{{sk}_i,pk_i\}_{i \in [1,n]},\{{sk}'_I,pk'_I\}_{I \in [1,n']},params) \rightarrow (\sigma '_j,sig')\). In this stage, when inputting the file abstract F, the original data tag \(\sigma _j\), key pairs of users in GroupA and GroupB, and params, we can complete the ownership transfer operations via the following steps:

    1.

      Each user \(A_i\) in GroupA picks \(x_i \in _R Z_p\), computes \(W_{1,i}=H_2(F)^{{sk}_i}\), \(W_{2,i}={sk}_i - x_i\) and \(W_{3,i} = u^{x_i}\).

    2.

      Aggregator \(A_a\) collects t pieces of legitimate information and calculates the transfer tokens \((W_1,W_2,W_3)\):

      $$\begin{aligned} {\begin{aligned} W_1&=H_3(\prod _{i \in mes} W_{1,i}^{\lambda _i})=H_3(\sigma ),\\ W_2&=\sum _{i \in mes}\lambda _i W_{2,i}=\sum _{i \in mes}\lambda _i({sk}_i-x_i)={sk}-\sum _{i \in mes}\lambda _ix_i,\\ W_3&=u^{\sum _{i \in mes}\lambda _ix_i}. \end{aligned}} \end{aligned}$$

      Then, aggregator \(A_a\) sends the transfer token \((W_1, W_2, W_3)\) to GroupB.

    3.

      Each user \(B_I\) in GroupB executes the KeyGen algorithm, and obtains the secret key sharing \({sk}'_I\) and public key sharing \(pk'_I\). Additionally, the public key of GroupB is \(pk'\) and the secret key of GroupB is \({sk}'\). Moreover, each user \(B_I\) in GroupB runs S.Kgen algorithm and obtains the signing key pair \(\{(ssk_I,spk_I)\}_{I \in [1,n']}\).

    4.

      Each user \(B_I\) in GroupB chooses \(x_I \in _R Z_p\), and computes \(W_{4,I}=H_2(F)^{{sk}'_I}\), \(W_{5,I}={sk}'_I-x_I\), \(W_{6,I}=u^{x_I}\).

    5.

      Aggregator \(B_a\) collects \(t'\) pieces of legitimate information and computes the transfer tokens, where \({\sigma }'=H_2(F)^{{sk}'}\):

      $$\begin{aligned} {\begin{aligned} W_4&=H_3(\prod _{I \in mes'} W_{4,I}^{\lambda '_I})-W_1=H_3(\sigma ')-H_3(\sigma ),\\ W_5&=\sum _{I \in mes'}\lambda '_IW_{5,I}-W_2={sk}'-\sum _{I \in mes'}\lambda '_Ix_I-({sk}-\sum _{i \in mes}\lambda _ix_i)\\ {}&={sk}'-{sk}+(\sum _{i \in mes}\lambda _ix_i-\sum _{I \in mes'} \lambda '_Ix_I),\\ W_6&=(W_3)^{-1}\cdot \prod _{I \in mes'}W_{6,I}^{\lambda '_I}=u^{\sum _{I \in mes'}\lambda '_Ix_I-\sum _{i \in mes}\lambda _ix_i}. \end{aligned}} \end{aligned}$$

      where \(mes'\) refers to the index set of the \(t'\) users who provided legitimate information. Then, the aggregator \(B_a\) sends \(sig=(W_4||W_5||W_6)||S.Sig(W_4||W_5||W_6)_{ssk_a}\) to the Cloud.

    6.

      The Cloud recovers \(W_4\), \(W_5\) and \(W_6\), and verifies the equation \(S.Vrf(W_4||W_5||W_6)_{spk_a}=1\). If the verification passes successfully, the Cloud computes

      $$\begin{aligned} \sigma '_j= &\sigma _j\cdot [H_1(F||j)]^{W_4}\cdot (u^{m_j})^{W_5}\cdot {W_6}^{m_j}=\sigma _j\cdot [H_1(F||j)]^{H_3(\sigma ')-H_3(\sigma )}\\ {}&\cdot (u^{m_j})^{{sk}'-{sk}+(\sum _{i \in mes}\lambda _ix_i-\sum _{I \in mes'}\lambda '_Ix_I)}\cdot (u^{\sum _{I \in mes'}\lambda '_Ix_I-\sum _{i \in mes}\lambda _ix_i})^{m_j}\\ = & [H_1(F||j)]^{H_3(\sigma )}\cdot (u^{m_j})^{sk}\cdot [H_1(F||j)]^{H_3(\sigma ')-H_3(\sigma )}\\ {}&\cdot (u^{m_j})^{{sk}'-{sk}+(\sum _{i \in mes}\lambda _ix_i-\sum _{I \in mes'}\lambda '_Ix_I)}\cdot (u^{\sum _{I \in mes'}\lambda '_Ix_I-\sum _{i \in mes}\lambda _ix_i})^{m_j}\\=&[H_1(F||j)]^{H_3(\sigma ')}\cdot (u^{m_j})^{{sk}'}. \end{aligned}$$

This completes the description of our protocol. Clearly, the tags of GroupB have the same structure as those of GroupA. Hence, the TPA can check the integrity of the ownership-transferred file F by executing the same operations described in the Audit algorithm.
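
The threshold machinery above (the commitment-based share verification of Equ. (1) in KeyGen and the Lagrange aggregation in TagGen) can be exercised end to end with a toy implementation. The following Python sketch is illustrative only: a small Schnorr group (a prime-order subgroup of \(Z_P^*\)) stands in for \({\mathbb {G}}_1\), plain exponentiation replaces the pairing-based tag algebra, and the script is allowed to see every value, including the group secret key that no real participant ever learns, purely so that the identities can be asserted.

import random

q = 1019                     # toy prime order of the exponent field Z_q
P = 2 * q + 1                # 2039, a safe prime; the toy group is the order-q subgroup of Z_P*
g = 4                        # generator of that order-q subgroup
n, t = 5, 3                  # n users, threshold t

# KeyGen step 1: each user A_i picks a random degree-(t-1) polynomial f_i and
# publishes the commitments C_ik = g^{phi_ik}.
polys = {i: [random.randrange(q) for _ in range(t)] for i in range(1, n + 1)}
commits = {i: [pow(g, c, P) for c in polys[i]] for i in range(1, n + 1)}

def f(i, x):                 # evaluate f_i(x) mod q
    return sum(c * pow(x, k, q) for k, c in enumerate(polys[i])) % q

# A_i sends s_{i,i'} = f_i(i') to A_{i'}, who checks Equ. (1):
# g^{s_{i,i'}} = prod_k C_ik^{i'^k}.
for i in range(1, n + 1):
    for ip in range(1, n + 1):
        rhs = 1
        for k, C in enumerate(commits[i]):
            rhs = rhs * pow(C, pow(ip, k, q), P) % P
        assert pow(g, f(i, ip), P) == rhs, "invalid share detected"

# Each user's secret key sharing is the sum of the shares it received; the
# group key sk = sum_i phi_{i0} is never reconstructed by any single user.
sk_share = {i: sum(f(ip, i) for ip in range(1, n + 1)) % q for i in range(1, n + 1)}
pk = 1
for i in range(1, n + 1):
    pk = pk * commits[i][0] % P          # pk = g^{sum_i phi_{i0}}

def lagrange_at_zero(subset):            # lambda_i = prod_{j != i} (-j)/(i-j) mod q
    lam = {}
    for i in subset:
        num = den = 1
        for j in subset:
            if j != i:
                num = num * (-j) % q
                den = den * (i - j) % q
        lam[i] = num * pow(den, -1, q) % q
    return lam

# TagGen-style aggregation: any t online users can stand in for the group.
subset = [1, 3, 5]                       # any t user indices
lam = lagrange_at_zero(subset)
h2F = pow(g, random.randrange(1, q), P)                  # stands in for H_2(F)
shares = {i: pow(h2F, sk_share[i], P) for i in subset}   # sigma_{1,i} = H_2(F)^{sk_i}
sigma = 1
for i in subset:
    sigma = sigma * pow(shares[i], lam[i], P) % P        # prod sigma_{1,i}^{lambda_i}

sk = sum(polys[i][0] for i in range(1, n + 1)) % q       # known only to this script
assert pow(g, sk, P) == pk
assert sigma == pow(h2F, sk, P)                          # sigma = H_2(F)^{sk}
print("any t of the n shares reproduce the group-level values")

Under these toy parameters, the assertions confirm that any t of the n users suffice to reproduce \(pk=g^{sk}\) and \(H_2(F)^{sk}\), which is exactly the property the aggregator relies on in TagGen and TagTrans.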

Security analysis

  In this section, we mainly conduct the security analysis and prove the correctness, soundness, unforgeability, secure transferability, robustness, and detectability of our proposed protocol.

Theorem 1

The proposed protocol is deemed correct. Specifically, if every entity in the system model performs all operations honestly, then the Cloud can provide a valid proof with overwhelming probability.

Proof

The protocol is correct, meaning that if every entity in the protocol honestly executes the protocol, the integrity of the file can be audited via the following equation

$$\begin{aligned} e(P\sigma ,g)&=e(\prod _{(j,\gamma _j) \in chal}[[H_1(F||j)]^{H_3(\sigma )}\cdot (u^{m_j})^{sk}]^{\gamma _j},g)\\ {}&=e(\prod _{(j,\gamma _j)\in chal}[[H_1(F||j)]^{H_3(\sigma )}]^{\gamma _j},g)\cdot e(\prod _{(j,\gamma _j)\in chal}[(u^{m_j})^{sk}]^{\gamma _j},g)\\ {}&=e(\prod _{(j,\gamma _j)\in chal}H_1(F||j)^{\gamma _j},g^{H_3(\sigma )})\cdot e(u^{\sum _{(j,\gamma _j)\in chal}m_j\gamma _j},g^{sk})\\ {}&=e(\prod _{(j,\gamma _j)\in chal}H_1(F||j)^{\gamma _j},\xi )\cdot e(u^{PM},pk). \end{aligned}$$

If the TagTrans algorithm is honestly executed by each user and every parameter is generated correctly, GroupB can also verify the file’s integrity using the above equation. \(\square\)
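
The same kind of sanity check can be applied to the tag re-computation performed by the Cloud in TagTrans. In the toy Python sketch below (illustrative only, not a secure instantiation), a small Schnorr group replaces \({\mathbb {G}}_1\), h and h_new stand for \(H_3(\sigma )\) and \(H_3(\sigma ')\), and x and x_new stand for the aggregated blinding sums \(\sum \lambda _ix_i\) and \(\sum \lambda '_Ix_I\); the check confirms that the re-computed tag has GroupB’s structure while the tokens alone expose neither sk nor \({sk}'\).

import random

q = 1019                              # toy prime group order
P = 2 * q + 1                         # safe prime; toy group of order q inside Z_P*
g = 4                                 # generator of the order-q subgroup

def rand():
    return random.randrange(1, q)

u, H1 = pow(g, rand(), P), pow(g, rand(), P)   # stand-ins for u and H_1(F||j)
sk, sk_new = rand(), rand()           # group secret keys of GroupA and GroupB
h, h_new = rand(), rand()             # stand-ins for H_3(sigma) and H_3(sigma')
m = rand()                            # one data block m_j

sigma = pow(H1, h, P) * pow(pow(u, m, P), sk, P) % P      # GroupA's tag sigma_j

# Transfer tokens: the blinding terms x, x_new cancel out in the end,
# so neither sk nor sk_new is exposed to the other group or to the Cloud.
x, x_new = rand(), rand()
W4 = (h_new - h) % q
W5 = ((sk_new - x_new) - (sk - x)) % q
W6 = pow(u, (x_new - x) % q, P)

# The Cloud re-computes the tag exactly as in TagTrans step 6.
sigma_new = sigma * pow(H1, W4, P) % P
sigma_new = sigma_new * pow(pow(u, m, P), W5, P) % P
sigma_new = sigma_new * pow(W6, m, P) % P

expected = pow(H1, h_new, P) * pow(pow(u, m, P), sk_new, P) % P
print("re-signed tag has GroupB's structure:", sigma_new == expected)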

Theorem 2

The proposed protocol is deemed sound. Specifically, in the random oracle model, no adversary can induce the TPA, with non-negligible probability, to approve proofs created from corrupted data, as long as the CDH assumption holds.

Proof

Assume the existence of a PPT adversary \({\mathcal {A}}\) capable of compromising the protocol’s soundness. We then construct a simulator \({\mathcal {B}}\) that solves the CDH problem on input \((g,g^a,g^b)\): \({\mathcal {B}}\) controls the random oracles and runs \({\mathcal {A}}\), and its goal is to obtain \(g^{ab}\).

Let \(\{m_{d,1},m_{d,2},...,m_{d,n}\}\) be the blocks of file \(F_d\), and \(\{\sigma _{d,1},\sigma _{d,2},...,\sigma _{d,n}\}\) be the tags of these blocks. The challenge set is denoted as \(chal=\{(j,\gamma _j)\}\) with \(|chal|=c\), and the proof from \({\mathcal {A}}\) is \(P_d^*=({PM}_d^*,{P\sigma }_d^*,t_d^*)\).

Additionally, we also know that a valid proof takes the form

$$\begin{aligned} { P_d=({PM}_d=\sum _{(j,\gamma _j) \in chal}m_{d,j}\gamma _j,P\sigma =\prod _{(j,\gamma _j) \in chal}\sigma _{d,j}^{\gamma _j},t_d),} \end{aligned}$$

where \(\xi _d=g^{H_3(H_2(F_d)^{{sk}})}\) in \(t_d\).

According to Theorem 1, the acceptable proof should satisfy

$$\begin{aligned} { e(P\sigma _d,g)=e(\prod _{(j,\gamma _j) \in chal}H_1(F_d||j)^{\gamma _j},\xi _d) \cdot e(u^{{PM}_d},pk).} \end{aligned}$$

We assume that the adversary \({\mathcal {A}}\) has the capability to compromise the soundness of the protocol, namely, \({P\sigma }_d \ne {P\sigma }_d^*\). Thus, we can obtain \({PM}_d \ne {PM}^*_d\). Consequently, we can derive

$$\begin{aligned} { e(P\sigma _d^*,g)=e(\prod _{(j,\gamma _j) \in chal}H_1(F_d||j)^{\gamma _j},\xi _d^*) \cdot e(u^{{PM}_d^*},pk).} \end{aligned}$$

Then, the simulator \({\mathcal {B}}\) simulates the security game for \({\mathcal {A}}\) as follows:

  • Setup. \({\mathcal {B}}\) chooses two random oracles \(H_1:\{0,1\}^* \rightarrow {\mathbb {G}}_1\) and \(H_3:\{0,1\}^* \rightarrow {\mathbb {Z}}_p\) and sets \(u=g^b\), where \(b \in _R Z_p\).

  • H-query. During this stage, \(H_1\) and \(H_3\) will be subject to hash queries, with \(q_1\) and \(q_3\) inquiries respectively. When querying for the \(j^{th}\) block, if the query has been recorded in the table, \({\mathcal {B}}\) responds according to the table’s content. Otherwise, the following steps are executed:

    1.

      \(H_1(F_d||j)\): \({\mathcal {B}}\) sets \(H_1(F_d||j)=\frac{g^{\mu _{d,j}}}{u^{m_{d,j}}}\) as the response to \({\mathcal {A}}\)’s inquiry, and records it in \(T_{H_1}\), where \(T_{H_1}\) is an empty table created by \({\mathcal {B}}\) (\(T_{H_3}\) is the same). When \({\mathcal {A}}\) asks for the same content, \({\mathcal {B}}\) will return the same information based on the records on \(T_{H_1}\).

    2.

      \(H_3({\sigma }_d)\): \({\mathcal {B}}\) chooses \(v_d \in _R Z_p\), sets \(H_3({\sigma }_d)=v_d+a=v'_d\) and records it in \(T_{H_3}\).

  • S-query. During this phase, the signature queries are executed iteratively for a total of \(q_s\) instances. Upon querying the \(j^{th}\) block of the abstract file \(F_d\), we have

    $$\begin{aligned} {H_1(F_d||j)=\frac{g^{\mu _{d,j}}}{u^{m_{d,j}}},H_3(\sigma _d)=v_d+a=v'_d.} \end{aligned}$$

    Then, \({\mathcal {B}}\) computes \(\sigma _{d,j}\) as

    $$\begin{aligned} \sigma _{d,j}=(\frac{g^{\mu _{d,j}}}{u^{m_{d,j}}})^{v_d+a} \cdot (u^{m_{d,j}})^a=\frac{g^{\mu _{d,j} \cdot (v_d+a)}}{u^{m_{d,j} \cdot v_d}}, \end{aligned}$$

    where \(\sigma _{d,j}\) is the response to \(m_{d,j}\)’s signature query.

  • Forgery. Finally, \({\mathcal {A}}\) forges a proof for data block \(m_{d,j^*}^*(m_{d,j^*}^* \ne m_{d,j^*})\). The verification equation can be rearranged as

    $$\begin{aligned} {e(P\sigma ,g)=e(\prod _{(j,\gamma _j) \in chal}H_1(F_d||j)^{\gamma _j},\xi _d) \cdot e(u^{{PM}_d},pk).} \end{aligned}$$

    We divide the verification equation of \(({P\sigma }_d^*,{PM}_d^*)\) by that of \(({P\sigma }_d,{PM}_d)\):

    $$\begin{aligned} {e(\frac{P\sigma _d^*}{P\sigma _d},g)=e(\frac{u^{{PM}_d^*}}{u^{{PM}_d}},pk) } \end{aligned}$$
    (5)

    From Equ. (5), we know that \((\frac{{P\sigma }_d^*}{{P\sigma }_d})=(\frac{u^{{PM}_d^*}}{u^{{PM}_d}})^a\). Let \(\triangle {PM}={PM}_d^*-{PM}_d\); thus, we obtain the solution to the CDH problem

    $$\begin{aligned} {g^{ab}=(\frac{P\sigma _d^*}{P\sigma _d})^{\frac{1}{\triangle {PM}}}.} \end{aligned}$$

In addition, we have \(\triangle {PM} \ne 0\) because \({PM}_d \ne {PM}^*_d\) whenever \({P\sigma }_d \ne {P\sigma }_d^*\). With this, the simulation and the solution reach their conclusion. The simulation is indistinguishable from a real attack because of the randomness at each stage of the simulation process; these sources of randomness are independently and randomly selected from the perspective of \({\mathcal {A}}\). We assume that \({\mathcal {A}}\) can break the protocol with advantage \(\epsilon\). Leveraging \({\mathcal {A}}\)’s capabilities, \({\mathcal {B}}\) then obtains a solution to the CDH problem with probability \((1 - \frac{q_1}{p})^{q_s} \cdot \epsilon \approx \epsilon\). In this context, \((1 - \frac{q_1}{p})^{q_s}\) represents the probability that the simulation remains consistent, so that \({\mathcal {A}}\)’s attack remains effective. The different randomness employed in the hash and signature queries ensures the success of the simulation: for the same file, the randomness in \(H_1(F_d||j)\) collides only with probability \(\frac{q_1}{p}\).

\(\square\)

Theorem 3

The protocol is considered to be unforgeable. Specifically, in the random oracle model, any adversary can forge provably valid tags for arbitrary data with at most negligible probability, as long as the CDH assumption holds.

Proof

Assume the existence of a PPT adversary \({\mathcal {A}}\) capable of compromising the protocol’s unforgeability. Then, we construct a simulator \({\mathcal {B}}\) to break the CDH assumption. Given the input \((g,g^a,g^b)\), we have the following details of the security game:

  • Setup. \({\mathcal {B}}\) chooses two random oracles \(H_1:\{0,1\}^* \rightarrow {\mathbb {G}}_1\) and \(H_3:\{0,1\}^* \rightarrow {\mathbb {Z}}_p\) and sets \(u=g^b\), where \(b \in _R Z_p\).

  • H-query. H-query aligns with the description provided in Theorem 2’s proof. So, we have \(H_1(F_d||j)=\frac{g^{\mu _{d,j}}}{u^{m_{d,j}}}\) and \(H_3({\sigma }_d)=v_d+a=v'_d\).

  • S-query. During this stage, the signature queries are executed iteratively by \({\mathcal {A}}\) for \(q_s\) instances. Upon querying the \(j^{th}\) block of the abstract file \(F_d\), we have \(H_1(F_d||j)=\frac{g^{\mu _{d,j}}}{u^{m_{d,j}}}\) and \(H_3({\sigma }_d)=v_d+a=v'_d\). \({\mathcal {B}}\) computes \(\sigma _{d,j}\) by calculating

    $$\begin{aligned} \sigma _{d,j}=(\frac{g^{\mu _{d,j}}}{u^{m_{d,j}}})^{v_d+a} \cdot (u^{m_{d,j}})^a=\frac{g^{\mu _{d,j} \cdot (v_d+a)}}{u^{m_{d,j} \cdot v_d}}, \end{aligned}$$

    \(\sigma _{d,j}\) is the response to \(m_{d,j}\)’s signature query.

  • Forgery. In this stage, \({\mathcal {A}}\) aims to forge a tag \(\sigma _{d,j^*}\). With the assistance of the results obtained in H-query, we have

    $$\begin{aligned} \sigma _{d,j^*}=(\frac{g^{\mu _{d,j^*}}}{u^{m_{d,j^*}}})^{v'_d} \cdot (u^{m_{d,j^*}})^a=\frac{g^{\mu _{{d,j^*}} \cdot v'_d}}{u^{{m_{d,j^*}} \cdot v'_d}} \cdot u^{m_{d,j^*} \cdot a}. \end{aligned}$$

    The resolution to the CDH problem has now been identified:

    $$\begin{aligned} u^a=g^{ab}=(\frac{\sigma _{d,j^*} \cdot u^{m_{d,j^*} \cdot v'_d}}{g^{\mu _{d,j^*} \cdot v'_d}})^{\frac{1}{m_{d,j^*}}}. \end{aligned}$$

With this, the simulation and the solution reach their conclusion. The simulation is indistinguishable from a real attack because of the randomness at each stage of the simulation process; these sources of randomness are independently and randomly selected from the perspective of \({\mathcal {A}}\). We assume that \({\mathcal {A}}\) can break the protocol with advantage \(\epsilon\). Leveraging \({\mathcal {A}}\)’s capabilities, \({\mathcal {B}}\) then obtains a solution to the CDH problem with probability \((1 - \frac{q_1}{p})^{q_s} \cdot \epsilon \approx \epsilon\). In this context, \((1 - \frac{q_1}{p})^{q_s}\) represents the probability that the simulation remains consistent, so that \({\mathcal {A}}\)’s attack remains effective. The different randomness employed in the hash and signature queries ensures the success of the simulation: for the same file, the randomness in \(H_1(F_d||j)\) collides only with probability \(\frac{q_1}{p}\). \(\square\)

Theorem 4

The ownership transfer in this protocol is deemed secure. Specifically, in the random oracle model, it is computationally infeasible for any colluding adversary to forge a valid tag belonging to someone else, and the probability of such an occurrence is negligible, as long as the CDH assumption holds.

Proof

The proof methods for the two scenarios are similar: in one, GroupB colludes with Cloud against an honest GroupA; in the other, GroupA colludes with Cloud against an honest GroupB. The only difference lies in \({\mathcal {A}}\)’s attack capabilities (i.e., when GroupB colludes with Cloud, the adversary \({\mathcal {A}}\) gains access to the secret keys of GroupB’s users, whereas when GroupA colludes with Cloud, the adversary \({\mathcal {A}}\) gains access to the secret keys of GroupA’s users). Therefore, we provide the proof for the former and omit the proof for the latter.

Assume the existence of an adversary \({\mathcal {A}}\) capable of compromising the transfer security of GroupA. Then, we construct a simulator \({\mathcal {B}}\) to break the CDH assumption. Given the input \((g,g^a,g^b)\), we have the following details of the security game:

  • Setup. \({\mathcal {B}}\) chooses two random oracles \(H_1:\{0,1\}^* \rightarrow {\mathbb {G}}_1\) and \(H_3:\{0,1\}^* \rightarrow {\mathbb {Z}}_p\) and sets \(u=g^b\), where \(b \in _R Z_p\).

  • H-query. H-query is identical to those presented in Theorem 2’s proof. So, we have \(H_1(F_d||j)=\frac{g^{\mu _{d,j}}}{u^{m_{d,j}}}\) and \(H_3({\sigma }_d)=v_d+a=v'_d\).

  • S-query. This is the same as above, and the final result is

    $$\begin{aligned} \sigma _{d,j}=(\frac{g^{\mu _{d,j}}}{u^{m_{d,j}}})^{v_d+a} \cdot (u^{m_{d,j}})^a=\frac{g^{\mu _{d,j} \cdot (v_d+a)}}{u^{m_{d,j} \cdot v_d}}. \end{aligned}$$
  • Aux-query. We perform \(q_a\) auxiliary queries, where auxiliary parameters are mainly used for regenerating tags. \(W_{1,d}=H_3({\sigma }_d)=v'_d=v_d+a\) for GroupB is from H-query, and \(W_{2,d}=a-x_d\) and \(W_{3,d}=u^{x_d}\), where \(x_d\) is chosen by \({\mathcal {B}}\). GroupB picks \(x_{I,d}^N \in _R Z_p\), then we have

    $$\begin{aligned} {\begin{aligned} W_{4I,d}^N&=H_2(F)^{{sk}'_I},\\ W_{5I,d}^N&={sk}'_I-x_{I,d}^N,\\ W_{6I,d}^N&=u^{x_{I,d}^N}. \end{aligned}} \end{aligned}$$

    Finally, \({\mathcal {B}}\) can compute

    $$\begin{aligned} {\begin{aligned} W_4^N&=H_3(\prod _{I \in mes'}(W_{4I,d}^N)^{\lambda '_I})-W_{1,d}=H_3(H_2(F)^{{sk}'})-v'_d,\\ W_5^N&=\sum _{I \in mes'}\lambda '_IW_{5I,d}^N-W_{2,d}={sk}'-\sum _{I \in mes'}\lambda '_Ix_{I,d}^N-({sk}-x_d),\\ W_6^N&=(W_{3,d})^{-1} \cdot \prod _{I \in mes'}(W_{6I,d}^N)^{\lambda '_I}=u^{\sum _{I \in mes'}\lambda '_Ix_{I,d}^N-x_d}. \end{aligned}} \end{aligned}$$
  • Forgery. At the end, \({\mathcal {A}}\) forges a valid tag, which has not been queried, for a block \(m_{d,j}\) in the file with abstract \(F_{d^*}\) of GroupB. With \(H_1(F_{d^*}||j)=\frac{g^{\mu _{d^*,j}}}{u^{m_{d^*,j}}}\) from the H-query and \(v'_{d^*}\) from the Aux-query, we have

    $$\sigma _{d,j^*}=[H_1(F_{d^*}||j)]^{v'_{d^*}} \cdot (u^{m_{d^*,j}})^a=(\frac{g^{\mu _{d^*,j}}}{u^{m_{d^*,j}}})^{v'_{d^*}} \cdot (u^{m_{d^*,j}})^a=\frac{g^{\mu _{d^*,j} \cdot v'_{d^*}}}{u^{m_{d^*,j} \cdot v'_{d^*}}} \cdot u^{m_{d^*,j} \cdot a}.$$

    The resolution to the CDH problem has now been identified

    $$\begin{aligned} u^a=g^{ab}=(\frac{\sigma _{d,j^*} \cdot u^{m_{d,j^*} \cdot v'_d}}{g^{\mu _{d,j^*} \cdot v'_d}})^{\frac{1}{m_{d,j^*}}}. \end{aligned}$$

With this, the simulation and the solution reach their conclusion. The simulation is indistinguishable from a real attack because of the randomness at each stage of the simulation process; these sources of randomness are independently and randomly selected from the perspective of \({\mathcal {A}}\). We assume that \({\mathcal {A}}\) can break the protocol with advantage \(\epsilon\). Leveraging \({\mathcal {A}}\)’s capabilities, \({\mathcal {B}}\) then obtains a solution to the CDH problem with probability \((1-(\frac{q_1}{p}) \cdot (\frac{q_3}{p}))^{q_s} \cdot \epsilon \approx \epsilon\). In this context, \((1-(\frac{q_1}{p}) \cdot (\frac{q_3}{p}))^{q_s}\) represents the probability that the simulation remains consistent, so that \({\mathcal {A}}\)’s attack remains effective. The different randomness employed in the hash and signature queries ensures the success of the simulation: for different files, the randomness in \(H_1(F_d||j)\) collides with probability \(\frac{q_1}{p}\) and that in \(H_3({\sigma }_d)\) with probability \(\frac{q_3}{p}\). \(\square\)

Theorem 5

The proposed protocol is deemed robust. Robustness implies that our solution is flexible and can resist the presence of dishonest users.

Proof

Firstly, let us analyse the flexibility of our protocol. Recall that during KeyGen of our protocol, each user \(A_{i}\) utilizes private parameter \(\phi _{i0}\) to generate its private and unique polynomial. Subsequently, by broadcasting or securely transmitting some secret information, key sharing \({sk}_{i}\) is generated. In this phase, when honest users detect dishonest users, they can promptly verify it through the Equ. (1) and inform other honest users. The dishonest user can then be excluded before proceeding with key sharing generation. During this process, users do not need to reselect private parameters or generate polynomials, and the polynomial can still be used to generate different key sharings with other groups. Therefore, our protocol demonstrates flexibility.

Secondly, we establish the resilience of our protocol against dishonest users. We consider a scenario where \(D=\{U_i\}_{i\in [1,t-1]}\) represents dishonest users, and \(H=\{U_i\}_{i\in [t,n]}\) represents honest users. In the initial broadcast phase of KeyGen, any user who transmits dishonest information is promptly excluded, as shown in the flexibility analysis. Subsequently, during the public key sharings generation in KeyGen, if a dishonest user fails to compute its public key share, the remaining honest users can collaborate to calculate that user’s public key share using the formula \(pk_i = \prod _{i' \in [1,n]} \prod _{k=0}^{t-1} (C_{i'k})^{i^k}\). Lastly, in the signature sharing generation of TagGen, if fewer than t users are dishonest, two scenarios unfold: first, if they refuse to broadcast their signature sharings, effective signatures can still be generated by the remaining honest users; second, if they generate invalid signature sharings, honest users can verify this through Equ. (3) and Equ. (4). Therefore, the proposed protocol exhibits robustness. \(\square\)

Theorem 6

The proposed protocol exhibits \((R_c,1-(1-R_c)^c)\) detectability, where \(R_c\) denotes the proportion of corrupted data blocks and c represents the number of challenged blocks.

Proof

In this protocol, we assume that the number of data blocks is l and that b of them are corrupted. Thus, the corruption rate of the data blocks is \(R_c=\frac{b}{l}\). Based on these assumptions, we can conclude that the probability of our protocol detecting the corrupted data blocks is no less than \(1-(1-R_c)^c\), where c refers to the number of challenged data blocks. Specifically, \(1-R_c\) represents the probability that a single challenged block is intact, and \((1-R_c)^c\) is the probability that all c challenged data blocks are intact. Thus, \(1-(1-R_c)^c\) is the probability of detecting corruption. \(\square\)
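
For intuition, the bound is easy to evaluate numerically. The short Python sketch below (illustrative only) shows that with a corruption rate of 1%, challenging a few hundred blocks already detects corruption with probability close to 1, independently of the total number of blocks l.

R_c = 0.01                            # corruption rate of the data blocks
for c in (100, 300, 460):             # number of challenged blocks
    print(c, round(1 - (1 - R_c) ** c, 4))   # detection probability
# e.g. c = 460 already gives a detection probability of about 0.99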

Performance analysis

In this section, we conduct numerical and experimental analysis of our protocol. Furthermore, we assess its performance and compare it with the closely related works, including (Huang et al. 2020; Wang et al. 2019; Shen et al. 2020, 2022).

Numerical analysis and comparison

The property comparison is shown in Table 1. Specifically, Huang et al. (2020) considers offline users; however, the transferability of cloud data is not considered. In contrast, Wang et al. (2019), Shen et al. (2020) and Shen et al. (2022) are developed without considering offline users. Moreover, Wang et al. (2019) and Shen et al. (2020) are designed only for single-user data.

Table 1 Property comparison

Table 2 showcases the communication comparison, whereas Table 3 outlines the computation comparison. In these two tables, the variables l, t, n, \(t'\), \(n'\), and q represent the following: l signifies the number of data blocks, t corresponds to the threshold for the number of original owners, n represents the count of original owners, \(t'\) stands for the threshold pertaining to the number of owners after transfer, and \(n'\) indicates the number of owners in the group after transfer. Additionally, q denotes the prime order of \({\mathbb {G}}_1\). For simplicity, we denote modular exponentiation in \(Z_p\), \({\mathbb {G}}_1\), and \({\mathbb {G}}_T\) as \(E_{Z_p}\), \(E_{{\mathbb {G}}_1}\), and \(E_{{\mathbb {G}}_T}\), point multiplication in \(Z_p\), \({\mathbb {G}}_1\), and \({\mathbb {G}}_T\) as \(M_{Z_p}\), \(M_{{\mathbb {G}}_1}\), and \(M_{{\mathbb {G}}_T}\), inversion in \(Z_p\) and \({\mathbb {G}}_1\) as \(I_{Z_p}\) and \(I_{{\mathbb {G}}_1}\), and a bilinear pairing as P. In this comparison, the computational overhead of hash function calculations is not considered because the computational cost of hash functions is small and negligible compared with other resource-consuming operations. Moreover, \(``|\cdot |''\) denotes the bit length.

Table 2 Comparison of communication costs

According to Table 2, the tag uploading of Wang et al. (2019) and Shen et al. (2020) caters exclusively to single-user data, while Huang et al. (2020), Shen et al. (2022) and our protocol are tailored for multi-user data scenarios. In general, because the number of data blocks l is much larger than the number of owners n (or \(n'\)) and the threshold t (or \(t'\)) set for them, and t (or \(t'\)) is set to be much smaller than n (or \(n'\)), Table 2 shows that the tag uploading cost of our protocol is similar to that of Wang et al. (2019) and Shen et al. (2022). In terms of the proof responding, our protocol’s communication cost aligns with that of Shen et al. (2020) and Shen et al. (2022), and it is lower than Wang et al. (2019) and Huang et al. (2020). As Huang et al. (2020) does not have the ownership transfer phase, we only compare it with Wang et al. (2019), Shen et al. (2020) and Shen et al. (2022). For convenience, we denote the party being transferred to as A and the party conducting the transfer as B. According to Table 2, the communication cost of our protocol is slightly higher, in terms of transfer, than that of Wang et al. (2019); Shen et al. (2020), and it is close to Shen et al. (2022). Thus, our protocol provides more functionality, and it is achieved with moderate communication costs.

Table 3 Comparison of computational costs

According to Table 3, we can see that the computational costs of tag generation for Wang et al. (2019),Shen et al. (2020) and Shen et al. (2022) are linearly correlated with l. However, Huang et al. (2020) and our protocol are also related to the threshold t of the user group. Nevertheless, since t is much smaller than l, the computational costs of tag generation for these protocols are similar. Furthermore, the computational cost of auditing (comprising proof generation and proof verification) is influenced by c, while other factors have little impact, so the consumption gap for each scheme is not significant. Recall that Huang et al. (2020) does not consider the transferability, so in the following stages, we only compare protocols (Wang et al. 2019; Shen et al. 2020, 2022) and ours. In the process of token generation and tag recomputation, due to the fact that t and \(t'\) in our scheme are much smaller than l and n, the computational cost of our protocol is lower than that of Wang et al. (2019) and Shen et al. (2022), and it is very close to that of Shen et al. (2020). We will elaborate on the computational costs through experiments in the next subsection.

Experimental analysis and comparison

Based on the GNU Multiple Precision Arithmetic (GMP) Library 6.1.2 and the Pairing-Based Cryptographic (PBC) Library 0.5.14, we perform a few experiments on a Dell Laptop G3 3590 equipped with an Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, 8.00 GB RAM and the Windows 11 operating system. In the experiments, we assume \(|q| = 160\) for the sake of analysis, and for ease of statistical tracking, we assume \(t = t'\) and \(n = n'\). We repeat the experiments 10 times, and collect and report the average results. Then, we plot the figures using MATLAB R2018b.

Fig. 2 Time cost of single-user tag generation

Fig. 3 Time cost of multi-user tag generation

Fig. 4 Time cost of single-user data auditing

Fig. 5 Time cost of multi-user data auditing

Fig. 6 Time cost of single-user ownership transfer

Fig. 7 Time cost of multi-user ownership transfer

According to Fig. 2, we can see that in the case of a single user (\(n=t=1\)), as analyzed in the tag generation row of Table 3, the time cost of all protocols increases linearly with l, and their time costs are very close to each other. However, our protocol achieves more functionality compared to Huang et al. (2020), Wang et al. (2019) and Shen et al. (2020, 2022). The multi-ownership scenario is analysed in Fig. 3. Specifically, in Fig. 3, with the number of data blocks l fixed at 2000, we can see how the tag generation time costs of Huang et al. (2020) and our protocol vary with the threshold setting. As analyzed in Table 3, in our protocol the time cost is additive with respect to the threshold t and the number of data blocks l, whereas in Huang et al. (2020) they exhibit a multiplicative relationship. In cases where the threshold t is significantly smaller than l, the variation of t has little impact on the time cost of our tag generation phase but can significantly affect that of Huang et al. (2020).

The experimental results of auditing (comprising proof generation and proof verification) are shown in Fig. 4 and Fig. 5, illustrating how the time expenditure fluctuates with variations in c. Specifically, as analyzed in Table 3, the time cost of the audit phase in these five protocols is primarily influenced by parameters c and t. However, since t is significantly smaller than c, the effect of t on the final outcome is minimal. Consequently, the results depicted in Fig. 4 show little discrepancy in the auditing time cost among the five protocols. Additionally, as discussed in Table 3, it is worth noting that different threshold settings do not have any impact on the time cost of the audit phase in Huang et al. (2020) and our protocol.

Since Huang et al. (2020) does not provide ownership transfer, it is excluded from the comparative experiments on transfer time. Moreover, since Wang et al. (2019) and Shen et al. (2020) only support the single-user scenario, we first compare the ownership-transfer time of Wang et al. (2019), Shen et al. (2020, 2022) and our protocol in the single-user scenario; the results are shown in Fig. 6. There is little difference in the ownership-transfer time among these protocols in the single-user scenario. Shen et al. (2022) is slightly slower than ours because it additionally requires sending the tag back to GroupB for computation. We then compare the ownership-transfer time of Shen et al. (2022) and our protocol in the multi-user scenario, with the results shown in Fig. 7. From the analysis in Table 3, the ownership transfer in Shen et al. (2022) requires the participation of all n users, whereas our protocol only requires t users, where \(t < n\). Consequently, as Fig. 7 shows, the ownership-transfer time of our protocol is lower than that of Shen et al. (2022).
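
The reason t users suffice is the standard threshold reconstruction that (t, n)-threshold signatures build on: any t shares determine the underlying degree-(t-1) polynomial via Lagrange interpolation. The sketch below is a minimal, generic illustration of this principle over a toy prime field, not the exact token-generation algorithm of our protocol.

```python
# Minimal Shamir-style (t, n)-threshold reconstruction over a toy prime
# field, showing why any t of the n participants suffice.
q = 2**127 - 1  # toy prime modulus (the protocol itself uses a 160-bit group order)

def lagrange_coeff(i, participant_ids, q):
    """Lagrange coefficient of participant i, evaluated at x = 0."""
    num, den = 1, 1
    for j in participant_ids:
        if j != i:
            num = num * (-j) % q
            den = den * (i - j) % q
    return num * pow(den, -1, q) % q

def reconstruct(shares, q):
    """Recombine any t shares {id: f(id)} of a degree-(t - 1) polynomial."""
    ids = list(shares)
    return sum(shares[i] * lagrange_coeff(i, ids, q) for i in ids) % q

# Example with t = 2: secret 42 shared via f(x) = 42 + 7x; any 2 shares suffice.
f = lambda x: (42 + 7 * x) % q
assert reconstruct({1: f(1), 3: f(3)}, q) == 42
assert reconstruct({2: f(2), 5: f(5)}, q) == 42
```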

Through the performance analysis, we can see that the communication cost, computational cost, and corresponding time cost of our protocol are similar to those of the other protocols in the single-user scenario. However, compared to the related protocols, our approach additionally supports multi-user scenarios and tolerates offline users.

Conclusion

In cloud EMRs applications, the data needs to be audited, and in certain scenarios the ownership of cloud EMRs data may need to be transferred. Completing these operations securely and efficiently is not a trivial task. Motivated by these observations, this paper introduces a cloud EMRs auditing protocol with decentralized (t, n)-threshold ownership transfer. Our main contribution lies in the fact that users in the non-manager group (i.e. the decentralized setting) do not need to be online simultaneously: as long as t out of n users execute the required operations, the ownership of cloud EMRs data can be securely transferred. In addition, the security of the proposed protocol is proved in terms of correctness, soundness, unforgeability, secure transferability, robustness, and detectability. Moreover, we assess the performance of our protocol via numerical and experimental analysis and compare it with closely related works (Huang et al. 2020; Wang et al. 2019; Shen et al. 2020, 2022). The comparison shows that our protocol offers more functionalities without introducing extra resource consumption.

Limitations

A drawback of our protocol lies in the potential waste of computational resources during tag generation. In our protocol, an aggregator generates tags once it has been provided with t (a preset threshold) valid signature shares. In real-life scenarios, however, more than t users (denoted as T) may generate valid signature shares; when this happens, the computation spent on the extra \(T-t\) signature shares is wasted. Additionally, the security of our protocol is proven in the random oracle model. It is widely acknowledged that the random oracle model is an idealized construct and that no real hash function perfectly instantiates it. Therefore, in future work we aim to design a new protocol that can be proved secure in other models, such as the standard model.
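
As a concrete illustration of this aggregation step, the sketch below (with a hypothetical `verify_share` predicate standing in for the protocol's share-verification check) shows the aggregator accepting the first t valid shares and ignoring the rest, which is exactly where the \(T-t\) surplus computations go to waste.

```python
# Sketch of the aggregation step discussed above.  `verify_share` is a
# hypothetical placeholder for the protocol's share-verification check; the
# aggregator stops at the first t valid shares, so any further valid shares
# (T - t of them) represent wasted computation on the contributors' side.
def collect_shares(incoming_shares, t, verify_share):
    accepted = []
    for user_id, share in incoming_shares:
        if verify_share(user_id, share):
            accepted.append((user_id, share))
            if len(accepted) == t:
                break  # later valid shares are never used
    if len(accepted) < t:
        raise RuntimeError("fewer than t valid shares were received")
    return accepted
```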

Availability of data and materials

Not applicable.

References

  • Ateniese G, Burns R, Curtmola R, Herring J, Kissner L, Peterson Z, Song D (2007) Provable data possession at untrusted stores. In: Proceedings of the 14th ACM conference on computer and communications security, pp 598–609

  • Ateniese G, Di Pietro R, Mancini LV, Tsudik G (2008) Scalable and efficient provable data possession. In: Proceedings of the 4th international conference on security and privacy in communication netowrks, pp 1–10

  • Azaria A, Ekblaw A, Vieira T, Lippman A (2016) MedRec: using blockchain for medical data access and permission management. In: 2016 2nd international conference on open and big data (OBD). IEEE, pp 25–30

  • Cerchione R, Centobelli P, Riccio E, Abbate S, Oropallo E (2023) Blockchains coming to hospital to digitalize healthcare services: designing a distributed electronic health record ecosystem. Technovation 120:102480

  • Erway CC, Küpçü A, Papamanthou C, Tamassia R (2015) Dynamic provable data possession. ACM Trans Inf Syst Secur (TISSEC) 17(4):1–29

  • Fu A, Yu S, Zhang Y, Wang H, Huang C (2017) NPP: a new privacy-aware public auditing scheme for cloud data sharing with group users. IEEE Trans Big Data 8(1):14–24

  • Gai C, Shen W, Yang M, Yu J (2023) PPADT: privacy-preserving identity-based public auditing with efficient data transfer for cloud-based IoT data. IEEE Internet Things J 10(22):20065–20079

  • Han J, Li Y, Chen W (2019) A lightweight and privacy-preserving public cloud auditing scheme without bilinear pairings in smart cities. Comput Stand Interfaces 62:84–97

  • Huang L, Zhou J, Zhang G, Sun J, Wei T, Yu S, Hu S (2020) IPANM: incentive public auditing scheme for non-manager groups in clouds. IEEE Trans Dependable Secure Comput 19(2):936–952

  • Juels A, Kaliski Jr BS (2007) PORs: proofs of retrievability for large files. In: Proceedings of the 14th ACM conference on computer and communications security, pp 584–597

  • Li J, Tan X, Chen X, Wong DS, Xhafa F (2014) OPoR: enabling proof of retrievability in cloud computing with resource-constrained devices. IEEE Trans Cloud Comput 3(2):195–205

  • Lin C, Huang X, He D (2023) Efficient blockchain-based electronic medical record sharing with anti-malicious propagation. IEEE Trans Serv Comput

  • Liu J, Li X, Ye L, Zhang H, Du X, Guizani M (2018) BPDS: a blockchain based privacy-preserving data sharing for electronic medical records. In: 2018 IEEE global communications conference (GLOBECOM). IEEE, pp 1–6

  • Rai BK (2023) PcBEHR: patient-controlled blockchain enabled electronic health records for healthcare 4.0. Health Serv Outcomes Res Methodol 23(1):80–102

  • Sarkar A, Sarkar M (2021) Tree parity machine guided patients privileged based secure sharing of electronic medical record: cybersecurity for telehealth during covid-19. Multimedia Tools Appl 80:21899–21923

  • Shacham H, Waters B (2013) Compact proofs of retrievability. J Cryptol 26(3):442–483

  • Shen J, Zhou T, Chen X, Li J, Susilo W (2017) Anonymous and traceable group data sharing in cloud computing. IEEE Trans Inf Forensics Secur 13(4):912–925

  • Shen W, Yu J, Xia H, Zhang H, Lu X, Hao R (2017) Light-weight and privacy-preserving secure cloud auditing scheme for group users via the third party medium. J Netw Comput Appl 82:56–64

  • Shen J, Chen X, Wei J, Guo F, Susilo W (2022) Blockchain-based accountable auditing with multi-ownership transfer. IEEE Trans Cloud Comput

  • Shen J, Guo F, Chen X, Susilo W (2020) Secure cloud auditing with efficient ownership transfer. In: Computer Security–ESORICS 2020: 25th European symposium on research in computer security, ESORICS 2020, Guildford, UK, September 14–18, Proceedings, Part I 25. Springer, pp 611–631

  • Tian H, Chen Y, Chang C-C, Jiang H, Huang Y, Chen Y, Liu J (2015) Dynamic-hash-table based public auditing for secure cloud storage. IEEE Trans Serv Comput 10(5):701–714

  • Wang Q, Wang D (2023) Understanding failures in security proofs of multi-factor authentication for mobile devices. IEEE Trans Inf Forensics Secur 18:597–612

  • Wang C, Chow SS, Wang Q, Ren K, Lou W (2011) Privacy-preserving public auditing for secure cloud storage. IEEE Trans Comput 62(2):362–375

  • Wang B, Li B, Li H (2013) Panda: Public auditing for shared data with efficient user revocation in the cloud. IEEE Trans Serv Comput 8(1):92–106

  • Wang Y, Wu Q, Qin B, Shi W, Deng RH, Hu J (2016) Identity-based data outsourcing with comprehensive auditing in clouds. IEEE Trans Inf Forensics Secur 12(4):940–952

  • Wang Y, Wu Q, Qin B, Tang S, Susilo W (2017) Online/offline provable data possession. IEEE Trans Inf Forensics Secur 12(5):1182–1194

  • Wang H, He D, Fu A, Li Q, Wang Q (2019) Provable data possession with outsourced data transfer. IEEE Trans Serv Comput 14(6):1929–1939

  • Wang F, Xu L, Li J, Choo K-KR (2020) Lightweight public/private auditing scheme for resource-constrained end devices in cloud storage. IEEE Trans Cloud Comput 10(4):2704–2716

  • Wang C, Wang D, Duan Y, Tao X (2023) Secure and lightweight user authentication scheme for cloud-assisted internet of things. IEEE Trans Inf Forensics Secur 18:2961–2976

  • Wang Q, Wang D, Cheng C, He D (2023) Quantum2fa: efficient quantum-resistant two-factor authentication scheme for mobile devices. IEEE Trans Dependable Secure Comput 20(1):193–208

  • Wu S, Du J (2019) Electronic medical record security sharing model based on blockchain. In: Proceedings of the 3rd international conference on cryptography, security and privacy, pp 13–17

  • Yang G, Yu J, Shen W, Su Q, Fu Z, Hao R (2016) Enabling public auditing for shared data in cloud storage supporting identity privacy and traceability. J Syst Softw 113:130–139

  • Zhu Y, Wang H, Hu Z, Ahn G-J, Hu H, Yau SS (2011) Dynamic audit services for integrity verification of outsourced storages in clouds. In: Proceedings of the 2011 ACM symposium on applied computing, pp 1550–1557

Acknowledgements

The authors would like to thank the reviewers for their valuable time.

Funding

This work is supported by the National Natural Science Foundation of China (No. 61902289, No. 62202102, No. 61972096), the University-Industry Cooperation Project of Fujian Provincial Department of Science and Technology (2022H60250), the National Technology Development Project in Fujian province (No. 2023L3007), Key Projects of Scientific and Technological Innovation in Fujian Province (No. 2022G02003), and the Natural Science Foundation of Fujian Province (No. 2023J01534).

Author information

Contributions

The design of the proposed protocol: WYM, the security proof: WYM, YWJ and ZYX, the experimental deployment and analysis: YAY and XL, revising the manuscript: WYM and ZYX. All authors have read and agreed to the published version of the manuscript.

Corresponding author

Correspondence to Yuexin Zhang.

Ethics declarations

Competing interests

All authors declare no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

About this article

Cite this article

Wang, Y., You, W., Zhang, Y. et al. Cloud EMRs auditing with decentralized (t, n)-threshold ownership transfer. Cybersecurity 7, 53 (2024). https://doi.org/10.1186/s42400-024-00246-4

  • DOI: https://doi.org/10.1186/s42400-024-00246-4

Keywords