JOURNAL OF NETWORKS, VOL. 6, NO.

7, JULY 2011

1033

Provable Data Possession of

Resource-constrained Mobile Devices in Cloud
Computing
Jian Yang1,2
1College of Electronic and Information Engineering, Tongii University, Shanghai 201804, China
2College of Mathematics and Computer Science, Dali University, Dali, Yunnan 671003, China
Email: sbjc1215@126.com
Haihang Wang1, Jian Wang1,3, Chengxiang Tan1 and Dingguo Yu1
1College of Electronic and Information Engineering, Tongii University, Shanghai 201804, China
3College of Electronics & Information Engineering, Henan University of Science & Technology, Luoyang,
China
Email: wanghh@sh163.net, wangjian_migi@sina.com, cxtan@trimps.ac.cn, zjydg@163.com

AbstractBenefited from cloud storage services, users can

save their cost of buying expensive storage and application
servers, as well as deploying and maintaining applications.
Meanwhile they lost the physical control of their data. So
effective methods are needed to verify the correctness of the
data stored at cloud servers, which are the research issues
the Provable Data Possession (PDP) faced. The most
important features in PDP are: 1) supporting for public,
unlimited numbers of times of verification; 2) supporting
for dynamic data update; 3) efficiency of storage space and
computing. In mobile cloud computing, mobile end-users
also need the PDP service. However, the computing
workloads and storage burden of client in existing PDP
schemes are too heavy to be directly used by the
resource-constrained mobile devices. To solve this problem,
with the integration of the trusted computing technology,
this paper proposes a novel public PDP scheme, in which the
trusted third-party agent (TPA) takes over most of the
calculations from the mobile end-users. By using bilinear
signature and Merkle hash tree (MHT), the scheme
aggregates the verification tokens of the data file into one
small signature to reduce communication and storage
burden. MHT is also helpful to support dynamic data
update. In our framework, the mobile terminal devices only
need to generate some secret keys and random numbers
with the help of trusted platform model (TPM) chips, and
the needed computing workload and storage space is fit for
mobile devices. Our scheme realizes provable secure storage
service for resource-constrained mobile devices in mobile
cloud computing.
Index Termsbilinear signature, merkle hash tree, provable
data possession, mobile computing, cloud computing,
trusted computing

2011 ACADEMY PUBLISHER

doi:10.4304/jnw.6.7.1033-1040

I. INTRODUCTION
In cloud computing, multi-tenants share the external
resources of computing and storage, which allows
enterprises and individuals get on-demand computing or
storage services from cloud service providers(CSP), such
as Amazons S3 and Googles App Engine, and no
longer maintain their local physical machines. However,
In this new model, the users put their data on the cloud
storage servers maintained by service providers, which
deprives the users of their control of the physical
possession of data, even though they are the owners of
the data. In this case, some new security needs and
problems have arisen. At the same time, when ones data
are outsourced, he wants to know whether the data is
truly stored at the correct servers and be intact as stated in
the Service Level Agreement (SLA). In addition, in
multi-layer cloud services framework, higher layer cloud
applications need lower layer services (such as storage
service or virtual machine image service).In this
circumstance, higher layer CSP needs effective methods
to verify the basic storage services provided by lower
CSP. It is the problem that the important direction of the
current research field in cloud computing - provable data
possession (PDP) wants to solve. On the basis of PDP,
if servers ensure the clients can retrieve correct data files
with the help of erasure codes, such as Reed-Solomon
codes, the services are named as Proofs of Retrievability
(POR).
The first solutions to this issue are proposed by
Deswarte et al. [1] and Filho et al.[2], which both use
RSA-based functions to hash the whole data file for every
verification challenge. Obviously, both of them are

1034

inefficient for big data files, which need more time to

compute and transfer their hash values. Ateniese et al. [3]
proposed a formal definition and related operations of the
PDP model. They use some homomorphic tokens in the
encoded file to help verify whether the file was tampered
without any legal authentication. Juels et al. [4] formally
put forward the protocol structure and security framework
of the POR model and proposed a method to detect
unauthorized changes of data by adding some sentinels
randomly in the original files. But the above schemes
only have limited times of verification operations and do
not support public verification. On the basis of the
security model in [4], Shacham et al. [5] designed an
improved scheme to realize public data possession
verification by using bilinear signature. But in their
framework, the number of the authentication tokens
stored on the server is proportional to the number of data
blocks, and it only is fit for static file storage. Similar to
[5], Wang et al. [6] uses Merkle hash tree (MHT) to build
verification tags stored at the servers and support
dynamic data update. They treat the leaf nodes of MHT
as the left-to-right sequence so that the locations of error
data can be detected.
From another perspective, with the prevalence of the
3G and 4G wireless communication networks, the mobile
devices, such as mobile phones, PDA, also want to share
the benefits introduced by the cloud on-demand storage
and computing service. But the traditional mobile
terminals are resource-constrained devices (with low
CPU frequency and small memory) and can not use the
existing PDP schemes directly, which require clients
encode files with erasure codes, divide encoded files into
blocks and sign on every data blocks. Those operations
on large files are intolerable in our mobile computing
clients. How to solve this problem is the main goal of our
work.
A.

Our Contribution
Combined with bilinear map and the well-studied
authentication structure-MHT, this paper addresses to
design a storage service model with public provable data
possession in mobile computing environment. To achieve
public verifiability in this environment, we need a trusted
third-party auditor (TPA) to do most of the calculation
works done by the clients in other PDP schemes.
Specifically, our contribution in this paper can be
summarized as the following two aspects:
We use trusted computing technology for the
mutual authentication between the end-users and
the TPA so that the most computations of the
end-users can be done by TPA. The end users
only need to generate some passwords and a
small amount of random numbers, which can be
done by the TPM chips embedded in their
machines.
We improve the existing PDP schemes
(especially the work proposed in [6]) with
bilinear mapping signature to make them fit for
the mobile computing environment. To the best
of our knowledge, our scheme is the first storage
framework in mobile cloud computing to support
2011 ACADEMY PUBLISHER

JOURNAL OF NETWORKS, VOL. 6, NO. 7, JULY 2011

the stateless verification, public provable data

possession, dynamic data update, and is provably
secure in random oracle model.
B.

Paper Structure
The rest of the paper is organized as follows. Section II
introduces the related works. Then we provide the
description of our scheme in Section III, including model
structure, notation and preliminaries, important functions
and detailed implement of our scheme. Section IV gives
the security analysis and performance evaluation,
followed by Section V which gives the concluding
remark of the whole paper and overviews the related
work finally.
II. RELATED WORKS
Ateniese et al. [3] proposed the first formal definition
of the PDP model and related operations, functions. In
their system some homomorphic verifiable tags are used
to verify data file. Juels et al. [4] proposed a formal
definition of POR and its security model. After being
encrypted and divided into small data blocks, which are
encoded with Reed-Solomon codes, the data file is added
into some "sentinels to detect whether it was intact.
However, the both schemes don not support dynamic data
update and can only verify limited times because that the
two schemes only have finite number of the sentinels in
a file. When the finite sentinels are exhausted, the file
must be send back to the owner to re-compute new
sentinels. In their improved work, Ateniese et al. [7]
proposed a new scheme with homomorphic linear
authenticators (HLA), of which communication
complexity is independent of the file length. Though the
scheme supports infinite times of verification, it can not
verify publicly.
Chang et al. [8] proposed a remote identity check
scheme. By using redactable signature (a kind of
homomorphic signature scheme proposed in [9]), a
redactor can calculate a effective signature on a redacted
message x without knowing the private key. This idea
can be used in a third-party verification scheme and
verifier does not need to know the private key. Shacham
et al. [5] proposed two POR schemes: the first uses
bilinear signature, and is provable secure and efficient in
the random oracle model. The second depends on
pseudo-random function and bilinear map, and is
provable secure in the standard model. Both schemes rely
on the homomorphic property--aggregating the
verification proofs into a small value. However, the
above two methods are not aware of the users privacy
preserving in public audit.
An effective public PDP scheme should have the two
important following properties [10]:
To allow a TPA to verify the correctness and
integrity of the data without retrieving a copy of
the whole data or introducing additional on-line
burden to the clients.
To avoid introducing new vulnerabilities to the
privacy of the data.

JOURNAL OF NETWORKS, VOL. 6, NO. 7, JULY 2011

Wang et al. [6, 10] discussed the privacy protection in

public audit. In their framework, the third-party audit
protocol with the privacy preserving is independent of
data encryption. By using homomorphic authenticator
and random masking, the scheme conceals the content of
the original data from TPA and TPA can perform
multiple auditing tasks in a batch manner.
Erway et al. [11] is the first to support dynamic data
update by using rank-based verification skip list in cloud
servers. The most similar PDP scheme to ours was
proposed by Wang et al. [6], which is also our works
basis. Their scheme supports public data possession
verification and dynamic data update at the same time. It
improves the previous PDP models by using the classical
MHT and enables TPA to complete privacy-preserved
data integrity check with the support of dynamic data
update. This method does not require user's real-time
participation in the cloud, and avoids the leakage of
users privacy. However, it still requires the user to
calculate initial verification tokens of the files, which is
not suitable for this papers application environment.
If the TPA takes over a large number of computing
works of the mobile end-users, first of all, the TPA
should achieve mutual authentication with the end-users,
and establish a secure transmission channel on this basis.
A feasible method is to take the advantage of the trusted
computing technology, which is a mature technology, but
has few successful applications applied in the cloud
computing and few concrete frameworks designed. EMC
China lab collaborated with Fudan University, Huazhong
University of Science and Technology, Tsinghua
University and Wuhan University to carry out a research
projects on trusted virtual infrastructure, named Daoli
[12]. The research project is committed to tenants
isolation and protection platform provider away from
attacks by malicious tenants in multi-tenant cloud
computing environments. Combination trusted computing
with virtualization technologies to enhance the security of
computing platforms, makes cloud service providers
being able to provide virtual private cloud (VPC) services
in public cloud. In [13], the authors discussed how to use
TCB for security enhancements in Xena famous
open-sourced virtual machine monitor can be used in
cloud computingand described how this method is used
to achieve "trusted virtualization" and enhance the
security of the virtual TPM. They moved the new VM
creation function to a small trusted VM out of Dom0.
This method has two main goals: the one is to reduce and
bound the size of TCB in Xen-based systems, especially
remove the user space in Dom0 from the TCB, to
enhance security. Another one is that if we suppose TCB
were security, the new VM would have maintained the
same attributes of the security and integrity with physical
machine. The privacy manager discussed in [14] uses
TPM to manage privacy keys required in privacy
protection. Trusted computing technology to the IaaS
cloud computing systems was introduced in [15]. In
Eucalyptus, for example, the authors used a Trusted
Coordinator (TC) (maintained by an external trusted
entity) to combine unreliable cloud Manager (CM) with a

2011 ACADEMY PUBLISHER

1035

number of trusted nodes in order to form its main

architecture. This framework ensures the safety of the
customers VM, allows users to verify the IaaS service
providers and determine whether the services are security
before they start VM.
However, about the combination with trusted
computing and cloud computing, the schemes mentioned
above did not enhance the security and integrity of the
cloud storage services with the provable data possession,
which is a critical measure to enhance the user's
confidence in using the cloud storage services, especially
in wireless mobile computing environment. To the best of
our knowledge, our scheme is the first to explore the
application of PDP scheme in mobile computing
environment combined with the trusted computing.
III. OUR SCHEME
A. Model Structure
System participants: as shown in Figure 1, in our
resource-constrained public provable data possession
scheme of the cloud storage service, there are three main
participants: 1)client, i.e. mobile end-user, which has a
TPM chip and stores data files in the cloud, and expects
to get trusted storage validation; 2) trusted third party
auditor (TPA), which is credible for clients and take the
main file encryption and authentication tasks required
during the process of the scheme; 3) cloud storage service
provider (CSP), which has a large capacity of storage and
provides the users with storage services and the proof of
data possession when needed.
In the mobile computing environment, the clients
computing and storage capacity is very limited, but it has
the ability to use its TPM chips to produce and store
secret keys. The TPA is acted by a service agent located
between the mobile access point and the gateway of the
IP network services. The TPA should have high
performance of computing but limited storage space,
which is only for small part of the information of the
clients and the current session message. In addition, it
should connect securely with the client for providing
services. Through Internet, the CSP provides
high-capacity, redundant storage services. Generally

Fig.1. System structure model

speaking, the CSP is an unsafe, even malicious entity.
That is to say, for some financial benefits, it is possible to

1036

read, tamper or delete the user's original files, even to

forge the proof of the data possession. So the files should
be encrypted before sending to the CSP. In this paper, we
assume all parties communicate through secure, reliable,
authenticated channels for all phases
Security goal: In this system, the client and the TPA
need to establish a secure link. On the basis of security of
the underlying communication link between the mobile
terminal and the TPA, firstly, through the Diffie-Hellman
key exchange protocol, the scheme generates a symmetric
key for data exchange. Except for some necessary keys
and random values, the client does not perform additional
computation works, which are taken over by the TPA.
The scheme is secure under the random oracle model and
our security model is based on the one proposed in [6].
Design goal: The scheme has three design goals
shown as followed.
public provable data possession: to allow a
verifier, not just the data owner or users, to have
the capability to verify the correctness of the
stored data on demand;
stateless verification: to generate the proofs of
data possession according to the challenge
produced randomly by the verifier, not to the
persistent information maintained by some
entities;
resource-constrained mobile environment support:
to allow end-user just to generate and store the
keys by utilizing TPM chip instead of doing lots
of computing works, which are done by the TPA
now;
trusted computing technology applying: to build a
trusted channel between the TPA and the client,
then use it to transfer the related messages and
authorize the TPA to complete those works for
reduce the clients workload.
B. Notation and Preliminaries
Diffie-Hellman
protocol.
Diffie-Hellman
key
exchange protocol is one of the most famous schemes in
cryptography, which mainly utilize the discrete log
problem to safely exchange a shared symmetric key
through an unsecured channel. By using this method, the
end-user and the TPA can share a symmetric key so that
the data files, asymmetric keys and the information of the
verification can be transferred safely after being
encrypted by this key.
Merkle hash tree. A Merkle Hash Tree (MHT) is a
well-studied authentication structure [16], which can
efficiently and securely prove that a set of data blocks are
undamaged and unaltered. It is constructed as a binary
tree where the leaves in the Merkle hash tree are the hash
values of authentic data. During the process of the
verification, the verifier only needs check whether the
root value of the tree is tampered. In the archive [6], their
scheme treats the leaf nodes as the left-to-right sequence
for getting the positions of error data blocks. For the sake
of simplicity, in our scheme, MHT tree leaf nodes only
store the hash of data blocks.

2011 ACADEMY PUBLISHER

JOURNAL OF NETWORKS, VOL. 6, NO. 7, JULY 2011

Bilinear map. A bilinear map is a map eG1G1G2,

where G1 is a Gap Diffie-Hellman group and G2 is a
multiplicative cyclic group with a big prime order p. It
has the following properties:
Computable: there exists an efficiently
computable algorithm for computing the map;
Bilinear: for all h1,h2G1 and a,bZp,

e(h1a , h2b ) e(h1 , h2 ) ab ;

Non-degenerate: e( g , g ) 1 , where g is a
generator of G1.

C.

Some Important Procedures:

Improved from [4, 6, 17], our secure storage system
with provable data possession contains the following
functions:
KenGen(1k) (pk,sk) : This algorithm takes as input
initial secure parameter 1k, and returns the public key pk
and the private key sk. In our scheme, the end-user
generates and maintains the keys in TPM chip.
Encapek(F) F: The TPA uses this algorithm to
encrypt the raw file F with the seal key ek and encode it
with erasure codes. It returns the sealed file F.
SigGen_Clientsk (F) Sigsk (H(R)): This algorithm is
run by end-users. It takes as input the hash value of the
root of the MHT and outputs its signature as a metadata.
SigGen_TPA(F) : This algorithm is run by TPA.
It takes as input each data blocks {mi} of the sealed file
F, and outputs the signature collection = { i } on
{mi}.
GenProof(chal, F, Sigsk(H(R)), ) (P): This
algorithm is run by the storage server. It takes as input the
verification challenge message chal generated by TPA,
the stored file F, the metadata signature and the signature
set , and returns the possession proof P.
Verify(P, chal) {TRUE|FALSE}: By run this
algorithm, according to the random challenge chal, the
proof P returned from the server and some metadata of
the end-user, the TPA verify the correctness of the data
file, and outputs TRUE if the integrity of the file is
verified as correct, or FALSE otherwise.
Decapdk(F) F: The end-user request to extract a file
F, and the TPA retrievals the corresponding sealed file F
from the cloud, decodes and decrypts the file to get F
with the decryption key (dk), then sends F to the
end-user.
D.

Detailed Implementation
For implementing the public provable data possession
of the cloud storage service in our background, first of all,
a trusted communication channel should be build between
the TPA and the mobile end-user, which needs mutual
remote identification. This issue will be discussed more
detail later in this paper. After mutual identification, by
utilizing the Diffie-Hellman key exchange protocol, the
TPA and the end-user negotiate a symmetric key for the
exchange of other information in this scheme.
Now we start to present the main idea of our scheme.
According to the model defined in [4, 6, 10, 17], we
assume the raw data file F is first encrypted by the key

JOURNAL OF NETWORKS, VOL. 6, NO. 7, JULY 2011

(ek) and encoded into F using erasure codes, then the F

is divided into N blocks {mi}, where miZp and 1iN.
Let e: G1G1G2 be a bilinear map, which has a big
prime order p and a generator g of group G1. Let H:
{0,1}* G1 is a hash function. The main procedure of
our scheme is as follows:
Setup: In this phase, we assume the end-user has
already completed the remote identification with the TPA
by using TPM and set up a trusted communication
channel. Through this channel, the phase setup is
executed as Algorithm 1 described:
Algorithm 1 Setup:
1.CTg, g
2.TCg
3.CT {F}

1037

Algorithm 2 Verify
1.TSchal={(i, vi)}, where 1ic
2.STproof={,,(H(mi),i), Sigsk (H(R))} , where 1ic
3.TCVerify(,, (H(mi),i) ,Sigsk (H(R)) ,chal)={true , false}

The challenge message chal is generated by TPA.

The TPA chooses c random numbers in the set [1, N] to
constitute a sequence subset I. For each iI, the TPA
picks a random element viZp. The challenge message
chal sent to CSP is composed of the number i and the
corresponding vi. On receiving the chal, the CSP runs
GenProof(chal, F, Sigsk (H(R)), ) to generate the
proof, which includes the corresponding hash value H(mi)
of the data blocks {mi} for every iI and the additional
information i for rebuilding the root H(R) of the MHT.
In addition, the CSP also computes the following two
values as a part of the proof:
c

4.TC { H ( R ) }

{ dk }

vi mi Z p

i 1

5.CTSigsk (H(R)) = (H(R))

and

ivi G1

4.TS Sigsk (H(R)), F={mi}, ={i}, where 1iN, i

=[H(mi)umi]

C represents for the Client, T for the trusted third-party

agent and S for the cloud storage server

i 1
.
After receiving the proof, the TPA runs Verify(*), and
sends the result back to the client. The main goal of the
function Verify(*) is to test whether the following two
equations is correct:

e(Sig sk (H(R)), g) ? e(H(R), g )

The first two steps of algorithm 1 are to complete

Diffie-Hellman key exchange. After this, the client and
the TPA share a symmetric key g . Then the client
encrypts the original file F with this key and sends it to
the TPA.
Received the original file F from the client, a pair of
asymmetric keys (ek, dk) are generated by invoking
KenGen(*), where (ek) is for encrypting the file and (dk)
for decrypting after retrieval. By calling Encapek(F), the
TPA encrypts the file, divides it into small blocks and
encodes the data blocks with erasure codes. After doing
these, the TPA gets N blocks {mi} (1iN) as the stored
file F. Then, the TPA calculates H(R), the hash value of
the root of the MHT, of which the leaves are the hash of
the corresponding mi. At last of this turn, the TPA sent
the value H(R) and dk to the client encrypted with the

(1)

e( , g ) ? e( ( H (mi ) vi u , g )

i1
. (2)
If so, the Verify(*) returns TRUE; otherwise FALSE.
File retrieval: Before retrieval, the client and the TPA
should negotiate a symmetric session key Ks through
Diffie-Hellman key exchange protocol. Then, shown as
algorithm 3, the client sends the decryption key (dk)
encrypted by Ks to the TPA and the TPA request the CSP
for extracting the file F. The CSP sends F to the TPA.
Then the TPA runs Decapdk(F) to get the raw file F and
send F to the end-user through a secure communication
channel.

Algorithm 3 Retrieval

shared key g .
By running SigGen_Client sk (F), the client signs H(R)
and sent the signature of H(R) back to the TPA. The TPA
calls SigGen_TPA(F) to calculate the signature
collections of each blocks of F, then sends {Sigsk (H(R)),
F, } to the cloud storage servers. In algorithm 1, u is a
element in G1 chosen randomly by the TPA.
Integrity verification: This phase starts from the client
or the TPA by sending a verification challenge to the
cloud storage service provider (CSP). According to the
challenge, the CSP computes the proof of verification and
sends it back to the TPA. After verifying the proof, the
TPA sends the result to the client. The detail process of
verification is shown as the algorithm 2:

2011 ACADEMY PUBLISHER

1.CTRequest(F), {dk}Ks
2.TSRequest(F)
3.STF
4. TCF=Decapdk(F)

Noted that, we do not include the process of

negotiation of the symmetric session key Ks in the above
description of algorithm 3.
E.

Discussions
Remote identification: As stated above, the client and
the TPA use a symmetric key generated through the
Diffie-Hellman protocol to encrypt the original file, the
secret information, the hash value of the root of the

1038

JOURNAL OF NETWORKS, VOL. 6, NO. 7, JULY 2011

Merkle hash tree and some control information

transferred between them. But before that, both of them
need remote mutual identification. On one hand, based on
trusted computing idea, we assume that the TPA is
trusted in mobile computing environment. That is to say,
the client does not need to identify the TPA. On the other
hand, the client is attested by answering the challenge of
TPA with a message signed by the Attestation Identity
Key (AIK), which is created and maintained by the TPM
chip embedded in the clients device. There are lots of
schemes to solve this problem. Because this paper
focuses on the mobile computing, we can adopt the
scheme proposed by Yang et al. [18] to realize the remote
identification in wireless environment.
Verification equation: During the verification phase, if
the information stored at the cloud has not been tampered,
replaced or deleted, according to the properties of bilinear
map, the correctness of Eq. (1) can be elaborated as
follows:

e(Sig sk (H(R)), g) e((H(R)) , g)

e(H(R), g )
And the one of equation (2) can be proved as follows:
c

e( , g ) e( ivi , g )
i 1
c

e( ( H (mi ) u mi )
i 1
c

vi

e( H (mi ) u

vi

mi vi

, g )
,g )

vi

IV. SECURITY AND PERFORMANCE ANALYSIS

A. Security Analysis:
As mentioned above, an important basis of our scheme
is building a secure information transferring channel
between the client and the TPA. The TPA, which we
assume is trusted, can authenticate the client based on
hardware TPM chip embedded in the device of the client.
By using Diffie-Hellman key exchange, the two entities
can share a symmetric key to ensure the data files and
signatures transferred between them are more secure.
Furthermore, the trusted computing technology can also
help them to avoid Man-in-the-middle attack during the
process of the Diffie-Hellman key exchange.
The file transferred between the TPA and the CSP is
encrypted and encoded file F, which avoid the CPS
knowing the content of file and ensure the privacy and
confidentiality of the raw file. The signature structure of
MHT is the basis of keeping the integrity of data. That
the root signature of the MHT is computed by the
end-user can avoid the leakage of the users private key.
As for the security analysis of the bilinear map in PDP
schemes, archives [5-6, 10] have exhaustive description,
so we will not discuss it in detail.
B.

i 1
c

this property. Because in our mobile computing

environment, a lot of calculations on mobile device are
not meaningful, we do not intend to discuss this issue in
detail.

mivi

e( ( H (mi ) ) u i 1

, g )

i 1
c

Performance Analysis:
According algorithm 1 and 2, we can demonstrate the
overall workload of the computing and storage of each
parties in our scheme as followed:
Mobile terminal: stores the private key and
decryption key dk of file; computes the public

vi

key g and the signature Sigsk(H(R)) of the

MHT root H(R).

e( ( H (mi ) ) u , g )
i 1

Data confidentiality: according the proof in [6], that

the equation 1 and 2 are satisfied can ensure the data
stored at the cloud storage servers are correct and intact
under the random oracle model. In additional, for the
privacy and the confidentiality, the TPA encrypts the raw
file with the key (ek) and decrypt with the key (dk) when
it sends and retrieves the file respectively. The
asymmetric key pair (ek, dk) is created by the TPA.
Because the TPA maybe need provider the verification
service for multi-user in a real circumstance, according to
the TPM main specification v1.2 [19], in our scheme
there are two ways to maintain the key pair. One way is
to use TPM_Bind to bind the key pair and store it on the
TPA. Another solution is, as shown in algorithm 1, that
the decryption key (dk), which encrypted by the
symmetric key shared between the client and the TPA,
can be sent to the client and sent back to the TPA during
extracting the file.
Supporting dynamic data update: the scheme in [6]
has already supported dynamic data update with the
operation on the Merkle hash tree, so our scheme also has

2011 ACADEMY PUBLISHER

TPA: stores the users public key g ;

encodes/decodes, encrypts/decrypts the file,
computes the data blocks signature collection ,
and verifies the two equations during verification.
CSP: stores the signature Sigsk(H(R)), the
encoded F and the ; generates the verification
information and , and computes the i for
recovering the MHT.
It should be noted that we do not include the
workloads for generating the needed random numbers
and nonce of every entity in our scheme.
As described above, through a trusted channel between
the end-user and the TPA, the heavy works, such as
encoding (decoding), encryption (decryption) of the file,
can be moved to the TPA to be done, and the end-user
only need to generate keys and sign the root of the MHT.
So our scheme realized the goal: the storage space and
the computing ability needed for end-user during
verifying the data possession are as small as possible,
which is fit for the mobile computing device, such as
mobile phone and PDA, etc.

JOURNAL OF NETWORKS, VOL. 6, NO. 7, JULY 2011

By using the MHT idea, the data blocks signatures are

aggregated into the signature of the root of the MHT to
verify the data integrity with a minimum of storage space.
The root signature is put into the cloud server, which
realized the stateless verification. The MHT can also help
to implement the dynamic data update as described in [6].
V. CONCLUSIONS
When the resource-constrained mobile devices use the
cloud storage services deployed on traditional IP
networks, the end-users are most concerned about
whether the CSP stores their files correctly and dutifully.
On the basis of the existing researches on PDP and POR,
a secure storage scheme with public provable data
possession of the mobile devices in cloud computing is
proposed in this paper. Through the remote
authentification of the mobile end-user by using trusted
computing technology, a trusted third-party agent can
undertake most computing workload of the client in
traditional PDP, which makes our scheme be fit for the
mobile computing environment. Combined with MHT
and bilinear signature, improved the framework and
related algorithms from the existing PDP schemes, our
scheme realized public PDP with the support of dynamic
data update. The scheme is provable secure under the
random oracle model as proved in [6]. To the best of our
knowledge, our scheme is the first to explore the
application of PDP scheme in mobile computing
environment combined with the trusted computing.
Our future works include building a prototype system
to test the performance of our scheme and exploring the
application of other PDP framework applied in secure
storage services of mobile computing environment.

ACKNOWLEDGEMENT
The authors wish to thank those reviewers and editors
of this paper. This work is supported by the Science and
Technology Support Program of Science and Technology
Commission of Shanghai Municipality (No. 072712036),
the National Natural Science Foundation of China (No.
60803096), the Fundamental Research Funds for the
Central Universities and Dalian IT teachers project.

REFERENCES
[1] Deswarte, Y., J.-J. Quisquater, and A. Saidane. Remote
integrity checking. In Proc. of Conference on Integrity and
Internal Control in Information Systems. 2003.
[2] Filho, D.L.G. and P.S.L.M. Baretto. Demonstrating data
possession and uncheatable data transfer, In IACR ePrint
archive. 2006.
[3] Ateniese, G., et al., Provable data possession at untrusted
stores, in Proceedings of the 14th ACM conference on
Computer and communications security. 2007, ACM:
Alexandria, Virginia, USA. p. 598-609.
[4] Juels, A. and J. Burton S. Kaliski, Pors: proofs of
retrievability for large files, in Proceedings of the 14th ACM
conference on Computer and communications security. 2007,
ACM: Alexandria, Virginia, USA. p. 584-597.

2011 ACADEMY PUBLISHER

1039

[5] Shacham, H. and B. Waters, Compact Proofs of

Retrievability, in Proceedings of the 14th International
Conference on the Theory and Application of Cryptology and
Information Security: Advances in Cryptology. 2008,
Springer-Verlag: Melbourne, Australia. p. 90-107.
[6] Wang, Q., et al., Enabling Public Verifiability and Data
Dynamics for Storage Security in Cloud Computing, in
Computer Security ESORICS 2009, M. Backes and P. Ning,
Editors. 2009, Springer Berlin / Heidelberg. p. 355-370.
[7] Ateniese, G., S. Kamara, and J. Katz, Proofs of Storage
from Homomorphic Identification Protocols, in Advances in
Cryptology ASIACRYPT 2009, M. Matsui, Editor. 2009,
Springer Berlin / Heidelberg. p. 319-333.
[8] Chang, E.-C., and J. Xu, Remote Integrity Check with
Dishonest Storage Server, in Proceedings of the 13th
European Symposium on Research in Computer Security:
Computer Security. 2008, Springer-Verlag: Malaga, Spain. p.
223-237.
[9] Johnson, R., et al., Homomorphic Signature Schemes, in
Proceedings of the Cryptographer's Track at the RSA
Conference on Topics in Cryptology. 2002, Springer-Verlag. p.
244-262.
[10] Wang, C., et al., Privacy-preserving public auditing for
data storage security in cloud computing, in Proceedings of the
29th conference on Information communications. 2010, IEEE
Press: San Diego, California, USA. p. 525-533.
[11] C. Chris Erway, A.K., Charalampos Papamanthou,
Roberto Tamassia, Dynamic provable data possession, in
Proceedings of the 16th ACM conference on Computer and
communications security. 2009, ACM: Chicago, Illinois, USA.
p. 213-222.
[12] Mao, W.B. Talking About the Cloud Computing. 2009
2009-03-03;
Available
from:
http://blog.csdn.net/wenbomao/archive/2009/03/03/3952761.as
px and http://www.daoliproject. org.
[13] Murray, D.G., G. Milos, and S. Hand, Improving Xen
security through disaggregation, in Proceedings of the fourth
ACM SIGPLAN/SIGOPS international conference on Virtual
execution environments. 2008, ACM: Seattle, WA, USA. p.
151-160.
[14] Pearson, S., Y. Shen, and M. Mowbray, A Privacy
Manager for Cloud Computing, in Proceedings of the 1st
International Conference on Cloud Computing. 2009,
Springer-Verlag: Beijing, China. p. 90-106.
[15] Santos, N., K.P. Gummadi, and R. Rodrigues, Towards
trusted cloud computing, in Proceedings of the 2009
conference on Hot topics in cloud computing. 2009, USENIX
Association: San Diego, California. p. 3-3.
[16] Cao, T.J., Y.P. Zhang, and C.J. Wang, Secure Protocols.
2009, Beijing, China: BUPT Press. 2.
[17] Bowers, K.D., A. Juels, and A. Oprea, Proofs of
retrievability: theory and implementation, in Proceedings of
the 2009 ACM workshop on Cloud computing security. 2009,
ACM: Chicago, Illinois, USA. p. 43-54.
[18] Li, Y., M. Jian-Feng, and Z. Jian-Ming, Trusted and
anonymous authentication scheme for wireless networks.
Journal of China Institute of Communications, 2009. 30(9): p.
29-35.
[19] Group, T.C., TPM Main Specification Level 2 Version
1.2, Revision 103. 2007, TCG.

1040

Jian Yang is a lecturer of Dali

University in China. He was
responsible for teaching database
technology and E-commerce in
Faculty of Computer. He was born on
Dec in 1976. He received his master
degree of Engineering in Kunming
University of Science on May in 2005.
Now he is a PhD student in Tongji
University. He has published a dozen of papers on
computer magazines. His major research interests include
network security, trusted computing, cloud computing.
Mr. Yang is a student member of China Computer
Federation.

Haihang Wang is a professor and a

supervisor of Ph.D. student in Tongji
University at Shanghai. He was born on
Mar. in 1965 and received his Ph.D.
degree in Zhejiang University in 1994.
Now He is engaged in teaching
E-commerce and Project Management of
Information System. His research interests
include intelligent information system,
network security, E-commerce and supply chain management,
enterprise information technology, mechatronics and
automation, production and operations management. He has
already published 60 papers on international magazines and
conferences.

2011 ACADEMY PUBLISHER

JOURNAL OF NETWORKS, VOL. 6, NO. 7, JULY 2011

Jian Wang is a lecturer of Henan

University of Science and Technology in
China. She earned her master degree in
Huazhong University of Science &
Technology in 2005. Now she is a Ph.D.
student in Tongji University. Her research
interests include trusted computing and
network security.

Chengxiang Tan was born in 1965 and

earned his Ph.D. in North-west
Polytechnic University in 1994. He is a
professor and a supervisor of Ph.D student
in Tongji University at Shanghai. He is
engaged in teaching information security,
digital forensics and the theory of
information asurance. His major research
interests include Network and information
security, wireless and mobile services
security support, multi-network integration, and digital crime
investigation and forensic.

Dingguo Yu was born in 1976, now is

a PhD candidate of Tongji University,
China. He received BS degree in
mathematics in 1998 from Zhejiang
Normal University, China, and received
MS degree in computer application
technology in 2005 from Tongji
University. His current research interests
include network & information security
and mobile computing.