CRUPA: collusion resistant user revocable public auditing of shared data in cloud

Cloud repository is one of the most important services afforded by Cloud Computing where information is preserved, maintained, archived in distant servers and made available to the users over the Internet. Provided with the cloud repository facilities, customers can organize themselves as a cluster and distribute information with one another. In order to allow public integrity auditing on the information stored in semi-trusted cloud server, customers compute the signatures for every chunk of the shared information. When a malicious client is repudiated from the group, the chunks that were outsourced to the cloud server by this renounced customer need to be verified and re-signed by the customer present in the cluster (i.e., the straightforward approach) which results in huge transmission and reckoning cost for the customer. In order to minimize the burden of customers present in the cluster, in the existing scheme Panda, the semi-trusted Cloud Service Provider (CSP) is allowed to compute the Re−sign key. Further, the CSP audits and re-signs the revoked customer chunks by utilizing the Re−sign key. So, it is easy for the CSP by colluding with the revoked customer to find the secret keys of the existing customer. We introduce a novel Collusion Resistant User Revocable Public Auditing of Shared Data in Cloud (CRUPA) by making use of the concept of regression technique. In order to secure the secret keys of the existing customers from the CSP, we have allowed the information proprietor to compute the Re−sign key using the regression technique. Whenever the information proprietor revokes the customer from the cluster, the information proprietor computes the Re−sign key using the regression technique and sends to the CSP. Further, the CSP audits and re-signs the revoked customer chunks using the Re−sign key. The Re−sign key computed by the information proprietor using regression method is highly secure and the malicious CSP cannot find the private information of the customers in the cluster. Besides, our mechanism achieves significant improvement in the computation cost of the Re−sign key by information proprietor. Further, the proposed scheme is collusion resistant, supports effective and secure customer repudiation, multi-information proprietor batch auditing and is scalable.


Introduction
Cloud repository is one of the significant services provided by cloud computing [19]. It empowers the information possessor to deploy their information to the cloud server. Many distributed computing service suppliers have been developed, such as Google App Engine, Dropbox that satisfies the requirement for data repository and high performance computation. With information repository and sharing services, customers are permitted to update and distribute the information saved in the distributed server in any place and at any moment [7]. Yet, security of the information has become a severe issue and one of the worrying factors of the information security is the integrity of the deployed information in the distributed server. Even though the cloud repository suppliers accomplish a trustworthy and secure repository maintenance to the customers, the honesty of deployed information might be adulterated due to the negligence of people or disruption of the hardware/software [25]. Apart from inherent hazards, external attacker can further impair the integrity of the deployed information in the cloud. Hence, public integrity verification is required to assure the customers that the deployed information is precisely deployed in the cloud. Presently, optical networks [34,35] have been deployed all over the globe for efficient information communication.
Numerous mechanisms have been suggested based on miscellaneous procedures [17,42,43] that assure the integrity of deployed information in an untrustable cloud. In all these mechanisms, signatures on every chunk of shared information are estimated by the Information proprietor (IP) and he deploys the information and the equivalent signatures to the distributed server, that permits the IP and public examiner to examine the integrity of the information in the distributed server without fetching the complete deployed information. Still, a large number of the earlier mechanisms deal with the case of individual information, that implies the IP is the only modifier, who possesses the private key and can modify the information. Researchers are motivated to address the issue in cross domain areas such as Wireless Sensor Networks [28] and the Internet of Things [22].
Wang et al. [38] introduced Oruta, a public examining convention for distributed information in the cloud employing ring signatures. The scheme conserves identity privacy of the customers in the cluster from the public verifier at the time of verification. The limitation is that the mechanism does not bolster traceability and data freshness. Wang et al. [37] introduced Knox, based on cluster signatures that can conserve the identity secrecy of customers from the public verifier. The limitation of the Knox scheme is that the customers need to distribute their private value with the public verifier and customer repudiation is expensive.
Wang et al. [39] proposed public verifying mechanism to bolster effective customer repudiation utilizing intermediary re-signatures, that acknowledge the distributed server to transform the signatures estimated by the repudiated customer into signatures of the current customer within the cluster. The cloud knows in advance the resigning keys of any two customers in the cluster. This procedure leads to the following two severe security issues. Initially, a mischievous CSP may immediately transform signatures between two customers utilizing the re-signing keys. Further, conspiracy amidst the cloud and the repudiated customers might disclose the private keys of all the current customers in the cluster. The reckoning cost of verification increases with the size of the cluster.
Considering these two security problems of [39], we propose a novel Collusion Resistant User Revocable Public Auditing of Shared Data (CRUPA) mechanism. By using regression tools, we permit the IP to estimate the Re − sign key and transmit to the distributed server. As the Re − sign key is computed by the IP, it is not possible for the malicious cloud to trace out the secret parameters of the existing customers.
Motivation: In the exisiting scheme [39], the semitrusted CSP is allowed to figure out the Re − sign key by employing the secret keys of the existing customers in the cluster. Since the CSP knows the secret keys of the customers, it is very easy for the CSP to know and retrieve the sensitive data cached in the server. Moreover, when the revoked customer colludes with the CSP, they can further hack or misuse the information cached in the distributed server. Hence the existing scheme [39] is not secure and is not collusion resistant. Motivated to secure the Re − sign key from the semi-trusted CSP, in the proposed scheme, after revoking the malicious customer from the cluster the IP who is the head or manager of the respective cluster is allowed to compute the Re − sign key using regression method such that the key computed is highly secure. Then, the IP transmits the Re − sign key to the CSP and allows him to audit the revoked customer chunks and re-signs the chunks using the Re − sign key. Since the semi-trusted CSP receives the Re − sign key by the IP, it is not possible for the CSP to learn the private keys of the customers present in the cluster and the information stored in the server is highly secure. We have enhanced the existing system to multiple clusters with the respective information proprietors' scenario.
Contributions: In this paper we introduce Collusion Resistant User Revocable Public Auditing (CRUPA) of Shared Data scheme that reduces the computation cost of the Re − sign key using regression method by the IP that is highly secure and also supports multiple clusters with their respective IP. Specifically, our contributions are outlined as follows: Organisation: The rest of the paper is arranged as follows: Related works and Background work are discussed in "Related works" section. Several preliminaries are introduced in "Preliminaries" section. Problem definition, System model are discussed in "Problem statement" section. Mathematical Model using Regression Method, Security Analysis and Adversary Model are explained in "Mathematical model" section. Scheme details of Collusion Resistant User Revocable Public Auditing of Shared Data in Cloud (CRUPA) and the construction of Homomorphic Authenticable Proxy Re-signature Scheme (HAPS) using Regression Method are discussed in "The algorithm" section. In "Performance evaluation" section, Performance Evaluation results are analysed and "Conclusions" section contains the Conclusions.

Related works
Provable Data Possession [1], authorizes the auditor to publicly validate the integrity of information without fetching the whole information. Improving their earlier work for dynamic operations on data, Ateniese et al. [2] constructed another PDP scheme using symmetric keys. This scheme does not support public verification. Erway et al. [11] suggested dynamic verifiable information possession mechanism by using authorized lexicons. Zhu et al. [47] introduced a public verifying scheme that uses the chunk format to reduce the depository of signatures. The mechanism uses Index Hash Table (IHT) that empowers customers to perform effective operations. Tian et al. [32] introduced a non-repudiation dynamic verifiable information possession scheme. The scheme supports identity authentication and non-repudiation. The disadvantage of the mechanism is that it does not support batch auditing. Wu et al. [40] present a Non-Repudiable Provable Data Possession with Designated Verifier (DV − NRPDP) scheme. The scheme addresses the non-renunciation issue and resolves the controversy among the clients and distributed repository servers. The disadvantage of the scheme is that it has high reckoning cost of examining a proof.
Raghavendra et al. [23] have presented a reliable multiproprietor information distribution for effective association in the cloud. The advantage of the scheme is that the repository space is efficiently utilized and has reduced the time to query documents from the cloud. The drawback is that the convention does not bolster multi-media documents. Tian et al. [30] introduced a public verifying mechanism for secure cloud repository utilizing Dynamic Hash Table (DHT). The proposed mechanism supports dynamic data verification, privacy preservation and batch verification. Dynamic Hash Table (DHT) is used to archive the details of the data for verification and as a result it accomplishes prompt verification and effective data restoration. The limitation is that the scheme does not support different types of cloud data.
Luo et al. [20] have presented a public validation convention for the integrity of collaborative information with pervasive and conspiracy resistant customer repudiation. Polynomial based validation marks are generated that support secure and compelling public validation. The cumulative overhead of the examining scheme is comparatively small. Tian et al. [31] have introduced an extensive public verification mechanism for distributed information in cloud. The mechanism supports the customer's identity privacy, information privacy and identity trackability. The drawback of the mechanism is that it has larger communication cost.
Dong et al. [10] have achieved data confidentiality against the semi-trusted cloud. They designed a protected, adequate and flexible data co-ordinated scheme. The mechanism does not accomplish information consistency. Yaun and Yu [46] have designed an auditing mechanism for distributed data sharing utilities illustrated by multi-user alterations, public auditing, adequate user repudiation and pragmatic reckoning auditing performance. The mechanism overcomes customer impersonation assault. The limitation is that it does not realize dependability and error detection .
Geeta et al. [13] have performed extensive review on the latest methods in information auditing and security in cloud computing. Shen et al. [26] have suggested an effective public verification convention. The proposed convention supports batch verification, blockless verification and lazy update. The limitation of the scheme is that the transmission cost is more in verification phase. Zhu et al. [48] have presented a secure anti-conspiracy information sharing mechanism for dynamic clusters in the cloud. The repudiated customer cannot fetch the original document though he conspires with the CSP. The proposed mechanism bolsters guaranteed key allocation, fine-grained access control and safe customer repudiation. Li et al. [18] have presented a security model and a formal definition for Ciphertext Policy-Attribute-Based Encryption (CP − ABE) scheme with effective attribute repudiation. The proposed mechanism is secure against conspiracy attack launched by the prevailing customers and the renunciated customers. The limitation of the scheme is that it takes more time in the Setup phase.
Yang et al. [44] have designed a framework for public auditing for shared information in distributed repository supporting identity secrecy and trackability. The mechanism achieves data privacy by utilizing blind signature method. The limitation is that the mechanism incurs little overhead to accomplish the identity trackability. Hall et al. [14] have presented a protocol which achieves the cryptographic definition of security, when the only output are the regression coefficient estimates. The protocol guarantees the confidentiality of the input information. Homomorphic encryption is utilized in constructing the protocol for regression analysis. Chen et al. [8] introduced two conventions that can authorize protected and effective outsourcing of linear regression problems to the cloud. The conventions are efficient and also preserves the client's data confidentiality. The drawback of the mechanism is that it does not support to identify practical problems related to computation outsourcing to the cloud.
Verifiable data proprietorship mechanism [29] provides trustworthiness and individuality in an active, multi-user framework. By exploiting trustworthy hardware on the server, forking and rollback intrusions are discarded. The proposed design does not consider load stabilizing over various servers. Venugopal et al. [36] have proposed a number of soft computing techniques for security requirements. Jin et al. [16] have introduced the integrity auditing scheme that supports public verifiability, efficient data dynamics and fair disputes arbitration. Fair arbitration protocols are designed so that any possible dispute can be fairly settled. The scheme incurs reasonable overhead of data dynamics and dispute arbitration.
Dong et al. [9] have suggested a confidentiality preserving and secure data collaboration procedure in distributed computing. The convention does not leak any features of the clients to the cloud. The procedure is adequate and has low overhead. The mechanism is not executed on real cloud platform. A comprehensive analysis of miscellaneous data trustworthiness procedures for distributed computing has been carried out by Garg and Bawa [12]. They have examined that the maximum of the prevailing procedures concentrate on integrity checks to distinctive data depository strategy. Simulations are carried out on C++ platform [33].
Raghavendra et al. [24] have proposed an effective token creation method, that enhances immune and productive label construction phase. A systematic composition is refined to encode the ordered keywords for secure label construction. The method reduces the cost of the information proprietor. Xu et al. [41] have introduced multiauthorization proxy re-encoding method. The scheme greatly reduces the computation cost of the creation of key constituents and the termination of the customers retrieving authority. The algorithm needs prolonged computation duration Setup phase.
Hwang et al. [15] have outlined a group signature mechanism supporting the manageable connectivity. The convention supports reliability properties for e.g., confidentiality and connectivity. Privacy is not preserved by global linkability. Yu et al. [45] have suggested a distributed data integrity auditing with identity privacy-conserving convention for mobile cloud repository. The scheme affords anonymity to Third Party Auditor (TPA) and reliable label-updation. The mechanism incurs minimum reckoning, transmission and repository overhead.
Shen et al. [27] outlined a distant information integrity auditing mechanism that realizes information distribution with sensitive information hiding. Authors have utilized a sanitizer that is used to sanitize the sensitive information of the document. The mechanism supports information data sharing with sensitive information hiding. The limitation of the mechanism is that the computation cost of TPA in proof verification is more. Table 1 shows the comparison of recent existing schemes for Public Honesty Verification with Group Customer Repudiation.

Background work
Wang et al. [39], have suggested public auditing scheme for the integrity of shared information with adept customer repudiation. By exploiting the concept of agent re-signatures, the cloud is permitted to re-sign revoked customer chunks on behalf of current customers at the time of customer repudiation, to prevent current customers to retrieve and re-sign chunks by themselves. Further, the public examiner examines the integrity of the distributed information without retrieving the entire information from the cloud, though CSP re-signs few chunks of distributed information. The scheme also supports batch auditing. The limitation of the scheme is that it is does not preserve the privacy of the customers in  Shen et al. 2019 [27] Individuality-based integrity auditing and information sharing with sensitive information hiding for reliable cloud repository.
The computation costs of TPA and CSP is higher with the increase of challenged blocks.
Supports information sharing with sensitive information hiding.
Computation cost of TPA in proof verification is high.
Jin et al. 2018 [16] Dynamic and public auditing with fair negotiation for cloud information.
The scheme introduces additional overhead of data dynamics Supports public verifiability, efficient data dynamics and fair disputes arbitration.
Reasonable overhead of data dynamics and dispute arbitration.
Tian et al. 2017 [30] Public auditing mechanism for protected cloud repository based on Dynamic Hash the cluster and is not collusion resistant i.e., the revoked customer colludes with the cloud.

Preliminaries
This section discusses the foundations of our approach and are outlined below:

Bilinear map:
Consider two cyclic multiplicative groups G and G T of prime order p. e : G * G → G T is a bilinear map with the subsequent properties [6]: • Computability: An effective algorithm prevails for estimating map e.
Computational Diffie-Hellman (CDH) Problem: Given g, g a , g b ∈ G for unknown a, b ∈ Z p , to estimate g ab .

Homomorphic authenticators
Homomorphic authenticators [1], permit a public validator to examine the integrity of information distributed in the cloud server without fetching the complete information. The properties of homomorphic authenticable signature mechanism are as follows: Let the signer s public/secret key pair be (p i , s i ), ρ 1 is the signature on chunk b 1 ∈ Z p , and ρ 2 is the signature on chunk b 2 ∈ Z p .
• Blockless auditability: Given ρ 1 and ρ 2 , two arbitrary values β 1 , β 2 in Z p and a chunk b = β 1 b 1 +β 2 b 2 ∈ Z p , an auditor audits the accuracy of chunk b without the knowledge of b 1 and b 2 .
• Non-flexibility: Given b 1 and b 2 , ρ 1 and ρ 2 , two random values β 1 , β 2 in Z p and a chunk b = β 1 b 1 +β 2 b 2 ∈ Z p , a customer without secret key (s k ), is unable to produce a legitimate signature ρ on chunk b by joining ρ 1 and ρ 2 .
Blockless auditability permits an auditor to examine the integrity of information hosted on the distributed server by generating the linear aggregation of all the chunks via a challenge-and-response convention. Hence the verifier need not download the whole information from the cloud. Non-flexibility illustrates that alternative entities who do not possess appropriate secret keys are unable to create legitimate signatures on combination of chunks by using the signatures that they possess.

Proxy re-signatures
Proxy re-signatures [4] permit a semi-trusted intermediary to accomplish as an interpreter of signatures amidst two customers. Conventional proxy re-signature mechanisms [3,4], do not support blockless auditability, if we utilize these intermediary re-signature mechanisms in the public verification schemes, then the auditor has to retrieve the whole information to verify the integrity, that necessarily decreases the effectiveness of verification. Hence, we utilize Homomorphic Authenticable Proxy Re-signature (HAPS) [39] mechanism, that satisfies blockless auditability and non-flexibility. In our paper, after repudiating malicious customer, the IP of respective clusters computes the Re − sign key and transmits it to the CSP. After acquiring the Re − sign key, the CSP checks the integrity of the revoked customer chunks and signs these chunks utilizing the Re − sign key sent by the IP.

Regression co-efficient
Regression co-efficient is an estimation of an independent variable in terms of the other. If p k and s k are co-related, the best fitting straight line in the least square sense gives a reasonably good relation between public key p k and secret key s k . Similarly, in our scenario, the regression coefficient secures the public key p k and secret key s k of the Re − sign key.

Problem definition
Given a cloud storage model consisting of CSP, TPA and multiple clusters with their respective Information Proprietor's, the main objectives are: (i) Secure Re − sign key generation: The IP, manager of the respective clusters is allowed to compute the Re − sign key securely using the regression method. (ii) Effective and secure customer repudiation: Once a malicious customer is repudiated from the cluster by the IP, the chunks signed by the repudiated customer can be effectively re-signed. On behalf of the existing customers, the CSP efficiently and securely audits and re-signs the repudiated customer chunks using the Re − sign key sent by the IP and the repudiated customer can no longer estimate the valid signatures on the shared information.

Assumptions
(i) CSP is a semi-trusted entity.
(ii) Private channels (e.g., SSL) exist between each pair of entities.

System model
As demonstrated in Fig. 1, the system framework comprises of three objects: the Cloud Service Provider (CSP), the TPA and multiple clusters with respective IP. The CSP provides information repository and distribution services to the customers. The TPA aims to audit the integrity of distributed information via challenge-and-response convention with the CSP. Each cluster consists of an IP and various customers in the cluster. The IP is the head or manager of the cluster (group of customers). The IP generates the private keys and public keys for all the customers in the cluster (See Function 1: GenerateKey). The IP also creates the Customer List (CL). The IP of the respective cluster generates and distributes information with other customers in the cluster through the cloud. Both the IP and customers in the cluster can retrieve and update the distributed information. The distributed information is divided into range of chunks. A customer in a cluster modifies a chunk by carrying out an insert, delete and update operations on the chunk. Considering that the CSP is a semi-trusted party, it obeys the rules and does not corrupt the integrity of the information passionately as a mischievous attacker. However, it might also deceive the auditor regarding the inaccuracy of the distributed information so that the prominance of its information services is retained. Normally, the inaccuracy of shared information might be due to hardware/software breakdown or human misinterpretation. Because of these aspects, the customers do not totally rely on the cloud with the integrity of distributed information.
The integrity of the distributed information is preserved by appending a signature to every chunk of the shared information, that is estimated by anyone of the customer's present in the cluster. Particularly, when the IP originally generates the shared information in the cloud, the total signatures on the shared data are estimated by the IP. Hereafter, when a customer changes a chunk, this customer additionally requires to sign the revised chunk with his secret key. By distributing the data amidst the cluster of customers, distinct chunks may be signed by various customers due to modifications by distinct customers.
While the customer in the cluster leaves or misconducts, the cluster has to remove this customer. Usually, as the originator of the shared information, the IP acts as the cluster manager and he has an authority to repudiate the customer from the cluster. When a customer is removed, the signatures computed by this eliminated customer become insignificant to the cluster, and the chunks signed by this renunciated client ought to be re-signed by the prevailing user's secret key, so that the accuracy of the complete distributed information is validated with the public keys of the current customers.

Mathematical model
Computation of re-sign key (τ Re−key ) by the information proprietor using regression method: In the existing scheme [39], the authors have allowed the semi-trusted CSP to estimate the Re − key utilizing the secret keys of the existing customers in the cluster. Thus, it is very easy for the CSP to know and access the sensitive data cached in the server. Moreover, when the revoked customer colludes with the CSP, they can further hack or misuse the information cached in the cloud server. Hence, the existing scheme [39] is not secure and is not collusion resistant.
In the proposed scheme, we have not allowed the semitrusted CSP to compute the Re − sign key. In order to secure the secret keys of the existing customers, we have allowed the IP of the respective clusters to compute the Re − sign key (τ Re−key ) using the regression method. When a customer is repudiated from the cluster, the IP of the respective cluster computes the Re − sign key and transmits to the CSP. The CSP receives the Re − sign key, verifies and re-signs the revoked customer chunks with the Re − sign key sent by the IP.
The Information Proprietor (IP) uses secret key τ i and public key (pk j ) of customers c i and c j respectively. The identities of customers c i and c j are id i and id j respectively where (i,j) ∈ [1,c]. H is a hash function with H: {0,1} * → G 1 . The computation of Re − sign key using regression technique is as follows: In order to secure secret key and public key, the IP substitutes τ i and pk j , along with hash of id of i th customer and id of j th customer in the variables a 1 and a 2 respectively. a 1 =(H(id i ))τ i ; a 2 =(H(id j )pk j By using a 1 and a 2 compute X 1 , Y 1 and Z 1 : X 1 = 2(a 1 ) a 2 ; Y 1 = 2(X 1 ) a 2 ; Z 1 = X 1 -Y 1 The following steps shows the computation of Re − sign key (τ Re−key ) using the Regression method: X 2 = 2(Y 1 ) a 2 ; Y 2 = 2(X 1 ) a 2 ; Z 2 = X 2 -Y 2 S(X) = X 1 +X 2 ; S(Y) = Y 1 +Y 2 ; S=Z 1 +Z 2 mX=SX/2; mY=SY/2; mZ=SZ/2 SX 2 = (X 1 ) 2 +(X 2 ) 2 ; SY 2 = (Y 1 ) 2 +(Y 2 ) 2 ; SZ=(Z 1 ) 2 +(Z 2 ) 2 δX 2 = S(X 2 /Z)-(mX) 2 where =δ(X 2 )+δ(Y 2 )+δ(Z 2 ). The 1 Re − sign key (τ Re−key ) computed consists of secret key and public key implicitly and the key is highly secure where it is difficult for the semi-trusted CSP or the revoked customer to break the key and know the secret keys of the existing customers in the clusters.

Theorem 1
The CSP by colluding with the revoked customer, will not be able to find the secret keys of the existing customers from the Re − sign key.
Proof In the proposed scheme, the IP is the manager of the cluster. The IP generates the secret keys and the public keys of all the customers present in the cluster [See Function 1: GenerateKey]. In order to secure the secret key (τ i ) and public key (pk j ), the IP substitutes τ i and pk j , along with hash of id of i th customer and id of j th customer in the variables a 1 and a 2 respectively [See "Mathematical model" section]. Further in the regression technique, a 1 and a 2 are substituted in X 1 and Y 1 . This procedure continues, and the final 1 Re − sign (τ Re−key ) Eq. 1, consists of secret key and public key implicitly and the Re − sign key computed is highly secure and the CSP will not be able to break this key. The steps in the computation of Re − sign key using the regression technique proves that the regression technique tightly secures the secret key and the public key and hence it is impossible for the adversary by colluding with the CSP to find the secret key and public key of the customers present in the cluster.
Let us assume that the revoked customer (malicious customer) colludes with the mischievous CSP. Now the CSP is possessing the Re−sign key sent by the IP. The CSP and the malicious customer tries to break the Re − sign key and know the secret keys of the existing customers in the cluster. If they succeed then CSP and malicious customer would have achieved their goal of possessing the secret key. But, it is not possible for both CSP and the revoked customer to break the Re − sign key and extract the secret key as the 1 Re − sign key is computed by the IP using regression technique which is a powerful tool that efficiently secures the secret key and does not allow any adversary by colluding with the CSP to find the secret key from the Re − sign key. Figure 2 shows the adversary model. The model consists of three entities: Cluster of customers with their respective IP, Cloud Service Provider (CSP) and Third Party Auditor (TPA). The IP, manager of the cluster monitors all the activities of the customers prevailing in the cluster. From Fig. 2, it is observed that if any one of the customer present in the cluster performs unwanted activity i.e., the malicious customer tries to retrieve the sensitive information or tries to hack the data, these activities are traced out by the IP. The IP immediately retrieves his credentials and revokes the malicious customer from the cluster. Further, the IP computes the Re−sign key using the regression technique and sends to the CSP. After receiving the Re−sign key, the CSP audits and re-signs the revoked customer chunks using the Re − sign key. Next, the revoked customer might collude with the CSP [See Fig. 2], and tries to find the secret keys of the customers present in the cluster. Since, the Re − sign key is computed by the IP using regression technique, it is not possible by the CSP or the revoked customer to break the Re − sign key and find the secret keys of the customers. Hence the proposed scheme preserves the privacy of the customers and is collusion resistant.

Adversary model
In the existing scheme [39], the semi-trusted CSP is permitted to compute the Re − sign key. So, the mischievous CSP colludes with the revoked customer and tries to attack or hack the sensitive information cached in the cloud server. Hence, the existing scheme does not preserve the privacy of the customers and is not collusion resistant.
The semi-trusted CSP is permitted to compute the Re − sign key. So, it is easy for the CSP by colluding with the revoked customer to find the secret keys of the existing customer and they (CSP and revoked customer) can access the information cached in the cloud server. Hence the existing scheme is not collusion resistant.

System setup
Let G 1 , G 2 and G T be multiplicative groups of prime order p, g be a generator of G 2 , e: G 1 * G 2 → G T be a bilinear map. H(·) is a secure map-to-point hash function:({0, 1} k → G 1 ) that map strings consistently to G 1 . Another hash function h(·): G 1 →Z p maps group element of G 1 evenly to Z p . The overall number of chunks in the distributed information is n and the distributed information is represented as S =(b 1 , b 2 , .....b n ). The total number of customers in the cluster is c.
The Algorithm 2, CRUPA (Collusion Resistant User Revocable Public Auditing of Shared Data in Cloud) consists of two phases: Phase I: Secure Re-signing of Revoked Customer Blocks by CSP.
Phase II: Secure Multi-Information Proprietor Cluster Auditing for Shared Information by the Third Party Auditor.

PhaseI: secure re-signing of revoked customer blocks by CSP
The Function 1: GenerateKey illustrates the generation of secret and public key parameters of the system. There are D Information Proprietors (IP s) of the respective clusters in the system, and each Information Proprietor d has a document F d =(b d,1 , ......b d,n ) , φ) to the CSP, where φ={ρ k,i } 1 ≤ i ≤ n . Now the existing customers of all the clusters retrieve their respective chunks, perform modifications, sign with their secret key (τ ) and upload to the server as described in the function SignatureGen [See Algorithm 2, PhaseI, Part I]. IP is an authorized person and keeps track of all the customers activities in his cluster. During this process, when anyone of the existing customer is found malicious or the term of his/her membership is expired, then the IP has the right to revoke this customer and withdraw all his credentials.
When a customer is repudiated, the signatures computed by this eliminated client are insignificant to the group, and the chunks that were formerly signed by this repudiated customer should be verified for integrity and re-signed. In the proposed scheme, the IP revokes the malicious customer from the cluster, computes the 1 Re − sign key (τ Re−key ) utilizing the regression method as in Eq. 1, and transmits it to the CSP. After obtaining the Re − sign key (τ Re−key ) the CSP checks the integrity of the revoked customer chunks and re-signs with the τ Re−key as illustrated in the function Resignature [See Algorithm 2, Phase I, Part II]. The proposed scheme is highly secure, i.e., it is very difficult for the semi-trusted CSP to retrieve the secret keys of the existing customers from the Re−sign key (τ Re−key ). By colluding with the revoked customer, the CSP cannot find the secret keys of the existing customers' as the 1 Re−sign key is computed by the IP. Hence, the proposed scheme is collusion resistant, and provides secure integrity auditing of the revoked customer chunks by the CSP.

PhaseII: secure multi-information proprietor cluster auditing for shared information by the third party auditor.
In the proposed system model, the IP s of respective clusters create the auditing request and sends to the TPA.
The public verifier executes ClusterVerify [See Algorithm 2, PhaseII, Part III], and validates the accuracy of proof of storage acknowledged by the cloud. The public verifier efficiently performs multi-information proprietor auditing and sends the auditing proof to the respective IP. The multi-information proprietor auditing considerably decreases the transmission cost of the server and the (2020) 9:47 Page 10 of 18 Function 1: GenerateKey Function: Generates the system public and secret parameters. Input: c, d 1 , global parameter (g, d∈(1,....D) information proprietors of their respective clusters in the system. 2 Choose random elements τ ∈ Z p , J∈ G 1 3 Compute v=g τ and w=J τ 4 For a particular information proprietor d, the secret key, sk=τ d ∈ Z p 5 Corresponding public parameters are (v d , w d , g d , Respective information proprietor of each cluster generates the public and secret parameters for existing customers as: 7 Start: 8 for each i upto c. 9 Generate random number τ i from Z p * .
10 Compute Public key pk i =g τ i . 11 Assign Private key sk i = τ i . 12 End. 13 d 1 of respective clusters creates CL. 14 CL is public and signed by d 1 .
computation cost of the public verifier. For the public verifier's challenge request, Challenge= {(i, ξ i )} i ∈ E , the CSP utilizes the bilinear aggregate signature [5], and sends one group element ρ instead of {ρ d } 1 ≤ d ≤ D . Thus, the communication cost on the server side has been greatly reduced. At the same time, combining D auditing equations into one helps to decrease the number of expensive pairing operations from 2D, as individual verification requires D + 1 pairing operations. Hence, reasonable amount of verification time of public verifier is saved.

Construction of homomorphic authenticable proxy re-signature scheme (HAPS) using regression method
In the existing scheme, Wang et al. [39], proposed Homomorphic Authenticable Proxy Resignature (HAPS) mechanism. This scheme has five functions: KeyGen, Re − key, Sign, Re − sign and Verify. In the function Re − key of the HAPS mechanism, they have used the Re − key computed by the CSP [39]. They have allowed the semi-trusted CSP to estimate the Re − key employing the secret keys of the existing customers in the cluster. Thus the semitrusted CSP, who has the knowledge of the secret keys of the existing customers can have access to the information cached in the cloud server. Further, the CSP may collude with the repudiated customer and perform mischievous activity on the data. Hence, the limitation of the scheme is that it is not collusion resistant ie., CSP and the repudiated customer can find the secret keys of the existing customers.
In our paper, we have used Homomorphic Authenticable Proxy Resignature (HAPS) [39] mechanism. This scheme has five functions: KeyGen, Re−key, Sign, Re−sign and Verify. In the function Re − key [See Algorithm 1], we have used the Re − sign key (τ Re−key ) computed by the IP in Eq. 1. The Homomorphic Authenticable Proxy Resignature scheme using regression method does not allow the semi-trusted CSP to compute the Re − sign key. Whereas the IP is allowed to estimate the Re − sign key (τ Re−key ) as illustrated in Eq. 1, utilizing the regression method and then it sends to the CSP. Since the Re − sign Algorithm 1: Homomorphic Authenticable Proxy Re-signature Scheme (HAPS) using Regression method 1 Let G 1 , G 2 be two groups of order p, g be a generator of G 1 , e : G 1 *G 1 → G 2 be a bilinear map, w be another generator of G 1 . The global parameters are (e, p, G 1 , G 2 , g, w, H) where H is a hash function with H:(0,1) * → G 1 . Input: τ i . b k ∈ Z p and id k where k ∈ [1,n], w, and τ Re−key Output: ρ k , ρ k (τ Re−key ) 2 KeyGen: 3 Customer c i selects random number τ i from Z p * 4 Assigns Private key sk i = τ i 5 Computes Public key pk i =g τ i 6 Re-key: 7 IP computes the Re − sign key (τ Re−key ) using regression method [eq. no.1] (τ Re−key )=2[( +4)/(2 sigX 2 sigY 2 + 4) ] 8 Sign: 9 Existing customer c i generates the signature (ρ k ) on block b k as: 10 ρ k =(H(id k ) w b k ) τ i 11 Re-sign: 12 CSP (Proxy) verifies the integrity and re-signs the revoked customer chunks as: 13 The CSP (proxy) first verifies that e(ρ k , g)= ((H(id k )w b k ), pk e ). 14 If the auditing result is 0, the agent outputs ⊥ 15 Otherwise, the IP computes Re − sign key (τ Re−key ) using regression method and sends to the CSP (proxy) to re-sign the revoked customer chunks. 16 CSP (proxy) re-signs the revoked customer chunks as ρ k Existing customers c i in every cluster generates the signature (ρ k ) on block b k as: 10 end for 11 Part II: ReSignature 12 CSP verifies the integrity and re-signs the revoked customer blocks as: 13 The CSP first verifies that e(ρ k , g) , pk e ). 14 If the auditing result is 0, the CSP outputs ⊥ 15 else IP computes Re − sign key τ Re−key using regression method and sends to the CSP to re-sign the revoked customer block. 16 CSP re-signs the revoked customer blocks  27 If the output is 1, the TPA considers that the sincerity of total chunks in shared information S is appropriate, else the TPA outputs 0.
key (τ Re−key ) is estimated by the IP, it is not possible for the CSP to find the secret keys of the existing customers. Hence the proposed scheme satisfies blockless verifiability, non-flexibility and is also collusion resistant i.e., the semi-trusted CSP cannot collude with the revoked customer. Table 2 presents the Summary of the Notations used in the Algorithm 2.

Performance evaluation
To evaluate our proposed mechanism, a prototype system is implemented utilizing Java with Java Pairing-Based Cryptography Library (jPBC) [21] and the experiments are conducted on a PC with windows 7, Intel(R) Core(TM) i5-5200U, CPU @2.20GHz, 8GB RAM. In the following experiments, we assume the size of element in G 1 or Z p is | p |=160 bits. The size of an element of Z q is | q |=80 bits. The size of each chunk is 4KB. Communication Cost: The proposed mechanism is a secure and efficient customer revocation mechanism. The existing customers in every cluster are relieved from the burden of verifying the revoked customer chunk and hence the communication cost of all the existing customers in every cluster is reduced. While performing auditing, the TPA retrieves only the combination of all the chunks (Challenge) instead of the complete information, therefore the communication cost of the TPA is saved. The size of the verification message is where c is the number of current customers in each cluster, e is the number of challenged chunks, the size of an element in G 1 is | p| and the size of a chunk identifier is |id| . The overall transmission cost of a verifying task is d(2c.|p| + e.(|id|+|n|+|q|)) bits where d is the number of information proprietors, |n| is the size of element of set [1,n]. Computation Cost: The computation cost of an individual signature of a chunk is about 2Exp G 1 + Hash G 1 +Mul G 1 . As illustrated in the Re − Signature function [See Algorithm 2, Phase 1, Part II] of the proposed scheme, the CSP initially checks the accuracy of the initial signature on a chunk and a fresh signature is estimated on the same chunk using Re − sign key. The computation cost of the CSP to re-sign a chunk is MulG 1 +HashG 1 +2Exp G 1 +2Pair. The proof of storage response generated by the CSP consists of the aggregated signatures and linear combination of sampled chunks. After receiving the proof of storage from the CSP, the computation cost for verification by an auditor is e-MulExp 1 G (|ξ i |)+Hash e G +Mul 2 G +Exp 2 G (|p|)+Pair 2 G,G The time taken by the IP to estimate the Re − sign key (τ Re−key ) is as shown in Fig. 3. The computation time is independent of the size of the cluster. The IP takes the keys from two existing customers and computes the Re − sign key (τ Re−key ) [Eq. 1]. Hence the time cost remains the same throughout. In comparison to the Panda scheme, the computation cost is reduced as we have allowed IP of the respective clusters to compute the Re − sign key and send to the CSP. But in the Panda mechanism, the CSP estimates the Re − key and re-signs the revoked user blocks, hence the computation cost increases.
The performance comparison between CRUPA and Panda schemes during customer revocation is shown in Fig. 4. In the proposed mechanism, the CSP securely and efficiently re-signs the respective cluster s revoked customer chunks and also saves the prevailing customer s reckoning and correspondence resources. As depicted in Fig. 4 the CSP in CRUPA re-signs 500 chunks in 11 s while CSP in Panda takes 15 s, nearly 30 percent improvement.
The IP computes and delivers the Re − sign key (τ Re−key ) to the CSP. The time taken by the CSP to re-sign the revoked user chunks in CRUPA is less as compared to the Panda scheme [see Fig. 5.]. In Panda scheme, the CSP computes the Re − key as well as re-signs the revoked customer chunks. But in our scheme, CSP s computation cost is completely reduced as CSP receives the Re − sign key (τ Re−key ) by the IP and only re-signs the revoked customer chunks. Hence our mechanism is secure and effective.
The system model that we have proposed consists of multiple clusters with their respective IP. Figure 6 shows the batch auditing for single cluster and multiple clusters compared with the existing schemes. When TPA receives individual customer's auditing requests, the average auditing time taken by the TPA is more i.e., 290ms [27] [see Fig. 6]. By allowing the TPA to carry out the verification for cluster of customers auditing requests simultaneously i.e., single cluster auditing, then the average auditing time taken by the TPA in CRUPA is less (269ms) compared to Panda scheme [39] (272ms). In CRUPA, the TPA's average auditing time cost is slightly more for multi-information proprietor cluster auditing. Considering the TPA generates the different number of challenged information chunks, we respectively show the computation cost of the TPA and that of the CSP in integrity auditing phase in Figs. 7, 8 and 9. The computation overhead of the TPA during proof verification is as shown in Fig. 7. The computation overhead of TPA during proof verification in Shen scheme [27] ie., for individual customers proof of possession sent by CSP to TPA varies from 0.3s to 12.5s while in CRUPA (single batch), it varies from 0.1s to 5.97s and for multiple batch, it varies from 0.19s to 7.67s. TPA takes more time to provide the verification proof for the individual customers proof of possession sent by the CSP. When multiple cluster dataowners sends auditing requests, the TPA randomly chooses a set of chunks i.e., generates challenge set and sends it to the CSP. Now, the CSP sends a single proof of possession for the received challenge set to the TPA. Hence, the time  taken by the TPA to verify the proof in batch auditing (single and multiple clusters) is less compared to individual auditing. Compared with the time of proof verification, the time of challenge generation increases slowly [see Fig. 8], just varying from 0.013s to 0.546s in [27] while in CRUPA (multiple clusters) it varies form 0.011s to 0.32s and for single cluster it varies from 0.001s to 0.15s. The time of challenge generation by the TPA in CRUPA is less compared to Shen scheme [27] Figure 9 shows the computation cost of CSP during proof generation. The computation cost of CSP is more in Shen scheme [27], as CSP provides proof for the individual customer's challenged chunks. In the proposed scheme, TPA performs batch auditing. The TPA sends the challenge set for single batch or multiple batch auditing to the CSP. Now, the CSP provides proof of possession of the challenged blocks present in the challenge set i.e., the CSP takes less time to provide proof of possession for batch auditing as compared to the individual auditing.
The processing time for different block numbers [see Fig. 10] in the Setup phase [30] is more compared to the CRUPA scheme. In the Setup phase of DHT − PA scheme, the CSP computes the tag for each uploaded blocks (i.e., TagGeneration phase) that includes the communication cost and computation cost while in CRUPA, the IP performs processing of all the blocks. Thus, the

Conclusions
In this paper, we have introduced a Collusion Resistant User Revocable Public Auditing (CRUPA) of distributed information in the cloud. The IP of the respective revoked customer cluster computes the Re − sign key (τ Re−key ) using regression method and transmits it to the cloud server. The computation cost of Re − sign key (τ Re−key ) using regression method by the IP has been significantly reduced. The algorithm supports effective and secure customer repudiation. Once the IP of the respective clusters revokes the customer, the CSP verifies the revoked customer chunks and securely re-signs with the Re − sign key (τ Re−key ) that allows the proposed scheme to be collusion resistant. Further, the algorithm supports multi-information proprietor batch auditing. The TPA in CRUPA takes less time to perform single batch auditing compared to the existing scheme. The proposed scheme is scalable as cloud information is effectively distributed among the existing customers of multiple clusters. Extensive experimental results demonstrate the efficiency and effectiveness of Collusion Resistant User Revocable Public Auditing (CRUPA) scheme. The processing time taken by the IP in the Setup phase is low. The computation cost of TPA and CSP is low in the integrity auditing phase. The limitation of the mechanism is that it has a slightly more auditing cost for multi-information proprietor batch auditing.

Footnote
The 1 Re − sign key computed by the information proprietor using the regression technique mentioned in this paper must be considered as an indication. Since, the Re − sign key is computed by the IP using regression technique, it is not possible by the CSP by colluding with the revoked customer to break the Re − sign key and find the secret keys of the customers. Hence the proposed scheme preserves the privacy of the customers and is collusion resistant. Further, the proposed scheme supports effective and secure customer repudiation, multi-information proprietor batch auditing and is scalable.