A threshold hybrid encryption method for integrity audit without trusted center

Cloud storage with sharing services is increasingly popular among data owners. However, it is difficult for users to know whether the cloud service providers (CSPs) actually protect their data. To verify data integrity and preserve data and key privacy within a group, this paper proposes a new threshold hybrid encryption method for integrity auditing without a trusted center. The proposed method is built on the Advanced Encryption Standard (AES) and Elliptic Curve Cryptography (ECC) combined with Shamir secret sharing. In this way, the key can be distributed and managed without a trusted center, preserving the privacy of the AES key and of the users' private keys. In addition, we design and implement a novel integrity auditing and re-signature method that verifies data integrity and resolves the collusion problem between the cloud and revoked users. Security analysis and performance evaluation demonstrate that the proposed scheme achieves correctness, security, and efficiency with low communication and computation cost.


Introduction
With the emergence and widespread application of information technology in artificial intelligence (AI), the Internet of things (IoT), and the mobile internet [1,2], data has grown explosively, especially in industrial Internet of things (IIoT) applications [3]. Facing the burden of data storage, an increasing number of individuals and organizations have chosen to store their data in the cloud, which accelerates the rapid development of cloud storage in cloud computing [4,5]. On the upside, cloud storage saves local space and frees a lot of local computing power; on the downside, data outsourced to the cloud may face many risks, including but not limited to data loss, privacy leakage, and security attacks [6,7].
In fact, outsourced data are not controlled by the user. To save storage space, the cloud may remove rarely used or highly repeated data, which breaks the integrity of the user's data in the cloud. It is impossible for most users, with limited auditing power, to know whether their data in the cloud are still complete. To solve the problem, the user can entrust a third party to audit the integrity of his/her data by checking the accuracy, validity, and consistency of the data and pinpointing the incomplete or missing entries in the data storage. Integrity auditing is particularly important for group users of cloud storage with sharing services, as any misbehaving user in the group may endanger the data security of the other group members. After all, users in the same group can share data with each other, and access and modify the shared data [8][9][10].
*Correspondence: bcwang79@aliyun.com. 1 State Key Laboratory of Integrated Service Networks, Xidian University, Taibai South Road, Xi'an, China. 2 School of Information Engineering, Xuchang University, Bayi Road, Xuchang, China. Full list of author information is available at the end of the article.
Integrity auditing mechanisms [11][12][13] have been proposed continuously. Verifying the integrity of shared data in a group based on public key infrastructure (PKI) faces severe security risks and a high computation cost [14,15]; most of these schemes do not preserve data privacy in the cloud environment and do not address safe management of the key. What is worse, previous studies have concentrated on data security and data integrity in the cloud, failing to tackle data security during upload or download, when the data are easily stolen by hacking attacks. To mitigate the risk and protect privacy, both the data and the key should be encrypted. Therefore, it is important to develop an efficient and secure encryption scheme that preserves data and key privacy and supports integrity auditing of data shared between multiple parties. Data shared by multiple parties can be applied in various applications, especially in collaborative scenarios. For instance, deep learning has provided an effective solution to collaborative learning and parallel computing in federated learning. However, many deep learning schemes cannot preserve privacy due to the lack of cryptographic tools [16]. The few schemes [17,18] that combine encryption techniques fail to tackle collusion between the CSP and users.
To address the aforementioned challenge, this paper designs an integrity auditing method based on a threshold hybrid encryption method without a trusted center, which supports public auditing of data integrity with Shamir secret sharing. The main contributions of this paper are as follows: (1) We introduce a novel threshold hybrid encryption scheme in which the user data are encrypted by the Advanced Encryption Standard (AES) and the AES key seed is encrypted by Elliptic Curve Cryptography (ECC), improving encryption efficiency and protecting data and key privacy. (2) We adopt Shamir secret sharing with multiple managers in the group to generate and distribute the secret without a trusted center, which facilitates the distribution and management of the keys. In this way, the multi-manager scenario is transformed into a multi-proxy scenario, which reduces the probability of malicious managers and makes the entire mechanism reliable and secure. (3) Our method supports public auditing with a trusted third-party auditor (TPA) and re-signature of revoked users' data by the cloud with the help of a manager. Security analysis and performance evaluation indicate that our method achieves validity and security, verifies the encryption effectiveness, shortens the re-signature time, and reduces the communication and computation cost.

Literature review
Much research has been done on auditing data integrity, both at home and abroad. For instance, Ateniese et al. [19] proposed a public auditing protocol for static data integrity under the challenge-proof-verify mechanism, eliminating the need to retrieve the entire data. To support dynamic data, Ateniese et al. [20] designed a scalable public auditing strategy based on symmetric encryption. However, this strategy can only respond to a limited number of auditing requests, failing to fully support the integrity auditing of dynamic data. Neither of the above two schemes considers data privacy. Wang et al. [21] introduced a TPA to realize privacy-preserving integrity auditing of dynamic data in the cloud.
To ensure secure data sharing among users, Guo et al. [22] presented a key-aggregate authentication cryptosystem to share dynamic data in the cloud. Shen et al. [23] proposed an identity-based data integrity auditing scheme for shared data that does not expose sensitive information. Chi et al. [24] designed a novel cloud storage encryption scheme that allows the CSP to protect user privacy with convincing fake secrets. Yu et al. [25] came up with a paradigm named strong key-exposure resilient auditing for secure cloud storage.
Harn [26] developed a threshold signature mechanism that enables the group members to produce the public and private keys of the group; however, it cannot resist the collusion attack. Wang [27] put forward the identity-based distributed provable data possession (ID-DPDP) scheme, which achieves public auditing of data stored in multiple clouds. Since then, the threshold signature has attracted a lot of attention in research on data integrity auditing [28,29].
Recent years have seen threshold encryption schemes that encrypt data with encryption rights dispersed by secret sharing [30]. The existing threshold encryption schemes [31,32] rely on a trusted center to produce and distribute the secret shares of all managers; the trusted center is an authoritative member of the system and can recover the secret without the aid of other members. Nonetheless, the trusted center might lead to authority deception and nullify the meaning of the secret [33]. To solve the problem, Jie et al. [34] presented a threshold encryption method without a trusted center, which encrypts and decrypts private data through the collaboration of multiple players. Nevertheless, Jie's method, relying solely on the ECC, cannot efficiently encrypt a large amount of data and does not apply to the cloud environment. Based on the TPA and the AES, Shimbre et al. [35] proposed an enhanced distributed data storage security scheme for cloud computing using file distribution and the SHA-1 technique; however, it does not consider signature and key security. Based on the state of the art, we compare common functions of auditing schemes in Table 1. These schemes are named according to the literature name or using the original naming method.
In machine learning, Sangaiah et al. [37] proposed a method for preserving position confidentiality using machine learning techniques by merging decision trees and k-nearest neighbor. Meanwhile, Sangaiah et al. [38] presented an energy-aware green adversary model for use in the smart industrial environment, achieving position and information confidentiality in cyber-physical security. Both of the above schemes protect position or information confidentiality well with non-cryptographic mechanisms. For privacy-preserving multi-user collaborative deep learning, Phong et al. [17] presented a privacy-preserving deep learning model via additively homomorphic encryption in federated learning. However, the model remains weak against collusion of the server and trainers. Subsequently, Phong et al. [18] proposed a privacy-preserving deep learning model via weight transmission, which protects the input privacy of each participant through symmetric encryption, without considering collusion and key security.
To solve the problem of data and key privacy, resist hacking and collusion attacks, and ensure signature security, this paper proposes a threshold hybrid encryption method for integrity auditing without a trusted center. The method employs the AES and the ECC to improve encryption efficiency and protect data and key privacy. To manage and distribute the keys, we use Shamir secret sharing with multiple managers in a group. Using a challenge-response game between the TPA and the CSP together with a re-signature mechanism, we realize integrity auditing and dynamic data update with low communication and computation cost. The method is a universal encryption construction for cloud storage with sharing services and for collaborative deep learning, which promotes data sharing in the group and enhances encryption efficiency and key security.

Organization
The remainder of this paper is organized as follows: the "Preliminaries" section introduces some preliminaries; the "System model and threat model" section establishes the system model and threat model; the "Construction of the scheme" section details the construction of our method; the "Correctness and security analysis" section analyzes the correctness and security of our method; performance is evaluated in the "Performance analysis" section; the "Conclusions" section wraps up this paper.

Preliminaries
The main notations used in the description of our scheme are shown in Table 2.

Bilinear pairing and discrete logarithm (DL) problem
Bilinear pairing is widely employed in cryptography and is currently used in data auditing. The definitions are given below.
Definition 1 (Bilinear pairing) Let $G_1$ and $G_2$ be two multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of $G_1$. A bilinear pairing $e: G_1 \times G_1 \to G_2$ is a map satisfying the three properties below:
Definition 2 (Discrete logarithm (DL) problem) Let $G_1$ be a multiplicative cyclic group and $g$ a generator of $G_1$. For an unknown element $a \in Z_p^*$, given $g$ and $g^a \in G_1$ as input, the DL problem is to output $a$.

Definition 3 (Discrete Logarithm (DL) assumption)
For any probabilistic polynomial time (PPT) adversary $A_{DL}$, the advantage of $A_{DL}$ in solving the DL problem in $G_1$ is negligible, which is defined as follows. Here a negligible value is denoted by $\varepsilon$ in the above definitions.

Shamir secret sharing
Shamir secret sharing [39] assumes that a dealer holds a secret $s$ and shares it among $N$ users by giving each user a share, such that the secret $s$ can be recovered from any $t$ users. In other words, the original secret cannot be restored unless the number of users involved in decryption exceeds the threshold value $t$. This secret preservation strategy is also known as the $(t, N)$ threshold method.
The advantage of applying this method in our scheme lies in the decentralized authority of the group managers [40]. Each manager can encrypt user data but cannot decrypt the ciphertext alone. To recover the plaintext, no fewer than $t$ managers must take part in decryption. More importantly, the failure of any single manager during decryption does not affect the recovery of the plaintext. This property gives our system its robustness.

System model
As shown in Fig. 1, our system model contains three entities: the CSP, the TPA, and a user group with multiple managers.

CSP
The CSP stores user data in the cloud platform with sharing services, works with the TPA to validate data integrity, and checks the legality of signature users.

TPA
With professional knowledge of data auditing, the TPA performs public auditing with the CSP through the challenge-response game. During the game, the TPA issues challenges to the CSP, and the CSP responds with a proof of the integrity of the challenged data. The TPA then computes the auditing result and returns it to the manager or the user.

User group with multiple managers
The user group contains both managers and users. The group managers can encrypt user data, upload them to the CSP, and decrypt the data before returning them to users. Encryption and decryption are carried out by multiple managers through Shamir secret sharing. To ensure correct decryption, the number of managers participating in the process must surpass the threshold value $t$. Any group user can upload his/her data to the CSP through a manager and download shared data from the CSP. Each user can also access, modify, and delete data shared by other users.

Threat model
As mentioned before, the data outsourced to the cloud may face many risks, including but not limited to data loss, privacy leakage, and security attacks. This paper mainly focuses on data leakage, authoritative attack, key exposure, and data integrity verification. Data integrity was mentioned earlier and will not be described here.

Data leakage
Data privacy is the key to the outsourced storage and integrity auditing of sensitive data. Nonetheless, privacy-preserving techniques for cloud storage, such as data encryption or differential privacy, cannot prevent data leakage during outsourced storage. For example, when a user is revoked from the user group, its privilege to access, modify, and delete other users' data is not immediately revoked, creating a risk of data leakage.

Authoritative attack
If there is only one manager in the group, that manager possesses virtually unlimited authority and can easily acquire all the data before encryption, which constitutes the authoritative attack of a trusted center. To prevent this attack, in our scheme the data are encrypted by the hybrid threshold encryption method with secret sharing and recovered by no fewer than $t$ managers.

Construction of the scheme
In general, our threshold hybrid encryption method consists of five phases: key generation, data encryption, integrity auditing, data decryption, and user revocation & re-signature.

Key generation
Let $F_\eta$ be a finite field with $\eta$ elements, $E(F_\eta)$ an elliptic curve over this field, and $Q$ a generator of the curve. Both the elliptic curve and the generator are public. Let $F_q$ be a finite field containing the domain of possible secrets, where $q > N$ is a prime number, $N$ is the number of managers $\{P_1, P_2, \dots, P_N\}$ in the Shamir secret sharing, $P_i$ is the $i$th manager with identity number $ID_i$, and $t$ is the preset threshold value of the Shamir secret sharing.
In our method, each manager generates its own secret share and acquires the identity numbers and shares of the other managers through interaction. Manager $P_i$ then computes the public parameters on the elliptic curve $E(F_\eta)$ in the following steps:
Step 1: Manager $P_i$ ($1 \le i \le N$) randomly selects an integer $d_i \in Z_p$ as its private key and computes its public key $y$ as:
Step 2: Manager $P_i$ sets up a polynomial $f_i(x)$ of degree $t-1$ with coefficients $f_{iz}$: where $f_{iz} \in F_q$, $z = 1, 2, \dots, t-1$.
Step 3: Manager $P_i$ computes the secret share $f_i(ID_j)$ for each other group manager $P_j$ ($j \ne i$) from its identity number $ID_j$.
Step 4: Manager $P_i$ computes the parameter $Y_{ij}$ for manager $P_j$:
Step 5: Meanwhile, manager $P_i$ computes the validation parameters $\alpha_{iz} = f_{iz} Q$ and sends the public parameters $pp = (y, Y_{ij}, \alpha_{iz})$ to the other managers. Manager $P_i$ keeps its own secret share $f_i(ID_i)$ and public parameter $Y_{ii}$.
Upon receiving the public parameters from the other $t-1$ managers, manager $P_j$ can check the validity of $f_i(ID_j)$ on the elliptic curve $E(F_\eta)$ by:

Data encryption
In our hybrid encryption method, managers encrypt user data with the AES and encrypt the AES key through the ECC using the message non-embedding method [41]. The data are then signed with the user's private key before uploading. This efficient encryption process facilitates key distribution and management and protects the AES key, providing an effective encryption solution for outsourced data. The details of the encryption process are given in Fig. 2.
Let $\omega$ be a generator of the multiplicative cyclic group $G_1$, $H(\cdot): \{0,1\}^* \to G_1$ a hash function used with the bilinear pairing, and $U_A$ the user planning to upload its data $M$ to the cloud.
First, user $U_A$ generates the private key $sk_A$ and the public key $pk_A$ satisfying $pk_A = g^{sk_A}$, and then sends the plaintext $M$ and the private key $sk_A$ to manager $P_i$ in the group. After receiving $M$ and $sk_A$, manager $P_i$ verifies whether $U_A$ is a legitimate user with the right to upload data by: where $f_{up}$ is the uploaded file. If the above equality holds and $U_A$ is in the user list, $U_A$ is a legitimate user who may upload data, and manager $P_i$ accepts $M$; otherwise, manager $P_i$ deletes $M$. Next, manager $P_i$ encrypts $M$ in the following steps:
Step 1: Manager $P_i$ selects a random number $S \in Z_p$ and sets up an AES key seed $sk_{AES}$.
Step 2: Manager $P_i$ encrypts $M$ with the AES under $sk_{AES}$, yielding the ciphertext $C_M$ of $M$: where $Enc(\cdot)$ denotes the encryption function.
Step 3: Manager $P_i$ encrypts the AES key $sk_{AES}$ with the ECC, yielding the ciphertext $c_{sk_{AES}}$ of $sk_{AES}$: where $(x_1, y_1)$ are the coordinates of $C_1$, $(x_2, y_2)$ are the coordinates of $C_2$, and $x_2$ is the x-coordinate of $C_2$. Manager $P_i$ then sends the ciphertext $c_{sk_{AES}}$ to each manager in the group, without saving the random number $S$ or the random key seed $sk_{AES}$. Upon receiving the ciphertext $C_M$, the manager signs the encrypted data $C_M$ with the private key of $U_A$ as: where $id_M$ is the identity of the ciphertext $C_M$.
Finally, manager $P_i$ sends the ciphertext of $M$ together with its signature, $C_M \| \sigma_{C_M}$, to the cloud.

Integrity auditing
Before downloading data, its integrity should be verified by the auditing method. A user only needs to submit an auditing request to the TPA, which checks the data integrity at the CSP through the challenge-response game and returns the result to the user. To lower the communication and computation cost, our method assumes that the user entrusts the TPA to perform integrity auditing by interacting with the CSP. Our integrity auditing procedure is as follows, and the process is shown in Fig. 3.
First, user $U_A$ requests auditing of a certain file, and the TPA generates the challenge message in the following steps:
Step 1: The TPA randomly extracts a ciphertext subset $L = \{C_{M_1}, C_{M_2}, \dots, C_{M_o}\}$ as the data to be audited. The set $L$ is divided into $N_U$ blocks $L = \{l_1, l_2, \dots, l_{N_U}\}$, where $l_i$ is the $i$th data block (12) and the data block number $i \in \{1, 2, \dots, N_U\}$ is denoted as
Step 2: The TPA randomly selects a value $v_n \in Z_p^*$ for each $n \in l_i$ and sends $msg_{chal} = \{(i, v_n)\}_{i \in [1, N_U]}$ to the cloud as the challenge message.
Upon receiving the challenge message, the cloud returns a proof of the outsourced data in the following steps:
Step 1: The cloud computes the tag proof $\beta_i$ and the data proof $\gamma_i$ of each part $l_i$ by the following formula: where $\sigma_n$ is the signature of data block $n$ satisfying and $id_n$ is the identity of $n \in l_i$.
Step 3: Finally, the TPA sends the result to the user $U_A$ who requested it.

Data decryption
To obtain shared data from the CSP, a user must download it from the cloud storage. First, the user files a download request with a manager. The manager then verifies whether the user is a legitimate user with the privilege to download the data. If so, the manager downloads the shared data. Afterward, at least $t$ managers jointly decrypt the encrypted data, and one of them sends the data to the user. The verification is implemented in the following steps, shown in Fig. 4.
Let $U_B$ be the user who wants to download data $M$ from the cloud. The user first prepares the download auditing file $f_{down}^{sk_B}$ and sends it to any manager as the download request. Upon receiving $f_{down}^{sk_B}$, the manager checks the following equation:
$$e(f_{down}, pk_B) = e(f_{down}^{sk_B}, g)$$
Fig. 4 The decryption process
where $f_{down}$ denotes the downloaded file, and $sk_B$ and $pk_B$ are the private key and public key of user $U_B$, respectively. If the above equality holds and $U_B$ is in the user list, $U_B$ is a legitimate user with the privilege to download the data. Manager $P_i$ then files the download request with the CSP and obtains $C_M \| \sigma_{C_M}$. The manager splits $C_M \| \sigma_{C_M}$ into the ciphertext $C_M$ and the signature $\sigma_{C_M}$, and $C_M$ is decrypted by $t$ managers. Let $W = \{P_1, P_2, \dots, P_t\}$ be the $t$ managers involved in decryption. The decryption process is as follows:
Step 1: Upon receiving the ciphertext, manager $P_i$ in $W$ computes its decryption factor $s_{ij}$ for manager $P_j$ from its secret share using the Lagrange interpolation polynomial: where $ID_{i_k}$ and $ID_{i_j}$ are the identity numbers of the $k$th and $j$th managers known to manager $P_i$, and $k \in \{1, 2, \dots, t\}$.
Step 2: Manager $P_j$ validates the received decryption factor $s_{ij}$ as follows.
If the above formula holds, the decryption factor $s_{ij}$ is genuine; otherwise, it is false and the request is rejected.
Step 3: After manager $P_i$ has received $t$ decryption factors, it can compute $(x_2, y_2)$ by the ECC decryption algorithm: The correctness of this formula is verified in formula (28) below.
Step 4: Manager $P_i$ then takes $x_2$ and computes the AES key seed $sk_{AES}$ by: With the AES key seed $sk_{AES}$, manager $P_i$ decrypts $C_M$ to obtain the plaintext $M$ and sends the data to user $U_B$.
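The dealerless key generation of the "Key generation" section (steps 2 to 5), the ECC encryption of the AES key seed (encryption step 3) and the threshold decryption above (steps 1, 3 and 4) can be exercised end to end on a toy curve. The following is an added example, not the paper's own code (the authors' implementation uses Java with JPBC): it assumes a constructed curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ whose generator $Q = (5, 1)$ has prime order $q = 19$, integer identity numbers 1 to 4, and a Feldman-style check $f_i(ID_j) Q = \sum_z ID_j^z \alpha_{iz}$ standing in for the paper's validation formula, whose exact form is not reproduced on this page. The AES step, the $Y_{ij}$ parameters and the decryption-factor validation of step 2 are not modelled; the key seed is treated as an integer in $Z_q$.

```python
# Constructed toy model of the paper's key generation (steps 2-5), encryption of the
# AES key seed (encryption step 3) and threshold decryption (decryption steps 1, 3, 4).
# The curve, its size, the identities and all names are assumptions for illustration.
import random

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17; Q = (5, 1) has prime order q = 19.
ETA, A, B = 17, 2, 2
Q = (5, 1)
q = 19
INF = None  # point at infinity


def ec_add(P1, P2):
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % ETA == 0:
        return INF
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, ETA) % ETA
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, ETA) % ETA
    x3 = (lam * lam - x1 - x2) % ETA
    return (x3, (lam * (x1 - x3) - y1) % ETA)


def ec_mul(k, P):
    # double-and-add scalar multiplication; scalars live in Z_q
    R = INF
    k %= q
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def poly_eval(coeffs, x):
    # coeffs[0] = f_i(0), coeffs[z] = f_iz; evaluates f_i(x) over F_q
    return sum(c * pow(x, z, q) for z, c in enumerate(coeffs)) % q


def lagrange_coeff(ids, j):
    # Lagrange coefficient at 0, so that f(0) = sum_j lambda_j * f(ID_j) over t identities
    num = den = 1
    for k in ids:
        if k != j:
            num = num * (-k) % q
            den = den * (j - k) % q
    return num * pow(den, -1, q) % q


class Manager:
    def __init__(self, ident, t, rng):
        self.id = ident
        self.coeffs = [rng.randrange(1, q) for _ in range(t)]  # step 2: f_i of degree t-1
        self.alpha = [ec_mul(c, Q) for c in self.coeffs]       # step 5: alpha_iz = f_iz * Q
        self.share = 0                                         # f(ID_i) of the joint polynomial

    def share_for(self, other_id):
        return poly_eval(self.coeffs, other_id)                # step 3: f_i(ID_j)

    def accept_share(self, sender_alpha, share):
        # Feldman-style validity check (an assumption standing in for the paper's formula):
        # f_i(ID_j) * Q must equal sum_z ID_j^z * alpha_iz, else the share is rejected
        expect = INF
        for z, a in enumerate(sender_alpha):
            expect = ec_add(expect, ec_mul(pow(self.id, z, q), a))
        if ec_mul(share, Q) != expect:
            raise ValueError("share from manager failed validation")
        self.share = (self.share + share) % q


def distributed_keygen(ids, t, seed=0):
    # Dealerless (t, N) key generation: nobody ever holds f(0) = sum_i f_i(0)
    rng = random.Random(seed)
    while True:
        managers = [Manager(i, t, rng) for i in ids]
        for m in managers:
            for sender in managers:
                m.accept_share(sender.alpha, sender.share_for(m.id))
        y = INF
        for m in managers:
            y = ec_add(y, m.alpha[0])       # public key y = f(0) * Q
        if y is not INF:                    # toy guard: f(0) = 0 mod q gives no usable key
            return managers, y


def encrypt_seed(sk_aes, y, seed=0):
    # Non-embedding ECC encryption of the seed: C1 = S*Q, (x2, y2) = S*y, c1 = x2*sk_aes mod q
    rng = random.Random(seed)
    while True:
        S = rng.randrange(1, q)
        x2 = ec_mul(S, y)[0]
        if x2 % q:                          # x2 must be invertible mod q for decryption
            return ec_mul(S, Q), x2 * sk_aes % q


def threshold_decrypt(subset, C1, c1):
    # Any t managers combine lambda_j * f(ID_j) * C1 to obtain f(0) * C1 = (x2, y2),
    # then recover sk_aes = x2^{-1} * c1 without ever reconstructing f(0) itself
    ids = [m.id for m in subset]
    point = INF
    for m in subset:
        point = ec_add(point, ec_mul(lagrange_coeff(ids, m.id) * m.share, C1))
    return pow(point[0], -1, q) * c1 % q


if __name__ == "__main__":
    managers, y = distributed_keygen([1, 2, 3, 4], t=3, seed=7)
    C1, c1 = encrypt_seed(11, y, seed=5)
    print(threshold_decrypt(managers[:3], C1, c1))  # 11
```

Any three of the four managers recover the seed, and a tampered share is caught by the validity check before it contaminates the joint share, which is the property the "false interaction information" analysis below relies on. In a real deployment the curve would be a standard prime-order curve and the seed would feed an AES key derivation rather than being a small integer.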

User revocation and re-signature
The user revocation mechanism in cloud data sharing services has been studied in many papers [42][43][44][45]. For instance, Wang et al. [8] presented a proxy re-signature scheme in which a user whose registration expires is revoked from the group by the managers and loses the right to share, acquire or update data; all data signed by the revoked user must be re-signed by another legitimate user in the group so that integrity auditing of the revoked user's data can proceed normally.
Since the revoked user's data are stored in the cloud, its signatures can be recomputed directly by selecting a legitimate user in the group, who downloads the data signed by the revoked user to local space. The legitimate user then verifies the correctness of the data, re-signs it with its private key, and sends the re-signed data back to the cloud. However, this direct download-and-re-sign method consumes a lot of time and computing power and incurs a high communication cost, especially when a huge amount of data must be signed and the group membership changes frequently.
Obviously, if the cloud could obtain the private key of each user, the arduous re-signature task could be completed quickly by the cloud itself. This approach eliminates the need to download data to local space, saving re-signature time. Nevertheless, the cloud is not completely reliable, so outsourcing users' private keys to the cloud is dangerous. This calls for a fast and efficient re-signature method for legitimate users that eliminates downloading the cloud data. Namely, when a user is revoked from the group, the cloud, acting as a re-signature proxy, converts a signature of the revoked user into a signature of a legitimate user on the same block using proxy re-signature technology, without learning any private key or data.
In view of the above, the proxy re-signature technique proposed by Wang et al. [8] is as follows. When user U A is revoked, the cloud will cooperate with another legitimate user U C to re-sign the data signed by the revoked user U A . The details of the re-signature process without considering the collusion are provided in Fig. 5.
Step 1: The CSP generates a random number r and sends it to the revoked user U A .
Step 2: User $U_A$ computes the temporary value $r / sk_A$ from the random number $r$ and its private key $sk_A$, and sends it to the user picked for re-signature.
Step 3: After receiving $r / sk_A$, user $U_C$ uses its private key $sk_C$ to compute $r \cdot sk_C / sk_A$ and sends it to the CSP.
Step 4: After receiving $r \cdot sk_C / sk_A$, the cloud obtains $sk_C / sk_A$ by dividing out the random number $r$ and then computes the new signature: Through these steps, the signature of user $U_A$ is converted into a new signature of user $U_C$.
The data are re-signed without being downloaded from the CSP, which reduces the communication and computation cost and improves system efficiency. Nonetheless, the above process fails to consider collusion between the CSP and the revoked user. If the revoked user reveals $sk_A$ to the CSP, the latter can compute $sk_C$ from $sk_C / sk_A$, posing a threat to the data security of user $U_C$.
To avoid the collusion attack between the CSP and revoked users, we propose a new re-signature method in which a manager participates in the re-signature process. The collusion-resistant re-signature mechanism is shown in Fig. 6.
Fig. 6 The re-signature process of avoiding the collusion
Step 1: The CSP computes a temporary signature from the information of the revoked user $U_A$ and a random number $r$ generated by the CSP.
Step 2: The CSP sends the temporary signature $\sigma_{temp}$ to user $U_C$, who computes $\sigma_{temp}^{sk_C}$ with its private key $sk_C$ and then sends $\sigma_{temp}^{sk_C}$ to manager $P_i$.
Step 3: Manager $P_i$ verifies the following equation: If the equation holds, the manager sends $\sigma_{temp}^{sk_C}$ to the CSP.
Step 4: The CSP receives $\sigma_{temp}^{sk_C}$ and computes the new signature by the following formula: The CSP then replaces the old signature $\sigma_{C_M}$ with the new one and places the latter after the data $C_M$.
In summary, the CSP does not obtain any information about the private key of any user, which enhances the system security and avoids the collusion attack.
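The re-signature flow of Wang et al. [8] described above, and the collusion risk that motivates the manager-mediated variant, as an added example that is not code from the paper or from [8]: it assumes a constructed prime-order subgroup of $Z_p^*$ (with $p = 1019$, $q = 509$, $g = 4$) standing in for the pairing group $G_1$, and signatures of the form $\sigma = H(m)^{sk}$ with $pk = g^{sk}$, which matches the page's $pk_A = g^{sk_A}$ but is an assumption since the page's signature formula is not reproduced here. The manager-mediated variant is not modelled, as its equations are not given on this page.

```python
# Proxy re-signature flow of Wang et al. as described above, modelled in a constructed
# prime-order subgroup of Z_p^* (a stand-in for the pairing group G1), with
# signatures of the form H(m)^sk. All parameters below are constructed toy values.
import hashlib

p = 1019   # safe prime: p = 2*q + 1
q = 509    # order of the subgroup generated by g
g = 4      # quadratic residue mod p, so it generates the subgroup of order q


def hash_to_group(data: bytes) -> int:
    # H: {0,1}* -> G1, realised here as g^(SHA-256(data) mod q)
    e = int.from_bytes(hashlib.sha256(data).digest(), "big") % q
    return pow(g, e, p)


def keygen(sk: int):
    # private key sk in Z_q and public key pk = g^sk, as in pk_A = g^{sk_A}
    return sk % q, pow(g, sk, p)


def sign(sk: int, data: bytes) -> int:
    # signature sigma = H(data)^sk on a ciphertext block
    return pow(hash_to_group(data), sk, p)


def resign_key_exchange(sk_a: int, sk_c: int, r: int) -> int:
    # Steps 1-4: A sends r/sk_A, C turns it into r*sk_C/sk_A, the CSP divides r out
    from_a = r * pow(sk_a, -1, q) % q      # r / sk_A, computed by the revoked user U_A
    from_c = from_a * sk_c % q             # r * sk_C / sk_A, computed by U_C
    return from_c * pow(r, -1, q) % q      # sk_C / sk_A, now held by the CSP


def resign(sigma_a: int, rk: int) -> int:
    # New signature sigma_C = sigma_A^(sk_C/sk_A) = H(m)^sk_C, computed by the CSP
    # without downloading the data or learning either private key
    return pow(sigma_a, rk, p)


def key_exposed_by_collusion(rk: int, sk_a: int) -> int:
    # The collusion the paper warns about: once a revoked U_A discloses sk_A, the CSP
    # holding sk_C / sk_A obtains sk_C by one multiplication, so the re-signature key
    # must never be handed to the cloud in this form
    return rk * sk_a % q


if __name__ == "__main__":
    sk_a, pk_a = keygen(123)
    sk_c, pk_c = keygen(77)
    block = b"constructed ciphertext block C_M"   # constructed sample input
    rk = resign_key_exchange(sk_a, sk_c, r=31)
    print(resign(sign(sk_a, block), rk) == sign(sk_c, block))   # True
    print(key_exposed_by_collusion(rk, sk_a) == sk_c)           # True
```

The toy group has no pairing, so the re-signed value is checked by recomputing $H(m)^{sk_C}$ rather than by the pairing equation the TPA would use; the point of the example is the structure of the re-key, which is what the manager's verification step in the proposed method is designed to keep away from the cloud.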

Decryption correctness
This subsection mainly analyzes the correctness of the data decryption after downloading.

Conclusion 1 The AES key seed $sk_{AES}$ can be decrypted with $t$ decryption factors.
Proof Using the properties of Shamir secret sharing: We have the sum of the decryption factors as: Thus, extracting $x_2$, the AES key seed can be derived as in formula (21).

Integrity auditing correctness
The audit Eq. (16) can be derived as follows:

Encryption/decryption security
The private key $f_i(0)$ of the system is safe
The private key $f_i(0)$ of the system is created implicitly during the generation of the system public key $y$. Only when $t$ managers hand out their secret shares can $f_i(0)$ be computed: Attackers cannot obtain $f_i(0)$ from the public key of the system. Because the DL problem is hard on the elliptic curve, it is not feasible for attackers to derive the managers' private key $f_i(0)$ from the public key. Similarly, attackers cannot deduce the secret share $f_i(ID_j)$ of any manager even if they have obtained the public information $Y_{ij} = f_i(ID_j) Q \bmod q$. In other words, attackers cannot derive $f_i(0)$ from the secret shares $f_i(ID_j)$.

The false interaction information between managers can be found
(1) During public key generation, manager $P_j$ can verify the share $f_i(ID_j)$ sent by manager $P_i$; the following can be derived: Since $\alpha_{iz} = f_{iz} Q$, we have: therefore, formula (4) is correct and can be used for verification.
Proof From formula (18) we obtain the following: By formula (3), we get formula (19). As shown in formula (19), each manager in the set $W$ can verify the decryption factor $s_{ij}$ with public information, and any false decryption factor will be identified because formula (19) does not hold for it, ensuring that no manager is cheated.
(3) It is not feasible for an attacker to recover the key seed from the ciphertext $c_{sk_{AES}} = (C_1, c_1)$. As mentioned before, the DL problem is hard on the elliptic curve. Thus, it is infeasible to compute the random number $S$ from $C_1 = SQ$.
Without the random number, $x_2$ cannot be computed from $(x_2, y_2) = Sy$. Therefore, even if an attacker intercepts the ciphertext $c_{sk_{AES}} = (C_1, c_1)$, he/she cannot obtain the AES key seed $sk_{AES} = x_2^{-1} c_1$. If a user in the group acting as an attacker obtains $sk_{AES} = x_2^{-1} c_1$ and the plaintext $M$, he/she still cannot submit a forged ciphertext because of the ciphertext signature and its verification.

Performance analysis
In this section, we compare the communication and computation cost with the state of the art using numerical results. We then evaluate performance through simulations.

Communication cost
As described in the "Construction of the scheme" section, the communication cost of our scheme is analyzed and compared over the following five phases. In the key generation phase, manager $P_i$ sends the public parameters to the other group managers, producing a communication cost of $O(1)$. In the encryption phase, manager $P_i$ sends the ciphertext $c_{sk_{AES}}$ of $sk_{AES}$ to each manager or sends the ciphertext data with their signatures to the cloud. Finally, we also compare the communication cost with several prior works. Note that $R$ is the number of users, $|m|$ is the size of an element of $Z_q$, $|h|$ is the bit length of a block, and $K$ is the number of elements. As shown in Table 3, the communication cost of our scheme is the same as [4] and less than [8,31] and [36], so it achieves high performance and is more efficient than the schemes of [8,31] and [36].

Computation cost
For brevity, we denote modular exponentiation by $Exp_{G_1}$, point multiplication by $Mul_{G_1}$, and the pairing operation by $Pair$. Compared with $Exp_{G_1}$, $Mul_{G_1}$, and $Pair$, the computation cost of hash operations is ignored [4].
In the key generation phase, the computation cost is $(t+3)Mul_{G_1} + (t-2)Exp_{G_1}$, which covers the secret sharing and the public key generation. The computation cost of the encryption phase is $Pair + 4Mul_{G_1} + 2Exp_{G_1}$. In the integrity auditing process, the computation cost is $N_U Exp_{G_1} + (N_U - 1)Mul_{G_1}$ for tag proof generation and $N_U Mul_{G_1}$ for data proof generation. After the cloud returns the proof to the TPA, the verification cost is $(3N_U - 2)Mul_{G_1} + N_U Pair$. For the decryption phase, the cost is $(t^2 + 2t + 2)Mul_{G_1}$. In the user revocation and re-signature stage, the cost of the CSP is $2Mul_{G_1} + 4Exp_{G_1}$, and the manager's cost is $2Pair$. Table 4 compares the computation cost of our scheme with the contrasted schemes. It can be seen that our scheme uses more pairing operations but $2(N_U - 1)Exp_{G_1} + (N_U - 4)Mul_{G_1}$ fewer operations in pre-processing, which is clearly below scheme [4] when $N_U$ is relatively large. In proof generation, ours is the same as [4] and better than [36]. Because [36]

Experiment analysis
To evaluate the efficiency of our scheme, our experiments are implemented in Intel(R) Core(TM) i3-8100 CPU @ 3.60GHz, RAM 4GB with Win10 Operation System, utilizing the Eclipse platform with Java programming language and Java Pairing Based Cryptography (JPBC) to realize the cryptography operations for the AES, the ECC, and Shamir secret sharing, and using the SQLite lightweight database to simulate the cloud storage with the security level of 80 bits. In the following, we compare the communication cost of our scheme with [8,31], and [36]. We simulate the running time of each phase including the key generation phase with the number of managers increasing and the cloud proof phase and the TPA verify phase with the number of blocks increasing for our scheme. Finally, we compare the re-signature time of our scheme with [8].
In the communication cost comparison process, Figs. 7 and 8 compare the communication cost of our scheme with the contrastive schemes [8,31], and [36] as the number of challenged blocks and the number of users change, respectively. Specifically, the number of challenged blocks is {10, 20, 30, · · · , 100}, the bit number of a block |h| is 100 with K as 1, and |m| is 160 bits. When analyzing the influence of the number of users on the communication cost, we vary the number of users over {10, 20, 30, · · · , 100}, taking $|N_U|$ as 10, |h| as 100, |m| as 160, and K as 100. As shown in Fig. 7, as the number of challenged blocks grows, the communication cost increases continually, and our scheme has a smaller communication cost than the other comparative schemes. From Fig. 8, it can be seen that our scheme and [31] remain unchanged, whereas [8,36] change significantly as the number of users increases. In Fig. 9, we plot the running time of each phase of our scheme. In the key generation phase, we choose the sampled values {10, 20, 30, · · · , 100} for the number N of managers and set the threshold value t = 0.8 * N for the experiment. Focusing on the integrity auditing phase, we set 1024 bytes as a block and the block numbers are {50, 100, 150, · · · , 500}. The cloud proof process in formulas (13), (14), (15) and the TPA verify process in formula (16) are experimented with, respectively. In the figure, the key generation time is plotted as the blue line, which is read against the blue x axis (the top x axis) for the increasing number of managers and the blue y axis (the right y axis) for time. We plot the cloud proof time and the TPA verify time against the increasing number of blocks with the bottom x axis and the left y axis. As shown in Fig. 9, as the number of managers grows, the running time of the key generation phase increases continually, and as the number of blocks increases, the running time of the cloud proof phase and the TPA verify phase also grows steadily. However, the running time of each phase is obviously short, since it is measured in microseconds, so our method runs quickly and is more efficient. In the re-signature process, we also adopt the sampling method to obtain the re-signature time for the block numbers {0, 50, 100, · · · , 350}. As shown in Fig. 10, as the number of re-signed blocks grows, the re-signature time increases steadily for both our scheme and the comparative scheme [8]. But it is obvious that our scheme consumes less time than [8] with linear growth of re-signed blocks. When the number of re-signed blocks reaches 350, our scheme saves more than 20 seconds.
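As an added illustration of the dealer-free threshold property behind the key generation experiment above (t = 0.8 * N managers), the following Python, which is not the paper's code, has every manager contribute its own Shamir polynomial so that the group secret only ever exists as a sum of shares. The prime field, the use of the group secret directly as AES key material, and the SHA-256 derivation are assumptions of this example; the paper's construction works over ECC and encrypts $sk_{AES}$ separately.

```python
import hashlib
import secrets

Q = 2**255 - 19  # prime field modulus (assumed for this example)


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def distributed_key_generation(n, t):
    """Each manager i picks a random f_i of degree t-1 and hands f_i(j) to
    manager j, so manager j's share is sum_i f_i(j) and the group secret is
    sum_i f_i(0). The secret is returned here only so callers can verify
    correctness; in a real run no single party ever holds it."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    shares = {j: sum(_eval_poly(f, j) for f in polys) % Q
              for j in range(1, n + 1)}
    return shares, sum(f[0] for f in polys) % Q


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over any subset {j: s_j} of shares."""
    secret = 0
    for j, s_j in shares.items():
        num, den = 1, 1
        for k in shares:
            if k != j:
                num = num * (-k) % Q
                den = den * (j - k) % Q
        secret = (secret + s_j * num * pow(den, -1, Q)) % Q
    return secret


def aes_key_from_secret(secret):
    """Derive a 128-bit AES key from the group secret (assumed KDF: SHA-256)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()[:16]


def threshold_recovery_works(n=10, t=8):
    """Mirror the experiment's t = 0.8 * N: t of N managers recover the key,
    while t - 1 (one manager failed or revoked) obtain an unrelated value."""
    shares, group_secret = distributed_key_generation(n, t)
    present = dict(list(shares.items())[:t])
    too_few = dict(list(shares.items())[:t - 1])
    key = aes_key_from_secret(group_secret)
    return (aes_key_from_secret(reconstruct(present)) == key
            and aes_key_from_secret(reconstruct(too_few)) != key)
```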

Conclusions
This paper combines the AES and the ECC with Shamir secret sharing into a novel hybrid encryption method without trusted center, which is suitable for integrity auditing in cloud computing and for collaborative learning in machine learning. The hybrid approach not only facilitates key distribution and management but also improves the encryption speed and efficiency for shared data. With our method, the uploaded data are encrypted to avoid privacy leakage and security attacks, the downloaded data are audited to preserve data integrity, and the re-signature prevents a revoked user from learning any private key or data information. In addition, even if a manager fails to participate in decryption, the other managers can work together to restore the data as long as the number of participating managers reaches the preset threshold. This feature ensures the high robustness of the system. The correctness and security of our method are verified through detailed analysis. Moreover, we evaluate the performance and efficiency of our method, and the results show that our scheme is correct, secure, and efficient.