Privacy Preserving Dynamic Provable Data Possession with Batch Update for Secure Cloud Storage

Cloud Server (CS) is an untrusted entity in the cloud paradigm that may hide accidental data loss to maintain its reputation. Provable Data Possession (PDP) is a model that allows a Third Party Auditor (TPA) to verify the integrity of outsourced data on behalf of the cloud user without downloading the data files. But this public auditing model faces many security and performance issues, such as unnecessary computational burden on the user as well as on the TPA, preserving the identities of users from the TPA during auditing, and support for dynamic updates. Many PDP schemes create a computational burden either on the TPA or on the cloud user. To balance this overhead between TPA and user, this paper proposes the Privacy-Preserving Dynamic Provable Data Possession (P2DPDP) scheme, which is based on the ODPDP scheme. In the ODPDP scheme, the user relieves the burden by signing a contract with the TPA regarding verification of his outsourced data. But this scheme generates computation overhead on the TPA. To reduce this computation overhead, our P2DPDP scheme uses Indistinguishability Obfuscation (IO) with a one-way function such as a message authentication code to make the auditing process lightweight. The P2DPDP scheme uses a Rank-based Merkle Tree (RBMT) to support dynamic updates in batch mode, which greatly reduces the computation overhead of the TPA. ODPDP lacks privacy, which P2DPDP maintains using a ring signature technique. Our experimental results demonstrate reduced verification time and computation cost compared to existing schemes.

Keywords—Public auditing; ring signature; Indistinguishability Obfuscation; Rank-based Merkle Tree (RBMT)


I. INTRODUCTION
With the rapid development of cloud computing, many individuals and small-scale organizations have started outsourcing their data to an untrusted CS. This paradigm, even though it has proved to be a boon, has brought many security challenges with it. The user does not have physical ownership of the data, since outsourced data may be stored at any server. This outsourced data may get damaged unintentionally because of disk crashes or natural disasters. Sometimes CS may intentionally delete infrequently accessed data to create space for new users. These incidents of data loss are not reported to cloud users, in order to maintain reputation [1]. Provable Data Possession (PDP) is a technique that allows any user to check the integrity of data blocks outsourced on CS without downloading the entire data file. Many researchers have proposed cryptographic techniques using homomorphic authenticators [2]-[12]. Cloud users can check the integrity of outsourced data on their own, but this frequent task creates an additional burden on the cloud user in terms of time and computation cost. So, researchers have proposed a solution in which the user can delegate auditing work to a TPA having the expertise and skill. TPA generates a challenge message and CS has to produce the proof based on recent data. This proof is verified by TPA. This model has many security challenges, since CS is one of the untrusted entities and TPA, even if trusted, is curious about the auditing work.
Integrity checking during dynamic update operations on data is a major challenge in the PDP model. Authenticators have to be recalculated during insertion, deletion, and modification operations on data because most of the authenticators are calculated based on indices of files. Researchers have proposed dynamic auditing schemes using Merkle Hash Tree (MHT) [24]. MHT is a hash-based data structure used for data verification. Other data structures used for dynamic data updates are the Index Hash Table (IHT) [5], [6] and the Dynamic Hash Table (DHT) [18]. These techniques need to store some additional information, which may increase storage and computation cost. Guo et al. [21] proposed the Multi-leaf-authenticated (MLA) scheme for dynamic data using Rank-based Merkle Tree (RBMT). This scheme authenticates multiple leaf nodes at once without storing height and status values. With this scheme, multiple dynamic update operations can be performed in batch mode.
In the auditing model, TPA is a trusted entity but still curious, and may compromise data and user privacy. During auditing, TPA may infer information about the users who have signed the blocks. Researchers have given multiple approaches to address this issue. Some privacy-preserving protocols [39], [40] are proposed based on aggregate signature [14] or hash-based commitment [15], but auditing is not mentioned in these schemes. Huang et al. [18] proposed a privacy-preserving scheme using group signature and blockchain. Tian et al. [20] also proposed a privacy-preserving scheme that addresses data privacy using random masking to blind the data proof. Identity privacy is preserved using a modification record table to record operation information. Different variations of signature algorithms, such as blind signature, random sampling, ID-based privacy, and attribute-based signature, are used by multiple researchers during auditing [22]-[28]. Attribute-based signatures are based on attribute-based cryptography [16], [17]. Ring signature is another variation of group signature in which a ring or group is formed with multiple users. A user signs the blocks and shares them among the group members. The verifier determines that a block is signed by one of the group members but can't reveal who has signed the block. Certificateless authentication [29], [30] is one of the cryptographic techniques for authentication. Some authors proposed privacy-preserving integrity verification schemes [31], [32] using certificateless ring signature, which greatly reduces the computation cost during auditing. Li et al. [19] proposed integrity checking of group shared data using certificateless signature. Ni et al. [33] proposed the lightweight ID-P3DP scheme, in which privacy is achieved through zero-knowledge proof.
Many of the above auditing schemes are based on homomorphic authenticators which incur high computation cost and time during auditing. There is a need to propose a lightweight auditing process which can create a little burden on TPA as well as on cloud user. Indistinguishability Obfuscation (IO) is a modern cryptographic technique that uses one-way function for implementation of different cryptography constructs [35]. Researchers [36]- [38] proposed an efficient public verification scheme using IO combined with one-way function MAC which makes this scheme lightweight by generating very little burden on TPA. Tu et al. [13] proposed user-focus auditing which try to reduce the overhead of user by pre-generating challenges for TPA before auditing. Guo et al. [21] also proposed outsourced auditing scheme in which after each verification, TPA generates an audit data log which is checked later by the user. These schemes reduce the burden of verification on user. There is no need for a user to be available during verification, as per his convenience he can check the audit log.
Most of the auditing schemes create a computational burden of tag generation and verification either on TPA or on the user. If we try to reduce the burden on TPA, it will increase the burden on the user, or vice versa. Zhang et al.'s [36] scheme reduces the computation overhead of TPA, but the cloud user is actively involved in the auditing process. Guo et al.'s [21] scheme proposes an auditing scheme where the user is not involved in the auditing process, but it creates a computation burden on TPA because of Efficient Homomorphic Verifiable Tags (EHVT).
The remainder of this paper is organized as follows: Section II describes related work, problem identification and contributions by authors. Section III elaborates the basic building blocks of the P2DPDP scheme. Section IV explains the P2DPDP scheme. Section V discusses the evaluation of the P2DPDP scheme in terms of security and performance.

A. Related Work
A good number of solutions have been proposed by many researchers [1]- [10] for integrity verification of outsourced data. In most of these schemes, cloud user and TPA are actively involved during verification phase. This may create an additional burden on cloud users as well as on TPA. Guo et al. [21] proposed ODPDP scheme which relieves user's verification overhead by migrating frequent auditing tasks to TPA. In this scheme, a contract takes place between user and TPA regarding the frequency of verification task. TPA generates challenges based on this contract. After each verification, a log file is generated at TPA which contains an audit data log. User as per his convenience can check the log and make sure the integrity of his data as well as working of TPA. This scheme greatly reduces the overhead on user side. This scheme uses Multi-Leaf Authentication (MLA) solution with RBMT for dynamic data updates which greatly reduces storage cost as well as allows verification of multiple dynamic operations in batch mode.
To minimize the burden of TPA in terms of computations, it is necessary to develop a verification scheme which is lightweight in terms of computation. Zhang et al. [36] proposed lightweight auditing technique using IO and one-way function MAC. This greatly reduces the computation overhead of TPA during verification since TPA has to just calculate MAC each time and verify it with the received proof from CS. In this scheme, during outsourcing data at CS, a user has an additional overhead of generating circuit (audit program), obfuscating with MAC key, and send it to CS. But this is only a one-time cost to generate obfuscated program since it would not change along with the modification of public parameters and challenge message. This scheme uses Merkle Hash Tree (MHT) to support dynamic data updates on file.
In the auditing model, building a privacy-preserving auditing technique is a major challenge because of the curious but trusted nature of TPA. Thokcham [34] proposed a privacy-preserving auditing technique using CDH based ring signature. This ring signature scheme is unforgeable and completely anonymous. Any ring member can sign a message using his private key and the public keys of the other members, so not every member needs to be present during the signing process. Using this scheme, anyone can check whether a signature is generated by a valid member of the group without revealing the identity of the user who has signed that message. This preserves the identity privacy of the user from TPA during verification.
The ODPDP scheme reduces user overhead but increases the burden on TPA in terms of computation. The computation cost on TPA in ODPDP during auditing is (l+s+1) + 2Pair, where l is the number of challenged blocks, s denotes the number of sectors per block, is exponentiation operation on group G and Pair is the pairing operation. Compared to the ODPDP scheme, Zhang et al.'s [36] scheme creates less burden on TPA during auditing, i.e., 2Hash, where Hash is hashing operation on . It means TPA has to compute only 2 hash functions for verification. So the proposed P2DPDP scheme modifies ODPDP by using the IO and MAC of Zhang et al.'s scheme instead of the EHVT of ODPDP for integrity verification. The ODPDP scheme does not propose any solution for identity privacy. We extend this scheme by using the CDH based ring signature proposed by Thokcham [34] to achieve identity privacy. P2DPDP also uses the RBMT of ODPDP, which allows verification of multiple dynamic operations in batch mode, compared to the MHT in Zhang et al. [36].

B. Problem Identification
To balance the computation overhead between user and TPA, this paper proposes the Privacy-Preserving Dynamic Provable Data Possession (P2DPDP) scheme for cloud storage. In this scheme, the main purpose of using IO is to reduce the computation burden of TPA while maintaining security. Since TPA only needs to validate the commitments generated by CS, the user's data will not be revealed to TPA, which preserves data privacy during the auditing process. To avoid the continuous involvement of the user during the auditing process, the cloud user and TPA sign a contract which includes the starting address of the block, the frequency at which the auditor launches a challenge, and the number of challenged blocks. TPA verifies the outsourced data based on the contract and generates a log file which can be verified by the user at his convenience. To support dynamic updates, RBMT is used, which can perform multiple update operations in a batch. P2DPDP supports user groups and preserves identity privacy by using the CDH based ring signature scheme.

C. Research Contribution
Specifically, the contribution of our scheme P2DPDP is as follows:
• Guo et al. [21] proposed ODPDP scheme which uses Effective Homomorphic Verifiable Tag (EHVT) for integrity verification and RBMT for dynamic data processing. To make the auditing process lightweight and to reduce computation overhead of TPA, we modify the integrity verification scheme of ODPDP by using indistinguishability obfuscation of Zhang et al. [36].
• Guo et al.'s [21] scheme does not offer a solution for identity privacy during auditing. We extend this ODPDP scheme to achieve group user privacy using CDH based ring signature.
• We describe a concrete P2DPDP scheme to be secure and lightweight by modifying ODPDP scheme. Experimental results certify the performance of our scheme.

III. PRELIMINARIES
This section introduces the cryptographic building blocks used in the P2DPDP scheme: IO for integrity verification, MLA for dynamic updates, and the CDH based ring signature scheme for privacy preservation.

A. Indistinguishability Obfuscation (IO)
Indistinguishability obfuscation is a notion of obfuscation under which the obfuscations of any two distinct (equal size) programs that implement identical functionalities are computationally indistinguishable from each other [35].
Assume { }is a circuit class with security parameters l. A uniform PPT algorithm iO having input l, circuit C ∈ { } and outputs a circuit ′ is called indistinguishable obfuscator if the following conditions are fulfilled: 1) For all security parameters l, Circuit C, and input x, we have probability as: Equation (1) satisfies the completeness property of IO. It states that circuit ′ must behave exactly same as circuit C if ′ is generated by an independent invocation of iO on C.
2) For any (not essentially uniform) PPT adversaries D, for all security parameter l ∈ N, for all pairs of circuits 0 , 1 ∈ , there exists a negligible function Negl such that if Equation (2) satisfies the indistinguishability property of IO. It states that the secrets embedded in obfuscated program cannot be extracted by D.
Zhang et.al. [36] proposed integrity verification using IO and one-way function MAC.

B. Multi-Leaf Authentication (MLA)
The ODPDP scheme [21] proposed MLA for dynamic updates. This scheme uses RBMT instead of MHT to support authentication of the indices of leaf nodes. In RBMT, there is no need to store a height value as in MHT. Each node ω contains only two fields (r, h), where r is the rank of the node, which is the number of leaf nodes reachable from node ω, and h is the hash value of that node. The rank of a leaf node is 1, i.e., r=1. The second element h is defined as in (3): where H1 and H2 are secure collision-resistant hash functions and || denotes concatenation. The outsourced file F is divided into n blocks such as F= { 1 , 2 …., }. The i th element is bound to the i th leaf node of RBMT by storing the hash value of at node using H2 in (3). Thus, leaf nodes are already sorted from left to right by their indices. For each non-leaf node, ω.left.hash and ω.right.hash indicate the hash values of the left node and right node respectively, calculated using H1 in (3). RBMT can be constructed for given n data blocks. A Merkle root ℎ is sufficient to check the integrity of dynamic updates in a tree because of the dependency of all data blocks. Fig. 1 shows the RBMT constructed over 14 data blocks. In Fig. 1, when multiple leaf nodes such as ω3 and ω7 are challenged using MHT, the proofs generated are Ω3 = {ω26, ω22, ω15, ω4, ω3} and Ω7 = {ω26, ω21, ω17, ω18, ω7}. During verification using MHT, some repeated and unnecessary nodes have to be retrieved and processed, which incurs large computation costs. But using the MLA solution, if the multiple challenged nodes are (3,7,8,10,13), the corresponding multi-proof ⊔ is: where every necessary node appears just once, which reduces computation cost as well as supports multiple updates in batch mode.

C. CDH based Ring Signature Scheme
To achieve privacy during auditing, Thokcham [34] used a CDH based ring signature, which is an unforgeable and anonymous technique. No centralized entity is involved, i.e., there is no concept of a group manager. This scheme comprises two algorithms: Ring-sign and Ring-verify.

Ring-sign: This algorithm takes as input a given message M. For a ring of size n, each group member chooses a secret key Sk = which belongs to and public key Pk = .
• Signer t will choose random Є for all other members of the group and generates = . Signer t again computes signature on behalf of group In (4), signer t computes signature using his private key with different parameters such as: public keys of n group members PK, the global parameter d,

Ring-verify: As per (5), the verifier verifies the signature using the received ring signature σ, message M, and public keys PK of all members. The verifier checks the following equality.

A. System Model
The framework for our P2DPDP scheme is as shown in Fig. 2. It consists of three entities: Cloud User, CS, and TPA.
• Cloud User: Cloud user is one of the members of user group who can share a file in a group. Users can check the integrity of shared files through an audit log generated by TPA.
• CS: an entity having the capability of computation and storage at its end. It is having the responsibility to maintain and manage outsourced files.
• TPA: an external entity that works on behalf of users and expertise in verifying the integrity of outsourced data.
The workflow for the P2DPDP scheme from Fig. 2 is as follows:
1) Any cloud user from a group outsources a data file on CS. Before outsourcing, the user calculates the tag for each block and signs the blocks using a ring signature scheme.
2) The user constructs the RBMT tree using hash values of file blocks. The user generates a circuit for the auditing program, obfuscates it, and sends it to CS. The user shares the MAC key with TPA and signs a contract with the auditor regarding verification activity.
3) Based on the frequency mentioned in the contract, TPA generates challenges and performs auditing activity. During an audit, using CDH based ring signature, TPA verifies the group signature using public keys of all members in a group.
4) TPA generates a log file for each activity.
5) Users can check the log entry at any time to verify the integrity of an outsourced file.
6) For dynamic updates, the user sends the update command uc to the TPA.
7) TPA updates the RBMT tree according to uc and sends the updated proof to CS for verification. If verification is successful, CS sends the signed proof to the user.
8) The user verifies the proof and, if successful, sends the updated data blocks ui to CS. CS updates the data blocks accordingly.

B. Design Goals
To achieve privacy preservation during integrity verification of outsourced data, the proposed scheme P2DPDP should satisfy the following design objectives:
1) Public verification: to allow an external auditor to verify the integrity of outsourced data without downloading the data file.
2) Privacy-Preserving: data or user identity must not be revealed to TPA during auditing.
3) Data Dynamic Support: the integrity verification process must support dynamic updates on outsourced data such as insert, delete and modify operations.
4) Lightweight: the verification process must create minimum communication and computation overhead on user and TPA.

C. P2DPDP Scheme
Our proposed P2DPDP scheme works in four phases: Setup, Store, AuditData, and AuditLog.

Setup: Let G and be two multiplicative groups produced by g with order p contains bilinear map e: G x G → G . User U selects a signing key pair (ssk, spk), α, v where α → and v = Є G. U picks random elements 1 , 2 … . . and fixes pseudorandom permutation, function key ( ) and ( ) respectively. The secret and public parameters are sk=(α, ssk) and pk=(v, spk, 1 , 2 … . . ). Group members randomly select private key as Є Using key generation of CDH based ring signature scheme and = Є G as a public key.
Store: Initially according to (6), U divides the file F into blocks n and sector s as in.
Tag Generation: U chooses random element name for file and computes file tag as and data tag as in (7).
In (7), the user calculates the data tag for each block i of file F using random elements of each sector 1 , 2 … . . and the hash value of the block number and file name. Here H is any secure hash function. U generates processed data M as M ={M,ϕ} where

Constructing RBMT: U first calculates hash values for each block of file F using H2. ℎ = 2 ( ) where 1≤ i ≤n. U then generates tree TR using RBMT on the ordered hash values. Each leaf node stores the corresponding hash value ℎ .

Ring Signature Generation:
U has to sign a block on behalf of a group using CDH based ring signature scheme. U randomly chooses 0 , Є and compute signature for all other group members except U denoted by j in (8).
Where, n -number of members in a group j -serial number of the member in the signature who is signing it U computes signature for every member using respective random number r of that user. Then computes h= H(ϕ||T) where T is a timestamp. U again computes using (4).

The signature at time T is
U outsources M and calculated as in (9) on CS. In (9), 1 , 2 … . . +1 is the signature generated for n users by U on behalf of group at time T.
Outsourcing Auditing Task: During this task, U chooses a MAC key k and passes it to TPA using a secure network. U also produces a circuit as described below.
This circuit is similar to auditing program which generate the MAC using embedded MAC Key K based on given input. Uniform PPT algorithm iO proceeds with audit circuit as input and generates public parameter P as P=iO( ).
Agreeing Parameters:
• All group members need to sign on a public parameter ={q, ℎ } where q is the number of data blocks and ℎ is a Merkle root of TR.
• Contract CT is established between U and TPA with the following fields:
BI: block index from which auditing work will start.
Fr: frequency at which TPA launches a challenge.
b: number of challenged data blocks for checking.
AuditData Protocol: This protocol mainly deals with checking the integrity of outsourced data and log generation by TPA.
• Using CDH based ring signature process, TPA verifies the group signature based on input signature , public keys ( 1 , 2 … . . ) of all members in a group, and public parameter 0 . TPA first calculate h=H(ϕ||T). Then verifies signature using (5).
Log Generation: After every audit, whether it succeeds or fails, TPA creates a log record of his auditing work.

AuditLog Protocol:
• U generates challenge using random subset B of file block indices and sends it to TPA. For each b Є B, TPA finds challenge ( ) , proof ( ) from his log file. Computes i, from ( ) . TPA generates multi_audit proof ⊔ using ℎ of TR and generates the proof of appointed log for subset B using (12).
In (12), B indicates the challenge generated by U during AuditLog. Elements i, denotes the challenge retrieved through log file for blocks b and ( ) indicates proof retrieved from log file for blocks b. ⊔ is a multi-audit proof generated from RBMT.
• TPA send a signed proof with his signature ( ( ) ) to U for verification. After verifying the signature, U computes new PRF as.

= (name||{( , ) ЄB })
• U compares if = ( ) . If matched, verification of outsourced data is successful else verification fails. U also verifies ⊔ using ℎ of TR.

D. Support for Dynamic Updates
The P2DPDP scheme supports three types of update operations on blocks: deletion, insertion, and modification. If we perform these updates one by one, it will incur a large computation overhead at the auditor side to generate and verify the hash tree. To reduce this overhead, P2DPDP is based on the MLA scheme using RBMT proposed by ODPDP, which can handle updates in batch instead of one by one.
Initially, U computes all the hash and tag values of the new file block in the Store phase, generates the RBMT tree, and sets the public parameter as ={q, ℎ }. U sends the update command uc to CS and TPA. U also generates an audit circuit, the same as in the basic scheme but with modified verification function ] ) which consists of checking following equation: ,v) After receiving the uc command, TPA updates the leaf nodes and other affected nodes and generates an updated tree * and its Merkle root ℎ * . TPA then sends the updated signed proof up to CS. CS verifies up by executing the audit circuit. U can also later check the correctness of up. If verification is successful, U sends updated information ui to CS and CS updates the processed data.

V. EVALUATION
In this section, the P2DPDP scheme is evaluated by showing correctness proof, security analysis, performance and experiment analysis.

A. Correctness Proof
is an audit circuit generated by U during Store phase. Upon execution of this audit circuit, CS generates MAC based on challenge, block tag σ and using global parameters. Audit circuit contains verification function which denotes the realization of (10). Correctness proof for (10) is as follows:
Proof: Assume user U outsourced data at CS using the Store protocol, but due to some problem the data at CS is accidentally corrupted or deleted. With the P2DPDP scheme, a malicious CS can't pass verification. We prove this by the game sequence below:
1) Based on a contract signed between U and TPA, TPA generates a challenge using AuditData Protocol.

5) Using , TPA calculates PRF and compares it with � .
6) CS wins if TPA passes the verification even if PRF ≠ � .
But in the above game, it's very difficult for a malicious CS to cheat the auditor because of the HMAC scheme used during verification.

Liability:
Theorem 2: An honest auditor can demonstrate that he did his work correctly in case of any disputes.
Proof: To prove the liability of the auditor, we consider two situations: when an auditor is honest or an auditor is dishonest. Consider first the auditor is honest. As per the contract between auditor and User, the auditor generates a challenge ( ) . User can reconstruct the challenge since the contract consists of number of data blocks to be audited. User can check the value of PRF by recalculating (11). Honest auditor generates a log file named Log_File which is the evidence for all the auditing work completed by auditor. So honest auditor can prove his liability by this Log_File.
In contrast, if the auditor is malicious and not doing his work properly, the user can use the AuditLog Protocol to verify the behavior of the auditor. By regenerating the challenge, the user can check the AuditLog file at any time, and the auditor can't deny his misbehavior.

Privacy-Preserving:
Theorem 3: From the server's response to the challenge message, TPA is not able to infer any information such as data and identity of user.
Proof: During verification, user U first generates an audit circuit (which is nothing but an auditing algorithm program that would originally be executed by TPA). U obfuscates this circuit by embedding MAC key K and sends it to CS. For each verification, CS computes the inputs based on the challenge message and executes the obfuscated program. CS generates the MAC tag and sends it to TPA. TPA only has to verify the MAC tag to check the integrity of outsourced data. TPA needs to calculate i and based on challenged blocks using the HMAC scheme. So, it is computationally infeasible for TPA to infer any information or user data using P2DPDP. P2DPDP uses the CDH based ring signature scheme to share any data among group members. In this scheme, a user who wants to share a file computes a signature on this data with his own private key using (4). During verification, TPA can verify the signature with the public keys of all users. Using this scheme, TPA can check whether the signature is computed by a valid user of the group or not, but the scheme can't reveal the individual user identity to the verifier. Thus, because of the CDH based ring signature scheme and IO, P2DPDP is privacy-preserving.

C. Performance Analysis
We first evaluate the performance of the P2DPDP scheme, which shows the privacy-preserving, lightweight auditing process. We also compare the performance of P2DPDP with existing schemes.
The main functionalities which we have considered for this work are: public auditing, dynamic data operations, privacy-preserving, and group support. Table I shows the functionality comparison of the P2DPDP scheme with existing schemes.
To evaluate the performance of the P2DPDP scheme, we evaluate the communication cost between CS and TPA during the proof generation and verification phase of the AuditData protocol. Communication cost between the user and CS is not important, since the user uploads the data entirely to CS initially and can verify the integrity of outsourced data during the AuditLog protocol. During proof generation, TPA generates a challenge message { 1 , 2 } for b number of blocks where 1 and 2 are transformed keys of HMAC. After receiving the challenge message, CS generates proof PRF by calculating HMAC through the obfuscated program. So, communication overhead for proof generation is bH where H is any secure hash operation. After generating the proof PRF using HMAC, CS sends it to TPA. During verification, TPA checks the integrity of outsourced blocks using the MAC key and verifies PRF = (name||{(i, ) iЄI }) So TPA has to calculate only HMAC. TPA also verifies the user signature by the verification algorithm of the CDH based ring signature. Using (5), TPA verifies the users n. So, the total communication overhead during verification is + n where is hashing operation into .
The user can check the integrity of outsourced data or the performance of TPA during the AuditLog protocol. So total communication overhead during AuditLog is also . Table II shows the comparison of the P2DPDP scheme with the existing scheme. Fig. 3 shows the comparison between ORUTA, CORPA, and our P2DPDP scheme for communication overhead in KB with respect to group size.
We can't compare this cost with the ODPDP scheme since it doesn't support user groups. The comparison demonstrates the noticeable and constant performance of communication cost between CS and TPA during auditing in the P2DPDP scheme.

D. Experimental Results
This section demonstrates the performance of the P2DPDP system through different experiments. We deployed our P2DPDP scheme on a system comprising Windows 8.1 with an Intel Core i5-5200U CPU running at 2.20 GHz and 4.0 GB RAM. Python is used for module implementation of the P2DPDP scheme. The hash algorithm is instantiated using SHA256. Fig. 4 shows the impact of the number of users in a group on verification time during the AuditData protocol. It shows that verification time is independent of the number of users. By creating a group of 25 users, we have compared the results with the Oruta and CORPA schemes. We have not considered the ODPDP scheme for comparison since it doesn't support user groups. All results are the average of 5 runs. For 20 users in the P2DPDP scheme, the verification time is 0.15 seconds, while for Oruta and CORPA it is 2.24 and 1.75 seconds respectively. The result shows the effectiveness and lightness of our scheme because of the reduced and constant verification time at the auditor side during the AuditData protocol. Since our P2DPDP scheme is based on the ODPDP scheme, it is mandatory for us to compare results with this scheme. In both schemes, verification is performed during the AuditData and AuditLog protocols. Initially we compare the results of both schemes during AuditData, where TPA performs the audit based on the contract and generates log entries. Fig. 5 shows the proof generation and verification time in seconds with respect to challenged data blocks during the AuditData protocol.
To compare the results with the ODPDP scheme, in the P2DPDP scheme the block size is kept fixed, i.e., 16KB. Total outsourced data is 1GB. Fig. 5(a) shows the constant proof generation time in the P2DPDP scheme as compared to ODPDP. Fig. 5(b) shows the gradual increase in proof verification time as the number of challenged blocks increases in P2DPDP as compared to the ODPDP scheme. Fig. 6 shows the performance of P2DPDP during AuditLog. It presents the computation time and communication cost required by the user to verify the past work of TPA under the number of checked log entries. For experiments, we have analyzed the computation time of our scheme up to 100 log entries. As expected, computation time increases linearly with the number of checked log entries. But the computation time of the P2DPDP scheme is reduced as compared to the ODPDP scheme. Fig. 6 shows the communication cost during the AuditLog protocol. The result shows that the P2DPDP scheme gives better performance in terms of communication cost compared to ODPDP.

VI. CONCLUSION
In most of the previous auditing schemes, the cloud user and TPA are actively involved during the verification process, which may create an additional burden in terms of time and cost. This paper proposes the P2DPDP scheme for cloud storage, in which the user is not needed during the verification process. TPA generates challenges based on the contract signed between TPA and user. TPA also generates a log which can be audited by the user at his convenience. The P2DPDP scheme also creates a lightweight verification process, so as to reduce the computation burden of TPA, using a new cryptographic technique, Indistinguishability Obfuscation, and MAC. P2DPDP supports and manages user groups using the CDH based ring signature scheme. CDH based ring signature is an anonymous scheme which preserves the identity of users from TPA during auditing. The P2DPDP scheme supports dynamic updates in batch mode using the MLA solution proposed by the ODPDP scheme, which is based on RBMT.
Security analysis and experiments show that the P2DPDP scheme is secure, lightweight and privacy-preserving. Communication cost during auditing between CS and TPA is almost constant and reduced compared to Oruta and CORPA, since TPA just has to calculate a MAC and compare it with the MAC received from CS. Verification time is also reduced and constant compared to existing schemes. Experimental results reveal that verification time is independent of the number of group users. Results of the AuditLog protocol show that the P2DPDP scheme performs better in terms of communication time and cost as compared to the ODPDP scheme. CDH based ring signature generates certificates which need to be processed during verification, which leads to increased computation time. In terms of future work, we plan to modify the P2DPDP scheme using certificateless signature schemes to reduce computation time.