PAT: A precise reward scheme achieving anonymity and traceability for crowdcomputing in public clouds

Accepted Manuscript. Huaqun Wang, Debiao He, Yanfei Sun, Neeraj Kumar, Kim-Kwang Raymond Choo.
PII: S0167-739X(16)30735-X. DOI: http://dx.doi.org/10.1016/j.future.2016.12.005. Reference: FUTURE 3246.
To appear in: Future Generation Computer Systems.
Received date: 17 July 2016. Revised date: 28 October 2016. Accepted date: 4 December 2016.
Please cite this article as: H. Wang, D. He, Y. Sun, N. Kumar, K.-K.R. Choo, PAT: A precise reward scheme achieving anonymity and traceability for crowdcomputing in public clouds, Future Generation Computer Systems (2016), http://dx.doi.org/10.1016/j.future.2016.12.005

Huaqun Wang, School of Computer Science and Technology, Nanjing University of Posts and Telecommunications, Nanjing, China
Debiao He (corresponding author), State Key Lab of Software Engineering, Wuhan University, Wuhan, China
Yanfei Sun, Key Lab of Broadband Wireless Communication and Sensor Network Technology (NUPT), Nanjing, China
Neeraj Kumar, Department of Computer Science and Engineering, Thapar University, Patiala, India
Kim-Kwang Raymond Choo, Department of Information Systems and Cyber Security, The University of Texas at San Antonio, San Antonio, TX 78249, USA; School of Information Technology and Mathematical Sciences, University of South Australia, Adelaide, SA 5001, Australia; School of Computer Science, China University of Geosciences, Wuhan 430074, China

Preprint submitted to Journal of LaTeX Templates, December 8, 2016

Abstract

While providing anonymity at terminal devices (e.g. Android and iOS devices) is beneficial for users (e.g. consuming services and resources without the risk of being traced), relevant stakeholders (e.g. providers and governments) may require conditional anonymity for billing purposes or to locate dishonest or compromised client devices. In a cloud computing deployment where a large number of computation tasks are submitted to the public cloud, the public cloud server may hit a computation peak, so that responses to the terminal devices are delayed. In this paper we design the first precise reward scheme achieving both anonymity and traceability for crowdcomputing in public clouds. We then prove the security of the proposed scheme in the random oracle model, and demonstrate the practicality of the scheme using simulations.

Keywords: Cloud crowdcomputing, anonymous reward scheme, traceability for crowdcomputing
2010 MSC: 00-01, 99-00

1. Introduction

Cloud services are increasingly popular because of the benefits afforded by their utilization. However, there are a number of performance issues relating to cloud computing. For example, when a significant number of computation tasks are submitted to a public cloud server, the server can become a bottleneck and take longer to respond. By integrating crowdcomputing into cloud computing, we can obtain higher quality results at a faster speed. Specifically, in crowdcomputing, (intensive) data computing tasks can be outsourced to the cloud, and the cloud can in turn outsource data computation tasks to the crowd, enabling public cloud service providers to offer more efficient and more flexible services to users. When terminal devices participate in processing outsourced tasks, they can execute their tasks locally, or download their tasks from the cloud servers and execute them with their own data and computation resources.

A typical assumption in crowdsourcing is that terminal devices honestly perform the protocol. This is not practical: in a real-world deployment, it is likely that some terminal devices are compromised, malicious or misbehaving. Terminal devices are also owned by different entities (e.g. supermarkets and individual users). Thus, terminal devices may have no incentive to participate in crowdcomputing unless they are financially compensated. In other words, an incentive scheme under which the public cloud server rewards terminal devices (and their owners) for their services would encourage more terminal devices to participate. At the same time, protecting the identity of the terminal devices is crucial, as a device identity can be used to identify its actual owner; if terminal devices are anonymous and their services are financially compensated, more terminal devices are likely to participate in the crowdcomputing scheme. To prevent dishonest terminal devices (TDs) from misbehaving, the public cloud server also needs to provide traceability as a basic security function. For example, a dishonest TD may request to be financially compensated more than once for a single task. Therefore, traceability, privacy preservation and incentive are essential security properties in cloud crowdcomputing.

Given the popularity of cloud computing, there has been extensive research on cloud security and related technologies, such as virtualization, utility computing and service-oriented architecture [2, 3, 4]. To ensure security in cloud computing, many encryption schemes [41, 42, 43], public auditing schemes [44, 45] and authentication schemes [46, 47] have been proposed in the last several years. In 2013, for example, Ma et al. presented a generic secure outsourcing scheme, which allows users to outsource exponentiation operations to untrusted cloud servers in a secure way [5]. Carter et al. developed a generic technique to transform a two-party computation protocol into an outsourced two-party protocol [6]. Guillevic et al. [7] demonstrated how a device with limited computational capability can outsource its pairing computation to other devices (including potentially malicious devices) with more computing power.

Another popular research topic in recent years is crowdsourcing and crowdcomputing; see SETI@Home [8], Folding@Home [9], and the Mersenne prime search [10]. In 2012, for example, Rajshree et al. studied how to design a crowdsourcing service using their proposed high-level framework, with a driver's license issuing service as a case study [11]. More recently, in 2015, Smirnov et al. presented a general-purpose crowdcomputing framework architecture designed to compose crowdcomputing workflows of different complexities [12]. In 2014, Christoforou et al. studied a master-worker structure for machine-oriented computing tasks (e.g. SETI@home) or human intelligence tasks (e.g. Amazon's Mechanical Turk) [13]. In crowdcomputing, safety, security and dependability are three key notions (see [14]). In 2015, Ren et al. surveyed existing mobile crowdsourcing frameworks and applications, and presented challenges and countermeasures in mobile crowdsourcing [16].

We posit that an incentive mechanism can help to attract and recruit more terminal devices to provide on-demand computation services for requesters. This observation is also echoed in the work of Zhang et al. [17], who designed three online incentive mechanisms for mobile devices based on online reverse auctions. The topic will grow in importance with the trends in big data, cloud computing and crowdcomputing. Designing schemes that provide anonymity and preserve user privacy is therefore crucial [19, 20, 21]. Conditional (rather than unconditional) anonymity is equally important for crowdcomputing: insider threats are real, and we need to be able to trace dishonest insiders (i.e. traceability).

We observe that in e-cash systems traceability is highly desirable, since it can be used to detect and trace double-spenders. In 2013, Zeinalipour-Yazti et al. presented an efficient solution that allows one to compare a query trace against a crowd of traces generated and stored on distributed smartphones [22]. Thus, in this paper, we propose a concrete precise reward scheme achieving anonymity and traceability for crowdcomputing in public clouds (hereafter referred to as the PAT scheme). An individual TD is rewarded according to its (computational) contribution, and a dishonest TD can be traced should a complaint be lodged, while the identity of an honest TD is never revealed. To achieve the latter, the proposed scheme uses a random pseudonym technique.

1.1. Organization

The rest of the paper is structured as follows. Section 2 presents some cryptographic preliminaries (identity-based public key cryptography, bilinear pairings and restrictive partially blind signatures). Section 3 presents the system model and the formal security model for our PAT scheme. Section 4 details the concrete PAT scheme for crowdcomputing in public clouds. Section 5 analyzes the performance of the scheme, in terms of computation and communication costs, and presents the security analysis. Finally, we conclude the paper in Section 6.

2. Preliminaries

We now introduce the cryptographic techniques underlying the PAT scheme.

2.1. Identity-based cryptography and bilinear pairings

In public-key cryptography (PKC), a user can easily generate his/her public and private key pair, but it is computationally infeasible to obtain the private key from the public key without access to the relevant secret information. In identity-based cryptography (IBC), the user's identity is also the user's public key, so IBC eliminates the complex and expensive public key certificate management of a public key infrastructure (PKI). Since the introduction of bilinear pairings, many pairing-based IBC schemes have been designed. We briefly review bilinear pairings below.

Let $G_1$ be a cyclic additive group and $G_2$ a cyclic multiplicative group, both of the same prime order $q$. Let $P$ be a generator of $G_1$. Denote $\mathbb{Z}_q = \{0, 1, 2, \ldots, q-1\}$ and $\mathbb{Z}_q^* = \mathbb{Z}_q \setminus \{0\}$. A bilinear map $e : G_1 \times G_1 \to G_2$ satisfies the following properties:

1. Bilinearity: $\forall a, b \in \mathbb{Z}_q^*$, $e(aP, bP) = e(P, P)^{ab}$.
2. Non-degeneracy: $e(P, P) \neq 1_{G_2}$.
3. Computability: $\forall Q, R \in G_1$, there is an efficient algorithm to compute $e(Q, R)$.

Such a bilinear map $e$ can be constructed from the modified Weil [24] or Tate pairing [25] on supersingular elliptic curves. A group equipped with such a bilinear map $e$ is called a bilinear group; on it the Computational Diffie-Hellman (CDH) problem is assumed to be computationally hard while the Decisional Diffie-Hellman (DDH) problem is easy [15]. The two problems are defined below.

Definition 1 (CDH). Given $(P, aP, bP) \in G_1^3$ where $a, b$ are unknown, compute $abP$.

Definition 2 (DDH). Given $(P, aP, bP, Q) \in G_1^4$ where $a, b$ are unknown, decide whether $Q = abP$.

We pick a supersingular elliptic curve $E$ defined over a finite field on which the CDH problem is hard, while the DDH problem is easy using the bilinear pairing $e$ (given $(P, aP, bP, Q)$, check whether $e(aP, bP) = e(P, Q)$).

2.2. Digital signature

A digital signature scheme provides authenticity of data. It consists of three efficient algorithms, key generation, signing and verification, and a secure digital signature scheme must satisfy unforgeability.

Definition 3 (Signature). A signature scheme is a triple $(G, S, V)$ of probabilistic polynomial-time algorithms satisfying the following conditions:

1. On input $1^k$, $G$ (key generation) outputs a pair of bit strings $(s, v)$.
2. For every generated $(s, v)$ and every $\alpha \in \{0,1\}^*$, $S$ (signing) and $V$ (verification) satisfy $\Pr[V(v, \alpha, S(s, \alpha)) = 1] = 1$, where the probability is taken over the internal coin tosses of $S$ and $V$.

Definition 4 (Security) [18]. For a probabilistic oracle machine $M$, denote by $Q^O_M(x)$ the set of queries made by $M$ on input $x$ with access to oracle $O$, and by $M^O$ the output of $M$. A digital signature scheme is secure if for every positive polynomial $\mathrm{poly}$ and all sufficiently large $k$,
$$\Pr\left[ V_v(\alpha, \beta) = 1 \ \wedge\ \alpha \notin Q^{S_s}_M(v) \;:\; (s, v) \leftarrow G(1^k),\ (\alpha, \beta) \leftarrow M^{S_s}(v) \right] < \frac{1}{\mathrm{poly}(k)},$$
where the probability is taken over the coin tosses of $G$, $S$ and $V$ as well as those of $M$.

2.3. Restrictive partially blind signature (RPBS)

In 1982, Chaum introduced blind signatures [26], a form of digital signature in which the content of the signed message is blinded from the signer. Because the signer never sees the message content, blind signatures protect the message against its signer and have been widely adopted in privacy-related schemes, such as cryptographic elections and digital cash. Unfortunately, a plain blind signature does not by itself settle the double-spending problem that arises in electronic cash schemes. Brands proposed restrictive blind signatures in 1993 [27, 28]: a recipient obtains a blind signature on a message unknown to the signer, but the choice of message is restricted and must conform to certain rules. Partially blind signatures were introduced by Abe and Fujisaki [29]; here the signer and the recipient agree on some visible message content that both parties can see. In some environments, restrictiveness and partial blindness are both mandatory security properties. In 2002, Maitland et al. proposed the first restrictive partially blind signature (RPBS) scheme [30]. In 2007, Chen et al. first presented the notion of identity-based RPBS and designed a concrete scheme based on bilinear pairings [31]. Since then, many identity-based RPBS schemes have been proposed [32, 33, 34, 35]. With the rapid development of computer networks and communication techniques, new networks bring special security requirements, and RPBS schemes have been used in wireless mesh networks [36], the smart grid [37] and privacy-preserving loyalty programs [38]. In this paper, we build the PAT scheme on identity-based restrictive partially blind signatures as the cryptographic tool.

3. System model and security model

In this section, we give the system model and the security model for our PAT scheme.

3.1. System model

To obtain computation service from a large group of terminal devices (TDs) and to settle transactions with the public cloud server (PCS), the system model of the PAT scheme needs a trusted third party (TTP) and a bank. A private key generator (PKG) creates each entity's private key from the entity's identity. Once the system parameters have been generated, the entities obtain their private keys from the PKG. Through an interaction between TD and TTP, TD obtains a permit, which is the credential it uses to access PCS and provide computation service. Using the permit, TD accesses PCS and provides computation service to PCS; PCS sends rewards to TD for its service, and TD deposits the reward at the bank. When a dishonest TD deposits the same permit twice, its identity can be traced through an interaction between the bank and TTP. For an honest TD, anonymity holds.

The PAT scheme therefore involves five parties: PKG, TTP, PCS, TD and Bank. Their roles are as follows:

1. PKG holds a master secret key and issues private keys to the other entities.
2. TTP facilitates secure interactions between parties that trust it. In our PAT system, all entities trust TTP.
3. PCS is managed by the cloud service provider. When huge numbers of computation tasks are submitted to PCS, it reaches a computation peak and takes longer to respond to these requests. To solve this problem, PCS makes use of crowdcomputing.
4. TDs are low-cost computing and storage devices, such as desktop computers, laptops, tablets and smartphones. They provide computation service to PCS.
5. Bank stores TDs' rewards and pays money to TDs. In cooperation with TTP, the bank can trace a dishonest TD.

3.2. Security model

We first recall the definition of an interactive proof system, then give the precise definition of a PAT scheme, and finally the formal security definitions for PAT schemes.

Definition 5 (Interactive Proof System) [39]. Let $c, s : \mathbb{N} \to \mathbb{R}$ be functions satisfying $c(n) > s(n) + \frac{1}{p(n)}$ for some polynomial $p(\cdot)$, where $\mathbb{N}$ is the set of integers and $\mathbb{R}$ the real numbers. An interactive pair $(P, V)$ is an interactive proof system for the language $L$, with completeness bound $c(\cdot)$ and soundness bound $s(\cdot)$, if

1. Completeness: for every $x \in L$, $\Pr[\langle P, V \rangle(x) = 1] \geq c(|x|)$.
2. Soundness: for every $x \notin L$ and every interactive machine $B$, $\Pr[\langle B, V \rangle(x) = 1] \leq s(|x|)$.

The PAT scheme and its security games are defined in the interactive proof system model, in the same way as Definition 4.

Definition 6 (PAT Scheme). A PAT scheme is a collection of six polynomial-time phases (Setup, Extract, Registration, Provide service and gain reward, TD revocation, Traceability) among PKG, TD, TTP, PCS and Bank:

1. Setup: a probabilistic polynomial-time (PPT) algorithm that generates the system parameters together with the master secret key $s$ and the master public key $P_{pub}$ of PKG.
2. Extract: given an identity $ID$, PKG runs this algorithm to generate the corresponding private key $S_{ID}$ and sends $S_{ID}$ to the entity $ID$ over a secure channel.
3. Registration: an interactive protocol between TD and TTP through which TD obtains the credential (permit) that lets it access PCS and provide computation service.
4. Provide service and gain reward: an interactive protocol among TD, PCS and Bank. TD submits its permit to PCS and PCS verifies it. If verification succeeds, PCS accepts TD's computation service and pays TD the reward, which TD deposits at the bank.
5. TD revocation: TD can be revoked actively or passively. Once revoked, its computation service is no longer accepted by PCS.
6. Traceability: when a dishonest TD deposits the same permit more than once, its identity can be traced through an interaction among TD, Bank and TTP.

An applicable PAT scheme must be efficient and secure. A secure PAT scheme must satisfy the following security properties:

1. Restrictiveness: let $M$ be blindly signed by the signer. TD can unblind the signature into a signature on another message $M'$ only if $M'$ and $M$ stand in a prescribed relation.
2. Unforgeability: an adversary cannot pass itself off as the signer and sign any message.
3. Privacy preservation: for an honest TD, no adversary can identify its identity.
4. Traceability: for a dishonest TD, Bank and TTP can trace its identity by cooperating.
5. Effective revocation: the scheme provides a way for a TD to drop out of the computation service easily and efficiently.

Definition 7 (Restrictiveness). TD sends $M$ to TTP; TTP signs $M$ and returns the signature to TD. TD unblinds the blind signature on $M$ into a signature on the message $M'$. The protocol satisfies restrictiveness if there exists an integer $\alpha$ such that $M' = \alpha M$.

Definition 8 (Unforgeability). For any PPT adversary $A$, the permit is unforgeable if the probability that $A$ wins the following game is negligible. The game is an interactive protocol between the challenger $C$ and $A$:

1. Setup: $C$ initializes the system parameters $params$ and the system (master) secret/public key pair. It publishes $params$ and the system public key and keeps the system secret key confidential.
2. H-oracle: $A$ adaptively submits hash queries to $C$ and obtains the responses.
3. Extract-oracle: $A$ submits an identity $ID$ to $C$ and obtains the corresponding private key $S_{ID}$.
4. Forgery: $A$ outputs a valid permit on a new message $\bar{M}$ that differs from the message $M'$ signed by TTP and unblinded by TD.

$A$ wins the game if $\Pr[\mathrm{Verify}(permit, params) = \text{``success''}] \geq \frac{1}{p(k)}$, where $p(k)$ is a polynomial in the security parameter $k$.

Next, we define anonymity and traceability.

Definition 9 (Anonymity). The anonymity of an honest TD refers to the untraceability of the honest TD's computation service activities for PCS. An honest TD is anonymous if TTP, PCS and Bank cannot link TD's computation service activities to its real identity, even if they collude.

Definition 10 (Traceability). A dishonest TD, i.e. one that deposits the same permit at the bank more than once, is traceable if TTP and Bank can link the TD's computation service activities to its real identity.

Throughout this paper, we use the notations listed in Table 1.

Table 1: Notations and descriptions

Notation                 Description
TTP                      Trusted third party
TD                       Terminal device
PCS                      Public cloud server
PKG                      Private key generator
$G_1$, $G_2$             Two groups of the same prime order $q$
$e$                      Bilinear pairing $e : G_1 \times G_1 \to G_2$
$H_1$, $H_2$, $H_3$      Three cryptographic hash functions
(Sign, Vry)              A universal secure signature/verification algorithm pair
$S_{ID}$                 $ID$'s private key
$Q_{ID}$                 $Q_{ID} = H_1(ID)$
$(PS_{ID}, PQ_{ID})$     $ID$'s pseudonym private key / pseudonym public key pair

4. Design of PAT scheme for crowdsourcing computation in public clouds

To design a secure and efficient PAT scheme for crowdcomputing in public clouds, we make use of several cryptographic techniques: restrictive partially blind signatures, digital signatures, pseudonyms, etc. Our concrete PAT scheme comprises six phases: i) Setup; ii) Extract; iii) Registration; iv) Provide service and gain reward; v) TD revocation; and vi) Traceability. We first give the architecture of the PAT scheme and then the detailed scheme.

Figure 1: Architecture of our PAT scheme (entities PKG, TTP, PCS, TD and Bank; interactions 1. Extract, 2. Registration, 3. Provide service and gain reward, 4. Revocation, 5. Traceability)

Figure 1 depicts the architecture of our PAT scheme. There are five entities: TTP, PCS, TD, PKG and Bank. Once the system parameters have been created, the five entities interact as follows. (1) Using Extract, TTP, TD and PCS obtain their private keys from PKG, each entity's public key being its identity. (2) TD registers itself at TTP. (3) TD interacts with PCS: it provides computation service to PCS and receives rewards from PCS. (4) TD is revoked from the network. (5) TD deposits its reward at the bank, and the bank can also trace a dishonest TD.

The detailed phases are given below.

1. Setup: Let $P$ be a generator of $G_1$ and pick a random element $\bar{P} \in G_1$. PKG chooses $s \in \mathbb{Z}_q^*$, computes $P_{pub} = sP$, and keeps $s$ secret as the system's master secret key. Let $e : G_1 \times G_1 \to G_2$ be the bilinear pairing, where $G_1$ is a cyclic additive group and $G_2$ a cyclic multiplicative group of the same prime order $q$. Let (Sign, Vry) be a secure universal signature/verification algorithm pair. Three secure cryptographic hash functions are chosen:
$$H_1 : \{0,1\}^* \to G_1,\quad H_2 : \{0,1\}^* \to \mathbb{Z}_q^*,\quad H_3 : \{0,1\}^* \times G_1 \times G_2^4 \to \mathbb{Z}_q^*.$$
Finally, the system parameters $params$ are published as
$$params = \{G_1, G_2, e, q, P, \bar{P}, P_{pub}, H_1, H_2, H_3, (\mathrm{Sign}, \mathrm{Vry})\}.$$

2. Extract: The entity sends its identity $ID$ to PKG. Using the public parameters, PKG computes $Q_{ID} = H_1(ID)$ and $S_{ID} = sQ_{ID}$, and sends the private key $S_{ID}$ to the entity. Denote TD's identity by $ID_{TD}$, TTP's identity by $ID_T$ and PCS's identity by $ID_c$; their private keys by $S_{ID_{TD}}$, $S_{ID_T}$ and $S_{ID_c}$; and the hashed identities by $Q_{ID_{TD}} = H_1(ID_{TD})$, $Q_{ID_T} = H_1(ID_T)$ and $Q_{ID_c} = H_1(ID_c)$.

3. Registration: TTP computes and publishes
$$g = e(P, P),\quad g_1 = e(P, Q_{ID_T}),\quad g_2 = e(\bar{P}, Q_{ID_T}).$$
Let $inf$ denote the common information negotiated between TD and TTP (it carries, among other things, the expiration date used in the revocation phase). The registration phase is an interaction between TD and TTP:

(a) Blinded message: TD selects a random $u \in \mathbb{Z}_q^*$, computes $M = uP + \bar{P}$ and sends $M$ to TTP.

(b) Commitment: Upon receiving $M$, TTP selects a random $r \in \mathbb{Z}_q^*$ and computes
$$R = rP,\quad R_1 = rM,\quad R_2 = e(M, S_{ID_T}),\quad R_3 = rH_2(inf)Q_{ID_T},\quad R_4 = e(M, rS_{ID_T}),\quad \mathrm{Sign}_{S_{ID_T}}(inf).$$
TTP sends $\{R, R_1, R_2, R_3, R_4, \mathrm{Sign}_{S_{ID_T}}(inf)\}$ to TD.

(c) Blinding: Upon receiving $\{R, R_1, R_2, R_3, R_4, \mathrm{Sign}_{S_{ID_T}}(inf)\}$, TD selects $\alpha, a, b, \sigma_1, \sigma_2 \in \mathbb{Z}_q^*$ and computes
$$M' = \alpha M,\quad t_1 = e(aQ_{ID_T} + bR + bR_3, P_{pub}),\quad Y = e(Q_{ID_T}, P_{pub}),$$
$$U = R_2^{\alpha},\quad B = g_1^{\sigma_1} g_2^{\sigma_2},\quad t_2 = e(b\alpha R_1, P_{pub})\, R_4^{b\alpha H_2(inf)}\, U^{a},$$
$$c' = H_3(\mathrm{Sign}_{S_{ID_T}}(inf) \,\|\, M' \,\|\, B \,\|\, U \,\|\, t_2 \,\|\, t_1),\quad c = \frac{c' + a}{b} \bmod q.$$
TD sends $c$ to TTP.

(d) Signing: TTP computes $S = (c + rH_2(inf))S_{ID_T} + rP_{pub}$ and sends $S$ to TD.

(e) Unblinding: TD picks a random $\bar{u} \in \mathbb{Z}_q^*$ and computes
$$PQ_{ID_{TD}} = \bar{u}Q_{ID_{TD}},\quad PS_{ID_{TD}} = \bar{u}S_{ID_{TD}},\quad \Gamma = H_2(M')PS_{ID_{TD}},\quad S' = bS.$$
Finally, TD holds the permit on $M'$:
$$permit = \{ID_T, PQ_{ID_{TD}}, M', inf, B, \mathrm{Sign}_{S_{ID_T}}(inf), \Gamma, U, c', S'\}.$$

4. Provide service and gain reward: Before TD accesses PCS and provides computation service, it presents its permit to PCS. Upon receiving the permit, PCS verifies it as follows:

(a) PCS → TD: PCS computes $A = e(M', Q_{ID_T})$ and $d = H(A, B, Q_{ID_c})$, and sends $d$ to TD. (Which of the published hash functions plays the role of $H$ here is not specified; it must output an element of $\mathbb{Z}_q^*$.)

(b) PCS ← TD: TD computes $r_1 = du\alpha + \sigma_1$ and $r_2 = d\alpha + \sigma_2$ (mod $q$) and sends $r_1, r_2$ to PCS.

(c) PCS checks whether the following equations hold:
$$c' = H_3\big(\mathrm{Sign}_{S_{ID_T}}(inf) \,\|\, M' \,\|\, B \,\|\, U \,\|\, e(M', S')\,U^{-c'} \,\|\, e(S', P)\,e(Q_{ID_T}, P_{pub})^{-c'}\big),$$
$$g_1^{r_1} g_2^{r_2} = e(M', Q_{ID_T})^{d}\, B,\qquad e(\Gamma, P) = e(H_2(M')PQ_{ID_{TD}}, P_{pub}),$$
and verifies that $\mathrm{Vry}_{ID_T}(\mathrm{Sign}_{S_{ID_T}}(inf))$ is valid.

When the permit is successfully verified, PCS issues the service command $cmd_{serv}$ to TD. Anonymous service provision and reward then proceed as follows:

(a) TD ← PCS: PCS sends TD the message $\{PQ_{ID_{TD}}, ID_T, cmd_{serv}, reward_{serv}\}$, where $reward_{serv}$ denotes the reward value of the service.

(b) TD ↔ PCS: After many rounds of service, suppose TD has accumulated the total reward $\sum reward_{serv}$. Let the common information be $inf = \sum reward_{serv}$ and let $M_r = M'$ be the original message. TD interacts with PCS to generate the restrictive partially blind signature $permit'$ using the same method as in Registration (with PCS now in the role of the signer).

(c) TD → Bank: When TD wants to redeem the total reward $\sum reward_{serv}$ at the bank, it submits the identity of PCS and $permit'$ to the bank. The bank runs the verification algorithm and, if it succeeds, accepts and stores the reward $\sum reward_{serv}$.

5. TD revocation: We distinguish two cases.

(a) When TTP or PCS wants to revoke TD, TTP rejects TD's new requests. Further, once the expiration date carried in $inf$ has passed, TD's permit becomes invalid.

(b) When TD informs TTP that it wants to be revoked, TTP notifies PCS that all subsequent attempts to access PCS with TD's permit must be rejected. The same effect is obtained if TD simply does not access PCS until the expiration date.

6. Traceability: When a dishonest TD uses the same permit twice, the bank obtains two response pairs from TD for two different challenges $d \neq d'$:
$$r_1 = d(\alpha u) + \sigma_1,\quad r_2 = d\alpha + \sigma_2,\qquad r_1' = d'(\alpha u) + \sigma_1,\quad r_2' = d'\alpha + \sigma_2.$$
From the two pairs, the bank computes
$$u = \frac{r_1 - r_1'}{r_2 - r_2'} \bmod q,$$
since $r_1 - r_1' = (d - d')\alpha u$ and $r_2 - r_2' = (d - d')\alpha$. The bank sends $u$ to TTP. TTP computes $M = uP + \bar{P}$ and looks up the real identity $ID_{TD}$ that registered $M$ (TTP must therefore keep the pair $(M, ID_{TD})$ from the registration phase). TTP sends $ID_{TD}$ to the bank, and the dishonest TD is traced. Note that this requires $d \neq d'$: since $d = H(A, B, Q_{ID_c})$ depends only on values fixed by the permit, the verifier must fold per-deposit freshness (e.g. a nonce, or the depositing bank's identity and a timestamp) into the challenge hash; otherwise both deposits yield identical $(r_1, r_2)$ and the quotient is undefined.

5. Security analysis and performance analysis

An applicable PAT scheme must be secure and efficient. We analyze the security and performance of our proposed PAT scheme in this section.

5.1. Security analysis

Theorem 1 (Correctness). The generated permit passes verification, i.e. the permit is accepted by PCS, provided that TTP, TD and PCS are honest and follow the proposed PAT scheme.

Proof: From the permit generation and verification procedures we obtain, using $S = (c + rH_2(inf))S_{ID_T} + rP_{pub}$, $S' = bS$, $R_1 = rM$, $R_4 = e(M, rS_{ID_T})$, $U = R_2^{\alpha} = e(M, S_{ID_T})^{\alpha}$ and $cb - c' = a$,
$$
\begin{aligned}
e(M', S')\,U^{-c'} &= e(\alpha M, bS)\,U^{-c'} \\
&= e(M, (c + rH_2(inf))S_{ID_T} + rP_{pub})^{b\alpha}\,U^{-c'} \\
&= e(b\alpha rM, P_{pub})\, e(M, rS_{ID_T})^{b\alpha H_2(inf)}\, e(M, cS_{ID_T})^{b\alpha}\, U^{-c'} \\
&= e(b\alpha R_1, P_{pub})\, R_4^{b\alpha H_2(inf)}\, U^{cb - c'} \\
&= e(b\alpha R_1, P_{pub})\, R_4^{b\alpha H_2(inf)}\, U^{a} \\
&= t_2,
\end{aligned}
$$
and, using $S_{ID_T} = sQ_{ID_T}$ and $P_{pub} = sP$,
$$
\begin{aligned}
e(S', P)\, e(Q_{ID_T}, P_{pub})^{-c'} &= e(bS, P)\, e(-c'Q_{ID_T}, P_{pub}) \\
&= e(b(c + rH_2(inf))S_{ID_T} + brP_{pub} - c'S_{ID_T}, P) \\
&= e(b(c + rH_2(inf))Q_{ID_T} + brP - c'Q_{ID_T}, P_{pub}) \\
&= e(bR_3 + bR + aQ_{ID_T}, P_{pub}) \\
&= t_1 .
\end{aligned}
$$
Hence the first verification equation holds:
$$c' = H_3\big(\mathrm{Sign}_{S_{ID_T}}(inf) \,\|\, M' \,\|\, B \,\|\, U \,\|\, e(M', S')\,U^{-c'} \,\|\, e(S', P)\,e(Q_{ID_T}, P_{pub})^{-c'}\big).$$
For the second verification equation, with $g_1 = e(P, Q_{ID_T})$, $g_2 = e(\bar{P}, Q_{ID_T})$ and $B = g_1^{\sigma_1} g_2^{\sigma_2}$,
$$
\begin{aligned}
g_1^{r_1} g_2^{r_2} &= e(P, Q_{ID_T})^{du\alpha + \sigma_1}\, e(\bar{P}, Q_{ID_T})^{d\alpha + \sigma_2} \\
&= e(P, Q_{ID_T})^{du\alpha}\, e(\bar{P}, Q_{ID_T})^{d\alpha}\, e(P, Q_{ID_T})^{\sigma_1}\, e(\bar{P}, Q_{ID_T})^{\sigma_2} \\
&= e(\alpha(uP + \bar{P}), Q_{ID_T})^{d}\, B \\
&= e(M', Q_{ID_T})^{d}\, B,
\end{aligned}
$$
and for the third, with $PS_{ID_{TD}} = \bar{u}S_{ID_{TD}} = s\,PQ_{ID_{TD}}$,
$$e(\Gamma, P) = e(H_2(M')PS_{ID_{TD}}, P) = e(H_2(M')PQ_{ID_{TD}}, P_{pub}).$$
Therefore, the proposed scheme is correct.
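The second verification equation above is a Schnorr-style proof that TD knows the representation $(u\alpha, \alpha)$ of $A = e(M', Q_{ID_T})$ with respect to $(g_1, g_2)$, and the Traceability phase of Section 4 recovers $u$ from two such proofs on the same permit. The following is an added example, not code from the paper, that runs both the step-4 check and the step-6 extraction end to end. It swaps the pairing groups for a prime-order subgroup of $\mathbb{Z}_p^*$ with toy parameters $p = 2039$, $q = 1019$ (the algebra of $g_1^{r_1} g_2^{r_2} = A^d B$ and of $u = (r_1 - r_1')/(r_2 - r_2')$ is unchanged), adds a per-deposit nonce to the challenge hash as an assumption so that the two deposits get distinct $d$, and models TTP's registration record as a dictionary from $M$ to $ID_{TD}$.

```python
"""Proof-of-representation check and double-deposit tracing from the PAT scheme.

Added example, not code from the paper. It stands in for the paper's pairing
groups with a prime-order subgroup of Z_p^*: the pairing values
g1 = e(P, Q_IDT) and g2 = e(Pbar, Q_IDT) become two generators h1, h2 of the
subgroup, the registration point M = uP + Pbar becomes M = h1^u * h2, and
A = e(M', Q_IDT) with M' = alpha*M becomes A = M^alpha. The verification
equation g1^r1 * g2^r2 == A^d * B and the tracing formula
u = (r1 - r1') / (r2 - r2') mod q are the paper's, unchanged.
"""
import hashlib

# Toy parameters (assumption): p = 2q + 1 with q = 1019 prime, so the squares
# mod p form a subgroup of prime order q. Far too small for real use; any
# prime-order group with two generators of unknown relative discrete log works.
P_MOD = 2039
Q_ORDER = 1019
H1 = pow(2, 2, P_MOD)  # a non-trivial square, hence a generator of order q
H2 = pow(3, 2, P_MOD)  # second generator (in practice derive it by hashing)


def register(u):
    """TD's registration value M = h1^u * h2, the analogue of M = uP + Pbar."""
    return (pow(H1, u, P_MOD) * H2) % P_MOD


def permit_values(u, alpha, sigma1, sigma2):
    """The permit fixes A = M^alpha and the commitment B = h1^sigma1 * h2^sigma2."""
    a_val = pow(register(u), alpha, P_MOD)
    b_val = (pow(H1, sigma1, P_MOD) * pow(H2, sigma2, P_MOD)) % P_MOD
    return a_val, b_val


def challenge(a_val, b_val, verifier_id, nonce):
    """Verifier's challenge d in Z_q^*. The paper hashes only (A, B, Q_IDc);
    the nonce is an assumption added here so that two deposits of the same
    permit receive distinct challenges, which the tracing step requires."""
    data = f"{a_val}|{b_val}|{verifier_id}|{nonce}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q_ORDER - 1) + 1


def respond(d, u, alpha, sigma1, sigma2):
    """TD's answers r1 = d*u*alpha + sigma1 and r2 = d*alpha + sigma2 (mod q)."""
    return (d * u * alpha + sigma1) % Q_ORDER, (d * alpha + sigma2) % Q_ORDER


def verify(a_val, b_val, d, r1, r2):
    """PCS's (or the bank's) check h1^r1 * h2^r2 == A^d * B."""
    lhs = (pow(H1, r1, P_MOD) * pow(H2, r2, P_MOD)) % P_MOD
    rhs = (pow(a_val, d, P_MOD) * b_val) % P_MOD
    return lhs == rhs


def trace_u(first, second):
    """Bank's extraction of u from two accepted deposits of one permit, i.e. two
    (r1, r2) pairs answered to challenges d != d' with the same alpha, sigmas."""
    (r1, r2), (r1p, r2p) = first, second
    denom = (r2 - r2p) % Q_ORDER
    if denom == 0:
        raise ValueError("identical challenges: responses coincide, nothing to extract")
    return ((r1 - r1p) * pow(denom, -1, Q_ORDER)) % Q_ORDER


def ttp_lookup(u, registry):
    """TTP recomputes M from u and looks up who registered it. The registry is
    TTP's record of (M, ID_TD) pairs kept from Registration (an assumption)."""
    return registry.get(register(u))


def demo():
    """One honest deposit, then a second deposit of the same permit; returns
    the identity the bank and TTP recover from the two transcripts."""
    u, alpha, sigma1, sigma2 = 417, 88, 305, 912       # TD's secrets (constructed)
    registry = {register(u): "TD-0042"}                 # TTP's registration record
    a_val, b_val = permit_values(u, alpha, sigma1, sigma2)

    d1 = challenge(a_val, b_val, "PCS", nonce="deposit-1")
    resp1 = respond(d1, u, alpha, sigma1, sigma2)
    assert verify(a_val, b_val, d1, *resp1)              # first deposit accepted

    # Second deposit of the same permit: fresh nonce, so a different challenge.
    # In this toy group (q = 1019) a hash collision is not negligible, so retry.
    k, d2 = 2, d1
    while d2 == d1:
        d2 = challenge(a_val, b_val, "PCS", nonce=f"deposit-{k}")
        k += 1
    resp2 = respond(d2, u, alpha, sigma1, sigma2)
    assert verify(a_val, b_val, d2, *resp2)              # also accepted on its own

    return ttp_lookup(trace_u(resp1, resp2), registry)


if __name__ == "__main__":
    print(demo())
```

Each deposit verifies on its own, which is exactly why a single verifier cannot tell an honest deposit from a repeated one; only the bank holding both transcripts, with two distinct challenges, can divide the differences and recover $u$. If the challenge were computed from the permit alone, as written in step 4(a), `trace_u` would hit the zero denominator and tracing would fail.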



Theorem 2 (Restrictiveness). TD can only obtain a signature on the restricted message $M' = \alpha M$, where $\alpha \in \mathbb{Z}_q^*$. Thus, our PAT scheme satisfies restrictiveness.

Proof: The proof distinguishes two situations: (1) $M$ is a generator of $G_1$; (2) $M$ is not a generator of $G_1$. In the first situation it is trivial that $M' = \alpha M$ for some $\alpha$, since $M$ generates $G_1$. (As $G_1$ has prime order $q$, every element other than the identity generates $G_1$, so the first situation already covers every $M \neq O$.) We prove the second situation below.

Suppose that $M' = \beta M + P^*$ and assume, for contradiction, that the theorem does not hold, i.e. there is no $v \in \mathbb{Z}_q^*$ with $P^* = vM$. From the permit generation process,
$$
\begin{aligned}
t_2 &= e(b\alpha R_1, P_{pub})\, R_4^{b\alpha H_2(inf)}\, U^{a} \\
&= e(b\alpha rM, P_{pub})\, e(M, rS_{ID_T})^{b\alpha H_2(inf)}\, e(M, S_{ID_T})^{a\alpha} \\
&= e(M,\ b\alpha rP_{pub} + (a\alpha + b\alpha H_2(inf)\, r)S_{ID_T}).
\end{aligned}
$$
Since the permit passes verification,
$$t_2 = e(M', S')\,U^{-c'} = e(M', bS)\,R_2^{-c'\alpha} = e(M', bS)\, e(M, S_{ID_T})^{-c'\alpha}.$$
Thus
$$e(M,\ b\alpha rP_{pub} + (a\alpha + b\alpha H_2(inf)\, r)S_{ID_T}) = e(M', bS)\, e(M, S_{ID_T})^{-c'\alpha},$$
and, moving the last factor to the left-hand side and dividing all exponents by $b$ (recall $(a + c')/b = c$),
$$e(M', S) = e(M,\ \alpha rP_{pub} + (r\alpha H_2(inf) + \alpha c)S_{ID_T}) = e(M, \alpha S) = e(\alpha M, S),$$
i.e.
$$e(M', (c + rH_2(inf))S_{ID_T} + rP_{pub}) = e(\alpha M, (c + rH_2(inf))S_{ID_T} + rP_{pub}).$$
Hence $e(M' - \alpha M, S) = 1_{G_2}$. Writing $M' - \alpha M = xP$ and $S = yP$ with $y \neq 0$, this reads $e(P, P)^{xy} = 1_{G_2}$, and non-degeneracy together with the prime order $q$ forces $x = 0$, so $M' = \alpha M$. Therefore $M' = \beta M + P^* = \alpha M$, i.e. $P^* = (\alpha - \beta)M$. If $\alpha - \beta \neq 0$, this contradicts the assumption on $P^*$; otherwise $P^* = O$ and $M' = \alpha M$ holds directly. This proves the theorem.

Theorem 3 (Unforgeability). [18] If an adversary can forge a valid permit with probability ε within time bound t, then within time t′ ≤ 16Qt/ε and with probability ε′ ≥ 1/9, two forged permits can be produced with the same random tape and message. The challenger can then solve the CDH problem with probability ε′ ≥ 1/9 within time t′ + T_H + T_E. Under the difficulty assumption of the CDH problem, the proposed permit is unforgeable in the random oracle model. Here Q denotes the number of the adversary's hash queries, and T_H, T_E denote the time cost of a hash query and an extract query, respectively.

Proof: Suppose that an adversary A can (t, ε)-break our permit; then the challenger C can break the CDH problem by using A. Given the triple (P, P1 = aP, P2 = bP), C tries to compute abP. In order to break CDH, C interacts with A as follows:

1. Setup: C gives A the system parameters with the master public key Ppub = P1 = aP where the master secret key a is unknown to C.


2. H1-oracle: A submits the identity IDi to C. If IDi ≠ IDT, C picks a random θi ∈ Zq* and responds with the point θi P, i.e., H1(IDi) = θi P; otherwise, C returns P2 = bP, i.e., H1(IDT) = P2. C keeps a list Tab1 which stores the triples (IDi, θi, θi P) and the special triple (IDT, *, P2).

3. H2, H3-oracle: the two hash functions H2, H3 are treated as usual cryptographic hash functions. When A queries them, the corresponding hash value is returned.

4. Extract-oracle: A submits the identity IDi to C. If IDi ≠ IDT and IDi has been submitted to the H1-oracle, C looks up Tab1 and gets θi; C calculates S_IDi = θi P1 and returns S_IDi to A. If IDi ≠ IDT and IDi has never been submitted to the H1-oracle, C submits IDi to the H1-oracle, gets θi, calculates S_IDi = θi P1 and returns S_IDi to A. Otherwise, C rejects and fails.

5. A outputs the forged signature S of c which corresponds to the message m.

According to the forking lemma [40], we rerun the previous four steps with a different H3. A produces another forged signature Ŝ corresponding to the same message m and the same randomness. Since S and Ŝ are both valid, C obtains

$$S = (c + rH_2(inf))\, S_{ID_T} + r P_{pub} \qquad (1)$$

$$\hat{S} = (\hat{c} + rH_2(inf))\, S_{ID_T} + r P_{pub} \qquad (2)$$

Subtracting equation (2) from equation (1), the following formula holds:

$$S - \hat{S} = (c - \hat{c})\, S_{ID_T}, \qquad S_{ID_T} = (c - \hat{c})^{-1}(S - \hat{S}).$$

Since S_{ID_T} = a·H1(IDT) = a·P2 = abP, we thus get

$$abP = (c - \hat{c})^{-1}(S - \hat{S}),$$

and the CDH problem is broken. Based on the difficulty of CDH, c is unforgeable; further, permit is unforgeable.

We take H3 as the random oracle. Suppose that A has submitted Q queries to C. According to the forking lemma [40], with the same random tape and with probability ε′ ≥ 1/9 within the time bound t′ ≤ 16Qt/ε, A can obtain two different signatures S and S′. In the above interaction game, denote the hash-function time overhead as T_H and the Extract time overhead as T_E. Thus, C can solve the CDH problem with probability ε′ ≥ 1/9 within time t′ + T_H + T_E.
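The extraction step of this reduction, equations (1) and (2), only needs scalar arithmetic in G1, so it can be exercised without pairings. The following is an added example, not code from the paper: it assumes secp256k1 as a stand-in prime-order group and constructed toy values for a, b, r, c and ĉ, and shows the challenger recovering abP from two forks that share r and m but differ in the hash output.

```python
# Added example (not from the paper): the key-extraction step of the Theorem 3
# reduction, carried out on secp256k1 as a stand-in prime-order group G1.
# Assumption: only scalar arithmetic in G1 is needed for this step, so the
# pairing-based verification of permit is not modelled here.
# Requires Python 3.8+ for pow(x, -1, m).

# secp256k1 domain parameters (field prime, group order, base point).
P_MOD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# The point at infinity is represented as None.


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over F_P_MOD."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_neg(A):
    return None if A is None else (A[0], (-A[1]) % P_MOD)


def ec_mul(k, A):
    """Double-and-add scalar multiplication; k is reduced mod the group order."""
    k %= Q
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def sign_permit(c, r, s_id, p_pub, h2_inf):
    """Equation (1) of the paper: S = (c + r*H2(inf)) S_IDT + r P_pub."""
    return ec_add(ec_mul((c + r * h2_inf) % Q, s_id), ec_mul(r, p_pub))


def extract_key(S, S_hat, c, c_hat):
    """Equations (1)-(2): S - S_hat = (c - c_hat) S_IDT, hence
    S_IDT = (c - c_hat)^{-1} (S - S_hat). Needs c != c_hat and a shared r."""
    inv = pow((c - c_hat) % Q, -1, Q)
    return ec_mul(inv, ec_add(S, ec_neg(S_hat)))


def run_reduction():
    """Simulate the challenger: given P, P1 = aP, P2 = bP, recover abP from two
    forks of the adversary that share r and m but differ in c. Returns
    (recovered point, true abP); the reduction succeeded iff they are equal."""
    # Constructed CDH instance and adversary randomness (toy values, not secure).
    a, b = 0x1F3D5B79, 0x2468ACE0
    P1, P2 = ec_mul(a, G), ec_mul(b, G)            # P_pub = aP, H1(ID_T) = bP
    s_id_t = ec_mul(a, P2)                          # S_IDT = a*H1(ID_T) = abP
    r, h2_inf, c, c_hat = 0x1234567, 0x9ABCDEF, 0x13579BDF, 0x2468ACE1
    S = sign_permit(c, r, s_id_t, P1, h2_inf)       # first fork, H3 output c
    S_hat = sign_permit(c_hat, r, s_id_t, P1, h2_inf)  # second fork, H3 -> c_hat
    return extract_key(S, S_hat, c, c_hat), ec_mul(a * b, G)


if __name__ == "__main__":
    recovered, abP = run_reduction()
    print("CDH instance solved:", recovered == abP)
```

The same arithmetic shows why the signer's randomness r must be fresh per permit: two signatures sharing r with different c leak S_IDT to anyone holding both.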



Traceability: From the Traceability phase of the PAT scheme, a dishonest TD can be traced through the cooperation of the bank and TTP. Thus, our scheme satisfies the property of traceability.

Anonymity: In order to provide the service to PCS, TD sends permit = {IDT, PQ_{ID_TD}, M′, inf, B, Γ, U, c′, S′} to PCS. In permit, PQ_{ID_TD} = ū·Q_{ID_TD}, where ū is randomly picked from Zq*. Thus, an honest TD remains anonymous to PCS, the bank and TTP. On the other hand, others cannot pass themselves off as the real TD by intercepting and capturing permit: using the short signature scheme [1], TD creates the signature Σ with the pseudonym private key PS_{ID_TD}. Thus, our concrete PAT scheme realizes the anonymity of TD and resists counterfeiting of permit.

5.2. Performance comparison

Our PAT scheme's performance is analyzed in terms of computation cost and communication cost. In our scheme, bilinear pairing, scalar multiplication and point addition consume more time than the other operations, so only these three operations are considered in the performance comparison. Denote the time cost of a bilinear pairing as C_par, of a scalar multiplication as C_mul and of a point addition as C_add.

5.2.1. Computation cost

In the phases Setup and Extract, the system parameters and each entity's public/private key pair are generated once for all, so we do not consider the computation cost of these two phases. In the phase Registration, TTP performs 5 bilinear pairings, of which 3 (i.e., g, g1, g2) can be done once for all, 6 scalar multiplications and 1 point addition; TD performs 3 bilinear pairings, 10 scalar multiplications and 3 point additions. In the phase Provide service and gain reward, PCS performs 7 bilinear pairings and 1 scalar multiplication; through the interaction between TD and PCS, another permit′ is generated, and the bank performs 7 bilinear pairings and 1 scalar multiplication.

In order to evaluate the computation cost of our PAT scheme, we implement it and plot the computation cost. The implementation uses the C programming language with the GMP (GMP-5.0.5), Miracl and PBC (pbc-0.5.13) libraries. In the implementation, TTP and PCS run on the following laptop:

• CPU: Intel Core i7-3517U @ 1.90GHz
• Physical Memory: 4GB DDR3 1600MHz
• OS: Ubuntu 13.04 Linux 3.8.0-19-generic SMP i686

TD runs on the following laptop:

• CPU: PDC E6700 3.2GHz
• Physical Memory: DDR3 2G

• OS: Ubuntu 11.10 over VMware-workstation-full-8.0.0

In the PAT scheme, an elliptic curve and hash functions are selected as follows: i) an elliptic curve with 160-bit group order, where the coordinates of a point lie in a field of 512-bit size; ii) H1 is the hash function provided by the PBC (pbc-0.5.13) library; and iii) H2, H3 are instantiated with SHA-1 and MD-5, respectively.

Figure 2 depicts the computation cost in the phase Registration, where the number of generated permits is represented on the X-axis, and the time cost of TTP and of TD to generate n different permits is represented on the Y-axis. Figure 3 depicts the computation cost of PCS for permit verification, where the number of verified permits is represented on the X-axis, and the computing time of PCS to verify n different permits is represented on the Y-axis. From the two figures, our PAT scheme is efficient and applicable.

[Figure 2: TTP and TD's computing time (s) in Registration]

[Figure 3: PCS's computing time (s) in Verifying permit]

5.3. Communication analysis

In the registration, in order to generate a permit, TD sends M and c to TTP. The total size is |M| + |c| = 2 ∗ 512 + 160 = 1184 bits. TTP sends R, R1, R2, R3, R4, S, Sign_{S_{ID_T}}(inf) to TD. The total size is |R| + |R1| + |R2| + |R3| + |R4| + |S| + |Sign_{S_{ID_T}}(inf)| = 6 ∗ 2 ∗ 512 + |Sign_{S_{ID_T}}(inf)| = 6144 + |Sign_{S_{ID_T}}(inf)| bits. In the phase Provide service and gain reward, to verify the permit, TD sends permit to PCS. The size of permit is |permit| = |IDT| + |PQ_{ID_TD}| + |M′| + |inf| + |B| + |Sign_{S_{ID_T}}(inf)| + |Γ| + |U| + |c′| + |S′| = 6 ∗ 1024 + 160 + 512 + |inf| + |B| + |Sign_{S_{ID_T}}(inf)| = 6816 + |inf| + |B| + |Sign_{S_{ID_T}}(inf)| bits. Thus, the communication cost is acceptable in the application.

6. Conclusion

Crowdcomputing in the cloud (or cloud crowdcomputing) is likely to be a trend in the foreseeable future. However, recruiting and trusting terminal devices to perform the crowdcomputing tasks is challenging. For example, how could we ensure that no dishonest terminal device can double-claim or multiple-claim one contribution for a specific task? This is a challenge similar to e-cash, where we have to ensure that no e-cash is double-spent.

Therefore, in this paper, we proposed the novel concept of a traceable privacy-preserving incentive scheme for crowdcomputing in public clouds. We then presented the first precise reward scheme, based on bilinear pairings. The scheme offers both anonymity and traceability for crowdcomputing in public clouds. We proved the security of the scheme, and demonstrated the utility of the proposed scheme using simulations. Future work includes evaluating the scheme in a real-world deployment, such as a closed university environment. This would allow us to identify areas that need refinement or simplification in order to further enhance its efficiency for a real-world deployment.


7. Acknowledgements

We would like to thank the anonymous editors and reviewers for their invaluable comments and suggestions, which have improved the completeness and readability of this paper. The work of H. Wang was supported by the National Natural Science Foundation of China (No. 61272522). The work of D. He was supported by the National Natural Science Foundation of China (Nos. 61501333, 61572379) and the Natural Science Foundation of Hubei Province of China (No. 2015CFB257).

8. References

[1] Boneh D., Lynn B., Shacham H., "Short signatures from the Weil pairing", Journal of Cryptology, 17(4), 2004, pp. 297-319.
[2] Armbrust M., Fox A., Griffith R., Joseph A., Katz R., Konwinski A., Lee G., Patterson D., Rabkin A., Stoica I., Zaharia M., "Above the clouds: a Berkeley view of cloud computing", Berkeley University, 2009.
[3] Assuncao M.D., Costanzo A., Buyya R., "A cost-benefit analysis of using cloud computing to extend the capacity of clusters", Cluster Computing, 13(3), 2010, pp. 335-347.
[4] Chapman C., Emmerich W., Marquez F.G., Clayman S., Galis A., "Software architecture definition for on-demand cloud provisioning", Cluster Computing, 15(2), 2012, pp. 79-100.
[5] Ma X., Li J., Zhang F., "Outsourcing computation of modular exponentiations in cloud computing", Cluster Computing, 16(4), 2013, pp. 787-796.
[6] Carter H., Mood B., Traynor P., Butler K., "Outsourcing secure two-party computation as a black box", Cryptology and Network Security, LNCS 9476, 2015, pp. 214-222.
[7] Guillevic A., Vergnaud D., "Algorithms for outsourcing pairing computation", LNCS 8968, 2015, pp. 193-211.
[8] Anderson D.P., Cobb J., Korpela E., Lebofsky M., Werthimer D., "SETI@home: An experiment in public-resource computing", Communications of the ACM, 45(11), 2002, pp. 56-61.
[9] Folding@home, https://en.wikipedia.org/wiki/Folding@home
[10] The Great Internet Mersenne Prime Search, http://www.mersenne.org/
[11] Rajshree N., Sengupta B., Desai N., "Crowd-sourcing service designs: overview and research challenges", Service-Oriented Computing - ICSOC 2012 Workshops, LNCS 7759, 2013, pp. 203-214.
[12] Smirnov A., Ponomarev A., "Crowd computing framework for geoinformation tasks", Information Fusion and Geographic Information Systems (IF & GIS'2015), LNCS 8968, 2015, pp. 109-123.
[13] Christoforou E., Fernandez A., Chryssis G., Mosteiro M.A., Sanchez A., "Reputation-based mechanisms for reliable crowdsourcing computation", http://eprints.networks.imdea.org/861/1/TR-IMDEANetworks-2014-2.pdf.
[14] Turski W.M., "Safety, security and dependability in crowd computing", LNCS 6875, 2011, pp. 498-503.
[15] Boneh D., Lynn B., Shacham H., "Short signatures from the Weil pairing", ASIACRYPT 2001, LNCS 2248, 2001, pp. 514-532.
[16] Ren J., Zhang Y., Zhang K., Zhang K., Shen X., "Exploiting mobile crowdsourcing for pervasive cloud services: challenges and solutions", IEEE Communications Magazine, 53(3), 2015, pp. 98-105.
[17] Zhang X., Yang Z., Zhou Z., Cai H., Chen L., Li X., "Free market of crowdsourcing: Incentive mechanism design for mobile sensing", IEEE Transactions on Parallel and Distributed Systems, 25(12), 2014, pp. 3190-3200.
[18] Goldreich O., "Foundations of cryptography: volume 2, basic applications", Cambridge University Press, 2009.
[19] Raya M., Hubaux J.P., "Securing vehicular ad hoc networks", J. Computer Security, 15(1), 2007, pp. 39-68.
[20] Brands S., "Untraceable off-line cash in wallets with observers", Proc. CRYPTO'93, 1993, pp. 302-318.
[21] Wei K., Chen Y.R., Smith A.J., Vo B., "Whopay: a scalable and anonymous payment system for peer-to-peer environments", ICDCS 2006, 2006, pp. 13-13.
[22] Zeinalipour-Yazti D., Laoudias C., Costa C., Vlachos M., Andreou M.I., Gunopulos D., "Crowdsourced trace similarity with smartphones", IEEE Transactions on Knowledge and Data Engineering, 25(6), 2013, pp. 1240-1253.
[23] Liu Z., Cao Z., Wong D., "Traceable CP-ABE: how to trace decryption devices found in the wild", IEEE Transactions on Information Forensics and Security, 10(1), 2015, pp. 55-68.
[24] Boneh D., Franklin M., "Identity-based encryption from the Weil pairing", CRYPTO 2001, LNCS 2139, 2001, pp. 213-229.
[25] Miyaji A., Nakabayashi M., Takano S., "New explicit conditions of elliptic curve traces for FR-reduction", IEICE Transactions Fundamentals, 5, 2001, pp. 1234-1243.
[26] Chaum D., "Blind signatures for untraceable payments", Eurocrypt'82, 1982, pp. 199-203.
[27] Brands S., "Untraceable off-line cash in wallet with observers", Crypto 1993, LNCS 773, 1993, pp. 302-318.
[28] Brands S., "An efficient off-line electronic cash system based on the representation problem", NASA STI/Recon Technical Report N, 94(93), 1993, pp. 63-67.
[29] Abe M., Fujisaki E., "How to date blind signatures", Asiacrypt 1996, LNCS 1163, 1996, pp. 244-251.
[30] Maitland G., Boyd C., "A provably secure restrictive partially blind signature scheme", PKC 2002, LNCS 2274, 2002, pp. 99-114.
[31] Chen X., Zhang F., Liu S., "ID-based restrictive partially blind signatures and applications", J. Syst. Softw., 80(2), 2007, pp. 164-171.
[32] Xu G., "A new restrictive partially blind signature with designated verifier", ICCSIT 2008, 2008, pp. 123-126.
[33] Hu X., Huang S., "An efficient ID-based restrictive partially blind signature scheme", SNPD 2007, 2007, pp. 205-209.
[34] Wang S., Han P., Zhang Y., Wang X., "An improved ID-based restrictive partially blind signature scheme", SNPD 2007, 2007, pp. 295-300.
[35] Wang C., Lu R., "A certificateless restrictive partially blind signature scheme", IIH-MSP 2008, 2008, pp. 279-282.
[36] Sun J., Zhang C., Zhang Y., Fang Y., "SAT: A security architecture achieving anonymity and traceability in wireless mesh networks", IEEE Transactions on Dependable and Secure Computing, 8(2), 2011, pp. 295-307.
[37] Yang Z., Yu S., Lou W., Liu C., "P2: Privacy-preserving communication and precise reward architecture for V2G networks in smart grid", IEEE Trans. Smart Grid, 2(4), 2011, pp. 697-706.
[38] Blanco-Justicia A., Domingo-Ferrer J., "Privacy-preserving loyalty programs", DPM/SETOP/QASA 2014, 2014, pp. 133-146.
[39] Goldreich O., "Foundations of Cryptography: Basic Tools", Publishing House of Electronics Industry, Beijing, 2003, pp. 194-195.
[40] Pointcheval D., Stern J., "Security arguments for digital signatures and blind signatures", Journal of Cryptology, 13(3), 2000, pp. 361-396.
[41] Fu Z., Sun X., Liu Q., Zhou L., Shu J., "Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing", IEICE Transactions on Communications, 98(1), 2015, pp. 190-200.
[42] Xia Z., Wang X., Sun X., Wang Q., "A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data", IEEE Transactions on Parallel and Distributed Systems, 27(2), 2016, pp. 340-352.
[43] Fu Z., Ren K., Shu J., Sun X., Huang F., "Enabling personalized search over encrypted outsourced data with efficiency improvement", IEEE Transactions on Parallel and Distributed Systems, 27(9), 2016, pp. 2546-2559.
[44] Ren Y., Shen J., Wang J., Han J., Lee S., "Mutual verifiable provable data auditing in public cloud storage", Journal of Internet Technology, 16(2), 2015, pp. 317-323.
[45] He D., Zeadally S., Wu L., "Certificateless public auditing scheme for cloud-assisted wireless body area networks", IEEE Systems Journal, doi:10.1109/JSYST.2015.2428620, 2015.
[46] Guo P., Wang J., Geng X., Kim C., Kim J., "A variable threshold-value authentication architecture for wireless mesh networks", Journal of Internet Technology, 15(6), 2014, pp. 929-935.
[47] Shen J., Tan H., Wang J., Wang J., Lee S., "A novel routing protocol providing good transmission reliability in underwater sensor networks", Journal of Internet Technology, 16(1), 2015, pp. 171-178.

Huaqun Wang received the BS degree in mathematics education from the Shandong Normal University and the MS degree in applied mathematics from the East China Normal University, both in China, in 1997 and 2000, respectively. He received the Ph.D. degree in information security from Nanjing University of Posts and Telecommunications in 2006. He is currently a professor of Nanjing University of Posts and Telecommunications, China. His research interests include applied cryptography, network security, and cloud computing security.

Debiao He received his Ph.D. degree in applied mathematics from School of Mathematics and Statistics, Wuhan University in 2009. He is currently an Associate Professor of the State Key Lab of Software Engineering, Computer School, Wuhan University. His main research interests include cryptography and information security, in particular, cryptographic protocols.

Yanfei Sun received the Ph.D. degree in information network from the Nanjing University of Posts and Telecommunications, Nanjing, China, in 2006. He has been a Professor with the Jiangsu High Technology Research Key Laboratory for Wireless Sensor Network, Nanjing University of Posts and Telecommunications, since 2006. His main research interests are in the areas of intelligent optimization, network management, machine learning, and future networks.

Neeraj Kumar received his Ph.D. in CSE from Shri Mata Vaishno Devi University, Katra, India. He is now an Associate Professor in the Department of Computer Science and Engineering, Thapar University, Patiala, Punjab (India). He is a member of IEEE. His research is focused on mobile computing, parallel/distributed computing, multi-agent systems, service oriented computing, routing and security issues in mobile ad hoc, sensor and mesh networks. He has more than 100 technical research papers in leading journals such as IEEE TII, IEEE TIE, IEEE TDSC, IEEE ITS, IEEE TWPS, IEEE SJ, IEEE ComMag, IEEE WCMag, IEEE NetMag and in conferences. His research is supported by DST, TCS and UGC. He has guided many students leading to M.E. and Ph.D.

Kim-Kwang Raymond Choo received his Ph.D. in Information Security in 2006 from Queensland University of Technology, Australia. He currently holds the Cloud Technology Endowed Professorship at The University of Texas at San Antonio, and is an Associate Professor at University of South Australia, and a Guest Professor at China University of Geosciences, Wuhan. He is the recipient of various awards including ESORICS 2015 Best Paper Award, Winning Team of the Germany's University of Erlangen-Nuremberg (FAU) Digital Forensics Research Challenge 2015, 2014 Highly Commended Award by the Australia New Zealand Policing Advisory Agency, Fulbright Scholarship in 2009, 2008 Australia Day Achievement Medallion, and British Computer Society's Wilkes Award in 2008. He is a Fellow of the Australian Computer Society.



HIGHLIGHTS

1. We propose the precise reward model achieving anonymity and traceability for crowdcomputing in public clouds.
2. We construct the first precise reward scheme achieving anonymity and traceability for crowdcomputing in public clouds.
3. We show that our proposed concrete scheme is provably secure. It satisfies the security properties: unforgeability, anonymity, and traceability.
4. Detailed performance analysis and experimental results are given.