An improved cloud data auditing scheme with enhanced security based on trusted execution environment-based multi-replica data audit

Abstract

With the widespread adoption of cloud computing, cloud storage technology has developed rapidly, but issues of data security and privacy protection have also become prominent. As a key means to ensure the security of cloud storage data, cloud auditing technology strengthens the data security defense for users by verifying data integrity and availability. In recent years, advancements in trusted execution environment (TEE) technology have brought higher security guarantees to cloud auditing. However, existing TEE-based multi-replica data auditing schemes, such as TEEMRDA (trusted execution environment-based multi-replica data audit), still have security vulnerabilities when facing specific attacks. This paper deeply analyzes the security risks of the TEEMRDA scheme, proposes an improved cloud data auditing scheme, comprehensively evaluating them from dimensions such as security and performance. The results show that the improved scheme performs excellently in resisting specific attacks and has significant advantages in performance. The scheme proposed by Hui Tian et al. (2025) exhibits potential security vulnerabilities under specific attack scenarios. The improved scheme can overcome the security problems and can be applied to unmanned aerial vehicles.

Keywords

TEEMRDA security enhancement cloud data auditing

1 Introduction

The rapid development of information technology has made cloud computing an extremely efficient and flexible computing model, profoundly reshaping the modern information technology architecture. By virtue of its ability to allocate computing resources and storage services on demand, cloud computing has significantly reduced IT costs for organizations and individuals, while effectively improving resource utilization and system scalability. However, the widespread adoption of cloud computing has also given rise to numerous security challenges, particularly in the field of cloud storage, where risks such as data leakage, tampering, and loss persist.

The security of cloud storage has long been a key research focus in academia. In the cloud storage model, users store data on remote servers, transferring control and management rights to cloud storage provider (CSPs). While this model offers convenience, it has sparked concerns among users regarding data security and privacy protection. To ensure cloud storage security, researchers have proposed various security mechanisms and technologies, with cloud auditing technology emerging as a critical and highly regarded approach. Traditional cloud auditing methods overly rely on the credibility of CSPs, which to some extent undermines the independence and effectiveness of audits. With the development of trusted execution environment (TEE) technology, TEE-based cloud auditing schemes have gradually become a research hotspot. The secure execution environment provided by TEE can effectively isolate malicious software and attackers, enhancing the security of cloud auditing.

In cloud storage environments, data is often stored in multiple copies across different physical nodes to enhance data reliability and availability. Multi-replica data auditing achieves data redundancy and fault tolerance by generating multiple data copies and distributing them across storage nodes, thereby reducing risks of data corruption, leakage, or tampering. However, existing multi-replica data auditing schemes still exhibit security shortcomings. Although the TEEMRDA (trusted execution environment-based multi-replica data audit) scheme employs TEE technology, it lacks sufficient protection against specific attacks. Furthermore, the widespread application of unmanned aerial vehicle (UAV) technology has introduced new security challenges to cloud-edge UAV systems. Ensuring the security of data storage and transmission during data interaction between UAVs and the cloud is of paramount importance. Therefore, researching cloud storage data auditing mechanisms suitable for cloud-edge UAV systems holds significant practical value.

This paper aims to deeply explore the security vulnerabilities of the TEEMRDA scheme and propose an improved cloud storage data auditing mechanism to strengthen data security in cloud storage. The article first reviews relevant research on cloud storage security, cloud auditing, and multi-replica data auditing. It then provides a detailed analysis of the principles and security issues of the TEEMRDA scheme, followed by the proposal of an improved scheme. Finally, a comprehensive analysis and evaluation of the security and performance of the improved scheme are conducted.

2 Related work

Cloud auditing technology is a critical means to ensure the integrity and privacy of cloud storage data. Early cloud auditing schemes primarily relied on the credibility of CSPs, but the independence and effectiveness of audits were difficult to guarantee under this model. To overcome this limitation, researchers have proposed various improved schemes, mainly focusing on cryptography-based auditing schemes, blockchain-based auditing schemes, optimized audit processes, and auditing schemes in multi-tenant environments.

In the field of cryptography-based technologies, the provable data possession (PDP) scheme proposed by Ateniese et al. enables users to verify data integrity without downloading data. However, this scheme incurs high computational costs when handling large-scale data and struggles to support dynamic data updates. To address these issues, Wang et al.¹ proposed the first public auditing scheme supporting privacy protection. By integrating public key homomorphic authenticators with random masking techniques, this scheme allows third-party auditors (TPAs) to verify the integrity of cloud-stored data without disclosing user data privacy. It also achieves batch auditing for multiple users through bilinear aggregation signatures. Nevertheless, the scheme still has certain security vulnerabilities when facing collusion attacks between malicious CSPs and TPAs. Literature² explores identity-based user revocation mechanisms and privacy protection schemes for cloud storage. It uses indistinguishability obfuscation (IO) technology to achieve lightweight data possession proof, reduces computational overhead through random sampling authenticators, and proposes a Compact Proofs of Retrievability scheme based on pseudorandom function (PRF) and boneh-lynn-shacham (BLS) signatures to optimize storage costs. However, IO technology remains immature, making practical deployment challenging, and its security relies on idealized cryptographic assumptions.

Due to its decentralized and tamper-proof characteristics, blockchain technology has gradually become a research hotspot in cloud auditing. Wang et al.³ note that blockchain technology is increasingly applied in cloud storage and fog computing, particularly in data possession proof and dynamic auditing, enhancing data security and transparency through distributed ledger technology. Literature⁴ discusses the application of blockchain and fog computing in cloud data integrity auditing, combining the decentralization of blockchain with the efficiency of fog computing to provide a new solution for data integrity auditing. However, blockchain storage evidence introduces additional overhead, and smart contract execution delays may affect real-time performance in high-concurrency scenarios. Literature⁵ proposes a cloud storage auditing scheme combining blockchain and smart contract technology, achieving fair payment and data privacy protection with high computational efficiency, though its security relies on the mathematical assumptions of elliptic curves.

Some studies focus on optimizing audit processes to reduce computational and communication overheads. Li et al.⁶ first applied dynamic hash tables (DHT) to cloud auditing, combining BLS signatures and bilinear mappings to address the efficiency issues of traditional batch auditing schemes. However, DHT may face hash collision risks for ultra-large-scale data, and BLS signatures have high requirements for bilinear group operations, which may be unsuitable for extremely resource-constrained devices. Yang and Jia⁷ proposed an efficient and privacy-preserving dynamic auditing protocol, using DHT to record data changes, supporting dynamic data operations, and reducing auditors’ computational costs. However, its privacy protection mechanism is weak, and the problem of potential metadata leakage by TPAs remains unsolved. Literature⁸ presents a multi-replica public auditing scheme based on Merkle tree hash structures, supporting efficient verification and fine-grained updates, but attackers may tamper with Merkle tree hash values or forge data replicas to bypass auditing mechanisms and threaten data confidentiality.

In multi-tenant environments, Thenmozhi⁹ studied how to reduce user-side computational costs by aggregating labels of different data blocks and designed an efficient public integrity checking mechanism. However, shared key management and updates may lead to security risks, affecting the overall security of the auditing system. Ardagna et al.¹⁰ proposed an auditing mechanism for distributed erasure-coded data, introducing a new behavioral modeling scheme to audit virtual machine behaviors and detect suspicious processes, reducing users’ computational and communication costs. However, the scheme may fail to effectively counter internal attacks, leading to data security risks.

Literature¹¹ provides a comprehensive review of blockchain technology, data integrity auditing, and identity-based remote data auditing schemes in cloud storage, exploring how to ensure data integrity and security while protecting user privacy. Literature¹² proposes an innovative certificate-less cloud data auditing scheme, addressing the complex certificate management and key escrow risks in traditional schemes to enhance system security and practicality, though its performance and efficiency in large-scale data environments require further verification. Literature¹³ discusses challenges and solutions in cloud auditing, including methods for TPAs to verify dynamic data integrity, CSP auditing practices, and applications of cloud auditing frameworks and tools, but it relies on trusted TPAs, posing single-point-of-failure risks. Literature¹⁴ first uses a serverless computing paradigm to build a cloud storage auditing system, demonstrating its practicality and cost-effectiveness by leveraging serverless computing's elastic scaling and pay-as-you-go features, though it depends on specific cloud providers’ serverless platforms with unvalidated cross-platform compatibility. Literature¹⁵ explores the application of cloud computing and IoT technologies in auditing, focusing on the operation mechanisms, protection strategies, and security risks of cloud auditing platforms, but it relies on centralized cloud providers with insufficient decentralization capabilities. Literature¹⁶ designs an identity-based auditing protocol, using a key generation center (KGC) to allocate keys and support data owners (DOs) in dynamically enabling/disabling sensitive information access rights without third-party purifiers, though centralized KGCs face single-point-of-failure risks. Literature¹⁷ proposes a hybrid cloud auditing system architecture, achieving hardware and software sharing through resource pooling to reduce operational costs, but its multi-layered architecture increases system complexity and difficulty in fault troubleshooting. Literature¹⁸ combines elliptic curve cryptography and blockchain technology to propose a lightweight identity authentication and key update scheme, outsourcing key update computations to TPAs and cloud servers to reduce user-side overhead, though bilinear mapping operations still impose high computational burdens.

Cloud data auditing is mainly divided into private auditing and public auditing. Private auditing is managed by users themselves, while public auditing is performed by trusted TPAs on behalf of users. Public auditing has gained wide attention due to its ability to reduce user burdens and provide more reliable audit results. Functionally, public auditing can be further divided into privacy-preserving auditing, dynamic data auditing, shared data auditing, and multi-replica data auditing. This paper focuses on multi-replica data auditing. Multi-replica data auditing aims to verify the integrity and availability of data in cloud storage environments. In cloud storage scenarios, user data is typically replicated multiple times and distributed across different servers to enhance data reliability and fault tolerance. The core task of multi-replica data auditing is to verify the consistency and integrity of these replicas, ensuring data is not tampered with, lost, or damaged during storage and transmission.

In recent years, researchers have sought to improve the efficiency and security of multi-replica data auditing through various technical means, with main research directions including blockchain-based auditing schemes, multi-party participation auditing mechanisms, identity-based auditing technologies, and certificate-less/dynamic data auditing schemes. Due to its decentralization, tamper-proofing, and traceability, blockchain technology is widely used in multi-replica data auditing. Literature¹⁹ proposes an efficient multi-replica auditing scheme for multi-cloud environments, achieving high-efficiency auditing via homomorphic verification tags (HVT), but the scheme relies on third-party aggregation nodes, posing collusion attack risks. Literature²⁰ presents a dynamic multi-cloud multi-replica data integrity auditing scheme based on blockchain technology, using smart contracts to automate audit tasks and solve trust issues with traditional TPAs, though blockchain consensus mechanisms introduce delays and large-scale data label generation incurs high computational costs. Literature²¹ proposes a multi-party participation efficient data integrity auditing mechanism supporting multi-data-source, heterogeneous data, and dynamic data modification scenarios, achieving various verification functions through distributed ledgers, smart contracts, and consensus mechanisms, though smart contract execution efficiency is constrained by blockchain platform performance.

Dynamic data auditing is a key direction in multi-replica data auditing. Literature²² studies multi-replica possession auditing strategies for dynamic data in cloud storage environments, proposing a homomorphic hash-based multi-replica data possession proof scheme that effectively resists malicious storage node attacks, though the scheme's complex structure leads to high large-scale data maintenance costs. Literature²³ introduces an efficient multi-replica integrity verification scheme, enabling fast verification via short signatures and DHT while supporting large-scale dynamic data updates and integrity verification, though interactions with multiple cloud storage servers in multi-replica environments increase communication overhead, and cross-cloud platform audit delays reduce efficiency.

Multi-party participation auditing mechanisms improve audit reliability and efficiency by involving multiple stakeholders. Literature²⁴ addresses the issues of massive files and inefficient single-node auditing in cloud storage by proposing a multi-agent-based multi-replica data integrity checking scheme. Using bilinear mapping for key generation and multi-branch authentication trees for multi-replica data signing, the scheme outperforms existing methods in communication overhead, storage overhead, and audit efficiency, though multi-agent systems are complex and incur high implementation and management costs. Literature²⁵ proposes a red-black tree-based dynamic multi-replica data integrity auditing scheme. By improving the classic Merkle hash tree (MHT), it enables multi-replica storage and dynamic data operations, enhancing real-time dynamic data update (insertion, deletion, modification) efficiency. Third-party audit organizations verify data integrity on behalf of users to reduce computational and communication costs, but the red-black tree structure is complex and difficult to implement.

Identity-based cryptography (IBC) and certificate-based schemes are also widely used in multi-replica data auditing. Literature²⁶ proposes an identity-based public auditing scheme for verifying multi-replica data integrity, avoiding the complexity of certificate management in traditional public key cryptography, though the scheme highly relies on TPA credibility, affecting data security. Literature²⁷ presents a certificate-based multi-replica cloud storage auditing scheme supporting dynamic data updates, addressing complex key management via certificate mechanisms while supporting dynamic updates, though certificate management may introduce additional complexity. Literature²⁸ proposes a revocable and dynamic identity-based multi-replica data auditing scheme (RDIMM), combining IBC with dynamic auditing mechanisms to support efficient auditing of multi-replica data, though dynamic data updates and revocable mechanisms may introduce extra computational and storage overheads.

Identity-based auditing technologies have been introduced to further improve audit efficiency and security. Literature²⁹ explores public auditing schemes for multi-replica data in cloud storage environments, enhancing audit efficiency and security via homomorphic hash tables and timestamp signature mechanisms, though computational costs remain high in large-scale data scenarios. Literature³⁰ designs a multi-replica cloud auditing scheme using Shamir's secret sharing technology, enhancing data security and privacy protection through shard storage and secret sharing mechanisms, though secure key management is critical—key leakage or tampering could allow attackers to forge shared information or recover secrets. Literature³¹ proposes an ID-based dynamic multi-replica data auditing scheme, achieving efficient data integrity auditing by optimizing challenge algorithms and simplifying TPA computations, though it faces key escrow issues. To avoid certificate management and key escrow problems, Literature^32–34 propose certificate-less multi-replica data auditing schemes, reducing certificate management complexity and improving audit efficiency via innovative key management mechanisms. Literature³⁵ presents a TEE-based efficient and secure auditing scheme, implementing multi-replica data auditing via random masking and dual authentication mechanisms with certificate-less signatures, though it is vulnerable to forgery attacks and will be a key focus of this paper.

3 Background and preliminary knowledge

3.1 System model

This system focuses on multi-replica data auditing scenarios in multi-cloud environments, comprising the following core participants:

DO: Possesses the original data D, splits it into n data blocks ${m_{1}, m_{2}, \dots, m_{n}}$ , and generates k replicas ${R_{1}, R_{2}, \dots, R_{k}}$ across multi-cloud platforms.

Cloud Storage Provider (CSP) with TEE: Responsible for storing data replicas $R_{i}$ , maintaining an integrity hash chain of $R_{i}$ within the TEE, and periodically hashing data blocks to detect tampering.

TPA: Entrusted by the DO to perform batch auditing of multi-replicas via lightweight protocols, identify abnormal replicas, and regularly verify replica integrity to resist forgery attacks.

KGC: By initializing system parameters and generating a partial private key $d_{D O}$ based on user identities (such as the DO's identity identifier $I D_{D O}$ ). The system model is shown in Figure 1.

Figure 1.

System model.

3.2 Security model

The DO is trustworthy and correctly uses TEE to generate tags and keys, but their local environment may face side-channel attacks. The CSP is semi-trustworthy, honestly executing the protocol but possibly maliciously forging audit proofs—such as exploiting hash chain vulnerabilities in TEEMRDA to generate fake check values, or colluding with other CSPs to cover up multi-replica inconsistency issues. The TPA is honest and trustworthy, strictly following the audit protocol, but the communication link may be eavesdropped on or tampered with. The KGC is completely trustworthy, and the system parameter and private key generation processes cannot be breached. Generally, the security of our scheme is based on the difficulty assumptions of the following problems:

Definition 1. Computational

Diffie–Hellman (CDH) Problem (Katz, 2010): Let $G_{1}$ be a multiplicative cyclic group of large prime order q with generator g. Given $(g, g^{a}, g^{b}) \in G_{1}$ , where $(a, b) \in Z_{q} *$ are unknown, compute $g^{a b} \in G_{1}$ . If the CDH problem is computationally unsolvable, the CDH assumption holds in $G_{1}$ .

Definition 2. Computational Discrete Logarithm Problem (DLP)

(McCurley, 1990): Let $G_{1}$ be a multiplicative cyclic group of large prime order q, and g be a generator of $G_{1}$ . Given $(g, h) \in G_{1}$ , compute $a \in Z_{q} *$ such that $h = g^{a}$ . If the DLP is computationally unsolvable, the DL assumption holds in $G_{1}$ .

3.3 Design goal

The cloud storage data auditing mechanism proposed in this study sets core objectives around ensuring data security and improving audit reliability, specifically as follows:

Strong Anti-Forgery: Aiming at the possible malicious behaviors of the CSP, even if it obtains partial data blocks and historical hash chain information, it cannot forge valid audit proofs for unstored data, fundamentally eliminating the generation of false audit results.

Mandatory Multi-Replica Consistency Verification: When the TPA performs audits, a strict protocol is adopted to synchronously verify the hash chain root values of all data replicas, ensuring the consistency of each replica with the original data and eliminating inconsistencies in data storage.

Non-Repudiation of Dynamic Operations: When data block updates occur, a tamper-proof update log is generated via a TEE, completely recording operation timestamps and executor identity information to provide a reliable basis for operation tracing and prevent the CSP from denying update behaviors.

Forward Security: After updating the data block key, old-version tags automatically become invalid, preventing retroactive attacks caused by historical key leaks.

Data Privacy Protection: In the audit process, the scope of information obtained by the TPA is strictly limited, only allowing access to hash chain root values and aggregated tags to avoid leakage of original data content and ensure user data privacy security.

3.4 Trusted execution environment

TEE is a secure execution environment based on hardware isolation, separated from the device's regular operating system rich execution environment (REE), used to protect the confidentiality, integrity, and availability of sensitive code and data. It relies on hardware extensions such as ARM's TrustZone and Intel's SGX to divide independent execution regions at the Central Processing Unit level, and the full lifecycle management of keys is completed within the TEE, ensuring that even if the REE is attacked, operations within the TEE remain unaffected. Additionally, TEE has low resource consumption, adapts to the lightweight deployment requirements of cloud servers, and meets the elastic expansion and low-latency audit requirements of cloud environments.

3.4.1 Security attributes provided by TEE

Confidentiality: TEE uses hardware encryption technology to protect internal data and code throughout storage, processing, and transmission, eliminating the risk of theft from the external environment (including REE, malicious programs, etc.). In the cloud data audit scenario, sensitive information such as data hash values and audit strategies are encrypted and stored in the TEE to prevent third parties from obtaining audit logic.

Integrity: Through hardware signatures (such as rivest-shamir-adleman, elliptic curve cryptography) and hash verification (such as SHA-256), TEE strictly detects whether internal code and data have been unauthorisedly modified. During multi-replica data auditing, TEE verifies the trustworthiness of each replica data source and refuses to execute tampered audit scripts.

Availability: Since TEE runs independently of REE, even if the REE crashes due to failure or attack, TEE can still maintain uninterrupted key security services. For example, when a cloud server is subjected to a DDoS attack, TEE can ensure the continuous verification of data integrity.

Remote Attestation: TEE has the ability to prove its identity and operating status (such as software version, configuration parameters) to remote entities (such as cloud audit centers, other replica nodes), ensuring that both interacting parties are in a trusted environment. In cross-replica data consistency auditing, the TEE of each node enables the auditor to be convinced that the replica data has not been tampered with through remote attestation, reducing trust dependence on the TPA.

3.4.2 General advantages of TEE in cloud environments

Physical Immunity for Multi-Replica Data Verification: In the multi-replica storage mode of cloud environments, traditional software-layer verification can easily be bypassed by malicious programs through memory tampering or backdoor injection. TEE places core operations, such as data hash calculation and consistency comparison, in an independent memory area protected by hardware instructions, making the REE unable to interfere with the verification process within the TEE and achieving physical-level immunity.

Tamper-Proof Storage of Audit Logs: Compared with traditional audit logs stored in ordinary disks or databases, which face risks such as ransomware encryption and privileged account tampering, the secure storage area provided by TEE automatically completes encryption and integrity verification when audit logs are written, and only trusted applications within the TEE are allowed to read and write, ensuring the effectiveness of audit tracing.

Trusted Dynamic Loading of Audit Policies: Given the diverse data types in cloud environments, audit policies need to be flexibly adjusted, and traditional static policies are easy to bypass. TEE supports runtime dynamic loading of trusted audit plugins, and the external environment cannot modify the plugin logic or inject malicious code, ensuring the adaptability and security of audit policies.

Lightweight Computing: In the scenario of multi-replica data auditing at edge nodes, uploading all data to the cloud for auditing will cause network congestion and resource waste. TEE preprocesses data, extracts key features such as data fingerprints and abnormal operation log summaries, and only uploads lightweight results (such as hash values, statistical indicators) to the cloud, effectively reducing data transmission volume.

3.5 Preliminary knowledge

3.5.1 Bilinear pairings

Bilinear pairings are a class of special mathematical mappings in cryptography, with the core definition as follows:

Let $G_{1}$ and $G_{T}$ be two cyclic groups of prime order q (usually multiplicative groups), and the DLP in $G_{1}$ is intractable. A bilinear pairing is a function e: $G_{1} \times G_{1} \to G_{T}$ satisfying the following properties:

Bilinearity: For any $P, Q, R \in G_{1}$ 和 and $a, b \in Z_{q} *$ , there are: $e (a P, b Q) = e (P, Q)^{a b}$ , $e (P + Q, R) = e (P, R) \cdot e (Q, R)$ , $e (P, Q + R) = e (P, Q) \cdot e (P, R)$ .

Non-Degeneracy: There exists $P, Q \in G_{1}$ such that $e (P, Q) \neq 1_{G_{T}}$ .

Computability: There is an efficient algorithm to compute $e (P, Q)$ .

3.5.2 Homomorphic verifiable authenticator (HVA)

HVA is a cryptographic-based authentication mechanism that allows efficient verification of data without exposing its content, ensuring the integrity and correctness of data during computation.

Blockless Verification: Using HVA, the TPA can verify required file blocks without knowing their actual data content.

Homomorphism: Let G and H be multiplicative groups of large prime order p, and “ $\otimes$ ” and “ $\oplus$ ” be operations in G and H, respectively. If a mapping function satisfies homomorphism, then $\forall g 1, g 2 \in G, f (g 1 \oplus g 2) = f (g 1) \otimes f (g 2) .$

Unforgeability: Attackers cannot forge any data $y^{'}$ and its tag $σ_{y^{'}}$ without mastering the private key, such that the verification algorithm accepts $(y^{'}, σ_{y^{'}})$ , even if $y^{'}$ is not generated by legitimate homomorphic operations.

4 Review of three key stages of the TEEMRDA algorithm

4.1 Initialization stage

The initialization stage serves as the foundation of the TEEMRDA scheme, primarily responsible for completing system parameter configuration, user key generation, creation of TEE-assisted key pairs, and generation of data block tags—thereby providing the necessary cryptographic foundations and security parameters for the subsequent replica generation and verification stages.

Parameter Initialization: Define two multiplicative cyclic groups $G_{1}$ and $G_{T}$ of large prime order q. The bilinear pairing $G_{1} \times G_{1} \to G_{T}$ is the core of the scheme's security, used to implement cryptographic proofs based on the DLP. The generator $g \in G_{1}$ serves as the fundamental element of the group, with all public keys and parameters constructed based on g. Hash functions $H_{1}, H_{3}, H_{4}$ map arbitrary strings to elements of group $G_{1}$ , used for identity identification and hash processing of data blocks. $H_{2}$ maps elements of $G_{1}$ to the integer domain $Z_{q} *$ , used for key component calculations. The master key $s k_{c} \in Z_{q} *$ of the KGC is kept confidential, and the public key $p k_{c} = g^{s k_{c}}$ is public, forming the basis of identity-based key generation (IBK). The public parameter set is: {q, $G_{1}$ , $G_{T}$ , g, $p k_{c}$ , $H_{1}, H_{2}, H_{3}, H_{4}$ }, with all participants relying on this parameter set for interaction.

User Key Generation: This includes three processes: partial key generation, secret value generation, and key pair generation.

Partial Key Generation: The user submits the identity $I D_{U}$ to the KGC, which calculates the partial private key $s k_{1} = H_{1} (I D_{U})^{s k_{c}}$ and returns it to the user via a secure channel. The user verifies $e (H_{1} (I D_{U}), p k_{c}) = e (s k_{1}, g)$ through bilinear pairing to ensure the legitimacy of $s k_{1}$ .

Secret Value Generation: The user independently selects a random number $s \in Z_{q} *$ as the private secret value to enhance key randomness.

Key Pair Generation: A pair of private and public keys is generated. The private key is $s k_{u} = {s k_{u 1} = s k_{1}, s k_{u 2} = s + H_{2} (s k_{u 1})$ , integrating the partial key allocated by the KGC and the user's independent secret value to achieve key decentralization. The public key is $p k_{u} = g^{s k_{u 2}} = g^{s + H_{2} (s k_{u 1})} = g^{s} \cdot (g^{H_{2} (s k_{u 1})})$ , ensuring security based on the DLP.

Generation of TEE-Assisted Key Pairs: The TEE generates independent key pairs for each user: the private key $k_{T E E} = t$ (where $t \in Z_{q} *$ is a random number), and the public key $p k_{T E E} = g^{t}$ .

Generation of Block Tags: The file F is divided into n blocks $b_{i} \in Z_{q} *$ , and a unique tag $σ_{i}$ is generated for each block. The tag is calculated as $σ_{i} = H_{3} (ω_{i}) + b_{i} \cdot H_{4} (ω_{i})$ , where $ω_{i} = i ∥ I D_{U} ∥ I D_{F}$ , $ω_{i}$ includes the block index i, user identity $I D_{U}$ , and file identifier $I D_{F}$ , ensuring the binding relationship between the tag and the user, file, and block position.

4.2 Replica generation stage

The replica generation stage is a critical link in the TEEMRDA scheme, aiming to securely generate multiple data replicas through a TEE and construct efficient, tamper-resistant block tags (fair dual authenticators) for each replica. The core goal of this stage is to ensure data confidentiality while providing a reliable integrity verification basis for the subsequent verification stage, ensuring that multi-replica data stored in the CSP can be efficiently audited.

Data Replica Generation: Using the key $k \in Z_{q} *$ negotiated by the user and the TEE, a random mask $r_{i j} = ϕ_{k} (j ∥ i ∥ I D_{F})$ bound to the replica index j, data block index i, and file identifier $I D_{F}$ is generated through the PRF function $ϕ_{k}$ . The mask is kept confidential from the CSP to prevent it from forging or tampering with replica data. The original data block $b_{i}$ is XORed (or modulo-added) with the random mask $r_{i j}$ to generate the jth replica block $b_{i j} = b_{i} + r_{i j}$ , achieving randomization of data shards.

Generation of Replica Block Tags: Offline pre-generation of replica index authenticators (RIA): Before processing specific data, the TEE uses its private key $s k_{T E E} = t$ to precompute authenticators for all replica indices j: $R I A_{j} = H_{4} (j)^{s k_{T E E}} = H_{4} (j)^{t}$ . RIA depends only on the replica index j, not on the data block index i. Online Generation of Differential Authenticators (DA) and Tags: For each replica block $b_{i j}$ , the TEE generates a DA by combining the original tag $σ_{i}$ and the random mask $r_{i j}$ : $D A_{i j} = σ_{i} \cdot p k_{u}^{r_{i j}} = σ_{i} \cdot (g^{s k_{u 2}})^{r_{i j}} = σ_{i} \cdot g^{s k_{u 2} . r_{i j}}$ . The final tag is a combination of DA and RIA: $σ_{i j} = D A_{i j} + R I A_{j} = σ_{i} \cdot (g^{s k_{u 2}})^{r_{i j}}$ + $H_{4} (j)^{t}$ .

After the above operations, m data replicas $F_{j} = (b_{1 j}, b_{2 j}, \dots, b_{n j})$ and their tag sets $T_{j} = (σ_{1 j}, σ_{2 j}, \dots, σ_{n j})$ are generated. The replicas and tags are distributed and stored in m sub-servers of the CSP, using the multi-replica mechanism to enhance data availability while reducing the risk of single-server attacks through distributed storage.

4.3 Verification stage

The verification stage is the final link of the TEEMRDA scheme, aiming to conduct integrity audits on multi-replica data stored in the CSP through a TPA. This stage ensures that the CSP honestly stores user data replicas and prevents data loss, tampering, or non-compliant storage through a “challenge-response-verification” mechanism, mainly including the following three parts:

Challenge: For each replica file $F_{j}$ , the challenge message $Q_{j} = {I D X_{j}, A_{j}}$ includes: A set of block indices to be verified $I D X_{j} = {i_{1}, i_{2}, \dots, i_{c}}$ , randomly selecting c data blocks $c \leq n$ to avoid high overhead of full-volume verification. A set of random numbers $A_{j} = {a_{i j} ∣ a_{i j} \in Z_{q} *}$ ,with each challenged block corresponding to a random number, enabling the TPA to verify integrity through linear combinations without exposing specific verification tag contents—preventing the CSP from inferring the correlation between original tags or data blocks and protecting user data privacy. The challenge message $Q = {Q_{1}, Q_{2}, \dots, Q_{m}}$ covers all m replicas to ensure global auditing of multi-replica storage.

Proof Generation: For the jth replica, the sub-server generates three types of proofs. Tag Proof: $θ_{j} = \prod_{i \in I D X_{j}} {σ_{i j}}^{a_{i j}}$ , aggregating the tags of verified blocks and combining with challenge random numbers $a_{i j}$ to form a tamper-resistant authenticator. Data Proof: $M_{j} = \sum_{i \in I D X_{j}} b_{i j} . a_{i j} + λ_{j}$ , where $λ_{j} \in Z_{q} *$ is a blinding factor selected by the sub-server to avoid directly exposing the linear combination value of data blocks and protect data privacy. The sub-server calculates the corresponding auxiliary parameter $ψ_{j} = e (g^{λ_{j}}, p k_{u})$ . After receiving proofs from all sub-servers, the primary server on the CSP further calculates the complete tag proof θ, complete data proof M, and aggregated auxiliary parameter Ψ as follows: $θ = \sum_{j = 1}^{m} θ_{j}$ , $M = \sum_{j = 1}^{m} M_{j}$ , $ψ = \sum_{j = 1}^{m} ψ_{j}$ .

Finally, the primary server returns the response proof $P = {θ, M, ψ}$ to the TPA.

Proof Verification:

\begin{aligned} Ψ \cdot e (Θ, g) & = e (H_{1} {(I D_{U})}^{\sum_{j = 1}^{m} \sum_{i \in I D X_{j}} a_{i j}}, p k_{c}) \cdot e ((\prod_{j = 1}^{m} \prod_{i \in I D X_{j}} H_{3} {(ω_{i})}^{a_{i j}}) \cdot g^{M}, p k_{u}) \cdot e (\prod_{j = 1}^{m} \prod_{i \in I D X_{j}} H_{4} {(j)}^{a_{i j}}, p k_{T E E}) . \end{aligned}

5 Attack path analysis of TEEMRDA

Assume an attacker (e.g., a malicious CSP) has successfully forged the data proof M, attempting to reverse-construct a fake auxiliary parameter $Ψ$ by manipulating the relationship between the right-hand side of the verification equation and $Θ$ , making the verification equation hold. The verification equation can be simplified as: $e (Θ, g) = e (Θ, g) = e (C, p k_{c}) \cdot e (D, p k_{u}) \cdot e (E, p k_{T E E})$ where $C = H_{1} (I D_{U})^{\sum_{j, i} a_{i, j}}$ , $D = (\prod_{j, i} H_{3} (ω_{i})^{a_{i, j}}) \cdot g^{M}$ , and $E = \prod_{j, i} H_{4} (j)^{a_{i, j}}$ . If the attacker forges $\hat{M}$ , the right-hand side becomes: $e (C, p k_{c}) \cdot e (\hat{D}, p k_{u}) \cdot e (E, p k_{T E E})$ . Furthermore, if the attacker fixes $\hat{Θ}$ , they can adjust $Ψ$ to match the right-hand side with $e (\hat{Θ}, g)$ . The forging process is analyzed in detail from three aspects: content addition attack, content deletion attack, and content modification attack.

5.1 Content addition attack (forging non-existent data blocks)

The attacker fabricates non-existent data blocks to create an illusion of “expanded storage capacity,” essentially exploiting the openness of cryptographic commitment schemes to inject fake commitment values into challenge responses, bypassing the integrity verification mechanism for data existence. Forging Data Proof $\hat{M}$ : The attacker adds fabricated data blocks ${\hat{b}}_{i, j}$ to replicas, creating an illusion of “expanded storage capacity.” A new block index $i^{'} \notin [1, n]$ is created, and a fake block ${\hat{b}}_{i^{'}, j}$ (typically random meaningless data or values mimicking original data characteristics) is constructed. The forged data proof is: $\hat{M} = \sum_{i, j \in I D X_{j}} a_{i, j} \cdot {\hat{b}}_{i, j} + \underset{j}{\sum_{j} {\hat{λ}}_{j}} + a_{i^{'}, j} \cdot {\hat{b}}_{i^{'}, j}$ .where $a_{i^{'}, j}$ is a random number not present in the challenge message, used to mask the weight of the fake block.

Forging Tag Proof $\hat{Θ}$ : A fake tag ${\hat{σ}}_{i^{'}, j}$ is constructed for the new block: ${\hat{σ}}_{i^{'}, j} = {\hat{H}}_{3} (ω_{i^{'}}) + {\hat{b}}_{i^{'}, j} \cdot {\hat{H}}_{4} (ω_{i^{'}})$ , where ${\hat{H}}_{3}$ , ${\hat{H}}_{4}$ are pseudo hash functions controlled by the attacker. By manipulating hash outputs, the fake tag is incorrectly bound to the forged data block. The fake tag is aggregated with original tags as: $\hat{Θ} = \sum_{i, j \in I D X_{j}} a_{i, j} \cdot σ_{i j} + \underset{j}{\sum_{j} {\hat{λ}}_{j}} + a_{i^{'}, j} \cdot {\hat{σ}}_{i^{'}, j}$ . This linear combination hides the independence of fake tags, making it difficult for verifiers to identify forgeries directly from aggregated results.

Constructing Fake $\hat{Ψ}$ : $\hat{Ψ} \cdot p k_{u} = \hat{M} - D^{'}$ , $D^{'} = (\prod_{j, i} H_{3} (ω_{i})^{a_{i, j}}) \cdot g^{\hat{M}}$ . By adjusting $\hat{Ψ}$ , the attacker forces the right-hand side $e (C, p k_{c}) \cdot e (D^{'}, p k_{u}) \cdot e (E, p k_{T E E})$ to equal the left-hand side $e (\hat{Θ}, g)$ , essentially leveraging the intractability of the DLP to mask data forgery.

5.2 Content deletion attack (deleting partial original blocks)

The attacker removes partial original data blocks to reduce actual storage costs, while tampering with tags and proof values to mislead verifiers about data integrity. Forging Data Proof $\hat{M}$ : The attacker selects an original block index $i *$ to delete, ignoring its contribution in the data proof: $\hat{M} = \sum_{i, j \in I D X_{j}, i \neq i *}, a_{i, j} \cdot b_{i, j} + \sum_{j} {\hat{λ}}_{j}$ .where ${\hat{λ}}_{j}$ is a forged random offset compensating for the reduction in M caused by deletions, avoiding numerical anomalies during verification.

Forging Tag Proof $\hat{Θ}$ : The tag $σ_{i *, j}$ of the deleted block is excluded from the original aggregated tag: $\hat{Θ} = \sum_{i, j \in I D X_{j}, i \neq i *}, a_{i, j} \cdot σ_{i, j}$ . This operation requires ensuring that the linear combination of remaining tags still satisfies $e (\hat{Θ}, g)$ = Right-hand side terms. If the original scheme uses accumulative aggregation (e.g., BLS signatures), exclusion is equivalent to removing the corresponding private key share from a multi-signature, requiring the attacker to master the share's private key or find an alternative signing path. Constructing Fake $\hat{Ψ}$ , $\hat{Ψ} . p k_{u} = \hat{M} - (\prod_{j, i} H_{3} (ω_{i})^{a_{i, j}}) \cdot g^{\hat{M}}$ .

5.3 Content modification attack (tampering with original data blocks)

The attacker modifies original data block contents (e.g., injecting malicious code or deleting sensitive information) while forging tags and auxiliary parameters to make the verification equation hold after tampering. This attack relies on the mathematical deconstruction of the binding relationship between data blocks and tags. Modify the data block $b_{i, j}$ in the replica to ${\tilde{b}}_{i, j} \neq b_{i} + r_{i, j}$ , and forge tags simultaneously to cover up the tampering. Forging Data Proof $\hat{M}$ : The data block $b_{i, j}$ is modified to ${\tilde{b}}_{i, j} = b_{i, j} + Δ_{i, j} (Δ_{i, j} \neq 0)$ , and the forged data proof is: $\hat{M} = \sum_{i, j \in I D X_{j}} a_{i, j} \cdot (b_{i, j} + Δ_{i, j}) + \underset{j}{\sum_{j} {\hat{λ}}_{j}}$ . The attacker must ensure $\hat{M}$ aligns with forged tags and parameters.

Forging Tag Proof $\hat{Θ}$ : To mask tampering, a fake tag is constructed: ${\tilde{σ}}_{i, j} = σ_{i, j} + Δ_{i, j} \cdot H_{4} (ω_{i}) \cdot p k_{u}^{r_{i, j}}$ where $r_{i, j}$ is a random exponent controlled by the attacker. Forging $\hat{Ψ}$ : After tampering, ${\tilde{b}}_{i, j} - r_{i, j} = b_{i} + Δ_{i, j} \neq b_{i}$ . The attacker forges $\hat{Ψ}$ such that: $\hat{M} - \hat{Ψ} \cdot p k_{u} = \sum_{i, j} a_{i, j} \cdot (b_{i} + Δ_{i, j}) + \sum_{j} {\hat{λ}}_{j}$ .

6 Improved scheme and performance analysis

6.1 Improved scheme

The TEEMRDA literature proposes a scheme for integrity verification of multi-replica data storage. Although TEE provides hardware-level isolation, it still faces risks of side-channel attacks, collusion attacks, and multi-replica forgery attacks, while having certain limitations in the face of forgery attacks. The improved scheme introduces homomorphic encryption and zero-knowledge proof technologies to effectively resist forgery attacks, demonstrating significant improvements compared to the TEEMRDA scheme. In the data proof generation process of the TEEMRDA scheme, for the jth replica file, the sub-server generates the data proof $b_{i j}$ , where $b_{i j}$ is the data block, $a_{i j}$ is the random number in the challenge message, and $λ_{j}$ is the blinding factor selected by the sub-server. The tag proof is $\prod_{i \in I D X_{j}} {σ_{i j}}^{a_{i j}}$ , and the primary server aggregates the proofs of all sub-servers to obtain the global proof $P = {θ, M, ψ}$ . However, attackers may attempt to forge proofs by manipulating the verification equation in conjunction with forging data blocks $b_{i j}$ or tags $σ_{i j}$ . The verification equation of the TEEMRD scheme is $e (Θ, g) = e (\sum σ_{i} \cdot H_{3} (ω_{i}) + \sum H_{4} (j) \cdot p k_{T E E}, g) \cdot e (M - Ψ \cdot p k_{u}, g),$ which is constructed based on bilinear pairings to verify the consistency among the tag proof, data proof, and auxiliary parameters. However, attackers can exploit the algebraic structure of the verification equation to forge M and $Θ$ , attempting to reverse-construct $Ψ$ to bypass verification.

In the improved scheme, homomorphic encryption technology is introduced in data proof generation. The DO homomorphically encrypts the data block $b_{i}$ to obtain $E (b_{i})$ , which is stored on the cloud server. During the verification phase, the cloud server calculates the linear combination of homomorphically encrypted data blocks $E (M) = \sum_{i \in I D X_{j}} a_{i j} \cdot E (b_{i, j})$ and sends it to the verifier. The verifier can verify data integrity without decryption, as homomorphic encryption ensures that operations on ciphertexts yield results consistent with encrypting the results of operations on plaintexts. For tag proofs, aggregated signature technology is adopted, where the tag corresponding to each data block is jointly signed by the DO and TEE, and the signature information is bound to the homomorphic encryption ciphertext of the data block. This makes it difficult for attackers to forge data proofs and tag proofs, as forgery requires simultaneously breaking the homomorphic encryption and aggregated signature mechanisms, significantly increasing the attack difficulty. Regarding the verification equation, based on bilinear pairings, zero-knowledge proof technology is introduced. Zero-knowledge proof allows one party (the prover) to prove the authenticity of a statement to another party (the verifier) without revealing any information about the statement itself. The verifier not only verifies the correctness of data proofs and tag proofs but also requires the prover to prove, without disclosing data content, that they possess legitimate data and tags. This effectively prevents attackers from deceiving the verifier by tampering with the data proof M or auxiliary parameter $Ψ$ .

6.2 Performance analysis

6.2.1 Security analysis

Protection Against Data Proof Forgery: In the TEEMRDA scheme, attackers can tamper with the data proof $M_{j}$ by forging data blocks $b_{i j}$ and attempt to forge proofs by manipulating verification equations. The improved scheme introduces homomorphic encryption technology: the DO encrypts data blocks $b_{i}$ as $E (b_{i})$ and stores them on the cloud server. The cloud server calculates the linear combination of homomorphically encrypted data blocks $E (M) = \sum_{i \in I D X_{j}} a_{i j} \cdot E (b_{i, j})$ . Due to the consistency between ciphertext computation and plaintext computation in homomorphic encryption, and with the encryption key held by the DO, attackers cannot forge the ciphertext $E (b_{i, j})$ without decryption or alter computation results by tampering with ciphertexts. For example, if an attacker tries to modify $E (b_{i, j})$ , during verification, the verifier will find the ciphertext computation result inconsistent with expectations based on the properties of homomorphic encryption, thereby detecting the forgery.

Protection Against Tag Proof Forgery: The tag proof of the TEEMRDA scheme is vulnerable to forgery, as attackers can forge tags $σ_{i j}$ and bypass verification by manipulating verification equations. The improved scheme uses aggregated signature technology, where the tag of each data block is jointly signed by the DO and TEE, with signature information bound to the homomorphic encryption ciphertext of the data block. This means that forging tag proofs requires attackers to simultaneously break the signature mechanisms of both the DO and TEE and the homomorphic encryption mechanism. The signatures of the DO and TEE rely on their respective private keys, which are difficult for attackers to obtain; the security of homomorphic encryption is based on complex cryptographic principles such as the DLP, making it nearly impossible for attackers to forge valid tag proofs.

Protection Against Verification Equation Forgery: The verification equation of the TEEMRDA scheme is based on bilinear pairings, but attackers can exploit its algebraic structure to forge M and $Θ$ and reverse-construct $ψ$ to bypass verification. The improved scheme introduces zero-knowledge proof technology based on bilinear pairings: verifiers not only verify the correctness of data proofs and tag proofs but also require provers to prove, without disclosing data content, that they possess legitimate data and tags. This ensures that even if attackers forge M and $Θ$ , they cannot pass the zero-knowledge proof link, as they cannot prove the legitimacy of data to the verifier without mastering real data and legitimate keys. Table 1 presents a comparative analysis of security performance.

Table 1.
Comparative analysis of security performance.

Item TEEMRDA scheme Improved TEEMRDA scheme

Privacy protection Risks of side-channel attacks Data processed in encrypted state

Data integrity Relies on TEE's integrity protection No data content disclosure

Attack resistance Weak against internal attacks Enhanced resistance to internal attacks

Security boundary Difficult to define Clearer security boundary

Item	TEEMRDA scheme	Improved TEEMRDA scheme
Privacy protection	Risks of side-channel attacks	Data processed in encrypted state
Data integrity	Relies on TEE's integrity protection	No data content disclosure
Attack resistance	Weak against internal attacks	Enhanced resistance to internal attacks
Security boundary	Difficult to define	Clearer security boundary

6.2.2 Computational performance analysis

Encryption and Decryption Overhead: Introducing homomorphic encryption increases the computational overhead for DOs during the data encryption phase. Homomorphic encryption algorithms typically rely on complex mathematical operations such as large integer arithmetic and modular operations, making the encryption process relatively time-consuming. For example, some homomorphic encryption algorithms may significantly increase encryption time when processing large-scale data. However, with the development of cryptographic technologies, partial homomorphic encryption algorithms have seen significant improvements in computational efficiency and can reduce computation time through hardware acceleration (e.g., dedicated encryption chips). In the decryption phase, verifiers need to decrypt and verify homomorphic computation results, which also imposes certain computational burdens, though the decryption complexity is generally lower than encryption. Aggregated signature technology requires the DO and TEE to perform signature calculations separately during the signature generation phase, consuming certain computational resources. Signature calculations involve private key operations and hash operations, etc., and the computation volume can be considerable for signing a large number of data blocks. However, during the verification phase, aggregated signature verification is relatively efficient, as it can verify the aggregated result of multiple signatures at once, reducing verification computational overhead compared to verifying each signature individually.

Verification Phase Computational Overhead: During the verification phase, verifiers need to verify the homomorphic encryption data proof $E (M)$ sent by the cloud server. Although homomorphic encryption allows verification without decryption, the verification process still requires complex mathematical operations such as bilinear pairing calculations and ciphertext comparisons. The complexity of these operations is high, especially when processing verification requests for a large number of data blocks, leading to a significant increase in computational overhead. However, by optimizing algorithms and adopting parallel computing technologies, computational pressure can be alleviated to a certain extent, improving verification efficiency. The introduction of zero-knowledge proof technology further increases the computational complexity of the verification phase. The zero-knowledge proof verification process involves a large number of interactive calculations and protocol executions: verifiers need to send challenge information to provers, who compute and return response information based on the challenges, and verifiers then verify the response information. This process may require multiple interactions to complete, increasing communication latency and reducing system response speed. To reduce the number of interactions, zero-knowledge proof protocols can be optimized by adopting non-interactive zero-knowledge proof technologies, simplifying multiple interactions into a single proof transmission to improve communication efficiency. Table 2 presents a comparative analysis of computational performance.

Table 2.
Comparative analysis of computational performance.

Item TEEMRDA scheme Improved TEEMRDA scheme

Computational performance High computational efficiency Improved verification efficiency

Execution time Relatively short execution time Execution time increases

Throughput High throughput Throughput decreases

Resource consumption Low resource consumption Increased resource consumption

Item	TEEMRDA scheme	Improved TEEMRDA scheme
Computational performance	High computational efficiency	Improved verification efficiency
Execution time	Relatively short execution time	Execution time increases
Throughput	High throughput	Throughput decreases
Resource consumption	Low resource consumption	Increased resource consumption

6.2.3 Communication performance analysis

Data Transmission Volume: Since homomorphically encrypted ciphertexts are typically longer than original data, the improved scheme increases data transmission volume during the data transmission process. For example, the ciphertext length generated by some homomorphic encryption algorithms may be several times that of the original data, occupying more network bandwidth and potentially causing network congestion and reducing data transmission efficiency, especially when transmitting large volumes of data. To mitigate this issue, data compression technology can be used to compress homomorphic encryption ciphertexts and reduce transmission volume. Meanwhile, optimizing network transmission protocols and adopting efficient data transmission strategies (such as block transmission and asynchronous transmission) can improve data transmission efficiency. Although aggregated signatures reduce the number of signatures, the signature information itself may contain certain additional data (such as signature parameters), increasing transmission volume to some extent. During the verification phase, the cloud server needs to transmit information such as homomorphic encryption data proof $E (M)$ and aggregated signatures to verifiers, which also occupies network bandwidth. However, compared to the possible multiple data and tag transmissions in the unimproved scheme, the centralized transmission of aggregated signatures and homomorphic encryption data proofs optimizes the communication process to a certain extent, reducing unnecessary repeated transmissions.

Number of Communication Interactions: The introduction of zero-knowledge proof technology increases the number of communication interactions between verifiers and provers (e.g., CSP). In the zero-knowledge proof process, verifiers need to send challenge information to provers, who compute and return response information based on the challenges, and verifiers then verify the response information—this process may require multiple interactions to complete. Frequent communication interactions increase communication latency and reduce system response speed. To reduce the number of interactions, zero-knowledge proof protocols can be optimized by adopting non-interactive zero-knowledge proof technologies, simplifying multiple interactions into a single proof transmission to improve communication efficiency. Table 3 presents a comparative analysis of communication performance.

Table 3.
Comparative analysis of communication performance.

Item TEEMRDA scheme Improved TEEMRDA scheme

Mode Transmission in plaintext Transmission in encrypted form

frequency Usually low May increase

Latency Low Latency increases

Efficiency High Through protocol optimization

Item	TEEMRDA scheme	Improved TEEMRDA scheme
Mode	Transmission in plaintext	Transmission in encrypted form
frequency	Usually low	May increase
Latency	Low	Latency increases
Efficiency	High	Through protocol optimization

7 Computational overhead analysis and comparison

7.1 Definition and parameter description of computational overhead

This paper constructs computational overhead models for both the original TEEMRDA scheme and the improved scheme, targeting three core participants: the DO, CSP, and TPA. By defining time overhead benchmarks for key operations, the computational load differences between the two schemes across all participants are quantitatively compared. Table 4 presents the definitions of different notations and their corresponding operational descriptions.

Table 4.
Symbolic mean of computational overhead.

Symbols Description Symbols Description

$A d d_{Z_{q} }$ Addition operation over the field $Z_{q} $ $E x p_{G_{1}}$ Exponentiation operation over the group $G_{1}$

$M u l_{Z_{q} }$ Multiplication operation over the field $Z_{q} $ $E x p_{Z_{q} }$ Exponentiation operation over the field $Z_{q} $

$M u l_{G_{1}}$ Multiplication operation over the group $G_{1}$ $H E_{E n c}$ Homomorphic encryption operation

$P a i r$ Bilinear pairing operation $H E_{D e c}$ Homomorphic decryption operation

$H a s h$ Hash operation ( $H : {0, 1} * \to G_{1}$ ) $A g g S i g$ Aggregate signature generation/verification operation

$h a s h$ Hash operation ( $h : {0, 1} \to Z_{q} *$ ) ZKP Zero-knowledge proof generation/verification operation

Symbols	Description	Symbols	Description
$A d d_{Z_{q} *}$	Addition operation over the field $Z_{q} *$	$E x p_{G_{1}}$	Exponentiation operation over the group $G_{1}$
$M u l_{Z_{q} *}$	Multiplication operation over the field $Z_{q} *$	$E x p_{Z_{q} *}$	Exponentiation operation over the field $Z_{q} *$
$M u l_{G_{1}}$	Multiplication operation over the group $G_{1}$	$H E_{E n c}$	Homomorphic encryption operation
$P a i r$	Bilinear pairing operation	$H E_{D e c}$	Homomorphic decryption operation
$H a s h$	Hash operation ( $H : {0, 1} * \to G_{1}$ )	$A g g S i g$	Aggregate signature generation/verification operation
$h a s h$	Hash operation ( $h : {0, 1} \to Z_{q} *$ )	ZKP	Zero-knowledge proof generation/verification operation

n: total number of data blocks uploaded by the DO

k: number of data replicas

c: number of data blocks challenged by the TPA

m: number of sub-servers under the CSP (corresponding to the number of replica storage nodes)

7.2 Construction of computational overhead models for each participant

7.2.1 Computational overhead of the data owner

The core operations of the DO include key generation, data block processing, and tag generation. The improved scheme adds operations related to homomorphic encryption and aggregate signatures.

Original Scheme (TEEMRDA): The DO needs to perform three core operations: user key generation, TEE-assisted key pair verification, and data block tag generation. The overhead expression is:

\begin{aligned} C o s t_{D O, O r g} = 3 P a i r + 2 H a s h + n h a s h + (n + 2) E x p_{G_{1}} + n M u l_{G_{1}} + 2 n M u l_{Z_{q} *} + n A d d_{Z_{q} *} \end{aligned}

Improved Scheme: New operations include homomorphic encryption (data block encryption) and aggregate signature (joint tag signing). The key generation process is consistent with the original scheme. The overhead expression is:

\begin{aligned} C o s t_{D O, I m p r} & = 3 P a i r + 2 H a s h + n h a s h + (n + 2) E x p_{G_{1}} + n M u l_{G_{1}} + 2 n M u l_{Z_{q} *} + n A d d_{Z_{q} *} + n H E_{E n c} + n A g g S i g \end{aligned}

Overhead Variation: $C o s t_{D O, D i f f} = n H E_{E n c} + A g g S i g$

7.2.2 Computational overhead of the cloud storage provider

The core operations of the CSP include replica generation, proof generation (data proof + tag proof), and global proof aggregation. The improved scheme requires processing ciphertext operations after homomorphic encryption.

Original Scheme (TEEMRDA): Sub-servers under the CSP generate replica data blocks, tag proofs, and data proofs, while the main server aggregates the global proof. The overhead expression is:

\begin{aligned} C o s t_{C S P, O r g} = k c E x p_{Z_{q} *} + k c M u l_{Z_{q} *} + k (c - 1) A d d_{Z_{q} *} + k c E x p_{G_{1}} + k (c - 1) M u l_{G_{1}} + (m - 1) M u l_{G_{1}} + (m - 1) A d d_{Z_{q} *} \end{aligned}

Improved Scheme: It requires linear combination operations on homomorphic encrypted ciphertexts, and tag proof is replaced with aggregate signature verification. The overhead expression is:

\begin{aligned} C o s t_{C S P, I m p r} & = k c E x p_{Z_{q} *} + k c M u l_{Z_{q} *} + k (c - 1) A d d_{Z_{q} *} + k c E x p_{G_{1}} + k (c - 1) M u l_{G_{1}} + (m - 1) M u l_{G_{1}} + (m - 1) A d d_{Z_{q} *} \\ + k c H E_{E n c} + m A g g S i g \end{aligned}

Overhead Variation: $C o s t_{C S P, D i f f} = k c H E_{E n c} + m A g g S i g$

7.2.3 Computational overhead of the third-party auditor

The core operations of the TPA include challenge generation and proof verification. The improved scheme adds a zero-knowledge proof verification step.

Original Scheme (TEEMRDA): The TPA generates challenge information and verifies the global proof based on bilinear pairing. The overhead expression is:

\begin{aligned} C o s t_{T P A, O r g} = 4 P a i r + (k c + 1) h a s h + k c E x p_{Z_{q} *} + 2 E x p_{G_{1}} + M u l_{G_{1}} + k (c - 1) A d d_{Z_{q} *} \end{aligned}

Improved Scheme: It adds zero-knowledge proof verification, and the proof verification process combines ciphertext verification and aggregate signature verification. The overhead expression is:

\begin{aligned} C o s t_{T P A, I m p r} = 5 P a i r + (k c + 1) h a s h + k c E x p_{Z_{q} *} + 2 E x p_{G_{1}} + M u l_{G_{1}} + k (c - 1) A d d_{Z_{q} *} + Z K P + A g g S i g + H E_{D e c} \end{aligned}

Overhead Variation: $C o s t_{T P A, D i f f} = P a i r + Z K P + A g g S i g + H E_{D e c}$

7.3 Quantitative comparison and result analysis

Then the calculation expenses of DO, CSP, and TPA in the original scheme and the improved scheme are shown in Table 5. As can be seen from Table 5, the computational load of the DO, CSP, and TPA in the proposed scheme has all increased, mainly due to the introduction of homomorphic encryption technology during the data proof generation phase. Although the efficiency is slightly reduced, the security is significantly improved, which achieves the expected research objectives.

Table 5.
Comparison of computational overhead.

Participant Original scheme Improved scheme Overhead Variation

DO $3 P a i r + 2 H a s h + n h a s h + (n + 2) E x p_{G_{1}} + n M u l_{G_{1}} + 2 n M u l_{Z_{q} } + n A d d_{Z_{q} }$ $3 P a i r + 2 H a s h + n h a s h + (n + 2) E x p_{G_{1}} + n M u l_{G_{1}} + 2 n M u l_{Z_{q} } + n A d d_{Z_{q} } + n H E_{E n c} + n A g g S i g$ $n H E_{E n c} + A g g S i g$

CSP $k c E x p_{Z_{q} } + k c M u l_{Z_{q} } + k (c - 1) A d d_{Z_{q} } + k c E x p_{G_{1}} + k (c - 1) M u l_{G_{1}} + (m - 1) M u l_{G_{1}} + (m - 1) A d d_{Z_{q} }$ $k c E x p_{Z_{q} } + k c M u l_{Z_{q} } + k (c - 1) A d d_{Z_{q} } + k c E x p_{G_{1}} + k (c - 1) M u l_{G_{1}} + (m - 1) M u l_{G_{1}} + (m - 1) A d d_{Z_{q} } + k c H E_{E n c} + m A g g S i g$ $k c H E_{E n c} + m A g g S i g$

TPA $4 P a i r + (k c + 1) h a s h + k c E x p_{Z_{q} } + 2 E x p_{G_{1}} + M u l_{G_{1}} + k (c - 1) A d d_{Z_{q} }$ $5 P a i r + (k c + 1) h a s h + k c E x p_{Z_{q} } + 2 E x p_{G_{1}} + M u l_{G_{1}} + k (c - 1) A d d_{Z_{q} } + Z K P + A g g S i g + H E_{D e c}$ $P a i r + Z K P + A g g S i g + H E_{D e c}$

Participant	Original scheme	Improved scheme	Overhead Variation
DO	$3 P a i r + 2 H a s h + n h a s h + (n + 2) E x p_{G_{1}} + n M u l_{G_{1}} + 2 n M u l_{Z_{q} } + n A d d_{Z_{q} }$	$3 P a i r + 2 H a s h + n h a s h + (n + 2) E x p_{G_{1}} + n M u l_{G_{1}} + 2 n M u l_{Z_{q} } + n A d d_{Z_{q} } + n H E_{E n c} + n A g g S i g$	$n H E_{E n c} + A g g S i g$
CSP	$k c E x p_{Z_{q} } + k c M u l_{Z_{q} } + k (c - 1) A d d_{Z_{q} } + k c E x p_{G_{1}} + k (c - 1) M u l_{G_{1}} + (m - 1) M u l_{G_{1}} + (m - 1) A d d_{Z_{q} }$	$k c E x p_{Z_{q} } + k c M u l_{Z_{q} } + k (c - 1) A d d_{Z_{q} } + k c E x p_{G_{1}} + k (c - 1) M u l_{G_{1}} + (m - 1) M u l_{G_{1}} + (m - 1) A d d_{Z_{q} } + k c H E_{E n c} + m A g g S i g$	$k c H E_{E n c} + m A g g S i g$
TPA	$4 P a i r + (k c + 1) h a s h + k c E x p_{Z_{q} } + 2 E x p_{G_{1}} + M u l_{G_{1}} + k (c - 1) A d d_{Z_{q} }$	$5 P a i r + (k c + 1) h a s h + k c E x p_{Z_{q} } + 2 E x p_{G_{1}} + M u l_{G_{1}} + k (c - 1) A d d_{Z_{q} } + Z K P + A g g S i g + H E_{D e c}$	$P a i r + Z K P + A g g S i g + H E_{D e c}$

8 Application of cloud auditing in UAV security

With the extensive application of UAV technology in fields such as mapping, inspection, logistics, and emergency rescue, the demand for security and integrity of UAV data has become increasingly prominent. Critical information generated during UAV operations, such as geographical information, surveillance videos, and sensor data, if tampered with, leaked, or lost, will not only lead to operational failures but also trigger significant safety accidents or privacy leakage risks. Cloud auditing technology, with its data verification and security protection capabilities, provides an innovative solution for UAV data security management.

UAV data features strong real-time performance, large volume, and multi-source heterogeneity, and needs to be transmitted via wireless communication links to ground control centers or cloud storage platforms during flight. Transmission chains are vulnerable to interference, interception, and malicious attacks. Traditional data security protection means struggle to meet the full-lifecycle security requirements of UAV data, while cloud auditing technology plays a key role in data storage, transmission, and usage phases. In the data storage link, cloud auditing verifies the integrity of data uploaded by UAVs to the cloud, ensuring no illegal tampering; during data transmission, real-time auditing of communication data promptly detects abnormal traffic and attack behaviors to safeguard transmission security; in the data usage phase, cloud auditing performs permission verification and operation auditing for users and applications accessing UAV data, preventing data abuse and leakage.

9 Conclusion

In summary, this paper thoroughly analyzes the security vulnerabilities of the TEEMRDA scheme in multi-replica data auditing. To address its susceptibility to forgery attacks, we propose an improved scheme incorporating homomorphic encryption, aggregate signatures, and zero-knowledge proof technologies. Comparative analysis demonstrates that the improved scheme significantly enhances security through ciphertext computation encryption, signature-ciphertext binding, and verification mechanism reinforcement, effectively resisting various forgery attacks. Future research will focus on optimizing these technologies to achieve a better balance between security and performance, thereby promoting the broader application of cloud storage data auditing technology in fields such as cloud computing and cloud-edge UAV systems.

Footnotes

ORCID iD

Shuanggen Liu

Funding

The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work is supported by National Natural Science Foundation of China (No. 62172436) and Engineering University of PAP's Funding for Education and Teaching Program Grant (No.Wjx2025069), Engineering University of PAP's Funding for Basic and Cutting-Edge Innovation Grant (No.Wjy202520). This work is also supported by the Stability Program of the National Key Laboratory of Security Communication (WD202513).

Declaration of conflicting interests

The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

References

Wang

Ren

, et al. Privacy-preserving public auditing for data storage security in cloud computing. In: 2010 Proceedings IEEE INFOCOM, San Diego, CA, USA, 2010, pp.1–9.

Arivazhagi

Kumar

. Indistinguishability obfuscation: a key enabler for lightweight provable data possession in cloud storage. In: 2023 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, 2023, pp.1–5.

Wang

Chow

SSM

, et al.

Privacy-preserving public auditing for secure cloud storage.

IEEE Trans Comput 2013; 62: 362–375.

Xiaodong

Xiuxiu

Qianqian

, et al.

Decentralized cloud data integrity auditing scheme based on blockchain and fog computing.

J Electron Inf Technol (in Chinese) 2023; 45: 3759–3766.

Yuan

, et al.

Cloud storage auditing scheme based on ECDSA.

J Shandong Univ (in Chinese) 2022; 57: 57–65.

Zhang

Chen

. Research on cloud storage data security auditing in big data environment. Appl Res Comput (in Chinese) 2018; 35: 3012–3016.

Yang

Jia

. An efficient and secure dynamic auditing protocol for data storage in cloud computing. IEEE Trans Parallel Distrib Syst 2013; 24: 1717–1726.

Miao

Feng

, et al.

Public auditing scheme for data integrity in public cloud.

Cybersecurity (in Chinese) 2018; 4: 56–60.

Thenmozhi

. A survey on efficient auditing scheme for secure data storage in fog-to-cloud computing. J Cloud Comput 2024; 13: 1–20.

10.

Ardagna

Asal

Damiani E , et al.

From security to assurance in the cloud.

ACM Comput Surveys (CSUR) 2015; 48: 1–50.

11.

Shrinivasa

Muddaraju

Patil

. Advancing integrity and privacy in cloud storage: challenges, current solutions, and future directions. IAES Int J Artif Intell 2025; 14: 12–18.

12.

Wang

Yang H

et al. Efficient certificateless public integrity auditing of cloud data with designated verifier for batch audit. J King Saud Univ—Comput Inform Sci 2022; 34: 301–310.

13.

Smith

Doe

. Enhancing security protocols in cloud computing. Int J Adv Secur 2023; 17: 45–56.

14.

Chen

Cai

Xiang

, et al. Practical cloud storage auditing using serverless computing. Sci China Inform Sci 2024; 67: 132102.

15.

Liu

Zhou

. Research situation, operation mechanism and guarantee strategy of cloud auditing platform. Commun Finance Accounting (in Chinese) 2022; 26: 12–17.

16.

Yang

Chen

, et al. Identity-based cloud storage auditing for data sharing with access control of sensitive information. IEEE Internet Things J 2022; 9: 10434–10445.

17.

Wei

. Design and risk control of cloud auditing system in cloud computing environment. Friends Account (in Chinese) 2015; 32: 45–49.

18.

Ren

Wang

. Enabling cloud storage auditing with verifiable outsourcing of key updates. IEEE Trans Inf Forensics Secur 2016; 11: 1352–1365.

19.

Jin

. EMCA: an efficient multi-replica auditing scheme in multi-cloud storage. Chin J Comput (in Chinese) 2024; 47: 1–13.

20.

Wang

Sun

, et al.

Blockchain-based dynamic multi-cloud multi-replica data integrity auditing method.

J Software (in Chinese) 2025; 36: 789–804.

21.

Zhou

Wang

. Multi-party efficient auditing mechanism for data integrity based on blockchain. J Comput Res Dev (in Chinese) 2022; 59: 123–130.

22.

Zhao

. Research on dynamic data multi-replica possession auditing strategy in cloud storage. J Inform Secur (in Chinese) 2023; 8: 120–136.

23.

Zhang

, et al.

Integrity verification scheme for multi-replica files in cloud storage.

J Comput Res Dev (in Chinese) 2014; 51: 1410–1417.

24.

Shen

Zhang

. Research on integrity check method of cloud storage multi-copy data based on multi-agent. IEEE Access 2020; 4: 17170–17178.

25.

Lalitha Keerthana

Durga Devi

. Integrity auditing for multi-copy in cloud storage based on red-black tree. Int J Comput Sci Technol 2023; 14: 43–48.

26.

Hariharan

, et al. Public auditing using identity-based cryptosystems on multi-copy data integrity in cloud. ICTACT J Commun Technol 2021; 12: 2433–2438.

27.

Zhang

, et al. Certificate-based multi-copy cloud storage auditing supporting dynamic data updates. ACM Trans Comput Commun Secur 2024; 27: 1–30.

28.

Tian

Tan

Shen

, et al. RDIMM: revocable and dynamic identity-based multi-copy data auditing for multi-cloud storage. Inf Sci 2023; 630: 432–447.

29.

Yang

. Research on public auditing scheme for multi-replica data in cloud storage. J Inf Secur (in Chinese) 2023; 8: 45–52.

30.

Tian

Chen

, et al.

Multi-replica auditing in cloud based on Shamir secret sharing.

J Commun (in Chinese) 2016; 37: 45–55.

31.

Cai

, et al. ID-based dynamic replicated data auditing for the cloud. Concurr Comput: Pract Exp 2019; 31: 50–51.

32.

Zhou

Yang

, et al. Efficient certificateless multi-copy integrity auditing scheme supporting data dynamics. IEEE Trans Dependable Secure Comput 2022; 19: 1118–1136.

33.

Gudeme

Pasupuleti

Kandukuri

. Certificateless multi-replica public integrity auditing scheme for dynamic shared data in cloud storage. Comput Secur 2021; 103: 102–177.

34.

Miao

Huang

Xiao

, et al. Blockchain assisted multi-copy provable data possession with faults localization in multi-cloud storage. IEEE Trans Inf Forensics Secur 2022; 17: 3663–3678.

35.

Tian

Wang

Quan

, et al. TEEMRDA: leveraging trusted execution environments for multi-replica data auditing in cloud storage. Comput Secur 2024; 139: 103683.

An improved cloud data auditing scheme with enhanced security based on trusted execution environment-based multi-replica data audit

Abstract

Keywords

1 Introduction

2 Related work

3 Background and preliminary knowledge

3.1 System model

Definition 1. Computational

Definition 2. Computational Discrete Logarithm Problem (DLP)

3.3 Design goal

3.4 Trusted execution environment

3.4.1 Security attributes provided by TEE

3.4.2 General advantages of TEE in cloud environments

3.5 Preliminary knowledge

3.5.1 Bilinear pairings

3.5.2 Homomorphic verifiable authenticator (HVA)

4 Review of three key stages of the TEEMRDA algorithm

4.1 Initialization stage

4.2 Replica generation stage

4.3 Verification stage

5 Attack path analysis of TEEMRDA

5.1 Content addition attack (forging non-existent data blocks)

5.2 Content deletion attack (deleting partial original blocks)

5.3 Content modification attack (tampering with original data blocks)

6 Improved scheme and performance analysis

6.1 Improved scheme

6.2 Performance analysis

6.2.1 Security analysis

Table 3. Comparative analysis of communication performance. Item TEEMRDA scheme Improved TEEMRDA scheme Mode Transmission in plaintext Transmission in encrypted form frequency Usually low May increase Latency Low Latency increases Efficiency High Through protocol optimization

7.1 Definition and parameter description of computational overhead

7.2.1 Computational overhead of the data owner

7.2.2 Computational overhead of the cloud storage provider

7.2.3 Computational overhead of the third-party auditor

7.3 Quantitative comparison and result analysis

9 Conclusion

Footnotes

ORCID iD

Funding

Declaration of conflicting interests

References

Table 3.
Comparative analysis of communication performance.

Item TEEMRDA scheme Improved TEEMRDA scheme

Mode Transmission in plaintext Transmission in encrypted form

frequency Usually low May increase

Latency Low Latency increases

Efficiency High Through protocol optimization