1 Introduction

Cloud computing is a new paradigm that enables businesses to provide their customers with on-demand access to computing and file storage capabilities. The On-Demand Routing protocol makes it easy to share routes for broadcast or non-broadcast media, and it enables users to use cloud computing services as needed without contact between consumers and service providers (Karati et al., 2021). Its emergence has raised concerns about privacy and the integrity of their data. The use of server-side hardware is very cheap and makes it easy to provide security to cloud data. However, it is not as secure as cloud computing due to its limited availability and resource constraints. Garbled circuits are often used in cloud computing. In this paper, we introduce a method for safely reusing garbled circuits for different inputs. In terms of cloud privacy, there are various approaches such as twin cloud and token-based cloud computing. Cloud tokenization exchanges sensitive data for an irreversible, non-sensitive placeholder known as a token while securely preserving the original, sensitive data. However, these methods are very hard to parallelize. For researchers, one of the most promising approaches is FHE, which is a type of homomorphic multikey encryption (Ghaffar et al., 2020; Zhou et al., 2019). The rapid emergence and evolution of communication and information technology have greatly changed the computational model. The rise of cloud computing was directly caused by the changes in the computational model. It is mainly built on the principle of distributed computing, which is a type of multi-core computing. Due to the increasing popularity of data storage, the existing storage models are not able to handle the influx of data. Data storage management is a set of processes (network virtualization, replication, mirroring, security, compression, deduplication, traffic analysis, process automation, storage provisioning and memory management) that improve the performance of data storage resources.
Cloud computing provides data storage as a service and delivers on-demand access, eliminating the need to buy and manage your own data storage infrastructure. This is where the need for storage solutions comes from. Cloud storage is a web-based data storage mechanism that allows users to store and retrieve their data from a variety of distant servers (Ghaffar et al., 2020). Cloud storage is becoming more popular. A third-party cloud storage provider is in charge of providing the storage service. Users may purchase or rent the storage space that they need in order to save their data. The collection of multiple storage devices and servers (Li et al., 2017) is known as cloud storage. Cloud storage is much more than just a storage system, though. It is also considered to be a kind of service. Because cloud storage services are provided by other parties, customers are not required to comprehend the numerous components of storage devices, or the administration and maintenance of such devices. They may easily take advantage of cloud storage without the need for any specialised knowledge or experience. Cloud storage, in addition to minimising the amount of storage space necessary, provides a great deal of convenience to its customers as well. When it comes to growth, cloud storage architecture makes things easier by enabling service providers to acquire more storage servers and quickly enhance the available capacity. The movement of the majority of the data from on-premises storage to cloud storage makes data management much easier to handle. By using cloud storage space to migrate large amounts of data to the cloud, businesses may save a significant amount of money by renting or purchasing storage space from cloud providers. File versioning, automatic synchronization, data backups, security, and scalability are some of the features of cloud storage space.
Enterprises may get the best cloud storage solution for their unique requirements with the assistance of cloud storage service providers. It not only ensures that they get the highest possible quality of service, but it also helps to reduce security threats. As a result of the benefits of cloud storage, more businesses are beginning to provide their services via the cloud storage infrastructure. Google Drive, Microsoft’s Windows Azure, Sync, Amazon Drive S3, Apple iCloud, MediaFire, Microsoft OneDrive, and pCloud are just a few examples of cloud storage services. The results of a survey carried out by a cloud storage business revealed that just around 20% of consumers are prepared to keep confidential data in the cloud. Even in the face of this, the vast majority of users are pleased with the service’s dependability and overall functionality. One of the most common reasons why consumers do not utilise cloud storage services is concern about security. This is one of the primary reasons why many people are skeptical about cloud storage systems.

2 Fully homomorphic multikey encryption security in cloud

Since the cloud storage system has various features and security concerns, it is often necessary to develop and implement different solutions for different issues. This paper aims to analyze and discuss the various security issues that cloud storage can face (Yang et al., 2021). Due to the separation between the data management and the ownership of the stored data, it is important that security measures are implemented to prevent unauthorized access to the data. The use of encryption to preserve the privacy of stored data is generally considered to be a good practise. When Alice wishes to communicate data to Bob, she uses this encryption mechanism. The method may also be used when Bob has to communicate information to Alice. Homomorphic multikey encryption is a key component of cloud storage because it allows anyone to execute certain algebraic operations on encrypted data, which is significant in the field of quantum computation. Unfortunately, it is not extensively utilised in cloud storage environments at the present time (Zhu et al., 2021). Maintaining the integrity of data saved on a cloud storage provider’s server is also a significant concern. The Provable Data Possession (PDP) scheme is a cryptographic mechanism that allows users to verify the availability and integrity of outsourced data on untrusted cloud storage servers (CSS). The majority of PDP schemes are publicly verifiable; however, in some applications private verification is required to prevent the publication of any relevant information. PDP is described in (Liu et al., 2021; Kaleem et al., 2021) for specifications, and it lets a client prove that the server did not tamper with or delete the data. Their attention was drawn away from the problem of data updating in real time. Essentially, the idea behind this strategy is to ensure that the data saved in the cloud is not tampered with. This can only be accomplished via the use of dynamic data updates.
Data sharing has become more popular among cloud service providers as a result of the growing number of situations in which it is necessary. Cloud data sharing is a secure method of information transmission and provides ubiquitous access, i.e., the data may be accessed anywhere using network devices. An international team of academics suggested a solution for securing sensitive data using an elliptic curve encryption system in 2010.

This article covers cloud storage data access and sharing technologies in depth. There are three key components involved: a server, a user, and a third party that has been vetted by the organisation, in that order. Initially, the system creates the global parameter KG for the system. To utilise the cloud storage service (Rawal & Vivek, 2017), the user must first create an account with the CS. On the other hand, an attacker cannot access the data over the public channel. The purpose of this article is to present the security standards that must be met by cloud storage services.

2.1 Homomorphic multikey security requirements in cloud storage and data access

In order for the user to have access to the TCS after being authorised, the user authentication scheme must be applied (Albrecht et al., 2019). Depending on his or her preferences, the user may personalise their passwords. Such a scheme saves the user’s time and aids in the prevention of unauthorized access.

2.2 Mathematical background

Definition 1

The following properties are satisfied by the elements of the group \(\{\mathbb {G}, \cdot \}\) (Fig. 1 and Table 1).

Fig. 1 Fully homomorphic multikey encryption security requirements

Table 1 List of notations

A group \(\{\mathbb {G}, \cdot \}\) is a set of elements \(\mathbb {G}\) together with a binary operation \(\cdot\) on \(\mathbb {G}\).

(a) Closure property: for any x, y in \(\mathbb {G}\), combining x and y under the operation (adding or multiplying) gives exactly one result, which lies in the same \(\mathbb {G}\).

(b) Associative property: \(x \cdot (y \cdot z) = (x \cdot y) \cdot z\) for all x, y and z in \(\mathbb {G}\).

(c) Identity property: there is a unique identity element e such that xe = ex = x, ye = ey = y, ze = ez = z.

(d) Inverse element: for any \(x \in \mathbb {G}\), there is an element \(x^{\prime }\) such that \(x \cdot x^{\prime } = e\) and \(x^{\prime } \cdot x = e\).

2.3 Homomorphism in public key crypto system

Four parties are involved in the data exchange and access system described in this section: the user, the system administrator, the data sharing scheme, and the fuzzy extraction algorithm. Fuzzy extractors are a biometric tool that enables user authentication by employing a biometric template created from the user’s biometric data as the key, with predictability indicating the likelihood of an attacker guessing the secret key; a fuzzy extractor is a process that can consistently extract uniform randomness from its input. It is also error-tolerant in the event that the input is changed. Generation (Gen) is a technique that generates a biometric input string from which an extracted string may be generated. If the input string is not supplied, it will be outputted as an auxiliary string until otherwise specified. It is possible to retrieve V from the auxiliary string U and the vector \(\text{CUBI}O^{\prime }\) that is near to U using this technique.

  • RSA cryptosystem:

    $$\begin{array}{@{}rcl@{}} \mathcal{E}(x) &=& x^{e} \bmod m \\ \mathcal{E}\left( x_{1} \right)\cdot\mathcal{E}\left( x_{2} \right) &=& x_{1}^{e}x_{2}^{e} \bmod m = \left( x_{1}x_{2} \right)^{e} \bmod m = \mathcal{E}\left( x_{1} \cdot x_{2} \right) \\ \end{array}$$

  • Paillier cryptosystem:

    $$\begin{array}{@{}rcl@{}} \mathrm{Encrypt}(m;CUPK) &=& g^{m} \cdot r^{n} \bmod n^{2} \\ c_{1} \cdot c_{2} &=& g^{m_{1}} \cdot r_{1}^{n} \cdot g^{m_{2}} \cdot r_{2}^{n} = g^{m_{1} + m_{2}} \cdot \left( r_{1} \cdot r_{2} \right)^{n} \bmod n^{2} = c_{3} \\ \end{array}$$

  • ElGamal encryption:

    $$\begin{array}{@{}rcl@{}} E & :& G_{q} \rightarrow G_{q} \times G_{q} \\ E(m) & =& \left( g^{r},m*h^{r} \right) \\ E\left( m_{1} \right)*E\left( m_{2} \right) & =& \left( g^{r_{1}},m_{1}*h^{r_{1}} \right)\left( g^{r_{2}},m_{2}*h^{r_{2}} \right) \\ & =& \left( g^{r_{1} + r_{2}},m_{1}*m_{2}*h^{r_{1} + r_{2}} \right) \\ & =& E\left( m_{1}*m_{2} \right) \\ \end{array}$$
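The three identities above can be checked numerically. The following Python sketch is an added example, not code from the paper; the function names, the toy primes and the sample messages are assumptions chosen so the values stay readable, and none of these parameter sizes are secure.

```python
import math
import secrets

# Toy primes constructed for this example. The same algebra that gives the
# homomorphism also makes ciphertexts malleable, so it must be a design choice.
P, Q = 1009, 1013

# --- Textbook RSA: E(x) = x^e mod m (multiplicative) ------------------------
def rsa_keygen(p=P, q=Q, e=65537):
    m = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # private exponent
    return (e, m), (d, m)

def rsa_encrypt(pub, x):
    return pow(x, pub[0], pub[1])

def rsa_decrypt(priv, c):
    return pow(c, priv[0], priv[1])

def rsa_mul(pub, c1, c2):
    return c1 * c2 % pub[1]                    # E(x1) * E(x2) = E(x1 * x2)

# --- Paillier: Encrypt(m) = g^m * r^n mod n^2 (additive) --------------------
def paillier_keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    # mu = L(g^lam mod n^2)^-1 mod n, where L(u) = (u - 1) // n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def paillier_encrypt(pub, m):
    n, g = pub
    while True:                                # r must be a unit modulo n
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def paillier_decrypt(pub, priv, c):
    n, (lam, mu) = pub[0], priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def paillier_add(pub, c1, c2):
    return c1 * c2 % (pub[0] ** 2)             # c1 * c2 encrypts m1 + m2 mod n

# --- ElGamal in the order-q subgroup G_q of Z_p^*: E(m) = (g^r, m * h^r) ----
EG_P, EG_Q, EG_G = 2039, 1019, 4               # p = 2q + 1, g = 2^2 has order q

def elgamal_keygen():
    x = secrets.randbelow(EG_Q - 1) + 1        # secret key in [1, q-1]
    return pow(EG_G, x, EG_P), x               # (public h, secret x)

def elgamal_encrypt(h, m):
    r = secrets.randbelow(EG_Q - 1) + 1
    return pow(EG_G, r, EG_P), m * pow(h, r, EG_P) % EG_P

def elgamal_decrypt(x, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, x, EG_P), -1, EG_P) % EG_P

def elgamal_mul(ct1, ct2):
    # Component-wise product: (g^(r1+r2), m1 * m2 * h^(r1+r2))
    return ct1[0] * ct2[0] % EG_P, ct1[1] * ct2[1] % EG_P

def demo():
    """Operate on ciphertexts only, then decrypt the combined result."""
    rsa_pub, rsa_priv = rsa_keygen()
    pa_pub, pa_priv = paillier_keygen()
    h, x = elgamal_keygen()
    rsa_c = rsa_mul(rsa_pub, rsa_encrypt(rsa_pub, 123), rsa_encrypt(rsa_pub, 456))
    pa_c = paillier_add(pa_pub, paillier_encrypt(pa_pub, 123),
                        paillier_encrypt(pa_pub, 456))
    # 9 and 25 are squares mod p, so both messages lie in G_q
    eg_c = elgamal_mul(elgamal_encrypt(h, 9), elgamal_encrypt(h, 25))
    return {
        "rsa_product": rsa_decrypt(rsa_priv, rsa_c),
        "paillier_sum": paillier_decrypt(pa_pub, pa_priv, pa_c),
        "elgamal_product": elgamal_decrypt(x, eg_c),
    }

if __name__ == "__main__":
    print(demo())
```

Each scheme supports only one operation on ciphertexts (multiplication for RSA and ElGamal, addition for Paillier), which is what separates these partially homomorphic systems from FHE.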

2.4 The proposed scheme FHE preliminaries

This algorithm generates a list of parameters that are used in HE algorithms. It takes the desired security level as an input and outputs the parameters.

$$\mathrm{ParamGen}(\lambda,PT,K,B) \rightarrow \text{Params}$$

This document only describes the underlying plaintext space of a parametrized format. It does not specify the type of approximate numbers that can be used in the space.

$$\left( V_{1},\ldots,V_{K} \right) + \left( V_{1}^{\prime},\ldots,V_{K}^{\prime} \right) = \left( V_{1} + V_{1}^{\prime},\ldots,V_{K} + V_{K}^{\prime} \right)$$

The encryption of a message is performed by parametrizing the digits with the plaintext space Zp. The message space is an integer that is equal to the range [0,1023).

$$\mathrm{PubKeygen}(\text{Params}) \rightarrow \text{SK, CUPK, EK}$$

The extension rings and fields are parameterized by modulus p, and they are also specified by a polynomial f(x), which is equal to the plaintext space Z[x].

$$\mathrm{SecKeygen}(\text{Params}) \rightarrow \text{SK, EK}$$

The dimension of the encrypted vectors is defined as the space where the messages are encrypted, which is used to prevent a sequence of text that is identical to a prior sequence from producing exactly the same ciphertext, by using a continuously changing integer in combination with a secret key. It is usually computed by definition, which is the operation that is performed component-wise.

$$\mathrm{PubEncrypt}(\text{CUPK, Msg}) \rightarrow \text{C}$$

As per external sources, the auxiliary parameter acts as a supplementary value that is used to encrypt the messages for secure transmission. The auxiliary parameter B is used to specify the complexity of the programs and circuits that can be carried out on encrypted messages. Generally, lower-complexity programs and circuits are more efficient in their evaluation.

$$\begin{array}{@{}rcl@{}} SecEncrypt(SK,M) &\rightarrow& C \\ Decrypt(SK,C) &\rightarrow& Msg \\ \end{array}$$

A fuzzy extractor is a set of procedures that can reliably extract random bits from a given input. It is usually not error-tolerant if the input changes. Gen is a probabilistic generator procedure that outputs an extracted string from a biometric input, which is obtained from the biometric characteristics acquired by applying adequate sensors to extract a biometric template in an enrolment process. It does so by extracting the specified string from the CUBIO distribution. \(Rep\left (\text{FH}E^{\prime },P \right ) = Q\) if \(\text{CUBI}O^{\prime }\) is reasonably close to CUBIO.

For an FHE distribution on M with minimum randomness m, the distribution’s randomness is equal to the sum of the digits of the operation name. Gen is a cyclic generation procedure, Gen(CUBIO) = (R,P), that takes the biometric input and outputs an extracted string. Rep is a procedure that returns V from the string U and the vector \(\text{CUBI}O^{\prime }\). For \(\left (CUBIO,CUBIO^{\prime } \right ) \in M\) it does so by converting the data pair \(\left (\text{CUBI}O^{\prime } \right )\) to Q. KG chooses the system’s global parameter q, and then generates public and private key pairs with a large prime number zq.

$$\begin{array}{@{}rcl@{}} &&\left( HSK_{a} = k_{a},\ CUPK_{a} = g^{k_{a}} \bmod n \right),\\ &&\left( HSK_{b} = k_{b},\ CUPK_{b} = g^{k_{b}} \bmod n \right) \text{ and}\\ &&\left( HSK_{c} = k_{c},\ CUPK_{c} = g^{k_{c}} \bmod n \right) \text{ for } CU_{a}, CU_{b} \text{ and TCS} \end{array}$$

2.5 Preliminaries

A fuzzy extractor is a procedure that can extract almost uniform randomness from a biometric input. It is error-tolerant if the input changes or the output is not sufficiently close to the original one.

  1. Gen is a probabilistic generator that outputs an extractable string containing a biometric input as Gen(CUBIO) = (Q,P).

For any distribution of m, if the generating function Gen(CUBIO) = (Q,P), then randomness collected the operator and the string is equal to the sum of the distributions CUl.

  2. The Rep operator \(\left (FHE,CUBIO^{\prime } \right ) \in M\) is a predictable mechanism that allows for the recovery of information V concerning the U string \(DIS\left (CUBIO,CUBIO^{\prime } \right ) \leq t\), if Gen(CUBIO) = (Q,P) and the \(CUBIO^{\prime }\) vector is close to V.
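The Gen/Rep pair and the distance bound t can be made concrete with a code-offset construction. The Python sketch below is an added example, not the paper's construction: it assumes a 5-fold repetition code as the error-correcting code, SHA-256 as the extractor, and a constructed 40-bit template standing in for CUBIO.

```python
import hashlib
import secrets

REP = 5                   # each key bit is repeated REP times (repetition code)
T = (REP - 1) // 2        # bit errors tolerated regardless of where they fall

# Constructed 40-bit "biometric template" standing in for CUBIO.
ENROLLED = [1, 0, 1, 1, 0,  0, 1, 1, 0, 1,  1, 1, 0, 0, 1,  0, 0, 1, 0, 1,
            1, 0, 0, 1, 1,  0, 1, 0, 1, 0,  1, 1, 1, 0, 0,  0, 1, 1, 0, 1]

def _encode(key_bits):
    """Repetition-code encoder: b -> b repeated REP times."""
    return [b for b in key_bits for _ in range(REP)]

def _decode(code_bits):
    """Majority vote per block of REP bits."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def _extract(key_bits):
    """Derive the output string Q; SHA-256 stands in for a strong extractor."""
    return hashlib.sha256(bytes(key_bits)).hexdigest()

def distance(a, b):
    """DIS(CUBIO, CUBIO'): Hamming distance between two templates."""
    return sum(x != y for x, y in zip(a, b))

def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (sensor noise)."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

def gen(bio):
    """Gen(CUBIO) = (Q, P): Q is the secret string, P the public helper data."""
    if len(bio) % REP:
        raise ValueError("template length must be a multiple of REP")
    key = [secrets.randbelow(2) for _ in range(len(bio) // REP)]
    helper = [w ^ c for w, c in zip(bio, _encode(key))]   # P = CUBIO xor C(key)
    return _extract(key), helper

def rep(bio_prime, helper):
    """Rep(CUBIO', P): reproduces Q when DIS(CUBIO, CUBIO') <= T."""
    if len(bio_prime) != len(helper):
        raise ValueError("template and helper data lengths differ")
    noisy_codeword = [w ^ p for w, p in zip(bio_prime, helper)]
    return _extract(_decode(noisy_codeword))

if __name__ == "__main__":
    q, p = gen(ENROLLED)
    print(rep(flip(ENROLLED, {3, 27}), p) == q)     # within T: same Q
    print(rep(flip(ENROLLED, {0, 1, 2}), p) == q)   # beyond T: different Q
```

The helper data P is stored in the clear and, with a code this weak, reveals which template bits agree within each block, so the entropy left in Q is far below the template length; production designs use stronger codes and size the template accordingly.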

2.6 System initialization phase

The first parameter KG chooses \(x_{1}:\{ 0,1\}^{*} \rightarrow \{ 0,1\}^{n},x_{2}:\{ 0,1\}^{*} \rightarrow Z_{a}^{*}\). At last, KG is the global parameter q, and the second one is the generator g. Then, it chooses hash functions h1 : 1,1,1,1 ∗, and q public \(\left (HSK_{a} = k_{a},CUPK_{a} = g^{k_{a}} \bmod n \right )\), \(\left (HSK_{b} = k_{b},CUPK_{b} = g^{k_{b}} \bmod n \right )\) and \(\left (HSK_{c} = k_{c},CUPK_{c} = g^{k_{c}} \bmod n \right )\) for CUa, CUb. CUPK distributes the public and private key pairs to the parties involved (Fig. 2).

Fig. 2 Cloud user and server transaction phases with FHE authentication mechanism to provide safe data access

3 Cloud server and user mutual authentication scheme for secured storage and access

There are some processes that must be completed in order to safeguard data access in diverse applications: user registration, authentication, and password changing. The steps of the user authentication procedure are shown in this section.

3.1 Cloud user registration phase

In order to take advantage of the cloud storage service offered by TCS, users must first complete a registration. This step is required to check that the user has been granted permission to access the service. When it comes to establishing trust, both sides must verify their communications with one another. In this case, the user CUa sends a registration request to server TCS after forming a CS account and choosing an identity CIDi for themselves. TCS is responsible for saving the information about the user Qi on a mobile device, and then securely communicates the information to Ui. Following that, CUa selects a password \(\left (\text{CUP}W_{i} \right )\) that is evenly spread across the system. She also leaves a trace of her Bioi on the sensor, which may be detected. In the next phase, the variables Yi, Mi, Ni, It, h(), Gen(), and Rep() are inserted into a device with the values they represent.

Step 1: The Cloud Server CUa selects and inputs the identity and password of the user. The biometric template created by the fuzzy extractor is subsequently imprinted on the Cloud Server. C transfers the variable Ai via a secure channel and saves the parameters \(\left (g,h_{1},b_{a} \right )\) in the Cloud Server’s memory.

Step 2: CS sends Ai = h1left,Bi = h1left, and submits the parameters through a secure channel.

$$\begin{array}{@{}rcl@{}} \text{FHERP}W_{a} & =& h\left( b \parallel CUPW_{a} \right) \\ Gen\left( \text{Bi}o_{a} \right) & =& \left( \sigma_{a},\tau_{a} \right) \\ N_{a} & =& R_{a} \oplus h\left( \sigma_{a} \parallel\text{FHERP}W_{a} \parallel b \right) \\ \text{Ms}g_{a} & =& h\left( b\parallel ID_{a} \parallel\text{FHERP}W_{a} \parallel\sigma_{a} \parallel R_{a} \right) \\ N_{a} & =& b \oplus h\left( ID_{a}\parallel\text{CUP}W_{a} \parallel\sigma_{a} \right) \\ \end{array}$$

3.2 Cloud user initial login and authentication protocol

In order to build confidence between the Data User and the Cloud Service Provider, these two parties must first authenticate one another. The Babu et al. protocol is a cryptographic system using Blockchain-based authentication that may be employed with or without a smart card, depending on the condition. Cryptography is an integral part of the inner workings of blockchain technology; it provides the trait of immutability and improves security, scalability and reliability. Here, a registered user CUi authenticates himself or herself by inputting the card reader and biometric sensor credentials into the appropriate fields. Ui is subjected to biometric scanning in order to determine the user’s physical characteristics. Ui then authenticates by entering the credentials IDi, PWi, and BIOa into the authentication dialogue box. After that, the smart card creates a cancelable fingerprint C0T I, which is subsequently retrieved using error-correcting techniques. SCi determines if h(r0i) equals h(ri). If it fails to do so, the session is terminated without further delay.

Step 1: CUa inputs CUIDi and CUPWi in the login screen. The Cloud Server then calculates the number of sessions computed by the Cloud Server. If it is equal, the session is ended.

If the identity CUIDi is valid, TCS checks if the number \(B_{a}^{\prime }\) is equal to the one provided by the user. It is ignored if the two numbers are not equal in size.

Step 2: If the identity CUIDi is valid, TCS checks if the request is equal. If it is \(\text{BI}O_{a}^{\prime } = x_{1}\left (CSIDi \parallel k_{c} \right )\), it rejects the login request.

Step 3: Va sends the TCS authentication message to the Upi. If the session is ended, then the cloud user can verify the authentication of the TCS by CUpi. CUa computes \(\text{GR}P_{a}^{\prime } = F_{a}^{r_{a}} \bmod N\), \(HSK^{\prime } = x_{1}\left (CSIDi \parallel GRP_{a}^{\prime } \right )\), \(X_{a}^{\prime } = x_{1}\left (B_{a} \parallel D_{a} \parallel F_{a} \parallel HSK^{\prime } \right )\).

\(\text{Ms}g_{3} = x_{1}\left (\text{CSIDi} \parallel B_{a}\parallel D_{a} \parallel F_{a} \parallel \text{HS}K^{\prime } \right )\) and submits \(\left \{ \text{Ms}g_{3} \right \}\) to TCS.

Step 4: CS computes \(\text{Ms}g_{3}^{\prime } = h(CUIDi)\left (B_{a}^{\prime } \right )(CUIDi)\).

\(\text{Ms}g_{3}^{\prime } = x_{1}\left (\text{CSIDi} \parallel B_{a}^{\prime } \parallel D_{a}\parallel F_{a} \parallel \text{HSK} \right )\), and checks \(\text{Ms}g_{3}^{\prime }\overset {?}{=}\text{Ms}g_{3}\).

For these secret communications, the two parties CUa and TCS share a session key \(HSK = x_{1}\left (CSIDi \parallel g^{r_{a}r_{c}} \bmod N \right )\).

3.3 Password change phase

The CUa user may make changes to his or her passwords without the assistance of the cloud storage service provider. In order to do this, the user must successfully enter the passwords and imprint the data on the screen. \(\text{CUBI}O_{a}^{\prime }\). The Cloud Server checks the computed \(V_{a}^{\prime } = h_{1}\) left > to verify the user’s identity. \(V_{a}^{\prime } = Rep\left (\text{CUBI}O_{a}^{\prime },P_{a} \right )\), \(\text{FHERP}W_{a}^{\prime } = x_{1}\left (R_{a}^{\prime } \parallel CUPW_{a} \right ),A_{a}^{\prime } = x_{1}\left (CSIDi \parallel FHERPW_{a}^{\prime } \right )\), and checks \(A_{a}^{\prime }\overset {?}{=}A_{a}\). If the passwords \(\text{CUP}W_{a}^{\text{new}}\) are not equal, the Cloud Server will terminate the password change request. The user is asked to enter a new password. The Cloud Server will also replace the existing passwords with new ones. \(\text{FHERP}W_{a}^{\text{new}} = x_{1}\left (R_{a}^{\prime } \parallel CUPW_{a}^{\text{new}} \right ),A_{a}^{\text{new}} = x_{1}\left (CSIDi \parallel FHERPW_{a}^{\text{new}} \right )\), \(C_{a}^{\text{new}} = C_{a} \oplus FHERPW_{a}^{\prime } \oplus FHERPW_{a}^{\text{new}}\), and replaces Aa and Ca with \(A_{a}^{\text{new}}\) and \(C_{a}^{\text{new}}\).

3.4 Storage and access in cloud

This section describes a secure data sharing scheme that enables users to store and share their data \(m \in Z_{q}^{*}\) in cloud storage. For a user CUa to send data to the receiver, the scheme requires that he or she register with the cloud storage provider.

Step 1: The user CUa generates a random number \(\alpha \in Z_{a}^{*}\), and stores the encrypted data of m on the device as \(m_{e} = m \cdot g^{\alpha } \cdot CUPK_{a}^{x_{2}(CSIDi \parallel \alpha )} \bmod q\), \(m_{V} = x_{1}\left (g^{\text{Msg}} \bmod N \right )\). In order to get the original data, the user authenticates and obtains the original data stored on the server TCS.

Then, after storing the random number a ∗, the device stores the encrypted data of m ∗ as well as the original data. When he wants to recover the original data \(m = m_{e} \cdot g^{- \alpha } \cdot \left (g^{x_{2}(CSIDi \parallel \alpha )} \right )^{- k_{a}} \bmod N\), he authenticates, retrieves the data, and verifies whether m is valid by checking \(x_{1}\left (g^{\text{Msg}} \bmod N \right )\overset {?}{=}m_{V}\).

Step 2: The receiving user then submits CUblogin to CS a data sharing request from CUa.

Step 3: Login of Ua generates two random numbers \(V_{b} = g^{r_{b}}\text{modN.}R_{c} = g^{r_{c}^{\prime }}modN,m_{c}^{*} = CUPK_{c}^{- r_{c}^{\prime }} \cdot g^{- \alpha }modN,m_{b}^{*} = CUPK_{b}^{- r_{b}}\text{CUP}K_{a}^{- x_{2}(CSIDi \mid \alpha )}\text{mod}\)N. and \(r_{b},r_{c}^{\prime } \in Z_{c}^{*}\). Now Computes CUa submits (CSIDj, \(R_{c},m_{c}^{*}\) ) to TCS, and submits \(\left (R_{b},m_{b}^{*} \right )\) to CUb.

Step 4: After receiving the message \(\left (R_{c},m_{c}^{*} \right ),CS\) computes mc = me. \(m_{c}^{*} \cdot R_{c}^{k_{c}}\text{modN}\), and submits \(\left (m_{c},m_{V} \right )\) to the user CUb sends the message to the user.

Step 5: When receiving the message, enter username and the shared message m is obtained by calculating the sum of the two numbers. \(\left (R_{b},m_{b} \right )\) and \(\left (m_{c},m_{V} \right ),CU_{b}\) obtains the shared data m by computing \(m_{b} = m_{c} \cdot m_{b}^{*}\). \(R_{b}^{k_{b}}\text{modN}\), and the validity of data \(mx_{1}\left (g^{m_{b}}\text{modN} \right )\overset {?}{=}m_{V}\) validate that to receive the data. Store \(\left (m_{e},m_{V} \leftarrow 2.(CSIDi,CSIDj \right.\), Request ) (CSID j, Q_

4 Random oracle model (ROM) and BAN logic for formal security analysis and verification

In this study, we explain the notion of safe data storage and access using BAN logic, a formal technique. This technique accomplishes the aims of data protection for the user.

P believes that X is true.

  (1) U believes M is true, i.e. \(U \mid \equiv X\) : U believes M

  (2) Someone sent a message which contains M to U, and U can read X, i.e. UX : U sees M

      This function returns the message containing M once sent.

  (3) An earlier iteration of U delivered a message with M attached, i.e. \(U \mid \sim X\) : U once said M

  (4) M is subject to the jurisdiction of entity U, and U is trusted for M, i.e. UX : U controls M

      Since the present round of protocol, no entity has sent a message containing M.

  (5) No entity sent a message containing M at any time before the current round of protocol, i.e. #(M) : M is fresh

  (6) \(U\overset {K}{\longleftrightarrow }V\) : U and V, the two users and the server, may interact with one another through the shared key K, where K is said to be more secure if no other entity can get it except for U, V and the entity trusted by U, V.

      Rule 1 Message means that if U believes that he/she shares the key K with V, then U should believe that V once said M.

  (7) (M,N) : M and N are components of the message (M,N).

  (8) {M,N}K : M and N are encrypted using the key K.

  (9) (M,N)K : Using the key K, M and N are hashed together.

Goal 1: \(CU_{a} \mid \equiv \left (U_{a} \overset {HSK}{\longleftrightarrow } CS \right )\).

Goal 2: \(CU_{a} \mid \equiv CS \mid \equiv \left (U_{a} \overset {HSK}{\longleftrightarrow } CS \right )\).

Goal 3: \(CS \mid \equiv \left (U_{a} \overset {HSK}{\longleftrightarrow } CS \right )\).

Goal 4: \(CS \mid \equiv CU_{a} \mid \equiv \left (U_{a} \overset {HSK}{\longleftrightarrow } CS \right )\).

Rule 1: Message meaning rule: Message means that if a person believes that he/she has a key K, then he/she should see the message XK.

sees the message {X}K,U believes that V once said M.

Rule 2: Nonce verification rule: If U believes that M is fresh and V once said M, then U believes that M.

\(\frac{P \mid \equiv \#(X),\ P \mid \equiv Q \mid \sim X}{P \mid \equiv Q \mid \equiv X}\), if U believes M is fresh and V once said X, U believes V believes M.

Rule 3: Jurisdiction rule: If V believes that it has jurisdiction over M, then it should believe that it has jurisdiction over M.

P∣≡X, if U believes that V had jurisdiction right to M and believes V believes X,U believes M.

Rule 4: Freshness rule:

\(\frac{P \mid \equiv \#(X)}{P \mid \equiv \#(M,N)}\). If message (M,N) contains message M, then message (M,N) must be fresh as well.

Rule 5: Belief rule: If U believes that the message is clear and unambiguous (M,N), then U believes that the message is clear and unambiguous (X).

$$P| = Q| \equiv (M,N)$$

Rule 6: Seeing rule: \(\frac{P \triangleleft (M,N)}{P \triangleleft X}\). M is a part of the message (M,N), and if U sees (M,N), U also sees M.

Before the formal analysis, the two parties such as Data user and cloud service providers should first communicate the messages that they exchanged, first assume that the two parties are communicating through normal SMS messages.

The validity of A1 and A2 depends on the random numbers generated by ra and rc, which are both fresh random numbers.

A1 and A2 are valid since ra and rc are random numbers produced by CUa and TCS. To put it another way, because of the freshness of both ra and rc, A3 and A4 are reasonable choices. Using the device’s information and the server’s identification, the user may derive the secret key. A logical assumption is that the user’s identity and Cloud Server information are known. User CUa and server TCS can calculate \(x_{1}\left (\text{CSI}D_{i} \mid k_{c} \right )\) from the Cloud Server information, the secret key \(k_{c}^{\prime \prime }\) and the user’s identification, so A5 and \(A_{6}^{\prime \prime }\) are also reasonable.

In this paper, we prove that a proposed protocol can meet the goals of its intended users. We provide a detailed description of the proposed protocol.

\(S_{1}: CU_{a} \mid \equiv CS \mid \sim \left (D_{a},F_{a},CU_{a} \overset {HSK}{\longleftrightarrow } CS \right )\). We use the freshness-conjuncatenation rule to obtain

\(S_{2}: CU_{a} \mid \equiv \#\left (D_{a},F_{a},CU_{a} \overset {HSK}{\longleftrightarrow } CS \right )\). Based on the premise of S3 and S4, the nonce-verification rule is used in order to get the result.

\(S_{3}: CU_{a} \mid \equiv CS \mid \equiv \left (D_{a},F_{a},CU_{a} \overset {HSK}{\longleftrightarrow } CS \right )\). Based on the premise of S5, we use the belief rule in order to attain our goals.

\(S_{4}: CU_{a} \mid \equiv CS \mid \equiv \left (U_{a} \overset {HSK}{\longleftrightarrow } CS \right )\) (Goal 2). Based on the premise of A7 and S6, we apply jurisdiction rule for the belief rule in order to attain our goals.

\(S_{5}: CU_{a} \mid \equiv \left (U_{a} \overset {HSK}{\longleftrightarrow } CS \right )\) (Goal 1). Based on the premise of message 3, we can get

\(S_{6}: CS \triangleleft \left (CSIDi,CD_{a},F_{a},CU_{a} \overset {HSK}{\longleftrightarrow } CS \right )_{x_{1}\left (CSIDi \parallel k_{c} \right )}\). Based on the premise of S8 and A6, we employ the message meaning for belief rule in order to attain our goals.

\(S_{7}: CS \mid \equiv CU_{a} \mid \sim \left (CSIDi,CD_{a},F_{a},CU_{a} \overset {HSK}{\longleftrightarrow } CS \right )\). Based on the premise of A4, we apply freshness-conjuncatenation belief rule in order to attain our goals.

\(S_{8}: CS \mid \equiv \#\left (CSIDi,CD_{a},F_{a},CU_{a} \overset {HSK}{\longleftrightarrow } CS \right )\). Based on the premise of S9 and S10, we apply nonce-verification for belief rule in order to attain our goals.

\(S_{9}: CS \mid \equiv CU_{a} \mid \equiv \left (CSIDi,CD_{a},F_{a},CU_{a} \overset {HSK}{\longleftrightarrow } CS \right )\). Based on the premise of S11, we apply belief rule to obtain

\(S_{10}: CS \mid \equiv CU_{a} \mid \equiv \left (U_{a} \overset {HSK}{\longleftrightarrow } CS \right )\) (Goal 4). Based on the premise of A8 and S12, we apply jurisdiction to use the belief rule in order to attain our goals.

\(S_{13}: CS \mid \equiv \left (U_{a} \overset {HSK}{\longleftrightarrow } CS \right )\) (Goal 3).

The many security measures of the proposal are discussed in detail in this section.

4.1 Random oracle model (ROM)

The Random Oracle Model was used for our formal security analysis. The random-oracle model (ROM) is used for designing and analysing cryptographic protocols. It gives random functions that would undoubtedly create excellent cryptographic hash functions and security proofs for extremely practical constructions of crucial cryptographic building blocks like digital signatures, public-key encryption, and key exchange. It is commonly regarded as strong evidence that a protocol would withstand assaults in practise, despite its recognised inability to provide verifiable assurances when instantiated with a real-world hash function. This framework offers a simple and effective security paradigm for our proposed solution. We validate the ROM scheme’s security and privacy and use the same security model.

Theorem 1

An adversary \(\mathcal {U}_{A}\) can execute multiple oracle queries with execution time of less than 2 minutes. The adversary can break the security of Urp by using the hash function \(h(\cdot)\). P denotes the protocol’s correctness. D denotes the password dictionary. If the Urp protocol is not followed, then the query will be executed by an adversary.

$$\text{Adv}t_{P_{\text{rp}},D}^{\text{AKE}}\left( \mathcal{U}_{A} \right) \leq M^{\prime} \cdot q_{s}^{N^{\prime}} + \epsilon(w)$$

where \(M^{\prime }\) and \(N^{\prime }\) are the security parameter and trivial function of Zipf.

Proof

In every game, the Test query 0 to Game 1 − 6 is used to guess the correct bit. The result Sa and \(U_{r}\left \lbrack S_{a} \right \rbrack\) is presented as the probability of the chosen bit being correct. The game is offered as Sa and Ur left.

$$\text{Adv}t_{P_{\text{rp}},D}^{\text{AKE}}\left( \mathcal{U}_{A} \right) = P_{r}\left\lbrack S_{0} \right\rbrack$$

Game 1: This game shows how to establish a hash list \(h(\cdot)\) with a secure hash function.

$$\left| P_{r}\left\lbrack S_{1} \right\rbrack - P_{r}\left\lbrack S_{0} \right\rbrack \right| \leq \epsilon(w)$$

Game 2: Collisions have been ruled out in all possible sessions. The game will be terminated if there is a collision.

$$\left| P_{r}\left\lbrack S_{2} \right\rbrack - P_{r}\left\lbrack S_{1} \right\rbrack \right| \leq \epsilon(w)$$

Game 3: The game’s simulation rules have been altered using the execute query. For example, the way private key sessions are calculated has been altered. If an attacker \(\mathcal {U}_{A}\) properly calculates \(X_{\text{cs}}\) during the passive session, it may get the difference between Games 2 and 3. To solve the task, we need to select some numbers randomly, \(r_{a1}\), \(r_{cs1}\), \(r_{a2}\) and \(r_{cs2}\), and compute \(T_{\text{Sk}} = r_{cs2}X_{a}\) and \(T_{\text{Sk}} = r_{a2}X_{\text{cs}}\). \(\mathcal {U}_{A}\) can make a query \(X_{\text{cs}},N_{\text{cs}},T_{\text{cs}}\) to the hash oracle.

$$\left| P_{r}\left\lbrack S_{3} \right\rbrack - P_{r}\left\lbrack S_{2} \right\rbrack \right| \leq \epsilon(w)$$

Game 4: In this game, the query method is applied to the active session: \(\mathcal {U}_{A}\) determines the authenticated \(X_{\text{cs}}\) to masquerade as \(\mathcal {A}\mathcal {U}_{a}\).

This rule is assigned the following responsibilities: to calculate \(N_{\text{cs}} = x_{1}\left (CUIDa \parallel CUIDs \parallel X_{a} \parallel X_{a}^{\prime } \parallel T_{a} \parallel T_{\text{cs}} \parallel T_{\text{sk}} \right )\) and to determine whether \(N_{\text{cs}}^{\prime }\overset {?}{=}N_{\text{cs}}\).

If this is correct, then \(\mathcal {\text{CS}}\) predicts a list \(\left \{ PCUIDa,X_{a}^{*},N_{a},T_{a} \right \}\) presented in Lhs. This method is computed by calculating the valid \(X_{\text{cs}}\) to disguise the query (Table 2).

$$\left| P_{r}\left\lbrack S_{4} \right\rbrack - P_{r}\left\lbrack S_{3} \right\rbrack \right| \leq \epsilon(w)$$
Table 2 Specifications for implementation

Game 5: The game’s active session is used to query. This game will be aborted if the query succeeds and finds the record \(X_{\text{cs}}\).

$$\left| P_{r}\left\lbrack S_{5} \right\rbrack - P_{r}\left\lbrack S_{4} \right\rbrack \right| \leq \epsilon(w)$$

Game 6: The session key Sk of \(\mathcal {A}\mathcal {A}_{a}\) and CS is chosen at random in this game. The advantage of \(\mathcal {U}_{a}\) in guessing the session key is negligible.

$$\begin{array}{@{}rcl@{}} \left| P_{r}\left\lbrack S_{6} \right\rbrack \right| & \leq& M^{\prime} \cdot q_{s}^{N^{\prime}} \\ \text{Adv}t_{P_{\text{rp}},D}^{\text{AKE}}\left( \mathcal{U}_{A} \right) & \leq& M^{\prime} \cdot q_{s}^{N^{\prime}} + \epsilon(w) \\ \end{array}$$

It can be performed within polynomial time. For the algorithm’s implementation, we need to know the self-reducibility of the problem, \(\text{Adv}_{CDH,P_{\text{rp}}}(C) = \mid Pr\left \lbrack C\left (P,r_{a2}P,cupk_{\text{cs}},r_{a2}\text{cup}k_{\text{cs}} \right ) = 1 \right \rbrack - Pr\left \lbrack C\left (P,r_{\text{cs}},r_{cs2}P\quad sk_{\text{cs}} \right ) = 1 \right \rbrack \mid\), where \(sk_{\text{cs}}\) is a fixed value. Because of its difficulty, the CDH problem is viewed as infeasible in polynomial time. It has been shown that the theorem is accurate.

Now, \(\text{Adv}_{CDH,P_{\text{rp}}}(C) \geq \mid Pr\left \lbrack \text{TestAnon}\left (\text{cCUID}C^{c},cCUIDc^{j} \right ) = 1 \right \rbrack - Pr\left \lbrack \text{TestAnon}\left (\text{cid}_{C}^{c},\text{cid}_{C}^{k} \right ) = 1 \right \rbrack \mid\).

5 Security and performance evaluation

The different security characteristics of a suggested user authentication mechanism are presented in this section.

5.1 User friendly

The user can freely choose the username and passwords for secure data access. To update the password, CUa inputs CSIDa and CUPWa; the user needs to input the data required to create the new password, \(V_{a}^{\prime }\) according to \(CUBIO_{a}^{\prime }\) and Ua, and computes \(FHERPW_{a}^{\prime }, A_{a}^{\prime }\), and the Cloud Server will reproduce the data.

After verifying the validity of the user’s identity \(A_{a}^{\prime }\overset {?}{=}A_{a}\), password and biometric, the Cloud Server sends a message \(\_{a}^{\text{new}}\) to compute \(FHERPW_{a}^{\text{new}},A_{a}^{\text{new}},C_{a}^{\text{new}}\), and replaces \(A_{a}\) and \(C_{a}\) with \(A_{a}^{\text{new}}\) and \(C_{a}^{\text{new}}\) to the mobile app to reset the passwords. Once this is accomplished, the user will be able to change his or her password without having to contact the cloud storage service provider.

5.2 Safeguard against a stolen verifier attack

Specifically, the suggested approach offers a way of mutual authentication between a cloud storage provider and its user. There is a reliance on the shared secret knowledge \(x_{1}\left (CSIDi \parallel k_{c} \right )\) for the approach to work. Utilizing the information supplied by the Cloud Server, CUa can extract the value \(x_{1}\left (CSIDi \parallel k_{c} \right )\), which can then be calculated by TCS by using CUa’s identity CSIDi and the secret key \(k_{c}\) provided by the Cloud Server. When the cloud storage provider accesses the Cloud Server, they will be able to extract the value of the secret information.

5.3 Efficient wrong password detection

The proposed method will allow the Cloud Server to quickly identify the unauthorized access by the user when they input a wrong password. This method will prevent the cloud storage provider from checking the credentials of the users.

In the login phase, CUa inputs CSIDi and imprints the fingerprint biometric \(CUBIO_{a}^{\prime }\) on the Cloud Server. CUa inputs a wrong password \(CUPW_{a}^{*}\left (\neq CUPW_{a} \right )\) by mistake. Then, the Cloud Server computes \(V_{a}^{\prime } = Rep\left (CUBIO_{a}^{\prime },P_{a} \right )\) and \(FHERPW_{a}^{\prime } = x_{1}\left (R_{a}^{\prime } \parallel CUPW_{a}^{*} \right )\left (\neq x_{1}\left (R_{a} \parallel CUPW_{a} \right ) = FHERPW_{a} \right )\), and it is obvious that \(A_{a}^{\prime } = x_{1}\left (CSIDi \parallel FHERPW_{a}^{\prime } \right ) \neq x_{1}\left (CSIDi \parallel FHERPW_{a} \right ) = A_{a}\). Then, the device computes the incorrect Vi ∗ left = operatornameCUBIOprime.

5.4 Resist replay attack without use of clock synchronization

The goal of this proposed scheme is to prevent replay attack by generating a random number and a timestamp for each session. This method will prevent the attackers from accessing the synchronized clocks of all the entities in the network.

5.5 Authentication process and session key agreement

In terms of security, both the authentication process and the session key agreement are regarded to be among the most important factors to consider. At first, on receiving the authentication request \(Msg_{1} = \left \{ CSIDi,D_{a},E_{a} \right \}\) from CUa, CS computes \(B_{a}^{\prime } = x_{1}\left (CSIDi \parallel k_{c} \right )\) and \(E_{a}^{\prime } = x_{1}\left (CSIDi \parallel B_{a}^{\prime } \parallel D_{a} \right )\), and the validity of the request is verified by checking \(E_{a}^{\prime }\overset {?}{=}E_{a}\).

Next, on receiving \(Msg_{2} = \left \{ F_{a},X_{a} \right \}\) from CS, CUa computes \(GRP_{a}^{\prime } = F_{a}^{r_{a}} \bmod N\), \(HSK^{\prime } = x_{1}\left (CSIDi \parallel GRP_{a}^{\prime } \right )\) and \(X_{a}^{\prime } = x_{1}\left (B_{a} \parallel D_{a} \parallel F_{a} \parallel HSK^{\prime } \right )\), and can authenticate TCS by checking \(X_{a}^{\prime }\overset {?}{=}X_{a}\) against the response message \(Msg_{2}\) from TCS. When receiving a mutual authentication message, TCS will ignore the \(M_{3}^{\prime }\) value and verify \(\left \{ Msg_{3} \right \}\) from CUa in step 4: it computes \(Msg_{3}^{\prime } = x_{1}\left (CSIDi \parallel B_{a}^{\prime } \parallel D_{a} \parallel F_{a} \parallel HSK \right )\), and can verify the validity of CUa by checking \(Msg_{3}^{\prime }\overset {?}{=}Msg_{3}\). The proposed scheme enables the user to authenticate with the cloud storage provider through a mutual authentication. As an additional step to the mutual authentication, the session key \(HSK = x_{1}\left (CSIDi \parallel g^{r_{a}r_{c}} \bmod N \right )\), which incorporates both \(r_{a}\) and \(r_{c}\) from each of the two member organizations, is computed by the cloud storage provider using the random numbers obtained after the mutual authentication.
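The three-message exchange of Section 5.5, with both sides' checks, as an added example that is not code from the paper. It assumes SHA-256 for \(x_{1}\), a toy prime modulus, and \(D_{a} = g^{r_{a}} \bmod N\), \(F_{a} = g^{r_{c}} \bmod N\) (inferred from the \(GRP_{a}^{\prime }\) and HSK formulas); the class and function names, the length-prefixed hashing and the range checks on \(D_{a}\) and \(F_{a}\) are additions.

```python
import hashlib
import hmac
import secrets

# Toy group (constructed for this demo): 2**127 - 1 is prime but far too small
# for real use. D_a = g^ra mod N and F_a = g^rc mod N are assumptions.
N, G = 2**127 - 1, 3

def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def x1(*fields):
    """x1(a || b || ...) as SHA-256. Fields are length-prefixed (an addition
    to the paper's plain concatenation) so field boundaries cannot shift."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()

class CloudServer:
    def __init__(self, k_c):
        self.k_c, self.pending = k_c, {}  # pending: CSIDi -> (expected Msg3, HSK)

    def register(self, csid):
        return x1(csid, self.k_c)  # B_a = x1(CSIDi || k_c)

    def on_msg1(self, msg1):
        csid, d_a, e_a = msg1
        b_a = x1(csid, self.k_c)
        if not 1 < d_a < N - 1:  # reject degenerate group elements
            return None
        if not hmac.compare_digest(x1(csid, b_a, i2b(d_a)), e_a):
            return None  # E_a' != E_a
        r_c = secrets.randbelow(N - 3) + 2  # fresh for every session
        f_a = pow(G, r_c, N)
        hsk = x1(csid, i2b(pow(d_a, r_c, N)))  # x1(CSIDi || g^(ra*rc) mod N)
        x_a = x1(b_a, i2b(d_a), i2b(f_a), hsk)
        self.pending[csid] = (x1(csid, b_a, i2b(d_a), i2b(f_a), hsk), hsk)
        return f_a, x_a  # Msg2

    def on_msg3(self, csid, msg3):
        expected, hsk = self.pending.pop(csid, (None, None))
        if expected is None or not hmac.compare_digest(expected, msg3):
            return None  # Msg3' != Msg3
        return hsk

class CloudUser:
    def __init__(self, csid, b_a):
        self.csid, self.b_a, self.hsk = csid, b_a, None

    def msg1(self):
        self.r_a = secrets.randbelow(N - 3) + 2
        self.d_a = pow(G, self.r_a, N)
        return self.csid, self.d_a, x1(self.csid, self.b_a, i2b(self.d_a))

    def on_msg2(self, msg2):
        f_a, x_a = msg2
        if not 1 < f_a < N - 1:
            return None
        hsk = x1(self.csid, i2b(pow(f_a, self.r_a, N)))  # GRP_a' = F_a^ra mod N
        fields = (i2b(self.d_a), i2b(f_a), hsk)
        if not hmac.compare_digest(x1(self.b_a, *fields), x_a):
            return None  # X_a' != X_a: server not authenticated
        self.hsk = hsk
        return x1(self.csid, self.b_a, *fields)  # Msg3

def run_session(user, server, tamper_f=False, replay_msg3=None):
    """Run Msg1..Msg3; returns the server's HSK, or None if any check fails."""
    msg2 = server.on_msg1(user.msg1())
    if msg2 is None:
        return None
    if tamper_f:  # F_a modified in transit
        msg2 = (msg2[0] * G % N, msg2[1])
    msg3 = user.on_msg2(msg2)
    if msg3 is None:
        return None
    return server.on_msg3(user.csid, replay_msg3 or msg3)
```

A Msg3 captured from an earlier session is rejected in a later one because the hash covers that session's \(D_{a}\), \(F_{a}\) and HSK, which is how the fresh random numbers of Section 5.4 take effect.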

5.6 Violation of user anonymity

The identity CUIDA of \(\mathcal {A}\mathcal {U}_{\dashv }\) is not sent in plain text CUIDa. However, UCUID a = CUID aXa. This is done via the use of a secret channel to deliver the results of the calculation to a private key termed \(\mathcal {\text{CS}}\), which is encrypted. The CUIDa, in addition, can only be created by the authorised \(\mathcal {\text{CS}}\) that is used to authenticate users, and it is not made accessible to the public.

5.7 Resist impersonation attack

In order to be successful in impersonating the user CUa, the attacker must first provide a legitimate username and email address into the system. The attacker must next generate a fake login request message using the user’s email address as a starting point, and send it to the victim. \(Msg_{1}^{*} = \left \{ CSIDi,D_{a}^{*},E_{a}^{*} \right \}\) and a valid response \(Msg_{3}^{*}\). The user also knows the Cloud Server’s \(B_{a} = h\left (CSIDi \parallel r_{c} \right )\). Since rc is and the user’s response \(h\left (CSIDi \parallel r_{c} \right )\) An attacker needs to know the Cloud Server’s details to carry out an attack. However, since the device’s details are only known to the network’s random number, the attacker would be unable to get them.

6 Cloud storage and data sharing security

This section is applicable to the proposed data sharing scheme.

6.1 Confidentiality

With our data sharing system, users can be certain that their information is completely safe and secure. CUa stores \(\left \{ m_{e},m_{V} \right \}\) as the encrypted data of m on TCS, where \(\alpha \in Z_{q}^{*}\) is a random number, \(m_{e} = m \cdot g^{\alpha } \cdot CUPK_{a}^{x_{2}(CSIDi \mid \alpha )} \bmod N\) and \(m_{V} = x_{1}\left (g^{\text{Msg}} \bmod N \right )\). The Trusted Cloud Storage (TCS) Provider allows holistic security and serves as a reference point for users, which is used to identify cloud providers that are aligned with their security requirements. TCS cannot estimate the original m without knowing the random number α. The hardness of finding discrete logarithms depends on the group: for small groups a solution is easily found, O (n), but for large groups the complexity is much harder, O (log k (n)).

6.2 Correctness

Users’ personal information may be retrieved by accessing the shared data m when the data sharing scheme is configured properly and the scheme is implemented correctly:

$$\begin{array}{@{}rcl@{}} m_{b} &=& m_{c} \cdot m_{b}^{*} \cdot R_{b}^{k_{b}} \bmod q \\ &=& \left( m_{e} \cdot m_{c}^{*} \cdot R_{c}^{k_{c}} \right) \cdot \left( CUPK_{b}^{-r_{b}} \cdot CUPK_{a}^{-x_{2}(CSIDi \parallel \alpha)} \right) \cdot R_{b}^{k_{b}} \bmod q \\ &=& \left( \left( m \cdot g^{\alpha} \cdot CUPK_{a}^{x_{2}(CSIDi \parallel \alpha)} \right) \cdot \left( CUPK_{c}^{-r_{c}^{\prime}} \cdot g^{-\alpha} \right) \cdot R_{c}^{k_{c}} \right) \cdot \left( CUPK_{b}^{-r_{b}} \cdot CUPK_{a}^{-x_{2}(CSIDi \parallel \alpha)} \right) \cdot R_{b}^{k_{b}} \bmod q \\ &=& m \cdot g^{\alpha} \cdot CUPK_{a}^{x_{2}(CSIDi \parallel \alpha)} \cdot CUPK_{c}^{-r_{c}^{\prime}} \cdot g^{-\alpha} \cdot R_{c}^{k_{c}} \cdot CUPK_{b}^{-r_{b}} \cdot CUPK_{a}^{-x_{2}(CSIDi \parallel \alpha)} \cdot R_{b}^{k_{b}} \bmod q \\ &=& m \cdot CUPK_{c}^{-r_{c}^{\prime}} \cdot R_{c}^{k_{c}} \cdot CUPK_{b}^{-r_{b}} \cdot R_{b}^{k_{b}} \bmod q \\ &=& m \cdot CUPK_{c}^{-r_{c}^{\prime}} \cdot g^{r_{c}^{\prime} k_{c}} \cdot CUPK_{b}^{-r_{b}} \cdot g^{r_{b} k_{b}} \bmod q \end{array}$$
(1)

6.3 Verifiable

Before obtaining the original data, the user must first authenticate with TCS and gets \(\left \{ m_{e},m_{V} \right \}\). The user may then recover m as \(m_{e} \cdot g^{- \alpha } \cdot \left (g^{x_{2}(CSIDi \parallel \alpha )} \right )^{- k_{a}} \bmod N\). Additionally, the correctness of the data m may be verified by checking \(x_{1}\left (g^{\text{Msg}} \bmod N \right )\overset {?}{=} m_{V}\). Similarly, when a user obtains shared data, he or she can verify its validity by checking the \(x_{1}\) hash value.
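The storage, recovery and verification formulas of Sections 6.1 and 6.3, run end to end, as an added example that is not code from the paper. It assumes SHA-256 for \(x_{1}\) and \(x_{2}\), a toy prime modulus, a public key of the form \(CUPK_{a} = g^{k_{a}} \bmod N\) (implied by the recovery formula), and that \(g^{\text{Msg}}\) denotes \(g^{m}\); all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group (constructed for this demo): 2**127 - 1 is prime but far too small
# for real use.
N, G = 2**127 - 1, 3

def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def x1(data):
    return hashlib.sha256(b"x1" + data).digest()

def x2(csid, alpha):
    """x2(CSIDi || alpha) mapped to an integer exponent; CSIDi is
    length-prefixed (an addition) to keep the two fields unambiguous."""
    data = len(csid).to_bytes(4, "big") + csid + i2b(alpha)
    return int.from_bytes(hashlib.sha256(b"x2" + data).digest(), "big")

def keygen():
    k_a = secrets.randbelow(N - 3) + 2
    return k_a, pow(G, k_a, N)  # (k_a, CUPK_a = g^k_a mod N): assumed key form

def store(m, csid, cupk_a):
    """Owner side: returns ({m_e, m_V} for TCS, alpha kept by the owner)."""
    if not 0 < m < N:
        raise ValueError("message must be encoded as an integer in (0, N)")
    alpha = secrets.randbelow(N - 3) + 2
    m_e = m * pow(G, alpha, N) * pow(cupk_a, x2(csid, alpha), N) % N
    m_v = x1(i2b(pow(G, m, N)))  # m_V = x1(g^m mod N)
    return (m_e, m_v), alpha

def recover(m_e, alpha, csid, k_a):
    """m = m_e * g^(-alpha) * (g^x2(CSIDi || alpha))^(-k_a) mod N."""
    mask = pow(G, alpha, N) * pow(pow(G, x2(csid, alpha), N), k_a, N) % N
    return m_e * pow(mask, -1, N) % N  # modular inverse, Python 3.8+

def verify(m, m_v):
    return hmac.compare_digest(x1(i2b(pow(G, m, N))), m_v)

def fetch(stored, alpha, csid, k_a):
    """Recover m and return it only if the m_V check passes, else None."""
    m_e, m_v = stored
    m = recover(m_e, alpha, csid, k_a)
    return m if verify(m, m_v) else None
```

Under these assumptions \(m_{V}\) depends on m alone, so storing the same m twice gives different \(m_{e}\) values but the same \(m_{V}\).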

6.4 Non-transferable

According to the recommended strategy, it is possible that the user CUl will get permission to share data from the user CUb, that is, \(\left (R_{b},m_{b}^{*} \right )\) and \(\left (m_{c},m_{V} \right )\) from CUa and TCS. Whoever gets the data sharing permission needs to know the secret key \(k_{b}\) of CUb to recover the original data. This scheme prevents the unauthorized transfer of the data sharing permission of CUb, because \(k_{b}\) is necessary to recover the original data (Table 3).

Table 3 Time complexity

7 Proposed FHE scheme experimental analysis

Table 3 can be used to calculate the time required to store the data during the data storage phase. When it comes to secure data access, time cost of hash operation and modular inversion refer to the parts of the process that require the usage of hash operations. When it comes to the authentication and login phases, both the user and the storage provider need \(2T_{e} + 6T_{h}\) for every session.

7.1 Theoretical analysis

Furthermore, the performance of our plan has been evaluated in relation to a number of other comparable schemes using the AVISPA tool. Automated Validation of Internet Security Protocols and Applications (AVISPA) is a push-button tool that provides a modular and expressive formal language for describing protocols and their security features. The benefits of this tool include the ability to integrate various back ends in order to execute a number of automatic analytic methodologies. It has a great level of scalability and robustness. The AVISPA tool is a commonly used security verification tool that may be used to test a broad range of Internet protocols and applications, including, but not limited to, the HTTP and HTTPS protocols. HTTP is the protocol for transferring hypertext over the Internet, whereas HTTPS is an extension of HTTP. HTTP has been the most extensively used protocol for data transfer over the Web due to its simplicity. It operates at the application layer, while HTTPS is used for secure communication and uses Transport Layer Security to encrypt data. AVISPA is also utilized to verify our scheme’s security measures. AVISPA has four back ends: 1) the on-the-fly model verifier, 2) the Constraint-Logic attack searcher, 3) the SAT-based model verifier, and 4) Tree Automata. All of the players’ responsibilities are depicted as fundamental roles in this diagram. The composition roles are also referred to as composition roles in this document. A threat model, developed by Dolev-Yao, is used to predict the behavior of the attacker. The HLPSL2IF security protocol combines an Intermediate Form and an output format (OF) that is used to construct a security protocol. If the protocol is unsafe, the attack trail of the failed protocol is included in the OF. Also included in this program is a display of overall operation statistics (OI).
Specifically, simulation results for the different back ends of the proposed method were left out of the paper. In addition, the fundamental roles for the different users were established. It is possible to layer the AVISPA and HLPSL implementations on top of one another. Ensuring the HLPSL implementation is done correctly will help guarantee that the security protocol can achieve a particular state. For the execution test, the scheme is carried out in batches and consists of several model checking sessions that are carried out simultaneously. The suggested technique enables authorized agents to carry out a given procedure while also searching for and identifying a passive intruder. This scheme is calculated using the OFMC and CL-AtSe back ends, which are both open source. The scheme is found in around 0.35 seconds after being searched. The depth of the network is around seven plies, and the number of visited nodes is approximately 128.

7.2 Computational complexity

We have computed the computational complexity of the various schemes in terms of the cryptographic operations that we have used, \(T_{h}\) and \(T_{pm}\). It takes 0.000732 ms to do a hash operation, whereas it takes 0.002975 ms to calculate the result of point multiplication. For calculating the computational complexity of this scheme, we have considered the various hash (\(T_{h}\)) functions that are involved in its operation. The time required for each operation and the number of operations performed are computed in the following tables. The results are shown in Figs. 3 and 4 and Table 4.

Fig. 3 AVISPA architecture

Fig. 4 After other factors, computational overhead

Table 4 Computational overhead

7.3 Storage overhead

The amount of space needed for keeping the different parameters of a specific scheme is referred to as the storage cost of the scheme. It is calculated by dividing the cost of storage by the number of bytes stored. In the table, it can be seen that our plan is around the same price as the other schemes. Our solution, on the other hand, is more cost-effective in terms of storage (Table 5 and Fig. 5).

Table 5 Analysis of Storage overhead

Fig. 5 Analysis of results in Storage overhead the computational cost of various proposed and related protocols. It is also shown in the Y-axis as the computation cost

7.4 Communication overhead

In computing the communication cost, the bit size of each entity’s message is taken into account. It is expressed as a percentage of the total amount of bytes available. The establishment of a session between two parties results (Table 6 and Fig. 6).

Table 6 Analysis of Communication overhead in Various Protocols with proposed model

Fig. 6 Comparison of Communication Cost (Number of Bits) in establishing a mutually authenticated connection between the two parties. In data sharing services, the user authenticates by presenting a credential token to the service provider

7.5 Comparison of security features

Cloud storage \(\mathcal {C}\) allows you to store and distribute encrypted data \(\mathcal {\text{AS}}\). The result shows the difference in the number of bits required for communication between the various protocols. Table-5 also shows the same efficiency comparison of the protocols with security features such as Data Confidentiality (F1), Flexible Data Access Control(F2), Man-in-Middle Attack (F3), Mutual Authentication(F4), Non-Repudiation (F5), Password Guessing Attack (F6), Password Stolen Attack(F7), Perfect Forward Secrecy (F8), Provide User Anonymity (F9), Server Impersonation (F10), Stolen Verifier and Privileged Insider Attack (F11) and User Impersonation Attack (F12). After analyzing the various aspects of our proposed protocol, we can conclude that it is more advantageous for our system’s resource utilization. It also provides enhanced security features (Table 7).

Table 7 Comparison of security features

8 Conclusion and future work

We presented a mechanism for user authentication that keeps individuals who are not allowed to do so from accessing cloud storage. Additionally, we proposed a safe data sharing system based on the intractable discrete logarithm problem. Numerous elements must be taken into account when determining the security of data sharing for cloud storage. Among them is ensuring that the data owner has access to the internet in order to spread the data. Cloud applications may benefit from this kind of secure data storage and access method. It incorporates the user attribute rules, biometrics, and Fully homomorphic double encryption necessary for storage provider access. If a user shares his data with another user, the system administrator must revoke the user’s authorization to share private data. Data may be moved to another cloud storage provider only with the express permission of the user. Unfortunately, there are several drawbacks to relying on the internet to communicate data. For instance, if the data owner intends to share his or her information with a group, he or she should specify which group. This method has the ability to protect data from unauthorised access. We compared and contrasted the proposed technique to existing studies on cloud storage. Recent techniques have exposed users’ privacy by making it simple for an attacker to identify a genuine user.