Message recovery concept is first proposed by Nyberg and Ruppel (1993). They showed that if the message encryption and digital signature computation can be done together, the sender only has to transmit a set of cipher text to achieve both authentication and encryption. The receivers can authenticate the data of the sender by checking whether the recovered message makes sense or not, and only the legal receiver has the key to correctly recover the original data. Thus, the message recovery scheme can encrypt the original message and generate its digital signature at the same time.

Lin and Chang (2008) used this concept to propose a new digital signature scheme for linearly hierarchical organization. In Lin and Yang’s (2012) scheme, the elliptic curve cryptosystem is applied to improve the computation efficiency of source authentication. The parameters used in Lin and Yang’s scheme are defined as follows: p is a large prime number, g is a point on the elliptic curve in the finite field GF ( p ), where g ∈ Z p ; M i is the message in packet i, where i is the packet’s sequence number; k i is a random number for the ith packet, and H ( . ) is a one-way hash function; GF ( p ) → R. ( y s , x s ) is the public and private key pair for the sender, where y s = x s × g mod p; ( y r j , x r j ) is the public and private key pair for the receiver j, where y r j = x r j × g mod p.

In Lin and Yang’s scheme, when the sender wants to send a message, and the sender has to generate the information set ( r i , s i , i ) using the following equations: r i ′ ≡ k i × g mod p , R i ≡ i × r i ′ mod p , m i ≡ M i + ( k i × i × y r j ) x mod p , where ( k i × i × y r j ) x is the x-coordinate of the point P.

r i ≡ m i + H ( R i ) mod p , and s i ≡ k i − x s × r i mod p .

After the information set ( r i , s i , i ) is generated, it is sent to the receivers. When the receivers receive the information set, each receiver will authenticate the sender and check the integrity of the message. Each receiver computes r i ′ by using its private key with the equation below: r i ′ ≡ s i × g + r i × y s mod p , R i ≡ i × r i ′ mod p , m i ≡ r i − H ( R i ) mod p, and M i ≡ m i − ( r i ′ × x r × i ) x mod p .

The recovered message will be meaningless if the sender or the receiver is illegal. That is, this scheme can achieve both source authentication and message encryption at the same time. However, there are two disadvantages in their scheme. First, their scheme cannot satisfy the forward secrecy and backward secrecy. According to the equations presented above, if a receiver’s public key is in the finite field of elliptic curve, the receiver can decrypt any data encrypted by the sender. This is a big problem when it applies to data sharing in cloud services because the malicious receiver can access the confidential data in this scenario. Second, when the sender wants to send a message to more than one receiver, the sender has to encrypt the message once for each receiver. This causes the high computation cost problem.

To achieve the higher efficiency and security, the bilinear pairing (Miller, 1986; Koblitz, 1987) is applied to the group signature schemes and ID-based encryption schemes (Zhang et al., 2004; Joux, 2002; Barreto et al., 2002; Bonehand and Franklin, 2001). Let G 1 be a cyclic additive group and G 2 be a cyclic multiplicative group of prime order p. The bilinear pairing e ˆ : G 1 × G 1 → G 2 has the following three properties (Lin et al., 2010). 1.

Bilinearity: for all g 1 , g 2 , g 3 ∈ G 1 and a , b ∈ Z q ∗ , e ˆ ( g 1 , g 2 + g 3 ) = e ˆ ( g 1 , g 2 ) · e ˆ ( g 1 , g 3 ) , e ˆ ( g 1 + g 2 , g 3 ) = e ˆ ( g 1 , g 3 ) · e ˆ ( g 2 , g 3 ) , and e ˆ ( a g 1 , b g 2 ) = e ˆ ( a b g 1 , g 2 ) = e ˆ ( g 1 , a b g 2 ) = e ˆ ( g 1 , g 2 ) a b .

According Lin et al. (2010), the DLP is supposed to be the hard problem is G 1 and G 2 in this paper.

Cloud service offers many benefits; it enables users to share their data with anyone on the cloud. However, the security, privacy, and integrity of the cloud services are the main challenges (Hay et al., 2011). To address these challenges, we propose a scheme in this paper that can satisfy the four security requirements as defined in Wang and Wu (2005) as follows. 1.

Forward secrecy and backward secrecy: forward secrecy says if the decryption key is leaked, the receivers cannot recover any data by the previous encryption key except when the data owner allows. Similarly, backward secrecy says when a data is shared with a new receiver, the new receiver cannot recover any of the previous data using the new decryption key unless the data owner allows.

Forward secrecy and backward secrecy: the encryption key is computed by K = e ˆ ( Q / P i , S i ), where Q = k ∏ l = i n P l . The parameter k is selected randomly in every session in the proposed scheme. Due to the discrete logarithm problem (DLP), k is hard to be computed. Therefore, neither previous members nor new entrants can compute other keys except the session they are involved in. As a result, forward secrecy and backward secrecy are achieved in this proposed scheme.

Source authentication: when a legal member wants to authenticate the data, the member can compute z ≡ u + v × P i × w mod q. Assume an attacker attempts to impersonate the legal data owner, then the attacker uses its public key P a to compute its private key S a and u a ≡ ( r − S a × v ) × g mod q. Then, the attacker uploads ( v , u a , n , Q ) to the cloud service. When a receiver recovers the data send by the attacker, the following equations are used: z a ≡ ( r − S a × v ) × g + v × P i × x × g mod q z a ≡ r × g − x × P a × v × g + v × P i × x × g mod q , R a ≡ n × z a mod q , M = m − ( z a × K × n ) mod q . The receiver can verify whether the data is from the legal data owner by determining if the result, M, is meaningless or not.

Data integrity: legal members can verify the integrity of the data using the following equations: z ≡ u + v × P i × w mod q , R ≡ n × z mod q , m ≡ v − H 2 ( R ) mod q , and M ≡ m − ( z × K × n ) mod q . According to the equations above, if the sequence number n is altered to a, or v is altered to v a by an attacker during transmission; the recovered data will become meaningless. When a legal member decrypts a packet, the member has to compute R by z and get m by computing R. As a result, without the right sequence number and the original m, the recovered data will be meaningless.

Confidentiality: besides the integrity of data, data confidentiality is also considered in the proposed scheme. Data should be recoverable only by the members whom the data owner wants to share with. If an attacker tries to recover the data using the following equations without the correct private key or the random number r, the recovered message will be meaningless. z ≡ u + v × P i × w mod q , R ≡ n × z mod q , m ≡ v − H 2 ( R ) mod q , K ′ = e ˆ ( S j , Q / P j ) , and M ≡ m − ( z × K × n ) mod q .

With regard to the privacy and the security in cloud storage service, the security requirements of the proposed scheme is compared with Zhao et al.’s and Han et al.’s scheme in Table 2. As Table 2 shows, the proposed scheme and Han et al.’s scheme can achieve forward secrecy and backward secrecy, authentication of the data source, integrity of the data, and the confidentiality of the data. However, Zhao et al.’s scheme cannot satisfy the source authentication requirement.

In the aspect of computational cost analysis, the proposed scheme is compared with Zhao et al.’s scheme and Han et al.’s scheme in Table 3. T A is the time complexity of point addition, T B is the time complexity of bilinear paring, T M is the time complexity of real number multiplication, and T E is the time complexity of exponential operation. There is no exponential operation in the proposed scheme; therefore, it is obvious that the proposed scheme is more efficient than the scheme proposed by Han et al.