EDI-C: Reputation-Model-Based Collaborative Audit Scheme for Edge Data Integrity

Abstract

The emergence of mobile edge computing (MEC) has facilitated the development of data caching technology, which enables application vendors to cache frequently used data on the edge servers close to the user, thereby providing low-latency data access services. However, in an unstable MEC environment, the multi-replica data cached by different edge servers is prone to corruption, making it crucial to verify the consistency of multi-replica data on different edge servers. Although the existing research realizes data integrity verification based on the cooperation of multiple edge servers, the integrity proof generated by multiple copies of data is the same, which has low verification efficiency and is vulnerable to attacks such as replay and replace. To address the above issues, based on homomorphic hash and sampling algorithms, this paper proposes an efficient and lightweight multi-replica integrity verification algorithm, which has significantly less storage cost and computational cost and can resist forgery and replay and replace attacks. Based on the verification algorithm, this paper further proposes a multi-replica edge data integrity collaborative audit scheme EDI-C based on the reputation model. EDI-C realizes the efficient collaborative audit of multiple edge servers in a distributed discrete environment through an incentive mechanism to avoid the trust problem of both sides caused by centralized audit. Also, it supports batch auditing of multiple copies of original data files at the same time through parallel processing and data block auditing technology, which not only significantly improves the verification efficiency but also realizes the accurate location and repair of corrupted data at the data block level. Finally, the security analyses and performance evaluation show the security and practicability of EDI-C. Compared with the representative schemes, the results show that EDI-C can ensure the integrity verification of cached data more efficiently in an MEC environment.

1. Introduction

With the rapid development of 5G networks and the wide application of mobile Internet-of-Things (IoT) devices, the traditional cloud computing architecture can no longer satisfy the demand of mobile IoT services, and the unpredictable data access latency between geographically distributed users and remote clouds has become the bottleneck of network services [1]. To overcome this challenge, a new computing architecture, Edge Computing (EC) [2], has emerged and matured gradually, and it has become one of the key technologies for 5G. Derived from cloud computing, EC is an information transmission and processing technology on the user side. The emergence of EC extends cloud-based data caching services to the edge side of the network, and an edge caching data service framework is shown in Figure 1. The app vendor (AV) can cache commonly used data of latency-sensitive applications to edge servers (ESs) close to the user’s geographic location, thereby reducing the service response time and providing more convenient and low-latency services to nearby users [3].

However, this emerging edge storage has brought about many unique security issues and challenges. Compared with traditional large-scale cloud computing environments, EC environments are more dynamic, discrete, and unstable. Since ESs are geographically distributed and deployed and cannot be always maintained internally like traditional cloud servers, ESs are not completely reliable, e.g., software anomalies or hardware failures can lead to corruption of cached data on ESs [4], and an attacker can tamper with cached data on ESs by injecting Trojan horses and viruses, which poses a security threat to the users accessing the corrupted data. Thus, it is urgent to ensure the integrity and consistency of multi-copy data on different ESs in a dynamic, discrete, and unstable environment.

Most existing research [4,5,6,7,8] on the problem of data integrity verification at the edge mainly extends the traditional schemes to the EC environment. Nevertheless, traditional centralized cloud data integrity verification schemes are not applicable to EC environments with large-scale distributed deployments, which makes the edge data integrity verification problem unique: edge caching systems are composed of highly distributed ESs that lack centralized control like cloud servers hosted in data centers; EC environments usually need to pick up massive data, and both the ES and AV need more efficient and lightweight verification schemes [9]; in real-world scenarios, ESs and mobile devices have limited storage and computational resources, and due to the variation in the resource levels of different edge nodes, the same and complex verification schemes are not suitable for the global edge nodes.

Recently, many studies have turned to collaborative verification between ESs to verify the integrity of edge data without the participation of AV, which can solve the trust problem of both sides in centralized verification. However, all ESs need to generate hash values based on the entire replica data as integrity proof, which results in excessive computational overhead. Meanwhile, since the correct integrity proof is the same globally, a malicious ES can cheat the verifier by replaying the proof that has already been verified.

For the integrity verification of multiple data copies on different edge servers in edge caching systems in highly discrete distributed EC environments with varying resource levels, this paper proposes an efficient reputation-model-based collaborative auditing scheme for edge data integrity, EDI-C, which dynamically coordinates interactive auditing among ESs in the system, and different edge nodes can perform different auditing tasks flexibly according to their available resources. The contributions of this paper are summarized as follows:

• This paper proposes an efficient lightweight multi-copy data integrity verification algorithm based on homomorphic hashing and sampling algorithms. The algorithm only involves basic addition, multiplication, and modulo operations, and it does not need to compute the labels for each block of data, thereby effectively reducing the computation and communication cost; also, it can resist replay and replace attacks.
• Based on the verification algorithm, this paper proposes a multi-replica edge data integrity collaborative audit scheme EDI-C based on the reputation model. EDI-C realizes efficient collaborative audit of multiple edge servers in a distributed discrete environment through an incentive mechanism, and it avoids the trust problem of both sides caused by centralized audit. Moreover, by using parallel processing and data block auditing technology, EDI-C can support the batch auditing of multiple copies of original data at the same time, which not only improves the verification efficiency but also realizes the accurate location and repair of corrupted data at the data block level.

2. Related Work

2.1. Traditional Cloud Storage Multiple-Replica Integrity Verification

For the integrity verification of outgoing packet data in remote untrustworthy servers, Ateniese et al. [10] first proposed the Provable Data Possession (PDP) model at the Computer and Communications Security conference in 2007. The PDP model uses the RSA signature algorithm to construct Homomorphic Verifiable Tags (HVT) to perform the integrity verification of data in remote untrustworthy servers by users without retrieving the data; meanwhile, it reduces computation and communication overheads through random sampling strategy and aggregation verification, making it possible to apply the model to verify the data holdings of large datasets. Meanwhile, Juels and Kaliski [11] developed the Proof of Retrievability (POR) model. The POR model achieves probabilistic proof of the file holding type by embedding “sentinels” in the file, and it provides data recovery by using redundant encoding of the data. These two types of verification models support probabilistic verification.

Storing multiple copies is a common strategy for improving reliability and availability in cloud storage. For important data files, users sometimes want to store multiple copies on a server to guarantee that some corrupted data copies can be still recovered from the remaining copies. Meanwhile, cloud service providers may sell the same storage space multiple times to gain more profit, but it actually stores only one copy but claims to have stored multiple copies on multiple servers. Curtmola et al. [12] provided the first implementation of multiple-replica provable data possession (MR-PDP) based on the PDP model, where HVTs are generated from the original data blocks during preprocessing and stored in the server. Nevertheless, this scheme is only suitable for static scenarios where each data replica is checked one by one, so it incurs much additional computation. Besides, there are many research schemes [13,14,15,16,17] based on authentication data structures such as Merkle Hash Tree (MHT) and Index-Hash Table (IHT), and they utilize homomorphic signatures for simultaneous verification of multi-copy outsourced data and dynamic update verification. To further enhance the efficiency and reduce the burden of certificate management, researchers have also proposed an identity-based scheme for multi-copy data integrity verification by adopting identity signature technology [18,19].

2.2. Edge Cache Data Integrity Verification

The emergence of the new cloud service architecture, EC, has facilitated the development of network caching systems for deploying application data at the edge [1,20], thereby providing low-latency cached data services to users near edge devices. However, in EC environments with highly unstable networks, faced with ESs with limited computing power and storage space, cached data are susceptible to intentional or unintentional corruption, and there is an urgent need for a methodology to efficiently check the integrity of the data cached on ESs by application providers.

Tong et al. [21] were the first to investigate the problem of edge data integrity verification, and they proposed two integrity-checking protocols for mobile Edge storage with the participation of third-party trusted centers, namely, ICE-basic protocol and ICE-batch. Specifically, the latter is a batch verification protocol based on the idea of aggregation verification, and it enables users to check data integrity on single and multiple edge cloud nodes. Recently, they proposed an efficient tag caching strategy to reduce the authentication communication cost [22]. Cui et al. [7] proposed a homomorphic tag-based framework called ICL-EDI for edge data integrity verification. Additionally, based on bilinear pairs and certificate-less signatures, Liu et al. [23] designed an edge that can resist key disclosure attacks while achieving privacy preservation. However, none of these studies [7,21,22,23] considered dynamic data verification and recovery of corrupted data. To this end, Qiao et al. [6] proposed a lightweight auditing scheme called EDI-SA, which reduces the verification computation overhead by using algebraic signatures [24]; also, they developed an improved sampling strategy that supports batch auditing and dynamic update verification. Subsequently, Ding et al. [8] proposed an improved edge data integrity verification scheme called EDI-DA, which designs a new data structure, indexed unidirectional linked tables, to support dynamic data operations, thereby improving the updating efficiency and practicality. However, the scheme cannot perform data recovery and still has some security issues such as forgery attacks.

The schemes [6,7,8,21,22,23] are all realized by migrating the traditional outsourced cloud data integrity verification schemes directly to the EC environment. However, edge data integrity verification is fundamentally different from traditional cloud data integrity verification in that both sides (AV and ES) of edge cloud cached data verification have the original data, whereas in traditional cloud data integrity verification, users no longer keep the original data locally after outsourcing it to the cloud server, and the PDP-based implementation of outsourced data integrity verification requires the generation of labels before the data is outsourced, with the user only retaining the labels locally as the basis for verification. Therefore, PDP-based authentication schemes are too complex to be applied to the integrity verification of edge data. Additionally, EC environments often need to access massive amounts of data, and both ES and AV need more efficient and lightweight verifiable solutions.

For the integrity verification of edge data in a targeted way, Li et al. [4] developed a sampling-based probabilistic detection method, EDI-V, to verify replica data integrity on ESs with limited computational resources, where the edge cloud only needs to generate specific sampling trees called variable Merkle hash tree (VMHT) for data integrity verification. However, in practice, the total number of edge data replicas is large, and it is not feasible to utilize a single hash tree to manage all replicas. Therefore, based on the idea of aggregate verification, another scheme called EDI-S was proposed in [5], which adopts elliptic curve signatures to generate integrity proofs for each replica. However, the scheme suffers from a large communication overhead for delivering verification messages and cannot locate and repair corrupted copies at the data block level.

Recently, many studies have turned to collaborative verification of edge nodes with each other to verify the integrity of edge data without the involvement of AVs, i.e., it can solve the trust problem between two parties in centralized verification while ensuring the fairness of verification without requiring a trusted third party. Li et al. [25] designed CooperEDI, a data integrity verification scheme based on a distributed consensus mechanism to form a decentralized self-managed edge caching system, where ESs can autonomously interact with each other to verify the integrity of cached copies without remote control from AVs. Then, they implemented EdgeWatch [26], a collaborative verification framework for edge data integrity using blockchain. Moreover, based on the principles of game theory, prospect theory, and reinforcement learning, Mitsis et al. [27] proposed a behavior and price-aware edge computing framework to solves the data offloading decision problem in a multi-user, multi-server, multi-access edge computing competitive environment, which is crucial for evaluating the importance and potential impact of contributions. However, in the scheme [25,26], all edge nodes need to generate hash values as integrity proofs based on the entire replica data, which leads to too much computational overhead. Moreover, the correct integrity proofs are the same for the whole globe, and malicious edge nodes conspire to replay already verified proofs to deceive the verifier.

The complex EC environment has become a bottleneck for providing secure and trustworthy edge caching data services. To this end, this paper aimed to design a collaborative auditing scheme for edge data integrity that is efficient and applicable to discrete distributed environments and can resist attacks by malicious edge nodes.

3. Preliminaries

3.1. System Model

As shown in Figure 2, a collaborative audit system model of edge data integrity in a distributed discrete environment was constructed in this paper. To adapt to the characteristics of a distributed EC environment, the management area was reasonably planned according to the geographical location. Through the collaborative audit and mutual verification between ESs in the same area, the roles of the auditor and the auditee were organically unified, thereby realizing efficient integrity verification of the data of the whole edge caching system. Also, this paper designed an incentive mechanism based on reputation, which can effectively eliminate the interest space of multi-party collusion adhering to the principle of game theory, so that ES can honestly audit each other. The model mainly involves two entities: the ES and the AV. Specifically, ES is deployed at the edge of the network (base stations and access points) close to the user’s geographic location and stores copies of commonly used and relevant data. The AV deploys the service data on the ES, which is responsible for supervising the audit process and managing the system, to ensure service quality by auditing the integrity of the data copies. Meanwhile, to enable the ES in the system to realize collaborative auditing under the incentive mechanism, the AV also needs to maintain the Audit Ledger and Credit Ledger. Specifically, the Audit Ledger contains the VerResults, all verification results collected by the AV during the audit phase, and the EDIList, a list of copy integrity verification results for globally participating ESs counted by the AV. The Credit Ledger contains the CreditList, a list of credit updated by AV after credit settlement based on the audit results, and the SettlementRecord, a record of the credit settlement process that ESs can use to prove when they challenge the results.

3.2. Fault Model

It is assumed that the AV is honest and trustworthy and performs audit tasks honestly. There may be dishonest nodes in the ESs: when some copies of data are corrupted or lost, dishonest ESs may replace or replay integrity certificates to pass the audit; honest ESs always process messages correctly and timely. These ESs are geographically dispersed and managed by different infrastructure providers, and it is difficult for an attacker to compromise a large number of data copies on these ESs simultaneously without being detected. Based on the reputation model [28] and game theory [29], consensus among helping participants in unreliable networks can be addressed. An underlying assumption is that no more than half of the participants fail at the same time. Based on this assumption, most participants in a distributed system can eventually reach a consensus when some participants temporarily fail. Therefore, this study makes the following assumption: in the edge cache system, no more than half copies of any data are corrupted at the same time.

Specifically, data copies stored on ESs (also known as edge data) are exposed to storage failures and three main attacks as described below.

• Accidental failures. Failures such as hardware failures, software anomalies, and network attacks can lead to the corruption of edge data.
• Forgery attacks. When some edge data are corrupted or lost, a dishonest ES may be able to forge an integrity proof in polynomial time with a non-negligible probability of passing audit proof verified by an honest verifier.
• Replay attacks. A dishonest ES may be able to use a previously generated proof of correct data integrity to pass a new integrity audit.
• Replace attacks. A dishonest ES may pass the integrity audit of an AV by replacing a corrupted block with another intact block stored by itself, or by intercepting an integrity proof generated by another ES as its own.

3.3. Design Goals

The design objectives of the program are listed below:

• Correctness. The scheme should ensure that the AV can correctly utilize the verification equations to audit the integrity of the edge data.
• Lightweight. Given the resource constraints in the edge computing environment, the computation and communication overhead of ES and AV should be as small as possible during the audit process.
• Security. The scheme should prevent dishonest ESs from performing replay attacks, substitution attacks, and forgery attacks.

3.4. Homomorphic Hash

Homomorphic hash is a hash algorithm with homomorphic properties, and it has the following properties:

• Homomorphism: For any two messages $m_1$, $m_2$ and real numbers $w_1$, $w_2$, there is $H(w_1{m}_1+w_2{m}_2)=H{(m_1)}^{w_1}H{(m_2)}^{w_2}$.
• Collision resistance: there is no probability polynomial algorithm for the attacker to forge $(m_1,m_2,m_3,w_1,w_2)$ and satisfy $m_3=w_1{m}_1+w_2{m}_2$ such that $H(m_3)=$$H{(m_1)}^{w_1}H{(m_2)}^{w_2}$.

Informally, a collision-resistant homomorphic hash function [30] can be defined as follows:

Given security parameters ${\lambda }_p$ and ${\lambda }_q$, construct a set of hash parameters $G=(p,q,g)$, where $p$ and $q$ are two large random primes satisfying $\left|p\right|={\lambda }_p$, $\left|q\right|={\lambda }_q$ and $q|(p-1)$, and $g$ is a $1\times m$ row vector consisting of random elements in $Z_p$ of order $q$.

Let $\beta$ be the block size and let $m=⌈\beta /({\lambda }_q-1)⌉$. Consider a file $F$ as an $m\times n$ matrix, whose elements are all elements of $Z_p$. Our selection of m guarantees that each element is smaller than $2^{{\lambda }_q-1}$ and is thus less than the prime q. Now, the $j^{\mathrm{th}}$ column of $F$ simply corresponds to the $j^{\mathrm{th}}$ block of the file $F$, which is represented as $b_j=(b_{1,j},\cdots ,b_{m,j})$. Thus,

$$F=(b_1,b_2,\cdots ,b_n)=\left(\begin{array}{ccc}{b}_{1,1}& \cdots & b_{1,n}\\ ⋮& \ddots & ⋮\\ b_{m,1}& \cdots & b_{m,n}\end{array}\right)$$

(1)

The addition of two blocks of data is the addition of the corresponding column vectors, e.g., the addition of the $i^{\mathrm{th}}$ block to the $j^{\mathrm{th}}$ block, which can be expressed as follows:

$$b_i+b_j=(b_{1,i}+b_{1,j},b_{2,i}+b_{2,j},\cdots ,b_{n,i}+b_{n,j})\mathrm{mod}q$$

(2)

For an arbitrary message block $b_j$, define its hash as $H_G(b_j)={\displaystyle \prod {}_{t=1}^m{g}_t^{b_{t,j}}\mathrm{mod}p}$.

The homomorphism of the data block can be obtained from its hash computation process:

$$\begin{array}{l}{H}_G(b_i+b_j)={\displaystyle \prod {}_{t=1}^m}{g}_t^{b_{t,i}+b_{t,j}}\mathrm{mod}p={\displaystyle \prod {}_{t=1}^m{g}_t^{b_{t,i}}{g}_t^{b_{t,j}}}\mathrm{mod}p\\ ={\displaystyle \prod {}_{t=1}^m{g}_t^{b_{t,i}}}\mathrm{mod}p\times {\displaystyle \prod {}_{t=1}^m{g}_t^{b_{t,j}}}\mathrm{mod}p=H_G(b_i)\times H_G(b_j)\end{array}$$

(3)

Under standard cryptographic assumptions, the algorithm is secure, and the detailed proof is given in reference [30].

3.5. Reputation Models and Incentive Mechanism

The reputation model [28] and the incentive mechanism are a complementary organic whole, where the former is the basis for realizing incentives, and the latter provides a guarantee for enhancing the reputation and the overall trustworthiness of the system. The reputation model is the key to realizing behavioral incentives, and the user’s reputation is determined based on past behaviors. Game theory [29] is mainly used to examine the role of a node in the system under formulaic incentives to interact with each other, and it provides a mathematical theoretical approach to investigate the competition phenomenon, thereby mathematically portraying the behavior of users in strategic scenarios, where the success of each user’s choices relies on the behavioral choices of others. Game theory focuses on the behavior of specific entity perspectives in a given system and tries to study the optimization strategies involved. It views the inter-operation between entities as a game, where each game participant chooses a strategy and operates according to the rules defined in advance by the system designer, and it obtains a certain gain at the end of the game.

Reputation models based on game theory indicate that users’ behavioral choices not only depend on their individual judgments but also are closely related to the choices of other users who are online at the same time. Thus, the system can be modeled as a continuous game process in which users act rationally, i.e., they only consider maximizing their interests. Based on this assumption, the problem of reputation evaluation can be transformed into a strategy selection problem in game theory: if the model can generate a Nash equilibrium [31], the users are informed about the behavioral selection strategy that is most beneficial to them.

The incentive mechanism constructed based on the reputation model aims to improve the overall output of the system by guiding and constraining user behaviors. The incentives directly affect the users’ reputation values and their distribution. In many large-scale web applications, the possibility of keeping interaction history between users is usually low, so reputation-based incentives take the reputation value portrayed by the user’s historical behavior as the basis for incentives, provide differentiated services to users based on the reputation value to guide them to adopt the good behaviors expected by the system, and improve the overall output of the system by updating the user’s reputation evaluation. This approach is universal in practical applications and has strong engineering feasibility.

4. The Proposed Scheme EDI-C

4.1. Verification Algorithm

In the edge caching system, since both sides of data integrity verification own the original data, there is no need to pre-compute the data block labels as the basis for verification, so this paper designed a secure and efficient data integrity verification algorithm based on homomorphic hashing [30], which is described in detail as follows:

• ParaGen $({\lambda }_p,{\lambda }_q)\to (pp)$: Given the security parameters ${\lambda }_p$ and ${\lambda }_q$, the system parameters are generated $pp=\{H_G,𝒫,ℱ\}$. Specifically, $H_G$ is a homomorphic hash function with parameter $G=(p,q,g)$, where $p$ and $q$ are two large random prime numbers satisfying $\left|p\right|={\lambda }_p$, $\left|q\right|={\lambda }_q$, and $q|(p-1)$, and $g$ is a $1\times m$ row vector consisting of random elements in ${\mathbb{Z}}_p$ of order $q$; $𝒫:{\mathbb{Z}}_p^{*}\times \{1,\cdots ,n\}\to \{1,\cdots ,n\}$ is a pseudo-random permutation (PRP) for determining the location of each randomly drawn data block; $ℱ:{\mathbb{Z}}_p^{*}\times \{1,\cdots ,n\}\to {\mathbb{Z}}_p^{*}$ is a pseudo-random function (PRF) for a random number generator.
• Challenge $(pp)\to (chal)$: The verifier first chooses $r$ data blocks for the challenge, then randomly generates the keys $K_{𝒫}$ and $K_{ℱ}$ for the PRP $𝒫$ and the PRF $ℱ$, and finally constitutes the challenge $chal=\{r,K_{𝒫},K_{ℱ}\}$.
• ProofGen $(chal,pp,F)\to (proof)$: The challenger first generates a set of challenge indexes $C=\{c_1,c_2,\dots ,c_r\}$$c_i=P_{K_{𝒫}}(i),1\le i\le r$ based on the key $K_{𝒫}$ and then generates the corresponding set of random numbers $S=\{s_1,s_2,\dots ,s_r\}$$s_i=F_{K_{ℱ}}(i),1\le i\le r$ based on the key $K_{ℱ}$. Subsequently, it computes the hash value $H_G(b_j)={\displaystyle \prod {}_{t=1}^m{g}_t^{b_{t,j}}}\mathrm{mod}p,$ $j\in C$ of the challenged data block based on the set of challenge indexes $C$ and computes the integrity proof $proof={\displaystyle \prod {}_{i=1}^r{H}_G{(b_{c_i})}^{s_i}}$ based on the set of random numbers $S$. Finally, it returns $proof$ to the verifier.
• ProofVer $(proof,pp,F)\to (True,False)$: The verifier checks whether the equation $H_G({\displaystyle \sum {}_{i=1}^r{s}_i{b}_{c_i}})=proof$ holds according to the locally saved data file $F$ and proves that the verification passes if the equation holds.

4.2. Incentive Mechanism

Theorem-type environments (including propositions, lemmas, corollaries, etc.) can be formatted as follows:

Following the game theory, this paper designed an incentive mechanism based on reputation value for the auditing scheme, which motivates the edge nodes involved in the verification to maintain honest behaviors from the perspective of interests while ensuring the virtuous cycle and security stability of the system. In the following, some relevant parameters are defined first:

Definition 1

(Credit). The Credit is the core of the incentive mechanism, and it equivalent to a credit token that passes through this verification model, and the essential source of Credit mainly comes from the initial credit of the ES and the payoff rewards obtained from participation in audits.

Definition 2

(IntialCredit). Each ES obtains a copy of the data from the AV by paying a deposit in exchange for an IntialCredit, which is confiscated when malicious behavior is detected on this ES.

Definition 3

(Reward). The Reward is the value that the AV determines the data to have and the compensation paid by the ES when the audit fails.

Definition 4

(DataValve). The DataValve is the value attributed to the data by the AV and the compensation paid by the ES when the audit fails.

Definition 5

(Penalty). The Penalty to be paid by the ES when malicious behavior is found in the audit.

The Credit is a combination of each ES’s risk solvency, economic strength, integrity, and historical behavior, and it can provide timely feedback about the ES’s situation to the AV and help the AV to manage the service resources stored on the ES. The verification incentive consists of the reward promised by the representative node that initiates the audit invitation and the penalty paid by the ES that fails to participate in the audit honestly and fails the integrity verification. When the audit is completed, ESs that provide correct audit findings in a timely manner share the rewards, while ESs that provide delayed or incorrect findings will not receive rewards. This mechanism encourages ESs to participate in edge data integrity verification quickly and honestly. The flowchart of the incentive mechanism is shown in Figure 3, where some of the key designs are described below:

• Each ES entering the network needs to pay a certain number of deposits in exchange for IntialCredit, and the probability of an ES becoming a representative node in each round of auditing is positively related to its Credit. That is, the larger the Credit, the higher the probability of the node being elected as a representative node to undertake an audit.
• The representative node that initiates the audit invitation needs to pay the corresponding audit Reward to the ES in the system involved in the verification of its data copy.
• If the ES cooperates truthfully with the audit of its data corruption, only the DataValve corresponding to the corrupted data is required as compensation.
• If the ES conceals or falsifies its data corruption, it not only pays out the corresponding DataValve but also distributes the penalty to other honest ESs.
• The Credit is managed by the AV, and the credit settlement is completed automatically based on the audit results. If a round of auditing ends normally, each honest ES involved in this round will distribute all the audit payoffs of this round based on the contribution as a short-term incentive. The ES responsible for the audit will lose more Credit from collusion than it earns from collusion. Rational ESs will perform honest audits to maximize benefits and effectively resist collusion attacks during audits.
• The ES’s performance in accomplishing the task will be recorded in the reputation ledger maintained by the AV to support the evaluation of its long-term Credit. Typically, ESs can only earn a high Credit by completing audit tasks with consistently high performance.

4.3. Basic Scheme

This paper considers an edge caching system consisting of $n$ ESs, represented as $ES=\left\{E{S}_i\right|1\le i\le n\}$. The AV has one or more copies of data cached on each ES. All the ESs in the system are divided into multiple regions $E{S}_G\in ES$ according to their geographic distribution. Assume that there are $s$ ESs in each region, and each ES in the $E{S}_G$ and AV maintains a list $E{S}_G=\left\{E{S}_i\right|1\le i\le s\}$. Let both the original file stored on the AV and its copy of the same data cached in the ESs be $F$. Assume that a file $F$ is divided into $l$ data blocks, i.e., $F=(b_1,b_2,\cdots ,b_l)$, where each $b_i$ is $l$ bits and $b_i\in GF(2^l),$ $i\in \{1,2,\dots ,l\}$. If the length of the last data block is less than $l$ bits, it is made up of an identifier.

This paper first considers the case when only one copy of the original file $F$ needs to be checked on each ES. The workflow of the scheme is illustrated in Figure 4, which consists of three phases: the Setup Phase, the Data Integrity Audit Phase, and the Result Summary Phase. In the Setup Phase, the AV distributes file data and scheme-related system parameters to all ESs in the system for preservation; in the Data Integrity Audit Phase, the AV firstly selects representative nodes in each region based on the IntialCredit, and then the nodes in each region perform a collaborative audit of cached data integrity and upload the results to the AV; in the Result Summary Phase, the AV aggregates the final audit results based on all the verification results and performs reputation settlement based on the incentive mechanism.

4.3.1. Setup Phase

The AV generates system parameters $pp=\{H_G,𝒫,ℱ\}$ according to ParaGen in the verification algorithm introduced in Section 4.1. For a given file $F=(b_1,b_2,\cdots ,b_l)$, there is $I_F\in {\{0,1\}}^{*}$. Eventually, the AV sends the cached data file $F$ along with the system parameters $pp$ to the ESs in the system.

4.3.2. Data Integrity Audit Phase

• Step 1 Selection of representative nodes

First, each ES node in the network pays a certain number of integrity deposits in exchange for IntialCredit. The AV selects the best reputable server from each group of $E{S}_G$ as the audit representative node $E{S}_d$ for the data replica $F$ according to the reputation of the ESs retrieved from the Credit Ledger. Based on the idea of the reputation model, a high Credit value indicates that this ES has performed edge data integrity auditing honestly and timely, and if this ES has been performing well in the past, it is unlikely that it has committed malicious behavior as an audit representative.

• Step 2 Audit invitation

To check the integrity of replica data in all the ESs in the shortest possible time, $E{S}_d$ makes a request for auditing the local data to the ESs in the area while verifying each other’s data.

To verify the replica $F$ in the $E{S}_k\in E{S}_G$ in the area, $E{S}_d$ constructs a challenge request $re{q}_{d\to k}=<I{D}_d,I_F,r,K_{𝒫}^k,K_{ℱ}^k>$ to each $E{S}_k$ according to the Challenge algorithm introduced in Section 4.1, where $I{D}_d$ represents the identity of $E{S}_d$, $I_F$ represents the unique identifier of $F$, $r$ represents the number of data blocks for the challenge, $K_{𝒫}^k$ represents a randomly generated key for PRP $𝒫$, and $K_{ℱ}^k$ represents a randomly generated key for PRF $ℱ$.

Finally, $E{S}_d$ sends an audit invitation $in{v}_{d\to k}=\{re{q}_{d\to k},reward\}$ to $E{S}_k$, where Reward represents the reward promised by $E{S}_d$ for this audit.

• Step 3 Response Audit

Upon receiving the audit invitation $in{v}_{d\to k}=\{re{q}_{d\to k},reward\}$, the $E{S}_k,k\in \{1,2,\dots ,s\}$ first checks whether it has a data replica $F$ locally. If it has, $E{S}_k$ accepts the audit invitation and continues with the following steps; otherwise, it does not participate in this round of audit.

$E{S}_k$ generates the set of challenge indexes $C_{d\to k}=\{c_1,c_2,\dots ,c_r\}$$c_i=P_{K_{𝒫}}(i), 1\le i\le r$ and the corresponding set of random numbers $S_{d\to k}=\{s_1,s_2,\dots ,s_r\}$$s_i=F_{K_{ℱ}}(i), 1\le i\le r$ based on the keys $K_{𝒫}^k$ and $K_{ℱ}^k$, then computes the hash $H_G(b_j)={\displaystyle \sum {}_{t=1}^m{g}_t^{b_{t,j}}\mathrm{mod}p,j\in C_{d\to k}}$ and the integrity proof $E_k={\displaystyle \prod {}_{i=1}^r}{H}_G{(b_{c_i})}^{s_i}$, and eventually constructs the integrity proof $proo{f}_{k\to d}=<I{D}_k,I_F,E_k>$ of the local replica $F$.

Meanwhile, $E{S}_k$ also acts as a verifier to make a challenge request $re{q}_{k\to d}=<I{D}_k,I_F,r,K_{𝒫}^d,K_{ℱ}^d>$ to $E{S}_r$, where $I{D}_k$ denotes the identity of $E{S}_k$, $I_F$ denotes the unique identifier of $F$, $r$ denotes the number of data blocks for the challenge, $K_{𝒫}^d$ denotes a randomly generated key for PRF $𝒫$, and $K_{ℱ}^d$ denotes a randomly generated key for the PRF $ℱ$.

Finally, the $E{S}_k$ combines the $proo{f}_{k\to d}=<I{D}_k,I_F,E_k>$ and $re{q}_{k\to d}=<I{D}_k,I_F,r,K_{𝒫}^d,$ $K_{ℱ}^d>$ into a response $re{s}_{k\to d}=\{proo{f}_{k\to d},re{q}_{k\to d}\}$ returned to the representative node $E{S}_d$.

• Step 4 Verification

After $E{S}_d$ receives the response $re{s}_{k\to d}=\{proo{f}_{k\to d},re{q}_{k\to d}\}$ from $E{S}_k$, it first checks whether $E{S}_k$ is the legal data owner in $E{S}_G$. If it is, $E{S}_d$ proceeds with the following steps; otherwise, this message is not received.

$E{S}_d$ generates the set of challenge indexes $C_{k\to d}=\{c_1,c_2,\dots ,c_r\}$$c_i={𝒫}_{K_{𝒫}^d}(i), 1\le i\le r$ and the corresponding set of random numbers $S_{k\to d}=\{s_1,s_2,\dots ,s_r\}$$s_i={ℱ}_{K_{ℱ}^d}(i), 1\le i\le r$ based on the keys $K_{𝒫}^d$ and $K_{ℱ}^d$, then computes the hash $H_G(b_j)={\displaystyle \prod {}_{t=1}^m{g}_t^{b_{t,j}}\mathrm{mod}p}$, $j\in C_{k\to d}$ and the integrity proof $E_d={\displaystyle \prod {}_{i=1}^r}{H}_G{(b_{c_i})}^{s_i}$ of the challenged data block, and eventually constructs the integrity proofs $proo{f}_{d\to k}=<I{D}_r,I_F,E_d>$ of the local replica $F$ to be sent to $E{S}_k$.

Meanwhile, $E{S}_d$ checks whether the equation $H_G({\displaystyle \sum {}_{i=1}^r}{s}_i{b}_{c_i})=E_k$ holds based on its own locally stored data copy. If the equation holds, it indicates that the verification passes, i.e., the copy stored on the $E{S}_k$ is complete; otherwise, the verification fails, i.e., the copy on the $E{S}_k$ is corrupted. Finally, $E{S}_d$ reports all the final verification results and the $reward$ promised by this audit to the AV.

After $E{S}_k$ receives the data integrity proof returned by $E{S}_d$, it checks whether the equation $H_G({\displaystyle \sum {}_{i=1}^r{s}_i{b}_{c_i}})=E_d$ holds based on its own locally stored data copy. If the equation holds, it indicates that the verification passes; otherwise, the verification fails. Finally, $E{S}_k$ reports the verification result to the AV.

4.3.3. Result Summary Phase

In unreliable or error-prone processor networks, there is an underlying assumption that no more than half of the participants will fail simultaneously. In an edge caching system, n data replicas cached on n ESs are likely to be corrupted simultaneously by only a few of them, i.e., at least (n + 1)/2 data replicas are correct at any given time. This is reasonable in highly distributed mobile EC environments. This is because most edge data copies are unlikely to be corrupted by concurrent hardware failures, software anomalies, or network attacks.

When [s/2] verification results about the data copy $F$ in $E{S}_d$ are obtained that are identical and honest, the AV assumes that $E{S}_d$ has a valid data copy $F$ and accepts the verification results uploaded by $E{S}_d$ about the data copies on the other ESs in the group, and it uses them to update VerResults and EDIList in the Audit Ledger. Then, the AV performs credit settlement based on the incentive mechanism as follows:

• For ESs that have corrupted data but truthfully participate in the audit, the AV deducts the DataValue corresponding to their corrupted data.
• For ESs that conceal or falsify data corruption, the AV deducts the DataValue corresponding to their corrupted data and Penalty.
• Each honest ES participating in this round of auditing distributes all Reward and Penalty compensated by dishonest ESs for this round based on their contributions. The honest representative node $E{S}_d$ is paid more than the normal ESs in the group involved in auditing. The Credit lost by the ESs responsible for auditing due to collusion will be larger than the Credit earned by collusion, so rational ESs will perform honest auditing to maximize the benefit.
• The AV updates the SettlementRecord and CreditList in the Credit Ledger.

4.4. Scheme Expansion

4.4.1. Batch Audit

In practice, data from multiple files may be stored in the ES, and the basic auditing scheme can verify only one piece of file data in each round of interaction, which is inefficient and leads to much resource waste. In this section, the basic auditing scheme is extended with improvements based on homomorphism to enable batch auditing of the integrity of multiple copies of file data on ESs. In the process of collaborative auditing, the ES acts as both the verifier and the verified, and batch auditing is changed only when constructing challenge requests, generating proofs, and verifying, which is described in detail below:

Assuming that one wants to audit $m$ different files $F^t(t=1,\cdots ,m)$ simultaneously, the $E{S}_v$ on the side of the verifier constructs the challenge request $req=$ $<I{D}_v,{\left\{I_{F^t}\right\}}_{t\in [1,m]},r,K_{𝒫},K_{ℱ}>$, where $I{D}_v$ denotes the identity of the ES that sends the challenge request, ${\left\{I_{F^t}\right\}}_{t\in [1,m]}$ denotes the set of identifiers of all the challenged files $F^t(t=1,\cdots ,m)$, $r$ denotes the number of challenged data chunks, $K_{𝒫}$ denotes a randomly generated key for PRP $𝒫$, and $K_{ℱ}$ denotes a randomly generated key for PRF $ℱ$.

Upon receiving the challenge request $req$, the verified $E{S}_p$ first generates a set of challenge indexes $C=\{c_1,c_2,\dots ,c_r\}$$c_i=P_{K_{𝒫}}(i), 1\le i\le r$ and a set of random numbers $S=\{s_1,s_2,\dots ,s_r\}$$s_i=F_{K_{ℱ}}(i), 1\le i\le r$ based on the keys $K_{𝒫}$ and $K_{ℱ}$. Then, it computes $E={\displaystyle \prod {}_{t=1}^m}{\displaystyle \prod {}_{i=1}^r{H}_G{(b_{c_i}^t)}^{s_i}}$, where $b_{c_i}^t$ represents the $c_i$^th data block in the file $F^t$ that is challenged. Finally, the integrity proof $proof=<I{D}_p,{\left\{I_{F^t}\right\}}_{t\in [1,m]},E>$ of all challenged files is constructed, where $I{D}_p$ represents the identity of the verified $E{S}_p$, and ${\left\{I_{F^t}\right\}}_{t\in [1,m]}$ represents the set of identifiers of all challenged files $F^t(t=1,\cdots ,m)$.

The $E{S}_v$ as the verifier receives the $proof$ and checks whether the equation $H_G({\displaystyle \sum {}_{t=1}^m}{\displaystyle \sum {}_{i=1}^r{s}_i{b}_{c_i}^t})=E$ holds based on its locally stored data copies. If the equation holds, it indicates that the verification passes, i.e., all the $m$ copies of the file $F^t(t=1,\cdots ,m)$ stored on the $E{S}_p$ are intact; otherwise, the verification fails, i.e., at least one of the copies of the file on the $E{S}_p$ is corrupted.

4.4.2. Localization and Recover

When a round of edge data integrity auditing is completed, the AV recognizes that $E{S}_d$ has a valid replica $F$ and assigns $E{S}_d$ to obtain the data corruption location and recover the data for the ESs in the domain that fail the audit.

According to the audit result reported by the AV, the edge node $E{S}_f$ that fails the audit sends its identity information and the hash value of all data blocks as proof of data integrity $Proo{f}_{f\to d}=<I{D}_f,I_F,{\{H_G(b_i)\}}_{i\in [1,l]}>$ to the representative node $E{S}_d$ that has been recognized by the AV. $E{S}_d$ employs the bisection method to quickly search and obtain the location of the corrupted data block in the following steps:

• When $E{S}_d$ receives $Proo{f}_{f\to d}$, it first divides ${\{H_G(b_i)\}}_{i\in [1,l]}$ into $E_{left}={\displaystyle \prod {}_{i=1}^{[l/2]}{H}_G{(b_i)}^{s_i}}$ and $E_{right}={\displaystyle \prod {}_{i=[l/2]}^l}{H}_G{(b_i)}^{s_i}$ parts.
• $E{S}_d$ checks if $H_G({\displaystyle \sum {}_{i=1}^{[l/2]}{b}_i})=E_{left}$ holds based on locally stored data $F$. If the verification passes, then the process ends; otherwise, the process continues to the next step. The other part $E_{right}$ is verification similarly.
• Iterate over the first two steps until all damaged data blocks are found.

Finally, $E{S}_d$ sends the corrupted data block to the edge node $E{S}_f$ that fails the audit to recover its stored file data.

5. Security Analyses

Theorem 1

(Correctness). If the ES stores a complete and correct copy of the replica data $F$, it can generate proof of data integrity that can successfully pass verification.

Proof of Theorem 1.

According to the homomorphism of homomorphic hash functions, $H(w_1{m}_1+w_2{m}_2)=H{(m_1)}^{w_1}H{(m_2)}^{w_2}$ holds for any two messages $m_1,m_2$ and real numbers $w_1,w_2$. The equation must hold if the proof provided by the ES can be verified for data integrity. If the $proof=<I{D}_k,I_F,E_k>$ provided by the $E{S}_k$ passes the verification of data integrity, then the equation $H_G({\displaystyle \sum {}_{i=1}^r{s}_i{b}_{c_i}})=E_k$ must hold, and its correctness is shown below:

$$\begin{array}{l}{H}_G({\displaystyle \sum {}_{i=1}^r{s}_i{b}_{c_i}})={\displaystyle \prod _{t=1}^m{g}_t^{{\displaystyle \sum {}_{i=1}^r{s}_i{b}_{t,c_i}}}}\mathrm{mod}p={\displaystyle \prod {}_{i=1}^r{\displaystyle \prod {}_{t=1}^m}}{g}_t^{s_i{b}_{t,c_i}}\mathrm{mod}p\\ ={\displaystyle \prod {}_{i=1}^r}({\displaystyle \prod {}_{t=1}^m}{g}_t^{b_{t,c_i}}{)}^{s_i}\mathrm{mod}p={\displaystyle \prod {}_{i=1}^r{H}_G{(b_{c_i})}^{s_i}}=E_k\end{array}$$

(4)

□

Theorem 2

(Probabilistic verification). Given a replica $F=(b_1,b_2,\cdots ,b_l)$ with $l$ data blocks, EDI-C can successfully detect a corrupted data replica with a probability of at least $1-{\left(\frac{l-d_k}{l}\right)}^r$, where $d_k$ denotes the number of corrupted data blocks of replica $F$ in the edge node, and $r$ denotes the number of challenge blocks.

Proof of Theorem 2.

The pseudo-random permutation P is used in EDI-C to determine the location of each randomly selected data block, and the probability that the verifier successfully detects a corrupted replica $F$ on an edge node is equal to the probability that at least one of the corrupted data blocks in the replica $F$ will be challenged. According to the rules of probability computation, this probability expressed as follows:

$$P(\eta \ge 1)=1-P(\eta =0)=1-\left(\frac{l-d_k}{l}\right)\left(\frac{l-d_k-1}{l-1}\right)\left(\frac{l-d_k-2}{l-2}\right)\cdots \left(\frac{l-d_k-r+1}{l-r+1}\right)$$

where $\eta$ denotes the number of detected damaged blocks.

Given any integer $i\le l$, there is $\left(\frac{l-d_k-i}{l-i}\right)\ge \left(\frac{l-d_k-i-1}{l-i-1}\right)$, and thus the inequality $P(\eta \ge 1)>1-{\left(\frac{l-d_k}{l}\right)}^r$ holds.

Additionally, instead of verifying all data blocks of each replica in the auditing process, only some randomly selected data blocks are needed for integrity verification, making it more efficient and economical. □

Theorem 3

(Resistance to Forgery Attacks). In EDI-C, ESs cannot be verified using forged data integrity proofs.

Proof of Theorem 3.

In each proof generation and verification phase of EDI-C, the ESs need to recalculate the corresponding integrity proofs based on the respective stored data copies and new challenge requests. Suppose that $E{S}_{𝒜}$ has a corrupted data block. Since each ES generates different challenge indexes and random numbers based on the received keys $K_P$ and $K_F$, $E{S}_{𝒜}$ cannot forge its own proof by intercepting the integrity proofs of other ESs. Specifically, assuming that the data copy $F$ is corrupted by the challenged data block $b_i$ and that the $proof$ computed by $E{S}_{𝒜}$ using the forged data block $b_i^{*}$ can pass the verification, then $H_G(b_i)=H_G(b_i^{*})$ must hold. This implies that $E{S}_{𝒜}$ can discover a collision of the hash function $H_G$, which contradicts the assumption that $H_G$ is a collision-resistant hash function. Therefore, no ES can use a forged data block to generate an integrity proof to pass the verification. That is, EDI-C can resist forgery attacks. □

Theorem 4

(Resistance to Replay Attacks). In EDI-C, no ES can replay the previous audit’s correct proof of integrity (i.e., a correct but outdated proof of integrity) to pass a new round of integrity verification by other ESs.

Proof of Theorem 4.

Define the replay attack game as follows: assume $E{S}_{𝒜}$ is a malicious adversary. Upon receiving a challenge $\{I{D}_k,I_F,C_{𝒜},S_{𝒜}\}$ sent by another $E{S}_k$, $E{S}_{𝒜}$ returns an expired $Proo{f}_{𝒜}\prime =<I{D}_{𝒜},I_F,E_{𝒜}\prime >$, and since $C_{𝒜}\prime$ and $S_{𝒜}\prime$ are both expired, $E_{𝒜}\prime$ is also expired. The expired proof was previously generated by $E{S}_{𝒜}$ or intercepted from other ESs. If $Proo{f}_{𝒜}\prime$ can pass the integrity verification, then $E{S}_{𝒜}$ wins.

Let the set of outdated challenge indexes and the set of random numbers be $C_{𝒜}\prime$ and $S_{𝒜}\prime$, respectively, and let the set of new challenge indexes and the set of random numbers be $C_{𝒜}$ and $S_{𝒜}$, respectively. Assuming that $Proo{f}_{𝒜}\prime =<I{D}_{𝒜},I_F,E_{𝒜}\prime >$ can be verified, where $E_{𝒜}\prime$ is computed by $E{S}_{𝒜}$ using the correct but outdated $C_{𝒜}\prime$ and $S_{𝒜}\prime$, then $E_{𝒜}\prime ={\displaystyle \prod {}_{i=1}^r{H}_G{(b_{c_i})}^{s_i}}=H_G({\displaystyle \sum {}_{i=1}^r{s}_i{b}_{c_i}})$ must hold, which indicates that $E{S}_{𝒜}$ can find collisions of the hash function $H_G$. However, this is contradicted by the collision-resistant nature of the hash function. Additionally, the seeds of the PRP for each round of audit challenges in the sampling algorithm differ, which leads to different challenge blocks and the corresponding random numbers for each round of auditing, i.e., there is a high probability that $C_{𝒜}\prime \ne C_{𝒜}$ and $S_{𝒜}\prime \ne S_{𝒜}$, so $E_{𝒜}\prime \ne E_{𝒜}$. Therefore, $Proo{f}_{𝒜}\prime$ cannot pass the verification with a significant advantage.

Thus, ES wins with negligible probability and no ES can replay the correct but outdated integrity proof to pass a new round of integrity verification by other ESs. That is, EDI-C can effectively resist replay attacks. □

Theorem 5

(Resistance to Replace Attacks). In EDI-C, no ESs can generate an integrity proof by replacing the challenged data block with other complete data blocks to pass the verification of the other ESs.

Proof of Theorem 5.

The game defining the replace attack is introduced as follows: Assume that $E{S}_{𝒜}$ is a malicious adversary (here an ES can be either a representative node in the group or any other ordinary node), and when it receives a challenge $\{I{D}_k,I_F,C_{𝒜},S_{𝒜}\}$ sent by another $E{S}_k$, $E{S}_{𝒜}$ returns $proo{f}_{𝒜}\prime =$  $<I{D}_{𝒜},I_F,E_{𝒜}\prime >$ to the ES that initiated the challenge. There are two scenarios of the replace attack: (1) $E{S}_{𝒜}$ generates integrity proof $proo{f}_{𝒜}\prime$ by replacing the challenged data block $b_i$ with another unchallenged valid data block $f_j(j\ne i)$; (2) $E{S}_{𝒜}$ takes the $proo{f}_j$ of another $E{S}_j(j\ne 𝒜)$ as $proo{f}_{𝒜}\prime$. If $proo{f}_{𝒜}\prime$ can pass the integrity verification, indicates that $E{S}_{𝒜}$ wins.

Case 1: $E{S}_{𝒜}$ replaces $b_i$ with another complete data block $b_i(i\ne j)$ to compute $E_{𝒜}\prime$ as an integrity proof. Assume that the correct integrity proof corresponding to the challenge index set $C_{𝒜}=\{c_1,c_2,\dots ,c_r\}$ is $E_{𝒜}={\displaystyle \prod {}_{i=1}^r{H}_G{(b_{c_i})}^{s_i}}$. Since $b_i=b_j$ holds with negligible probability, if the integrity proof obtained in this approach can pass the integrity verification of other ESs by a non-negligible margin, then $E_{𝒜}=E_{𝒜}\prime$ must hold. This indicates that $E{S}_{𝒜}$ can find collisions of the hash function $H_G$, which contradicts the assumption that $H_G$ is a collision-resistant hash function. Therefore, $E{S}_{𝒜}$ cannot generate a valid integrity proof by replacing the challenged data block with another complete data block.

Case 2: The challenge index set $C=\{c_1,c_2,\dots ,c_r\}$ consists of $r$ different indexes generated by the PRP based on the key $K_P$. Since the key $K_P$ in each challenge is randomly generated, the key $K_P$ used by each ES to construct the challenge index set differs, so different ESs obtain different challenge index sets $C$. Even though two different ESs obtain the same challenge index set $C$ with a low probability, the probability that the sets $S=\{s_1,s_2,\dots ,s_r\}$ of random numbers corresponding to the challenge index set $C$ generated by different $E{S}_k$ are identical is almost negligible. Therefore, the $E{S}_{𝒜}$ cannot pass the verification by replacing its integrity proof $Proo{f}_{𝒜}$ with the integrity proof $Proo{f}_j$ of the $E{S}_j(j\ne 𝒜)$.

Thus, $E{S}_{𝒜}$ wins the game with negligible probability, and any ES cannot replace the challenged data block with other complete data blocks to generate an integrity proof to pass the verification of other ESs. That is, EDI-C can resist the replace attack. □

6. Performance Evaluation

6.1. Functionality Comparison

To better demonstrate the superiority of EDI-C, it is compared with the existing schemes on edge data integrity verification mainly in terms of realization function and security, and the results are listed in

Table 1. Comparison of edge data integrity verification schemes.

Scheme	Realization Functions		Security
	Aggregation Verification	Localization and Recovery	Resistance to Forgery Attacks	Resistance to Replay Attacks	Resistance to Replace Attacks
EDI-V	×	×	√	√	√
ICE-batch	√	×	×	×	×
ICL-EDI	×	×	×	×	×
EDI-SA	√	×	√	√	√
EDI-DA	√	×	√	√	√
EDI-S	√	×	√	√	√
CooperEDI	×	√	×	×	×
EdgeWatch	×	×	×	×	×
EDI-C	√	√	√	√	√

. In EDI-V, the AV can only verify the integrity proofs returned by the ES one by one, and the ES needs to regenerate a new Merkle hash tree for the integrity proof in each audit, which results in a high verification overhead and does not support aggregation verification. In contrast, EDI-S, EDI-SA, EDI-DA, and ICL-EDI implement aggregated verification of the integrity proofs returned by the ESs based on elliptic curve signatures, algebraic signatures, and homomorphic labels, respectively. Among them, EDI-SA and EDI-DA also support batch auditing. However, ICL-EDI is not secure and cannot resist replay, replace, and forgery attacks. CooperEDI and EdgeWatch are distributed edge data verification protocols implemented based on blockchain. They are not limited to data integrity verification by the AV but perform collaborative verification among ESs, so they are more suitable for EC environments with large-scale distributed deployments, but the integrity proofs constructed from the hash value of the entire data file cannot resist replay, replace, and forgery attacks. EDI-C combines improved sampling algorithms and homomorphic hashing algorithms to locate and recover from data block-level corruption while resisting forgery, replay, and replace attacks. It is more functional and secure and is more suitable for EC environments.

6.2. Experimental Evaluation

To evaluate the performance of EDI-C, it is compared with typical EDI-V schemes [4] and ICL-EDI schemes [7]. In this research, only the performance of data integrity verification was compared, and EDI-V, ICL-EDI, and EDI-C were implemented in simulation experiments to compare their computation and communication overheads. In order to evaluate the performance of EDI-C more comprehensively, the three parameters system scale, data block size, and sampling scale were varied in this study to simulate different edge data integrity verification scenarios. Each time, the value of one parameter was changed, while the other parameters were kept at their default values, as shown in

Table 2. Parameter settings.

Parameter	Value Varied	Value Fixed
System scale	20, 40, 60, 80, 100	40
Data block size (KB)	128, 256, 512, 1024, 2048	256
Sampling scale	50, 100, 150, 200, 250	100

. Each experiment was repeated 100 times, and the average result was finally reported.

All experiments were conducted on a computer running the Ubuntu 18.04.6 system and equipped with R9-5900HX CPU (4.6 GHz) and 32 GB RAM, and the program was implemented using Python 3.6.9. In order to simulate the edge cache system, a total of 10 different geographic regions were specified in the whole system, and 10 virtual machines were randomly mapped to a geographic region to simulate the ESs in the region. In addition, another virtual machine was used to simulate the AV. Since the network latency fluctuated over time and was roughly 50ms on average, the network latency between virtual machines was ignored. The hash algorithm in the program was implemented using the SHA256 function in the Cryptodome. Hash library, while the random number generator algorithm was implemented using the RandomState function.

6.2.1. Computation Overhead

The computational overhead is measured by the computational time required to complete the entire verification process, and the smaller the computational overhead, the higher the performance of the scheme. According to the current RSA security requirements, the public key is required to be at least 4096 bits.

Figure 5 shows the time consumed by each scheme when the system scale (the total number of ESs participating in the audit) increased from 20 to 100. It can be seen from Figure 5 that the time consumed to complete the audit of EDI-V and ICL-EDI increased with the system scale, while the computational overhead of EDI-C remained stable. For example, when the system scale was 20, the consumed times of EDI-V, ICL-EDI, and EDI-C were 1408 s, 2289 s and 278 s, respectively. When the system scale increased to 100, the consumed times of EDI-V, ICL-EDI, and EDI-C were 1808 s, 2799 s, and 289 s, respectively. Since EDI-V and ICL-EDI are centralized audit schemes, the integrity verification of all edge data copies was completed by AV, which needed to find the same sampled data from the original data for verification as that in ES. EDI-C is a collaborative audit scheme, and all ESs in the system engage in mutual interaction and simultaneous auditing. EDI-C is less affected by the change in system scale and has better scalability.

Figure 6 compares the time consumed by each scheme when the data block size increased from 128 KB to 2 MB. In EDI-V, each ES creates a subtree of VMHT based on the sampled data blocks, and the increase in the data block size affects the total number of nodes in the VMHT on each ES, so the time spent by the ESs increases. In both ICL-EDI and EDI-C, the computation overhead of constructing proofs and verifications is related to the data block size. However, in ICL-EDI, additional overhead is taken to construct homomorphic labels. When the data block size increased from 128 KB to 2048 KB, the time consumption of EDI-V increased from 264.96 s to 4187.74 s, while that of ICL-EDI increased from 148.57 s to 2438.77 s. In contrast, the time consumption of EDI-C increased only from 97.58 s to 1089.14 s, demonstrating that EDI-C can effectively handle large-scale data copies.

Figure 7 compares the time consumption of each scheme when the sampling scale increased from 50 to 250. As shown in Figure 7, the time required to complete the audit by ICL-EDI, EDI-V, and EDI-C increased significantly with the sampling scale. ICL-EDI and EDI-C need to generate the corresponding proof of data integrity based on the sampled data blocks. However, in ICL-EDI, AV also needs more time to check the proof when the sampling scale increases. For EDI-V, when the sampling scale increases, each ES needs to spend more time to generate the VMHT. The EDI-C scheme has the least time consumption because it does not need to generate complex data block labels and does not need to generate VMHT as proof; instead, it only needs to calculate the hash of the sampled data blocks.

Then, the computational complexity of these three schemes was theoretically analyzed and compared, and the results are presented in

Table 3. Comparison of computational complexity.

Scheme	ParaGen	Challenge	ProofGen	ProofVer
EDI-V [4]	$O(l)$	$O(l+s)$	$O(l)$	$O(2^r+s)$
ICL-EDI [7]	$O(l)$	$O(s)$	$O(r)$	$O(r+s)$
EDI-C	$O(1)$	$O(s)$	$O(r)$	$O(r)$

. In this table, l denotes the number of data blocks divided by each data replica, $s$ denotes the number of ESs, and $r$ denotes the number of challenged blocks on each ES. To compare the computational complexity with the centralized verification schemes (ICL-EDI and EDI-V), the following analysis is mainly performed in terms of the ParaGen, ProofGen, and ProofVer phases. In the ParaGen phase, ICL-EDI needs to calculate the label for each data block, and the larger the size, the more data block labels need to be calculated. The AV in EDI-V also needs to build the VMHT with all data blocks. However, EDI-C does not require complicated preparation in the ParaGen phase, and its computational complexity is independent of l. In the ProofGen phase, the computational complexity of EDI-V is related to the number of data blocks l. Each ES generates subtrees of VMHT as integrity proof in each audit round. A larger l leads to a larger depth of the VMHT, which significantly increases the computational complexity of AV and ES. However, the computational complexity of EDI-C and ICL-EDI in the ProofGen phase is only related to the number of challenge blocks r, which is much smaller than the number of data blocks l, so their computational complexity is smaller. In the ProofVer phase, the computational complexity of both EDI-V and ICL-EDI is related to the number of challenge blocks r and the number of edge servers s. Moreover, the computational complexity of EDI-V is exponential to the number of challenge blocks r because it needs to construct subtrees of the corresponding VMHT for verification. In contrast, the computational complexity of EDI-C is only related to the number of challenge blocks r, so it is smaller at verification time.

To sum up, the experimental results indicate that the scheme proposed in this paper has less computational overhead than other related works.

6.2.2. Communication Overhead

Figure 8 shows that the communication overhead of the three schemes as the system scale (the total number of ESs participating in the audit) increased from 20 to 100. For centralized verification schemes such as EDI-V and ICL-EDI, the communication overhead is mainly related to the examination of the integrity proof size (KB) of the edge data copy returned by the ES to the AV. For the cooperative auditing scheme EDI-C, the communication overhead is mainly related to the examination of the total amount of integrity proof size (KB) that needs to be passed between ES for interactive auditing. Overall, EDI-C has a higher communication overhead than the other schemes. This is because EDI-C requires multiple ESs to collaborate in performing integrity verification, and as the system scale increases, more ESs are involved, which leads to higher communication overhead. However, EDI-C verifies replica data integrity by the collaboration between ESs; the AV is not involved in data integrity verification; and the communication overhead for verification is mainly composed of the overall communication overhead incurred between different ESs, which occurs only at the edge of the network, thereby ensuring its application in real EC systems. However, the communication overhead of centralized verification edge data integrity verification schemes like EDI-V and ICL-EDI is incurred on the backhaul network between the ESs and the AV, and this is contrary to the goal of minimizing backhaul network traffic in mobile EC environments.

7. Conclusions

Due to the discrete and unstable characteristics of the MEC environment, ensuring the consistency of multiple replicas on different edge servers is the key to providing secure and reliable edge caching services. This paper proposes an efficient and lightweight multi-replica integrity verification algorithm based on homomorphic hash and sampling algorithms, which effectively reduces the storage cost and computational cost and can resist forgery, replay, and replace attacks. Then, based on the verification algorithm, a multi-replica edge data integrity cooperative audit scheme EDI-C is further proposed based on the reputation model, which coordinates the positive and honest participation of ESs in auditing through an incentive mechanism in a distributed discrete environment. By using parallel processing and data block audit technology, EDI-C can also support batch audit of multiple cached copies of original data, which not only greatly improves the verification efficiency but also realizes the accurate location and repair of corrupted data at the data block level. Through security analysis, EDI-C is proven to be resistant to forgery, replay, and replace attacks. The comparison of EDI-C with two representative schemes through simulation experiments indicates that EDI-C has significantly less computation and communication overheads.