Dynamic Provable Data Possession Protocols with Public Verifiability and Data Privacy

Abstract

Cloud storage services have become accessible and used by everyone. Nevertheless, stored data are dependable on the behavior of the cloud servers, and losses and damages often occur. One solution is to regularly audit the cloud servers in order to check the integrity of the stored data. The Dynamic Provable Data Possession scheme with Public Verifiability and Data Privacy presented in ACISP’15 is a straightforward design of such solution. However, this scheme is threatened by several attacks. In this paper, we carefully recall the definition of this scheme as well as explain how its security is dramatically menaced. Moreover, we proposed two new constructions for Dynamic Provable Data Possession scheme with Public Verifiability and Data Privacy based on the scheme presented in ACISP’15, one using Index Hash Tables and one based on Merkle Hash Trees. We show that the two schemes are secure and privacy-preserving in the random oracle model.

A Security Proof Against the Server for the IHT-based Scheme

For any PPT adversary \(\mathcal {A}\) who wins the game, there is a challenger \(\mathcal {B}\) that wants to break the CDH and DL problems by interacting with \(\mathcal {A}\) as follows:

\(\diamond \) KeyGen. \(\mathcal {B}\) runs \(\textsf {GroupGen}(\lambda ) \rightarrow (p,\mathbb {G},\mathbb {G}_{T},e,g)\). Then, it is given the CDH instance tuple \((g,g^{a},g^{b})\) where \(<g>=\mathbb {G}\), chooses two exponents \(x,y \in \mathbb {Z}_{p}\) and computes \(g_{1} = g^{x}\) and \(g_{2} = g^{y}\). It also sets \(\mathbb {G}_{1} =<g_{1}>\) and \(\mathbb {G}_{2} =<g_{2}>\). Note that \((g^{a})^{x} = g_{1}^{a}\), \((g^{b})^{x} = g_{1}^{b}\), \((g^{a})^{y} = g_{2}^{a}\) and \((g^{b})^{y} = g_{2}^{b}\). \(\mathcal {B}\) chooses \(\beta _{j},\gamma _{j} \in _{R} \mathbb {Z}_{p}\) and sets \(h_{j} = g_{1}^{\beta _{j}} \cdot (g_{1}^{b})^{\gamma _{j}}\) for \(j \in [1,s]\). Let a hash function \(H: \mathbb {Q} \times \mathbb {N} \rightarrow \mathbb {G}_{1}\) be controlled by \(\mathcal {B}\) as follows. Upon receiving a query \((i_{l'},vnb_{i_{l'}})\) to H for some \(l' \in [1,q_{H}]\), if \(((i_{l'},vnb_{i_{l'}}),\theta _{l'},W_{l'})\) exists in \(L_{H}\), return \(W_{l'}\); otherwise, choose \(\beta _{j},\gamma _{j} \in _{R} \mathbb {Z}_{p}\) and set \(h_{j} = g_{1}^{\beta _{j}} \cdot (g_{1}^{b})^{\gamma _{j}}\) for \(j \in [1,s]\). For each \(i_{l'}\), choose \(\theta _{l'} \in _{R} \mathbb {Z}_{p}\) at random and set \(W_{l'}=\frac{g_{1}^{\theta _{l'}}}{g_{1}^{ \sum _{j=1}^{s} \beta _{j} m_{i_{l'},j}} (g_{1}^{b})^{ \sum _{j=1}^{s} \gamma _{j} m_{i_{l'},j} }}\) for a given block \(m_{i_{l'}} = (m_{i_{l'},1} , \cdots , m_{i_{l'},s})\). Put \(((i_{l'},vnb_{i_{l'}}),\theta _{l'},W_{l'})\) in \(L_{H}\) and return \(W_{l'}\). \(\mathcal {B}\) sets the public key \(pk= (p,\mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T},e,g_{1},g_{2},h_{1},\cdots ,h_{s},g_{2}^{a},H)\) and forwards it to \(\mathcal {A}\). \(\mathcal {B}\) keeps \(g_{1}^{a}\), \(g_{1}^{b}\) and \(g_{2}^{b}\) secret.

\(\diamond \) Adaptive Queries. \(\mathcal {A}\) has first access to \(\mathcal {O}_{TG}\) as follows. It first adaptively selects blocks \(m_{i}=(m_{i,1},\cdots ,m_{i,s})\), for \(i \in [1,n]\). Then, \(\mathcal {B}\) computes \(T_{m_{i}} = (W \cdot \prod _{j=1}^{s} h_{j}^{m_{i,j}})^{-sk} = (W \cdot \prod _{j=1}^{s} h_{j}^{m_{i,j}})^{-a}\), such that if \(((i,vnb_{i}),\theta ,W)\) exists in \(L_{H}\), then W is used to compute \(T_{m_{i}}\). Otherwise, \(\theta \in _{R} \mathbb {Z}_{p}\) is chosen at random, \(W=\frac{g_{1}^{\theta }}{g_{1}^{ \sum _{j=1}^{s} \beta _{j} m_{i,j}} (g_{1}^{b})^{ \sum _{j=1}^{s} \gamma _{j} m_{i,j} }}\) is computed for \(h_{j} =g_{1}^{\beta _{j}} \cdot (g_{1}^{b})^{\gamma _{j}}\), \(((i,vnb_{i}),\theta ,W)\) is put in \(L_{H}\) and W is used to compute \(T_{m_{i}}\). Note that we have \(\prod _{j=1}^{s} h_{j}^{m_{i,j}} \cdot H(i,vnb_{i}) = (\prod _{j=1}^{s} h_{j}^{m_{i,j}}) \cdot \frac{g_{1}^{\theta }}{g_{1}^{ \sum _{j=1}^{s} \beta _{j} m_{i,j}} \cdot (g_{1}^{b})^{ \sum _{j=1}^{s} \gamma _{j} m_{i,j} }} = \frac{ g_{1}^{\sum _{j=1}^{s} \beta _{j} m_{i,j}} (g_{1}^{b})^{ \sum _{j=1}^{s} \gamma _{j} m_{i,j} } \cdot g_{1}^{\theta } }{g_{1}^{ \sum _{j=1}^{s} \beta _{j} m_{i,j}} \cdot (g_{1}^{b})^{ \sum _{j=1}^{s} \gamma _{j} m_{i,j} }} = g_{1}^{\theta }\) and so, \(T_{m_{i}} = (H(i,vnb_{i}) \cdot \prod _{j=1}^{s} h_{j}^{m_{i,j}} )^{-sk} = (H(i,vnb_{i}) \cdot \prod _{j=1}^{s} h_{j}^{m_{i,j}} )^{-a} = (g_{1}^{a})^{- \theta }\). \(\mathcal {B}\) gives the blocks and tags to \(\mathcal {A}\). The latter sets an ordered collection \(\mathbb {F}=\{m_{i}\}_{i \in [1,n]}\) of blocks and an ordered collection \(\mathbb {E}=\{T_{m_{i}}\}_{i \in [1,n]}\) which are the tags corresponding to the blocks in \(\mathbb {F}\).

\(\mathcal {A}\) has also access to \(\mathcal {O}_{DOP}\) as follows. Repeatedly, \(\mathcal {A}\) selects a block \(m_{l}\) and the corresponding \(info_{l}\) and forwards them to \(\mathcal {B}\). Here, l denotes the rank where \(\mathcal {A}\) wants the data operation to be performed: l is equal to \(\frac{i_{1}+i_{2}}{2}\) for an insertion and to i for a deletion or a modification. We recall that only the rank is needed for a deletion and the version number \(vnb_{l}\) increases by 1 for a modification. Then, \(\mathcal {A}\) outputs two new ordered collections \(\mathbb {F}'\) and \(\mathbb {E}'\), and a corresponding updating proof \(\nu '=(U_{1},\cdots ,U_{s},C_{1},\cdots ,C_{s},d,w_{l})\), such that \(w_{l} \in _{R} \mathbb {Z}_{p}\), \(d = T_{m_{l}}^{w_{l}}\), and for \(j \in [1,s]\), \(u_{j} \in _{R} \mathbb {Z}_{p}\), \(U_{j} =h_{j}^{u_{j}}\), \(c_{j}= m_{l,j} \cdot w_{l} + u_{j}\) and \(C_{j}=h_{j}^{c_{j}}\). \(\mathcal {B}\) runs \(\textsf {CheckOp}\) on \(\nu '\) and sends the answer to \(\mathcal {A}\). If the answer is 0, then \(\mathcal {B}\) aborts; otherwise, it proceeds.

\(\diamond \) Challenge. \(\mathcal {A}\) selects \(m_{i}^{*}\) and \(info_{i}^{*}\), for \(i \in \mathcal {I} \subseteq (0,n+1) \cap \mathbb {Q}\), and forwards them to \(\mathcal {B}\) who checks the data operations. In particular, the first \(info_{i}^{*}\) indicates a full re-write. \(\mathcal {B}\) chooses a subset \(I \subseteq \mathcal {I}\), randomly selects |I| elements \(v_{i} \in _{R} \mathbb {Z}_{p}\) and sets \(chal=\{(i,v_{i})\}_{i \in I}\). It forwards chal as a challenge to \(\mathcal {A}\).

\(\diamond \) Forgery. Upon receiving chal, the resulting proof of data possession on the correct stored file m should be \(\nu =(R_{1},\cdots ,R_{s},B_{1},\cdots ,B_{s},c)\) and pass the Eq. 6. However, \(\mathcal {A}\) generates a proof of data possession on an incorrect stored file \(\tilde{m}\) as \(\tilde{\nu }=(\tilde{R}_{1},\cdots ,\tilde{R}_{s}, \tilde{B}_{1},\cdots ,\tilde{B}_{s},\tilde{c})\), such that \(\tilde{r}_{j} \in _{R} \mathbb {Z}_{p}\), \(\tilde{R}_{j} =h_{j}^{\tilde{r}_{j}}\), \(\tilde{b}_{j}=\sum _{(i,v_{i}) \in chal} \tilde{m}_{i,j} \cdot v_{i} + \tilde{r}_{j}\) and \(\tilde{B}_{j}=h_{j}^{\tilde{b}_{j}}\), for \(j \in [1,s]\). It also sets \(\tilde{c} =\prod _{(i,v_{i}) \in chal} T_{\tilde{m}_{i}}^{v_{i}}\). Finally, it returns \(\tilde{\nu }\) to \(\mathcal {B}\). If \(\tilde{\nu }\) still pass the verification, then \(\mathcal {A}\) wins. Otherwise, it fails.

Analysis. We define \(\varDelta r_{j}=\tilde{r}_{j}-r_{j}\), \(\varDelta b_{j}=\tilde{b}_{j}-b_{j} = \sum _{(i,v_{i}) \in chal} ( \tilde{m}_{i,j}- m_{i,j}) v_{i} +\varDelta r_{j}\) and \(\varDelta \mu _{j}=\sum _{(i,v_{i}) \in chal} ( \tilde{m}_{i,j}- m_{i,j}) v_{i}\), for \(j \in [1,s]\). Note that \(r_{j}\) and \(b_{j}\) are the elements of a honest proof of data possession \(\nu \) such that \(r_{j} \in _{R} \mathbb {Z}_{p}\) and \(b_{j} = \sum _{(i,v_{i}) \in chal} m_{i,j} \cdot v_{i} + r_{j}\) where \(m_{i,j}\) are the actual sectors (not the ones that \(\mathcal {A}\) claims to have).

We prove that if \(\mathcal {A}\) can win the game, then solutions to the CDH and DL problems are found, which contradicts the assumption that the CDH and DL problems are hard in \(\mathbb {G}\) and \(\mathbb {G}_{1}\) respectively. Let assume that \(\mathcal {A}\) wins the game. We recall that if \(\mathcal {A}\) wins then \(\mathcal {B}\) can extract the actual blocks \(\{m_{i}\}_{(i,v_{i}) \in chal}\) in polynomially-many interactions with \(\mathcal {A}\). Wlog, suppose that \(chal = \{(i,v_{i})\}\), meaning the challenge contains only one block.

\(\circ \) First case ( \(\tilde{c} \ne c\) ): According to Eq. 6, we have \( e( \frac{ \tilde{c}}{c} ,g_{2}) = e \left( \frac{T_{\tilde{m}_{i}}}{T_{m_{i}}} ,g_{2} \right) ^{v_{i}} = e ( \prod _{j=1}^{s} h_{j}^{ \varDelta \mu _{j}} , g_{2}^{-a}) = e ( \prod _{j=1}^{s} (g_{1}^{\beta _{j}} \cdot (g_{1}^{b})^{\gamma _{j}})^{\varDelta \mu _{j}} ,g_{2}^{-a}) \) and so, we get that \( e( \frac{ \tilde{c}}{c} \cdot (g_{1}^{a} )^{\sum _{j=1}^{s} \beta _{j} \varDelta \mu _{j}} ,g_{2}) = e(g_{1}^{b},g_{2}^{-a})^{\sum _{j=1}^{s} \gamma _{j} \varDelta \mu _{j}} \) meaning that we have found the solution to the CDH problem, that is \((g_{1}^{b})^{a} = (g^{x})^{ab}= (\frac{ \tilde{c}}{c} \cdot (g_{1}^{a} )^{\sum _{j=1}^{s} \beta _{j} \varDelta \mu _{j}})^{ \frac{-1}{{\sum _{j=1}^{s} \gamma _{j} \varDelta \mu _{j}}} }\) unless evaluating the exponent causes a divide-by-zero. Nevertheless, we notice that not all of the \(\varDelta \mu _{j}\) can be zero (indeed, if \(\mu _{j} = m_{i,j} v_{i} = \tilde{\mu }_{j} = \tilde{m}_{i,j} v_{i}\) for \(j \in [1,s]\), then \(c = \tilde{c}\) which contradicts the hypothesis), and the \(\gamma _{j}\) are information theoretically hidden from \(\mathcal {A}\) (Pedersen commitments), so the denominator is zero only with probability 1 / p, which is negligible. Finally, since \(\mathcal {B}\) knows the exponent x such that \(g_{1}=g^{x}\), it can directly compute \( ((\frac{ \tilde{c}}{c} \cdot (g_{1}^{a} )^{\sum _{j=1}^{s} \beta _{j} \varDelta \mu _{j}})^{ \frac{-1}{{\sum _{j=1}^{s} \gamma _{j} \varDelta \mu _{j}}} })^{ \frac{1}{x} } \) and obtains \(g^{ab}\). Thus, if \(\mathcal {A}\) wins the game, then a solution to the CDH problem can be found with probability equal to \(1 - 1/p\).

\(\circ \) Second Case ( \(\tilde{c} = c\) ): According to Eq. 6, we have \(e(\tilde{c},g_{2}^{a}) = e ( H(i,vnb_{i})^{v_{i}},g_{2}) \cdot e(\prod _{j=1}^{s} \tilde{B}_{j},g_{2}) \cdot e(\prod _{j=1}^{s} \tilde{R}_{j} ,g_{2})^{-1}\). Since the proof \(\nu =(R_{1},\cdots ,R_{s},B_{1},\cdots ,B_{s},c)\) is a correct one, we also have \(e(c,g_{2}^{a}) = e ( H(i,vnb_{i})^{v_{i}},g_{2}) \cdot e(\prod _{j=1}^{s} B_{j},g_{2}) \cdot e(\prod _{j=1}^{s} R_{j} ,g_{2})^{-1}\). We recall that \(chal = \{(i,v_{i})\}\). From the previous analysis step, we know that \(\tilde{c}=c\). Therefore, we get that \(\prod _{j=1}^{s} \tilde{B}_{j} \cdot (\prod _{j=1}^{s} \tilde{R}_{j} )^{-1}= \prod _{j=1}^{s} B_{j} \cdot (\prod _{j=1}^{s} R_{j})^{-1}\). We can re-write as \(\prod _{j=1}^{s} h_{j}^{\tilde{b}_{j} - \tilde{r}_{j}}= \prod _{j=1}^{s} h_{j}^{b_{j} -r_{j}}\) or even as \(\prod _{j=1}^{s} h_{j}^{\varDelta b_{j} - \varDelta r_{j}}= \prod _{j=1}^{s} h_{j}^{\varDelta \mu _{j}} =1\). For \(g_{1}, h \in \mathbb {G}_{1}\), there exists \(\xi \in \mathbb {Z}_{p}\) such that \(h=g_{1}^{\xi }\) since \(\mathbb {G}_{1}\) is a cyclic group. Wlog, given \(g_{1}, h \in \mathbb {G}_{1}\), each \(h_{j}\) could randomly and correctly be generated by computing \(h_{j} = g_{1}^{y_{j}} \cdot h^{z_{j}} \in \mathbb {G}_{1}\) such that \(y_{j}\) and \(z_{j}\) are random values in \(\mathbb {Z}_{p}\). Then, we have \( 1= \prod _{j=1}^{s} h_{j}^{\varDelta \mu _{j}} = \prod _{j=1}^{s} (g_{1}^{y_{j}} \cdot h^{z_{j}})^{\varDelta \mu _{j}} = g_{1}^{\sum _{j=1}^{s} y_{j} \cdot \varDelta \mu _{j}} \cdot h^{\sum _{j=1}^{s} z_{j} \cdot \varDelta \mu _{j} } \). Clearly, we can find a solution to the DL problem. More specifically, given \(g_{1},h=g_{1}^{\xi } \in \mathbb {G}_{1}\), we can compute \( h = g_{1}^{\frac{\sum _{j=1}^{s} y_{j} \cdot \varDelta \mu _{j}}{\sum _{j=1}^{s} z_{j} \cdot \varDelta \mu _{j}}} = g_{1}^{\xi }\) unless the denominator is zero. However, not all of the \(\varDelta \mu _{j}\) can be zero and the \(z_{j}\) are information theoretically hidden from \(\mathcal {A}\), so the denominator is only zero with probability 1 / p, which is negligible. Thus, if \(\mathcal {A}\) wins the game, then a solution to the DL problem can be found with probability equal to \(1 - 1/p\). Therefore, for \(\mathcal {A}\), it is computationally infeasible to win the game and generate an incorrect proof of data possession which can pass the verification.

The simulation of \(\mathcal {O}_{TG}\) is perfect. The simulation of \(\mathcal {O}_{DOP}\) is almost perfect unless \(\mathcal {B}\) aborts. This happens when the data operation was not correctly performed. As previously, we can prove that if \(\mathcal {A}\) can pass the updating proof, then solutions to the CDH and DL problems are found. Following the above analysis and according to Eq. 5, if \(\mathcal {A}\) generates an incorrect updating proof which can pass the verification, then solutions to the CDH and DL problems can be found with probability equal to \(1 - \frac{1}{p}\) respectively. Therefore, for \(\mathcal {A}\), it is computationally infeasible to generate an incorrect updating proof which can pass the verification. The proof is completed.