Speaker : YUN–KUAN,CHANG Date : 2010/07/30

Provable Data Possession at Untrusted

Stores

Provable Data Possession Schemes - Secure PDP Schemes 1/3

We describe a framework for provable data possession.

2

1. KeyGen(1k) → (pk, sk) pk=(N,g) sk=(e,d,v)

2. TagBlock(pk, sk,m,i) → (Ti,mi,wi)

sk=(d,v) wi=v||i Ti,m=(h(wi ). gm) d mod N

3. Send pk, F = (m1, . . . ,mn), Σ= (T1,m1

,w1 , . . . ,

Ti,mi,wi)

4. Client delete F,Σ

Provable Data Possession Schemes - Secure PDP Schemes 2/3

3

1. CheckProof(pk, sk, chal, V) → {“S”,”F”}

pk=(N,g) sk=(e,v) chal=(c,k1,k2,s) v=(T,ρ) τ= Te

= ga1mi1+...+acmic mod N

2. If H(τs mod N) = ρ → S

1. chal=(c,k1,k2,gs) c: F 某區塊

k1 ← {0, 1}κ

k2 ← {0, 1}κ gs = gs

mod N s ← Ζ*

N

R

R

R

1. GenProof(pk, F, chal,Σ) → v=(T,ρ) pk=(N,g) F = (m1, . . . ,mn)

Σ= (T1,m1,w1 , . . . ,Ti,mi

,wi)

chal=(c,k1,k2,gs) 1≦j≦c T=(Ta1i1

,mi1… Tacic

,mic)

ρ=H(gsa1mi1+...+acmic mod N)

Provable Data Possession Schemes - Public verifiability 2/3

The following changes should be applied to the S-PDP protocol

4

1. KeyGen(1k) → (pk, sk) pk=(N,g,e) sk=(d,v)

2. TagBlock(pk, sk,m,i) → (Ti,mi,wi)

sk=(d,v) wi=ωѵ (i) publishes ѵ Ti,m=(h(wi ). gm) d mod N

3. Send pk, F = (m1, . . . ,mn), Σ= (T1,m1

,w1 , . . . ,

Ti,mi,wi)

4. Client delete F,Σ

Provable Data Possession Schemes - Public verifiability 3/3

5

R

R

R

Random Oracle Model

Pseudorandom function (PRF)

Pseudorandom permutation (PRP)

Knowledge of Exponent Assumption (KEA-r)

6