Speaker : YUN–KUAN,CHANG Date : 2010/07/30
Provable Data Possession at Untrusted
Stores
Provable Data Possession Schemes - Secure PDP Schemes 1/3
We describe a framework for provable data possession.
2
1. KeyGen(1k) → (pk, sk) pk=(N,g) sk=(e,d,v)
2. TagBlock(pk, sk,m,i) → (Ti,mi,wi)
sk=(d,v) wi=v||i Ti,m=(h(wi ). gm) d mod N
3. Send pk, F = (m1, . . . ,mn), Σ= (T1,m1
,w1 , . . . ,
Ti,mi,wi)
4. Client delete F,Σ
Provable Data Possession Schemes - Secure PDP Schemes 2/3
3
1. CheckProof(pk, sk, chal, V) → {“S”,”F”}
pk=(N,g) sk=(e,v) chal=(c,k1,k2,s) v=(T,ρ) τ= Te
= ga1mi1+...+acmic mod N
2. If H(τs mod N) = ρ → S
1. chal=(c,k1,k2,gs) c: F 某區塊
k1 ← {0, 1}κ
k2 ← {0, 1}κ gs = gs
mod N s ← Ζ*
N
R
R
R
1. GenProof(pk, F, chal,Σ) → v=(T,ρ) pk=(N,g) F = (m1, . . . ,mn)
Σ= (T1,m1,w1 , . . . ,Ti,mi
,wi)
chal=(c,k1,k2,gs) 1≦j≦c T=(Ta1i1
,mi1… Tacic
,mic)
ρ=H(gsa1mi1+...+acmic mod N)
Provable Data Possession Schemes - Public verifiability 2/3
The following changes should be applied to the S-PDP protocol
4
1. KeyGen(1k) → (pk, sk) pk=(N,g,e) sk=(d,v)
2. TagBlock(pk, sk,m,i) → (Ti,mi,wi)
sk=(d,v) wi=ωѵ (i) publishes ѵ Ti,m=(h(wi ). gm) d mod N
3. Send pk, F = (m1, . . . ,mn), Σ= (T1,m1
,w1 , . . . ,
Ti,mi,wi)
4. Client delete F,Σ
Provable Data Possession Schemes - Public verifiability 3/3
5
R
R
R
Random Oracle Model
Pseudorandom function (PRF)
Pseudorandom permutation (PRP)
Knowledge of Exponent Assumption (KEA-r)
6