An Efficient Dynamic Provable Data Possession Scheme in Cloud Storage

  • Conference paper
Green, Pervasive, and Cloud Computing

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9663)

Abstract

Cloud storage provides clients with a flexible, dynamic and cost-effective data storage service. This new paradigm of data storage service, however, introduces new security challenges. Since clients can no longer control the remote data, they need to be convinced that their data are correctly stored in the cloud. Moreover, supporting dynamic data updates is a practical requirement of cloud storage. It is imperative to provide an efficient and secure dynamic auditing protocol to check the data integrity in the cloud. In this paper, we first analyze the dynamic performance of some prior works and propose a new Dynamic Provable Data Possession (DPDP) scheme. We introduce a secure signature scheme and the Large Branching Tree (LBT) data structure in our scheme. The LBT structure simplifies the process of updates, and the signature scheme is used to authenticate both the value and the position of data blocks, which greatly improves the efficiency in communication. The security and performance analyses show that our DPDP scheme is provably secure and efficient.



Acknowledgements

The authors would like to thank the anonymous referees for useful comments. This research is supported in part by “the Fundamental Research Funds for the Central Universities” (No. 2015YJS005), National Natural Science Foundation of China under Grant Nos. 61472032, 61272522, 61572132 and Fujian Provincial Key Laboratory of Network Security and Cryptology Research Fund (Fujian Normal University) (No. 15007).

Author information

Corresponding author

Correspondence to Yong Li.

Appendices

Appendix A. Data Possession Game

The data possession game that defines security, played between a challenger C and an adversary A, is presented as follows. The challenger plays the role of the verifier and the adversary acts as a malicious CSS.

  • KeyGen: The challenger runs \((pk,sk) \leftarrow KeyGen(1^k)\), then sends pk to the adversary.

  • ACF Queries: The adversary can make adaptively chosen file (ACF) queries as follows. First, the adversary interacts with the tag generation oracle \(\mathcal {O}_{TG}\). For each query, A chooses a data block \(m_i\) and sends it to \(\mathcal {O}_{TG}\). The oracle responds to each query with the corresponding verification metadata \(\tau _i \leftarrow (H(m_i) \cdot \omega ^{m_i})^x\). The adversary makes n such queries, which lets it create an ordered collection of metadata \(T=\{\tau _i\}_{1\le i \le n}\) for all the selected data blocks \(F=\{m_1,m_2,\ldots ,m_n\}\). Second, the adversary is given access to a data update oracle \(\mathcal {O}_{UP}\). A chooses a data block \(m_i\) (\(i=1,2,\ldots ,n\)) and generates the corresponding update information \(Info_i\) indicating what operation the adversary wants to perform. Then the adversary runs the Update algorithm and outputs a new version of the data file \(F'\) and an update proof \(P_{update}\). After receiving this information from the adversary, the oracle \(\mathcal {O}_{UP}\) verifies the proof \(P_{update}\) by running the algorithm VerifyUpdate, whose output is accept or reject. The adversary can repeat the above interaction a polynomial number of times.

  • Setup: The adversary decides on a data block \(m_{i}^{*}\) and the corresponding update information \(Info_{i}^{*}\) for all \(i \in I \subseteq [0, n+1]\). The ACF Queries are performed again by the adversary, with the first \(Info_{i}^{*}\) specifying a full re-write (this corresponds to the first time the client sends a file to CSS). The challenger verifies the update information and updates his local metadata.

  • Challenge: The final version of the data file F is created according to the data updates requested by A, and is verified and then accepted by the challenger. Now the challenger generates a challenge chal and sends it to the adversary.

  • Forge: The adversary computes a data possession proof P based on chal. Then the challenger runs the algorithm VerifyProof and outputs either accept or reject. If the output is accept, then the adversary wins.

Appendix B. Proof of Theorem 1

Theorem 1

If the tag generation scheme we use is existentially unforgeable and the CDH problem and the DL problem are intractable in bilinear groups, then, in the random oracle model, no adversary against our provable data possession scheme can cause the verifier to accept a corrupted proof in the challenge-verify process with non-negligible probability, except by responding with the correctly computed proof.

Proof

We first prove that the tag generation scheme is existentially unforgeable under the assumption that the BLS short signature scheme is secure. We prove this by reduction. Assume the BLS signature scheme is secure and its public key is \(pk = g^x\). If there exists an adversary who can win the challenge game with non-negligible probability, then the adversary must be able to forge a signature in the BLS scheme. Pick \(x \leftarrow Z_p\), and compute \(u=g^x\). When the adversary queries a data block \(m_i\), he/she sends the block to the BLS signature oracle, and the oracle responds with the signature \(s_i=H(m_i)^x\). The adversary queries the oracle about the same block in our scheme, and receives the tag \(\tau _i=(H(m_i)\cdot \omega ^{m_i})^x\). Let \(\omega =g^\alpha \), then \(\tau _i=s_i\cdot u^{\alpha m_i}\). Suppose that the adversary can forge a new tag \(\tau _j=(H(m_j)\cdot \omega ^{m_j})^x\) for a block \(m_j\) that has never been queried. Then the adversary can compute the BLS signature on \(m_j\) as \(s_j=\tau _j / u^{\alpha m_j}\). This completes the proof of the security of the tag generation scheme.

Now we prove Theorem 1 by using a sequence of games.

  • Game 1. The first game is the data possession game we defined in Appendix A.

  • Game 2. Game 2 is the same as Game 1, with one difference. When the challenger responds to the ACF Queries made by the adversary, he/she keeps a list of all his/her responses. Then the challenger observes each instance of the challenge-response process with the adversary. If in any of these instances the adversary responds with a valid proof that makes the challenger accept, but the adversary’s tag proof is not equal to \(\tau =\prod \limits _{i\in I}\tau _i^{\pi _i}\), which is the expected response that would have been obtained from an honest prover, the challenger declares reject and aborts.

Analysis. Before analyzing the difference in probabilities between Game 1 and Game 2, we first describe the notation and draw a few conclusions. Suppose the data file that causes the abort is divided into n blocks, and the tags of the data blocks are \(\tau _i=(H(m_i)\cdot \omega ^{m_i})^x\) for \(i\in [1,n]\). Assume \(chal=\{i,\pi _i\}_{i\in I}\) is the query that causes the challenger to abort, and the adversary’s response to that query was \(P'=\{\varphi ^{'},\tau ^{'},\{H(m_i),\varOmega _i\}_{i\in I},\gamma \}\). Let the expected response be \(P=\{\varphi ,\tau ,\{H(m_i),\varOmega _i\}_{i\in I},\gamma \}\). The correctness of \(H(m_i)\) can be verified through \(\{H(m_i),\varOmega _i\}_{i\in I}\) and \(\gamma \). Because of the correctness of the scheme, the expected response passes the verification equation, that is

$$\begin{aligned} e(\tau ,g)=e(\prod \limits _{i\in I}H(m_i)^{\pi _i}\cdot \omega ^{\varphi },y). \end{aligned}$$

Because the challenger aborted, we know that \(\tau \ne \tau ^{'}\) and that \(\tau ^{'}\) passes the verification equation \(e(\tau ^{'},g)=e(\prod \limits _{i\in I}H(m_i)^{\pi _i}\cdot \omega ^{\varphi ^{'}},y)\). Observe that if \(\varphi ^{'}= \varphi \), it follows from the verification equation that \(\tau ^{'} = \tau \), which contradicts our assumption above. Therefore, it must be the case that \(\varDelta \varphi \) is nonzero, where we define \(\varDelta \varphi =\varphi ^{'}-\varphi \).

With this in mind, we show that if the adversary wins Game 2 and causes the challenger to abort, we can construct a simulator to solve the CDH problem.

Given the values g, \(g^x\), \(h\in G\) as inputs, the goal of the simulator is to output \(h^x\). The simulator behaves like the challenger in Game 2 and interacts with the adversary as follows:

  1. To generate a tag key, the simulator sets the public key y to \(g^x\), and then forwards y to the adversary.

  2. The simulator programs the random oracle H and keeps a list of queries to respond consistently. Upon receiving the adversary’s queries, the simulator chooses a random \(r\leftarrow Z_p\) and responds with \(g^r \in G\). It also responds to queries of the form \(H(m_i)\) in a special way, as we will see below.

  3. When requested to store the data file which is divided into n blocks \(\{m_i\}_{1\le i \le n}\), the simulator responds as follows. It first chooses a random block \(m_i\). For each \(1\le i \le n\), the simulator chooses a random value \(r_i \leftarrow Z_p\) and sets \(\omega = g^a h^b\) for \(a,b \leftarrow Z_p\), then it outputs \(H(m_i)=g^{r_i}h^{-m_i}\). Therefore, the simulator can compute the tag \(\tau _i=(H(m_i)\cdot \omega ^{m_i})^x=(g^{r_i}h^{-m_i}\cdot (g^a h^b)^{m_i})^x\).

  4. The simulator continues interacting with the adversary until the adversary succeeds in responding with a tag \(\tau ^{'}\) that is not equal to the expected tag \(\tau \). After receiving the valid proof \(P^{'}\) from the adversary, the simulator divides the two verification equations and is able to compute \(e(\tau ^{'}/\tau ,g)=e(\omega ^{\varDelta \varphi },y)=e((g^a h^b)^{\varDelta \varphi },y)\).

Rearranging terms yields \(e(\tau ^{'}\tau ^{-1}y^{-a\varDelta \varphi },g)=e(h,y)^{b\varDelta \varphi }\).

Since \(y=g^x\), we obtain \(h^x=(\tau ^{'}\tau ^{-1}y^{-a\varDelta \varphi })^{\frac{1}{b\varDelta \varphi }}\). To analyze the probability that the challenger aborts in the game, we only need to compute the probability that \(b\varDelta \varphi = 0 \pmod p\). Because b is chosen by the challenger and hidden from the adversary, the probability that \(b\varDelta \varphi = 0 \pmod p\) is only \(1/p\), which is negligible.

Therefore, if there is a non-negligible difference between the adversary’s probabilities of success in Game 1 and Game 2, we can construct a simulator that solves the CDH problem by interacting with the adversary.
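The Game 2 extraction can be checked numerically from the rearranged equation \(e(\tau ^{'}\tau ^{-1}y^{-a\varDelta \varphi },g)=e(h,y)^{b\varDelta \varphi }\). The Python sketch below is an added example, not code from the paper. Its assumptions: a small constructed Schnorr group stands in for the bilinear group, the pairing check is replaced by the equivalent test \(\tau = B^x\) using x directly, \(\varphi \) is taken as the linear combination \(\sum _{i\in I}\pi _i m_i\) that the verification equation requires, and the "forged" proof is built with x only to give the reduction an input.

```python
import hashlib

# Constructed toy parameters: Q = 2P + 1 is a safe prime and G = 4 has prime order P.
Q, P, G = 2039, 1019, 4

def H(m):
    """Random-oracle stand-in mapping a block into the order-P subgroup."""
    digest = hashlib.sha256(str(m).encode()).digest()
    return pow(G, int.from_bytes(digest, "big") % P, Q)

def tag(m, x, omega):
    """tau_i = (H(m_i) * omega^{m_i})^x."""
    return pow(H(m) * pow(omega, m, Q) % Q, x, Q)

def prove(blocks, tags, chal):
    """Honest response: phi = sum(pi_i * m_i), tau = prod(tau_i^{pi_i})."""
    phi, tau = 0, 1
    for i, pi in chal:
        phi = (phi + pi * blocks[i]) % P
        tau = tau * pow(tags[i], pi, Q) % Q
    return phi, tau

def base(blocks, chal, omega, phi):
    """prod(H(m_i)^{pi_i}) * omega^phi, the element paired with y."""
    acc = pow(omega, phi, Q)
    for i, pi in chal:
        acc = acc * pow(H(blocks[i]), pi, Q) % Q
    return acc

def verify(blocks, chal, omega, x, phi, tau):
    """e(tau, g) = e(base, y) holds exactly when tau = base^x. The check uses
    x directly because the standard library has no pairing (assumption)."""
    return tau == pow(base(blocks, chal, omega, phi), x, Q)

def extract_hx(tau_forged, tau, y, a, b, dphi):
    """h^x = (tau' * tau^{-1} * y^{-a*dphi})^{1/(b*dphi)}, exponents mod P."""
    t = tau_forged * pow(tau, -1, Q) * pow(y, (-a * dphi) % P, Q) % Q
    return pow(t, pow(b * dphi % P, -1, P), Q)

def demo():
    x, a, b = 77, 5, 9                       # constructed secrets
    h = pow(G, 123, Q)                       # CDH input h (constructed)
    y = pow(G, x, Q)
    omega = pow(G, a, Q) * pow(h, b, Q) % Q  # omega = g^a h^b
    blocks = [11, 22, 33, 44]                # constructed data blocks
    tags = [tag(m, x, omega) for m in blocks]
    chal = [(0, 3), (2, 7)]                  # (index i, coefficient pi_i)
    phi, tau = prove(blocks, tags, chal)
    honest = verify(blocks, chal, omega, x, phi, tau)
    # Stand-in for a successful Game 2 adversary: a proof that verifies with
    # phi' != phi. It is built with x only so the reduction has an input.
    phi_f = (phi + 1) % P
    tau_f = pow(base(blocks, chal, omega, phi_f), x, Q)
    forged = verify(blocks, chal, omega, x, phi_f, tau_f)
    hx = extract_hx(tau_f, tau, y, a, b, (phi_f - phi) % P)
    # With tau unchanged, a different phi does not verify.
    stale = verify(blocks, chal, omega, x, phi_f, tau)
    return honest, forged, hx == pow(h, x, Q), stale
```

`demo()` returns whether the honest proof verifies, whether the constructed forgery verifies, whether the extracted value equals \(h^x\), and whether a changed \(\varphi \) with the original \(\tau \) verifies.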

  • Game 3. Game 3 is the same as Game 2, with one difference. When the challenger responds to the ACF Queries made by the adversary, he keeps a list of all his responses. Then the challenger observes each instance of the challenge-response process with the adversary. If in any of these instances the adversary responds with a valid proof that makes the challenger accept, but the adversary’s data proof is not equal to \(\varphi =\sum \limits _{i\in I}\pi _i m_i\), which is the expected response that would have been obtained from an honest prover, the challenger declares reject and aborts.

Analysis. Again, let us describe some notation. Suppose the data file that causes the abort is divided into n blocks. Assume \(chal=\{i,\pi _i\}_{i\in I}\) is the query that causes the challenger to abort, and the adversary’s response to that query was

$$\begin{aligned} P'=\{\varphi ^{'},\tau ^{'},\{H(m_i),\varOmega _i\}_{i\in I},\gamma \}. \end{aligned}$$

Let the expected response be \(P=\{\varphi ,\tau ,\{H(m_i),\varOmega _i\}_{i\in I},\gamma \}\), among which the data proof should be \(\varphi =\sum \limits _{i\in I}\pi _i m_i\). Game 2 already guarantees that we have \(\tau ^{'} = \tau \). It is only the values of \(\varphi ^{'}\) and \(\varphi \) that can differ. Define \(\varDelta \varphi =\varphi ^{'}-\varphi \); again, it must be the case that \(\varDelta \varphi \) is nonzero.

We now show that if the adversary causes the challenger in Game 3 to abort with non-negligible probability, we can construct a simulator to solve the DL problem.

Given the values \(g,h \in G\) as inputs, the goal of the simulator is to output \(\alpha \) such that \(h=g^{\alpha }\). The simulator behaves like the challenger in Game 2 and interacts with the adversary as follows:

  1. When requested to store the data file which is divided into n blocks \(\{m_i\}_{1\le i \le n}\), the simulator first sets \(\omega =g^a h^b\) for \(a,b \in Z_p\). Then, it responds to the adversary according to the TagGen algorithm.

  2. The simulator continues interacting with the adversary until the adversary succeeds in responding with a data proof \(\varphi ^{'}\) that is not equal to the expected \(\varphi \). After receiving the valid proof \(P^{'}\) from the adversary, the simulator is able to compute

$$\begin{aligned} e(\prod \limits _{i\in I}H(m_i)^{\pi _i}\cdot \omega ^{\varphi ^{'}},y)=e(\tau ^{'},g)=e(\tau ,g)=e(\prod \limits _{i\in I}H(m_i)^{\pi _i}\cdot \omega ^{\varphi },y). \end{aligned}$$

From this equation, we have \(1=\omega ^{\varDelta \varphi }=(g^a h^b)^{\varDelta \varphi }\).

Thus, the solution to the DL problem has been found, that is \(h=g^{-\frac{a\varDelta \varphi }{b\varDelta \varphi }}\), unless the denominator is zero. However, \(\varDelta \varphi \) is not equal to zero, and since the value of b is chosen by the challenger and hidden from the adversary, the probability that \(b\varDelta \varphi = 0 \pmod p\) is only \(1/p\), which is negligible.

Therefore, if there is a non-negligible difference between the adversary’s probabilities of success in Game 2 and Game 3, we can construct a simulator that solves the DL problem by interacting with the adversary.

Wrapping Up. As analyzed above, the adversary’s probability of success differs only negligibly between the games Game i (\(i=1,2,3\)), provided that the tag generation scheme is existentially unforgeable and the CDH problem and the DL problem are hard in bilinear groups. This completes the proof of Theorem 1.    \(\square \)

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Yao, G., Li, Y., Lei, L., Wang, H., Lin, C. (2016). An Efficient Dynamic Provable Data Possession Scheme in Cloud Storage. In: Huang, X., Xiang, Y., Li, KC. (eds) Green, Pervasive, and Cloud Computing. Lecture Notes in Computer Science, vol 9663. Springer, Cham. https://doi.org/10.1007/978-3-319-39077-2_5

  • DOI: https://doi.org/10.1007/978-3-319-39077-2_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-39076-5

  • Online ISBN: 978-3-319-39077-2

  • eBook Packages: Computer Science, Computer Science (R0)
