Identity-Based Provable Data Possession with Designated Verifier from Lattices for Cloud Computing

Abstract

Provable data possession (PDP) is a technique that enables the verification of data integrity in cloud storage without the need to download the data. PDP schemes are generally categorized into public and private verification. Public verification allows third parties to assess the integrity of outsourced data, offering good openness and flexibility, but it may lead to privacy leakage and security risks. In contrast, private verification restricts the auditing capability to the data owner, providing better privacy protection but often resulting in higher verification costs and operational complexity due to limited local resources. Moreover, most existing PDP schemes are based on classical number-theoretic assumptions, making them vulnerable to quantum attacks. To address these challenges, this paper proposes an identity-based PDP with a designated verifier over lattices, utilizing a specially leveled identity-based fully homomorphic signature (IB-FHS) scheme. We provide a formal security proof of the proposed scheme under the small-integer solution (SIS) and learning with errors (LWE) within the random oracle model. Theoretical analysis confirms that the scheme achieves security guarantees while maintaining practical feasibility. Furthermore, simulation-based experiments show that for a 1 MB file and lattice dimension of n = 128, the computation times for core algorithms such as TagGen, GenProof, and CheckProof are approximately 20.76 s, 13.75 s, and 3.33 s, respectively. Compared to existing lattice-based PDP schemes, the proposed scheme introduces additional overhead due to the designated verifier mechanism; however, it achieves a well-balanced optimization among functionality, security, and efficiency.

1. Introduction

As information technology continues to advance rapidly, cloud computing has become a key component of modern information technology, particularly in the areas of data storage and processing, providing powerful support. As one of the core services of cloud computing, cloud storage enables users to store their local data on cloud servers, alleviating the storage burden on physical devices while enhancing the convenience and flexibility of data access [1,2]. However, as cloud storage becomes more widespread, outsourcing data to cloud service providers (CSPs) introduces security and integrity challenges.

One critical issue is ensuring the integrity of cloud-stored data. As cloud storage removes direct control over data, it exposes the data to potential attacks such as unauthorized tampering, malicious deletion, or even accidental damage due to hardware or software failures. Although users depend on CSPs to preserve data integrity, the cloud’s inherent openness and sharing raise significant issues regarding data security, privacy, and reliability. Whether due to malicious actions by CSPs or external attackers, there is a pressing need for robust mechanisms to ensure that outsourced data are properly stored and remain intact.

Real-world incidents further underscore this need. For example, during a six-month high-energy physics operation involving approximately 97 petabytes of data, CERN reported that about 128 megabytes had been irreversibly corrupted, raising concerns about the impact of even minor data degradation on scientific research outcomes [3]. In another case, Jeff Bonwick, creator of the ZFS file system, revealed that Greenplum—a high-performance database—experiences silent data corruption every 10 to 20 minutes without triggering system alerts. These cases illustrate that even in rigorously managed scientific and enterprise environments, data corruption can occur undetected, undermining both data reliability and decision making [3].

Traditional data integrity verification solutions, such as downloading the entire dataset for inspection, have become impractical due to the large data volumes involved and the high communication and computational costs [4]. To address this challenge, researchers have proposed various alternative approaches.

Among them, blockchain-based storage frameworks [5,6] leverage distributed ledgers and consensus protocols to achieve verifiability and tamper resistance. These schemes often utilize Merkle hash trees and smart contracts for auditability and state tracking. However, they typically suffer from high communication costs, significant computational overhead, and consensus-related delays, which limit their applicability in resource-constrained environments. On the other hand, coding techniques in edge computing [3,5] enhance data availability through redundant encoding and erasure coding, providing strong resilience against data loss or corruption. Nonetheless, these methods primarily focus on fault tolerance and recovery, and they lack fine-grained audit control or designated verifier mechanisms.

Intuitively, data owners can perform integrity verification tasks themselves, but this requires them to retrieve and check the data’s integrity individually, resulting in a significant communication and computational burden. To alleviate this burden, public auditing allows data users to delegate these tasks to a third-party auditor (TPA). Auditors can regularly check the integrity of outsourced data on behalf of the users. If the audit fails, the auditor quickly informs the user, indicating that the data may have been tampered with.

Although public auditing offers significant benefits, there are two main obstacles to its widespread application in cloud computing. On the one hand, many existing public auditing schemes [7,8,9,10,11] are based on traditional cryptographic hardness assumptions, which will be vulnerable to the emerging threats posed by quantum computing. With the inevitable rise of quantum computing, developing post-quantum secure auditing schemes becomes increasingly vital. On the other hand, current public auditing approaches depend on third-party auditors to verify data integrity. However, these schemes often demand significant computational resources from the auditors, as they involve intensive verification processes, including operations like bilinear pairings and modular exponentiations. These procedures place a heavy computational burden on auditors and create a performance bottleneck.

In addition to these challenges, the deployment of public auditing faces another security issue: public auditing may expose user privacy. Unauthorized third parties should not have access to sensitive user information. To protect data users’ privacy, users can designate a specific verifier to carry out data integrity checks.

In addition to existing security threats, the rapid development of quantum computing poses a fundamental challenge to data integrity verification mechanisms in cloud environments. Most widely adopted integrity verification methods are based on classical number-theoretic problems, such as integer factorization and discrete logarithms. However, these foundations are no longer secure in the face of quantum attacks—particularly because Shor’s algorithm [12] can efficiently solve these problems in polynomial time, rendering many cryptographic schemes that rely on them vulnerable. Once quantum computing becomes practical, existing integrity verification mechanisms will no longer provide long-term security guarantees, thereby seriously undermining the reliability and trustworthiness of cloud storage systems.

Consequently, designing data integrity verification mechanisms that are not only resistant to quantum attacks but also efficient in terms of computational, storage, communication, and transmission overhead has become a critical research direction for securing the next generation of cloud storage infrastructures.

1.1. Related Work

PDP is a practical method for verifying the outsourced data’s integrity, and it was first introduced by Ateniese et al. [13] based on the integer factorization hypothesis. PDP generates verifiable metadata during the data processing phase, which are then outsourced to the cloud service provider (CSP). Afterward, the verifier checks the data’s integrity by randomly sampling blocks. For instance, Ateniese and colleagues demonstrated that with a file containing 10,000 blocks, the verifier can achieve a 99% error detection rate by requesting proofs from just 460 randomly selected blocks [14].

Subsequently, a variety of PDP mechanisms have been developed to suit the diverse requirements of various cloud deployment environments, such as dynamic scenarios, batch verification, and privacy protection. For instance, Yuan et al. [15] developed a new dynamic PDP scheme with multiple replicas to verify the integrity of files stored by users across multiple CSPs. He et al. [7] introduced a PDP scheme for shared data that enables completely dynamic updates and ensures that verifier storage costs remain constant. Zhang et al. [16] tackled enterprise private cloud data sharing challenges by employing attribute-based signatures to design a revocable integrity auditing scheme under the SIS problem. Focusing on the key management issue, Zhang et al. [17] developed an identity-based public auditing scheme with key-exposure resistance based on lattices, which updates the user’s private key using lattice basis delegation while maintaining a constant key size. Wang et al. [18] designed an identity-based data integrity auditing scheme from the lattice method, ensuring forward security. In short, identity-based PDP schemes can simplify key management, thereby reducing the burden on both CSPs and data owners. Sasikala and Bindu [19] introduced a certificateless batch verification scheme over lattices designed to support integrity checking of multiple cloud-stored files. To address the inherent private key escrow problem and lower the overhead of managing public key certificates, Zhou et al. [8] developed a certificate-based PDP scheme under the square computational Diffie–Hellman (CDH) assumption. Zhang et al. [20] developed a revocable certificateless PDP scheme that preserves user identity privacy while also eliminating the key escrow and certificate management problems found in traditional approaches, supporting efficient user revocation.

The abovementioned schemes, referred to as public PDP schemes [21], allow anyone to verify data integrity without downloading the full data. In these schemes, the proofs produced by cloud servers can be validated by anyone.

In contrast to public PDP schemes, Shen and Tzeng [22] introduced a delegatable PDP scheme in 2011, enabling the data owner to create a delegation key for the designated verifier, which is then stored on the cloud server for later verification. The following year, Wang [23] introduced the concept of proxy PDP and provided a concrete construction, allowing users to delegate auditing authority to a proxy through a delegation warrant. In fact, both of the previously discussed methods fall under the category of PDP with designated verifier (DV-PDP) schemes. In the DV-PDP scheme, the user can designate a specific verifier (proxy) to conduct the outsourced data’s integrity verification on their behalf. However, both DV-PDP schemes [22,23] were demonstrated to be insecure by Ren et al. [24], as a dishonest cloud storage server could obtain the key information associated with the delegated verifier. Unfortunately, Zhang et al. [25] demonstrated that Ren et al.’s [24] scheme is insecure and vulnerable to forgery attacks. In 2017, Wu et al. [21] introduced the earliest non-repudiable DV-PDP scheme aimed at addressing the non-repudiation issue and reducing possible conflicts between users and CSPs. Zhang et al. [26] proposed a lattice-based designated verifier auditing scheme specifically designed for cloud-assisted wireless body area networks, which ensures that only the designated verifier is capable of verifying the integrity of outsourced medical data stored on the associated cloud server. To address the vulnerability of DV-PDP to replay attacks launched by malicious cloud servers, a remote data possession verification scheme with a designated verifier was proposed by Yan et al. [27] under the CDH assumption, ensuring that only the specified verifier can validate data integrity, while others are unable to do so. However, this approach depends on public key infrastructure technology and fails to tackle data privacy concerns. To address these limitations, Bian et al. [28] designed an identity-based remote data possession verification scheme based on the discrete logarithm and CDH assumptions, allowing data owners to designate a specific verifier.

1.2. Contribution

To address the challenge of constructing a post-quantum PDP scheme that supports both identity-based cryptosystem and designated verifier auditing, this paper proposes a lattice-based PDP framework tailored for secure and accountable cloud storage in the post-quantum era. The key contributions of this paper are summarized as follows:

• This paper proposes a novel identity-based PDP scheme that employs a specially leveled IB-FHS scheme to eliminate the complexity of traditional public key infrastructures, thereby simplifying key management.
• The proposed scheme introduces a designated verifier mechanism, ensuring that only authorized auditors can perform legitimate data integrity checks. This effectively mitigates the privacy risks associated with public verifiability and enhances the controllability and accountability of the auditing process.
• The scheme is proven secure under the SIS and LWE assumptions in the random oracle model, ensuring its resistance against quantum attacks.
• This paper conducts a comprehensive evaluation of the proposed scheme through theoretical analysis and simulation-based experiments, covering communication overhead, storage requirements, and computational cost. The experimental results under representative parameter settings demonstrate that the core algorithms maintain reasonable computation times. Compared to existing PDP schemes, although the introduction of a designated verifier mechanism leads to a certain increase in computational overhead, the proposed scheme achieves a well-balanced tradeoff between functionality and efficiency.

Overall, our work aims to construct an identity-based PDP with designated verifier scheme over lattices, offering quantum-resistant security and flexible auditing control. It is particularly suitable for cloud auditing scenarios that require authorization verification in a post-quantum setting.

1.3. Organization

The rest of this paper is organized as follows. Section 2 introduces the necessary preliminaries. Section 3 defines our PDP scheme and its security model. Section 4 presents the detailed construction of the proposed PDP scheme. Section 5 provides formal security analysis covering unforgeability, indistinguishability, and robustness. Section 6 offers a performance evaluation in terms of computation, storage, and communication. Finally, Section 7 provides the conclusion.

2. Preliminaries

2.1. Notation

In this paper, we apply some initial symbols, as shown in

Table 1. Symbol description.

Symbols	Definitions
$a\in {\mathbb{Z}}_q$	Random numbers on integer module q spaces
$\mathbf{z}\in {\mathbb{Z}}_q^n$	n-dimensional vectors on integer module spaces q
$\mathbf{Q}\in {\mathbb{Z}}_q^{n\times m}$	n-row m-column matrices on integer module q space
${\mathbf{Q}}^T$	Transpose matrix of $\mathbf{Q}$
$\tilde{\mathbf{Q}}$	Gram–Schmidt orthogonalization of a matrix $\mathbf{Q}$
$\parallel \mathbf{Q}\parallel$	Matrix $\mathbf{Q}$’ $l_2$-norm
$[·|·]$	Horizontal concatenation of vectors or matrices
$\left[t\right]$	Set $\{1,2,\cdots ,t\}$
$O(·)$	Asymptotic upper bound

.

2.2. Lattice

A lattice $\Lambda$ in ${\mathbb{R}}^m$ is a discrete additive subgroup generated by integer linear combinations of basis vectors. Given a matrix $\mathbf{A}=[{\mathbf{a}}_1|\cdots |{\mathbf{a}}_n]\in {\mathbb{R}}^{m\times n}$ with column vectors ${\mathbf{a}}_i$, the lattice is defined as

$$\Lambda =\left\{\sum _{i=1}^n{x}_i{\mathbf{a}}_i|x_i\in \mathbb{Z}\right\}\subseteq {\mathbb{R}}^m.$$

(1)

The value n is called the rank of $\Lambda$. If $n=m$, then $\Lambda$ is said to be full rank.

The dual lattice ${\Lambda }^{*}$ consists of all vectors $\mathbf{y}\in {\mathbb{R}}^m$ such that $\langle \mathbf{x},\mathbf{y}\rangle \in \mathbb{Z}$ for all $\mathbf{x}\in \Lambda$. When $\mathbf{A}$ is a basis of $\Lambda$, the basis of ${\Lambda }^{*}$ can be written as ${\mathbf{B}}^{*}=\mathbf{B}{\left({\mathbf{B}}^T\mathbf{B}\right)}^{-1}$.

In this paper, we focus on q-ary lattices, i.e., full-rank lattices that contain $q{\mathbb{Z}}^m$.

Definition 1

(q-ary lattice). Given $\mathbf{B}\in {\mathbb{Z}}^{n\times m},\mathbf{k}\in {\mathbb{Z}}_q^n$, the following definitions describe q-ary lattices:

$$\begin{array}{cc}\hfill {\Lambda }_q\left(\mathbf{B}\right)& :=\{\mathbf{a}\in {\mathbb{Z}}^m|\exists \mathbf{e}\in {\mathbb{Z}}_q^n\mathrm{such}\mathrm{that}{\mathbf{B}}^T\mathbf{e}=\mathbf{a}modq\},\hfill \\ \hfill {\Lambda }_q^{\perp }\left(\mathbf{B}\right)& :=\{\mathbf{a}\in {\mathbb{Z}}^m|\mathbf{Ba}=\mathbf{0}modq\},\hfill \\ \hfill {\Lambda }_q^{\mathbf{k}}\left(\mathbf{B}\right)& :=\{\mathbf{a}\in {\mathbb{Z}}^m|\mathbf{Ba}=\mathbf{k}modq\},\hfill \end{array}$$

(2)

where if $\mathbf{y}\in {\Lambda }_q^{\mathbf{k}}\left(\mathbf{B}\right)$, then ${\Lambda }_q^{\mathbf{k}}\left(\mathbf{B}\right)={\Lambda }_q^{\perp }\left(\mathbf{B}\right)+\mathbf{y}$.

Definition 2

(Gaussian distribution on lattice). Let $\mathbf{u}\in {\mathbb{R}}^m$ and $\phi \in \mathbb{R}$ define the following: ${\rho }_{\phi ,\mathbf{u}}\left(\mathbf{t}\right)=exp\left(\pi {\displaystyle \frac{{\parallel \mathbf{t}-\mathbf{u}\parallel }^2}{{\phi }^2}}\right)$ and ${\rho }_{\phi ,\mathbf{u}}(\Lambda )={\sum }_{\mathbf{t}\in \Lambda }{\rho }_{\phi ,\mathbf{u}}\left(\mathbf{t}\right)$. The discrete Gaussian distribution on lattice Λ, centered at $\mathbf{u}$ with parameter φ, is then given by $\forall \mathbf{y}\in \Lambda ,{\mathcal{D}}_{\Lambda ,\phi ,\mathbf{u}}\left(\mathbf{y}\right)={\displaystyle \frac{{\rho }_{\phi ,\mathbf{u}}\left(\mathbf{y}\right)}{{\rho }_{\phi ,\mathbf{u}}(\Lambda )}}$.

Lemma 1

(Leftover hash lemma [29]). Let $q>2,m>(n+1)logq+\omega (logn)$, $\mathbf{Q}\in {\{-1,1\}}^{m\times k}$, $\mathbf{J}\in {\mathbb{Z}}_q^{n\times m},\mathbf{B}\in {\mathbb{Z}}_q^{n\times k}$ be randomly selected matrices, where $k=k\left(n\right)$ is a polynomial. The distributions $(\mathbf{J},\mathbf{JQ},{\mathbf{Q}}^T\mathbf{d})$ and $(\mathbf{J},\mathbf{B},{\mathbf{Q}}^T\mathbf{d})$ are statistically indistinguishable for any vector $\mathbf{d}\in {\mathbb{Z}}^m$.

2.3. Trapdoor and Sample Algorithms from Lattices

We now present the algorithms used for trapdoor generation and lattice-based sampling. In our construction, the public key and master secret key are generated using the efficient randomized algorithm TrapGen. To derive private keys for the data owner and the designated verifier, we employ the SampleBasisLeft and NewBasisDel algorithms, respectively. For generating tags on data blocks, we utilize the SampleLeft algorithm.

Lemma 2

($TrapGen(1^n,1^m,q)$ [29]). Given $n\ge 1,q\ge 2,m=O(nlogq)$, we can obtain $(\mathbf{U},\mathbf{P})\leftarrow TrapGen(1^n,1^m,q)$, where the distribution of $\mathbf{U}\in {\mathbb{Z}}_q^{n\times m}$ is statistically close (within negligible distance in n) to uniform over ${\mathbb{Z}}_q^{n\times m}$, and $\mathbf{P}$ is $\mathbf{U}$’s trapdoor.

Definition 3

(Gadget matrix). Given $m=n·\lceil logq\rceil$, the gadget matrix $\mathbf{G}$ is defined as $\mathbf{G}=\mathbf{g}\otimes {\mathbf{I}}_n\in {\mathbb{Z}}_q^{n\times m}$, where $\mathbf{g}=(1,2,4,\cdots ,2^{\lceil logq\rceil })\in {\mathbb{Z}}_q^{\lceil logq\rceil }$. The inverse function ${\mathbf{G}}^{-1}:{\mathbb{Z}}_q^{n\times m}\to {\{0,1\}}^{m\times m}$ converts each entry $x\in {\mathbb{Z}}_q$ of matrix $\mathbf{A}$ into a column of its binary representation. For any $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, ${\mathbf{G}}_n·{\mathbf{G}}_n^{-1}\left(\mathbf{A}\right)=\mathbf{A}$.

Lemma 3

($SampleLeft(\mathbf{J},\mathbf{Q},\mathbf{P},\mathbf{k},s)$ [30]). Let us have $q\ge 2,m\ge n,s\ge \parallel \tilde{\mathbf{P}}\parallel ·\omega \left(\sqrt{log(m+m_1)}\right)$, matrices $\mathbf{J}\in {\mathbb{Z}}_q^{n\times m},\mathbf{Q}\in {\mathbb{Z}}^{n\times m_1}$, $\mathbf{J}$’s trapdoor $\mathbf{P}$, and vector $\mathbf{k}\in {\mathbb{Z}}_q^n$; then, we can get $\mathbf{e}\in {\mathbb{Z}}^{m+m_1}\leftarrow SampleLeft(\mathbf{J},\mathbf{Q},\mathbf{P},\mathbf{k},s)$, where $\mathbf{e}$ is distributed statistically close to ${\mathcal{D}}_{{\Lambda }_q^{\mathbf{k}}\left(\mathbf{J}\right|\mathbf{Q}),s}$. Accordingly, with the delegated algorithm $SampleBasisLeft(\mathbf{J},\mathbf{Q},\mathbf{P},s)$, it is possible to output ${\Lambda }_q^{\perp }\left(\mathbf{J}\right|\mathbf{Q})$’s basis as ${\mathbf{P}}_{\left(\mathbf{J}\right|\mathbf{Q})}$.

Lemma 4

($SampleRight(\mathbf{J},\mathbf{Q},\mathbf{H},{\mathbf{P}}_{\mathbf{Q}},\mathbf{k},s)$ [30]). For given $q>2,m>n$, $\mathbf{J}\in {\mathbb{Z}}_q^{n\times k},\mathbf{Q}\in {\mathbb{Z}}^{n\times m},\mathbf{H}\in {\mathbb{Z}}^{k\times m}$, $\mathbf{Q}$’s trapdoor ${\mathbf{P}}_{\mathbf{Q}}$ and $\mathbf{k}\in {\mathbb{Z}}_q^n$, we can get $\mathbf{c}\in {\mathbb{Z}}^{m+k}\leftarrow SampleRight(\mathbf{J},\mathbf{Q},\mathbf{H},$${\mathbf{P}}_{\mathbf{Q}},\mathbf{k},s)$, where $\mathbf{c}$ is statistically close to the distribution ${\mathcal{D}}_{{\Lambda }_q^{\mathbf{k}}\left(\mathbf{J}|\mathbf{JH}+\mathbf{Q}\right),s}$, $s>\parallel {\tilde{\mathbf{P}}}_{\mathbf{Q}}\parallel ·s_{\mathbf{H}}·\omega \left(\sqrt{logm}\right)$ and to $s_{\mathbf{H}}={sup}_{\parallel y\parallel =1}\parallel \mathbf{H}y\parallel$. Furthermore, with the delegated algorithm SampleBasisRight $(\mathbf{J},\mathbf{Q},\mathbf{H},{\mathbf{P}}_{\mathbf{Q}},s)$, it is possible to output ${\Lambda }_q^{\perp }\left(\mathbf{J}\right|\mathbf{JH}+\mathbf{Q})$’s basis as ${\mathbf{P}}_{\left(\mathbf{J}\right|\mathbf{JH}+\mathbf{Q})}$.

Lemma 5

($NewBasisDel(\mathbf{J},\mathbf{H},\mathbf{P},s)$ [31]). Given $q>2,m>2nlogq$, $\mathbf{J}\in {\mathbb{Z}}_q^{n\times m},\mathbf{H}\in {\mathcal{D}}_{m\times m}$, and $\mathbf{J}$’s trapdoor $\mathbf{P}$, we get ${\mathbf{P}}_{\mathbf{Q}}\leftarrow NewBasisDel(\mathbf{J},\mathbf{H},\mathbf{P},s)$, where ${\mathbf{P}}_{\mathbf{Q}}$ is ${\Lambda }_q^{\perp }(\mathbf{Q}={\mathbf{JH}}^{-1})$’s basis, $s>\parallel \tilde{\mathbf{P}}\parallel ·s_{\mathbf{H}}\sqrt{m}·\omega \left({log}^{3/2}m\right),s_{\mathbf{H}}=\sqrt{nlogq}·\omega \left(\sqrt{logm}\right)$, and ${\mathcal{D}}_{m\times m}$ follows the discrete Gaussian distribution ${\mathcal{D}}_{{\mathbb{Z}}^m,s_{\mathbf{H}}}$.

Lemma 6

($SampleRwithBasis\left(\mathbf{J}\right)$ [30]). Given $q>2,m>2nlogq,\mathbf{J}\in {\mathbb{Z}}_q^{n\times m}$, $SampleRwithBasis\left(\mathbf{J}\right)$ produces an invertible matrix $\mathbf{H}\in {\mathcal{D}}_{m\times m}$ and ${\Lambda }_q^{\perp }(\mathbf{Q}={\mathbf{JH}}^{-1})$’s basis ${\mathbf{P}}_{\mathbf{Q}}$, where $\parallel {\tilde{\mathbf{P}}}_{\mathbf{Q}}\parallel \le O\left(\sqrt{nlogq}\right)$.

Lemma 7

($SampleD(\mathbf{J},\mathbf{P},\mathbf{k},s)$ [29]). Given $\mathbf{J}\in {\mathbb{Z}}_q^{n\times m},\mathbf{k}\in {\mathbb{Z}}_q^n$, ${\Lambda }_q^{\perp }\left(\mathbf{J}\right)$’s basis $\mathbf{P}$, and $s=O\left(\sqrt{nlogq}\right)$, $SampleD(\mathbf{J},\mathbf{P},\mathbf{k},s)$ samples $\mathbf{v}\in {\mathbb{Z}}_q^n$ from the discrete Gaussian distribution ${\mathcal{D}}_{{\Lambda }_q^{\mathbf{k}}\left(\mathbf{J}\right),s·\omega \left(\sqrt{logn}\right)}$.

2.4. Hard Problems on Lattices

Definition 4

(${SIS}_{n,m,q,\beta }$ problem). Given $n,m,q,\beta$ and $q\ge \beta ·\left(\sqrt{nlogn}\right)$, the ${SIS}_{n,m,q,\beta }$ problem is to find a vector $\mathbf{k}\in {\mathbb{Z}}_q^n\setminus \left\{\mathbf{0}\right\}$ with $\parallel \mathbf{k}\parallel \le \beta$ such that $\mathbf{Bk}=\mathbf{0}$, where $\mathbf{B}\in {\mathbb{Z}}_q^{n\times m}$ is a uniform and random matrix. The average case ${SIS}_{n,m,q,\beta }$ problem is as difficult as solving the worst case ${GapSVP}_{\stackrel{\sim }{O}(\beta ·\sqrt{n})}$ [29].

Definition 5

(${LWE}_{n,m,q,\beta }$ problem). Given $n,m\ge n,q\ge 2$ and $\beta q>2\sqrt{n}$, then randomly select vectors $\mathbf{s}\in {\mathbb{Z}}_q^n,\mathbf{k}\in {\mathbb{Z}}_q^m$ and a uniform matrix $\mathbf{B}\in {\mathbb{Z}}_q^{n\times m}$, as well as sample a Gaussian vector $\mathbf{r}\leftarrow {\left({\mathcal{D}}_{{\mathbb{Z}}^m,\sqrt{2}\beta q}\right)}^m$, and the distributions $(\mathbf{B},{\mathbf{B}}^T\mathbf{s}+\mathbf{r})$ and $(\mathbf{B},\mathbf{k})$ are indistinguishable. The ${LWE}_{n,m,q,\beta }$ problem is as hard as SIVP under quantum reductions to within $O(n/\beta )$ [30].

For the LWE instance $(\mathbf{B},{\mathbf{B}}^T\mathbf{s}+\mathbf{r})$, if the Euclidean norm of $\mathbf{B}$’ trapdoor $\mathbf{P}$ is sufficiently small and if $\mathbf{r}$ follows a discrete Gaussian distribution, then $\mathbf{s}$ can be easily retrieved, as explained in [32]. It is important to note that ${\mathbf{P}}^T({\mathbf{B}}^T\mathbf{s}+\mathbf{r})(modq)={\left(\mathbf{BP}\right)}^T\mathbf{s}+{\mathbf{P}}^T\mathbf{r}(modq)$, where $\mathbf{P}$ and $\mathbf{r}$ both contain very small entries, and ${\mathbf{P}}^T\mathbf{r}(modq)={\mathbf{P}}^T\mathbf{r}$. Then, multiply by ${\left({\mathbf{P}}^T\right)}^{-1}$ to obtain $\mathbf{r}$. Moreover, we can easily recover $\mathbf{s}$.

2.5. Pseudo-Random Functions

For any $\ell \ge 1$, a pseudo-random function (PRF) is defined by a pair of the probabilistic polynomial-time (PPT) algorithms $\mathrm{PRF}=(\mathrm{PRF}.\mathrm{Gen},\mathrm{PRF}.\mathrm{Eval})$ as follows:

• $\mathrm{PRF}.\mathrm{Gen}\left(1^{\lambda }\right)$: Output a seed ${\phi }_1\in {\mathbb{Z}}_q^{*}$ under the security parameter $\lambda$.
• $\mathrm{PRF}.\mathrm{Eval}({\phi }_1,i)$: Given ${\phi }_1\in {\mathbb{Z}}_q^{*}$ and $i\in [\ell ]$, return ${\zeta }_i\in {\mathbb{Z}}_q$. For convenience, we use ${\mathrm{PRF}}_{{\phi }_1}(·)$ to represent the algorithm PRF.Eval, where ${\mathrm{PRF}}_{{\phi }_1}(·):{\mathbb{Z}}_q^{*}\times \{1,2,\cdots ,\ell \}\to \{{\zeta }_1,\cdots ,{\zeta }_{\ell }\}$.

2.6. Pseudo-Random Permutations

For any $\ell \ge 1$, a pseudo-random permutation (PRP) is defined by a pair of PPT algorithms $\mathrm{PRP}=(\mathrm{PRP}.\mathrm{Gen},\mathrm{PRP}.\mathrm{Eval})$ as follows:

• $\mathrm{PRP}.\mathrm{Gen}\left(1^{\lambda }\right)$: Output a seed ${\phi }_2\in {\mathbb{Z}}_q^{*}$ under the security parameter $\lambda$.
• $\mathrm{PRP}.\mathrm{Eval}({\phi }_2,i)$: Given ${\phi }_2\in {\mathbb{Z}}_q^{*}$ and $i\in [\ell ]$, return ${\psi }_i\in [\ell ]$. For convenience, we use ${\mathrm{PRP}}_{{\phi }_2}(·)$ to represent the algorithm PRP.Eval, where ${\mathrm{PRP}}_{{\phi }_2}(·):{\mathbb{Z}}_q^{*}\times \{1,2,\cdots ,\ell \}\to \{{\psi }_1,\cdots ,{\psi }_{\ell }\}.$

It should be noted that the elements in the set $\{{\psi }_1,\cdots ,{\psi }_{\ell }\}$ are distinct.

3. Framework of Our Provable Data Possession

3.1. System Model

The system model of our PDP scheme involves four primary entities: the key generation center (KGC), the data owner (DO), the CSP, and the designated verifier (DV). The PDP scheme comprises four entities, as depicted in Figure 1. Their roles and responsibilities are described as follows:

• KGC: The KGC is a globally trusted authority in the system. It is tasked with generating the public parameter and master secret key. In addition, the KGC produces the data owner and the designated verifier’s private keys based on their identities.
• DO: To reduce storage and management burdens, the data owner outsources their data to CSPs. Moreover, the data owner can specify a particular verifier who is exclusively authorized to perform integrity checks on the outsourced data.
• CSP: With ample computational resources and storage space, the CSP provides data storage services to users. However, it is untrusted, meaning it may delete or tamper with the outsourced data for its own benefit or deceive the user for reputation.
• DV: The designated verifier is a trusted entity explicitly appointed by the data owner to conduct data integrity verification. Unlike publicly verifiable schemes where any party can audit the data, the designated verifier model restricts the ability to verify to a specific, authorized party.

3.2. Syntax

The proposed PDP scheme $\Pi$ includes six algorithms: $\Pi =$ (Setup, KeyGenS, KeyGenV, TagGen, GenProof, and CheckProof). The following PPT algorithms constitute our PDP scheme:

• $\mathbf{Setup}(1^{\lambda },1^l)$: Given security parameter $\lambda$ and the maximum data blocks l, produce public parameter $params$ and master secret key $msk$. For simplicity, $params$ is implicitly treated as an input for the remaining algorithms.
• $\mathbf{KeyGenS}(msk,i{d}_A)$: Upon the input of master secret key $msk$ and the identity $i{d}_A$, produce the public/private key $(P{K}_A,S{K}_A)$ of the data owner.
• $\mathbf{KeyGenV}(msk,i{d}_B)$: Upon the input of master secret key $msk$ and the identity $i{d}_B$, produce the public/private key $(P{K}_B,S{K}_B)$ of the designated verifier.
• $\mathbf{TagGen}(P{K}_A,S{K}_A,P{K}_B,\mathbf{U})$: Given public keys $P{K}_A,P{K}_B$, secret key $S{K}_A$, and file $\mathbf{U}$, the data owner splits $\mathbf{U}$ into l blocks (with zero padding if needed), i.e., $\mathbf{U}:=({\mathbf{U}}_1,\cdots ,{\mathbf{U}}_l)$, where ${\mathbf{U}}_i\in {\mathbb{Z}}_q^{n\times n}$ for $i\in \left[l\right]$; return ${\Omega }^{id}={\left\{({\mathbf{U}}_i,{\mathbf{u}}_i)\right\}}_{i\in \left[l\right]}$, where $({\mathbf{U}}_i,{\mathbf{u}}_i)$ represents the i-th block–tag pair. Let ${\Omega }^{id}$ be the set of all block–tag pairs.
• $\mathbf{GenProof}(P{K}_A,P{K}_B,{\Omega }^{id},CH)$: Given public keys $P{K}_A,P{K}_B$, block–tag pairs ${\Omega }^{id}$, and the designated verifier’s challenge $CH$, return a PDP proof ${\Sigma }^{id}$.
• $\mathbf{CheckProof}(P{K}_A,P{K}_B,S{K}_B,CH,{\Sigma }^{id})$: Given public keys $P{K}_A,P{K}_B$, secret key $S{K}_B$, the challenge $CH$, and the PDP proof ${\Sigma }^{id}$, output 1 (accept) or 0 (reject).

In Figure 2, the algorithm shown below the entity name indicates that the entity is responsible for executing the algorithm. The dashed arrow indicates that the algorithm output is transmitted to the designated receiver.

Correctness: Given $(params,msk)\leftarrow \mathrm{Setup}(1^{\lambda },1^l)$, for all $msk,i{d}_A,i{d}_B,\mathbf{U},CH$, $(P{K}_A,S{K}_A)\leftarrow \mathbf{KeyGenS}(msk,i{d}_A)$, $(P{K}_B,S{K}_B)\leftarrow \mathbf{KeyGenV}(msk,i{d}_B)$, and ${\Omega }^{id}\leftarrow \mathbf{TagGen}(P{K}_A,S{K}_A,P{K}_B,\mathbf{U})$, if ${\Sigma }^{id}\leftarrow \mathbf{GenProof}(P{K}_A,P{K}_B,{\Omega }^{id},CH)$, then $\mathbf{CheckProof}(P{K}_A,P{K}_B,S{K}_B,CH,{\Sigma }^{id})=1$.

3.3. Security

The unforgeability proof shows that a malicious CPS, acting as an adversary, cannot deceive the designated verifier or pass the verification by submitting a forged response auditing proof.

For the scheme $\Pi$, the selectively unforgeable proof is defined by the game ${Exp}_{\mathcal{A}}\left(1^{\lambda }\right)$ between the PPT adversary $\mathcal{A}$ and the challenger $\mathcal{C}$. Let $i{d}_A,i{d}_B$ denote identities of Alice and Bob, respectively. The game is defined as follows:

• Initial: $\mathcal{A}$ announces to $\mathcal{C}$ the target identities $i{d}_{A^{*}}$ and $i{d}_{B^{*}}$, as well as a list of $\gamma$ messages ${\mathbf{U}}_1,\cdots ,{\mathbf{U}}_{\gamma }$ under the target identity $i{d}_{A^{*}}$ denoted as $\mathbf{U}:=\{{\mathbf{U}}_1,\cdots ,{\mathbf{U}}_{\gamma }\}$ for $0\le \gamma \le l$.
• Setup: $\mathcal{C}$ gets $(params,msk)\leftarrow \mathbf{Setup}(1^{\lambda },1^l)$ and provides $params$ to $\mathcal{A}$ while keeping $msk$ confidential.
• Key queries: $\mathcal{A}$ queries any identity $i{d}_A,i{d}_B$’s secret key (except $i{d}_{A^{*}},i{d}_{B^{*}}$). $\mathcal{C}$ gets $(P{K}_A,S{K}_A)$ using $\mathbf{KeyGenS}(msk,i{d}_A)$ and $(P{K}_B,S{K}_B)$ using $\mathbf{KeyGenV}(msk,i{d}_B)$ and then transmits them to $\mathcal{A}$.
• Block–tag queries: $\mathcal{A}$ sends $\mathbf{U}$ under the identity $i{d}_{A^{*}}$ to $\mathcal{C}$. $\mathcal{C}$ returns block–tag pairs ${\Omega }^{i{d}_{A^{*}}}={\left\{({\mathbf{U}}_i,{\mathbf{u}}_i^{i{d}_{A^{*}}})\right\}}_{i\in \left[\gamma \right]}\leftarrow \mathbf{TagGen}(P{K}_A,S{K}_A,P{K}_B,\mathbf{U})$ to $\mathcal{A}$.
• PDP proof queries: $\mathcal{A}$ transmits a challenge $CH$ limited to $\mathbf{U}$. Using ${\Omega }^{i{d}_{A^{*}}}$, $\mathcal{C}$ produces a PDP proof ${\Sigma }^{i{d}_{A^{*}}}\leftarrow \mathbf{GenProof}(P{K}_A,P{K}_B,{\Omega }^{i{d}_{A^{*}}},CH)$ and transmits it to $\mathcal{A}$.
• Challenge: $\mathcal{C}$ produces $C{H}^{i{d}_{A^{*}}}$ restricted to $\mathbf{U}$ and transmits it to $\mathcal{A}$.
• Forgery: $\mathcal{A}$ generates a forgery ${\widehat{\Omega }}^{i{d}_{A^{*}}}$.

$\mathcal{A}$ wins the game if either condition (1) or (2) is satisfied. These conditions are defined as follows:

(1) The PDP proof ${\widehat{\Omega }}^{i{d}_{A^{*}}}$ passes the verifier’s check.

(2) The PDP proof meets ${\widehat{\Omega }}^{i{d}_{A^{*}}}\ne {\Omega }^{id}$, where ${\Omega }^{id}$ is an honest PDP proof.

Let ${\mathrm{Adv}}_{\mathcal{A}}$ represent the advantage of $\mathcal{A}$ in winning the experiment based on the coin tosses of $\mathcal{A}$ and $\mathcal{C}$. This defines the security for our PDP scheme.

Definition 6

(Unforgeability). For given the security parameters λ and the maximum number of data blocks l, if no PPT adversary $\mathcal{A}$ can succeed in the game ${Exp}_{\mathcal{A}}\left(1^{\lambda }\right)$ with non-negligible probability, i.e., ${Adv}_{\mathcal{A}}$ is negligible, then the proposed scheme is considered selectively unforgeable.

4. Our Provable Data Possession Scheme

In this section, we propose an identity-based PDP with a designated verifier, which is constructed using leveled IB-FHS. Building upon the approach in [14], the proposed scheme introduces the designated verifier mechanism that ensures that only the designated verifier can check for data integrity. Specifically, we pre-encode the messages to be signed into matrix form, use the leveled IB-FHS in combination with the designated verifier’s public key information to produce signatures, and treat these signatures as tags for the file, which are then verified by the designated verifier. The lattice-based PDP scheme is constructed as follows.

Let $i{d}_A$ and $i{d}_B$ represent the identities of data owner Alice and designated verifier Bob, respectively. The hash function refers to the full-rank difference (FRD) map $H_1:{\mathbb{Z}}_q^n\to {\mathbb{Z}}_q^{n\times n}$ [29]. $H_2:{\{0,1\}}^{*}\to {\mathcal{D}}_{m\times m}$ and $H_3:{\{0,1\}}^{*}\times {\mathbb{Z}}_q^{n\times n}\to {\mathbb{Z}}_q^{2m\times m}$ are collision-resistant hash functions.

4.1. Construction

• $\mathbf{Setup}(1^{\lambda },1^l)$ is shown in Algorithm 1. Given the security parameter $\lambda$ and the maximum number of data blocks l, return the public parameters $params$ and the master secret key $msk$.

Algorithm 1: Setup $(1^{\lambda },1^l)$

Ensure:  $params$ and $msk$       1: Set $n=n(\lambda ,l),q=q(n,l),m_0=n(n,l)$, $m_1=n\lceil logq\rceil$ and $m=m_0+m_1$       2: Pick Gaussian parameters $s_1,s_2,s_3$       3: $({\mathbf{A}}_0,{\mathbf{T}}_{{\mathbf{A}}_0})\leftarrow TrapGen(1^n,1^{m_0},q)$       4: Sample random matrices ${\mathbf{A}}_1,\mathbf{B},{\left\{{\mathbf{D}}_i\right\}}_{i\in \left[l\right]}\in {\mathbb{Z}}_q^{n\times m_1}$ and ${\mathbf{A}}_2\in {\mathbb{Z}}_q^{n\times m}$       5: Return $params=({\mathbf{A}}_0,{\mathbf{A}}_1,{\mathbf{A}}_2,\mathbf{B},{\left\{{\mathbf{D}}_i\right\}}_{i\in \left[l\right]})$ and $msk={\mathbf{T}}_{{\mathbf{A}}_0}$

2.

$\mathbf{KeyGenS}(msk,i{d}_A)$ is shown in Algorithm 2. Given $msk$ and the identity $i{d}_A$, return the public key and secret key of Alice.

Algorithm 2:$\mathbf{KeyGenS}(msk,i{d}_A)$

Ensure:  $(P{K}_A,S{K}_A)$       1: Compute ${\mathbf{F}}_{i{d}_A}={\mathbf{A}}_1+H_1\left(i{d}_A\right)\mathbf{B}\in {\mathbb{Z}}_q^{n\times m_1}$       2: Set identity matrix ${\mathbf{A}}_{id}=\left[{\mathbf{A}}_0\right|{\mathbf{F}}_{i{d}_A}]\in {\mathbb{Z}}_q^{n\times m}$       3: Run $SampleBasisLeft({\mathbf{A}}_0,{\mathbf{F}}_{i{d}_A},{\mathbf{T}}_{{\mathbf{A}}_0},s_1)$ to obtain ${\mathbf{T}}_{{\mathbf{A}}_{id}}$, which is a basis of ${\Lambda }_q^{\perp }\left({\mathbf{A}}_0\right|{\mathbf{F}}_{i{d}_A})$, where $s_1\ge \parallel {\tilde{\mathbf{T}}}_{{\mathbf{A}}_0}\parallel ·\omega \left(\sqrt{logm}\right)$ according to Lemma 3       4: Return Alice’s public/secret key $(P{K}_A,S{K}_A)=({\mathbf{A}}_{id},{\mathbf{T}}_{{\mathbf{A}}_{id}})$

3.

$\mathbf{KeyGenV}(msk,i{d}_A,i{d}_B)$: Given $msk$ and the identities $i{d}_A,i{d}_B$, then run Algorithm 3 to return the public key and secret key of Bob.

Algorithm 3: $\mathbf{KeyGenV}(msk,i{d}_A,i{d}_B)$

Ensure:  $(P{K}_B,S{K}_B)$       1: Compute ${\mathbf{F}}_{i{d}_B}=H_2\left(i{d}_B\right)\in {\mathcal{D}}_{m\times m}$ and ${\mathbf{B}}_{id}={\mathbf{A}}_{id}{\mathbf{F}}_{i{d}_B}^{-1}\in {\mathbb{Z}}_q^{n\times m}$       2: Run $NewBasisDel({\mathbf{A}}_{id},{\mathbf{F}}_{i{d}_B},{\mathbf{T}}_{{\mathbf{A}}_{id}},s_2)$ to get ${\mathbf{T}}_{{\mathbf{B}}_{id}}$, where $s_2>\parallel {\tilde{\mathbf{T}}}_{{\mathbf{A}}_{id}}\parallel ·s_{\mathbf{H}}\sqrt{m}·\omega \left({log}^{3/2}m\right)$ and $s_{\mathbf{H}}=\sqrt{nlogq}·\omega \left(\sqrt{logm}\right)$ according to Lemma 6       3: Return Bob’s public/secret key $(P{K}_B,S{K}_B)=({\mathbf{B}}_{id},{\mathbf{T}}_{{\mathbf{B}}_{id}})$

4.

$\mathbf{TagGen}(P{K}_A,S{K}_A,P{K}_B,\mathbf{U})$ is shown in Algorithm 4. Upon inputting public keys $P{K}_A,P{K}_B$, secret key $S{K}_A$, and a file $\mathbf{U}$, Alice outputs $(\mathbf{U},{\Omega }^{id})$.

Algorithm 4:  $\mathbf{TagGen}(P{K}_A,S{K}_A,P{K}_B,\mathbf{U})$

Ensure:  $(\mathbf{U},{\Omega }^{id})$       1: Divide the file $\mathbf{U}$ into l blocks, each forming an $n\times n$ matrix over ${\mathbb{Z}}_q$ (padding with zeros if needed), i.e., $\mathbf{U}:=({\mathbf{U}}_1,\cdots ,{\mathbf{U}}_l)$, where ${\mathbf{U}}_i\in {\mathbb{Z}}_q^{n\times n}$ for $i\in \left[l\right]$       2: ${\mathbf{u}}_i^{id}\in {\mathbb{Z}}^{2m\times m_1}\leftarrow SampleLeft({\mathbf{A}}_{id},{\mathbf{A}}_2+{\mathbf{B}}_{id},{\mathbf{T}}_{{\mathbf{A}}_{id}},{\mathbf{D}}_i+{\mathbf{U}}_i\mathbf{G},s_3)$ such that $\left[{\mathbf{A}}_{id}\right|{\mathbf{A}}_2+{\mathbf{B}}_{id}]·{\mathbf{u}}_i^{id}={\mathbf{D}}_i+{\mathbf{U}}_i\mathbf{G}$, where $s_3\ge \parallel {\tilde{\mathbf{T}}}_{{\mathbf{A}}_{id}}\parallel ·\omega \left(\sqrt{log2m}\right)$       3: Let ${\Omega }^{id}={\left\{({\mathbf{U}}_i,{\mathbf{u}}_i^{id})\right\}}_{i\in \left[l\right]}=\{({\mathbf{U}}_1,{\mathbf{u}}_1^{id}),({\mathbf{U}}_2,{\mathbf{u}}_2^{id}),\cdots ,({\mathbf{U}}_l,{\mathbf{u}}_l^{id})\}$ as the block-tag pairs collection       4: Return  $(\mathbf{U},{\Omega }^{id})$

5.

$\mathbf{GenProof}(P{K}_A,P{K}_B,\mathrm{PRF},\mathrm{PRP},{\Omega }^{id},CH)$ is shown in Algorithm 5. Upon inputting public keys $P{K}_A,P{K}_B$, a pseudo-random function PRF, a pseudo-random permutation PRP, a block–tag pairs collection ${\Omega }^{id}$, and a query $CH=\left(\right|K|,{\phi }_1,{\phi }_2)$ submitted by Bob—where $\left|K\right|\in \left[l\right]$ represents the queried data blocks’ number, and ${\phi }_1,{\phi }_2\in {\mathbb{Z}}_q^{*}$—the CSP outputs ${\Sigma }^{id}=\{{\mu }^{id},{\mathbf{E}}^{id},{\mathbf{Q}}^{id}\}$.

Algorithm 5:  $\mathbf{GenProof}(P{K}_A,P{K}_B,\mathrm{PRF},\mathrm{PRP},{\Omega }^{id},CH)$

Ensure:  ${\Sigma }^{id}$       1: Let $K=\{1,2,\cdots ,|K\left|\right\}$ be a set, where $\left|K\right|$ represents the queried data blocks’ number       2: Compute $W={\mathrm{PRF}}_{{\phi }_1}\left(K\right)$, where $W=\{W_1,W_2,\cdots ,W_{\left|K\right|}\}$ and $W_j\in {\mathbb{Z}}_q$ for $j\in \left[\right|K\left|\right]$       3: Compute $V={\mathrm{PRP}}_{{\phi }_2}\left(K\right)$, where $V=\{V_1,V_2,\cdots ,V_{\left|K\right|}\}$ and $V_j\in K$ for $j\in \left[\right|K\left|\right]$       4: Compute ${\sigma }^{id}={\sum }_{j=1}^{\left|K\right|}{\mathbf{u}}_{V_j}^{id}{\mathbf{L}}_{W_j}$ and ${\mu }^{id}={\sum }_{j=1}^{\left|K\right|}{W}_j{\mathbf{U}}_{V_j}$, where ${\mathbf{GL}}_{W_j}=W_j\mathbf{G}$. Note that we have ${\mathbf{L}}_{W_j}={\mathbf{G}}^{-1}\left(W_j\mathbf{G}\right)\in {\{0,1\}}^{m_1\times m_1}$       5: Randomly select a matrix ${\mathbf{R}}^{id}\in {\mathbb{Z}}_q^{n\times n}$ and an error matrix ${\mathbf{S}}^{id}\in {\mathbb{Z}}_q^{n\times m}$       6: Compute ${\mathbf{Y}}^{id}=H_3({\mu }^{id},{\mathbf{R}}^{id})\in {\mathbb{Z}}_q^{2m\times m_1}$       7: Compute ${\mathbf{E}}^{id}={\sigma }^{id}+{\mathbf{Y}}^{id}\in {\mathbb{Z}}_q^{2m\times m_1}$       8: Compute ${\mathbf{Q}}^{id}={\mathbf{B}}_{id}^T{\mathbf{R}}^{id}+{{\mathbf{S}}^{id}}^T\in {\mathbb{Z}}_q^{m\times n}$       9: Return  ${\Sigma }^{id}=\{{\mu }^{id},{\mathbf{E}}^{id},{\mathbf{Q}}^{id}\}$

6.

$\mathbf{CheckProof}(P{K}_A,P{K}_B,S{K}_B,CH,{\Sigma }^{id})$: Upon inputting public keys $P{K}_A,P{K}_B$, secret key $S{K}_B$, a query $CH=\left(\right|K|,{\phi }_1,{\phi }_2)$, and a response ${\Sigma }^{id}$ from the CSP, Bob performs Algorithm 6.

Algorithm 6:  $\mathbf{CheckProof}(P{K}_A,P{K}_B,S{K}_B,CH,{\Sigma }^{id})$

Ensure:  1 (accept) or 0 (reject)       1: Compute ${\mathbf{T}}_{{\mathbf{B}}_{id}}^T{\mathbf{Q}}^{id}={\mathbf{T}}_{{\mathbf{B}}_{id}}^T({\mathbf{B}}_{id}^T{\mathbf{R}}^{id}+{{\mathbf{S}}^{id}}^T)={\mathbf{T}}_{{\mathbf{B}}_{id}}^T{{\mathbf{S}}^{id}}^{T}modq$       2: Compute ${{\mathbf{S}}^{id}}^T={\left({\mathbf{T}}_{{\mathbf{B}}_{id}}^{-1}\right)}^T{\mathbf{T}}_{{\mathbf{B}}_{id}}^T{\mathbf{Q}}^{id}$, then obtain ${\mathbf{R}}^{id}$ from ${\mathbf{Q}}^{id}$ and ${\mathbf{S}}^{id}$       3: Compute ${\sigma }^{id}={\mathbf{E}}^{id}-H_3\left({\mu }^{id},{\mathbf{R}}^{id}\right)\in {\mathbb{Z}}_q^{2m\times m_1}$       4: Compute $W=\{W_1,\cdots ,W_{\left|K\right|}\}={\mathrm{PRF}}_{{\phi }_1}\left(K\right)$       5: Compute $V=\{V_1,\cdots ,V_{\left|K\right|}\}={\mathrm{PRP}}_{{\phi }_2}\left(K\right)$       6: Compute ${\mathbf{D}}_{CH}={\sum }_{j=1}^{\left|K\right|}{\mathbf{D}}_{V_j}{\mathbf{L}}_{W_j}$, where ${\mathbf{L}}_{W_j}={\mathbf{G}}^{-1}\left(W_j\mathbf{G}\right)\in {\{0,1\}}^{m_1\times m_1}$       7: Return 1 (accept) if the verification equation $\left[{\mathbf{A}}_{id}\right|{\mathbf{A}}_2+{\mathbf{B}}_{id}]·{\sigma }^{id}={\mathbf{D}}_{CH}+{\mu }^{id}\mathbf{G}$ holds and $\parallel {\sigma }^{id}\parallel \le s_3\sqrt{2m{m}_1}$, otherwise return 0 (reject)

4.2. Correctness

The correctness of our PDP scheme holds if all parties—the data owner, CSP, and designated verifier—follow the prescribed construction. Specifically, the CSP generates the PDP proof using GenProof, and the designated verifier checks it with CheckProof.

Lemma 8

(Correctness). If the parties act honestly, the challenge–response will pass verification, ensuring that the proposed scheme meets correctness.

Proof. 

For each $j\in \left[\right|K\left|\right]$, $W_j\in {\mathbb{Z}}_q$, and $V_j\in K$, we obtain

$$\mathbf{A}{\sigma }_{V_j}^{id}={\mathbf{D}}_{V_j}+{\mathbf{M}}_{V_j}\mathbf{G},$$

(3)

and

$$\mathbf{A}{\sigma }_{V_j}^{id}{\mathbf{L}}_{W_j}=\mathbf{A}{\sigma }_{V_j}^{id}{\mathbf{G}}^{-1}\left(W_j\mathbf{G}\right),$$

(4)

where $\mathbf{A}=\left[{\mathbf{A}}_{id}\right|{\mathbf{A}}_2+{\mathbf{B}}_{id}]$.

Then, we have

$$\mathbf{A}{\sigma }_{V_j}^{id}{\mathbf{L}}_{W_j}={\mathbf{D}}_{V_j}{\mathbf{L}}_{W_j}+{\mathbf{M}}_{V_j}\mathbf{G}{\mathbf{G}}^{-1}\left(W_j\mathbf{G}\right)={\mathbf{D}}_{V_j}{\mathbf{L}}_{W_j}+W_j{\mathbf{M}}_{V_j}\mathbf{G}.$$

(5)

For all $j\in \left[\right|K\left|\right]$, we obtain

$$\sum _{j=1}^{\left|K\right|}\mathbf{A}{\sigma }_{V_j}^{id}{\mathbf{L}}_{W_j}=\sum _{j=1}^{\left|K\right|}{\mathbf{D}}_{V_j}{\mathbf{L}}_{W_j}+\sum _{j=1}^{\left|K\right|}{W}_j{\mathbf{M}}_{V_j}\mathbf{G}={\mathbf{D}}_{CH}+{\mu }_{id}\mathbf{G},$$

(6)

where ${\mathbf{D}}_{CH}={\sum }_{j=1}^{\left|K\right|}{\mathbf{D}}_{V_j}{\mathbf{L}}_{W_j}$.

Hence, the verification equation $\left[{\mathbf{A}}_{id}\right|{\mathbf{A}}_2+{\mathbf{B}}_{id}]·{\sigma }^{id}={\mathbf{D}}_{CH}+{\mu }^{id}\mathbf{G}$ holds. □

5. Security Analysis

5.1. Unforgeability

Assume that there exists an adversary $\mathcal{A}$, as defined in Section 3.3; we design an algorithm $\mathcal{B}$ that utilizes a forged but valid PDP proof provided by $\mathcal{A}$ to solve the ${SIS}_{n,m_0,q,\beta }$ problem. Let ${\mathbf{U}}^{\prime }:=\{{\mathbf{U}}_1^{\prime },\cdots ,{\mathbf{U}}_{\gamma }^{\prime }\}$ be the set (possibly empty) under the target identities $i{d}_{A^{*}}$ and $i{d}_{B^{*}}$, where $\mathcal{A}$ will generate a forgery with $0\le \gamma \le l$.

Theorem 1

(Unforgeability). If a malicious CSP (adversary) succeeds in the security game with overwhelming probability ${Adv}_{\mathcal{A}}$, then the ${\mathrm{SIS}}_{n,m_0,q,\beta }$ problem can also be solved with at least the same probability. Given the assumed hardness of the ${SIS}_{n,m_0,q,\beta }$ problem, the proposed scheme achieves selective unforgeability.

Proof. 

• Invocation: $\mathcal{B}$ is given a ${SIS}_{n,m_0,q,\beta }$ assumption’s random instance, i.e., ${\mathbf{A}}_0\in {\mathbb{Z}}_q^{n\times m_0}$, and is requested to return a solution $\mathbf{e}\in {\mathbb{Z}}^{m_0}\setminus \left\{\mathbf{0}\right\}$ with $\left|\right|\mathbf{e}\left|\right|\le \beta$ such that ${\mathbf{A}}_0\mathbf{e}=0modq$.
• Initial: $\mathcal{A}$ announces to $\mathcal{C}$ the target identities $i{d}_{A^{*}}$ and $i{d}_{B^{*}}$.
• Setup: $\mathcal{B}$ employs the algorithm outlined below, utilizing ${\mathbf{A}}_0$ from the SIS challenge as follows:
  • Set $n,m_0,m_1,q$, $m_1=n\lceil logq\rceil$ and $m=m_0+m_1$.
  • Let $s_1,s_2,s_3$ denote the Gaussian parameters.
  • $(\mathbf{B},{\mathbf{T}}_{\mathbf{B}})\leftarrow TrapGen(1^n,1^{m_1},q)$.
  • Randomly pick the matrices ${\mathbf{M}}_1$ from ${\{-1,1\}}^{m_0\times m_1}$, ${\mathbf{M}}_2$ from ${\{-1,1\}}^{m_0\times m}$, and ${\mathbf{M}}_3\in {\mathcal{D}}_{m\times m}$.
  • Set ${\mathbf{A}}_1={\mathbf{A}}_0{\mathbf{M}}_1-H_1\left(i{d}_{A^{*}}\right)\mathbf{B}$ and ${\mathbf{A}}_2={\mathbf{A}}_0{\mathbf{M}}_2-\left[{\mathbf{A}}_0|{\mathbf{A}}_0{\mathbf{M}}_1\right]{\mathbf{M}}_3^{-1}$.
  • Randomly sample ${\left[{\mathbf{u}}_{i,1}^{i{d}_{A^{*}}T}|{\mathbf{u}}_{i,2}^{i{d}_{A^{*}}T}\right]}^T\leftarrow {\left({\mathcal{D}}_{{\mathbb{Z}}^m,s_3}\right)}^{2m}$ for $i\in \left[\gamma \right]$ as “pre-signatures”, and then set

    $${\mathbf{D}}_i={\mathbf{A}}_{{id}_{A^{*}}}\left(\begin{array}{c}{\mathbf{u}}_{i,1}^{i{d}_{A^{*}}}\\ {\mathbf{u}}_{i,2}^{i{d}_{A^{*}}}\end{array}\right)-{\mathbf{U}}_i^{\prime }\mathbf{G},$$

    (7)

    where ${\mathbf{A}}_{{id}_{A^{*}}}=\left[\left({\mathbf{A}}_0|{\mathbf{A}}_0{\mathbf{M}}_1\right)|{\mathbf{A}}_0{\mathbf{M}}_2\right]={\mathbf{A}}_0\left[\left({\mathbf{I}}_{m_0}|{\mathbf{M}}_1\right)|{\mathbf{M}}_2\right]$.
  • Randomly pick $l-\gamma$ matrices ${\left\{{\mathbf{D}}_j\right\}}_{j\in \left[\right[l]\setminus [\gamma \left]\right]}\in {\mathbb{Z}}_q^{m\times m_1}$ for $j\in \left[l\right]\setminus \left[\gamma \right]$.
  • Output the public parameter $params=\left({\mathbf{A}}_0,{\mathbf{A}}_1,{\mathbf{A}}_2,\mathbf{B},{\left\{{\mathbf{D}}_i\right\}}_{i\in \left[l\right]}\right)$.
  The inquiry process of $\mathcal{B}$ simulation random oracle ${\mathrm{H}}_2$ and ${\mathrm{H}}_3$ is as follows. $\mathcal{B}$ initializes two empty lists $L_1$ and $L_2$. The following outlines the queries and steps:
• ${\mathrm{H}}_2$ queries. Upon inputting an identity $i{d}_B$, perform the following:
  • If $i{d}_B\ne i{d}_{B^{*}}$, there exists $H_2\left(i{d}_B\right)$ in list $L_1$; return $H_2\left(i{d}_B\right)={\mathbf{F}}_{i{d}_B}$ to $\mathcal{A}$. Otherwise, run the algorithm $SampleRwithBasis\left({\mathbf{A}}_{id}\right)$ to generate ${\mathbf{F}}_{i{d}_B}\in {\mathcal{D}}_{m\times m},{\mathbf{B}}_{id}={\mathbf{A}}_{id}{\mathbf{F}}_{i{d}_B}^{-1}\in {\mathbb{Z}}_q^{n\times m}$ and ${\Lambda }_q^{\perp }\left({\mathbf{B}}_{id}\right)$’s basis ${\mathbf{T}}_{{\mathbf{B}}_{id}}$, where ${\mathbf{A}}_{id}=\left[{\mathbf{A}}_0|{\mathbf{A}}_0{\mathbf{M}}_1\right]$. Then, store $\left(i{d}_B,{\mathbf{F}}_{i{d}_B},{\mathbf{B}}_{id},{\mathbf{T}}_{{\mathbf{B}}_{id}}\right)$ into list $L_1$ and return $H_2\left(i{d}_B\right)={\mathbf{F}}_{i{d}_B}$ to $\mathcal{A}$.
  • If $i{d}_B=i{d}_{B^{*}}$, then add $(i{d}_B,{\mathbf{M}}_3,{\mathbf{A}}_{id}{\mathbf{M}}_3^{-1},\perp )$ into list $L_1$ and return ${\mathrm{H}}_2\left(i{d}_{B^{*}}\right)={\mathbf{M}}_3$.
• Key Queries. Upon inputting identities $i{d}_A,i{d}_B$ (except $i{d}_{A^{*}},i{d}_{B^{*}}$), perform the following:
  • ${\mathbf{T}}_{{\mathbf{A}}_{id}}\leftarrow \mathrm{SampleBasisRight}({\mathbf{A}}_0,({\mathrm{H}}_1\left(i{d}_A\right)-{\mathrm{H}}_1\left(i{d}_{A^{*}}\right))\mathbf{B},{\mathbf{M}}_1,{\mathbf{T}}_{\mathbf{B}},s_1)$.
  • Search for $i{d}_B$ in $L_1$ and return the associated ${\mathbf{T}}_{\mathbf{B}}$.
  • Output $(P{K}_A,S{K}_A)=({\mathbf{A}}_{id},{\mathbf{T}}_{{\mathbf{A}}_{id}})$ and $(P{K}_B,S{K}_B)=({\mathbf{B}}_{id},{\mathbf{T}}_{{\mathbf{B}}_{id}})$.
• Block–tag pairs queries. Upon receiving the set ${\mathbf{U}}^{\prime }$ from $\mathcal{A}$, $\mathcal{B}$ responds with block–tag pairs ${\left\{({\mathbf{U}}_i^{\prime },{\mathbf{u}}_i^{\prime i{d}_{A^{*}}})\right\}}_{i\in \left[\gamma \right]}$, where ${\left\{{\mathbf{u}}_i^{\prime i{d}_{A^{*}}}\right\}}_{i\in \left[\gamma \right]}={\left\{{\left[{\mathbf{u}}_{i,1}^{i{d}_{A^{*}}T}\right|{\mathbf{u}}_{i,2}^{i{d}_{A^{*}}T}]}^T\right\}}_{i\in \left[\gamma \right]}$ are precomputed during Setup phase.
• ${\mathrm{H}}_3$ queries. Upon inputting ${\mu }^{id}$, perform the following:
  • If there exists ${\mu }^{id}$ in list $L_2$, return the corresponding value ${\mathbf{Y}}^{id}$ and ${\mathbf{Q}}^{id}$ to $\mathcal{A}$.
  • Otherwise, $\mathcal{B}$ randomly picks a matrix ${\mathbf{R}}^{id}\in {\mathbb{Z}}_q^{n\times n}$ and an error matrix ${\mathbf{S}}^{id}\in {\mathbb{Z}}_q^{n\times m}$, computes

    $${\mathbf{Y}}^{id}={\mathrm{H}}_3\left({\mu }^{id},{\mathbf{R}}^{id}\right),$$

    (8)

    and

    $${\mathbf{Q}}^{id}={\mathbf{B}}_{id}^T{\mathbf{R}}^{id}+{{\mathbf{S}}^{id}}^T,$$

    (9)

    and then adds $\left({\mu }^{id},{\mathbf{Y}}^{id},{\mathbf{Q}}^{id}\right)$ into $L_2$ and returns ${\mathbf{Y}}^{id}$ and ${\mathbf{Q}}^{id}$.
• PDP proof queries. $\mathcal{A}$ issues a challenge $CH=\left(\right|K|,{\phi }_1,{\phi }_2)$, limited to the set ${\mathbf{U}}^{\prime }$, where $\left|K\right|\in \left[\gamma \right]$ and ${\phi }_1,{\phi }_2\in {\mathbb{Z}}_q^{*}$. The challenger uses ${\left\{({\mathbf{U}}_i^{\prime },{\mathbf{u}}_i^{i{d}_{A^{*}}})\right\}}_{i\in \left[\gamma \right]}$ to produce a valid PDP proof ${\Sigma }^{{id}_{A^{*}}}=\{{\mu }^{{id}_{A^{*}}},{\mathbf{E}}^{{id}_{A^{*}}},{\mathbf{Q}}^{{id}_{A^{*}}}\}$ by running Algorithm 5 and transmits it to $\mathcal{A}$.
• Challenge. $\mathcal{B}$ generates a challenge $C{H}^{*}=\left(\right|K^{*}|,{\phi }_1^{*},{\phi }_2^{*})$ restricted to ${\mathbf{U}}^{\prime }$, where $0<|K^{*}|\le \gamma$ and ${\phi }_1^{*},{\phi }_2^{*}\in {\mathbb{Z}}_q^{*}$, and transmits it to $\mathcal{A}$.
• Forgery. $\mathcal{A}$ returns a forgery ${\widehat{\Sigma }}^{{id}_{A^{*}}}=\{{\widehat{\mu }}^{{id}_{A^{*}}},{\widehat{\mathbf{E}}}^{{id}_{A^{*}}},{\widehat{\mathbf{Q}}}^{{id}_{A^{*}}}\}$. If ${\widehat{\Sigma }}^{{id}_{A^{*}}}$ passes the verifier’s check with overwhelming probability ${\mathrm{Adv}}_{\mathcal{A}}$, then the Equation (10) holds, with ${\mathrm{Adv}}_{\mathcal{A}}$, as

  $${\mathbf{A}}_{i{d}_{A^{*}}}{\widehat{\sigma }}^{i{d}_{A^{*}}}={\mathbf{D}}_{CH}+{\widehat{\mu }}^{{id}_{A^{*}}}\mathbf{G},$$

  (10)

  where ${\mathbf{A}}_{{id}_{A^{*}}}=\left[\left({\mathbf{A}}_0|{\mathbf{A}}_0{\mathbf{M}}_1\right)|{\mathbf{A}}_0{\mathbf{M}}_2\right]={\mathbf{A}}_0\left[\left({\mathbf{I}}_{m_0}|{\mathbf{M}}_1\right)|{\mathbf{M}}_2\right]$ and ${\mathbf{D}}_{CH}={\sum }_{j=1}^{|K^{*}|}{\mathbf{D}}_{V_j}{\mathbf{L}}_{W_j}$.
  Let ${\Sigma }^{{id}_{A^{*}}}=\{{\mu }^{{id}_{A^{*}}},{\mathbf{E}}^{{id}_{A^{*}}},{\mathbf{Q}}^{{id}_{A^{*}}}\}$ be computed honestly. Here,

  $${\mu }^{{id}_{A^{*}}}=\sum _{j=1}^{|K^{*}|}{W}_j{\mathbf{U}}_{V_j}^{\prime },$$

  (11)

  $${\mathbf{E}}^{{id}_{A^{*}}}={\sigma }^{{id}_{A^{*}}}+H_3({\mu }^{{id}_{A^{*}}},{\mathbf{R}}^{{id}_{A^{*}}}),$$

  (12)

  and

  $${\mathbf{Q}}^{{id}_{A^{*}}}={\mathbf{B}}_{{id}_{A^{*}}}^T{\mathbf{R}}^{{id}_{A^{*}}}+{{\mathbf{S}}^{{id}_{A^{*}}}}^T,$$

  (13)

  where $W=\{W_1,\cdots ,W_{|K^{*}|}\}={\mathrm{PRF}}_{{\phi }_1^{*}}\left(K^{*}\right)$, and $V=\{V_1,\cdots ,V_{|K^{*}|}\}={\mathrm{PRP}}_{{\phi }_2^{*}}\left(K^{*}\right)$. Thus, we obtain

  $${\mathbf{A}}_{i{d}_{A^{*}}}{\sigma }^{i{d}_{A^{*}}}={\mathbf{D}}_{CH}+{\mu }^{{id}_{A^{*}}}\mathbf{G}.$$

  (14)
  Hence, we have

  $${\mathbf{A}}_{i{d}_{A^{*}}}({\widehat{\sigma }}^{i{d}_{A^{*}}}-{\sigma }^{i{d}_{A^{*}}})=({\widehat{\mu }}^{i{d}_{A^{*}}}-{\mu }^{i{d}_{A^{*}}})\mathbf{G},$$

  (15)

  which holds with overwhelming probability ${\mathrm{Adv}}_{\mathcal{A}}$.
  Next, we show that if adversary $\mathcal{A}$ succeeds in the security game with non-negligible advantage ${\mathrm{Adv}}_{\mathcal{A}}$, then challenger $\mathcal{B}$ can solve an instance of the ${\mathrm{SIS}}_{n,m_0,q,\beta }$ problem with at least the same probability.
  Let ${\widehat{\sigma }}^{{\mathit{id}}_{A^{*}}}={\left[{\widehat{\mathbf{u}}}_1^{{\mathit{id}}_{A^{*}}T}\right|{\widehat{\mathbf{u}}}_2^{{\mathit{id}}_{A^{*}}T}]}^T$ be the forged response produced by $\mathcal{A}$. Since ${\widehat{\Sigma }}^{{\mathit{id}}_{A^{*}}}\ne {\Sigma }^{{\mathit{id}}_{A^{*}}}$, at least one of the following must hold: (i) ${\widehat{\mu }}^{{\mathit{id}}_{A^{*}}}={\mu }^{{\mathit{id}}_{A^{*}}}$, where ${\widehat{\sigma }}^{{\mathit{id}}_{A^{*}}}\ne {\sigma }^{{\mathit{id}}_{A^{*}}}$; (ii) ${\widehat{\mu }}^{{\mathit{id}}_{A^{*}}}\ne {\mu }^{{\mathit{id}}_{A^{*}}},$ where ${\widehat{\sigma }}^{{\mathit{id}}_{A^{*}}}={\sigma }^{{\mathit{id}}_{A^{*}}}$; (iii) ${\widehat{\mu }}^{{\mathit{id}}_{A^{*}}}\ne {\mu }^{{\mathit{id}}_{A^{*}}},$ where ${\widehat{\sigma }}^{{\mathit{id}}_{A^{*}}}\ne {\sigma }^{{\mathit{id}}_{A^{*}}}$.
  We analyze the above cases:

  –

  Case 1: If the forged tag differs while the file block remains unchanged, then $\mathcal{B}$ outputs $\left[\left[{\mathbf{I}}_{m_0}\right|{\mathbf{M}}_1]{[{\widehat{\mathbf{u}}}_1^{i{d}_{A^{*}}T}-{\mathbf{u}}_1^{i{d}_{A^{*}}T}]}^T+{\mathbf{M}}_2{[{\widehat{\mathbf{u}}}_2^{i{d}_{A^{*}}T}-{\mathbf{u}}_2^{i{d}_{A^{*}}T}]}^T\right]$ as the ${\mathrm{SIS}}_{n,m_0,q,\beta }$ solution.

  –

  Case 2: If the file block differ but the tags are identical, then this contradicts Equation (15). Thus, this case is not possible.

  –

  Case 3: If both the file block and tag differ, then $\mathcal{B}$ outputs $[\left[{\mathbf{I}}_{m_0}\right|{\mathbf{M}}_1]{[{\widehat{\mathbf{u}}}_1^{i{d}_{A^{*}}T}-{\mathbf{u}}_1^{i{d}_{A^{*}}T}]}^T+{\mathbf{M}}_2{[{\widehat{\mathbf{u}}}_2^{i{d}_{A^{*}}T}-{\mathbf{u}}_2^{i{d}_{A^{*}}T}]}^T]{\mathbf{T}}_{\mathbf{G}}$ as the ${\mathrm{SIS}}_{n,m_0,q,\beta }$ solution, where ${\mathbf{T}}_{\mathbf{G}}$ is a short basis of ${\Lambda }_q\left(\mathbf{G}\right)$.

□

5.2. Indistinguishability

In addition to unforgeability, the proposed scheme also satisfies indistinguishability. This property simply means that the simulated experiment and the real algorithm are indistinguishable from the adversary’s perspective.

Theorem 2

(Indistinguishability). Let $\{params,P{K}_A,S{K}_A,P{K}_B,S{K}_B,{\Sigma }^{id}\}$ and $\{param{s}^{*},P{K}_A^{*},$$S{K}_A^{*},P{K}_B^{*},S{K}_B^{*},{\Sigma }^{{id}^{*}}\}$ be the outputs of the Setup, KeyGenS, KeyGenV, TagGen, and GenProof algorithms in real and simulated execution, respectively. We demonstrate that the two distributions are statistically indistinguishable.

Proof. 

The differences are as follows in the execution of the algorithm:

• Setup: In the real Setup algorithm, ${\mathbf{A}}_0\in {\mathbb{Z}}_q^{n\times m_0}$ and its trapdoor ${\mathbf{T}}_{{\mathbf{A}}_0}$ are obtained by using the TrapGen algorithm, and matrices $({\mathbf{A}}_1,{\mathbf{A}}_2,\mathbf{B},{\left\{{\mathbf{D}}_i\right\}}_{i\in \left[l\right]})$ are selected uniformly at random. In the simulated Setup algorithm, the SIS generator uniformly randomly selects ${\mathbf{A}}_0$ without its trapdoor. Define ${\mathbf{A}}_1={\mathbf{A}}_0{\mathbf{M}}_1-\mathrm{H}\left(i{d}_{A^{*}}\right)\mathbf{B}$ and ${\mathbf{A}}_2={\mathbf{A}}_0{\mathbf{M}}_2-\left[{\mathbf{A}}_0\right|{\mathbf{A}}_0{\mathbf{M}}_1]{\mathbf{M}}_3^{-1}$, where ${\mathbf{M}}_1\in {\{-1,1\}}^{m_0\times m_1}$, ${\mathbf{M}}_2\in {\{-1,1\}}^{m_0\times m}$ and ${\mathbf{M}}_3\in {\mathcal{D}}_{m\times m}$ are selected uniformly randomly. $\mathbf{B}$ is sampled using the Trapdoor algorithm. Additionally, set ${\mathbf{D}}_i=\left[\left({\mathbf{A}}_0\right|{\mathbf{A}}_0{\mathbf{M}}_1)\right|{\mathbf{A}}_0{\mathbf{M}}_2]\left[\begin{array}{c}{\mathbf{u}}_{i,1}^{id}\\ {\mathbf{u}}_{i,2}^{id}\end{array}\right]-{\mathbf{U}}_i\mathbf{G}$ for $i\in \left[\gamma \right]$, where ${\left[\begin{array}{c}{{\mathbf{u}}_{i,1}^{id}}^T|{{\mathbf{u}}_{i,2}^{id}}^T\end{array}\right]}^T\leftarrow {\left({\mathcal{D}}_{{\mathbb{Z}}^m,s_3}\right)}^{2m}$, and for $j\in \left[l\right]\setminus \left[\gamma \right]$, sample uniform random ${\mathbf{D}}_j\in {\mathbb{Z}}_q^{n\times m_1}$.
• KeyGenS: In real KeyGenS algorithm, the trapdoor ${\mathbf{T}}_{{\mathbf{A}}_{id}}$ of ${\mathbf{A}}_{id}$ is generated by running SampleBasisLeft. In the simulated KeyGenS algorithm, ${\mathbf{T}}_{{\mathbf{A}}_{id}}$ is produced using SampleBasisRight.
• KeyGenV: In real KeyGenV algorithm, the trapdoor ${\mathbf{T}}_{{\mathbf{B}}_{id}}$ of ${\mathbf{B}}_{id}$ is produced using NewBasisDel. In the simulated KeyGen algorithm, ${\mathbf{T}}_{{\mathbf{B}}_{id}}$ is generated using SampleRwithBasis.
• TagGen: In the real TagGen algorithm, ${\mathbf{u}}_i^{id}$ is generated using the SampleLeft algorithm where $i\in \left[l\right]$. In the simulated TagGen algorithm, ${\mathbf{u}}_i^{id}$ is pre-produced during the Setup phase.
• GenProof: In the real GenProof algorithm, ${\mathbf{R}}^{id}\in {\mathbb{Z}}_q^{n\times n}$ and ${\mathbf{S}}^{id}\in {\mathbb{Z}}_q^{n\times m}$ are uniformly selected randomly. ${\mathbf{u}}_i^{id}$ generated by the SampleLeft algorithm is used to produce ${\sigma }^{id}$, where $i\in \left[l\right]$. ${\Sigma }^{id}$ is then derived from ${\mathbf{R}}^{id},{\mathbf{S}}^{id}$ and ${\mathbf{u}}_i^{id}$. In the simulated GenProof algorithm, the matrix ${\mathbf{R}}^{id}=\left[{\mathbf{A}}_0\right|{\mathbf{A}}_0{\mathbf{M}}_1]{\mathbf{M}}_4$ for ${\mathbf{M}}_4\in {\{-1,1\}}^{m\times n}$, the matrix ${\mathbf{S}}^{id}={\left(\left[{\mathbf{A}}_0\right|{\mathbf{A}}_0{\mathbf{M}}_1]{\mathbf{M}}_5\right)}^T$ for ${\mathbf{M}}_5\in {\{-1,1\}}^{m\times m}$, and ${\mathbf{u}}_i^{id}$ are pre-produced during the Setup phase, and ${\Sigma }^{id}$ is obtained by using ${\mathbf{R}}^{id},{\mathbf{S}}^{id}$ and ${\mathbf{u}}_i^{id}$.

Now, we argue that the distribution $({\mathbf{A}}_0,{\mathbf{A}}_1,{\mathbf{A}}_2,\mathbf{B},{\left\{{\mathbf{D}}_i\right\}}_{i\in \left[l\right]})$ is statistically indistinguishable in both real and simulated executions. By Lemma 1, it has $({\mathbf{A}}_0,[{\mathbf{A}}_1|{\mathbf{A}}_2|{\mathbf{D}}_1|{\mathbf{D}}_2|\cdots |$${\mathbf{D}}_l)\approx ({\mathbf{A}}_0,[{\mathbf{A}}_0{\mathbf{M}}_1-\mathrm{H}\left(i{d}_A\right)\mathbf{B}|{\mathbf{A}}_0{\mathbf{M}}_2-\left[{\mathbf{A}}_0\right|{\mathbf{A}}_0{\mathbf{M}}_1]{\mathbf{M}}_3^{-1}|{\mathbf{D}}_1|{\mathbf{D}}_2|\cdots |{\mathbf{D}}_l\left]\right)$, where ${\mathbf{D}}_i=\left[{\mathbf{A}}_0\right|{\mathbf{A}}_0{\mathbf{M}}_1]{\mathbf{u}}_{i,1}^{id}+{\mathbf{A}}_0{\mathbf{M}}_2{\mathbf{u}}_{i,2}^{id}-{\mathbf{U}}_i\mathbf{G}$ for $i\in \left[\gamma \right]$, and ${\mathbf{D}}_j\in {\mathbb{Z}}_q^{n\times m_1}$ for $j\in \left[l\right]\setminus \left[\gamma \right]$. Here, ${\left[\begin{array}{c}{{\mathbf{u}}_{i,1}^{id}}^T|{{\mathbf{u}}_{i,2}^{id}}^T\end{array}\right]}^T\leftarrow {\left({\mathcal{D}}_{{\mathbb{Z}}^m,s_3}\right)}^{2m}$. In both executions, $(\mathbf{B},{\mathbf{T}}_{\mathbf{B}})$ is produced identically. Hence, the distribution of $({\mathbf{A}}_0,{\mathbf{A}}_1,{\mathbf{A}}_2,\mathbf{B},{\left\{{\mathbf{D}}_i\right\}}_{i\in \left[l\right]})$ is statistically indistinguishable in both cases.

For a key query on an identity $i{d}_A$, the algorithms SampleBasisLeft and SampleBasisRight are invoked to generate the corresponding trapdoor. By leveraging Lemmas 3 and 4, we ensure that the output of these algorithms is statistically close to a sample from the discrete Gaussian distribution ${\mathcal{D}}_{{\Lambda }_{\left({\mathbf{A}}_{id}\right),s_1}}$, assuming that the Gaussian parameter $s_1$ is chosen to be sufficiently large. This implies that the generated trapdoor is statistically independent of any specific structure or information leakage. Similarly, for another identity $i{d}_B$, the NewBasisDel and SampleRwithBasis algorithms are used to derive the trapdoor. According to Lemmas 5 and 6, their outputs are computationally and statistically indistinguishable, ensuring that no adversary can distinguish whether the trapdoor was generated in the real execution or through simulation. Thus, in both executions, ${\mathbf{T}}_{{\mathbf{A}}_{id}}\left({\mathbf{T}}_{{\mathbf{B}}_{id}}\right)$ is statistically indistinguishable.

According to Lemmas 3 and 4, the distributions of public parameters, public/secret keys for identities, and tags associated with challenge files are statistically indistinguishable in both the real and simulated executions. Therefore, an adversary cannot leverage these components to distinguish between the two settings.

For the GenProof algorithm in both executions, considering the secure hash function ${\mathrm{H}}_3$ and the LWE instance, the ${\Sigma }^{id}=\{{\mu }^{id},{\mathbf{E}}^{id},{\mathbf{Q}}^{id}\}$ values produced by the two executions are statistically close to uniform and random. □

5.3. Robustness

Theorem 3

(Robustness). Our scheme meets robustness if the LWE problem is hard.

Proof. 

We define robustness as the guarantee that only the designated verifier, authorized by the data owner, is capable of successfully validating the integrity of the data.

In the proposed scheme, the verifier-specific component of the proof response is defined as ${\mathbf{Q}}^{id}={\mathbf{B}}_{id}^T·{\mathbf{R}}^{id}+{\mathbf{S}}^{idT}$, which is an LWE instance based on the robustness assumption of the LWE problem.

Under the LWE assumption, the distribution of ${\mathbf{Q}}^{id}$ is indistinguishable from a uniformly random matrix over ${\mathbb{Z}}_q^{n\times m}$. Therefore, without knowledge of the designated verifier’s private key, it is infeasible for any adversary—including other verifiers, CSPs, or external attackers—to recover the underlying secret ${\mathbf{R}}^{id}$.

If such an adversary $\mathcal{A}$ could recover ${\mathbf{R}}^{id}$ from ${\mathbf{Q}}^{id}$ without being the designated verifier, this would imply that $\mathcal{A}$ can distinguish ${\mathbf{Q}}^{id}$ from random and invert the LWE function, thereby solving an instance of the LWE problem—contradicting our hardness assumption.

Therefore, under the assumption that LWE is hard, our scheme ensures that only the designated verifier can perform valid proof verification, satisfying the definition of robustness. □

5.4. Parameter Selection

Since the proposed PDP scheme is based on the trapdoor construction [33] and utilizes a specific leveled IB-FHS for signature generation, the parameter relationships were analyzed with these factors in mind. Following the computational formulas provided in [32,34], we derived the parameters of the scheme accordingly. The parameters are presented in

Table 2. Parameter set for Gaussian parameter $r=8$.

${\mathit{L}}_{\mathit{c}}$	0	0	0	1	1	5	10	15
$\lambda$	75	100	128	75	128	75	75	128
n	157	178	544	497	1127	1256	4624	11,912
m	4059	4610	26,099	26,828	94,618	143,088	1,747,591	8,814,469
$logq$	13	13	24	27	42	57	189	370

$L_c$—circuit depth; $\lambda$—a security parameter; $n,m$—the parameters employed in trapdoor function; q—a large integer.

, ensuring that the scheme achieved the specified level of security.

Although the SIS and LWE are widely considered hard problems for post-quantum cryptography, their security may be affected by unforeseen advances in quantum algorithms or future quantum computing capabilities. In such cases, it would be necessary to increase the lattice dimension n and the modulus q to maintain an adequate security level.

6. Performance Evaluation

6.1. Functionality Comparison

As presented in

Table 3. Functionality comparisons with related schemes.

	Items	IBC	Designated Verifier	Assumption	QAR
Schemes
Deng et al. (2023) [10]		✗	✗	DL	✗
Deng et al. (2024) [11]		✓	✗	CDH	✗
Luo et al. [14]		✓	✗	SIS	✓
Sasikala and Bindu [19]		✗	✗	SIS	✓
Wu et al. [21]		✗	✓	DL	✗
Yan et al. [27]		✗	✓	CDH	✗
Zhou et al. [35]		✓	✗	SIS	✓
Our Scheme		✓	✓	SIS, LWE	✓

IBC—identity-based cryptosystem; QAR—quantum attacks resistance; DL—discrete logarithm problem; ✓ indicates that the scheme has this feature; ✗ indicates that the scheme does not have this feature.

, several existing schemes, like Deng et al.’s (2023) [10], Wu et al.’s [21], and Yan et al.’s [27], do not incorporate an identity-based cryptosystem (IBC), thereby limiting their applicability in environments that demand streamlined identity management. Although Deng et al.’s (2024) [11], Luo et al.’s [14], and Zhou et al.’s [35] schemes support an IBC, they lack the capability for designated third-party auditing, which is crucial in applications such as cloud auditing—especially in scenarios where it is necessary to guard against potential malicious auditors tampering with or forging audit results.

With respect to security assumptions, certain schemes (e.g., [10,11,21,27]) rely on traditional number-theoretic problems like DL and CDH problems, which are potentially vulnerable in the presence of quantum adversaries. While schemes such as Luo et al.’s [14], Sasikala and Bindu’s [19], and Zhou et al.’s [35] adopt lattice-based hardness assumptions (e.g., SIS) and offer a degree of quantum resistance, they still fail to provide a complete set of functionalities, as none of them simultaneously support both IBC and feature a designated verifier.

In contrast, the PDP scheme proposed in this work offers a more comprehensive and well-balanced design. It supports both IBC and designated third-party validation, thereby enhancing its practical deployability and ensuring stronger accountability. Moreover, this scheme relies on the hardness of both the SIS and LWE problems, offering strong resistance against quantum attacks. Consequently, the proposed scheme theoretically exhibits strong resistance against quantum attacks while fulfilling advanced functional requirements, making it particularly suitable for practical deployment and applications.

6.2. Time and Space Complexity

Table 4. Time and space complexity comparisons with related scheme.

Schemes	Algorithms	Time Complexity	Space Complexity
Luo et al. [14]	TagGen	$O\left(l(n^2{m}_1+(m+m_1)m_1)\right)$	$O\left(l(n^2+(m+m_1)m_1)\right)$
	GenProof	$O\left(\right|K\left|(n^2+(m+m_1)m_1^2)\right)$	$O\left(\right|K\left|(n^2+(m+m_1)m_1)\right)$
	CheckProof	$O\left(\right|K\left|((m+m_1)m_1^2+n{m}_1)\right)$	$O((m+m_1)+n{m}_1+|K\left|\right)$
Our Scheme	TagGen	$O\left(ln{m}_1^2\right)$	$O\left(l(n^2+n{m}_1)\right)$
	GenProof	$O\left(\right|K|n^2+nm)$	$O\left(\right|K|(n^2+m_1)+nm)$
	CheckProof	$O\left(\right|K|m{m}_1+(m+m_1)m_1)$	$O\left(\right|K|+m{m}_1+n^2)$

$m_1=n\lceil logq\rceil$; l—the maximum number of data blocks; $\left|K\right|$—the number of the queried data blocks.

presents a comparison between our scheme and the scheme by Luo et al. [14] in terms of time and space complexity across three core phases: TagGen, GenProof, and CheckProof. This comparison aims to quantitatively evaluate the computational efficiency and resource consumption of different designs.

In the TagGen phase, the time complexity of our scheme is $O\left(ln{m}_1^2\right)$, and the space complexity is $O\left(l(n^2+n{m}_1)\right)$. By contrast, the scheme by Luo et al. [14] exhibits a time complexity of $O\left(l(n^2{m}_1+(m+m_1)m_1)\right)$ and a space complexity of $O\left(l(n^2+(m+m_1)m_1)\right)$. Our scheme incurs lower computational and storage overhead in the TagGen phase, making it especially suitable for efficient large-scale data tag generation.

Moreover, in the GenProof and CheckProof phases, our scheme incorporates a designated verifier mechanism, which embeds verifier identity information into authentication tags and proofs, thereby enabling control over verification rights. This mechanism ensures that only authorized verifiers can perform verification, significantly enhancing the system’s support for controlled auditability.

Although this mechanism introduces additional structure and computation—leading to slightly higher complexity in the GenProof and CheckProof phases compared to the Luo et al. [14] scheme—the overall complexity remains within a practical polynomial range. The overhead remains moderate under typical parameters. In summary, our scheme achieves a well-balanced tradeoff between enhanced security capabilities and acceptable computational cost, offering both flexibility and efficiency.

6.3. Communication and Storage Cost

As shown in

Table 5. Communication and storage comparisons with related schemes.

	Items	PK + SK Size	Tag Size	Proof Size
Schemes
Luo et al. [14]		$(nm+n{m}_1+m{m}_1)logq$	$(m+m_1)m_{1}logq$	$(n^2+(m+m_1)m_1)logq$
Sasikala and Bindu [19]		$(nm+m^2)logq$	$mlogq$	$(n+2m)logq$
Zhou et al. [35]		$(nm+m^2+2\overline{l}m)logq$	$mlogq$	$(n+2m)logq$
Our Scheme		$(nm+m^2)logq$	$2m{m}_{1}logq$	$(n^2+(n+2m_1)m)logq$

PK—public key; SK—secret key; $m=m_1+m_0$; $m_1=n\lceil logq\rceil$; $\overline{l}$—the bit length of a file block.

, we evaluated the communication and storage overhead of our scheme in comparison with several lattice-based PDP constructions, focusing on public and secret key (PK + SK) size, tag size, and proof size. The findings indicate that our scheme achieves a balanced tradeoff between efficiency and functionality.

In terms of key size, our scheme requires $(nm+m^2)logq$ bits, which matches the construction proposed by Sasikala and Bindu [19] and is smaller than those by Luo et al. [14] and Zhou et al. [35], demonstrating efficient storage without compromising functionality. Regarding tag size, our design incurs $2m{m}_{1}logq$, which is slightly larger than that in Sasikala and Bindu’s [19] work and the approach by Zhou et al. [35], but remains considerably smaller than the quadratic growth in Luo et al.’s scheme [14], striking a balance between efficiency and security. With respect to proof size, our scheme requires $(n^2+(n+2m_1)m)logq$ bits, which is larger than the proof sizes in Sasikala and Bindu’s [19] and Zhou et al.’s [35] designs, but still more efficient than the construction proposed by Luo et al. [14]. Notably, the increased proof size in our design stems primarily from the incorporation of a designated verifier mechanism. This feature enhances privacy and accountability in audit scenarios, thus slightly increasing the communication cost during the proof generation phase.

In summary, the proposed scheme maintains reasonable efficiency while supporting IBS, designated third-party validation, and post-quantum security. It demonstrates strong practicality and is particularly well suited for secure cloud storage applications in the post-quantum era.

6.4. Computation Cost

In this section, we present the experiments conducted to evaluate the proposed PDP scheme, which were executed using MATLAB 2020b on a system with an Intel(R) Core(TM) i5-13500H processor (2.60 GHz) and 16GB of RAM. The file size M used in the experiments was approximately 1MB.

The computation cost for the proposed PDP scheme algorithms (TagGen, GenProof, and CheckProof) was assessed for different lattice dimensions—denoted by n. For a file of size $M\approx 1$ MB, when $n=128$, the corresponding number of data blocks came out to 21, and when $n=256$, the number of data blocks came out to 5. The designated verifier can challenge all the data blocks to achieve a detection probability of $100\%$.

The results of the computation time for $n=128$ and $n=256$ are shown in

Table 6. Computation cost (s).

	Algorithms	TagGen	GenProof	CheckProof
n
128		20.76	13.75	3.33
256		36.66	30.67	5.17

. Figure 3 illustrates the computation time of the TagGen, GenProof, and CheckProof algorithms with respect to the number of data blocks. As shown in the figure, both the TagGen and GenProof algorithms exhibited a linear increase in computation time as the number of data blocks grew. Notably, in the CheckProof algorithm, the verifier could compute the matrix ${\mathbf{D}}_{CH}$ offline, which helped reduce the verification time. As a result, the computation time for CheckProof remained relatively stable even as the number of data blocks increased.

Compared with existing PDP schemes based on various insecure number-theoretic assumptions, the proposed PDP scheme requires larger parameters, including public and private keys, and exhibits higher computational costs. However, it offers promising potential for post-quantum cryptography. Compared with existing lattice-based PDP schemes, the additional overhead primarily stems from the introduction of the designated verifier mechanism. Moreover, in certain practical applications and implementations, the proposed scheme inherits the same limitations as the leveled FHS scheme—namely, suboptimal performance.

7. Conclusions

This paper presents a lattice-based PDP scheme that incorporates a designated verifier using a leveled IB-FHS. The scheme was proven secure under SIS and LWE assumptions in the random oracle model, confirming its theoretical soundness and feasibility. We have also evaluated the effectiveness and practicality of the proposed scheme through performance comparisons with existing PDP schemes in terms of computation, storage, and communication cost. The results demonstrate that our approach achieves a favorable balance between security and efficiency, making it well suited for authorization-based cloud storage auditing scenarios.

However, we also acknowledge several limitations that merit further exploration. First, compared to traditional PDP schemes, the increased computational overhead of the proposed construction is primarily attributable to its reliance on lattice-based cryptography and the inclusion of a designated verifier mechanism. Second, the current design is centered around a designated verifier and does not consider the complexities introduced by multi-tenant cloud environments, where ensuring data isolation and enforcing fine-grained access control among tenants are essential. Third, although the scheme includes theoretical performance estimates, real-world deployment may involve additional overhead and integration challenges that require practical validation. Furthermore, transitioning the construction to the standard model remains an important and meaningful direction for enhancing its theoretical robustness. As future work, we plan to (1) optimize the efficiency of the core algorithms to reduce computational costs; (2) extend the proposed scheme to support secure auditing in multi-tenant cloud settings with proper isolation mechanisms and delegated verification control; and (3) develop a standard model instantiation to eliminate reliance on idealized cryptographic assumptions.