Paper 2013/392

Efficient Simultaneous Privately and Publicly Verifiable Robust Provable Data Possession from Elliptic Curves

Christian Hanser and Daniel Slamanig


When outsourcing large sets of data to the cloud, it is desirable for clients to efficiently check whether all outsourced data is still retrievable at any later point in time without having to download all of it. Provable data possession (PDP) and proofs of retrievability (PoR), for which various constructions exist, are concepts that address this issue. Interestingly, to date, no PDP/PoR scheme leading to an efficient construction supporting both private and public verifiability simultaneously is known. In particular, this means that up to now all PDP/PoR schemes allow either public or private verifiability exclusively, since different setup procedures and metadata sets are required. However, supporting both variants simultaneously seems interesting, as publicly verifiable schemes are far less efficient than privately verifiable ones. In this paper, we propose the first simultaneous privately and publicly verifiable (robust) PDP protocol, which allows the data owner to use the more efficient private verification and anyone else to run the public verification algorithm. Our construction, which is based on elliptic curves, achieves this because it uses the same setup procedure and the same metadata set for private and public verifiability. We provide a rigorous security analysis and prove our construction secure in the random oracle model under the assumption that the elliptic curve discrete logarithm problem is intractable. We give detailed comparisons of our proposed scheme with the most efficient existing approaches for either private or public verifiability in terms of storage and communication overhead, as well as computational effort for the client and the server. Our analysis shows that for choices of parameters that are relevant for practical applications, our construction outperforms all existing privately and publicly verifiable schemes significantly. This means that even when our construction is used for either private or public verifiability alone, it still outperforms the most efficient constructions known, which is particularly appealing in the public verifiability setting.

Note: minor bug

Category
Cryptographic protocols
Publication info
Published elsewhere. SECRYPT'13
Keywords
Provable data possession, proofs of retrievability, remote data checking, outsourced storage, elliptic curves, ECDLP, provable security
Contact author(s)
chanser @ iaik tugraz at
2013-07-25: last of 3 revisions
2013-06-18: received
Creative Commons Attribution

