Cryptographic proofs for remote storage: models and construction


SLIDE 1

Cryptographic proofs for remote storage: models and construction

Julien Lavauzelle¹, Françoise Levy-dit-Vehel¹,²

¹ LIX & INRIA Saclay, Université Paris-Saclay
² ENSTA ParisTech

Journées codage & cryptographie 2018, Aussois, France
12/10/2018

SLIDE 2

  1. Proofs-of-* for secure remote storage
  2. A generic construction of proof-of-retrievability
       ◮ Model and definition
       ◮ A generic construction of PoR
       ◮ Some instances

J. Lavauzelle — Cryptographic proofs for remote storage: models and construction JC2 2018


SLIDE 5

Informal issue

Checking storage properties on remote servers, e.g. verifying that:
◮ the server actually stores the file,
◮ the server has fully deleted some data,
◮ a file is retrievable from the server,
◮ some space is used/available on a server.

Practical application:
◮ cryptocurrency based on a decentralized cloud storage network
◮ Storj, FileCoin, SpaceMint.


SLIDE 10

PoR and PDP

Proof of Retrievability (PoR)¹: a verifier checks extractability of a file m.

Initialisation
    Verifier:            κ ← KeyGen(1^λ), w ← Init(m, κ)
    Verifier → Prover:   w
    Verifier:            delete m, (most of) w
Verification
    Verifier:            u ←_R Q
    Verifier → Prover:   u
    Prover:              r_u ← Resp(u, w)
    Prover → Verifier:   r_u
    Verifier:            0/1 ← Check(u, r_u, κ)
Extraction
    Prover → Verifier:   {(u, r_u) : u ∈ Q}
    Verifier:            m/⊥ ← Extract({(u, r_u) : u ∈ Q}, κ)

A Proof of Data Possession (PDP) is essentially a PoR without explicit extractor.

¹ introduced in PoRs: Proofs of Retrievability for Large Files, Juels, Kaliski, CCS'07


SLIDE 13

Other proofs for remote storage

Proving deletion of data:
◮ Proof of Secure Erasure (PoSE)² [One-time computable self-erasing functions, Dziembowski, Kazana, Wichs, TCC'11]

Proving that some space/time is invested:
◮ Proof of Space (PoS) [Proofs of Space, Dziembowski, Faust, Kolmogorov, Pietrzak, CRYPTO'15]

Proving robust storage:
◮ Proof of replication (PoReP), e.g. in FileCoin
◮ With public audit: public incompressible encodings (PIE) [Cecchetti, Miers, Juels, IACR eprint'18]

² originally introduced by Perito and Tsudik, Secure code update for embedded devices via proofs of secure erasure (ESORICS 2010)


SLIDE 17

Formal definitions for PoRs

Initialisation
    Verifier:            κ ← KeyGen(1^λ), w ← Init(m, κ)
    Verifier → Prover:   w
    Verifier:            delete m, w
Verification
    Verifier:            u ←_R Q
    Verifier → Prover:   u
    Prover:              r_u ← Resp(u, w)
    Prover → Verifier:   r_u
    Verifier:            0/1 ← Check(u, r_u, κ)
Extraction
    Prover → Verifier:   {(u, r_u)}
    Verifier:            m/⊥ ← Extract(r, κ)

Hypothesis (following [Paterson, Stinson, Upadhyay, J. Math. Crypto.'13]): the response algorithm Resp is non-adaptive and deterministic.
⇒ One can consider the response word r = (r_u : u ∈ Q).


SLIDE 20

Security model

For some response word r and secret data κ, we define the success:

    succ(r, κ) := Pr_{u ←_R Q} ( Check(u, r_u, κ) = 1 ) .

Soundness. A PoR is (ε, τ)-sound if for every prover r,

    Pr [ Extract(r, κ) ≠ m and succ(r, κ) ≥ 1 − ε  |  m ←_R M, κ ←_R KeyGen(1^λ), w ← Init(m, κ), r ← Resp(·, w) ] ≤ τ .

Goal: τ ≪ 1, for constant ε > 0.


SLIDE 23

Outline

Our main goals
◮ sublinear communication complexity for the verification
◮ low additional storage
◮ little computation during the verification step (e.g. Resp and Check)
◮ analysable/quantifiable soundness

Overview of the solution

Let C ⊆ F_q^n be a code with "many well-distributed low-weight parity-check equations".
◮ Initialisation:
    1. encode the file m into a codeword c ∈ C
    2. apply symbol-wise F_q-permutations to the codeword c, leading to a file w ∈ F_q^n
◮ The user verifies that w satisfies the permuted low-weight parity-check equations induced by C


SLIDE 26

Verification structures

◮ C ⊆ F_q^n a code
◮ Q a set of ℓ-subsets of [1, n]
◮ R : Q × F_q^n → F_q^ℓ, (u, w) ↦ w|_u

Let V : Q × F_q^ℓ → F_q^s for some s ≥ 1. We say that (Q, V) is a verification structure for C if:
    1. for all i ∈ [1, n], there exists u ∈ Q such that i ∈ u;
    2. for all u ∈ Q, the map a ↦ V(u, R(u, a)) is surjective and ∀c ∈ C, V(u, R(u, c)) = 0 .

Notation:
◮ V is the verification map for C, and Q is a query set for C.
◮ R(w) := (R(u, w) : u ∈ Q) ∈ (F_q^ℓ)^Q,
◮ R(C) := {R(c), c ∈ C} is called the response code of C.


SLIDE 30

Example

Let C ⊆ F_2^7 be the binary [7, 3, 4] Hadamard code.

n = 7, ℓ = 3, s = 1

(non full-rank)

        1 1 1 0 0 0 0
        1 0 0 1 1 0 0
        1 0 0 0 0 1 1
    H = 0 1 0 0 1 1 0
        0 1 0 1 0 0 1
        0 0 1 1 0 1 0
        0 0 1 0 1 0 1

Q = {{1, 2, 3}, {1, 4, 5}, {1, 6, 7}, {2, 5, 6}, {2, 4, 7}, {3, 4, 6}, {3, 5, 7}} .

Verification map V : Q × F_2^3 → F_2 defined by V(u, b) = Σ_{i=1}^{3} b_i.

The response word r = R(c) ∈ (F_2^3)^7 is:

    r = ( (c_1, c_2, c_3), (c_1, c_4, c_5), (c_1, c_6, c_7), (c_2, c_5, c_6), (c_2, c_4, c_7), (c_3, c_4, c_6), (c_3, c_5, c_7) ) .


SLIDE 34

The PoR construction

  • Key generation:
        κ := σ = (σ_1, . . . , σ_n) ←_R S(F_q)^n
  • Initialisation:
        Init(m, σ) : m ∈ F_q^k ↦ c ∈ C ↦ w = σ(c) ∈ F_q^n
  • Verification:
        1. Challenge u = {u_1, . . . , u_ℓ} ←_R Q.
        2. The prover must send back r_u := w|_u ∈ F_q^ℓ.
        3. Check(u, r_u, σ) := 1 if V(u, σ^{-1}(r_u)) = 0, and 0 otherwise.
  • Extraction: Given r = (r_u : u ∈ Q) ∈ (F_q^ℓ)^Q, the verifier runs a decoding algorithm for the response code R(σ(C)) and outputs the result.


SLIDE 38

Analysis

Given the word r = (r_u : u ∈ Q), one can define:
    V(u, σ^{-1}(r_u)) ≠ 0                       →  an erasure
    V(u, σ^{-1}(r_u)) = 0 but r_u ≠ w|_u        →  an error

If E = |{erasures}| and B = |{errors}|, then extraction succeeds if E + 2B < ∆, where ∆ is a threshold for error-and-erasure decoding on the code R(C).

⇒ We need to estimate

    Pr [ Extract(r, κ) ≠ m and succ(r, κ) ≥ 1 − ε  |  m ←_R M, κ ←_R KeyGen(1^λ), w ← Init(m, κ), r ← Resp(w) ] ,

which, in terms of E and B, becomes

    Pr [ E + 2B ≥ ∆ and E ≤ ε|Q|  |  m ←_R M, κ ←_R KeyGen(1^λ), w ← Init(m, κ), r ← Resp(w) ] .

SLIDE 39

Main theorem

Notation.
◮ N = |Q| the length of R(C),
◮ δ = ∆/N its relative error-and-erasure decoding capability.

Theorem (simplified). Assume (⋆) and define ε_0 = δ (1 − α)/(1 + α). Then, for every ε < ε_0, the PoR scheme associated to C and (Q, V) is (ε, τ)-sound, where

    τ = 4 / ( N (1 + α)^2 (ε_0 − ε)^2 ) ,

where:
  – α ≪ 1 is a bound on the probability that a random answer is accepted
  – (⋆) min{d^⊥(C|_u), u ∈ Q} > max{|u ∩ v|, u ≠ v ∈ Q}.

SLIDE 43

Our parameters

Storage needs:
◮ prover stores (n − k) log q additional bits, where C ⊆ F_q^n has dimension k
◮ verifier stores
    – an n-tuple of permutations σ
    – a key κ for generating an n-tuple of suitable PRPs

Computational needs:
◮ prover only needs to read symbols (no additional computation)
◮ verifier inverts ℓ permutations σ|_u, and computes r_u ↦ V(u, r_u) ∈ F_q^s.

⇒ Our goal: find a code C ⊆ F_q^n and (Q, V) such that
◮ ℓ := |u| ≪ n, for u ∈ Q
◮ max{|v ∩ v′|, v ≠ v′ ∈ Q} < d^⊥(C|_u), for every u ∈ Q
◮ C has large dimension
◮ R(C) has large relative minimum distance δ and large length N


SLIDE 48

Instance 1: tensor product of codes

A ⊆ F_q^ℓ a code of small length. Its s-fold tensor product is:

    A^{⊗s} := ⟨ (a^{(1)}_{i_1} ··· a^{(s)}_{i_s} : i ∈ [1, ℓ]^s)  |  ∀ 1 ≤ j ≤ s, a^{(j)} ∈ A ⟩ ⊆ F_q^{ℓ^s}

Verification structure (Q, V):
◮ Q = {"axis-parallel lines" L ⊂ [1, ℓ]^s},
◮ V(L, b) = Hb, where H is a parity-check matrix for A.

Proposition. If A ⊆ F_q^ℓ is an MDS code of distance d, then

    d_min(R(A^{⊗s})) = s d^{s−1} .

Theorem [γ > 0, d = γℓ, ℓ → ∞]. A PoR based on A^{⊗s} is (ε, τ)-sound for every ε < γ^s, where

    τ = O( 1 / (s (γℓ)^s) ) = O(1/n) .
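
The PoR construction and its erasure/error analysis, run on Instance 1, as an added Python example that is not code from the talk. Assumed parameters: s = 2, q = 11, and A the length-4 parity-check code (so H is the all-ones row); the function names, the seeded permutations standing in for PRPs, and the three sample provers are constructed for illustration.

```python
import random

P = 11          # field size q (a prime, so F_q is the integers mod P); assumed
ELL = 4         # length of A, the [ELL, ELL-1, 2] parity-check code (MDS); assumed
N = ELL * ELL   # n = ELL^s with s = 2

# Query set Q: axis-parallel lines of the ELL x ELL grid (rows, then columns).
QUERIES = ([tuple(i * ELL + j for j in range(ELL)) for i in range(ELL)] +
           [tuple(i * ELL + j for i in range(ELL)) for j in range(ELL)])

def encode(m):
    """(ELL-1)^2 message symbols -> codeword of A (x) A: an ELL x ELL grid
    in which every row and every column sums to 0 mod P."""
    k = ELL - 1
    grid = [list(m[i * k:(i + 1) * k]) for i in range(k)]
    for row in grid:
        row.append(-sum(row) % P)
    grid.append([-sum(row[j] for row in grid) % P for j in range(ELL)])
    return [x for row in grid for x in row]

def keygen(rng):
    """kappa = sigma: one independent permutation of F_q per coordinate."""
    sigma = []
    for _ in range(N):
        perm = list(range(P))
        rng.shuffle(perm)
        sigma.append(perm)
    return sigma

def init(m, sigma):
    """w = sigma(c): each codeword symbol goes through its own permutation."""
    return [sigma[i][c] for i, c in enumerate(encode(m))]

def resp(u, w):
    """Honest prover: read the queried symbols, r_u = w|u."""
    return [w[i] for i in u]

def check(u, r_u, sigma):
    """1 iff V(u, sigma^-1(r_u)) = 0, with V(L, b) = sum of b (H = all-ones)."""
    return int(sum(sigma[i].index(x) for i, x in zip(u, r_u)) % P == 0)

def succ(prover, sigma):
    """succ(r, kappa): fraction of queries u in Q whose response is accepted."""
    return sum(check(u, prover(u), sigma) for u in QUERIES) / len(QUERIES)

def erasures_and_errors(prover, w, sigma):
    """E = rejected responses; B = accepted responses that differ from w|u."""
    rejected = [u for u in QUERIES if not check(u, prover(u), sigma)]
    wrong = [u for u in QUERIES if u not in rejected and prover(u) != resp(u, w)]
    return len(rejected), len(wrong)

def demo(seed=2018):
    rng = random.Random(seed)   # fixed seed: reproducible example, not a real key
    m = [rng.randrange(P) for _ in range((ELL - 1) ** 2)]   # constructed file
    sigma = keygen(rng)
    w = init(m, sigma)
    damaged = list(w)
    damaged[5] = (w[5] + 1) % P     # prover lost symbol 5 and guesses wrongly
    identity = [list(range(P)) for _ in range(N)]   # "no secret permutation"

    def honest(u): return resp(u, w)
    def lossy(u): return resp(u, damaged)
    def empty(u): return [0] * len(u)   # stores nothing, always answers 0

    return {"honest": succ(honest, sigma),
            "lossy": succ(lossy, sigma),
            "lossy_E_B": erasures_and_errors(lossy, w, sigma),
            "empty_no_key": succ(empty, identity),
            "empty_with_key": succ(empty, sigma)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The single lost symbol lies on one row and one column, so exactly 2 of the 8 queries become erasures. Without the secret permutations the all-zero answer is itself a codeword and passes every check, which is why Check inverts σ before applying V.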


SLIDE 53

Instance 2: code based on AG(2, q)

Let A := F_q^2 and Q := { affine lines L ⊂ A }.

    C_q := { c ∈ F_q^A, ∀L ∈ Q, Σ_{x∈L} c_x = 0 } ⊆ F_q^A

Verification structure (Q, V):
◮ query set Q defined above
◮ for b ∈ F_q^q ≃ F_q^L, define V(L, b) = Σ_{i=1}^{q} b_i

Prop. Response code R(C) has relative minimum distance δ ≥ 1 − 2/q.

Theorem [q → ∞]. A PoR based on C_q is (ε, τ)-sound for every ε < 1 − o(1), where

    τ = O( 1 / ((1 − ε) q^2) ) = O(1/n) .

Prop [from Hamada'68]. If q = 2^e, then the code C_q has rate 1 − O( n^(−1 + log3(2)/2) ).

SLIDE 54

Numerical parameters

Using the code C_q with q = 2^13:
◮ initial file of size ≃ 106 MB,
◮ server storage: +2.4% storage overhead,
◮ client storage: a few bits for κ,
◮ communication rate: 1.25 · 10^−4 of the initial file size.

SLIDE 55

Conclusion

We presented:
◮ a generic construction of PoR based on codes with locality
◮ low computation, low storage

Possible further works:
◮ better instances of codes and verification structures
◮ other features (e.g. dynamic PoR)