Outsourced Storage & Proofs of Retrievability Hovav Shacham, UC - - PowerPoint PPT Presentation

SLIDE 1

Outsourced Storage & Proofs of Retrievability

Hovav Shacham, UC San Diego Brent Waters, SRI International

SLIDE 2

The Setting

  • Client stores (long) file with server
  • Wants to be sure it’s actually there
  • Motivation: online backup; SaaS
  • Long-term reliable storage is expensive
SLIDE 3

Example Protocols

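  • V holds (h = h(M)); P holds (M)
  • P → V: M
  • V checks: $h \stackrel{?}{=} h(\cdot)$

Kotla, Alvisi, Dahlin, Usenix 2007:

  • V holds (M); P holds (M)
  • V → P: c
  • P → V: $h(c \| M)$
  • V checks: $h(c \| M) \stackrel{?}{=} \cdot$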

SLIDE 4

How do we evaluate protocols of this sort?

SLIDE 5

Systems Criteria

  • Efficiency:
    • Storage overhead
    • Computation (including # block reads)
    • Communication
  • Unlimited use
  • Stateless verifiers
  • Who can verify? File owner? anyone?
SLIDE 6

Crypto criterion

  • Only an adversary storing the file can pass the verification test
  • Possible to extract M from any prover P' via black-box access
  • (Cf. ZK proof-of-knowledge)
  • Insight due to Naor, Rothblum, FOCS 2005 and Juels, Kaliski, CCS 2007

SLIDE 7

Security Model — I

  • Keygen: output secret key sk
  • Store (sk, file M):
    • output tag t, encoded file M*
  • Proof-of-storage protocol: $\{0,1\} \leftarrow \big(V(sk, t) \rightleftharpoons P(t, M^*)\big)$
  • Public verifiability:
    • Keygen outputs keypair (pk, sk)
    • Verifier algorithm takes only pk
SLIDE 8

Security Model — II

  • Challenger generates sk
  • Adversary makes queries:
    • “store $M_i$” ⇒ get $t_i$, $M_i^*$
    • “protocol on $t_i$” ⇒ interact w/ $V(sk, t_i)$.
  • Finally, adversary outputs:
    • challenge tag t from among $\{t_i\}$
    • description of cheating prover P' for t
SLIDE 9

Security Model — III

  • Security guarantee: ∃ extractor algorithm Extr s.t. when $\big(V(sk, t) \rightleftharpoons P'\big) = 1$ we have $\mathrm{Extr}(sk, t, P') = M$ except with negligible probability

SLIDE 10

Probabilistic Sampling

  • Want to check 80 blocks at random, not entire file
  • Pr[ detect 1-in-$10^6$ erasure ]: < 0.01%
  • Pr[ detect 50% erasure ]: $1 - (1/2)^{80}$
  • So: encode M ⇒ M* s.t. any 1/2 of blocks suffice to recover M: erasure code
  • Due to Naor, Rothblum, FOCS 2005
SLIDE 11

The Simple Solution

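  • Store:
    • erasure encode M ⇒ M*
    • for each block $m_i$ of M*, store authenticator $\sigma_i = \mathrm{MAC}_k(i, m_i)$
  • Proof of storage:
    • V holds (k); P holds $\{(m_i, \sigma_i)\}_{i=1}^{n}$
    • V → P: $I \subseteq [1, n]$ ($|I| = 80$)
    • P → V: $\{(m_i, \sigma_i)\}_{i \in I}$
    • V checks: $\sigma_i \stackrel{?}{=} \mathrm{MAC}_k(i, m_i)$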
SLIDE 12

Lower communication using homomorphic authenticators

SLIDE 13

Improved Solution (Try #1)

  • Downside to simple solution: response is 80 blocks, 80 authenticators
  • Let’s send $\sum m_i$ instead!
  • V holds (k); P holds $\{(m_i, \sigma_i)\}_{i=1}^{n}$
  • V → P: $I \subseteq [1, n]$ ($|I| = 80$)
  • P: $\mu = \sum_{i \in I} m_i$, $\sigma = \sum_{i \in I} \sigma_i$
SLIDE 14

Improved Solution (Try #1)

  • Downside to simple solution: response is 80 blocks, 80 authenticators
  • Let’s send $\sum m_i$ instead!
  • V holds (k); P holds $\{(m_i, \sigma_i)\}_{i=1}^{n}$
  • V → P: $I \subseteq [1, n]$ ($|I| = 80$)
  • P: $\mu = \sum_{i \in I} m_i$, $\sigma = \sum_{i \in I} \sigma_i$

???

SLIDE 15

Homomorphic Authenticators

  • Problem: have linear combination of messages $m_i$
  • Need to authenticate via some function $f(\{\sigma_i\})$
  • Ateniese et al., CCS 2007: RSA-based homomorphic authenticators; $\prod_i \sigma_i^{\nu_i}$ authenticates $\sum_i \nu_i m_i$

SLIDE 16

Our Contributions

  • 1. Efficient homomorphic authenticators based on PRFs and on bilinear groups
  • 2. A full proof for (improved) simple protocol, against arbitrary adversaries

SLIDE 17

PRF Authenticator

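  • PRF $f: \{0,1\}^* \to K$; $m_i \in K$; K: $GF(2^{80})$ or $\mathbb{Z}_p$
  • Keygen: PRF key k; $\alpha \in K$
  • Authenticate: $\sigma_i \leftarrow f_k(i) + \alpha \cdot m_i$
  • Aggregate: $\sigma \leftarrow \sum \nu_i \sigma_i$; $\mu \leftarrow \sum \nu_i m_i$
  • Verify: $\sigma \stackrel{?}{=} \sum \nu_i f_k(i) + \alpha\mu$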
SLIDE 18

BLS Authenticator

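  • Bilinear map $e: G_1 \times G_2 \to G_T$, $\langle u \rangle = G_1$.
  • Keygen: sk: $x \in \mathbb{Z}_p$; pk: $v = g_2^{x} \in G_2$.
  • Authenticate: $\sigma_i \leftarrow \left[ H(i)\, u^{m_i} \right]^{x}$
  • Aggregate: $\sigma \leftarrow \prod \sigma_i^{\nu_i}$; $\mu \leftarrow \sum \nu_i m_i$
  • Verify: $e(\sigma, g) \stackrel{?}{=} e\left( u^{\mu} \cdot \prod H(i)^{\nu_i},\ v \right)$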
SLIDE 19

Improved Solution (Try #2)

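  • V holds (k, α); P holds $\{(m_i, \sigma_i)\}_{i=1}^{n}$
  • V: $I \subseteq [1, n]$ ($|I| = 80$); $\nu_i \leftarrow K$ for $i \in I$
  • V → P: $Q = \{(i, \nu_i)\}$
  • P: $\mu \leftarrow \sum_{(i,\nu_i) \in Q} \nu_i m_i$; $\sigma \leftarrow \sum_{(i,\nu_i) \in Q} \nu_i \sigma_i$
  • P → V: µ, σ
  • V checks: $\sigma \stackrel{?}{=} \sum_{(i,\nu_i) \in Q} \nu_i f_k(i) + \alpha\mu$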
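
The Try #2 exchange with the PRF authenticator of slide 17, as an added example (not code from the slides or the paper). It assumes K = Z_p with p = 2^127 − 1 and HMAC-SHA256 as the PRF f; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime modulus, K = Z_p (assumed size; the slides use an 80-bit K)

def prf(k: bytes, i: int) -> int:
    """f_k(i): HMAC-SHA256 reduced into Z_p (assumed PRF instantiation)."""
    digest = hmac.new(k, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P

def keygen():
    """Keygen: PRF key k and alpha in K."""
    return secrets.token_bytes(32), secrets.randbelow(P)

def store(k, alpha, blocks):
    """Authenticate: sigma_i = f_k(i) + alpha * m_i for each block (1-indexed)."""
    return [(prf(k, i) + alpha * m) % P for i, m in enumerate(blocks, start=1)]

def challenge(n, size=80):
    """Q = {(i, nu_i)}: random index set I, one random coefficient per index."""
    idx = secrets.SystemRandom().sample(range(1, n + 1), min(size, n))
    return [(i, secrets.randbelow(P)) for i in idx]

def prove(blocks, sigmas, q):
    """Prover: mu = sum nu_i * m_i and sigma = sum nu_i * sigma_i over Q."""
    mu = sum(nu * blocks[i - 1] for i, nu in q) % P
    sigma = sum(nu * sigmas[i - 1] for i, nu in q) % P
    return mu, sigma

def verify(k, alpha, q, mu, sigma):
    """Verifier: sigma ?= sum nu_i * f_k(i) + alpha * mu, using only (k, alpha, Q)."""
    expected = (sum(nu * prf(k, i) for i, nu in q) + alpha * mu) % P
    return hmac.compare_digest(expected.to_bytes(16, "big"),
                               (sigma % P).to_bytes(16, "big"))

def demo():
    """Honest prover passes; a prover holding one altered challenged block fails."""
    k, alpha = keygen()
    blocks = [secrets.randbelow(P) for _ in range(200)]  # constructed sample M*
    sigmas = store(k, alpha, blocks)
    q = challenge(len(blocks))
    honest = verify(k, alpha, q, *prove(blocks, sigmas, q))
    damaged = list(blocks)
    damaged[q[0][0] - 1] = (damaged[q[0][0] - 1] + 1) % P  # one block no longer intact
    cheating = verify(k, alpha, q, *prove(damaged, sigmas, q))
    return honest, cheating
```

The response is two field elements regardless of how many blocks are challenged, and the verifier recomputes the $f_k(i)$ terms itself, so it stores nothing per block.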

SLIDE 20

Communication & storage

  • PRF solution: 80-bit µ, 80-bit σ
  • BLS solution: 160-bit µ, 160-bit σ
  • But: 100% storage overhead
  • Storage/communication tradeoff:
    • split each block into s sectors
    • one authenticator per block:
    • response: (1+s)×80 bits [or ×160 bits]
    • storage overhead: 1/s
SLIDE 21

The proof of security

SLIDE 22

Security Proof Outline

  • 1. “Straitening”: whenever (µ,σ) verify correctly, µ was computed as $\sum \nu_i m_i$
  • 2. “Extraction”: can extract 1/2 of blocks from prover P' that outputs $\mu = \sum \nu_i m_i$ on ε-fraction of queries, ⊥ otherwise
  • 3. “Decoding”: recover M from any 1/2 of M* blocks

SLIDE 23

Attack on Improved Solution Try #1

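  • Attacker picks index $i^*$
  • For $i \neq i^*$, sets $a_i \leftarrow \pm 1$, stores $m'_i \leftarrow m_i + a_i m_{i^*}$
  • for query I s.t. $i^* \notin I$, compute
    $\mu' = \sum_{i \in I} m'_i = \sum_{i \in I} (m_i + a_i m_{i^*}) = \mu + m_{i^*} \sum_{i \in I} a_i$
  • this is correct if #(+1) = #(-1) in $\sum a_i$:
    $\Pr\left[ 0 = \sum_{i \in I} a_i \right] = \binom{80}{40} \cdot \frac{1}{2^{80}} \approx 8.89\%$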

SLIDE 24

Attack (cont.)

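Attacker knows dim (n-1) subspace:

$$\begin{pmatrix} 1 & & & \pm 1 & & & \\ & \ddots & & \vdots & & & \\ & & 1 & \pm 1 & & & \\ & & & \pm 1 & 1 & & \\ & & & \vdots & & \ddots & \\ & & & \pm 1 & & & 1 \end{pmatrix}$$

But he doesn’t know any single block!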

SLIDE 25

Conclusion

  • Homomorphic authenticators from PRFs, BLS
  • “Improved Solution, Try #2”:
    • compact response (& query in r.o. model)
    • secure against arbitrary adversarial behavior
  • Security requires proof — some okay-looking schemes are insecure

http://cs.ucsd.edu/~hovav/papers/sw08.html