Proofs of Retrievability Using Locally Decodable Codes
Julien Lavauzelle, Françoise Levy-dit-Vehel
GRACE team, LIX & INRIA, Palaiseau, France
2016 IEEE International Symposium on Information Theory July 13, 2016
Issue: Client ←→ Server, with a huge file (e.g. 10 GB) to be stored remotely.
1/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
Proof of Retrievability (PoR) = 3 procedures:
◮ Initialization [Client]: $F \mapsto \mathrm{Init}(F) = (\tilde F, \mathrm{data}_F)$. Then, the client uploads $\tilde F$ on the server.
◮ Verification [Client ←→ Server]: the client (holding $\mathrm{data}_F$) picks a challenge $c$ and sends it; the server (holding $\tilde F$) computes an answer $r$ and sends it back; the client outputs $\mathrm{Verif}_{\mathrm{data}_F}(c, r) \in \{\mathrm{true}, \mathrm{false}\}$.
◮ Extraction [Client ←→ Server]: we want that $\mathrm{Extract}(\mathrm{data}_F) = F$ holds w.h.p.
2/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
Definition (τ-faulty server). Let $\tau \in [0, 1]$, $P$ be a PoR and $X$ the distribution of challenges. A τ-faulty server $A$ for $P$ is an algorithm such that, for all encoded files $\tilde F$:
$$\Pr_{x \sim X}\big[\mathrm{Verif}_{\mathrm{data}_F}(x, A(\tilde F, x)) = \mathrm{false}\big] \le \tau .$$
Rem: this also includes malicious servers.
Definition (PoR soundness). Let $\tau, \varepsilon \in [0, 1]$. A PoR is said $(\tau, \varepsilon)$-sound if, for all τ-faulty servers $A$ and all files $F$:
$$\Pr\big[\mathrm{Extract}(\mathrm{data}_F) = F\big] \ge \varepsilon ,$$
where the probability is taken over extraction procedure randomness.
3/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
Proceedings of the 2007 ACM Conference on Computer and Communications Security, Alexandria, USA, 2007.
[Figure: the file is stored at the server as symbols $x_0, \dots, x_9$; the client queries the server for $x_4, x_7$ and checks the returned values.]
4/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
◮ Low communication;
◮ low server overhead and low client storage;
◮ low algorithmic complexity;
◮ unbounded use.
5/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
◮ bounded use;
◮ quite big client storage.

◮ check the structure of the file instead of file values;
◮ use locally decodable codes which provide a local
6/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
$\mathbb{F}_q = \{t_1, \dots, t_q\}$ a finite field.
$$\mathrm{ev}_1 : \mathbb{F}_q[T] \to \mathbb{F}_q^{q}, \quad f \mapsto (f(t_1), \dots, f(t_q))$$
$$\mathrm{ev}_m : \mathbb{F}_q[X_1, \dots, X_m] \to \mathbb{F}_q^{q^m}, \quad f \mapsto (f(x))_{x \in \mathbb{F}_q^m}$$
Example: full length Reed–Solomon code ($n = q$). $C = \mathrm{RS}_q(k) = \{\mathrm{ev}_1(f),\ f \in \mathbb{F}_q[X],\ \deg f < k\}$; a codeword is $c = (f(x_i))_{x_i \in \mathbb{F}_q} \in C$.
7/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
Let $C \subseteq \{\mathrm{ev}_1(f),\ f \in \mathbb{F}_q[T]\}$ be a (univariate) base code. The (multivariate) lifted code $\mathrm{Lift}_m(C)$ is the code
$$L = \mathrm{Lift}_m(C) = \{\mathrm{ev}_m(g),\ g \in \mathbb{F}_q[X_1, \dots, X_m],\ \forall \text{ affine line } \ell,\ \mathrm{ev}_1(g_{|\ell}) \in C\}.$$
Alan Guo, Swastik Kopparty, Madhu Sudan, New Affine-Invariant Codes from Lifting, in Proceedings of ITCS’13, Berkeley, USA, 2013.
8/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
Consider $L = \mathrm{Lift}_m(C)$.
◮ Initialization: $\mathrm{Init}(F) = (\tilde F, \mathrm{data}_F)$ with $\mathrm{data}_F = \emptyset$ and $\tilde F = \mathrm{Enc}_L(F)$.
◮ Verification: the client (holding $\emptyset$) randomly picks a line $\ell \subset \mathbb{F}_q^m$ and sends it; the server (holding $\tilde F$) reads the values $\tilde c = \{\tilde F[x]\}_{x \in \ell}$ and sends them back; if $\tilde c \in C$, then the client returns true, else false.
9/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
Extraction ($\mathrm{Tab} : \mathbb{F}_q^m \to \mathbb{F}_q$):
◮ Initialize file Tab with $q^m$ erasures.
◮ While there remain $\ge q^{m-1}$ erasures:
  – run a verification test;
  – if success: update the file (write the $q$ received symbols of the line $\ell$ into Tab);
  – otherwise, do nothing.
◮ Decode the remaining erasures with the decoding algorithm of $C$ (the restriction of Tab to every line is a word of $C$).
10/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
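The verification and extraction procedures above, as an added example in Python (not the authors' SageMath implementation), for $m = 2$ and $C = \mathrm{RS}_q(q-1)$ over a prime field, the smallest base code with $d_{\min}(C) = 2$: a line passes the check iff its $q$ symbols sum to 0, and the erasure decoder of $C$ fills a line's single missing symbol. The field size $q = 11$, the file and the erasing server model are constructed assumptions.

```python
# Added example (not the authors' SageMath code): a toy LiftPoR over F_q^2 with
# C = RS_q(q-1), the full-length RS code with dmin = 2, whose codewords are the
# vectors summing to 0 in F_q.  Assumptions: q prime, m = 2, erasing server.
import random

q = 11                      # constructed toy parameter: F_11, plane F_11^2
def line(p, d):
    """Points of the affine line {p + t*d : t in F_q}, d != (0, 0)."""
    return [((p[0] + t*d[0]) % q, (p[1] + t*d[1]) % q) for t in range(q)]

def all_lines():
    """One parametrisation per affine line of F_q^2: q(q+1) lines in total."""
    return ([line((0, b), (1, s)) for s in range(q) for b in range(q)]
            + [line((a, 0), (0, 1)) for a in range(q)])

def encode(coeffs):
    """Enc_L restricted to the Reed-Muller subcode {deg g <= q-2} of Lift_2(C):
    each line restriction has degree < q-1, hence lies in C = RS_q(q-1)."""
    return {(x, y): sum(c * pow(x, a, q) * pow(y, b, q) for (a, b), c in coeffs.items()) % q
            for x in range(q) for y in range(q)}

def in_C(vals):
    """Verification test: q field symbols (no erasure) summing to 0 mod q."""
    return None not in vals and sum(vals) % q == 0

def extract(server, max_rounds=5000):
    """Slide-10 extraction: start from q^2 erasures, fill Tab from accepted
    lines while >= q erasures remain, then decode the rest with C's erasure
    decoder (dmin = 2: a line with a single missing symbol is recoverable)."""
    Tab, lines = {}, all_lines()
    for _ in range(max_rounds):
        if q*q - len(Tab) < q:              # fewer than q^(m-1) erasures left
            break
        ell = random.choice(lines)          # challenge
        ans = server(ell)                   # answer
        if in_C(ans):                       # success: update the file
            Tab.update(zip(ell, ans))
    for ell in lines:                       # one pass suffices for <= q erasures
        missing = [x for x in ell if x not in Tab]
        if len(missing) == 1:
            Tab[missing[0]] = -sum(Tab[x] for x in ell if x in Tab) % q
    return Tab

def demo(lost=((0, 0), (3, 7), (5, 5), (10, 2)), seed=7):
    """Encode a constructed file, lose 4 symbols at the server, extract."""
    tab = encode({(a, b): (3*a + 5*b + 1) % q for a in range(q - 1) for b in range(q - 1 - a)})
    random.seed(seed)
    server = lambda ell: [None if x in lost else tab[x] for x in ell]  # tau-faulty
    return extract(server) == tab
```

With 4 lost symbols out of 121, fewer than half of the 132 lines fail the check, so the lemma of the next slide applies and `demo()` returns True; losing $q$ or more symbols on one line leaves erasures the loop can never cover.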
Proposition. If the distance $d_{\min}(C) \ge 2$, we can efficiently decode up to $q^{m-1}$ erasures in $\mathrm{Lift}_m(C)$.
Let $\mathcal{A} = \{\text{lines } \ell \subset \mathbb{F}_q^m\}$.
Lemma. Let $U \subset \mathcal{A}$ such that $|U| \ge \frac{1}{2}|\mathcal{A}|$. Then, the union of lines in $U$ covers all but $q^{m-1}$ points of $\mathbb{F}_q^m$.
Theorem. Let $P$ be a LiftPoR, with $m \ge 2$ and $d_{\min}(C) \ge 2$. Then, for all $\tau < 1/2$, $P$ is $(\tau, 1)$-sound.
11/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
Verification (against a server that stores nothing)
Client ($\emptyset$) ←→ Server ($\emptyset$): the client randomly picks a line $\ell$ and sends it; the server builds a (random) word $c \in C$ and sends it back; if $c \in C$, then accept, else reject. The check accepts every time, although the server holds no symbol of $\tilde F$.
12/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
How to prevent these spurious codewords with high probability?
Idea: link each symbol to its location in $\mathbb{F}_q^m$.
For any $x \in \mathbb{F}_q^m$, let $\varphi_x : \mathbb{F}_q \to \mathbb{F}_q$ be a secret and invertible function. The new $\tilde F$ is now defined by:
$$\tilde F_x = \varphi_x\big(\mathrm{Enc}_L(F)_x\big).$$
In practice: a block cipher $E_\kappa$ in counter mode (CTR) gives an appropriate keystream, i.e. $\varphi_x(\alpha) = \alpha \oplus E_\kappa(x)$.
13/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
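The spurious-codeword problem of the previous slide and the keyed fix of this one, as an added example in Python (not the paper's code) for $m = 2$, $q = 11$ and $C = \mathrm{RS}_q(q-1)$: a server that stores nothing passes the unkeyed check with every random sum-zero answer, but passes the keyed check only on lines where the keystream happens to sum to 0 (probability about $1/q$). HMAC-SHA256 reduced mod $q$ stands in for the block cipher in CTR mode, XOR is replaced by addition in $\mathbb{F}_q$, and the file and demo key are constructed; all of these are assumptions.

```python
# Added example (not the authors' code).  Assumptions: q prime, m = 2,
# C = RS_q(q-1) (codewords = vectors summing to 0 in F_q); the slide's
# phi_x(alpha) = alpha XOR E_kappa(x) becomes alpha + E_kappa(x) mod q, with
# HMAC-SHA256 standing in for a block cipher in counter mode (no AES in stdlib).
import hashlib, hmac, random

q = 11                                  # constructed toy field F_11, plane F_11^2
def random_line(rng):
    """A random affine line of F_q^2, given by its q points."""
    p = (rng.randrange(q), rng.randrange(q))
    d = rng.choice([(1, s) for s in range(q)] + [(0, 1)])   # nonzero direction
    return [((p[0] + t*d[0]) % q, (p[1] + t*d[1]) % q) for t in range(q)]

def E(key, x):
    """Keystream symbol E_kappa(x) in F_q for the position x = (x1, x2)."""
    return int.from_bytes(hmac.new(key, bytes(x), hashlib.sha256).digest(), "big") % q

def mask(tab, key):
    """Keyed initialization step: tilde F_x = phi_x(Enc_L(F)_x)."""
    return {x: (v + E(key, x)) % q for x, v in tab.items()}

def verify(answer, ell, key=None):
    """Client check of the answer to challenge ell: undo phi_x, then test 'in C'."""
    vals = [(a - E(key, x)) % q if key else a for a, x in zip(answer, ell)]
    return sum(vals) % q == 0

def honest_server(ftilde):
    return lambda ell: [ftilde[x] for x in ell]

def forging_server(rng):
    """Slide-12 server: stores nothing, answers with a fresh random word of C."""
    def answer(ell):
        c = [rng.randrange(q) for _ in range(q - 1)]
        return c + [-sum(c) % q]                        # pad to a sum-zero vector
    return answer

def acceptance_rate(server, trials, key=None, seed=0):
    rng = random.Random(seed)                           # challenge randomness
    return sum(verify(server(ell), ell, key)
               for ell in (random_line(rng) for _ in range(trials))) / trials

# Constructed codeword of Lift_2(C): g(X,Y) = XY + 3X + 2 has degree <= q-2, so
# every line restriction has degree < q-1 and sums to 0.
honest_tab = {(x, y): (x*y + 3*x + 2) % q for x in range(q) for y in range(q)}

def demo(key=b"constructed-demo-key"):
    """Acceptance rates: (honest keyed, forger unkeyed, forger keyed)."""
    ft = mask(honest_tab, key)
    return (acceptance_rate(honest_server(ft), 100, key),
            acceptance_rate(forging_server(random.Random(1)), 300),
            acceptance_rate(forging_server(random.Random(1)), 300, key))
```

After unmasking, a forged answer on $\ell$ sums to $-\sum_{x \in \ell} E_\kappa(x)$ whatever the random word was, which is why the residual acceptance rate depends only on the line and is about $1/q$.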
◮ Initialization, verification: just need to add the en(de)cryption step.
◮ Extraction:
  – add a majority voting phase (with threshold $\gamma$) in order to increase the soundness;
  – consequences: need more memory and time.
Theorem. Let $P$ be the LiftPoR with parameters $q$, $m$, $d = d_{\min}(C) \ge 2$ and $\gamma \in [0, 1]$. Then, for all $\tau < (1 - \gamma)/2$, $P$ is $(\tau, 1 - 2^{-\lambda})$-sound, where $\lambda = \tilde O(\gamma q^{m-1} d)$.
14/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
Numerical values:

Instance                                       Results
m   q       |F|           1/R − 1              comm. (bits)            comm./|F|
                          (redundancy)         challenge ℓ  answer c̃
2   64      3,367         0.217                24           384         0.121
2   4,096   16,245,775    0.033                48           49,152      0.0030
3   512     79,837,411    0.681                54           4,608       5.84 × 10^−5
4   128     49,578,831    4.414                56           896         1.92 × 10^−5

Implementation (m = 2, dmin(C) = 2) with SageMath (Python).
◮ Subquadratic time complexity for every phase, but ...
◮ ... high constants, e.g. extraction < 10 kbits/s, even without decryption.
15/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
$|F|$: file size; $|\kappa|$: key size; $R = \frac{|F|}{q^m \log q}$: code rate; $R^* = \frac{1}{R} - 1$: code redundancy.

Work                 Bowers–Juels–Oprea         Shacham–Waters              Ours
                     (2010, JK’07 improved)     (2008–13)
Unbounded use?       No (N uses)                Yes                         Yes
Client storage       |κ|                        |F|^β + |κ|                 |κ|
Server storage       αN + R*|F|                 |F|^{1−β}/R + R*|F|         R*|F|
Communication cost   |κ| + α                    |F|^β + |κ|                 R* (|F|/R)^{1/m}
Notes                α ≃ 28                     β ∈ ]0, 1[                  m ∈ {2, 3}
16/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16
◮ We build (theoretically) efficient proofs of retrievability:
  ◮ low storage (especially for the client);
  ◮ quite low communication;
  ◮ is implementable...
◮ Open questions/future works:
  ◮ other locally decodable/testable codes;
  ◮ link with Private Information Retrieval schemes...
17/17 Julien Lavauzelle, Françoise Levy-dit-Vehel ISIT’16