SLIDE 1

Melek Ӧnen July 5th, 2016 – Lorient

Joint work with Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva

Verifiability for Cloud Storage and Computation

SLIDE 2

Cloud – Outsourcing Storage and Computation

[Figure: Company A, Company B and User outsource data storage and data processing to the cloud]

Benefits: Reduced IT costs, Flexibility, Availability

[Cloud Security Spotlight 2015]

Multi-tenancy

Melek Önen SEC2, July 5th 2016

SLIDE 3

Cloud Security: Barrier to Cloud Adoption

  • Loss of Control: no possession of resources
  • Lack of Trust: malicious cloud
  • Lack of Transparency: cloud as a black box

Cloud Security Requirements

Privacy for cloud storage and computation

  • Data privacy with storage efficiency
  • Privacy preserving data processing

Integrity for cloud storage and computation

  • Verifiable storage → Data retrievability
  • Verifiable computation → Verifiable polynomial evaluation, matrix multiplication, word search

SLIDE 4

Data Retrievability in the Cloud

  • R1: Verifiable without downloading file
  • R2: Verifiable with small costs
  • R3: Verifiable at any time

[Figure: Upload, POR Query, POR Generation (Compute Proof), Verification (Verify)]

SLIDE 5

Proofs of Retrievability: Related Work

Tag-based [Ateniese et al. 2007, Shacham et al. 2008]
  • Combination of blocks, tag aggregation
  • Efficient communication
  • Costly tag generation

Sentinel-based [Juels et al. 2007]
  • Efficient setup & verification
  • Limited number of verifications

[Figure: Upload and Verification flows for each approach; Tags]

SLIDE 6

Proofs of Retrievability: StealthGuard

Pseudorandom Watchdogs
  • Conceal watchdogs → Encryption

Privacy-Preserving Watchdog Search
  • PIR-based privacy-preserving search for watchdogs → Unbounded number of verifications

[Figure: Search, Verify]

[ESORICS 2014]

SLIDE 7

StealthGuard: Watchdog Search

[Figure: POR Query, POR Generation (PIR) and Verification. Query: nonce, PIR query for a watchdog. Verification: 𝑰( , ) = (bit string) ≟ 𝑰( , ), giving True / False.]

SLIDE 8

Verifiable Computation

  • Setup: $g$
  • Problem Generation: $y$, $g(y) = ?$
  • Computation: compute $g(y)$, compute proof $\Pi$; return $z = g(y)$, $\Pi$
  • Verification: Verify$(y, z, \Pi)$

R1: Cost(Verify) ≪ Cost(Compute)
R2: Public delegatability: anyone can submit a computation request [Parno et al. 2012]
R3: Public verifiability: anyone can verify a computation result [Parno et al. 2012]

SLIDE 9

Verifiability for 3 Operations

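High-Degree Polynomial Evaluation
  • $g$: $B(Y) = \sum_{j=1}^{e} b_j Y^j \in \mathbb{G}_q[Y]$
  • $y \in \mathbb{G}_q$
  • $z = B(y) \in \mathbb{G}_q$

Large Matrix Multiplication
  • $g$: $N \cdot y$ with $N = [N_{jk}] \in \mathbb{G}_q^{o \times n}$
  • $y = (y_2, y_3, \ldots, y_n)^\top \in \mathbb{G}_q^{n}$
  • $z = (z_2, z_3, \ldots, z_o)^\top = Ny \in \mathbb{G}_q^{o}$

Conjunctive Keyword Search
  • $g$: Search(.)
  • $y$: keywords $\mathbb{X} = \{\partial_2, \partial_3, \ldots, \partial_o\}$
  • $z$: ID of files $G_j$ such that $\mathbb{X} \subset G_j$

Protocol: $y$, $g(y) = ?$; compute $g(y)$ and $\Pi$; return $z = g(y)$, $\Pi$; Verify$(y, z, \Pi)$

[ASIACCS 2016] [SPC 2015]
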
SLIDE 10

Verifiable Polynomial Evaluation – Idea

Euclidean Division of Polynomials

$B = RC + S$

  • Keys: $(C, S)$ and $(B, R)$
  • Problem generation: $y$, $B(y) = ?$
  • Compute: $z = B(y)$, $\Pi = R(y)$; return $z$, $\Pi$
  • Verify: $z \stackrel{?}{=} \Pi \, C(y) + S(y)$
  • Req 1: $C$, $S$ small degree

SLIDE 11

Verifiable Polynomial Evaluation – Details

Polynomial: $B(Y) = \sum_{j=1}^{e} b_j Y^j$

Setup
  • Euclidean division: $B = RC + S$, with
      $C(Y) = Y^3 + c_1$
      $S = s_2 Y + s_1$
      $R(Y) = \sum_{j=1}^{e-3} r_j Y^j$
  • $\mathit{QL}_B = (h^{c_1}, i^{s_2}, i^{s_1})$
  • $\mathit{FL}_B = (B, i^{r_1}, i^{r_2}, \ldots, i^{r_{e-3}})$

SLIDE 12

Verifiable Polynomial Evaluation – Details

  • Keys: $\mathit{QL}_B = (h^{c_1}, i^{s_2}, i^{s_1})$, $\mathit{FL}_B = (B, i^{r_1}, i^{r_2}, \ldots, i^{r_{e-3}})$
  • Problem Generation: $y$, $B(y) = ?$
  • Compute: result $z = B(y)$, proof $\Pi = i^{R(y)}$; return $z$, $\Pi$

SLIDE 13

Verifiable Polynomial Evaluation – Details

  • $\mathit{WL}_y$: $\mathit{WL}_{y,C} = h^{C(y)}$, $\mathit{WL}_{y,S} = i^{S(y)}$
  • Result $z = B(y)$, proof $\Pi = i^{R(y)}$
  • Verify: $f(h, i^{z}) \stackrel{?}{=} f(\mathit{WL}_{y,C}, \Pi) \, f(h, \mathit{WL}_{y,S})$

SLIDE 14

Verifiable Matrix Multiplication – Idea

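Auxiliary Matrices

$O = \varepsilon N + S$, with $S$ pseudo-random

  • Keys: $S$ and $(N, O)$
  • Problem generation: $y$, $Ny = ?$
  • Compute: $z = Ny$, $\Pi = Oy$; return $z$, $\Pi$
  • Verify: $\Pi \stackrel{?}{=} \varepsilon z + Sy$
  • Req 1: Projection: $\mu \Pi = \varepsilon \mu z + \mu S y$
  • Req 2: Compute $\mu S$ beforehand; keys become $(\mathit{QL}_N)$ and $(N, O)$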

SLIDE 15
Conclusion

  • Verifiable data storage [ESORICS’14]
      • Based on privacy preserving watchdog lookup
      • Comparison with prior work: unlimited number of verifications
  • Verifiable computation [ASIACCS’16]
      • Based on simple maths: Euclidean division for polynomials, scalar product for matrices
      • Comparison with prior work: efficient, publicly delegatable and verifiable
  • Future work
      • Verifiability with privacy

SLIDE 16

melek.onen@eurecom.fr

THANK YOU

SLIDE 17

Verifiable Matrix Multiplication – Details

Matrix: $N$

Setup
  • Auxiliary matrices $S$ and $O$ with $O_{jk} = h^{\mu_j(\varepsilon N_{jk} + S_{jk})}$
  • $\mathit{QL}_N$: $\mathit{QL}_k = f\left(\prod_{j=2}^{o} h^{\mu_j S_{jk}},\, i\right)$ for $2 \le k \le n$
  • $\mathit{FL}_N = (N, O)$

Kaoutar Elkhiyaoui, Melek Önen, Monir Azraoui, Refik Molva, "Efficient Techniques for Publicly Verifiable Delegation of Computation", ASIACCS’16, Xi’an, China, May 31, 2016

SLIDE 18

Verifiable Matrix Multiplication – Details

  • Keys: $\mathit{FL}_N = (N, O)$; $\mathit{QL}_N$: $\mathit{QL}_k = f\left(\prod_{j=2}^{o} h^{\mu_j S_{jk}},\, i\right)$ for $2 \le k \le n$
  • Problem Generation: $y$, $Ny = ?$; $\mathit{WL}_y = \prod_{k=2}^{n} \mathit{QL}_k^{\,y_k}$
  • Compute: result $z = Ny$, proof $\Pi = \prod_{j=2}^{o} \prod_{k=2}^{n} O_{jk}^{\,y_k}$; return $z$, $\Pi$

SLIDE 19

Verifiable Matrix Multiplication – Details

  • $\mathit{WL}_y = \prod_{k=2}^{n} \mathit{QL}_k^{\,y_k}$
  • Verify, given $z$, $\Pi$: $f(\Pi, i) \stackrel{?}{=} f\left(\prod_{j=2}^{o} h^{\mu_j z_j},\, i^{\varepsilon}\right) \mathit{WL}_y$

SLIDE 20

Verifiable Computation: Related Work

Algebraic PRFs [Benabbas et al. 2011, Fiore & Gennaro 2012]
  • Setup: $g$, $\mathit{bQSG}$
  • Problem generation: $y$, $g(y) = ?$
  • Compute $z = g(y)$; compute $\Pi = \mathit{bQSG}(g(y))$; return $z$, $\Pi$
  • Verification: $\mathit{bQSG}(z) = \Pi$
  • Efficient verification
  • Construction of efficient aPRFs

Pinocchio [Parno et al. 2013]
  • Setup: arithmetic circuit, QAP polynomials
  • Problem generation: $y$, $g(y) = ?$
  • Evaluate circuit on $y$ → $z$; proof with QAP polynomials → $\Pi$; return $z$, $\Pi$
  • Verification: QAP verification based on $z$ and $\Pi$
  • General functions
  • Key size and proof generation linear with circuit size

SLIDE 21

Performance Evaluation of StealthGuard

Columns: Scheme; Upload; Storage overhead; Proof Generation; Verification; Communication

  • Ateniese et al. 2008: 10^6 exp 10^6 mul 267 MB 10^3 PRP, 10^3 PRF 10^3 exp, 10^4 mul 10^4 exp 10^4 PRP 316 B
  • Shacham and Waters 2008: 10^6 PRF 10^9 mul 51 MB 10^4 mul 10^2 mul 3 KB
  • Xu et al. 2012: 10^8 mul 10^6 PRF 26 MB 10^2 exp 10^5 mul 10^4 mul 10^4 PRF 36 KB
  • Juels and Kaliski 2007: 10^6 PRF 30 MB N/A 10^4 PRP 33 MB
  • StealthGuard 2014: 10^5 PRF 10^5 PRP 8 MB 10^5 mul 10^6 mul 50 MB

StealthGuard compared with prior work, per column: Upload: lighter; Storage overhead: smaller; Proof Generation: comparable; Verification: comparable; Communication: more expensive but unbounded number of verifications

[Row group labels: Sentinels, Tags]

SLIDE 22
Verifiable Polynomial Evaluation – Analysis

  • Security
      • Soundness under 𝒆 𝟑 - Strong Bilinear Diffie-Hellman assumption
        𝑕, 𝑕^𝛽, ℎ, ℎ^𝛽, …, ℎ^(𝛽^(𝑒/2)) → compute 𝛾, ℎ^(1/(𝛽+𝛾))
      • Proof by reduction
  • Performance (amortized model)
      • Client: Setup 𝒫(𝑒), Problem Generation 𝒫(1), Verify 𝒫(1)
      • Cloud: Compute 𝒫(𝑒)

SLIDE 23
Verifiable Matrix Multiplication – Analysis

  • Security
      • Soundness under the co-CDH assumption
        𝑕, 𝑕^𝛽, ℎ, ℎ^𝛾 → compute 𝑕^(𝛽𝛾)
      • Proof by reduction
  • Performance (amortized model)
      • Client: Setup 𝒫(𝑜𝑛), Problem Generation 𝒫(𝑛), Verify 𝒫(𝑜)
      • Cloud: Compute 𝒫(𝑜𝑛)