Verifiability for Cloud Storage and Computation Melek nen July 5th, - PowerPoint PPT Presentation

Verifiability for Cloud Storage and Computation Melek Ӧ nen July 5th, 2016 – Lorient Joint work with Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva

Cloud – Outsourcing Storage and Computation Data storage Data processing [Cloud Security Spotlight 2015] Benefits Reduced IT costs Availability Company A Company B User Flexibility Multi-tenancy Melek Önen SEC2, July 5 th 2016 2

Cloud Security: Barrier to Cloud Adoption Loss of Control Lack of Trust Lack of Transparency No possession of resources Malicious cloud Cloud as a black box Cloud Security Requirements Privacy for cloud storage and computation • Data privacy with storage efficiency • Privacy preserving data processing Integrity for cloud storage and computation Verifiable storage  Data retrievability • Verifiable computation  Verifiable polynomial eval, matrix multi, word search • Melek Önen SEC2, July 5 th 2016 3

Data Retrievability in the Cloud Upload POR Generation POR Query Verification Compute Proof Verify R1: Verifiable without downloading file R2: Verifiable with small costs R3: Verifiable at any time Melek Önen SEC2, July 5 th 2016 4

Proofs of Retrievability: Related Work Tag-based [Ateniese et al. 2007, Shacham et al. 2008] Upload Tags Combination of blocks Verification Tag aggregation Efficient communication Costly tag generation Sentinel-based [Juels et al. 2007] Upload Verification Efficient setup & verification Limited number of verifications Melek Önen 5 SEC2, July 5 th 2016

[ESORICS 2014] Proofs of Retrievability: StealthGuard Pseudorandom Watchdogs Conceal watchdogs  Encryption Privacy-Preserving PIR-based privacy-preserving search for watchdogs Watchdog Search  Unbounded number of verifications Verify Search Melek Önen 6 SEC2, July 5 th 2016

StealthGuard: Watchdog Search POR Query POR Generation PIR query for a watchdog Nonce Verification … 𝟐 𝟐 𝟐 𝟐 𝟐 𝟏 𝟐 𝟏 𝟏 𝟏 𝟐 𝟏 𝟐 𝟐 𝟐 𝟏 𝑰( , ) = ≟ 𝑰( , ) 𝟐 𝟐 𝟏 𝟐 𝟏 𝟐 𝟏 𝟐 𝟐 𝟏 𝟏 𝟐 𝟐 𝟏 𝟏 𝟏 True False PIR Melek Önen 7 SEC2, July 5 th 2016

Verifiable Computation Setup Problem Generation Computation Verification 𝒈 𝒚, 𝒈 𝒚 = ? 𝒈 Compute 𝒈 𝒚 𝒛 = 𝒈 𝒚 , 𝚸 Compute Proof Verify 𝒚, 𝒛, 𝚸 𝚸 R1: Cost(Verify) ≪ Cost(Compute) R2: Public delegatability [Parno et al. 2012] Anyone can submit a computation request R3: Public verifiability [Parno et al. 2012] Anyone can verify a computation result Melek Önen SEC2, July 5 th 2016 8

Verifiability for 3 Operations 𝒈 𝒚, 𝒈 𝒚 = ? 𝒈 , Compute 𝒈 𝒚 and 𝒛 = 𝒈 𝒚 , 𝚸 𝚸 Verify 𝒚, 𝒛, 𝚸 High-Degree Large Matrix Conjunctive Polynomial Evaluation Multiplication Keyword Search 𝒆 𝑩 𝒀 = 𝒃 𝒋 𝒀 𝒋 ∈ 𝔾 𝒒 [𝒀] 𝒐×𝒏 𝒈 𝑵. 𝒚 with 𝐍 = 𝑵 𝒋𝒌 ∈ 𝔾 𝒒 Search(.) 𝒋=𝟏 𝒚 = 𝒚 𝟐 , 𝒚 𝟑 , … , 𝒚 𝒏 ⟙ ∈ 𝔾 𝒒 𝒏 𝒚 ∈ 𝔾 𝒒 𝒚 Keywords 𝕏 = {𝝏 𝟐 , 𝝏 𝟑 , … , 𝝏 𝒐 } 𝒛 = 𝒛 𝟐 , 𝒛 𝟑 , … , 𝒛 𝒐 ⟙ = 𝑵𝒚 ∈ 𝔾 𝒒 𝒐 𝒛 𝒛 = 𝑩 𝒚 ∈ 𝔾 𝒒 ID of files 𝑮 𝒋 such that 𝕏 ⊂ 𝑮 𝒋 [ASIACCS 2016] [SPC 2015] Melek Önen 9 SEC2, July 5 th 2016

Verifiable Polynomial Evaluation – Idea Euclidean Division of Polynomials 𝑩 = 𝑹𝑪 + 𝑺 (𝑩, 𝑹) (𝑪, 𝑺) 𝒚, 𝑩 𝒚 = ? (𝑩, 𝑹) Compute 𝒛 = 𝑩 𝒚 𝚸 = 𝑹(𝒚) 𝒛, 𝚸 Verify 𝒛 = 𝚸 𝑪 𝒚 + 𝑺(𝒚) ? Req 1: 𝑪, 𝑺 small degree Melek Önen SEC2, July 5 th 2016 10

Verifiable Polynomial Evaluation – Details 𝒆 𝑩(𝒀) = 𝒃 𝒋 𝒀 𝒋 Setup Polynomial 𝒋=𝟏 Euclidean 𝑩 = 𝑹𝑪 + 𝑺 Division 𝒆−𝟑 𝑪 𝒀 = 𝒀 𝟑 + 𝒄 𝟏 𝑹 𝒀 = 𝒓 𝒋 𝒀 𝒋 𝒋=𝟏 𝑺 = 𝒔 𝟐 𝒀 + 𝒔 𝟏 (𝑩, 𝒊 𝒓 𝟏 , 𝒊 𝒓 𝟐 , … , 𝒊 𝒓 𝒆−𝟑 ) (𝒉 𝒄 𝟏 , 𝒊 𝒔 𝟐 , 𝒊 𝒔 𝟏 ) 𝑭𝑳 𝑩 𝑸𝑳 𝑩 Melek Önen SEC2, July 5 th 2016 11

Verifiable Polynomial Evaluation – Details Problem Compute Generation 𝒚, 𝑩 𝒚 = ? 𝒛, 𝚸 (𝑩, 𝒊 𝒓 𝟏 , 𝒊 𝒓 𝟐 , … , 𝒊 𝒓 𝒆−𝟑 ) (𝒉 𝒄 𝟏 , 𝒊 𝒔 𝟐 , 𝒊 𝒔 𝟏 ) 𝑭𝑳 𝑩 𝑸𝑳 𝑩 𝒛 = 𝑩 𝒚 Result 𝚸 = 𝒊 𝑹 𝒚 Proof Melek Önen SEC2, July 5 th 2016 12

Verifiable Polynomial Evaluation – Details Verify 𝒛, 𝚸 𝒛 = 𝑩 𝒚 Result 𝚸 = 𝒊 𝑹 𝒚 Proof 𝑾𝑳 𝒚,𝑪 = 𝒉 𝑪 𝒚 𝒇 𝒉, 𝒊 𝒛 ≟ 𝒇 𝑾𝑳 𝒚,𝑪 , 𝚸 𝒇 𝒉, 𝑾𝑳 𝒚,𝑺 𝑾𝑳 𝒚 𝑾𝑳 𝒚,𝑺 = 𝒊 𝑺(𝒚) Melek Önen SEC2, July 5 th 2016 13

Verifiable Matrix Multiplication – Idea Auxiliary Matrices 𝑶 = 𝜺𝑵 + 𝑺 𝑺 pseudo-random (𝑵, 𝑶) (𝑵, 𝑶) 𝑺 𝒚, 𝑵𝒚 = ? Compute 𝒛 = 𝑵𝒚 𝚸 = 𝑶𝒚 𝒛, 𝚸 Req 1: Projection 𝝁𝚸 = 𝜺𝝁 𝒛 + 𝝁 𝑺𝒚 Verify 𝚸 = 𝜺𝒛 + 𝑺𝒚 ? Req 2: Compute 𝝁𝑺 beforehand ( 𝑸𝑳 𝑵 ) Melek Önen 14 SEC2, July 5 th 2016

Conclusion  Verifiable data storage [ESORICS’14]  Based on privacy preserving watchdog lookup  Comparison with prior work  Unlimited number of verifications  Verifiable computation [ASIACCS’16]  Based on simple maths  Euclidean division for polynomials  Scalar product for matrices  Comparison with prior work  Efficient  Publicly delegatable and verifiable  Future work  Verifiability with privacy Melek Önen 15 SEC2, July 5 th 2016

THANK YOU melek.onen@eurecom.fr

Verifiable Matrix Multiplication – Details 𝑵 Matrix Setup 𝑺 and 𝑶 with 𝑶 𝒋𝒌 = 𝒉 𝝁 𝒋 (𝜺𝑵 𝒋𝒌 +𝑺 𝒋𝒌 ) Auxiliary matrices 𝒐 𝑭𝑳 𝑵 (𝑵, 𝑶) 𝑸𝑳 𝒌 = 𝒇 𝒉 𝝁 𝒋 𝑺 𝒋𝒌 , 𝒊 𝑸𝑳 𝑵 𝒋=𝟐 𝟐≤𝒌≤𝒏 Kaoutar Elkhiyaoui, Melek Önen, Monir Azraoui, Refik Molva 17 Efficient Techniques for Publicly Verifiable Delegation of Computation ASIACCS’16, Xi’an, China, May 31, 2016

Verifiable Matrix Multiplication – Details Problem Compute Generation 𝒚, 𝑵𝒚 = ? 𝒛, 𝚸 𝑭𝑳 𝑵 (𝑵, 𝑶) 𝒐 𝑸𝑳 𝒌 = 𝒇 𝒉 𝝁 𝒋 𝑺 𝒋𝒌 , 𝒊 𝑸𝑳 𝑵 𝒛 = 𝑵𝒚 Result 𝒋=𝟐 𝟐≤𝒌≤𝒏 𝒐 𝒏 𝒏 𝒚 𝒌 𝚸 = 𝑶 𝒋𝒌 Proof 𝒚 𝒌 𝑾𝑳 𝒚 = 𝑸𝑳 𝒌 𝑾𝑳 𝒚 𝒋=𝟐 𝒌=𝟐 𝒌=𝟐 Kaoutar Elkhiyaoui, Melek Önen, Monir Azraoui, Refik Molva 18 Efficient Techniques for Publicly Verifiable Delegation of Computation ASIACCS’16, Xi’an, China, May 31, 2016

Verifiable Matrix Multiplication – Details Verify 𝒛, 𝚸 𝒐 𝒏 𝒇 𝚸, 𝒊 ≟ 𝒇 𝒉 𝝁 𝒋 𝒛 𝒋 , 𝒊 𝜺 𝑾𝑳 𝒚 𝒚 𝒌 𝑾𝑳 𝒚 = 𝑸𝑳 𝒌 𝑾𝑳 𝒚 𝒋=𝟐 𝒌=𝟐 Kaoutar Elkhiyaoui, Melek Önen, Monir Azraoui, Refik Molva 19 Efficient Techniques for Publicly Verifiable Delegation of Computation ASIACCS’16, Xi’an, China, May 31, 2016

Verifiable Computation: Related Work Algebraic PRFs [ Benabbas et al. 2011, Fiore & Gennaro 2012 ] 𝒈 𝒃𝑸𝑺𝑮 Setup 𝒈, 𝒃𝑸𝑺𝑮 𝒚, 𝒈 𝒚 = ? 𝒈, 𝒃𝑸𝑺𝑮 Verification 𝒛, 𝚸 𝒃𝑸𝑺𝑮 𝒛 = 𝚸 Compute 𝒛 = 𝒈 𝒚 Compute 𝚸 = 𝒃𝑸𝑺𝑮(𝒈(𝒚)) Efficient verification Construction of efficient aPRFs Pinocchio [Parno et al. 2013] Setup QAP 𝒈 QAP polynomials 𝒚, 𝒈 𝒚 = ? Arithmetic circuit QAP Verification Evaluate circuit on 𝒚 → 𝒛 QAP verification 𝒛, 𝚸 based on 𝒛 and 𝚸 Proof with QAP polynomials → 𝚸 General functions Key size and proof generation linear with circuit size 20

Performance Evaluation of StealthGuard Storage Proof Scheme Upload Verification Communication overhead Generation Ateniese et 10 6 exp 10 3 PRP, 10 3 PRF 10 4 exp 267 MB 316 B al. 2008 10 6 mul 10 3 exp, 10 4 mul 10 4 PRP Shacham and 10 6 PRF 51 MB 10 4 mul 10 2 mul 3 KB Waters 2008 10 9 mul Tags 10 8 mul 10 2 exp 10 4 mul 36 KB Xu et al. 2012 26 MB 10 6 PRF 10 5 mul 10 4 PRF Juels and 10 6 PRF 30 MB N/A 10 4 PRP 33 MB Sentinels Kaliski 2007 StealthGuard 10 5 PRF 10 6 mul 10 5 mul 8 MB 50 MB 2014 10 5 PRP More expensive Smaller but unbounded Lighter storage Comparable Comparable number of overhead verifications Melek Önen SEC2, July 5 th 2016 21

Verifiable Polynomial Evaluation – Analysis  Security 𝒆  Soundness under 𝟑 - Strong Bilinear Diffie-Hellman assumption 1  𝑕, 𝑕 𝛽 , ℎ, ℎ 𝛽 , … , ℎ 𝛽 𝑒/2 → compute 𝛾, ℎ 𝛽+𝛾  Proof by reduction ■ Performance Client Cloud Problem Setup Verify Compute Generation 𝒫(𝑒) 𝒫(1) 𝒫(1) 𝒫(𝑒) Amortized model Melek Önen 22 SEC2, July 5 th 2016

Verifiable Matrix Multiplication – Analysis  Security  Soundness under the co-CDH assumption  𝑕, 𝑕 𝛽 , ℎ, ℎ 𝛾 → compute 𝑕 𝛽𝛾  Proof by reduction ■ Performance Client Cloud Problem Setup Verify Compute Generation 𝒫(𝑜𝑛) 𝒫(𝑛) 𝒫(𝑜) 𝒫(𝑜𝑛) Amortized model 23