Proofs of Retrievability via Fountain Code

Transcription

1 Proofs of Retrievability via Fountain Code Sumanta Sarkar and Reihaneh Safavi-Naini Department of Computer Science, University of Calgary, Canada Foundations and Practice of Security October 25, 2012

2 Outsourcing Data into Cloud Storage Suppose a user generates lots of electronic data: videos, photos, s, text documents. He also has many devices: desktop, laptop, tablet, smartphone. But none of them are capable of storing huge data. Cloud storage comes with the solution: Outsource the data into the cloud. Access all data from all the devices and from anywhere. Cloud keeps the whole data intact as long as the client wants.

3 Risk of Outsourcing Data into Cloud Storage Completely rely on the cloud for the integrity of the data. No control over the infrastructure of the cloud. Device failure may erase some portions of the data. A dishonest cloud may erase some portions of the data to reduce its own storage cost.

4 Checking the Integrity of the Data Store a MAC of the data locally. Can download the whole file, compute the MAC and check with the previously stored one. Not a practical solution when the data is big.

5 Proofs of Retrievability (PoR) Juels and Kaliski 2007 introduced Proofs of Retrievability (PoR) protocol which verifies the integrity of the data through an audit protocol.

6 Proofs of Retrievability (PoR) Juels and Kaliski 2007 introduced Proofs of Retrievability (PoR) protocol which verifies the integrity of the data through an audit protocol. The client applies an erasure code on the file M and stores the encoded file M in the cloud. M can be decoded from a fraction, say ρ of M.

7 Proofs of Retrievability (PoR) Juels and Kaliski 2007 introduced Proofs of Retrievability (PoR) protocol which verifies the integrity of the data through an audit protocol. The client applies an erasure code on the file M and stores the encoded file M in the cloud. M can be decoded from a fraction, say ρ of M. Along with M, the client also stores some extra information (M) which will be used in the audit. An audit is a challenge-response protocol. In the audit the client (verifier) challenges on some random location of the file and cloud s (prover) correct response proves that file blocks are intact in those locations.

8 Proofs of Retrievability (PoR) Juels and Kaliski 2007 introduced Proofs of Retrievability (PoR) protocol which verifies the integrity of the data through an audit protocol. The client applies an erasure code on the file M and stores the encoded file M in the cloud. M can be decoded from a fraction, say ρ of M. Along with M, the client also stores some extra information (M) which will be used in the audit. An audit is a challenge-response protocol. In the audit the client (verifier) challenges on some random location of the file and cloud s (prover) correct response proves that file blocks are intact in those locations. The security of a PoR scheme is formalized by showing the existence of an extractor which retrieves the file with very high probability from an erasing adversary that can pass the audit protocol with some reasonable probability.

9 Efficiency of PoR System The computational cost of preparing a file for storing in the cloud, and calculating the response, Communication cost required during an audit and, The extra storage (overhead) needed for storing the file M.

10 Efficiency of PoR System The computational cost of preparing a file for storing in the cloud, and calculating the response, Communication cost required during an audit and, The extra storage (overhead) needed for storing the file M. So small size challenge improves the communication cost of the protocol, and also the computation cost of the prover as less blocks will be involved in the computation of response.

11 Bounded/Unbounded-use PoR and Private/Public Verifiability PoR that allows unlimited number of challenge-response interactions is unbounded-use, otherwise it is bounded-use. A private verifiable PoR allows only the owner of the file who stores the file can run the challenge-response protocol, whereas in public verifiable PoR, anyone knowing the appropriate public key can perform the verification.

12 Main Contribution We present an unbounded-use private PoR scheme that improves the cost of response computation and the cost of communication of challenges in the average case. Our construction closely follows that of Shacham and Waters 2008 and uses Fountain code.

13 Related Work on PoR PoR was introduced by Juels and Kaliski 2007 and subsequently has been extended and improved by Shacham and Waters 2008; Bowers, Juels and Oprea 2009; Dodis, Vadhan and Wichs JK07 scheme has quadratic communication complexity (in terms of security parameter) for response. This was improved to linear complexity in SW08 by using homomorphic linear authenticators. Dodis et al. viewed the set of all correct responses corresponding to the file M = Enc(M) stored in the cloud as a codeword C which is a challenge-response encoding of M. The set of all responses for the same file M from the prover form a word C which may differ from C. The extractor decodes M from C.

14 Background on PoR We follow SW08. Kg(): This randomized algorithm generates a secret key sk and the public key pk. St(sk,M): This randomized algorithm takes the secret key sk and the client file M {0, 1}. Then it processes M and outputs M which is stored in the cloud. P, V : The randomized algorithms that correspond to the prover and the verifier. At the end of the prover-verifier interaction: {0, 1} R (V(pk, sk, t) P(pk, t, M )).

15 PoR properties: Correctness and Soundness Correctness means that if the prover is honest then (V(pk, sk, t) P(pk, t, M )) = 1. A PoR is sound if any prover that convinces the verification means that it actually holds the file.

16 ɛ-adversary and the Extractor Adversary is assumed to erase some portion of the file with probability bounded by a fixed value. A prover is ɛ-admissible if it convincingly answers an ɛ fraction of challenges. A PoR scheme is ɛ-sound if there exists an extraction algorithm (Extractor) which by interacting (challenge-response) with the ɛ-admissible adversary can recover the file except with negligible probability.

17 Fountain Codes In Fountain codes the sender generates potentially a limitless string of encoded symbols. The receiver can recover the message from sufficiently many encoded symbols. Examples: LT code [Luby 2002] and Raptor code [Shokrollahi 2006] are two well known Fountain codes.

18 Raptor Code: Encoding Precoding The message is (x 1,..., x k ), where each x i is of l-bits. First (x 1,..., x k ) is encoded to (y 1,..., y n ) by an erasure code C n which can recover (x 1,..., x k ) from any ρn number of symbols. LT coding To generate Raptor encoding symbols, LT code is applied on (y 1,..., y n ). For that, a degree distribution defined by a polynomial n w(x) = w i x i where w i is the probability of choosing i, i {1,..., n} is chosen. i=1 Randomly choose a degree, say j, using w(x). Choose uniformly at random, j symbols from the set {y 1,..., y n }, and XOR them to produce the encoded symbol (output symbol) r i = y i1... y ij.

19 Raptor Code structure

20 Raptor Code: Decoding After collecting r i symbols little more than k in amount, apply BP decoding and get ρ fraction of {y 1,..., y n }, and then applying decoding of C n receiver can recover (x 1,..., x k ).

21 Raptor Code parameters The following are from the Raptor code construction given in [Shokrollahi 2006]. Let α > 0 be a real number, set D = 4(1 + α)/α and define w D (x) = 1 µ + 1 (µx + D where µ = (α/2) + (α/2) 2. The average of w D is x i (i 1)i + x D+1 D i=2 ), (1) ln(1/α) + β + O(α), (2) where 1 < β < 1 + γ + ln(9), the constant γ is the Euler s constant.

22 Results on decoding Raptor Code Lemma (Shokrollahi 2006) There exists a positive real number c (depending on α) such that with an error probability of at most e cn any set of (1 + α/2)n + 1 output symbols of the LT-code with distribution w D and n-input symbols y 1,..., y n are sufficient to recover at least ρn input symbols from {y 1,..., y n } via belief propagation decoding, where ρ = 1 α/4 1+α. Theorem (Shokrollahi 2006) Let α > 0 be a real number, k an integer, D = 4(1 + α)/α, R = (1 + α/2)/(1 + α), n = k/r. Let C n be an erasure code which can decode (1 R)/2 erasures. Then the Raptor code with precode C n and the LT-code with the distribution w D (x) which encodes k symbols, can decode from (1 + α)k output symbols.

23 PoR of SW08 Suppose F = (m 1,..., m n ) is the erasure encoded file of the client file F. Each m i Z p. Choose θ Z p randomly and create authenticators σ i = PRF (i) + θm i. Challenge: Q = {(i 1, v 1 ),..., (i w, v w )}, where i j randomly chosen from {1,..., n} and v j chosen randomly from Z p. Response: r = (i,v i ) Q v im i and σ = (i,v i ) Q v iσ i. Verify: σ? = (i,v i ) Q v iprf (i) + θr.

24 RAPTOR-PoR: Choosing Key R Kg(): A random symmetric encryption key k enc Kenc and a R random MAC key k mac Kmac are chosen. The secret key is sk = (k enc, k mac ). Since this is private verification, there is no public key pk.

25 RAPTOR-PoR: Preparing File for Storing First M = (x 1,..., x k ), x i is l-bits, is encoded by an erasure code C n to obtain M = (y 1,..., y n ), where C n is such that any ρn symbols from (y 1,..., y n ) will be enough for the reconstruction of M.

26 RAPTOR-PoR: Preparing File for Storing First M = (x 1,..., x k ), x i is l-bits, is encoded by an erasure code C n to obtain M = (y 1,..., y n ), where C n is such that any ρn symbols from (y 1,..., y n ) will be enough for the reconstruction of M. R Choose a PRF key k prf Kprf and a random binary l l matrix A = [A 1,..., A l ] T, where each A i is an l-bit row vector.

27 RAPTOR-PoR: Preparing File for Storing First M = (x 1,..., x k ), x i is l-bits, is encoded by an erasure code C n to obtain M = (y 1,..., y n ), where C n is such that any ρn symbols from (y 1,..., y n ) will be enough for the reconstruction of M. R Choose a PRF key k prf Kprf and a random binary l l matrix A = [A 1,..., A l ] T, where each A i is an l-bit row vector. Let t 0 = n Enc kenc (k prf A 1 A l ), and t = t 0 MAC kmac (t 0 ) be the file tag.

28 RAPTOR-PoR: Preparing File for Storing First M = (x 1,..., x k ), x i is l-bits, is encoded by an erasure code C n to obtain M = (y 1,..., y n ), where C n is such that any ρn symbols from (y 1,..., y n ) will be enough for the reconstruction of M. R Choose a PRF key k prf Kprf and a random binary l l matrix A = [A 1,..., A l ] T, where each A i is an l-bit row vector. Let t 0 = n Enc kenc (k prf A 1 A l ), and t = t 0 MAC kmac (t 0 ) be the file tag. For each i, where 1 i n, create authenticators σ 1,..., σ n as σ i = PRF kprf (i) y i A for 1 i n. Each σ i is also an l-bit symbol. Then M = (y 1,..., y n, σ 1,..., σ n ) is the processed file. Send M and t to the cloud.

29 RAPTOR-PoR: Audit (1) V.Tagcheck(sk, t) : Obtains k mac and k enc from the secret key sk. t 0 = n Enc kenc (k prf A 1 A l ) t = t 0 MAC kmac (t 0 ) Receives the tag t from the prover and verify it by the k mac, if MAC does not match, quit the audit. Otherwise, using the symmetric key k enc, decrypt Enc kenc (k prf A 1 A l ) and recover n, k prf and the matrix A.

30 RAPTOR-PoR: Audit (1) V.Tagcheck(sk, t) : Obtains k mac and k enc from the secret key sk. t 0 = n Enc kenc (k prf A 1 A l ) t = t 0 MAC kmac (t 0 ) Receives the tag t from the prover and verify it by the k mac, if MAC does not match, quit the audit. Otherwise, using the symmetric key k enc, decrypt Enc kenc (k prf A 1 A l ) and recover n, k prf and the matrix A. V.Chal(n) : Choose an integer w using the degree distribution with the generator polynomial w D (x) = n i=1 w ix i. Then choose w indices, say {i 1,..., i w }, uniformly from {1,..., n} and choose one index, say c, uniformly at random from {i 1,..., i w }. Send Q = ({i 1,..., i w }, {c}) to the prover.

31 RAPTOR-PoR: Audit (2) P(Q, M ) : In response to the challenge Q compute r = y i1... y iw (3) σ = σ i1... σ iw. Send resp = (r, σ, y c, σ c ) to the verifier.

32 RAPTOR-PoR: Audit (2) P(Q, M ) : In response to the challenge Q compute r = y i1... y iw (3) σ = σ i1... σ iw. Send resp = (r, σ, y c, σ c ) to the verifier. V.Ver(A, k prf, resp) : After receiving prover s response, check whether σ =? ra PRF kprf (i), i {i 1,...,i w } σ c? = PRFkprf (c) y c A.

33 Parameters for RAPTOR-PoR Refer to Raptor code parameters: we take α = 1/l. l is the security parameter. Rate of the precode C n is R = 2l+1 2l+2. Then n = poly(l), if k = poly(l). The erasure probability that C n can handle is 1 ρ = 1 4(l+1). D = 4(l + 1), µ = 1 2l + 1 4l 2, the degree distribution is w D (x) = 2l + 1 4l 2 + 2l + 1 x + 4l ( 2 x 2 2l x 3 4(l+1) x (4l + 3)(4l + 4) + x ) 4l+5. 4l + 4 The mean of this distribution is ln(l) + β + O(1/l) = O(log l), where 1 < β < 1 + γ + ln(9), the constant γ is the Euler s constant.

34 RAPTOR-PoR: Result on Extractor Theorem If the prover is ɛ-admissible then running the Audit protocol for (1+1/l)k ɛ iterations, the extractor will be able to retrieve the file with error probability e poly(l).

35 RAPTOR-PoR: Comparison with the other PoR All previous schemes challenge a fixed number of blocks of order O(l). In our scheme, the size of the challenge set is chosen from the interval [1, 4l + 5] according to the probability distribution w D (x). So in the worst case, it is O(l). However, in the average case it is ln(l) + β + O(1/l), where 1 < β < 1 + γ + ln(9), i.e., O(log l). This also means that the cloud has to consider O(log l) number of blocks while computing a response in the average case. In RAPTOR-PoR, the response is formed just by XORing w l-bit-elements, whereas forming a response for a challenge on w elements in SW 2008 scheme, one has to compute w-multiplications and (w 1)-additions over Z p.

36 Conclusion We have proposed a PoR construction based on the SW 2008 PoR and improved the response computation. Notably we use challenge of variable length which are chosen probabilistically. The next task is to have an efficient implementation of our scheme, which requires additional measures. For instance applying erasure encoding on a big file is not practical, so file should be divided into stripes and then we can apply erasure encoding on each stripes. So this require completely new analysis of the scheme.

37 THANK YOU