Leakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage


Giuseppe Ateniese (Sapienza, University of Rome), Antonio Faonio (Aarhus University), Seny Kamara (Microsoft Research)

Abstract

We provide a framework for constructing leakage-resilient identification (ID) protocols in the bounded retrieval model (BRM) from proofs of storage (PoS) that hide partial information about the file. More precisely, we describe a generic transformation from any zero-knowledge PoS to a leakage-resilient ID protocol in the BRM. We then describe a ZK-PoS based on RSA which, under our transformation, yields the first ID protocol in the BRM based on RSA (in the ROM). The resulting protocol relies on a different computational assumption and is more efficient than previously-known constructions.

Keywords: Leakage Resilience, Bounded Retrieval Model, Proof of Storage, Identification Scheme, Generic Transformation, RSA security.

1 Introduction

Cryptographic schemes are traditionally designed under the assumption that the adversary cannot learn any information about the secret key. In practice, however, this assumption does not always hold, as the adversary could recover information about the key through various means such as side-channel attacks [19, 20, 26, 5, 23], memory leakage attacks [16] or by compromising the system on which the keys are stored. These attacks, commonly referred to as leakage attacks, have motivated the design of leakage-resilient cryptosystems which remain secure even against adversaries that may obtain partial information about the secret state (clearly, under some limitations on the kind of leakage allowed). Several models of leakage-resilience have been proposed and many cryptographic primitives have been realized under gradually stronger models [22, 12, 24, 1, 18, 14, 10]. In what follows we discuss only the most relevant to our work; specifically, we focus on the bounded retrieval model (BRM). In this model, there is an absolute upper bound λ on the total amount of information the adversary can recover about the secret key.
In the BRM this bound is independent of k, the security parameter; thus security can only be achieved if the key is larger than λ. Since the latter can be very large, we require that the efficiency of the scheme be related only to the security parameter. The BRM model was introduced by Di Crescenzo et al. [8] and by Dziembowski [11]. The former showed how to construct password-based key agreement protocols while the latter proposed a symmetric-key authenticated key agreement (AKA) protocol. In this work, we consider the problem of identification in the BRM. More precisely, we are interested in practical identification schemes that support large secret keys and whose efficiency is independent of the key length. The problem was first considered by Alwen et al. [1]; our contribution provides a new and different perspective, which results in a practical scheme based on RSA.

(A preliminary version of this paper is published in the proceedings of the 15th IMA International Conference on Cryptography and Coding, IMACC 2015, St. Catherine's College, University of Oxford, UK. This is the full version. Partially supported by the European Union's Horizon 2020 research and innovation programme under grant agreement No. , project SUNFISH. Supported by European Research Council Starting Grant)

1.1 Our Contributions

We provide a framework for constructing leakage-resilient ID protocols in the BRM from publicly-verifiable proofs of storage (PoS) that are computationally zero-knowledge (ZK). PoS are interactive protocols allowing a client to verify that a server faithfully stores its file. A PoS is publicly verifiable if anyone with access to the client's public key can verify the server's storage, and it is computationally ZK if, roughly speaking, its verification phase leaks no useful information about the file to a bounded adversary. We show how to construct such a scheme based on the RSA assumption. PoS were introduced independently by Ateniese et al. [2] and Juels and Kaliski [17]. Publicly verifiable PoS were first considered in [2] with extensions and improvements given in [27, 3]. We summarize the contributions of this work as follows:

1. (generality) We provide a transformation from any zero-knowledge (ZK) PoS to a BRM identification scheme.
2. (efficiency) Our ZK-PoS-to-BRM-ID transformation is very efficient, leading to BRM-ID schemes that are practical and more efficient than prior work.
3. (security) We show how to build ZK-PoS under standard cryptographic assumptions. In particular, we propose a novel BRM-ID scheme based on the standard RSA assumption in the random oracle model (ROM).
1.2 Related Work

Leakage-resilient identification schemes in the BRM were first considered in [1], which proposed a scheme based on the generalized Okamoto scheme (see Okamoto [25]) and the pairing-based public-key homomorphic linear authenticator of Shacham and Waters [27]. In [1], a transformation is also given from absolute leakage-resilient ID schemes to leakage-resilient signature schemes and AKA protocols. The transformation relies on parallel repetition and consists in taking n independent copies of the basic relative-leakage scheme. Since n is large, this yields complex and relatively inefficient schemes; thus a more efficient transformation is described by the authors that employs subset selection and reduces both communication and time complexity. For a detailed comparison between the constructions of [1] and our own, we refer the reader to Section 4.1. Here, we just mention that the framework of [1] works only for an extension of the Okamoto ID scheme [25] and is not generalizable. Also, the BRM-ID scheme based on the Okamoto ID scheme relies on BLS signatures [6] and thus on the Gap Diffie-Hellman assumption. For the same level of security, we provide schemes that rely on weaker computational assumptions and that are more efficient in terms of computation. While zero-knowledge PoS can be designed from general-purpose zero-knowledge proofs by having the server prove knowledge of the file, such an approach would not be efficient. The first practical ZK-PoS scheme was proposed by Wang et al. [28], who extended the pairing-based PoS construction of Shacham and Waters [27] to be zero-knowledge. In comparison, our RSA-based ZK-PoS relies on a weaker computational assumption and, as far as we know, is the first construction to have a full proof of security.

1.3 Overview of Our Technique

At a high level, our framework works as follows. The secret key of the identification protocol is the encoding of a randomly-generated file, and the public key is the state information generated by encoding the file together with the public key for the PoS. To identify itself, the prover executes the verification phase of the PoS with the verifier to prove that it indeed holds the file. Note that while (in the context of a BRM leakage attack) the verifier can learn λ bits about the key/file, the properties of the PoS allow us to increase the file size beyond λ without increasing the communication complexity of the verification phase. One problem with the above approach is that standard PoS do not necessarily hide information about the file from the verifier and, therefore, the ID scheme verifier above could learn the remaining n − λ bits of the key from the verification phase. To address this, we need a zero-knowledge PoS; that is, a PoS with a verification phase that hides all partial information about the file. More formally, for the identification scheme we consider the security notion of pre-impersonation leakage-resistance, in which an attacker, in a test stage of the experiment, can interact with an honest prover and leak arbitrary functions of the secret key. We model the latter with a leakage oracle that on input an (efficiently computable and adaptively chosen) function f outputs the value f(sk). The restriction is that the total length of the leaked information is bounded by some a-priori fixed value λ. For the PoS, we phrase the soundness definition using the paradigm of witness-extended emulation (see Lindell [21]).
Intuitively, this guarantees that there exists an expected polynomial time extractor that, for any adversary that convinces the verifier with some probability, outputs the original file with approximately the same probability. The main intuition is that even after the test stage, an adversary cannot have full knowledge of the secret key/file. It follows then by the (knowledge) soundness of the PoS that the adversary cannot convince the verifier. In the intuition above we have not defined the meaning of knowledge of the adversary after the test stage. At first glance, one might consider the average conditional min-entropy of the secret key/file after the test stage. This measure, however, is insufficient for two reasons:

1. The PoS is only computationally zero knowledge so, in principle, all the min-entropy of the file could be lost after the test stage.
2. The conditional average min-entropy is not smooth with respect to statistically-close distributions. Specifically, given a random variable X and two statistically-close random variables Y and Y', there could be an arbitrary gap between $\tilde H_\infty(X \mid Y)$ and $\tilde H_\infty(X \mid Y')$. Therefore, even if we considered the stronger notion of statistical zero-knowledge PoS, we might run into the same problem.

We overcome the above problems by considering a slightly different experiment. In the new experiment the prover oracle is substituted by the simulator guaranteed to exist by the zero-knowledge property of the PoS. The crux is that a polynomially-bounded adversary cannot distinguish the two experiments and, therefore, it can convince the verifier with approximately the same probability. Now we can give a meaningful lower bound on the average conditional min-entropy of the secret key/file after the test stage. The adversary cannot guess the original secret with probability roughly more than $2^{-|sk| + \lambda} \cdot 2^{\omega(\log k)}$ so, by soundness of the PoS, it cannot convince the verifier with noticeable probability. Concretely, the proof proceeds in two steps. First, we establish a lower bound on the conditional average min-entropy of an encoding $\tilde f$ of a uniformly random file f when the adversary is given access to a leakage oracle parameterized with $\tilde f$, and the randomness necessary to encode f. We then show that if there exists a probabilistic polynomial time (ppt) adversary A that succeeds in the pre-impersonation leakage experiment with a noticeable probability, then, by the soundness of the PoS, the lower bound on the average conditional min-entropy mentioned above is violated. This follows because we can simulate the pre-impersonation leakage experiment and then successfully extract from the adversary the file f during the impersonation stage. Furthermore, the experiment provides the information necessary to reconstruct $\tilde f$ from f. This leads to a predictor that guesses the encoded file $\tilde f$ with noticeable probability.

A comparison. Consider the proof of security of the identification schemes presented in [1]. Briefly, their proof technique relies on a collision resistant hash (CRH) function, and the identification scheme is a proof of knowledge of a preimage x (the secret key) for an element y (the public key) in the co-domain of the hash function. The reduction samples a secret key x in the domain of the CRH function h and, given the secret key, the reduction can easily reply to all the leakage queries. If the adversary succeeds in the pre-impersonation experiment then the reduction can extract a pre-image x'. Their analysis shows that the uncertainty of x is high even after the test stage and therefore with high probability x' ≠ x and y = h(x') = h(x).
In comparison with our work, they present a direct reduction to the computational problem of breaking a CRH function. Our proof has a similar interpretation. Given a successful adversary for the pre-impersonation leakage experiment we define a new adversary for the PoS security experiment. This new adversary forgets part of the file (namely, it has only λ bits of information about it) and convinces the verifier of the PoS scheme, therefore breaking the knowledge soundness of the proof of storage. However, since we cannot directly argue that a forgetful adversary that convinces the verifier breaks the security of the PoS, we formalize it by providing the two bounds mentioned before. A similar technique, although based on a different measure of min-entropy, was recently used in the context of fully leakage-resilient signatures (see Faonio et al. [13]).

2 Definitions

2.1 Preliminaries

If x is a string, we denote its length by |x|; if X is a set, |X| represents the number of elements in X. When x is chosen randomly in X, we write x ← X. When A is an algorithm, we write y ← A(x) to denote a run of A on input x and output y; if A is randomized, then y is a random variable and A(x; r) denotes a run of A on input x and randomness r; sometimes, when A is deterministic we write y := A(x). An algorithm A is probabilistic polynomial-time (ppt) if it is randomized and for any input $x, r \in \{0,1\}^*$ the computation of A(x; r) terminates in at most poly(|x|) steps. Throughout the paper we let k denote the security parameter. We say that a function $\nu : \mathbb{N} \to \mathbb{R}$ is negligible in the security parameter k if $\nu(k) = k^{-\omega(1)}$. A positive function f is noticeable if there exist a positive polynomial p and a number $n_0$ such that $f(n) \ge 1/p(n)$ for all $n \ge n_0$.

We start by recalling the notion of conditional min-entropy. We adopt the definition given in [1], where the authors generalize the notion of conditional min-entropy to interactive predictors that participate in some randomized experiment E. The (average) conditional min-entropy of a random variable X given any randomized experiment E is defined as follows:

$$\tilde H_\infty(X \mid E) = -\log\Bigl(\max_{B} \Pr\bigl[B(E) = X\bigr]\Bigr),$$

where the maximum is taken over all predictors without any requirement on efficiency. Note that w.l.o.g. the predictor B is deterministic; in fact, we can derandomize B by hardwiring the random coins that maximize its outcome. Sometimes we write $\tilde H_\infty(X \mid Y)$ for a random variable Y; in this case we mean the average conditional min-entropy of X given the random experiment that gives Y as input to the predictor.

We recall the definition of δ-indistinguishability for ensembles of distributions, both in the computational and statistical flavors.

Definition 1 (Indistinguishability). Given a function $\delta : \mathbb{N} \to \mathbb{R}$ and two distribution ensembles $\{X_k\}_{k \ge 0}$ and $\{Y_k\}_{k \ge 0}$ such that $|X_k| \le p(k)$ and $|Y_k| \le p(k)$ for a polynomial p(k), we say that the ensemble $\{X_k\}_{k \ge 0}$ is δ-indistinguishable from $\{Y_k\}_{k \ge 0}$ if for any non-uniform polynomial time distinguisher D the following holds:

$$\Bigl|\Pr\bigl[D(1^k, X_k) = 1\bigr] - \Pr\bigl[D(1^k, Y_k) = 1\bigr]\Bigr| \le \delta(k).$$

When we refer to statistical δ-indistinguishability, the equation above holds for all distinguishers without any bound on the running time.

2.2 Proofs of Storage

Publicly-verifiable PoS consist of two phases: a setup phase where the client encodes the file and sends it to the server; and a verification phase where a verifier (which may or may not be the original client) engages in an interactive protocol with the server to determine if it indeed possesses the file. The encoding algorithm also outputs state information which represents a pointer to the encoded file and has size independent of the file size.
Moreover, we require that knowledge of the state information doesn't help a malicious server to violate the soundness property. Later, we formalize this notion by giving the adversary oracle access to the encoding algorithm. We consider PoS in which the verification phase requires three moves (as opposed to two as in previous work [2, 27, 3]): the server generates the first message a using the public key pk and randomness r; the verifier sends a random challenge c; and the server returns a proof π using pk, the encoded file, the challenge and the randomness used to generate the first message a.

Definition 2 (Proof of storage). A publicly-verifiable proof of storage (PoS) is a tuple of six ppt algorithms Π = (Gen, Enc, Comm, Chall, Prove, Vrfy) such that:

- $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$ is a probabilistic algorithm that is run by the client to set up the scheme. It takes as input a security parameter, and outputs a public and private key pair (pk, sk).

- $(\tilde f, st) \leftarrow \mathsf{Enc}_{sk}(f)$ is a probabilistic algorithm that is run by the client in order to encode the file. It takes as input the secret key sk, and a file f viewed as an n-dimensional vector over a block space $B = \{0,1\}^{p(k)}$ for some polynomial p(k) (let p be the block size of Π). It outputs an encoded file $\tilde f$ and public state information $st \in \{0,1\}^{l_{st}(k)}$ (let $l_{st}$ be the state information size of Π).
- $a \leftarrow \mathsf{Comm}(pk)$ is a probabilistic algorithm run by the server to generate the first message. It takes as input the public key and outputs an initial message a.
- $c \leftarrow \mathsf{Chall}(pk)$ is a probabilistic algorithm that takes as input the public key and outputs a challenge c.
- $\pi \leftarrow \mathsf{Prove}(pk, \tilde f, r, c)$ is a probabilistic algorithm that takes as input the public key pk, an encoded file $\tilde f$, a string r, and a challenge c. It outputs a proof π.
- $b := \mathsf{Vrfy}(pk, st, a, c, \pi)$ is a deterministic algorithm that takes as input the public key pk, the state information st, the first message a, a challenge c, and a proof π. It outputs a bit, where 1 indicates acceptance and 0 indicates rejection.

We say that Π is correct if for all $k \in \mathbb{N}$, all (pk, sk) output by $\mathsf{Gen}(1^k)$, all $n \in \mathbb{N}$ and $f \in B^n$, all $(\tilde f, st)$ output by $\mathsf{Enc}_{sk}(f)$, and all c output by $\mathsf{Chall}(pk)$, it holds that

$$\Pr_{r_c, r_p}\Bigl[\mathsf{Vrfy}\bigl(pk, st, \mathsf{Comm}(pk; r_c), c, \mathsf{Prove}(pk, \tilde f, r_c, c; r_p)\bigr) = 1\Bigr] = 1.$$

An important characteristic of a PoS is locality, which requires that the running time of the Prove algorithm be polynomial in the security parameter (independent of the parameter n). Locality effectively captures the server-side efficiency guarantee provided by a PoS and, as we will show in Section 3, is what allows us to meet the efficiency requirements of the BRM. Informally, soundness of a PoS guarantees that if the verifier accepts the proof then the prover indeed has sufficient information to recover the entire original file f. As noted in [2, 17, 27, 9], soundness can be formalized using the notion of a knowledge extractor [15, 4]. As in [3], we phrase our definition using the paradigm of witness-extended emulation [21].

Definition 3 (Soundness for a publicly-verifiable PoS).
Let Π = (Gen, Enc, Comm, Chall, Prove, Vrfy) be a publicly-verifiable PoS. We say that Π is sound with knowledge error ε(k) if there exists an expected polynomial-time knowledge extractor K such that for all adversaries $A = (A_0, A_1)$, where $A_0$ is an oracle ppt algorithm and $A_1$ is an interactive ppt algorithm involved in the following probabilistic experiment:

1. Key Stage: The challenger computes $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$. The adversary $A_0$ takes as input pk and gets oracle access to $\mathsf{Enc}_{sk}(\cdot)$. Eventually, $A_0$ outputs a tuple $(f, st_A)$ and the challenger computes $(\tilde f, st) \leftarrow \mathsf{Enc}_{sk}(f)$.
2. Extraction Stage: The extractor K takes as input pk and st and gets access to the oracle $A_1(st_A, \tilde f, st, \cdot\,; \cdot)$ modeled as an interactive oracle. Finally K outputs the tuple $((a, c, \pi), f')$.
3. The output of the experiment is the tuple $(pk, st, (a, c, \pi), f', f)$.

The properties listed below hold:

(i) The following probability is at most ε(k):

$$\Pr\bigl[\mathsf{Vrfy}(pk, st, a, c, \pi) = 1 \;\wedge\; f' \neq f\bigr], \qquad (1)$$

where the probability is over the outputs of the experiment above.

(ii) For any pk and st, the distribution $(a', c', \pi')$ induced by an execution of $A_1(st_A, \tilde f, st)$ with an honest verifier and the distribution $(a, c, \pi)$ as output by the extractor K in the experiment above are identically distributed.

We say that Π is sound if ε(k) is negligible. For simplicity, we consider only PoS Π where the function Enc is injective for any sk and for any assignment of the internal randomness. This assumption is made without loss of generality; in fact, any PoS scheme can be converted into one with this property by appending the missing data to the encoded file. By the soundness property, the procedure is efficient and the average size of the encoded file increases only by a negligible factor¹. We now turn to our definition of zero-knowledge. Namely, we consider the notion of black-box zero-knowledge, which guarantees that there exists a simulator for any adversary and the simulator has only black-box oracle access to the adversary's algorithm.

Definition 4 (Zero-knowledge). Let Π = (Gen, Enc, Comm, Chall, Prove, Vrfy) be a publicly-verifiable PoS. Π is δ-zero-knowledge (δ-ZK) if there is an expected polynomial time transcript simulator S such that for all non-uniform polynomial time adversaries A, for any $n \ge 0$, for any $f \in B^n$ and for any infinite sequence $L = \{(pk, sk, \tilde f, st)\}_{k \ge 0}$ indexed by the security parameter k and where (pk, sk) is output by $\mathsf{Gen}(1^k)$ and $(\tilde f, st)$ is output by $\mathsf{Enc}_{sk}(f)$, the distribution ensemble

$$\Bigl\{ (a', c', \pi') \leftarrow S^{A}(st, pk, sk) \Bigr\}_{(pk, sk, \tilde f, st) \in L}$$

is δ(k)-indistinguishable from the following distribution ensemble:

$$\Bigl\{ (a, c, \pi) \;:\; r \leftarrow \{0,1\}^*;\; a := \mathsf{Comm}(pk; r);\; c \leftarrow A(pk, st, a);\; \pi \leftarrow \mathsf{Prove}(pk, \tilde f, r, c) \Bigr\}_{(pk, sk, \tilde f, st) \in L}.$$

In the definition above, the secret key for the PoS is given as input to the simulator. We could consider a stronger definition where the secret key is given to the distinguisher, but we dismissed this option since a weaker zero-knowledge requirement makes our final compiler more general.
2.3 Identification Protocols

An identification protocol allows a prover P in possession of a secret key sk to prove its identity to a verifier V that holds the corresponding public key pk.

¹ To see this, consider the procedure that first encodes using Enc, then runs internally the extractor with oracle access to the honest prover and, if the extractor fails, appends the original file to the encoding. Since the extractor fails only with negligible probability, the average size of the encoded file increases only by a negligible factor.

We consider 3-move identification protocols where the prover generates the first message α using the public key pk and randomness r; the verifier sends a random challenge β; and the prover then computes a response γ using (pk, sk), the randomness r and the verifier's challenge β. Given the transcript of the protocol, the verifier decides whether to accept or not. The prover algorithm of any identification scheme in the BRM must have efficiency essentially independent of the size of the secret key. This is captured by the following definition.

Definition 5 (Identification protocol in the BRM). A 3-move identification protocol is a protocol between a ppt prover P and a ppt verifier V that consists of five polynomial-time algorithms Σ = (Setup, Comm, Chall, Resp, Vrfy) such that:

- $(pk, sk) \leftarrow \mathsf{Setup}(1^k, 1^s)$ is a probabilistic algorithm that takes as input the security parameter and the key-size parameter and outputs a public and private key pair (pk, sk) such that |pk| = poly(k) and |sk| = poly(k, s).
- $\alpha \leftarrow \mathsf{Comm}(pk)$ is a probabilistic algorithm run by the prover P to generate the first message. It takes as input the public key and outputs an initial message α.
- $\beta \leftarrow \mathsf{Chall}(pk)$ is a probabilistic algorithm run by the verifier V that takes as input the public key and outputs a challenge β.
- $\gamma \leftarrow \mathsf{Resp}(pk, sk, r, \beta)$ is a probabilistic algorithm that is run by the prover P to generate the second message. It takes as input the public key pk, the secret key sk, the randomness r, and a challenge β (from some associated challenge space), and outputs a response γ.
- $b := \mathsf{Vrfy}(pk, \alpha, \beta, \gamma)$ is a deterministic algorithm run by the verifier V to decide whether to accept the interaction. It takes as input the first message α, the public key pk, a challenge β, and a response γ. It outputs a bit b, where 1 indicates acceptance and 0 indicates rejection.

The following properties hold:

Correctness. For all $k \in \mathbb{N}$, all $s \in \mathbb{N}$, all (pk, sk) output by $\mathsf{Setup}(1^k, 1^s)$, and β output by $\mathsf{Chall}(pk)$, it holds that

$$\Pr_{r, r'}\Bigl[\mathsf{Vrfy}\bigl(pk, \mathsf{Comm}(pk; r), \beta, \mathsf{Resp}(pk, sk, r, \beta; r')\bigr) = 1\Bigr] = 1.$$

Efficiency. The prover P has running time poly(k, log s).
We call the locality of the protocol the number of bits of the secret key read as a function of the security parameter k. By saying "run the protocol Σ" we refer to the execution of the protocol between P and V. As in previous work [1, 18], we model leakage attacks by providing the adversary with access to a leakage oracle that returns arbitrary bits of information related to the secret key. Since we are working in the BRM, we require that the oracle returns at most λ bits.

Definition 6 (Leakage oracle). A leakage oracle $\mathsf{Leak}^{\lambda,k}_{sk}(\cdot)$ is parameterized by a secret key sk, a security parameter k and a leakage parameter λ. It takes as input a function f (specified as a circuit) and returns f(sk), subject to the restriction that the total output length of all its replies is at most λ; otherwise it outputs ⊥.

Roughly speaking, security for identification schemes requires that an adversary should not convince an honest verifier to accept an interaction unless it knows the secret key corresponding to a given public key. In the case of security against impersonation under active attacks, this should hold even if the adversary is previously allowed to interact with the honest prover a polynomial number of times. In [1], Alwen et al. extend this notion to capture leakage attacks by providing the adversary with a $\mathsf{Leak}^{\lambda,k}_{sk}(\cdot)$ oracle. This leads to two definitions: security against pre-impersonation leakage, where the adversary can only access the oracle before interacting with the verifier; and security against anytime leakage, where the adversary can access the oracle even during the interaction with the verifier.

Definition 7 (Security against pre-impersonation leakage [1]). Let Σ be an identification protocol and $A = (A_0, A_1)$ be an adversary. Consider the following experiment:

1. Key Stage: The challenger computes $(pk, sk) \leftarrow \mathsf{Setup}(1^k, 1^s)$.
2. Test Stage: The adversary $A_0$ takes as input pk and gets oracle access to $\mathsf{Leak}^{\lambda,k}_{sk}(\cdot)$ and to an honest prover P(sk, pk), modeled as an oracle that runs (arbitrarily many) proofs upon request; access to proofs is sequential. Finally $A_0$ outputs $st_A$.
3. Impersonation Stage: $A_1(st_A)$ executes Σ as a prover with an honest verifier (running with pk).
4. The adversary succeeds if the honest verifier accepts the interaction.

Σ is ε(k)-secure against pre-impersonation leakage λ(k, s) if the success probability of every ppt adversary A in the above experiment, for infinitely many positive integers s, is at most ε(k). We say that Σ is secure against pre-impersonation leakage λ(k, s) if ε(k) is negligible.

3 From Proofs of Storage to Leakage-Resilient ID Protocols

In this section we show how to transform any computationally ZK publicly-verifiable proof of storage into a leakage-resilient identification protocol in the BRM. The basic idea is to use the file as the secret key of the identification protocol and the state information as its public key.
A basic version of this approach would work as follows. The honest prover generates a public and private key pair for the PoS. A file is chosen at random and encoded. The encoded file $\tilde f$ serves as the identification secret key, and the state information st together with the public key of the PoS serves as the public key. To identify itself, the prover executes the verification phase of the PoS with the verifier. One problem with the above approach is that, in the context of a pre-impersonation leakage attack, the adversary receives access to a $\mathsf{Leak}^{\lambda,k}_{\tilde f}(\cdot)$ oracle and to an honest prover. The effect of the leakage oracle can be mitigated somewhat by increasing the size of the file to be larger than λ. Since the communication complexity of the PoS is effectively constant, this will not degrade the efficiency of the protocol. However, to prevent the adversary's interaction with the honest prover from revealing too much information about the file, we will require the verification phase of the PoS to be zero-knowledge. The compiler is shown in Figure 1. If the Prove algorithm of Π is local then the resulting scheme is an identification scheme in the BRM. We recall here a lemma from [1] that we make use of.

Let Π = (Gen, Enc, Comm, Chall, Prove, Vrfy) be a PoS with block size p(k). Construct a leakage-resilient ID protocol Σ = (Setup, Comm, Chall, Resp, Vrfy) as follows:

- $\mathsf{Setup}(1^k, 1^s)$: Set n = s/p(k); compute $(pk', sk') \leftarrow \Pi.\mathsf{Gen}(1^k)$ and sample a file $f \leftarrow B^n$; compute $(\tilde f, st) \leftarrow \Pi.\mathsf{Enc}_{sk'}(f)$ and set $sk = \tilde f$ and $pk = (pk', st)$; delete sk' and f.
- $\mathsf{Comm}(pk; r)$: Output $\alpha := \Pi.\mathsf{Comm}(pk'; r)$.
- $\mathsf{Chall}(pk)$: Output $\beta \leftarrow \Pi.\mathsf{Chall}(pk')$.
- $\mathsf{Resp}(pk, sk, r, \beta)$: Output $\gamma := \Pi.\mathsf{Prove}(pk', \tilde f, r, \beta)$.
- $\mathsf{Vrfy}(pk, \alpha, \beta, \gamma)$: Output $b := \Pi.\mathsf{Vrfy}(pk', st, \alpha, \beta, \gamma)$.

Figure 1: Transforming a ZK PoS with block size p(k) into a leakage-resilient ID protocol.

Lemma 1. For any random variable X and for any experiment E with oracle access to $\mathsf{Leak}^{\lambda}_{X}(\cdot)$, consider the experiment E' which is the same as E except that the predictor does not have oracle access to $\mathsf{Leak}^{\lambda}_{X}(\cdot)$; then $\tilde H_\infty(X \mid E) \ge \tilde H_\infty(X \mid E') - \lambda$.

Let E be the following randomized experiment:

1. It generates a key pair (pk', sk') for Π, samples a file f uniformly at random, samples random coins $\omega_{enc}$ and computes $(\tilde f, st) := \mathsf{Enc}_{sk'}(f; \omega_{enc})$.
2. The predictor takes as input pk = (pk', st), sk' and $\omega_{enc}$ and gets oracle access to $\mathsf{Leak}^{\lambda,k}_{\tilde f}(\cdot)$.

Lemma 2. Let $l_{st}$ be the size of the state of Π. Then $\tilde H_\infty(\tilde f \mid E) \ge |f| - \lambda - l_{st}$.

Proof. Consider the experiment E' which is the same as E except that B's oracle access to $\mathsf{Leak}^{\lambda,k}_{\tilde f}$ is removed. We apply Lemma 1:

$$\tilde H_\infty(\tilde f \mid E) \ge \tilde H_\infty(\tilde f \mid E') - \lambda.$$

Consider the experiment E'' which is the same as E' but where the predictor does not get the state information st as input. We apply Lemma 1:

$$\tilde H_\infty(\tilde f \mid E') \ge \tilde H_\infty(\tilde f \mid E'') - l_{st}.$$

Notice that in the experiment E'' the information about $\tilde f$ is limited to sk' and $\omega_{enc}$, and recall that $\mathsf{Enc}_{sk'}(\cdot\,; \omega_{enc})$ is injective; thus any predictor guesses $\tilde f$ with probability $2^{-|f|}$.

In the next lemma we give an upper bound on the average conditional min-entropy of $\tilde f$ given the experiment E that depends on the winning probability of a ppt adversary in the pre-impersonation leakage experiment.

Lemma 3. Let Π be a δ-ZK PoS with knowledge error $\varepsilon_\Pi$ and let $\varepsilon_A$ be the probability with which an adversary A succeeds in the pre-impersonation leakage experiment. If δ is negligible then

$$\tilde H_\infty(\tilde f \mid E) \le \log(1/\varepsilon_A) + 2\varepsilon_\Pi/\varepsilon_A + 1.$$

Proof. Consider the predictor B that, given the public key pk = (pk', st) and sk', $\omega_{enc}$, works as follows during the experiment E:

1. Setup Stage: It chooses a string ω for $A_0$ that maximizes the winning probability of A in the pre-impersonation leakage experiment. Let $A_\omega$ be the algorithm $A_0$ with the randomness fixed to ω.
2. Test Stage: It executes $A_\omega(pk)$ and answers its leakage queries using its own leakage oracle. At the i-th oracle call of $A_\omega$ to the prover oracle, it executes the simulator $(a_i, c_i, \pi_i) \leftarrow S^{A'_\omega}(sk')$, where $A'_\omega$ is a copy of the adversary $A_\omega$ whose machine state is set to the machine state of $A_\omega$ just before the i-th call. The messages $a_i$ and $\pi_i$ are sequentially fed to the adversary $A_\omega$. Eventually, $A_\omega$ outputs $st_A$.
3. Extraction Stage: It uses the extractor K(pk', st), guaranteed to exist by the soundness of Π, with $A_1(st_A)$ to recover a file f'. It returns as its output $\mathsf{Enc}_{sk'}(f'; \omega_{enc})$.

$A_\omega$ is deterministic; thus, for all i, at the i-th interaction with the prover, $A_\omega$ will reply with a challenge message $c_i$ equal to the one in the simulated transcript. To bound the probability that the extractor K outputs the correct file, we first argue that the probability with which $A_1$ succeeds in the impersonation stage is roughly the same whether it receives its state from an $A_\omega$ that was executed with oracle access to an honest prover or to a simulator.

Proposition 1. Let q(k) (resp. q'(k)) be an upper bound on the number of queries made by $A_\omega$ to the prover oracle (resp. leakage oracle).
The view of $A_\omega$ in the Test Stage of the predictor B, as described above,

$$\Bigl\{\, pk,\; (a_i, c_i, \pi_i)_{i \in [q(k)]},\; \bigl(f_j(\tilde f)\bigr)_{j \in [q'(k)]} \Bigr\},$$

and the view of $A_\omega$ in the Test Stage of the pre-impersonation leakage experiment,

$$\Bigl\{\, pk,\; (a'_i, c'_i, \pi'_i)_{i \in [q(k)]},\; \bigl(f_j(\tilde f)\bigr)_{j \in [q'(k)]} \Bigr\},$$

where, for all $i \in [q(k)]$, the tuple $(a'_i, c'_i, \pi'_i)$ is a transcript of the interaction between $A_\omega$ and the honest prover, are $(q(k)\cdot\delta(k))$-indistinguishable.

The proposition can be proved with a hybrid argument based on the zero-knowledge property of the PoS. Indeed, the zero-knowledge property holds for any non-uniform polynomial-time adversary A. Recall that $A_\omega$ at the end of the test stage outputs the state information $st_A$. The probability that $A_1(st_A)$ succeeds in the impersonation stage is at least $\varepsilon_A - q\delta \ge \varepsilon_A/2$. This holds because δ is negligible in k and by Proposition 1. In fact, if this were not the case, the concatenation of $A_\omega$ and $A_1(st_A)$ executing Π as prover with an honest verifier would distinguish the two distributions with noticeable probability.

Now, we can bound the probability that the extractor K outputs the correct file. From the soundness of Π, the extractor K outputs a tuple $((a, c, \pi), f')$ such that $\mathsf{Vrfy}(pk', st, a, c, \pi) = 1$ and $f' \ne f$ with probability at most $\varepsilon_\Pi(k)$. But note that

$$\Pr\bigl[\mathsf{Vrfy}(pk', st, a, c, \pi) = 1 \wedge f' \ne f\bigr] \;\ge\; \Pr\bigl[\mathsf{Vrfy}(pk', st, a, c, \pi) = 1\bigr] - \Pr[f' = f] \;\ge\; \frac{\varepsilon_A}{2} - \Pr[f' = f].$$

Hence, it follows that

$$\Pr[f' = f] \;\ge\; \frac{\varepsilon_A}{2} - \varepsilon_\Pi \;=\; \frac{\varepsilon_A}{2}\Bigl(1 - \frac{2\varepsilon_\Pi}{\varepsilon_A}\Bigr) \;\ge\; \frac{\varepsilon_A}{2} \cdot 2^{-4\varepsilon_\Pi/\varepsilon_A} \;=\; \varepsilon_A \cdot 2^{-4\varepsilon_\Pi/\varepsilon_A - 1},$$

where we used $(1 - x) \ge 2^{-2x}$ for $0 \le x \le 1/2$. The lemma follows because of Eq. (2) below and by taking the log:

$$2^{-\tilde H_\infty(\tilde f \mid E)} \;\ge\; \Pr\bigl[B(E) = \tilde f\bigr] \;\ge\; \Pr\bigl[\mathsf{Enc}_{sk'}(f'; \omega_{enc}) = \tilde f\bigr] \;=\; \Pr[f' = f]. \qquad (2)$$

We are now ready to prove our main theorem, which establishes the security of our transformation.

Theorem 1. Let Π be a proof of storage that is sound with knowledge error $\varepsilon_\Pi(k)$, computational δ(k)-zero-knowledge and with state information size $l_{st}(k)$. If δ(k) and $\varepsilon_\Pi(k)$ are negligible in k and if $|f| > \lambda + l_{st} + \omega(\log k)$, then Σ as in Figure 1 is secure against pre-impersonation leakage λ.

Proof. Let $\varepsilon_A$ be the pre-impersonation leakage winning probability of an adversary A; since $\varepsilon_\Pi$ and δ are negligible in k, by Lemma 3:

$$\tilde H_\infty(\tilde f \mid E) \le \log(1/\varepsilon_A) + \mathrm{negl}(k) + 1.$$

It follows then that if $\varepsilon_A$ is noticeable in k, there exists a constant c such that

$$\tilde H_\infty(\tilde f \mid E) \le c \log(k) \qquad (3)$$

for infinitely many k. Thus, if $|f| > \lambda + l_{st} + \omega(\log k)$, Equation (3) contradicts Lemma 2.

4 A ZK-PoS based on RSA

We now describe a (statistical) zero-knowledge proof of storage. The scheme, described in Figure 2, is an extension of the RSA-based construction of Ateniese et al. [2]. It relies on a modulus generator $\mathsf{Gen}_Q$ that takes as input a security parameter $1^k$ and outputs a tuple (N, p', q') such that $N = (2p + 1)(2q + 1) = p'q'$, where p and q are random primes such that $p, q \in [2^{k-1}, 2^k - 1]$ and p' and q' are primes. Abstractly, the scheme can be seen as a witness-indistinguishable Sigma protocol (see Cramer [7]) for the relation:

$$R = \Bigl\{ \bigl((pk, st, c), (t, f)\bigr) \;:\; t^e \cdot H(st, \cdot)^{-c} \cdot g_1^{-f} \equiv 1 \pmod N \Bigr\},$$

$\mathrm{Gen}(1^k)$: Set $k' = \omega(\log k)$ and generate $(N, p', q') \leftarrow \mathrm{Gen}_Q(1^{k+5k'})$. Choose a prime $e$ such that $e > 2^{k+5k'}$ and $d$ such that $ed = 1 \bmod p'q'$. Let $g_1$ and $g_2$ be generators of the unique cyclic subgroup $Q_N$ of order $p'q'$ (i.e., the set of quadratic residues modulo $N$). Let $H : \{0,1\}^* \to Q_N$ be a RO. Set $pk = (N, g_1, g_2, e, H)$ and $sk = (N, d, H)$. The block space $B$ is $\mathbb{Z}_{2^k}$ and the challenge space $C$ for an $n$-block long file is $\mathbb{Z}_{2^{k'}}^n \times \mathbb{Z}_{2^{k'}}$.

$\mathrm{Enc}_{sk}(f)$:
1. sample $st \leftarrow \{0,1\}^k$.
2. for $1 \leq i \leq n$: (a) set $r_i := H(st, i)$; (b) compute $t_i := (r_i \, g_1^{f_i})^d \bmod N$.
3. let $t := (t_1, \ldots, t_n)$.
4. output the encoded file $\hat f := (f, t)$ and state information $st$.

$\mathrm{Comm}(pk)$: sample $z_1 \leftarrow \mathbb{Z}_{2^{k+4k'}}$ and $z_2 \leftarrow \mathbb{Z}_{2^{k+8k'}}$ and output $a := g_1^{z_1} g_2^{e z_2} \bmod N$.

$\mathrm{Chall}(pk)$: sample $c \leftarrow \mathrm{Sparse}(\mathbb{Z}_{2^{k'}}, n, m)$ and $v \leftarrow \mathbb{Z}_{2^{k'}}$ and output $\mathbf{c} := (c, v)$.

$\mathrm{Prove}(pk, \hat f, a, \mathbf{c})$:
1. parse $\mathbf{c}$ as $c \in \mathbb{Z}_{2^{k'}}^n$ and $v \in \mathbb{Z}_{2^{k'}}$
2. sample $\rho \leftarrow \mathbb{Z}_{2^{k+6k'}}$
3. compute $\tau := g_2^{\rho} \prod_i t_i^{c_i} \bmod N$
4. compute $\mu := z_1 + v\langle c, f\rangle$
5. compute $\sigma := z_2 + v\rho$
6. output $\pi := (\tau, \mu, \sigma)$

$\mathrm{Vrfy}(pk, st, \mathbf{c}, \pi)$:
1. for $1 \leq i \leq n$, set $r_i := H(st, i)$
2. output $1$ iff $\mu < 2^{k+5k'}$ and $a \cdot \big(\tau^e / \prod_i r_i^{c_i}\big)^{v} = g_1^{\mu} g_2^{e\sigma} \pmod N$

Figure 2: A statistical ZK PoS based on RSA with locality parameter $m$.

where $pk = (N, g_1, g_2, e, H)$ as defined in Figure 2, and where the equation that defines the relation $R$ is essentially the verification procedure of the PoS presented in [2]. We note that for any file $f \in B^n$ and any challenge $c \in \mathbb{Z}_{2^{k'}}^n$, letting $(\hat f, st) \leftarrow \mathrm{Enc}_{sk}(f)$ where $\hat f = (f, t)$, a witness for the instance $(pk, st, c)$ can be derived as
$$t = \prod_i t_i^{c_i} \quad \text{and} \quad f = \langle c, f\rangle. \qquad (4)$$

The witness indistinguishability property of the Sigma protocol is enough to derive the zero-knowledge property of the PoS. Witness indistinguishability means that the distributions of the transcript for two distinct witnesses are indistinguishable, even when the verifier is malicious. Recall that the simulator of the ZK-PoS takes as input the secret key $sk = (N, d, H)$, and thus it can efficiently derive a valid witness $(t, f)$ for the instance $(pk, st, c)$ for any challenge $c$ chosen by the adversary. Specifically, it can encode a uniformly random file (or even a fixed one) using the same state information and compute an honest proof of storage for the challenge $c$ and the encoded file.² Notice that we are assuming that the first message of the Sigma protocol is independent from the witness, which is usually true for Sigma protocols.

The locality of the scheme depends on how the challenges are generated. In fact, to make the scheme local it is enough to use probabilistic checking and make the server generate a proof for a random subset of the blocks. More concretely, we define a distribution $\mathrm{Sparse}(\mathbb{Z}_{2^{k'}}, n, m)$ by sampling a vector $c$ such that for all $i \in [n]$: (1) with probability $m/n$ the element $c_i$ is chosen uniformly at random from $\mathbb{Z}_{2^{k'}}$; otherwise (2) $c_i$ is set to $0$. For locality $m$ the challenge is sampled from the distribution $\mathrm{Sparse}(\mathbb{Z}_{2^{k'}}, n, m)$. This ensures that Prove and Vrfy have locality $m$ on average. If the scheme needs to be always local, the honest prover can just discard the challenge if the number of non-zero locations in $c$ is not in the range $\{(1 \pm \epsilon)m\}$, for a constant $\epsilon$. The behavior will be indistinguishable from the original scheme with all but negligible probability in $k$.

Theorem 2. The scheme described in Figure 2 is statistical zero-knowledge.

Proof. For any adversary $A$, consider the simulator $S_A$ that on input the key pair $(N, g_1, g_2, e, d, H)$ samples $a \leftarrow \mathrm{Comm}(pk)$, then executes $(c, v) \leftarrow A(pk, st, a)$. If $A$ aborts then the simulator returns the special symbol $\bot$.
Otherwise, with the knowledge of the secret key, the simulator computes $\bar v := v^{-1} \bmod p'q'$ and samples an element $\mu$ in $\mathbb{Z}_{2^{k+4k'}}$ and an element $\sigma$ in $\mathbb{Z}_{2^{k+8k'}}$, and sets
$$\tau := \Big(\big(g_1^{\mu} g_2^{e\sigma} a^{-1}\big)^{\bar v} \prod_i r_i^{c_i}\Big)^{d} \bmod N,$$
where $r_i := H(st, i)$, and outputs the tuple $(st, a, (c, v), (\tau, \mu, \sigma))$. The output of $S_A$ is statistically close to a real transcript since $a$, $v$ and $c$ are distributed exactly as they would be in a real transcript, and since $\tau$, $\mu$ and $\sigma$ are statistically close to elements from a real transcript. Moreover, by definition $v < p'$ and $v < q'$, thus the element $v^{-1} \bmod p'q'$ is well defined.

Theorem 3. For locality parameter $m = \omega(\log k)$, the scheme described in Figure 2 is sound if the RSA assumption holds with respect to $\mathrm{Gen}_Q$.

Proof. We describe a knowledge extractor $K$ that runs in expected polynomial time and satisfies Definition 3. Recall that $K$ is given $(pk, st)$ as input and has oracle access to $A_1(st_A, \hat f, st, \cdot\,; \cdot)$ (which we abbreviate as $A(\cdot)$). $K$ works as follows:

1. It chooses a random challenge $\mathbf{c} := (c, v)$ and runs $A$ on $\mathbf{c}$, obtaining a first message $a$ and a proof $\pi$. If $\mathrm{Vrfy}(pk, st, a, \mathbf{c}, \pi) = 0$, $K$ outputs $(\tau, \bot)$ and halts. Otherwise, its first output will still be $\tau$ but it attempts to recover the original file as described next. From now on, we assume that $A$ will be rewound to right after it outputs its first message $a$ so that it can be challenged on distinct challenge pairs. We sometimes denote the adversary that outputs $a$ as

² The actual simulator does it implicitly, without sampling the entire file.

its first message as $A_a$ and write $\pi \leftarrow A_a(c, v)$ to refer to the proof it outputs when given challenge $(c, v)$.

2. It initializes a set $\mathrm{Basis} = \emptyset$, keeps track of the total number of calls to $A$ and halts with output $\mathsf{fail}$ if $2^k$ calls are made.

3. A challenge pair $(c, v)$ is valid if $A_a(c, v)$ outputs $\pi$ such that $\mathrm{Vrfy}(pk, st, a, (c, v), \pi) = 1$. $K$ estimates the probability $\tilde\varepsilon$ with which a pair $(c, v)$ is valid by running $A_a$ with a random challenge until some fixed polynomial number $t = t(k)$ of successful verifications occur. By appropriate choice of $t$ it is possible to ensure that $\tilde\varepsilon$ is within a factor of $2$ of the true probability with all but negligible probability $2^{-k^2}$.

4. For $j = 1$ to $n$ do: repeatedly sample the pair $(c_j, v_j) \leftarrow \mathrm{Chall}(pk)$ until: (a) $c_j$ does not lie in $\mathrm{span}(\mathrm{Basis})$; (b) the pair $(c_j, v_j)$ is valid; (c) sample $4k/\tilde\varepsilon$ random values $v_j^{(1)}, \ldots, v_j^{(4k/\tilde\varepsilon)}$ and pick a value $v_j^* \in \{v_j^{(1)}, \ldots, v_j^{(4k/\tilde\varepsilon)}\}$ such that $v_j^* \neq v_j$ and that $(c_j, v_j^*)$ is valid. If no such tuple $(c_j, v_j, v_j^*)$ is found within $16k/\tilde\varepsilon$ tries then output $\mathsf{fail}$ and halt. If found, add $c_j$ to $\mathrm{Basis}$.

5. Let $\mathrm{Basis} = \{c_1, \ldots, c_n\}$. Let $\pi_j = (\tau_j, \mu_j, \sigma_j)$ and $\pi_j^* = (\tau_j^*, \mu_j^*, \sigma_j^*)$ be the outputs of $A_a(c_j, v_j)$ and $A_a(c_j, v_j^*)$, respectively. Set up the system of linear equations
$$\big\{\langle c_j, f\rangle = (\mu_j - \mu_j^*)/(v_j - v_j^*)\big\}_{1 \leq j \leq n}$$
in the unknowns $f = (f_1, \ldots, f_n)$. Solve for $f$ (over the integers) and output it.

Fixing $st_A$, $\hat f$ and $st$, we let $\varepsilon$ denote the probability that a random challenge $(c, v)$ is valid. We assume $st_A$ includes $A$'s coins, thus this corresponds to the probability with which $A(st_A, \hat f, st, \cdot)$ responds correctly to the verifier's challenge. We note that the first point of Definition 3 is satisfied. Indeed, the distribution of transcripts generated by an honest verifier interacting with $A$ is identical to the distribution of the first output of $K$. In fact, $K$ produces its first output by emulating an interaction between $A$ and the honest verifier.

Claim 1. $K$ runs in expected polynomial time for any adversary $A$.

If $\varepsilon = 0$ then $K$ halts in Step 1, thus assume $\varepsilon > 0$. Steps 1 and 5 run in strict polynomial time.
The expected running time of Step 3 is exactly some polynomial times $t(k)/\varepsilon$. As for Step 4, there are two cases. If $\tilde\varepsilon \leq \varepsilon/2$ then the running time is bounded by some polynomial times $2^k$ due to the counter being maintained in Step 2. But the probability that $\tilde\varepsilon \leq \varepsilon/2$ is at most $2^{-k^2}$. On the other hand, if $\tilde\varepsilon > \varepsilon/2$, then the expected running time of Step 4 is at most some polynomial times $n \cdot 16k \cdot 4k/\tilde\varepsilon < n \cdot 128k^2/\varepsilon$. Since $K$ only reaches Step 4 with probability $\varepsilon$, the overall expected running time of $K$ is upper bounded by
$$\varepsilon \cdot \Big(\mathrm{poly}(k) + \mathrm{poly}(k) \cdot t(k)/\varepsilon + \mathrm{poly}(k) \cdot 2^k \cdot 2^{-k^2} + \mathrm{poly}(k) \cdot n \cdot 128k^2/\varepsilon\Big)$$

which is polynomial.

Claim 2. If $\varepsilon > 4(2^{-k'} + e^{-m})$ then the probability (conditioned on $K$ reaching Step 4) that $K$ outputs $\mathsf{fail}$ is negligible.

Observe that this implies that
$$\Pr_{pk, st, a, \pi, f'}\big[\mathrm{Vrfy}(pk, st, a, \mathbf{c}, \pi) = 1 \wedge f' = \mathsf{fail}\big],$$
where the probability is over the output of $\mathrm{Exp}^{PoS}_A$, is negligible in the security parameter.

First, observe that the probability that $K$ times out by virtue of running for $2^k$ steps is negligible (this follows from the fact that the expected running time of $K$ is polynomial). Next, fix any $j$ and consider Step 4. We say that a vector $c$ is good if there are at least an $\varepsilon/2$ fraction of $v$'s for which $(c, v)$ is valid. Let $E_1$ be the event that a pair $(c, v)$ is such that
$$c \notin \mathrm{span}(\mathrm{Basis}) \ \wedge\ (c, v) \text{ is valid} \ \wedge\ c \text{ is good}.$$
We claim that the probability that $c$ lies in $\mathrm{span}(\mathrm{Basis})$ is at most $2^{-k'} + e^{-m}$. The probability that $c$ is bad and does not lie in $\mathrm{span}(\mathrm{Basis})$ is at most $(1 - 2^{-k'})\varepsilon/2$. We therefore have that
$$\Pr[E_1] \ \geq\ \varepsilon - (2^{-k'} + e^{-m}) - (1 - 2^{-k'})\varepsilon/2 \ \geq\ \varepsilon/4 \qquad (5)$$
where the last inequality holds since $\varepsilon > 4(2^{-k'} + e^{-m})$. Now let $E_2$ be the event that $v' \neq v$ and that $(c, v')$ is valid. Note that if $c$ is good, there are at least $2^{k'}\varepsilon/2 - 1$ values $v'$ that are different from $v$ and such that $(c, v')$ is valid. Therefore, it follows that
$$\Pr[E_2 \mid c \text{ is good}] \ \geq\ \frac{2^{k'}\varepsilon/2 - 1}{2^{k'}} \ \geq\ \varepsilon/4$$
where the last inequality follows from the assumption that $\varepsilon > 2^{-k'+2}$. The probability that (conditioned on $c$ being good) $K$ finds a $v' \neq v$ such that $(c, v')$ is valid within $4k/\tilde\varepsilon$ samples is at least $(1 - e^{-k/2})$ since $\tilde\varepsilon \leq 2\varepsilon$ with all but negligible probability in $k$. Combined with Equation 5 we have that the probability that $K$ succeeds in finding a tuple $(c, v, v')$ such that $c \notin \mathrm{span}(\mathrm{Basis})$ and that both $(c, v)$ and $(c, v')$ are valid is at least $(1 - 2^{-k^2})(1 - e^{-k})\varepsilon/4 \geq \varepsilon/16$ since $k \geq 1$. It follows then that, in Step 4, $K$ will not find such a tuple within $16k/\tilde\varepsilon$ iterations (and therefore outputs $\mathsf{fail}$) with probability at most $e^{-k}$, which is negligible. This ends the proof of the claim.

For completeness, we show that $c$ lies in $\mathrm{span}(\mathrm{Basis})$ with probability at most $2^{-k'} + e^{-m}$. Note that the larger $\mathrm{Basis}$ is, the more likely $c \in \mathrm{span}(\mathrm{Basis})$, therefore the worst case is $|\mathrm{Basis}| = n - 1$.
If $c \in \mathrm{span}(\mathrm{Basis})$ then there exist $\alpha_1, \ldots, \alpha_n \in \mathbb{Z}$ with at least one coordinate $\alpha_i \neq 0$ and such that $c \in V := \mathrm{span}(\mathrm{Basis})$ if and only if the event $E_n := \big(\sum_{i=1}^{n} \alpha_i c_i = 0\big)$ holds. W.l.o.g. let $n$ be such a coordinate, and write $E_{j}$ for the event $\sum_{i \leq j} \alpha_i c_i = 0$ and $F$ for $\mathbb{Z}_{2^{k'}}$:
$$\begin{aligned}
\Pr[E_n] &\leq \sum_{x \in F} \Pr[c_n = x]\, \Pr\Big[\textstyle\sum_{i \leq n-1} \alpha_i c_i = -\alpha_n x\Big] \\
&\leq \Pr[c_n = 0]\, \Pr[E_{n-1}] + \sum_{x \in F \setminus \{0\}} \Pr[c_n = x]\, \Pr\Big[\textstyle\sum_{i \leq n-1} \alpha_i c_i = -\alpha_n x\Big] \\
&\leq \Big(\frac{m}{n\,2^{k'}} + 1 - \frac{m}{n}\Big) \Pr[E_{n-1}] + \frac{m}{n\,2^{k'}} \sum_{x \in F \setminus \{0\}} \Pr\Big[\textstyle\sum_{i \leq n-1} \alpha_i c_i = -\alpha_n x\Big] \\
&\leq \Big(\frac{m}{n\,2^{k'}} + 1 - \frac{m}{n}\Big) \Pr[E_{n-1}] + \frac{m}{n\,2^{k'}} \big(1 - \Pr[E_{n-1}]\big) \\
&\leq \Big(1 - \frac{m}{n}\Big) \Pr[E_{n-1}] + \frac{m}{n\,2^{k'}}.
\end{aligned}$$
Unrolling the last inequality down to $E_0$, it follows that
$$\Pr[E_n] \ \leq\ \Big(1 - \frac{m}{n}\Big)^{n} \Pr[E_0] + \frac{m}{n\,2^{k'}} \sum_{i=0}^{n-1} \Big(1 - \frac{m}{n}\Big)^{i} \ \leq\ e^{-m} \Pr[E_0] + \frac{m}{n\,2^{k'}} \cdot \frac{1 - (1 - m/n)^n}{m/n} \ \leq\ e^{-m} + 2^{-k'}.$$

Claim 3. If the RSA assumption holds then, for any ppt adversary $A$,
$$\Pr\big[\mathrm{Vrfy}(pk, st, a, \mathbf{c}, \pi) = 1 \wedge f' \notin \{\mathsf{fail}, f\}\big],$$
where the probability is over the output of $\mathrm{Exp}^{PoS}_A$, is negligible in the security parameter.

As a sanity check, we show that if we run the extractor $K$ on an honest prover then the procedure correctly outputs the original file $f$. Given two honestly generated (therefore valid) proofs $(\tau, \mu, \sigma)$ and $(\tau', \mu', \sigma')$, for $(c, v)$ and $(c, v')$ respectively, we obtain:
$$\tau^{ev} = \Big(\prod_i r_i^{c_i}\Big)^{v} a^{-1} g_1^{\mu} g_2^{e\sigma} \pmod N, \qquad \tau'^{\,ev'} = \Big(\prod_i r_i^{c_i}\Big)^{v'} a^{-1} g_1^{\mu'} g_2^{e\sigma'} \pmod N.$$
By dividing the two equations and using the definition of $\tau$ and $\tau'$ we get
$$g_1^{\mu - \mu'} = g_1^{(v - v')\langle c, f\rangle} \pmod N,$$
from which it follows that $\mu - \mu' = (v - v')\langle c, f\rangle \pmod{p'q'}$.

The equation above, however, also holds over the integers since $|\mu - \mu'| \leq 2^{k+5k'} < p'q'$ and $|(v - v')\langle c, f\rangle| \leq 2^{k + \log(n) + 2k'} < p'q'$. And since $v \neq v'$ we have $(\mu - \mu')/(v - v') = \langle c, f\rangle$. This ends the sanity check.

Note that if $f' \neq \mathsf{fail}$ then $K$ reached Step 5 and therefore $(c, v)$ and $(c, v')$ are valid. Therefore $f' \notin \{\mathsf{fail}, f\}$ occurs only if, at Step 5, there exists some $c \in \mathrm{Basis}$ for which the challenges $(c, v)$ and $(c, v')$ and corresponding proofs $\pi = (\tau, \mu, \sigma)$ and $\pi' = (\tau', \mu', \sigma')$ are such that
$$\mathrm{Vrfy}(pk, st, a, (c, v), \pi) = \mathrm{Vrfy}(pk, st, a, (c, v'), \pi') = 1$$
yet
$$\langle c, f'\rangle = (\mu - \mu')/(v - v') \neq \langle c, f\rangle. \qquad (6)$$
We now argue that if this occurs with noticeable probability, then there exists a ppt adversary $B$ that violates the RSA assumption with respect to $\mathrm{Gen}_Q$. Let $N$ and $e$ be a modulus and exponent output by $\mathrm{Gen}_Q$ and let $y$ be a random element of $Q_N$. The adversary $B$ works as follows:

1. It chooses a generator $u$ of $Q_N$ uniformly at random and sets $g_1 := u^e y$, $g_2 := y$ and $pk := (N, g_1, g_2, e, H)$.

2. It simulates the experiment in the claim by answering Enc and random oracle queries as follows. (Enc queries): given a file $f$, compute a set of tags $t$ such that $t_i = u^{w_i}$ where $w_i \leftarrow \mathbb{Z}_{N^2}$, choose a random $st \leftarrow \{0,1\}^k$ and keep track of $(f, st)$. If $st$ was already chosen in a previous query or $B$ has already queried the random oracle on a value $(st, i)$, abort the simulation. Otherwise, return $(f, t)$. (RO queries): if query $x$ has the form $(st, i)$ for some $st$ such that there already exists a record $(f, st)$ and $i \in [n]$, return $u^{e w_i} g_1^{-f_i}$. Otherwise, return a random value in $Q_N$ and save the query/answer pairs to answer queries consistently.

3. It runs the extractor $K$ and finds a vector $c \in \mathrm{Basis}$ such that Equation 6 holds. Finally, it computes and returns
$$\Big(\tau^{v} / \tau'^{\,v'} \cdot u^{-(\bar v \langle c, w\rangle + \bar\mu - \bar v \langle c, f\rangle)}\Big)^{\alpha} y^{\beta} \pmod N,$$
where $\bar v := (v - v')$, $\bar\mu := (\mu - \mu')$, $\bar\sigma := (\sigma - \sigma')$, and set
$$\Phi := \bar\mu - \bar v\langle c, f\rangle + \bar\sigma e,$$
and $\alpha, \beta$ are such that
$$\alpha\Phi + \beta e = 1. \qquad (7)$$
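The protocol of Figure 2, the simulator of Theorem 2 and the single-vector extraction step just sanity-checked, as an added worked example (this is not the authors' code, and nothing below is taken from the paper's own implementation). It uses toy parameters ($k = 8$, $k' = 4$, a modulus of about 30 bits) chosen so that the size relations the proofs rely on ($e > 2^{k+5k'}$, $|\mu| < 2^{k+5k'}$, $|(v - v')\langle c, f\rangle| < p'q'$) still hold; it instantiates the random oracle as SHA-256 reduced modulo $N$ and squared, picks $k'$ as a constant rather than $\omega(\log k)$, and handles the challenge $v = 0$ in the simulator by reusing the commitment randomness. All of these are assumptions of this example, and the parameters are far too small for any security.

```python
import hashlib
import math
import secrets


def is_prime(n):  # trial division: fine for the ~30-bit toy numbers used here
    return n >= 2 and (n == 2 or n % 2 == 1) and all(n % d for d in range(3, math.isqrt(n) + 1, 2))


def safe_prime(bits):  # a `bits`-bit prime p' with 2p'+1 also prime, as Gen_Q requires
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(p) and is_prime(2 * p + 1):
            return p


class RSAPoS:  # toy instantiation of Figure 2; k' is a small constant here, not omega(log k)
    def __init__(self, k, kp, n):
        self.k, self.kp, self.n = k, kp, n               # block bits, k', number of blocks
        K = k + 5 * kp
        pp, qq = safe_prime(K // 2), safe_prime(K - K // 2 + 1)      # Gen_Q(1^K): p' != q', p'q' ~ 2^K
        self.N, self.order = (2 * pp + 1) * (2 * qq + 1), pp * qq      # |Q_N| = p'q'
        self.e = next(e for e in range((1 << K) + 1, 2 << K) if is_prime(e))  # prime e > 2^(k+5k')
        self.d = pow(self.e, -1, self.order)             # ed = 1 mod p'q'
        self.g1, self.g2 = self._gen_qn(pp, qq), self._gen_qn(pp, qq)

    def _gen_qn(self, pp, qq):  # random generator of Q_N: a square of full order p'q'
        while True:
            x = secrets.randbelow(self.N - 2) + 2
            g = pow(x, 2, self.N)
            if math.gcd(x, self.N) == 1 and pow(g, pp, self.N) != 1 and pow(g, qq, self.N) != 1:
                return g

    def H(self, st, i):  # random oracle into Q_N, instantiated (our assumption) as (SHA-256 mod N)^2
        h = int.from_bytes(hashlib.sha256(st + i.to_bytes(4, "big")).digest(), "big") % self.N
        while math.gcd(h, self.N) != 1:                  # only plausible at toy sizes; keeps h in Z_N^*
            h += 1
        return pow(h, 2, self.N)

    def _prod_r(self, st, c):  # prod_i H(st, i)^{c_i} mod N
        return math.prod(pow(self.H(st, i), ci, self.N) for i, ci in enumerate(c, 1)) % self.N

    def enc(self, f):  # Enc_sk(f): t_i = (H(st,i) g1^{f_i})^d mod N; returns (f, t) and st
        st = secrets.token_bytes(max(1, self.k // 8))
        t = [pow(self.H(st, i) * pow(self.g1, fi, self.N), self.d, self.N) for i, fi in enumerate(f, 1)]
        return (f, t), st

    def comm(self):  # Comm(pk): a = g1^{z1} g2^{e z2}; (z1, z2) is the prover's ephemeral state
        z1 = secrets.randbelow(1 << (self.k + 4 * self.kp))
        z2 = secrets.randbelow(1 << (self.k + 8 * self.kp))
        return pow(self.g1, z1, self.N) * pow(self.g2, self.e * z2, self.N) % self.N, (z1, z2)

    def chall(self, m):  # Chall(pk): c from Sparse(Z_{2^k'}, n, m) (locality m on average) and v
        c = [secrets.randbelow(1 << self.kp) if secrets.randbelow(self.n) < m else 0 for _ in range(self.n)]
        return c, secrets.randbelow(1 << self.kp)

    def prove(self, fhat, state, chal):
        (f, t), (z1, z2), (c, v) = fhat, state, chal
        rho = secrets.randbelow(1 << (self.k + 6 * self.kp))
        tau = pow(self.g2, rho, self.N)
        for ti, ci in zip(t, c):
            tau = tau * pow(ti, ci, self.N) % self.N
        ip = sum(ci * fi for ci, fi in zip(c, f))        # <c, f> over the integers
        return tau, z1 + v * ip, z2 + v * rho

    def vrfy(self, st, a, chal, pi):  # 1 iff mu < 2^(k+5k') and a (tau^e / prod r_i^{c_i})^v = g1^mu g2^{e sigma}
        (c, v), (tau, mu, sigma) = chal, pi
        if mu >= 1 << (self.k + 5 * self.kp):
            return False
        inner = pow(tau, self.e, self.N) * pow(self._prod_r(st, c), -1, self.N) % self.N
        rhs = pow(self.g1, mu, self.N) * pow(self.g2, self.e * sigma, self.N) % self.N
        return a * pow(inner, v, self.N) % self.N == rhs

    def simulate(self, st, a, state, chal):  # simulator of Theorem 2: uses d, never sees the file
        (c, v), (z1, z2) = chal, state
        if v == 0:                                       # Vrfy then ignores tau; reuse a's randomness (our choice)
            return 1, z1, z2
        mu = secrets.randbelow(1 << (self.k + 4 * self.kp))
        sigma = secrets.randbelow(1 << (self.k + 8 * self.kp))
        base = pow(self.g1, mu, self.N) * pow(self.g2, self.e * sigma, self.N) * pow(a, -1, self.N) % self.N
        vbar = pow(v, -1, self.order)                    # 0 < v < p', q', so v is invertible mod p'q'
        tau = pow(pow(base, vbar, self.N) * self._prod_r(st, c) % self.N, self.d, self.N)
        return tau, mu, sigma


def extract_inner_product(v, mu, v2, mu2):  # Step 5 for one c: (mu - mu')/(v - v') = <c, f> over Z
    q, r = divmod(mu - mu2, v - v2)
    return q if r == 0 else None


def demo(k=8, kp=4, n=16, m=4):
    pos = RSAPoS(k, kp, n)
    f = [secrets.randbelow(1 << k) for _ in range(n)]    # constructed random file of n blocks
    fhat, st = pos.enc(f)
    a, state = pos.comm()
    c, v = pos.chall(m)
    v2 = (v + 1) % (1 << kp)                             # rewind: same a and c, different v
    pi, pi2 = pos.prove(fhat, state, (c, v)), pos.prove(fhat, state, (c, v2))
    honest = pos.vrfy(st, a, (c, v), pi) and pos.vrfy(st, a, (c, v2), pi2)
    tampered = pos.vrfy(st, a, (c, v), (pi[0], pi[1] + 1, pi[2]))
    simulated = pos.vrfy(st, a, (c, v), pos.simulate(st, a, state, (c, v)))
    extracted = extract_inner_product(v, pi[1], v2, pi2[1])
    return honest, tampered, simulated, extracted == sum(ci * fi for ci, fi in zip(c, f))
```

`demo()` returns four booleans: both honest proofs verify, a proof with $\mu$ altered by one is rejected, the simulator's transcript (built from $d$ without the file) verifies, and the division $(\mu - \mu')/(v - v')$ recovers $\langle c, f\rangle$ exactly over the integers, which is the identity the full extractor solves for $f$ once it has $n$ linearly independent challenge vectors in $\mathrm{Basis}$. With the block count bounded as in the analysis the subtraction stays below $p'q'$, so the integer division has no remainder; `extract_inner_product` returns `None` if that ever fails, which is the signal that a pair of proofs was not produced by an honest prover.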

First note that the $r_i$ values are statistically close to the uniform distribution over $Q_N$ because the $w_i$ values are picked from $\mathbb{Z}_{N^2}$; thus the simulation is statistically close to the real game. Moreover, there is a polynomial number of queries, therefore the aborting probability is negligible in $k$. From the verification equations we get that
$$\big(\tau^{v} / \tau'^{\,v'}\big)^{e} = \Big(\prod_i r_i^{c_i}\Big)^{\bar v} g_1^{\bar\mu} g_2^{e\bar\sigma} \pmod N.$$
Applying the definitions from the simulation we get:
$$\Big(\tau^{v} / \tau'^{\,v'} \cdot u^{-(\bar v \langle c, w\rangle + \bar\mu - \bar v \langle c, f\rangle)}\Big)^{e} = y^{\Phi} \pmod N.$$
Equation (7) holds here; in fact $e$ is prime and divides $\Phi$ if and only if $e$ divides $\Phi - \bar\sigma e = \bar\mu - \bar v\langle c, f\rangle$, which is nonzero by Equation 6 and satisfies $|\Phi - \bar\sigma e| < e$ (recall that the verification procedure ensures that $|\bar\mu| < 2^{k+5k'} < e$ and $|\bar v\langle c, f\rangle| < 2^{k + \log n + 2k'} < e$). Thus we can apply Shamir's trick to find $y^d \pmod N$.

Remark 1. In order to simulate an RO from $\{0,1\}^*$ to $J_N^{+}$ (the subgroup of elements with Jacobi symbol $+1$), we follow the same simulation and set $h := u^e y$, $g_1 := h^2$, $r_i := (-1)^{b_i} u^{e w_i} h^{-f_i}$ for a random bit $b_i$, and $t_i := u^{2 w_i}$,

4.1 Efficiency Comparison with Previous Work

We compare the identification scheme derived by applying our transformation to the RSA-based ZK-PoS from Section 4 with the third (and most efficient) construction of Alwen et al. [1]. In the following, we denote our construction by RSA-ID and that of Alwen et al. by GDH-ID. We consider multiplications and additions as constant-time operations and denote by $t_e$ the time for an exponentiation, by $t_s$ the time for an exponentiation with a small (i.e., $o(k)$) exponent, and by $t_p$ the time for a pairing operation. For the same security level, modular exponentiations in RSA groups are more expensive than modular exponentiations in groups for which GDH seems to hold, therefore we distinguish them by using the superscripts RSA and GDH to indicate in which group the operations are carried out. We can assume that $t_e^{GDH} < t_e^{RSA} \leq t_p$. In GDH-ID, the prover needs $\Omega(l \cdot m \cdot t_e^{GDH})$ work to generate each of its two messages (the first and third) while the verifier needs $\Omega(m \cdot t_e^{GDH} + t_p)$ time to verify the interaction.³
For our construction, on the other hand, the prover needs only $O(t_e^{RSA})$ (i.e., two exponentiations and one multiplication) and $O(t_e^{RSA} + m \cdot t_s^{RSA})$ work for the first and third messages, respectively, and the verifier requires only $O(t_e^{RSA} + m \cdot t_s^{RSA})$ time to verify the interaction. We also note that while the locality $m$ in RSA-ID can be any function that is $\omega(\log k)$, in GDH-ID $m$ must be at least $\Omega(k)$. In particular, to get approximately $1/2$ tolerance of relative leakage, $m$ must be 12 times larger than $k$. With respect to communication complexity, the third message of GDH-ID requires roughly $l$ times the number of group elements as the third message of RSA-ID, though GDH-ID works in smaller groups than RSA-ID for the same security parameter. There are two negative aspects of RSA-ID compared with GDH-ID: the first is that, for the same security level, RSA groups are bigger than groups for which GDH seems to hold; the second is the ratio between the secret-key size and the leakage tolerated. However, the difference is relevant only when $l$ is $\omega(1)$ and $m$ is $\omega(k)$, in which case the time complexity of GDH-ID becomes much worse than that of RSA-ID.

³ The integer parameter $l \geq 2$ in their construction can be arbitrarily set.

5 Conclusions

We showed that zero-knowledge proof-of-storage schemes can be used to build leakage-resilient identification protocols in the bounded retrieval model (BRM). Our framework provides new insights into the BRM and unfolds new ways to build leakage-resilient identification protocols in this model. For instance, we described a ZK-PoS based on RSA which yields the first ID protocol in the BRM based on RSA. When combined with the compiler in [3], our framework establishes a compelling connection between homomorphic ID and leakage-resilient ID schemes. However, the missing step toward an efficient compiler between homomorphic ID and leakage-resilient ID schemes is to find an efficient compiler between PoS and ZK-PoS. We do not explore any approach in this paper and leave it as an open problem.

Acknowledgments. We are grateful to Jonathan Katz for his insightful comments, suggestions, and contributions to this work.

References

[1] J. Alwen, Y. Dodis, and D. Wichs. Leakage-resilient public-key cryptography in the bounded-retrieval model. In CRYPTO, pages 36–54.
[2] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song. Provable data possession at untrusted stores. In CCS.
[3] G. Ateniese, S. Kamara, and J. Katz. Proofs of storage from homomorphic identification protocols. In ASIACRYPT.
[4] M. Bellare and O. Goldreich. On defining proofs of knowledge. In CRYPTO.
[5] D. Boneh and D. Brumley. Remote timing attacks are practical. In 12th Usenix Security Symposium.
[6] D. Boneh, B. Lynn, and H. Shacham. In ASIACRYPT.
[7] Ronald Cramer. PhD thesis.
[8] G. Di Crescenzo, R. Lipton, and S. Walfish. Perfectly secure password protocols in the bounded retrieval model. In TCC.
[9] Y. Dodis, S. Vadhan, and D. Wichs. Proofs of retrievability via hardness amplification. In TCC.
[10] A. Duc, S. Dziembowski, and S. Faust. Unifying leakage models: From probing attacks to noisy leakage. In EUROCRYPT.


More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones).

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/18.401J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) What data structures

More information

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity LINEAR REGRESSION ANALYSIS MODULE IX Lecture - 30 Multcollnearty Dr. Shalabh Department of Mathematcs and Statstcs Indan Insttute of Technology Kanpur 2 Remedes for multcollnearty Varous technques have

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

Learning Theory: Lecture Notes

Learning Theory: Lecture Notes Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

LOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin

LOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin Proceedngs of the 007 Wnter Smulaton Conference S G Henderson, B Bller, M-H Hseh, J Shortle, J D Tew, and R R Barton, eds LOW BIAS INTEGRATED PATH ESTIMATORS James M Calvn Department of Computer Scence

More information

Confined Guessing: New Signatures From Standard Assumptions

Confined Guessing: New Signatures From Standard Assumptions Confned Guessng: New Sgnatures From Standard Assumptons Floran Böhl 1, Denns Hofhenz 1, Tbor Jager 2, Jessca Koch 1, and Chrstoph Strecks 1 1 Karlsruhe Insttute of Technology, Germany, {floran.boehl,denns.hofhenz,jessca.koch,chrstoph.strecks}@kt.edu

More information

Introduction to information theory and data compression

Introduction to information theory and data compression Introducton to nformaton theory and data compresson Adel Magra, Emma Gouné, Irène Woo March 8, 207 Ths s the augmented transcrpt of a lecture gven by Luc Devroye on March 9th 207 for a Data Structures

More information

Markov Chain Monte Carlo Lecture 6

Markov Chain Monte Carlo Lecture 6 where (x 1,..., x N ) X N, N s called the populaton sze, f(x) f (x) for at least one {1, 2,..., N}, and those dfferent from f(x) are called the tral dstrbutons n terms of mportance samplng. Dfferent ways

More information

Aggregate Message Authentication Codes

Aggregate Message Authentication Codes Aggregate Message Authentcaton Codes Jonathan Katz Dept. of Computer Scence Unversty of Maryland, USA. jkatz@cs.umd.edu Yehuda Lndell Dept. of Computer Scence Bar-Ilan Unversty, Israel. lndell@cs.bu.ac.l.

More information

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information

Finding Dense Subgraphs in G(n, 1/2)

Finding Dense Subgraphs in G(n, 1/2) Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

On the correction of the h-index for career length

On the correction of the h-index for career length 1 On the correcton of the h-ndex for career length by L. Egghe Unverstet Hasselt (UHasselt), Campus Depenbeek, Agoralaan, B-3590 Depenbeek, Belgum 1 and Unverstet Antwerpen (UA), IBW, Stadscampus, Venusstraat

More information

Pulse Coded Modulation

Pulse Coded Modulation Pulse Coded Modulaton PCM (Pulse Coded Modulaton) s a voce codng technque defned by the ITU-T G.711 standard and t s used n dgtal telephony to encode the voce sgnal. The frst step n the analog to dgtal

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

APPENDIX A Some Linear Algebra

APPENDIX A Some Linear Algebra APPENDIX A Some Lnear Algebra The collecton of m, n matrces A.1 Matrces a 1,1,..., a 1,n A = a m,1,..., a m,n wth real elements a,j s denoted by R m,n. If n = 1 then A s called a column vector. Smlarly,

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Improving the Round Complexity of VSS in Point-to-Point Networks

Improving the Round Complexity of VSS in Point-to-Point Networks Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng

More information

arxiv:quant-ph/ Jul 2002

arxiv:quant-ph/ Jul 2002 Lnear optcs mplementaton of general two-photon proectve measurement Andrze Grudka* and Anton Wóck** Faculty of Physcs, Adam Mckewcz Unversty, arxv:quant-ph/ 9 Jul PXOWRZVNDR]QDRODQG Abstract We wll present

More information

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 2/21/2008. Notes for Lecture 8

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 2/21/2008. Notes for Lecture 8 U.C. Berkeley CS278: Computatonal Complexty Handout N8 Professor Luca Trevsan 2/21/2008 Notes for Lecture 8 1 Undrected Connectvty In the undrected s t connectvty problem (abbrevated ST-UCONN) we are gven

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.65/15.070J Fall 013 Lecture 1 10/1/013 Martngale Concentraton Inequaltes and Applcatons Content. 1. Exponental concentraton for martngales wth bounded ncrements.

More information

BOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS

BOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS BOUNDEDNESS OF THE IESZ TANSFOM WITH MATIX A WEIGHTS Introducton Let L = L ( n, be the functon space wth norm (ˆ f L = f(x C dx d < For a d d matrx valued functon W : wth W (x postve sem-defnte for all

More information

U.C. Berkeley CS294: Beyond Worst-Case Analysis Luca Trevisan September 5, 2017

U.C. Berkeley CS294: Beyond Worst-Case Analysis Luca Trevisan September 5, 2017 U.C. Berkeley CS94: Beyond Worst-Case Analyss Handout 4s Luca Trevsan September 5, 07 Summary of Lecture 4 In whch we ntroduce semdefnte programmng and apply t to Max Cut. Semdefnte Programmng Recall that

More information

Physics 5153 Classical Mechanics. D Alembert s Principle and The Lagrangian-1

Physics 5153 Classical Mechanics. D Alembert s Principle and The Lagrangian-1 P. Guterrez Physcs 5153 Classcal Mechancs D Alembert s Prncple and The Lagrangan 1 Introducton The prncple of vrtual work provdes a method of solvng problems of statc equlbrum wthout havng to consder the

More information

FINITELY-GENERATED MODULES OVER A PRINCIPAL IDEAL DOMAIN

FINITELY-GENERATED MODULES OVER A PRINCIPAL IDEAL DOMAIN FINITELY-GENERTED MODULES OVER PRINCIPL IDEL DOMIN EMMNUEL KOWLSKI Throughout ths note, s a prncpal deal doman. We recall the classfcaton theorem: Theorem 1. Let M be a fntely-generated -module. (1) There

More information

Communication Complexity 16:198: February Lecture 4. x ij y ij

Communication Complexity 16:198: February Lecture 4. x ij y ij Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc

More information

} Often, when learning, we deal with uncertainty:

} Often, when learning, we deal with uncertainty: Uncertanty and Learnng } Often, when learnng, we deal wth uncertanty: } Incomplete data sets, wth mssng nformaton } Nosy data sets, wth unrelable nformaton } Stochastcty: causes and effects related non-determnstcally

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector

More information

Tightly CCA-Secure Encryption without Pairings

Tightly CCA-Secure Encryption without Pairings Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

Short Pairing-based Non-interactive Zero-Knowledge Arguments

Short Pairing-based Non-interactive Zero-Knowledge Arguments Short Parng-based Non-nteractve Zero-Knowledge Arguments Jens Groth Unversty College London j.groth@ucl.ac.uk October 26, 2010 Abstract. We construct non-nteractve zero-knowledge arguments for crcut satsfablty

More information

Week3, Chapter 4. Position and Displacement. Motion in Two Dimensions. Instantaneous Velocity. Average Velocity

Week3, Chapter 4. Position and Displacement. Motion in Two Dimensions. Instantaneous Velocity. Average Velocity Week3, Chapter 4 Moton n Two Dmensons Lecture Quz A partcle confned to moton along the x axs moves wth constant acceleraton from x =.0 m to x = 8.0 m durng a 1-s tme nterval. The velocty of the partcle

More information

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016 CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng

More information

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k. THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty

More information

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution Department of Statstcs Unversty of Toronto STA35HS / HS Desgn and Analyss of Experments Term Test - Wnter - Soluton February, Last Name: Frst Name: Student Number: Instructons: Tme: hours. Ads: a non-programmable

More information

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A new construction of 3-separable matrices via an improved decoding of Macula s construction Dscrete Optmzaton 5 008 700 704 Contents lsts avalable at ScenceDrect Dscrete Optmzaton journal homepage: wwwelsevercom/locate/dsopt A new constructon of 3-separable matrces va an mproved decodng of Macula

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

Report on Image warping

Report on Image warping Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.

More information

Math 426: Probability MWF 1pm, Gasson 310 Homework 4 Selected Solutions

Math 426: Probability MWF 1pm, Gasson 310 Homework 4 Selected Solutions Exercses from Ross, 3, : Math 26: Probablty MWF pm, Gasson 30 Homework Selected Solutons 3, p. 05 Problems 76, 86 3, p. 06 Theoretcal exercses 3, 6, p. 63 Problems 5, 0, 20, p. 69 Theoretcal exercses 2,

More information

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4) I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes

More information

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve

More information