Proofs of Retrievability via Hardness Amplification
Yevgeniy Dodis, Salil Vadhan and Daniel Wichs
Remote Data Storage
Average computer user: Bob
• Lots of data (music, photos, e-mails, forms…)
• Lots of devices (desktop, laptop, music player, phone, camera…)
• Accessibility: wants the ability to access all data at all times from all devices.
• Reliability: should never lose data.
Remote storage server:
• Provides greater accessibility and reliability.
• (for a cheap price)
Remote Data Storage
Bob asks the remote storage server:
• Is my data private? Is it authentic? (Encrypt and MAC the data before storing it remotely.)
• Does all of my data still exist?
Proofs of Retrievability (PoR)
• Introduced by [Juels, Kaliski 07]: an audit protocol between Bob and the server in which Bob checks that his data is still retrievable.
• Formalized using the extraction paradigm (as in proofs of knowledge).
• Naïve protocol: to run an audit, Bob downloads all his data and verifies the signature.
• Too costly! Bob does not actually need the data at the time of an audit.
• Goal: an audit protocol that has:
  • Low communication complexity.
  • Locality (the server only accesses a few locations of the data).
Direct-Product Scheme (One Audit): Enrollment
• Bob's file F is encoded with an error-correcting code into the server file S, which is held by the remote storage server.
• Bob stores t random blocks S[r1],…,S[rt] locally.
(Diagram: Bob's file F → error-correcting code → server file S; Bob keeps the positions r1, r2, …, rt.)
Direct-Product Scheme (One Audit): Audit
• Bob sends the challenge e = (r1,…,rt).
• The server answers with S[r1],…,S[rt].
• Bob verifies that the received blocks are correct (against the t blocks he stored).
(Diagram: Bob holds S[r1],…,S[rt]; the server holds the server file S.)
Direct-Product Scheme (One Audit): Security
• Intuition for security:
  • If the server knows enough blocks of the server file S, then we can decode F.
  • If the server knows too few blocks of S, then it cannot pass an audit.
• Unfortunately, the intuition does not translate into a proof, since the server does not give us blocks of S. An arbitrary adversarial server is a program C* that, on challenge e = (r1,…,rt), answers an ε fraction of challenges correctly with C*(e) = (S[r1],…,S[rt]).
• Question 1: Is this scheme secure in general? How do we extract the file?
• Question 2: Is the tradeoff between server storage overhead, communication, and locality optimal?
(Diagram: server file S, each block marked "know" or "don't know" from the server's point of view.)
Prior Work
• The "direct-product" scheme was introduced by [Naor, Rothblum 05] in the context of sublinear authenticators.
• PoR schemes were studied by [Juels, Kaliski 07], [Ateniese et al. 07], [Shacham, Waters 08].
• Question 1: Is the direct-product scheme secure? Yes if…
  • [JK07]: make simplifying assumptions on the behavior of the adversary.
  • [JK07, SW08]: add MACs to authenticate the responses.
    • Good: gives us a "many-time" scheme + proof of security.
    • Bad: increased server storage overhead (and computation/communication).
• Question 2: Is the tradeoff between server storage overhead, communication, and locality optimal?
  • An optimization of the direct-product scheme appears as part of an optimized MAC/signature-based scheme of [SW08]. Nearly optimal parameters required Random Oracles.
Direct-Product Protocol (One Audit) with MACs
• Bob stores a key k for a MAC instead of t random blocks.
• Enrollment: each block S[r] of the server file is stored together with a tag σ[r] = mac_k(S[r]).
• Audit: Bob sends e = (r1,…,rt); the server answers with C(e) = (S[r1],…,S[rt]) and the tags σ[r1],…,σ[rt]; Bob verifies that the received blocks are correct by checking the tags under k.
(Diagram: server file S with one tag per block.)
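The two variants of the direct-product audit described above (Bob keeping the expected blocks, and the MAC-based protocol where every block carries a tag) as an added, runnable toy example. This is not code from the slides or from the authors; it assumes a Reed-Solomon code over a prime field as the error-correcting code, HMAC-SHA256 as the MAC, and a constructed file, key and parameters. It also binds the block index into the tag, which is an added choice (the slides write σ[r] = mac_k(S[r])). The `pass_rate` function shows the intuition from the security slide: a server that knows only a δ fraction of S passes an audit with probability about δ^t; `extract` shows why the MAC-based variant corresponds to erasure decoding, since a block whose tag fails can simply be discarded.

```python
# Added example, not from the Dodis-Vadhan-Wichs slides: a toy direct-product
# PoR over a prime field. F is Reed-Solomon encoded into the server file S, an
# audit challenges t random blocks, and (MAC-based variant) every block carries
# an HMAC tag so a bad response can be treated as an erasure when extracting F.
# Field size, file, key and all parameters below are constructed for illustration.
import hashlib
import hmac
import random

P = 2**31 - 1  # prime field GF(P); one file block = one field element (constructed choice)


def rs_encode(f_blocks, n):
    """Reed-Solomon encode: treat F = (f_0..f_{k-1}) as polynomial coefficients and
    evaluate at points 1..n. Any k correct positions determine F (erasure decoding)."""
    k = len(f_blocks)
    assert k <= n < P
    out = []
    for x in range(1, n + 1):
        acc = 0
        for c in reversed(f_blocks):  # Horner's rule
            acc = (acc * x + c) % P
        out.append(acc)
    return out


def rs_erasure_decode(known, k):
    """Lagrange interpolation over GF(P) from k known {position (>=1): value} pairs.
    Returns the k coefficients, i.e. Bob's file F, or None if fewer than k are known."""
    pts = list(known.items())[:k]
    if len(pts) < k:
        return None

    def poly_mul(a, b):  # coefficient lists, lowest degree first
        r = [0] * (len(a) + len(b) - 1)
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                r[i + j] = (r[i + j] + ai * bj) % P
        return r

    coeffs = [0] * k
    for i, (xi, yi) in enumerate(pts):
        num, den = [1], 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = poly_mul(num, [(-xj) % P, 1])  # multiply by (x - xj)
                den = den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P  # yi / den via Fermat inverse
        for d, c in enumerate(num):
            coeffs[d] = (coeffs[d] + c * scale) % P
    return coeffs


def block_tag(key, r, block):
    # Tag for block r. The slides write sigma[r] = mac_k(S[r]); binding the index r
    # as well is an added choice so a tag cannot be reused for a different position.
    return hmac.new(key, f"{r}|{block}".encode(), hashlib.sha256).digest()


def enroll(f_blocks, n, key):
    """Enrollment: encode F into the server file S and attach a tag to every block."""
    S = rs_encode(f_blocks, n)
    return S, [block_tag(key, r, S[r]) for r in range(n)]


def honest_server(S, tags):
    return lambda e: [(S[r], tags[r]) for r in e]


def corrupting_server(S, tags, lost):
    """Adversarial server that has lost the blocks in `lost` and substitutes garbage
    (with the stale tag); it answers correctly only on challenges that avoid `lost`."""
    return lambda e: [((S[r] + 1) % P, tags[r]) if r in lost else (S[r], tags[r]) for r in e]


def audit(server, t, n, key, rng):
    """One audit: challenge t random indices, accept iff every returned tag verifies."""
    e = [rng.randrange(n) for _ in range(t)]
    return all(hmac.compare_digest(tag, block_tag(key, r, blk))
               for r, (blk, tag) in zip(e, server(e)))


def pass_rate(server, t, n, key, trials, seed=0):
    """Empirical audit pass probability; a server knowing a delta fraction of S passes
    with probability about delta**t, the intuition behind the direct-product scheme."""
    rng = random.Random(seed)
    return sum(audit(server, t, n, key, rng) for _ in range(trials)) / trials


def extract(server, n, k, key):
    """Erasure decoding for the MAC-based scheme: request every block, drop any block
    whose tag fails (treat it as an erasure), and interpolate F from k survivors."""
    good = {}
    for r, (blk, tag) in zip(range(n), server(list(range(n)))):
        if hmac.compare_digest(tag, block_tag(key, r, blk)):
            good[r + 1] = blk
    return rs_erasure_decode(good, k)
```

With k = 6 file blocks encoded into n = 12 (γ = 2) and t = 4, a server that has lost half of S passes roughly 1/16 of audits, while `extract` still recovers F from the six intact blocks; losing a seventh block makes extraction fail, which is exactly the threshold the erasure code fixes.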
Prior Work (cont.)
• Question 2: Is the tradeoff between server storage overhead, communication, and locality optimal? No, e.g.
  • Optimizations to communication complexity appear in [SW08], but they use Random Oracles to get nearly optimal parameters.
  • Remove the Random Oracles? Further improvements?
Our Results
• Introduce a new primitive called PoR codes.
  • Abstracts the key component of PoR into a clean coding-theoretic problem.
  • Three ways to turn PoR codes into PoR schemes with various tradeoffs.
  1. Security of PoR corresponds to efficient (list) decoding algorithms for such codes.
  2. Efficiency of PoR corresponds to optimizing various parameters of PoR codes.
• Construct nearly optimal PoR codes (and therefore PoR schemes).
• Along the way, answer Questions 1 and 2.
  • Answer 1: The direct-product scheme is secure.
    • First storage-efficient PoR scheme (an optimization of [JK07]) with a full proof of security.
    • First information-theoretically secure PoR.
  • Answer 2: Further optimize all previous schemes.
    • In particular, remove Random Oracles from [SW08].
• Key step: connect (list) decoding of PoR codes to the seemingly unrelated area of hardness amplification.
Our Abstraction: PoR Codes (Direct-Product PoR)
• Bob's file F is encoded by an ECC into the server file S ∈ Σ^n; the PoR codeword C has one coordinate per challenge e (all t-tuples of positions), so C ∈ (Σ^t)^N.
• Coordinate C[e] corresponds to the server's response on challenge e.
• In particular, C can be exponential in size, as it is never stored explicitly.
• Locality: C[e] can be computed from only a few positions in S.
• Ignores how Bob decides whether responses are correct/incorrect.
(Diagram: Bob sends e, the storage server returns C[e]; Bob's file F → ECC → server file S → all t-tuples → PoR codeword C.)
Decoding PoR Codes (Attempt)
• Given oracle access to C* that is ε-close to C, decode F.
• But we cannot uniquely decode when ε ≤ ½.
(Diagram: the remote storage server plays the role of the incorrect codeword C*; the decoder queries it with e and receives C*(e).)
Decoding PoR Codes: Two Variants
• Error list decoding: given oracle access to C* that is ε-close to C, produce a (short) list containing F.
  • Corresponds to the "basic" scheme.
• Erasure decoding: given oracle access to C* that is ε-close to C and C*[e] ∈ {C[e], ⊥}, recover F.
  • Corresponds to the MAC-based scheme.
• Efficiency: run-time poly(|F|, 1/ε).
(Diagram: the decoder queries the incorrect codeword C* held by the remote storage server.)
PoR Schemes from PoR Codes
• Scheme 1: Bob stores (challenge, response) pairs locally.
  • Good: information-theoretic security. Optimal server storage.
  • Bad: bounded use. Large client storage.
• Scheme 2: Offload the storage to the server (encrypt/MAC).
  • Good: optimal client storage. Small additive overhead to server storage.
  • Bad: bounded use.
• Scheme 3: Authenticate each block of the server file.
  • Good: unbounded use. Optimal client storage.
  • Bad: server storage roughly doubles.
• The basic ideas of Schemes 1, 2, 3 come from [NR05], [JK07], [SW08].
• Efficiency of all schemes is improved with optimized PoR codes.
• Security of Schemes 1 & 2 requires error list-decoding, which was not known before (optimized or not).
List Decoding "Direct-Product" Codes
• Goal: given oracle access to C* which is ε-close to C, output a small list containing F.
(Diagram: Bob's file F → ECC → server file S → all t-tuples → PoR codeword C.)
• Hardness amplification (direct-product theorems): if S(r) is δ-hard, then the direct-product function C(e) = (S(r1),…,S(rt)), e = (r1,…,rt), is ε-hard, where ε ≪ δ.
• Equivalently: ∃ adversary computing C(e) = (S(r1),…,S(rt)) on an ε-fraction of tuples ⇒ ∃ adversary that computes S(r) on a δ-fraction of inputs.
• Uniform direct-product theorems [Trev05], [IJK06], [IJKW08]: given oracle access to an adversary that computes C(e) = (S(r1),…,S(rt)) on an ε-fraction of tuples, construct a short list of adversaries, one of which computes S(r) on a δ-fraction of inputs.
• Step 1: C* ⇒ short list containing S* which is δ-close to S.
• Step 2: short list containing S* ⇒ short list containing F.
Parameters of Direct-Product Codes
• Security parameter λ.
• Server storage = γ|F|, for any γ ≥ 1.
• Locality t = O(λ/(γ − 1)).
• Challenge size = t log(n).
• Response size = t log(|Σ|).
• The tradeoff between locality and server storage is optimal.
• Easy to show that the challenge/response size must be O(λ).
• Does the challenge/response size need to depend on t?
(Diagram: challenge e = (r1,…,rt); Bob's file F → ECC → server file S ∈ Σ^n → all t-tuples → PoR codeword C ∈ (Σ^t)^N.)
Two Optimizations
• Shorter responses: instead of sending the response U = (S[r1],…,S[rt]), ask the server to send a random position in an error-correcting encoding of U.
  • [SW08]: implicitly uses Hadamard, which increases the challenge. Can be replaced by Reed-Solomon.
  • Making this optimization work with the MAC-based scheme was a major contribution of [SW08].
• Shorter challenges: use a randomness-efficient "hitter" to sample the indices (r1,…,rt) with a shorter challenge.
  • Works for erasure decoding. Removes Random Oracles from [SW08].
  • Open for efficient error decoding (works for inefficient decoding).
(Diagram: Bob sends e = (r1,…,rt) and a position p; the server computes U = (S[r1],…,S[rt]) from S and returns ECC(U)[p].)
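The "shorter responses" optimization with a Reed-Solomon code, as an added example that is not from the slides or the authors: the server returns a single symbol ECC(U)[p] of the encoding of U = (S[r1],…,S[rt]) at a position p chosen by Bob, and Bob, who holds the expected blocks as in Scheme 1, recomputes that symbol. The prime field, the file contents, the code length m and the corruption pattern are constructed; the names `rs_symbol`, `respond`, `verify` and `detection_rate` are this example's own.

```python
# Added example, not from the slides: the "shorter responses" optimization with a
# Reed-Solomon code. Instead of returning U = (S[r1],...,S[rt]) the server returns
# one symbol ECC(U)[p] for a position p chosen by Bob, and Bob (holding the expected
# blocks, as in Scheme 1) recomputes that symbol. All values below are constructed.
import random

P = 2**31 - 1  # prime field for the blocks and for the response code (constructed choice)


def rs_symbol(u, p):
    """Position p (1 <= p <= m < P) of the Reed-Solomon encoding of u: evaluate the
    polynomial whose coefficients are the t blocks of u at the point p."""
    acc = 0
    for c in reversed(u):  # Horner's rule over GF(P)
        acc = (acc * p + c) % P
    return acc


def make_challenge(n, t, m, rng):
    """Bob's challenge: t block indices in 0..n-1 plus a code position p in 1..m."""
    return [rng.randrange(n) for _ in range(t)], rng.randrange(1, m + 1)


def respond(server_S, e, p):
    """Server: assemble U from its copy of the file and send only ECC(U)[p]."""
    return rs_symbol([server_S[r] for r in e], p)


def verify(expected_S, e, p, symbol):
    """Bob recomputes ECC(U)[p] from the blocks he expects and compares."""
    return symbol == rs_symbol([expected_S[r] for r in e], p)


def detection_rate(S, server_S, n, t, m, trials, seed=0):
    """Fraction of audits that catch a server holding server_S instead of S.
    If U' != U, the two degree-(t-1) polynomials agree on at most t-1 of the m
    positions, so a wrong U slips through with probability at most (t-1)/m."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        e, p = make_challenge(n, t, m, rng)
        if not verify(S, e, p, respond(server_S, e, p)):
            caught += 1
    return caught / trials
```

The response shrinks from t field elements to one, at the cost of adding log(m) bits to the challenge for the position p. With t = 5 and m = 1000 a modified block that lands in the challenge escapes detection with probability at most 4/1000, so the detection rate is essentially the probability that the challenge touches a modified block, which is what the direct-product audit already relied on.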
Conclusions
• Introduce PoR codes. Give nearly optimal constructions.
• Prove security of storage-efficient PoR schemes.
• First information-theoretic scheme.
• Remove the use of Random Oracles from [SW08].
• Open questions:
  • Can we show efficient list-decoding for optimized PoR codes with a hitter?
  • Do unbounded-use schemes require poor server storage overhead?