Publicly-verifiable proof of storage: a modular construction. Federico Giacon

Size: px

Start display at page:

Download "Publicly-verifiable proof of storage: a modular construction. Federico Giacon"

Dorthy Preston
5 years ago
Views:

1 Publicly-verifiable proof of storage: a modular construction Federico Giacon Ruhr-Universita t Bochum federico.giacon@rub.de 6th BunnyTN, Trent 17 December 2015

2 Proof of Storage Proof of Storage (PoS) A Proofs of Storage protocol allows a client to verify that a server is correctly storing a user s file. A PoS protocol is publicly-verifiable when the verification doesn t require any secret parameter. The parties involved are: The server, who stores the file. The user, who wants to store the file. A verifier, who checks that the file is being stored by the server. Federico Giacon Publicly-verifiable proof of storage: a modular construction 1 / 16

3 Proof of Storage Proof of Storage (PoS) A Proofs of Storage protocol allows a client to verify that a server is correctly storing a user s file. A PoS protocol is publicly-verifiable when the verification doesn t require any secret parameter. The parties involved are: The server, who stores the file. The user, who wants to store the file. A verifier, who checks that the file is being stored by the server. Federico Giacon Publicly-verifiable proof of storage: a modular construction 1 / 16

4 Proof of Storage Proof of Storage (PoS) A Proofs of Storage protocol allows a client to verify that a server is correctly storing a user s file. A PoS protocol is publicly-verifiable when the verification doesn t require any secret parameter. The parties involved are: The server, who stores the file. The user, who wants to store the file. A verifier, who checks that the file is being stored by the server. Federico Giacon Publicly-verifiable proof of storage: a modular construction 1 / 16

5 What PoS is NOT Three different problems: Secrecy of the stored file. The server can read any part of the file: a user must encrypt the file to maintain privacy. Retrieving the file. The server can refuse to give back the file to the user but still pass the verification, because it is actually storing the file. Recovering a partially corrupted file. Part of the stored file can become corrupted. The PoS protocol detects the problem, but doesn t restore the file. Federico Giacon Publicly-verifiable proof of storage: a modular construction 2 / 16

6 What PoS is NOT Three different problems: Secrecy of the stored file. The server can read any part of the file: a user must encrypt the file to maintain privacy. Retrieving the file. The server can refuse to give back the file to the user but still pass the verification, because it is actually storing the file. Recovering a partially corrupted file. Part of the stored file can become corrupted. The PoS protocol detects the problem, but doesn t restore the file. Federico Giacon Publicly-verifiable proof of storage: a modular construction 2 / 16

7 What PoS is NOT Three different problems: Secrecy of the stored file. The server can read any part of the file: a user must encrypt the file to maintain privacy. Retrieving the file. The server can refuse to give back the file to the user but still pass the verification, because it is actually storing the file. Recovering a partially corrupted file. Part of the stored file can become corrupted. The PoS protocol detects the problem, but doesn t restore the file. Federico Giacon Publicly-verifiable proof of storage: a modular construction 2 / 16

8 What PoS is NOT Three different problems: Secrecy of the stored file. The server can read any part of the file: a user must encrypt the file to maintain privacy. Retrieving the file. The server can refuse to give back the file to the user but still pass the verification, because it is actually storing the file. Recovering a partially corrupted file. Part of the stored file can become corrupted. The PoS protocol detects the problem, but doesn t restore the file. Federico Giacon Publicly-verifiable proof of storage: a modular construction 2 / 16

9 Proof of Storage Additional requirement We can trivially obtain a PoS protocol if the user stores a hash h of its file f and the server sends back the whole file, f. Verify(f ): if H(f ) == h return true; else return false; We require the protocol be efficient in term of bandwidth: the communication complexity must be much lower than the size of the file. Federico Giacon Publicly-verifiable proof of storage: a modular construction 3 / 16

10 Applications Cloud storage: the user can verify that their files are correctly stored by the cloud provider: otherwise the server might remove files that are unlikely to be accessed (e.g., old backups). Automated, trustless payment for file storage: with public verifiability a trusted third party (or a smart contract) can verify that the server is storing the file and authorize the payment, without requiring any trust between the user and the server. Federico Giacon Publicly-verifiable proof of storage: a modular construction 4 / 16

11 Proof of Storage The protocol (f, st) Encode sk (f ) c π Prove pk (f, c) (pk, sk, st) (pk, f ) b = Verify pk (st, c, π) Federico Giacon Publicly-verifiable proof of storage: a modular construction 5 / 16

12 Security The protocol is correct: The server knows f = the verification succeeds. The protocol is secure: A can verify = we can extract the file f from A. Federico Giacon Publicly-verifiable proof of storage: a modular construction 6 / 16

13 The result Ateniese, Kamara, Katz ASIACRYPT 2009 We can build a correct and secure publicly-verifiable PoS protocol based on the hardness of factoring in the random oracle model. Federico Giacon Publicly-verifiable proof of storage: a modular construction 7 / 16

14 Additional properties Unlimited challenges. Public verifiability. And with respect to the file size: Communication complexity: O (1). Server storage: the file f and a overhead O (1). Client storage: O (1). Federico Giacon Publicly-verifiable proof of storage: a modular construction 8 / 16

15 Modular construction Proof of Storage Homomorphic Linear Authentication Homomorphic Identification Protocol Hardness of factoring Federico Giacon Publicly-verifiable proof of storage: a modular construction 9 / 16

16 Modular construction Proof of Storage Pseudo-random functions Homomorphic Linear Authentication Homomorphic Identification Protocol Hardness of factoring Federico Giacon Publicly-verifiable proof of storage: a modular construction 9 / 16

17 Modular construction Proof of Storage Pseudo-random functions Homomorphic Linear Authentication Random Oracle Model Homomorphic Identification Protocol Hardness of factoring Federico Giacon Publicly-verifiable proof of storage: a modular construction 9 / 16

18 Proof of Storage Proof of Storage Homomorphic Linear Authentication Homomorphic Identification Protocol Hardness of factoring Federico Giacon Publicly-verifiable proof of storage: a modular construction 10 / 16

19 Homomorphic Linear Authentication f = (f 1,..., f N ) ( t, st) Tag sk ( f ) c τ Auth pk ( f, t, c) b = Verify pk (st, µ, c, τ) Federico Giacon Publicly-verifiable proof of storage: a modular construction 10 / 16

20 Homomorphic Linear Authentication b = Verify pk (st, µ, c, τ) Correctness ) Verify pk (st, c i f i, c, τ = 1 i Security A polynomial adversary cannot forge a valid authentication proof for µ i c i f i. Federico Giacon Publicly-verifiable proof of storage: a modular construction 11 / 16

21 HLA PoS The file is split: f = (f 1,..., f N ), with f i Z p. The server stores a file with HLA tags: f = ( f, t). The request procedure consists in: Share a key K for the pseudo-random function F : the commitment is c i = F K (i) Z p. Using the HLA protocol we compute τ Auth pk ( f, t, c) and set µ = i f i c i. The PoS proof is π = (µ, τ). To verify we use Verify of the HLA protocol. Federico Giacon Publicly-verifiable proof of storage: a modular construction 12 / 16

22 Homomorphic Linear Authentication Proof of Storage Homomorphic Linear Authentication Homomorphic Identification Protocol Hardness of factoring Federico Giacon Publicly-verifiable proof of storage: a modular construction 13 / 16

23 Identification Protocol Verify that the user knows the secret key sk without revealing additional information. α Commit pk (r) β γ Respond pk (sk, r, β) (pk, sk) pk b = Verify pk (α, β, γ) Federico Giacon Publicly-verifiable proof of storage: a modular construction 13 / 16

24 Homomorphic Identification Protocol For an homomorphic protocol we add Combine 1 and Combine 3. Correctness If {(α i, β i, γ i )} n i=1 is a set of valid IP transcript (Verify = 1) and c is a vector: ) Verify pk (Combine 1 ( c, α), c i β i, Combine 3 ( c, γ). i Security A polynomial adversary A has negligible probability to output a string ( c, µ, γ ) such that: µ i c i β i. Verify pk (Combine 1 ( c, α), µ, γ ) = 1. Federico Giacon Publicly-verifiable proof of storage: a modular construction 14 / 16

25 HIP HLA The file is split: f = (f 1,..., f N ), with f i Z p. Implicitly β i = f i. Tag sk ( f ): We take a random element st and we fix r i = H(st, i) and α i = Commit pk (r i ). We compute γ i = Respond pk (sk, r i, f i ). The tag is t = (γ 1,..., γ n). Auth pk ( f, t, c): Output the combined tag τ = Combine 3 ( c, t). Verify pk (st, µ, c, τ): Output the combined verification Verify pk (Combine 1 ( c, α), µ, τ). Federico Giacon Publicly-verifiable proof of storage: a modular construction 15 / 16

26 Homomorphic Identification Protocol Proof of Storage Homomorphic Linear Authentication Homomorphic Identification Protocol Hardness of factoring Federico Giacon Publicly-verifiable proof of storage: a modular construction 16 / 16

27 Instantiation Quadratic residuosity: N = pq, J +1 N is the set of element in Z N with Jacobi symbol +1, and QR N is the set of quadratic residues mod N. y $ QR N ; pk = (N, y); sk = (p, q). Commit pk (r): output α = r as element of J +1 N. Respond pk (sk, r, β): output γ, a random 2 3k -th root of ±ry β. Verify pk (α, β, γ): output 1 if and only if γ 23k = ±αy β and β < 2 3k. Combine( c, x): output i x c i i. Federico Giacon Publicly-verifiable proof of storage: a modular construction 16 / 16

28 Thank you for your attention.

Cryptographic protocols

Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital