Provable Data Possession

Research paper survey

C. Y. Lee
Benefits of Cloud Computing
2
Secure Storage
& Management
Traditional Data Possession Scheme
3
Files
Challenge Lists
{T}
CheckProof(T, T)
Success ? Failure ?
S
e
t
u
p

C
h
a
l
l
e
n
g
e

File F
File F
T
T
T = Crypto-Hash(F)
or
T = MAC
key
(F)
T = Crypto-Hash(F)
or
T = MAC
key
(F)
File F
File F
Provable Data Possession
Provable Data Possession (PDP)
Clients need to be able to verify that an untrusted
server has retained file data.
Without retrieving the data from the server.
Without having the server access the entire file
(probabilistic proofs).
Also called Proof of Data Retrivability (POR).
4
PROVABLE DATA POSSESSION AT
UNTRUSTED STORES
Giuseppe Ateniese, Randal Burns, Reza Curtmola, Joseph Herring,
Lea Kissner, Zachary Peterson,Dawn Song,
CCS07, October 29November 2, 2007, pp. 598-610, Alexandria,
Virginia, USA.
5
Homomorphic Verifiable Tags (HVTs)
HVT is a pair of values (T
i,m
, W
i
) stored at the
server.
Given a message m, T
m
is its HVT.
W
i
is a random value with index i.
Properties:
Blockless verification
Homomorphic tags
A value T
m
i
+m
j
corresponding to the sum of the messages m
i
+
m
j.


6
Provable Data Possession Scheme
(PDP)
7
m
1
m
2

m
t

m
n
File F
Tags E

1,
1

2,
2

KeyGen(1
k
) (pk, sk)
TagBlock(pk, sk, m) T
m

pk. File, Tags
GenProof(pk, F, chal,E) v
Challenge chal
v
CheckProof(pk, sk, chal, v)
Success ? Failure ?
S
e
t
u
p

C
h
a
l
l
e
n
g
e

Data Possession Game (Setup)
8
Client Server
(pk, sk) KeyGen(1
k
):
Three primes: p = 2p+1, q = 2q+1, and e.
pk = (N, g), N = pq is RSA modulus, g is a generator of QR
N

sk = (e, d, v), ed 1 (mod pq),

*0,1+

1 s i s n, (T
i,m
i
, W
i
) TagBlock(pk, (d, v), m
i
, i):
W
i
= v || i, T
i, m
i
= (h(W
i
)g
m
i
)
d
mod N
pk, F, E=(T
1, m
1
, , T
n,m
n
)
*
QR
N
is the set of quadratic residues modulo N.
*
H, h: a cryptographic hash function.
*
f
key
: a pseudo-random function (PRF) index on key.
*
t
key
: a pseudo-random permutation (PRP) index on key..
*
k: security parameter.
Provable Data Possession Scheme
(PDP)
9
m
1
m
2

m
t

m
n
File F
Tags E

1,
1

2,
2

KeyGen(1
k
) (pk, sk)
TagBlock(pk, sk, m) T
m

pk. File, Tags
GenProof(pk, F, chal,E) v
Challenge chal
v
CheckProof(pk, sk, chal, v)
Success ? Failure ?
S
e
t
u
p

C
h
a
l
l
e
n
g
e

CheckProof(pk, sk, chal, v)
sk = (e, d, v), chal = (c, k
1
, k
2
, s), =

,
for 1 s j s c,

1
,

2
,

= ||

1
++

if

= , success, else failure.

Data Possession Game (Challenge)
10
Client Server
CHAL = (c, k
1
, k
2
, g
s
)
v
CHAL=(c, k
1
, k
2
, g
s
)

1

*0,1+

,
2

*0,1+

,
c: # of proofs of possessed blocks
v GenProof(pk, F, chal, E)
for 1 s j s c,

1
,

2
(),
=

1
,

= (

1
++

1
++

v = (, )
SCALABLE AND EFFICIENT
PROVABLE DATA POSSESSION
Giuseppe Ateniese, Roberto Di Pietro, Luigi V. Mancini, Gene
Tsudik,
SecureComm 2008 September 22 - 25, 2008, Istanbul, Turkey.
11
Notations
F: outsourced file data
d equal-sized blocks: F[1], , F[d].
H(): cryptographic hash function.
AE
key
(): authenticated encryption scheme.
Ex: OCB, XCBC, IAPM
f
key
(): pseudo-random function(PRF) index on
key.
t
key
(): pseudo-random permutation(PRP) index
on key.
12
Basic Setup Phases
13
Client Server
Choose parameters t, k, L and functions f, t;
Choose the number t of tokens;
Choose the number r of indices per verification;
Generate randomly master keys W, Z, K e {0, 1}
k
.
for (i 1 to t) do
begin Round i
k
i
= f
W
(i) and c
i
= f
Z
(i)

= (

1 , ,

(,

)
end
(D, {[i, v
i
] for 1 s i s t})
*
Treat f and g as AES, L = 128.
Basic Verification Phases
14
Client Server
Challenge i
k
i
= f
W
(i) and c
i
= f
Z
(i)
{k
i
, c
i
}
*
Treat f and g as AES, L = 128.
= (

1 , ,

{z, v
i
}
, =

1
(

)
If decryption fails or (, ) (, ) then REJECT.
Supporting Dynamic Outsourced Data
Data block operations
Update
Delete
Append
Insert

15
Update i
th
Data Block
16
Client Server
To modify F[i] F[i]:
{n, F[n],{i, v
i
}|1s i s t}}
*
Treat f and t as AES, L = 128.
{i, v
i
}|1s i s t
ctr = ctr + 1;
for (i 1 to t) do
(,

) =

1
(

);
k
i
= f
W
(i), c
i
= f
Z
(i);
for (j 1 to r) do
if (

== ) then
v
i
= v
i
H(c
i
, j, F[n]) H(c
i
, j, F[n]);
v
i
= AE
K
(ctr, i, v
i
);
Block Deletion, Append, Insert
Block deletion:
Large portion basic PDP scheme on the new file.

# of blocks modified data update procedure.

17
v
i
= v
i
H(c
i
, j, F[n]) H(c
i
, j, DBlock);
Block Deletion, Append, Insert
Single-block append:
Append a new block to one of the original blocks
D[1],, D[d] in a round-robin fashion.





Insert:
Apply to append operation.
18
H(c
i
, j, ,

()])H(c
i
, d+j, ,

+
])H(c
i
, od+j, ,

+ ])

,1- = 1 , , + 1-

,2-

=
2 , , + 2-

,-

,-
=
=
, , + -
,-

Discussion
Bandwidth-storage tradeoff
Verification tags/tokens
Stored in client Storage + Computation cost
Retrieved from server Bandwidth cost
Limited number of verifications
How often to query a proof of possession?
19
Probabilistic Framework
Sampling ability greatly reduces the workload on
the server
Provide the probabilistic guarantees.
Assume S deletes t blocks out of the n-block file
F.
c: # of different blocks involved in a challenge.
X: # of blocks chosen by C that match the blocks
deleted by S.
P
X
: the probability that at least one of the blocks
picked by C matches one of the blocks deleted by S.

= (1

P
x
< 0.6% if c > 512 ,

= 1%.
20
Probabilistic Framework

21
Thanks for your listening
&
Welcome to Mr. Kilos talk
APPENDIX
24
Probabilistic Framework
Assume S deletes t blocks out of the n-block file F.
c: # of different blocks for challenge.
X: # of blocks chosen by C that match the blocks deleted
by S.
P
X
: the probability that at least one of the blocks picked
by C matches one of the blocks deleted by S.
P
x
= P{X > 1} = 1 - P{X = 0}

= 1

1
1

2
2

.
Since

, 1

1
+1
+1

25
Provable Data Possession at Untrusted Stores, CCS 07.