Académique Documents
Professionnel Documents
Culture Documents
m
t
m
n
File F
Tags E
1,
1
2,
2
KeyGen(1
k
) (pk, sk)
TagBlock(pk, sk, m) T
m
pk. File, Tags
GenProof(pk, F, chal,E) v
Challenge chal
v
CheckProof(pk, sk, chal, v)
Success ? Failure ?
S
e
t
u
p
C
h
a
l
l
e
n
g
e
Data Possession Game (Setup)
8
Client Server
(pk, sk) KeyGen(1
k
):
Three primes: p = 2p+1, q = 2q+1, and e.
pk = (N, g), N = pq is RSA modulus, g is a generator of QR
N
sk = (e, d, v), ed 1 (mod pq),
*0,1+
1 s i s n, (T
i,m
i
, W
i
) TagBlock(pk, (d, v), m
i
, i):
W
i
= v || i, T
i, m
i
= (h(W
i
)g
m
i
)
d
mod N
pk, F, E=(T
1, m
1
, , T
n,m
n
)
*
QR
N
is the set of quadratic residues modulo N.
*
H, h: a cryptographic hash function.
*
f
key
: a pseudo-random function (PRF) index on key.
*
t
key
: a pseudo-random permutation (PRP) index on key..
*
k: security parameter.
Provable Data Possession Scheme
(PDP)
9
m
1
m
2
m
t
m
n
File F
Tags E
1,
1
2,
2
KeyGen(1
k
) (pk, sk)
TagBlock(pk, sk, m) T
m
pk. File, Tags
GenProof(pk, F, chal,E) v
Challenge chal
v
CheckProof(pk, sk, chal, v)
Success ? Failure ?
S
e
t
u
p
C
h
a
l
l
e
n
g
e
CheckProof(pk, sk, chal, v)
sk = (e, d, v), chal = (c, k
1
, k
2
, s), =
,
for 1 s j s c,
1
,
2
,
= ||
1
++
if
*0,1+
,
2
*0,1+
,
c: # of proofs of possessed blocks
v GenProof(pk, F, chal, E)
for 1 s j s c,
1
,
2
(),
=
1
,
= (
1
++
1
++
v = (, )
SCALABLE AND EFFICIENT
PROVABLE DATA POSSESSION
Giuseppe Ateniese, Roberto Di Pietro, Luigi V. Mancini, Gene
Tsudik,
SecureComm 2008 September 22 - 25, 2008, Istanbul, Turkey.
11
Notations
F: outsourced file data
d equal-sized blocks: F[1], , F[d].
H(): cryptographic hash function.
AE
key
(): authenticated encryption scheme.
Ex: OCB, XCBC, IAPM
f
key
(): pseudo-random function(PRF) index on
key.
t
key
(): pseudo-random permutation(PRP) index
on key.
12
Basic Setup Phases
13
Client Server
Choose parameters t, k, L and functions f, t;
Choose the number t of tokens;
Choose the number r of indices per verification;
Generate randomly master keys W, Z, K e {0, 1}
k
.
for (i 1 to t) do
begin Round i
k
i
= f
W
(i) and c
i
= f
Z
(i)
= (
1 , ,
(,
)
end
(D, {[i, v
i
] for 1 s i s t})
*
Treat f and g as AES, L = 128.
Basic Verification Phases
14
Client Server
Challenge i
k
i
= f
W
(i) and c
i
= f
Z
(i)
{k
i
, c
i
}
*
Treat f and g as AES, L = 128.
= (
1 , ,
{z, v
i
}
, =
1
(
)
If decryption fails or (, ) (, ) then REJECT.
Supporting Dynamic Outsourced Data
Data block operations
Update
Delete
Append
Insert
15
Update i
th
Data Block
16
Client Server
To modify F[i] F[i]:
{n, F[n],{i, v
i
}|1s i s t}}
*
Treat f and t as AES, L = 128.
{i, v
i
}|1s i s t
ctr = ctr + 1;
for (i 1 to t) do
(,
) =
1
(
);
k
i
= f
W
(i), c
i
= f
Z
(i);
for (j 1 to r) do
if (
== ) then
v
i
= v
i
H(c
i
, j, F[n]) H(c
i
, j, F[n]);
v
i
= AE
K
(ctr, i, v
i
);
Block Deletion, Append, Insert
Block deletion:
Large portion basic PDP scheme on the new file.
# of blocks modified data update procedure.
17
v
i
= v
i
H(c
i
, j, F[n]) H(c
i
, j, DBlock);
Block Deletion, Append, Insert
Single-block append:
Append a new block to one of the original blocks
D[1],, D[d] in a round-robin fashion.
Insert:
Apply to append operation.
18
H(c
i
, j, ,
()])H(c
i
, d+j, ,
+
])H(c
i
, od+j, ,
+ ])
,1- = 1 , , + 1-
,2-
=
2 , , + 2-
,-
,-
=
=
, , + -
,-
Discussion
Bandwidth-storage tradeoff
Verification tags/tokens
Stored in client Storage + Computation cost
Retrieved from server Bandwidth cost
Limited number of verifications
How often to query a proof of possession?
19
Probabilistic Framework
Sampling ability greatly reduces the workload on
the server
Provide the probabilistic guarantees.
Assume S deletes t blocks out of the n-block file
F.
c: # of different blocks involved in a challenge.
X: # of blocks chosen by C that match the blocks
deleted by S.
P
X
: the probability that at least one of the blocks
picked by C matches one of the blocks deleted by S.
= (1
P
x
< 0.6% if c > 512 ,
= 1%.
20
Probabilistic Framework
21
Thanks for your listening
&
Welcome to Mr. Kilos talk
APPENDIX
24
Probabilistic Framework
Assume S deletes t blocks out of the n-block file F.
c: # of different blocks for challenge.
X: # of blocks chosen by C that match the blocks deleted
by S.
P
X
: the probability that at least one of the blocks picked
by C matches one of the blocks deleted by S.
P
x
= P{X > 1} = 1 - P{X = 0}
= 1
1
1
2
2
.
Since
, 1
1
+1
+1
25
Provable Data Possession at Untrusted Stores, CCS 07.