Provable Data Possession Research paper survey
C. Y. Lee
Benefits of Cloud Computing
Secure Storage & Management
Traditional Data Possession Scheme
[Figure: traditional data possession scheme, with Setup and Challenge phases between a client and a server that holds File F. Labels: Files; Challenge Lists {T’}; T = Crypto-Hash(F) or T = MAC_key(F); T’ = Crypto-Hash(F) or T’ = MAC_key(F); CheckProof(T, T’): Success? Failure?]
Provable Data Possession
• Provable Data Possession (PDP)
– Clients need to be able to verify that an untrusted server has retained file data.
– Without retrieving the data from the server.
– Without having the server access the entire file (probabilistic proofs).
– Also called Proof of Data Retrievability (POR).
PROVABLE DATA POSSESSION AT UNTRUSTED STORES
Giuseppe Ateniese, Randal Burns, Reza Curtmola, Joseph Herring, Lea Kissner, Zachary Peterson, Dawn Song, CCS’07, October 29–November 2, 2007, pp. 598-610, Alexandria, Virginia, USA.
Homomorphic Verifiable Tags (HVTs)
• HVT is a pair of values (T_{i,m}, W_i) stored at the server.
– Given a message m, T_m is its HVT.
– W_i is a random value with index i.
• Properties:
– Blockless verification
– Homomorphic tags
  • A value T_{m_i+m_j} corresponding to the sum of the messages m_i + m_j.
Provable Data Possession Scheme(PDP)
[Figure: Provable Data Possession scheme. File F is shown as blocks m_1, m_2, …, m_t, …, m_n with tags T_{1,m_1}, T_{2,m_2}, …, T_{t,m_t}, …, T_{n,m_n}. Setup: KeyGen(1^k) → (pk, sk); TagBlock(pk, sk, m) → T_m; pk, File, Tags. Challenge: Challenge chal; GenProof(pk, F, chal, ) → ; CheckProof(pk, sk, chal, ); Success? Failure?]
Data Possession Game (Setup)
Client Server
(pk, sk) ← KeyGen(1^k): Three primes: p = 2p’+1, q = 2q’+1, and e.
pk = (N, g), N = pq is RSA modulus, g is a generator of QR_N
sk = (e, d, v), ed ≡ 1 (mod p’q’),
For 1 ≤ i ≤ n, (T_{i,m_i}, W_i) ← TagBlock(pk, (d, v), m_i, i):
W_i = v || i, T_{i,m_i} = (h(W_i) · g^{m_i})^d mod N
pk, F, = (T_{1,m_1}, …, T_{n,m_n})
* QR_N is the set of quadratic residues modulo N.
* H, h: cryptographic hash functions.
* f_key: a pseudo-random function (PRF) indexed on key.
* key: a pseudo-random permutation (PRP) indexed on key.
* : security parameter.
Data Possession Game (Challenge)
Client Server
Client: CHAL = (c, k1, k2, g_s), c: # of proofs of possessed blocks
Client to server: CHAL = (c, k1, k2, g_s)
Server: GenProof(pk, F, chal, ) for 1 ≤ j ≤ c, , =
Client: CheckProof(pk, sk, chal’, ) sk = (e, d, v), chal’ = (c, k1, k2, s), , for 1 ≤ j ≤ c,
if , “success”, else “failure”.
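The Setup and Challenge games above as one runnable toy, added here as an example and not taken from the slides or from the cited paper's implementation. Assumptions: the GenProof and CheckProof formulas that did not survive in the slide text are taken to be T = ∏ T_i^a_j mod N with ρ = H(g_s^(Σ a_j·m_i) mod N), accepted when H((T^e / ∏ h(W_i)^a_j)^s mod N) = ρ; the 31-bit safe primes, e = 65537, `random.Random` as the PRP, keyed SHA-256 as the PRF and every function name are illustrative choices.

```python
import hashlib, itertools, math, random, secrets

def is_prime(n):
    return n > 1 and all(n % f for f in range(2, math.isqrt(n) + 1))
def safe_prime(start):  # smallest p >= start with p = 2p'+1 and p' prime (toy size)
    return next(p for p in itertools.count(start | 1, 2) if is_prime(p // 2) and is_prime(p))

def H(*parts):  # SHA-256 over the decimal encoding of the arguments
    return hashlib.sha256("|".join(map(str, parts)).encode()).digest()

def keygen(e=65537):  # pk = (N, g) with g = 4 in QR_N; sk = (e, d, v), ed = 1 (mod p'q')
    p = safe_prime(2**31)
    q = safe_prime(p + 2)
    return (p * q, 4), (e, pow(e, -1, (p // 2) * (q // 2)), secrets.randbits(128))

def h(pk, v, i):  # hash W_i = v || i, then square so the value lies in QR_N
    return pow(int.from_bytes(H(v, i), "big"), 2, pk[0])

def tag_block(pk, sk, m, i):  # T_i = (h(W_i) * g^m_i)^d mod N
    (N, g), (_, d, v) = pk, sk
    return pow(h(pk, v, i) * pow(g, m, N), d, N)

def expand(chal, n):  # challenge -> [(block index, coefficient)] for c blocks
    c, k1, k2, _ = chal
    idx = random.Random(k1).sample(range(n), c)       # stand-in for the PRP
    return [(i, int.from_bytes(H(k2, j), "big")) for j, i in enumerate(idx)]

def gen_proof(pk, blocks, tags, chal):  # server: reads only the c challenged blocks
    N, picks = pk[0], expand(chal, len(blocks))
    T = math.prod(pow(tags[i], a, N) for i, a in picks) % N
    return T, H(pow(chal[3], sum(a * blocks[i] for i, a in picks), N))

def check_proof(pk, sk, chal, s, n, proof):  # client: holds no file blocks
    (N, _), (e, _, v) = pk, sk
    tau = pow(proof[0], e, N)
    for i, a in expand(chal, n):
        tau = tau * pow(h(pk, v, i), -a, N) % N       # divide out h(W_i)^a
    return H(pow(tau, s, N)) == proof[1]

def demo(n=16, c=4):
    pk, sk = keygen()
    F = [secrets.randbits(256) for _ in range(n)]     # constructed file blocks
    tags = [tag_block(pk, sk, m, i) for i, m in enumerate(F)]
    s, k1, k2 = (secrets.randbits(128) for _ in range(3))  # fresh per challenge
    chal = (c, k1, k2, pow(pk[1], s, pk[0]))          # g_s = g^s mod N
    bad = list(F)
    bad[expand(chal, n)[0][0]] ^= 1                   # one challenged block is damaged
    return tuple(check_proof(pk, sk, chal, s, n, gen_proof(pk, blk, tags, chal))
                 for blk in (F, bad))
```

`demo()` runs the check once against the intact file and once against a copy with a single flipped bit in a challenged block; the client never touches the blocks themselves, which is the blockless verification property of the tags.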
SCALABLE AND EFFICIENT PROVABLE DATA POSSESSION
Giuseppe Ateniese, Roberto Di Pietro, Luigi V. Mancini, Gene Tsudik, SecureComm 2008, September 22-25, 2008, Istanbul, Turkey.
Notations
• F: outsourced file data
– d equal-sized blocks: F[1], …, F[d].
• H(): cryptographic hash function.
• AE_key(): authenticated encryption scheme.
– Ex: OCB, XCBC, IAPM
• f_key(): pseudo-random function (PRF) indexed on key.
• key (): pseudo-random permutation (PRP) indexed on key.
Basic Setup Phases
Client Server
Choose parameters t, k, L and functions f, ;
Choose the number t of tokens;
Choose the number r of indices per verification;
Generate randomly master keys W, Z, K ∈ {0, 1}^k.
for (i ← 1 to t) do
begin Round i
  k_i = f_W(i) and c_i = f_Z(i)
end
(D, {[i, v’_i] for 1 ≤ i ≤ t})
* Treat f and g as AES, L = 128.
Basic Verification Phases
Client Server
Challenge i: k_i = f_W(i) and c_i = f_Z(i)
{k_i, c_i}
z = H ¿
{z, v’_i}
If decryption fails or then REJECT.
* Treat f and g as AES, L = 128.
Supporting Dynamic Outsourced Data
• Data block operations
– Update
– Delete
– Append
– Insert
Update ith Data Block
Client Server
To modify F[i] → F’[i]:
{n, F’[n], {i, v’_i} | 1 ≤ i ≤ t}
{i, v’_i} | 1 ≤ i ≤ t
ctr = ctr + 1;
for (i ← 1 to t) do
  k_i = f_W(i), c_i = f_Z(i);
  for (j ← 1 to r) do
    if () then v_i = v_i ⊕ H(c_i, j, F[n]) ⊕ H(c_i, j, F’[n]);
  v’_i = AE_K(ctr, i, v_i);
* Treat f and as AES, L = 128.
Block Deletion, Append, Insert
• Block deletion:
– Large portion → basic PDP scheme on the new file.
– # of blocks → modified data update procedure.
v_i = v_i ⊕ H(c_i, j, F[n]) ⊕ H(c_i, j, DBlock);
Block Deletion, Append, Insert
• Single-block append:
– Append a new block to one of the original blocks D[1], …, D[d] in a round-robin fashion.
• Insert:
– Apply to append operation.
[Equation residue: token terms H(c_i, j, ]), H(c_i, d+j, ]), …, H(c_i, d+j, ]); block layout F′[1]: F[1], F[d+1]; F′[2]: ⋯; F′[k]: F[k], F[d+k]; F′[d]: F[d]]
Discussion
• Bandwidth-storage tradeoff
– Verification tags/tokens
  • Stored in client → Storage + Computation cost
  • Retrieved from server → Bandwidth cost
• Limited number of verifications
– How often to query a proof of possession?
Probabilistic Framework
• Sampling ability greatly reduces the workload on the server
– Provide the probabilistic guarantees.
• Assume S deletes t blocks out of the n-block file F.
– c: # of different blocks involved in a challenge.
– X: # of blocks chosen by C that match the blocks deleted by S.
– P_X: the probability that at least one of the blocks picked by C matches one of the blocks deleted by S.
– P_X < 0.6% if c > 512 , = 1%.
Thanks for your listening &
Welcome to Mr. Kilo’s talk
APPENDIX
Probabilistic Framework
• Assume S deletes t blocks out of the n-block file F.
– c: # of different blocks for challenge.
– X: # of blocks chosen by C that match the blocks deleted by S.
– P_X: the probability that at least one of the blocks picked by C matches one of the blocks deleted by S.
• P_X = P{X ≥ 1} = 1 - P{X = 0}
– .
– Since ,
Provable Data Possession at Untrusted Stores, CCS 07.