proofs of storage - brown universityseny/slides/pos-cai.pdfour rsa-based brm-id [afkk13] machine #1:...
TRANSCRIPT
![Page 1: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/1.jpg)
Proofs of Storage
SENY KAMARA
MICROSOFT RESEARCH
![Page 2: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/2.jpg)
Computing as a Service
Computing is a vital resource
Enterprises, governments, scientists, consumers, …
Computing is manageable at small scales…
e.g., PCs, laptops, smart phones
…but becomes hard to manage at large scales
build and manage infrastructure, schedule backups,
hardware maintenance, software maintenance, security,
trained workforce, …
Why not outsource it?
2
![Page 3: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/3.jpg)
Cloud Services
Software as a service
Gmail, Hotmail, Flickr, Facebook, Office365, Google Docs, …
Service: customer makes use of provider applications
Customer: consumers & enterprise
Platform as a service
MS SQL Azure, Amazon SimpleDB, Google AppEngine
Service: customer makes use of provider’s software stack
Customer: developers
Infrastructure as a service
Amazon EC2, Microsoft Azure, Google Compute Engine
Service: customer makes use of provider’s (virtualized) infrastructure
Customer: enterprise, developers
3
![Page 4: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/4.jpg)
Cloud Advantages
Providers
Monetize spare capacity
Consumers
Convenience: backups, synchronizations, sharing
Companies
Elasticity
Can focus on core business
Cheaper services
4
![Page 5: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/5.jpg)
Cloud Risks
Risks
100% reliability is impossible
Downtime can be costly (startups can go out of business)
AWS outages
December 12th, 2010: EC2 down for 30 mins (Europe)
April 21, 2011: storage down for 10-12 hours (N. Virginia)
Foursquare, Reddit, Quora, BigDoor and Hootsuite affected
August 6th, 2011: storage down for 24 hours (Ireland)
August 8th, 2011: network connectivity down for 25 mins (N. Virginia)
Reddit, Quora, Netflix and FourSquare affected
July 7th, 2012: storage down for few hours (Virginia)
Instagram, Netflix, Pinterest affected
5
![Page 6: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/6.jpg)
Q: is my data still there?
6
![Page 7: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/7.jpg)
Outline
Motivation
Naïve Solutions
Overview of Proofs of Storage
Defining Proofs of Storage
Designing Proofs of Storage
Applying Proofs of Storage
7
![Page 8: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/8.jpg)
Q: is my data still there?
8
![Page 9: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/9.jpg)
Digital Signatures/MACs
Signatures
Gen(1k) ⟾ (sk, vk)
Sign(sk, m) ⟾ σ
Vrfy(vk, m, σ) ⟾ b
Security
Message Authentication Codes
Gen(1k) ⟾ sk
Tag(sk, m) ⟾ σ
Vrfy(sk, m, σ) ⟾ b
9
UNF: “given m and σ, no A can output a
valid σ’ for an element m’ ≠ m ”
![Page 10: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/10.jpg)
Communication Channels 10
![Page 11: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/11.jpg)
Local Storage 11
![Page 12: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/12.jpg)
Cloud Storage 12
![Page 13: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/13.jpg)
Simple Solutions
?H
H
Cloud can just store hash!
?H
Linear comm. complexity
13
![Page 14: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/14.jpg)
Simple Solutions
K1
TK1
TK2
TK3 TK3
TK1
…Large client storageBounded # of verifications
14
![Page 15: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/15.jpg)
Proofs of Storage
15
![Page 16: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/16.jpg)
Proof of Storage [Ateniese+07,Juels-Kaliski07]
O(1)
Petabytes
π
K
c
16
![Page 17: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/17.jpg)
PoS = PoR or PDP
Proof of retrievability [Juels-Kaliski07]
High tampering: detection
Low tampering: retrievability
Proof of data possession [Ateniese+07]
Detection
17
![Page 18: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/18.jpg)
PoS Security
Completeness
Soundness
COMP: “if Server possesses file, then Client accepts proof”
SOUND: “if Client accepts proof, then
Server possesses file”
18
![Page 19: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/19.jpg)
Formalizing Possession
Knowledge extractor
[Feige-Fiat-Shamir88, Feige-Shamir90, Bellare-Goldreich92]
Algorithm that extracts information from other algorithms
Typically done by rewinding
Adapted to PoS soundness
SOUND: “there exists an expected poly-time extractor
K that extracts the file from any poly-time A that
outputs valid proofs”
19
![Page 20: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/20.jpg)
Designing PoS
20
![Page 21: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/21.jpg)
Designing PoS
Based on sentinels
[Juels-Kaliski07]
Embed secret blocks in data and verify their integrity
Very efficient encoding
Only works with private data
Based on homomorphic linear authenticators (HLA)
[Ateniese+07]
Authenticates data with tags that can be aggregated
works with public data
21
![Page 22: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/22.jpg)
HLA-based PoS
Semi-compact PoR
Compact PDP
Semi-compact PDP
Compact PoR
Erasure code
1 2 3 4
1 2 3 4
t1 t2 t3 t4
1 2 3 4 EC EC
t1 t2 t3 t4 t5 t6
1 2 3 4 EC EC
HLA
PRF PRF
22
HLA
1 2 3 4
![Page 23: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/23.jpg)
Extracting via Linear Algebra
SOUND: “there exists an expected poly-time extractor
K that extracts the file from any poly-time A that
outputs valid proofs”
K
c
π
c
π
23
![Page 24: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/24.jpg)
Extracting via Linear Algebra
SOUND: “there exists an expected poly-time extractor
K that extracts the file from any poly-time A that
outputs valid proofs”
K⟨c1, f⟩
⟨c2, f⟩
C1∈[ℤp]n
C2∈[ℤp]n
1 2f = =Extract f1. If c1 and c2 are lin. Indep.
2. solve for f using linear algebra
24
![Page 25: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/25.jpg)
Extracting via Linear Algebra
What if c1 and c2 are not linearly independent?
Just pick them at random
What if A doesn’t compute inner product?
Use HLAs!
K⟨c1, f⟩
⟨c2, f⟩
C1∈[ℤp]n
C2∈[ℤp]n
1 2f = =Extract f1. If c1 and c2 are lin. Indep.
2. solve for f using linear algebra
25
![Page 26: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/26.jpg)
HLA
Syntax
Gen(1k) ⟾ K
Tag(K, f) ⟾ (t, st)
Chall(1k) ⟾ c
Auth(K, f, t, c) ⟾ α
Vrfy(K, μ, c, st) ⟾ b
SecurityUNF: “given f and c, no A can output a
valid α for an element μ ≠ ⟨c, f⟩”
26
![Page 27: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/27.jpg)
Constructing HLAs [AKK09]
HLAs from homomorphic identification protocols
Multiple execs. can be verified at once (i.e., batched)
Identification schemes
roughly zero-knowledge proofs of knowledge
Ex: Schnorr, Guillou-Quisquater, Shoup,…
Previous HLAs are instances of AKK transform
New HLA based on Shoup’s ID scheme
27
![Page 28: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/28.jpg)
Simple HLA [Shacham-Waters08]
1 2 3 4
t1 t2 t3 t4
ti = HK(i) + fi ∙w
W, K
C⬿[ℤp]n
μ = ⟨c, f⟩ and α = ⟨c, t⟩
α = ⟨c, (HK(1), …, HK(n))⟩ + μ ∙w
28
![Page 29: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/29.jpg)
Simple HLA
UNF: α proves that μ is the inner product of f and c
Why is Simple HLA unforgeable?
For intuition see [Ateniese-K.-Katz10]
Connection to 3-move identification protocols
UNF: “given f and c, no A can output a
valid α for an element μ ≠ ⟨c, f⟩”
29
![Page 30: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/30.jpg)
Simple HLA = Semi-Compact PoS
1 2 3 4
t1 t2 t3 t4
ti = HK(i) + fi ∙w
W, K
C⬿[ℤ*p]n
μ = ⟨c, f⟩ and α = ⟨c, t⟩
α = ⟨t, (HK(1), …, HK(n))⟩ + μ ∙w
O(n)!
O(1)
30
![Page 31: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/31.jpg)
Compressing Challenges
Idea #1
[Ateniese+07]
Send key to a PRF and have server generate challenge vector
Problem: how do we reduce to PRF security if A knows the PRF key?
Idea #2
[Shacham-Waters08] Use a random oracle
Idea #3
[Dodis-Vadhan-Wichs10] Use an expander-based derandomizedsampler
[Ateniese-K.-Katz10]
Idea#1 is secure
Security of PRF implies that PRF-generated vectors are linearly independent with high probability
31
![Page 32: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/32.jpg)
HLA-based PoS
Semi-compact PoR
Compact PDP
Semi-compact PDP
Compact PoR
Erasure code
1 2 3 4
1 2 3 4
t1 t2 t3 t4
1 2 3 4 EC EC
t1 t2 t3 t4 t5 t6
1 2 3 4 EC EC
HLA
PRF PRF
32
HLA
1 2 3 4
![Page 33: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/33.jpg)
Constructions 33
Assmpt. Verif. ROM Dyn. Unbounded
[ABC07+] RSA+KEA public Yes No Yes
[JK07] OWF private No Yes No
[SW08] BDH public Yes No Yes
[SW08] OWF private No No Yes
[APMT09] OWF private Yes Yes No
[EKPT09] Fact public Yes Yes Yes
[DVW09] OWF private No No No
[AKK09] Fact Public Yes* No Yes
![Page 34: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/34.jpg)
Applying PoS
34
![Page 35: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/35.jpg)
PoS Applications
Verifying integrity [Juels-Kaliski07, ABC+07,…]
Providing availability
HAIL [Bowers-Juels-Oprea09]
Iris [Stefanov-vDijk-Juels-Oprea12]
Verifying fault tolerance [Bowers-vDijk-Juels-Oprea11]
Verifying geo-location
[Benson-Dowsley-Shacham11,
Watson-SafaviNaini-Alimomeni-Locasto-Naranayan12,
Gondree-Peterson13]
Malware-resistant authentication [Ateniese-Faonio-K.-Katz13]
35
![Page 36: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/36.jpg)
Identification 36
pwd
H(pwd)
![Page 37: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/37.jpg)
Identification Schemes 37
pksk
![Page 38: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/38.jpg)
Bounded Retrieval Model
High-level idea
A can recover λ bits of secret key
Make secret key larger than λ bits
Efficiency independent of secret key size
Concretely
20GB secret key
Long time needed for A to recover 20GB w/o detection
Scheme efficiency independent of key size
38
![Page 39: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/39.jpg)
BRM-ID via PoS [AFKK13] 39
sk = f ⬿ {0,1}k
st
O(1)
PoS
![Page 40: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/40.jpg)
BRM-ID via PoS [AFKK13] 40
sk = f ⬿ {0,1}k
st
O(1)
ZK-PoS
![Page 41: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/41.jpg)
Zero-knowledge PoS
[Wang-Chow-Wang-Ren-Lou09]
Bilinear DH (?)
Based on [Shacham-Waters08]
[Ateniese-Faonio-K.-Katz13]
Construction #1: RSA
Construction #2: Factoring
Based on [ABC07+]
Full proof of security
41
![Page 42: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/42.jpg)
HLA-Based PoS Design 42
HLA Compact PoS
PoR
PDP
Zero-Knowledge
BRM-ID
Hom. ID
[AKK09]
PRF
[AKK09]
Erasure Code
[SW08]
[ABC+07]
[AFKK13]
![Page 43: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/43.jpg)
BRM-ID
[Alwen-Dodis-Wichs09]
3 BRM-IDs
Based on Okamoto ID scheme
Asymptotically less efficient than ours
43
![Page 44: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/44.jpg)
Our RSA-Based BRM-ID [AFKK13]
Machine #1: PC1-HD
Pentium Dual-Core 2.93GHz
2MB L2 cache
2GB DDR2 800MHz of RAM
1TB SATA 6Gb/s rotating hard drive
Machine #2: PC1-USB
Machine #1 + USB drive
Machine #3: PC2-SSD
Intel Xeon 8-Core 2.2GHz
16MB L3 cache
256GB DDR3 1600MHz of RAM
RAID 4 512GB SATA SSD hard drives
44
![Page 45: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/45.jpg)
Our RSA-Based BRM-ID [AFKK13]
1020 bits of security + 256MB of leakage
348MB secret key
PC1-HD: 0.18s
PC1-USB: 0.5s
PC2-SSD: 0.12s
1020 bits of security + 4GB of leakage
5584GB secret key
PC1-HD: 2.5-3s
PC1-USB: 1s
PC2-SSD: 0.12s
45
![Page 46: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/46.jpg)
Conclusions
PoS are interesting in practice
Well motivated
Different guarantees (PDPs and PORs)
Efficient constructions
Based on variety of assumptions (RSA, BDH, OWF)
PoS are interesting in theory
Non-trivial security definitions and constructions
Interactive proofs, signatures, coding theory
PoS are useful
Integrity, availability, geo-location, malware-resistant authentication
46
![Page 47: Proofs of Storage - Brown Universityseny/slides/pos-cai.pdfOur RSA-Based BRM-ID [AFKK13] Machine #1: PC1-HD Pentium Dual-Core 2.93GHz 2MB L2 cache 2GB DDR2 800MHz of RAM 1TB SATA 6Gb/s](https://reader034.vdocuments.us/reader034/viewer/2022052105/60400fa8e205c25ac551fb95/html5/thumbnails/47.jpg)
The End
47