Verifiability for Cloud Storage and Computation
Melek Önen
July 5th, 2016 – Lorient
Joint work with Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva

Cloud – Outsourcing Storage and Computation
[Cloud Security Spotlight 2015]
Data storage, data processing
Benefits: reduced IT costs, availability, flexibility, multi-tenancy
[Figure: multi-tenancy with Company A, Company B and User]
Melek Önen SEC2, July 5th 2016

Cloud Security: Barrier to Cloud Adoption
Loss of Control: no possession of resources
Lack of Trust: malicious cloud
Lack of Transparency: cloud as a black box
Cloud Security Requirements
Privacy for cloud storage and computation: data privacy with storage efficiency; privacy preserving data processing
Integrity for cloud storage and computation: verifiable storage (data retrievability); verifiable computation (verifiable polynomial eval, matrix multi, word search)

Data Retrievability in the Cloud
[Figure labels: Upload, POR Generation, POR Query, Verification, Compute Proof, Verify]
R1: Verifiable without downloading file
R2: Verifiable with small costs
R3: Verifiable at any time

Proofs of Retrievability: Related Work
Tag-based [Ateniese et al. 2007, Shacham et al. 2008]
[Figure labels: Upload, Tags, Combination of blocks, Verification, Tag aggregation]
Efficient communication
Costly tag generation
Sentinel-based [Juels et al. 2007]
[Figure labels: Upload, Verification]
Efficient setup & verification
Limited number of verifications

Proofs of Retrievability: StealthGuard [ESORICS 2014]
Pseudorandom Watchdogs
Privacy-Preserving Watchdog Search
Conceal watchdogs: encryption
PIR-based privacy-preserving search for watchdogs
Unbounded number of verifications
[Figure labels: Verify, Search]

StealthGuard: Watchdog Search
POR Generation; POR Query: PIR query for a watchdog; Verification
[Figure: nonce and a bit matrix queried with PIR; the check "H( , ) ≟ H( , )" has outcome True or False]

Verifiable Computation
Phases: Setup, Problem Generation, Computation, Verification
Setup: $f$
Problem Generation: $x$, $f(x) = ?$
Computation: compute $f(x)$, compute proof $\Pi$, giving $y = f(x)$, $\Pi$
Verification: Verify$(x, y, \Pi)$
R1: Cost(Verify) ≪ Cost(Compute)
R2: Public delegatability. Anyone can submit a computation request [Parno et al. 2012]
R3: Public verifiability. Anyone can verify a computation result [Parno et al. 2012]

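Verifiability for 3 Operations
[Figure labels: $x$, $f(x) = ?$; $f$; compute $f(x)$ and $\Pi$; $y = f(x)$, $\Pi$; Verify$(x, y, \Pi)$]
Table columns: operation, $f$, $x$, $y$
High-Degree Polynomial Evaluation: $f$ is $A(X) = \sum_{i=0}^{d} a_i X^i \in \mathbb{F}_p[X]$; $x \in \mathbb{F}_p$; $y = A(x) \in \mathbb{F}_p$
Large Matrix Multiplication: $f$ is $M \cdot \vec{x}$ with $M = [M_{ij}] \in \mathbb{F}_p^{n \times m}$; $\vec{x} = (x_1, x_2, \ldots, x_m)^{\top} \in \mathbb{F}_p^{m}$; $\vec{y} = (y_1, y_2, \ldots, y_n)^{\top} = M\vec{x} \in \mathbb{F}_p^{n}$
Conjunctive Keyword Search: $f$ is Search(.); $x$ is the set of keywords $\mathbb{W} = \{\omega_1, \omega_2, \ldots, \omega_n\}$; $y$ is the ID of files $F_i$ such that $\mathbb{W} \subset F_i$
[ASIACCS 2016] [SPC 2015]
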
Verifiable Polynomial Evaluation – Idea
Euclidean Division of Polynomials: $A = QB + R$
User keeps $(B, R)$; cloud receives $(A, Q)$
Request: $x$, $A(x) = ?$
Cloud computes $y = A(x)$ and $\Pi = Q(x)$, giving $y$, $\Pi$
Verify: $y = \Pi\, B(x) + R(x)$ ?
Req 1: $B$, $R$ small degree
We present here the high-level idea behind our solution for VPE, which is based on the Euclidean division of polynomials. Recall that for any polynomials $A$ and $B \neq 0$, there exists a unique pair of polynomials $(Q, R)$ such that $A = QB + R$ and $\deg R < \deg B$. We require $B$ to be of small degree ($\deg B = 2$), and the pair $(B, R)$ constitutes the only elements the user has to store. The polynomials $(A, Q)$, on the other hand, are sent to the cloud. When a user requests the cloud to compute $A(x)$ for some input $x$, the cloud computes $y = A(x)$ and the proof $\Pi = Q(x)$. Verification consists only of checking whether the equation $y = \Pi\, B(x) + R(x)$ holds. To render this simple solution viable in the context of cloud computing, we elaborate on the idea. First, the soundness of our construction relies on the secrecy of the polynomials $B$ and $R$. But since these are small-degree polynomials, their secrecy can easily be compromised with knowledge of the polynomial $Q$. To avoid this issue, the user encodes $Q$ in the exponent in a dedicated group. To empower third-party users to request computations, our solution also encodes $B$ and $R$ in the exponent. In addition, our proposal leverages bilinear pairings to let verifiers assess the correctness of the cloud results. Finally, our construction is efficient for the user, since the polynomials $B$ and $R$ are of small degree and the cost of verification is independent of the degree of the outsourced polynomial.

Verifiable Polynomial Evaluation – Details
Details of the protocol - Setup
Setup
Polynomial: $A(X) = \sum_{i=0}^{d} a_i X^i$
Euclidean Division: $A = QB + R$, with $Q(X) = \sum_{i=0}^{d-2} q_i X^i$, $B(X) = X^2 + b_0$, $R = r_1 X + r_0$
$PK_A$: $(g^{b_0}, h^{r_1}, h^{r_0})$
$EK_A$: $(A, h^{q_0}, h^{q_1}, \ldots, h^{q_{d-2}})$

Verifiable Polynomial Evaluation – Details
Details of the protocol - ProbGen, Compute
Problem Generation: $x$, $A(x) = ?$
$PK_A$: $(g^{b_0}, h^{r_1}, h^{r_0})$
$EK_A$: $(A, h^{q_0}, h^{q_1}, \ldots, h^{q_{d-2}})$
Compute: result $y = A(x)$, proof $\Pi = h^{Q(x)}$, giving $y$, $\Pi$

Verifiable Polynomial Evaluation – Details
Details of the protocol - Verify
Verify: $y$, $\Pi$, with result $y = A(x)$ and proof $\Pi = h^{Q(x)}$
$VK_x$: $VK_{x,B} = g^{B(x)}$, $VK_{x,R} = h^{R(x)}$
Check: $e(g, h^{y}) \stackrel{?}{=} e(VK_{x,B}, \Pi)\, e(g, VK_{x,R})$

Verifiable Matrix Multiplication – Idea
Auxiliary Matrices: $N = \delta M + R$, $R$ pseudo-random
User keeps $R$; cloud receives $(M, N)$
Request: $\vec{x}$, $M\vec{x} = ?$
Cloud computes $\vec{y} = M\vec{x}$ and $\vec{\Pi} = N\vec{x}$, giving $\vec{y}$, $\vec{\Pi}$
Verify: $\vec{\Pi} = \delta\,\vec{y} + R\,\vec{x}$ ?
Req 1: Projection $\vec{\lambda}\,\vec{\Pi} = \delta\,\vec{\lambda}\,\vec{y} + \vec{\lambda} R\,\vec{x}$
Req 2: Compute $\vec{\lambda} R$ beforehand ($PK_M$)
The idea behind prior solutions for VMM involves, in addition to the outsourced matrix, an auxiliary matrix $N$, which is simply the addition of the matrix $M$ and a pseudo-randomly generated matrix $R$. The secret matrix $R$ is stored by the cloud user, whereas the pair of matrices $M$ and $N$ is outsourced to the cloud. Later on, the user submits an input vector $\vec{x}$ to the cloud and requests the server to perform the multiplication $M\vec{x}$. The cloud performs the requested computation and generates a proof of correctness, which is the multiplication $N\vec{x}$. Finally, the verification consists of checking whether $\vec{\Pi} = \vec{y} + R\,\vec{x}$. The challenge is to make the verification efficient, that is, to satisfy Requirement 2 [Cost(Verify) ≪ Cost(Compute)]. In other words, the computation of the verification equation should be efficient for the verifier. Solution used by some related work: aPRFs, which make the computation of $R\,\vec{x}$ efficient. Our approach does not use aPRFs. Instead, we observe that projecting the verification equation onto a random vector $\vec{\lambda}$ reduces the complexity of the verification (compared to prior work that uses aPRFs) if the scalar product $\vec{\lambda} R$ is computed beforehand (and is part of the public key used to generate a computation request).

Conclusion
Verifiable data storage [ESORICS’14]
Based on privacy preserving watchdog lookup
Comparison with prior work: unlimited number of verifications
Verifiable computation [ASIACCS’16]
Based on simple maths: Euclidean division for polynomials; scalar product for matrices
Efficient
Publicly delegatable and verifiable
Future work
Verifiability with privacy

THANK YOU melek.onen@eurecom.fr

Verifiable Matrix Multiplication – Details
Setup
Matrix $M$
Auxiliary matrices $R$ and $N$ with $N_{ij} = g^{\lambda_i (\delta M_{ij} + R_{ij})}$
$PK_M$: $PK_j = e\bigl(\prod_{i=1}^{n} g^{\lambda_i R_{ij}},\, h\bigr)$, $1 \le j \le m$
$EK_M$: $(M, N)$
Kaoutar Elkhiyaoui, Melek Önen, Monir Azraoui, Refik Molva. Efficient Techniques for Publicly Verifiable Delegation of Computation. ASIACCS’16, Xi’an, China, May 31, 2016

Verifiable Matrix Multiplication – Details
Problem Generation: $\vec{x}$, $M\vec{x} = ?$
$EK_M$: $(M, N)$
$PK_M$: $PK_j = e\bigl(\prod_{i=1}^{n} g^{\lambda_i R_{ij}},\, h\bigr)$, $1 \le j \le m$
$VK_x$: $VK_x = \prod_{j=1}^{m} PK_j^{x_j}$
Compute: result $\vec{y} = M\vec{x}$, proof $\Pi = \prod_{i=1}^{n} \prod_{j=1}^{m} N_{ij}^{x_j}$, giving $\vec{y}$, $\Pi$

Verifiable Matrix Multiplication – Details
Verify: $\vec{y}$, $\Pi$
$VK_x$: $VK_x = \prod_{j=1}^{m} PK_j^{x_j}$
Check: $e(\Pi, h) \stackrel{?}{=} e\bigl(\prod_{i=1}^{n} g^{\lambda_i y_i},\, h^{\delta}\bigr)\, VK_x$

Verifiable Computation: Related Work
Algebraic PRFs [Benabbas et al. 2011, Fiore & Gennaro 2012]
Setup: $f$, aPRF
Problem Generation: $x$, $f(x) = ?$
Computation: compute $y = f(x)$, compute $\Pi = \mathrm{aPRF}(f(x))$, giving $y$, $\Pi$
Verification: $\mathrm{aPRF}(y) = \Pi$
Efficient verification
Construction of efficient aPRFs
Pinocchio [Parno et al. 2013]
Setup: $f$, arithmetic circuit, QAP polynomials
Problem Generation: $x$, $f(x) = ?$
Computation: evaluate circuit on $x \to y$; proof with QAP polynomials $\to \Pi$, giving $y$, $\Pi$
Verification: QAP verification based on $y$ and $\Pi$
General functions
Key size and proof generation linear with circuit size

Performance Evaluation of StealthGuard
Table columns: Scheme, Upload, Storage overhead, Proof Generation, Verification, Communication
Ateniese et al. 2008: $10^6$ exp, $10^6$ mul, 267 MB, $10^3$ PRP, $10^3$ PRF, $10^3$ exp, $10^4$ mul, $10^4$ exp, $10^4$ PRP, 316 B
Shacham and Waters 2008: $10^6$ PRF, $10^9$ mul, 51 MB, $10^4$ mul, $10^2$ mul, 3 KB
Xu et al. 2012: $10^8$ mul, $10^6$ PRF, 26 MB, $10^2$ exp, $10^5$ mul, $10^4$ PRF, 36 KB
Juels and Kaliski 2007: 30 MB, N/A, $10^4$ PRP, 33 MB
StealthGuard 2014: $10^5$ PRF, $10^5$ PRP, 8 MB, 50 MB
Annotations: Tags; Sentinels; Lighter; Smaller storage overhead; Comparable; More expensive but unbounded number of verifications

Verifiable Polynomial Evaluation – Analysis
Security
Soundness under the $\frac{d}{2}$-Strong Bilinear Diffie-Hellman assumption: given $g, g^{\alpha}, h, h^{\alpha}, \ldots, h^{\alpha^{d/2}}$, compute $\beta, h^{\frac{1}{\alpha+\beta}}$
Proof by reduction
Performance
Table: Client, Cloud; Setup, Problem Generation, Verify, Compute; $\mathcal{O}(d)$, $\mathcal{O}(1)$
Amortized model
Our solution satisfies the classic security requirements. Correctness means that a result returned by an honest server will always be accepted by the verifier. This property is easily verified. Soundness states that a server cannot make the verifier accept an incorrect result. The soundness of our construction relies on the $d/2$-Strong Bilinear Diffie-Hellman assumption. Note that the parameter $d/2$ means that our scheme can accommodate polynomials of degree higher than the ones in the scheme of SCC. In terms of performance, our protocol follows the amortized model, in which the client is required to execute a one-time preprocessing operation (Setup) which is then amortized by an unlimited number of fast verifications. On the client side, the problem generation and the verification are independent of the degree of the outsourced polynomials. The computation overhead induced by the proof generation on the client side amounts to $\mathcal{O}(d)$ operations (multiplications and exponentiations).

Verifiable Matrix Multiplication – Analysis
Security
Soundness under the co-CDH assumption: given $g, g^{\alpha}, h, h^{\beta}$, compute $g^{\alpha\beta}$
Proof by reduction
Performance
Table: Client, Cloud; Setup, Problem Generation, Verify, Compute; $\mathcal{O}(nm)$, $\mathcal{O}(m)$, $\mathcal{O}(n)$
Amortized model