1. Authentication: Owner and user OwnerUser Query: X > 6 Message m: Answer to X>6: X1, X5 Sign(m) DB

2. Authentication: Outsourcing Owner User Query: X > 6 Message m: Answer to X>6: X1, X5 ? DB Server DB Owner prepares everything that is needed for authenticating any query

3. Retrieving single value We need an individual signature for data point IDvaluesignature 11Sign(“tuple #1 is 1”) 22Sign(“tuple #2 is 2”) 33Sign(“tuple #3 is 3”) ………

4. Range query Individual signatures can be used, but inefficient User Query: X > 6 X>6: X1, X5 X1 = 10 Server X<=6: X2, X3 X2 = 2 X3 = 0X5 = 9 Number of signatures is linear to number of data points for any range query

5. Combine signatures and verify all together Aggregate signature Limitation: Must operate on messages with the same `format’ (with 1 variable only) – Example: `X1 > 6’, `X2 > 6’ – Format: `X > 6’ (X is variable) X3 = 0X4 = 0 + X3, X4 = 0

6. Range generalization X1 = 10 and X2 = 20 are of different formats `X1 is in [10, 20]’ and `X2 is in [10, 20]’ becomes the same format So, if a query is `X > 9’ or `X < 21’, we can present a signature of `X in [10, 20]’ for authentication

7. Ideal verification Query: X > 6 – Divide the data points into two groups X > 6 X<=6 Best verification cost: – All data point Xi > 6 provides a signature of `Xi in [7, ∞]’ – All data point Xj <= 6 provides a signature of `Xj in [-∞, 6]’ Answers: 2 aggregated signatures only Can be aggregated

8. Balance We provide additional signatures to reduce verification cost 6 Sign(-∞, 6)Sign(7, ∞) 7 Sign(-∞, 7)Sign(8, ∞)

9. What signatures are returned? X > a 4 signatures are returned a

10. A note on sensor paper A special case: the bit pattern represents a range – `00xxxxx’ represents the range `0000000’ to `0011111’

11. Different fanout Domain: [1, D] (Size: D) Fixed partitioning – Height (Number of signatures required per tuple): log f (D) Represents update cost and storage cost – Verification cost: O(flog f (D)) 12…f [1, f] … ………… [1, f 2 ]