Multi-file proofs of retrievability for cloud storage auditing

Bin Wang (a) and Xiaojing Hong (b)

(a) No. 196 West HuaYang Road, Information Engineering College of Yangzhou University, Yangzhou City, Jiangsu Province, 225127, P.R. China
(b) No. 5 South YangZiJiang Road, Yangzhou City, Jiangsu Province, 2250, P.R. China
E-mail: jxb76@yeah.net (a)

Abstract: Cloud storage allows clients to store a large amount of data with the help of storage service providers (SSPs). Proof-of-retrievability (POR) protocols allow a server to prove to a verifier the availability of data stored by some client. Shacham et al. presented POR protocols based on homomorphic authenticators and proved the security of their schemes under a stronger security model, which requires the existence of an extractor that retrieves the original file given the program of a successful prover. When their POR protocol with public verifiability is used to verify the availability of multiple files separately, the number of pairing operations computed by the verifier is linear in the number of files. To relieve this heavy burden on the verifier, we introduce a notion called multi-proof-of-retrievability (MPOR), which allows one verifier to verify the availability of multiple files stored by a server in one pass. We also design an MPOR protocol with public verifiability by extending the work of Shacham et al. The advantage of our MPOR scheme is that the computational overhead of the verifier is constant, independent of the number of files. Nevertheless, the soundness of our MPOR protocol is proved under a relatively weak security notion. In particular, the analysis of our MPOR protocol shows that each file can be extracted in expected polynomial time under a certain restriction on the size of the processed files.

Keywords: Cloud storage; Storage service provider; Proof-of-retrievability; Homomorphic authenticator; Public verifiability

1. Introduction

Cloud computing [13] has a deep impact on the IT industry by allowing clients to access high-quality cloud-based services in a pay-as-you-go manner. Cloud storage systems, which deliver data storage as a service over the Internet, are becoming more attractive. Amazon S3 [1], a well-known storage service, allows clients to store large amounts of data
and access their stored data from any place at low cost. One of the major challenges in cloud storage systems is how to efficiently verify whether a remote storage service provider (SSP) is faithfully storing the clients' data, since the SSP may not be trusted. Clients' data may be in danger of loss, either through data-loss incidents or through malicious deletion by an SSP that wants to save storage by deleting rarely accessed portions of the stored data. Much research has focused on proof-of-storage mechanisms that do not require downloading the whole data for verification. This kind of solution is also called storage auditing [9, 15, 17]; it allows clients to verify through cryptographic means that their data on an untrusted SSP are kept intact and ready for retrieval if needed. Some crucial system criteria for designing proof-of-storage systems can be summarized as follows [16]: (1) The computation and communication overhead of proof-of-storage protocols, and the storage overhead on the server, should be as small as possible. (2) Verifiers should be stateless, without the need to maintain state for storage auditing. (3) The most important security criterion for proof-of-storage systems requires that a verifier be convinced that the file is actually stored by the server whenever the server can pass the storage-auditing check. Early research on proof-of-storage systems lacked provable security guarantees, since no formal security models and proofs were provided. To formalize the security criterion for proof-of-storage systems, formal models and constructions were first studied by Naor et al. [14] and Juels et al. [12], using homomorphic authenticators based on message authentication codes. A file is first encoded redundantly and divided into message blocks. Each block is authenticated by a MAC tag computed by the client. The client then erases the file and sends the encoded file and the MAC tags to the server. The idea behind their protocols is that a verifier only needs to check a random subset of the message blocks stored by the server in order to decide whether the original file is correctly stored, which yields an efficient storage-audit protocol. The length of the server's response is reduced with the help of homomorphic authenticators, which aggregate the authentication tags of different message blocks.
Security for proof-of-storage systems is captured by requiring the existence of an extractor that retrieves the specified file by interacting with a server that can pass the verification of storage auditing. This security notion is also called proof-of-retrievability (POR). This
concept is similar to zero-knowledge proofs of knowledge [5]. A weaker notion called proof-of-data-possession (PDP) [3] can only guarantee that a certain percentage (e.g., 99%) of the message blocks can be recovered with high probability (e.g., 0.99). There are also some papers [4, 7, 18] considering proof-of-storage systems that support dynamic operations on the stored data. In addition, a POR protocol that supports public verifiability means that everyone can check whether a client's data are correctly stored by a server. Digital signatures can replace MAC tags to achieve public verifiability. The NR model [14] restricts a checker to accessing specific memory locations of the prover. Shacham et al. [16] strengthened the NR model by allowing an extractor black-box access to a prover program. Another distinct feature formalized by Shacham et al. in their security model [16] is that the specified file can be extracted so long as the prover program can correctly answer any small (but non-negligible) fraction of verification queries. In addition, Shacham et al. [16] designed a homomorphic authenticator based on the BLS short signature [6] to present a POR protocol with public verifiability that is secure in the random oracle model. Homomorphic authenticators reduce the response length from the server by compressing the authentication values $\{\sigma_i\}$ of blocks $\{m_i\}$ into one authenticator $\sigma$ for their linear combination $\sum_i v_i m_i$. We notice that the POR protocol with public verifiability [16] requires the verifier to compute two pairing operations to verify the response from a server during one instance of their POR protocol. This means that if one wants to verify the availability of $k$ files stored by the server separately, $2k$ pairing operations must be computed by the verifier, which is a heavy overhead when a client has a large number of files stored by that server. Motivated by the above discussion, we aim to design a multi-proof-of-retrievability (MPOR) protocol with public verifiability. In other words, our MPOR protocol allows one verifier to verify the availability of $k$ files stored by the server in one pass, while the computational overhead is independent of the parameter $k$. The idea behind our construction is to further compress the homomorphic authenticators of different files so as to reduce the computation and communication overhead. The key point of our work is to choose a proper security model for
MPOR protocols and to prove the security of our construction under it. Soundness of MPOR protocols is defined in a
relatively weak manner compared with that of POR protocols. In the multi-file setting, one invocation of the extractor algorithm can only guarantee that at least one file among the $k$ files can be recovered. The reason is that the extracted knowledge is now distributed randomly over these $k$ files. Hence we cannot guarantee that all $k$ files can be extracted by the extractor all at once in the multi-file setting. On the other hand, our analysis shows that each file can be extracted in expected polynomial time under the assumption that each file's size is of the same magnitude (e.g., digital images, office documents). So we define soundness for MPOR protocols by requiring the existence of an extractor that retrieves each file in expected polynomial time.

The rest of this paper is organized as follows. First, we describe the notation used in this paper and bilinear maps in Section 2. The syntax of MPOR schemes is introduced in Section 3, where we also define correctness and soundness for MPOR protocols. The soundness notion for MPOR protocols is relatively weak in the sense that it only requires each file to be extracted in expected polynomial time under the assumption that each file's size is of the same magnitude. In Section 4, we design an MPOR protocol with public verifiability by extending the work [16], and in Section 5 we prove that our MPOR scheme meets the soundness requirement defined in this paper. Finally, we evaluate the performance of our MPOR protocol to show that the cost of a verifier is greatly reduced compared with that of the original POR protocol [16] when verifying multiple files stored by a server.

2. Preliminaries

2.1 Notation

We use the notation $x \leftarrow_R S$ to mean that the element $x$ is chosen with uniform probability from the set $S$. If $A$ is an algorithm, then $y \leftarrow A^{O(\cdot)}(x, \ldots)$ means that $A$ has inputs $x, \ldots$, access to an oracle $O$, and the output of $A$ is assigned to $y$. Let $[n] = \{1, \ldots, n\}$.

2.2 Bilinear pairing

Given a security parameter $\lambda$, an efficient algorithm $\mathrm{PG}(1^\lambda)$ outputs $(p, e, G, G_T, g)$, where $G$ is a cyclic group of prime order $p$ generated by
$g$, with $2^{\lambda-1} < p < 2^{\lambda}$, $G_T$ is a cyclic group of the same order, and $e : G \times G \rightarrow G_T$ is an efficiently computable bilinear map with the following properties:

1. Bilinear: $e(g^a, g^b) = e(g, g)^{ab}$ for all $a, b \in \mathbb{Z}_p$.
2. Non-degenerate: $e(g, g) \neq 1_{G_T}$.

3. Definitions

3.1 Syntax of a multi-proof-of-retrievability scheme

A multi-proof-of-retrievability (MPOR) scheme consists of the following algorithms:

$\mathrm{Kg}(1^\lambda)$: Given a security parameter $\lambda$, this randomized key-generation algorithm outputs a secret/public key pair $(sk, pk)$.

$\mathrm{St}(sk, M)$: Given a secret key $sk$ and a file $M$ chosen by a client, this file-storing algorithm first encodes $M$ by applying a rate-$\rho$ erasure code [2] to obtain $M^*$, such that any $\rho$ fraction of the encoded file $M^*$ is sufficient to recover the original file $M$. Finally it outputs an authentication tag $\tau$ and some auxiliary information $aug$: $(M^*, (\tau, aug)) \leftarrow \mathrm{St}(M, sk)$, where $sk$ is the secret key of the client. $M^*$ and $aug$ will be stored on the server side; $\tau$ and $aug$ will be used in the following MPOR protocol.

The remaining part of our MPOR scheme consists of the algorithms $P$ (prover) and $MV$ (verifier). The following notation denotes one interactive execution of our MPOR protocol between the algorithms $P$ and $MV$:

$(b, \cdot) \leftarrow \langle MV(pk, \{\tau_i\}_{i \in [k]}),\ P(pk, \{M^*_1, \ldots, M^*_k\}, \{aug_i\}_{i \in [k]}) \rangle$,

where $pk$ is the public key of the client who stores the encoded files $\{M^*_1, \ldots, M^*_k\}$ on the server side. The parameter $k$ determines the number of files that can be verified simultaneously. $\{(\tau_i, aug_i)\}_{i \in [k]}$ are generated by the file-storing algorithm $\mathrm{St}(\cdot)$ for $\{M_1, \ldots, M_k\}$ respectively. The output of the verification algorithm $MV$ is a bit $b$; $b = 1$ denotes that the verifier is convinced that the original files $\{M_i\}_{i \in [k]}$ are stored correctly by the prover. Correctness of our MPOR scheme requires that an honest server can always convince a
verifier of the validity of the stored files. That is, for any $(sk, pk) \leftarrow \mathrm{Kg}(1^\lambda)$, $\{(M^*_i, (\tau_i, aug_i)) \leftarrow \mathrm{St}(M_i, sk)\}_{i \in [k]}$ and $(b, \cdot) \leftarrow \langle MV(pk, \{\tau_i\}_{i \in [k]}),\ P(pk, \{M^*_1, \ldots, M^*_k\}, \{aug_i\}_{i \in [k]}) \rangle$, we have $b = 1$.

3.2 Soundness of multi-proof-of-retrievability protocols

Soundness of MPOR protocols informally requires that if a prover can convince a verifier by passing the verification, then the original files $\{M_i\}_{i \in [k]}$ are ready for retrieval if needed. To formalize this point, an extraction algorithm is required to recover the original files $\{M_i\}_{i \in [k]}$ by interacting with the successful prover via the MPOR protocol. The following game $\mathrm{Exp}_{sound, MPOR}(A, \lambda)$ gives the formal definition of soundness of MPOR protocols.

$\mathrm{Exp}_{sound, MPOR}(A, \lambda)$

Phase 1: The challenger $C$ generates a key pair $(pk, sk) \leftarrow \mathrm{Kg}(1^\lambda)$ and provides $pk$ to $A$.

Phase 2: The adversary $A$ interacts with the challenger by making queries to a store oracle. A store query is handled by the oracle as follows.

$\mathrm{Store}(M)$ // $M$ is a file chosen by $A$
  Compute $(M^*, (\tau, aug)) \leftarrow \mathrm{St}(sk, M)$; Return $(M^*, (\tau, aug))$;

For some files $M_1, \ldots, M_k$ queried to the store oracle, which responded with $\{(\tau_i, aug_i)\}_{i \in [k]}$ respectively, $A$ makes a query to an MPOR oracle, which is handled as follows.

$\mathrm{MPOR}(\tau_1, \ldots, \tau_k)$
  The challenger $C$ runs an instance of the MPOR protocol with $A$: $(b, \cdot) \leftarrow \langle C(pk, \{\tau_1, \ldots, \tau_k\}), A \rangle$. The challenger plays the role of the verifier during this execution and outputs a bit $b$ denoting whether it is convinced that the original files are correctly stored by the adversary. Return $b$;
At the end of Phase 2, $A$ outputs the challenge set $T = \{\tau_1, \ldots, \tau_k\}$ consisting of the tags returned by the store oracle for some queries $M_1, \ldots, M_k$ respectively. The description of a prover program $P'$ is also provided by $A$. The prover program $P'$ is $\varepsilon$-admissible if it can convincingly answer an $\varepsilon$ fraction of MPOR queries, i.e., $\Pr[(b, \cdot) \leftarrow \langle MV(pk, \{\tau_1, \ldots, \tau_k\}), P' \rangle : b = 1] \geq \varepsilon$. Here the probability is over the coins of the verifier and the prover.

Phase 3: We say an MPOR scheme is $\varepsilon$-sound if there exists an efficient extraction algorithm $\mathrm{Extr}$ such that, for every adversary $A$ that plays the above game and outputs the challenge tags $\{\tau_1, \ldots, \tau_k\}$ returned by the store oracle for the queries $M_1, \ldots, M_k$ respectively, together with an $\varepsilon$-admissible prover program $P'$, at the end of Phase 2, then for each $i \in [k]$ the extraction algorithm $\mathrm{Extr}$ recovers the file $M_i$ in expected polynomial time by interacting with $P'$ via the MPOR protocol. That is, $\mathrm{Extr}^{P'(\cdot)}(pk, \{\tau_1, \ldots, \tau_k\}, i) = M_i$ occurs in expected polynomial time except with negligible probability.

4. Our multi-proof-of-retrievability scheme

Let $\Sigma = (\mathrm{SKg}, \mathrm{SSig}, \mathrm{SVer})$ be a digital signature scheme.

$\mathrm{Kg}(1^\lambda)$: Generate a signing key pair $(ssk, spk) \leftarrow \mathrm{SKg}(1^\lambda)$ with the key-generation algorithm of $\Sigma$. Choose $\alpha \leftarrow_R \mathbb{Z}_p$ and compute $v = g^\alpha$. The secret key is $sk = (\alpha, ssk)$. The public key is $pk = (v, spk)$.

$\mathrm{St}(sk, M)$: Given a file $M$ chosen by a client, this file-storing algorithm first chooses a random file-name $f$ from a large domain. The collision probability over file names is negligible when the domain is large enough. Next, apply an erasure code to $M$ to obtain $M^*$ and split $M^*$ into $n$ message blocks $\{m_i\}_{i \in [n]}$. Parse the secret key of the client as $sk = (\alpha, ssk)$ and pick a random $u \leftarrow_R G$. Let $\tau_0 = f \| n \| u$ and
compute a signature as the authentication tag, $\sigma_0 \leftarrow \mathrm{SSig}(ssk, \tau_0)$, with the signing algorithm of $\Sigma$, and set $\tau = \tau_0 \| \sigma_0$. For $i \in [n]$, it computes $aug_i = (H(f \| i) \cdot u^{m_i})^{\alpha}$. The encoded file $M^*$ and $\{aug_i\}_{i \in [n]}$ will be stored on the server side.

One interactive execution of our MPOR protocol between the algorithms $P$ (prover) and $MV$ (verifier) can be described as follows:

(1) First, the verifier $MV$ sends an MPOR query $Q$ to the prover $P$: $Q = \{P_1 \| Q_1, \ldots, P_k \| Q_k\}$, $P_i = (\lambda_i \leftarrow_R \mathbb{Z}_p, f_i)$, $Q_i = \{(j, v_j)\}$ with distinct $j \leftarrow_R [n_i]$ and each coefficient $v_j \leftarrow_R \mathbb{Z}_p$, where $pk$ is the public key of the client, $f_i$ is the file-name of the file $M_i$ and $n_i$ is the number of message blocks of the encoded file $M^*_i$. The size of each set $Q_i$ is a fixed system parameter $s$.

(2) Having received the query $Q$, the prover algorithm $P(pk, Q, \{M^*_i\}_{i \in [k]}, \{aug_{i,j}\})$ responds as follows. First it parses each $M^*_i$ as blocks $\{m_{i,j}\}_{j \in [n_i]}$. Then it computes:

$\mu_i = \sum_{(j, v_j) \in Q_i} v_j m_{i,j}$, $\quad \mu = (\mu_1, \ldots, \mu_i, \ldots, \mu_k)$,

$\sigma_i = \prod_{(j, v_j) \in Q_i} aug_{i,j}^{v_j}$, $\quad \sigma = \prod_{i \in [k]} \sigma_i^{\lambda_i}$.

The prover $P$ sends the response $(\mu, \sigma)$ to the verifier.

(3) Having received the response $(\mu, \sigma)$, the verification algorithm $MV(pk, \{\tau_1, \ldots, \tau_k\}, (\mu, \sigma))$ proceeds as follows. First it parses $pk = (v, spk)$ and the authentication tags $\tau_i = \tau_{i,0} \| \sigma_{i,0}$, $i \in [k]$. If for some $i$ the signature verification algorithm $\mathrm{SVer}(spk, \tau_{i,0}, \sigma_{i,0})$ outputs 0, then it outputs $b = 0$. Otherwise, parse $\tau_{i,0}$ as $f_i \| n_i \| u_i$, and the vector $\mu$ as $(\mu_1, \ldots, \mu_i, \ldots, \mu_k)$. If the following equation holds, output $b = 1$; otherwise output $b = 0$.
$e(\sigma, g) = e\left(\prod_{i \in [k]} \Big(\prod_{(j, v_j) \in Q_i} H(f_i \| j)^{v_j}\Big)^{\lambda_i} \cdot \prod_{i \in [k]} u_i^{\lambda_i \mu_i},\ v\right)$.

It is easy to verify the correctness of our MPOR scheme as follows:

$\sigma = \prod_{i \in [k]} \sigma_i^{\lambda_i} = \prod_{i \in [k]} \Big(\prod_{(j, v_j) \in Q_i} aug_{i,j}^{v_j}\Big)^{\lambda_i} = \prod_{i \in [k]} \Big(\prod_{(j, v_j) \in Q_i} \big(H(f_i \| j) \cdot u_i^{m_{i,j}}\big)^{\alpha v_j}\Big)^{\lambda_i}$

$= \prod_{i \in [k]} \Big(\prod_{(j, v_j) \in Q_i} H(f_i \| j)^{v_j}\Big)^{\alpha \lambda_i} \cdot \prod_{i \in [k]} u_i^{\alpha \lambda_i \sum_{(j, v_j) \in Q_i} v_j m_{i,j}} = \Big(\prod_{i \in [k]} \Big(\prod_{(j, v_j) \in Q_i} H(f_i \| j)^{v_j}\Big)^{\lambda_i} \cdot \prod_{i \in [k]} u_i^{\lambda_i \mu_i}\Big)^{\alpha}$.

The above result means

$e(\sigma, g) = e\left(\Big(\prod_{i \in [k]} \big(\prod_{(j, v_j) \in Q_i} H(f_i \| j)^{v_j}\big)^{\lambda_i} \cdot \prod_{i \in [k]} u_i^{\lambda_i \mu_i}\Big)^{\alpha},\ g\right) = e\left(\prod_{i \in [k]} \big(\prod_{(j, v_j) \in Q_i} H(f_i \| j)^{v_j}\big)^{\lambda_i} \cdot \prod_{i \in [k]} u_i^{\lambda_i \mu_i},\ v\right)$.

Remark: The verifier chooses an MPOR query as $Q = \{P_1 \| Q_1, \ldots, P_k \| Q_k\}$, $P_i = (\lambda_i \leftarrow_R \mathbb{Z}_p, f_i)$, $Q_i = \{(j, v_j)\}$ with distinct indices $j \leftarrow_R [n_i]$ and each coefficient $v_j \leftarrow_R \mathbb{Z}_p$. The size of each set $Q_i$ is a fixed system parameter $s$ such that $ks < N$. Let $N_0 = 0$, $N_i = \sum_{l \in [i]} n_l$ and $N = N_k$. A vector notation for the $s$-element set $Q_i = \{(j, v_j)\}$ over the indices $I_i = \{j\} \subset [n_i]$ is the $N$-element vector $q_i \in (\mathbb{Z}_p)^N$ such that $q_{i, j + N_{i-1}} = v_j$ for $j \in I_i$ and $q_{i, j} = 0$ for all $j \notin I_i + N_{i-1}$, where $I_i + N_{i-1} = \{j + N_{i-1} : j \in I_i\}$. Given the $ks$-element set $I = \bigcup_{i \in [k]} (I_i + N_{i-1}) \subset [N]$, the query $Q$ can be regarded as chosen over the indices $I \subset [N]$. The joint coefficient vector notation for the query $Q$ is
the $N$-element vector $q = \sum_{i \in [k]} \sum_{(j, v_j) \in Q_i} v_j\, c_{j + N_{i-1}}$, where $c_1, \ldots, c_N$ is the canonical basis of $(\mathbb{Z}_p)^N$. Recall that the honest response $(\mu, \sigma)$ for the query $Q$ satisfies

$\mu_i = \sum_{(j, v_j) \in Q_i} v_j m_{i,j}$, $\quad \mu = (\mu_1, \ldots, \mu_i, \ldots, \mu_k)$, $\quad \sigma_i = \prod_{(j, v_j) \in Q_i} aug_{i,j}^{v_j}$, $\quad \sigma = \prod_{i \in [k]} \sigma_i^{\lambda_i}$.

We can view the message blocks of these $k$ files as an $N \times k$ matrix $H = [h_1, \ldots, h_k]$ with $h_i = (0, (m_{i,1}, \ldots, m_{i,n_i}), 0)^T$, where each column vector $h_i$ holds the message blocks of $M^*_i$ in positions $N_{i-1} + 1, \ldots, N_i$ and zeros elsewhere. We can then equivalently write the response $\mu$ as the vector $qH \in (\mathbb{Z}_p)^k$, where $q$ is the joint coefficient vector of the query $Q$.

5. Security proofs

We prove the security of our MPOR scheme by a series of games. Game 0 is exactly the same as $\mathrm{Exp}_{sound, MPOR}(A, \lambda)$ with the following modification. The challenger initially sets a flag $d = 0$ and keeps a table of the store queries made by the adversary and its responses to these queries. Based on the table and one MPOR query $Q$, the challenger is able to determine the deterministic response $(\mu, \sigma)$ that the honest prover algorithm would return. Having received the response $(\mu', \sigma')$ returned by the adversary acting as a prover in one execution of our MPOR protocol, $(b, \cdot) \leftarrow \langle C(pk, \{\tau_1, \ldots, \tau_k\}), A \rangle$, the challenger sets $d = 1$ if the verification algorithm $MV(pk, \{\tau_1, \ldots, \tau_k\}, \mu', \sigma')$ outputs $b = 1$ for all executions; otherwise the challenger sets $d = 0$. Let $\varepsilon_0$ denote $\Pr[d = 1]$ in Game 0. The above modification to Game 0 does not change the view of the adversary.
Game 1 is almost the same as Game 0. The challenger keeps a list of the authentication tags it generated while handling queries to the store oracle. If any tag submitted by the adversary can be verified as valid but is not on the list of tags generated by the challenger, the challenger aborts. The major modifications are the following boxed statements.

Phase 1: The challenger $C$ initializes an empty list $slist$ and generates a key pair $(pk, sk) \leftarrow \mathrm{Kg}(1^\lambda)$, where $sk = (\alpha, ssk)$ and $pk = (v, spk)$. $C$ provides $pk$ to $A$. The adversary $A$ interacts with the challenger by making queries. The store and MPOR queries are handled as follows.

$\mathrm{Store}(M)$ // $M$ is a file chosen by $A$
  Compute $(M^*, \tau, \{aug_i\}) \leftarrow \mathrm{St}(sk, M)$; Parse $\tau$ as $\tau_0 \| \sigma_0$ and set $slist = slist \cup \{\tau_0\}$; Return $(M^*, \tau, \{aug_i\})$;

$\mathrm{MPOR}(\tau_1, \ldots, \tau_k)$
  If there is a $\tau \in \{\tau_1, \ldots, \tau_k\}$ such that $\tau = \tau_0 \| \sigma_0$ verifies as a valid signature and $\tau_0 \notin slist$, the challenger aborts. Otherwise $C$ runs an instance of the MPOR protocol with $A$: $(b, \cdot) \leftarrow \langle C(pk, \{\tau_1, \ldots, \tau_k\}), A \rangle$. Return $b$;

Finally, $A$ outputs the challenge set $T = \{\tau_1, \ldots, \tau_k\}$ consisting of tags returned by the store oracle for some queries $M_1, \ldots, M_k$ respectively. The description of a prover program $P'$ is also provided by $A$. If there is a $\tau \in \{\tau_1, \ldots, \tau_k\}$ such that $\tau = \tau_0 \| \sigma_0$ verifies as a valid signature and $\tau_0 \notin slist$, the challenger aborts. The rest of Game 1 is left unchanged.

Claim 1: $|\varepsilon_0 - \varepsilon_1|$ is negligible under the assumption that the signature scheme $\Sigma$ is existentially unforgeable under chosen-message attack [11].

Proof: It is obvious that Game 0 and Game 1 proceed identically unless the event $E_1$ occurs, namely that some tag submitted by the adversary verifies as a valid signature but is not on the list of
authentication tags generated by the challenger. Hence $|\varepsilon_0 - \varepsilon_1| \leq \Pr[E_1]$. If this event happens with non-negligible probability, we can construct an adversary $B$ against the unforgeability of the signature scheme $\Sigma$. $B$ takes a signing public key $spk \leftarrow \mathrm{SKg}(1^\lambda)$ as input and is given access to a signing oracle $\mathrm{SSig}_{ssk}(\cdot)$. $B$ picks a random $\alpha$ and sets the secret key $sk = (\alpha, \bot)$ and the public key $pk = (v = g^\alpha, spk)$. It is clear that $B$ can simulate the view of $A$ in Game 1 perfectly with the help of the signing oracle. If the event $E_1$ happens, $B$ simply outputs the tag submitted by $A$ as its forgery against the signature scheme $\Sigma$.

Game 2 is almost the same as Game 1. The challenger in Game 2 verifies the response from the adversary during each execution of our MPOR protocol in a way that differs from the standard verification algorithm $MV(\cdot)$. Recall that, by the modification in Game 1, the challenger can determine the deterministic response $(\mu, \sigma)$ that the honest prover algorithm $P(\cdot)$ would return for a given MPOR query. Let $(\mu', \sigma')$ be the response returned by the adversary in one execution of our MPOR protocol $(b, \cdot) \leftarrow \langle MV(pk, \{\tau_1, \ldots, \tau_k\}), A \rangle$. The challenger aborts if there is at least one execution in which $MV(pk, \{\tau_1, \ldots, \tau_k\}, \mu', \sigma')$ outputs $b = 1$ and $\sigma' \neq \sigma$.

Claim 2: $|\varepsilon_2 - \varepsilon_1|$ is negligible under the CDH assumption.

Proof: Game 2 differs from Game 1 only when the response from the adversary in one execution of our MPOR protocol passes the verification but is not equal to the correct response of the honest prover algorithm. Let $E_2$ denote the event that the adversary passes the verification in one execution of our MPOR protocol but $\sigma' \neq \sigma$. Game 2 differs from Game 1 only when $E_2$ happens, hence $|\varepsilon_2 - \varepsilon_1| \leq \Pr[E_2]$. If $\Pr[E_2]$ is non-negligible, we can construct a simulator that solves the CDH problem in the random oracle model. The simulator $S$ takes an instance $(g, g^\alpha, h = g^\beta)$ of the CDH problem as input and
simulates the environment of Game 2 for the adversary $A$ as follows. $S$ generates a signing key pair by running $(ssk, spk) \leftarrow \mathrm{SKg}(1^\lambda)$ and sets $v = g^\alpha$, which implicitly defines the secret key $sk = (\alpha, ssk)$ and the public key $pk = (v, spk)$. $S$ provides $pk$ to $A$. To respond to each query issued to the random oracle $H(\cdot)$, $S$ first parses it as $f \| i$ and programs the response of $H(\cdot)$ as described below. To respond to each query $M$ issued to the store oracle, $S$ first chooses a random file-name $f$, encodes $M$ to obtain $M^*$ and splits it into $n$ blocks $\{m_i\}_{i \in [n]}$. $S$ sets $u = g^{\beta_f} h^{\gamma_f}$ with fresh $\beta_f, \gamma_f \leftarrow_R \mathbb{Z}_p$ for this file. $S$ picks $r_i \leftarrow_R \mathbb{Z}_p$ and programs the response of $H(f \| i)$ as $H(f \| i) = g^{r_i} \cdot (g^{\beta_f} h^{\gamma_f})^{-m_i}$. At this point, $S$ computes $aug_i$, $i \in [n]$, as follows:

$aug_i = (H(f \| i) \cdot u^{m_i})^{\alpha} = \big(g^{r_i} (g^{\beta_f} h^{\gamma_f})^{-m_i} \cdot (g^{\beta_f} h^{\gamma_f})^{m_i}\big)^{\alpha} = (g^{r_i})^{\alpha} = (g^{\alpha})^{r_i}$,

so $S$ can compute $aug_i$ as $(g^\alpha)^{r_i}$ without knowing $\alpha$. $S$ computes $\tau$ according to the specification of the file-storing algorithm $\mathrm{St}(\cdot)$ using the signing key and returns $(M^*, \tau, \{aug_i\})$ to $A$. $S$ interacts with $A$ until the event $E_2$ happens. Assume that $Q = \{P_1 \| Q_1, \ldots, P_k \| Q_k\}$, $P_i = (\lambda_i, f_i)$, $Q_i = \{(j, v_j)\}$ is the MPOR query issued by the verifier in one execution of our MPOR protocol for the encoded files $M^*_1, \ldots, M^*_k$, and write $u_i = g^{\beta_i} h^{\gamma_i}$ for the value $u$ chosen for the file with name $f_i$. Let the response returned by the adversary as a prover to this query be $(\mu', \sigma')$. Let $(\mu, \sigma)$ be the deterministic response returned by the honest prover algorithm for the query $Q$, which satisfies $\mu = (\mu_1, \ldots, \mu_i, \ldots, \mu_k)$, $\sigma = \prod_{i \in [k]} \sigma_i^{\lambda_i}$,
$\mu_i = \sum_{(j, v_j) \in Q_i} v_j m_{i,j}$, $\quad \sigma_i = \prod_{(j, v_j) \in Q_i} aug_{i,j}^{v_j}$,

$e(\sigma, g) = e\left(\prod_{i \in [k]} \big(\prod_{(j, v_j) \in Q_i} H(f_i \| j)^{v_j}\big)^{\lambda_i} \cdot \prod_{i \in [k]} u_i^{\lambda_i \mu_i},\ v\right)$.

When $E_2$ happens, $(\mu', \sigma')$ also passes the verification, so with $\mu' = (\mu'_1, \ldots, \mu'_i, \ldots, \mu'_k)$ the following holds:

$e(\sigma', g) = e\left(\prod_{i \in [k]} \big(\prod_{(j, v_j) \in Q_i} H(f_i \| j)^{v_j}\big)^{\lambda_i} \cdot \prod_{i \in [k]} u_i^{\lambda_i \mu'_i},\ v\right)$.

Let $\Delta\sigma = \sigma' / \sigma$ and $\Delta\mu_i = \mu'_i - \mu_i$, $i \in [k]$. If $\mu'_i = \mu_i$ for all $i$, it follows from the verification equation that $\sigma' = \sigma$. Consequently, $\Delta\mu_i \neq 0$ holds for at least one position $i$ by the assumption $\sigma' \neq \sigma$. Dividing the two equations gives

$e(\sigma' / \sigma, g) = e\left(\prod_{i \in [k]} u_i^{\lambda_i \Delta\mu_i},\ v\right) = e\left(\prod_{i \in [k]} (g^{\beta_i} h^{\gamma_i})^{\lambda_i \Delta\mu_i},\ v\right)$.

Rearranging terms yields

$e\left((\sigma' / \sigma) \cdot v^{-\sum_{i \in [k]} \beta_i \lambda_i \Delta\mu_i},\ g\right) = e(h, v)^{\sum_{i \in [k]} \gamma_i \lambda_i \Delta\mu_i}$.

As $v = g^\alpha$ and $h = g^\beta$, the solution $g^{\alpha\beta}$ to the CDH problem can be written as $\big((\sigma' / \sigma) \cdot v^{-\sum_i \beta_i \lambda_i \Delta\mu_i}\big)^{1 / \sum_i \gamma_i \lambda_i \Delta\mu_i}$ unless $\sum_{i \in [k]} \gamma_i \lambda_i \Delta\mu_i$ equals zero. For any fixed sequence $\{\Delta\mu_i\}_{i \in [k]}$ that is not all zero, the probability that $\sum_{i \in [k]} \gamma_i \lambda_i \Delta\mu_i = 0$ is $1/p$, since each $\gamma_i$ chosen by the simulator is uniformly distributed over $\mathbb{Z}_p$ and hidden from the adversary's view: $u_i = g^{\beta_i} h^{\gamma_i}$ reveals no information about $\gamma_i$. Hence the success probability of $S$ in solving the CDH problem is at least $\Pr[E_2]$, up to the $1/p$ failure probability above.

The challenger in Game 3 verifies the response from the adversary during each execution of our MPOR protocol in a way that differs from Game 2. Given an MPOR query $Q$, let $(\mu, \sigma)$ be the deterministic response returned by the honest prover algorithm for the query
$Q$ and let $(\mu', \sigma')$ be the response returned by the adversary in one execution of our MPOR protocol. The challenger parses $\mu'$ as $(\mu'_1, \ldots, \mu'_i, \ldots, \mu'_k)$ and aborts if $\mu' \neq \mu$, where $\mu_i = \sum_{(j, v_j) \in Q_i} v_j m_{i,j}$, $i \in [k]$.

Claim 3: $|\varepsilon_3 - \varepsilon_2|$ is negligible under the discrete logarithm assumption.

Proof: Game 3 differs from Game 2 only when the response from the adversary in one of the MPOR protocol executions causes the challenger to abort as specified. Let $E_3$ denote the event that the adversary, acting as a prover in one execution of our MPOR protocol, passes the verification but $\mu'_i \neq \sum_{(j, v_j) \in Q_i} v_j m_{i,j}$ for some $i \in [k]$. Game 3 differs from Game 2 only when $E_3$ happens, hence $|\varepsilon_3 - \varepsilon_2| \leq \Pr[E_3]$. If $\Pr[E_3]$ is non-negligible, we can construct a simulator that solves the discrete logarithm problem. The simulator $S$ takes an instance $(g, h = g^\beta)$ of the discrete logarithm problem as input and simulates the environment of Game 3 for the adversary $A$ as follows. $S$ generates a signing key pair $(ssk, spk) \leftarrow \mathrm{SKg}(1^\lambda)$ and picks $\alpha \leftarrow_R \mathbb{Z}_p$. Let $v = g^\alpha$, which defines the secret key $sk = (\alpha, ssk)$ and the public key $pk = (v, spk)$. $S$ provides $pk$ to $A$. To respond to each query $M$ issued to the store oracle, $S$ first chooses a random file-name $f$ from a large domain, encodes $M$ to obtain $M^*$ and splits it into $n$ blocks $\{m_i\}_{i \in [n]}$. $S$ sets $u = g^{\beta_f} h^{\gamma_f}$ with fresh $\beta_f, \gamma_f \leftarrow_R \mathbb{Z}_p$ for this file; the rest of the store response is computed honestly, since $S$ knows $\alpha$. $S$ interacts with the adversary until the event $E_3$ happens. Assume $Q = \{P_1 \| Q_1, \ldots, P_k \| Q_k\}$, $P_i = (\lambda_i, f_i)$, $Q_i = \{(j, v_j)\}$ is the MPOR query issued by the verifier in one execution of our MPOR protocol for the files $M^*_1, \ldots, M^*_k$, and write $u_i = g^{\beta_i} h^{\gamma_i}$ for the value $u$ of the file with name $f_i$. The response returned by the adversary to this query is $(\mu', \sigma')$. Let $(\mu, \sigma)$ be the deterministic response returned by the honest prover algorithm for the query $Q$.
According to the proof for Game 2, we know that $\sigma' = \sigma$ except with negligible probability $\mathrm{neg}(\lambda)$. Under this assumption, the verification equation gives

$e(\sigma, g) = e\left(\prod_{i \in [k]} \big(\prod_{(j, v_j) \in Q_i} H(f_i \| j)^{v_j}\big)^{\lambda_i} \cdot \prod_{i \in [k]} u_i^{\lambda_i \mu_i},\ v\right)$,

$e(\sigma', g) = e\left(\prod_{i \in [k]} \big(\prod_{(j, v_j) \in Q_i} H(f_i \| j)^{v_j}\big)^{\lambda_i} \cdot \prod_{i \in [k]} u_i^{\lambda_i \mu'_i},\ v\right)$.

Taking $\sigma = \sigma'$, we conclude $\prod_{i \in [k]} u_i^{\lambda_i \mu_i} = \prod_{i \in [k]} u_i^{\lambda_i \mu'_i}$, which means

$\prod_{i \in [k]} (g^{\beta_i} h^{\gamma_i})^{\lambda_i \mu_i} = \prod_{i \in [k]} (g^{\beta_i} h^{\gamma_i})^{\lambda_i \mu'_i}$.

Let $\Delta\mu_i = \mu'_i - \mu_i$, $i \in [k]$; $\Delta\mu_i \neq 0$ holds for at least one position by the assumption $\mu'_i \neq \sum_{(j, v_j) \in Q_i} v_j m_{i,j}$. If $\sum_{i \in [k]} \gamma_i \lambda_i \Delta\mu_i \neq 0 \bmod p$, then, because $h^{\sum_i \gamma_i \lambda_i \Delta\mu_i} = g^{-\sum_i \beta_i \lambda_i \Delta\mu_i}$, the discrete logarithm is $\beta = -\dfrac{\sum_{i \in [k]} \beta_i \lambda_i \Delta\mu_i}{\sum_{i \in [k]} \gamma_i \lambda_i \Delta\mu_i} \bmod p$. As before, for any fixed sequence $\{\Delta\mu_i\}_{i \in [k]}$ that is not all zero, the probability that $\sum_{i \in [k]} \gamma_i \lambda_i \Delta\mu_i$ equals zero is $1/p$. Hence the success probability of $S$ in solving the discrete logarithm problem is at least $\Pr[E_3] - \mathrm{neg}(\lambda)$, up to the $1/p$ failure probability.

The response of the adversary in Game 3 is forced to be the same as that output by the honest prover algorithm of our MPOR protocol. A well-behaved prover program $P'$ causes the verification algorithm $MV(\cdot)$ to accept in each execution of the MPOR protocol by responding with the $(\mu, \sigma)$ computed by the honest prover algorithm. Claims 1 to 3 show that any adversary that wins the game $\mathrm{Exp}_{sound, MPOR}(A, \lambda)$ is well-behaved except with negligible probability. In the following, we show that extraction succeeds by interacting
with a well-behaved prover program.

Definition 1: Given an MPOR query $Q$ as input, a polite prover program $\hat{P}$ outputs either the correct response computed by the honest prover algorithm or a special symbol $\bot$. If $\hat{P}$ outputs the correct response with probability at least $\varepsilon$, we call $\hat{P}$ an $\varepsilon$-polite prover program.

An $\varepsilon$-well-behaved prover program $P'$ can be transformed into an $\varepsilon$-polite prover program $\hat{P} = \hat{P}^{P'}(\cdot)$ with black-box access to $P'$. Having received an MPOR query $Q$ from a verifier, $\hat{P}$ plays the role of the verifier towards $P'$ by forwarding the query $Q$ to $P'$. Having received the response $(\mu', \sigma')$ from $P'$, $\hat{P}$ outputs $(\mu', \sigma')$ if and only if the verification algorithm $MV(pk, \{\tau_1, \ldots, \tau_k\}, (\mu', \sigma'))$ outputs 1; otherwise $\hat{P}$ outputs $\bot$. $\hat{P}$ provides $P'$ with fresh randomness and rewinds it for each interaction. As $P'$ is an $\varepsilon$-well-behaved prover program, $\hat{P}$ is $\varepsilon$-polite. Note that the tags $\{\tau_1, \ldots, \tau_k\}$ returned for the store queries allow $\hat{P}$ to verify the correctness of $(\mu', \sigma')$.

Let $N = \sum_{i \in [k]} n_i$. For a subspace $\Psi$ of $(\mathbb{Z}_p)^N$ built from the responses of $\hat{P}$, denote the dimension of $\Psi$ by $\dim \Psi$. Let $\mathrm{Free}_\Psi$ be the set of indices of the canonical basis vectors $\{c_i\} \subset (\mathbb{Z}_p)^N$ contained in $\Psi$; in other words, $\mathrm{Free}_\Psi = \{i \in [N] : c_i \in \Psi\}$.

Lemma 1 [16, Claim 4.6]: Let $\Psi$ be a subspace of $(\mathbb{Z}_p)^N$ and let $I$ be a $ks$-element subset of $[N]$. If $I \not\subseteq \mathrm{Free}_\Psi$, then a random MPOR query $Q$ over the indices $I$ whose coefficient vector satisfies $q \in \Psi$ occurs with probability at most $1/p$.

Lemma 2 [16, Claim 4.7]: Let $\#(\mathrm{Free}_\Psi) = m$. For a random $ks$-element subset $I$ of $[N]$, the probability that $I \subseteq \mathrm{Free}_\Psi$ is at most $\dfrac{m^{ks}}{(N - ks + 1)^{ks}}$.

Theorem 1: Suppose that $\hat{P}$ is an $\varepsilon$-polite prover program and let
$\omega = \dfrac{1}{p} + \dfrac{(\rho N)^{ks}}{(N - ks + 1)^{ks}}$. If $\varepsilon > \omega$, then for each file $M_i$, $i \in [k]$, the expected time to recover at least a $\rho$ fraction of it is $O\!\left(k\left(\dfrac{(1 + \varepsilon N^2)\rho N}{\varepsilon - \omega} + t^2\right)\right)$, where $t$ is the number of MPOR queries issued to the prover program by the extractor during one round of interaction.

Proof: The $t$ MPOR query-response pairs obtained during one round of interaction with the prover program $\hat{P}$ contribute the following to the extractor's knowledge of the encoded files $M^*_1, \ldots, M^*_k$:

$q^{(1)} H = \mu^{(1)}, \ \ldots, \ q^{(t)} H = \mu^{(t)}$,

where $H$ is the matrix constructed from the encoded files $M^*_1, \ldots, M^*_k$ described at the end of Section 4. We rewrite the above as $VH = W$, where $V$ is the $t \times N$ matrix whose row vectors are the $t$ coefficient vectors $\{q^{(l)}\}_{l \in [t]}$ of the MPOR queries and $W$ is the $t \times k$ matrix whose row vectors are the $t$ corresponding MPOR responses $\{\mu^{(l)}\}_{l \in [t]}$. The matrix $V$ can be reduced to a matrix $G = UV$ in row-reduced echelon form, where $U$ is a $t \times t$ matrix with nonzero determinant computed by applying Gaussian elimination to $V$. The extractor's knowledge during the above interaction can be represented by the matrices $G, U, V, W$, where $G$ is in row-reduced echelon form. The subspace generated by the rows of $G$ is denoted by $\Psi$. The extractor's knowledge space is initially empty. The extractor repeats the following behavior until $\#(\mathrm{Free}_\Psi) \geq \rho N$. The extractor chooses, with its own random coins, a random MPOR query $Q$ over indices $I \subset [N]$ with coefficient vector $q$ and runs the $\varepsilon$-polite $\hat{P}$ on $Q$. $\hat{P}$ answers with the correct response $\mu = qH$ with probability $\varepsilon$. We consider the following three types of query:

1. $q \notin \Psi$: For queries of this type, the extractor extends its knowledge as follows. It adds the row vector $q$ to the current matrix $V$, obtaining $V'$, and adds the response vector $\mu$ to the existing matrix $W$, obtaining $W'$. It also computes $G' = U'V'$ in row-reduced echelon form. $G', U', V', W'$ represent the updated
knowledge of the extractor.

2. $q \in \Psi$ but $I \not\subseteq \mathrm{Free}_\Psi$.

3. $I \subseteq \mathrm{Free}_\Psi$.

For queries of type 2 or 3, the extractor does not update its knowledge and continues its current interaction with the prover program $\hat{P}$. A query of type 1 increases $\dim \Psi$ by 1. The extractor's interaction with $\hat{P}$ is guaranteed to terminate once the number of queries of type 1 exceeds $\rho N$. By Lemma 1, queries of type 2 make up at most a $1/p$ fraction, since

$\Pr_Q[Q \text{ is of type 2}] = \Pr_Q[q \in \Psi \wedge I \not\subseteq \mathrm{Free}_\Psi] = \Pr_Q[q \in \Psi \mid I \not\subseteq \mathrm{Free}_\Psi] \cdot \Pr_Q[I \not\subseteq \mathrm{Free}_\Psi] \leq \Pr_Q[q \in \Psi \mid I \not\subseteq \mathrm{Free}_\Psi] \leq 1/p$.

Assume $\#(\mathrm{Free}_\Psi) = m$. For a random $ks$-element subset $I$ of $[N]$, the probability that $I \subseteq \mathrm{Free}_\Psi$ is at most $m^{ks} / (N - ks + 1)^{ks}$ by Lemma 2. By the convention set for the extractor, $m < \rho N$, so this quantity is at most $(\rho N)^{ks} / (N - ks + 1)^{ks}$. Therefore the fraction of queries of type 2 or 3 is at most $\omega = \dfrac{1}{p} + \dfrac{(\rho N)^{ks}}{(N - ks + 1)^{ks}}$. As $\hat{P}$ is an $\varepsilon$-polite prover program, it answers at least an $\varepsilon$ fraction of the queries. Therefore, a random MPOR query chosen by the extractor is of type 1 with probability at least $\varepsilon - \omega$. To obtain $\rho N$ queries of type 1, the extractor carries out $O\!\left(\dfrac{\rho N}{\varepsilon - \omega}\right)$ interactions with $\hat{P}$ in this round. As the matrix $G$ is in row-reduced echelon form, it is possible to determine whether a query $Q$ that $\hat{P}$ has answered is of type 1: the extractor adds the coefficient vector $q$ of $Q$ to the current matrix $V$ and applies Gaussian elimination to $V$ to obtain $G$, which takes $O(N^2)$ time [8]. If the newly added row is not all zeros, then $q$ is of type 1. As Gaussian elimination only needs to be applied to the (at most) $\varepsilon$ fraction of queries answered correctly by $\hat{P}$, the running time of the extractor in this phase is $O\!\left(\dfrac{(1 + \varepsilon N^2)\rho N}{\varepsilon - \omega}\right)$. On the other hand, when this phase has finished, the knowledge of the extractor consists
of the matrices $G, U, V, W$ such that $VH = W$ and $G = UV$, with $G$ in row-reduced echelon form. The number of free indices of the subspace $\Psi$ spanned by $G$ is at least $\rho N$ by the convention set for the extractor. For each $l \in \mathrm{Free}_\Psi$ there must be a row of $G$, say row $t_l$, that equals the canonical basis vector $c_l \in (\mathbb{Z}_p)^N$, since $G$ is in row-reduced echelon form. Multiplying both sides of $VH = W$ by $U$, we obtain $GH = UW$. For each index $i \in [k]$ we define the set $G_i = \{l : l \in \mathrm{Free}_\Psi, N_{i-1} < l \leq N_i\}$. As the number of indices in $\mathrm{Free}_\Psi$ is at least $\rho N$, there exists at least one index $i$ such that $\#(G_i) \geq \rho n_i$ by the pigeonhole principle. Recall that $H = [h_1, \ldots, h_k]$ with $h_i = (0, (m_{i,1}, \ldots, m_{i,n_i}), 0)^T$. The inner products between the canonical vectors $c_l$, $l \in G_i$, and the corresponding column vector $h_i$ recover at least a $\rho$ fraction of the encoded file $M^*_i$, and these values can be read off the product $UW$. This computation takes $O(t^2)$ time [8].

In the following, we analyze the probability of the event $F_i$: $\#(G_i) \geq \rho n_i$, for a given index $i \in [k]$. First we consider the complementary event $\#(G_i) < \rho n_i$ for the given index $i$. As mentioned above, we assume that each file's size is of the same magnitude. For ease of analysis, we further assume $n_1 = \cdots = n_k = b$; for instance, files of the same magnitude can be padded redundantly before encoding. The probability $\Pr[\#(G_i) < \rho b]$ is a sum over $j < \rho b$ of terms in $N = kb$, $b$, $\rho N$ and $\rho b$; it depends only on the values of $j$, $b$ and $\rho$ and is independent of the choice of $i$. As $\Pr[F_1 \vee \cdots \vee F_k] = 1$, we have $1 \leq \Pr[F_1] + \cdots + \Pr[F_k]$ by the union bound. We
know that $\Pr[F_i]$ is the same for every $i \in [k]$. Hence the extractor recovers at least a $\rho$ fraction of the encoded file $M^*_i$ with probability at least $1/k$ during this phase. This means that at least a $\rho$ fraction of the file $M^*_i$ can be recovered by running the extractor algorithm for $k$ rounds on average, where the extractor rewinds the $\varepsilon$-polite prover $\hat{P}$ with fresh coins before each interaction. In conclusion, for each file $M_i$, $i \in [k]$, the expected time to recover at least a $\rho$ fraction of it is $O\!\left(k\left(\dfrac{(1 + \varepsilon N^2)\rho N}{\varepsilon - \omega} + t^2\right)\right)$. As $M_i$ is redundantly encoded by an erasure code [2] such that any $\rho$ fraction of $M^*_i$ is sufficient to recover the original file $M_i$, the original file $M_i$ is guaranteed to be recovered in this case.

6. Performance analysis

We evaluate the performance of the proposed MPOR protocol and that of the POR protocol [16] in terms of the communication and computational cost required to verify $k$ files stored on the server side. The results are stated in Tables 1 and 2. $\mathrm{Pair}$ denotes one pairing operation $e$. $\mathrm{MExp}_n(G)$ denotes one general multi-exponentiation $g_1^{e_1} \cdots g_n^{e_n}$ over a group $G$. The size of each set $Q_i$ is assumed to be a fixed $s$ in both schemes. For ease of comparison, we assume that there is only one sector per encoded message block in the POR protocol [16]. The advantage of our MPOR protocol lies in the fact that the number of pairing operations computed by the verifier is independent of the parameter $k$. In addition, the length of the response from the prover is further reduced by aggregating the per-file responses. Nevertheless, the soundness of our MPOR protocol only satisfies a relatively weak security notion, under the assumption that each file's size is of the same magnitude: one invocation of the extractor algorithm can only guarantee that at least one file among the $k$ files is recovered. Our analysis shows that each file can be extracted in expected polynomial time under our assumption on the size of the processed files.
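The following is an added toy model of one round of the extractor from Theorem 1 (Section 5), written for this page and not taken from the paper. It assumes a small prime P in the role of the group order p, two constructed files, and an ε-polite prover built from the honest μ computation of Section 4; the σ part and the pairing group are left out, since only the linear algebra over the joint coefficient vectors matters for extraction.

```python
import random

P = 1_000_003  # toy prime standing in for the group order p (constructed)


def honest_mu(blocks, query):
    """mu_i = sum_{(j, v_j) in Q_i} v_j * m_{i,j} mod p for every file i.
    blocks: per-file block lists; query: per-file sets Q_i of (j, v_j), 1-based j."""
    return [sum(v * blocks[i][j - 1] for j, v in q_i) % P
            for i, q_i in enumerate(query)]


def joint_vector(query, sizes):
    """The N-element vector q of the Remark in Section 4: coefficient v_j of
    file i's block j sits at position j + N_{i-1} (0-based here)."""
    offsets = [sum(sizes[:i]) for i in range(len(sizes))]
    q = [0] * sum(sizes)
    for i, q_i in enumerate(query):
        for j, v in q_i:
            q[offsets[i] + j - 1] = v % P
    return q


def random_query(sizes, s, rng):
    """s distinct block indices per file, each with a random coefficient."""
    return [[(j, rng.randrange(1, P)) for j in rng.sample(range(1, n + 1), s)]
            for n in sizes]


def rref_augmented(rows, n):
    """Gaussian elimination over Z_p on the first n columns of [V | W].  The
    same row operations hit the trailing response columns, so the result is
    [G | U*W] with G = U*V in row-reduced echelon form (zero rows dropped)."""
    m = [r[:] for r in rows]
    r = 0
    for c in range(n):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, P)
        m[r] = [(x * inv) % P for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % P for a, b in zip(m[i], m[r])]
        r += 1
        if r == len(m):
            break
    return m[:r]


def free_indices(G, n):
    """Free_Psi = {l : c_l in Psi}.  c_l lies in the row space exactly when a
    row of the echelon form G is c_l itself; map l -> that augmented row."""
    free = {}
    for row in G:
        nz = [l for l in range(n) if row[l]]
        if len(nz) == 1:
            free[nz[0]] = row
    return free


def extract(sizes, s, rho, prover, rng, max_queries=10_000):
    """One round of Theorem 1: query the polite prover until #Free_Psi >= rho*N,
    then read blocks off U*W.  Returns ({(file, block): value}, #queries)."""
    n, k = sum(sizes), len(sizes)
    offsets = [sum(sizes[:i]) for i in range(k)]
    knowledge = []  # rows q || mu, i.e. the matrices V and W side by side
    rank, queries = 0, 0
    while queries < max_queries:
        query = random_query(sizes, s, rng)
        queries += 1
        mu = prover(query)
        if mu is None:  # the polite prover answered with the symbol "bottom"
            continue
        row = joint_vector(query, sizes) + mu
        G = rref_augmented(knowledge + [row], n)
        if len(G) == rank:  # type 2 or 3: q already in Psi, nothing learned
            continue
        knowledge.append(row)  # type 1: dim(Psi) grows by one
        rank = len(G)
        if len(free_indices(G, n)) >= rho * n:
            break
    recovered = {}
    for l, row in free_indices(rref_augmented(knowledge, n), n).items():
        i = max(i for i in range(k) if offsets[i] <= l)
        recovered[(i, l - offsets[i] + 1)] = row[n + i]  # c_l . h_i = m_{i,j}
    return recovered, queries


def demo(seed=1, epsilon=0.7):
    """Two constructed files of four blocks each, s = 2 per file, rho = 3/4."""
    rng = random.Random(seed)
    sizes = [4, 4]
    blocks = [[rng.randrange(P) for _ in range(n)] for n in sizes]

    def polite_prover(query):  # correct answer w.p. epsilon, else "bottom"
        return honest_mu(blocks, query) if rng.random() < epsilon else None

    recovered, queries = extract(sizes, 2, 0.75, polite_prover, rng)
    correct = all(blocks[i][j - 1] == m for (i, j), m in recovered.items())
    per_file = [sum(1 for (i, _) in recovered if i == f) for f in range(2)]
    return recovered, correct, per_file, queries
```

With rho = 3/4 the round stops once six of the eight canonical vectors lie in Ψ, so by the pigeonhole argument of the proof at least one of the two files has three or more of its four blocks recovered.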
7. Conclusion

Proof-of-retrievability protocols help a client to be assured of the availability of files stored by a server. H. Shacham et al. [16] strengthened the security model for POR protocols by allowing an extractor black-box access to a prover program. In addition, they presented a POR protocol with public verifiability based on a homomorphic authenticator derived from the BLS short signature. When their POR protocol with public verifiability is used to verify the availability of multiple files separately, the number of pairing operations computed by the verifier is linear in the number of files. To handle this issue, we extend the work [16] by introducing a new notion called multi-proof-of-retrievability. Our MPOR protocol with public verifiability allows one verifier to verify the availability of $k$ files stored by a server in one pass, while the computational overhead of the verifier in our MPOR scheme is constant, independent of the parameter $k$. The analysis of our MPOR protocol shows that each file can be extracted in expected polynomial time under a certain restriction on the size of the processed files.

Acknowledgement

This work is supported by the Natural Science Foundation of Higher Education Institutions, Jiangsu Province Office of Education, P.R. China (Grant No. 0KJD520005).

References

[1] Amazon simple storage service (Amazon S3), http://aws.amazon.com/s3/
[2] N. Alon and M. Luby, A linear time erasure-resilient code with nearly optimal recovery, IEEE Trans. Inf. Theory, 42(6) (1996) 1732-1736.
[3] G. Ateniese, R. Burns, R. Curtmola, J. Herring, O. Khan, L. Kissner, Z. Peterson and D. Song, Remote data checking using provable data possession, ACM Trans. Inf. Syst. Security, 14(1) (2011) Article No. 12.
[4] G. Ateniese, R. Di Pietro, L. V. Mancini and G. Tsudik, Scalable and efficient provable data possession, Cryptology ePrint Archive, Report 2008/114, 2008. http://eprint.iacr.org/2008/114
[5] M. Bellare and O. Goldreich, On defining proofs of knowledge, CRYPTO '92, LNCS 740 (1993) 390-420.
[6] D. Boneh, B. Lynn and H. Shacham, Short signatures from the Weil pairing, Journal of Cryptology, 17(4) (2004) 297-319.
[7] D. Cash, A. Küpçü and D. Wichs, Dynamic proofs of retrievability via oblivious RAM, Cryptology ePrint Archive, http://eprint.iacr.org/2012/550
[8] H. Cohen, A course in computational algebraic number theory, Berlin, Springer, 1993.
[9] Y. Deswarte, J.-J. Quisquater and A. Saïdane, Remote integrity checking, IICIS 2003, IFIP Vol. 140 (2004) 1-11.
[10] C. C. Erway, A. Küpçü, C. Papamanthou and R. Tamassia, Dynamic provable data possession, ACM CCS '09 (2009) 213-222.
[11] S. Goldwasser, S. Micali and R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal on Computing, 17(2) (1988) 281-308.
[12] A. Juels and B. Kaliski, PORs: proofs of retrievability for large files, CCS 2007, ACM (2007) 584-597.
[13] P. Mell and T. Grance, NIST SP 800-145, The NIST definition of cloud computing, NIST special publication, 2011.
[14] M. Naor and G. Rothblum, The complexity of online memory checking, JACM, 56(1) (2009) Article No. 2.
[15] T. Schwarz and E. Miller, Store, forget and check: Using algebraic signatures to check remotely administered storage, ICDCS 2006, IEEE (2004).
[16] H. Shacham and B. Waters, Compact proofs of retrievability, Journal of Cryptology, published online.
[17] M. Shah, M. Baker, J. Mogul and R. Swaminathan, Auditing to keep online storage services honest, Proceedings of HotOS 2007, ACM (2007) Article No. 11.
[18] Q. Wang, C. Wang, J. Li, K. Ren and W. Lou, Enabling public verifiability and data dynamics for storage security in cloud computing, ESORICS 2009, Springer, LNCS 5789 (2009) 355-370.
Table 1. Computational overhead of the verifier (cost for verifying $k$ files)

Scheme              | Pairing | Exponentiation
POR protocol [16]   | $2k$    | $k \cdot \mathrm{MExp}_s(G)$
Our MPOR protocol   | $2$     | $k \cdot \mathrm{MExp}_s(G) + \mathrm{MExp}_{2k}(G)$

Table 2. Length of the response from the prover

Scheme              | Total bit length of the responses from the prover
POR protocol [16]   | $k(|\mathbb{Z}_p| + |G|)$
Our MPOR protocol   | $k|\mathbb{Z}_p| + |G|$