您的当前位置:首页Towards a Theory of Data Entanglement

Towards a Theory of Data Entanglement

2023-02-20 来源:爱问旅游网
TowardsaTheoryofDataEntanglement⋆

(ExtendedAbstract)

JamesAspnes

⋆⋆

,JoanFeigenbaum⋆⋆⋆,AleksandrYampolskiy†,and

ShengZhong‡

DepartmentofComputerScience,YaleUniversity,NewHavenCT06520-8285,USA

Abstract.Wegiveaformalmodelforsystemsthatstoredatainen-tangledform.Weproposeanewnotionofentanglement,calledall-or-nothingintegrity(AONI)thatbindstheusers’datainawaythatmakesithardtocorruptthedataofanyoneuserwithoutcorruptingthedataofallusers.AONIcanbeausefuldefenseagainstnegligentordishoneststorageproviderswhomightotherwisebetemptedtodiscarddocumentsbelongingtouserswithoutmuchclout.Weshowthat,ifallusersusethestandardrecoveryalgorithm,wecanimplementAONIus-ingaMAC,but,ifsomeoftheusersadopttheadversary’snon-standardrecoveryalgorithm,AONIcannolongerbeachieved.However,evenforthelatterscenario,wedescribeasimpleentanglingmechanismthatpro-videsAONIforarestrictedclassofdestructiveadversaries.

1Introduction

SupposethatIprovideyouwithremotestorageforyourmostvaluableinfor-mation.Imayadvertisevariousdesirablepropertiesofmyservice:undergrounddiskfarmsprotectedfromnuclearattack,dailybackupstochiseledgranitemon-uments,replicationtothousandsofsitesscatteredacrosstheglobe.ButwhatassurancedoyouhavethatIwillnotmaliciouslydeleteyourdataassoonasyoursubscriptioncheckclears?

IfIconsiderdeletingthedataofarichorpowerfulcustomer,Imaybede-terredbyeconomic,social,orlegalrepercussions.ThesmallsecretjoyImightexperiencefromthethoughtofthelosswillnotcompensatemeforlosingapostedbond,destroyingmyreputation,orbeingimprisoned.Butifyouareanordinarycustomerwhodoesnothavemuchclout,andIseealucrativeopportu-nityinaltering—orsimplyneglectingtokeep—yourdata,thendeterrenceloses

itseffectiveness.Consequently,dataofpowerfulcustomersendupbeingmoreprotectedthandataofaveragecustomers.Toconvinceanaveragecustomerthatshewillnotloseherdataatmyrandomwhim,ImightofferstrongertechnicalguaranteesthatIcannotdestroyherdatawithoutseriouscosts.OnewaytodothiswouldbetolinkthefateofherdocumentstothedocumentsofenoughotherusersthatIcannothopetooffendthemallwithimpunity.Weshallcallsuchdocumentsentangled.

Dataentanglementwasinitiallysuggestedasamechanismforincreasingcensorship-resistanceindocument-storagesystems,e.g.,Dagster[21]andTan-gler[22].Thesesystemssplitdataintoblocksinsuchawaythatasingleblockbecomespartofseveraldocuments.Newdocumentsarerepresentedusingsomenumberofexistingblocks,chosenrandomlyfromthepool,combinedwithnewblockscreatedusingexclusive-or(Dagster)or3-out-of-4secretsharing[19](Tan-gler).DagsterandTangleruseentanglementasoneofmanymechanismstopre-ventacensorfromtamperingwithunpopulardata;othersinvolvedisguisingtheownershipandcontentsofdocumentsand(inTangler)storingdocumentsredundantly.

Itisnotclearthatdataentanglementisactuallyusefulforcensorshipresis-tance.Insteadofhavingtospecificallyattackatargetdocument,acensoronlyneedstodamageanydocumententangledwiththetargettoachievehisgoal.Instead,weconsiderdataentanglementforadifferentpurpose:protectingthedatafromanuntrustedstorageproviderthatmightbetemptedtodamageordestroythedatathroughnegligenceormalice.Entanglementprovidesanin-centiveforthestorageprovidertotakeextracareinprotectingaverageusers’documentsbyincreasingthecostoferrors.

WebegininSection2byanalyzingtheintuitivenotionofentanglementprovidedbyDagsterandTangler.WeshowthatentanglementasprovidedbyDagsterandTanglerisnotbyitselfsufficientlystrongtodeteradishoneststorageproviderfromtamperingwithdata,becausenotenoughdocumentsgetdeletedonaveragewhendestroyingablockofatypicaldocument.Thismotivatesoureffortstoobtainastrongerformofanentanglementthantheonesprovidedbythesesystems.

InSection3,wedefineourgeneralmodelofentanglementinanuntrustedstoragesystem.Ourgoalhereistomodeltheentanglementoperationitself,andwedonotaddressthequestionofwhereinthesystementanglementoccurs.However,wedoassumethatthestorageproviderdoesnotcarryouttheentan-glingoperationitself,asgivingittheusers’rawdatawouldallowittostorecopiesthatitcouldselectivelyreturnlater,eveniftheentangledstorewerelostordamaged.Instead,sometrustedthirdpartyisassumedtocarryouttheentanglingoperation,andanegligentormaliciousstorageproviderismodeledseparatelyasa“tamperer”thathasaccessonlytotheentangledstore.

Section4containsourdefinitionsofdocumentdependency,whereadoc-umentcannotberecoveredifanydocumentitdependsonislost,andall-or-nothingintegrity,wherenodocumentcanberecoveredifanydocumentislost.Thesedefinitionsallowasystem-independentdescriptionofthebindingbe-

tweenentangleddocuments.Wethenconsiderhowdifferentlevelsofattacksonthecommondatastoredoordonotpreventenforcementofdocumentdepen-dencyorall-or-nothingintegrity.

Inparticular,weshowthat,ifallclientsuseastandardalgorithmtore-covertheirdata,thenall-or-nothingintegrityrequiresonlytheabilitytodetecttamperingusingaMAC(Section5.1);inthismodel,thestandardrecoveryal-gorithmistoopolitetoreturnanyuser’sdataifanyotheruser’sdatahasbeenlost.Relyingonsuchfastidiousnessprovidesonlyaweakguarantee;whatwere-allywantisthatalldatabecomesirretrievableevenbynon-standardalgorithmsifanyislost.Weshowthatthisgoalisimpossibleifanadversaryisallowedtobothtamperwiththecommonstorearbitrarilyandprovideareplacementrecoveryalgorithm(Section5.2).Despitesuchupgradeattacks,itisstillpos-sibletoprovideaweakerguaranteethatwecallsymmetricrecovery,inwhicheachdocumentisequallylikelytobedestroyed(Section5.3).Furthermore,ifwerestricttheadversarytodestructivetampering,whichreducestheamountofinformationinthecommonstore,all-or-nothingguaranteesarepossibleevenwithupgradeattacks(Section5.4).

Theseresultsprovideafirststeptowardunderstandingdocumentdepen-dency.SuggestionsforfurtherworkaregiveninSection6.

Becauseofspacelimitations,manyproofsareomittedfromthisextendedabstract.Completeproofscanbefoundinthefullversion,availableasaYaleCStechnicalreport[2].1.1

RelatedWork

Entanglementismotivatedbythegoalofdeterringdatatamperingbyuntrustedservers,amoregeneralproblemthathasbeenstudiedextensively.Entangle-menthasbeenusedspecificallyinDagster[21]andTangler[15],aswedescribeinSection2.Otherapproachestopreventingordeterringtamperingincludereplicationacrossglobalnetworksoftamper-resistantservers[1,4,5,9,17,23]ortamperdetection[6–8,12–14,20]usingdigitalsignaturesandMerklehashtrees[16].Replicationprotectsagainstdatalossifasmallnumberofserversarecompromised;tamperdetectionpreventsdatalossfromgoingunnoticed.Bothtechniquescomplementtheentanglementapproachconsideredhere.

All-or-nothingintegrityasdefinedinthepresentworkisrelatedtotheguar-anteeprovidedbytheall-or-nothingtransformproposedbyRivest[18].Anall-or-nothingtransformisaninvertibletransformthatguaranteesthatnobitsofthepreimagecanberecoveredifℓbitsoftheimagearelost.All-or-nothingtransformsarenotdirectlyapplicabletoourproblem,becauseweconsiderthemoregeneralcaseinwhichtheimagemaybecorruptedinotherways,suchasbysuperencryptionoralterationofpartorallofthecommonstore.

2DagsterandTangler

WenowreviewhowDagster[21]andTangler[22]work,concentratingontheiroperationsatablocklevelandomittingdetailsofhowdocumentsaredivided

intoblocks.Wethenanalyzetheresultingentanglingeffectsandshowtheirshortcomingsforprotectingdatafromanegligentstorageprovider,motivatingourstrongernotionsofentanglementinSection4.2.1

Dagster

TheDagsterstoragesystemmayrunonasingleserveroronaP2Poverlaynetwork.EachdocumentinDagsterconsistsofc+1serverblocks:cblocksofolderdocumentsandonenewblock,anexclusive-orofpreviousblockswiththedocument.Thec+1blocksthatmustbeXORedtorecoverthedocumentarelistedinaDagsterResourceLocator.2.2

Tangler

TheTanglerstoragesystemuses(3,4)Shamirsecretsharing[19]toentanglethedata:Eachdocumentisrepresentedbyfourserverblocks,anythreeofwhicharesufficienttoreconstructtheoriginaldocument.TheblocksgetreplicatedacrossasubsetofTanglerservers.Hashesofblocksarerecordedinadatastructure,similartoDagsterResourceLocator,calledaninode.2.3

AnalysisofEntanglement

Atagivenpointintime,aDagsterorTanglerservercontainsasetofblocks{C1,...,Cm}comprisingdocuments{d1,...,dn}ofagroupofusers.(Herem,n∈Nandm≥n.)Dataarepartitionedinawaythateachblockbe-comesapartofseveraldocuments.Wecandrawanentanglementgraph(seeFigure1),whichhasanedge(dj,Ck)ifblockCkbelongstodocumentdj.Thisconnectionisrathertenuous—evenif(dj,Ck)isinthegraph,itmaystillbepossibletoreconstructdjfromblocksexcludingCk.DocumentnodesinDag-ster’sentanglementgraphhaveanout-degreec+1,andthoseinTangler’shaveout-degree4.Entangleddocumentsshareoneormoreserverblocks.InFig-ure1,documentsd1andd2areentangledbecausetheyshareserverblockC1;meanwhile,documentsd1andd2arenotentangled.

Thisshared-blocknotionofentanglementhasseveraldrawbacks.Evenifdocumentdjisentangledwithaspecificdocument,itmaystillbepossibletodeletedjfromtheserverwithoutaffectingthatparticulardocument.Forexample,knowingthatdnisentangledwithd1(asinFigure1),andthatd1isownedbysomeVeryImportantPerson,maygivesolacetotheownerofdn,whomightassumethatnoadversarywoulddareincurthewrathoftheVIPmerelytodestroydn.Butinthesituationdepictedinthefigure,theadversarycanstilldeleteserverblocksC2andCmandcorruptdnbutnotd1.

Theresultingdependencebetweendocumentsisthusveryweak.Inthefullpaper,weshow:

Theorem1.InaDagsterserverwithndocuments,whereeachdocumentislinkedwithcpre-existingblocks,deletingablockofarandomdocumentdestroysonaverageO(c)otherdocuments.

d1d2C1C2

...dnCm

Fig.1.Anentanglementgraphisabipartitegraphfromthesetofdocumentstothe

setofserverblocks.Edge(dj,Ck)isinthegraphifserverblockCkcanbeusedtoreconstructdocumentdj.

Theorem2.InaTanglerserverwithn󰀁documents,deletingtwoblocksofarandomdocumentdestroysonaverageOlogn

phase,inwhichtheindividualusers’dataarecombinedintoacommonstore;atamperingphase,inwhichtheadversarycorruptsthestore;andarecoveryphase,inwhichtheusersattempttoretrievetheirdatafromthecorruptedstoreusingoneormorerecoveryalgorithms.Forsimplicityofnotation,wenumbertheusers{1,...,n},whereeveryuseripossessesadocumentdithathewantstopublish.

Fig.2.Initialization,entanglement,andtamperingstages.

AnencodingschemeconsistsofthreeprobabilisticTuringmachines,(I,E,R),thatrunintimepolynomialinthesizeoftheirinputsandasecurityparameters.Thefirstofthese,theinitializationalgorithmI,handsoutthekeysusedintheencodingandrecoveryphases.Thesecond,theencodingalgorithmE,combinestheusers’dataintoacommonstoreusingtheencodingkey.Thethird,therecoveryalgorithmR,attemptstorecovereachuser’sdatausingtheappropriaterecoverykey.

ˇTˇ,Rˇ),whichalsoActingagainsttheencodingschemeisanadversary(I,

consistsofthreeprobabilisticpolynomial-timeTuringmachines.Thefirstisan

ˇ;likethegoodinitializerI,theevilIˇadversary-initializationalgorithmI

isresponsibleforgeneratingkeysusedbyotherpartsoftheadversaryduring

ˇ,whichmodifiesthetheprotocol.ThesecondisatamperingalgorithmT

ˇ,whichcommonstore.Thethirdisanon-standardrecoveryalgorithmR

maybeusedbysomeoralloftheuserstorecovertheirdatafromthemodifiedstore.

ˇ,TˇandRˇarechosenafterI,E,andRareknownbutthatWeassumethatIˇ,Tˇ,andRˇareusedforarbitrarilylargevaluesofsandn.ThisasinglefixedI

ˇandRˇtohaveanyeffect.isnecessaryforpolynomial-timeboundsonT

ˇTˇ,Rˇ),thestorageGivenanencodingscheme(I,E,R)andanadversary(I,

protocolproceedsasfollows(seealsoFigure2):

1.Initialization.TheinitializerIgeneratesacombiningkeykEusedbytheencodingalgorithmandrecoverykeysk1,k2,...kn,whereeachkeykiisusedbytherecoveryalgorithmtorecoverthedataforuseri.Atthesametime,

ˇforTˇgeneratesthesharedkeykˇandRˇ.theadversaryinitializerI

kE,k1,k2,...kn←I(1s,n),

ˇ←Iˇ(1s,n).k

2.Entanglement.TheencodingalgorithmEcomputesthecombinedstoreC

fromthecombiningkeykEandthedatadi:

C←E(kE,d1,d2,...dn).

ˇaltersthecombinedstoreCintoCˇ:3.Tampering.ThetampererT

ˇC).ˇ←Tˇ(k,C

4.Recovery.Theusersattempttorecovertheirdata.Useriapplieshisre-ˇ.EachRicouldbeeithercoveryalgorithmRitokiandthechangedstoreC

thestandardrecoveryalgorithmR,suppliedwiththeencodingscheme,or

ˇ,suppliedbytheadversary,dependingonthethenon-standardalgorithmR

choiceofthemodel.

ˇd′i←Ri(ki,C)WesaythatuserirecovershisdataiftheoutputofRiequalsdi.3.2

AdversaryClasses

Wedivideourmodelontwoaxes:oneboundingtheusers’choicesofreconstruc-tionalgorithmsandtheotherboundingtheadversary’spowertomodifythe

datastore.Withrespecttorecoveryalgorithms,weconsiderthreevariantsonthebasicframework(listedinorderofincreasingpowergiventotheadversary):–Inthestandard-recovery-algorithmmodel,theusersarerestrictedtoasinglestandardrecoveryalgorithmR,suppliedbythesystemdesigner.For-mally,thismeansRi=Rforallusersi;Theadversary’srecoveryalgorithmˇisnotused.ThisisthemodelusedtoanalyzeDagsterandTangler.R

–Inthepublic-recovery-algorithmmodel,theadversarynotonlymod-ifiesthecombinedstore,butalsosuppliesasinglenon-standardrecovery

ˇtoalloftheusers.Formally,wehaveRi=Rˇforeachi.ThealgorithmR

originalrecoveryalgorithmRisnotused.1Wecallthisanupgradeattackbyanalogytothereallifesituationofacompanychangingthedataformatofdocumentsprocessedbyitssoftwareanddistributinganewversionofthesoftwaretoreadthem.Webelievesuchanattackisarealisticpossibility,becausemostself-interesteduserswillbehappytoadoptanewrecoveryalgorithmifitoffersnewfeaturesorperformance,orifthealternativeislosingtheirdata.

–Intheprivate-recovery-algorithmmodel,theadversarymaychooseto

ˇtoonlyasubsetoftheusers.supplythenon-standardrecoveryalgorithmR

TherestcontinuetousethestandardalgorithmR.Formally,thismodelis

ˇforothers.amixoftheprevioustwomodels:Ri=RforsomeiandRi=RWealsodifferentiatebetweentwotypesoftamperers:

–Anarbitrarytamperercanfreelycorruptthedatastoreandisnotre-strictedinanyway.Mostreal-lifesystemsfitintothiscategoryastheyplace

norestrictionsonthetamperer.

–Adestructivetamperercanonlyapplyatransformationtothestorewhoserangeofpossibleoutputsissubstantiallysmallerthanthesetofin-puts.Thedestructivetamperercansuperimposeitsownencryptiononthecommonstore,transformthestoreinarbitraryways,andevenaddaddi-tionaldata,providedthatthecumulativeeffectofalltheseoperationsistodecreasetheentropyofthedatastore.Thoughadestructivetamperingas-sumptionmaylooklikeanartificialrestriction,itsubsumesnaturalmodelsofblockdeletionorcorruption,andeitheritorsomesimilarassumptionisneededtoachieveall-or-nothingintegrityintheprivate-recovery-algorithmmodel.ˇisandwhichusers,AnadversaryclassspecifieswhatkindoftampererT

ˇastheirrecoveryalgorithm.Altogether,weconsider6(=3×2)ifany,receiveR

adversaryclasses,eachcorrespondingtoacombinationofconstraintsonthetampererandtherecoveryalgorithms.

4DependencyandAll-Or-NothingIntegrity

Wenowgiveourdefinitionofdocumentdependencyforaparticularencodingschemeandadversaryclass.Wefirstdiscusssomebasicdefinitionsandassump-tionsinSection4.1.Ourstrongnotionsofentanglement,calleddependencyandall-or-nothingintegrity,aredefinedformallyinSection4.2.

4.1Preliminaries

BecauseweconsiderprotocolsinvolvingprobabilisticTuringmachines,wemustbecarefulintalkingaboutprobabilities.Fixanencoding(I,E,R),anadversary

ˇTˇ,Rˇ),andtherecoveryalgorithmRiforeachuseri.AnexecutionofA=(I,

theresultingsystemspecifiestheinputskiandditoE,theoutputofE,the

ˇandoutputCˇ,andtheoutputoftherecoveryalgorithmtamperer’sinputk

ˇki,Cˇ)orRˇ(k,ˇ)asappropriate)foreachuser.ThesetofpossibleRi(R(ki,C

executionsofthestoragesystemisassignedprobabilitiesintheobviousway:theprobabilityofanexecutionistakenovertheinputstothestoragesystemandthecointossesoftheencodingschemeandtheadversary.Itwillbeconvenienttoconsidermultipleadversarieswithafixedencodingscheme.Inthiscase,weusePrA(Q)todenotetheprobabilitythataneventQoccurswhenAistheadversary.

Duringanexecutionofthestoragesystem,thetampereraltersthecombined

ˇ.Asaresult,someusersenduprecoveringtheirdocumentsstorefromCintoC

whileothersdonot.Wesummarizewhichusersrecovertheirdocumentsinarecoveryvector,whichisavector-valuedrandomvariablerinwhichri=1

ˇ)=di(i.e.,ifuserirecovershisdocument)and0otherwise.ForifRi(ki,C

example,iftheservercontainsdocumentsd1,d2,andd3andinanexecutionwerecoveronlyd1andd2,thenr=110.4.2

OurNotionsofEntanglement

InSection2,weobservedthattheblock-sharingnotionofentanglementprovidedbyDagsterandTanglerisnotadequateforourpurposes.Thismotivatesustoproposethenotionofdocumentdependency,whichformalizestheideathat“ifmydatadependsonyours,Ican’tgetmydatabackifyoucan’t.”Inthisway,thefatesofspecificdocumentsbecomelinkedtogether:specifically,ifdocumentdidependsondocumentdj,thenwheneverdjcannotberecoveredneithercandi.

Givenjustoneexecution,eitherusersiandjeachgettheirdatabackortheydon’t.Sohowcanwesaythattheparticularoutcomeforidependsontheoutcomeforj?Essentially,wearesayingthatwearehappywithexecutionsinwhicheitherjrecoversitsdata(whetherornotidoes)orinwhichjdoesnotrecoveritsdataandidoesnoteither.Executionsinwhichjdoesnotrecoveritsdatabutidoesarebadexecutionsinthissense.Wewilltrytoexcludethesebadexecutionsbysayingthattheyeitherneveroccuroroccuronlywithverylowprobability.Formally:

Definition1.AdocumentdidependsonadocumentdjwithrespecttoaclassofadversariesA,denoteddi֒→dj,if,foralladversariesA∈A,

Pr[ri=0∨rj=1]≥1−ǫ.

A

A

Remark1.Hereafter,ǫreferstoanegligiblefunctionofthesecurityparameters.2

Theultimateformofdependencyisall-or-nothingintegrity.Intuitively,astoragesystemisall-or-nothingifeithereveryuserirecovershisdataornouserdoes:

Definition2.Astoragesystemisall-or-nothingwithrespecttoaclassofadversariesAif,forallA∈A,

Pr[r=0n∨r=1n]≥1−ǫ.

A

Itiseasytoshowthat

Theorem3.Astoragesystemisall-or-nothingwithrespecttoaclassofad-versariesAifandonlyif,forallusersi,j,di֒→dj.

All-or-nothingintegrityisaverystrongproperty.Insomemodels,wemaynotbeabletoachieveit,andwewillacceptaweakerpropertycalledsymmetricrecovery.Symmetricrecoveryrequiresthatallusersrecovertheirdocumentswithequalprobability:

Definition3.AstoragesystemhassymmetricrecoverywithrespecttoaclassofadversariesAif,forallA∈Aandallusersiandj,

Pr[ri=1]=Pr[rj=1].

A

A

A

Symmetricrecoverysaysnothingaboutwhathappensinparticularexecu-tions.Forexample,itisconsistentwiththedefinitionforexactlyoneofthedataitemstoberecoveredineveryexecution,aslongastheadversarycannotaffectwhichdataitemisrecovered.Thisisnotasstrongapropertyasall-or-nothingintegrity,butitisthebestthatcanbedoneinsomecases.

5PossibilityandImpossibilityResults

Thepossibilityofachievingall-or-nothingintegrity(abbreviatedAONI)de-pendsontheclassofadversariesweconsider.InSections5.1through5.3,weconsideradversarieswithanarbitrarytamperer.WeshowthatAONIcannotalwaysbeachievedinthiscase.TheninSection5.4,welookatadversarieswithadestructivetamperer.Wegiveasimpleinterpolationschemethatachievesall-or-nothingintegrityforadestructivetampererinallthreerecoverymodels.

5.1PossibilityofAONIforStandard-Recovery-AlgorithmModel

Inthestandard-recovery-algorithmmodel,allusersusethestandardrecoveryalgorithmR;thatisRi=Rforallusersi.

Thismodelallowsaverysimplemechanismforall-or-nothingintegritybasedonMessageAuthenticationCodes(MACs).3Theintuitionbehindthismecha-nismisthattheencodingalgorithmEsimplytagsthedatastorewithaMACusingakeyknowntoalltheusers,andtherecoveryalgorithmRreturnsanindividualuser’sdataonlyiftheMAContheentiredatabaseisvalid.

Wenowgiveanencodingscheme(I,E,R)basedonaMACscheme(GEN,TAG,VER):InitializationTheinitializationalgorithmIcomputeskMAC=GEN(1s).It

thenreturnsanencodingkeykE=kMACandrecoverykeyski=(i,kMAC).EntanglementTheencodingalgorithmEgeneratesann-tuple

m=(d1,d2,...,dn)andreturnsC=(m,σ)whereσ=TAG(kMAC,m).RecoveryThestandardrecoveryalgorithmRtakesasinputakeyki=(i,kMAC)

ˇ=(m,andthe(possiblymodified)storeCˇσˇ).ItreturnsmˇiifVER(kMAC,m,ˇσˇ)=

acceptandreturnsadefaultvalue⊥otherwise.Thefollowingtheoremstatesthatthisencodingschemeachievesall-or-nothingintegritywithstandardrecoveryalgorithms:

Theorem4.Let(GEN,TAG,VER)beaMACschemethatisexistentiallyunforgeableagainstchosenmessageattacks,andlet(I,E,R)beanencodingschemebasedonthisMACschemeasabove.LetAbetheclassofadversaries

ˇ.Thenthereexiststhatdoesnotprovidenon-standardrecoveryalgorithmsR

someminimum󰀃s0suchthatforanysecurityparameters≥s0andanyinputsd1,...,dnwith|di|≤s,(I,E,R)isall-or-nothingwithrespecttoA.5.2

ImpossibilityofAONIforPublicandPrivate-Recovery-AlgorithmModels

Inboththesemodels,theadversarymodifiesthecommonstoreanddistributes

ˇtotheusers(eithertoallusersoronlytoanon-standardrecoveryalgorithmR

afewselectaccomplices).Letusbeginbyshowingthatall-or-nothingintegritycannotbeachievedconsistentlyineithercase:

Theorem5.Foranyencodingscheme(I,E,R),ifAistheclassofadver-ˇ,then(I,E,R)isnotall-sariesprovidingnon-standardrecoveryalgorithmsRor-nothingwithrespecttoA.

Theessentialideaoftheproofistohavetheadversarysupplyadefective

ˇthatfailsrandomlywithprobability1/n.ThisyieldsarecoveryalgorithmR

constantprobabilityconvergingto1/ethatsomedocumentisnotreturned,whileallothersare.

Thisproofisrathertrivial,whichsuggeststhatlettingtheadversarysub-stituteanerror-pronerecoveryalgorithminplaceofthestandardonegivestheadversaryfartoomuchpower.Butitisnotatallclearhowtorestrictthemodeltoallowtheadversarytoprovideanimprovedrecoveryalgorithmwithoutal-lowingforthisparticularattack.AllowinguserstoapplytheoriginalrecoveryalgorithmRcanbedefeatedbysuperencryptingthedatastoreandburyingthe

ˇ;defeatingthisattackwouldrequireanalyz-decryptionkeyintheerror-proneR

ˇtoundothesuperencryptionandremovetheerrors,ataskthatislikelyingR

tobedifficultinpractice.4

Ontheotherhand,wedonotknowofanygeneralmechanismtoensurethat

ˇ,anditisnotoutofthequestionnousefulinformationcanbegleanedfromR

thatthereisanencodingsotransparentthatnosuperencryptioncandisguise

ˇareˇandtheadversary’skeykitforsufficientlylargeinputs,giventhatbothR

public.5.3

PossibilityofSymmetricRecoveryforPublic-Recovery-AlgorithmModel

Aswehaveseen,ifweplacenorestrictionsonthetamperer,itbecomesimpos-sibletoachieveall-or-nothingintegrityinthepublic-recovery-algorithmmodel.Wenowshowthatwecanstillachievesymmetricrecovery.

Becausewecannotpreventmassdestructionofdata,wewillsettleforpre-ventingtargeteddestruction.Thebasicintuitionisthatiftheencodingprocessissymmetricwithrespecttopermutationsofthedata,thenneithertheadversarynoritspartner,thenon-standardrecoveryalgorithm,candistinguishbetweendifferentinputs.Symmetryintheencodingalgorithmisnotdifficulttoachieveandbasicallyrequiresnotincludinganypositionalinformationinthekeysortherepresentationofdatainthecommonstore.Oneexampleofasymmetricencodingisatrivialmechanismthattagseachinputdiwitharandomkiandthenstoresasequenceof(di,ki)pairsinrandomorder.

Symmetryinthedataisastrongerrequirement.Weassumethatusers’docu-mentsdiareindependentandidenticallydistributed(i.i.d.)randomvariables.Ifdocumentsarenoti.i.d(inparticular,iftheyarefixed),wecanuseasimpletricktomakethemappeari.i.d.:Eachuseripicksasmallnumberriindependentlyanduniformlyatrandom,remembersthenumber,andcomputesd′i=di⊕G(ri),

whereGisapseudorandomgenerator.Thenewdiarealsouniformandinde-pendent(andthuscomputationallyindistinguishablefromi.i.d.).Theuserscan

thenstoredocumentsd′i(1≤i≤n)insteadoftheoriginaldocumentsdi.To

recoverdi,useriwouldretrieved′ifromtheserverandcomputedi=di⊕G(ri).

Weshallneedaformaldefinitionofsymmetricencodings:Definition4.Anencodingscheme(I,E,R)issymmetricif,foranysandn,anyinputsd1,d2,...dn,andanypermutationπoftheindices1throughn,ifthejointdistributionofk1,k2,...,knandCinexecutionswithuserinputsd1,d2,...dnisequaltothejointdistributionofkπ1,kπ2,...,kπnandCinexe-cutionswithuserinputsdπ1,dπ2,...dπn.

Usingthisdefinition,itiseasytoshowthatanysymmetricencodinggivessymmetricrecovery:

Theorem6.Let(I,E,R)beasymmetricencodingscheme.LetAbeaclassofadversariesasinTheorem5.Fixsandn,andletd1,...,dnberandomvariablesthatareindependentandidenticallydistributed.Then(I,E,R)hassymmetricrecoverywithrespecttoA.5.4

PossibilityofAONIforDestructiveAdversaries

Giventheresultsoftheprevioussections,toachieveall-or-nothingintegrityweneedtoplacesomeadditionalrestrictionsontheadversary.

ˇisdestructiveiftherangeofTˇwhenappliedtoAtamperingalgorithmT

aninputdomainofmdistinctpossibledatastoreshassizelessthanm.The

ˇwhenappliedamountofdestructivenessismeasuredinbits:iftherangeofT

ˇdestroyslgm−lgrbitsofentropy.toadomainofsizemhassizer,thenT

ˇaresmallerthanNotethatitisnotnecessarilythecasethattheoutputsofT

itsinputs;itisenoughthattherebefewerofthem.

Below,wedescribeaparticularencoding,basedonpolynomialinterpolation,withthepropertythatafterasufficientlydestructivetampering,theprobabilitythatanyrecoveryalgorithmcanreconstructaparticulardiissmall.Whilethisistriviallytrueforanunrestrainedtampererthatdestroysalllgmbitsofthecommonstore,ourschemerequiresonlythatwithndocumentsthetampererdestroyslightlymorethannlg(n/ǫ)bitsbeforetheprobabilitythatanyofthedatacanberecovereddropsbelowǫ(aformalstatementofthisresultisfoundinCorollary1).Sincencountsonlythenumberofusersandnotthesizeofthedata,forafixedpopulationofusersthenumberofbitsthatcanbedestroyedbeforealluserslosetheirdataiseffectivelyaconstantindependentofthesizeofthestorebeingtamperedwith.

Theencodingschemeisasfollows.ItassumesthateachdataitemcanbeencodedasanelementofZp,wherepisaprimeofroughlysbits.

InitializationTheinitializationalgorithmIchoosesk1,k2,...knindependently

anduniformlyatrandomwithoutreplacementfromZp.ItsetskE=(k1,k2,...,kn)andthenreturnskE,k1,...kn.

EntanglementTheencodingalgorithmEcomputes,usingLagrangeinterpo-lation,thecoefficients

cn−1,cn−2,...c0oftheuniquedegree(n−1)polynomialfoverZpwiththepropertythatf(ki)=diforeachi.ItreturnsC=(cn−1,cn−2,...c0).

RecoveryThestandardrecoveryalgorithmRreturnsf(ki),wherefisthe

polynomialwhosecoefficientsaregivenbyC.Intuitively,thereasonthetamperercannotremovetoomuchentropywithoutdestroyingalldataisthatitcannotidentifywhichpointsd=f(k)correspondtoactualuserkeys.Whenitmapstwopolynomialsf1andf2tothesamecorrupted

ˇ,thebestthatthenon-standardrecoveryalgorithmcandoisreturnstoreC

oneoff1(ki)orf2(ki)givenaparticularkeyki.Butiftoomanypolynomials

ˇ,theoddsthatRˇreturnsthevalueofthecorrectaremappedtothesameC

polynomialwillbesmall.

Acomplicationisthataparticularlycleveradversarycouldlookforpoly-nomialswhosevaluesoverlap;iff1(k)=f2(k),itdoesn’tmatterwhichftherecoveryalgorithmpicks.Butherewecanusethatfactthattwodegree(n−1)polynomialscannotoverlapinmorethan(n−1)placeswithoutbeingequal.Thislimitshowmuchpackingtheadversarycando.

AsinTheorem6,weassumethattheuserinputsd1,...,dnarechosenin-dependentlyandhaveidenticaldistributions.WemakeafurtherassumptionthateachdiischosenuniformlyfromZp.Thisisnecessarytoensurethattheresultingpolynomialsspanthefullpnpossibilities.5

ˇTˇ,Rˇ)beanadversaryTheorem7.Let(I,E,R)bedefinedasabove.LetA=(I,

ˇisdestructive:forafixedinputsizeandsecurityparameter,thereisawhereT

ˇ,constantMsuchthatforeachkeyk

ˇ(k,ˇf)}|≤M,|{T

wherefrangesoverthepossiblestorevalues,i.e.overalldegree-(n−1)polyno-mialsoverZp.IfthediaredrawnindependentlyanduniformlyfromZp,then

ˇistheprobabilitythatatleastoneuserirecoversdiusingR

Pr[r=0]<

A

n

2n2+nM1/n

5

Theassumptionthatthedocumentsarei.i.d.doesnotconstraintheapplicabilityof

ourresultsmuch,becausethetechniquetogetridofitdescribedinSection5.2canalsobeusedhere.

6ConclusionandFutureWork

Ourresultsaresummarizedbelow:

DestructiveTamperer

all-or-nothingsymmetricrecoverynoguaranteespossible

Theyshowthatitispossibleinprincipletoachieveall-or-nothingintegritywithonlymildrestrictionsontheadversary.Whetheritispossibleinpracticeisadifferentquestion.Ourmodelabstractsawaymostofthedetailsofthestor-ageandrecoveryprocesses,whichhidesundesirablefeaturesofouralgorithmssuchastheneedtoprocessalldatabeingstoredsimultaneouslyandtheneedtoreadeverybitofthedatastoretorecoveranydataitem.Someoftheseun-desirablefeaturescouldberemovedwithamoresophisticatedmodel,suchasaround-basedmodelthattreateddataasarrivingovertime,allowingcombiningalgorithmsthatwouldtouchlessofthedatastoreforeachstorageorretrievaloperationatthecostofmakingfewerdocumentsdependoneachother.TheresultingsystemmightlooklikeavariantofDagsterorTanglerwithstrongermechanismsforentanglement.Butsuchamodelmightpermitmoredangerousattacksiftheadversaryisallowedtotamperwithdataduringstorage,andfind-ingtherightbalancebetweenprovidingusefulguaranteesandmodelingrealisticattackswillbenecessary.Wehavemadeafirststeptowardsthisgoalinthepresentwork,butmuchstillremainstobedone.

References

1.R.J.Anderson.Theeternityservice.InProceedingsofPRAGOCRYPT96,pages242–252,1996.

2.J.Aspnes,J.Feigenbaum,A.Yampolskiy,andS.Zhong.Towardsatheoryofdataentanglement.TechnicalReportYALEU/DCS/TR-1277,March2004.Availableathttp://www.cs.yale.edu/~aspnes/entanglement-abstract.html.

3.B.Barak,O.Goldreich,S.Rudich,A.Sahai,S.Vadhan,andK.Yang.Onthe(im)possibilityofobfuscatingprograms.InAdvancesinCryptology-ProceedingsofCRYPTO2001,2001.

4.M.CastroandB.Liskov.PracticalByzantinefaulttolerance.InProceedingsofthe3rdSymposiumonOperatingSystemsDesignandImplementation,pages173–186,1999.

5.I.Clarke,O.Sandberg,B.Wiley,andT.Hong.Freenet:Adistributedinformationstorageandretrievalsystem.InDesigningPrivacyEnhancingTechnologies:Inter-nationalWorkshoponDesignIssuesinAnonymityandUnobservability,volume2009ofLectureNotesinComputerScience,pages46–66,2000.

6.K.Fu,F.Kaashoek,andD.Mazieres.Fastandsecuredistributedread-onlyfilesystem.InProceedingsofthe4thSymposiumonOperatingSystemsDesignandImplementation,pages181–196,2000.

7.G.A.Gibson,D.F.Nagle,K.Amiri,J.Butler,F.W.Chang,H.Gobioff,C.Hardin,E.Riedel,D.Rochberg,andJ.Zelenka.Acost-effective,high-bandwidthstoragearchitecture.InProceedingsofthe8thInternationalConferenceonArchitecturalSupportforProgrammingLanguagesandOperatingSystems,pages92–103,1998.8.E.Goh,H.Shacham,N.Mdadugu,andD.Boneh.Sirius:Securingremoteun-trustedstorage.InProceedingsoftheInternetSociety(ISOC)NetworkandDis-tributedSystemsSecurity(NDSS)Symposium,pages131–145,2003.

9.A.GoldbergandP.Yianilos.Towardsanarchivalintermemory.InProceedingsoftheIEEEInternationalForumonResearchandTechnology,AdvancesinDigitalLibraries(ADL’98),pages147–156.IEEEComputerSociety,1998.

10.S.GoldwasserandM.Bellare.Lecturenotesoncryptography.SummerCourse

“CryptographyandComputerSecurity”atMIT,1996–1999,1999.

11.S.Goldwasser,S.Micali,andR.Rivest.Adigitalsignatureschemesecureagainst

adaptivechosenmessageattack.SIAMJournalonComputing,17(2):281–308,1988.

12.U.MaheshwariandR.Vingralek.Howtobuildatrusteddatabasesystemon

untrustedstorage.InProceedingsofthe4thSymposiumonOperatingSystemsDesignandImplementation,pages135–150,2000.

13.D.MazieresandD.Shasha.Don’ttrustyourfileserver.InProceedingsofthe8th

IEEEWorkshoponHotTopicsinOperatingSystems,pages99–104,2001.

14.D.MazieresandD.Shasha.BuildingsecurefilesystemsoutofByzantinestor-age.InProceedingsoftheTwenty-FirstAnnualACMSymposiumonPrinciplesofDistributedComputing,pages108–117,2002.

15.D.MazieresandM.Waldman.Tangler:Acensorship-resistantpublishingsystem

basedondocumententanglements.InProceedingsofthe8thACMConferenceonComputerandCommunicationsSecurity,pages126–135,2001.

16.R.Merkle.Protocolsforpublickeycryptosystems.InIEEESymposiumonSecurity

andPrivacy,pages122–134,1980.17.MojoNation.Technologyoverview.

Onlineathttp://www.mojonation.net/docs/technical_overview.shtml,2000.18.R.Rivest.All-or-nothingencryptionandthepackagetransform.InFastSoftware

Encryption,volume1267ofLectureNotesinComputerScience,pages210–218,1997.

19.A.Shamir.Howtoshareasecret.CommunicationsoftheACM,22(11):612–613,

1979.

20.J.Strunk,G.Goodson,M.Scheinholtz,C.Soules,andG.Ganger.Self-securing

storage:Protectingdataincompromisedsystems.InProceedingsofthe4thSym-posiumonOperatingSystemsDesignandImplementation,pages165–180,2000.21.A.StubblefieldandD.S.Wallach.Dagster:Censorship-resistantpublishingwith-outreplication.TechnicalReportTR01-380,RiceUniversity,2001.

22.M.WaldmanandD.Mazieres.Tangler:Acensorship-resistantpublishingsystem

basedondocumententanglements.InProceedingsofthe8thACMConferenceonComputerandCommunicationsSecurity,pages126–135,2001.

23.M.Waldman,A.Rubin,andL.Cranor.Publius:Arobust,tamper-evident,

censorship-resistant,webpublishingsystem.InProceedingsof9thUSENIXSe-curitySymposium,2000.

因篇幅问题不能全部显示,请点此查看更多更全内容