Upcoming SlideShare
×

# Towards a theory of data entangelement

513 views
461 views

Published on

0 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

• Be the first to like this

Views
Total views
513
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
1
0
Likes
0
Embeds 0
No embeds

No notes for slide
• How does the tamperer work and who gives out recovery algorithms?
• Replace picture and possibly drop the formal definition
• Add a picture of happy/unhappy computers
• Add a picture of happy/unhappy computers
• Emphasize that adversary cannot guess what the k_i are. Many-to-one map can’t be correct for most k_i. b/c of the property of polynomials. Maybe add picture (?)
• ### Towards a theory of data entangelement

1. 1. Towards a Theory of Data Entanglement James Aspnes, Joan Feigenbaum, Aleksandr Yampolskiy, and Sheng Zhong (Yale University)
2. 2. Outline <ul><li>Motivation </li></ul><ul><li>Dagster and Tangler </li></ul><ul><li>Our model </li></ul><ul><li>Notions of entanglement </li></ul><ul><li>Possibility and impossibility results </li></ul><ul><li>Conclusion </li></ul>
3. 3. Goal: Protect Remotely Stored Data from the Server <ul><li>Question: Suppose you store your data on a remote server. How do you ensure that it is not corrupted by the server? </li></ul><ul><li>Answer: Have your data entangled with some VIPs’ data so that corruption of your data  corruption of theirs. </li></ul>
4. 4. Previous Work: Dagster [SW01] New Document  Encrypt c randomly chosen blocks Pool of blocks Analysis: Deleting a typical document  loss of O( c ) documents
5. 5. Previous Work: Tangler [WM01] (0, New Document) 2 randomly chosen blocks Pool of n blocks Analysis: Deleting a typical document  loss of O ( (log n ) / n ) documents Interpolate degree-2 poly F() (x 1 ,F(x 1 )) (x 2 ,F(x 2 ))
6. 6. Our Model: Basic Framework <ul><li>Initialization : Keys are distributed to participants. </li></ul><ul><li>Entanglement : Users’ data are combined into a common store. </li></ul><ul><li>Tampering: Adversary tampers with the store before it is stored on server. </li></ul>encoding E … d 1 d 2 d n initializer I k 1 k 2 k n k E tamperer storage server
7. 7. Our Model: Basic Framework (cont.) <ul><li>Recovery : Users attempt to recover their data. </li></ul><ul><li>If R i returns original document d i , we say that user i recovers her data. </li></ul>… k 1 k 2 k n storage server
8. 8. Our Model : Classification <ul><li>Question: What can the adversary do to the data store? </li></ul><ul><li>Answer: He can… </li></ul><ul><ul><li>tamper with the store </li></ul></ul><ul><ul><li>tamper with the store and distribute a new recovery algorithm to all users ( upgrade attack ) </li></ul></ul><ul><ul><li>encrypt the store and distribute his recovery algorithm only to a few select buddies ( superencryption attack ) </li></ul></ul>
9. 9. Our Model : Classification (cont.) <ul><li>Classification based on recovery algorithm: </li></ul><ul><ul><li>Standard recovery algorithm </li></ul></ul><ul><ul><li>Public recovery algorithm </li></ul></ul><ul><ul><li>Private recovery algorithm </li></ul></ul>… … …
10. 10. Our Model : Classification (cont.) <ul><li>Classification based on corrupting algorithm: </li></ul><ul><ul><li>Destructive adversary that reduces entropy of the data store. </li></ul></ul><ul><ul><li>Arbitrary adversary. </li></ul></ul><ul><li>Altogether, we have 6 (= 3 £ 2) adversary classes . </li></ul>
11. 11. Our Definitions <ul><li>Fix encoding scheme , adversary , and recovery algorithms R i . </li></ul><ul><li>Recovery vector summarizes which documents are recovered </li></ul>
12. 12. Our Definitions (cont.) <ul><li>Data dependency: d i depends on d j if, with high probability, d i is recovered  d j is recovered: </li></ul>d 1 d 2 d 3 d 4 d 1 depends on d 2
13. 13. Our Definitions (cont.) <ul><li>All-or-nothing integrity (AONI): every document depends on every other document: </li></ul>d 1 d 2 d 3 d 4
14. 14. Our Definitions (cont.) <ul><li>Symmetric recovery: adversary cannot bias which documents are recovered </li></ul>
15. 15. Possibility of AONI in Standard-Recovery Model <ul><li>All users use the standard recovery algorithm: for all i, R i =R. </li></ul><ul><li>When combining data, mark data store using an unforgeable Message Authentication Code (MAC). </li></ul><ul><li>Standard recovery algorithm checks MAC: </li></ul><ul><ul><li>If MAC is valid, recover data. </li></ul></ul><ul><ul><li>If MAC is invalid, refuse to recover data. </li></ul></ul>
16. 16. Impossibility of AONI in Public and Private-Recovery Models <ul><li>If any users use the adversary’s recovery algorithm (for some i, R i ≠ R), AONI cannot be achieved </li></ul><ul><li>Adversary modifies the data store so that old recovery algorithm does not work. </li></ul><ul><li>And distributes a new recovery algorithm that flips a coin to decide whether to recover data or not. </li></ul>
17. 17. Impossibility of AONI in Public and Private-Recovery Models (cont.) <ul><li>With high probability, not all coin flips will have same result. </li></ul><ul><li>With high probability, some data are recovered while others are not. </li></ul>…
18. 18. Possibility of Symmetric Recovery in Public-Recovery Model <ul><li>All users use adversary’s recovery algorithm: for all i, </li></ul><ul><li>We can prevent targeted destruction of documents. </li></ul><ul><ul><li>Documents d 1 ,…, d n must appear i.i.d </li></ul></ul><ul><ul><li>Encoding scheme must be symmetric: </li></ul></ul>
19. 19. Possibility of AONI for Destructive Adversaries <ul><li>We can achieve AONI in all recovery models if tamperer destroys entropy. </li></ul><ul><li>When combining data, interpolate a polynomial using points (k i , d i ). </li></ul><ul><li>Store = polynomial. </li></ul><ul><li>AONI is achieved if sufficient entropy is removed. </li></ul><ul><ul><li>Many stores are mapped to single corrupted store. </li></ul></ul><ul><ul><li> With high probability, cannot recover every data item. </li></ul></ul>
20. 20. Summary of Results  all-or-nothing Private Recovery symmetric recovery all-or-nothing Public Recovery all-or-nothing all-or-nothing Standard Recovery Arbitrary Tamperer Destructive Tamperer
21. 21. Future Work <ul><li>We have considered a single-round model. Allowing multiple rounds of storage/retrieval will be more realistic. </li></ul><ul><li>What if data entanglement is combined with other techniques like replication? Will that help to defend data against untrusted server(s)? </li></ul>