
Chapter 2 provides some cryptographic preliminaries and establishes notation that will be used in the rest of the dissertation. Chapters 3 to 5 contain our three ADS constructions for the cases of set operations, range queries, and pattern matching respectively. Each chapter begins with an overview of the problem formulation, the main result and techniques used, and a comparison with previous works that address the problem. We then provide the main results with proofs of security and experimental evaluation. Finally, Chapter 6 reviews the main results of this thesis and discusses interesting open problems, such as the selective combination of function-specific and general-purpose VC schemes.

Cryptographic Preliminaries

In this section, we present notation and cryptographic background that will be used in all of the following chapters. Additional definitions that are used only in the context of a particular scheme are included in the corresponding chapter.

We denote with λ the security parameter and with ν(λ) a negligible function. A function f(λ) is negligible if for each polynomial function poly(λ) and all large enough values of λ, f(λ) < 1/poly(λ). We say that an event occurs with negligible probability if its probability of occurrence is upper bounded by a negligible function. Respectively, an event takes place with overwhelming probability if its complement takes place with negligible probability. In our technical exposition, we adopt the access complexity model: used mainly in the memory checking literature [BEG+94, DNRV09], this model allows us to measure complexity expressed in the number of primitive cryptographic operations made by an algorithm without considering the related security parameter. For example, an algorithm making k modular multiplications over a group of size O(n), where n is O(exp(λ)) for a security parameter λ, runs in time O(k log n). In the access complexity model, this is O(k), ignoring the “representation” cost for each group element.

Collision-resistant hash functions. A collision-resistant hash function h is a function randomly sampled from a function ensemble, such that no poly-size algorithm can output x, x′ such that h(x) = h(x′) and x ≠ x′, except with probability ν(λ). More formally:

Definition 1 (Collision-resistant hash function ensemble (CRH)). Let d(λ), t(λ) be polynomial functions of λ. A function ensemble $H = \{H_\lambda\}_{\lambda \in \mathbb{N}}$ from $\{0,1\}^{d(\lambda)}$ to $\{0,1\}^{t(\lambda)}$ is a CRH if:

Collision-resistance. For any poly-size adversary A:

$$\Pr_{h \leftarrow H_\lambda}\Big[\, x, x' \leftarrow A(1^\lambda, h) \ \text{s.t.}\ h(x) = h(x') \wedge x \neq x' \,\Big] \le \nu(\lambda).$$

2.1 Authenticated data structures

An authenticated data structure (ADS) is a cryptographic primitive for proving the correctness of the result of a query on a remote dataset. The interaction model assumes three types of parties: an owner holding a data structure D who wishes to outsource it to a server who is, in turn, responsible for answering queries issued by multiple clients. The owner runs a pre-processing step over D, producing some cryptographic authentication information auth(D) and a succinct digest d of D, and signs d. The server is untrusted, i.e., it may modify the returned answer, hence it is required to provide a proof of the answer, generated using auth(D), and the signed digest d. A client with access to the public key of the owner can subsequently check the proof and verify the integrity of the answer. More formally, an authenticated data structure scheme is a collection of the following six polynomial-time algorithms:

1. $\{sk, pk\} \leftarrow \mathsf{genkey}(1^\lambda)$: Outputs secret and public keys sk and pk, given the security parameter λ.

2. $\{auth(D_0), d_0\} \leftarrow \mathsf{setup}(D_0, sk, pk)$: Computes the authenticated data structure $auth(D_0)$ and its respective digest $d_0$, given data structure $D_0$, the secret key sk and the public key pk.

3. $\{D_{h+1}, auth(D_{h+1}), d_{h+1}, upd\} \leftarrow \mathsf{update}(u, D_h, auth(D_h), d_h, sk, pk)$: On input update u on data structure $D_h$, the authenticated data structure $auth(D_h)$ and the digest $d_h$, it outputs the updated data structure $D_{h+1}$ along with $auth(D_{h+1})$, the updated digest $d_{h+1}$ and some relative information upd. It requires the secret key for execution.

4. $\{D_{h+1}, auth(D_{h+1}), d_{h+1}\} \leftarrow \mathsf{refresh}(u, D_h, auth(D_h), d_h, upd, pk)$: On input update u on data structure $D_h$, the authenticated data structure $auth(D_h)$, the digest $d_h$ and relative information upd output by update, it outputs the updated data structure $D_{h+1}$ along with $auth(D_{h+1})$ and the updated digest $d_{h+1}$, without access to the secret key.

5. $\{a(q), \Pi(q)\} \leftarrow \mathsf{query}(q, D_h, auth(D_h), pk)$: On input query q on data structure $D_h$ and $auth(D_h)$, it returns the answer to the query a(q), along with a proof Π(q).

6. $\{\mathsf{accept}/\mathsf{reject}\} \leftarrow \mathsf{verify}(q, a(q), \Pi(q), d_h, pk)$: On input query q, an answer a(q), a proof Π(q), a digest $d_h$ and pk, it outputs either “accept” or “reject”.

The notation a(q), Π(q) symbolizes that the answer and proof are a function of the particular query q. When it is clear from the context, we will drop this notation and refer simply to a, Π. Let $\{\mathsf{accept}, \mathsf{reject}\} = \mathsf{check}(q, a(q), D_h)$ be a method that decides whether a(q) is a correct answer for query q on data structure $D_h$ (this method is not part of the scheme but is only introduced for ease of notation). Then an authenticated data structure scheme ADS should satisfy the following:

Correctness. We say that an ADS is correct if, for all λ ∈ ℕ, for all (sk, pk) output by algorithm genkey, for all $(D_h, auth(D_h), d_h)$ output by one invocation of setup followed by polynomially-many invocations of refresh, where h ≥ 0, for all queries q and for all a(q), Π(q) output by $\mathsf{query}(q, D_h, auth(D_h), pk)$, with all but negligible probability, whenever $\mathsf{check}(q, a(q), D_h)$ accepts, so does verify.

Security. Let λ ∈ ℕ be a security parameter, $(sk, pk) \leftarrow \mathsf{genkey}(1^\lambda)$, and A be a poly-size adversary that is only given pk and has access to the algorithms of the ADS via an oracle $O_{\lambda,ADS}$ that accepts queries in the following model. The adversary picks an initial state of the data structure $D_0$ and computes $D_0, auth(D_0), d_0$ through an oracle call to algorithm setup. Then, for i = 0, ..., h = poly(λ), A issues an update $u_i$ for the data structure $D_i$ and obtains $D_{i+1}, auth(D_{i+1})$ and $d_{i+1}$ through an oracle call to algorithm update. At any point during these update queries, he can make polynomially many oracle calls to algorithms query and verify. Finally, the adversary picks an index 0 ≤ t ≤ h + 1, a query q, an answer a(q) and a proof Π(q). We say that an ADS is secure if for all large enough λ ∈ ℕ and for all poly-size adversaries A it holds that:

$$\Pr\left[\, (q, a(q), \Pi(q), t) \leftarrow A^{O_{\lambda,ADS}}(1^\lambda, pk) \ \text{s.t.}\ \mathsf{accept} \leftarrow \mathsf{verify}(q, a(q), \Pi(q), d_t, pk) \wedge \mathsf{reject} \leftarrow \mathsf{check}(q, a(q), D_t) \,\right] \le \nu(\lambda),$$

where the probability is taken over the randomness of genkey and the coins of A. The above security game captures the fact that an adversary (playing the role of a corrupted server) that interacts with the trusted owner and is given oracle access to all the algorithms of the scheme cannot come up with a fake result, even if he is allowed to choose the contents of the database and the type of query himself. Observe that the only limitation of the adversary is that the digest that will be used for the verification of his final challenge, and the corresponding state of the dataset and authentication information, are honestly computed, which mirrors the way the trusted owner would compute them in the real world.

An ADS is static if there is no efficient way to handle updates, i.e., the best way to accommodate such changes is to re-execute setup from scratch. A static ADS consists of only four algorithms {genkey, setup, query, verify}. In the security game above the calls to update are replaced by calls to setup.
