VeriStream – A Framework for Verifiable Data Streaming

Abstract

In a Verifiable Data Streaming (VDS) protocol a computationally weak client outsources his storage to an untrusted storage provider. Later, the client can efficiently append and update data elements in the already outsourced and authenticated data set. Other users can stream arbitrary subsets of the authenticated data and verify their integrity on-the-fly, using the data owner’s public verification key. In this work, we present VeriStream, a fully-fledged framework for verifiable data streaming with integration into Dropbox. At its core, our framework is based upon a novel construction of an authenticated data structure, which is the first one that allows verifiable data streams of unbounded length and at the same time outperforms the best known constructions in terms of bandwidth and computational overhead. We provide a detailed performance evaluation, showing that VeriStreamonly incurs a small bandwidth overhead, while providing various security guarantees, such as freshness, integrity, authenticity, and public verifiability, at the same time.

Appendices

A \(\delta \)-bounded CATs

The fully dynamic CAT is more efficient than previous constructions [22] and allows the data owner to upload an unbounded amount of data. However, the proof is only given in the random oracle model and the construction requires the additional inversion property of chameleon hash functions. Although two of the three chameleon hash functions we consider, namely the Fiat-Shamir [3] and the Ateniese and de Medeiros [2] construction have this property, it is still desirable to find a solution based on weaker assumptions, which can be proven in the standard model. Therefore we propose the \(\delta \)-bounded CAT, which is upper bounded by the depth \(\delta \), but is provably secure in the standard model and has roughly the same computational and bandwidth overhead as the fully dynamic construction.

1.1 A.1 Intuition

Let us reconsider our first construction. There, we exploited the inversion property of our chameleon hash function to find randomnesses that mapped to certain root values. To provide a proof in the standard model we have to refrain from using this property. Instead, we pre-compute \(\delta \) dummy root values \(\rho _{h,0}\) where \( h= 1 \ldots \delta \), publish them in the public key \({ pk }\), and keep their pre-images secret in our state \({\mathsf {st}}\). An authentication path with depth i is then verified against \(\rho _{i,0}\). Since we keep all pre-images in our state, we can use \({\mathsf {col}}\) rather than \({\mathsf {scol}}\) to find collisions.

Note, again we can make use of a pseudorandom function to make the client’s state constant.

1.2 A.2 Construction

We now provide the formal description of all algorithms of the \(\delta \)-bounded CAT construction.

Construction 2

Let \(H: \{0,1\}^{*} \mapsto \{0,1\}^{len}\) be a hash function and \({\mathcal {CH}}= ({\mathsf {chGen}}, {\mathsf {ch}}, {\mathsf {col}})\) a chameleon hash function. The \(\delta \)-bounded chameleon authentication tree \({\varPi _\mathsf {CAT}}=({{\mathsf {catGen}}}, {\mathsf {catAdd}}, {\mathsf {catUpdate}}, {\mathsf {catVerify}})\) is defined as follows:

The algorithm computes \(({ cpk }, { csk }) {{\,}\leftarrow {\,}}{\mathsf {chGen}}(1^{{\lambda }})\) and sets \(c {{\,}\leftarrow {\,}}0\). For \(i = 1, \dots ,\delta \) it generates dummy nodes \(\rho _{i, 0}\) and stores their pre-images in \({\mathsf {st}}\). It returns the private key \({\mathsf {sp}}= ({ csk }, {\mathsf {st}}, {\mathsf {vp}})\) and the public key \({\mathsf {vp}}= ({ cpk }, (\rho _{1,0}, \ldots , \rho _{\delta ,0}))\)

Parse \({\mathsf {sp}}\) as \(({ csk }, {\mathsf {st}}, {\mathsf {vp}})\) and check whether the current tree is full, i.e., whether c is a power of two:

In this case the tree is full again. We need to extend its height by one to create a tree which has free leaves. Let d be its depth before increasing it by one. If \(d = \delta \) we abort, since the tree has reached its maximum capacity. Otherwise, we compute a dummy node \(v_{d-1, 1}\), and store its pre-images in \({\mathsf {st}}\). Next, we need to compute \(r'_{d, 0}\) such that \({\mathsf {ch}}(\rho _{d-1,0} \Vert v_{d-1,1}, r'_{d, 0}) = \rho _{d}\). We use the stored pre-image \((x_{d,0}, r_{d,0})\) of \(\rho _{d, 0}\) from\({\mathsf {st}}\) and compute \(r_{d, 0} {{\,}\leftarrow {\,}}{\mathsf {col}}({ csk }, x_{d,0}, r_{d,0}, \rho _{d-1,0} \Vert v_{d-1,1})\). Now we add \(v_{d-1,1}\), \(r'_{d, 0}\) to \(\pi \) in \({\mathsf {st}}\) and proceed as in the case where c is not a power of two.

In this case the tree is not full. The algorithms behaviour here is identical to the one in the fully dynamic version as defined in Constrution 1.

Parse \({\mathsf {vp}}\) as \(({ cpk }, (\rho _{1,0}, \ldots , \rho _{\delta ,0}))\). In order to verify, whether \(\pi \) authenticates \(\ell \) we compute, starting from the bottom, each node as the hash or the chameleon hash of its two children until we compute a node with index 0. If the a nodes index is odd, we compute it using the chameleon hash function, and we use the hash function otherwise. All required nodes and randomnesses are taken from \(\pi \). Let \(v_{d,0}\) be the node at which we terminated. Return 1 iff \(v_{d,0} = \rho _{d,0}\), and 0 otherwise.

Parse \({\mathsf {sp}}\) as \(({ csk }, {\mathsf {st}}, {\mathsf {vp}})\). Request \(\ell _i\), with its proof of correctness \(\pi _i\), and compute \({\mathsf {catVerify}}({\mathsf {vp}}, i, \ell _i, \pi _i)\); abort if it outputs 0. Otherwise, replace \(\ell \) with \(\ell '\) and recompute the new value of the corresponding root \(v_{d,0}\). Update the root node’s value at that height in the public key \({\mathsf {vp}}'\) accordingly. Recompute all root node values above \(v_{d,0}\) update the \({\mathsf {vp}}'\) accordingly.

Regarding security, we obtain the following theorem.

Theorem 2

Suppose that \(\mathcal {CH}\) is a one-way collision-resistant chameleon hash function and H is a collision-resistant hash function, then Construction 2 is a secure \(\delta \)-bounded chameleon authentication tree.

The proofs is similar to the previous one, with the difference that we do not need to program the random oracle anymore, and can easily be deduced.

B Evaluation of Chameleon Hash Functions

We discuss the performance of chameleon hash functions on their own, since they represent the most expensive building block in our protocols. In particular, we examine the hashing and collision finding performances of the Fiat-Shamir, the Ateniese and de Medeiros, its elliptic curve equivalent, and the Krawczyk-Rabin chameleon hash.

To evaluate their performances, we used each of them to compute 2000 hashes for randomly generated 160 bit long messages and then computed the average time it took. We used a security parameter of 2048 and chose all sizes in the underlying primitives according to the NIST Recommendations 2012 [17]. For the elliptic curve variation of the Ateniese and de Medeiros hash we used the P-224 curve.

The collision finding performances were measured by running the experiment above with the difference that we additionally computed a collision for another randomly generated message after each hash operation. The average times for computing one hash, or one hash and one collision respectively are depicted in Table 2.

One can see that when only performing the hash operation, the Fiat-Shamir construction is the fastest one. Unfortunately its performance for computing collisions is very poor, which renders it infeasible for applications that require high throughput. Quiet interestingly Ateniese and de Medeiros is slower than its elliptic curve pendant. Further tests with a smaller security parameter like 1024 showed that the elliptic curve variant is slower at first, but scales much better, when the security parameter increases. As expected from the mathematical description of the Krawczyk-Rabin chameleon hash, it performs very well and its collision finding algorithm is extremely efficient. However, it is not invertible and therefore it cannot be used in the dynamic constructions.

Table 2. Chameleon hash function benchmarks in milliseconds.